[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso (@carnil) carnil at debian.org
Fri Jan 5 08:12:24 GMT 2024 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d5a4a21b by security tracker role at 2024-01-05T08:12:10+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,4 +1,38 @@
-CVE-2024-22051 [integer overflow in cmark-gfm's table row parsing may lead to heap memory corruption]
+CVE-2024-22088 (Lotos WebServer through 0.1.1 (commit 3eb36cc) has a use-after-free in ...)
+	TODO: check
+CVE-2024-22087 (route in main.c in Pico HTTP Server in C through f3b69a6 has an sprint ...)
+	TODO: check
+CVE-2024-22086 (handle_request in http.c in cherry through 4b877df has an sscanf stack ...)
+	TODO: check
+CVE-2024-22075 (Firefly III (aka firefly-iii) before 6.1.1 allows webhooks HTML Inject ...)
+	TODO: check
+CVE-2024-22050 (Path traversal in the static file service in Iodine less than 0.7.33 a ...)
+	TODO: check
+CVE-2024-22049 (httparty before 0.21.0 is vulnerable to an assumed-immutable web param ...)
+	TODO: check
+CVE-2024-22048 (govuk_tech_docs versions from 2.0.2 to before 3.3.1 are vulnerable to  ...)
+	TODO: check
+CVE-2024-21636 (view_component is a framework for building reusable, testable, and enc ...)
+	TODO: check
+CVE-2024-0241 (encoded_id-rails versions before 1.0.0.beta2 are affected by an uncont ...)
+	TODO: check
+CVE-2023-6493 (The Depicter Slider \u2013 Responsive Image Slider, Video Slider & Pos ...)
+	TODO: check
+CVE-2023-52323 (PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakag ...)
+	TODO: check
+CVE-2023-52184 (Cross-Site Request Forgery (CSRF) vulnerability in WP Job Portal WP Jo ...)
+	TODO: check
+CVE-2023-52178 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2023-52150 (Cross-Site Request Forgery (CSRF) vulnerability in Ovation S.R.L. Dyna ...)
+	TODO: check
+CVE-2023-51502 (Authorization Bypass Through User-Controlled Key vulnerability in WooC ...)
+	TODO: check
+CVE-2023-51277 (nbviewer-app (aka Jupyter Notebook Viewer) before 0.1.6 has the get-ta ...)
+	TODO: check
+CVE-2023-41782 (There is a DLL hijacking vulnerability in ZTE ZXCLOUD iRAI, an attacke ...)
+	TODO: check
+CVE-2024-22051 (CommonMarker versions prior to 0.23.4 are at risk of an integer overfl ...)
 	- ruby-commonmarker 0.23.4-1
 	[bullseye] - ruby-commonmarker <no-dsa> (Minor issue)
 	[buster] - ruby-commonmarker <no-dsa> (Minor issue)
@@ -7,7 +41,7 @@ CVE-2024-22051 [integer overflow in cmark-gfm's table row parsing may lead to he
 	NOTE: https://github.com/gjtorikian/commonmarker/commit/ab4504fd17460627a6ab255bc3c63e8e5fc6aed3 (v0.23.4)
 	NOTE: This is a specific CVE assignment for the issue covered in CVE-2022-24724
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2256887
-CVE-2024-22047
+CVE-2024-22047 (A race condition exists in Audited 4.0.0 to 5.3.3 that can result in a ...)
 	NOT-FOR-US: audited ruby gem
 CVE-2024-21625 (SideQuest is a place to get virtual reality applications for Oculus Qu ...)
 	NOT-FOR-US: SideQuest
@@ -1498,6 +1532,7 @@ CVE-2023-51767 (OpenSSH through 9.6, when common types of DRAM are used, might a
 	[buster] - openssh <postponed> (Revisit once hardening/mitigation for Rowhammer type of attack exists)
 	NOTE: https://arxiv.org/abs/2309.02545
 CVE-2023-51766 (Exim before 4.97.1 allows SMTP smuggling in certain PIPELINING/CHUNKIN ...)
+	{DSA-5597-1}
 	- exim4 4.97-3 (bug #1059387)
 	NOTE: https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
 	NOTE: https://www.openwall.com/lists/oss-security/2023/12/21/6
@@ -3637,7 +3672,7 @@ CVE-2023-49820 (Improper Neutralization of Input During Web Page Generation ('Cr
 CVE-2023-49813 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2023-49786 (Asterisk is an open source private branch exchange and telephony toolk ...)
-	{DLA-3696-1}
+	{DSA-5596-1 DLA-3696-1}
 	- asterisk 1:20.5.1~dfsg+~cs6.13.40431414-1 (bug #1059033)
 	NOTE: https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq
 	NOTE: https://github.com/asterisk/asterisk/commit/d7d7764cb07c8a1872804321302ef93bf62cba05
@@ -3661,7 +3696,7 @@ CVE-2023-49708 (SQLi vulnerability in Starshop component for Joomla.)
