[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso (@carnil) carnil at debian.org
Sat May 27 09:12:11 BST 2023



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0edb1c50 by security tracker role at 2023-05-27T08:12:01+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,4 +1,50 @@
-CVE-2023-2898
+CVE-2023-33199 (Rekor's goals are to provide an immutable tamper resistant ledger of m ...)
+	TODO: check
+CVE-2023-33196 (Craft is a CMS for creating custom digital experiences. Cross site scr ...)
+	TODO: check
+CVE-2023-33195 (Craft is a CMS for creating custom digital experiences on the web. A m ...)
+	TODO: check
+CVE-2023-33194 (Craft is a CMS for creating custom digital experiences on the web.The  ...)
+	TODO: check
+CVE-2023-33192 (ntpd-rs is an NTP implementation written in Rust. ntpd-rs does not val ...)
+	TODO: check
+CVE-2023-33188 (Omni-notes is an open source note-taking application for Android. The  ...)
+	TODO: check
+CVE-2023-33187 (Highlight is an open source, full-stack monitoring platform. Highlight ...)
+	TODO: check
+CVE-2023-33184 (Nextcloud Mail is a mail app in Nextcloud. A blind SSRF attack allowed ...)
+	TODO: check
+CVE-2023-32688 (parse-server-push-adapter is the official Push Notification adapter fo ...)
+	TODO: check
+CVE-2023-32686 (Kiwi TCMS is an open source test management system for both manual and ...)
+	TODO: check
+CVE-2023-32676 (Autolab is a course management service that enables auto-graded progra ...)
+	TODO: check
+CVE-2023-32325 (PostHog-js is a library to interface with the PostHog analytics tool.  ...)
+	TODO: check
+CVE-2023-32321 (CKAN is an open-source data management system for powering data hubs a ...)
+	TODO: check
+CVE-2023-32319 (Nextcloud server is an open source personal cloud implementation. Miss ...)
+	TODO: check
+CVE-2023-32317 (Autolab is a course management service that enables auto-graded progra ...)
+	TODO: check
+CVE-2023-32316 (CloudExplorer Lite is an open source cloud management tool. In affecte ...)
+	TODO: check
+CVE-2023-32315 (Openfire is an XMPP server licensed under the Open Source Apache Licen ...)
+	TODO: check
+CVE-2023-32311 (CloudExplorer Lite is an open source cloud management platform. In Clo ...)
+	TODO: check
+CVE-2023-32307 (Sofia-SIP is an open-source SIP User-Agent library, compliant with the ...)
+	TODO: check
+CVE-2023-2924 (A vulnerability, which was classified as critical, has been found in S ...)
+	TODO: check
+CVE-2023-2923 (A vulnerability classified as critical was found in Tenda AC6 US_AC6V1 ...)
+	TODO: check
+CVE-2023-2922 (A vulnerability classified as problematic has been found in SourceCode ...)
+	TODO: check
+CVE-2023-2825 (An issue has been discovered in GitLab CE/EE affecting only version 16 ...)
+	TODO: check
+CVE-2023-2898 (There is a null-pointer-dereference flaw found in f2fs_write_end_io in ...)
 	- linux <unfixed>
 	[buster] - linux <not-affected> (Vulnerable code not present)
 	NOTE: https://lore.kernel.org/linux-f2fs-devel/20230522124203.3838360-1-chao@kernel.org/
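Review bot: three of the new `TODO: check` entries (CVE-2023-33196, CVE-2023-33195, CVE-2023-33194) describe Craft CMS, which this same file already triages as `NOT-FOR-US: Craft CMS` under CVE-2023-2817, so they can be resolved the same way; each remaining placeholder still needs a package line or a NOT-FOR-US marker. The only existing entry touched here is CVE-2023-2898, which gains its description while keeping `- linux <unfixed>` and the buster not-affected marker, so its status is unchanged.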
@@ -28,40 +74,40 @@ CVE-2023-32318 (Nextcloud server provides a home for data. A regression in the s
 	TODO: check
 CVE-2023-2817 (A post-authentication stored cross-site scripting vulnerability exists ...)
 	NOT-FOR-US: Craft CMS
-CVE-2023-2854
+CVE-2023-2854 (BLF file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13  ...)
 	[experimental] - wireshark 4.0.6-1~exp1
 	- wireshark <unfixed>
 	[bookworm] - wireshark <no-dsa> (Minor issue)
 	[bullseye] - wireshark <no-dsa> (Minor issue)
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2023-17.html
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19084
-CVE-2023-2856
+CVE-2023-2856 (VMS TCPIPtrace file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 ...)
 	[experimental] - wireshark 4.0.6-1~exp1
 	- wireshark <unfixed>
 	[bookworm] - wireshark <no-dsa> (Minor issue)
 	[bullseye] - wireshark <no-dsa> (Minor issue)
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2023-16.html
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19083
-CVE-2023-2858
+CVE-2023-2858 (NetScaler file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3 ...)
 	[experimental] - wireshark 4.0.6-1~exp1
 	- wireshark <unfixed>
 	[bookworm] - wireshark <no-dsa> (Minor issue)
 	[bullseye] - wireshark <no-dsa> (Minor issue)
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2023-15.html
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19081
-CVE-2023-2879
+CVE-2023-2879 (GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 al ...)
 	[experimental] - wireshark 4.0.6-1~exp1
 	- wireshark <unfixed>
 	[bookworm] - wireshark <no-dsa> (Minor issue)
 	[bullseye] - wireshark <no-dsa> (Minor issue)
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2023-14.html
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19068
-CVE-2023-2857
+CVE-2023-2857 (BLF file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13  ...)
 	[experimental] - wireshark 4.0.6-1~exp1
 	- wireshark <unfixed>
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2023-13.html
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19063
-CVE-2023-2855
+CVE-2023-2855 (Candump log parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6. ...)
 	[experimental] - wireshark 4.0.6-1~exp1
 	- wireshark <unfixed>
 	[bookworm] - wireshark <no-dsa> (Minor issue)
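Review bot: CVE-2023-2857 is the one Wireshark entry in this hunk without `[bookworm]`/`[bullseye]` lines, although its description gives the same affected range (4.0.0 to 4.0.5 and 3.6.0 to 3.6.13) as CVE-2023-2854, which carries `<no-dsa> (Minor issue)` for both releases. The update only fills in descriptions, so this predates the commit, but it is worth confirming that the missing stable annotations for CVE-2023-2857 are deliberate rather than an omission.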
@@ -2363,8 +2409,8 @@ CVE-2023-31130 (c-ares is an asynchronous resolver library. ares_inet_net_pton()
 	NOTE: https://github.com/c-ares/c-ares/commit/f22cc01039b6473b736d3bf438f56a2654cdf2b2 (cares-1_19_1)
 CVE-2023-31129 (The Contiki-NG operating system versions 4.8 and prior can be triggere ...)
 	NOT-FOR-US: Contiki-NG
-CVE-2023-31128
-	RESERVED
+CVE-2023-31128 (NextCloud Cookbook is a recipe library app. Prior to commit a46d9855 o ...)
+	TODO: check
 CVE-2023-31127 (libspdm is a sample implementation that follows the DMTF SPDM specific ...)
 	NOT-FOR-US: libspdm
 CVE-2023-31126 (`org.xwiki.commons:xwiki-commons-xml` is an XML library used by the op ...)
@@ -8370,6 +8416,7 @@ CVE-2023-1731 (In Meinbergs LTOS versions prior to V7.06.013, the configuration
 CVE-2023-1730 (The SupportCandy WordPress plugin before 3.1.5 does not validate and e ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2023-1729 (A flaw was found in LibRaw. A heap-buffer-overflow in raw2image_ex() c ...)
+	{DLA-3433-1}
 	- libraw 0.20.2-2.1 (bug #1036281)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2188240
 	NOTE: https://github.com/LibRaw/LibRaw/issues/557
@@ -11009,24 +11056,21 @@ CVE-2023-28324
 	RESERVED
 CVE-2023-28323
 	RESERVED
-CVE-2023-28322 [more POST-after-PUT confusion]
-	RESERVED
+CVE-2023-28322 (An information disclosure vulnerability exists in curl <v8.1.0 when do ...)
 	- curl 7.88.1-10 (bug #1036239)
 	[bullseye] - curl <no-dsa> (Minor issue)
 	[buster] - curl <no-dsa> (Minor issue)
 	NOTE: https://curl.se/docs/CVE-2023-28322.html
 	NOTE: Introduced by: https://github.com/curl/curl/commit/546572da0457f37c698c02d0a08d90fdfcbeedec (curl-7_7)
 	NOTE: Fixed by: https://github.com/curl/curl/commit/7815647d6582c0a4900be2e1de6c5e61272c496b (curl-8_1_0)
-CVE-2023-28321 [IDN wildcard match]
-	RESERVED
+CVE-2023-28321 (An improper certificate validation vulnerability exists in curl <v8.1. ...)
 	- curl 7.88.1-10 (bug #1036239)
 	[bullseye] - curl <no-dsa> (Minor issue)
 	[buster] - curl <no-dsa> (Minor issue)
 	NOTE: https://curl.se/docs/CVE-2023-28321.html
 	NOTE: Introduced by: https://github.com/curl/curl/commit/9631fa740708b1890197fad01e25b34b7e8eb80e (curl-7_12_0)
 	NOTE: Fixed by: https://github.com/curl/curl/commit/199f2d440d8659b42670c1b796220792b01a97bf (curl-8_1_0)
-CVE-2023-28320 [siglongjmp race condition]
-	RESERVED
+CVE-2023-28320 (A denial of service vulnerability exists in curl <v8.1.0 in the way li ...)
 	- curl 7.88.1-10 (bug #1036239)
 	[bullseye] - curl <ignored> (Minor issue; Upstream changes drop curl_jmpenv symbol)
 	[buster] - curl <ignored> (Minor issue; Upstream changes drop curl_jmpenv symbol)
@@ -11034,8 +11078,7 @@ CVE-2023-28320 [siglongjmp race condition]
 	NOTE: Introduced by: https://github.com/curl/curl/commit/3c49b405de4fbf1fd7127f91908261268640e54f (curl-7_9_8)
 	NOTE: Fixed by: https://github.com/curl/curl/commit/13718030ad4b3209a7583b4f27f683cd3a6fa5f2 (curl-8_1_0)
 	NOTE: Follow-up: https://github.com/curl/curl/commit/f446258f0269a62289cca0210157cb8558d0edc3 (curl-8_1_0)
-CVE-2023-28319 [UAF in SSH sha256 fingerprint check]
-	RESERVED
+CVE-2023-28319 (A use after free vulnerability exists in curl <v8.1.0 in the way libcu ...)
 	- curl 7.88.1-10 (bug #1036239)
 	[bullseye] - curl <not-affected> (Vulnerable code not present)
 	[buster] - curl <not-affected> (Vulnerable code not present)
@@ -14172,8 +14215,8 @@ CVE-2023-27313
 	RESERVED
 CVE-2023-27312
 	RESERVED
-CVE-2023-27311
-	RESERVED
+CVE-2023-27311 (NetApp Blue XP Connector versions prior to 3.9.25 expose information v ...)
+	TODO: check
 CVE-2023-27310 (A vulnerability has been identified in RUGGEDCOM CROSSBOW (All version ...)
 	NOT-FOR-US: Siemens
 CVE-2023-27309 (A vulnerability has been identified in RUGGEDCOM CROSSBOW (All version ...)
@@ -17194,12 +17237,12 @@ CVE-2023-26131
 	RESERVED
 CVE-2023-26130
 	RESERVED
-CVE-2023-26129
-	RESERVED
-CVE-2023-26128
-	RESERVED
-CVE-2023-26127
-	RESERVED
+CVE-2023-26129 (All versions of the package bwm-ng are vulnerable to Command Injection ...)
+	TODO: check
+CVE-2023-26128 (All versions of the package keep-module-latest are vulnerable to Comma ...)
+	TODO: check
+CVE-2023-26127 (All versions of the package n158 are vulnerable to Command Injection d ...)
+	TODO: check
 CVE-2023-26126 (All versions of the package m.static are vulnerable to Directory Trave ...)
 	NOT-FOR-US: m.static
 CVE-2023-26125 (Versions of the package github.com/gin-gonic/gin before 1.9.0 are vuln ...)
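Review bot: the three new command-injection entries (bwm-ng, keep-module-latest, n158) use the same "All versions of the package ..." wording as the neighbouring m.static entry marked `NOT-FOR-US`, and that wording names no ecosystem; when resolving the `TODO: check` lines, confirm which registry the package belongs to before matching on name, since bwm-ng is also the name of a Debian source package and a bare name match would mis-attribute the issue.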
@@ -38948,12 +38991,12 @@ CVE-2023-21518
 	RESERVED
 CVE-2023-21517
 	RESERVED
-CVE-2023-21516
-	RESERVED
-CVE-2023-21515
-	RESERVED
-CVE-2023-21514
-	RESERVED
+CVE-2023-21516 (XSS vulnerability from InstantPlay in Galaxy Store prior to version 4. ...)
+	TODO: check
+CVE-2023-21515 (InstantPlay which included vulnerable script which could execute javas ...)
+	TODO: check
+CVE-2023-21514 (Improper scheme validation from InstantPlay Deeplink in Galaxy Store p ...)
+	TODO: check
 CVE-2023-21513
 	RESERVED
 CVE-2023-21512
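Review bot: CVE-2023-21516, CVE-2023-21515 and CVE-2023-21514 all concern InstantPlay in Galaxy Store (Samsung), so the `TODO: check` placeholders can be closed as `NOT-FOR-US` in the same way the file handles other vendor-only products, for example the RUGGEDCOM CROSSBOW entries marked `NOT-FOR-US: Siemens`.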
@@ -98489,7 +98532,7 @@ CVE-2022-0639 (Authorization Bypass Through User-Controlled Key in NPM url-parse
 	NOTE: https://github.com/unshiftio/url-parse/commit/ef45a1355375a8244063793a19059b4f62fc8788 (1.5.7)
 CVE-2022-0638 (Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber p ...)
 	NOT-FOR-US: microweber
-CVE-2022-0637 (There was an open redirection vulnerability pollbot, which was used in ...)
+CVE-2022-0637 (open redirect in pollbot (pollbot.services.mozilla.com) in versions be ...)
 	NOT-FOR-US: pollbot
 CVE-2022-0636 (A denial of service vulnerability was reported in Lenovo Thin Installe ...)
 	NOT-FOR-US: Lenovo
@@ -150429,6 +150472,7 @@ CVE-2021-32144
 CVE-2021-32143
 	RESERVED
 CVE-2021-32142 (Buffer Overflow vulnerability in LibRaw linux/unix v0.20.0 allows atta ...)
+	{DLA-3433-1}
 	[experimental] - libraw 0.21.1-1
 	- libraw 0.20.2-2.1 (bug #1031790)
 	[bullseye] - libraw <no-dsa> (Minor issue)
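Review bot: `{DLA-3433-1}` is added here to CVE-2021-32142 and earlier in this commit to CVE-2023-1729, so both LibRaw entries now reference the same advisory; confirm that the DLA-3433-1 record lists both CVE ids so the cross-references agree. The `[bullseye] - libraw <no-dsa> (Minor issue)` line is unaffected, since a DLA marker covers only the LTS release.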



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0edb1c507cd604c14eb23b97e964e9d45a3b3788
