[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Wed Feb 5 20:12:09 GMT 2025
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ca9fee9b by security tracker role at 2025-02-05T20:12:02+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,27 +1,143 @@
-CVE-2023-52925 [netfilter: nf_tables: don't fail inserts if duplicate has expired]
+CVE-2025-24805 (Mobile Security Framework (MobSF) is an automated, all-in-one mobile a ...)
+ TODO: check
+CVE-2025-24804 (Mobile Security Framework (MobSF) is an automated, all-in-one mobile a ...)
+ TODO: check
+CVE-2025-24803 (Mobile Security Framework (MobSF) is an automated, all-in-one mobile a ...)
+ TODO: check
+CVE-2025-24497 (When URL categorization is configured on a virtual server, undisclosed ...)
+ TODO: check
+CVE-2025-24372 (CKAN is an open-source DMS (data management system) for powering data ...)
+ TODO: check
+CVE-2025-24326 (When BIG-IP Advanced WAF/ASM Behavioral DoS (BADoS) TLS Signatures fea ...)
+ TODO: check
+CVE-2025-24320 (A stored cross-site scripting (XSS) vulnerability exists in an undiscl ...)
+ TODO: check
+CVE-2025-24319 (When BIG-IP Next Central Manager is running, undisclosed requests to t ...)
+ TODO: check
+CVE-2025-24312 (When BIG-IP AFM is provisioned with IPS module enabled and protocol in ...)
+ TODO: check
+CVE-2025-23419 (When multiple server blocks are configured to share the same IP addres ...)
+ TODO: check
+CVE-2025-23415 (An insufficient verification of data authenticity vulnerability exists ...)
+ TODO: check
+CVE-2025-23413 (When users log in through the webUI or API using local authentication, ...)
+ TODO: check
+CVE-2025-23412 (When BIG-IP APM Access Profile is configured on a virtual server, undi ...)
+ TODO: check
+CVE-2025-23239 (When running in Appliance mode, an authenticated remote command inject ...)
+ TODO: check
+CVE-2025-22891 (When BIG-IP PEM Control Plane listener Virtual Server is configured wi ...)
+ TODO: check
+CVE-2025-22846 (When SIP Session and Router ALG profiles are configured on a Message R ...)
+ TODO: check
+CVE-2025-21117 (Dell Avamar, version 19.4 or later, contains an access token reuse vul ...)
+ TODO: check
+CVE-2025-21091 (When SNMP v1 or v2c are disabled on the BIG-IP, undisclosed requests c ...)
+ TODO: check
+CVE-2025-21087 (When Client or Server SSL profiles are configured on a Virtual Server, ...)
+ TODO: check
+CVE-2025-20207 (A vulnerability in Simple Network Management Protocol (SNMP) polling f ...)
+ TODO: check
+CVE-2025-20205 (A vulnerability in the web-based management interface of Cisco Identit ...)
+ TODO: check
+CVE-2025-20204 (A vulnerability in the web-based management interface of Cisco Identit ...)
+ TODO: check
+CVE-2025-20185 (A vulnerability in the implementation of the remote access functionali ...)
+ TODO: check
+CVE-2025-20184 (A vulnerability in the web-based management interface of Cisco AsyncOS ...)
+ TODO: check
+CVE-2025-20183 (A vulnerability in a policy-based Cisco Application Visibility and Con ...)
+ TODO: check
+CVE-2025-20180 (A vulnerability in the web-based management interface of Cisco AsyncOS ...)
+ TODO: check
+CVE-2025-20179 (A vulnerability in the web-based management interface of Cisco Express ...)
+ TODO: check
+CVE-2025-20176 (A vulnerability in the SNMP subsystem of Cisco IOS Software and Cisco ...)
+ TODO: check
+CVE-2025-20175 (A vulnerability in the SNMP subsystem of Cisco IOS Software and Cisco ...)
+ TODO: check
+CVE-2025-20174 (A vulnerability in the SNMP subsystem of Cisco IOS Software and Cisco ...)
+ TODO: check
+CVE-2025-20173 (A vulnerability in the SNMP subsystem of Cisco IOS Software and Cisco ...)
+ TODO: check
+CVE-2025-20172 (A vulnerability in the SNMP subsystem of Cisco IOS Software, Cisco IOS ...)
+ TODO: check
+CVE-2025-20171 (A vulnerability in the SNMP subsystem of Cisco IOS Software and Cisco ...)