 CVE-2023-49707 (SQLi vulnerability in S5 Register module for Joomla.)
 	NOT-FOR-US: Joomla module
 CVE-2023-49294 (Asterisk is an open source private branch exchange and telephony toolk ...)
-	{DLA-3696-1}
+	{DSA-5596-1 DLA-3696-1}
 	- asterisk 1:20.5.1~dfsg+~cs6.13.40431414-1 (bug #1059032)
 	NOTE: https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f
 	NOTE: https://github.com/asterisk/asterisk/commit/424be345639d75c6cb7d0bd2da5f0f407dbd0bd5
@@ -3782,7 +3817,7 @@ CVE-2023-40628 (A reflected XSS vulnerability was discovered in the Extplorer co
 CVE-2023-40627 (A reflected XSS vulnerability was discovered in the LivingWord compone ...)
 	NOT-FOR-US: Joomla module
 CVE-2023-37457 (Asterisk is an open source private branch exchange and telephony toolk ...)
-	{DLA-3696-1}
+	{DSA-5596-1 DLA-3696-1}
 	- asterisk <unfixed> (bug #1059303)
 	NOTE: https://github.com/asterisk/asterisk/security/advisories/GHSA-98rc-4j27-74hh
 	NOTE: https://github.com/asterisk/asterisk/commit/a1ca0268254374b515fa5992f01340f7717113fa
@@ -15835,7 +15870,7 @@ CVE-2023-40008 (Cross-Site Request Forgery (CSRF) vulnerability in Gangesh Matta
 CVE-2023-3725 (Potential buffer overflow vulnerability in the Zephyr CAN bus subsyste ...)
 	NOT-FOR-US: Zephyr RTOS (unrelated to src:zephyr)
 CVE-2023-38703 (PJSIP is a free and open source multimedia communication library writt ...)
-	{DLA-3696-1}
+	{DSA-5596-1 DLA-3696-1}
 	- asterisk <unfixed> (bug #1059303)
 	- pjproject <removed>
 	- ring <unfixed> (bug #1059307)
@@ -141694,6 +141729,7 @@ CVE-2022-22997 (Addressed a remote code execution vulnerability by resolving a c
 CVE-2022-22996 (The G-RAID 4/8 Software Utility setups for Windows were affected by a  ...)
 	NOT-FOR-US: Western Digital Windows setup
 CVE-2022-22995 (The combination of primitives offered by SMB and AFP in their default  ...)
+	{DLA-3706-1}
 	- netatalk 3.1.18~ds-1 (bug #1053545)
 	[bullseye] - netatalk <no-dsa> (Minor issue)
 	NOTE: https://netatalk.sourceforge.io/CVE-2022-22995.php
@@ -261896,10 +261932,10 @@ CVE-2020-13881 (In support.c in pam_tacplus 1.3.8 through 1.5.1, the TACACS+ sha
 	NOTE: https://github.com/kravietz/pam_tacplus/issues/149
 CVE-2020-13880
 	RESERVED
-CVE-2020-13879
-	RESERVED
-CVE-2020-13878
-	RESERVED
+CVE-2020-13879 (IrfanView B3D PlugIns before version 4.56 has a B3d.dll!+214f heap-bas ...)
+	TODO: check
+CVE-2020-13878 (IrfanView B3D PlugIns before version 4.56 has a B3d.dll!+27ef heap-bas ...)
+	TODO: check
 CVE-2020-13877 (SQL Injection issues in various ASPX pages of ResourceXpress Meeting M ...)
 	NOT-FOR-US: ResourceXpress Meeting Monitor
 CVE-2020-13876
@@ -517096,7 +517132,7 @@ CVE-2015-1030 (Memory leak in the rfc2553_connect_to function in jbsocket.c in P
 	[wheezy] - privoxy <not-affected> (Introduced in 3.0.21)
 	NOTE: http://www.privoxy.org/announce.txt
 	NOTE: http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/cgisimple.c?view=patch&r1=1.130&r2=1.131&pathrev=v_3_0_22
-CVE-2023-7207 [Path traversal vulnerability due to partial revert of fix for CVE-2015-1197]
+CVE-2023-7207 (Debian's cpio contains a path traversal vulnerability. This issue was  ...)
 	- cpio 2.14+dfsg-1 (bug #1059163)
 	[bookworm] - cpio <no-dsa> (Minor issue)
 	[bullseye] - cpio <no-dsa> (Minor issue)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5a4a21be33fea2fca1a88e55961c969eb61d622

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5a4a21be33fea2fca1a88e55961c969eb61d622
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20240105/98dd77ed/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list