[Git][security-tracker-team/security-tracker][master] automatic update

Tue Jan 23 20:13:41 GMT 2024


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ff81e261 by security tracker role at 2024-01-23T20:13:30+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,79 +1,161 @@
-CVE-2024-0755
+CVE-2024-23854
+	REJECTED
+CVE-2024-23851 (copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 ...)
+	TODO: check
+CVE-2024-23850 (In btrfs_get_root_ref in fs/btrfs/disk-io.c in the Linux kernel throug ...)
+	TODO: check
+CVE-2024-23849 (In rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel thro ...)
+	TODO: check
+CVE-2024-23848 (In the Linux kernel through 6.7.1, there is a use-after-free in cec_qu ...)
+	TODO: check
+CVE-2024-23636 (SOFARPC is a Java RPC framework. SOFARPC defaults to using the SOFA He ...)
+	TODO: check
+CVE-2024-23348 (Improper input validation vulnerability in a-blog cms Ver.3.1.x series ...)
+	TODO: check
+CVE-2024-23341 (TuiTse-TsuSin is a package for organizing the comparative corpus of Ta ...)
+	TODO: check
+CVE-2024-23330 (Tuta is an encrypted email service. In versions prior to 119.10, an at ...)
+	TODO: check
+CVE-2024-23183 (Cross-site scripting vulnerability in a-blog cms Ver.3.1.x series vers ...)
+	TODO: check
+CVE-2024-23182 (Relative path traversal vulnerability in a-blog cms Ver.3.1.x series v ...)
+	TODO: check
+CVE-2024-23181 (Cross-site scripting vulnerability in a-blog cms Ver.3.1.x series vers ...)
+	TODO: check
+CVE-2024-23180 (Improper input validation vulnerability in a-blog cms Ver.3.1.x series ...)
+	TODO: check
+CVE-2024-22705 (An issue was discovered in ksmbd in the Linux kernel before 6.6.10. sm ...)
+	TODO: check
+CVE-2024-22663 (TOTOLINK_A3700R_V9.1.2u.6165_20211012has a command Injection vulnerabi ...)
+	TODO: check
+CVE-2024-22662 (TOTOLINK A3700R_V9.1.2u.6165_20211012 has a stack overflow vulnerabili ...)
+	TODO: check
+CVE-2024-22660 (TOTOLINK_A3700R_V9.1.2u.6165_20211012has a stack overflow vulnerabilit ...)
+	TODO: check
+CVE-2024-22497 (Cross Site Scripting (XSS) vulnerability in /admin/login password para ...)
+	TODO: check
+CVE-2024-22496 (Cross Site Scripting (XSS) vulnerability in JFinalcms 5.0.0 allows att ...)
+	TODO: check
+CVE-2024-22490 (Cross Site Scripting (XSS) vulnerability in beetl-bbs 2.0 allows attac ...)
+	TODO: check
+CVE-2024-22417 (Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 a ...)
+	TODO: check
+CVE-2024-22205 (Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 a ...)
+	TODO: check
+CVE-2024-22204 (Whoogle Search is a self-hosted metasearch engine. Versions 0.8.3 and  ...)
+	TODO: check
+CVE-2024-22203 (Whoogle Search is a self-hosted metasearch engine. In versions prior t ...)
+	TODO: check
+CVE-2024-22076 (MyQ Print Server before 8.2 patch 43 allows Unauthenticated Remote Cod ...)
+	TODO: check
+CVE-2024-0703 (The Sticky Buttons \u2013 floating buttons builder plugin for WordPres ...)
+	TODO: check
+CVE-2023-7238 (A XSS payload can be uploaded as a DICOM study and when a user tries t ...)
+	TODO: check
+CVE-2023-6926 (There is an OS command injection vulnerability in Crestron AM-300 firm ...)
+	TODO: check
+CVE-2023-6573 (HPE OneView may have a missing passphrase during restore.)
+	TODO: check
+CVE-2023-51210 (SQL injection vulnerability in Webkul Bundle Product 6.0.1 allows a re ...)
+	TODO: check
+CVE-2023-51043 (In the Linux kernel before 6.4.5, drivers/gpu/drm/drm_atomic.c has a u ...)
+	TODO: check
+CVE-2023-51042 (In the Linux kernel before 6.4.12, amdgpu_cs_wait_all_fences in driver ...)
+	TODO: check
+CVE-2023-50275 (HPE OneView may allow clusterService Authentication Bypass resulting i ...)
+	TODO: check
+CVE-2023-50274 (HPE OneView may allow command injection with local privilege escalatio ...)
+	TODO: check
+CVE-2023-49783 (Silverstripe Admin provides a basic management interface for the Silve ...)
+	TODO: check
+CVE-2023-49657 (A stored cross-site scripting (XSS) vulnerability exists in Apache Sup ...)
+	TODO: check
+CVE-2023-48714 (Silverstripe Framework is the framework that forms the base of the Sil ...)
+	TODO: check
+CVE-2023-46343 (In the Linux kernel before 6.5.9, there is a NULL pointer dereference  ...)