+ TODO: check
+CVE-2025-20170 (A vulnerability in the SNMP subsystem of Cisco IOS Software and Cisco ...)
+ TODO: check
+CVE-2025-20169 (A vulnerability in the SNMP subsystem of Cisco IOS Software and Cisco ...)
+ TODO: check
+CVE-2025-20125 (A vulnerability in an API of Cisco ISE could allow an authenticated, r ...)
+ TODO: check
+CVE-2025-20124 (A vulnerability in an API of Cisco ISE could allow an authenticated, r ...)
+ TODO: check
+CVE-2025-20058 (When a BIG-IP message routing profile is configured on a virtual serve ...)
+ TODO: check
+CVE-2025-20045 (When SIP session Application Level Gateway mode (ALG) profile with Pas ...)
+ TODO: check
+CVE-2025-20029 (Command injection vulnerability exists in iControl REST and BIG-IP TMO ...)
+ TODO: check
+CVE-2025-0858 (A vulnerability was discovered in the firmware builds up to 8.2.1.0820 ...)
+ TODO: check
+CVE-2024-9631 (An issue was discovered in GitLab CE/EE affecting all versions startin ...)
+ TODO: check
+CVE-2024-9097 (ManageEngine Endpoint Central versions before11.3.2440.09 are vulnerab ...)
+ TODO: check
+CVE-2024-6356 (An issue was discovered in GitLab EE affecting all versions starting f ...)
+ TODO: check
+CVE-2024-56135 (Improper Input Validation vulnerability of Authenticated User in Progr ...)
+ TODO: check
+CVE-2024-56134 (Improper Input Validation vulnerability of Authenticated User in Progr ...)
+ TODO: check
+CVE-2024-56133 (Improper Input Validation vulnerability of Authenticated User in Progr ...)
+ TODO: check
+CVE-2024-56132 (Improper Input Validation vulnerability of Authenticated User in Progr ...)
+ TODO: check
+CVE-2024-56131 (Improper Input Validation vulnerability of Authenticated User in Progr ...)
+ TODO: check
+CVE-2024-52365 (IBM Cloud Pak for Business Automation18.0.0, 18.0.1, 18.0.2, 19.0.1, 1 ...)
+ TODO: check
+CVE-2024-52364 (IBM Cloud Pak for Business Automation18.0.0, 18.0.1, 18.0.2, 19.0.1, 1 ...)
+ TODO: check
+CVE-2024-49352 (IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 1 ...)
+ TODO: check
+CVE-2024-49348 (IBM Cloud Pak for Business Automation18.0.0, 18.0.1, 18.0.2, 19.0.1, 1 ...)
+ TODO: check
+CVE-2024-42207 (HCL iAutomate is affected by a session fixation vulnerability. An atta ...)
+ TODO: check
+CVE-2024-3976 (An issue has been discovered in GitLab CE/EE affecting all versions st ...)
+ TODO: check
+CVE-2024-39564 (This is a similar, but different vulnerability than the issue reported ...)
+ TODO: check
+CVE-2024-2878 (An issue has been discovered in GitLab CE/EE affecting all versions st ...)
+ TODO: check
+CVE-2024-1539 (An issue has been discovered in GitLab EE affecting all versions start ...)
+ TODO: check
+CVE-2023-52925 (In the Linux kernel, the following vulnerability has been resolved: n ...)
- linux 6.4.13-1
[bookworm] - linux <not-affected> (Vulnerable code not present)
[bullseye] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/7845914f45f066497ac75b30c50dbc735e84e884 (6.5-rc7)
-CVE-2023-52924 [netfilter: nf_tables: don't skip expired elements during walk]
+CVE-2023-52924 (In the Linux kernel, the following vulnerability has been resolved: n ...)
- linux 6.4.11-1
[bookworm] - linux 6.1.64-1
[bullseye] - linux 5.10.205-1
NOTE: https://git.kernel.org/linus/24138933b97b055d486e8064b4a1721702442a9b (6.5-rc6)
-CVE-2025-0167 [netrc and default credential leak]
+CVE-2025-0167 (When asked to use a `.netrc` file for credentials **and** to follow HT ...)
- curl <unfixed>
[bullseye] - curl <not-affected> (Vulnerable code introduced later)
NOTE: https://curl.se/docs/CVE-2025-0167.html
NOTE: Introduced with: https://github.com/curl/curl/commit/46620b97431e19c53ce82e55055c85830f088cf4 (curl-7_76_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/0e120c5b925e8ca75d5319e319e5ce4b8080d8eb (curl-8_12_0)
-CVE-2025-0665 [eventfd double close]
+CVE-2025-0665 (libcurl would wrongly close the same eventfd file descriptor twice whe ...)
