[Git][security-tracker-team/security-tracker][master] 5 commits: Drop bookworm entries for phppgadmin (removed from bookworm)
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sat Jun 29 09:46:16 BST 2024
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
96e4734e by Salvatore Bonaccorso at 2024-06-28T23:22:43+02:00
Drop bookworm entries for phppgadmin (removed from bookworm)
- - - - -
5867f8e8 by Salvatore Bonaccorso at 2024-06-28T23:22:43+02:00
Merge fix for tryton-server via bookworm 12.6
- - - - -
fcd29194 by Salvatore Bonaccorso at 2024-06-28T23:22:44+02:00
Merge fix for ngircd via bookworm 12.6 point release
- - - - -
fe38e1ce by Salvatore Bonaccorso at 2024-06-28T23:22:44+02:00
Merge changes for updates with CVEs via bookworm 12.6
- - - - -
c6d104e2 by Salvatore Bonaccorso at 2024-06-29T08:45:52+00:00
Merge branch 'bookworm-12.6' into 'master'
Merge changes accepted for bookworm 12.6 release
See merge request security-tracker-team/security-tracker!180
- - - - -
2 changed files:
- data/CVE/list
- data/next-point-update.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -6039,7 +6039,7 @@ CVE-2024-36965 (In the Linux kernel, the following vulnerability has been resolv
CVE-2024-5742 (A vulnerability was found in GNU Nano that allows a possible privilege ...)
{DLA-3831-1}
- nano 8.0-1
- [bookworm] - nano <no-dsa> (Minor issue)
+ [bookworm] - nano 7.2-1+deb12u1
[bullseye] - nano <no-dsa> (Minor issue)
NOTE: Introduced by: https://git.savannah.gnu.org/cgit/nano.git/commit/?id=123110c5dc3e0d8c60a4ff0121056e301f503706 (v2.1.99pre2)
NOTE: Fixed by: https://git.savannah.gnu.org/cgit/nano.git/commit/?id=5e7a3c2e7e118c7f12d5dfda9f9140f638976aa2 (v8.0)
@@ -6073,7 +6073,7 @@ CVE-2023-49223 (Precor touchscreen console P62, P80, and P82 could allow a remot
NOT-FOR-US: Precor touchscreen console
CVE-2024-0092 (NVIDIA GPU Driver for Windows and Linux contains a vulnerability where ...)
- nvidia-graphics-drivers 535.183.01-1 (bug #1072792)
- [bookworm] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ [bookworm] - nvidia-graphics-drivers 535.183.01-1~deb12u1
[bullseye] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-legacy-340xx <unfixed> (bug #1072793)
[buster] - nvidia-graphics-drivers-legacy-340xx <ignored> (Non-free not supported, no updates provided by Nvidia anymore)
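Review bot: nvidia-graphics-drivers-legacy-340xx stays `<unfixed>` in this hunk with only a buster `<ignored>` line in view; if the entry has no bookworm or bullseye line for the legacy driver, those suites will display it as plainly unfixed instead of carrying the "no updates provided by Nvidia anymore" rationale that buster has. Now that the 535 series gets a real bookworm version (535.183.01-1~deb12u1), the legacy package is the one that will stand out, so its bookworm/bullseye status deserves an explicit tag of the kind buster already uses.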
@@ -6088,12 +6088,12 @@ CVE-2024-0092 (NVIDIA GPU Driver for Windows and Linux contains a vulnerability
[bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported)
NOTE: 460.106.00-3 turned the package into a metapackage to aid switching to nvidia-graphics-drivers-tesla-470
- nvidia-graphics-drivers-tesla-470 470.256.02-1 (bug #1072798)
- [bookworm] - nvidia-graphics-drivers-tesla-470 <no-dsa> (Non-free not supported)
+ [bookworm] - nvidia-graphics-drivers-tesla-470 470.256.02-1~deb12u1
[bullseye] - nvidia-graphics-drivers-tesla-470 <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla <unfixed> (bug #1072799)
[bookworm] - nvidia-graphics-drivers-tesla <no-dsa> (Non-free not supported)
- nvidia-open-gpu-kernel-modules 535.183.01-1 (bug #1072800)
- [bookworm] - nvidia-open-gpu-kernel-modules <no-dsa> (Contrib not supported)
+ [bookworm] - nvidia-open-gpu-kernel-modules 535.183.01-1~deb12u1
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5551
CVE-2024-0091 (NVIDIA GPU Display Driver for Windows and Linux contains a vulnerabili ...)
- nvidia-graphics-drivers <not-affected> (Vulnerable code not present in 535 series)
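Review bot: the retained `[bookworm] - nvidia-graphics-drivers-tesla <no-dsa> (Non-free not supported)` line now sits beside three sibling non-free packages that received bookworm versions in this very hunk, so "Non-free not supported" no longer explains why tesla is treated differently. The actual reason visible here is that nvidia-graphics-drivers-tesla is `<unfixed>` in unstable (bug #1072799); rewording the bookworm rationale to say that, e.g. `(No fixed version available yet)`, would stop readers from reading the old text as policy.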
@@ -6101,7 +6101,7 @@ CVE-2024-0091 (NVIDIA GPU Display Driver for Windows and Linux contains a vulner
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5551
CVE-2024-0090 (NVIDIA GPU driver for Windows and Linux contains a vulnerability where ...)
- nvidia-graphics-drivers 535.183.01-1 (bug #1072792)
- [bookworm] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ [bookworm] - nvidia-graphics-drivers 535.183.01-1~deb12u1
[bullseye] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-legacy-340xx <unfixed> (bug #1072793)
[buster] - nvidia-graphics-drivers-legacy-340xx <ignored> (Non-free not supported, no updates provided by Nvidia anymore)
@@ -6116,12 +6116,12 @@ CVE-2024-0090 (NVIDIA GPU driver for Windows and Linux contains a vulnerability
[bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported)
NOTE: 460.106.00-3 turned the package into a metapackage to aid switching to nvidia-graphics-drivers-tesla-470
- nvidia-graphics-drivers-tesla-470 470.256.02-1 (bug #1072798)
- [bookworm] - nvidia-graphics-drivers-tesla-470 <no-dsa> (Non-free not supported)
+ [bookworm] - nvidia-graphics-drivers-tesla-470 470.256.02-1~deb12u1
[bullseye] - nvidia-graphics-drivers-tesla-470 <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla <unfixed> (bug #1072799)
[bookworm] - nvidia-graphics-drivers-tesla <no-dsa> (Non-free not supported)
- nvidia-open-gpu-kernel-modules 535.183.01-1 (bug #1072800)
- [bookworm] - nvidia-open-gpu-kernel-modules <no-dsa> (Contrib not supported)
+ [bookworm] - nvidia-open-gpu-kernel-modules 535.183.01-1~deb12u1
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5551
CVE-2024-5761
REJECTED
@@ -6679,7 +6679,7 @@ CVE-2023-6956 (The EasyAzon \u2013 Amazon Associates Affiliate Plugin plugin for
CVE-2024-5629 (An out-of-bounds read in the 'bson' module of PyMongo 4.6.2 or earlier ...)
{DLA-3832-1}
- pymongo 4.7.3-1
- [bookworm] - pymongo <no-dsa> (Minor issue)
+ [bookworm] - pymongo 3.11.0-1+deb12u1
[bullseye] - pymongo <no-dsa> (Minor issue)
NOTE: https://jira.mongodb.org/browse/PYTHON-4305
NOTE: https://github.com/mongodb/mongo-python-driver/pull/1564
@@ -13295,7 +13295,7 @@ CVE-2024-36043 (question_image.ts in SurveyJS Form Library before 1.10.4 allows
NOT-FOR-US: SurveyJS Form Library
CVE-2024-34083 (aiosmptd is a reimplementation of the Python stdlib smtpd.py based on ...)
- python-aiosmtpd 1.4.6-1 (bug #1072119)
- [bookworm] - python-aiosmtpd <no-dsa> (Minor issue)
+ [bookworm] - python-aiosmtpd 1.4.3-1.1+deb12u1
[bullseye] - python-aiosmtpd <no-dsa> (Minor issue)
[buster] - python-aiosmtpd <postponed> (Minor issue)
NOTE: https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8
@@ -14658,28 +14658,28 @@ CVE-2024-21823 (Hardware logic with insecure de-synchronization in Intel(R) DSA
NOTE: https://git.kernel.org/linus/6827738dc684a87ad54ebba3ae7f3d7c977698eb (6.10-rc1)
CVE-2023-47855 (Improper input validation in some Intel(R) TDX module software before ...)
- intel-microcode 3.20240514.1
- [bookworm] - intel-microcode <no-dsa> (Minor issue; can be fixed in point release)
+ [bookworm] - intel-microcode 3.20240514.1~deb12u1
[bullseye] - intel-microcode <no-dsa> (Minor issue; can be fixed in point release)
[buster] - intel-microcode <postponed> (Minor issue; can be fixed in next update)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01036.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240514
CVE-2023-45745 (Improper input validation in some Intel(R) TDX module software before ...)
- intel-microcode 3.20240514.1
- [bookworm] - intel-microcode <no-dsa> (Minor issue; can be fixed in point release)
+ [bookworm] - intel-microcode 3.20240514.1~deb12u1
[bullseye] - intel-microcode <no-dsa> (Minor issue; can be fixed in point release)
[buster] - intel-microcode <postponed> (Minor issue; can be fixed in next update)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01036.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240514
CVE-2023-46103 (Sequence of processor instructions leads to unexpected behavior in Int ...)
- intel-microcode 3.20240514.1
- [bookworm] - intel-microcode <no-dsa> (Minor issue; can be fixed in point release)
+ [bookworm] - intel-microcode 3.20240514.1~deb12u1
[bullseye] - intel-microcode <no-dsa> (Minor issue; can be fixed in point release)
[buster] - intel-microcode <postponed> (Minor issue; can be fixed in next update)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01052.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240514
CVE-2023-45733 (Hardware logic contains race conditions in some Intel(R) Processors ma ...)
- intel-microcode 3.20240514.1
- [bookworm] - intel-microcode <no-dsa> (Minor issue; can be fixed in point release)
+ [bookworm] - intel-microcode 3.20240514.1~deb12u1
[bullseye] - intel-microcode <no-dsa> (Minor issue; can be fixed in point release)
[buster] - intel-microcode <postponed> (Minor issue; can be fixed in next update)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01051.html
@@ -19010,14 +19010,14 @@ CVE-2023-50231 (NETGEAR ProSAFE Network Management System saveNodeLabel Cross-Si
NOT-FOR-US: Netgear
CVE-2023-50230 (BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code ...)
- bluez 5.70-1
- [bookworm] - bluez <no-dsa> (Minor issue)
+ [bookworm] - bluez 5.66-1+deb12u2
[bullseye] - bluez <no-dsa> (Minor issue)
[buster] - bluez <postponed> (Minor issue; can be fixed in next update)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1812/
NOTE: https://github.com/bluez/bluez/commit/5ab5352531a9cc7058cce569607f3a6831464443 (5.70)
CVE-2023-50229 (BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code ...)
- bluez 5.70-1
- [bookworm] - bluez <no-dsa> (Minor issue)
+ [bookworm] - bluez 5.66-1+deb12u2
[bullseye] - bluez <no-dsa> (Minor issue)
[buster] - bluez <postponed> (Minor issue; can be fixed in next update)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1811/
@@ -21882,7 +21882,7 @@ CVE-2024-1905 (The Smart Forms WordPress plugin before 2.6.96 does not sanitise
CVE-2023-52723 (In KDE libksieve before 23.03.80, kmanagesieve/session.cpp places a cl ...)
{DLA-3809-1}
- libkf5ksieve 4:22.12.3-2 (bug #1069163)
- [bookworm] - libkf5ksieve <no-dsa> (Minor issue, will be fixed via spu)
+ [bookworm] - libkf5ksieve 4:22.12.3-1+deb12u1
[bullseye] - libkf5ksieve <no-dsa> (Minor issue, will be fixed via ospu)
NOTE: https://www.openwall.com/lists/oss-security/2024/04/25/1
NOTE: Fixed by: https://invent.kde.org/pim/libksieve/-/commit/6b460ba93ac4ac503ba039d0b788ac7595120db1 (v23.03.80)
@@ -23927,7 +23927,7 @@ CVE-2023-3675 (Improper Limitation of a Pathname to a Restricted Directory ('Pat
NOT-FOR-US: Secomea GateManager
CVE-2024-XXXX [tryton zipbomb DoS]
- tryton-server 6.0.45-1
- [bookworm] - tryton-server <no-dsa> (Minor issue)
+ [bookworm] - tryton-server 6.0.29-2+deb12u2
[bullseye] - tryton-server <no-dsa> (Minor issue)
NOTE: https://discuss.tryton.org/t/security-release-for-issue-13142/7196
NOTE: https://foss.heptapod.net/tryton/tryton/-/issues/13142
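Review bot: this entry is still keyed on the placeholder `CVE-2024-XXXX [tryton zipbomb DoS]`, so the new `[bookworm] - tryton-server 6.0.29-2+deb12u2` line will have to be carried over by hand when an identifier is assigned and the entry is renamed; until then the two NOTE links (discuss.tryton.org and heptapod issue 13142) are the only thing tying the bookworm upload to the issue. The `CVE-2024-XXXX` ngircd entry further down in this diff is in the same situation.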
@@ -25881,7 +25881,7 @@ CVE-2023-38511 (iTop is an IT service management platform. Dashboard editor : c
NOT-FOR-US: iTop
CVE-2024-XXXX [validate a server certificate in a TLS-based server-server connection]
- ngircd 27~rc1-1
- [bookworm] - ngircd <no-dsa> (Minor issue, will be fixed via point update)
+ [bookworm] - ngircd 26.1-1+deb12u1
[bullseye] - ngircd <no-dsa> (Minor issue, will be fixed via point update)
[buster] - ngircd <postponed> (Minor issue, follow bullseye point update)
NOTE: https://github.com/ngircd/ngircd/issues/120
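Review bot: the unchanged buster line `<postponed> (Minor issue, follow bullseye point update)` chains buster to a bullseye update that, per the equally unchanged `[bullseye] - ngircd <no-dsa> (Minor issue, will be fixed via point update)` line, has not been recorded yet. With bookworm now at 26.1-1+deb12u1, the bullseye and buster lines should be revisited together when the corresponding oldstable update is accepted, otherwise the entry keeps pointing at a pending update with no version behind it.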
@@ -26087,7 +26087,7 @@ CVE-2024-3508 (A flaw was found in Bombastic, which allows authenticated users t
CVE-2024-3651 [potential DoS via resource consumption via specially crafted inputs to idna.encode()]
{DLA-3811-1}
- python-idna 3.6-2.1 (bug #1069127)
- [bookworm] - python-idna <no-dsa> (Minor issue)
+ [bookworm] - python-idna 3.3-1+deb12u1
[bullseye] - python-idna <no-dsa> (Minor issue)
NOTE: https://github.com/kjd/idna/security/advisories/GHSA-jjg7-2v4v-x38h
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274779
@@ -27124,7 +27124,7 @@ CVE-2024-26815 (In the Linux kernel, the following vulnerability has been resolv
NOTE: https://git.kernel.org/linus/343041b59b7810f9cdca371f445dd43b35c740b1 (6.9-rc1)
CVE-2024-3447
- qemu 1:8.2.3+ds-1 (bug #1068821)
- [bookworm] - qemu <no-dsa> (Minor issue)
+ [bookworm] - qemu 1:7.2+dfsg-7+deb12u6
[bullseye] - qemu <no-dsa> (Minor issue)
[buster] - qemu <no-dsa> (Minor issue)
NOTE: https://patchew.org/QEMU/20240404085549.16987-1-philmd@linaro.org/
@@ -27296,7 +27296,7 @@ CVE-2024-3512
REJECTED
CVE-2024-3446 (A double free vulnerability was found in QEMU virtio devices (virtio-g ...)
- qemu 1:8.2.3+ds-1 (bug #1068820)
- [bookworm] - qemu <no-dsa> (Minor issue)
+ [bookworm] - qemu 1:7.2+dfsg-7+deb12u6
[bullseye] - qemu <no-dsa> (Minor issue)
[buster] - qemu <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274211
@@ -32056,7 +32056,7 @@ CVE-2024-26652 (In the Linux kernel, the following vulnerability has been resolv
NOTE: https://git.kernel.org/linus/ba18deddd6d502da71fd6b6143c53042271b82bd (6.8)
CVE-2024-2004 (When a protocol selection parameter option disables all protocols with ...)
- curl 8.7.1-1
- [bookworm] - curl <no-dsa> (Minor issue)
+ [bookworm] - curl 7.88.1-10+deb12u6
[bullseye] - curl <not-affected> (Vulnerable code not present)
[buster] - curl <not-affected> (Vulnerable code not present)
NOTE: https://curl.se/docs/CVE-2024-2004.html
@@ -32070,7 +32070,7 @@ CVE-2024-2379 (libcurl skips the certificate verification for a QUIC connection
NOTE: curl in Debian not built with wolfSSL support
CVE-2024-2398 (When an application tells libcurl it wants to allow HTTP/2 server push ...)
- curl 8.7.1-1
- [bookworm] - curl <no-dsa> (Minor issue)
+ [bookworm] - curl 7.88.1-10+deb12u6
[bullseye] - curl <no-dsa> (Minor issue)
[buster] - curl <postponed> (Minor issue; can be fixed in next update)
NOTE: https://curl.se/docs/CVE-2024-2398.html
@@ -33706,7 +33706,7 @@ CVE-2024-28916 (Xbox Gaming Services Elevation of Privilege Vulnerability)
CVE-2024-28835 (A flaw has been discovered in GnuTLS where an application crash can be ...)
[experimental] - gnutls28 3.8.4-1
- gnutls28 3.8.4-2 (bug #1067463)
- [bookworm] - gnutls28 <no-dsa> (Minor issue)
+ [bookworm] - gnutls28 3.7.9-2+deb12u3
[bullseye] - gnutls28 <no-dsa> (Minor issue)
[buster] - gnutls28 <not-affected> (Vulnerable code not present)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2269084
@@ -33719,7 +33719,7 @@ CVE-2024-28835 (A flaw has been discovered in GnuTLS where an application crash
CVE-2024-28834 (A flaw was found in GnuTLS. The Minerva attack is a cryptographic vuln ...)
[experimental] - gnutls28 3.8.4-1
- gnutls28 3.8.4-2 (bug #1067464)
- [bookworm] - gnutls28 <no-dsa> (Minor issue)
+ [bookworm] - gnutls28 3.7.9-2+deb12u3
[bullseye] - gnutls28 <no-dsa> (Minor issue)
[buster] - gnutls28 <not-affected> (Vulnerable code not present)
NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1516
@@ -33854,7 +33854,7 @@ CVE-2023-51444 (GeoServer is an open source software server written in Java that
NOT-FOR-US: GeoServer
CVE-2023-50967 (latchset jose through version 11 allows attackers to cause a denial of ...)
- jose 13-1 (bug #1067457)
- [bookworm] - jose <no-dsa> (Minor issue)
+ [bookworm] - jose 11-2+deb12u1
[bullseye] - jose <no-dsa> (Minor issue)
[buster] - jose <postponed> (DoS via a large p2c value but still appears minor; similar to CVE-2023-50966)
NOTE: https://github.com/P3ngu1nW/CVE_Request/blob/main/latch-jose.md
@@ -34314,11 +34314,11 @@ CVE-2024-1144 (Improper access control vulnerability in Devklan's Alma Blog that
CVE-2024-0450 (An issue was found in the CPython `zipfile` module affecting versions ...)
{DLA-3772-1 DLA-3771-1}
- pypy3 7.3.16+dfsg-1
- [bookworm] - pypy3 <no-dsa> (Minor issue)
+ [bookworm] - pypy3 7.3.11+dfsg-2+deb12u2
[bullseye] - pypy3 <no-dsa> (Minor issue)
- python3.12 3.12.2-1
- python3.11 3.11.8-1 (bug #1070133)
- [bookworm] - python3.11 <no-dsa> (Minor issue)
+ [bookworm] - python3.11 3.11.2-6+deb12u2
- python3.10 <removed>
- python3.9 <removed>
[bullseye] - python3.9 <no-dsa> (Minor issue)
@@ -34337,14 +34337,14 @@ CVE-2023-6597 (An issue was found in the CPython `tempfile.TemporaryDirectory` c
{DLA-3772-1}
- python3.12 3.12.1-1
- python3.11 3.11.8-1 (bug #1070135)
- [bookworm] - python3.11 <no-dsa> (Minor issue)
+ [bookworm] - python3.11 3.11.2-6+deb12u2
- python3.10 <removed>
- python3.9 <removed>
[bullseye] - python3.9 <no-dsa> (Minor issue)
- python3.7 <removed>
- python2.7 <not-affected> (tempfile.TemporaryDirectory added in 3.2)
- pypy3 7.3.13+dfsg-1
- [bookworm] - pypy3 <no-dsa> (Minor issue)
+ [bookworm] - pypy3 7.3.11+dfsg-2+deb12u2
[bullseye] - pypy3 <no-dsa> (Minor issue)
[buster] - pypy3 <no-dsa> (Minor issue)
NOTE: https://github.com/python/cpython/pull/99930
@@ -34989,7 +34989,7 @@ CVE-2024-21824 (Improper authentication vulnerability in exists in multiple prin
CVE-2023-52159 (A stack-based buffer overflow vulnerability in gross 0.9.3 through 1.x ...)
{DLA-3774-1}
- gross 1.0.2-4.1 (bug #1067115)
- [bookworm] - gross <no-dsa> (Minor issue)
+ [bookworm] - gross 1.0.2-4.1~deb12u1
[bullseye] - gross <no-dsa> (Minor issue)
NOTE: https://codeberg.org/bizdelnick/gross/commit/6403985fc1060e7aacea96e60535e1e7b0f6f193 (master)
NOTE: https://codeberg.org/bizdelnick/gross/commit/3f5508cce2c49d216b163eb7b38ea72d5162c76e (1.0.4)
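Review bot: the bookworm version `1.0.2-4.1~deb12u1` is a `~deb12u1` rebuild of the very upload that fixes unstable (`gross 1.0.2-4.1`), not a `+deb12u1` patch on bookworm's own revision; that is fine, since `1.0.2-4.1~deb12u1` sorts below `1.0.2-4.1` and a bookworm-to-testing upgrade still pulls the unstable package. Because the cited upstream fixes are on master and in 1.0.4 while the Debian version stays at 1.0.2, a short NOTE stating that the Debian upload carries the backported commits would make the entry self-explanatory.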
@@ -35522,7 +35522,7 @@ CVE-2023-42286 (There is a PHP file inclusion vulnerability in the template conf
NOT-FOR-US: eyoucms
CVE-2024-28054 (Amavis before 2.12.3 and 2.13.x before 2.13.1, in part because of its ...)
- amavisd-new 1:2.13.0-5
- [bookworm] - amavisd-new <no-dsa> (Minor issue; will be fixed via point release)
+ [bookworm] - amavisd-new 1:2.13.0-3+deb12u1
[bullseye] - amavisd-new <no-dsa> (Minor issue; will be fixed via point release)
[buster] - amavisd-new <postponed> (Minor issue; new configuration to spam-tag some broken e-mails; follow point release)
NOTE: https://gitlab.com/amavis/amavis/commit/78c4b7076ebf1d711629a95860aae1bc0db5277a (v2.13.1)
@@ -36147,7 +36147,7 @@ CVE-2024-27440 (The Toyoko Inn official App for iOS versions prior to 1.13.0 and
NOT-FOR-US: Toyoko Inn official App
CVE-2024-27305 (aiosmtpd is a reimplementation of the Python stdlib smtpd.py based on ...)
- python-aiosmtpd 1.4.6-1 (bug #1066820)
- [bookworm] - python-aiosmtpd <no-dsa> (Minor issue)
+ [bookworm] - python-aiosmtpd 1.4.3-1.1+deb12u1
[bullseye] - python-aiosmtpd <no-dsa> (Minor issue)
[buster] - python-aiosmtpd <postponed> (Minor issue)
NOTE: https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-pr2m-px7j-xg65
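Review bot: `python-aiosmtpd 1.4.3-1.1+deb12u1` is recorded here for CVE-2024-27305 and, in the hunk at `-13295`, for CVE-2024-34083, so one bookworm upload closes two CVEs that have two separate bugs (#1066820 and #1072119). Both bug numbers need to be closed by that upload's changelog; if it references only one, the other bug remains open against a package that is already fixed.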
@@ -36488,41 +36488,41 @@ CVE-2023-36554 (A improper access control in Fortinet FortiManager version 7.4.0
NOT-FOR-US: FortiGuard
CVE-2024-2182 (A flaw was found in the Open Virtual Network (OVN). In OVN clusters wh ...)
- ovn 24.03.1-1
- [bookworm] - ovn <no-dsa> (Minor issue)
+ [bookworm] - ovn 23.03.1-1~deb12u2
NOTE: https://bugs.launchpad.net/bugs/2053113
NOTE: https://mail.openvswitch.org/pipermail/ovs-announce/2024-March/000346.html
CVE-2023-43490 (Incorrect calculation in microcode keying mechanism for some Intel(R) ...)
{DLA-3808-1}
- intel-microcode 3.20240312.1 (bug #1066108)
- [bookworm] - intel-microcode <postponed> (Decide after exposure on unstable for update)
+ [bookworm] - intel-microcode 3.20240312.1~deb12u1
[bullseye] - intel-microcode <postponed> (Decide after exposure on unstable for update)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01045.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312
CVE-2023-39368 (Protection mechanism failure of bus lock regulator for some Intel(R) P ...)
{DLA-3808-1}
- intel-microcode 3.20240312.1 (bug #1066108)
- [bookworm] - intel-microcode <postponed> (Decide after exposure on unstable for update)
+ [bookworm] - intel-microcode 3.20240312.1~deb12u1
[bullseye] - intel-microcode <postponed> (Decide after exposure on unstable for update)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00972.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312
CVE-2023-38575 (Non-transparent sharing of return predictor targets between contexts i ...)
{DLA-3808-1}
- intel-microcode 3.20240312.1 (bug #1066108)
- [bookworm] - intel-microcode <postponed> (Decide after exposure on unstable for update)
+ [bookworm] - intel-microcode 3.20240312.1~deb12u1
[bullseye] - intel-microcode <postponed> (Decide after exposure on unstable for update)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00982.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312
CVE-2023-22655 (Protection mechanism failure in some 3rd and 4th Generation Intel(R) X ...)
{DLA-3808-1}
- intel-microcode 3.20240312.1 (bug #1066108)
- [bookworm] - intel-microcode <postponed> (Decide after exposure on unstable for update)
+ [bookworm] - intel-microcode 3.20240312.1~deb12u1
[bullseye] - intel-microcode <postponed> (Decide after exposure on unstable for update)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00960.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312
CVE-2023-28746 (Information exposure through microarchitectural state after transient ...)
{DSA-5681-1 DLA-3842-1 DLA-3808-1}
- intel-microcode 3.20240312.1 (bug #1066108)
- [bookworm] - intel-microcode <postponed> (Decide after exposure on unstable for update)
+ [bookworm] - intel-microcode 3.20240312.1~deb12u1
[bullseye] - intel-microcode <postponed> (Decide after exposure on unstable for update)
- linux 6.7.9-2
[bookworm] - linux 6.1.82-1
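Review bot: this hunk records `intel-microcode 3.20240312.1~deb12u1` as the bookworm fix for CVE-2023-43490, -39368, -38575, -22655 and -28746, while the hunk at `-14658` records `3.20240514.1~deb12u1` for CVE-2023-47855, -45745, -46103 and -45733. Two versions in one merge is correct tracker semantics (first fixed version per CVE) only if 3.20240312.1~deb12u1 actually reached bookworm before 12.6; if 3.20240514.1~deb12u1 is the only one of the two shipped in the point release, the five entries here should name that version instead, or bookworm will show these CVEs as fixed by a package that never existed in the suite. The unchanged `[bullseye] - intel-microcode <postponed> (Decide after exposure on unstable for update)` lines are also stale for the same reason: the exposure the rationale was waiting for has evidently happened.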
@@ -37259,7 +37259,7 @@ CVE-2024-28110 (Go SDK for CloudEvents is the official CloudEvents SDK to integr
NOT-FOR-US: cloudevents/sdk-go
CVE-2024-28102 (JWCrypto implements JWK, JWS, and JWE specifications using python-cryp ...)
- python-jwcrypto 1.5.6-1 (bug #1065688)
- [bookworm] - python-jwcrypto <no-dsa> (Minor issue)
+ [bookworm] - python-jwcrypto 1.1.0-1+deb12u1
[bullseye] - python-jwcrypto <no-dsa> (Minor issue)
NOTE: https://github.com/latchset/jwcrypto/security/advisories/GHSA-j857-7rvv-vj97
NOTE: https://github.com/latchset/jwcrypto/commit/90477a3b6e73da69740e00b8161f53fea19b831f (v1.5.6)
@@ -39290,7 +39290,7 @@ CVE-2024-0074 (NVIDIA GPU Display Driver for Linux contains a vulnerability wher
[bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported)
NOTE: 460.106.00-3 turned the package into a metapackage to aid switching to nvidia-graphics-drivers-tesla-470
- nvidia-graphics-drivers-tesla-470 470.239.06-1 (bug #1064989)
- [bookworm] - nvidia-graphics-drivers-tesla-470 <no-dsa> (Non-free not supported)
+ [bookworm] - nvidia-graphics-drivers-tesla-470 470.239.06-1~deb12u1
[bullseye] - nvidia-graphics-drivers-tesla-470 <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla <unfixed> (bug #1064990)
[bookworm] - nvidia-graphics-drivers-tesla <no-dsa> (Non-free not supported)
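Review bot: `nvidia-graphics-drivers-tesla-470 470.239.06-1~deb12u1` here for CVE-2024-0074 (and in the next hunk for CVE-2024-0078) differs from the `470.256.02-1~deb12u1` recorded for CVE-2024-0092 and CVE-2024-0090 earlier in this diff, so two tesla-470 versions are claimed for bookworm in a single merge. That is consistent with the first-fixed-version rule if both uploads shipped, and the sid fix for these older CVEs (470.239.06-1) matches the rebuild base, but it is worth confirming that 470.239.06-1~deb12u1 really reached the bookworm archive rather than being superseded before acceptance.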
@@ -39335,7 +39335,7 @@ CVE-2024-0078 (NVIDIA GPU Display Driver for Windows and Linux contains a vulner
[bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported)
NOTE: 460.106.00-3 turned the package into a metapackage to aid switching to nvidia-graphics-drivers-tesla-470
- nvidia-graphics-drivers-tesla-470 470.239.06-1 (bug #1064989)
- [bookworm] - nvidia-graphics-drivers-tesla-470 <no-dsa> (Non-free not supported)
+ [bookworm] - nvidia-graphics-drivers-tesla-470 470.239.06-1~deb12u1
[bullseye] - nvidia-graphics-drivers-tesla-470 <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla <unfixed> (bug #1064990)
[bookworm] - nvidia-graphics-drivers-tesla <no-dsa> (Non-free not supported)
@@ -40419,24 +40419,24 @@ CVE-2023-48678 (Sensitive information disclosure due to insecure folder permissi
CVE-2024-27354 (An issue was discovered in phpseclib 1.x before 1.0.23, 2.x before 2.0 ...)
{DLA-3750-1 DLA-3749-1}
- phpseclib 1.0.23-1
- [bookworm] - phpseclib <no-dsa> (Minor issue; can be fixed via pu)
+ [bookworm] - phpseclib 1.0.20-1+deb12u2
[bullseye] - phpseclib <no-dsa> (Minor issue; can be fixed via pu)
- php-phpseclib 2.0.47-1
- [bookworm] - php-phpseclib <no-dsa> (Minor issue; can be fixed via pu)
+ [bookworm] - php-phpseclib 2.0.42-1+deb12u2
[bullseye] - php-phpseclib <no-dsa> (Minor issue; can be fixed via pu)
- php-phpseclib3 3.0.36-1
- [bookworm] - php-phpseclib3 <no-dsa> (Minor issue; can be fixed via pu)
+ [bookworm] - php-phpseclib3 3.0.19-1+deb12u3
NOTE: https://github.com/phpseclib/phpseclib/commit/ad5dbdf2129f5e0fb644637770b7f33de8ca8575
CVE-2024-27355 (An issue was discovered in phpseclib 1.x before 1.0.23, 2.x before 2.0 ...)
{DLA-3750-1 DLA-3749-1}
- phpseclib 1.0.23-1
- [bookworm] - phpseclib <no-dsa> (Minor issue; can be fixed via pu)
+ [bookworm] - phpseclib 1.0.20-1+deb12u2
[bullseye] - phpseclib <no-dsa> (Minor issue; can be fixed via pu)
- php-phpseclib 2.0.47-1
- [bookworm] - php-phpseclib <no-dsa> (Minor issue; can be fixed via pu)
+ [bookworm] - php-phpseclib 2.0.42-1+deb12u2
[bullseye] - php-phpseclib <no-dsa> (Minor issue; can be fixed via pu)
- php-phpseclib3 3.0.36-1
- [bookworm] - php-phpseclib3 <no-dsa> (Minor issue; can be fixed via pu)
+ [bookworm] - php-phpseclib3 3.0.19-1+deb12u3
NOTE: https://github.com/phpseclib/phpseclib/commit/e32531001b4d62c66c3d824ccef54ffad835eb59
CVE-2023-50379 (Malicious code injection in Apache Ambari in prior to 2.7.8.Users are ...)
NOT-FOR-US: Apache Ambari
@@ -42517,7 +42517,7 @@ CVE-2024-22369 (Deserialization of Untrusted Data vulnerability in Apache Camel
NOT-FOR-US: Apache Camel
CVE-2024-26328 (An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in h ...)
- qemu 1:8.2.3+ds-1 (bug #1068819)
- [bookworm] - qemu <no-dsa> (Minor issue)
+ [bookworm] - qemu 1:7.2+dfsg-7+deb12u6
[bullseye] - qemu <not-affected> (Vulnerable code introduced later)
[buster] - qemu <not-affected> (Vulnerable code introduced later)
NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/7c0fa8dff811b5648964630a1334c3bb97e1e1c6 (v7.0.0-rc0)
@@ -42526,7 +42526,7 @@ CVE-2024-26328 (An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vf
NOTE: https://lore.kernel.org/all/20240213055345-mutt-send-email-mst%40kernel.org
CVE-2024-26327 (An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in h ...)
- qemu 1:8.2.3+ds-1 (bug #1068819)
- [bookworm] - qemu <no-dsa> (Minor issue)
+ [bookworm] - qemu 1:7.2+dfsg-7+deb12u6
[bullseye] - qemu <not-affected> (Vulnerable code introduced later)
[buster] - qemu <not-affected> (Vulnerable code introduced later)
NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/7c0fa8dff811b5648964630a1334c3bb97e1e1c6 (v7.0.0-rc0)
@@ -42776,7 +42776,7 @@ CVE-2023-40085 (In convertSubgraphFromHAL of ShimConverter.cpp, there is a possi
CVE-2023-52160 (The implementation of PEAP in wpa_supplicant through 2.10 allows authe ...)
{DLA-3743-1}
- wpa 2:2.10-21.1 (bug #1064061)
- [bookworm] - wpa <no-dsa> (Minor issue; Will be fixed via point release)
+ [bookworm] - wpa 2:2.10-12+deb12u1
[bullseye] - wpa <no-dsa> (Minor issue; can be fixed via point release)
NOTE: https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c
NOTE: https://www.top10vpn.com/research/wifi-vulnerabilities/
@@ -42794,7 +42794,7 @@ CVE-2024-25580 (An issue was discovered in gui/util/qktxhandler.cpp in Qt before
- qt6-base <unfixed> (bug #1064052)
[bookworm] - qt6-base <no-dsa> (Minor issue)
- qtbase-opensource-src 5.15.10+dfsg-7 (bug #1064053)
- [bookworm] - qtbase-opensource-src <no-dsa> (Minor issue)
+ [bookworm] - qtbase-opensource-src 5.15.8+dfsg-11+deb12u2
[bullseye] - qtbase-opensource-src <no-dsa> (Minor issue)
[buster] - qtbase-opensource-src <not-affected> (Vulnerable code not present)
- qtbase-opensource-src-gles 5.15.10+dfsg-5 (bug #1064054)
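Review bot: only qtbase-opensource-src receives a bookworm version in this hunk; `qt6-base <unfixed>` keeps `[bookworm] - qt6-base <no-dsa> (Minor issue)`, and the bookworm line for `qtbase-opensource-src-gles` falls just outside the context. The gles package is built from the same qtbase 5.15 tree, so if 5.15.8+dfsg-11+deb12u2 was worth doing for qtbase-opensource-src, the gles variant needs either the matching +deb12u update or a rationale stating why it is excluded; the same question applies to qt6-base, which ships the same qktxhandler.cpp code path named in the CVE description.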
@@ -43758,7 +43758,7 @@ CVE-2023-50387 (Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4
[bullseye] - pdns-recursor <end-of-life> (No longer supported with security updates in Bullseye)
- unbound 1.19.1-1 (bug #1063845)
- systemd 255.4-1
- [bookworm] - systemd <no-dsa> (DNSSEC is disabled by default in systemd-resolved; can be fixed via point release)
+ [bookworm] - systemd 252.23-1~deb12u1
[bullseye] - systemd <no-dsa> (DNSSEC is disabled by default in systemd-resolved; can be fixed via point release)
[buster] - systemd <no-dsa> (DNSSEC is disabled by default in systemd-resolved; can be fixed via point release)
NOTE: https://kb.isc.org/docs/cve-2023-50387
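Review bot: the hunk records `systemd 252.23-1~deb12u1` for bookworm while the rationale that justified postponing it, "DNSSEC is disabled by default in systemd-resolved", is kept verbatim on the bullseye and buster lines, which is consistent: the systemd fix is a low-priority hardening. The resolver whose bookworm status actually matters for this CVE is unbound, which is shown here only as `unbound 1.19.1-1 (bug #1063845)` with no suite lines in the context; worth confirming that its bookworm fix is recorded elsewhere in the entry so the validating resolver is not the one left untracked.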
@@ -43800,7 +43800,7 @@ CVE-2023-50868 (The Closest Encloser Proof aspect of the DNS protocol (in RFC 51
[bullseye] - pdns-recursor <end-of-life> (No longer supported with security updates in Bullseye)
- unbound 1.19.1-1 (bug #1063845)
- systemd 255.4-1
- [bookworm] - systemd <no-dsa> (DNSSEC is disabled by default in systemd-resolved; can be fixed via point release)
+ [bookworm] - systemd 252.23-1~deb12u1
[bullseye] - systemd <no-dsa> (DNSSEC is disabled by default in systemd-resolved; can be fixed via point release)
[buster] - systemd <no-dsa> (DNSSEC is disabled by default in systemd-resolved; can be fixed via point release)
NOTE: https://kb.isc.org/docs/cve-2023-50868
@@ -44135,7 +44135,7 @@ CVE-2024-25718 (In the Samly package before 1.4.0 for Elixir, Samly.State.Store.
NOT-FOR-US: Samly
CVE-2024-25715 (Glewlwyd SSO server 2.x through 2.7.6 allows open redirection via redi ...)
- glewlwyd 2.7.6+ds-2
- [bookworm] - glewlwyd <no-dsa> (Minor issue)
+ [bookworm] - glewlwyd 2.7.5-3+deb12u1
[bullseye] - glewlwyd <no-dsa> (Minor issue)
[buster] - glewlwyd <no-dsa> (Minor issue)
NOTE: https://github.com/babelouest/glewlwyd/commit/59239381a88c505ab38fe64fdd92f846defa5754
@@ -44526,7 +44526,7 @@ CVE-2024-25189 (libjwt 1.15.3 uses strcmp (which is not constant time) to verify
{DLA-3739-1}
[experimental] - libjwt 1.17.0-1
- libjwt 1.17.0-2 (bug #1063534)
- [bookworm] - libjwt <no-dsa> (Minor issue)
+ [bookworm] - libjwt 1.10.2-1+deb12u1
[bullseye] - libjwt <no-dsa> (Minor issue)
NOTE: https://github.com/P3ngu1nW/CVE_Request/blob/main/benmcollins%3Alibjwt.md
NOTE: https://github.com/benmcollins/libjwt/commit/f73bac57c5bece16ac24f1a70022aa34355fc1bf (v1.17.0)
@@ -44774,13 +44774,13 @@ CVE-2024-22012 (there is a possible out of bounds write due to a missing bounds
NOT-FOR-US: Android
CVE-2024-20290 (A vulnerability in the OLE2 file format parser of ClamAV could allow a ...)
- clamav 1.0.5+dfsg-1 (bug #1063479)
- [bookworm] - clamav <no-dsa> (clamav is updated via -updates)
+ [bookworm] - clamav 1.0.5+dfsg-1~deb12u1
[bullseye] - clamav <not-affected> (Vulnerable code not present)
[buster] - clamav <not-affected> (Vulnerable code not present)
NOTE: https://blog.clamav.net/2023/11/clamav-130-122-105-released.html
CVE-2024-20328 (A vulnerability in the VirusEvent feature of ClamAV could allow a loca ...)
- clamav 1.0.5+dfsg-1 (bug #1063479)
- [bookworm] - clamav <no-dsa> (clamav is updated via -updates)
+ [bookworm] - clamav 1.0.5+dfsg-1~deb12u1
[bullseye] - clamav <not-affected> (Vulnerable code not present)
[buster] - clamav <not-affected> (Vulnerable code not present)
NOTE: https://blog.clamav.net/2023/11/clamav-130-122-105-released.html
@@ -47058,7 +47058,7 @@ CVE-2024-0918 (A vulnerability was found in TRENDnet TEW-800MB 1.0.1.0 and class
NOT-FOR-US: TRENDnet
CVE-2022-48622 (In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10, the ANI (Windows ...)
- gdk-pixbuf 2.42.12+dfsg-1 (bug #1071265)
- [bookworm] - gdk-pixbuf <postponed> (Revisit once fixed upstream)
+ [bookworm] - gdk-pixbuf 2.42.10+dfsg-1+deb12u1
[bullseye] - gdk-pixbuf <postponed> (Revisit once fixed upstream)
[buster] - gdk-pixbuf <postponed> (Minor issue, recheck when fixed upstream)
NOTE: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/202
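Review bot: with bookworm now at `2.42.10+dfsg-1+deb12u1` and unstable fixed in `2.42.12+dfsg-1`, the unchanged `[bullseye] - gdk-pixbuf <postponed> (Revisit once fixed upstream)` and `[buster] - gdk-pixbuf <postponed> (Minor issue, recheck when fixed upstream)` rationales are stale: the upstream fix the postponement was waiting for evidently exists, since it was just backported for bookworm. Those two lines should be re-triaged to either a version or a rationale reflecting the current state.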
@@ -47299,7 +47299,7 @@ CVE-2024-0822 (An authentication bypass vulnerability was found in overt-engine.
NOT-FOR-US: ovirt-engine
CVE-2024-0727 (Issue summary: Processing a maliciously formatted PKCS12 file may lead ...)
- openssl 3.1.5-1 (bug #1061582)
- [bookworm] - openssl <no-dsa> (Minor issue)
+ [bookworm] - openssl 3.0.13-1~deb12u1
[bullseye] - openssl <no-dsa> (Minor issue)
[buster] - openssl <postponed> (Minor issue, DoS, Low severity)
NOTE: https://www.openssl.org/news/secadv/20240125.txt
@@ -49459,7 +49459,7 @@ CVE-2023-42134 (PAX Android based POS devices with PayDroid_8.1.0_Sagittarius_V1
NOT-FOR-US: PAX devices
CVE-2023-6237 (Issue summary: Checking excessively long invalid RSA public keys may t ...)
- openssl 3.1.5-1 (bug #1060858)
- [bookworm] - openssl <no-dsa> (Minor issue)
+ [bookworm] - openssl 3.0.13-1~deb12u1
[bullseye] - openssl <not-affected> (Only affects 3.x)
[buster] - openssl <not-affected> (Only affects 3.x)
NOTE: https://www.openssl.org/news/secadv/20240115.txt
@@ -53160,7 +53160,7 @@ CVE-2023-51714 (An issue was discovered in the HTTP2 implementation in Qt before
- qt6-base 6.4.2+dfsg-21 (bug #1060693)
[bookworm] - qt6-base <no-dsa> (Minor issue)
- qtbase-opensource-src 5.15.10+dfsg-6 (bug #1060694)
- [bookworm] - qtbase-opensource-src <no-dsa> (Minor issue)
+ [bookworm] - qtbase-opensource-src 5.15.8+dfsg-11+deb12u2
[bullseye] - qtbase-opensource-src <no-dsa> (Minor issue)
- qtbase-opensource-src-gles 5.15.10+dfsg-4 (bug #1060695)
[bookworm] - qtbase-opensource-src-gles <no-dsa> (Minor issue)
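Review bot: only the `qtbase-opensource-src` bookworm line is switched to a fixed version (5.15.8+dfsg-11+deb12u2), while the `qt6-base` and `qtbase-opensource-src-gles` bookworm lines in the same entry keep `<no-dsa> (Minor issue)`. Since all three sources are listed as affected by this CVE, it is worth confirming that leaving the other two unfixed in bookworm is intentional (for example because no point-release upload was made for them) rather than an oversight when the qtbase update was merged.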
@@ -53229,7 +53229,7 @@ CVE-2023-51766 (Exim before 4.97.1 allows SMTP smuggling in certain PIPELINING/C
CVE-2023-51765 (sendmail through 8.17.2 allows SMTP smuggling in certain configuration ...)
{DLA-3829-1}
- sendmail 8.18.1-1 (bug #1059386)
- [bookworm] - sendmail <no-dsa> (Minor issue)
+ [bookworm] - sendmail 8.17.1.9-2+deb12u1
[bullseye] - sendmail <no-dsa> (Minor issue)
NOTE: https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
NOTE: https://www.openwall.com/lists/oss-security/2023/12/21/6
@@ -53665,7 +53665,7 @@ CVE-2023-6145 (Improper Neutralization of Special Elements used in an SQL Comman
NOT-FOR-US: Istanbul Soft Informatics and Consultancy Limited Company Softomi Advanced C2C Marketplace Software
CVE-2023-6129 (Issue summary: The POLY1305 MAC (message authentication code) implemen ...)
- openssl 3.1.5-1 (bug #1060347)
- [bookworm] - openssl <no-dsa> (Minor issue; can be fixed later along with other issues)
+ [bookworm] - openssl 3.0.13-1~deb12u1
[bullseye] - openssl <not-affected> (Vulnerable code not present)
[buster] - openssl <not-affected> (Vulnerable code not present)
NOTE: https://www.openwall.com/lists/oss-security/2024/01/09/1
@@ -55367,6 +55367,7 @@ CVE-2023-50563 (Semcms v4.8 was discovered to contain a SQL injection vulnerabil
NOT-FOR-US: Semcms
CVE-2023-50472 (cJSON v1.7.16 was discovered to contain a segmentation violation via t ...)
- cjson 1.7.17-1 (unimportant; bug #1059287)
+ [bookworm] - cjson 1.7.15-1+deb12u1
[buster] - cjson <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/DaveGamble/cJSON/issues/803
NOTE: Fixed by: https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8
@@ -55374,7 +55375,7 @@ CVE-2023-50472 (cJSON v1.7.16 was discovered to contain a segmentation violation
CVE-2023-50471 (cJSON v1.7.16 was discovered to contain a segmentation violation via t ...)
{DLA-3700-1}
- cjson 1.7.17-1 (bug #1059287)
- [bookworm] - cjson <no-dsa> (Minor issue)
+ [bookworm] - cjson 1.7.15-1+deb12u1
[bullseye] - cjson <no-dsa> (Minor issue)
NOTE: https://github.com/DaveGamble/cJSON/issues/802
NOTE: Fixed by: https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8
@@ -59212,7 +59213,7 @@ CVE-2023-49210 (The openssl (aka node-openssl) NPM package through 2.0.0 was cha
NOT-FOR-US: malicious node module
CVE-2023-49208 (scheme/webauthn.c in Glewlwyd SSO server before 2.7.6 has a possible b ...)
- glewlwyd 2.7.6+ds-1
- [bookworm] - glewlwyd <no-dsa> (Minor issue)
+ [bookworm] - glewlwyd 2.7.5-3+deb12u1
[bullseye] - glewlwyd <no-dsa> (Minor issue)
[buster] - glewlwyd <not-affected> (Vulnerable code not present)
NOTE: https://github.com/babelouest/glewlwyd/commit/f9d8c06aae8dfe17e761b18b577ff169e059e812 (v2.7.6)
@@ -63907,7 +63908,7 @@ CVE-2023-5717 (A heap out-of-bounds write vulnerability in the Linux kernel's Li
NOTE: https://git.kernel.org/linus/32671e3799ca2e4590773fd0e63aaa4229e50c06 (6.6-rc7)
CVE-2023-5678 (Issue summary: Generating excessively long X9.42 DH keys or checking e ...)
- openssl 3.0.12-2 (bug #1055473)
- [bookworm] - openssl <no-dsa> (Minor issue; can be fixed along with future update)
+ [bookworm] - openssl 3.0.13-1~deb12u1
[bullseye] - openssl <no-dsa> (Minor issue; can be fixed along with future update)
[buster] - openssl <postponed> (Minor issue; can be fixed along with future update)
NOTE: https://www.openssl.org/news/secadv/20231106.txt
@@ -70417,7 +70418,6 @@ CVE-2023-40930 (An issue in the directory /system/bin/blkid of Skyworth v3.0 all
CVE-2023-40619 (phpPgAdmin 7.14.4 and earlier is vulnerable to deserialization of untr ...)
{DLA-3644-1}
- phppgadmin 7.14.7+dfsg-1 (bug #1053004)
- [bookworm] - phppgadmin <ignored> (Package in stable is broken and will be removed)
[bullseye] - phppgadmin <ignored> (Package is broken and will be removed)
NOTE: https://github.com/phppgadmin/phppgadmin/issues/174
NOTE: https://github.com/hestiacp/phppgadmin/pull/4
@@ -72980,7 +72980,7 @@ CVE-2023-37826 (A cross-site scripting (XSS) vulnerability in General Solutions
NOT-FOR-US: General Solutions Steiner GmbH CASE 3 Taskmanagement
CVE-2023-36328 (Integer Overflow vulnerability in mp_grow in libtom libtommath before ...)
- libtommath 1.2.1-1 (bug #1051100)
- [bookworm] - libtommath <no-dsa> (Minor issue)
+ [bookworm] - libtommath 1.2.0-6+deb12u1
[bullseye] - libtommath <no-dsa> (Minor issue)
[buster] - libtommath <no-dsa> (Minor issue)
NOTE: https://github.com/libtom/libtommath/pull/546
@@ -74232,7 +74232,7 @@ CVE-2023-40217 (An issue was discovered in Python before 3.8.18, 3.9.x before 3.
{DLA-3614-1 DLA-3575-1}
- python3.12 3.12.0~rc1-2
- python3.11 3.11.5-1
- [bookworm] - python3.11 <no-dsa> (Minor issue)
+ [bookworm] - python3.11 3.11.2-6+deb12u2
- python3.10 3.10.13-1
- python3.9 <removed>
[bullseye] - python3.9 <no-dsa> (Minor issue)
@@ -74240,7 +74240,7 @@ CVE-2023-40217 (An issue was discovered in Python before 3.8.18, 3.9.x before 3.
- python2.7 <removed>
[bullseye] - python2.7 2.7.18-8+deb11u1
- pypy3 7.3.13+dfsg-1
- [bookworm] - pypy3 <no-dsa> (Minor issue)
+ [bookworm] - pypy3 7.3.11+dfsg-2+deb12u2
[bullseye] - pypy3 <no-dsa> (Minor issue)
[buster] - pypy3 <no-dsa> (Minor issue)
NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/
@@ -74472,7 +74472,7 @@ CVE-2023-4041 (Buffer Copy without Checking Size of Input ('Classic Buffer Overf
CVE-2023-41105 (An issue was discovered in Python 3.11 through 3.11.4. If a path conta ...)
- python3.12 3.12.0~rc1-2
- python3.11 3.11.5-1
- [bookworm] - python3.11 <no-dsa> (Minor issue)
+ [bookworm] - python3.11 3.11.2-6+deb12u2
- python3.10 <not-affected> (Vulnerable code introduced in 3.11.y)
- python3.9 <not-affected> (Vulnerable code introduced in 3.11.y)
- python3.7 <not-affected> (Vulnerable code introduced in 3.11.y)
@@ -77967,7 +77967,7 @@ CVE-2023-37369 (In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x
[bookworm] - qtbase-opensource-src-gles <no-dsa> (Minor issue)
[bullseye] - qtbase-opensource-src-gles <no-dsa> (Minor issue)
- qtbase-opensource-src 5.15.10+dfsg-3
- [bookworm] - qtbase-opensource-src <no-dsa> (Minor issue)
+ [bookworm] - qtbase-opensource-src 5.15.8+dfsg-11+deb12u1
[bullseye] - qtbase-opensource-src <no-dsa> (Minor issue)
- qt4-x11 <removed>
NOTE: https://www.qt.io/blog/security-advisory-qxmlstreamreader
@@ -79736,7 +79736,7 @@ CVE-2023-38197 (An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10,
[bookworm] - qtbase-opensource-src-gles <no-dsa> (Minor issue)
[bullseye] - qtbase-opensource-src-gles <no-dsa> (Minor issue)
- qtbase-opensource-src 5.15.10+dfsg-3 (bug #1041105)
- [bookworm] - qtbase-opensource-src <no-dsa> (Minor issue)
+ [bookworm] - qtbase-opensource-src 5.15.8+dfsg-11+deb12u1
[bullseye] - qtbase-opensource-src <no-dsa> (Minor issue)
- qt4-x11 <removed>
NOTE: https://www.qt.io/blog/security-advisory-qxmlstreamreader-1
@@ -81418,7 +81418,7 @@ CVE-2023-3395 (All versions of the TWinSoft Configuration Tool store encrypted p
CVE-2023-37378 (Nullsoft Scriptable Install System (NSIS) before 3.09 mishandles acces ...)
{DLA-3483-1}
- nsis 3.09-1 (bug #1040880)
- [bookworm] - nsis <no-dsa> (Minor issue)
+ [bookworm] - nsis 3.08-3+deb12u1
[bullseye] - nsis <no-dsa> (Minor issue)
NOTE: https://github.com/kichik/nsis/commit/c40cf78994e74a1a3a381a850c996b251e3277c0 (v309)
NOTE: https://github.com/kichik/nsis/commit/409b5841479c44fbf33a6ba97c1146e46f965467 (v309)
@@ -84057,7 +84057,7 @@ CVE-2023-2866 (If an attacker can trick an authenticated user into loading a mal
NOT-FOR-US: Advantech
CVE-2023-3153 (A flaw was found in Open Virtual Network where the service monitor MAC ...)
- ovn 23.09.0-1 (bug #1043598)
- [bookworm] - ovn <no-dsa> (Minor issue)
+ [bookworm] - ovn 23.03.1-1~deb12u1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2213279
NOTE: https://github.com/ovn-org/ovn/issues/198
NOTE: https://mail.openvswitch.org/pipermail/ovs-announce/2023-August/000327.html
@@ -84676,7 +84676,7 @@ CVE-2023-34410 (An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9,
- qt6-base 6.4.2+dfsg-11 (bug #1037209)
[bookworm] - qt6-base <no-dsa> (Minor issue)
- qtbase-opensource-src 5.15.8+dfsg-12 (bug #1037210)
- [bookworm] - qtbase-opensource-src <no-dsa> (Minor issue)
+ [bookworm] - qtbase-opensource-src 5.15.8+dfsg-11+deb12u1
[bullseye] - qtbase-opensource-src <no-dsa> (Minor issue)
[buster] - qtbase-opensource-src <no-dsa> (Minor issue)
- qtbase-opensource-src-gles 5.15.10+dfsg-2
@@ -97640,7 +97640,7 @@ CVE-2023-1371 (The W4 Post List WordPress plugin before 2.4.6 does not ensure th
CVE-2023-1370 ([Json-smart](https://netplex.github.io/json-smart/) is a performance f ...)
{DLA-3373-1}
- json-smart 2.2-3 (bug #1033474)
- [bookworm] - json-smart <no-dsa> (Minor issue)
+ [bookworm] - json-smart 2.2-2+deb12u1
[bullseye] - json-smart <no-dsa> (Minor issue)
NOTE: https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/
NOTE: https://github.com/netplex/json-smart-v2/commit/5b3205d051952d3100aa0db1535f6ba6226bd87a (2.4.9)
@@ -100285,7 +100285,7 @@ CVE-2023-27350 (This vulnerability allows remote attackers to bypass authenticat
CVE-2023-27349 (BlueZ Audio Profile AVRCP Improper Validation of Array Index Remote Co ...)
{DLA-3820-1}
- bluez 5.68-1
- [bookworm] - bluez <no-dsa> (Minor issue)
+ [bookworm] - bluez 5.66-1+deb12u2
[bullseye] - bluez <no-dsa> (Minor issue)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-386/
NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=f54299a850676d92c3dafd83e9174fcfe420ccc9 (5.67)
@@ -109279,7 +109279,7 @@ CVE-2023-24330 (Command Injection vulnerability in D-Link Dir 882 with firmware
CVE-2023-24329 (An issue in the urllib.parse component of Python before 3.11.4 allows ...)
{DLA-3575-1}
- python3.11 3.11.4-1
- [bookworm] - python3.11 <no-dsa> (Minor issue)
+ [bookworm] - python3.11 3.11.2-6+deb12u2
- python3.9 <removed>
[bullseye] - python3.9 <no-dsa> (Minor issue)
- python3.7 <removed>
@@ -109287,7 +109287,7 @@ CVE-2023-24329 (An issue in the urllib.parse component of Python before 3.11.4 a
- python2.7 <removed>
[bullseye] - python2.7 2.7.18-8+deb11u1
- pypy3 7.3.12+dfsg-1
- [bookworm] - pypy3 <no-dsa> (Minor issue)
+ [bookworm] - pypy3 7.3.11+dfsg-2+deb12u2
[bullseye] - pypy3 <no-dsa> (Minor issue)
[buster] - pypy3 <no-dsa> (Minor issue)
NOTE: https://pointernull.com/security/python-url-parse-problem.html
@@ -239321,6 +239321,7 @@ CVE-2021-31685
CVE-2021-31684 (A vulnerability was discovered in the indexOf function of JSONParserBy ...)
{DLA-3373-1}
- json-smart <unfixed> (unimportant)
+ [bookworm] - json-smart 2.2-2+deb12u1
NOTE: https://github.com/netplex/json-smart-v2/issues/67
NOTE: https://github.com/netplex/json-smart-v2/commit/6ecff1c2974eaaab2e74e441bdf5ba8495227bf5
NOTE: Security impact disputed by upstream
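Review bot: the unstable line still reads `json-smart <unfixed> (unimportant)` while this hunk adds a fixed bookworm version, `json-smart 2.2-2+deb12u1`. As written, the tracker will report the stable point release as fixed and unstable as still vulnerable for the same package. If the deb12u1 upload carries the upstream commit referenced in the NOTE, the unstable line should be marked with the version that includes it; if the issue is deliberately left unfixed in unstable because upstream disputes it, a short comment saying so would avoid the apparent regression.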
@@ -377963,7 +377964,6 @@ CVE-2019-10785 (dojox is vulnerable to Cross-site Scripting in all versions befo
NOTE: https://github.com/dojo/dojox/pull/315
CVE-2019-10784 (phppgadmin through 7.12.1 allows sensitive actions to be performed wit ...)
- phppgadmin 7.14.7+dfsg-1 (bug #953945)
- [bookworm] - phppgadmin <ignored> (Package in stable is broken and will be removed)
[bullseye] - phppgadmin <no-dsa> (Minor issue)
[buster] - phppgadmin <no-dsa> (Minor issue)
[stretch] - phppgadmin <no-dsa> (Minor issue)
=====================================
data/next-point-update.txt
=====================================
@@ -1,161 +1,3 @@
-CVE-2023-37378
- [bookworm] - nsis 3.08-3+deb12u1
-CVE-2023-3153
- [bookworm] - ovn 23.03.1-1~deb12u1
-CVE-2023-34410
- [bookworm] - qtbase-opensource-src 5.15.8+dfsg-11+deb12u1
-CVE-2023-37369
- [bookworm] - qtbase-opensource-src 5.15.8+dfsg-11+deb12u1
-CVE-2023-38197
- [bookworm] - qtbase-opensource-src 5.15.8+dfsg-11+deb12u1
-CVE-2023-49208
- [bookworm] - glewlwyd 2.7.5-3+deb12u1
-CVE-2024-25715
- [bookworm] - glewlwyd 2.7.5-3+deb12u1
-CVE-2024-20290
- [bookworm] - clamav 1.0.5+dfsg-1~deb12u1
-CVE-2024-20328
- [bookworm] - clamav 1.0.5+dfsg-1~deb12u1
-CVE-2024-25189
- [bookworm] - libjwt 1.10.2-1+deb12u1
-CVE-2023-50387
- [bookworm] - systemd 252.23-1~deb12u1
-CVE-2023-50868
- [bookworm] - systemd 252.23-1~deb12u1
-CVE-2024-27354
- [bookworm] - php-phpseclib 2.0.42-1+deb12u2
- [bookworm] - php-phpseclib3 3.0.19-1+deb12u3
- [bookworm] - phpseclib 1.0.20-1+deb12u2
-CVE-2024-27355
- [bookworm] - php-phpseclib 2.0.42-1+deb12u2
- [bookworm] - php-phpseclib3 3.0.19-1+deb12u3
- [bookworm] - phpseclib 1.0.20-1+deb12u2
-CVE-2024-0074
- [bookworm] - nvidia-graphics-drivers-tesla-470 470.239.06-1~deb12u1
-CVE-2024-0078
- [bookworm] - nvidia-graphics-drivers-tesla-470 470.239.06-1~deb12u1
-CVE-2023-5678
- [bookworm] - openssl 3.0.13-1~deb12u1
-CVE-2023-6129
- [bookworm] - openssl 3.0.13-1~deb12u1
-CVE-2023-6237
- [bookworm] - openssl 3.0.13-1~deb12u1
-CVE-2024-0727
- [bookworm] - openssl 3.0.13-1~deb12u1
-CVE-2024-2182
- [bookworm] - ovn 23.03.1-1~deb12u2
-CVE-2024-28054
- [bookworm] - amavisd-new 1:2.13.0-3+deb12u1
-CVE-2023-52159
- [bookworm] - gross 1.0.2-4.1~deb12u1
-CVE-2023-39368
- [bookworm] - intel-microcode 3.20240312.1~deb12u1
-CVE-2023-38575
- [bookworm] - intel-microcode 3.20240312.1~deb12u1
-CVE-2023-28746
- [bookworm] - intel-microcode 3.20240312.1~deb12u1
-CVE-2023-22655
- [bookworm] - intel-microcode 3.20240312.1~deb12u1
-CVE-2023-43490
- [bookworm] - intel-microcode 3.20240312.1~deb12u1
-CVE-2024-2004
- [bookworm] - curl 7.88.1-10+deb12u6
-CVE-2024-2398
- [bookworm] - curl 7.88.1-10+deb12u6
-CVE-2023-36328
- [bookworm] - libtommath 1.2.0-6+deb12u1
-CVE-2023-50472
- [bookworm] - cjson 1.7.15-1+deb12u1
-CVE-2023-50471
- [bookworm] - cjson 1.7.15-1+deb12u1
-CVE-2021-31684
- [bookworm] - json-smart 2.2-2+deb12u1
-CVE-2023-1370
- [bookworm] - json-smart 2.2-2+deb12u1
-CVE-2024-24814:
- [bookworm] - libapache2-mod-auth-openidc 2.4.12.3-2+deb12u1
-CVE-2023-52723
- [bookworm] - libkf5ksieve 4:22.12.3-1+deb12u1
-CVE-2023-52160
- [bookworm] - wpa 2:2.10-12+deb12u1
-CVE-2024-25580
- [bookworm] - qtbase-opensource-src 5.15.8+dfsg-11+deb12u2
-CVE-2023-51714
- [bookworm] - qtbase-opensource-src 5.15.8+dfsg-11+deb12u2
-CVE-2023-24329
- [bookworm] - pypy3 7.3.11+dfsg-2+deb12u2
-CVE-2023-40217
- [bookworm] - pypy3 7.3.11+dfsg-2+deb12u2
-CVE-2023-6597
- [bookworm] - pypy3 7.3.11+dfsg-2+deb12u2
-CVE-2024-0450
- [bookworm] - pypy3 7.3.11+dfsg-2+deb12u2
-CVE-2024-0450
- [bookworm] - python3.11 3.11.2-6+deb12u2
-CVE-2023-6597
- [bookworm] - python3.11 3.11.2-6+deb12u2
-CVE-2023-41105
- [bookworm] - python3.11 3.11.2-6+deb12u2
-CVE-2023-40217
- [bookworm] - python3.11 3.11.2-6+deb12u2
-CVE-2023-24329
- [bookworm] - python3.11 3.11.2-6+deb12u2
-CVE-2024-28102
- [bookworm] - python-jwcrypto 1.1.0-1+deb12u1
-CVE-2024-XXXX [tryton zipbomb DoS]
- [bookworm] - tryton-server 6.0.29-2+deb12u2
-CVE-2024-3446
- [bookworm] - qemu 1:7.2+dfsg-7+deb12u6
-CVE-2024-3447
- [bookworm] - qemu 1:7.2+dfsg-7+deb12u6
-CVE-2024-26327
- [bookworm] - qemu 1:7.2+dfsg-7+deb12u6
-CVE-2024-26328
- [bookworm] - qemu 1:7.2+dfsg-7+deb12u6
-CVE-2023-51765
- [bookworm] - sendmail 8.17.1.9-2+deb12u1
-CVE-2023-47855
- [bookworm] - intel-microcode 3.20240514.1~deb12u1
-CVE-2023-45745
- [bookworm] - intel-microcode 3.20240514.1~deb12u1
-CVE-2023-46103
- [bookworm] - intel-microcode 3.20240514.1~deb12u1
-CVE-2023-45733
- [bookworm] - intel-microcode 3.20240514.1~deb12u1
-CVE-2024-5742
- [bookworm] - nano 7.2-1+deb12u1
-CVE-2024-0090
- [bookworm] - nvidia-graphics-drivers-tesla-470 470.256.02-1~deb12u1
-CVE-2024-0092
- [bookworm] - nvidia-graphics-drivers-tesla-470 470.256.02-1~deb12u1
-CVE-2024-3651
- [bookworm] - python-idna 3.3-1+deb12u1
-CVE-2024-27305
- [bookworm] - python-aiosmtpd 1.4.3-1.1+deb12u1
-CVE-2024-34083
- [bookworm] - python-aiosmtpd 1.4.3-1.1+deb12u1
-CVE-2022-48622
- [bookworm] - gdk-pixbuf 2.42.10+dfsg-1+deb12u1
-CVE-2023-27349
- [bookworm] - bluez 5.66-1+deb12u2
-CVE-2023-50229
- [bookworm] - bluez 5.66-1+deb12u2
-CVE-2023-50230
- [bookworm] - bluez 5.66-1+deb12u2
-CVE-2024-28834
- [bookworm] - gnutls28 3.7.9-2+deb12u3
-CVE-2024-28835
- [bookworm] - gnutls28 3.7.9-2+deb12u3
-CVE-2024-5629
- [bookworm] - pymongo 3.11.0-1+deb12u1
-CVE-2024-0092
- [bookworm] - nvidia-graphics-drivers 535.183.01-1~deb12u1
-CVE-2024-0090
- [bookworm] - nvidia-graphics-drivers 535.183.01-1~deb12u1
-CVE-2024-0090
- [bookworm] - nvidia-open-gpu-kernel-modules 535.183.01-1~deb12u1
-CVE-2024-0092
- [bookworm] - nvidia-open-gpu-kernel-modules 535.183.01-1~deb12u1
CVE-2023-43040
[bookworm] - ceph 16.2.11+ds-2+deb12u1
CVE-2023-40481
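Review bot: most of the lines removed from next-point-update.txt here have no matching hunk in data/CVE/list in this diff (for example systemd for CVE-2023-50387/50868, the phpseclib packages, curl 7.88.1-10+deb12u6, intel-microcode, gnutls28, qemu, pymongo, wpa, the nvidia packages, glewlwyd for CVE-2024-25715, bluez for CVE-2023-50229/50230 and ovn for CVE-2024-2182). Please confirm those entries already carry the bookworm fixed versions in data/CVE/list, otherwise dropping them from this file loses the only record that they were part of 12.6. The removed `CVE-2024-XXXX [tryton zipbomb DoS]` placeholder for tryton-server 6.0.29-2+deb12u2 deserves the same check, since an issue without an assigned CVE id has no other entry to fall back on.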
@@ -204,14 +46,10 @@ CVE-2024-1141
[bookworm] - python-glance-store 4.1.1-0+deb12u1
CVE-2023-4237
[bookworm] - ansible 7.7.0+dfsg-3+deb12u1
-CVE-2024-XXXX [validate a server certificate in a TLS-based server-server connection]
- [bookworm] - ngircd 26.1-1+deb12u1
CVE-2024-31755
[bookworm] - cjson 1.7.15-1+deb12u2
CVE-2023-52890
[bookworm] - ntfs-3g 1:2022.10.3-1+deb12u1
-CVE-2023-50967
- [bookworm] - jose 11-2+deb12u1
CVE-2023-40546
[bookworm] - shim 15.8-1~deb12u1
CVE-2023-40547
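Review bot: the `CVE-2024-XXXX [validate a server certificate in a TLS-based server-server connection]` placeholder for ngircd 26.1-1+deb12u1 and the CVE-2023-50967 line for jose 11-2+deb12u1 are removed, but neither package appears in the data/CVE/list hunks of this diff. Please confirm the ngircd issue is recorded under its placeholder or a TEMP id elsewhere in data/CVE/list with the bookworm fixed version, and that CVE-2023-50967 already lists jose 11-2+deb12u1 for bookworm, so that the point-release fixes remain traceable after this cleanup.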
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b5b7075ca3798275d8414c8a34bcd341f496679a...c6d104e2206acca12e2e3897aeb61cb71aa4bc51