+	TODO: check
+CVE-2023-45889 (A Universal Cross Site Scripting (UXSS) vulnerability in ClassLink One ...)
+	TODO: check
+CVE-2023-44401 (The Silverstripe CMS GraphQL Server serves Silverstripe data as GraphQ ...)
+	TODO: check
+CVE-2023-42143 (Missing Integrity Check in Shelly TRV 20220811-152343/v2.1.8 at 5afc928c  ...)
+	TODO: check
+CVE-2024-0755 (Memory safety bugs present in Firefox 121, Firefox ESR 115.6, and Thun ...)
 	- firefox <unfixed>
 	- firefox-esr <unfixed>
 	- thunderbird <unfixed>
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0755
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0755
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0755
-CVE-2024-0754
+CVE-2024-0754 (Some WASM source files could have caused a crash when loaded in devtoo ...)
 	- firefox <unfixed>
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0754
-CVE-2024-0753
+CVE-2024-0753 (In specific HSTS configurations an attacker could have bypassed HSTS o ...)
 	- firefox <unfixed>
 	- firefox-esr <unfixed>
 	- thunderbird <unfixed>
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0753
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0753
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0753
-CVE-2024-0752
+CVE-2024-0752 (A use-after-free crash could have occurred on macOS if a Firefox updat ...)
 	- firefox <not-affected> (Only affects Firefox on MacOS)
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0752
-CVE-2024-0751
+CVE-2024-0751 (A malicious devtools extension could have been used to escalate privil ...)
 	- firefox <unfixed>
 	- firefox-esr <unfixed>
 	- thunderbird <unfixed>
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0751
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0751
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0751
-CVE-2024-0750
+CVE-2024-0750 (A bug in popup notifications delay calculation could have made it poss ...)
 	- firefox <unfixed>
 	- firefox-esr <unfixed>
 	- thunderbird <unfixed>
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0750
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0750
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0750
-CVE-2024-0749
+CVE-2024-0749 (A phishing site could have repurposed an `about:` dialog to show phish ...)
 	- firefox <unfixed>
 	- firefox-esr <unfixed>
 	- thunderbird <unfixed>
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0749
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0749
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0749
-CVE-2024-0748
+CVE-2024-0748 (A compromised content process could have updated the document URI. Thi ...)
 	- firefox <unfixed>
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0748
-CVE-2024-0747
+CVE-2024-0747 (When a parent page loaded a child in an iframe with `unsafe-inline`, t ...)
 	- firefox <unfixed>
 	- firefox-esr <unfixed>
 	- thunderbird <unfixed>
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0747
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0747
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0747
-CVE-2024-0746
+CVE-2024-0746 (A Linux user opening the print preview dialog could have caused the br ...)
 	- firefox <unfixed>
 	- firefox-esr <unfixed>
 	- thunderbird <unfixed>
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0746
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0746
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0746
-CVE-2024-0745
+CVE-2024-0745 (The WebAudio `OscillatorNode` object was susceptible to a stack buffer ...)
 	- firefox <unfixed>
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0745
-CVE-2024-0744
+CVE-2024-0744 (In some circumstances, JIT compiled code could have dereferenced a wil ...)
 	- firefox <unfixed>
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0744
-CVE-2024-0743
+CVE-2024-0743 (An unchecked return value in TLS handshake code could have caused a po ...)
 	- firefox <unfixed>
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0743
 	TODO: check src:nss
-CVE-2024-0742
+CVE-2024-0742 (It was possible for certain browser prompts and dialogs to be activate ...)
 	- firefox <unfixed>
 	- firefox-esr <unfixed>
 	- thunderbird <unfixed>
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0742
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0742
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0742
-CVE-2024-0741
+CVE-2024-0741 (An out of bounds write in ANGLE could have allowed an attacker to corr ...)
 	- firefox <unfixed>
 	- firefox-esr <unfixed>
 	- thunderbird <unfixed>
@@ -1344,18 +1426,21 @@ CVE-2023-6395 (The Mock software contains a vulnerability wherein an attacker co
 	NOTE: Fixed by: https://github.com/xsuchy/templated-dictionary/commit/bcd90f0dafa365575c4b101e6f5d98c4ef4e4b69 (python-templated-dictionary-1.4-1)
 	NOTE: Fixed by: https://github.com/xsuchy/templated-dictionary/commit/0740bd0ca8d487301881541028977d120f8b8933 (python-templated-dictionary-1.4-1)
 CVE-2024-0408 (A flaw was found in the X.Org server. The GLX PBuffer code does not ca ...)
+	{DSA-5603-1}
 	- xorg-server 2:21.1.11-1
 	- xwayland 2:23.2.4-1
 	[bookworm] - xwayland <no-dsa> (Minor issue; Xwayland shouldn't be running as root)
 	NOTE: https://lists.x.org/archives/xorg/2024-January/061525.html
 	NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/e5e8586a12a3ec915673edffa10dc8fe5e15dac3
 CVE-2024-0409 (A flaw was found in the X.Org server. The cursor code in both Xephyr a ...)
