[Git][security-tracker-team/security-tracker][master] 3 commits: Process some NFUs
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Wed Mar 29 21:15:11 BST 2023
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2cefb2a8 by Salvatore Bonaccorso at 2023-03-29T22:14:34+02:00
Process some NFUs
- - - - -
ec239d84 by Salvatore Bonaccorso at 2023-03-29T22:14:36+02:00
Add two new python-redis CVEs
- - - - -
da1f3991 by Salvatore Bonaccorso at 2023-03-29T22:14:37+02:00
Add CVE-2023-26923/musescore
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -245,9 +245,9 @@ CVE-2023-1687 (A vulnerability classified as problematic has been found in Sourc
CVE-2023-1686 (A vulnerability was found in SourceCodester Young Entrepreneur E-Negos ...)
NOT-FOR-US: SourceCodester Young Entrepreneur E-Negosyo System
CVE-2023-1685 (A vulnerability was found in HadSky up to 7.11.8. It has been declared ...)
- TODO: check
+ NOT-FOR-US: HadSky
CVE-2023-1684 (A vulnerability was found in HadSky 7.7.16. It has been classified as ...)
- TODO: check
+ NOT-FOR-US: HadSky
CVE-2023-1683 (A vulnerability was found in Xunrui CMS 4.61 and classified as problem ...)
NOT-FOR-US: Xunrui CMS
CVE-2023-1682 (A vulnerability has been found in Xunrui CMS 4.61 and classified as pr ...)
@@ -526,9 +526,16 @@ CVE-2023-1638 (A vulnerability was found in IObit Malware Fighter 9.4.0.776. It
CVE-2018-25083 (The pullit package before 1.4.0 for Node.js allows OS Command Injectio ...)
TODO: check
CVE-2023-28859 (redis-py through 4.5.3 leaves a connection open after canceling an asy ...)
- TODO: check
+ - python-redis <not-affected> (Incomplete fix for CVE-2023-28858 not applied)
+ NOTE: https://github.com/redis/redis-py/issues/2665
+ NOTE: https://github.com/redis/redis-py/pull/2641
CVE-2023-28858 (redis-py before 4.5.3, as used in ChatGPT and other products, leaves a ...)
- TODO: check
+ - python-redis <unfixed>
+ NOTE: https://github.com/redis/redis-py/issues/2624
+ NOTE: https://github.com/redis/redis-py/pull/2641
+ NOTE: https://openai.com/blog/march-20-chatgpt-outage
+ NOTE: When fixing this issue make sure to apply complete fixes (cf. CVE-2023-28859
+ NOTE: CVE entry) to not open CVE-2023-28859.
CVE-2023-1637 (A flaw that boot CPU could be vulnerable for the speculative execution ...)
- linux 5.17.3-1
[bullseye] - linux 5.10.113-1
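Review bot: the new `+ - python-redis <unfixed>` line for CVE-2023-28858 carries no `(bug #NNN)` reference, unlike the `- flatpak 1.14.4-1 (bug #1033098)` form used elsewhere in this file; if a Debian bug has been filed for the python-redis update, add it here so the unfixed state is tracked. The `<not-affected>` marking for CVE-2023-28859 holds only while the incomplete upstream fix is absent from the package, and the NOTE on the 28858 entry records that dependency; both entries should be updated in the same commit when the fix lands, otherwise 28859 is silently opened.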
@@ -1243,7 +1250,7 @@ CVE-2023-28639
CVE-2023-28638 (Snappier is a high performance C# implementation of the Snappy compres ...)
TODO: check
CVE-2023-28637 (DataEase is an open source data visualization analysis tool. In Dataea ...)
- TODO: check
+ NOT-FOR-US: DataEase
CVE-2023-28636
RESERVED
CVE-2023-28635
@@ -3088,9 +3095,9 @@ CVE-2023-28105 (go-used-util has commonly used utility functions for Go. Version
CVE-2023-28104 (`silverstripe/graphql` serves Silverstripe data as GraphQL representat ...)
NOT-FOR-US: silverstripe/graphql
CVE-2023-28103 (matrix-react-sdk is a Matrix chat protocol SDK for React Javascript. I ...)
- TODO: check
+ NOT-FOR-US: Node matrix-react-sdk
CVE-2023-28102 (discordrb is an implementation of the Discord API using Ruby. In disco ...)
- TODO: check
+ NOT-FOR-US: discordrb
CVE-2023-28101 (Flatpak is a system for building, distributing, and running sandboxed ...)
- flatpak 1.14.4-1 (bug #1033098)
[bullseye] - flatpak <no-dsa> (Minor issue)
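Review bot: style point on `+ NOT-FOR-US: Node matrix-react-sdk`: the other NOT-FOR-US entries in this hunk name only the upstream project (`NOT-FOR-US: silverstripe/graphql`, `NOT-FOR-US: discordrb`), so the `Node ` prefix reads as inconsistent unless it is meant to disambiguate from a similarly named package; consider `NOT-FOR-US: matrix-react-sdk` or spell out why the prefix is needed.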
@@ -5751,13 +5758,13 @@ CVE-2023-27234 (A Cross-Site Request Forgery (CSRF) in /Sys/index.html of Jizhic
CVE-2023-27233
RESERVED
CVE-2023-27232 (TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a com ...)
- TODO: check
+ NOT-FOR-US: TOTOLINK
CVE-2023-27231 (TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a com ...)
- TODO: check
+ NOT-FOR-US: TOTOLINK
CVE-2023-27230
RESERVED
CVE-2023-27229 (TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a com ...)
- TODO: check
+ NOT-FOR-US: TOTOLINK
CVE-2023-27228
RESERVED
CVE-2023-27227
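Review bot: the three `+ NOT-FOR-US: TOTOLINK` lines use a different capitalisation from the CVE descriptions they annotate (`TOTOlink A7100RU ...`); if `TOTOLINK` is the spelling already used for earlier TOTOLINK entries in this file, keep it for consistency, otherwise match the description so searches for the vendor name hit all entries.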
@@ -6390,7 +6397,8 @@ CVE-2023-26925
CVE-2023-26924 (LLVM a0dab4950 has a segmentation fault in mlir::outlineSingleBlockReg ...)
TODO: check
CVE-2023-26923 (Musescore 3.0 to 4.0.1 has a stack buffer overflow vulnerability that ...)
- TODO: check
+ - musescore <unfixed>
+ NOTE: https://github.com/musescore/MuseScore/issues/16346
CVE-2023-26922 (SQL injection vulnerability found in Varisicte matrix-gui v.2 allows a ...)
NOT-FOR-US: Varisicte
CVE-2023-26921
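Review bot: the new `+ - musescore <unfixed>` entry has no `(bug #NNN)` reference and its only NOTE is the upstream issue; since the description says the overflow affects MuseScore 3.0 through 4.0.1, add the fixing upstream commit or release as a further NOTE once known, and reference a Debian bug as done for `- flatpak 1.14.4-1 (bug #1033098)` above so the unfixed state is tracked.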
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/063df9506c3a15866b7867514dc0ac01080a3625...da1f3991407813aa536721019b45e4893cbd56e5