[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso (@carnil) carnil at debian.org
Fri Sep 8 21:12:28 BST 2023 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d6141c63 by security tracker role at 2023-09-08T20:12:17+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,4 +1,34 @@
-CVE-2023-4807
+CVE-2023-4843 (Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection  ...)
+	TODO: check
+CVE-2023-4782 (Terraform version 1.0.8 through 1.5.6 allows arbitrary file write duri ...)
+	TODO: check
+CVE-2023-4777 (An incorrect permission check in Qualys Container Scanning Connector P ...)
+	TODO: check
+CVE-2023-42268 (Jeecg boot up to v3.5.3 was discovered to contain a SQL injection vuln ...)
+	TODO: check
+CVE-2023-41578 (Jeecg boot up to v3.5.3 was discovered to contain an arbitrary file re ...)
+	TODO: check
+CVE-2023-41575 (Multiple stored cross-site scripting (XSS) vulnerabilities in /bbdms/s ...)
+	TODO: check
+CVE-2023-41338 (Fiber is an Express inspired web framework built in the go language. V ...)
+	TODO: check
+CVE-2023-41318 (matrix-media-repo is a highly customizable multi-domain media reposito ...)
+	TODO: check
+CVE-2023-40924 (SolarView Compact < 6.00 is vulnerable to Directory Traversal.)
+	TODO: check
+CVE-2023-39712 (Multiple cross-site scripting (XSS) vulnerabilities in Free and Open S ...)
+	TODO: check
+CVE-2023-39676 (SimpleImportProduct Prestashop Module v1.0.0 was discovered to contain ...)
+	TODO: check
+CVE-2023-39584 (Hexo up to v7.0.0 (RC2) was discovered to contain an arbitrary file re ...)
+	TODO: check
+CVE-2023-39076 (Injecting random data into the USB memory area on a General Motors (GM ...)
+	TODO: check
+CVE-2023-38736 (IBM QRadar WinCollect Agent 10.0 through 10.1.6, when installed to run ...)
+	TODO: check
+CVE-2023-32332 (IBM Maximo Application Suite 8.9, 8.10 and IBM Maximo Asset Management ...)
+	TODO: check
+CVE-2023-4807 (Issue summary: The POLY1305 MAC (message authentication code) implemen ...)
 	- openssl <not-affected> (Windows-specific)
 	NOTE: https://www.openssl.org/news/secadv/20230908.txt
 CVE-2023-41775 (Improper access control vulnerability in 'direct' Desktop App for macO ...)
@@ -3214,7 +3244,7 @@ CVE-2023-4335 (Broadcom RAID Controller Web server (nginx) is serving private se
 	NOT-FOR-US: Broadcom RAID Controller web interface
 CVE-2023-4334 (Broadcom RAID Controller Web server (nginx) is serving private files w ...)
 	NOT-FOR-US: Broadcom RAID Controller web interface
-CVE-2023-4333 (Broadcom RAID Controller web interface is vulnerable  to exposure of s ...)
+CVE-2023-4333 (Broadcom RAID Controller web interface doesn\u2019t enforce SSL cipher ...)
 	NOT-FOR-US: Broadcom RAID Controller web interface
 CVE-2023-4332 (Broadcom RAID Controller web interface is vulnerable due to Improper p ...)
 	NOT-FOR-US: Broadcom RAID Controller web interface
@@ -16481,7 +16511,7 @@ CVE-2023-30910
 	RESERVED
 CVE-2023-30909
 	RESERVED
-CVE-2023-30908 (Potential security vulnerabilities have been identified in Hewlett Pac ...)
+CVE-2023-30908 (Potential security vulnerability have been identified in Hewlett Packa ...)
 	NOT-FOR-US: HPE
 CVE-2023-30907
 	RESERVED
@@ -20770,22 +20800,22 @@ CVE-2023-29411 (A CWE-306: Missing Authentication for Critical Function vulnerab
 	NOT-FOR-US: Schneider
 CVE-2023-29410 (A CWE-20: Improper Input Validation vulnerability exists that could al ...)
 	NOT-FOR-US: Schneider
-CVE-2023-39322 [crypto/tls: panic when processing post-handshake message on QUIC connections]
+CVE-2023-39322 (QUIC connections do not set an upper bound on the amount of data buffe ...)
 	- golang-1.21 1.21.1-1
 	NOTE: https://go.dev/issue/62266
 	NOTE: https://github.com/golang/go/commit/91a4e74b98179f63a27dbff1ad68ddd0ed64363a (go1.21.1)
 	NOTE: https://groups.google.com/g/golang-announce/c/Fm51GRLNRvM
-CVE-2023-39321 [crypto/tls: panic when processing post-handshake message on QUIC connections]
+CVE-2023-39321 (Processing an incomplete post-handshake message for a QUIC connection  ...)
 	- golang-1.21 1.21.1-1
 	NOTE: https://go.dev/issue/62266
 	NOTE: https://github.com/golang/go/commit/91a4e74b98179f63a27dbff1ad68ddd0ed64363a (go1.21.1)