- curl <unfixed>
[bookworm] - curl <not-affected> (Vulnerable code not present)
[bullseye] - curl <not-affected> (Vulnerable code not present)
NOTE: https://curl.se/docs/CVE-2025-0665.html
NOTE: Introduced with: https://github.com/curl/curl/commit/92124838c6b7e09e3f35ff84e1eb63cf0105c9b5 (curl-8_11_1)
NOTE: Fixed by: https://github.com/curl/curl/commit/ff5091aa9f73802e894b1cbdf24ab84e103200e2 (curl-8_12_0)
-CVE-2025-0725 [gzip integer overflow]
+CVE-2025-0725 (When libcurl is asked to perform automatic gzip decompression of conte ...)
- curl <unfixed> (unimportant)
NOTE: https://curl.se/docs/CVE-2025-0725.html
NOTE: Introduced with: https://github.com/curl/curl/commit/019c4088cfcca0d2b7c5cc4f52ca5dac0c616089 (curl-7_10_5)
@@ -217,6 +333,7 @@ CVE-2025-1020 (Memory safety bugs present in Firefox 134 and Thunderbird 134. So
- firefox 135.0-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-07/#CVE-2025-1020
CVE-2025-1017 (Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ES ...)
+ {DSA-5858-1}
- firefox 135.0-1
- firefox-esr 128.7.0esr-1
- thunderbird <unfixed>
@@ -224,6 +341,7 @@ CVE-2025-1017 (Memory safety bugs present in Firefox 134, Thunderbird 134, Firef
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-09/#CVE-2025-1017
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-10/#CVE-2025-1017
CVE-2025-1016 (Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ES ...)
+ {DSA-5858-1}
- firefox 135.0-1
- firefox-esr 128.7.0esr-1
- thunderbird <unfixed>
@@ -234,6 +352,7 @@ CVE-2025-1015 (The Thunderbird Address Book URI fields contained unsanitized lin
- thunderbird <unfixed>
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-10/#CVE-2025-1015
CVE-2025-1014 (Certificate length was not properly checked when added to a certificat ...)
+ {DSA-5858-1}
- firefox 135.0-1
- firefox-esr 128.7.0esr-1
- thunderbird <unfixed>
@@ -241,6 +360,7 @@ CVE-2025-1014 (Certificate length was not properly checked when added to a certi
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-09/#CVE-2025-1014
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-10/#CVE-2025-1014
CVE-2025-1013 (A race condition could have led to private browsing tabs being opened ...)
+ {DSA-5858-1}
- firefox 135.0-1
- firefox-esr 128.7.0esr-1
- thunderbird <unfixed>
@@ -251,6 +371,7 @@ CVE-2025-1019 (The z-order of the browser windows could be manipulated to hide t
- firefox 135.0-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-07/#CVE-2025-1019
CVE-2025-1012 (A race during concurrent delazification could have led to a use-after- ...)
+ {DSA-5858-1}
- firefox 135.0-1
- firefox-esr 128.7.0esr-1
- thunderbird <unfixed>
@@ -258,6 +379,7 @@ CVE-2025-1012 (A race during concurrent delazification could have led to a use-a
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-09/#CVE-2025-1012
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-10/#CVE-2025-1012
CVE-2025-1011 (A bug in WebAssembly code generation could have lead to a crash. It ma ...)
+ {DSA-5858-1}
- firefox 135.0-1
- firefox-esr 128.7.0esr-1
- thunderbird <unfixed>
@@ -268,6 +390,7 @@ CVE-2025-1018 (The fullscreen notification is prematurely hidden when fullscreen
- firefox 135.0-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-07/#CVE-2025-1018
CVE-2025-1010 (An attacker could have caused a use-after-free via the Custom Highligh ...)
+ {DSA-5858-1}
- firefox 135.0-1
- firefox-esr 128.7.0esr-1
- thunderbird <unfixed>
@@ -275,6 +398,7 @@ CVE-2025-1010 (An attacker could have caused a use-after-free via the Custom Hig
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-09/#CVE-2025-1010
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2025-10/#CVE-2025-1010
CVE-2025-1009 (An attacker could have caused a use-after-free via crafted XSLT data, ...)
