[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso (@carnil) Fri, 08 Sep 2023 13:12:39 -0700


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker



Commits:
d6141c63 by security tracker role at 2023-09-08T20:12:17+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,4 +1,34 @@
-CVE-2023-4807
+CVE-2023-4843 (Pega Platform versions 7.1 to 8.8.3 are affected by an HTML 
Injection  ...)
+       TODO: check
+CVE-2023-4782 (Terraform version 1.0.8 through 1.5.6 allows arbitrary file 
write duri ...)
+       TODO: check
+CVE-2023-4777 (An incorrect permission check in Qualys Container Scanning 
Connector P ...)
+       TODO: check
+CVE-2023-42268 (Jeecg boot up to v3.5.3 was discovered to contain a SQL 
injection vuln ...)
+       TODO: check
+CVE-2023-41578 (Jeecg boot up to v3.5.3 was discovered to contain an arbitrary 
file re ...)
+       TODO: check
+CVE-2023-41575 (Multiple stored cross-site scripting (XSS) vulnerabilities in 
/bbdms/s ...)
+       TODO: check
+CVE-2023-41338 (Fiber is an Express inspired web framework built in the go 
language. V ...)
+       TODO: check
+CVE-2023-41318 (matrix-media-repo is a highly customizable multi-domain media 
reposito ...)
+       TODO: check
+CVE-2023-40924 (SolarView Compact < 6.00 is vulnerable to Directory Traversal.)
+       TODO: check
+CVE-2023-39712 (Multiple cross-site scripting (XSS) vulnerabilities in Free 
and Open S ...)
+       TODO: check
+CVE-2023-39676 (SimpleImportProduct Prestashop Module v1.0.0 was discovered to 
contain ...)
+       TODO: check
+CVE-2023-39584 (Hexo up to v7.0.0 (RC2) was discovered to contain an arbitrary 
file re ...)
+       TODO: check
+CVE-2023-39076 (Injecting random data into the USB memory area on a General 
Motors (GM ...)
+       TODO: check
+CVE-2023-38736 (IBM QRadar WinCollect Agent 10.0 through 10.1.6, when 
installed to run ...)
+       TODO: check
+CVE-2023-32332 (IBM Maximo Application Suite 8.9, 8.10 and IBM Maximo Asset 
Management ...)
+       TODO: check
+CVE-2023-4807 (Issue summary: The POLY1305 MAC (message authentication code) 
implemen ...)
        - openssl <not-affected> (Windows-specific)
        NOTE: https://www.openssl.org/news/secadv/20230908.txt
 CVE-2023-41775 (Improper access control vulnerability in 'direct' Desktop App 
for macO ...)
@@ -3214,7 +3244,7 @@ CVE-2023-4335 (Broadcom RAID Controller Web server 
(nginx) is serving private se
        NOT-FOR-US: Broadcom RAID Controller web interface
 CVE-2023-4334 (Broadcom RAID Controller Web server (nginx) is serving private 
files w ...)
        NOT-FOR-US: Broadcom RAID Controller web interface
-CVE-2023-4333 (Broadcom RAID Controller web interface is vulnerable  to 
exposure of s ...)
+CVE-2023-4333 (Broadcom RAID Controller web interface doesn\u2019t enforce SSL 
cipher ...)
        NOT-FOR-US: Broadcom RAID Controller web interface
 CVE-2023-4332 (Broadcom RAID Controller web interface is vulnerable due to 
Improper p ...)
        NOT-FOR-US: Broadcom RAID Controller web interface
@@ -16481,7 +16511,7 @@ CVE-2023-30910
        RESERVED
 CVE-2023-30909
        RESERVED
-CVE-2023-30908 (Potential security vulnerabilities have been identified in 
Hewlett Pac ...)
+CVE-2023-30908 (Potential security vulnerability have been identified in 
Hewlett Packa ...)
        NOT-FOR-US: HPE
 CVE-2023-30907
        RESERVED
@@ -20770,22 +20800,22 @@ CVE-2023-29411 (A CWE-306: Missing Authentication for 
Critical Function vulnerab
        NOT-FOR-US: Schneider
 CVE-2023-29410 (A CWE-20: Improper Input Validation vulnerability exists that 
could al ...)
        NOT-FOR-US: Schneider
-CVE-2023-39322 [crypto/tls: panic when processing post-handshake message on 
QUIC connections]
+CVE-2023-39322 (QUIC connections do not set an upper bound on the amount of 
data buffe ...)
        - golang-1.21 1.21.1-1
        NOTE: https://go.dev/issue/62266
        NOTE: 
https://github.com/golang/go/commit/91a4e74b98179f63a27dbff1ad68ddd0ed64363a 
(go1.21.1)
        NOTE: https://groups.google.com/g/golang-announce/c/Fm51GRLNRvM
-CVE-2023-39321 [crypto/tls: panic when processing post-handshake message on 
QUIC connections]
+CVE-2023-39321 (Processing an incomplete post-handshake message for a QUIC 
connection  ...)
        - golang-1.21 1.21.1-1
        NOTE: https://go.dev/issue/62266
        NOTE: 
https://github.com/golang/go/commit/91a4e74b98179f63a27dbff1ad68ddd0ed64363a 
(go1.21.1)
