[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Wed Sep 20 21:12:26 BST 2023
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
5724df17 by security tracker role at 2023-09-20T20:12:15+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,123 @@
+CVE-2023-5084 (Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/h ...)
+ TODO: check
+CVE-2023-5074 (Use of a static key to protect a JWT token used in user authentication ...)
+ TODO: check
+CVE-2023-5042 (Sensitive information disclosure due to insecure folder permissions. T ...)
+ TODO: check
+CVE-2023-43636 (In EVE OS, the \u201cmeasured boot\u201d mechanism prevents a compromi ...)
+ TODO: check
+CVE-2023-43635 (Vault Key Sealed With SHA1 PCRs The measured boot solution imple ...)
+ TODO: check
+CVE-2023-43630 (PCR14 is not in the list of PCRs that seal/unseal the \u201cvault\u201 ...)
+ TODO: check
+CVE-2023-43502 (A cross-site request forgery (CSRF) vulnerability in Jenkins Build Fai ...)
+ TODO: check
+CVE-2023-43501 (A missing permission check in Jenkins Build Failure Analyzer Plugin 2. ...)
+ TODO: check
+CVE-2023-43500 (A cross-site request forgery (CSRF) vulnerability in Jenkins Build Fai ...)
+ TODO: check
+CVE-2023-43499 (Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier does not escap ...)
+ TODO: check
+CVE-2023-43498 (In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file ...)
+ TODO: check
+CVE-2023-43497 (In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file ...)
+ TODO: check
+CVE-2023-43496 (Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates a temporary ...)
+ TODO: check
+CVE-2023-43495 (Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the ...)
+ TODO: check
+CVE-2023-43494 (Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414. ...)
+ TODO: check
+CVE-2023-43478 (fake_upload.cgi on the Telstra Smart Modem Gen 2 (Arcadyan LH1000), fi ...)
+ TODO: check
+CVE-2023-43477 (The ping_from parameter of ping_tracerte.cgi in the web UI of Telstra ...)
+ TODO: check
+CVE-2023-43377 (A cross-site scripting (XSS) vulnerability in /hoteldruid/visualizza_c ...)
+ TODO: check
+CVE-2023-43376 (A cross-site scripting (XSS) vulnerability in /hoteldruid/clienti.php ...)
+ TODO: check
+CVE-2023-43375 (Hoteldruid v3.0.5 was discovered to contain multiple SQL injection vul ...)
+ TODO: check
+CVE-2023-43374 (Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerabil ...)
+ TODO: check
+CVE-2023-43373 (Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerabil ...)
+ TODO: check
+CVE-2023-43371 (Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerabil ...)
+ TODO: check
+CVE-2023-43207 (D-LINK DWL-6610 FW_v_4.3.0.8B003C was discovered to contain a command ...)
+ TODO: check
+CVE-2023-43206 (D-LINK DWL-6610 FW_v_4.3.0.8B003C was discovered to contain a command ...)
+ TODO: check
+CVE-2023-43204 (D-LINK DWL-6610 FW_v_4.3.0.8B003C was discovered to contain a command ...)
+ TODO: check
+CVE-2023-43203 (D-LINK DWL-6610 FW_v_4.3.0.8B003C was discovered to contain a stack ov ...)
+ TODO: check
+CVE-2023-43202 (D-LINK DWL-6610 FW_v_4.3.0.8B003C was discovered to contain a command ...)
+ TODO: check
+CVE-2023-43201 (D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a st ...)
+ TODO: check
+CVE-2023-43200 (D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a st ...)
+ TODO: check
+CVE-2023-43199 (D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a st ...)
+ TODO: check
+CVE-2023-43198 (D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a st ...)
+ TODO: check
+CVE-2023-43197 (D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a st ...)
+ TODO: check
+CVE-2023-43196 (D-Link DI-7200GV2.E1 v21.04.09E1 was discovered to contain a stack ove ...)
