[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso (@carnil) carnil at debian.org
Mon Mar 25 08:12:19 GMT 2024



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5d55976a by security tracker role at 2024-03-25T08:12:02+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,53 @@
+CVE-2024-2863 (This vulnerability allows remote attackers to traverse paths via file  ...)
+	TODO: check
+CVE-2024-2862 (This vulnerability allows remote attackers to reset the password of an ...)
+	TODO: check
+CVE-2024-29216 (Exposed IOCTL with insufficient access control issue exists in cg6kwin ...)
+	TODO: check
+CVE-2024-29194 (OneUptime is a solution for monitoring and managing online services. T ...)
+	TODO: check
+CVE-2024-29188 (WiX toolset lets developers create installers for Windows Installer, t ...)
+	TODO: check
+CVE-2024-29187 (WiX toolset lets developers create installers for Windows Installer, t ...)
+	TODO: check
+CVE-2024-29071 (HGW BL1500HM Ver 002.001.013 and earlier contains a use of week creden ...)
+	TODO: check
+CVE-2024-29034 (CarrierWave is a solution for file uploads for Rails, Sinatra and othe ...)
+	TODO: check
+CVE-2024-29009 (Cross-site request forgery (CSRF) vulnerability in easy-popup-show all ...)
+	TODO: check
+CVE-2024-28041 (HGW BL1500HM Ver 002.001.013 and earlier allows a network-adjacent una ...)
+	TODO: check
+CVE-2024-24899 (Improper Neutralization of Special Elements used in an OS Command ('OS ...)
+	TODO: check
+CVE-2024-24897 (Improper Neutralization of Special Elements used in a Command ('Comman ...)
+	TODO: check
+CVE-2024-24892 (Improper Neutralization of Special Elements used in an OS Command ('OS ...)
+	TODO: check
+CVE-2024-24890 (Improper Neutralization of Special Elements used in an OS Command ('OS ...)
+	TODO: check
+CVE-2024-21865 (HGW BL1500HM Ver 002.001.013 and earlier contains a use of week creden ...)
+	TODO: check
+CVE-2024-21505 (Versions of the package web3-utils before 4.2.1 are vulnerable to Prot ...)
+	TODO: check
+CVE-2024-1962 (The CM Download Manager  WordPress plugin before 2.9.1 does not have C ...)
+	TODO: check
+CVE-2024-1564 (The wp-schema-pro WordPress plugin before 2.7.16 does not validate pos ...)
+	TODO: check
+CVE-2024-1232 (The CM Download Manager  WordPress plugin before 2.9.0 does not have C ...)
+	TODO: check
+CVE-2024-1231 (The CM Download Manager  WordPress plugin before 2.9.0 does not have C ...)
+	TODO: check
+CVE-2023-37886 (Missing Authorization vulnerability in InspiryThemes RealHomes.This is ...)
+	TODO: check
+CVE-2023-37885 (Missing Authorization vulnerability in InspiryThemes RealHomes.This is ...)
+	TODO: check
+CVE-2023-33923 (Missing Authorization vulnerability in HashThemes Viral News, HashThem ...)
+	TODO: check
+CVE-2020-36826 (A vulnerability was found in AwesomestCode LiveBot. It has been classi ...)
+	TODO: check
+CVE-2020-36825 (A vulnerability has been found in cyberaz0r WebRAT up to 20191222 and  ...)
+	TODO: check
 CVE-2024-27281 [RCE vulnerability with .rdoc_options in RDoc]
 	- ruby3.2 <unfixed>
 	- ruby3.1 <unfixed>
@@ -62,7 +112,7 @@ CVE-2018-25100 (The Mojolicious module before 7.66 for Perl may leak cookies in
 	NOTE: https://github.com/mojolicious/mojo/pull/1192
 	NOTE: https://github.com/mojolicious/mojo/issues/1185
 	NOTE: https://github.com/mojolicious/mojo/commit/c16a56a9d6575ddc53d15e76d58f0ebcb0eeb149 (v7.66)
-CVE-2024-30187 [possibility to reset password for suspended accounts]
+CVE-2024-30187 (Anope before 2.0.15 does not prevent resetting the password of a suspe ...)
 	- anope 2.0.15-1
 	NOTE: https://github.com/anope/anope/issues/351
 	NOTE: https://github.com/anope/anope/commit/2b7872139c40ea5b0ca96c1d6595b7d5f9fa60a5 (2.0.15)
@@ -1068,6 +1118,7 @@ CVE-2024-1145 (User enumeration vulnerability in Devklan's Alma Blog that affect
 CVE-2024-1144 (Improper access control vulnerability in Devklan's Alma Blog that affe ...)
 	NOT-FOR-US: Devklan's Alma Blog
 CVE-2024-0450 (An issue was found in the CPython `zipfile` module affecting versions  ...)
+	{DLA-3772-1 DLA-3771-1}
 	- python3.12 3.12.2-1
 	- python3.11 3.11.8-1
 	- python3.10 <unfixed>
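Review bot: CVE-2024-0450 receives two advisories, `{DLA-3772-1 DLA-3771-1}`, while the companion CPython entry CVE-2023-6597 in the next hunk receives only `{DLA-3772-1}`; confirm the asymmetry is intended (DLA-3771-1 covering this CVE alone) rather than a copy of the two-id form, since the advisory set is the only place this file records which LTS suites are closed.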
@@ -1084,6 +1135,7 @@ CVE-2024-0450 (An issue was found in the CPython `zipfile` module affecting vers
 	NOTE: https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51 (v3.9.19)
 	NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/
 CVE-2023-6597 (An issue was found in the CPython `tempfile.TemporaryDirectory` class  ...)
+	{DLA-3772-1}
 	- python3.12 3.12.1-1
 	- python3.11 3.11.8-1
 	- python3.10 <unfixed>
@@ -19756,7 +19808,7 @@ CVE-2023-49356 (A stack buffer overflow vulnerability in MP3Gain v1.6.2 allows a
 	NOTE: https://github.com/linzc21/bug-reports/blob/main/reports/mp3gain/1.6.2/stack-buffer-overflow/CVE-2023-49356.md
 	NOTE: Likely the same and duplicate of CVE-2018-10777 and covered by the same fixes applied
 CVE-2023-49088 (Cacti is an open source operational monitoring and fault management fr ...)
-	{DLA-3765-1}
+	{DSA-5646-1 DLA-3765-1}
 	- cacti 1.2.26+ds1-1
 	NOTE: Caused by an incomplete fix for CVE-2023-39515
 	NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-q7g7-gcf6-wh4x
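Review bot: the NOTE on CVE-2023-49088 says it was caused by an incomplete fix for CVE-2023-39515, yet no hunk in this commit touches CVE-2023-39515; if DSA-5646-1 shipped the complete fix, check whether that earlier entry also needs the DSA id so the two related entries do not disagree about bookworm coverage.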
@@ -19766,7 +19818,7 @@ CVE-2023-49088 (Cacti is an open source operational monitoring and fault managem
 	NOTE: https://github.com/Cacti/cacti/commit/59e39b34f8f1d80b28d38a391d7aa6e7a3302f5b (release/1.2.26)
 	NOTE: https://github.com/Cacti/cacti/commit/56f9d99e6e5ab434ea18fa344236f41e78f99c59 (1.2.x)
 CVE-2023-49085 (Cacti provides an operational monitoring and fault management framewor ...)
-	{DLA-3765-1}
+	{DSA-5646-1 DLA-3765-1}
 	- cacti 1.2.26+ds1-1
 	NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855
 	NOTE: https://github.com/Cacti/cacti/commit/5f451bc680d7584525d18026836af2a1e31b2188 (release/1.2.26)
@@ -19885,12 +19937,12 @@ CVE-2023-49678
 CVE-2023-49677 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL Injectio ...)
 	NOT-FOR-US: Job Portal
 CVE-2023-49086 (Cacti is a robust performance and fault management framework and a fro ...)
-	{DLA-3765-1}
+	{DSA-5646-1 DLA-3765-1}
 	- cacti 1.2.26+ds1-1 (bug #1059254)
 	NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-wc73-r2vw-59pr
 	NOTE: https://github.com/Cacti/cacti/commit/56f9d99e6e5ab434ea18fa344236f41e78f99c59 (1.2.x)
 CVE-2023-49084 (Cacti is a robust performance and fault management framework and a fro ...)
-	{DLA-3765-1}
+	{DSA-5646-1 DLA-3765-1}
 	- cacti 1.2.26+ds1-1 (bug #1059254)
 	NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp
 	NOTE: https://github.com/Cacti/cacti/commit/5f451bc680d7584525d18026836af2a1e31b2188 (release/1.2.26)
@@ -33523,7 +33575,7 @@ CVE-2023-42669 (A vulnerability was found in Samba's "rpcecho" development serve
 	[buster] - samba <ignored> (Domain controller functionality is EOLed, see DSA-5015-1)
 	NOTE: https://www.samba.org/samba/security/CVE-2023-42669.html
 CVE-2023-4091 (A vulnerability was discovered in Samba, where the flaw allows SMB cli ...)
-	{DSA-5525-1}
+	{DSA-5647-1 DSA-5525-1}
 	- samba 2:4.19.1+dfsg-1
 	NOTE: https://www.samba.org/samba/security/CVE-2023-4091.html
 	NOTE: In scope for continued Samba support
@@ -38582,7 +38634,7 @@ CVE-2023-39514 (Cacti is an open source operational monitoring and fault managem
 	NOTE: https://github.com/Cacti/cacti/commit/8d8aeec0eca3be7b10a12e6c2a78e6560bcef43e (release/1.2.25)
 	NOTE: Introduced by: https://github.com/Cacti/cacti/commit/75c147b70493d188ad85313569f86e33e13988b2 (release/1.2.17)
 CVE-2023-39513 (Cacti is an open source operational monitoring and fault management fr ...)
-	{DLA-3765-1}
+	{DSA-5646-1 DLA-3765-1}
 	- cacti 1.2.25+ds1-1
 	NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-9fj7-8f2j-2rw2
 	NOTE: Initial fix (partially reverted): https://github.com/Cacti/cacti/commit/976f44dd8dfb2410e0dba00de9c4bbca17ee8910 (release/1.2.25)
@@ -38641,7 +38693,7 @@ CVE-2023-39361 (Cacti is an open source operational monitoring and fault managem
 	NOTE: but the patch still fixes multiple similar issues including one present in earlier versions.
 	NOTE: Additional hardening with CVE-2023-39365.
 CVE-2023-39360 (Cacti is an open source operational monitoring and fault management fr ...)
-	{DLA-3765-1}
+	{DSA-5646-1 DLA-3765-1}
 	- cacti 1.2.25+ds1-1
 	NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-gx8c-xvjh-9qh4
 	NOTE: Initial fix: https://github.com/cacti/cacti/commit/9696bbd8060c7332b11b709f4dd17e6c3776bba2 (release/1.2.25)
@@ -45164,7 +45216,7 @@ CVE-2023-3347 (A vulnerability was found in Samba's SMB2 packet signing mechanis
 	[buster] - samba <not-affected> (Vulnerable code not present)
 	NOTE: https://www.samba.org/samba/security/CVE-2023-3347.html
 CVE-2023-34968 (A path disclosure vulnerability was found in Samba. As part of the Spo ...)
-	{DSA-5477-1}
+	{DSA-5647-1 DSA-5477-1}
 	- samba 2:4.18.5+dfsg-1
 	[buster] - samba <ignored> (spotlight enabled in 4.13.13+dfsg-1 - bullseye)
 	NOTE: https://www.samba.org/samba/security/CVE-2023-34968.html
@@ -45177,13 +45229,13 @@ CVE-2023-42464 (A Type Confusion vulnerability was found in the Spotlight RPC fu
 	NOTE: Fixed by: https://github.com/Netatalk/netatalk/commit/a0ee3c246ee9e082436192290610a4d812fc0b7f (main)
 	NOTE: Fixed by: https://github.com/Netatalk/netatalk/commit/f6364ef0e5f1b7de88c5e837434af8a5df4c4c75 (netatalk-3-1-17)
 CVE-2023-34967 (A Type Confusion vulnerability was found in Samba's mdssvc RPC service ...)
-	{DSA-5477-1}
+	{DSA-5647-1 DSA-5477-1}
 	- samba 2:4.18.5+dfsg-1
 	[buster] - samba <ignored> (spotlight enabled in 4.13.13+dfsg-1 - bullseye)
 	NOTE: https://www.samba.org/samba/security/CVE-2023-34967.html
 	NOTE: severity:unimportant for buster backwards, but we don't have suite-specific severity annotations
 CVE-2023-34966 (An infinite loop vulnerability was found in Samba's mdssvc RPC service ...)
-	{DSA-5477-1}
+	{DSA-5647-1 DSA-5477-1}
 	- samba 2:4.18.5+dfsg-1
 	[buster] - samba <ignored> (spotlight enabled in 4.13.13+dfsg-1 - bullseye)
 	NOTE: https://www.samba.org/samba/security/CVE-2023-34966.html
@@ -56638,8 +56690,8 @@ CVE-2023-30482 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerabi
 	NOT-FOR-US: WordPress plugin
 CVE-2023-30481 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Alexey G ...)
 	NOT-FOR-US: WordPress plugin
-CVE-2023-30480
-	RESERVED
+CVE-2023-30480 (Missing Authorization vulnerability in Sparkle WP Educenter.This issue ...)
+	TODO: check
 CVE-2023-30479
 	RESERVED
 CVE-2023-30478 (Cross-Site Request Forgery (CSRF) vulnerability in Tribulant Newslette ...)
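Review bot: the CVE-2023-30480 description names Sparkle WP Educenter, a WordPress theme, and its immediate neighbours CVE-2023-30482 and CVE-2023-30481 are already annotated `NOT-FOR-US: WordPress plugin`; the new `TODO: check` can be resolved to the same annotation in the follow-up triage rather than left open.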
@@ -102730,7 +102782,7 @@ CVE-2022-42705 (A use-after-free in res_pjsip_pubsub.c in Sangoma Asterisk 16.28
 CVE-2022-42704 (A cross-site scripting (XSS) vulnerability in Employee Service Center  ...)
 	NOT-FOR-US: Employee Service Center
 CVE-2022-3437 (A heap-based buffer overflow vulnerability was found in Samba within t ...)
-	{DSA-5287-1 DLA-3206-1}
+	{DSA-5647-1 DSA-5287-1 DLA-3206-1}
 	- samba 2:4.16.6+dfsg-1
 	- heimdal 7.8.git20221115.a6cf945+dfsg-1 (bug #1024187)
 	NOTE: https://www.samba.org/samba/security/CVE-2022-3437.html
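Review bot: CVE-2022-3437 lists two source packages, samba and heimdal (bug #1024187), but the advisory set `{DSA-5647-1 DSA-5287-1 DLA-3206-1}` cannot express which package each advisory fixed; every other DSA-5647-1 addition in this commit is on a samba entry, so a NOTE stating that DSA-5647-1 covers the samba package only would stop readers from taking it as closing the heimdal side as well.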
@@ -119735,8 +119787,8 @@ CVE-2018-25045 (Django REST framework (aka django-rest-framework) before 3.9.1 a
 	{DSA-5186-1}
 	- djangorestframework 3.10.2-1
 	NOTE: https://github.com/encode/django-rest-framework/commit/4bb9a3c48427867ef1e46f7dee945a4c25a4f9b8 (3.9.1)
-CVE-2022-36407
-	RESERVED
+CVE-2022-36407 (Insertion of Sensitive Information into Log File vulnerability in Hita ...)
+	TODO: check
 CVE-2022-36389 (Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Mes ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2022-36386 (Authenticated Arbitrary Code Execution vulnerability in Soflyy Import  ...)
@@ -126688,7 +126740,7 @@ CVE-2022-2129 (Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.)
 CVE-2022-2128 (Unrestricted Upload of File with Dangerous Type in GitHub repository p ...)
 	NOT-FOR-US: Trudesk
 CVE-2022-2127 (An out-of-bounds read vulnerability was found in Samba due to insuffic ...)
-	{DSA-5477-1}
+	{DSA-5647-1 DSA-5477-1}
 	- samba 2:4.18.5+dfsg-1
 	NOTE: https://www.samba.org/samba/security/CVE-2022-2127.html
 	NOTE: In scope for continued Samba support
@@ -175868,7 +175920,7 @@ CVE-2021-42741
 CVE-2021-42740 (The shell-quote package before 1.7.3 for Node.js allows command inject ...)
 	- node-shell-quote 1.7.3+~1.7.1-1 (bug #998418)
 	NOTE: https://github.com/substack/node-shell-quote/commit/5799416ed454aa4ec9afafc895b4e31760ea1abe (1.7.3)
-CVE-2021-42739 (A heap-based buffer overflow flaw was found in the Linux kernel FireDT ...)
+CVE-2021-42739 (The firewire subsystem in the Linux kernel through 5.14.13 has a buffe ...)
 	{DSA-5096-1 DLA-2941-1 DLA-2843-1}
 	- linux 5.14.16-1
 	[bullseye] - linux 5.10.84-1
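Review bot: no tracking change is needed for CVE-2021-42739: the new description's "through 5.14.13" bound is consistent with the recorded fix linux 5.14.16-1 and the bullseye line, and the `{DSA-5096-1 DLA-2941-1 DLA-2843-1}` set is untouched; only the description text changed, so this hunk should not be read as a re-triage.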
@@ -200115,8 +200167,8 @@ CVE-2021-33634 (iSulad uses the lcr+lxc runtime (default) to run malicious image
 	NOT-FOR-US: OpenEuler lcr
 CVE-2021-33633 (Improper Neutralization of Special Elements used in an OS Command ('OS ...)
 	NOT-FOR-US: openEuler aops-ceres
-CVE-2021-33632
-	RESERVED
+CVE-2021-33632 (Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in ope ...)
+	TODO: check
 CVE-2021-33631 (Integer Overflow or Wraparound vulnerability in openEuler kernel on Li ...)
 	- linux 6.1.4-1
 	[bullseye] - linux 5.10.178-1
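Review bot: CVE-2021-33632 is an openEuler TOCTOU issue whose truncated description ends at "ope", and it sits between CVE-2021-33633 (`NOT-FOR-US: openEuler aops-ceres`) and CVE-2021-33631, which this file tracks against the linux package; the triage needs to determine whether the affected component is openEuler userland (NOT-FOR-US, like the former neighbour) or the openEuler kernel, where CVE-2021-33631 shows such issues can still map to Debian's linux package.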



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d55976a1e042c0466e5028e30db1e910a577c8b