 	NOTE: https://groups.google.com/g/golang-announce/c/Fm51GRLNRvM
-CVE-2023-39320 [cmd/go: go.mod toolchain directive allows arbitrary execution]
+CVE-2023-39320 (The go.mod toolchain directive, introduced in Go 1.21, can be leverage ...)
 	- golang-1.21 1.21.1-1
 	NOTE: https://go.dev/issue/62198
 	NOTE: https://github.com/golang/go/commit/d25a935574efd573668d8ce9ea4cfc530bb63ecb (go1.21.1)
 	NOTE: https://groups.google.com/g/golang-announce/c/Fm51GRLNRvM
-CVE-2023-39319 [html/template: improper handling of special tags within script contexts]
+CVE-2023-39319 (The html/template package does not apply the proper rules for handling ...)
 	- golang-1.21 1.21.1-1
 	- golang-1.20 1.20.8-1
 	- golang-1.19 <unfixed>
@@ -20795,7 +20825,7 @@ CVE-2023-39319 [html/template: improper handling of special tags within script c
 	NOTE: https://github.com/golang/go/commit/bbd043ff0d6d59f1a9232d31ecd5eacf6507bf6a (go1.21.1)
 	NOTE: https://github.com/golang/go/commit/2070531d2f53df88e312edace6c8dfc9686ab2f5 (go1.20.8)
 	NOTE: https://groups.google.com/g/golang-announce/c/Fm51GRLNRvM
-CVE-2023-39318 [html/template: improper handling of HTML-like comments within script contexts]
+CVE-2023-39318 (The html/template package does not properly handle HTML-like "" commen ...)
 	- golang-1.21 1.21.1-1
 	- golang-1.20 1.20.8-1
 	- golang-1.19 <unfixed>
@@ -25835,8 +25865,8 @@ CVE-2023-28012 (HCL BigFix Mobile is vulnerable to a command injection attack. A
 	NOT-FOR-US: HCL
 CVE-2023-28011
 	RESERVED
-CVE-2023-28010
-	RESERVED
+CVE-2023-28010 (In some configuration scenarios, the Domino server host name can be ex ...)
+	TODO: check
 CVE-2023-28009 (HCL Workload Automation is vulnerable to an XML External Entity Inject ...)
 	NOT-FOR-US: HCL
 CVE-2023-28008 (HCL Workload Automation 9.4, 9.5, and 10.1 are vulnerable to an XML Ex ...)
@@ -89843,8 +89873,8 @@ CVE-2022-33166 (IBM Security Directory Suite VA 8.0.1 through 8.0.1.19 could all
 	NOT-FOR-US: IBM
 CVE-2022-33165
 	RESERVED
-CVE-2022-33164
-	RESERVED
+CVE-2022-33164 (IBM Security Directory Server 7.2.0 could allow a remote attacker to t ...)
+	TODO: check
 CVE-2022-33163 (IBM Security Directory Suite VA 8.0.1 specifies permissions for a secu ...)
 	NOT-FOR-US: IBM
 CVE-2022-33162
@@ -221812,6 +221842,7 @@ CVE-2020-22219 (Buffer Overflow vulnerability in function bitwriter_grow_ in fla
 	NOTE: https://github.com/xiph/flac/pull/419 (1.4.0)
 	NOTE: Fixed by: https://github.com/xiph/flac/commit/21fe95ee828b0b9b944f6aa0bb02d24fbb981815 (1.4.0)
 CVE-2020-22218 (An issue was discovered in function _libssh2_packet_add in libssh2 1.1 ...)
+	{DLA-3559-1}
 	- libssh2 1.10.0-2
 	[bullseye] - libssh2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/libssh2/libssh2/pull/476
@@ -284012,7 +284043,7 @@ CVE-2019-17500
 CVE-2019-17499 (The setter.xml component of the Common Gateway Interface on Compal CH7 ...)
 	NOT-FOR-US: Compal CH7465LG devices
 CVE-2019-17498 (In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic i ...)
-	{DLA-2848-1 DLA-1991-1}
+	{DLA-3559-1 DLA-2848-1 DLA-1991-1}
 	- libssh2 1.9.0-1 (low; bug #943562)
 	NOTE: https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c
 	NOTE: https://securitylab.github.com/research/libssh2-integer-overflow-CVE-2019-17498/
@@ -298575,7 +298606,7 @@ CVE-2019-13117 (In numbers.c in libxslt 1.1.33, an xsl:number with certain forma
 CVE-2019-13116 (The MuleSoft Mule Community Edition runtime engine before 3.8 allows r ...)
 	NOT-FOR-US: MuleSoft Mule
 CVE-2019-13115 (In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha2 ...)
-	{DLA-2848-1 DLA-1730-3}
+	{DLA-3559-1 DLA-2848-1 DLA-1730-3}
 	- libssh2 1.9.0-1 (bug #932329)
 	NOTE: https://securitylab.github.com/research/libssh2-integer-overflow/
 	NOTE: https://github.com/libssh2/libssh2/pull/350



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6141c63a05c684d23577ab6263d3a62f7a68a60

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6141c63a05c684d23577ab6263d3a62f7a68a60
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20230908/f059a607/attachment.htm>

More information about the debian-security-tracker-commits mailing list