+ TODO: check
+CVE-2023-43138 (TPLINK TL-ER5120G 4.0 2.0.0 Build 210817 Rel.80868n has a command inje ...)
+ TODO: check
+CVE-2023-43137 (TPLINK TL-ER5120G 4.0 2.0.0 Build 210817 Rel.80868n has a command inje ...)
+ TODO: check
+CVE-2023-43134 (There is an unauthorized access vulnerability in Netis 360RAC1200 v1.3 ...)
+ TODO: check
+CVE-2023-42660 (In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8) ...)
+ TODO: check
+CVE-2023-42656 (In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8) ...)
+ TODO: check
+CVE-2023-42335 (Unrestricted File Upload vulnerability in Fl3xx Dispatch 2.10.37 and f ...)
+ TODO: check
+CVE-2023-42334 (An Indirect Object Reference (IDOR) in Fl3xx Dispatch 2.10.37 and fl3x ...)
+ TODO: check
+CVE-2023-42331 (A file upload vulnerability in EliteCMS 1.01 allows a remote attacker ...)
+ TODO: check
+CVE-2023-42147 (An issue in CloudExplorer Lite 1.3.1 allows an attacker to obtain sens ...)
+ TODO: check
+CVE-2023-41902 (An XPC misconfiguration vulnerability in CoreCode MacUpdater before 2. ...)
+ TODO: check
+CVE-2023-41484 (An issue in cimg.eu Cimg Library v2.9.3 allows an attacker to obtain s ...)
+ TODO: check
+CVE-2023-41375 (Use after free vulnerability exists in Kostac PLC Programming Software ...)
+ TODO: check
+CVE-2023-41374 (Double free issue exists in Kostac PLC Programming Software Version 1. ...)
+ TODO: check
+CVE-2023-40930 (Skyworth 3.0 OS is vulnerable to Directory Traversal.)
+ TODO: check
+CVE-2023-40619 (phpPgAdmin 7.14.4 and earlier is vulnerable to deserialization of untr ...)
+ TODO: check
+CVE-2023-40618 (A reflected cross-site scripting (XSS) vulnerability in OpenKnowledgeM ...)
+ TODO: check
+CVE-2023-40368 (IBM Storage Protect 8.1.0.0 through 8.1.19.0 could allow a privileged ...)
+ TODO: check
+CVE-2023-40043 (In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8) ...)
+ TODO: check
+CVE-2023-39052 (An information leak in Earthgarden_waiting 13.6.1 allows attackers to ...)
+ TODO: check
+CVE-2023-39045 (An information leak in kokoroe_members card Line 13.6.1 allows attacke ...)
+ TODO: check
+CVE-2023-39044 (An information leak in ajino-Shiretoko Line v13.6.1 allows attackers t ...)
+ TODO: check
+CVE-2023-39041 (An information leak in KUKURUDELI Line v13.6.1 allows attackers to obt ...)
+ TODO: check
+CVE-2023-38718 (IBM Robotic Process Automation 21.0.0 through 21.0.7.8 could disclose ...)
+ TODO: check
+CVE-2023-37410 (IBM Personal Communications 14.05, 14.06, and 15.0.0 could allow a loc ...)
+ TODO: check
+CVE-2023-34047 (A batch loader function in Spring for GraphQL versions 1.1.0 - 1.1.5 a ...)
+ TODO: check
+CVE-2023-2508 (The `PaperCutNG Mobility Print` version 1.0.3512 application allows an ...)
