[Git][security-tracker-team/security-tracker][master] 3 commits: Process some NFUs

Salvatore Bonaccorso (@carnil) carnil at debian.org
Wed Mar 29 21:15:11 BST 2023 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2cefb2a8 by Salvatore Bonaccorso at 2023-03-29T22:14:34+02:00
Process some NFUs

- - - - -
ec239d84 by Salvatore Bonaccorso at 2023-03-29T22:14:36+02:00
Add two new python-redis CVEs

- - - - -
da1f3991 by Salvatore Bonaccorso at 2023-03-29T22:14:37+02:00
Add CVE-2023-26923/musescore

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -245,9 +245,9 @@ CVE-2023-1687 (A vulnerability classified as problematic has been found in Sourc
 CVE-2023-1686 (A vulnerability was found in SourceCodester Young Entrepreneur E-Negos ...)
 	NOT-FOR-US: SourceCodester Young Entrepreneur E-Negosyo System
 CVE-2023-1685 (A vulnerability was found in HadSky up to 7.11.8. It has been declared ...)
-	TODO: check
+	NOT-FOR-US: HadSky
 CVE-2023-1684 (A vulnerability was found in HadSky 7.7.16. It has been classified as  ...)
-	TODO: check
+	NOT-FOR-US: HadSky
 CVE-2023-1683 (A vulnerability was found in Xunrui CMS 4.61 and classified as problem ...)
 	NOT-FOR-US: Xunrui CMS
 CVE-2023-1682 (A vulnerability has been found in Xunrui CMS 4.61 and classified as pr ...)
@@ -526,9 +526,16 @@ CVE-2023-1638 (A vulnerability was found in IObit Malware Fighter 9.4.0.776. It
 CVE-2018-25083 (The pullit package before 1.4.0 for Node.js allows OS Command Injectio ...)
 	TODO: check
 CVE-2023-28859 (redis-py through 4.5.3 leaves a connection open after canceling an asy ...)
-	TODO: check
+	- python-redis <not-affected> (Incomplete fix for CVE-2023-28858 not applied)
+	NOTE: https://github.com/redis/redis-py/issues/2665
+	NOTE: https://github.com/redis/redis-py/pull/2641
 CVE-2023-28858 (redis-py before 4.5.3, as used in ChatGPT and other products, leaves a ...)
-	TODO: check
+	- python-redis <unfixed>
+	NOTE: https://github.com/redis/redis-py/issues/2624
+	NOTE: https://github.com/redis/redis-py/pull/2641
+	NOTE: https://openai.com/blog/march-20-chatgpt-outage
+	NOTE: When fixing this issue make sure to apply complete fixes (cf. CVE-2023-28859
+	NOTE: CVE entry) to not open CVE-2023-28859.
 CVE-2023-1637 (A flaw that boot CPU could be vulnerable for the speculative execution ...)
 	- linux 5.17.3-1
 	[bullseye] - linux 5.10.113-1
@@ -1243,7 +1250,7 @@ CVE-2023-28639
 CVE-2023-28638 (Snappier is a high performance C# implementation of the Snappy compres ...)
 	TODO: check
 CVE-2023-28637 (DataEase is an open source data visualization analysis tool. In Dataea ...)
-	TODO: check
+	NOT-FOR-US: DataEase
 CVE-2023-28636
 	RESERVED
 CVE-2023-28635
@@ -3088,9 +3095,9 @@ CVE-2023-28105 (go-used-util has commonly used utility functions for Go. Version
 CVE-2023-28104 (`silverstripe/graphql` serves Silverstripe data as GraphQL representat ...)
 	NOT-FOR-US: silverstripe/graphql
 CVE-2023-28103 (matrix-react-sdk is a Matrix chat protocol SDK for React Javascript. I ...)
-	TODO: check
+	NOT-FOR-US: Node matrix-react-sdk
 CVE-2023-28102 (discordrb is an implementation of the Discord API using Ruby. In disco ...)
-	TODO: check
+	NOT-FOR-US: discordrb
 CVE-2023-28101 (Flatpak is a system for building, distributing, and running sandboxed  ...)
 	- flatpak 1.14.4-1 (bug #1033098)
 	[bullseye] - flatpak <no-dsa> (Minor issue)
@@ -5751,13 +5758,13 @@ CVE-2023-27234 (A Cross-Site Request Forgery (CSRF) in /Sys/index.html of Jizhic
 CVE-2023-27233
 	RESERVED
 CVE-2023-27232 (TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a com ...)
-	TODO: check
+	NOT-FOR-US: TOTOLINK
 CVE-2023-27231 (TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a com ...)
-	TODO: check
+	NOT-FOR-US: TOTOLINK
 CVE-2023-27230
 	RESERVED
 CVE-2023-27229 (TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a com ...)
-	TODO: check
+	NOT-FOR-US: TOTOLINK
 CVE-2023-27228
 	RESERVED
 CVE-2023-27227
@@ -6390,7 +6397,8 @@ CVE-2023-26925
 CVE-2023-26924 (LLVM a0dab4950 has a segmentation fault in mlir::outlineSingleBlockReg ...)
 	TODO: check
 CVE-2023-26923 (Musescore 3.0 to 4.0.1 has a stack buffer overflow vulnerability that  ...)
-	TODO: check
+	- musescore <unfixed>
+	NOTE: https://github.com/musescore/MuseScore/issues/16346
 CVE-2023-26922 (SQL injection vulnerability found in Varisicte matrix-gui v.2 allows a ...)
 	NOT-FOR-US: Varisicte
 CVE-2023-26921



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/063df9506c3a15866b7867514dc0ac01080a3625...da1f3991407813aa536721019b45e4893cbd56e5

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/063df9506c3a15866b7867514dc0ac01080a3625...da1f3991407813aa536721019b45e4893cbd56e5
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20230329/27b6cebd/attachment.htm>

More information about the debian-security-tracker-commits mailing list