[Git][security-tracker-team/security-tracker][master] 4 commits: Merge linux changes for bookworm 12.2

Salvatore Bonaccorso (@carnil) carnil at debian.org
Sat Oct 7 09:39:33 BST 2023



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
84bf7d53 by Salvatore Bonaccorso at 2023-10-06T22:54:46+02:00
Merge linux changes for bookworm 12.2

- - - - -
6cdc0263 by Salvatore Bonaccorso at 2023-10-06T22:54:48+02:00
Merge changes for updates with CVEs via bookworm 12.2

- - - - -
2bd96443 by Salvatore Bonaccorso at 2023-10-06T22:54:49+02:00
Merge changes for updates without CVEs via bookworm 12.2

- - - - -
8b02225d by Salvatore Bonaccorso at 2023-10-07T08:39:15+00:00
Merge branch 'bookworm-12.2' into 'master'

Merge changes accepted for bookworm 12.2 release

See merge request security-tracker-team/security-tracker!148
- - - - -


2 changed files:

- data/CVE/list
- data/next-point-update.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -382,10 +382,12 @@ CVE-2023-39194 [net: xfrm: Fix xfrm_address_filter OOB read]
 	NOTE: https://git.kernel.org/linus/dfa73c17d55b921e1d4e154976de35317e43a93a (6.5-rc7)
 CVE-2023-39193 [netfilter: xt_sctp: validate the flag_info count]
 	- linux 6.5.3-1
+	[bookworm] - linux 6.1.55-1
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1491/
 	NOTE: https://git.kernel.org/linus/e99476497687ef9e850748fe6d232264f30bc8f9 (6.6-rc1)
 CVE-2023-39192 [netfilter: xt_u32: validate user space input]
 	- linux 6.5.3-1
+	[bookworm] - linux 6.1.55-1
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1490/
 	NOTE: https://git.kernel.org/linus/69c5d284f67089b4750d28ff6ac6f52ec224b330 (6.6-rc1)
 CVE-2023-39191 (An improper input validation flaw was found in the eBPF subsystem in t ...)
@@ -1146,7 +1148,7 @@ CVE-2023-4316 (Zod in version 3.22.2 allows an attacker to perform a denial of s
 	NOT-FOR-US: Zod
 CVE-2023-44469 (A Server-Side Request Forgery issue in the OpenID Connect Issuer in Le ...)
 	- lemonldap-ng 2.17.1+ds-1
-	[bookworm] - lemonldap-ng <no-dsa> (Minor issue)
+	[bookworm] - lemonldap-ng 2.16.1+ds-deb12u2
 	[bullseye] - lemonldap-ng <no-dsa> (Minor issue)
 	[buster] - lemonldap-ng <no-dsa> (Minor issue)
 	NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2998
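Review bot: the bookworm fixed version 2.16.1+ds-deb12u2 uses a bare deb12u2 Debian revision, unlike the upstream-revision+deb12uN pattern of every other entry in this merge (cups 2.4.2-3+deb12u2, curl 7.88.1-10+deb12u3, and so on). The same string appears in the next-point-update.txt line being removed, so the two files agree, but it is worth confirming against the accepted upload, because a mistyped fixed version makes the tracker report bookworm as fixed at a version that does not exist in the archive.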
@@ -1592,7 +1594,7 @@ CVE-2023-32458 (Dell AppSync, versions 4.4.0.0 to 4.6.0.0 including Service Pack
 	NOT-FOR-US: Dell
 CVE-2023-XXXX [code execution via malformed XTGETTCAP]
 	- foot 1.15.3-2 (bug #1053115)
-	[bookworm] - foot <no-dsa> (Minor issue)
+	[bookworm] - foot 1.13.1-2+deb12u1
 	[bullseye] - foot <no-dsa> (Minor issue)
 	NOTE: https://codeberg.org/dnkl/foot/commit/8a5f2915e9d327d1517d1da49ce7e2303fe61d36
 CVE-2023-5183 (Unsafe deserialization of untrusted JSON allows execution of arbitrary ...)
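Review bot: this entry is still keyed on the placeholder CVE-2023-XXXX with only the bracketed title to identify it, and the same applies to the electrum entry further down in this patch. A bookworm fixed version is now recorded under a name that has to change as soon as a real identifier is assigned, so whoever renames it must keep the [bookworm] - foot 1.13.1-2+deb12u1 line and the bug #1053115 reference attached rather than opening a fresh entry, otherwise the point-release fix silently drops out of stable tracking.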
@@ -2210,11 +2212,13 @@ CVE-2022-48605 (Input verification vulnerability in the fingerprint module. Succ
 	NOT-FOR-US: Huawei
 CVE-2023-42756 (A flaw was found in the Netfilter subsystem of the Linux kernel. A rac ...)
 	- linux <unfixed>
+	[bookworm] - linux 6.1.55-1
 	[buster] - linux <not-affected> (Vulnerable code not present)
 	NOTE: https://www.openwall.com/lists/oss-security/2023/09/27/2
 	NOTE: https://git.kernel.org/linus/7433b6d2afd512d04398c73aa984d1e285be125b (6.6-rc3)
 CVE-2023-42755 (A flaw was found in the IPv4 Resource Reservation Protocol (RSVP) clas ...)
 	- linux 6.3.7-1
+	[bookworm] - linux 6.1.55-1
 	NOTE: https://lore.kernel.org/all/CADW8OBtkAf+nGokhD9zCFcmiebL1SM8bJp_oo=pE02BknG9qnQ@mail.gmail.com/
 	NOTE: https://git.kernel.org/linus/265b4da82dbf5df04bee5a5d46b7474b1aaf326a (6.3-rc1)
 CVE-2023-40581 (yt-dlp is a youtube-dl fork with additional features and fixes. yt-dlp ...)
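Review bot: CVE-2023-42756 now reads fixed in bookworm (linux 6.1.55-1) while sid is still <unfixed>; the tracker treats the two lines independently, so this is valid, but it leaves the issue open for unstable until a 6.5.x upload carrying 7433b6d2 is recorded. Since that fix only reached mainline in 6.6-rc3, confirm the 6.1.55 stable changelog actually contains the backport rather than a later 6.1.y release before relying on the stable entry. The same unstable <unfixed> / bookworm fixed pattern appears below for CVE-2023-42754 and CVE-2023-4921.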
@@ -2616,7 +2620,7 @@ CVE-2023-2508 (The `PaperCutNG Mobility Print` version 1.0.3512 application allo
 CVE-2023-4504 (Due to failure in validating the length provided by an attacker-crafte ...)
 	{DLA-3594-1}
 	- cups 2.4.2-6
-	[bookworm] - cups <no-dsa> (Minor issue)
+	[bookworm] - cups 2.4.2-3+deb12u2
 	[bullseye] - cups <no-dsa> (Minor issue)
 	- libppd <not-affected> (Vulnerable code introduced later)
 	NOTE: https://www.openwall.com/lists/oss-security/2023/09/20/3
@@ -2785,14 +2789,17 @@ CVE-2023-4237 (A flaw was found in the Ansible Automation Platform. When creatin
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2229979
 CVE-2023-42754 (A NULL pointer dereference flaw was found in the Linux kernel ipv4 sta ...)
 	- linux <unfixed>
+	[bookworm] - linux 6.1.55-1
 	NOTE: https://www.openwall.com/lists/oss-security/2023/10/02/8
 	NOTE: https://git.kernel.org/linus/0113d9c9d1ccc07f5a3710dac4aa24b6d711278c (6.6-rc3)
 CVE-2023-42753 (An array indexing vulnerability was found in the netfilter subsystem o ...)
 	- linux 6.5.3-1
+	[bookworm] - linux 6.1.55-1
 	NOTE: https://www.openwall.com/lists/oss-security/2023/09/22/10
 	NOTE: https://git.kernel.org/linus/050d91c03b28ca479df13dfb02bcd2c60dd6a878 (6.6-rc1)
 CVE-2023-42752 [integer overflows in kmalloc_reserve()]
 	- linux 6.5.3-1
+	[bookworm] - linux 6.1.55-1
 	[bullseye] - linux <not-affected> (Vulnerable code not present)
 	[buster] - linux <not-affected> (Vulnerable code not present)
 	NOTE: https://www.openwall.com/lists/oss-security/2023/09/18/3
@@ -2841,7 +2848,7 @@ CVE-2020-36766 (An issue was discovered in the Linux kernel before 5.8.6. driver
 CVE-2023-43770 (Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 al ...)
 	{DLA-3577-1}
 	- roundcube 1.6.3+dfsg-1 (bug #1052059)
-	[bookworm] - roundcube <no-dsa> (Minor issue)
+	[bookworm] - roundcube 1.6.3+dfsg-1~deb12u1
 	[bullseye] - roundcube <no-dsa> (Minor issue)
 	NOTE: https://roundcube.net/news/2023/09/15/security-update-1.6.3-released
 	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/e92ec206a886461245e1672d8530cc93c618a49b (1.6.3)
@@ -2861,7 +2868,7 @@ CVE-2023-5029 (A vulnerability, which was classified as critical, was found in m
 	NOT-FOR-US: mccms
 CVE-2023-43115 (In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead ...)
 	- ghostscript 10.02.0~dfsg-1
-	[bookworm] - ghostscript <no-dsa> (Minor issue; documented risks, can be fixed in later update)
+	[bookworm] - ghostscript 10.0.0~dfsg-11+deb12u2
 	[bullseye] - ghostscript <no-dsa> (Minor issue; documented risks, can be fixed in later update)
 	[buster] - ghostscript <ignored> (Minor issue; documented risks, have done refactoring in later versions)
 	NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=707051
@@ -3257,7 +3264,7 @@ CVE-2023-4910
 	NOT-FOR-US: 3scale-admin-portal
 CVE-2023-38039 (When curl retrieves an HTTP response, it stores the incoming headers s ...)
 	- curl 8.3.0-1
-	[bookworm] - curl <no-dsa> (Minor issue, can be fixed in point release)
+	[bookworm] - curl 7.88.1-10+deb12u3
 	[bullseye] - curl <not-affected> (Vulnerable code not present)
 	[buster] - curl <not-affected> (Vulnerable code not present)
 	NOTE: https://www.openwall.com/lists/oss-security/2023/09/13/1
@@ -3294,7 +3301,7 @@ CVE-2023-41892 (Craft CMS is a platform for creating digital experiences. This i
 CVE-2023-41081 (Important: Authentication Bypass CVE-2023-41081  The mod_jk component  ...)
 	{DLA-3580-1}
 	- libapache-mod-jk 1:1.2.49-1 (bug #1051956)
-	[bookworm] - libapache-mod-jk <no-dsa> (Minor issue)
+	[bookworm] - libapache-mod-jk 1:1.2.48-2+deb12u1
 	[bullseye] - libapache-mod-jk <no-dsa> (Minor issue)
 	NOTE: https://lists.apache.org/thread/rd1r26w7271jyqgzr4492tooyt583d8b
 	NOTE: http://www.openwall.com/lists/oss-security/2023/09/13/2
@@ -3423,6 +3430,7 @@ CVE-2023-4527 (A flaw was found in glibc. When the getaddrinfo function is calle
 	NOTE: https://www.openwall.com/lists/oss-security/2023/09/25/1
 CVE-2023-4921 (A use-after-free vulnerability in the Linux kernel's net/sched: sch_qf ...)
 	- linux <unfixed>
+	[bookworm] - linux 6.1.55-1
 	NOTE: https://kernel.dance/#8fc134fee27f2263988ae38920bc03da416b03d8
 	NOTE: https://git.kernel.org/linus/8fc134fee27f2263988ae38920bc03da416b03d8 (6.6-rc1)
 CVE-2023-4918 (A flaw was found in the Keycloak package, more specifically org.keyclo ...)
@@ -3640,7 +3648,7 @@ CVE-2023-33136 (Azure DevOps Server Remote Code Execution Vulnerability)
 	NOT-FOR-US: Microsoft
 CVE-2023-XXXX [receiving with Lightning: partial MPP might be accepted]
 	- electrum 4.4.6+dfsg-1 (bug #1052200)
-	[bookworm] - electrum <no-dsa> (Minor issue; can be fixed via point release)
+	[bookworm] - electrum 4.3.4+dfsg1-1+deb12u1
 	[bullseye] - electrum <not-affected> (Vulnerable code introduced in 4.1.0 release)
 	NOTE: https://github.com/spesmilo/electrum/security/advisories/GHSA-8r85-vp7r-hjxf
 	NOTE: https://github.com/spesmilo/electrum/issues/8588
@@ -4159,6 +4167,7 @@ CVE-2023-4634 (The Media Library Assistant plugin for WordPress is vulnerable to
 	NOT-FOR-US: Media Library Assistant plugin for WordPress
 CVE-2023-4623 (A use-after-free vulnerability in the Linux kernel's net/sched: sch_hf ...)
 	- linux 6.5.3-1
+	[bookworm] - linux 6.1.55-1
 	NOTE: https://git.kernel.org/linus/b3d26c5702c7d6c45456326e56d2ccf3f103e60f
 CVE-2023-4622 (A use-after-free vulnerability in the Linux kernel's af_unix component ...)
 	{DSA-5492-1}
@@ -4174,6 +4183,7 @@ CVE-2023-4498 (Tenda N300 Wireless N VDSL2 Modem Router allows unauthenticated a
 	NOT-FOR-US: Tenda
 CVE-2023-4244 (A use-after-free vulnerability in the Linux kernel's netfilter: nf_tab ...)
 	- linux 6.4.13-1
+	[bookworm] - linux 6.1.55-1
 	NOTE: https://lore.kernel.org/netdev/20230810070830.24064-1-pablo@netfilter.org/
 	NOTE: https://lore.kernel.org/netdev/20230815223011.7019-1-fw@strlen.de/
 	NOTE: https://kernel.dance/3e91b0ebd994635df2346353322ac51ce84ce6d8
@@ -4991,7 +5001,7 @@ CVE-2023-40969 (Senayan Library Management Systems SLIMS 9 Bulian v9.6.1 is vuln
 	NOT-FOR-US: Senayan Library Management Systems SLIMS 9 Bulian
 CVE-2023-40968 (Buffer Overflow vulnerability in hzeller timg v.1.5.1 and before allow ...)
 	- timg 1.5.2-1 (bug #1051231)
-	[bookworm] - timg <no-dsa> (Minor issue)
+	[bookworm] - timg 1.4.5-1+deb12u1
 	NOTE: https://github.com/hzeller/timg/issues/115
 	NOTE: https://github.com/hzeller/timg/commit/2e9414e668144bbe0afc074dac17b74ef4acfdcf (v1.5.2)
 CVE-2023-40771 (SQL injection vulnerability in DataEase v.1.18.9 allows a remote attac ...)
@@ -5271,7 +5281,7 @@ CVE-2023-41041 (Graylog is a free and open log management platform. In a multi-n
 CVE-2023-41040 (GitPython is a python library used to interact with Git repositories.  ...)
 	{DLA-3589-1}
 	- python-git 3.1.36-1
-	[bookworm] - python-git <no-dsa> (Minor issue; can be fixed via point release)
+	[bookworm] - python-git 3.1.30-1+deb12u2
 	[bullseye] - python-git <no-dsa> (Minor issue; can be fixed via point release)
 	NOTE: https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-cwvm-v4w8-q58c
 	NOTE: Fixed by: https://github.com/gitpython-developers/GitPython/commit/64ebb9fcdfbe48d5d61141a557691fd91f1e88d6 (3.1.35)
@@ -6403,10 +6413,10 @@ CVE-2023-39441 (Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP P
 CVE-2023-40477
 	{DLA-3543-1 DLA-3542-1}
 	- rar 2:6.23-1
-	[bookworm] - rar <no-dsa> (Non-free not supported)
+	[bookworm] - rar 2:6.23-1~deb12u1
 	[bullseye] - rar <no-dsa> (Non-free not supported)
 	- unrar-nonfree 1:6.2.10-1
-	[bookworm] - unrar-nonfree <no-dsa> (Non-free not supported)
+	[bookworm] - unrar-nonfree 1:6.2.6-1+deb12u1
 	[bullseye] - unrar-nonfree <no-dsa> (Non-free not supported)
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1152/
 	NOTE: https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=232&cHash=c5bf79590657e32554c6683296a8e8aa
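Review bot: the removed bookworm lines gave "Non-free not supported" as the reason for not updating, yet the point release now ships fixed rar 2:6.23-1~deb12u1 and unrar-nonfree 1:6.2.6-1+deb12u1. The bullseye lines keep the identical rationale, so either that statement was never a hard rule, in which case bullseye deserves the same re-evaluation, or the reason text should be reworded so it is not reused to skip a fix that a point release can evidently carry.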
@@ -7532,18 +7542,18 @@ CVE-2022-4953 (The Elementor Website Builder WordPress plugin before 3.5.5 does
 	NOT-FOR-US: WordPress plugin
 CVE-2023-39950 (efibootguard is a simple UEFI boot loader with support for safely swit ...)
 	- efibootguard 0.15-1 (bug #1049436)
-	[bookworm] - efibootguard <no-dsa> (Minor issue, can be fixed via point release)
+	[bookworm] - efibootguard 0.13-2+deb12u1
 	NOTE: https://github.com/siemens/efibootguard/commit/965d65c5751898c4bb094ef191b7387819423414 (v0.15)
 	NOTE: https://github.com/siemens/efibootguard/commit/53dee61dc8b3a83c882e4bc9a0cfe7d6d73610c4 (v0.15)
 CVE-2023-40305 (GNU indent 2.2.13 has a heap-based buffer overflow in search_brace in  ...)
 	- indent 2.2.13-3 (bug #1049366)
-	[bookworm] - indent <no-dsa> (Minor issue)
+	[bookworm] - indent 2.2.12-4+deb12u2
 	[bullseye] - indent <no-dsa> (Minor issue)
 	[buster] - indent <no-dsa> (Minor issue)
 	NOTE: https://savannah.gnu.org/bugs/index.php?64503
 CVE-2023-40303 (GNU inetutils through 2.4 may allow privilege escalation because of un ...)
 	- inetutils 2:2.4-3 (bug #1049365)
-	[bookworm] - inetutils <no-dsa> (Minor issue)
+	[bookworm] - inetutils 2:2.4-2+deb12u1
 	[bullseye] - inetutils <no-dsa> (Minor issue)
 	[buster] - inetutils <no-dsa> (Minor issue)
 	NOTE: https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6
@@ -7702,7 +7712,7 @@ CVE-2023-4105 (Mattermost fails to delete the attachments when deleting a messag
 CVE-2023-40267 (GitPython before 3.1.32 does not block insecure non-multi options in c ...)
 	{DLA-3502-1}
 	- python-git 3.1.36-1 (bug #1043503)
-	[bookworm] - python-git <no-dsa> (Minor issue)
+	[bookworm] - python-git 3.1.30-1+deb12u2
 	[bullseye] - python-git <no-dsa> (Minor issue)
 	NOTE: https://github.com/gitpython-developers/GitPython/pull/1609
 	NOTE: https://github.com/gitpython-developers/GitPython/commit/5c59e0d63da6180db8a0b349f0ad36fef42aceed (3.1.32)
@@ -8762,7 +8772,7 @@ CVE-2023-36220 (Directory Traversal vulnerability in Textpattern CMS v4.8.8 allo
 	NOT-FOR-US: Textpattern CMS
 CVE-2023-36054 (lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 an ...)
 	- krb5 1.20.1-3 (bug #1043431)
-	[bookworm] - krb5 <no-dsa> (Minor issue)
+	[bookworm] - krb5 1.20.1-2+deb12u1
 	[bullseye] - krb5 <no-dsa> (Minor issue)
 	[buster] - krb5 <postponed> (Minor issue, DoS)
 	NOTE: https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd
@@ -9147,7 +9157,7 @@ CVE-2023-3329 (SpiderControl SCADA Webserver versions 2.08 and prior are vulnera
 CVE-2023-3180 (A flaw was found in the QEMU virtual crypto device while handling data ...)
 	{DLA-3604-1}
 	- qemu 1:8.0.4+dfsg-1
-	[bookworm] - qemu <no-dsa> (Minor issue)
+	[bookworm] - qemu 1:7.2+dfsg-7+deb12u2
 	[bullseye] - qemu <no-dsa> (Minor issue)
 	NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/04b9b37edda85964cca033a48dcc0298036782f2 (v2.8.0-rc0)
 	NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/9d38a8434721a6479fe03fb5afb150ca793d3980 (master)
@@ -9464,7 +9474,7 @@ CVE-2023-38560 (An integer overflow flaw was found in pcl/pl/plfont.c:418 in pl_
 CVE-2023-38559 (A buffer overflow flaw was found in base/gdevdevn.c:1973 in devn_pcx_w ...)
 	{DLA-3519-1}
 	- ghostscript 10.02.0~dfsg-1 (bug #1043033)
-	[bookworm] - ghostscript <postponed> (Minor issue; can be batched together in a later update)
+	[bookworm] - ghostscript 10.0.0~dfsg-11+deb12u2
 	[bullseye] - ghostscript <postponed> (Minor issue; can be batched together in a later update)
 	NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=706897
 	NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f (ghostpdl-10.02.0rc1)
@@ -9663,7 +9673,7 @@ CVE-2023-3983 (An authenticated SQL injection vulnerability exists in Advantech
 CVE-2023-3817 (Issue summary: Checking excessively long DH keys or parameters may be  ...)
 	{DLA-3530-1}
 	- openssl 3.0.10-1
-	[bookworm] - openssl <postponed> (Minor issue, fix along with future DSA)
+	[bookworm] - openssl 3.0.10-1~deb12u1
 	[bullseye] - openssl <postponed> (Minor issue, fix along with future DSA)
 	NOTE: https://www.openssl.org/news/secadv/20230731.txt
 	NOTE: https://www.openwall.com/lists/oss-security/2023/07/31/1
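Review bot: 3.0.10-1~deb12u1 is a straight rebuild of the sid version 3.0.10-1 rather than a cherry-pick onto the bookworm 3.0.9 base, and the same version is entered for CVE-2023-3446 and CVE-2023-2975 later in this patch, which is consistent since one upload closes all three. The bullseye lines still say "fix along with future DSA", so those issues remain open for oldstable and must stay on the DSA list; nothing in this hunk should be read as covering bullseye.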
@@ -10079,7 +10089,7 @@ CVE-2023-38410 (The issue was addressed with improved checks. This issue is fixe
 	NOT-FOR-US: Apple
 CVE-2023-38285 (Trustwave ModSecurity 3.x before 3.0.10 has Inefficient Algorithmic Co ...)
 	- modsecurity 3.0.10-1 (bug #1042475)
-	[bookworm] - modsecurity <no-dsa> (Minor issue)
+	[bookworm] - modsecurity 3.0.9-1+deb12u1
 	[bullseye] - modsecurity <no-dsa> (Minor issue)
 	[buster] - modsecurity <no-dsa> (Minor issue)
 	NOTE: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/
@@ -10776,7 +10786,7 @@ CVE-2023-32657 (Weintek Weincloud v0.13.6     could allow an attacker to efficie
 CVE-2023-38408 (The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insuff ...)
 	{DLA-3532-1}
 	- openssh 1:9.3p2-1 (bug #1042460)
-	[bookworm] - openssh <no-dsa> (Minor issue; needs specific conditions and forwarding was always subject to caution warning)
+	[bookworm] - openssh 1:9.2p1-2+deb12u1
 	[bullseye] - openssh <no-dsa> (Minor issue; needs specific conditions and forwarding was always subject to caution warning)
 	NOTE: https://www.openwall.com/lists/oss-security/2023/07/19/9
 	NOTE: https://github.com/openssh/openssh-portable/commit/892506b13654301f69f9545f48213fc210e5c5cc
@@ -10913,7 +10923,7 @@ CVE-2023-3745 (A heap-based buffer overflow issue was found in ImageMagick's Pus
 CVE-2023-3446 (Issue summary: Checking excessively long DH keys or parameters may be  ...)
 	{DLA-3530-1}
 	- openssl 3.0.10-1 (bug #1041817)
-	[bookworm] - openssl <postponed> (Minor issue, fix along with future DSA)
+	[bookworm] - openssl 3.0.10-1~deb12u1
 	[bullseye] - openssl <postponed> (Minor issue, fix along with future DSA)
 	NOTE: https://www.openssl.org/news/secadv/20230719.txt
 	NOTE: https://github.com/openssl/openssl/commit/9e0094e2aa1b3428a12d5095132f133c078d3c3d (master)
@@ -11193,7 +11203,7 @@ CVE-2023-37479 (Open Enclave is a hardware-agnostic open source library for deve
 	NOT-FOR-US: Open Enclave
 CVE-2023-37476 (OpenRefine is a free, open source tool for data processing. A carefull ...)
 	- openrefine 3.6.2-3 (bug #1041422)
-	[bookworm] - openrefine <no-dsa> (Minor issue)
+	[bookworm] - openrefine 3.6.2-2+deb12u1
 	NOTE: https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-m88m-crr9-jvqq
 	NOTE: https://github.com/OpenRefine/OpenRefine/commit/e9c1e65d58b47aec8cd676bd5c07d97b002f205e (master)
 	NOTE: https://github.com/OpenRefine/OpenRefine/commit/c40c84d8170c4d61c6a0926531b552a50caa5651 (3.7.4)
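Review bot: CVE-2023-37476 is marked fixed in openrefine 3.6.2-2+deb12u1, while the surviving tail of next-point-update.txt still queues openrefine 3.6.2-2+deb12u2 for CVE-2023-41887. That is coherent (a second upload is pending for the following point release), but the deb12u1 entry here must not be taken as covering 41887, and the two versions must not be collapsed into one when the next batch is merged.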
@@ -11495,7 +11505,7 @@ CVE-2023-32759 (An issue in Archer Platform before v.6.13 and fixed in 6.12.0.6
 	NOT-FOR-US: Archer
 CVE-2023-2975 (Issue summary: The AES-SIV cipher implementation contains a bug that c ...)
 	- openssl 3.0.10-1 (bug #1041818)
-	[bookworm] - openssl <postponed> (Minor issue, fix along with future DSA)
+	[bookworm] - openssl 3.0.10-1~deb12u1
 	[bullseye] - openssl <not-affected> (Vulnerable code not present, only affects 3.x)
 	[buster] - openssl <not-affected> (Vulnerable code not present, only affects 3.x)
 	NOTE: https://www.openssl.org/news/secadv/20230714.txt
@@ -13124,7 +13134,7 @@ CVE-2023-35939 (GLPI is a free asset and IT management software package. Startin
 CVE-2023-35936 (Pandoc is a Haskell library for converting from one markup format to a ...)
 	{DLA-3507-1}
 	- pandoc 2.17.1.1-2 (bug #1041976)
-	[bookworm] - pandoc <no-dsa> (Minor issue)
+	[bookworm] - pandoc 2.17.1.1-2~deb12u1
 	[bullseye] - pandoc <no-dsa> (Minor issue)
 	NOTE: https://github.com/jgm/pandoc/security/advisories/GHSA-xj5q-fv23-575g
 	NOTE: Fixed by: https://github.com/jgm/pandoc/commit/5e381e3878b5da87ee7542f7e51c3c1a7fd84b89 (3.1.4)
@@ -13244,7 +13254,7 @@ CVE-2023-34150 (** UNSUPPORTED WHEN ASSIGNED **Use of TikaEncodingDetector in Ap
 	NOT-FOR-US: Apache Any23
 CVE-2023-3255 (A flaw was found in the QEMU built-in VNC server while processing Clie ...)
 	- qemu 1:8.0.4+dfsg-1
-	[bookworm] - qemu <no-dsa> (Minor issue)
+	[bookworm] - qemu 1:7.2+dfsg-7+deb12u2
 	[bullseye] - qemu <not-affected> (Vulnerable code not present)
 	[buster] - qemu <not-affected> (Vulnerable code not present)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2218486
@@ -13559,7 +13569,7 @@ CVE-2023-3478 (A vulnerability classified as critical was found in IBOS OA 4.5.5
 	NOT-FOR-US: IBOS OA
 CVE-2023-37365 (Hnswlib 0.7.0 has a double free in init_index when the M argument is a ...)
 	- hnswlib 0.7.0-1 (bug #1041426)
-	[bookworm] - hnswlib <no-dsa> (Minor issue)
+	[bookworm] - hnswlib 0.6.2-2+deb12u1
 	[bullseye] - hnswlib <no-dsa> (Minor issue)
 	NOTE: https://github.com/nmslib/hnswlib/issues/467
 CVE-2023-37360 (pacparser_find_proxy in Pacparser before 1.4.2 allows JavaScript injec ...)
@@ -13925,7 +13935,7 @@ CVE-2023-3355 (A NULL pointer dereference flaw was found in the Linux kernel's d
 	NOTE: https://git.kernel.org/linus/d839f0811a31322c087a859c2b181e2383daa7be (6.3-rc1)
 CVE-2023-3354 (A flaw was found in the QEMU built-in VNC server. When a client connec ...)
 	- qemu 1:8.0.4+dfsg-1
-	[bookworm] - qemu <no-dsa> (Minor issue)
+	[bookworm] - qemu 1:7.2+dfsg-7+deb12u2
 	[bullseye] - qemu <no-dsa> (Minor issue)
 	[buster] - qemu <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2216478
@@ -14453,7 +14463,7 @@ CVE-2023-32363 (A permissions issue was addressed by removing vulnerable code an
 CVE-2023-32360 (An authentication issue was addressed with improved state management.  ...)
 	{DLA-3594-1}
 	- cups 2.4.2-6 (bug #1051953)
-	[bookworm] - cups <no-dsa> (Workaround exist; patch changes only default cupsd.conf; can be fixed via point release)
+	[bookworm] - cups 2.4.2-3+deb12u2
 	[bullseye] - cups <no-dsa> (Workaround exist; patch changes only default cupsd.conf; can be fixed via point release)
 	NOTE: https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913 (v2.4.3)
 CVE-2023-32357 (An authorization issue was addressed with improved state management. T ...)
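Review bot: the rationale dropped here said the upstream patch "changes only default cupsd.conf". If the bookworm upload fixes CVE-2023-32360 the same way and /etc/cups/cupsd.conf is installed as a conffile, systems where that file has been locally edited keep the old directives after upgrading, because dpkg does not overwrite a modified conffile; "fixed in 2.4.2-3+deb12u2" then means fixed for fresh configurations only, and the point-release notes should tell administrators to re-check cupsd.conf.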
@@ -34273,6 +34283,7 @@ CVE-2023-25777
 	RESERVED
 CVE-2023-25775 (Improper access control in the Intel(R) Ethernet Controller RDMA drive ...)
 	- linux 6.5.3-1
+	[bookworm] - linux 6.1.55-1
 	[bullseye] - linux <not-affected> (Vulnerable code not present)
 	[buster] - linux <not-affected> (Vulnerable code not present)
 	NOTE: https://git.kernel.org/linus/bb6d73d9add68ad270888db327514384dfa44958
@@ -35215,7 +35226,7 @@ CVE-2023-26133 (All versions of the package progressbar.js are vulnerable to Pro
 	NOT-FOR-US: progressbar.js
 CVE-2023-26132 (Versions of the package dottie before 2.0.4 are vulnerable to Prototyp ...)
 	- node-dottie 2.0.6+~2.0.5-1 (bug #1040592)
-	[bookworm] - node-dottie <no-dsa> (Minor issue)
+	[bookworm] - node-dottie 2.0.2-4+deb12u1
 	[bullseye] - node-dottie <no-dsa> (Minor issue)
 	NOTE: https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763
 	NOTE: https://github.com/mickhansen/dottie.js/commit/7d3aee1c9c3c842720506e131de7e181e5c8db68 (v2.0.4)
@@ -56818,7 +56829,7 @@ CVE-2022-45583
 	RESERVED
 CVE-2022-45582 (Open Redirect vulnerability in Horizon Web Dashboard 19.4.0 thru 20.1. ...)
 	- horizon 3:23.1.0-3
-	[bookworm] - horizon <no-dsa> (Minor issue)
+	[bookworm] - horizon 3:23.0.0-5+deb12u1
 	[bullseye] - horizon <no-dsa> (Minor issue)
 	[buster] - horizon <no-dsa> (Minor issue)
 	NOTE: https://bugs.launchpad.net/horizon/+bug/1982676
@@ -59535,14 +59546,14 @@ CVE-2022-44731 (A vulnerability has been identified in SIMATIC WinCC OA V3.15 (A
 	NOT-FOR-US: Siemens
 CVE-2022-44730 (Server-Side Request Forgery (SSRF) vulnerability in Apache Software Fo ...)
 	- batik 1.17+dfsg-1
-	[bookworm] - batik <no-dsa> (Minor issue)
+	[bookworm] - batik 1.16+dfsg-1+deb12u1
 	[bullseye] - batik <no-dsa> (Minor issue)
 	[buster] - batik <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2023/08/22/3
 	NOTE: https://issues.apache.org/jira/browse/BATIK-1347
 CVE-2022-44729 (Server-Side Request Forgery (SSRF) vulnerability in Apache Software Fo ...)
 	- batik 1.17+dfsg-1
-	[bookworm] - batik <no-dsa> (Minor issue)
+	[bookworm] - batik 1.16+dfsg-1+deb12u1
 	[bullseye] - batik <no-dsa> (Minor issue)
 	[buster] - batik <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2023/08/22/2
@@ -63924,7 +63935,7 @@ CVE-2023-20213
 	RESERVED
 CVE-2023-20212 (A vulnerability in the AutoIt module of ClamAV could allow an unauthen ...)
 	- clamav 1.0.2+dfsg-1 (bug #1050057)
-	[bookworm] - clamav <no-dsa> (clamav is updated via -updates)
+	[bookworm] - clamav 1.0.2+dfsg-1~deb12u1
 	[bullseye] - clamav <not-affected> (only affects v1.0.0 and v1.0.1)
 	[buster] - clamav <not-affected> (only affects v1.0.0 and v1.0.1)
 	NOTE: https://blog.clamav.net/2023/07/2023-08-16-releases.html
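Review bot: the dropped rationale "clamav is updated via -updates" described the stable-updates channel, whereas the new fixed version 1.0.2+dfsg-1~deb12u1 is the sid version rebuilt, matching the 1.0.2 release named in the blog link; the same version is entered for CVE-2023-20197 in the next hunk, so the two clamav entries agree. Bullseye stays <not-affected> (only affects v1.0.0 and v1.0.1), so no DLA reference belongs on this entry even though the companion CVE-2023-20197 carries one.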
@@ -63959,7 +63970,7 @@ CVE-2023-20198
 CVE-2023-20197 (A vulnerability in the filesystem image parser for Hierarchical File S ...)
 	{DLA-3544-1}
 	- clamav 1.0.2+dfsg-1 (bug #1050057)
-	[bookworm] - clamav <no-dsa> (clamav is updated via -updates)
+	[bookworm] - clamav 1.0.2+dfsg-1~deb12u1
 	[bullseye] - clamav <no-dsa> (clamav is updated via -updates)
 	NOTE: https://blog.clamav.net/2023/07/2023-08-16-releases.html
 CVE-2023-20196


=====================================
data/next-point-update.txt
=====================================
@@ -1,96 +1,3 @@
-CVE-2023-37365
-	[bookworm] - hnswlib 0.6.2-2+deb12u1
-CVE-2023-26132
-	[bookworm] - node-dottie 2.0.2-4+deb12u1
-CVE-2023-35936
-	[bookworm] - pandoc 2.17.1.1-2~deb12u1
-CVE-2023-36054
-	[bookworm] - krb5 1.20.1-2+deb12u1
-CVE-2023-39950
-	[bookworm] - efibootguard 0.13-2+deb12u1
-CVE-2023-3255
-	[bookworm] - qemu 1:7.2+dfsg-7+deb12u2
-CVE-2023-3354
-	[bookworm] - qemu 1:7.2+dfsg-7+deb12u2
-CVE-2023-3180
-	[bookworm] - qemu 1:7.2+dfsg-7+deb12u2
-CVE-2023-40303
-	[bookworm] - inetutils 2:2.4-2+deb12u1
-CVE-2022-44729
-	[bookworm] - batik 1.16+dfsg-1+deb12u1
-CVE-2022-44730
-	[bookworm] - batik 1.16+dfsg-1+deb12u1
-CVE-2023-40477
-	[bookworm] - unrar-nonfree 1:6.2.6-1+deb12u1
-	[bookworm] - rar 2:6.23-1~deb12u1
-CVE-2023-2975
-	[bookworm] - openssl 3.0.10-1~deb12u1
-CVE-2023-3446
-	[bookworm] - openssl 3.0.10-1~deb12u1
-CVE-2023-3817
-	[bookworm] - openssl 3.0.10-1~deb12u1
-CVE-2023-40305
-	[bookworm] - indent 2.2.12-4+deb12u2
-CVE-2023-20197
-	[bookworm] - clamav 1.0.2+dfsg-1~deb12u1
-CVE-2023-20212
-	[bookworm] - clamav 1.0.2+dfsg-1~deb12u1
-CVE-2022-45582
-	[bookworm] - horizon 3:23.0.0-5+deb12u1
-CVE-2023-37476
-	[bookworm] - openrefine 3.6.2-2+deb12u1
-CVE-2023-40968
-	[bookworm] - timg 1.4.5-1+deb12u1
-CVE-2023-38408
-	[bookworm] - openssh 1:9.2p1-2+deb12u1
-CVE-2023-4504
-	[bookworm] - cups 2.4.2-3+deb12u2
-CVE-2023-32360
-	[bookworm] - cups 2.4.2-3+deb12u2
-CVE-2023-41081
-	[bookworm] - libapache-mod-jk 1:1.2.48-2+deb12u1
-CVE-2023-38285
-	[bookworm] - modsecurity 3.0.9-1+deb12u1
-CVE-2023-38039
-	[bookworm] - curl 7.88.1-10+deb12u3
-CVE-2023-43770
-	[bookworm] - roundcube 1.6.3+dfsg-1~deb12u1
-CVE-2023-38559
-	[bookworm] - ghostscript 10.0.0~dfsg-11+deb12u2
-CVE-2023-43115
-	[bookworm] - ghostscript 10.0.0~dfsg-11+deb12u2
-CVE-2023-44469
-	[bookworm] - lemonldap-ng 2.16.1+ds-deb12u2
-CVE-2023-39193
-	[bookworm] - linux 6.1.55-1
-CVE-2023-39192
-	[bookworm] - linux 6.1.55-1
-CVE-2023-25775
-	[bookworm] - linux 6.1.55-1
-CVE-2023-4244
-	[bookworm] - linux 6.1.55-1
-CVE-2023-42752
-	[bookworm] - linux 6.1.55-1
-CVE-2023-42753
-	[bookworm] - linux 6.1.55-1
-CVE-2023-42754
-	[bookworm] - linux 6.1.55-1
-CVE-2023-42755
-	[bookworm] - linux 6.1.55-1
-CVE-2023-42756
-	[bookworm] - linux 6.1.55-1
-CVE-2023-4623
-	[bookworm] - linux 6.1.55-1
-CVE-2023-4921
-	[bookworm] - linux 6.1.55-1
-CVE-2023-XXXX [receiving with Lightning: partial MPP might be accepted]
-	[bookworm] - electrum 4.3.4+dfsg1-1+deb12u1
-CVE-2023-XXXX [code execution via malformed XTGETTCAP]
-	[bookworm] - foot 1.13.1-2+deb12u1
-CVE-2023-41040
-	[bookworm] - python-git 3.1.30-1+deb12u2
-CVE-2023-40267
-	[bookworm] - python-git 3.1.30-1+deb12u2
 CVE-2023-41887
 	[bookworm] - openrefine 3.6.2-2+deb12u2
 CVE-2023-41886
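Review bot: all 93 removed lines (46 CVE entries, counting the two CVE-2023-XXXX placeholders and the double rar/unrar-nonfree entry for CVE-2023-40477) have a matching new [bookworm] line in data/CVE/list in this same merge with the identical fixed version, including the two python-git CVEs sharing 3.1.30-1+deb12u2 and the eleven linux CVEs at 6.1.55-1, so nothing is lost in the hand-off. The one entry left at the top, CVE-2023-41887 with openrefine 3.6.2-2+deb12u2, is correctly kept queued because this point release only shipped openrefine deb12u1.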



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/07d1a72a81c858ddfc316058041f820f11146675...8b02225d2e6fec917732e7fc098716037e473fd3