+ TODO: check
CVE-2023-4504 [Postscript parsing heap-based buffer overflow]
- cups <unfixed>
[bookworm] - cups <no-dsa> (Minor issue)
@@ -8,13 +128,13 @@ CVE-2023-4504 [Postscript parsing heap-based buffer overflow]
NOTE: Fixed by: https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31 (v2.4.7)
NOTE: Introduced after: https://github.com/OpenPrinting/libppd/commit/fae71641faa2d778e79245b788a90c0cd5d2cb4b (2.0b1)
NOTE: Fixed by: https://github.com/OpenPrinting/libppd/commit/262c909ac5b8676d1c221584c5a760e5e83fae66
-CVE-2023-4236 [named may terminate unexpectedly under high DNS-over-TLS query load]
+CVE-2023-4236 (A flaw in the networking code handling DNS-over-TLS queries may cause ...)
- bind9 <unfixed>
[bullseye] - bind9 <not-affected> (Vulnerable code introduced later)
[buster] - bind9 <not-affected> (Vulnerable code introduced later)
NOTE: https://kb.isc.org/docs/cve-2023-4236
NOTE: https://gitlab.isc.org/isc-projects/bind9/-/commit/18efa454a98759bf4f3ca806d9a6ef881ff9648d (v9.18.19)
-CVE-2023-3341 [A stack exhaustion flaw in control channel code may cause named to terminate unexpectedly]
+CVE-2023-3341 (The code that processes control channel messages sent to `named` calls ...)
- bind9 <unfixed>
NOTE: https://kb.isc.org/docs/cve-2023-3341
NOTE: https://gitlab.isc.org/isc-projects/bind9/-/commit/432a49a7b089da6340e56d402034a586bc69f80e (v9.18.19)
@@ -1146,7 +1266,8 @@ CVE-2023-35664 (In convertSubgraphFromHAL of ShimConverter.cpp, there is a possi
NOT-FOR-US: Android
CVE-2023-35658 (In gatt_process_prep_write_rsp of gatt_cl.cc, there is a possible priv ...)
NOT-FOR-US: Android
-CVE-2023-4881 (A stack based out-of-bounds write flaw was found in the netfilter subs ...)
+CVE-2023-4881
+ REJECTED
- linux <unfixed>
NOTE: https://git.kernel.org/linus/fd94d9dadee58e09b49075240fe83423eb1dcd36 (6.6-rc1)
CVE-2023-4318 (The Herd Effects WordPress plugin before 5.2.4 does not have CSRF when ...)
@@ -1289,14 +1410,14 @@ CVE-2023-41915 (OpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows attacke
NOTE: https://github.com/openpmix/openpmix/commit/0bf9801a3017eb6ca411e158da39570ccb998c17 (v5.0.1)
TODO: to be checked if affects the embedded copy for openmpi
CVE-2023-4875 (Null pointer dereference when composing from a specially crafted draft ...)
- {DSA-5494-1}
+ {DSA-5494-1 DLA-3574-1}
- mutt 2.2.12-0.1 (bug #1051563)
NOTE: https://gitlab.com/muttmua/mutt/-/commit/452ee330e094bfc7c9a68555e5152b1826534555 (mutt-2-2-12-rel)
NOTE: https://gitlab.com/muttmua/mutt/-/commit/4cc3128abdf52c615911589394a03271fddeefc6 (mutt-2-2-12-rel)
NOTE: http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20230904/000056.html
NOTE: https://www.openwall.com/lists/oss-security/2023/09/09/1
CVE-2023-4874 (Null pointer dereference when viewing a specially crafted email in Mut ...)
- {DSA-5494-1}
+ {DSA-5494-1 DLA-3574-1}
- mutt 2.2.12-0.1 (bug #1051563)
NOTE: https://gitlab.com/muttmua/mutt/-/commit/452ee330e094bfc7c9a68555e5152b1826534555 (mutt-2-2-12-rel)
NOTE: https://gitlab.com/muttmua/mutt/-/commit/a4752eb0ae0a521eec02e59e51ae5daedf74fda0 (mutt-2-2-12-rel)
@@ -1332,7 +1453,7 @@ CVE-2023-41564 (An arbitrary file upload vulnerability in the Upload Asset funct
NOT-FOR-US: Cockpit CMS
CVE-2023-40306 (SAP S/4HANA Manage Catalog Items and Cross-Catalog searches Fiori apps ...)
NOT-FOR-US: SAP
-CVE-2023-4853
+CVE-2023-4853 (A flaw was found in Quarkus where HTTP security policies are not sanit ...)
NOT-FOR-US: Quarkus
CVE-2023-4843 (Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection ...)
NOT-FOR-US: Pega Platform
@@ -3529,6 +3650,7 @@ CVE-2023-32078 (Netmaker makes networks with WireGuard. An Insecure Direct Objec
CVE-2023-32077 (Netmaker makes networks with WireGuard. Prior to versions 0.17.1 and 0 ...)
NOT-FOR-US: Netmaker
CVE-2023-40217 (An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, ...)
+ {DLA-3575-1}
- python3.12 3.12.0~rc1-2
- python3.11 3.11.5-1
- python3.10 3.10.13-1
@@ -3902,6 +4024,7 @@ CVE-2022-48570 (Crypto++ through 8.4 contains a timing side channel in ECDSA sig
NOTE: functionality reasons.
TODO: check details on upstream fix (in 8.4?)
CVE-2022-48566 (An issue was discovered in compare_digest in Lib/hmac.py in Python thr ...)
+ {DLA-3575-1}
- python3.9 3.9.1~rc1-1
- python3.7 <removed>
- python2.7 <removed>
@@ -3913,6 +4036,7 @@ CVE-2022-48566 (An issue was discovered in compare_digest in Lib/hmac.py in Pyth
NOTE: https://github.com/python/cpython/commit/8bef9ebb1b88cfa4b2a38b93fe4ea22015d8254a (v3.6.13)
NOTE: https://github.com/python/cpython/issues/84968
CVE-2022-48565 (An XML External Entity (XXE) issue was discovered in Python through 3. ...)
+ {DLA-3575-1}
- python3.9 3.9.1~rc1-1
- python3.7 <removed>
- python2.7 <removed>
@@ -3936,6 +4060,7 @@ CVE-2022-48564 (read_ints in plistlib.py in Python through 3.9.1 is vulnerable t
NOTE: https://github.com/python/cpython/commit/225e3659556616ad70186e7efc02baeebfeb5ec4 (v3.7.10)
NOTE: https://github.com/python/cpython/commit/a63234c49b2fbfb6f0aca32525e525ce3d43b2b4 (v3.6.13)
CVE-2022-48560 (A use-after-free exists in Python through 3.9 via heappushpop in heapq ...)
+ {DLA-3575-1}
- python3.9 <not-affected> (Fixed before initial upload to the archive)
- python3.7 3.7.7-1
- python2.7 <removed>
@@ -8172,7 +8297,8 @@ CVE-2023-34968 (A path disclosure vulnerability was found in Samba. As part of t
{DSA-5477-1}
- samba 2:4.18.5+dfsg-1
NOTE: https://www.samba.org/samba/security/CVE-2023-34968.html
-CVE-2023-42464
+CVE-2023-42464 (A Type Confusion vulnerability was found in the Spotlight RPC function ...)
+ {DSA-5503-1}
- netatalk 3.1.17~ds-1 (bug #1052087)
NOTE: https://github.com/Netatalk/netatalk/issues/486
NOTE: https://github.com/Netatalk/netatalk/pull/485
@@ -17285,8 +17411,8 @@ CVE-2023-2264
RESERVED
CVE-2023-2263 (The Rockwell Automation Kinetix 5700 DC Bus Power Supply Series A is v ...)
NOT-FOR-US: Rockwell Automation
-CVE-2023-2262
- RESERVED
+CVE-2023-2262 (A buffer overflow vulnerability exists in the Rockwell Automation sele ...)
+ TODO: check
CVE-2023-2261 (The WP Activity Log plugin for WordPress is vulnerable to authorizatio ...)
