[Git][security-tracker-team/security-tracker][master] Reserve DLA-1920-1 for golang-go.crypto
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: a996d3c8 by Brian May at 2019-09-13T05:58:14Z Reserve DLA-1920-1 for golang-go.crypto - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[13 Sep 2019] DLA-1920-1 golang-go.crypto - security update + {CVE-2019-11841} + [jessie] - golang-go.crypto 0.0~hg190-1+deb8u2 [12 Sep 2019] DLA-1919-1 linux-4.9 - security update {CVE-2019-0136 CVE-2019-9506 CVE-2019-11487 CVE-2019-15211 CVE-2019-15212 CVE-2019-15215 CVE-2019-15216 CVE-2019-15218 CVE-2019-15219 CVE-2019-15220 CVE-2019-15221 CVE-2019-15292 CVE-2019-15538 CVE-2019-15666 CVE-2019-15807 CVE-2019-15924 CVE-2019-15926} [jessie] - linux-4.9 4.9.189-3~deb8u1 = data/dla-needed.txt = 
@@ -35,11 +35,6 @@ freeimage NOTE: https://lists.debian.org/debian-lts/2019/05/msg00079.html NOTE: 20190707: maintainer is waiting for upstream https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929597 -- -golang-go.crypto (Brian May) - NOTE: 20190707: Check that an upload of this will not require reverse build-deps to also be recompiled (see previous golang uploads?). (lamby) - NOTE: Looks this this patch should be applied also to prevent infinite loop (bam): - NOTE: https://go.googlesource.com/crypto/+/1bae088edb428672a48c02abd9ef6d889afe0af6%5E!/ --- hdf5 NOTE: 20190825: Upstream is aware of currently open issues. Progress is slow, NOTE: wait for the next HDF5 point release and either do full package upgrade View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a996d3c8d548a86d1b9cb4c051c3de0279421daa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a996d3c8d548a86d1b9cb4c051c3de0279421daa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
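Review bot: the data/dla-needed.txt hunk drops the golang-go.crypto entry together with its NOTE about an additional upstream patch "to prevent infinite loop", while the new DLA-1920-1 entry in data/DLA/list references only CVE-2019-11841. After this commit nothing in the tracker records whether that extra patch went into 0.0~hg190-1+deb8u2. Consider carrying the go.googlesource.com link over as a NOTE under the CVE-2019-11841 entry in data/CVE/list, stating whether it was applied. The other removed NOTE, the reverse build-deps check, likewise has no recorded outcome.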
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cfd82528 by Salvatore Bonaccorso at 2019-09-12T21:15:20Z Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6390,9 +6390,9 @@ CVE-2019-14239 CVE-2019-14238 RESERVED CVE-2019-14237 (On NXP Kinetis KV1x, Kinetis KV3x, and Kinetis K8x devices, Flash Acce ...) - TODO: check + NOT-FOR-US: NXP Kinetis KV1x, Kinetis KV3x, and Kinetis K8x devices CVE-2019-14236 (On STMicroelectronics STM32L0, STM32L1, STM32L4, STM32F4, STM32F7, and ...) - TODO: check + NOT-FOR-US: STMicroelectronics STM32L0, STM32L1, STM32L4, STM32F4, STM32F7, and STM32H7 devices CVE-2019-14235 (An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before ...) {DSA-4498-1} - python-django 2:2.2.4-1 (bug #934026) @@ -8969,7 +8969,7 @@ CVE-2019-13546 CVE-2019-13545 RESERVED CVE-2019-13544 (Delta Electronics TPEditor, Versions 1.94 and prior. Multiple out-of-b ...) - TODO: check + NOT-FOR-US: Delta Electronics TPEditor CVE-2019-13543 RESERVED CVE-2019-13542 @@ -8977,7 +8977,7 @@ CVE-2019-13542 CVE-2019-13541 RESERVED CVE-2019-13540 (Delta Electronics TPEditor, Versions 1.94 and prior. Multiple stack-ba ...) - TODO: check + NOT-FOR-US: Delta Electronics TPEditor CVE-2019-13539 RESERVED CVE-2019-13538 @@ -8985,11 +8985,11 @@ CVE-2019-13538 CVE-2019-13537 RESERVED CVE-2019-13536 (Delta Electronics TPEditor, Versions 1.94 and prior. Multiple heap-bas ...) - TODO: check + NOT-FOR-US: Delta Electronics TPEditor CVE-2019-13535 RESERVED CVE-2019-13534 (Philips IntelliVue WLAN, portable patient monitors, WLAN Version A, Fi ...) - TODO: check + NOT-FOR-US: Philips CVE-2019-13533 RESERVED CVE-2019-13532 @@ -8997,7 +8997,7 @@ CVE-2019-13532 CVE-2019-13531 RESERVED CVE-2019-13530 (Philips IntelliVue WLAN, portable patient monitors, WLAN Version A, Fi ...) - TODO: check + NOT-FOR-US: Philips CVE-2019-13529 RESERVED CVE-2019-13528 
@@ -9132,7 +9132,7 @@ CVE-2019-13475 (In MobaXterm 11.1, the mobaxterm: URI handler has an argument in CVE-2019-13474 RESERVED CVE-2019-13473 (TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110 ...) - TODO: check + NOT-FOR-US: TELESTAR CVE-2019-13472 (PHPWind 9.1.0 has XSS vulnerabilities in the c and m parameters of the ...) NOT-FOR-US: PHPWind CVE-2019-13471 @@ -9409,7 +9409,7 @@ CVE-2019-13363 CVE-2019-13362 (Codedoc v3.2 has a stack-based buffer overflow in add_variable in code ...) NOT-FOR-US: Codedoc CVE-2019-13361 (Smanos W100 1.0.0 devices have Insecure Permissions, exploitable by an ...) - TODO: check + NOT-FOR-US: Smanos W100 1.0.0 devices CVE-2019-13360 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, remote at ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-13359 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, a cwpsrv- ...) @@ -9438,9 +9438,9 @@ CVE-2019-13351 (posix/JackSocket.cpp in libjack in JACK2 1.9.1 through 1.9.12 (a CVE-2019-13350 RESERVED CVE-2019-13349 (In Knowage through 6.1.1, an authenticated user that accesses the user ...) - TODO: check + NOT-FOR-US: Knowage CVE-2019-13348 (In Knowage through 6.1.1, an authenticated user who accesses the datas ...) - TODO: check + NOT-FOR-US: Knowage CVE-2019-13347 RESERVED CVE-2019-13346 (In MyT 1.5.1, the User[username] parameter has XSS. ...) 
@@ -9889,11 +9889,11 @@ CVE-2019-13192 CVE-2019-13191 (A SQL injection vulnerability in IntraMaps MapControl 8 allows attacke ...) TODO: check CVE-2019-13190 (In Knowage through 6.1.1, the sign up page does not invalidate a valid ...) - TODO: check + NOT-FOR-US: Knowage CVE-2019-13189 (In Knowage through 6.1.1, there is XSS via the start_url or user_id fi ...) - TODO: check + NOT-FOR-US: Knowage CVE-2019-13188 (In Knowage through 6.1.1, an unauthenticated user can bypass access co ...) - TODO: check + NOT-FOR-US: Knowage CVE-2019-13187 (The Rich Text Formatter (Redactor) extension through v1.1.1 for Sympho ...) TODO: check CVE-2019-13186 (In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php via t ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cfd8252801c884a90b0131aa2eb631e20bd07620 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cfd8252801c884a90b0131aa2eb631e20bd07620 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-securit
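Review bot: the NOT-FOR-US labels added across these hunks are uneven in granularity. CVE-2019-13534 and CVE-2019-13530 get the vendor only (NOT-FOR-US: Philips), as does CVE-2019-13473 (NOT-FOR-US: TELESTAR), while the Delta Electronics entries name the product (Delta Electronics TPEditor) and CVE-2019-13361 carries a version (Smanos W100 1.0.0 devices). Using vendor plus product without the version throughout, e.g. "Philips IntelliVue WLAN" and "Smanos W100", would keep the labels consistent with the neighbouring entries and easier to search.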
[Git][security-tracker-team/security-tracker][master] Add new issues for py-lmdb (CVE-2019-1622{4,5,6,7,8)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 571591f7 by Salvatore Bonaccorso at 2019-09-12T20:58:52Z Add new issues for py-lmdb (CVE-2019-1622{4,5,6,7,8) Mark those as undetermined for now. Apparently upstream was not notified about the issues, cf. https://github.com/jnwatson/py-lmdb/issues/210#issuecomment-531004224 . Wait for upstream investigation on https://github.com/jnwatson/py-lmdb/issues/210 . - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list =
@@ -187,14 +187,24 @@ CVE-2019-16229 (drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c in the Linux kernel 5 - linux NOTE: https://lkml.org/lkml/2019/9/9/487 CVE-2019-16228 (An issue was discovered in py-lmdb 0.97. There is a divide-by-zero err ...) + - py-lmdb + NOTE: https://github.com/jnwatson/py-lmdb/issues/210 TODO: check CVE-2019-16227 (An issue was discovered in py_lmdb 0.97. For certain values of mn_flag ...) + - py-lmdb + NOTE: https://github.com/jnwatson/py-lmdb/issues/210 TODO: check CVE-2019-16226 (An issue was discovered in py-lmdb 0.97. mdb_node_del does not validat ...) + - py-lmdb + NOTE: https://github.com/jnwatson/py-lmdb/issues/210 TODO: check CVE-2019-16225 (An issue was discovered in py-lmdb 0.97. For certain values of mp_flag ...) + - py-lmdb + NOTE: https://github.com/jnwatson/py-lmdb/issues/210 TODO: check CVE-2019-16224 (An issue was discovered in py-lmdb 0.97. For certain values of md_flag ...) + - py-lmdb + NOTE: https://github.com/jnwatson/py-lmdb/issues/210 TODO: check CVE-2019-16223 (WordPress before 5.2.3 allows XSS in post previews by authenticated us ...) - wordpress 5.2.3+dfsg1-1 (bug #939543) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/571591f73828d9d149b7a29181956145ed586cb9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/571591f73828d9d149b7a29181956145ed586cb9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
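Review bot: all five added entries list only py-lmdb, but the descriptions shown point at LMDB internals (mdb_node_del in CVE-2019-16226, and the mn_flag, mp_flag and md_flag values in CVE-2019-16227, CVE-2019-16225 and CVE-2019-16224), which belong to the LMDB C library that py-lmdb wraps. It is worth checking whether the lmdb source package needs an entry under each CVE as well, and recording the result in a NOTE. The retained "TODO: check" would also be more useful if it said what is pending, e.g. the upstream investigation in issue 210 named in the commit message.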
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 681080c0 by Moritz Muehlenhoff at 2019-09-12T20:20:00Z NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25,7 +25,7 @@ CVE-2019-16263 CVE-2019-16262 RESERVED CVE-2019-16261 (Tripp Lite PDUMH15AT 12.04.0053 devices allow unauthenticated POST req ...) - TODO: check + NOT-FOR-US: Tripp Lite PDUMH15AT CVE-2019-16260 RESERVED CVE-2019-16259 @@ -33,9 +33,9 @@ CVE-2019-16259 CVE-2019-16258 RESERVED CVE-2019-16257 (Some Motorola devices include the SIMalliance Toolbox Browser (aka S@T ...) - TODO: check + NOT-FOR-US: SIMalliance Toolbox Browser CVE-2019-16256 (Some Samsung devices include the SIMalliance Toolbox Browser (aka S@T ...) - TODO: check + NOT-FOR-US: SIMalliance Toolbox Browser CVE-2017-18633 RESERVED CVE-2017-18632 @@ -158,7 +158,7 @@ CVE-2019-16275 (hostapd before 2.10 and wpa_supplicant before 2.10 allow an inco NOTE: https://www.openwall.com/lists/oss-security/2019/09/11/7 NOTE: https://w1.fi/security/2019-7/ CVE-2019-16238 (Afterlogic Aurora through 8.3.9-build-a3 has XSS that can be leveraged ...) - TODO: check + NOT-FOR-US: Afterlogic Aurora CVE-2019-16237 (Dino before 2019-09-10 does not properly check the source of an MAM me ...) - dino-im 0.0.git20190911.2a70a4e-1 NOTE: https://github.com/dino/dino/commit/307f16cc86dd2b95aa02ab8a85110e4a2d5e7363 
@@ -17337,23 +17337,23 @@ CVE-2019-10402 CVE-2019-10401 RESERVED CVE-2019-10400 (A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10399 (A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10398 (Jenkins Beaker Builder Plugin 1.9 and earlier stored credentials unenc ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10397 (Jenkins Aqua Security Serverless Scanner Plugin 1.0.4 and earlier tran ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10396 (Jenkins Dashboard View Plugin 2.11 and earlier did not escape build de ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10395 (Jenkins Build Environment Plugin 1.6 and earlier did not escape variab ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10394 (A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10393 (A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10392 (Jenkins Git Client Plugin 2.8.4 and earlier did not properly restrict ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10391 (Jenkins IBM Application Security on Cloud Plugin 1.2.4 and earlier tra ...) NOT-FOR-US: IBM CVE-2019-10390 (A sandbox bypass vulnerability in Jenkins Splunk Plugin 1.7.4 and earl ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/681080c05f8f44ab970ebd0cd5bb1238369fd48c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/681080c05f8f44ab970ebd0cd5bb1238369fd48c You're receiving this email because of your account on salsa.debian.org. 
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4ad8074b by security tracker role at 2019-09-12T20:10:22Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,121 @@ +CVE-2019-16274 + RESERVED +CVE-2019-16273 + RESERVED +CVE-2019-16272 + RESERVED +CVE-2019-16271 + RESERVED +CVE-2019-16270 + RESERVED +CVE-2019-16269 + RESERVED +CVE-2019-16268 + RESERVED +CVE-2019-16267 + RESERVED +CVE-2019-16266 + RESERVED +CVE-2019-16265 + RESERVED +CVE-2019-16264 + RESERVED +CVE-2019-16263 + RESERVED +CVE-2019-16262 + RESERVED +CVE-2019-16261 (Tripp Lite PDUMH15AT 12.04.0053 devices allow unauthenticated POST req ...) + TODO: check +CVE-2019-16260 + RESERVED +CVE-2019-16259 + RESERVED +CVE-2019-16258 + RESERVED +CVE-2019-16257 (Some Motorola devices include the SIMalliance Toolbox Browser (aka S@T ...) + TODO: check +CVE-2019-16256 (Some Samsung devices include the SIMalliance Toolbox Browser (aka S@T ...) + TODO: check +CVE-2017-18633 + RESERVED +CVE-2017-18632 + RESERVED +CVE-2017-18631 + RESERVED +CVE-2017-18630 + RESERVED +CVE-2017-18629 + RESERVED +CVE-2017-18628 + RESERVED +CVE-2017-18627 + RESERVED +CVE-2017-18626 + RESERVED +CVE-2017-18625 + RESERVED +CVE-2017-18624 + RESERVED +CVE-2017-18623 + RESERVED +CVE-2017-18622 + RESERVED +CVE-2017-18621 + RESERVED +CVE-2017-18620 + RESERVED +CVE-2017-18619 + RESERVED +CVE-2017-18618 + RESERVED +CVE-2017-18617 + RESERVED +CVE-2017-18616 + RESERVED +CVE-2017-18615 + RESERVED +CVE-2017-18614 + RESERVED +CVE-2017-18613 + RESERVED +CVE-2017-18612 + RESERVED +CVE-2016-10955 + RESERVED +CVE-2016-10954 + RESERVED +CVE-2016-10953 + RESERVED +CVE-2016-10952 + RESERVED +CVE-2016-10951 + RESERVED +CVE-2016-10950 + RESERVED +CVE-2016-10949 + RESERVED +CVE-2016-10948 + RESERVED +CVE-2016-10947 + RESERVED +CVE-2016-10946 + RESERVED +CVE-2016-10945 + RESERVED +CVE-2016-10944 + RESERVED +CVE-2016-10943 + RESERVED +CVE-2016-10942 + RESERVED +CVE-2016-10941 + RESERVED +CVE-2016-10940 + RESERVED +CVE-2016-10939 + RESERVED +CVE-2016-10938 + RESERVED CVE-2019-16255 RESERVED CVE-2019-16254 
@@ -35,12 +153,12 @@ CVE-2019-16239 CVE-2019- [signature bypass with multiple From addresses] - opendmarc (bug #940081) NOTE: https://github.com/trusteddomainproject/OpenDMARC/pull/48 -CVE-2019-16275 [2019-7: AP mode PMF disconnection protection bypass] +CVE-2019-16275 (hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect ...) - wpa (bug #940080) NOTE: https://www.openwall.com/lists/oss-security/2019/09/11/7 NOTE: https://w1.fi/security/2019-7/ -CVE-2019-16238 - RESERVED +CVE-2019-16238 (Afterlogic Aurora through 8.3.9-build-a3 has XSS that can be leveraged ...) + TODO: check CVE-2019-16237 (Dino before 2019-09-10 does not properly check the source of an MAM me ...) - dino-im 0.0.git20190911.2a70a4e-1 NOTE: https://github.com/dino/dino/commit/307f16cc86dd2b95aa02ab8a85110e4a2d5e7363 @@ -245,6 +363,7 @@ CVE-2019-16165 (GNU cflow through 1.6 has a use-after-free in the reference func CVE-2019-16164 (MyHTML through 4.0.5 has a NULL pointer dereference in myhtml_tree_nod ...) NOT-FOR-US: MyHTML CVE-2019-16163 (Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of ...) + {DLA-1918-1} - libonig (low; bug #939988) [buster] - libonig (Minor issue) [stretch] - libonig (Minor issue) @@ -774,6 +893,7 @@ CVE-2019-15927 (An issue was discovered in the Linux kernel before 4.20.2. An ou [jessie] - linux 3.16.68-1 NOTE: https://git.kernel.org/linus/f4351a199cc120ff9d59e06d02e8657d08e6cc46 CVE-2019-15926 (An issue was discovered in the Linux kernel before 5.2.3. Out of bound ...) + {DLA-1919-1} - linux 5.2.6-1 [buster] - linux 4.19.67-1 [stretch] - linux 4.9.189-1 @@ -799,6 +919,7 @@ CVE-2017-18595 (An issue was discovered in the Linux kernel before 4.14.11. A do [jessie] - linux 3.16.56-1 NOTE: https://git.kernel.org/linus/4397f04575c44e1440ec2e49b6302785c95fd2f8 CVE-2019-15924 (An issue was discovered in the Linux kernel before 5.0.11. fm10k_init_ ...) + {DLA-1919-1} - linux 5.2.6-1 [buster] - linux 4.19.67-1 [stretch] - linux 4.9.184-1 
@@ -1128,6 +1249,7 @@ CVE-2019-15790 CVE-2019-15789 RESERVED CVE-2019-15807 (In the Linux kernel before 5.1.13, there is a memory leak in drivers/s ...) + {DLA-1919-1} - li
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-1623{5,6,7}/dino-im tracking
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: efa5bf7b by Salvatore Bonaccorso at 2019-09-12T19:24:05Z Add CVE-2019-1623{5,6,7}/dino-im tracking Furthermore all three CVEs were addressed in the most recent unstable upload already and thus mark it as fixed with the respective version which entered unstable. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -42,11 +42,14 @@ CVE-2019-16275 [2019-7: AP mode PMF disconnection protection bypass] CVE-2019-16238 RESERVED CVE-2019-16237 (Dino before 2019-09-10 does not properly check the source of an MAM me ...) - TODO: check + - dino-im 0.0.git20190911.2a70a4e-1 + NOTE: https://github.com/dino/dino/commit/307f16cc86dd2b95aa02ab8a85110e4a2d5e7363 CVE-2019-16236 (Dino before 2019-09-10 does not check roster push authorization in mod ...) - TODO: check + - dino-im 0.0.git20190911.2a70a4e-1 + NOTE: https://github.com/dino/dino/commit/dd33f5f949248d87d34f399e8846d5ee5b8823d9 CVE-2019-16235 (Dino before 2019-09-10 does not properly check the source of a carbons ...) - TODO: check + - dino-im 0.0.git20190911.2a70a4e-1 + NOTE: https://github.com/dino/dino/commit/e84f2c49567e86d2a261ea264d65c4adc549c930 CVE-2019-16234 (drivers/net/wireless/intel/iwlwifi/pcie/trans.c in the Linux kernel 5. ...) - linux NOTE: https://lkml.org/lkml/2019/9/9/487 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/efa5bf7b0878a2147bfa59f5267f0cf5b9076aa7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/efa5bf7b0878a2147bfa59f5267f0cf5b9076aa7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2019-16275/wpa assigned for 2019-7 advisory issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2279fee9 by Salvatore Bonaccorso at 2019-09-12T19:11:26Z CVE-2019-16275/wpa assigned for 2019-7 advisory issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -35,7 +35,7 @@ CVE-2019-16239 CVE-2019- [signature bypass with multiple From addresses] - opendmarc (bug #940081) NOTE: https://github.com/trusteddomainproject/OpenDMARC/pull/48 -CVE-2019- [2019-7: AP mode PMF disconnection protection bypass] +CVE-2019-16275 [2019-7: AP mode PMF disconnection protection bypass] - wpa (bug #940080) NOTE: https://www.openwall.com/lists/oss-security/2019/09/11/7 NOTE: https://w1.fi/security/2019-7/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2279fee98e89e69b569b91528143525fc32362c0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2279fee98e89e69b569b91528143525fc32362c0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fb261482 by Salvatore Bonaccorso at 2019-09-12T17:41:23Z Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9,13 +9,13 @@ CVE-2019-16252 CVE-2019-16251 RESERVED CVE-2019-16250 (includes/wizard/wizard.php in the Ocean Extra plugin through 1.5.8 for ...) - TODO: check + NOT-FOR-US: Ocean Extra plugin for WordPress CVE-2019-16249 (OpenCV 4.1.1 has an out-of-bounds read in hal_baseline::v_load in core ...) TODO: check CVE-2019-16248 (The "delete for" feature in Telegram before 5.11 on Android does not d ...) TODO: check CVE-2019-16247 (Delta DCISoft 1.21 has a User Mode Write AV starting at CommLib!CCommL ...) - TODO: check + NOT-FOR-US: Delta DCISoft CVE-2019-16246 RESERVED CVE-2019-16245 @@ -141,7 +141,7 @@ CVE-2019-16195 CVE-2019-16194 RESERVED CVE-2019-16193 (In ArcGIS Enterprise 10.6.1, a crafted IFRAME element can be used to t ...) - TODO: check + NOT-FOR-US: ArcGIS Enterprise CVE-2019-16192 (upload_model() in /admini/controllers/system/managemodel.php in DocCms ...) NOT-FOR-US: DocCMS CVE-2019-16191 @@ -399,7 +399,7 @@ CVE-2019-16100 (Silver Peak EdgeConnect SD-WAN before 8.1.7.x allows remote atta CVE-2019-16099 (Silver Peak EdgeConnect SD-WAN before 8.1.7.x allows CSRF via JSON dat ...) NOT-FOR-US: Silver Peak EdgeConnect SD-WAN CVE-2019-16098 (The driver in Micro-Star MSI Afterburner 4.6.2.15658 (aka RTCore64.sys ...) - TODO: check + NOT-FOR-US: Micro-Star MSI Afterburner CVE-2019-16097 (core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users ...) NOT-FOR-US: Harbor CVE-2016-10937 (IMAPFilter through 2.6.12 does not validate the hostname in an SSL cer ...) 
@@ -3541,13 +3541,13 @@ CVE-2019-15000 CVE-2019-14999 (The Uninstall REST endpoint in Atlassian Universal Plugin Manager befo ...) NOT-FOR-US: Atlassian CVE-2019-14998 (The Webwork action Cross-Site Request Forgery (CSRF) protection implem ...) - TODO: check + NOT-FOR-US: Atlassian Jira CVE-2019-14997 (The AccessLogFilter class in Jira before version 8.4.0 allows remote a ...) - TODO: check + NOT-FOR-US: Atlassian Jira CVE-2019-14996 (The FilterPickerPopup.jspa resource in Jira before version 7.13.7, and ...) - TODO: check + NOT-FOR-US: Atlassian Jira CVE-2019-14995 (The /rest/api/1.0/render resource in Jira before version 8.4.0 allows ...) - TODO: check + NOT-FOR-US: Atlassian Jira CVE-2019-14994 RESERVED CVE-2019-14993 (Istio before 1.1.13 and 1.2.x before 1.2.4 mishandles regular expressi ...) @@ -3693,7 +3693,7 @@ CVE-2019-14938 CVE-2019-14937 (REDCap before 9.3.0 allows time-based SQL injection in the edit calend ...) NOT-FOR-US: REDCap CVE-2019-14936 (Easy!Appointments 1.3.2 plugin for WordPress allows Sensitive Informat ...) - TODO: check + NOT-FOR-US: Easy!Appointments plugin for WordPress CVE-2019-14935 (3CX Phone 15 on Windows has insecure permissions on the "%PROGRAMDATA% ...) NOT-FOR-US: 3CX Phone 15 on Windows CVE-2019-14934 (An issue was discovered in PDFResurrect before 0.18. pdf_load_pages_ki ...) 
@@ -4332,9 +4332,9 @@ CVE-2019-14727 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an CVE-2019-14726 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecu ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-14725 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecu ...) - TODO: check + NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-14724 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecu ...) - TODO: check + NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-14723 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecu ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-14722 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecu ...) @@ -20870,7 +20870,7 @@ CVE-2019-9490 (A vulnerability in Trend Micro InterScan Web Security Virtual App CVE-2019-9489 (A directory traversal vulnerability in Trend Micro Apex One, OfficeSca ...) NOT-FOR-US: Trend Micro CVE-2019-9488 (Trend Micro Deep Security Manager (10.x, 11.x) and Vulnerability Prote ...) - TODO: check + NOT-FOR-US: Trend Micro CVE-2018-20799 (In pfSense 2.4.4_1, blocking of source IP addresses on the basis of fa ...) NOT-FOR-US: pfSense CVE-2018-20798 (The expiretable configuration in pfSense 2.4.4_1 establishes block dur ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fb261482d3cab5009b6f9a1708df38e64436ddc0 -- View it on GitLa
[Git][security-tracker-team/security-tracker][master] CVE-2019-15717/irssi fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1f3cd1ef by Salvatore Bonaccorso at 2019-09-12T17:21:10Z CVE-2019-15717/irssi fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1350,7 +1350,7 @@ CVE-2019-15718 (In systemd 240, bus_open_system_watch_bind_with_description in s NOTE: https://github.com/systemd/systemd/pull/13457 NOTE: https://github.com/systemd/systemd/commit/35e528018f315798d3bffcb592b32a0d8f5162bd CVE-2019-15717 (Irssi 1.2.x before 1.2.2 has a use-after-free if the IRC server sends ...) - - irssi (bug #936074) + - irssi 1.2.2-1 (bug #936074) [buster] - irssi (Minor issue) [stretch] - irssi (Vulnerable code not present) [jessie] - irssi (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1f3cd1efd6c679ce5a62e5f684de83b8f8a87912 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1f3cd1efd6c679ce5a62e5f684de83b8f8a87912 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2017-15124/qemu: reference complementary VNC/SASL patch
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 9ab30f6d by Sylvain Beucler at 2019-09-12T15:27:29Z CVE-2017-15124/qemu: reference complementary VNC/SASL patch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -106642,6 +106642,8 @@ CVE-2017-15124 (VNC server implementation in Quick Emulator (QEMU) 2.11.0 and ol - qemu-kvm [wheezy] - qemu-kvm (Can be fixed along in later update) NOTE: http://www.openwall.com/lists/oss-security/2017/12/19/4 + NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-12/msg03705.html + NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-02/msg00796.html CVE-2017-15123 (A flaw was found in the CloudForms web interface, versions 5.8 - 5.10, ...) NOT-FOR-US: CloudForms CVE-2017-15122 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9ab30f6d6b5019c5dc817bcc31884289d7f027f0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9ab30f6d6b5019c5dc817bcc31884289d7f027f0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
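Review bot: the two NOTE lines added under CVE-2017-15124 are bare qemu-devel archive URLs, so a reader of data/CVE/list cannot tell that they are the complementary VNC/SASL patch the commit message refers to, or how they relate to the fix already tracked for this CVE. Prefix each with a short description such as "Complementary VNC/SASL patch:" and say whether it is required for the fix to be complete.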
[Git][security-tracker-team/security-tracker][master] Claim clamav and dnsmasq from dla-needed
Jonas Meurer pushed to branch master at Debian Security Tracker / security-tracker Commits: 12d00673 by Jonas Meurer at 2019-09-12T15:25:37Z Claim clamav and dnsmasq from dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -21,14 +21,14 @@ ansible (Roberto C. Sánchez) cimg (Thorsten Alteholz) NOTE: inline function load_network_external is affected, variable filename -- -clamav +clamav (Jonas Meurer) NOTE: wait for definitive patch to be available, then upgrade to latest upstream NOTE: release (follow stretch changes) (hle) NOTE: https://lists.debian.org/debian-lts/2019/08/msg00023.html NOTE: 20190822: upstream has released 0.101.4, wait for stretch update (see bug NOTE: report) (hle) -- -dnsmasq +dnsmasq (Jonas Meurer) -- freeimage NOTE: Maintainer will take care of the update. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/12d006732ee51126de26319f07b0fc4e2cd22a0d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/12d006732ee51126de26319f07b0fc4e2cd22a0d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1919-1 for linux-4.9
Ben Hutchings pushed to branch master at Debian Security Tracker / security-tracker Commits: c600964e by Ben Hutchings at 2019-09-12T14:30:07Z Reserve DLA-1919-1 for linux-4.9 - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[12 Sep 2019] DLA-1919-1 linux-4.9 - security update + {CVE-2019-0136 CVE-2019-9506 CVE-2019-11487 CVE-2019-15211 CVE-2019-15212 CVE-2019-15215 CVE-2019-15216 CVE-2019-15218 CVE-2019-15219 CVE-2019-15220 CVE-2019-15221 CVE-2019-15292 CVE-2019-15538 CVE-2019-15666 CVE-2019-15807 CVE-2019-15924 CVE-2019-15926} + [jessie] - linux-4.9 4.9.189-3~deb8u1 [12 Sep 2019] DLA-1918-1 libonig - security update {CVE-2019-16163} [jessie] - libonig 5.9.5-3.2+deb8u3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c600964e138284c43164529e29a0243313d769ac -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c600964e138284c43164529e29a0243313d769ac You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2019-16163/libonig: update jessie status
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 3f3d0fd8 by Sylvain Beucler at 2019-09-12T09:58:12Z CVE-2019-16163/libonig: update jessie status - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -245,7 +245,6 @@ CVE-2019-16163 (Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c beca - libonig (low; bug #939988) [buster] - libonig (Minor issue) [stretch] - libonig (Minor issue) - [jessie] - libonig (Minor issue) NOTE: https://github.com/kkos/oniguruma/issues/147 NOTE: https://github.com/kkos/oniguruma/commit/4097828d7cc87589864fecf452f2cd46c5f37180 CVE-2019-16162 (Onigmo through 6.2.0 has an out-of-bounds read in parse_char_class bec ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3f3d0fd8308c8345fce55b66deb8955a9c4e07a1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3f3d0fd8308c8345fce55b66deb8955a9c4e07a1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1918-1 for libonig
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 3fec19d5 by Sylvain Beucler at 2019-09-12T09:23:12Z Reserve DLA-1918-1 for libonig - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[12 Sep 2019] DLA-1918-1 libonig - security update + {CVE-2019-16163} + [jessie] - libonig 5.9.5-3.2+deb8u3 [12 Sep 2019] DLA-1917-1 curl - security update {CVE-2019-5482} [jessie] - curl 7.38.0-4+deb8u16 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3fec19d50cfa1aa2a2bcc8d9105033d826caa53b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3fec19d50cfa1aa2a2bcc8d9105033d826caa53b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1917-1 for curl
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 23b8cd27 by Chris Lamb at 2019-09-12T08:38:15Z Reserve DLA-1917-1 for curl - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[12 Sep 2019] DLA-1917-1 curl - security update + {CVE-2019-5482} + [jessie] - curl 7.38.0-4+deb8u16 [11 Sep 2019] DLA-1916-1 opensc - security update {CVE-2018-16391 CVE-2018-16392 CVE-2018-16393 CVE-2018-16418 CVE-2018-16419 CVE-2018-16420 CVE-2018-16421 CVE-2018-16422 CVE-2018-16423 CVE-2018-16424 CVE-2018-16425 CVE-2018-16426 CVE-2018-16427 CVE-2019-15945 CVE-2019-15946} [jessie] - opensc 0.16.0-3+deb8u1 = data/dla-needed.txt = @@ -28,8 +28,6 @@ clamav NOTE: 20190822: upstream has released 0.101.4, wait for stretch update (see bug NOTE: report) (hle) -- -curl (Chris Lamb) --- dnsmasq -- freeimage View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/23b8cd27af68ce73a0687941f952f73a3e08603e
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d83e6b81 by security tracker role at 2019-09-12T08:10:15Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,37 @@ +CVE-2019-16255 + RESERVED +CVE-2019-16254 + RESERVED +CVE-2019-16253 + RESERVED +CVE-2019-16252 + RESERVED +CVE-2019-16251 + RESERVED +CVE-2019-16250 (includes/wizard/wizard.php in the Ocean Extra plugin through 1.5.8 for ...) + TODO: check +CVE-2019-16249 (OpenCV 4.1.1 has an out-of-bounds read in hal_baseline::v_load in core ...) + TODO: check +CVE-2019-16248 (The "delete for" feature in Telegram before 5.11 on Android does not d ...) + TODO: check +CVE-2019-16247 (Delta DCISoft 1.21 has a User Mode Write AV starting at CommLib!CCommL ...) + TODO: check +CVE-2019-16246 + RESERVED +CVE-2019-16245 + RESERVED +CVE-2019-16244 + RESERVED +CVE-2019-16243 + RESERVED +CVE-2019-16242 + RESERVED +CVE-2019-16241 + RESERVED +CVE-2019-16240 + RESERVED +CVE-2019-16239 + RESERVED CVE-2019- [signature bypass with multiple From addresses] - opendmarc (bug #940081) NOTE: https://github.com/trusteddomainproject/OpenDMARC/pull/48 @@ -2490,8 +2524,8 @@ CVE-2019-15304 (Lierda Grill Temperature Monitor V1.00_50006 has a default passw NOT-FOR-US: Lierda Grill Temperature Monitor CVE-2019-15303 RESERVED -CVE-2019-15302 - RESERVED +CVE-2019-15302 (The pad management logic in XWiki labs CryptPad before 3.0.0 allows a ...) + TODO: check CVE-2019-15301 RESERVED CVE-2019-15300 
@@ -8790,24 +8824,24 @@ CVE-2019-13546 RESERVED CVE-2019-13545 RESERVED -CVE-2019-13544 - RESERVED +CVE-2019-13544 (Delta Electronics TPEditor, Versions 1.94 and prior. Multiple out-of-b ...) + TODO: check CVE-2019-13543 RESERVED CVE-2019-13542 RESERVED CVE-2019-13541 RESERVED -CVE-2019-13540 - RESERVED +CVE-2019-13540 (Delta Electronics TPEditor, Versions 1.94 and prior. Multiple stack-ba ...) + TODO: check CVE-2019-13539 RESERVED CVE-2019-13538 RESERVED CVE-2019-13537 RESERVED -CVE-2019-13536 - RESERVED +CVE-2019-13536 (Delta Electronics TPEditor, Versions 1.94 and prior. Multiple heap-bas ...) + TODO: check CVE-2019-13535 RESERVED CVE-2019-13534 @@ -13396,8 +13430,8 @@ CVE-2019-11771 (AIX builds of Eclipse OpenJ9 before 0.15.0 contain unused RPATHs NOT-FOR-US: Eclipse OpenJ9 CVE-2019-11770 (In Eclipse Buildship versions prior to 3.1.1, the build files indicate ...) NOT-FOR-US: Eclipse Buildship -CVE-2019-11769 - RESERVED +CVE-2019-11769 (An issue was discovered in TeamViewer 14.2.2558. Updating the product ...) + TODO: check CVE-2019-11768 (An issue was discovered in phpMyAdmin before 4.9.0.1. A vulnerability ...) - phpmyadmin (bug #930048) [jessie] - phpmyadmin (vulnerable code is not present) @@ -18167,11 +18201,9 @@ CVE-2019-10076 (A carefully crafted malicious attachment could trigger an XSS vu - jspwiki CVE-2019-10075 RESERVED -CVE-2019-10074 - RESERVED +CVE-2019-10074 (An RCE is possible by entering Freemarker markup in an Apache OFBiz Fo ...) NOT-FOR-US: Apache OFBiz -CVE-2019-10073 - RESERVED +CVE-2019-10073 (The "Blog", "Forum", "Contact Us" screens of the template "ecommerce" ...) NOT-FOR-US: Apache OFBiz CVE-2019-10072 (The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 co ...) - tomcat9 9.0.22-1 (bug #931131) 
@@ -32019,10 +32051,10 @@ CVE-2019-5057 (An exploitable code execution vulnerability exists in the PCX ima NOTE: https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb CVE-2019-5056 RESERVED -CVE-2019-5055 - RESERVED -CVE-2019-5054 - RESERVED +CVE-2019-5055 (An exploitable denial-of-service vulnerability exists in the Host Acce ...) + TODO: check +CVE-2019-5054 (An exploitable denial-of-service vulnerability exists in the session h ...) + TODO: check CVE-2019-5053 RESERVED CVE-2019-5052 (An exploitable integer overflow vulnerability exists when loading a PC ...) @@ -34944,16 +34976,16 @@ CVE-2019-3765 RESERVED CVE-2019-3764 RESERVED -CVE-2019-3763 - RESERVED +CVE-2019-3763 (The RSA Identity Governance and Lifecycle software and RSA Via Lifecyc ...) + TODO: check CVE-2019-3762 RESERVED -CVE-2019-3761 - RESERVED -CVE-2019-3760 - RESERVED -CVE-2019-3759 - RESERVED +CVE-2019-3761 (The RSA Identity Governance and Lifecycle software and RSA Via Lifecyc ...) + TODO: check +CVE-2019-3760 (The RSA Identity Governance and Lifecycle software and RSA Via Lifecyc ...) + TODO: check +C
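Review bot: the newly published entries land with `TODO: check` and still need triage, in the first hunk and in the hunks at -2490, -8790, -13396, -32019 and -34944. CVE-2019-16249 names OpenCV, which Debian packages, so it needs a package line with an affected-version assessment; entries such as the Delta Electronics TPEditor and TeamViewer ones look like candidates for `NOT-FOR-US:`, matching how the Apache OFBiz entries in the -18167 hunk are already tagged.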
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim curl.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: eb186e1e by Chris Lamb at 2019-09-12T07:08:38Z data/dla-needed.txt: Claim curl. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -28,7 +28,7 @@ clamav NOTE: 20190822: upstream has released 0.101.4, wait for stretch update (see bug NOTE: report) (hle) -- -curl +curl (Chris Lamb) -- dnsmasq -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/eb186e1e29d01feb12c3b93556078513979e9063