[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso (@carnil) carnil at debian.org
Mon Jun 17 21:12:16 BST 2024 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
61865d31 by security tracker role at 2024-06-17T20:11:59+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,4 +1,104 @@
-CVE-2024-36973 [misc: microchip: pci1xxxx: fix double free in the error handling of gp_aux_bus_probe()]
+CVE-2024-6062 (A vulnerability was found in GPAC 2.5-DEV-rev228-g11067ea92-master and ...)
+	TODO: check
+CVE-2024-6061 (A vulnerability has been found in GPAC 2.5-DEV-rev228-g11067ea92-maste ...)
+	TODO: check
+CVE-2024-6059 (A vulnerability, which was classified as problematic, has been found i ...)
+	TODO: check
+CVE-2024-6058 (A vulnerability classified as problematic has been found in LabVantage ...)
+	TODO: check
+CVE-2024-6057 (Improper authentication in the vault password feature in Devolutions R ...)
+	TODO: check
+CVE-2024-6056 (A vulnerability was found in nasirkhan Laravel Starter up to 11.8.0. I ...)
+	TODO: check
+CVE-2024-6055 (Improper removal of sensitive information in data source export featur ...)
+	TODO: check
+CVE-2024-5741 (Stored XSS in inventory tree rendering in Checkmk before 2.3.0p7, 2.2. ...)
+	TODO: check
+CVE-2024-4032 (The \u201cipaddress\u201d module contained incorrect information about ...)
+	TODO: check
+CVE-2024-38470 (zhimengzhe iBarn v1.5 was discovered to contain a reflected cross-site ...)
+	TODO: check
+CVE-2024-38469 (zhimengzhe iBarn v1.5 was discovered to contain a reflected cross-site ...)
+	TODO: check
+CVE-2024-38449 (A Directory Traversal vulnerability in KasmVNC 1.3.1.230e50f7b89663316 ...)
+	TODO: check
+CVE-2024-37902 (DeepJavaLibrary(DJL) is an Engine-Agnostic Deep Learning Framework in  ...)
+	TODO: check
+CVE-2024-37896 (Gin-vue-admin is a backstage management system based on vue and gin. G ...)
+	TODO: check
+CVE-2024-37895 (Lobe Chat is an open-source LLMs/AI chat framework. In affected versio ...)
+	TODO: check
+CVE-2024-37893 (Firefly III is a free and open source personal finance manager. In aff ...)
+	TODO: check
+CVE-2024-37891 (urllib3 is a user-friendly HTTP client library for Python. When using  ...)
+	TODO: check
+CVE-2024-37890 (ws is an open source WebSocket client and server for Node.js. A reques ...)
+	TODO: check
+CVE-2024-37848 (SQL Injection vulnerability in Online-Bookstore-Project-In-PHP v1.0 al ...)
+	TODO: check
+CVE-2024-37840 (SQL injection vulnerability in processscore.php in Itsourcecode Learni ...)
+	TODO: check
+CVE-2024-37795 (A segmentation fault in CVC5 Solver v1.1.3 allows attackers to cause a ...)
+	TODO: check
+CVE-2024-37794 (Improper input validation in CVC5 Solver v1.1.3 allows attackers to ca ...)
+	TODO: check
+CVE-2024-37664 (Redmi router RB03 v1.0.57 is vulnerable to TCP DoS or hijacking attack ...)
+	TODO: check
+CVE-2024-37663 (Redmi router RB03 v1.0.57 is vulnerable to forged ICMP redirect messag ...)
+	TODO: check
+CVE-2024-37662 (TP-LINK TL-7DR5130 v1.0.23 is vulnerable to TCP DoS or hijacking attac ...)
+	TODO: check
+CVE-2024-37661 (TP-LINK TL-7DR5130 v1.0.23 is vulnerable to forged ICMP redirect messa ...)
+	TODO: check
+CVE-2024-37625 (zhimengzhe iBarn v1.5 was discovered to contain a reflected cross-site ...)
+	TODO: check
+CVE-2024-37624 (Xinhu RockOA v2.6.3 was discovered to contain a reflected cross-site s ...)