NOT-FOR-US: WP Activity Log plugin for WordPress
CVE-2023-2260 (Authorization Bypass Through User-Controlled Key in GitHub repository ...)
@@ -33604,8 +33730,8 @@ CVE-2023-0831 (The Under Construction plugin for WordPress is vulnerable to Cros
NOT-FOR-US: Under Construction plugin for WordPress
CVE-2023-0830 (A vulnerability classified as critical has been found in EasyNAS 1.1.0 ...)
NOT-FOR-US: EasyNAS
-CVE-2023-0829
- RESERVED
+CVE-2023-0829 (Plesk 17.0 through 18.0.31 version, is vulnerable to a Cross-Site Scri ...)
+ TODO: check
CVE-2023-0828
RESERVED
CVE-2023-0827 (Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimco ...)
@@ -37928,8 +38054,7 @@ CVE-2023-0464 (A security vulnerability has been identified in all supported ver
NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b (OpenSSL_1_1_1-stable)
CVE-2023-0463 (The force offline MFA prompt setting is not respected when switching t ...)
NOT-FOR-US: Devolutions Remote Desktop Manager
-CVE-2023-0462
- RESERVED
+CVE-2023-0462 (An arbitrary code execution flaw was found in Foreman. This issue may ...)
- foreman <itp> (bug #663101)
CVE-2023-0461 (There is a use-after-free vulnerability in the Linux Kernel which can ...)
{DLA-3404-1 DLA-3403-1}
@@ -38292,6 +38417,7 @@ CVE-2023-24331
CVE-2023-24330
RESERVED
CVE-2023-24329 (An issue in the urllib.parse component of Python before 3.11.4 allows ...)
+ {DLA-3575-1}
- python3.11 3.11.4-1
[bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
@@ -42821,8 +42947,7 @@ CVE-2023-0120 (An issue has been discovered in GitLab affecting all versions sta
- gitlab <unfixed>
CVE-2023-0119 (A stored Cross-site scripting vulnerability was found in foreman. The ...)
- foreman <itp> (bug #663101)
-CVE-2023-0118
- RESERVED
+CVE-2023-0118 (An arbitrary code execution flaw was found in Foreman. This flaw allow ...)
- foreman <itp> (bug #663101)
CVE-2022-4884 (Path-Traversal in MKP storing in Tribe29 Checkmk <=2.0.0p32 and <= 2.1 ...)
- check-mk <removed>
@@ -43589,8 +43714,8 @@ CVE-2023-22646
RESERVED
CVE-2023-22645 (An Improper Privilege Management vulnerability in SUSE kubewarden allo ...)
NOT-FOR-US: kubewarden
-CVE-2023-22644
- RESERVED
+CVE-2023-22644 (An Innsertion of Sensitive Information into Log File vulnerability in ...)
+ TODO: check
CVE-2023-22643 (An Improper Neutralization of Special Elements used in an OS Command ( ...)
NOT-FOR-US: SAP
CVE-2023-22642 (An improper certificate validation vulnerability [CWE-295] in FortiAna ...)
@@ -54514,10 +54639,10 @@ CVE-2022-45450 (Sensitive information disclosure and manipulation due to imprope
NOT-FOR-US: Acronis
CVE-2022-45449
RESERVED
-CVE-2022-45448
- RESERVED
-CVE-2022-45447
- RESERVED
+CVE-2022-45448 (M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, i ...)
+ TODO: check
+CVE-2022-45447 (M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, i ...)
+ TODO: check
CVE-2022-4036 (The Appointment Hour Booking plugin for WordPress is vulnerable to CAP ...)
NOT-FOR-US: Appointment Hour Booking plugin for WordPress
CVE-2022-4035 (The Appointment Hour Booking plugin for WordPress is vulnerable to iFr ...)
@@ -55532,7 +55657,7 @@ CVE-2022-45190 (An issue was discovered on Microchip RN4870 1.43 devices. An att
CVE-2022-45189
RESERVED
CVE-2022-45188 (Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow ...)
