[Git][security-tracker-team/security-tracker][master] 2 commits: Added a note about the work needed after upgrade of borgbackup.

Ola Lundqvist (@opal) opal at debian.org
Sun Oct 1 20:29:29 BST 2023



Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker


Commits:
345ff70f by Ola Lundqvist at 2023-10-01T19:18:20+00:00
Added a note about the work needed after upgrade of borgbackup.

- - - - -
66bd8cb9 by Ola Lundqvist at 2023-10-01T19:28:31+00:00
Marked a few CVEs as no-dsa for buster following decision for bullseye.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -257,6 +257,7 @@ CVE-2023-44469 (A Server-Side Request Forgery issue in the OpenID Connect Issuer
 	- lemonldap-ng 2.17.1+ds-1
 	[bookworm] - lemonldap-ng <no-dsa> (Minor issue)
 	[bullseye] - lemonldap-ng <no-dsa> (Minor issue)
+	[buster] - lemonldap-ng <no-dsa> (Minor issue)
 	NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2998
 	NOTE: https://security.lauritz-holtmann.de/post/sso-security-ssrf/
 CVE-2023-44466 (An issue was discovered in net/ceph/messenger_v2.c in the Linux kernel ...)
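Review bot: the new `[buster] - lemonldap-ng <no-dsa> (Minor issue)` line copies the bullseye annotation verbatim, but nothing in this entry records that buster's lemonldap-ng is actually affected; the only version information is the fixed one (2.17.1+ds-1). If the buster decision was simply inherited from bullseye, as the commit message suggests, consider confirming the affected version range for buster first, or adding a short NOTE stating that the check was done, so the entry is self-documenting when buster is revisited.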
@@ -1581,26 +1582,32 @@ CVE-2023-43377 (A cross-site scripting (XSS) vulnerability in /hoteldruid/visual
 	- hoteldruid <unfixed> (bug #1052572)
 	[bookworm] - hoteldruid <no-dsa> (Minor issue)
 	[bullseye] - hoteldruid <no-dsa> (Minor issue)
+	[buster] - hoteldruid <no-dsa> (Minor issue)
 CVE-2023-43376 (A cross-site scripting (XSS) vulnerability in /hoteldruid/clienti.php  ...)
 	- hoteldruid <unfixed> (bug #1052572)
 	[bookworm] - hoteldruid <no-dsa> (Minor issue)
 	[bullseye] - hoteldruid <no-dsa> (Minor issue)
+	[buster] - hoteldruid <no-dsa> (Minor issue)
 CVE-2023-43375 (Hoteldruid v3.0.5 was discovered to contain multiple SQL injection vul ...)
 	- hoteldruid <unfixed> (bug #1052572)
 	[bookworm] - hoteldruid <no-dsa> (Minor issue)
 	[bullseye] - hoteldruid <no-dsa> (Minor issue)
+	[buster] - hoteldruid <no-dsa> (Minor issue)
 CVE-2023-43374 (Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerabil ...)
 	- hoteldruid <unfixed> (bug #1052572)
 	[bookworm] - hoteldruid <no-dsa> (Minor issue)
 	[bullseye] - hoteldruid <no-dsa> (Minor issue)
+	[buster] - hoteldruid <no-dsa> (Minor issue)
 CVE-2023-43373 (Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerabil ...)
 	- hoteldruid <unfixed> (bug #1052572)
 	[bookworm] - hoteldruid <no-dsa> (Minor issue)
 	[bullseye] - hoteldruid <no-dsa> (Minor issue)
+	[buster] - hoteldruid <no-dsa> (Minor issue)
 CVE-2023-43371 (Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerabil ...)
 	- hoteldruid <unfixed> (bug #1052572)
 	[bookworm] - hoteldruid <no-dsa> (Minor issue)
 	[bullseye] - hoteldruid <no-dsa> (Minor issue)
+	[buster] - hoteldruid <no-dsa> (Minor issue)
 CVE-2023-43207 (D-LINK DWL-6610 FW_v_4.3.0.8B003C was discovered to contain a command  ...)
 	NOT-FOR-US: D-Link
 CVE-2023-43206 (D-LINK DWL-6610 FW_v_4.3.0.8B003C was discovered to contain a command  ...)
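Review bot: all six new `[buster] - hoteldruid <no-dsa> (Minor issue)` lines carry the same bare justification as bullseye, yet four of the entries (CVE-2023-43375, -43374, -43373, -43371) describe SQL injection rather than XSS, and the package is still `<unfixed>` in unstable with bug #1052572 open. Since "Minor issue" gives no reason on its own, consider either stating in the parenthesis why these count as minor for hoteldruid or pointing the buster lines at the bug, so that the rationale survives when the triage is questioned later.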
@@ -2455,6 +2462,7 @@ CVE-2023-3865 [ksmbd: fix out-of-bound read in smb2_write]
 CVE-2023-4813 (A flaw was found in glibc. In an uncommon situation, the gaih_inet fun ...)
 	- glibc 2.36-3
 	[bullseye] - glibc <no-dsa> (Minor issue)
+	[buster] - glibc <no-dsa> (Minor issue)
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28931
 	NOTE: Fixed by: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=1c37b8022e8763fedbb3f79c02e05c6acfe5a215 (glibc-2.36)
 CVE-2023-4806 (A flaw was found in glibc. In an extremely rare situation, the getaddr ...)
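Review bot: for the new `[buster] - glibc <no-dsa> (Minor issue)` line, the entry's "Fixed by" NOTE ties the fix to glibc-2.36 and the fixed Debian version is 2.36-3, but there is no note on whether the gaih_inet flaw is present in buster's glibc at all. Unlike the other hunks in this commit, bookworm is not listed here (it already ships the fixed version), so the buster decision cannot be read off the bullseye/bookworm pattern; a NOTE recording the affected-version check for buster would make the no-dsa marking verifiable.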
@@ -10449,6 +10457,7 @@ CVE-2023-36811 (borgbackup is an opensource, deduplicating archiver with compres
 	NOTE: https://github.com/borgbackup/borg/commit/449cd51b73b0710a940af8cefe74793ce81563f4
 	NOTE: https://github.com/borgbackup/borg/commit/f334ef1b4de2f8a359ededa41ce13358b81e63c1
 	NOTE: https://borgbackup.readthedocs.io/en/stable/changes.html#pre-1-2-5-archives-spoofing-vulnerability-cve-2023-36811
+	NOTE: Requires significant work to check and repair a repo after the upgrade.
 CVE-2023-36466 (Discourse is an open source discussion platform. When editing a topic, ...)
 	NOT-FOR-US: Discourse
 CVE-2023-35802 (IQ Engine before 10.6r1 on Extreme Network AP devices has a Buffer Ove ...)
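Review bot: the added `NOTE: Requires significant work to check and repair a repo after the upgrade.` states that post-upgrade work is needed but not what it consists of; a maintainer preparing a DSA or a stable update for borgbackup will need the concrete steps. Consider pointing the note at the repository check and upgrade procedure described in the upstream changelog section already linked on the preceding NOTE line, or summarising the required steps inline, so the note is actionable rather than a reminder to look elsewhere.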



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/93bfc42850c9f06c82dc245db2e046ab3b68def0...66bd8cb9d6566f04fab416420beda244574afbe2