+ {DSA-5858-1}
- firefox 135.0-1
- firefox-esr 128.7.0esr-1
- thunderbird <unfixed>
@@ -4816,7 +4940,7 @@ CVE-2024-10498 (CWE-119: Improper Restriction of Operations within the Bounds of
NOT-FOR-US: Schneider Electric
CVE-2024-10497 (CWE-639: Authorization Bypass Through User-Controlled Key vulnerabilit ...)
NOT-FOR-US: Schneider Electric
-CVE-2024-7596 [networkmanager: UDP encapsulation protocol excessive trust]
+CVE-2024-7596 (Proposed Generic UDP Encapsulation (GUE) (IETF Draft) do not validate ...)
NOT-FOR-US: IP tunnel protocol issue
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2317264
NOTE: https://papers.mathyvanhoef.com/usenix2025-tunnels.pdf
@@ -4824,7 +4948,7 @@ CVE-2024-7596 [networkmanager: UDP encapsulation protocol excessive trust]
NOTE: https://www.top10vpn.com/research/tunneling-protocol-vulnerability/
NOTE: https://kb.cert.org/vuls/id/199397
NOTE: https://www.openwall.com/lists/oss-security/2025/01/21/10
-CVE-2024-7595 [networkmanager: GRE & GRE6 protocol excessive trust]
+CVE-2024-7595 (GRE and GRE6 Protocols (RFC2784) do not validate or verify the source ...)
NOT-FOR-US: IP tunnel protocol issue
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2317262
NOTE: https://papers.mathyvanhoef.com/usenix2025-tunnels.pdf
@@ -19559,6 +19683,7 @@ CVE-2024-11698 (A flaw in handling fullscreen transitions may have inadvertently
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-64/#CVE-2024-11698
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-68/#CVE-2024-11698
CVE-2024-11704 (A double-free issue could have occurred in `sec_pkcs7_decoder_start_de ...)
+ {DSA-5858-1}
- firefox 134.0-1
- firefox-esr <unfixed>
- thunderbird <unfixed>
@@ -51733,7 +51858,8 @@ CVE-2024-41072 (In the Linux kernel, the following vulnerability has been resolv
- linux 6.9.11-1
[bookworm] - linux 6.1.106-1
NOTE: https://git.kernel.org/linus/6ef09cdc5ba0f93826c09d810c141a8d103a80fc (6.10-rc5)
-CVE-2024-41071 (In the Linux kernel, the following vulnerability has been resolved: w ...)
+CVE-2024-41071
+ REJECTED
{DLA-4008-1}
- linux 6.9.11-1
[bookworm] - linux 6.1.115-1
@@ -55846,7 +55972,7 @@ CVE-2024-0619 (The Payflex Payment Gateway plugin for WordPress is vulnerable to
CVE-2016-15039 (A vulnerability classified as critical was found in mhuertos phpLDAPad ...)
- phpldapadmin 1.2.6.3-0.1
NOTE: https://github.com/leenooks/phpLDAPadmin/commit/dd6e9583a2eb2ca085583765e8a63df5904cb036 (1.2.4)
-CVE-2024-5528
+CVE-2024-5528 (An issue was discovered in GitLab CE/EE affecting all versions prior t ...)
[experimental] - gitlab 16.11.6-1
- gitlab <unfixed>
CVE-2024-2880 (An issue was discovered in GitLab CE/EE affecting all versions startin ...)
@@ -103674,7 +103800,7 @@ CVE-2024-1300 (A vulnerability in the Eclipse Vert.x toolkit causes a memory lea
CVE-2024-1066 (An issue has been discovered in GitLab EE affecting all versions from ...)
- gitlab 16.6.7-1
NOTE: https://about.gitlab.com/releases/2024/02/07/security-release-gitlab-16-8-2-released/#resource-exhaustion-using-graphql-vulnerabilitiescountbyday
-CVE-2023-6386 [ReDoS in CI/CD Pipeline Editor while verifying Pipeline syntax]
+CVE-2023-6386 (A denial of service vulnerability was identified in GitLab CE/EE, affe ...)
- gitlab 16.6.7-1
NOTE: https://about.gitlab.com/releases/2024/02/07/security-release-gitlab-16-8-2-released/#redos-in-ci/cd-pipeline-editor-while-verifying-pipeline-syntax
CVE-2023-6840 (An issue has been discovered in GitLab EE affecting all versions from ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca9fee9beb502444d5e9dbeb6a8a7b9f40509204
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca9fee9beb502444d5e9dbeb6a8a7b9f40509204
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250205/777f1d29/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list