- {DLA-3426-1}
+ {DSA-5503-1 DLA-3426-1}
- netatalk 3.1.15~ds-1 (bug #1024021)
NOTE: https://rushbnt.github.io/bug%20analysis/netatalk-0day/
NOTE: https://github.com/Netatalk/netatalk/commit/dfab56846e8f454fe0548347ae6437bd12a05925
@@ -55887,8 +56012,7 @@ CVE-2022-3918 (A program using FoundationNetworking in swift-corelibs-foundation
NOT-FOR-US: swift-corelibs-foundation
CVE-2022-3917 (Improper access control of bootloader functionwas discovered in Motoro ...)
NOT-FOR-US: Motorola
-CVE-2022-3916
- RESERVED
+CVE-2022-3916 (A flaw was found in the offline_access scope in Keycloak. This issue w ...)
NOT-FOR-US: Keycloak
CVE-2022-3915 (The Dokan WordPress plugin before 3.7.6 does not properly sanitise and ...)
NOT-FOR-US: WordPress plugin
@@ -60369,14 +60493,14 @@ CVE-2023-20599
RESERVED
CVE-2023-20598
RESERVED
-CVE-2023-20597
- RESERVED
+CVE-2023-20597 (Improper initialization of variables in the DXE driver may allow a pri ...)
+ TODO: check
CVE-2023-20596
RESERVED
CVE-2023-20595
RESERVED
-CVE-2023-20594
- RESERVED
+CVE-2023-20594 (Improper initialization of variables in the DXE driver may allow a pri ...)
+ TODO: check
CVE-2023-20593 (An issue in \u201cZen 2\u201d CPUs, under specific microarchitectural ...)
{DSA-5462-1 DSA-5461-1 DSA-5459-1 DLA-3512-1 DLA-3511-1 DLA-3508-1}
- linux 6.4.4-2
@@ -62502,7 +62626,7 @@ CVE-2022-43636 (This vulnerability allows network-adjacent attackers to bypass a
CVE-2022-43635 (This vulnerability allows network-adjacent attackers to disclose sensi ...)
NOT-FOR-US: TP-Link
CVE-2022-43634 (This vulnerability allows remote attackers to execute arbitrary code o ...)
- {DLA-3426-1}
+ {DSA-5503-1 DLA-3426-1}
- netatalk 3.1.15~ds-1 (bug #1034170)
NOTE: https://github.com/Netatalk/Netatalk/pull/186
NOTE: https://github.com/advisories/GHSA-fwj9-7qq8-jc93
@@ -63298,8 +63422,7 @@ CVE-2022-43401 (A sandbox bypass vulnerability involving various casts performed
NOT-FOR-US: Jenkins plugin
CVE-2022-43400 (A vulnerability has been identified in Siveillance Video Mobile Server ...)
NOT-FOR-US: Siveillance Video Mobile Server V2022 R2
-CVE-2022-3596
- RESERVED
+CVE-2022-3596 (An information leak was found in OpenStack's undercloud. This flaw all ...)
NOT-FOR-US: undercloud
CVE-2022-3595 (A vulnerability was found in Linux Kernel. It has been rated as proble ...)
- linux <not-affected> (Vulnerable code not in any released version in Debian and upstream)
@@ -74664,7 +74787,7 @@ CVE-2022-39137 (A vulnerability has been identified in Parasolid V33.1 (All vers
NOT-FOR-US: Siemens
CVE-2022-39136 (A vulnerability has been identified in JT2Go (All versions < V14.1.0. ...)
NOT-FOR-US: Siemens
-CVE-2022-39135 (In Apache Calcite prior to version 1.32.0 the SQL operators EXISTS_NOD ...)
+CVE-2022-39135 (Apache Calcite 1.22.0 introduced the SQL operators EXISTS_NODE, EXTRAC ...)
