[Git][security-tracker-team/security-tracker][master] Add fixed version via unstable for CVE-2019-16884/runc

2019-10-09 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4d51b0ef by Salvatore Bonaccorso at 2019-10-10T04:38:49Z
Add fixed version via unstable for CVE-2019-16884/runc

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1162,7 +1162,7 @@ CVE-2019-16886
 CVE-2019-16885
RESERVED
 CVE-2019-16884 (runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce 
and other ...)
-   - runc  (bug #942026)
+   - runc 1.0.0~rc9+dfsg1-1 (bug #942026)
- golang-github-opencontainers-selinux  (bug #942027)
NOTE: https://github.com/opencontainers/runc/issues/2128
 CVE-2019-16883
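Review bot: the `- golang-github-opencontainers-selinux  (bug #942027)` line is left without a fixed version while runc now gets `1.0.0~rc9+dfsg1-1`; if the selinux library in unstable already carries the fix, record its version alongside, otherwise a NOTE saying it is still pending would keep the two source entries from looking inconsistent. Neither source package has a `[buster]` or `[stretch]` annotation yet, so both stable releases are still implicitly tracked as vulnerable with no no-dsa or not-affected decision recorded.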



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/4d51b0efeeb37847681ee3a0b21deb6c98b6e6b9

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/4d51b0efeeb37847681ee3a0b21deb6c98b6e6b9
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] Add new libnbd issue

2019-10-09 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ee1f0c22 by Salvatore Bonaccorso at 2019-10-10T04:14:39Z
Add new libnbd issue

Thanks: Paul Wise

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,8 @@
+CVE-2019- [Remote code execution vulnerability]
+   - libnbd 
+   NOTE: 
https://www.redhat.com/archives/libguestfs/2019-October/msg00060.html
+   NOTE: 
https://github.com/libguestfs/libnbd/commit/f75f602a6361c0c5f42debfeea6980f698ce7f09
 (1.1.4)
+   NOTE: 
https://github.com/libguestfs/libnbd/commit/2c1987fc23d6d0f537edc6d4701e95a2387f7917
 (stable-1.0)
 CVE-2019-17406
RESERVED
 CVE-2019-17405
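Review bot: the entry is filed under the placeholder `CVE-2019-` with a bracketed description instead of an assigned identifier, and the `- libnbd ` line carries neither a fixed version nor a `(bug #...)` reference; add the Debian bug once filed and replace the placeholder ID as soon as one is assigned so the tracker's CVE matching picks the entry up. The upstream commits are labelled `(1.1.4)` and `(stable-1.0)`, which records which upstream branches were fixed but not which Debian version is, so a fixed-version or a `[buster]` annotation is still needed.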



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ee1f0c22fa309b47852de6698a6652fca9cff33e


[Git][security-tracker-team/security-tracker][master] Reserve DLA-1952-1 for rsyslog

2019-10-09 Thread Chris Lamb


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
25f9df85 by Chris Lamb at 2019-10-10T00:08:10Z
Reserve DLA-1952-1 for rsyslog

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[09 Oct 2019] DLA-1952-1 rsyslog - security update
+   {CVE-2019-17041 CVE-2019-17042}
+   [jessie] - rsyslog 8.4.2-1+deb8u3
 [09 Oct 2019] DLA-1951-1 libtomcrypt - security update
{CVE-2019-17362}
[jessie] - libtomcrypt 1.17-6+deb8u1
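Review bot: the CVE/list entries for CVE-2019-17041 and CVE-2019-17042 elsewhere in this thread mark buster and stretch as `Minor issue, ... module not enabled by default`; since this DLA ships a jessie fix for both, it is worth confirming that the same rationale does not apply to 8.4.2-1+deb8u3 (that is, that the pmaixforwardedfrom and pmcisconames modules are actually built and enabled in jessie), or at least noting why jessie is being treated differently from the newer releases.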


=
data/dla-needed.txt
=
@@ -130,8 +130,6 @@ radare2
   NOTE: Support status is being discussed at:
   NOTE: https://lists.debian.org/debian-lts/2019/08/msg00064.html
 --
-rsyslog (Chris Lamb)
---
 ruby-openid (Brian May)
   NOTE: 20190628: In discussion with upstream/rubygems maintainer regarding 
what the issue actually *is*. (lamby)
   NOTE: 20190701: Pinged bug (lamby)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/25f9df8512c093b73204e777656ad009f0043c0d


[Git][security-tracker-team/security-tracker][master] Reserve DLA-1951-1 for libtomcrypt

2019-10-09 Thread Chris Lamb


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b01bca7e by Chris Lamb at 2019-10-09T21:13:48Z
Reserve DLA-1951-1 for libtomcrypt

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[09 Oct 2019] DLA-1951-1 libtomcrypt - security update
+   {CVE-2019-17362}
+   [jessie] - libtomcrypt 1.17-6+deb8u1
 [08 Oct 2019] DLA-1950-1 openjpeg2 - security update
{CVE-2018-21010}
[jessie] - openjpeg2 2.1.0-2+deb8u8


=
data/dla-needed.txt
=
@@ -92,8 +92,6 @@ libsdl1.2 (Hugo Lefeuvre)
   NOTE: regression introduced by the patch for CVE-2019-7637, several games 
broken
   NOTE: see https://lists.debian.org/debian-lts/2019/10/msg00039.html
 --
-libtomcrypt (Chris Lamb)
---
 linux (Ben Hutchings)
 --
 linux-4.9 (Ben Hutchings)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/b01bca7e88807e9c08b12603e919c5b6064ddbad


[Git][security-tracker-team/security-tracker][master] Update py27 references

2019-10-09 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dccceb52 by Moritz Muehlenhoff at 2019-10-09T20:49:33Z
Update py27 references

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21116,9 +21116,11 @@ CVE-2019-10160 (A security regression of CVE-2019-9636 
was discovered in python
NOTE: Introduced by: 
https://github.com/python/cpython/commit/d537ab0ff9767ef024f26246899728f0116b1ec3
 (v3.8.0a4)
NOTE: Fixed by: 
https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e
 (v3.8.0b1)
NOTE: 
https://github.com/python/cpython/commit/250b62acc59921d399f0db47db3b462cd6037e09
 (3.7)
-   NOTE: 
https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de
 (2.7)
NOTE: https://bugs.python.org/issue36742
-   NOTE: Patch for 2.7 series introduces new problems, cf. 
https://bugs.python.org/issue36742#msg344981
+   NOTE: Patches for 2.7:
+   NOTE: 
https://github.com/python/cpython/commit/98a4dcefbbc3bce5ab07e7c0830a183157250259
+   NOTE: 
https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de
+   NOTE: 
https://github.com/python/cpython/commit/2b578479b96aa3deeeb8bac313a02b5cf3cb1aff
 CVE-2019-10159 (cfme-gemset versions 5.10.4.3 and below, 5.9.9.3 and below are 
vulnera ...)
NOT-FOR-US: Red Hat CloudForms Management Engine
 CVE-2019-10158
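Review bot: the removed line `NOTE: Patch for 2.7 series introduces new problems, cf. https://bugs.python.org/issue36742#msg344981` recorded a known regression with the 2.7 backport, and the replacement lists three commits without saying whether 98a4dcef or 2b578479 resolve that regression; either keep the caveat or state explicitly that the follow-up commits address it. Since f61599b0 is the commit previously flagged as problematic, marking the order in which the three 2.7 commits have to be applied would also help whoever prepares the stretch update.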
@@ -21765,6 +21767,7 @@ CVE-2019-9947 (An issue was discovered in urllib2 in 
Python 2.x through 2.7.16 a
NOTE: https://bugs.python.org/issue35906
NOTE: Introduced by: 
https://github.com/python/cpython/commit/cc54c1c0d2d05fe7404ba64c53df4b1352ed2262
NOTE: CVE-2019-9947 issue fixed with same fix as for CVE-2019-9740
+   NOTE: Patch 2.7: 
https://github.com/python/cpython/commit/bb8071a4cae5ab3fe321481dd3d73662ffb26052
 CVE-2019-9946 (Cloud Native Computing Foundation (CNCF) CNI (Container 
Networking Int ...)
- kubernetes 
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1692712
@@ -23299,6 +23302,8 @@ CVE-2019-9740 (An issue was discovered in urllib2 in 
Python 2.x through 2.7.16 a
[stretch] - python2.7  (Minor issue)
NOTE: https://bugs.python.org/issue36276
NOTE: https://bugs.python.org/issue30458
+   NOTE: CVE-2019-9947 issue fixed with same fix as for CVE-2019-9740
+   NOTE: Patch 2.7: 
https://github.com/python/cpython/commit/bb8071a4cae5ab3fe321481dd3d73662ffb26052
 CVE-2019-9739
RESERVED
 CVE-2019-9738 (jimmykuu Gopher 2.0 has DOM-based XSS via vectors involving the 
'E ...)
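Review bot: the added `NOTE: CVE-2019-9947 issue fixed with same fix as for CVE-2019-9740` is copied verbatim into the CVE-2019-9740 entry itself, where it reads as self-referential; under this entry it should say something like `NOTE: Same fix also addresses CVE-2019-9947`. The `[stretch] - python2.7  (Minor issue)` line is left unchanged now that a concrete 2.7 patch (bb8071a4) is recorded, so the no-dsa rationale may be worth a quick re-check.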



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/dccceb521179c9b701887f1a0e56694ecd158c3a


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-17266/openssh

2019-10-09 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8c9d5ab3 by Salvatore Bonaccorso at 2019-10-09T20:38:13Z
Add CVE-2019-17266/openssh

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1084,7 +1084,11 @@ CVE-2019-16907
 CVE-2019-16906
RESERVED
 CVE-2019-16905 (OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with 
an expe ...)
-   TODO: check
+   - openssh  (unimportant)
+   [stretch] - openssh  (Vulnerable code introduced later)
+   [jessie] - openssh  (Vulnerable code introduced later)
+   NOTE: Issue in experimental (and not enabled) XMSS implementation; 
futhermore there
+   NOTE: is not supported way to enable it when building openssh.
 CVE-2019-16904 (TeamPass 2.1.27.36 allows Stored XSS by setting a crafted 
password for ...)
- teampass  (bug #730180)
 CVE-2019-16903 (Platinum UPnP SDK 1.2.0 allows Directory Traversal in 
Core/PltHttpServ ...)
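Review bot: the two NOTE lines have typos: `futhermore` should read `furthermore` and `there is not supported way` should read `there is no supported way`. The rationale itself is sound: `unimportant` for unstable because the XMSS code is experimental and cannot be enabled through the supported build, and `Vulnerable code introduced later` for stretch and jessie. Adding the upstream fix reference (the description gives 8.1 as the fixed release) as a NOTE would let the `unimportant` tag be re-evaluated if XMSS is ever enabled in the package.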



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/8c9d5ab31aab7679eaa3980ddb2eede60f538ce1


[Git][security-tracker-team/security-tracker][master] Process more NFUs

2019-10-09 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3fcdb510 by Salvatore Bonaccorso at 2019-10-09T20:33:08Z
Process more NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -54,31 +54,31 @@ CVE-2019-17382 (An issue was discovered in 
zabbix.php?action=dashboard.view
 CVE-2019-17381
RESERVED
 CVE-2019-17380 (cPanel before 82.0.15 allows self XSS in the WHM Update 
Preferences in ...)
-   TODO: check
+   NOT-FOR-US: cPanel
 CVE-2019-17379 (cPanel before 82.0.15 allows self stored XSS in the WHM SSL 
Storage Ma ...)
-   TODO: check
+   NOT-FOR-US: cPanel
 CVE-2019-17378 (cPanel before 82.0.15 allows self XSS in the SSL Key Delete 
interface  ...)
-   TODO: check
+   NOT-FOR-US: cPanel
 CVE-2019-17377 (cPanel before 82.0.15 allows self XSS in LiveAPI example 
scripts (SEC- ...)
-   TODO: check
+   NOT-FOR-US: cPanel
 CVE-2019-17376 (cPanel before 82.0.15 allows self XSS in the SSL Certificate 
Upload in ...)
-   TODO: check
+   NOT-FOR-US: cPanel
 CVE-2019-17375 (cPanel before 82.0.15 allows API token credentials to persist 
after an ...)
-   TODO: check
+   NOT-FOR-US: cPanel
 CVE-2019-17374
RESERVED
 CVE-2019-17373 (Certain NETGEAR devices allow unauthenticated access to 
critical .cgi  ...)
-   TODO: check
+   NOT-FOR-US: NETGEAR
 CVE-2019-17372 (Certain NETGEAR devices allow remote attackers to disable all 
authenti ...)
-   TODO: check
+   NOT-FOR-US: NETGEAR
 CVE-2019-17371 (libpng 1.6.37 has memory leaks in png_malloc_warn and 
png_create_info_ ...)
TODO: check
 CVE-2019-17370 (OTCMS v3.85 allows arbitrary PHP Code Execution because 
admin/sysCheck ...)
-   TODO: check
+   NOT-FOR-US: OTCMS
 CVE-2019-17369 (OTCMS v3.85 has CSRF in the admin/member_deal.php Admin Panel 
page, le ...)
-   TODO: check
+   NOT-FOR-US: OTCMS
 CVE-2019-17368 (S-CMS v1.5 has XSS in tpl.php via the member/member_login.php 
from par ...)
-   TODO: check
+   NOT-FOR-US: S-CMS
 CVE-2019-17367
RESERVED
 CVE-2019-17366
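Review bot: CVE-2019-17371 (libpng 1.6.37 memory leaks) is the only entry in this block left at `TODO: check`, which is correct since libpng is packaged in Debian (source package libpng1.6); it should be triaged against that package rather than remain open among the NFUs. The NOT-FOR-US classifications themselves match the descriptions (cPanel, NETGEAR, OTCMS, S-CMS).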
@@ -112,9 +112,9 @@ CVE-2019-17356
 CVE-2019-17355
RESERVED
 CVE-2019-17354 (wan.htm page on Zyxel NBG-418N v2 with firmware version 
V1.00(AARP.9)C ...)
-   TODO: check
+   NOT-FOR-US: Zyxel
 CVE-2019-17353 (An issue discovered on D-Link DIR-615 devices with firmware 
version 20 ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2019-17352 (In JFinal cos before 2019-08-13, as used in JFinal 4.4, there 
is a vul ...)
TODO: check
 CVE-2019-17339
@@ -561,7 +561,7 @@ CVE-2019-17133 (In the Linux kernel through 5.3.2, 
cfg80211_mgd_wext_giwessid in
 CVE-2019-17129
RESERVED
 CVE-2019-17128 (Netreo OmniCenter through 12.1.1 allows unauthenticated SQL 
Injection  ...)
-   TODO: check
+   NOT-FOR-US: Netreo OmniCenter
 CVE-2019-17127
RESERVED
 CVE-2019-17126
@@ -569,7 +569,7 @@ CVE-2019-17126
 CVE-2019-17125
RESERVED
 CVE-2019-17124 (Kramer VIAware 2.5.0719.1034 has Incorrect Access Control. ...)
-   TODO: check
+   NOT-FOR-US: Kramer VIAware
 CVE-2019-17123
RESERVED
 CVE-2019-17122



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/3fcdb51086541c915ea7e2b8280e4c20cb6d3609


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-17401

2019-10-09 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
49bfd28e by Salvatore Bonaccorso at 2019-10-09T20:27:31Z
Add CVE-2019-17401

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -9,7 +9,10 @@ CVE-2019-17403
 CVE-2019-17402 (Exiv2 0.27.2 allows attackers to trigger a crash in 
Exiv2::getULong in ...)
TODO: check
 CVE-2019-17401 (libyal liblnk 20191006 has a heap-based buffer over-read in 
the networ ...)
-   TODO: check
+   - liblnk  (low)
+   [buster] - liblnk  (Minor issue)
+   [jessie] - liblnk  (Minor issue)
+   NOTE: https://github.com/libyal/liblnk/issues/40
 CVE-2019-17400
RESERVED
 CVE-2019-17399 (The Shack Forms Pro extension before 4.0.32 for Joomla! allows 
path tr ...)
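Review bot: the `[buster]` and `[jessie]` lines get `(Minor issue)` but there is no `[stretch]` line, so stretch is implicitly left as vulnerable at severity low; add `[stretch] - liblnk  (Minor issue)` if the code is affected there, or a not-affected annotation if it is not. A one-line rationale for the low severity (a heap-based buffer over-read in a file parser, per the description) next to the NOTE link would help the LTS team when it reaches jessie.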



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/49bfd28edc9d993b25c0338d04698b823f562fd8


[Git][security-tracker-team/security-tracker][master] Process two NFU

2019-10-09 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
09733e51 by Salvatore Bonaccorso at 2019-10-09T20:28:41Z
Process two NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -16,7 +16,7 @@ CVE-2019-17401 (libyal liblnk 20191006 has a heap-based 
buffer over-read in the
 CVE-2019-17400
RESERVED
 CVE-2019-17399 (The Shack Forms Pro extension before 4.0.32 for Joomla! allows 
path tr ...)
-   TODO: check
+   NOT-FOR-US: Shack Forms Pro extension for Joomla!
 CVE-2019-17398
RESERVED
 CVE-2019-17397
@@ -36,7 +36,7 @@ CVE-2019-17391
 CVE-2019-17390
RESERVED
 CVE-2019-17389 (In RIOT 2019.07, the MQTT-SN implementation (asymcute) 
mishandles erro ...)
-   TODO: check
+   NOT-FOR-US: RIOT RIOT-OS
 CVE-2019-17388
RESERVED
 CVE-2019-17387



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/09733e513ca85dc6dd5a34bcd00ce9f4c77d3528


[Git][security-tracker-team/security-tracker][master] Process NFUs

2019-10-09 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a0c4b38f by Salvatore Bonaccorso at 2019-10-09T20:18:41Z
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -41,9 +41,9 @@ CVE-2019-17387
 CVE-2019-17386
RESERVED
 CVE-2019-17385 (The animate-it plugin before 2.3.5 for WordPress has XSS. ...)
-   TODO: check
+   NOT-FOR-US: animate-it plugin for WordPress
 CVE-2019-17384 (The animate-it plugin before 2.3.4 for WordPress has XSS. ...)
-   TODO: check
+   NOT-FOR-US: animate-it plugin for WordPress
 CVE-2019-17383 (The netaddr gem before 2.0.4 for Ruby has misconfigured file 
permissio ...)
TODO: check
 CVE-2019-17382 (An issue was discovered in 
zabbix.php?action=dashboard.viewdashbo ...)
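Review bot: CVE-2019-17383 (netaddr gem) and CVE-2019-17382 (Zabbix) are correctly left at `TODO: check` rather than NFU, since both correspond to Debian source packages (ruby-netaddr, if packaged, and zabbix); they should be followed up with either a fixed version or a not-affected annotation rather than staying open next to the processed NFUs.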
@@ -36375,7 +36375,7 @@ CVE-2019-4560
 CVE-2019-4559
RESERVED
 CVE-2019-4558 (A security vulnerability has been identified in all levels of 
IBM Spec ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2019-4557
RESERVED
 CVE-2019-4556
@@ -36467,7 +36467,7 @@ CVE-2019-4514 (IBM Security Key Lifecycle Manager 2.6, 
2.7, 3.0, and 3.0.1 discl
 CVE-2019-4513 (IBM Security Access Manager for Enterprise Single Sign-On 8.2.2 
is vul ...)
NOT-FOR-US: IBM
 CVE-2019-4512 (IBM Maximo Asset Management 7.6.1.1 generates an error message 
that in ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2019-4511
RESERVED
 CVE-2019-4510



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a0c4b38fc6017f9fafb73c5515eb020b272a7585


[Git][security-tracker-team/security-tracker][master] Update rationale for no-dsa CVE-2019-16375 in otrs2

2019-10-09 Thread Chris Lamb


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4078fc61 by Chris Lamb at 2019-10-09T20:16:32Z
Update rationale for no-dsa CVE-2019-16375 in otrs2

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2443,7 +2443,7 @@ CVE-2019-16375
- otrs2 6.0.23-1
[buster] - otrs2  (Non-free not supported)
[stretch] - otrs2  (Non-free not supported)
-   [jessie] - otrs2  (Non-free not supported)
+   [jessie] - otrs2  (Minor issue)
NOTE: 
https://community.otrs.com/security-advisory-2019-13-security-update-for-otrs-framework/
NOTE: 
https://github.com/OTRS/otrs/commit/aeb33d800716e2a6653597aa86314c4cbdadb678 
(6.x)
NOTE: 
https://github.com/OTRS/otrs/commit/03ca8f396b1aa9933c212a63f52a9ea26c06e7da 
(5.x)
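Review bot: the jessie rationale now reads `Minor issue` while buster and stretch keep `Non-free not supported`, so the three releases no longer share a reason and a reader cannot tell from the entry why jessie is treated differently; add a NOTE stating why (for example which archive section otrs2 is in for jessie) so the no-dsa decision can be audited later.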



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/4078fc611b844663b572dd84407dcd46082b5379


[Git][security-tracker-team/security-tracker][master] automatic update

2019-10-09 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
66956b59 by security tracker role at 2019-10-09T20:10:20Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,81 @@
+CVE-2019-17406
+   RESERVED
+CVE-2019-17405
+   RESERVED
+CVE-2019-17404
+   RESERVED
+CVE-2019-17403
+   RESERVED
+CVE-2019-17402 (Exiv2 0.27.2 allows attackers to trigger a crash in 
Exiv2::getULong in ...)
+   TODO: check
+CVE-2019-17401 (libyal liblnk 20191006 has a heap-based buffer over-read in 
the networ ...)
+   TODO: check
+CVE-2019-17400
+   RESERVED
+CVE-2019-17399 (The Shack Forms Pro extension before 4.0.32 for Joomla! allows 
path tr ...)
+   TODO: check
+CVE-2019-17398
+   RESERVED
+CVE-2019-17397
+   RESERVED
+CVE-2019-17396
+   RESERVED
+CVE-2019-17395
+   RESERVED
+CVE-2019-17394
+   RESERVED
+CVE-2019-17393
+   RESERVED
+CVE-2019-17392
+   RESERVED
+CVE-2019-17391
+   RESERVED
+CVE-2019-17390
+   RESERVED
+CVE-2019-17389 (In RIOT 2019.07, the MQTT-SN implementation (asymcute) 
mishandles erro ...)
+   TODO: check
+CVE-2019-17388
+   RESERVED
+CVE-2019-17387
+   RESERVED
+CVE-2019-17386
+   RESERVED
+CVE-2019-17385 (The animate-it plugin before 2.3.5 for WordPress has XSS. ...)
+   TODO: check
+CVE-2019-17384 (The animate-it plugin before 2.3.4 for WordPress has XSS. ...)
+   TODO: check
+CVE-2019-17383 (The netaddr gem before 2.0.4 for Ruby has misconfigured file 
permissio ...)
+   TODO: check
+CVE-2019-17382 (An issue was discovered in 
zabbix.php?action=dashboard.viewdashbo ...)
+   TODO: check
+CVE-2019-17381
+   RESERVED
+CVE-2019-17380 (cPanel before 82.0.15 allows self XSS in the WHM Update 
Preferences in ...)
+   TODO: check
+CVE-2019-17379 (cPanel before 82.0.15 allows self stored XSS in the WHM SSL 
Storage Ma ...)
+   TODO: check
+CVE-2019-17378 (cPanel before 82.0.15 allows self XSS in the SSL Key Delete 
interface  ...)
+   TODO: check
+CVE-2019-17377 (cPanel before 82.0.15 allows self XSS in LiveAPI example 
scripts (SEC- ...)
+   TODO: check
+CVE-2019-17376 (cPanel before 82.0.15 allows self XSS in the SSL Certificate 
Upload in ...)
+   TODO: check
+CVE-2019-17375 (cPanel before 82.0.15 allows API token credentials to persist 
after an ...)
+   TODO: check
+CVE-2019-17374
+   RESERVED
+CVE-2019-17373 (Certain NETGEAR devices allow unauthenticated access to 
critical .cgi  ...)
+   TODO: check
+CVE-2019-17372 (Certain NETGEAR devices allow remote attackers to disable all 
authenti ...)
+   TODO: check
+CVE-2019-17371 (libpng 1.6.37 has memory leaks in png_malloc_warn and 
png_create_info_ ...)
+   TODO: check
+CVE-2019-17370 (OTCMS v3.85 allows arbitrary PHP Code Execution because 
admin/sysCheck ...)
+   TODO: check
+CVE-2019-17369 (OTCMS v3.85 has CSRF in the admin/member_deal.php Admin Panel 
page, le ...)
+   TODO: check
+CVE-2019-17368 (S-CMS v1.5 has XSS in tpl.php via the member/member_login.php 
from par ...)
+   TODO: check
 CVE-2019-17367
RESERVED
 CVE-2019-17366
@@ -30,10 +108,10 @@ CVE-2019-17356
RESERVED
 CVE-2019-17355
RESERVED
-CVE-2019-17354
-   RESERVED
-CVE-2019-17353
-   RESERVED
+CVE-2019-17354 (wan.htm page on Zyxel NBG-418N v2 with firmware version 
V1.00(AARP.9)C ...)
+   TODO: check
+CVE-2019-17353 (An issue discovered on D-Link DIR-615 devices with firmware 
version 20 ...)
+   TODO: check
 CVE-2019-17352 (In JFinal cos before 2019-08-13, as used in JFinal 4.4, there 
is a vul ...)
TODO: check
 CVE-2019-17339
@@ -184,7 +262,7 @@ CVE-2019-17267 (A Polymorphic Typing issue was discovered 
in FasterXML jackson-d
- jackson-databind 2.10.0-1
NOTE: https://github.com/FasterXML/jackson-databind/issues/2460
NOTE: 
https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2b77edd895ee756b7f75eb
-CVE-2019-17266 (libsoup through 2.68.1 has a heap-based buffer over-read 
because soup_ ...)
+CVE-2019-17266 (libsoup from versions 2.65.1 until 2.68.1 have a heap-based 
buffer ove ...)
- libsoup2.4 2.68.2-1 (bug #941912)
[buster] - libsoup2.4  (Vulnerable code introduced in 
2.65.1)
[stretch] - libsoup2.4  (Vulnerable code introduced in 
2.65.1)
@@ -479,16 +557,16 @@ CVE-2019-17133 (In the Linux kernel through 5.3.2, 
cfg80211_mgd_wext_giwessid in
NOTE: https://marc.info/?l=linux-wireless=157018270915487=2
 CVE-2019-17129
RESERVED
-CVE-2019-17128
-   RESERVED
+CVE-2019-17128 (Netreo OmniCenter through 12.1.1 allows unauthenticated SQL 
Injection  ...)
+   TODO: check
 CVE-2019-17127
RESERVED
 CVE-2019-17126
RESERVED
 CVE-2019-17125
RESERVED
-CVE-2019-17124
-   RESERVED
+CVE-2019-17124 (Kramer VIAware 

[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-17041/rsyslog

2019-10-09 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
602eb5fa by Salvatore Bonaccorso at 2019-10-09T19:13:12Z
Add Debian bug reference for CVE-2019-17041/rsyslog

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -688,7 +688,7 @@ CVE-2019-17042 (An issue was discovered in Rsyslog 
v8.1908.0. contrib/pmcisconam
[stretch] - rsyslog  (Minor issue, pmcisconames module not 
enabled by default)
NOTE: https://github.com/rsyslog/rsyslog/pull/3883
 CVE-2019-17041 (An issue was discovered in Rsyslog v8.1908.0. 
contrib/pmaixforwardedfr ...)
-   - rsyslog 
+   - rsyslog  (bug #942067)
[buster] - rsyslog  (Minor issue, pmaixforwardedfrom module not 
enabled by default)
[stretch] - rsyslog  (Minor issue, pmaixforwardedfrom module 
not enabled by default)
NOTE: https://github.com/rsyslog/rsyslog/pull/3884



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/602eb5fae0d9b31dc1e1f81ada763410853abaeb


[Git][security-tracker-team/security-tracker][master] Add Debian bug tracking information for CVE-2019-17042/rsyslog

2019-10-09 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
917138cb by Salvatore Bonaccorso at 2019-10-09T19:10:37Z
Add Debian bug tracking information for CVE-2019-17042/rsyslog

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -683,7 +683,7 @@ CVE-2019-17044
 CVE-2019-17043
RESERVED
 CVE-2019-17042 (An issue was discovered in Rsyslog v8.1908.0. 
contrib/pmcisconames/pmc ...)
-   - rsyslog 
+   - rsyslog  (bug #942065)
[buster] - rsyslog  (Minor issue, pmcisconames module not 
enabled by default)
[stretch] - rsyslog  (Minor issue, pmcisconames module not 
enabled by default)
NOTE: https://github.com/rsyslog/rsyslog/pull/3883



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/917138cb6271f6f625a736adac4c0b0b18c26208


[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-17041/rsyslog as no-dsa for buster and stretch

2019-10-09 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6dd222e6 by Salvatore Bonaccorso at 2019-10-09T19:07:32Z
Mark CVE-2019-17041/rsyslog as no-dsa for buster and stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -689,6 +689,8 @@ CVE-2019-17042 (An issue was discovered in Rsyslog 
v8.1908.0. contrib/pmcisconam
NOTE: https://github.com/rsyslog/rsyslog/pull/3883
 CVE-2019-17041 (An issue was discovered in Rsyslog v8.1908.0. 
contrib/pmaixforwardedfr ...)
- rsyslog 
+   [buster] - rsyslog  (Minor issue, pmaixforwardedfrom module not 
enabled by default)
+   [stretch] - rsyslog  (Minor issue, pmaixforwardedfrom module 
not enabled by default)
NOTE: https://github.com/rsyslog/rsyslog/pull/3884
 CVE-2019-17040 (contrib/pmdb2diag/pmdb2diag.c in Rsyslog v8.1908.0 allows 
out-of-bound ...)
- rsyslog  (unimportant)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/6dd222e6b36f38b8021b51f43a097e1330bdacb2


[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-17042/rsyslog as no-dsa

2019-10-09 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c6f3f3e5 by Salvatore Bonaccorso at 2019-10-09T19:05:55Z
Mark CVE-2019-17042/rsyslog as no-dsa

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -684,6 +684,8 @@ CVE-2019-17043
RESERVED
 CVE-2019-17042 (An issue was discovered in Rsyslog v8.1908.0. 
contrib/pmcisconames/pmc ...)
- rsyslog 
+   [buster] - rsyslog  (Minor issue, pmcisconames module not 
enabled by default)
+   [stretch] - rsyslog  (Minor issue, pmcisconames module not 
enabled by default)
NOTE: https://github.com/rsyslog/rsyslog/pull/3883
 CVE-2019-17041 (An issue was discovered in Rsyslog v8.1908.0. 
contrib/pmaixforwardedfr ...)
- rsyslog 



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/c6f3f3e5bc7807e6543a45378cce4e00ea524db1


[Git][security-tracker-team/security-tracker][master] Add fixed version via unstable for CVE-2019-15753/python-os-vif

2019-10-09 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
20c4507f by Salvatore Bonaccorso at 2019-10-09T18:55:18Z
Add fixed version via unstable for CVE-2019-15753/python-os-vif

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4096,7 +4096,7 @@ CVE-2019-15755
 CVE-2019-15754
RESERVED
 CVE-2019-15753 (In OpenStack os-vif 1.15.x before 1.15.2, and 1.16.0, a 
hard-coded MAC ...)
-   - python-os-vif  (low; bug #939288)
+   - python-os-vif 1.15.2-1 (low; bug #939288)
[buster] - python-os-vif  (Vulnerable code introduced in 
1.15.0)
[stretch] - python-os-vif  (Vulnerable code introduced in 
1.15.0)
NOTE: https://security.openstack.org/ossa/OSSA-2019-004.html
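Review bot: the fixed version 1.15.2-1 agrees with the description's "1.15.x before 1.15.2", but the description also lists 1.16.0 as affected, and 1.16.0 sorts above 1.15.2-1, so an upload of the 1.16 series would be shown as fixed while still vulnerable; a NOTE naming the first fixed 1.16.x release (if OSSA-2019-004 gives one) would keep the entry correct when unstable moves on. The [buster] and [stretch] lines with "Vulnerable code introduced in 1.15.0" are consistent with the 1.15.x-only range in the description.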



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/20c4507f1847d0c1818516aa5cd23a719d8330c1


[Git][security-tracker-team/security-tracker][master] 2 commits: Add Debian bug reference for CVE-2019-16884/runc

2019-10-09 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
720206c8 by Salvatore Bonaccorso at 2019-10-09T18:51:57Z
Add Debian bug reference for CVE-2019-16884/runc

- - - - -
4dc41c18 by Salvatore Bonaccorso at 2019-10-09T18:52:49Z
Track golang-github-opencontainers-selinux source for CVE-2019-16884

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1068,7 +1068,8 @@ CVE-2019-16886
 CVE-2019-16885
RESERVED
 CVE-2019-16884 (runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce 
and other ...)
-   - runc 
+   - runc  (bug #942026)
+   - golang-github-opencontainers-selinux  (bug #942027)
NOTE: https://github.com/opencontainers/runc/issues/2128
 CVE-2019-16883
RESERVED
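Review bot: the second source package is added without a reference of its own; the only NOTE is the runc upstream issue, so a reader cannot tell why golang-github-opencontainers-selinux is tracked under this CVE (an embedded copy of the affected code, or a fix that has to land there before runc can pick it up). Add a NOTE stating that relationship, and the upstream commit on the selinux side if one exists, so that bug #942027 is not the only place the reasoning lives.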



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/634be0f36f227a7bb376d37a9acab26ba52aab8c...4dc41c18d9aea31ad3c01d5f970c2010d41b958e


[Git][security-tracker-team/security-tracker][master] Update affected status for CVE-2019-17266/libsoup2.4

2019-10-09 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
634be0f3 by Salvatore Bonaccorso at 2019-10-09T18:46:39Z
Update affected status for CVE-2019-17266/libsoup2.4

Thanks: Claudio Saavedra

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -186,6 +186,9 @@ CVE-2019-17267 (A Polymorphic Typing issue was discovered 
in FasterXML jackson-d
NOTE: 
https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2b77edd895ee756b7f75eb
 CVE-2019-17266 (libsoup through 2.68.1 has a heap-based buffer over-read 
because soup_ ...)
- libsoup2.4 2.68.2-1 (bug #941912)
+   [buster] - libsoup2.4  (Vulnerable code introduced in 
2.65.1)
+   [stretch] - libsoup2.4  (Vulnerable code introduced in 
2.65.1)
+   [jessie] - libsoup2.4  (Vulnerable code introduced in 
2.65.1)
NOTE: https://gitlab.gnome.org/GNOME/libsoup/issues/173 (private)
 CVE-2019-17265
RESERVED
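Review bot: the not-affected reason "Vulnerable code introduced in 2.65.1" is applied to three releases, but the only reference in the entry is the upstream issue that is marked (private), so nobody without access can check the claim. Record in a NOTE the upstream commit that introduced the affected soup_ code, or at least the function named in the full description, so the triage stays verifiable while the issue remains private.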



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/634be0f36f227a7bb376d37a9acab26ba52aab8c


[Git][security-tracker-team/security-tracker][master] 2 commits: Upstream issue for CVE-2019-17266 was later on made private

2019-10-09 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d7552b2b by Salvatore Bonaccorso at 2019-10-09T18:43:28Z
Upstream issue for CVE-2019-17266 was later on made private

- - - - -
3c208109 by Salvatore Bonaccorso at 2019-10-09T18:45:00Z
Add fixed version for CVE-2019-17266/libsoup2.4 in unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -185,8 +185,8 @@ CVE-2019-17267 (A Polymorphic Typing issue was discovered 
in FasterXML jackson-d
NOTE: https://github.com/FasterXML/jackson-databind/issues/2460
NOTE: 
https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2b77edd895ee756b7f75eb
 CVE-2019-17266 (libsoup through 2.68.1 has a heap-based buffer over-read 
because soup_ ...)
-   - libsoup2.4  (bug #941912)
-   NOTE: https://gitlab.gnome.org/GNOME/libsoup/issues/173 (embargoed?)
+   - libsoup2.4 2.68.2-1 (bug #941912)
+   NOTE: https://gitlab.gnome.org/GNOME/libsoup/issues/173 (private)
 CVE-2019-17265
RESERVED
 CVE-2019-17264 (In libyal liblnk before 20191006, 
liblnk_location_information_read_dat ...)
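Review bot: the fixed version 2.68.2-1 matches the description's "libsoup through 2.68.1", but with the upstream issue changed from "(embargoed?)" to "(private)" the entry now has no public fix reference at all; bug #941912 identifies the Debian bug, not the change. Add a NOTE with the fixing upstream commit or the 2.68.2 release reference once it is public so the fixed version can be verified independently of the private issue.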



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/5781ea472d3aba020168aea2521679fe4767b8c9...3c208109514d22358725d8f7518431e5ceb456da


[Git][security-tracker-team/security-tracker][master] Update note for CVE-2019-17266 - upstream issue appears to be private/embargoed.

2019-10-09 Thread Chris Lamb


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5781ea47 by Chris Lamb at 2019-10-09T16:15:10Z
Update note for CVE-2019-17266 - upstream issue appears to be private/embargoed.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -186,7 +186,7 @@ CVE-2019-17267 (A Polymorphic Typing issue was discovered 
in FasterXML jackson-d
NOTE: 
https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2b77edd895ee756b7f75eb
 CVE-2019-17266 (libsoup through 2.68.1 has a heap-based buffer over-read 
because soup_ ...)
- libsoup2.4  (bug #941912)
-   NOTE: https://gitlab.gnome.org/GNOME/libsoup/issues/173
+   NOTE: https://gitlab.gnome.org/GNOME/libsoup/issues/173 (embargoed?)
 CVE-2019-17265
RESERVED
 CVE-2019-17264 (In libyal liblnk before 20191006, 
liblnk_location_information_read_dat ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/5781ea472d3aba020168aea2521679fe4767b8c9


[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim libtomcrypt.

2019-10-09 Thread Chris Lamb


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
23a6da2c by Chris Lamb at 2019-10-09T16:14:16Z
data/dla-needed.txt: Claim libtomcrypt.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -92,7 +92,7 @@ libsdl1.2 (Hugo Lefeuvre)
   NOTE: regression introduced by the patch for CVE-2019-7637, several games 
broken
   NOTE: see https://lists.debian.org/debian-lts/2019/10/msg00039.html
 --
-libtomcrypt
+libtomcrypt (Chris Lamb)
 --
 linux (Ben Hutchings)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/23a6da2c4ad793a72cbba837fa4a239cbca3f59a


[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage libtomcrypt for jessie.

2019-10-09 Thread Chris Lamb


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2dd8960e by Chris Lamb at 2019-10-09T16:14:06Z
data/dla-needed.txt: Triage libtomcrypt for jessie.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -92,6 +92,8 @@ libsdl1.2 (Hugo Lefeuvre)
   NOTE: regression introduced by the patch for CVE-2019-7637, several games 
broken
   NOTE: see https://lists.debian.org/debian-lts/2019/10/msg00039.html
 --
+libtomcrypt
+--
 linux (Ben Hutchings)
 --
 linux-4.9 (Ben Hutchings)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2dd8960e6d7410bc5d5672c9a54cbdf36145f53f


[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim rsyslog.

2019-10-09 Thread Chris Lamb


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
35b81ce9 by Chris Lamb at 2019-10-09T16:12:50Z
data/dla-needed.txt: Claim rsyslog.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -130,7 +130,7 @@ radare2
   NOTE: Support status is being discussed at:
   NOTE: https://lists.debian.org/debian-lts/2019/08/msg00064.html
 --
-rsyslog
+rsyslog (Chris Lamb)
 --
 ruby-openid (Brian May)
   NOTE: 20190628: In discussion with upstream/rubygems maintainer regarding 
what the issue actually *is*. (lamby)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/35b81ce934de5562b035fd3cf6c93d1df69d1cea


[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage rsyslog for jessie.

2019-10-09 Thread Chris Lamb


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e2fdf8fa by Chris Lamb at 2019-10-09T16:12:36Z
data/dla-needed.txt: Triage rsyslog for jessie.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -130,6 +130,8 @@ radare2
   NOTE: Support status is being discussed at:
   NOTE: https://lists.debian.org/debian-lts/2019/08/msg00064.html
 --
+rsyslog
+--
 ruby-openid (Brian May)
   NOTE: 20190628: In discussion with upstream/rubygems maintainer regarding 
what the issue actually *is*. (lamby)
   NOTE: 20190701: Pinged bug (lamby)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/e2fdf8fac770f6bffbe7400e1bcb786e20e63407


[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage xen for jessie.

2019-10-09 Thread Chris Lamb


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
30d7e2f4 by Chris Lamb at 2019-10-09T16:09:20Z
data/dla-needed.txt: Triage xen for jessie.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -157,6 +157,8 @@ tika
 wordpress
   NOTE: 20190614: No upstream fix yet. (apo)
 --
+xen
+--
 xtrlock (Chris Lamb)
   NOTE: 20190822: WIP on #830726 (lamby)
   NOTE: 20190904: Need to get advice/pointer from libinput2 maintainers for a 
full patch. (lamby)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/30d7e2f460b9b574fdcb5fa9a5e5fd3112788cb4


[Git][security-tracker-team/security-tracker][master] 2 commits: Triage CVE-2019-16760 in cargo for jessie LTS.

2019-10-09 Thread Chris Lamb


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b8442586 by Chris Lamb at 2019-10-09T16:00:44Z
Triage CVE-2019-16760 in cargo for jessie LTS.

- - - - -
cbc66db1 by Chris Lamb at 2019-10-09T16:01:59Z
Triage CVE-2019-16375 in otrs2 for jessie LTS

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1404,6 +1404,7 @@ CVE-2019-16761
 CVE-2019-16760 (Cargo prior to Rust 1.26.0 may download the wrong dependency 
if your p ...)
- cargo 0.27.0-1
[stretch] - cargo  (Upcoming upgrade of Cargo for ESR68 will 
fix this)
+   [jessie] - cargo  (Upcoming upgrade of Cargo for ESR68 will 
fix this)
NOTE: https://rustsec.org/advisories/CVE-2019-16760.html
 CVE-2019-16759 (vBulletin 5.x through 5.5.4 allows remote command execution 
via the wi ...)
NOT-FOR-US: vBulletin
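Review bot: the new [jessie] line copies the stretch reason verbatim ("Upcoming upgrade of Cargo for ESR68 will fix this"), which ties the fix to a planned toolchain update; for jessie LTS the line should say that the same ESR68-driven cargo update is planned there too, otherwise the entry reads as postponed on a stretch-only plan. A NOTE pointing at the LTS discussion or bug tracking that upgrade would close the gap.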
@@ -2356,6 +2357,7 @@ CVE-2019-16375
- otrs2 6.0.23-1
[buster] - otrs2  (Non-free not supported)
[stretch] - otrs2  (Non-free not supported)
+   [jessie] - otrs2  (Non-free not supported)
NOTE: 
https://community.otrs.com/security-advisory-2019-13-security-update-for-otrs-framework/
NOTE: 
https://github.com/OTRS/otrs/commit/aeb33d800716e2a6653597aa86314c4cbdadb678 
(6.x)
NOTE: 
https://github.com/OTRS/otrs/commit/03ca8f396b1aa9933c212a63f52a9ea26c06e7da 
(5.x)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/e2ffc726a333af7694096bd77d21c1f2833fa016...cbc66db1b20e1a951c2040ec2f5f000909f594b5


[Git][security-tracker-team/security-tracker][master] CVE-2019-3689/nfs-util: fs.protected_symlinks would only help for +t...

2019-10-09 Thread Sylvain Beucler


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e2ffc726 by Sylvain Beucler at 2019-10-09T15:38:38Z
CVE-2019-3689/nfs-util: fs.protected_symlinks would only help for +t directories, which isn't the case for /var/lib/nfs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -38322,7 +38322,6 @@ CVE-2019-3689 (The nfs-utils package in SUSE Linux 
Enterprise Server 12 before a
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1150733
NOTE: When adressing this a related patch to make statd take the 
user-id from
NOTE: /var/lib/nfs/sm is needed, cf. 
https://bugzilla.suse.com/show_bug.cgi?id=1150733#c3
-   NOTE: Neutralised by kernel hardening
 CVE-2019-3688 (The /usr/sbin/pinger binary packaged with squid in SUSE Linux 
Enterpri ...)
TODO: check
 CVE-2019-3687
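Review bot: dropping the "Neutralised by kernel hardening" NOTE is justified by the commit message (fs.protected_symlinks only restricts symlinks in sticky world-writable directories, which /var/lib/nfs is not), but that reasoning now lives only in the git log; keep it as a NOTE on the entry so a later triager does not re-add the hardening argument. While here, the remaining NOTE has the typo "adressing", and the "statd take the user-id from /var/lib/nfs/sm" remark is split mid-sentence across two NOTE lines.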



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/e2ffc726a333af7694096bd77d21c1f2833fa016


[Git][security-tracker-team/security-tracker][master] dla: update CVE-2019-3689/nfs-util

2019-10-09 Thread Sylvain Beucler


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0fdc2f74 by Sylvain Beucler at 2019-10-09T14:48:14Z
dla: update CVE-2019-3689/nfs-util

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -105,7 +105,7 @@ milkytracker (Utkarsh Gupta)
 mosquitto (Thorsten Alteholz)
 --
 nfs-utils (Sylvain Beucler)
-  NOTE: 20190930: asked plans to package maintainer
+  NOTE: 20191009: proposed patch to upstream and sid, waiting for feedback 
before backport
 --
 nghttp2 (Mike Gabriel)
   NOTE: 20190930: nghttp2 in jessie is likely not affected by 
CVE-2019-95{11,13}.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/0fdc2f7480527490e2037e0cc3a4d38d7e94b912


[Git][security-tracker-team/security-tracker][master] Update version for unstable for CVE-2019-16760

2019-10-09 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
461b0e59 by Salvatore Bonaccorso at 2019-10-09T13:18:05Z
Update version for unstable for CVE-2019-16760

Open questions: is src:rust-cargo an issue as well? And is it needed to
track the rustc package as well? According to the upstream advisory,
both https://rustsec.org/advisories/CVE-2019-16760.html and the
oss-security post
https://marc.info/?l=oss-security&m=157055118009441&w=2 mention rust
releases before 1.26.0 as well.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1402,7 +1402,7 @@ CVE-2019-16762
 CVE-2019-16761
RESERVED
 CVE-2019-16760 (Cargo prior to Rust 1.26.0 may download the wrong dependency 
if your p ...)
-   - cargo 0.26.0-1
+   - cargo 0.27.0-1
[stretch] - cargo  (Upcoming upgrade of Cargo for ESR68 will 
fix this)
NOTE: https://rustsec.org/advisories/CVE-2019-16760.html
 CVE-2019-16759 (vBulletin 5.x through 5.5.4 allows remote command execution 
via the wi ...)
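Review bot: the commit message raises two open questions (whether src:rust-cargo is also affected, and whether rustc needs tracking because the advisory covers Rust releases before 1.26.0), but the hunk records only the version bump from 0.26.0-1 to 0.27.0-1; put those questions on the entry as TODO or NOTE lines so they are visible in the tracker rather than only in git history. The mapping from the description's "prior to Rust 1.26.0" to the Debian cargo version 0.27.0-1 also deserves a NOTE, since the entry gives no source for that version and the previous commit picked a different one.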



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/461b0e59c1c783f6f84e724ef3f83cb9acd7cbb4


[Git][security-tracker-team/security-tracker][master] NFUs

2019-10-09 Thread Sebastien Delafond


Sebastien Delafond pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
66991770 by Sébastien Delafond at 2019-10-09T12:30:29Z
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -520,27 +520,27 @@ CVE-2019-17110 (A security issue was discovered in 
kube-state-metrics 1.7.x befo
 CVE-2019-17109
RESERVED
 CVE-2019-17108 (Local file inclusion in brokerPerformance.php in Centreon Web 
before 2 ...)
-   TODO: check
+   NOT-FOR-US: Centreon web UI (not packaged in Debian)
 CVE-2019-17107 (minPlayCommand.php in Centreon Web before 2.8.27 allows 
authenticated  ...)
-   TODO: check
+   NOT-FOR-US: Centreon web UI (not packaged in Debian)
 CVE-2019-17106 (In Centreon Web through 2.8.29, disclosure of external 
components' pas ...)
-   TODO: check
+   NOT-FOR-US: Centreon web UI (not packaged in Debian)
 CVE-2019-17105 (The token generator in index.php in Centreon Web before 2.8.27 
is pred ...)
-   TODO: check
+   NOT-FOR-US: Centreon web UI (not packaged in Debian)
 CVE-2019-17104 (In Centreon VM through 19.04.3, the cookie configuration 
within the Ap ...)
-   TODO: check
+   NOT-FOR-US: Centreon web UI (not packaged in Debian)
 CVE-2018-21025 (In Centreon VM through 19.04.3, centreon-backup.pl allows 
attackers to ...)
-   TODO: check
+   NOT-FOR-US: Centreon web UI (not packaged in Debian)
 CVE-2018-21024 (licenseUpload.php in Centreon Web before 2.8.27 allows 
attackers to up ...)
-   TODO: check
+   NOT-FOR-US: Centreon web UI (not packaged in Debian)
 CVE-2018-21023 (getStats.php in Centreon Web before 2.8.28 allows 
authenticated attack ...)
-   TODO: check
+   NOT-FOR-US: Centreon web UI (not packaged in Debian)
 CVE-2018-21022 (makeXML_ListServices.php in Centreon Web before 2.8.28 allows 
attacker ...)
-   TODO: check
+   NOT-FOR-US: Centreon web UI (not packaged in Debian)
 CVE-2018-21021 (img_gantt.php in Centreon Web before 2.8.27 allows attackers 
to perfor ...)
-   TODO: check
+   NOT-FOR-US: Centreon web UI (not packaged in Debian)
 CVE-2018-21020 (In very rare cases, a PHP type juggling vulnerability in 
centreonAuth. ...)
-   TODO: check
+   NOT-FOR-US: Centreon web UI (not packaged in Debian)
 CVE-2019-17103
RESERVED
 CVE-2019-17102



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/66991770c1d1c8fb4330bd4e7db8deee4f12cab7


[Git][security-tracker-team/security-tracker][master] NFUs

2019-10-09 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
594ef57a by Moritz Muehlenhoff at 2019-10-09T11:54:21Z
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4106,17 +4106,17 @@ CVE-2017-18594 (nse_libssh2.cc in Nmap 7.70 is subject 
to a denial of service co
NOTE: https://github.com/nmap/nmap/issues/1227
NOTE: Crash in CLI tool, no security impact
 CVE-2019-15751 (An unrestricted file upload vulnerability in SITOS six Build 
v6.2.1 al ...)
-   TODO: check
+   NOT-FOR-US: SITOS
 CVE-2019-15750 (A Cross-Site Scripting (XSS) vulnerability in the blog 
function in SIT ...)
-   TODO: check
+   NOT-FOR-US: SITOS
 CVE-2019-15749 (SITOS six Build v6.2.1 allows a user to change their password 
and reco ...)
-   TODO: check
+   NOT-FOR-US: SITOS
 CVE-2019-15748 (SITOS six Build v6.2.1 permits unauthorised users to upload 
and import ...)
-   TODO: check
+   NOT-FOR-US: SITOS
 CVE-2019-15747 (SITOS six Build v6.2.1 allows a user with the user role of 
Seminar Coo ...)
-   TODO: check
+   NOT-FOR-US: SITOS
 CVE-2019-15746 (SITOS six Build v6.2.1 allows an attacker to inject arbitrary 
PHP comm ...)
-   TODO: check
+   NOT-FOR-US: SITOS
 CVE-2019-15745 (The Eques elf smart plug and the mobile app use a hardcoded 
AES 256 bi ...)
NOT-FOR-US: Eques elf smart plug
 CVE-2019-15744
@@ -7517,9 +7517,9 @@ CVE-2019-14659
 CVE-2019-14658
RESERVED
 CVE-2019-14657 (Yealink phones through 2019-08-04 have an issue with OpenVPN 
file uplo ...)
-   TODO: check
+   NOT-FOR-US: Yealink
 CVE-2019-14656 (Yealink phones through 2019-08-04 do not properly check user 
roles in  ...)
-   TODO: check
+   NOT-FOR-US: Yealink
 CVE-2019-14655
REJECTED
 CVE-2019-14654 (In Joomla! 3.9.7 and 3.9.8, inadequate filtering allows users 
authoris ...)
@@ -12414,7 +12414,7 @@ CVE-2019-13338 (In WESEEK GROWI before 3.5.0, a remote 
attacker can obtain the p
 CVE-2019-13337 (In WESEEK GROWI before 3.5.0, the site-wide basic 
authentication can b ...)
NOT-FOR-US: WESEEK GROWI
 CVE-2019-13336 (The dbell Wi-Fi Smart Video Doorbell DB01-S Gen 1 allows 
remote attack ...)
-   TODO: check
+   NOT-FOR-US: dbell Wi-Fi Smart Video Doorbell
 CVE-2019-13335 (SalesAgility SuiteCRM 7.10.x 7.10.19 and 7.11.x before and 
7.11.7 has  ...)
NOT-FOR-US: SalesAgility SuiteCRM
 CVE-2019-13334
@@ -13023,7 +13023,7 @@ CVE-2019-13121 [SSRF Vulnerability in Project GitHub 
Integration]
- gitlab 
NOTE: 
https://about.gitlab.com/2019/07/03/security-release-gitlab-12-dot-0-dot-3-released/
 CVE-2019-13120 (Amazon FreeRTOS up to and including v1.4.8 for AWS lacks 
length checki ...)
-   TODO: check
+   NOT-FOR-US: Amazon FreeRTOS
 CVE-2019-13119
RESERVED
 CVE-2019-13118 (In numbers.c in libxslt 1.1.33, a type holding grouping 
characters of  ...)
@@ -13910,9 +13910,9 @@ CVE-2019-12814 (A Polymorphic Typing issue was 
discovered in FasterXML jackson-d
 CVE-2019-12813 (An issue was discovered in Digital Persona U.are.U 4500 
Fingerprint Re ...)
NOT-FOR-US: Digital Persona U.are.U 4500 Fingerprint Reader
 CVE-2019-12812 (MyBuilder viewer before 6.2.2019.814 allow an attacker to 
execute arbi ...)
-   TODO: check
+   NOT-FOR-US: MyBuilder
 CVE-2019-12811 (ActiveX Control in MyBuilder before 6.2.2019.814 allow an 
attacker to  ...)
-   TODO: check
+   NOT-FOR-US: MyBuilder
 CVE-2019-12810 (A memory corruption vulnerability exists in the .PSD parsing 
functiona ...)
NOT-FOR-US: ALSee
 CVE-2019-12809 (Yes24ViewerX ActiveX Control 1.0.327.50126 and earlier 
versions contai ...)
@@ -18894,7 +18894,7 @@ CVE-2019-10971 (The application (Network Configurator 
for DeviceNet Safety 3.41
 CVE-2019-10970 (In Rockwell Automation PanelView 5510 (all versions 
manufactured befor ...)
NOT-FOR-US: Rockwell Automation PanelView
 CVE-2019-10969 (Moxa EDR 810, all versions 5.1 and prior, allows an 
authenticated atta ...)
-   TODO: check
+   NOT-FOR-US: Moxa
 CVE-2019-10968 (Philips Holter 2010 Plus, all versions. A vulnerability has 
been ident ...)
NOT-FOR-US: Philips Holter 2010 Plus
 CVE-2019-10967 (In Emerson Ovation OCR400 Controller 3.3.1 and earlier, a 
stack-based  ...)
@@ -18906,7 +18906,7 @@ CVE-2019-10965 (In Emerson Ovation OCR400 Controller 
3.3.1 and earlier, a heap-b
 CVE-2019-10964 (In Medtronic MinMed 508 and Medtronic Minimed Paradigm Insulin 
Pumps,  ...)
NOT-FOR-US: Medtronic
 CVE-2019-10963 (Moxa EDR 810, all versions 5.1 and prior, allows an 
unauthenticated at ...)
-   TODO: check
+   NOT-FOR-US: Moxa
 CVE-2019-10962 (BD Alaris Gateway versions, 1.0.13,1.1.3 Build 10,1.1.3 MR 
Build 11,1. ...)
NOT-FOR-US: BD Alaris Gateway
 CVE-2019-10961 (In Advantech WebAccess HMI Designer Version 2.1.9.23 

[Git][security-tracker-team/security-tracker][master] new ansible, cargo issues

2019-10-09 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fbb5d20c by Moritz Muehlenhoff at 2019-10-09T11:47:28Z
new ansible, cargo issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1402,7 +1402,9 @@ CVE-2019-16762
 CVE-2019-16761
RESERVED
 CVE-2019-16760 (Cargo prior to Rust 1.26.0 may download the wrong dependency 
if your p ...)
-   TODO: check
+   - cargo 0.26.0-1
+   [stretch] - cargo  (Upcoming upgrade of Cargo for ESR68 will 
fix this)
+   NOTE: https://rustsec.org/advisories/CVE-2019-16760.html
 CVE-2019-16759 (vBulletin 5.x through 5.5.4 allows remote command execution 
via the wi ...)
NOT-FOR-US: vBulletin
 CVE-2019-16758
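Review bot: the fixed version 0.26.0-1 is asserted without any reference linking cargo 0.26 to the "prior to Rust 1.26.0" boundary in the description, and the stretch line is marked as waiting on a future ESR68 toolchain upgrade; a NOTE stating how the cargo version was derived would let the next person verify it (a later commit in this thread changes it to 0.27.0-1, which shows the mapping was not obvious).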
@@ -6949,7 +6951,8 @@ CVE-2019-14848
 CVE-2019-14847
RESERVED
 CVE-2019-14846 (Ansible, all ansible_engine-2.x versions and 
ansible_engine-3.x up to  ...)
-   TODO: check
+   - ansible  (low)
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1755373
 CVE-2019-14845 (A vulnerability was found in OpenShift builds, versions 4.1 up 
to 4.3. ...)
NOT-FOR-US: OpenShift
 CVE-2019-14844 (A flaw was found in, Fedora versions of krb5 from 1.16.1 to, 
including ...)
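Review bot: the ansible entry records a severity of low and a Red Hat bugzilla link but no upstream fix reference and no affected-version range, while the description names ansible_engine-2.x and 3.x; add a NOTE with the upstream commit or the affected Debian versions so the (low) rating and the unfixed status can be checked against something concrete.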



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/fbb5d20c77058550064f67d0a6ee3f9be5ca530a


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-17362/libtomcrypt

2019-10-09 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5e053950 by Salvatore Bonaccorso at 2019-10-09T11:13:59Z
Add CVE-2019-17362/libtomcrypt

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -9,7 +9,9 @@ CVE-2019-17364
 CVE-2019-17363
RESERVED
 CVE-2019-17362 (In LibTomCrypt through 1.18.2, the der_decode_utf8_string 
function (in ...)
-   TODO: check
+   - libtomcrypt 
+   NOTE: https://github.com/libtom/libtomcrypt/issues/507
+   NOTE: https://github.com/libtom/libtomcrypt/pull/508
 CVE-2019-17361
RESERVED
 CVE-2019-17360
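Review bot: the entry references upstream issue 507 and PR 508 but does not say whether the PR is merged, so it is unclear whether a fixing commit can already be recorded; also, libtomcrypt is claimed in dla-needed.txt for jessie in this same batch, so a [jessie] triage line here would keep data/CVE/list and data/dla-needed.txt consistent.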



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/5e05395010d00833a115ae626d0f6f21804cf6f6


[Git][security-tracker-team/security-tracker][master] automatic update

2019-10-09 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
23a00922 by security tracker role at 2019-10-09T08:10:20Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,21 @@
+CVE-2019-17367
+   RESERVED
+CVE-2019-17366
+   RESERVED
+CVE-2019-17365
+   RESERVED
+CVE-2019-17364
+   RESERVED
+CVE-2019-17363
+   RESERVED
+CVE-2019-17362 (In LibTomCrypt through 1.18.2, the der_decode_utf8_string 
function (in ...)
+   TODO: check
+CVE-2019-17361
+   RESERVED
+CVE-2019-17360
+   RESERVED
+CVE-2018-21026
+   RESERVED
 CVE-2019-17359 (The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 
can trigge ...)
- bouncycastle  (Vulnerable code introduced n 1.63)
NOTE: Introduced only in 1.63, fixed in 1.64.
@@ -37424,8 +37442,8 @@ CVE-2019-3982
RESERVED
 CVE-2019-3981
RESERVED
-CVE-2019-3980
-   RESERVED
+CVE-2019-3980 (The Solarwinds Dameware Mini Remote Client agent v12.1.0.89 
supports s ...)
+   TODO: check
 CVE-2019-3979
RESERVED
 CVE-2019-3978
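Review bot: CVE-2019-3980 moves from RESERVED to a truncated Solarwinds Dameware description with `TODO: check`; that is the expected output of the automatic import, but the TODO stays open until someone decides whether the affected product corresponds to anything Debian ships and records that decision on the entry.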
@@ -48603,36 +48621,36 @@ CVE-2019-0383
RESERVED
 CVE-2019-0382
RESERVED
-CVE-2019-0381
-   RESERVED
-CVE-2019-0380
-   RESERVED
-CVE-2019-0379
-   RESERVED
-CVE-2019-0378
-   RESERVED
-CVE-2019-0377
-   RESERVED
-CVE-2019-0376
-   RESERVED
-CVE-2019-0375
-   RESERVED
-CVE-2019-0374
-   RESERVED
+CVE-2019-0381 (A binary planting in SAP SQL Anywhere, before version 17.0, SAP 
IQ, be ...)
+   TODO: check
+CVE-2019-0380 (Under certain conditions, SAP Landscape Management enterprise 
edition, ...)
+   TODO: check
+CVE-2019-0379 (In SAP NetWeaver Process Integration (AS2 Adapter), before 
versions 1. ...)
+   TODO: check
+CVE-2019-0378 (SAP BusinessObjects Business Intelligence Platform (Web 
Intelligence H ...)
+   TODO: check
+CVE-2019-0377 (SAP BusinessObjects Business Intelligence Platform (Web 
Intelligence H ...)
+   TODO: check
+CVE-2019-0376 (SAP BusinessObjects Business Intelligence Platform (Web 
Intelligence H ...)
+   TODO: check
+CVE-2019-0375 (SAP BusinessObjects Business Intelligence Platform (Web 
Intelligence H ...)
+   TODO: check
+CVE-2019-0374 (SAP BusinessObjects Business Intelligence Platform (Web 
Intelligence H ...)
+   TODO: check
 CVE-2019-0373
RESERVED
 CVE-2019-0372
RESERVED
 CVE-2019-0371
RESERVED
-CVE-2019-0370
-   RESERVED
-CVE-2019-0369
-   RESERVED
-CVE-2019-0368
-   RESERVED
-CVE-2019-0367
-   RESERVED
+CVE-2019-0370 (Due to missing input validation, SAP Financial Consolidation, 
before v ...)
+   TODO: check
+CVE-2019-0369 (SAP Financial Consolidation, before versions 10.0 and 10.1, 
does not s ...)
+   TODO: check
+CVE-2019-0368 (SAP Customer Relationship Management (Email Management), 
versions: S4C ...)
+   TODO: check
+CVE-2019-0367 (SAP NetWeaver Process Integration (B2B Toolkit), before 
versions 1.0 a ...)
+   TODO: check
 CVE-2019-0366
RESERVED
 CVE-2019-0365 (SAP Kernel (RFC), KRNL32NUC, KRNL32UC and KRNL64NUC before 
versions 7. ...)
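Review bot: five of the new SAP entries (CVE-2019-0374 through CVE-2019-0378) share the identical truncated description `SAP BusinessObjects Business Intelligence Platform (Web Intelligence H ...)`, so the tracker text alone cannot tell them apart; whoever clears these `TODO: check` lines should record the distinguishing detail of each from the full advisory text in a NOTE. As with the other automatic-update hunks, all twelve new entries remain `TODO: check` until triaged.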



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/23a00922c28b74ed5609235216fb7bddb1043795


[Git][security-tracker-team/security-tracker][master] dla-needed: add libsdl1.2

2019-10-09 Thread Hugo Lefeuvre


Hugo Lefeuvre pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
71151a11 by Hugo Lefeuvre at 2019-10-09T08:04:03Z
dla-needed: add libsdl1.2

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -88,6 +88,10 @@ libqb
   NOTE: 20190616: wherever it uses c->pid w/NAME_MAX. (lamby)
   NOTE: 20190619: See https://lists.debian.org/debian-lts/2019/06/msg00015.html
 --
+libsdl1.2 (Hugo Lefeuvre)
+  NOTE: regression introduced by the patch for CVE-2019-7637, several games 
broken
+  NOTE: see https://lists.debian.org/debian-lts/2019/10/msg00039.html
+--
 linux (Ben Hutchings)
 --
 linux-4.9 (Ben Hutchings)
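Review bot: the new libsdl1.2 entry records a regression from the CVE-2019-7637 patch but gives neither a Debian bug number nor the names of the affected games beyond `several games broken`; adding the bug reference (if one has been filed) and the dated `NOTE: 2019MMDD:` prefix that the libqb entry above uses would let later readers see when the regression was noticed and where it is tracked, rather than having to follow the list archive link.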



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/71151a114c661e9c59a997213924b7d8419a0f11


[Git][security-tracker-team/security-tracker][master] CVE-2018-20847/openjpeg2: add missing commit link

2019-10-09 Thread Hugo Lefeuvre


Hugo Lefeuvre pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a6bff21f by Hugo Lefeuvre at 2019-10-09T06:34:47Z
CVE-2018-20847/openjpeg2: add missing commit link

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13469,8 +13469,9 @@ CVE-2018-20847 (An improper computation of p_tx0, 
p_tx1, p_ty0 and p_ty1 in the
- openjpeg2 2.3.1-1 (low; bug #931294)
[buster] - openjpeg2  (Minor issue)
[stretch] - openjpeg2  (Minor issue)
-   NOTE: 
https://github.com/uclouvain/openjpeg/commit/5d00b719f4b93b1445e6fb4c766b9a9883c57949
NOTE: https://github.com/uclouvain/openjpeg/issues/431
+   NOTE: 
https://github.com/uclouvain/openjpeg/commit/5d00b719f4b93b1445e6fb4c766b9a9883c57949
+   NOTE: 
https://github.com/uclouvain/openjpeg/commit/2d24b6000d5611615e3e6d799e20d5fdbe4e2a1e
NOTE: 
https://github.com/uclouvain/openjpeg/commit/c58df149900df862806d0e892859b41115875845
 CVE-2018-20846 (Out-of-bounds accesses in the functions pi_next_lrcp, 
pi_next_rlcp, pi ...)
- openjpeg2  (unimportant)
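Review bot: the commit message says "add missing commit link", but the hunk also moves the existing 5d00b719 link below the issues/431 NOTE (it is removed and re-added), which makes the change look larger than it is; either keep the original ordering or mention the reorder in the message. Since the `- openjpeg2 2.3.1-1` fixed-version line is unchanged, it is worth confirming that the newly linked commit 2d24b6000d5611615e3e6d799e20d5fdbe4e2a1e is actually contained in that upload before the entry is relied on.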



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a6bff21fae65afdfc65ef6dfdcaddb8ad1ed3501


[Git][security-tracker-team/security-tracker][master] Claim ruby-openid

2019-10-09 Thread Brian May


Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7f28baec by Brian May at 2019-10-09T06:07:26Z
Claim ruby-openid

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -126,7 +126,7 @@ radare2
   NOTE: Support status is being discussed at:
   NOTE: https://lists.debian.org/debian-lts/2019/08/msg00064.html
 --
-ruby-openid
+ruby-openid (Brian May)
   NOTE: 20190628: In discussion with upstream/rubygems maintainer regarding 
what the issue actually *is*. (lamby)
   NOTE: 20190701: Pinged bug (lamby)
   NOTE: 20190705: Pinged bug (lamby)
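Review bot: the claim adds `(Brian May)` to the ruby-openid header but the NOTE history still ends with lamby's 20190705 entry; following the dated NOTE convention already used in this entry, a dated line recording the hand-over would make the change of ownership visible in the file itself and not only in git history.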



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/7f28baec8c015e852e03be89bb2c44c754f53a94