+	TODO: check
+CVE-2024-37623 (Xinhu RockOA v2.6.3 was discovered to contain a reflected cross-site s ...)
+	TODO: check
+CVE-2024-37622 (Xinhu RockOA v2.6.3 was discovered to contain a reflected cross-site s ...)
+	TODO: check
+CVE-2024-37621 (StrongShop v1.0 was discovered to contain a Server-Side Template Injec ...)
+	TODO: check
+CVE-2024-37620 (PHPVOD v4.0 was discovered to contain a reflected cross-site scripting ...)
+	TODO: check
+CVE-2024-37619 (StrongShop v1.0 was discovered to contain a reflected cross-site scrip ...)
+	TODO: check
+CVE-2024-37305 (oqs-provider is a provider for the OpenSSL 3 cryptography library that ...)
+	TODO: check
+CVE-2024-37159 (Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. ...)
+	TODO: check
+CVE-2024-37158 (Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. ...)
+	TODO: check
+CVE-2024-36583 (A Prototype Pollution issue in byondreal accessor <= 1.0.0 allows an a ...)
+	TODO: check
+CVE-2024-36582 (alexbinary object-deep-assign 1.0.11 is vulnerable to Prototype Pollut ...)
+	TODO: check
+CVE-2024-36581 (A Prototype Pollution issue in abw badger-database 1.2.1 allows an att ...)
+	TODO: check
+CVE-2024-36580 (A Prototype Pollution issue in cdr0 sg 1.0.10 allows an attacker to ex ...)
+	TODO: check
+CVE-2024-36578 (akbr update 1.0.0 is vulnerable to Prototype Pollution via update/inde ...)
+	TODO: check
+CVE-2024-36577 (apphp js-object-resolver < 3.1.1 is vulnerable to Prototype Pollution  ...)
+	TODO: check
+CVE-2024-36575 (A Prototype Pollution issue in getsetprop 1.1.0 allows an attacker to  ...)
+	TODO: check
+CVE-2024-36574 (A Prototype Pollution issue in flatten-json 1.0.1 allows an attacker t ...)
+	TODO: check
+CVE-2024-36573 (almela obx before v.0.0.4 has a Prototype Pollution issue which allows ...)
+	TODO: check
+CVE-2024-36543 (Incorrect access control in the Kafka Connect REST API in the STRIMZI  ...)
+	TODO: check
+CVE-2024-36527 (puppeteer-renderer v.3.2.0 and before is vulnerable to Directory Trave ...)
+	TODO: check
+CVE-2024-1469
+	REJECTED
+CVE-2024-0397 (A defect was discovered in the Python \u201cssl\u201d module where the ...)
+	TODO: check
+CVE-2018-25103 (There exists a use-after-free-vulnerability in lighttpd <= 1.4.50 that ...)
+	TODO: check
+CVE-2024-36973 (In the Linux kernel, the following vulnerability has been resolved:  m ...)
 	- linux <unfixed>
 	[bullseye] - linux <not-affected> (Vulnerable code not present)
 	[buster] - linux <not-affected> (Vulnerable code not present)
@@ -2599,6 +2699,7 @@ CVE-2024-36965 (In the Linux kernel, the following vulnerability has been resolv
 	[buster] - linux <not-affected> (Vulnerable code not present)
 	NOTE: https://git.kernel.org/linus/331f91d86f71d0bb89a44217cc0b2a22810bbd42 (6.10-rc1)
 CVE-2024-5742 (A vulnerability was found in GNU Nano that allows a possible privilege ...)
+	{DLA-3831-1}
 	- nano 8.0-1
 	[bookworm] - nano <no-dsa> (Minor issue)
 	[bullseye] - nano <no-dsa> (Minor issue)
@@ -2823,9 +2924,11 @@ CVE-2024-37385 (Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows
 	- roundcube <not-affected> (Windows-specific)
 	NOTE: https://github.com/roundcube/roundcubemail/commit/5ea9f37ce39374b6124586c0590fec7015d35d7f
 CVE-2024-37384 (Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via l ...)