NOT-FOR-US: Apache Calcite
CVE-2022-39134 (In audio driver, there is a use after free due to a race condition. Th ...)
NOT-FOR-US: Unisoc
@@ -101847,8 +101970,7 @@ CVE-2022-1440 (Command Injection vulnerability in git-interface at 2.1.1 in GitHub
NOT-FOR-US: git-interface Nodejs module
CVE-2022-1439 (Reflected XSS on demo.microweber.org/demo/module/ in GitHub repository ...)
NOT-FOR-US: microweber
-CVE-2022-1438
- RESERVED
+CVE-2022-1438 (A flaw was found in Keycloak. Under specific circumstances, HTML entit ...)
NOT-FOR-US: Keycloak
CVE-2022-1437 (Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prio ...)
- radare2 <unfixed> (bug #1014478)
@@ -118549,6 +118671,7 @@ CVE-2022-0392 (Heap-based Buffer Overflow in GitHub repository vim prior to 8.2.
NOTE: https://huntr.dev/bounties/d00a2acd-1935-4195-9d5b-4115ef6b3126
NOTE: https://github.com/vim/vim/commit/806d037671e133bd28a7864248763f643967973a (v8.2.4218)
CVE-2022-0391 (A flaw was found in Python, specifically within the urllib.parse modul ...)
+ {DLA-3575-1}
- python3.9 3.9.7-1
[bullseye] - python3.9 <no-dsa> (Minor issue)
- python3.7 <removed>
@@ -122287,12 +122410,12 @@ CVE-2021-46283 (nf_tables_newset in net/netfilter/nf_tables_api.c in the Linux k
[stretch] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/ad9f151e560b016b6ad3280b48e42fa11e1a5440 (5.13-rc7)
CVE-2022-23125 (This vulnerability allows remote attackers to execute arbitrary code o ...)
- {DLA-3426-1}
+ {DSA-5503-1 DLA-3426-1}
- netatalk 3.1.13~ds-1
NOTE: https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
NOTE: https://github.com/Netatalk/Netatalk/commit/d801ed421800bcd5df9045f7327c92cd4fc944aa
CVE-2022-23124 (This vulnerability allows remote attackers to disclose sensitive infor ...)
- {DLA-3426-1}
+ {DSA-5503-1 DLA-3426-1}
- netatalk 3.1.13~ds-1
NOTE: https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
NOTE: https://github.com/Netatalk/Netatalk/commit/4a8f6c964d5ca86df27c50e50dc1b60d39c9b76d
@@ -122302,7 +122425,7 @@ CVE-2022-23124 (This vulnerability allows remote attackers to disclose sensitive
NOTE: 3.1.13~ds-2 merged a patch: https://salsa.debian.org/netatalk-team/netatalk/-/commit/9b7e96c9023402d4f7aa49e28e13aef31aeb1caf
NOTE: but not reviewed/merged upstream so far
CVE-2022-23123 (This vulnerability allows remote attackers to disclose sensitive infor ...)
- {DLA-3426-1}
+ {DSA-5503-1 DLA-3426-1}
- netatalk 3.1.13~ds-1
NOTE: https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
NOTE: https://github.com/Netatalk/Netatalk/commit/a6fbccb0f2478108add188df023cfbb7428aac33
@@ -122313,7 +122436,7 @@ CVE-2022-23123 (This vulnerability allows remote attackers to disclose sensitive
NOTE: 3.1.13~ds-2 merged a patch: https://salsa.debian.org/netatalk-team/netatalk/-/commit/9b7e96c9023402d4f7aa49e28e13aef31aeb1caf
NOTE: but not reviewed/merged upstream so far
CVE-2022-23122 (This vulnerability allows remote attackers to execute arbitrary code o ...)