        NOTE: https://groups.google.com/g/golang-announce/c/Fm51GRLNRvM
-CVE-2023-39320 [cmd/go: go.mod toolchain directive allows arbitrary execution]
+CVE-2023-39320 (The go.mod toolchain directive, introduced in Go 1.21, can be 
leverage ...)
        - golang-1.21 1.21.1-1
        NOTE: https://go.dev/issue/62198
        NOTE: 
https://github.com/golang/go/commit/d25a935574efd573668d8ce9ea4cfc530bb63ecb 
(go1.21.1)
        NOTE: https://groups.google.com/g/golang-announce/c/Fm51GRLNRvM
-CVE-2023-39319 [html/template: improper handling of special tags within script 
contexts]
+CVE-2023-39319 (The html/template package does not apply the proper rules for 
handling ...)
        - golang-1.21 1.21.1-1
        - golang-1.20 1.20.8-1
        - golang-1.19 <unfixed>
@@ -20795,7 +20825,7 @@ CVE-2023-39319 [html/template: improper handling of 
special tags within script c
        NOTE: 
https://github.com/golang/go/commit/bbd043ff0d6d59f1a9232d31ecd5eacf6507bf6a 
(go1.21.1)
        NOTE: 
https://github.com/golang/go/commit/2070531d2f53df88e312edace6c8dfc9686ab2f5 
(go1.20.8)
        NOTE: https://groups.google.com/g/golang-announce/c/Fm51GRLNRvM
-CVE-2023-39318 [html/template: improper handling of HTML-like comments within 
script contexts]
+CVE-2023-39318 (The html/template package does not properly handle HTML-like 
"" commen ...)
        - golang-1.21 1.21.1-1
        - golang-1.20 1.20.8-1
        - golang-1.19 <unfixed>
@@ -25835,8 +25865,8 @@ CVE-2023-28012 (HCL BigFix Mobile is vulnerable to a 
command injection attack. A
        NOT-FOR-US: HCL
 CVE-2023-28011
        RESERVED
-CVE-2023-28010
-       RESERVED
+CVE-2023-28010 (In some configuration scenarios, the Domino server host name 
can be ex ...)
+       TODO: check
 CVE-2023-28009 (HCL Workload Automation is vulnerable to an XML External 
Entity Inject ...)
        NOT-FOR-US: HCL
 CVE-2023-28008 (HCL Workload Automation 9.4, 9.5, and 10.1 are vulnerable to 
an XML Ex ...)
@@ -89843,8 +89873,8 @@ CVE-2022-33166 (IBM Security Directory Suite VA 8.0.1 
through 8.0.1.19 could all
        NOT-FOR-US: IBM
 CVE-2022-33165
        RESERVED
-CVE-2022-33164
-       RESERVED
+CVE-2022-33164 (IBM Security Directory Server 7.2.0 could allow a remote 
attacker to t ...)
+       TODO: check
 CVE-2022-33163 (IBM Security Directory Suite VA 8.0.1 specifies permissions 
for a secu ...)
        NOT-FOR-US: IBM
 CVE-2022-33162
@@ -221812,6 +221842,7 @@ CVE-2020-22219 (Buffer Overflow vulnerability in 
function bitwriter_grow_ in fla
        NOTE: https://github.com/xiph/flac/pull/419 (1.4.0)
        NOTE: Fixed by: 
https://github.com/xiph/flac/commit/21fe95ee828b0b9b944f6aa0bb02d24fbb981815 
(1.4.0)
 CVE-2020-22218 (An issue was discovered in function _libssh2_packet_add in 
libssh2 1.1 ...)
+       {DLA-3559-1}
        - libssh2 1.10.0-2
        [bullseye] - libssh2 <no-dsa> (Minor issue)
        NOTE: https://github.com/libssh2/libssh2/pull/476
@@ -284012,7 +284043,7 @@ CVE-2019-17500
 CVE-2019-17499 (The setter.xml component of the Common Gateway Interface on 
Compal CH7 ...)
        NOT-FOR-US: Compal CH7465LG devices
 CVE-2019-17498 (In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT 
logic i ...)
-       {DLA-2848-1 DLA-1991-1}
+       {DLA-3559-1 DLA-2848-1 DLA-1991-1}
        - libssh2 1.9.0-1 (low; bug #943562)
        NOTE: 
https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c
        NOTE: 
https://securitylab.github.com/research/libssh2-integer-overflow-CVE-2019-17498/
@@ -298575,7 +298606,7 @@ CVE-2019-13117 (In numbers.c in libxslt 1.1.33, an 
xsl:number with certain forma
 CVE-2019-13116 (The MuleSoft Mule Community Edition runtime engine before 3.8 
allows r ...)
        NOT-FOR-US: MuleSoft Mule
 CVE-2019-13115 (In libssh2 before 1.9.0, 
kex_method_diffie_hellman_group_exchange_sha2 ...)
-       {DLA-2848-1 DLA-1730-3}
+       {DLA-3559-1 DLA-2848-1 DLA-1730-3}
        - libssh2 1.9.0-1 (bug #932329)
        NOTE: https://securitylab.github.com/research/libssh2-integer-overflow/
        NOTE: https://github.com/libssh2/libssh2/pull/350



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6141c63a05c684d23577ab6263d3a62f7a68a60

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6141c63a05c684d23577ab6263d3a62f7a68a60
You're receiving this email because of your account on salsa.debian.org.

_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] automatic update

Reply via email to