+	{DSA-5603-1}
 	- xorg-server 2:21.1.11-1
 	- xwayland 2:23.2.4-1
 	[bookworm] - xwayland <no-dsa> (Minor issue; Xwayland shouldn't be running as root)
 	NOTE: https://lists.x.org/archives/xorg/2024-January/061525.html
 	NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7
 CVE-2024-21886 [Heap buffer overflow in DisableDevice]
+	{DSA-5603-1}
 	- xorg-server 2:21.1.11-1
 	- xwayland 2:23.2.4-1
 	[bookworm] - xwayland <no-dsa> (Minor issue; Xwayland shouldn't be running as root)
@@ -1364,12 +1449,14 @@ CVE-2024-21886 [Heap buffer overflow in DisableDevice]
 	NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8
 	NOTE: Regression: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1623
 CVE-2024-21885 [Heap buffer overflow in XISendDeviceHierarchyEvent]
+	{DSA-5603-1}
 	- xorg-server 2:21.1.11-1
 	- xwayland 2:23.2.4-1
 	[bookworm] - xwayland <no-dsa> (Minor issue; Xwayland shouldn't be running as root)
 	NOTE: https://lists.x.org/archives/xorg/2024-January/061525.html
 	NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/4a5e9b1895627d40d26045bd0b7ef3dce503cbd1
 CVE-2024-0229 [Reattaching to different master device may lead to out-of-bounds memory access]
+	{DSA-5603-1}
 	- xorg-server 2:21.1.11-1
 	- xwayland 2:23.2.4-1
 	[bookworm] - xwayland <no-dsa> (Minor issue; Xwayland shouldn't be running as root)
@@ -1378,6 +1465,7 @@ CVE-2024-0229 [Reattaching to different master device may lead to out-of-bounds
 	NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/219c54b8a3337456ce5270ded6a67bcde53553d5
 	NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/df3c65706eb169d5938df0052059f3e0d5981b74
 CVE-2023-6816 (A flaw was found in X.Org server. Both DeviceFocusEvent and the XIQuer ...)
+	{DSA-5603-1}
 	- xorg-server 2:21.1.11-1
 	- xwayland 2:23.2.4-1
 	[bookworm] - xwayland <no-dsa> (Minor issue; Xwayland shouldn't be running as root)
@@ -2203,6 +2291,7 @@ CVE-2023-4246 (The GiveWP plugin for WordPress is vulnerable to Cross-Site Reque
 CVE-2022-4958 (A vulnerability classified as problematic has been found in qkmc-rk re ...)
 	NOT-FOR-US: qkmc-rk redbbs
 CVE-2024-22195 (Jinja is an extensible templating engine. Special placeholders in the  ...)
+	{DLA-3715-1}
 	- jinja2 <unfixed> (bug #1060748)
 	NOTE: https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95
 	NOTE: Fixed by: https://github.com/pallets/jinja/commit/7dd3680e6eea0d77fde024763657aa4d884ddb23 (3.1.3)
@@ -3580,6 +3669,7 @@ CVE-2024-22075 (Firefly III (aka firefly-iii) before 6.1.1 allows webhooks HTML
 CVE-2024-22050 (Path traversal in the static file service in Iodine less than 0.7.33 a ...)
 	NOT-FOR-US: Iodine (not the same as src:iodine)
 CVE-2024-22049 (httparty before 0.21.0 is vulnerable to an assumed-immutable web param ...)
+	{DLA-3716-1}
 	- ruby-httparty 0.21.0-1
 	NOTE: https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42
 	NOTE: https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e (v0.21.0)
@@ -26620,7 +26710,7 @@ CVE-2023-4409 (A vulnerability, which was classified as critical, has been found
 	NOT-FOR-US: NBS&HappySoftWeChat
 CVE-2023-4407 (A vulnerability classified as critical was found in Codecanyon Credit  ...)
 	NOT-FOR-US: Codecanyon Credit Lite
-CVE-2023-40072 (OS command injection vulnerability in WAB-S600-PS all versions, and WA ...)
+CVE-2023-40072 (OS command injection vulnerability in ELECOM network devices allows an ...)
 	NOT-FOR-US: WAB-S600-PS
 CVE-2023-40069 (OS command injection vulnerability in ELECOM wireless LAN routers allo ...)
 	NOT-FOR-US: ELECOM wireless LAN routers
@@ -220621,7 +220711,7 @@ CVE-2021-20337 (IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 8 and 7.4.0 to 7.4.3 GA use
 	NOT-FOR-US: IBM
 CVE-2021-20336 (IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to stored cross-sit ...)
 	NOT-FOR-US: IBM
-CVE-2021-20335 (For MongoDB Ops Manager <= 4.2.24 with multiple OM application servers ...)
+CVE-2021-20335 (For MongoDB Ops Manager versions prior to and including 4.2.24 with mu ...)
 	NOT-FOR-US: MongoDB Ops Manager
 CVE-2021-20334 (A malicious 3rd party with local access to the Windows machine where M ...)
 	NOT-FOR-US: MongoDB Compass



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff81e2612dfad70ea6ab0480af52992a5f944426

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff81e2612dfad70ea6ab0480af52992a5f944426
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20240123/2a0abb0a/attachment.htm>