- {DLA-3426-1}
+ {DSA-5503-1 DLA-3426-1}
- netatalk 3.1.13~ds-1
NOTE: https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
NOTE: https://github.com/Netatalk/Netatalk/commit/4a8f6c964d5ca86df27c50e50dc1b60d39c9b76d
@@ -122323,7 +122446,7 @@ CVE-2022-23122 (This vulnerability allows remote attackers to execute arbitrary
NOTE: 3.1.13~ds-2 merged a patch: https://salsa.debian.org/netatalk-team/netatalk/-/commit/9b7e96c9023402d4f7aa49e28e13aef31aeb1caf
NOTE: but not reviewed/merged upstream so far
CVE-2022-23121 (This vulnerability allows remote attackers to execute arbitrary code o ...)
- {DLA-3426-1}
+ {DSA-5503-1 DLA-3426-1}
- netatalk 3.1.13~ds-1
NOTE: https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
NOTE: https://github.com/Netatalk/Netatalk/commit/0c0465e4e85a27105b61b3918df8f8df0565367c
@@ -122369,7 +122492,7 @@ CVE-2022-21217 (An out-of-bounds write vulnerability exists in the device TestEm
CVE-2022-21134 (A firmware update vulnerability exists in the "update" firmw ...)
NOT-FOR-US: Reolink
CVE-2022-0194 (This vulnerability allows remote attackers to execute arbitrary code o ...)
- {DLA-3426-1}
+ {DSA-5503-1 DLA-3426-1}
- netatalk 3.1.13~ds-1
NOTE: https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
NOTE: https://github.com/Netatalk/Netatalk/commit/4a8f6c964d5ca86df27c50e50dc1b60d39c9b76d
@@ -168748,7 +168871,7 @@ CVE-2021-31440 (This vulnerability allows local attackers to escalate privileges
NOTE: https://git.kernel.org/linus/10bf4e83167cc68595b85fd73bb91e8f2c086e36
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-21-503/
CVE-2021-31439 (This vulnerability allows network-adjacent attackers to execute arbitr ...)
- {DLA-3426-1}
+ {DSA-5503-1 DLA-3426-1}
- netatalk 3.1.13~ds-1
NOTE: https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
NOTE: https://github.com/Netatalk/Netatalk/commit/779717df2ed39b701deaf2472b42d59ff50fab7f
@@ -189184,7 +189307,7 @@ CVE-2021-23337 (Lodash versions prior to 4.17.21 are vulnerable to Command Injec
[stretch] - node-lodash <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://snyk.io/vuln/SNYK-JS-LODASH-1040724
CVE-2021-23336 (The package python/cpython from 0 and before 3.6.13, from 3.7.0 and be ...)
- {DLA-3164-1 DLA-2628-1 DLA-2619-1 DLA-2569-1}
+ {DLA-3575-1 DLA-3164-1 DLA-2628-1 DLA-2619-1 DLA-2569-1}
- python-django 2:2.2.19-1 (bug #983090)
- python3.9 3.9.2-1
[buster] - python3.9 <ignored> (Will break existing applications, don't backport to released suites)
@@ -276544,8 +276667,8 @@ CVE-2019-19451 (When GNOME Dia before 2019-11-27 is launched with a filename arg
NOTE: Introduced by: https://gitlab.gnome.org/GNOME/dia/commit/9a5f438d4b3e718c8ab0efe01d08ee2c3a0d9a86
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/dia/commit/baa2df853f9fb770eedcf3d94c7f5becebc90bb9
NOTE: Negligible security impact, hang in end user tool
-CVE-2019-19450
- RESERVED
+CVE-2019-19450 (paraparser in ReportLab before 3.5.31 allows remote code execution bec ...)
+ TODO: check
CVE-2019-19449 (In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image c ...)
- linux <unfixed>
[bookworm] - linux <postponed> (Minor issue, revisit once fixed upstream)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5724df17796a64eaebba352cbd380715c5f4be78
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5724df17796a64eaebba352cbd380715c5f4be78
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20230920/7adfa0ff/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list