+	{DLA-3835-1}
 	- roundcube 1.6.7+dfsg-1 (bug #1071474)
 	NOTE: https://github.com/roundcube/roundcubemail/commit/9ca8aa6680c579132e0d1fa59447df8d524ec91c
 CVE-2024-37383 (Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via S ...)
+	{DLA-3835-1}
 	- roundcube 1.6.7+dfsg-1 (bug #1071474)
 	NOTE: https://github.com/roundcube/roundcubemail/commit/ba252dc5e2946506cb8d0b50b2b7bf95ab51876f
 CVE-2024-36823 (The encrypt() function of Ninja Core v7.0.0 was discovered to use a we ...)
@@ -3237,6 +3340,7 @@ CVE-2023-6966 (The The Moneytizer plugin for WordPress is vulnerable to unauthor
 CVE-2023-6956 (The EasyAzon \u2013 Amazon Associates Affiliate Plugin plugin for Word ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2024-5629 (An out-of-bounds read in the 'bson' module of PyMongo 4.6.2 or earlier ...)
+	{DLA-3832-1}
 	- pymongo 4.7.3-1
 	NOTE: https://jira.mongodb.org/browse/PYTHON-4305
 	NOTE: https://github.com/mongodb/mongo-python-driver/pull/1564
@@ -13420,6 +13524,7 @@ CVE-2024-0445 (The The Plus Addons for Elementor plugin for WordPress is vulnera
 CVE-2023-6327 (The ShopLentor (formerly WooLentor) plugin for WordPress is vulnerable ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2024-33655 (The DNS protocol in RFC 1035 and updates allows remote attackers to ca ...)
+	{DLA-3834-1}
 	- unbound 1.20.0-1
 	NOTE: https://nlnetlabs.nl/downloads/unbound/CVE-2024-33655.txt
 	NOTE: Fixed by: https://github.com/NLnetLabs/unbound/commit/c3206f4568f60c486be6d165b1f2b5b254fea3de (release-1.20.0rc1)
@@ -22769,6 +22874,7 @@ CVE-2024-5585 (In PHP versions8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* be
 	NOTE: https://github.com/php/php-src/security/advisories/GHSA-9fcc-425m-g385
 	NOTE: https://github.com/php/php-src/commit/4b15f5d4ec750b31ec8911f5eb0915a45f96feca
 CVE-2024-5458 (In PHP versions8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before  ...)
+	{DLA-3833-1}
 	- php8.2 <unfixed> (bug #1072885)
 	- php7.4 <removed>
 	- php7.3 <removed>
@@ -37835,7 +37941,7 @@ CVE-2024-23136 (A maliciously crafted STP file in ASMKERN228A.dll when parsed th
 	NOT-FOR-US: Autodesk
 CVE-2024-23135 (A maliciously crafted SLDPRT file in ASMkern228A.dll when parsed throu ...)
 	NOT-FOR-US: Autodesk
-CVE-2024-23134 (A maliciously crafted IGS or IGES file in tbb.dll when parsed through  ...)
+CVE-2024-23134 (A maliciously crafted IGS file in tbb.dll when parsed through Autodesk ...)
 	NOT-FOR-US: Autodesk
 CVE-2024-23133 (A maliciously crafted STP file in ASMDATAX228A.dll when parsed through ...)
 	NOT-FOR-US: Autodesk
@@ -135864,7 +135970,7 @@ CVE-2022-3343 (The WPQA Builder WordPress plugin before 5.9.3 (which is a compan
 CVE-2022-3342 (The Jetpack CRM plugin for WordPress is vulnerable to PHAR deserializa ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2022-3341 (A null pointer dereference issue was discovered in 'FFmpeg' in decode_ ...)
-	{DLA-3454-1}
+	{DSA-5394-1 DLA-3454-1}
 	- ffmpeg 7:5.1-1
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2157054
 	NOTE: https://github.com/FFmpeg/FFmpeg/commit/9cf652cef49d74afe3d454f27d49eb1a1394951e (n5.1)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61865d31a9aadaf1b37f7be0970e2d109058f9ec

-- 
This project does not include diff previews in email notifications.
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61865d31a9aadaf1b37f7be0970e2d109058f9ec
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20240617/d18b5278/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list