Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d5a4a21b by security tracker role at 2024-01-05T08:12:10+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,4 +1,38 @@
-CVE-2024-22051 [integer overflow in cmark-gfm's table row parsing may lead to 
heap memory corruption]
+CVE-2024-22088 (Lotos WebServer through 0.1.1 (commit 3eb36cc) has a 
use-after-free in ...)
+       TODO: check
+CVE-2024-22087 (route in main.c in Pico HTTP Server in C through f3b69a6 has 
an sprint ...)
+       TODO: check
+CVE-2024-22086 (handle_request in http.c in cherry through 4b877df has an 
sscanf stack ...)
+       TODO: check
+CVE-2024-22075 (Firefly III (aka firefly-iii) before 6.1.1 allows webhooks 
HTML Inject ...)
+       TODO: check
+CVE-2024-22050 (Path traversal in the static file service in Iodine less than 
0.7.33 a ...)
+       TODO: check
+CVE-2024-22049 (httparty before 0.21.0 is vulnerable to an assumed-immutable 
web param ...)
+       TODO: check
+CVE-2024-22048 (govuk_tech_docs versions from 2.0.2 to before 3.3.1 are 
vulnerable to  ...)
+       TODO: check
+CVE-2024-21636 (view_component is a framework for building reusable, testable, 
and enc ...)
+       TODO: check
+CVE-2024-0241 (encoded_id-rails versions before 1.0.0.beta2 are affected by an 
uncont ...)
+       TODO: check
+CVE-2023-6493 (The Depicter Slider \u2013 Responsive Image Slider, Video 
Slider & Pos ...)
+       TODO: check
+CVE-2023-52323 (PyCryptodome and pycryptodomex before 3.19.1 allow 
side-channel leakag ...)
+       TODO: check
+CVE-2023-52184 (Cross-Site Request Forgery (CSRF) vulnerability in WP Job 
Portal WP Jo ...)
+       TODO: check
+CVE-2023-52178 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
+       TODO: check
+CVE-2023-52150 (Cross-Site Request Forgery (CSRF) vulnerability in Ovation 
S.R.L. Dyna ...)
+       TODO: check
+CVE-2023-51502 (Authorization Bypass Through User-Controlled Key vulnerability 
in WooC ...)
+       TODO: check
+CVE-2023-51277 (nbviewer-app (aka Jupyter Notebook Viewer) before 0.1.6 has 
the get-ta ...)
+       TODO: check
+CVE-2023-41782 (There is a DLL hijacking vulnerability in ZTE ZXCLOUD iRAI, an 
attacke ...)
+       TODO: check
+CVE-2024-22051 (CommonMarker versions prior to 0.23.4 are at risk of an 
integer overfl ...)
        - ruby-commonmarker 0.23.4-1
        [bullseye] - ruby-commonmarker <no-dsa> (Minor issue)
        [buster] - ruby-commonmarker <no-dsa> (Minor issue)
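Review bot: several of the new "TODO: check" placeholders can be triaged on sight rather than left for a later pass: CVE-2023-52184 (WP Job Portal) and CVE-2023-6493 (Depicter Slider) describe WordPress plugins, which this file marks "NOT-FOR-US: WordPress plugin" elsewhere in the same patch (see the CVE-2023-49813 context line below), and CVE-2023-51502 appears to concern WooCommerce, though its description is truncated here. The CVE-2024-22051 change itself is sound: the bracketed local description is replaced by the published text, and the existing NOTE tying it to CVE-2022-24724 and the bullseye/buster <no-dsa> annotations are kept.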
@@ -7,7 +41,7 @@ CVE-2024-22051 [integer overflow in cmark-gfm's table row 
parsing may lead to he
        NOTE: 
https://github.com/gjtorikian/commonmarker/commit/ab4504fd17460627a6ab255bc3c63e8e5fc6aed3
 (v0.23.4)
        NOTE: This is a specific CVE assignment for the issue covered in 
CVE-2022-24724
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2256887
-CVE-2024-22047
+CVE-2024-22047 (A race condition exists in Audited 4.0.0 to 5.3.3 that can 
result in a ...)
        NOT-FOR-US: audited ruby gem
 CVE-2024-21625 (SideQuest is a place to get virtual reality applications for 
Oculus Qu ...)
        NOT-FOR-US: SideQuest
@@ -1498,6 +1532,7 @@ CVE-2023-51767 (OpenSSH through 9.6, when common types of 
DRAM are used, might a
        [buster] - openssh <postponed> (Revisit once hardening/mitigation for 
Rowhammer type of attack exists)
        NOTE: https://arxiv.org/abs/2309.02545
 CVE-2023-51766 (Exim before 4.97.1 allows SMTP smuggling in certain 
PIPELINING/CHUNKIN ...)
+       {DSA-5597-1}
        - exim4 4.97-3 (bug #1059387)
        NOTE: 
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
        NOTE: https://www.openwall.com/lists/oss-security/2023/12/21/6
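Review bot: the {DSA-5597-1} reference is added here, but this commit changes only data/CVE/list; the tracker resolves such markers through the DSA list file, so confirm that a matching DSA-5597-1 entry naming exim4 and the fixed stable version exists, otherwise the reference dangles and the stable status for CVE-2023-51766 will not be computed.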
@@ -3637,7 +3672,7 @@ CVE-2023-49820 (Improper Neutralization of Input During 
Web Page Generation ('Cr
 CVE-2023-49813 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
        NOT-FOR-US: WordPress plugin
 CVE-2023-49786 (Asterisk is an open source private branch exchange and 
telephony toolk ...)
-       {DLA-3696-1}
+       {DSA-5596-1 DLA-3696-1}
        - asterisk 1:20.5.1~dfsg+~cs6.13.40431414-1 (bug #1059033)
        NOTE: 
https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq
        NOTE: 
https://github.com/asterisk/asterisk/commit/d7d7764cb07c8a1872804321302ef93bf62cba05
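Review bot: prepending DSA-5596-1 to the existing DLA-3696-1 inside one braces block matches the file's convention, and leaving the unstable version 1:20.5.1~dfsg+~cs6.13.40431414-1 and bug #1059033 untouched is correct since the DSA covers stable only. The same marker is applied to CVE-2023-49294, CVE-2023-37457 and CVE-2023-38703 further down, so the DSA entry should list all four CVEs.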
@@ -3661,7 +3696,7 @@ CVE-2023-49708 (SQLi vulnerability in Starshop component 
for Joomla.)
 CVE-2023-49707 (SQLi vulnerability in S5 Register module for Joomla.)
        NOT-FOR-US: Joomla module
 CVE-2023-49294 (Asterisk is an open source private branch exchange and 
telephony toolk ...)
-       {DLA-3696-1}
+       {DSA-5596-1 DLA-3696-1}
        - asterisk 1:20.5.1~dfsg+~cs6.13.40431414-1 (bug #1059032)
        NOTE: 
https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f
        NOTE: 
https://github.com/asterisk/asterisk/commit/424be345639d75c6cb7d0bd2da5f0f407dbd0bd5
@@ -3782,7 +3817,7 @@ CVE-2023-40628 (A reflected XSS vulnerability was 
discovered in the Extplorer co
 CVE-2023-40627 (A reflected XSS vulnerability was discovered in the LivingWord 
compone ...)
        NOT-FOR-US: Joomla module
 CVE-2023-37457 (Asterisk is an open source private branch exchange and 
telephony toolk ...)
-       {DLA-3696-1}
+       {DSA-5596-1 DLA-3696-1}
        - asterisk <unfixed> (bug #1059303)
        NOTE: 
https://github.com/asterisk/asterisk/security/advisories/GHSA-98rc-4j27-74hh
        NOTE: 
https://github.com/asterisk/asterisk/commit/a1ca0268254374b515fa5992f01340f7717113fa
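Review bot: this entry still records "asterisk <unfixed> (bug #1059303)" for unstable while the added DSA marks stable as fixed, so unstable is now behind stable for CVE-2023-37457; the upstream fix commit is already linked in the NOTE, so an unstable upload closing #1059303 should follow the DSA.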
@@ -15835,7 +15870,7 @@ CVE-2023-40008 (Cross-Site Request Forgery (CSRF) 
vulnerability in Gangesh Matta
 CVE-2023-3725 (Potential buffer overflow vulnerability in the Zephyr CAN bus 
subsyste ...)
        NOT-FOR-US: Zephyr RTOS (unrelated to src:zephyr)
 CVE-2023-38703 (PJSIP is a free and open source multimedia communication 
library writt ...)
-       {DLA-3696-1}
+       {DSA-5596-1 DLA-3696-1}
        - asterisk <unfixed> (bug #1059303)
        - pjproject <removed>
        - ring <unfixed> (bug #1059307)
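Review bot: CVE-2023-38703 lists three source packages (asterisk <unfixed>, pjproject <removed>, ring <unfixed>), but the added {DSA-5596-1} can only cover asterisk; ring stays unfixed with bug #1059307 open, so make sure the DSA entry names asterisk explicitly rather than being read as resolving the whole CVE line.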
@@ -141694,6 +141729,7 @@ CVE-2022-22997 (Addressed a remote code execution 
vulnerability by resolving a c
 CVE-2022-22996 (The G-RAID 4/8 Software Utility setups for Windows were 
affected by a  ...)
        NOT-FOR-US: Western Digital Windows setup
 CVE-2022-22995 (The combination of primitives offered by SMB and AFP in their 
default  ...)
+       {DLA-3706-1}
        - netatalk 3.1.18~ds-1 (bug #1053545)
        [bullseye] - netatalk <no-dsa> (Minor issue)
        NOTE: https://netatalk.sourceforge.io/CVE-2022-22995.php
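Review bot: with {DLA-3706-1} now recorded for the LTS suite, the "[bullseye] - netatalk <no-dsa> (Minor issue)" line below it leaves the newer suite unfixed while the older one gets an update; either revisit bullseye (for example via a point release) or add a NOTE explaining why the LTS team assessed it differently, so the inconsistency is deliberate rather than an oversight.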
@@ -261896,10 +261932,10 @@ CVE-2020-13881 (In support.c in pam_tacplus 1.3.8 
through 1.5.1, the TACACS+ sha
        NOTE: https://github.com/kravietz/pam_tacplus/issues/149
 CVE-2020-13880
        RESERVED
-CVE-2020-13879
-       RESERVED
-CVE-2020-13878
-       RESERVED
+CVE-2020-13879 (IrfanView B3D PlugIns before version 4.56 has a B3d.dll!+214f 
heap-bas ...)
+       TODO: check
+CVE-2020-13878 (IrfanView B3D PlugIns before version 4.56 has a B3d.dll!+27ef 
heap-bas ...)
+       TODO: check
 CVE-2020-13877 (SQL Injection issues in various ASPX pages of ResourceXpress 
Meeting M ...)
        NOT-FOR-US: ResourceXpress Meeting Monitor
 CVE-2020-13876
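Review bot: both new IrfanView entries reference B3d.dll, a plugin DLL for proprietary Windows software that Debian does not package, so the "TODO: check" placeholders can be resolved directly to "NOT-FOR-US: IrfanView" instead of waiting for another triage round.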
@@ -517096,7 +517132,7 @@ CVE-2015-1030 (Memory leak in the rfc2553_connect_to 
function in jbsocket.c in P
        [wheezy] - privoxy <not-affected> (Introduced in 3.0.21)
        NOTE: http://www.privoxy.org/announce.txt
        NOTE: 
http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/cgisimple.c?view=patch&r1=1.130&r2=1.131&pathrev=v_3_0_22
-CVE-2023-7207 [Path traversal vulnerability due to partial revert of fix for 
CVE-2015-1197]
+CVE-2023-7207 (Debian's cpio contains a path traversal vulnerability. This 
issue was  ...)
        - cpio 2.14+dfsg-1 (bug #1059163)
        [bookworm] - cpio <no-dsa> (Minor issue)
        [bullseye] - cpio <no-dsa> (Minor issue)
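Review bot: replacing the bracketed placeholder with the published description drops the cross-reference "partial revert of fix for CVE-2015-1197", which is the essential context for why Debian's cpio regressed; keep it as a NOTE line under the entry so the link to the earlier path-traversal fix survives alongside bug #1059163.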



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5a4a21be33fea2fca1a88e55961c969eb61d622

_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits