[Git][security-tracker-team/security-tracker][master] Add temporary entry for spip issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 07478e45 by Salvatore Bonaccorso at 2019-09-17T04:58:41Z Add temporary entry for spip issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,6 @@ +CVE-2019- [multiple spip issues] + - spip 3.2.5-1 + TODO: CVE for individual issues need to be requested (identify requiring changes) and entry split up CVE-2019-16374 RESERVED CVE-2019-16373 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/07478e45684ba0b82919481e49bc55fdd760100f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/07478e45684ba0b82919481e49bc55fdd760100f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
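Review bot: the temporary `CVE-2019- [multiple spip issues]` entry records the fixed version `spip 3.2.5-1` but no NOTE pointing at the upstream advisory or the changesets behind that release, so whoever later splits the entry per the TODO has nothing to start from; add a `NOTE:` line with the upstream reference (and a Debian bug number once one is filed) next to the TODO.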
[Git][security-tracker-team/security-tracker][master] opendmarc issue fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bbb941fe by Salvatore Bonaccorso at 2019-09-17T04:37:57Z opendmarc issue fixed in unstable Thanks: Scott Kitterman - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -406,7 +406,7 @@ CVE-2019-16240 CVE-2019-16239 RESERVED CVE-2019- [signature bypass with multiple From addresses] - - opendmarc (bug #940081) + - opendmarc 1.3.2-7 (bug #940081) NOTE: https://github.com/trusteddomainproject/OpenDMARC/pull/48 CVE-2019-16275 (hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect ...) {DLA-1922-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bbb941fed5f68bf62514e292082cf9b0f6ca77d2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bbb941fed5f68bf62514e292082cf9b0f6ca77d2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
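Review bot: `- opendmarc 1.3.2-7 (bug #940081)` only records the unstable fix; with no [buster]/[stretch] lines the stable suites stay flagged vulnerable by default, which is right until triage, but the triage outcome (no-dsa, DSA, or a fixed version) should be recorded so the entry does not sit open. The entry also still carries the placeholder id `CVE-2019-` with only the upstream PR as reference; once the id is assigned, replace the placeholder rather than leaving the bracketed description as the key.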
[Git][security-tracker-team/security-tracker][master] Reject of CVE-2019-9457 confirmed and will be in next list update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5e6a3680 by Salvatore Bonaccorso at 2019-09-17T04:34:34Z Reject of CVE-2019-9457 confirmed and will be in next list update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21372,11 +21372,8 @@ CVE-2019-9458 (In the Android kernel in the video driver there is a use after fr [stretch] - linux 4.9.135-1 [jessie] - linux 3.16.64-1 NOTE: https://git.kernel.org/linus/ad608fbcf166fec809e402d548761768f602702c -CVE-2019-9457 (In the Android kernel in ELF file loading there is possible memory cor ...) - - linux 4.12.6-1 - [stretch] - linux 4.9.47-1 - [jessie] - linux 3.16.59-1 - NOTE: From commit point of view this is a duplicate of CVE-2018-14634 +CVE-2019-9457 + REJECTED CVE-2019-9456 (In the Android kernel in Pixel C USB monitor driver there is a possibl ...) - linux 4.15.11-1 [stretch] - linux 4.9.88-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5e6a3680c985652c98efd7d8fe3d7dc843b5e7cf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5e6a3680c985652c98efd7d8fe3d7dc843b5e7cf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
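Review bot: dropping the NOTE `From commit point of view this is a duplicate of CVE-2018-14634` together with the fixed versions loses the only pointer to where the issue is actually tracked; keep a `NOTE: duplicate of CVE-2018-14634` line under the new `REJECTED` status so readers of the rejected entry are sent to the live one. Since the commit message says the rejection will only land in the next list update, the automatic update is likely to touch the same entry; worth re-checking afterwards that the description is not reintroduced.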
[Git][security-tracker-team/security-tracker][master] CVE-2016-10937/imapfilter: Reference commit for hostname validation for older openssl versions
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 31d78bc8 by Salvatore Bonaccorso at 2019-09-17T04:24:01Z CVE-2016-10937/imapfilter: Reference commit for hostname validation for older openssl versions Reference the additional commit wihch add support for hostname validation for OpenSSL 1.0.2 and later. Upstream as well released a new upstream version with the required fixes. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -803,6 +803,8 @@ CVE-2016-10937 (IMAPFilter through 2.6.12 does not validate the hostname in an S NOTE: https://github.com/lefcha/imapfilter/issues/142 NOTE: Patch for support for hostname validation (requrires OpenSSL 1.1.0 and later): NOTE: https://github.com/lefcha/imapfilter/commit/bf2515da752eddd54973adb0853c6aa289e921b6 + NOTE: Patch for support for hostname validation (for OpenSSL 1.0.2 and later): + NOTE: https://github.com/lefcha/imapfilter/commit/3daa2692e37fc52ce630e39a3fb6faf270c054b1 CVE-2019-16096 (Kilo 0.0.1 has a heap-based buffer overflow because there is an intege ...) NOT-FOR-US: Kilo CVE-2019-16095 (Symonics libmysofa 0.7 has an invalid read in getDimension in hrtf/rea ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/31d78bc838c7f647112a46d552e953991767adb0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/31d78bc838c7f647112a46d552e953991767adb0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
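Review bot: the two NOTE pairs now read `(requrires OpenSSL 1.1.0 and later)` and `(for OpenSSL 1.0.2 and later)`, which side by side read as overlapping rather than as a first patch plus a follow-up that widens support; wording the new line as e.g. `NOTE: Follow-up extending hostname validation to OpenSSL 1.0.2:` would make the relation explicit. The commit message also says upstream released a new version with both fixes, but that release is not recorded in the entry; a NOTE naming it would let the fixed Debian version be derived from it.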
[Git][security-tracker-team/security-tracker][master] add dino ref
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 84676619 by Moritz Muehlenhoff at 2019-09-16T20:55:10Z add dino ref - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -419,14 +419,17 @@ CVE-2019-16237 (Dino before 2019-09-10 does not properly check the source of an {DSA-4524-1} - dino-im 0.0.git20190911.2a70a4e-1 NOTE: https://github.com/dino/dino/commit/307f16cc86dd2b95aa02ab8a85110e4a2d5e7363 + NOTE: https://gultsch.de/dino_multiple.html CVE-2019-16236 (Dino before 2019-09-10 does not check roster push authorization in mod ...) {DSA-4524-1} - dino-im 0.0.git20190911.2a70a4e-1 NOTE: https://github.com/dino/dino/commit/dd33f5f949248d87d34f399e8846d5ee5b8823d9 + NOTE: https://gultsch.de/dino_multiple.html CVE-2019-16235 (Dino before 2019-09-10 does not properly check the source of a carbons ...) {DSA-4524-1} - dino-im 0.0.git20190911.2a70a4e-1 NOTE: https://github.com/dino/dino/commit/e84f2c49567e86d2a261ea264d65c4adc549c930 + NOTE: https://gultsch.de/dino_multiple.html CVE-2019-16234 (drivers/net/wireless/intel/iwlwifi/pcie/trans.c in the Linux kernel 5. ...) - linux NOTE: https://lkml.org/lkml/2019/9/9/487 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/84676619aa403fa570cc61657015ccb242054ad0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/84676619aa403fa570cc61657015ccb242054ad0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
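Review bot: the same writeup URL https://gultsch.de/dino_multiple.html is pasted as a bare NOTE under each of CVE-2019-16235, -16236 and -16237; that matches the one-entry-per-CVE layout, but since the page covers all three issues, a short annotation after each URL saying which of the three it documents for that entry would save readers cross-matching the three upstream commits against the writeup.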
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1924-1 for python3.4
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: c410fcde by Roberto C. Sánchez at 2019-09-16T20:31:09Z Reserve DLA-1924-1 for python3.4 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[16 Sep 2019] DLA-1924-1 python3.4 - security update + {CVE-2019-16056} + [jessie] - python3.4 3.4.2-1+deb8u7 [16 Sep 2019] DLA-1923-1 ansible - security update {CVE-2015-3908 CVE-2015-6240 CVE-2018-10875 CVE-2019-10156} [jessie] - ansible 1.7.2+dfsg-2+deb8u2 = data/dla-needed.txt = @@ -108,8 +108,6 @@ poppler (Thorsten Alteholz) -- python2.7 (Roberto C. Sánchez) -- -python3.4 (Roberto C. Sánchez) --- qemu (Sylvain Beucler) NOTE: 20190913: An upload candidate is waiting for being tested on real hardware. NOTE: 20190913: https://www.beuc.net/tmp/debian-lts/qemu/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c410fcde6ea409398ea4f3a056fea27b7244193a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c410fcde6ea409398ea4f3a056fea27b7244193a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
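Review bot: the DLA entry and the dla-needed.txt removal are both here, but data/CVE/list is not touched, so CVE-2019-16056 does not yet carry the `{DLA-1924-1}` cross-reference that other entries on this list have (compare `{DLA-1922-1}` on CVE-2019-16275); add it, or confirm the follow-up commit that does.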
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1925-1 for python2.7
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: c2c57dc6 by Roberto C. Sánchez at 2019-09-16T20:31:32Z Reserve DLA-1925-1 for python2.7 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[16 Sep 2019] DLA-1925-1 python2.7 - security update + {CVE-2019-16056} + [jessie] - python2.7 2.7.9-2+deb8u5 [16 Sep 2019] DLA-1924-1 python3.4 - security update {CVE-2019-16056} [jessie] - python3.4 3.4.2-1+deb8u7 = data/dla-needed.txt = @@ -106,8 +106,6 @@ php5 (Roberto C. Sánchez) -- poppler (Thorsten Alteholz) -- -python2.7 (Roberto C. Sánchez) --- qemu (Sylvain Beucler) NOTE: 20190913: An upload candidate is waiting for being tested on real hardware. NOTE: 20190913: https://www.beuc.net/tmp/debian-lts/qemu/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c2c57dc6dcc9d2499ecaff7f29ab8ae2eb41d081 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c2c57dc6dcc9d2499ecaff7f29ab8ae2eb41d081 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
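Review bot: the python2.7 fix `[jessie] - python2.7 2.7.9-2+deb8u5` is recorded in data/DLA/list and the dla-needed.txt entry removed, but CVE-2019-16056 in data/CVE/list is not updated with `{DLA-1925-1}`; with two DLAs for one CVE, both ids should end up in that entry's braces in the same way `{DLA-1922-1}` is attached to CVE-2019-16275.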
[Git][security-tracker-team/security-tracker][master] AddCVE-2019-16197/dolibarr
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 669df538 by Salvatore Bonaccorso at 2019-09-16T20:18:44Z AddCVE-2019-16197/dolibarr - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -523,7 +523,7 @@ CVE-2019-16199 CVE-2019-16198 RESERVED CVE-2019-16197 (In htdocs/societe/card.php in Dolibarr 10.0.1, the value of the User-A ...) - TODO: check + - dolibarr CVE-2019-16196 RESERVED CVE-2019-16195 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/669df538e768da991a1892edb0efb1089aeb445f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/669df538e768da991a1892edb0efb1089aeb445f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
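Review bot: `- dolibarr` with no version marks the package as unfixed in unstable, but nothing tracks the fix: no `(bug #...)` reference and no NOTE pointing at an upstream commit or issue for CVE-2019-16197; file the bug and add both, otherwise the entry has no way to progress beyond "affected".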
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8567d6bb by Salvatore Bonaccorso at 2019-09-16T20:18:17Z Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,7 +5,7 @@ CVE-2019-16373 CVE-2019-16372 RESERVED CVE-2019-16371 (LogMeIn LastPass before 4.33.0 allows attackers to construct a crafted ...) - TODO: check + NOT-FOR-US: LogMeIn LastPass CVE-2019-16370 (The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algori ...) TODO: check CVE-2019-16369 @@ -37,11 +37,11 @@ CVE-2019-16357 CVE-2019-16356 RESERVED CVE-2019-16355 (The File Session Manager in Beego 1.10.0 allows local users to read se ...) - TODO: check + NOT-FOR-US: Beego CVE-2019-16354 (The File Session Manager in Beego 1.10.0 allows local users to read se ...) - TODO: check + NOT-FOR-US: Beego CVE-2019-16353 (Emerson GE Automation Proficy Machine Edition 8.0 allows an access vio ...) - TODO: check + NOT-FOR-US: Emerson GE Automation Proficy Machine Edition CVE-2019-16352 (ffjpeg before 2019-08-21 has a heap-based buffer overflow in jfif_load ...) TODO: check CVE-2019-16351 (ffjpeg before 2019-08-18 has a NULL pointer dereference in huffman_dec ...) @@ -49,13 +49,13 @@ CVE-2019-16351 (ffjpeg before 2019-08-18 has a NULL pointer dereference in huffm CVE-2019-16350 (ffjpeg before 2019-08-18 has a NULL pointer dereference in idct2d8x8() ...) TODO: check CVE-2019-16349 (Bento4 1.5.1-628 has a NULL pointer dereference in AP4_ByteStream::Rea ...) - TODO: check + NOT-FOR-US: Bento4 CVE-2019-16348 (marc-q libwav through 2019-08-15 has a NULL pointer dereference in gai ...) - TODO: check + NOT-FOR-US: libwav CVE-2019-16347 (ngiflib 0.4 has a heap-based buffer overflow in WritePixels() in ngifl ...) - TODO: check + NOT-FOR-US: ngiflib CVE-2019-16346 (ngiflib 0.4 has a heap-based buffer overflow in WritePixel() in ngifli ...) - TODO: check + NOT-FOR-US: ngiflib CVE-2019-16345 RESERVED CVE-2019-16344 
@@ -238,7 +238,7 @@ CVE-2016-10959 (The estatik plugin before 2.3.1 for WordPress has authenticated CVE-2016-10958 (The estatik plugin before 2.3.0 for WordPress has unauthenticated arbi ...) NOT-FOR-US: estatik plugin for WordPress CVE-2016-10957 (The Akal theme through 2016-08-22 for WordPress has XSS via the framew ...) - TODO: check + NOT-FOR-US: Akal theme for WordPress CVE-2016-10956 (The mail-masta plugin 1.0 for WordPress has local file inclusion in co ...) NOT-FOR-US: mail-masta plugin for WordPress CVE-2010-5333 (The web server in Integard Pro and Home before 2.0.0.9037 and 2.2.x be ...) @@ -274,7 +274,7 @@ CVE-2019-16266 CVE-2019-16265 RESERVED CVE-2019-16264 (In Escuela de Gestion Publica Plurinacional (EGPP) Sistema Integrado d ...) - TODO: check + NOT-FOR-US: Escuela de Gestion Publica Plurinacional (EGPP) Sistema Integrado de Gestion Academica (GESAC) CVE-2019-16263 RESERVED CVE-2019-16262 @@ -880,7 +880,7 @@ CVE-2019-16058 (An issue was discovered in the pam_p11 component 0.2.0 and 0.3.0 - pam-p11 (bug #939664) NOTE: https://github.com/OpenSC/pam_p11/commit/d150b60e1e14c261b113f55681419ad1dfa8a76c CVE-2019-16057 (The login_mgr.cgi script in D-Link DNS-320 through 2.05.B10 is vulnera ...) - TODO: check + NOT-FOR-US: D-Link CVE-2019-16056 (An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3 ...) - python3.8 3.8.0~b4-1 - python3.7 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8567d6bb45651c24d1cca33d5b9a50baa2e42448 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8567d6bb45651c24d1cca33d5b9a50baa2e42448 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
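Review bot: in the `@@ -37,11` and `@@ -49,13` hunks Bento4, libwav and ngiflib go to NOT-FOR-US while the three ffjpeg entries (CVE-2019-16352, -16351, -16350) stay at `TODO: check`, and the Gradle PGP-signing entry CVE-2019-16370 in the first hunk likewise; if those are deliberately held (packaged, or still unclear) a short NOTE saying so keeps the next triager from re-checking them, otherwise they should get the same disposition in this pass.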
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: deea5fcb by Salvatore Bonaccorso at 2019-09-16T20:12:43Z Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -204,43 +204,43 @@ CVE-2019-16278 CVE-2019-16277 (PicoC 2.1 has a heap-based buffer overflow in StringStrcpy in cstdlib/ ...) TODO: check CVE-2017-18634 (The newspaper theme before 6.7.2 for WordPress has script injection vi ...) - TODO: check + NOT-FOR-US: newspaper theme for WordPress CVE-2016-10973 (The Brafton plugin before 3.4.8 for WordPress has XSS via the wp-admin ...) - TODO: check + NOT-FOR-US: Brafton plugin for WordPress CVE-2016-10972 (The newspaper theme before 6.7.2 for WordPress has a lack of options a ...) - TODO: check + NOT-FOR-US: newspaper theme for WordPress CVE-2016-10971 (The MemberSonic Lite plugin before 1.302 for WordPress has incorrect l ...) - TODO: check + NOT-FOR-US: MemberSonic Lite plugin for WordPress CVE-2016-10970 (The supportflow plugin before 0.7 for WordPress has XSS via a ticket e ...) - TODO: check + NOT-FOR-US: supportflow plugin for WordPress CVE-2016-10969 (The supportflow plugin before 0.7 for WordPress has XSS via a discussi ...) - TODO: check + NOT-FOR-US: supportflow plugin for WordPress CVE-2016-10968 (The peepso-core plugin before 1.6.1 for WordPress has PeepSoProfilePre ...) - TODO: check + NOT-FOR-US: peepso-core plugin for WordPress CVE-2016-10967 (The real3d-flipbook-lite plugin 1.0 for WordPress has XSS via the wp-c ...) - TODO: check + NOT-FOR-US: real3d-flipbook-lite plugin for WordPress CVE-2016-10966 (The real3d-flipbook-lite plugin 1.0 for WordPress has bookName=../ dir ...) - TODO: check + NOT-FOR-US: real3d-flipbook-lite plugin for WordPress CVE-2016-10965 (The real3d-flipbook-lite plugin 1.0 for WordPress has deleteBook=../ d ...) - TODO: check + NOT-FOR-US: real3d-flipbook-lite plugin for WordPress CVE-2016-10964 (The dwnldr plugin before 1.01 for WordPress has XSS via the User-Agent ...) - TODO: check + NOT-FOR-US: dwnldr plugin for WordPress CVE-2016-10963 (The icegram plugin before 1.9.19 for WordPress has XSS. ...) 
- TODO: check + NOT-FOR-US: icegram plugin for WordPress CVE-2016-10962 (The icegram plugin before 1.9.19 for WordPress has CSRF via the wp-adm ...) - TODO: check + NOT-FOR-US: icegram plugin for WordPress CVE-2016-10961 (The colorway theme before 3.4.2 for WordPress has XSS via the contactN ...) - TODO: check + NOT-FOR-US: colorway theme for WordPress CVE-2016-10960 (The wsecure plugin before 2.4 for WordPress has remote code execution ...) - TODO: check + NOT-FOR-US: wsecure plugin for WordPress CVE-2016-10959 (The estatik plugin before 2.3.1 for WordPress has authenticated arbitr ...) - TODO: check + NOT-FOR-US: estatik plugin for WordPress CVE-2016-10958 (The estatik plugin before 2.3.0 for WordPress has unauthenticated arbi ...) - TODO: check + NOT-FOR-US: estatik plugin for WordPress CVE-2016-10957 (The Akal theme through 2016-08-22 for WordPress has XSS via the framew ...) TODO: check CVE-2016-10956 (The mail-masta plugin 1.0 for WordPress has local file inclusion in co ...) - TODO: check + NOT-FOR-US: mail-masta plugin for WordPress CVE-2010-5333 (The web server in Integard Pro and Home before 2.0.0.9037 and 2.2.x be ...) NOT-FOR-US: Integard CVE-2019-16319 (In Wireshark 3.0.0 to 3.0.3 and 2.6.0 to 2.6.10, the Gryphon dissector ...) 
@@ -34370,7 +34370,7 @@ CVE-2019-4149 (IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2 and CVE-2019-4148 (IBM Sterling B2B Integrator Standard Edition 6.0.0.0 and 6.0.0.1 is vu ...) NOT-FOR-US: IBM CVE-2019-4147 (IBM Sterling File Gateway 2.2.0.0 through 6.0.1.0 is vulnerable to SQL ...) - TODO: check + NOT-FOR-US: IBM CVE-2019-4146 (IBM Sterling B2B Integrator Standard Edition 6.0.0.0 and 6.0.0.1 could ...) NOT-FOR-US: IBM CVE-2019-4145 (IBM Security Access Manager 9.0.1 through 9.0.6 could reveal highly se ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/deea5fcbfde0bff2042b82b5b97a6509979d023e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/deea5fcbfde0bff2042b82b5b97a6509979d023e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
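Review bot: in the `@@ -204,43` hunk every WordPress plugin/theme entry is switched to NOT-FOR-US except CVE-2016-10957 (Akal theme), which is left at `TODO: check` between two entries that are handled; that looks like an oversight rather than a deliberate hold, and commit 8567d6bb on this page does mark it `NOT-FOR-US: Akal theme for WordPress` afterwards. Catching it here would have saved a second pass over the same block.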
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: aa8c43c8 by security tracker role at 2019-09-16T20:10:23Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,73 @@ +CVE-2019-16374 + RESERVED +CVE-2019-16373 + RESERVED +CVE-2019-16372 + RESERVED +CVE-2019-16371 (LogMeIn LastPass before 4.33.0 allows attackers to construct a crafted ...) + TODO: check +CVE-2019-16370 (The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algori ...) + TODO: check +CVE-2019-16369 + RESERVED +CVE-2019-16368 + RESERVED +CVE-2019-16367 + RESERVED +CVE-2019-16366 (In XS 9.0.0 in Moddable SDK OS180329, there is a heap-based buffer ove ...) + TODO: check +CVE-2019-16365 + RESERVED +CVE-2019-16364 + RESERVED +CVE-2019-16363 + RESERVED +CVE-2019-16362 + RESERVED +CVE-2019-16361 + RESERVED +CVE-2019-16360 + RESERVED +CVE-2019-16359 + RESERVED +CVE-2019-16358 + RESERVED +CVE-2019-16357 + RESERVED +CVE-2019-16356 + RESERVED +CVE-2019-16355 (The File Session Manager in Beego 1.10.0 allows local users to read se ...) + TODO: check +CVE-2019-16354 (The File Session Manager in Beego 1.10.0 allows local users to read se ...) + TODO: check +CVE-2019-16353 (Emerson GE Automation Proficy Machine Edition 8.0 allows an access vio ...) + TODO: check +CVE-2019-16352 (ffjpeg before 2019-08-21 has a heap-based buffer overflow in jfif_load ...) + TODO: check +CVE-2019-16351 (ffjpeg before 2019-08-18 has a NULL pointer dereference in huffman_dec ...) + TODO: check +CVE-2019-16350 (ffjpeg before 2019-08-18 has a NULL pointer dereference in idct2d8x8() ...) + TODO: check +CVE-2019-16349 (Bento4 1.5.1-628 has a NULL pointer dereference in AP4_ByteStream::Rea ...) + TODO: check +CVE-2019-16348 (marc-q libwav through 2019-08-15 has a NULL pointer dereference in gai ...) + TODO: check +CVE-2019-16347 (ngiflib 0.4 has a heap-based buffer overflow in WritePixels() in ngifl ...) + TODO: check +CVE-2019-16346 (ngiflib 0.4 has a heap-based buffer overflow in WritePixel() in ngifli ...) 
+ TODO: check +CVE-2019-16345 + RESERVED +CVE-2019-16344 + RESERVED +CVE-2019-16343 + RESERVED +CVE-2018-21017 (GPAC 0.7.1 has a memory leak in dinf_Read in isomedia/box_code_base.c. ...) + TODO: check +CVE-2018-21016 (audio_sample_entry_AddBox() at isomedia/box_code_base.c in GPAC 0.7.1 ...) + TODO: check +CVE-2018-21015 (AVC_DuplicateConfig() at isomedia/avc_ext.c in GPAC 0.7.1 allows remot ...) + TODO: check CVE-2019-16342 RESERVED CVE-2019-16341 
@@ -133,44 +203,44 @@ CVE-2019-16278 RESERVED CVE-2019-16277 (PicoC 2.1 has a heap-based buffer overflow in StringStrcpy in cstdlib/ ...) TODO: check -CVE-2017-18634 - RESERVED -CVE-2016-10973 - RESERVED -CVE-2016-10972 - RESERVED -CVE-2016-10971 - RESERVED -CVE-2016-10970 - RESERVED -CVE-2016-10969 - RESERVED -CVE-2016-10968 - RESERVED -CVE-2016-10967 - RESERVED -CVE-2016-10966 - RESERVED -CVE-2016-10965 - RESERVED -CVE-2016-10964 - RESERVED -CVE-2016-10963 - RESERVED -CVE-2016-10962 - RESERVED -CVE-2016-10961 - RESERVED -CVE-2016-10960 - RESERVED -CVE-2016-10959 - RESERVED -CVE-2016-10958 - RESERVED -CVE-2016-10957 - RESERVED -CVE-2016-10956 - RESERVED +CVE-2017-18634 (The newspaper theme before 6.7.2 for WordPress has script injection vi ...) + TODO: check +CVE-2016-10973 (The Brafton plugin before 3.4.8 for WordPress has XSS via the wp-admin ...) + TODO: check +CVE-2016-10972 (The newspaper theme before 6.7.2 for WordPress has a lack of options a ...) + TODO: check +CVE-2016-10971 (The MemberSonic Lite plugin before 1.302 for WordPress has incorrect l ...) + TODO: check +CVE-2016-10970 (The supportflow plugin before 0.7 for WordPress has XSS via a ticket e ...) + TODO: check +CVE-2016-10969 (The supportflow plugin before 0.7 for WordPress has XSS via a discussi ...) + TODO: check +CVE-2016-10968 (The peepso-core plugin before 1.6.1 for WordPress has PeepSoProfilePre ...) + TODO: check +CVE-2016-10967 (The real3d-flipbook-lite plugin 1.0 for WordPress has XSS via the wp-c ...) + TODO: check +CVE-2016-10966 (The real3d-flipbook-lite plugin 1.0 for WordPress has bookName=../ dir ...) + TODO: check +CVE-2016-10965 (The real3d-flipbook-lite plugin 1.0 for WordPress has deleteBook=../ d ...) + TODO: check +CVE-2016-10964 (The dwnldr plugin before 1.01 for WordPress has XSS via the User-Agent ...) + TODO: check +CVE-2016-10963 (The icegram plugin before 1.9.19 for WordPress has XSS. ...) + TODO: check
[Git][security-tracker-team/security-tracker][master] Add cloned bug for CVE-2019-16159/bird2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: abfcce36 by Salvatore Bonaccorso at 2019-09-16T19:47:42Z Add cloned bug for CVE-2019-16159/bird2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -575,7 +575,7 @@ CVE-2019-16159 (BIRD Internet Routing Daemon 1.6.x through 1.6.7 and 2.x through - bird 1.6.8-1 (bug #939990) [stretch] - bird (Vulnerable code introduced later) [jessie] - bird (Vulnerable code introduced later) - - bird2 2.0.6-1 + - bird2 2.0.6-1 (bug #940522) NOTE: https://gitlab.labs.nic.cz/labs/bird/commit/1657c41c96b3c07d9265b07dd4912033ead4124b (1.6.x) NOTE: https://gitlab.labs.nic.cz/labs/bird/commit/8388f5a7e14108a1458fea35bfbb5a453e2c563c (2.0.x) CVE-2019-16158 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/abfcce360742445cf08b23f83eb278c6b60a088d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/abfcce360742445cf08b23f83eb278c6b60a088d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
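Review bot: `- bird2 2.0.6-1 (bug #940522)` gives bird2 a fixed unstable version and a bug, but unlike the bird lines above it there is no [buster] (or [stretch]) status for bird2; the NOTE citing the 2.0.x upstream commit 8388f5a7 implies the 2.0 series is affected, so if bird2 ships in a stable suite that suite needs its own line (fixed version, no-dsa, or the "Vulnerable code introduced later" annotation that bird carries).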
[Git][security-tracker-team/security-tracker][master] dino-im DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c651cbb8 by Moritz Muehlenhoff at 2019-09-16T19:45:10Z dino-im DSA - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[16 Sep 2019] DSA-4524-1 dino-im - security update + {CVE-2019-16235 CVE-2019-16236 CVE-2019-16237} + [buster] - dino-im 0.0.git20181129-1+deb10u1 [15 Sep 2019] DSA-4523-1 thunderbird - security update {CVE-2019-11739 CVE-2019-11740 CVE-2019-11742 CVE-2019-11743 CVE-2019-11744 CVE-2019-11746 CVE-2019-11752} [stretch] - thunderbird 1:60.9.0-1~deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c651cbb8d810f50c6a266808e76af9bc645ce2d3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c651cbb8d810f50c6a266808e76af9bc645ce2d3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add as well src:bird2 for CVE-2019-16159 tracking
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 34db1f1b by Salvatore Bonaccorso at 2019-09-16T19:43:54Z Add as well src:bird2 for CVE-2019-16159 tracking - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -575,6 +575,7 @@ CVE-2019-16159 (BIRD Internet Routing Daemon 1.6.x through 1.6.7 and 2.x through - bird 1.6.8-1 (bug #939990) [stretch] - bird (Vulnerable code introduced later) [jessie] - bird (Vulnerable code introduced later) + - bird2 2.0.6-1 NOTE: https://gitlab.labs.nic.cz/labs/bird/commit/1657c41c96b3c07d9265b07dd4912033ead4124b (1.6.x) NOTE: https://gitlab.labs.nic.cz/labs/bird/commit/8388f5a7e14108a1458fea35bfbb5a453e2c563c (2.0.x) CVE-2019-16158 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/34db1f1bd17d97137968c45fe2d1f14dec596a3a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/34db1f1bd17d97137968c45fe2d1f14dec596a3a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
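Review bot: `+ - bird2 2.0.6-1` lands without a bug reference while the bird line just above carries `(bug #939990)`; since the tracker uses the bug to tie the fix to the upload, the cloned bug should be filed and referenced in the same commit. Commit abfcce36 on this page adds `(bug #940522)` afterwards, so the gap is closed, just in two steps.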
[Git][security-tracker-team/security-tracker][master] Remove leftover TODO item
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fde8ebf1 by Salvatore Bonaccorso at 2019-09-16T19:39:26Z Remove leftover TODO item - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21337,7 +21337,6 @@ CVE-2019-9453 (In the Android kernel in F2FS touch driver there is a possible ou - linux 5.2.6-1 [buster] - linux 4.19.67-1 NOTE: https://git.kernel.org/linus/2777e654371dd4207a3a7f4fb5fa39550053a080 - TODO: check CVE-2019-9452 (In the Android kernel in SEC_TS touch driver there is a possible out o ...) TODO: check CVE-2019-9451 (In the Android kernel in the touchscreen driver there is a possible ou ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fde8ebf147acc97d9560b343399effebb1da14fc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fde8ebf147acc97d9560b343399effebb1da14fc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-12175/bro (and respective fixed version)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b234a1a9 by Salvatore Bonaccorso at 2019-09-16T19:37:39Z Add CVE-2019-12175/bro (and respective fixed version) The CVEs for Zeek Network Security Monitor might need careful investigation in future and montitor for a src:zeek package. For now at time of wrinting the commit message, in Debian the respective source package is still named src:bro. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12865,7 +12865,7 @@ CVE-2019-12177 (Privilege escalation due to insecure directory permissions affec CVE-2019-12176 (Privilege escalation in the "HTC Account Service" and "ViveportDesktop ...) NOT-FOR-US: HTC VIVEPORT CVE-2019-12175 (In Zeek Network Security Monitor (formerly known as Bro) before 2.6.2, ...) - TODO: check + - bro 2.6.4+ds1-1 CVE-2019-12174 (hide.me before 2.4.4 on macOS suffers from a privilege escalation vuln ...) NOT-FOR-US: hide.me CVE-2019-12173 (MacDown 0.7.1 (870) allows remote code execution via a file:\\\ URI, w ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b234a1a9541843dcd21beb7c9957352b5c0ab73a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b234a1a9541843dcd21beb7c9957352b5c0ab73a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
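Review bot: `- bro 2.6.4+ds1-1` sets the unstable fix, but the concern raised in the commit message, that upstream is now Zeek and a src:zeek package may appear, is not recorded in the entry itself; a `NOTE: Debian source package still named src:bro, watch for src:zeek` line would carry that forward to whoever next touches CVE-2019-12175. No [buster]/[stretch] status is given either; with the description's "before 2.6.2" threshold, the stable versions need a decision (fixed version, no-dsa, or not-affected) recorded on the entry.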
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-1336{3,4}/piwigo
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8744012b by Salvatore Bonaccorso at 2019-09-16T19:37:11Z Add CVE-2019-1336{3,4}/piwigo - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9614,9 +9614,9 @@ CVE-2019-13366 CVE-2019-13365 RESERVED CVE-2019-13364 (admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat ...) - TODO: check + - piwigo CVE-2019-13363 (admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nb ...) - TODO: check + - piwigo CVE-2019-13362 (Codedoc v3.2 has a stack-based buffer overflow in add_variable in code ...) NOT-FOR-US: Codedoc CVE-2019-13361 (Smanos W100 1.0.0 devices have Insecure Permissions, exploitable by an ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8744012b3136edba1cf3378b48448ee5080f8e22 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8744012b3136edba1cf3378b48448ee5080f8e22 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
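Review bot: both piwigo entries get a bare `- piwigo` (unfixed, no version) with no `(bug #...)` and no NOTE pointing at the upstream fix for the two admin.php XSS issues; without a bug there is nothing driving the entries towards a fixed version. File the bug (one report can cover both CVEs) and reference it on both lines.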
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5cba99b4 by Salvatore Bonaccorso at 2019-09-16T19:36:39Z Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9228,13 +9228,13 @@ CVE-2019-13522 (An attacker could use a specially crafted project file to corrup CVE-2019-13521 RESERVED CVE-2019-13520 (Multiple buffer overflow issues have been identified in Alpha5 Smart L ...) - TODO: check + NOT-FOR-US: Fuji Electric CVE-2019-13519 RESERVED CVE-2019-13518 (An attacker could use a specially crafted project file to overflow the ...) - TODO: check + NOT-FOR-US: EZAutomation CVE-2019-13517 (In Pyxis ES Versions 1.3.4 through to 1.6.1 and Pyxis Enterprise Serve ...) - TODO: check + NOT-FOR-US: Pyxis CVE-2019-13516 (In OSIsoft PI Web API and prior, the affected product is vulnerable to ...) NOT-FOR-US: OSIsoft LLC CVE-2019-13515 (OSIsoft PI Web API 2018 and prior may allow disclosure of sensitive in ...) @@ -10195,7 +10195,7 @@ CVE-2019-13158 CVE-2019-13157 RESERVED CVE-2019-13156 (NDrive(1.2.2).sys in Naver Cloud Explorer has a stack-based buffer ove ...) - TODO: check + NOT-FOR-US: Naver Cloud Explorer CVE-2019-13155 (An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11 ...) NOT-FOR-US: TRENDnet TEW-827DRU firmware CVE-2019-13154 (An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11 ...) @@ -10831,9 +10831,9 @@ CVE-2019-12945 CVE-2019-12944 RESERVED CVE-2019-12943 (TTLock devices do not properly restrict password-reset attempts, leadi ...) - TODO: check + NOT-FOR-US: TTLock devices CVE-2019-12942 (TTLock devices do not properly block guest access in certain situation ...) - TODO: check + NOT-FOR-US: TTLock devices CVE-2019-12941 RESERVED CVE-2019-12940 (LiveZilla Server before 8.0.1.1 is vulnerable to Denial Of Service (me ...) 
@@ -11175,7 +11175,7 @@ CVE-2019-12812 CVE-2019-12811 RESERVED CVE-2019-12810 (A memory corruption vulnerability exists in the .PSD parsing functiona ...) - TODO: check + NOT-FOR-US: ALSee CVE-2019-12809 (Yes24ViewerX ActiveX Control 1.0.327.50126 and earlier versions contai ...) NOT-FOR-US: Yes24ViewerX ActiveX Control CVE-2019-12808 (ALTOOLS update service 18.1 and earlier versions contains a local priv ...) @@ -11831,7 +11831,7 @@ CVE-2019-12534 CVE-2019-12533 RESERVED CVE-2019-12532 (Improper access control in the Insyde software tools may allow an auth ...) - TODO: check + NOT-FOR-US: Insyde software tools CVE-2019-12531 RESERVED CVE-2019-12530 (Incorrect access control was discovered in the stdonato Dashboard plug ...) @@ -13490,9 +13490,9 @@ CVE-2019-11901 CVE-2019-11900 RESERVED CVE-2019-11899 (An unauthenticated attacker can achieve unauthorized access to sensiti ...) - TODO: check + NOT-FOR-US: Bosch Access Professional Edition CVE-2019-11898 (Unauthorized APE administration privileges can be achieved by reverse ...) - TODO: check + NOT-FOR-US: Bosch Access Professional Edition CVE-2019-11897 (A Server-Side Request Forgery (SSRF) vulnerability in the backup ...) TODO: check CVE-2019-11896 (A potential incorrect privilege assignment vulnerability exists in the ...) @@ -13791,7 +13791,7 @@ CVE-2019-11771 (AIX builds of Eclipse OpenJ9 before 0.15.0 contain unused RPATHs CVE-2019-11770 (In Eclipse Buildship versions prior to 3.1.1, the build files indicate ...) NOT-FOR-US: Eclipse Buildship CVE-2019-11769 (An issue was discovered in TeamViewer 14.2.2558. Updating the product ...) - TODO: check + NOT-FOR-US: TeamViewer CVE-2019-11768 (An issue was discovered in phpMyAdmin before 4.9.0.1. A vulnerability ...) - phpmyadmin (bug #930048) [jessie] - phpmyadmin (vulnerable code is not present) 
@@ -14439,11 +14439,11 @@ CVE-2019-11605 (An issue was discovered in GitLab Community and Enterprise Editi CVE-2019-11604 (An issue was discovered in Quest KACE Systems Management Appliance bef ...) NOT-FOR-US: Quest KACE Systems Management Appliance CVE-2019-11603 (A HTTP Traversal Attack in earlier versions than ProSyst mBS SDK 8.2.6 ...) - TODO: check + NOT-FOR-US: ProSyst mBS SDK and Bosch IoT Gateway Software CVE-2019-11602 (Leakage of stack traces in remote access to backup restore in ea ...) - TODO: check + NOT-FOR-US: ProSyst mBS SDK and Bosch IoT Gateway Software CVE-2019-11601 (A directory traversal vulnerability in remote access to backup r ...) - TODO: check + NOT-FOR-US: ProSyst mBS SDK and Bosch IoT Gateway Software CVE-2019-11600 (A SQL injection vulnerability in the activities API in OpenProject bef ...)
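Review bot: in the @@ -13490 hunk, CVE-2019-11897 keeps `TODO: check` while its two neighbours CVE-2019-11899 and CVE-2019-11898 are marked `NOT-FOR-US: Bosch Access Professional Edition`; its truncated description (SSRF in the backup ...) sits in the same run of entries, so it is worth confirming whether it belongs to the same advisory batch before leaving it open. The remaining hunks are straightforward TODO-to-NOT-FOR-US conversions and need no change.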
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-9445/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: df669198 by Salvatore Bonaccorso at 2019-09-16T19:09:46Z Add CVE-2019-9445/linux For now mark it as undetermined. The Android bulletin references a full merge of various f2fs changes. This might be a duplicate of an already assigned CVE furthermore for the f2fs driver. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21353,7 +21353,8 @@ CVE-2019-9447 (In the Android kernel in the FingerTipS touchscreen driver there CVE-2019-9446 (In the Android kernel in the FingerTipS touchscreen driver there is a ...) NOT-FOR-US: Android kernel CVE-2019-9445 (In the Android kernel in F2FS driver there is a possible out of bounds ...) - TODO: check + - linux + TODO: check, not very clear which commit Android security team is referring to CVE-2019-9444 (In the Android kernel in sync debug fs driver there is a kernel pointe ...) TODO: check CVE-2019-9443 (In the Android kernel in the vl53L0 driver there is a possible out of ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/df669198cec07e6d09850f8120b95eb31ecb032c
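Review bot: the commit message says the issue is marked undetermined, but the hunk adds a bare `+ - linux` line, which the tracker treats as open in every suite rather than as undetermined. If undetermined is the intended state, `- linux <undetermined>` expresses it, with the following `TODO: check, not very clear which commit ...` line kept as the pointer for follow-up.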
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-9454/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ef7babd2 by Salvatore Bonaccorso at 2019-09-16T19:04:42Z Add CVE-2019-9454/linux This is most likely a duplicate of CVE-2017-18551 unless Android security team wanted to cover another angle of the issue. Asked for clarification to the Android security team. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21328,7 +21328,11 @@ CVE-2019-9455 (In the Android kernel in the video driver there is a kernel point [stretch] - linux 4.9.168-1 NOTE: https://git.kernel.org/linus/5e99456c20f712dcc13d9f6ca4278937d5367355 CVE-2019-9454 (In the Android kernel in i2c driver there is a possible out of bounds ...) - TODO: check + - linux 4.14.17-1 + [stretch] - linux 4.9.168-1 + [jessie] - linux 3.16.56-1 + NOTE: https://git.kernel.org/linus/89c6efa61f5709327ecfa24bff18e57a4e80c7fa + NOTE: Commit wise a duplicate of CVE-2017-18551 CVE-2019-9453 (In the Android kernel in F2FS touch driver there is a possible out of ...) - linux 5.2.6-1 [buster] - linux 4.19.67-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ef7babd22517e576ba645a4bcd3da34b9990df53
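Review bot: the pending clarification request to the Android security team is recorded only in the commit message; a `TODO:` or `NOTE:` line in the entry would keep that follow-up visible in the tracker. For consistency with the CVE-2019-9457 entry (`NOTE: From commit point of view this is a duplicate of CVE-2018-14634`), the new `NOTE: Commit wise a duplicate of CVE-2017-18551` could also use the same phrasing.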
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-9456/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 10a9d80d by Salvatore Bonaccorso at 2019-09-16T18:58:22Z Add CVE-2019-9456/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21319,7 +21319,10 @@ CVE-2019-9457 (In the Android kernel in ELF file loading there is possible memor [jessie] - linux 3.16.59-1 NOTE: From commit point of view this is a duplicate of CVE-2018-14634 CVE-2019-9456 (In the Android kernel in Pixel C USB monitor driver there is a possibl ...) - TODO: check + - linux 4.15.11-1 + [stretch] - linux 4.9.88-1 + [jessie] - linux 3.16.57-1 + NOTE: https://git.kernel.org/linus/a5f596830e27e15f7a0ecd6be55e433d776986d8 CVE-2019-9455 (In the Android kernel in the video driver there is a kernel pointer le ...) - linux 4.19.37-1 [stretch] - linux 4.9.168-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/10a9d80d9c234c86abc47d66c215ce7dd0d71574
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-9457/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e56003e2 by Salvatore Bonaccorso at 2019-09-16T18:51:48Z Add CVE-2019-9457/linux This is likely a duplicate of CVE-2018-14634 but maybe Android security team wanted to cover another angle. Asked for confirmation to the Android security team about the CVE. In any case the commit is included in the mentioned versions in Debian branches. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21314,7 +21314,10 @@ CVE-2019-9458 (In the Android kernel in the video driver there is a use after fr [jessie] - linux 3.16.64-1 NOTE: https://git.kernel.org/linus/ad608fbcf166fec809e402d548761768f602702c CVE-2019-9457 (In the Android kernel in ELF file loading there is possible memory cor ...) - TODO: check + - linux 4.12.6-1 + [stretch] - linux 4.9.47-1 + [jessie] - linux 3.16.59-1 + NOTE: From commit point of view this is a duplicate of CVE-2018-14634 CVE-2019-9456 (In the Android kernel in Pixel C USB monitor driver there is a possibl ...) TODO: check CVE-2019-9455 (In the Android kernel in the video driver there is a kernel pointer le ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e56003e26c708fe09faab1152e439bb90f93f327
[Git][security-tracker-team/security-tracker][master] CVE-2019-2180/jessie: fixed prior CVE assignment
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 2d4ee2d3 by Sylvain Beucler at 2019-09-16T16:39:37Z CVE-2019-2180/jessie: fixed prior CVE assignment - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -88,7 +88,7 @@ {CVE-2019-1010247} [jessie] - libapache2-mod-auth-openidc 1.6.0-1+deb8u1 [22 Aug 2019] DLA-1893-1 cups - security update - {CVE-2019-8675 CVE-2019-8696} + {CVE-2019-8675 CVE-2019-8696 CVE-2019-2180} [jessie] - cups 1.7.5-11+deb8u5 [21 Aug 2019] DLA-1886-2 openjdk-7 - regression update [jessie] - openjdk-7 7u231-2.6.19-1~deb8u2 = data/dla-needed.txt = @@ -24,8 +24,6 @@ clamav (Jonas Meurer) NOTE: 20190822: upstream has released 0.101.4, wait for stretch update (see bug NOTE: report) (hle) -- -cups (Sylvain Beucler) --- freeimage NOTE: Maintainer will take care of the update. NOTE: https://lists.debian.org/debian-lts/2019/05/msg00079.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2d4ee2d3b6ca5ed59164b04e59fcbf34b294a47c
[Git][security-tracker-team/security-tracker][master] dla: claim cups
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 586da80b by Sylvain Beucler at 2019-09-16T16:22:34Z dla: claim cups - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -24,6 +24,8 @@ clamav (Jonas Meurer) NOTE: 20190822: upstream has released 0.101.4, wait for stretch update (see bug NOTE: report) (hle) -- +cups (Sylvain Beucler) +-- freeimage NOTE: Maintainer will take care of the update. NOTE: https://lists.debian.org/debian-lts/2019/05/msg00079.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/586da80be58b9079dd60d6f6d8c26dc15a4cdd3e
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-9458/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4a18915c by Salvatore Bonaccorso at 2019-09-16T16:10:04Z Add CVE-2019-9458/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21309,7 +21309,10 @@ CVE-2019-9460 CVE-2019-9459 RESERVED CVE-2019-9458 (In the Android kernel in the video driver there is a use after free du ...) - TODO: check + - linux 4.18.20-1 + [stretch] - linux 4.9.135-1 + [jessie] - linux 3.16.64-1 + NOTE: https://git.kernel.org/linus/ad608fbcf166fec809e402d548761768f602702c CVE-2019-9457 (In the Android kernel in ELF file loading there is possible memory cor ...) TODO: check CVE-2019-9456 (In the Android kernel in Pixel C USB monitor driver there is a possibl ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4a18915c44be04209b666040b928b5ea88e37d26
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-9245/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 842ca6c5 by Salvatore Bonaccorso at 2019-09-16T16:02:57Z Add CVE-2019-9245/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21740,7 +21740,8 @@ CVE-2019-9247 CVE-2019-9246 RESERVED CVE-2019-9245 (In the Android kernel in the f2fs driver there is a possible out of bo ...) - TODO: check + - linux 4.19.16-1 + NOTE: https://git.kernel.org/linus/64beba0558fce7b59e9a8a7afd77290e82a22163 CVE-2019-9244 RESERVED CVE-2019-9243 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/842ca6c59761971b55e14b819ac58850843046bd
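Review bot: the entry records only the unstable fix `+ - linux 4.19.16-1`; with no [stretch] or [jessie] annotation, the 4.9 and 3.16 kernels will show as vulnerable by version comparison. Worth checking whether 64beba05 was backported to those branches or whether the affected f2fs code is absent there, and adding a fixed version or a `(Vulnerable code not present)` annotation accordingly, as the neighbouring linux entries on this list do.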
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-9453/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b9fbbfe2 by Salvatore Bonaccorso at 2019-09-16T15:54:31Z Add CVE-2019-9453/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21321,6 +21321,9 @@ CVE-2019-9455 (In the Android kernel in the video driver there is a kernel point CVE-2019-9454 (In the Android kernel in i2c driver there is a possible out of bounds ...) TODO: check CVE-2019-9453 (In the Android kernel in F2FS touch driver there is a possible out of ...) + - linux 5.2.6-1 + [buster] - linux 4.19.67-1 + NOTE: https://git.kernel.org/linus/2777e654371dd4207a3a7f4fb5fa39550053a080 TODO: check CVE-2019-9452 (In the Android kernel in SEC_TS touch driver there is a possible out o ...) TODO: check View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b9fbbfe2b58a667167cb95890c6f7da959d6b913
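Review bot: the `TODO: check` context line directly below the new `NOTE:` is left in place, so the entry now carries fixed versions and an open TODO at the same time. Drop it if triage is complete, or replace it with what still needs checking (the [stretch] 4.9 status, for instance, since only unstable and buster are annotated).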
[Git][security-tracker-team/security-tracker][master] Track CVE-2019-915{3,4,5} with node-openpgp RFP/ITP
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 86c6d750 by Salvatore Bonaccorso at 2019-09-16T15:49:39Z Track CVE-2019-915{3,4,5} with node-openpgp RFP/ITP - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22039,11 +22039,11 @@ CVE-2019-9162 (In the Linux kernel before 4.20.12, net/ipv4/netfilter/nf_nat_snm NOTE: Fixed by: https://git.kernel.org/linus/c4c07b4d6fa1f11880eab8e076d3d060ef3f55fc NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1776 CVE-2019-9155 (A cryptographic issue in OpenPGP.js =4.2.0 allows an attacker who ...) - NOT-FOR-US: OpenPGP.js (not used by Enigmail in Debian) + - node-openpgp (bug #787774) CVE-2019-9154 (Improper Verification of a Cryptographic Signature in OpenPGP.js = ...) - NOT-FOR-US: OpenPGP.js (not used by Enigmail in Debian) + - node-openpgp (bug #787774) CVE-2019-9153 (Improper Verification of a Cryptographic Signature in OpenPGP.js = ...) - NOT-FOR-US: OpenPGP.js (not used by Enigmail in Debian) + - node-openpgp (bug #787774) CVE-2019-9152 (An issue was discovered in the HDF HDF5 1.10.4 library. There is an ou ...) - hdf5 [buster] - hdf5 (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/86c6d7500772e581e43565ea5d0b916af1c1d9fd
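Review bot: the three `+ - node-openpgp (bug #787774)` lines reference an RFP/ITP bug for a package that is not in the archive, as the commit title says; the tracker convention for that case is `- node-openpgp <itp> (bug #787774)`, which keeps the issues attached to the pending package without producing an open-vulnerability entry for a source package that does not exist yet.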
[Git][security-tracker-team/security-tracker][master] Correct tracking of source package in CVE-2015-8013
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 024ea980 by Salvatore Bonaccorso at 2019-09-16T15:48:29Z Correct tracking of source package in CVE-2015-8013 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -185143,7 +185143,7 @@ CVE-2015-7872 (The key_gc_unused_keys function in security/keys/gc.c in the Linu NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f05819df10d7b09f6d1eb6f8534a8f68e5a4fe61 (v4.3-rc7) NOTE: http://www.openwall.com/lists/oss-security/2015/10/20/5 CVE-2015-8013 (s2k.js in OpenPGP.js will decrypt arbitrary messages regardless of pas ...) - - libjs-openpgp (bug #787774) + - node-openpgp (bug #787774) NOTE: http://www.openwall.com/lists/oss-security/2015/10/13/7 CVE-2015-7840 (The command line management console (CMC) in SolarWinds Log and Event ...) NOT-FOR-US: SolarWinds View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/024ea9809c2fe713f5af95de9d64b600c8d7f620
[Git][security-tracker-team/security-tracker][master] 2 commits: Remove trailing whitespaces
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 80206c5c by Salvatore Bonaccorso at 2019-09-16T15:46:30Z Remove trailing whitespaces - - - - - cae659af by Salvatore Bonaccorso at 2019-09-16T15:46:30Z Reference upstream commit for CVE-2019-2181 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12284,11 +12284,11 @@ CVE-2019-12387 (In Twisted before 19.2.1, twisted.web did not validate or saniti NOTE: https://github.com/twisted/twisted/commit/6c61fc4503ae39ab8ecee52d10f10ee2c371d7e2 CVE-2019-12386 (An issue was discovered in Ampache through 3.9.1. A stored XSS exists ...) - ampache -NOTE: https://github.com/ampache/ampache/issues/1872 +NOTE: https://github.com/ampache/ampache/issues/1872 NOTE: according to the github issue, it is not really fixed yet CVE-2019-12385 (An issue was discovered in Ampache through 3.9.1. The search engine is ...) - ampache -NOTE: https://github.com/ampache/ampache/issues/1872 +NOTE: https://github.com/ampache/ampache/issues/1872 NOTE: according to the github issue, it is not really fixed yet CVE-2019-12384 (FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to ...) {DLA-1831-1} @@ -30085,7 +30085,7 @@ CVE-2019-5995 (Missing authorization vulnerability exists in EOS series digital CVE-2019-5994 (Buffer overflow in PTP (Picture Transfer Protocol) of EOS series digit ...) NOT-FOR-US: Canon CVE-2019-5993 (Cross-site request forgery (CSRF) vulnerability in Category Specific R ...) - NOT-FOR-US: Category Specific RSS feed Subscription + NOT-FOR-US: Category Specific RSS feed Subscription CVE-2019-5992 (Cross-site request forgery (CSRF) vulnerability in WordPress Ultra Sim ...) NOT-FOR-US: WordPress Ultra Simple Paypal Shopping Cart CVE-2019-5991 (SQL injection vulnerability in the Cybozu Garoon 4.0.0 to 4.10.3 allow ...) 
@@ -40779,11 +40779,12 @@ CVE-2019-2182 (In the Android kernel in the kernel MMU code there is a possible NOTE: Fixed by: https://git.kernel.org/linus/15122ee2c515a253b0c66a3e618bc7ebe35105eb CVE-2019-2181 (In binder_transaction of binder.c in the Android kernel, there is a po ...) - linux 5.2.6-1 + NOTE: Fixed by: https://git.kernel.org/linus/0b0509508beff65c1d50541861bc0d4973487dc5 CVE-2019-2180 (In ippSetValueTag of ipp.c in Android 8.0, 8.1 and 9, there is a possi ...) - cups 2.2.12-1 (bug #934957) [buster] - cups 2.2.10-6+deb10u1 [stretch] - cups 2.2.1-8+deb9u4 - NOTE: Covers the "Fixed IPP buffer overflow (rdar://50035411)" angle of + NOTE: Covers the "Fixed IPP buffer overflow (rdar://50035411)" angle of NOTE: https://github.com/apple/cups/commit/f24e6cf6a39300ad0c3726a41a4aab51ad54c109 CVE-2019-2179 (In NDEF_MsgValidate of ndef_utils in Android 7.1.1, 7.1.2, 8.0, 8.1 an ...) NOT-FOR-US: Android View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/39e3a038c8ae8bd13f9ff36b3e9be01e492c548a...cae659af6f60b90a721c0f4d00be97ac1519a0f9
[Git][security-tracker-team/security-tracker][master] add earlier bird fix
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 39e3a038 by Moritz Muehlenhoff at 2019-09-16T15:44:23Z add earlier bird fix - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -572,7 +572,7 @@ CVE-2019-16161 (Onigmo through 6.2.0 has a NULL pointer dereference in onig_erro CVE-2019-16160 RESERVED CVE-2019-16159 (BIRD Internet Routing Daemon 1.6.x through 1.6.7 and 2.x through 2.0.5 ...) - - bird 2.0.6-1 (bug #939990) + - bird 1.6.8-1 (bug #939990) [stretch] - bird (Vulnerable code introduced later) [jessie] - bird (Vulnerable code introduced later) NOTE: https://gitlab.labs.nic.cz/labs/bird/commit/1657c41c96b3c07d9265b07dd4912033ead4124b (1.6.x) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/39e3a038c8ae8bd13f9ff36b3e9be01e492c548a
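Review bot: the hunk replaces `- bird 2.0.6-1 (bug #939990)` with `- bird 1.6.8-1 (bug #939990)` rather than recording both; the CVE description covers both the 1.6.x and 2.x branches and the existing NOTE is tagged `(1.6.x)`, so it is worth confirming that the 2.x branch is not shipped from this source package and, if it is tracked separately, adding a line for that package as well.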
[Git][security-tracker-team/security-tracker][master] bird fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8b27309e by Moritz Muehlenhoff at 2019-09-16T15:42:17Z bird fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -572,7 +572,7 @@ CVE-2019-16161 (Onigmo through 6.2.0 has a NULL pointer dereference in onig_erro CVE-2019-16160 RESERVED CVE-2019-16159 (BIRD Internet Routing Daemon 1.6.x through 1.6.7 and 2.x through 2.0.5 ...) - - bird (bug #939990) + - bird 2.0.6-1 (bug #939990) [stretch] - bird (Vulnerable code introduced later) [jessie] - bird (Vulnerable code introduced later) NOTE: https://gitlab.labs.nic.cz/labs/bird/commit/1657c41c96b3c07d9265b07dd4912033ead4124b (1.6.x) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8b27309ecf37c0ee64b23eb1468ade2639e0f82e
[Git][security-tracker-team/security-tracker][master] new linux issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9ee93f0a by Moritz Muehlenhoff at 2019-09-16T15:36:18Z new linux issue cups CVE assigned NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16393,9 +16393,9 @@ CVE-2019-10894 (In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the GSS CVE-2019-10893 (CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.793 (Free/Open So ...) NOT-FOR-US: CentOS-WebPanel.com CVE-2019-10892 (hnap_main in /htdocs/cgibin on D-link DIR-806 v1.0 devices has a stack ...) - TODO: check + NOT-FOR-US: D-Link CVE-2019-10891 (D-Link DIR-806 devices allow remote attackers to execute arbitrary she ...) - TODO: check + NOT-FOR-US: D-Link CVE-2019-10890 RESERVED CVE-2019-10889 @@ -16710,7 +16710,7 @@ CVE-2019-10751 (All versions of the HTTPie package prior to version 1.0.3 are vu NOTE: https://snyk.io/vuln/SNYK-PYTHON-HTTPIE-460107 NOTE: https://github.com/jakubroztocil/httpie/commit/df36d6255df5793129b02ac82f1010171bd8a0a8 CVE-2019-10750 (deeply is vulnerable to Prototype Pollution in versions before 3.1.0. ...) - TODO: check + NOT-FOR-US: deeply CVE-2019-10749 RESERVED CVE-2019-10748 @@ -16792,7 +16792,7 @@ CVE-2019-10726 CVE-2019-10725 RESERVED CVE-2019-10724 (There is a vulnerability with the Dolby DAX2 API system services in wh ...) - TODO: check + NOT-FOR-US: Dolby CVE-2019-10723 (An issue was discovered in PoDoFo 0.9.6. The PdfPagesTreeCache class i ...) - libpodofo (low; bug #926667) [buster] - libpodofo (Minor issue) 
@@ -16934,7 +16934,7 @@ CVE-2019-10711 (Incorrect access control in the RTSP stream and web portal on al CVE-2019-10710 (Insecure permissions in the Web management portal on all IP cameras ba ...) NOT-FOR-US: IP cameras based on Hisilicon Hi3510 firmware CVE-2019-10709 (AsusPTPFilter.sys on Asus Precision TouchPad 11.0.0.25 hardware has a ...) - TODO: check + NOT-FOR-US: Asus CVE-2019-10708 (S-CMS PHP v1.0 has SQL injection via the 4/js/scms.php?action=unlike i ...) NOT-FOR-US: S-CMS PHP CVE-2019-10707 (MKCMS V5.0 has SQL injection via the bplay.php play parameter. ...) @@ -21331,11 +21331,11 @@ CVE-2019-9450 (In the Android kernel in the FingerTipS touchscreen driver there CVE-2019-9449 (In the Android kernel in FingerTipS touchscreen driver there is a poss ...) TODO: check CVE-2019-9448 (In the Android kernel in the FingerTipS touchscreen driver there is a ...) - TODO: check + NOT-FOR-US: Android kernel CVE-2019-9447 (In the Android kernel in the FingerTipS touchscreen driver there is a ...) - TODO: check + NOT-FOR-US: Android kernel CVE-2019-9446 (In the Android kernel in the FingerTipS touchscreen driver there is a ...) - TODO: check + NOT-FOR-US: Android kernel CVE-2019-9445 (In the Android kernel in F2FS driver there is a possible out of bounds ...) TODO: check CVE-2019-9444 (In the Android kernel in sync debug fs driver there is a kernel pointe ...) @@ -21355,7 +21355,7 @@ CVE-2019-9438 CVE-2019-9437 RESERVED CVE-2019-9436 (In the Android kernel in the bootloader there is a possible secure boo ...) - TODO: check + NOT-FOR-US: LG components for Android CVE-2019-9435 RESERVED CVE-2019-9434 @@ -21375,7 +21375,7 @@ CVE-2019-9428 CVE-2019-9427 RESERVED CVE-2019-9426 (In the Android kernel in Bluetooth there is a possible out of bounds w ...) - TODO: check + NOT-FOR-US: Broadcom components for Android CVE-2019-9425 RESERVED CVE-2019-9424 
@@ -22039,11 +22039,11 @@ CVE-2019-9162 (In the Linux kernel before 4.20.12, net/ipv4/netfilter/nf_nat_snm NOTE: Fixed by: https://git.kernel.org/linus/c4c07b4d6fa1f11880eab8e076d3d060ef3f55fc NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1776 CVE-2019-9155 (A cryptographic issue in OpenPGP.js =4.2.0 allows an attacker who ...) - TODO: check + NOT-FOR-US: OpenPGP.js (not used by Enigmail in Debian) CVE-2019-9154 (Improper Verification of a Cryptographic Signature in OpenPGP.js = ...) - TODO: check + NOT-FOR-US: OpenPGP.js (not used by Enigmail in Debian) CVE-2019-9153 (Improper Verification of a Cryptographic Signature in OpenPGP.js = ...) - TODO: check + NOT-FOR-US: OpenPGP.js (not used by Enigmail in Debian) CVE-2019-9152 (An issue was discovered in the HDF HDF5 1.10.4 library. There is an ou ...) - hdf5 [buster] - hdf5 (Minor issue) @@ -23969,11 +23969,11 @@ CVE-2019-8453 (Some of the DLLs loaded by Check Point ZoneAlarm up to 15.4.062 a CVE-2019-8452 (A hard-link created from log file archive of Check Point ZoneAlarm up ...) NOT-FOR-US: Check Point ZoneAlarm
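Review bot: the @@ -22039 hunk marks CVE-2019-9155, CVE-2019-9154 and CVE-2019-9153 as `NOT-FOR-US: OpenPGP.js (not used by Enigmail in Debian)`; Enigmail not using the library does not by itself mean Debian has no interest in it, and bug #787774, referenced elsewhere on this list for CVE-2015-8013, is a pending RFP/ITP for node-openpgp. The tracker's `<itp>` state is the usual way to keep such issues attached to a package that is not yet in the archive instead of dropping them as NOT-FOR-US.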
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-9455/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 649fe011 by Salvatore Bonaccorso at 2019-09-16T15:26:32Z Add CVE-2019-9455/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21315,7 +21315,9 @@ CVE-2019-9457 (In the Android kernel in ELF file loading there is possible memor CVE-2019-9456 (In the Android kernel in Pixel C USB monitor driver there is a possibl ...) TODO: check CVE-2019-9455 (In the Android kernel in the video driver there is a kernel pointer le ...) - TODO: check + - linux 4.19.37-1 + [stretch] - linux 4.9.168-1 + NOTE: https://git.kernel.org/linus/5e99456c20f712dcc13d9f6ca4278937d5367355 CVE-2019-9454 (In the Android kernel in i2c driver there is a possible out of bounds ...) TODO: check CVE-2019-9453 (In the Android kernel in F2FS touch driver there is a possible out of ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/649fe011af46374169f1bf4db51527d524fc93e8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/649fe011af46374169f1bf4db51527d524fc93e8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
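Review bot: the entry records a fix for unstable (4.19.37-1) and stretch (4.9.168-1) but no `[jessie]` line, so the jessie kernel (3.16 series) stays undetermined; add either a fixed version or a `(Vulnerable code introduced later)` tag, as CVE-2019-15031 does elsewhere on this page. The NOTE carries only the upstream commit hash; putting the commit subject line next to the URL would let a reader map the Android "video driver" wording to the actual upstream driver without opening the link.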
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-2182/linux information according to kernel-sec
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d43c4361 by Salvatore Bonaccorso at 2019-09-16T15:18:54Z Add CVE-2019-2182/linux information according to kernel-sec - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -40768,7 +40768,8 @@ CVE-2019-2184 CVE-2019-2183 RESERVED CVE-2019-2182 (In the Android kernel in the kernel MMU code there is a possible execu ...) - TODO: check + - linux 4.16.5-1 + NOTE: Fixed by: https://git.kernel.org/linus/15122ee2c515a253b0c66a3e618bc7ebe35105eb CVE-2019-2181 (In binder_transaction of binder.c in the Android kernel, there is a po ...) TODO: check CVE-2019-2180 (In ippSetValueTag of ipp.c in Android 8.0, 8.1 and 9, there is a possi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d43c4361d35a8365da28cf568029eb3f4a21db59 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d43c4361d35a8365da28cf568029eb3f4a21db59 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
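Review bot: only the unstable fixed version (linux 4.16.5-1) is recorded; buster's 4.19 kernel is therefore covered, but stretch (4.9) and jessie (3.16) get no status line, so the tracker will show them as affected until someone adds either a backport version or a `(Vulnerable code introduced later)` tag. Consider also carrying the upstream commit subject in the `Fixed by:` NOTE, since "kernel MMU code" in the description identifies neither the architecture nor the file.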
[Git][security-tracker-team/security-tracker][master] add note for ampache issues
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: de89d35b by Thorsten Alteholz at 2019-09-16T14:14:59Z add note for ampache issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12284,8 +12284,12 @@ CVE-2019-12387 (In Twisted before 19.2.1, twisted.web did not validate or saniti NOTE: https://github.com/twisted/twisted/commit/6c61fc4503ae39ab8ecee52d10f10ee2c371d7e2 CVE-2019-12386 (An issue was discovered in Ampache through 3.9.1. A stored XSS exists ...) - ampache +NOTE: https://github.com/ampache/ampache/issues/1872 +NOTE: according to the github issue, it is not really fixed yet CVE-2019-12385 (An issue was discovered in Ampache through 3.9.1. The search engine is ...) - ampache +NOTE: https://github.com/ampache/ampache/issues/1872 +NOTE: according to the github issue, it is not really fixed yet CVE-2019-12384 (FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to ...) {DLA-1831-1} - jackson-databind 2.9.8-3 (bug #930750) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/de89d35b3fe98f50b70476e17ef127a20b0a9987 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/de89d35b3fe98f50b70476e17ef127a20b0a9987 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
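Review bot: the two added NOTE lines appear as `+NOTE:` rather than the `+ NOTE:` form every other NOTE on this page uses (compare the linux and jackson-databind entries); if the leading whitespace is really missing, the tracker's parser is likely to read them as new records rather than as annotations of the ampache entry, so check the indentation before the next syntax-check run. The text "it is not really fixed yet" would also be more useful with the upstream version that claimed the fix and what the issue says is still open, so the next triager does not have to re-read the whole thread.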
[Git][security-tracker-team/security-tracker][master] 2 commits: follow security team and mark adplug CVEs as no-dsa
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: eefebce9 by Thorsten Alteholz at 2019-09-16T14:04:28Z follow security team and mark adplug CVEs as no-dsa - - - - - b905e78c by Thorsten Alteholz at 2019-09-16T14:04:49Z only no-dsa issues for adplug - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -3296,6 +3296,7 @@ CVE-2019-15151 (AdPlug 2.3.1 has a double free in the Cu6mPlayer class in u6m.h. - adplug [buster] - adplug (Minor issue) [stretch] - adplug (Minor issue) + [jessie] - adplug (Minor issue) NOTE: https://github.com/adplug/adplug/issues/91 CVE-2019-15150 (In the OAuth2 Client extension before 0.4 for MediaWiki, a CSRF vulner ...) NOT-FOR-US: OAuth2 Client MediaWiki extension @@ -4651,16 +4652,19 @@ CVE-2019-14734 (AdPlug 2.3.1 has multiple heap-based buffer overflows in CmtkLoa - adplug [buster] - adplug (Minor issue) [stretch] - adplug (Minor issue) + [jessie] - adplug (Minor issue) NOTE: https://github.com/adplug/adplug/issues/90 CVE-2019-14733 (AdPlug 2.3.1 has multiple heap-based buffer overflows in CradLoader::l ...) - adplug [buster] - adplug (Minor issue) [stretch] - adplug (Minor issue) + [jessie] - adplug (Minor issue) NOTE: https://github.com/adplug/adplug/issues/89 CVE-2019-14732 (AdPlug 2.3.1 has multiple heap-based buffer overflows in Ca2mLoader::l ...) - adplug [buster] - adplug (Minor issue) [stretch] - adplug (Minor issue) + [jessie] - adplug (Minor issue) NOTE: https://github.com/adplug/adplug/issues/88 CVE-2019-14731 (An issue was discovered in ZenTao 11.5.1. There is an XSS (stored) vul ...) NOT-FOR-US: ZenTao CMS 
@@ -4742,16 +4746,19 @@ CVE-2019-14692 (AdPlug 2.3.1 has a heap-based buffer overflow in CmkjPlayer::loa - adplug [buster] - adplug (Minor issue) [stretch] - adplug (Minor issue) + [jessie] - adplug (Minor issue) NOTE: https://github.com/adplug/adplug/issues/87 CVE-2019-14691 (AdPlug 2.3.1 has a heap-based buffer overflow in CdtmLoader::load() in ...) - adplug [buster] - adplug (Minor issue) [stretch] - adplug (Minor issue) + [jessie] - adplug (Minor issue) NOTE: https://github.com/adplug/adplug/issues/86 CVE-2019-14690 (AdPlug 2.3.1 has a heap-based buffer overflow in CxadbmfPlayer::__bmf_ ...) - adplug [buster] - adplug (Minor issue) [stretch] - adplug (Minor issue) + [jessie] - adplug (Minor issue) NOTE: https://github.com/adplug/adplug/issues/85 CVE-2019-14697 (musl libc through 1.1.23 has an x87 floating-point stack adjustment im ...) - musl 1.1.23-2 = data/dla-needed.txt = @@ -9,8 +9,6 @@ To pick an issue, simply add your name behind it. To learn more about how this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues --- -adplug -- ampache NOTE: package only in Jessie View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/7c276f89617ee6cd7e2a37478720be5f255e1810...b905e78c24b34b14b2559ac274347f1df3a33a9a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/7c276f89617ee6cd7e2a37478720be5f255e1810...b905e78c24b34b14b2559ac274347f1df3a33a9a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
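Review bot: the new `[jessie] - adplug (Minor issue)` lines mirror the existing stretch/buster tags, which is consistent, but for seven heap overflows and a double free in file loaders a short reason why they are minor would save the LTS team re-triaging; the libsixel and linux entries on this page show the more specific tag form. In the dla-needed.txt hunk, removing `adplug` together with its `--` separator is correct; since the first commit touches only CVE/list and the second only dla-needed.txt, the explanation "only no-dsa issues for adplug" belongs with both and could have been one commit.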
[Git][security-tracker-team/security-tracker][master] Add Debian tracking bug for CVE-2019-14540 and CVE-2019-16335
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7c276f89 by Salvatore Bonaccorso at 2019-09-16T13:31:17Z Add Debian tracking bug for CVE-2019-14540 and CVE-2019-16335 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13,7 +13,7 @@ CVE-2019-16337 CVE-2019-16336 RESERVED CVE-2019-16335 (A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...) - - jackson-databind + - jackson-databind (bug #940498) NOTE: https://github.com/FasterXML/jackson-databind/issues/2449 NOTE: https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db CVE-2019-16334 (In Bludit v3.9.2, there is a persistent XSS vulnerability in the Categ ...) @@ -5112,7 +5112,7 @@ CVE-2019-14541 (GnuCOBOL 2.2 has a stack-based buffer overflow in cb_encode_prog [jessie] - open-cobol (Minor issue) NOTE: https://sourceforge.net/p/open-cobol/bugs/584/ CVE-2019-14540 (A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...) - - jackson-databind + - jackson-databind (bug #940498) NOTE: https://github.com/FasterXML/jackson-databind/issues/2410 NOTE: https://github.com/FasterXML/jackson-databind/issues/2449 NOTE: https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7c276f89617ee6cd7e2a37478720be5f255e1810 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7c276f89617ee6cd7e2a37478720be5f255e1810 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
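Review bot: pointing both jackson-databind CVEs at bug #940498 is fine, but neither entry carries `[buster]` or `[stretch]` status lines even though jackson-databind ships in those releases (the CVE-2019-12384 context shows jessie was updated through DLA-1831-1); once severity is assessed, add the per-release lines so the entries do not sit as unfixed and unassessed.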
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Holger Levsen pushed to branch master at Debian Security Tracker / security-tracker Commits: 2e40b454 by Holger Levsen at 2019-09-16T13:16:55Z semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Holger Levsen hol...@layer-acht.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -53,7 +53,7 @@ imapfilter NOTE: 20190910: No patch exists but a possible solution. Note that openssl in NOTE: Jessie is < 1.0.2. (apo) -- -libav (Mike Gabriel) +libav NOTE: 20190831: There are currently 19 CVE issues known for libav in jessie, NOTE: 20190831: 11 tagged as . These issues have been triaged, no patch NOTE: 20190831: has been found, so far. If you pick libav, be prepared to work @@ -67,7 +67,7 @@ libav (Mike Gabriel) -- libcrypto++ -- -libgcrypt20 (Mike Gabriel) +libgcrypt20 -- libmatio (Adrian Bunk) NOTE: fairly high number of open issues. Not sure why we never had a look at them. @@ -97,7 +97,7 @@ linux-4.9 (Ben Hutchings) milkytracker NOTE: 20190830: Several issues open for jessie. -- -nghttp2 (Abhijith PA) +nghttp2 -- openssl -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2e40b4540f30e2d058d1f703c36565246376d9aa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2e40b4540f30e2d058d1f703c36565246376d9aa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
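Review bot: the three unclaims leave the dated NOTEs beneath them untouched, so the next reader sees a libav note from 20190831 describing work in progress with no indication that the claimant has dropped it; add a `NOTE: 20190916: unclaimed after 2 weeks of inactivity` line under each package, in the dated style the file already uses, so the history lives in the file and not only in git. The libav context line "11 tagged as ." is also missing its tag word, which looks like an angle-bracketed tag eaten by mail rendering and is worth checking in the file itself.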
[Git][security-tracker-team/security-tracker][master] Reference commit for CVE-2019-14540
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7ec1de3a by Salvatore Bonaccorso at 2019-09-16T13:14:40Z Reference commit for CVE-2019-14540 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5115,6 +5115,7 @@ CVE-2019-14540 (A Polymorphic Typing issue was discovered in FasterXML jackson-d - jackson-databind NOTE: https://github.com/FasterXML/jackson-databind/issues/2410 NOTE: https://github.com/FasterXML/jackson-databind/issues/2449 + NOTE: https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de CVE-2019-14539 RESERVED CVE-2019-14538 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7ec1de3a60f38b2c0fab19635dd81fddae3eebf1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7ec1de3a60f38b2c0fab19635dd81fddae3eebf1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
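Review bot: the added commit URL sits after two issue links without saying which issue it closes; since CVE-2019-14540 and CVE-2019-16335 both cite issue 2449 but carry different commits (d4983c74 here, 73c1c2cc for 16335), a `NOTE: Fixed by:` prefix, as used in the CVE-2019-2182 and CVE-2019-9162 entries on this page, would make the mapping explicit.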
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-14540/jackson-databind
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b062af15 by Salvatore Bonaccorso at 2019-09-16T13:11:18Z Add CVE-2019-14540/jackson-databind - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5112,7 +5112,9 @@ CVE-2019-14541 (GnuCOBOL 2.2 has a stack-based buffer overflow in cb_encode_prog [jessie] - open-cobol (Minor issue) NOTE: https://sourceforge.net/p/open-cobol/bugs/584/ CVE-2019-14540 (A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...) - TODO: check + - jackson-databind + NOTE: https://github.com/FasterXML/jackson-databind/issues/2410 + NOTE: https://github.com/FasterXML/jackson-databind/issues/2449 CVE-2019-14539 RESERVED CVE-2019-14538 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b062af153671cd643f7de3a9268e5bbd6426d6bd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b062af153671cd643f7de3a9268e5bbd6426d6bd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
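Review bot: the new entry lists `- jackson-databind` with no fixed version, severity or bug number; the issue 2410 link is cited only here while 2449 is cited by both this CVE and CVE-2019-16335, so a one-line NOTE saying which report this CVE was assigned for would make the relationship between the two entries clear without opening GitHub.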
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-16335/jackson-databind
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d021ba38 by Salvatore Bonaccorso at 2019-09-16T13:06:18Z Add CVE-2019-16335/jackson-databind - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13,7 +13,9 @@ CVE-2019-16337 CVE-2019-16336 RESERVED CVE-2019-16335 (A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...) - TODO: check + - jackson-databind + NOTE: https://github.com/FasterXML/jackson-databind/issues/2449 + NOTE: https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db CVE-2019-16334 (In Bludit v3.9.2, there is a persistent XSS vulnerability in the Categ ...) NOT-FOR-US: Bludit CVE-2019-16333 (GetSimple CMS v3.3.15 has Persistent Cross-Site Scripting (XSS) in adm ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d021ba38c5092aba99476c35149feff0a9408b98 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d021ba38c5092aba99476c35149feff0a9408b98 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
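Review bot: same shape as the CVE-2019-14540 entry, package listed without version, severity or bug; because both CVEs reference issue 2449 and this one adds its own fix commit, a NOTE stating how the two CVEs relate (separate reports tracked in one upstream issue, or otherwise) would keep the pair from being confused when the next jackson-databind update is prepared.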
[Git][security-tracker-team/security-tracker][master] Remove no-dsa tagged entries for ansible which got an update in DLA-1923-1
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 21e25131 by Salvatore Bonaccorso at 2019-09-16T12:50:20Z Remove no-dsa tagged entries for ansible which got an update in DLA-1923-1 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18269,7 +18269,6 @@ CVE-2019-10156 (A flaw was discovered in the way Ansible templating was implemen - ansible 2.8.3+dfsg-1 (low; bug #930065) [buster] - ansible (Minor issue) [stretch] - ansible (Minor issue) - [jessie] - ansible (Minor issue, most likely not affected) NOTE: https://github.com/ansible/ansible/pull/57188 CVE-2019-10155 (The Libreswan Project has found a vulnerability in the processing of I ...) - libreswan 3.27-6 (bug #930338) @@ -69626,7 +69625,6 @@ CVE-2018-10876 (A flaw was found in Linux kernel in the ext4 filesystem code. A CVE-2018-10875 (A flaw was found in ansible. ansible.cfg is read from the current work ...) {DSA-4396-1} - ansible 2.6.1+dfsg-1 - [jessie] - ansible (Too intrusive to backport) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1596533 NOTE: https://github.com/ansible/ansible/pull/42070 NOTE: https://github.com/ansible/ansible/commit/4cecbe81adbc655d7ab734165d3ac539f8ba5981 @@ -191442,7 +191440,6 @@ CVE-2015-5516 (Memory leak in the last hop kernel module in F5 BIG-IP LTM, GTM, NOT-FOR-US: F5 BIG-IP CVE-2015-6240 (The chroot, jail, and zone connection plugins in ansible before 1.9.2 ...) - ansible 1.9.2+dfsg-1 (low) - [jessie] - ansible (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/07/14/3 CVE-2015-5515 (The Views Bulk Operations (VBO) module 6.x-1.x and 7.x-3.x before 7.x- ...) NOT-FOR-US: Drupal addon not packaged in Debian 
@@ -196109,7 +196106,6 @@ CVE-2015-3909 RESERVED CVE-2015-3908 (Ansible before 1.9.2 does not verify that the server hostname matches ...) - ansible 1.9.2+dfsg-1 (low) - [jessie] - ansible (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/07/14/4 NOTE: Fixed in commit https://github.com/ansible/ansible/commit/be7c59c7bbe2c7cfaad0151c42693ebd0ea4243f CVE-2015-3907 (CodeIgniter Rest Server (aka codeigniter-restserver) 2.7.1 allows XXE ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/21e251316f792d3da6ed4edd7dbb196cb1508a83 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/21e251316f792d3da6ed4edd7dbb196cb1508a83 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
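Review bot: the four `[jessie]` lines are dropped because DLA-1923-1 covers them, but none of the four entries gains a `{DLA-1923-1}` cross-reference the way CVE-2019-12384 carries `{DLA-1831-1}` and CVE-2019-16275 carries `{DLA-1922-1}` on this page; confirm whether that reference is derived from data/DLA/list or needs adding here. Second, CVE-2019-10156's removed tag read "(Minor issue, most likely not affected)": if jessie's ansible really was not affected, listing the CVE in the DLA is inaccurate, and if it was, the tag was; a NOTE recording which turned out to be true closes the loop.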
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2019-15031/linux in stretch and jessie
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 26719de3 by Salvatore Bonaccorso at 2019-09-16T12:47:56Z Update status for CVE-2019-15031/linux in stretch and jessie - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3742,6 +3742,8 @@ CVE-2019-15032 RESERVED CVE-2019-15031 (In the Linux kernel through 5.2.14 on the powerpc platform, a local us ...) - linux + [stretch] - linux (Vulnerable code introduced later) + [jessie] - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/a8318c13e79badb92bc6640704a64cc022a6eb97 CVE-2019-15030 (In the Linux kernel through 5.2.14 on the powerpc platform, a local us ...) - linux View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/26719de36c1102825c0311d3a4b37870aca8d478 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/26719de36c1102825c0311d3a4b37870aca8d478 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
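Review bot: the neighbouring CVE-2019-15030 (same powerpc description, same bare `- linux` line in the context) is not given the matching stretch/jessie tags; if the vulnerable code was introduced in the same upstream change both entries should say so, and if not, a NOTE on 15030 explaining the difference avoids the question coming up again. Naming the upstream version or commit that introduced the code in the tag would also make "introduced later" checkable.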
[Git][security-tracker-team/security-tracker][master] Triage open CVE for libsixel/Jessie.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 480184ed by Markus Koschany at 2019-09-16T12:44:58Z Triage open CVE for libsixel/Jessie. Most issues do not affect Jessie because the vulnerable code does not exist or only exist when the fsanitize flag is used. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -42818,18 +42818,21 @@ CVE-2018-19763 (There is a heap-based buffer over-read at writer.c (function: wr - libsixel 1.8.2-2 (bug #931311) [buster] - libsixel (Minor issue) [stretch] - libsixel (Minor issue) + [jessie] - libsixel (The vulnerable code is not present) NOTE: https://github.com/saitoha/libsixel/issues/82 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649201 (reproducer) CVE-2018-19762 (There is a heap-based buffer overflow at fromsixel.c (function: image_ ...) - libsixel 1.8.2-2 (bug #931311) [buster] - libsixel (Minor issue) [stretch] - libsixel (Minor issue) + [jessie] - libsixel (The vulnerable code is not present) NOTE: https://github.com/saitoha/libsixel/issues/81 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649199 (reproducer) CVE-2018-19761 (There is an illegal address access at fromsixel.c (function: sixel_dec ...) - libsixel 1.8.2-2 (bug #931311) [buster] - libsixel (Minor issue) [stretch] - libsixel (Minor issue) + [jessie] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/78 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649200 (reproducer) CVE-2018-19760 (cfg_init in confuse.c in libConfuse 3.2.2 has a memory leak. ...) 
@@ -42843,6 +42846,7 @@ CVE-2018-19759 (There is a heap-based buffer over-read at stb_image_write.h (fun - libsixel 1.8.2-2 (bug #931311) [buster] - libsixel (Minor issue) [stretch] - libsixel (Minor issue) + [jessie] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/77 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649202 (reproducer) CVE-2018-19758 (There is a heap-based buffer over-read at wav.c in wav_write_header in ...) @@ -42857,12 +42861,14 @@ CVE-2018-19757 (There is a NULL pointer dereference at function sixel_helper_set - libsixel 1.8.2-2 (bug #931311) [buster] - libsixel (Minor issue) [stretch] - libsixel (Minor issue) + [jessie] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/79 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649197 (reproducer) CVE-2018-19756 (There is a heap-based buffer over-read at stb_image.h (function: stbi_ ...) - libsixel 1.8.2-2 (bug #931311) [buster] - libsixel (Minor issue) [stretch] - libsixel (Minor issue) + [jessie] - libsixel (The vulnerable code is not present) NOTE: https://github.com/saitoha/libsixel/issues/80 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649198 (reproducer) CVE-2018-19755 (There is an illegal address access at asm/preproc.c (function: is_mmac ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/480184edc1fbeff50a51879b247bddd2bb2594a4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/480184edc1fbeff50a51879b247bddd2bb2594a4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
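Review bot: the commit message gives two distinct reasons (code absent, or only reachable when built with the fsanitize flag), but the tags only distinguish "The vulnerable code is not present" from "Minor issue"; for CVE-2018-19761, CVE-2018-19759 and CVE-2018-19757 the tag should state which reason applies, for example `(Minor issue, only reachable when built with -fsanitize)`, since a bare "Minor issue" will otherwise be re-triaged by the next LTS reader.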
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1923-1 for ansible
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: fae35d1c by Roberto C. Sánchez at 2019-09-16T12:21:47Z Reserve DLA-1923-1 for ansible - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[16 Sep 2019] DLA-1923-1 ansible - security update + {CVE-2015-3908 CVE-2015-6240 CVE-2018-10875 CVE-2019-10156} + [jessie] - ansible 1.7.2+dfsg-2+deb8u2 [15 Sep 2019] DLA-1922-1 wpa - security update {CVE-2019-16275} [jessie] - wpa 2.3-1+deb8u9 = data/dla-needed.txt = @@ -15,9 +15,6 @@ adplug ampache NOTE: package only in Jessie -- -ansible (Roberto C. Sánchez) - NOTE: 20190906: update is ready; sent request for testing to debian-lts@; intend to upload on 20190916 (roberto) --- cimg (Thorsten Alteholz) NOTE: inline function load_network_external is affected, variable filename NOTE: 20190916: also taking care of no-dsa View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fae35d1ce5a34ccbe9a6a13367b5b62eb6bd2d34 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fae35d1ce5a34ccbe9a6a13367b5b62eb6bd2d34 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
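Review bot: the DLA entry is reserved with the upload version 1.7.2+dfsg-2+deb8u2 and lists CVE-2019-10156 among the fixed issues, while the dla-needed.txt note says the update was only sent for testing on 20190906; make sure the `[jessie]` no-dsa tags for these four CVEs in data/CVE/list are dropped in the same change or immediately after, otherwise the entries carry a no-dsa tag and a DLA at the same time.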
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4edd7587 by Moritz Muehlenhoff at 2019-09-16T09:52:52Z NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15,11 +15,11 @@ CVE-2019-16336 CVE-2019-16335 (A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...) TODO: check CVE-2019-16334 (In Bludit v3.9.2, there is a persistent XSS vulnerability in the Categ ...) - TODO: check + NOT-FOR-US: Bludit CVE-2019-16333 (GetSimple CMS v3.3.15 has Persistent Cross-Site Scripting (XSS) in adm ...) - TODO: check + NOT-FOR-US: GetSimple CMS CVE-2019-16332 (In the api-bearer-auth plugin before 20190907 for WordPress, the serve ...) - TODO: check + NOT-FOR-US: Wordpress plugin CVE-2019- [Remotely exploitable null pointer dereference bug] - libapreq2 2.13-6 (bug #939937) NOTE: http://svn.apache.org/r1866760 @@ -44,9 +44,9 @@ CVE-2019-16323 CVE-2019-16322 RESERVED CVE-2019-16321 (ScadaBR 1.0CE, and 1.1.x through 1.1.0-RC, has XSS via a request for a ...) - TODO: check + NOT-FOR-US: ScadaBR CVE-2019-16320 (Cobham Sea Tel v170 224521 through v194 225444 devices allow attackers ...) - TODO: check + NOT-FOR-US: Cobham Sea Tel CVE-2019-16318 (In Pimcore before 5.7.1, an attacker with limited privileges can bypas ...) NOT-FOR-US: Pimcore CVE-2019-16317 (In Pimcore before 5.7.1, an attacker with limited privileges can trigg ...) 
@@ -70,15 +70,15 @@ CVE-2019-16309 (FlameCMS 3.3.5 has SQL injection in account/login.php via accoun CVE-2019-16308 RESERVED CVE-2019-16307 (A Reflected Cross-Site Scripting (XSS) vulnerability in the webEx modu ...) - TODO: check + NOT-FOR-US: Fuji CVE-2019-16306 RESERVED CVE-2019-16305 (In MobaXterm 11.1 and 12.1, the protocol handler is vulnerable to comm ...) - TODO: check + NOT-FOR-US: MobaXterm CVE-2019-16304 RESERVED CVE-2019-16303 (A class generated by the Generator in JHipster before 6.3.0 and JHipst ...) - TODO: check + NOT-FOR-US: JHipster CVE-2019-16302 RESERVED CVE-2019-16301 @@ -96,7 +96,7 @@ CVE-2019-16296 CVE-2019-16295 RESERVED CVE-2019-16294 (SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote ...) - TODO: check + NOT-FOR-US: Notepad++ CVE-2019-16293 (The Create Discoveries feature of Open-AudIT before 3.2.0 allows an au ...) NOT-FOR-US: Open-AudIT CVE-2019-16292 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4edd7587888da8c6197fab302584a995e2985aa9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4edd7587888da8c6197fab302584a995e2985aa9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
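Review bot: CVE-2019-16332 is tagged `NOT-FOR-US: Wordpress plugin` while the rest of the page names the component (for example `NOT-FOR-US: OAuth2 Client MediaWiki extension`); naming it `api-bearer-auth WordPress plugin` keeps the tag searchable. CVE-2019-16307's tag `Fuji` is not derivable from the visible description ("the webEx module"), so a vendor or product name taken from the advisory would make that verdict checkable.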
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 095823b9 by security tracker role at 2019-09-16T08:10:26Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,25 @@ +CVE-2019-16342 + RESERVED +CVE-2019-16341 + RESERVED +CVE-2019-16340 + RESERVED +CVE-2019-16339 + RESERVED +CVE-2019-16338 + RESERVED +CVE-2019-16337 + RESERVED +CVE-2019-16336 + RESERVED +CVE-2019-16335 (A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...) + TODO: check +CVE-2019-16334 (In Bludit v3.9.2, there is a persistent XSS vulnerability in the Categ ...) + TODO: check +CVE-2019-16333 (GetSimple CMS v3.3.15 has Persistent Cross-Site Scripting (XSS) in adm ...) + TODO: check +CVE-2019-16332 (In the api-bearer-auth plugin before 20190907 for WordPress, the serve ...) + TODO: check CVE-2019- [Remotely exploitable null pointer dereference bug] - libapreq2 2.13-6 (bug #939937) NOTE: http://svn.apache.org/r1866760 @@ -149,7 +171,7 @@ CVE-2016-10956 RESERVED CVE-2010-5333 (The web server in Integard Pro and Home before 2.0.0.9037 and 2.2.x be ...) NOT-FOR-US: Integard -CVE-2019-16319 [wireshark wnpa-sec-2019-21] +CVE-2019-16319 (In Wireshark 3.0.0 to 3.0.3 and 2.6.0 to 2.6.10, the Gryphon dissector ...) - wireshark 3.0.4-1 (low) [buster] - wireshark (Can be fixed along in next 3.0.x DSA) [stretch] - wireshark (Can be fixed along in next 2.6.x DSA) @@ -5085,8 +5107,8 @@ CVE-2019-14541 (GnuCOBOL 2.2 has a stack-based buffer overflow in cb_encode_prog [stretch] - open-cobol (Minor issue) [jessie] - open-cobol (Minor issue) NOTE: https://sourceforge.net/p/open-cobol/bugs/584/ -CVE-2019-14540 - RESERVED +CVE-2019-14540 (A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...) + TODO: check CVE-2019-14539 RESERVED CVE-2019-14538 
@@ -13802,7 +13824,7 @@ CVE-2019-11753 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-29/#CVE-2019-11753 CVE-2019-11752 RESERVED - {DSA-4516-1 DLA-1910-1} + {DSA-4523-1 DSA-4516-1 DLA-1910-1} - firefox 69.0-1 - firefox-esr 68.1.0esr-1 - thunderbird 1:60.9.0-1 @@ -13854,7 +13876,7 @@ CVE-2019-11747 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-26/#CVE-2019-11747 CVE-2019-11746 RESERVED - {DSA-4516-1 DLA-1910-1} + {DSA-4523-1 DSA-4516-1 DLA-1910-1} - firefox 69.0-1 - firefox-esr 68.1.0esr-1 - thunderbird 1:60.9.0-1 @@ -13866,7 +13888,7 @@ CVE-2019-11745 RESERVED CVE-2019-11744 RESERVED - {DSA-4516-1 DLA-1910-1} + {DSA-4523-1 DSA-4516-1 DLA-1910-1} - firefox 69.0-1 - firefox-esr 68.1.0esr-1 - thunderbird 1:60.9.0-1 @@ -13876,7 +13898,7 @@ CVE-2019-11744 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-29/#CVE-2019-11744 CVE-2019-11743 RESERVED - {DSA-4516-1 DLA-1910-1} + {DSA-4523-1 DSA-4516-1 DLA-1910-1} - firefox 69.0-1 - firefox-esr 68.1.0esr-1 - thunderbird 1:60.9.0-1 @@ -13885,7 +13907,7 @@ CVE-2019-11743 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-27/#CVE-2019-11743 CVE-2019-11742 RESERVED - {DSA-4516-1 DLA-1910-1} + {DSA-4523-1 DSA-4516-1 DLA-1910-1} - firefox 69.0-1 - firefox-esr 68.1.0esr-1 - thunderbird 1:60.9.0-1 @@ -13899,7 +13921,7 @@ CVE-2019-11741 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11741 CVE-2019-11740 RESERVED - {DSA-4516-1 DLA-1910-1} + {DSA-4523-1 DSA-4516-1 DLA-1910-1} - firefox 69.0-1 - firefox-esr 68.1.0esr-1 - thunderbird 1:60.9.0-1 
@@ -13909,6 +13931,7 @@ CVE-2019-11740 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-29/#CVE-2019-11740 CVE-2019-11739 RESERVED + {DSA-4523-1} - thunderbird 1:60.9.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-29/#CVE-2019-11739 CVE-2019-11738 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/095823b9d4cb675878fda88c4a8a8919c864c693 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/095823b9d4cb675878fda88c4a8a8919c864c693 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
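Review bot: the CVE-2019-16319 hunk replaces the placeholder `[wireshark wnpa-sec-2019-21]` with the MITRE description and thereby drops the vendor advisory id from the entry; keep the id in a NOTE pointing at the wnpa-sec-2019-21 advisory so the link between the CVE and the Wireshark advisory survives the automatic update. The `{DSA-4523-1}` additions for the thunderbird CVEs are applied consistently across all eight entries.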
[Git][security-tracker-team/security-tracker][master] claim poppler
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 2407fd97 by Thorsten Alteholz at 2019-09-16T07:35:20Z claim poppler - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -109,7 +109,7 @@ php-pecl-http (Roberto C. Sánchez) php5 (Roberto C. Sánchez) NOTE: 20190910: Also investigate/(fix?) https://bugs.debian.org/939981 -- -poppler +poppler (Thorsten Alteholz) -- python2.7 (Roberto C. Sánchez) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2407fd97cedf2b82be1d7254097f0e73a158e5ff
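Review bot: the claim follows the `package (claimant)` form of the surrounding entries (php5, python2.7), so nothing to change in the hunk itself; unlike the php5 entry just above it, the poppler entry carries no NOTE line, so a dated NOTE stating which open issues the claim covers would help the next person reading dla-needed.txt.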
[Git][security-tracker-team/security-tracker][master] update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 134ad1ab by Thorsten Alteholz at 2019-09-16T06:14:09Z update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -20,6 +20,7 @@ ansible (Roberto C. Sánchez) -- cimg (Thorsten Alteholz) NOTE: inline function load_network_external is affected, variable filename + NOTE: 20190916: also taking care of no-dsa -- clamav (Jonas Meurer) NOTE: wait for definitive patch to be available, then upgrade to latest upstream View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/134ad1ab35df2b99164c589b1463291ace75bc96
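Review bot: the added `NOTE: 20190916: also taking care of no-dsa` does not say which no-dsa issues are meant; the existing note on the same cimg entry is specific (it names the affected inline function load_network_external and the filename variable), so naming the issues being folded into this update would keep the entry self-explanatory for whoever picks it up next. The YYYYMMDD prefix is consistent with the dated-note form used elsewhere in the file (for example the php5 entry's `NOTE: 20190910:`).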
