[Git][security-tracker-team/security-tracker][master] Add fixed version via unstable for CVE-2019-16884/runc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4d51b0ef by Salvatore Bonaccorso at 2019-10-10T04:38:49Z Add fixed version via unstable for CVE-2019-16884/runc - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1162,7 +1162,7 @@ CVE-2019-16886 CVE-2019-16885 RESERVED CVE-2019-16884 (runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other ...) - - runc (bug #942026) + - runc 1.0.0~rc9+dfsg1-1 (bug #942026) - golang-github-opencontainers-selinux (bug #942027) NOTE: https://github.com/opencontainers/runc/issues/2128 CVE-2019-16883 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4d51b0efeeb37847681ee3a0b21deb6c98b6e6b9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4d51b0efeeb37847681ee3a0b21deb6c98b6e6b9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
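Review bot: in the `@@ -1162,7 +1162,7 @@` hunk only the runc line gains the fixed version `1.0.0~rc9+dfsg1-1`; the sibling `- golang-github-opencontainers-selinux (bug #942027)` line still has no version, so that source stays tracked as open in unstable. If the runc upload carries the complete fix on its own, a short NOTE saying whether the library package still needs a separate upload would keep the two lines from reading as a half-finished update.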
[Git][security-tracker-team/security-tracker][master] Add new libnbd issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ee1f0c22 by Salvatore Bonaccorso at 2019-10-10T04:14:39Z Add new libnbd issue Thanks: Paul Wise - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,8 @@ +CVE-2019- [Remote code execution vulnerability] + - libnbd + NOTE: https://www.redhat.com/archives/libguestfs/2019-October/msg00060.html + NOTE: https://github.com/libguestfs/libnbd/commit/f75f602a6361c0c5f42debfeea6980f698ce7f09 (1.1.4) + NOTE: https://github.com/libguestfs/libnbd/commit/2c1987fc23d6d0f537edc6d4701e95a2387f7917 (stable-1.0) CVE-2019-17406 RESERVED CVE-2019-17405 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ee1f0c22fa309b47852de6698a6652fca9cff33e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ee1f0c22fa309b47852de6698a6652fca9cff33e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
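Review bot: the new entry in `@@ -1,3 +1,8 @@` uses the placeholder id `CVE-2019-` and a bare `- libnbd` source line with no fixed version, although the two NOTE links already point at the upstream fix commits tagged (1.1.4) and (stable-1.0). Suggest adding the fixed Debian version once the upload lands and replacing the placeholder as soon as the id is assigned, so the entry does not linger as unfixed with the fix already known; there are also no per-suite lines, so every suite shipping libnbd is implicitly tracked as vulnerable.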
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1952-1 for rsyslog
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 25f9df85 by Chris Lamb at 2019-10-10T00:08:10Z Reserve DLA-1952-1 for rsyslog - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[09 Oct 2019] DLA-1952-1 rsyslog - security update + {CVE-2019-17041 CVE-2019-17042} + [jessie] - rsyslog 8.4.2-1+deb8u3 [09 Oct 2019] DLA-1951-1 libtomcrypt - security update {CVE-2019-17362} [jessie] - libtomcrypt 1.17-6+deb8u1 = data/dla-needed.txt = @@ -130,8 +130,6 @@ radare2 NOTE: Support status is being discussed at: NOTE: https://lists.debian.org/debian-lts/2019/08/msg00064.html -- -rsyslog (Chris Lamb) --- ruby-openid (Brian May) NOTE: 20190628: In discussion with upstream/rubygems maintainer regarding what the issue actually *is*. (lamby) NOTE: 20190701: Pinged bug (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/25f9df8512c093b73204e777656ad009f0043c0d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/25f9df8512c093b73204e777656ad009f0043c0d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
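Review bot: the DLA/list entry in the first hunk is dated `[09 Oct 2019]` while the commit landed at 2019-10-10T00:08:49Z; if the announcement goes out on the 10th the date field should follow it. The second hunk's removal of `rsyslog (Chris Lamb)` and its `--` separator from dla-needed.txt is the expected pairing with the reservation.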
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1951-1 for libtomcrypt
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: b01bca7e by Chris Lamb at 2019-10-09T21:13:48Z Reserve DLA-1951-1 for libtomcrypt - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[09 Oct 2019] DLA-1951-1 libtomcrypt - security update + {CVE-2019-17362} + [jessie] - libtomcrypt 1.17-6+deb8u1 [08 Oct 2019] DLA-1950-1 openjpeg2 - security update {CVE-2018-21010} [jessie] - openjpeg2 2.1.0-2+deb8u8 = data/dla-needed.txt = @@ -92,8 +92,6 @@ libsdl1.2 (Hugo Lefeuvre) NOTE: regression introduced by the patch for CVE-2019-7637, several games broken NOTE: see https://lists.debian.org/debian-lts/2019/10/msg00039.html -- -libtomcrypt (Chris Lamb) --- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b01bca7e88807e9c08b12603e919c5b6064ddbad -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b01bca7e88807e9c08b12603e919c5b6064ddbad You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update py27 references
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: dccceb52 by Moritz Muehlenhoff at 2019-10-09T20:49:33Z Update py27 references - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21116,9 +21116,11 @@ CVE-2019-10160 (A security regression of CVE-2019-9636 was discovered in python NOTE: Introduced by: https://github.com/python/cpython/commit/d537ab0ff9767ef024f26246899728f0116b1ec3 (v3.8.0a4) NOTE: Fixed by: https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e (v3.8.0b1) NOTE: https://github.com/python/cpython/commit/250b62acc59921d399f0db47db3b462cd6037e09 (3.7) - NOTE: https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de (2.7) NOTE: https://bugs.python.org/issue36742 - NOTE: Patch for 2.7 series introduces new problems, cf. https://bugs.python.org/issue36742#msg344981 + NOTE: Patches for 2.7: + NOTE: https://github.com/python/cpython/commit/98a4dcefbbc3bce5ab07e7c0830a183157250259 + NOTE: https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de + NOTE: https://github.com/python/cpython/commit/2b578479b96aa3deeeb8bac313a02b5cf3cb1aff CVE-2019-10159 (cfme-gemset versions 5.10.4.3 and below, 5.9.9.3 and below are vulnera ...) NOT-FOR-US: Red Hat CloudForms Management Engine CVE-2019-10158 @@ -21765,6 +21767,7 @@ CVE-2019-9947 (An issue was discovered in urllib2 in Python 2.x through 2.7.16 a NOTE: https://bugs.python.org/issue35906 NOTE: Introduced by: https://github.com/python/cpython/commit/cc54c1c0d2d05fe7404ba64c53df4b1352ed2262 NOTE: CVE-2019-9947 issue fixed with same fix as for CVE-2019-9740 + NOTE: Patch 2.7: https://github.com/python/cpython/commit/bb8071a4cae5ab3fe321481dd3d73662ffb26052 CVE-2019-9946 (Cloud Native Computing Foundation (CNCF) CNI (Container Networking Int ...) - kubernetes NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1692712 
@@ -23299,6 +23302,8 @@ CVE-2019-9740 (An issue was discovered in urllib2 in Python 2.x through 2.7.16 a [stretch] - python2.7 (Minor issue) NOTE: https://bugs.python.org/issue36276 NOTE: https://bugs.python.org/issue30458 + NOTE: CVE-2019-9947 issue fixed with same fix as for CVE-2019-9740 + NOTE: Patch 2.7: https://github.com/python/cpython/commit/bb8071a4cae5ab3fe321481dd3d73662ffb26052 CVE-2019-9739 RESERVED CVE-2019-9738 (jimmykuu Gopher 2.0 has DOM-based XSS via vectors involving the 'E ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dccceb521179c9b701887f1a0e56694ecd158c3a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dccceb521179c9b701887f1a0e56694ecd158c3a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
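Review bot: the first hunk (`@@ -21116,9 +21116,11 @@`) removes the line `NOTE: Patch for 2.7 series introduces new problems, cf. https://bugs.python.org/issue36742#msg344981` and replaces it with a bare list of three 2.7 commits, so the record that one of these patches caused a regression is lost; keep a one-line NOTE describing how the three commits relate (which one regressed, which ones repair it) so a backporter knows to take them together. The second and third hunks add the identical line `NOTE: CVE-2019-9947 issue fixed with same fix as for CVE-2019-9740` under both CVE-2019-9947 and CVE-2019-9740; under 9740 it reads backwards, and something like `NOTE: same fix also covers CVE-2019-9947` would be clearer there.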
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-17266/openssh
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8c9d5ab3 by Salvatore Bonaccorso at 2019-10-09T20:38:13Z Add CVE-2019-17266/openssh - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1084,7 +1084,11 @@ CVE-2019-16907 CVE-2019-16906 RESERVED CVE-2019-16905 (OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an expe ...) - TODO: check + - openssh (unimportant) + [stretch] - openssh (Vulnerable code introduced later) + [jessie] - openssh (Vulnerable code introduced later) + NOTE: Issue in experimental (and not enabled) XMSS implementation; futhermore there + NOTE: is not supported way to enable it when building openssh. CVE-2019-16904 (TeamPass 2.1.27.36 allows Stored XSS by setting a crafted password for ...) - teampass (bug #730180) CVE-2019-16903 (Platinum UPnP SDK 1.2.0 allows Directory Traversal in Core/PltHttpServ ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8c9d5ab31aab7679eaa3980ddb2eede60f538ce1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8c9d5ab31aab7679eaa3980ddb2eede60f538ce1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
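Review bot: in the `@@ -1084,7 +1084,11 @@` hunk the new NOTE text has two slips: `futhermore` should be `furthermore`, and `is not supported way to enable it` should read `is no supported way to enable it`. The `unimportant` rating rests on exactly those facts (experimental XMSS code, not enabled, no supported build switch), so they are worth stating cleanly.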
[Git][security-tracker-team/security-tracker][master] Process more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3fcdb510 by Salvatore Bonaccorso at 2019-10-09T20:33:08Z Process more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -54,31 +54,31 @@ CVE-2019-17382 (An issue was discovered in zabbix.php?action=dashboard.view CVE-2019-17381 RESERVED CVE-2019-17380 (cPanel before 82.0.15 allows self XSS in the WHM Update Preferences in ...) - TODO: check + NOT-FOR-US: cPanel CVE-2019-17379 (cPanel before 82.0.15 allows self stored XSS in the WHM SSL Storage Ma ...) - TODO: check + NOT-FOR-US: cPanel CVE-2019-17378 (cPanel before 82.0.15 allows self XSS in the SSL Key Delete interface ...) - TODO: check + NOT-FOR-US: cPanel CVE-2019-17377 (cPanel before 82.0.15 allows self XSS in LiveAPI example scripts (SEC- ...) - TODO: check + NOT-FOR-US: cPanel CVE-2019-17376 (cPanel before 82.0.15 allows self XSS in the SSL Certificate Upload in ...) - TODO: check + NOT-FOR-US: cPanel CVE-2019-17375 (cPanel before 82.0.15 allows API token credentials to persist after an ...) - TODO: check + NOT-FOR-US: cPanel CVE-2019-17374 RESERVED CVE-2019-17373 (Certain NETGEAR devices allow unauthenticated access to critical .cgi ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2019-17372 (Certain NETGEAR devices allow remote attackers to disable all authenti ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2019-17371 (libpng 1.6.37 has memory leaks in png_malloc_warn and png_create_info_ ...) TODO: check CVE-2019-17370 (OTCMS v3.85 allows arbitrary PHP Code Execution because admin/sysCheck ...) - TODO: check + NOT-FOR-US: OTCMS CVE-2019-17369 (OTCMS v3.85 has CSRF in the admin/member_deal.php Admin Panel page, le ...) - TODO: check + NOT-FOR-US: OTCMS CVE-2019-17368 (S-CMS v1.5 has XSS in tpl.php via the member/member_login.php from par ...) - TODO: check + NOT-FOR-US: S-CMS CVE-2019-17367 RESERVED CVE-2019-17366 
@@ -112,9 +112,9 @@ CVE-2019-17356 CVE-2019-17355 RESERVED CVE-2019-17354 (wan.htm page on Zyxel NBG-418N v2 with firmware version V1.00(AARP.9)C ...) - TODO: check + NOT-FOR-US: Zyxel CVE-2019-17353 (An issue discovered on D-Link DIR-615 devices with firmware version 20 ...) - TODO: check + NOT-FOR-US: D-Link CVE-2019-17352 (In JFinal cos before 2019-08-13, as used in JFinal 4.4, there is a vul ...) TODO: check CVE-2019-17339 @@ -561,7 +561,7 @@ CVE-2019-17133 (In the Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid in CVE-2019-17129 RESERVED CVE-2019-17128 (Netreo OmniCenter through 12.1.1 allows unauthenticated SQL Injection ...) - TODO: check + NOT-FOR-US: Netreo OmniCenter CVE-2019-17127 RESERVED CVE-2019-17126 @@ -569,7 +569,7 @@ CVE-2019-17126 CVE-2019-17125 RESERVED CVE-2019-17124 (Kramer VIAware 2.5.0719.1034 has Incorrect Access Control. ...) - TODO: check + NOT-FOR-US: Kramer VIAware CVE-2019-17123 RESERVED CVE-2019-17122 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3fcdb51086541c915ea7e2b8280e4c20cb6d3609 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3fcdb51086541c915ea7e2b8280e4c20cb6d3609 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
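Review bot: two entries keep `TODO: check` while all their neighbours become `NOT-FOR-US`: CVE-2019-17371 (libpng 1.6.37 memory leaks in png_malloc_warn and png_create_info_...) in the first hunk and CVE-2019-17352 (JFinal cos) in the `@@ -112,9 +112,9 @@` hunk. libpng is packaged in Debian, so that one is the only item in this batch that needs real triage and should get a follow-up rather than being left behind; for JFinal, confirm that skipping it was deliberate.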
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-17401
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 49bfd28e by Salvatore Bonaccorso at 2019-10-09T20:27:31Z Add CVE-2019-17401 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9,7 +9,10 @@ CVE-2019-17403 CVE-2019-17402 (Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in ...) TODO: check CVE-2019-17401 (libyal liblnk 20191006 has a heap-based buffer over-read in the networ ...) - TODO: check + - liblnk (low) + [buster] - liblnk (Minor issue) + [jessie] - liblnk (Minor issue) + NOTE: https://github.com/libyal/liblnk/issues/40 CVE-2019-17400 RESERVED CVE-2019-17399 (The Shack Forms Pro extension before 4.0.32 for Joomla! allows path tr ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/49bfd28edc9d993b25c0338d04698b823f562fd8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/49bfd28edc9d993b25c0338d04698b823f562fd8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
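Review bot: the `@@ -9,7 +9,10 @@` hunk adds `[buster] - liblnk (Minor issue)` and `[jessie] - liblnk (Minor issue)` but no `[stretch]` line, so stretch stays tracked as vulnerable with no no-dsa rationale while the releases on either side of it are marked. Unless stretch does not ship liblnk or ships a version without the affected code, add `[stretch] - liblnk (Minor issue)` (or a not-affected marker with its reason) for consistency.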
[Git][security-tracker-team/security-tracker][master] Process two NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 09733e51 by Salvatore Bonaccorso at 2019-10-09T20:28:41Z Process two NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16,7 +16,7 @@ CVE-2019-17401 (libyal liblnk 20191006 has a heap-based buffer over-read in the CVE-2019-17400 RESERVED CVE-2019-17399 (The Shack Forms Pro extension before 4.0.32 for Joomla! allows path tr ...) - TODO: check + NOT-FOR-US: Shack Forms Pro extension for Joomla! CVE-2019-17398 RESERVED CVE-2019-17397 @@ -36,7 +36,7 @@ CVE-2019-17391 CVE-2019-17390 RESERVED CVE-2019-17389 (In RIOT 2019.07, the MQTT-SN implementation (asymcute) mishandles erro ...) - TODO: check + NOT-FOR-US: RIOT RIOT-OS CVE-2019-17388 RESERVED CVE-2019-17387 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/09733e513ca85dc6dd5a34bcd00ce9f4c77d3528 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/09733e513ca85dc6dd5a34bcd00ce9f4c77d3528 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
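Review bot: in the second hunk `NOT-FOR-US: RIOT RIOT-OS` doubles the product name; the other NFU entries in this file use a single name after the tag, so `NOT-FOR-US: RIOT-OS` would match the convention.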
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a0c4b38f by Salvatore Bonaccorso at 2019-10-09T20:18:41Z Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -41,9 +41,9 @@ CVE-2019-17387 CVE-2019-17386 RESERVED CVE-2019-17385 (The animate-it plugin before 2.3.5 for WordPress has XSS. ...) - TODO: check + NOT-FOR-US: animate-it plugin for WordPress CVE-2019-17384 (The animate-it plugin before 2.3.4 for WordPress has XSS. ...) - TODO: check + NOT-FOR-US: animate-it plugin for WordPress CVE-2019-17383 (The netaddr gem before 2.0.4 for Ruby has misconfigured file permissio ...) TODO: check CVE-2019-17382 (An issue was discovered in zabbix.php?action=dashboard.viewdashbo ...) @@ -36375,7 +36375,7 @@ CVE-2019-4560 CVE-2019-4559 RESERVED CVE-2019-4558 (A security vulnerability has been identified in all levels of IBM Spec ...) - TODO: check + NOT-FOR-US: IBM CVE-2019-4557 RESERVED CVE-2019-4556 @@ -36467,7 +36467,7 @@ CVE-2019-4514 (IBM Security Key Lifecycle Manager 2.6, 2.7, 3.0, and 3.0.1 discl CVE-2019-4513 (IBM Security Access Manager for Enterprise Single Sign-On 8.2.2 is vul ...) NOT-FOR-US: IBM CVE-2019-4512 (IBM Maximo Asset Management 7.6.1.1 generates an error message that in ...) - TODO: check + NOT-FOR-US: IBM CVE-2019-4511 RESERVED CVE-2019-4510 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a0c4b38fc6017f9fafb73c5515eb020b272a7585 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a0c4b38fc6017f9fafb73c5515eb020b272a7585 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
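Review bot: in the first hunk (`@@ -41,9 +41,9 @@`) CVE-2019-17383 (`The netaddr gem before 2.0.4 for Ruby has misconfigured file permissio ...`) is left at `TODO: check` between two entries that are marked NFU. A Ruby gem is a plausible Debian source package, so this looks intentionally deferred rather than overlooked; a quick check of whether the gem is packaged would let it be closed either way in the next pass.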
[Git][security-tracker-team/security-tracker][master] Update rationale for no-dsa CVE-2019-16375 in otrs2
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 4078fc61 by Chris Lamb at 2019-10-09T20:16:32Z Update rationale for no-dsa CVE-2019-16375 in otrs2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2443,7 +2443,7 @@ CVE-2019-16375 - otrs2 6.0.23-1 [buster] - otrs2 (Non-free not supported) [stretch] - otrs2 (Non-free not supported) - [jessie] - otrs2 (Non-free not supported) + [jessie] - otrs2 (Minor issue) NOTE: https://community.otrs.com/security-advisory-2019-13-security-update-for-otrs-framework/ NOTE: https://github.com/OTRS/otrs/commit/aeb33d800716e2a6653597aa86314c4cbdadb678 (6.x) NOTE: https://github.com/OTRS/otrs/commit/03ca8f396b1aa9933c212a63f52a9ea26c06e7da (5.x) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4078fc611b844663b572dd84407dcd46082b5379 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4078fc611b844663b572dd84407dcd46082b5379 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
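Review bot: the `@@ -2443,7 +2443,7 @@` hunk changes only the jessie line from `(Non-free not supported)` to `(Minor issue)`, leaving `[buster]` and `[stretch]` with the non-free rationale. The three suites now give two different reasons for the same no-dsa decision: if the issue is minor it is minor in every suite, and if the non-free rationale held for jessie before, it is unclear why it no longer does. Either align all three lines or add a NOTE explaining why jessie is judged differently.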
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 66956b59 by security tracker role at 2019-10-09T20:10:20Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,81 @@ +CVE-2019-17406 + RESERVED +CVE-2019-17405 + RESERVED +CVE-2019-17404 + RESERVED +CVE-2019-17403 + RESERVED +CVE-2019-17402 (Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in ...) + TODO: check +CVE-2019-17401 (libyal liblnk 20191006 has a heap-based buffer over-read in the networ ...) + TODO: check +CVE-2019-17400 + RESERVED +CVE-2019-17399 (The Shack Forms Pro extension before 4.0.32 for Joomla! allows path tr ...) + TODO: check +CVE-2019-17398 + RESERVED +CVE-2019-17397 + RESERVED +CVE-2019-17396 + RESERVED +CVE-2019-17395 + RESERVED +CVE-2019-17394 + RESERVED +CVE-2019-17393 + RESERVED +CVE-2019-17392 + RESERVED +CVE-2019-17391 + RESERVED +CVE-2019-17390 + RESERVED +CVE-2019-17389 (In RIOT 2019.07, the MQTT-SN implementation (asymcute) mishandles erro ...) + TODO: check +CVE-2019-17388 + RESERVED +CVE-2019-17387 + RESERVED +CVE-2019-17386 + RESERVED +CVE-2019-17385 (The animate-it plugin before 2.3.5 for WordPress has XSS. ...) + TODO: check +CVE-2019-17384 (The animate-it plugin before 2.3.4 for WordPress has XSS. ...) + TODO: check +CVE-2019-17383 (The netaddr gem before 2.0.4 for Ruby has misconfigured file permissio ...) + TODO: check +CVE-2019-17382 (An issue was discovered in zabbix.php?action=dashboard.viewdashbo ...) + TODO: check +CVE-2019-17381 + RESERVED +CVE-2019-17380 (cPanel before 82.0.15 allows self XSS in the WHM Update Preferences in ...) + TODO: check +CVE-2019-17379 (cPanel before 82.0.15 allows self stored XSS in the WHM SSL Storage Ma ...) + TODO: check +CVE-2019-17378 (cPanel before 82.0.15 allows self XSS in the SSL Key Delete interface ...) + TODO: check +CVE-2019-17377 (cPanel before 82.0.15 allows self XSS in LiveAPI example scripts (SEC- ...) + TODO: check +CVE-2019-17376 (cPanel before 82.0.15 allows self XSS in the SSL Certificate Upload in ...) + TODO: check +CVE-2019-17375 (cPanel before 82.0.15 allows API token credentials to persist after an ...) 
+ TODO: check +CVE-2019-17374 + RESERVED +CVE-2019-17373 (Certain NETGEAR devices allow unauthenticated access to critical .cgi ...) + TODO: check +CVE-2019-17372 (Certain NETGEAR devices allow remote attackers to disable all authenti ...) + TODO: check +CVE-2019-17371 (libpng 1.6.37 has memory leaks in png_malloc_warn and png_create_info_ ...) + TODO: check +CVE-2019-17370 (OTCMS v3.85 allows arbitrary PHP Code Execution because admin/sysCheck ...) + TODO: check +CVE-2019-17369 (OTCMS v3.85 has CSRF in the admin/member_deal.php Admin Panel page, le ...) + TODO: check +CVE-2019-17368 (S-CMS v1.5 has XSS in tpl.php via the member/member_login.php from par ...) + TODO: check CVE-2019-17367 RESERVED CVE-2019-17366 @@ -30,10 +108,10 @@ CVE-2019-17356 RESERVED CVE-2019-17355 RESERVED -CVE-2019-17354 - RESERVED -CVE-2019-17353 - RESERVED +CVE-2019-17354 (wan.htm page on Zyxel NBG-418N v2 with firmware version V1.00(AARP.9)C ...) + TODO: check +CVE-2019-17353 (An issue discovered on D-Link DIR-615 devices with firmware version 20 ...) + TODO: check CVE-2019-17352 (In JFinal cos before 2019-08-13, as used in JFinal 4.4, there is a vul ...) TODO: check CVE-2019-17339 @@ -184,7 +262,7 @@ CVE-2019-17267 (A Polymorphic Typing issue was discovered in FasterXML jackson-d - jackson-databind 2.10.0-1 NOTE: https://github.com/FasterXML/jackson-databind/issues/2460 NOTE: https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2b77edd895ee756b7f75eb -CVE-2019-17266 (libsoup through 2.68.1 has a heap-based buffer over-read because soup_ ...) +CVE-2019-17266 (libsoup from versions 2.65.1 until 2.68.1 have a heap-based buffer ove ...) - libsoup2.4 2.68.2-1 (bug #941912) [buster] - libsoup2.4 (Vulnerable code introduced in 2.65.1) [stretch] - libsoup2.4 (Vulnerable code introduced in 2.65.1) 
@@ -479,16 +557,16 @@ CVE-2019-17133 (In the Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid in NOTE: https://marc.info/?l=linux-wireless=157018270915487=2 CVE-2019-17129 RESERVED -CVE-2019-17128 - RESERVED +CVE-2019-17128 (Netreo OmniCenter through 12.1.1 allows unauthenticated SQL Injection ...) + TODO: check CVE-2019-17127 RESERVED CVE-2019-17126 RESERVED CVE-2019-17125 RESERVED -CVE-2019-17124 - RESERVED +CVE-2019-17124 (Kramer VIAware
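Review bot: the notification is cut off inside the `@@ -479,16 +557,16 @@` hunk after `CVE-2019-17124 (Kramer VIAware`, so the rest of this automatic update cannot be reviewed from the mail; check the full commit on GitLab. Within the visible part, the `@@ -184,7 +262,7 @@` hunk rewrites the CVE-2019-17266 description to `libsoup from versions 2.65.1 until 2.68.1`, which agrees with the `Vulnerable code introduced in 2.65.1` annotations on the suite lines beneath it, so no manual correction is needed there; the remaining hunks only turn RESERVED placeholders into `TODO: check` entries for the triage pass.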
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-17041/rsyslog
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 602eb5fa by Salvatore Bonaccorso at 2019-10-09T19:13:12Z Add Debian bug reference for CVE-2019-17041/rsyslog - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -688,7 +688,7 @@ CVE-2019-17042 (An issue was discovered in Rsyslog v8.1908.0. contrib/pmcisconam [stretch] - rsyslog (Minor issue, pmcisconames module not enabled by default) NOTE: https://github.com/rsyslog/rsyslog/pull/3883 CVE-2019-17041 (An issue was discovered in Rsyslog v8.1908.0. contrib/pmaixforwardedfr ...) - - rsyslog + - rsyslog (bug #942067) [buster] - rsyslog (Minor issue, pmaixforwardedfrom module not enabled by default) [stretch] - rsyslog (Minor issue, pmaixforwardedfrom module not enabled by default) NOTE: https://github.com/rsyslog/rsyslog/pull/3884 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/602eb5fae0d9b31dc1e1f81ada763410853abaeb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/602eb5fae0d9b31dc1e1f81ada763410853abaeb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug tracking information for CVE-2019-17042/rsyslog
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 917138cb by Salvatore Bonaccorso at 2019-10-09T19:10:37Z Add Debian bug tracking information for CVE-2019-17042/rsyslog - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -683,7 +683,7 @@ CVE-2019-17044 CVE-2019-17043 RESERVED CVE-2019-17042 (An issue was discovered in Rsyslog v8.1908.0. contrib/pmcisconames/pmc ...) - - rsyslog + - rsyslog (bug #942065) [buster] - rsyslog (Minor issue, pmcisconames module not enabled by default) [stretch] - rsyslog (Minor issue, pmcisconames module not enabled by default) NOTE: https://github.com/rsyslog/rsyslog/pull/3883 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/917138cb6271f6f625a736adac4c0b0b18c26208 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/917138cb6271f6f625a736adac4c0b0b18c26208 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-17041/rsyslog as no-dsa for buster and stretch
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6dd222e6 by Salvatore Bonaccorso at 2019-10-09T19:07:32Z Mark CVE-2019-17041/rsyslog as no-dsa for buster and stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -689,6 +689,8 @@ CVE-2019-17042 (An issue was discovered in Rsyslog v8.1908.0. contrib/pmcisconam NOTE: https://github.com/rsyslog/rsyslog/pull/3883 CVE-2019-17041 (An issue was discovered in Rsyslog v8.1908.0. contrib/pmaixforwardedfr ...) - rsyslog + [buster] - rsyslog (Minor issue, pmaixforwardedfrom module not enabled by default) + [stretch] - rsyslog (Minor issue, pmaixforwardedfrom module not enabled by default) NOTE: https://github.com/rsyslog/rsyslog/pull/3884 CVE-2019-17040 (contrib/pmdb2diag/pmdb2diag.c in Rsyslog v8.1908.0 allows out-of-bound ...) - rsyslog (unimportant) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6dd222e6b36f38b8021b51f43a097e1330bdacb2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6dd222e6b36f38b8021b51f43a097e1330bdacb2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
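Review bot: the `@@ -689,6 +689,8 @@` hunk marks buster and stretch no-dsa with `pmaixforwardedfrom module not enabled by default` but adds no `[jessie]` line, so jessie stays tracked as open for CVE-2019-17041 although the same rationale applies to any build with that module disabled. If jessie is intentionally left to the LTS team, fine; otherwise add the matching marker so the decision is recorded.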
[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-17042/rsyslog as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c6f3f3e5 by Salvatore Bonaccorso at 2019-10-09T19:05:55Z Mark CVE-2019-17042/rsyslog as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -684,6 +684,8 @@ CVE-2019-17043 RESERVED CVE-2019-17042 (An issue was discovered in Rsyslog v8.1908.0. contrib/pmcisconames/pmc ...) - rsyslog + [buster] - rsyslog (Minor issue, pmcisconames module not enabled by default) + [stretch] - rsyslog (Minor issue, pmcisconames module not enabled by default) NOTE: https://github.com/rsyslog/rsyslog/pull/3883 CVE-2019-17041 (An issue was discovered in Rsyslog v8.1908.0. contrib/pmaixforwardedfr ...) - rsyslog View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c6f3f3e5bc7807e6543a45378cce4e00ea524db1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c6f3f3e5bc7807e6543a45378cce4e00ea524db1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
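Review bot: in `@@ -684,6 +684,8 @@` the `[buster]` and `[stretch]` lines get the `pmcisconames module not enabled by default` rationale while no `[jessie]` line is added for CVE-2019-17042, so that suite remains listed as vulnerable with no decision recorded. Either add `[jessie] - rsyslog (Minor issue, pmcisconames module not enabled by default)` or leave a NOTE that jessie is for the LTS team to triage.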
[Git][security-tracker-team/security-tracker][master] Add fixed version via unstable for CVE-2019-15753/python-os-vif
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 20c4507f by Salvatore Bonaccorso at 2019-10-09T18:55:18Z Add fixed version via unstable for CVE-2019-15753/python-os-vif - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4096,7 +4096,7 @@ CVE-2019-15755 CVE-2019-15754 RESERVED CVE-2019-15753 (In OpenStack os-vif 1.15.x before 1.15.2, and 1.16.0, a hard-coded MAC ...) - - python-os-vif (low; bug #939288) + - python-os-vif 1.15.2-1 (low; bug #939288) [buster] - python-os-vif (Vulnerable code introduced in 1.15.0) [stretch] - python-os-vif (Vulnerable code introduced in 1.15.0) NOTE: https://security.openstack.org/ossa/OSSA-2019-004.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/20c4507f1847d0c1818516aa5cd23a719d8330c1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/20c4507f1847d0c1818516aa5cd23a719d8330c1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Add Debian bug reference for CVE-2019-16884/runc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 720206c8 by Salvatore Bonaccorso at 2019-10-09T18:51:57Z Add Debian bug reference for CVE-2019-16884/runc - - - - - 4dc41c18 by Salvatore Bonaccorso at 2019-10-09T18:52:49Z Track golang-github-opencontainers-selinux source for CVE-2019-16884 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1068,7 +1068,8 @@ CVE-2019-16886 CVE-2019-16885 RESERVED CVE-2019-16884 (runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other ...) - - runc + - runc (bug #942026) + - golang-github-opencontainers-selinux (bug #942027) NOTE: https://github.com/opencontainers/runc/issues/2128 CVE-2019-16883 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/634be0f36f227a7bb376d37a9acab26ba52aab8c...4dc41c18d9aea31ad3c01d5f970c2010d41b958e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/634be0f36f227a7bb376d37a9acab26ba52aab8c...4dc41c18d9aea31ad3c01d5f970c2010d41b958e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
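Review bot: the `@@ -1068,7 +1068,8 @@` hunk adds `- golang-github-opencontainers-selinux (bug #942027)` as a second affected source under CVE-2019-16884, but the only reference remains `NOTE: https://github.com/opencontainers/runc/issues/2128`, which is the runc issue. A NOTE pointing at the library-side fix, or a sentence stating how the two sources relate, would record why a second source package is tracked here and make the later fixed-version bookkeeping for both packages easier to verify.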
[Git][security-tracker-team/security-tracker][master] Update affected status for CVE-2019-17266/libsoup2.4
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 634be0f3 by Salvatore Bonaccorso at 2019-10-09T18:46:39Z Update affected status for CVE-2019-17266/libsoup2.4 Thanks: Claudio Saavedra - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -186,6 +186,9 @@ CVE-2019-17267 (A Polymorphic Typing issue was discovered in FasterXML jackson-d NOTE: https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2b77edd895ee756b7f75eb CVE-2019-17266 (libsoup through 2.68.1 has a heap-based buffer over-read because soup_ ...) - libsoup2.4 2.68.2-1 (bug #941912) + [buster] - libsoup2.4 (Vulnerable code introduced in 2.65.1) + [stretch] - libsoup2.4 (Vulnerable code introduced in 2.65.1) + [jessie] - libsoup2.4 (Vulnerable code introduced in 2.65.1) NOTE: https://gitlab.gnome.org/GNOME/libsoup/issues/173 (private) CVE-2019-17265 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/634be0f36f227a7bb376d37a9acab26ba52aab8c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/634be0f36f227a7bb376d37a9acab26ba52aab8c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
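Review bot: the three added "(Vulnerable code introduced in 2.65.1)" markers rest on information nobody outside can verify, since the only NOTE points at an issue marked "(private)"; record the upstream commit that introduced the vulnerable code in a NOTE so the not-affected status for buster, stretch and jessie can be re-checked later.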
[Git][security-tracker-team/security-tracker][master] 2 commits: Upstream issue for CVE-2019-17266 was later on made private
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d7552b2b by Salvatore Bonaccorso at 2019-10-09T18:43:28Z Upstream issue for CVE-2019-17266 was later on made private - - - - - 3c208109 by Salvatore Bonaccorso at 2019-10-09T18:45:00Z Add fixed version for CVE-2019-17266/libsoup2.4 in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -185,8 +185,8 @@ CVE-2019-17267 (A Polymorphic Typing issue was discovered in FasterXML jackson-d NOTE: https://github.com/FasterXML/jackson-databind/issues/2460 NOTE: https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2b77edd895ee756b7f75eb CVE-2019-17266 (libsoup through 2.68.1 has a heap-based buffer over-read because soup_ ...) - - libsoup2.4 (bug #941912) - NOTE: https://gitlab.gnome.org/GNOME/libsoup/issues/173 (embargoed?) + - libsoup2.4 2.68.2-1 (bug #941912) + NOTE: https://gitlab.gnome.org/GNOME/libsoup/issues/173 (private) CVE-2019-17265 RESERVED CVE-2019-17264 (In libyal liblnk before 20191006, liblnk_location_information_read_dat ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/5781ea472d3aba020168aea2521679fe4767b8c9...3c208109514d22358725d8f7518431e5ceb456da -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/5781ea472d3aba020168aea2521679fe4767b8c9...3c208109514d22358725d8f7518431e5ceb456da You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
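Review bot: the fixed version 2.68.2-1 is recorded without a link to the upstream fix, and with the issue now annotated "(private)" there is no public trail at all; add a NOTE with the fixing commit in libsoup's repository next to the issue link so backports for the older suites have something to start from.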
[Git][security-tracker-team/security-tracker][master] Update note for CVE-2019-17266 - upstream issue appears to be private/embargoed.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 5781ea47 by Chris Lamb at 2019-10-09T16:15:10Z Update note for CVE-2019-17266 - upstream issue appears to be private/embargoed. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -186,7 +186,7 @@ CVE-2019-17267 (A Polymorphic Typing issue was discovered in FasterXML jackson-d NOTE: https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2b77edd895ee756b7f75eb CVE-2019-17266 (libsoup through 2.68.1 has a heap-based buffer over-read because soup_ ...) - libsoup2.4 (bug #941912) - NOTE: https://gitlab.gnome.org/GNOME/libsoup/issues/173 + NOTE: https://gitlab.gnome.org/GNOME/libsoup/issues/173 (embargoed?) CVE-2019-17265 RESERVED CVE-2019-17264 (In libyal liblnk before 20191006, liblnk_location_information_read_dat ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5781ea472d3aba020168aea2521679fe4767b8c9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5781ea472d3aba020168aea2521679fe4767b8c9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim libtomcrypt.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 23a6da2c by Chris Lamb at 2019-10-09T16:14:16Z data/dla-needed.txt: Claim libtomcrypt. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -92,7 +92,7 @@ libsdl1.2 (Hugo Lefeuvre) NOTE: regression introduced by the patch for CVE-2019-7637, several games broken NOTE: see https://lists.debian.org/debian-lts/2019/10/msg00039.html -- -libtomcrypt +libtomcrypt (Chris Lamb) -- linux (Ben Hutchings) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/23a6da2c4ad793a72cbba837fa4a239cbca3f59a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/23a6da2c4ad793a72cbba837fa4a239cbca3f59a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage libtomcrypt for jessie.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 2dd8960e by Chris Lamb at 2019-10-09T16:14:06Z data/dla-needed.txt: Triage libtomcrypt for jessie. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -92,6 +92,8 @@ libsdl1.2 (Hugo Lefeuvre) NOTE: regression introduced by the patch for CVE-2019-7637, several games broken NOTE: see https://lists.debian.org/debian-lts/2019/10/msg00039.html -- +libtomcrypt +-- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2dd8960e6d7410bc5d5672c9a54cbdf36145f53f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2dd8960e6d7410bc5d5672c9a54cbdf36145f53f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
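Review bot: the new libtomcrypt entry is added with no NOTE stating which CVE prompted the triage, unlike the neighbouring libsdl1.2 entry in the context lines; add a NOTE naming the CVE (and the upstream issue or pull request) so the claimer does not have to rediscover the scope from data/CVE/list.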
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim rsyslog.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 35b81ce9 by Chris Lamb at 2019-10-09T16:12:50Z data/dla-needed.txt: Claim rsyslog. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -130,7 +130,7 @@ radare2 NOTE: Support status is being discussed at: NOTE: https://lists.debian.org/debian-lts/2019/08/msg00064.html -- -rsyslog +rsyslog (Chris Lamb) -- ruby-openid (Brian May) NOTE: 20190628: In discussion with upstream/rubygems maintainer regarding what the issue actually *is*. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/35b81ce934de5562b035fd3cf6c93d1df69d1cea -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/35b81ce934de5562b035fd3cf6c93d1df69d1cea You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage rsyslog for jessie.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: e2fdf8fa by Chris Lamb at 2019-10-09T16:12:36Z data/dla-needed.txt: Triage rsyslog for jessie. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -130,6 +130,8 @@ radare2 NOTE: Support status is being discussed at: NOTE: https://lists.debian.org/debian-lts/2019/08/msg00064.html -- +rsyslog +-- ruby-openid (Brian May) NOTE: 20190628: In discussion with upstream/rubygems maintainer regarding what the issue actually *is*. (lamby) NOTE: 20190701: Pinged bug (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e2fdf8fac770f6bffbe7400e1bcb786e20e63407 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e2fdf8fac770f6bffbe7400e1bcb786e20e63407 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage xen for jessie.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 30d7e2f4 by Chris Lamb at 2019-10-09T16:09:20Z data/dla-needed.txt: Triage xen for jessie. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -157,6 +157,8 @@ tika wordpress NOTE: 20190614: No upstream fix yet. (apo) -- +xen +-- xtrlock (Chris Lamb) NOTE: 20190822: WIP on #830726 (lamby) NOTE: 20190904: Need to get advice/pointer from libinput2 maintainers for a full patch. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/30d7e2f460b9b574fdcb5fa9a5e5fd3112788cb4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/30d7e2f460b9b574fdcb5fa9a5e5fd3112788cb4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
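Review bot: the bare "xen" entry gives no CVE list, which matters more for xen than for most packages since several advisories are usually open at once; add a NOTE with the CVEs in scope for jessie so whoever claims it can tell which issues the dla-needed entry is meant to close.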
[Git][security-tracker-team/security-tracker][master] 2 commits: Triage CVE-2019-16760 in cargo for jessie LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: b8442586 by Chris Lamb at 2019-10-09T16:00:44Z Triage CVE-2019-16760 in cargo for jessie LTS. - - - - - cbc66db1 by Chris Lamb at 2019-10-09T16:01:59Z Triage CVE-2019-16375 in otrs2 for jessie LTS - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1404,6 +1404,7 @@ CVE-2019-16761 CVE-2019-16760 (Cargo prior to Rust 1.26.0 may download the wrong dependency if your p ...) - cargo 0.27.0-1 [stretch] - cargo (Upcoming upgrade of Cargo for ESR68 will fix this) + [jessie] - cargo (Upcoming upgrade of Cargo for ESR68 will fix this) NOTE: https://rustsec.org/advisories/CVE-2019-16760.html CVE-2019-16759 (vBulletin 5.x through 5.5.4 allows remote command execution via the wi ...) NOT-FOR-US: vBulletin @@ -2356,6 +2357,7 @@ CVE-2019-16375 - otrs2 6.0.23-1 [buster] - otrs2 (Non-free not supported) [stretch] - otrs2 (Non-free not supported) + [jessie] - otrs2 (Non-free not supported) NOTE: https://community.otrs.com/security-advisory-2019-13-security-update-for-otrs-framework/ NOTE: https://github.com/OTRS/otrs/commit/aeb33d800716e2a6653597aa86314c4cbdadb678 (6.x) NOTE: https://github.com/OTRS/otrs/commit/03ca8f396b1aa9933c212a63f52a9ea26c06e7da (5.x) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/e2ffc726a333af7694096bd77d21c1f2833fa016...cbc66db1b20e1a951c2040ec2f5f000909f594b5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/e2ffc726a333af7694096bd77d21c1f2833fa016...cbc66db1b20e1a951c2040ec2f5f000909f594b5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
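Review bot: in the cargo hunk the new [jessie] line copies the stretch rationale "Upcoming upgrade of Cargo for ESR68 will fix this" verbatim; if that toolchain upgrade is indeed planned for jessie LTS, add a NOTE pointing at the announcement or the target version so the marker can be resolved once the upload lands rather than staying as an unverifiable postponement.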
[Git][security-tracker-team/security-tracker][master] CVE-2019-3689/nfs-util: fs.protected_symlinks would only help for +t...
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: e2ffc726 by Sylvain Beucler at 2019-10-09T15:38:38Z CVE-2019-3689/nfs-util: fs.protected_symlinks would only help for +t directories, which isnt the case for /var/lib/nfs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -38322,7 +38322,6 @@ CVE-2019-3689 (The nfs-utils package in SUSE Linux Enterprise Server 12 before a NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1150733 NOTE: When adressing this a related patch to make statd take the user-id from NOTE: /var/lib/nfs/sm is needed, cf. https://bugzilla.suse.com/show_bug.cgi?id=1150733#c3 - NOTE: Neutralised by kernel hardening CVE-2019-3688 (The /usr/sbin/pinger binary packaged with squid in SUSE Linux Enterpri ...) TODO: check CVE-2019-3687 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e2ffc726a333af7694096bd77d21c1f2833fa016 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e2ffc726a333af7694096bd77d21c1f2833fa016 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
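Review bot: dropping "NOTE: Neutralised by kernel hardening" is right given the reasoning in the commit message (fs.protected_symlinks only applies to sticky directories and /var/lib/nfs is not one), but that reasoning now lives only in git history; put it in a NOTE line in place of the removed one so the next triager does not re-add the same assumption. Unrelated, the retained context line has a typo, "adressing" for "addressing".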
[Git][security-tracker-team/security-tracker][master] dla: update CVE-2019-3689/nfs-util
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 0fdc2f74 by Sylvain Beucler at 2019-10-09T14:48:14Z dla: update CVE-2019-3689/nfs-util - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -105,7 +105,7 @@ milkytracker (Utkarsh Gupta) mosquitto (Thorsten Alteholz) -- nfs-utils (Sylvain Beucler) - NOTE: 20190930: asked plans to package maintainer + NOTE: 20191009: proposed patch to upstream and sid, waiting for feedback before backport -- nghttp2 (Mike Gabriel) NOTE: 20190930: nghttp2 in jessie is likely not affected by CVE-2019-95{11,13}. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0fdc2f7480527490e2037e0cc3a4d38d7e94b912 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0fdc2f7480527490e2037e0cc3a4d38d7e94b912 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update version for unstable for CVE-2019-16760
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 461b0e59 by Salvatore Bonaccorso at 2019-10-09T13:18:05Z Update version for unstable for CVE-2019-16760 Open questions: src:rust-cargo as well an issue? And is it needed to track as well the rustc package? According to the upstream advisory bot hat https://rustsec.org/advisories/CVE-2019-16760.html and the oss-security post https://marc.info/?l=oss-securitym=157055118009441w=2 mention rust releases before 1.26.0 as well. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1402,7 +1402,7 @@ CVE-2019-16762 CVE-2019-16761 RESERVED CVE-2019-16760 (Cargo prior to Rust 1.26.0 may download the wrong dependency if your p ...) - - cargo 0.26.0-1 + - cargo 0.27.0-1 [stretch] - cargo (Upcoming upgrade of Cargo for ESR68 will fix this) NOTE: https://rustsec.org/advisories/CVE-2019-16760.html CVE-2019-16759 (vBulletin 5.x through 5.5.4 allows remote command execution via the wi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/461b0e59c1c783f6f84e724ef3f83cb9acd7cbb4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/461b0e59c1c783f6f84e724ef3f83cb9acd7cbb4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
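Review bot: the open questions in the commit message (whether src:rust-cargo and rustc also need tracking, given that the advisory names Rust releases before 1.26.0) are not reflected in the entry itself; add a TODO line under CVE-2019-16760 so they stay visible in data/CVE/list until someone answers them.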
[Git][security-tracker-team/security-tracker][master] NFUs
Sebastien Delafond pushed to branch master at Debian Security Tracker / security-tracker Commits: 66991770 by Sébastien Delafond at 2019-10-09T12:30:29Z NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -520,27 +520,27 @@ CVE-2019-17110 (A security issue was discovered in kube-state-metrics 1.7.x befo CVE-2019-17109 RESERVED CVE-2019-17108 (Local file inclusion in brokerPerformance.php in Centreon Web before 2 ...) - TODO: check + NOT-FOR-US: Centreon web UI (not packaged in Debian) CVE-2019-17107 (minPlayCommand.php in Centreon Web before 2.8.27 allows authenticated ...) - TODO: check + NOT-FOR-US: Centreon web UI (not packaged in Debian) CVE-2019-17106 (In Centreon Web through 2.8.29, disclosure of external components' pas ...) - TODO: check + NOT-FOR-US: Centreon web UI (not packaged in Debian) CVE-2019-17105 (The token generator in index.php in Centreon Web before 2.8.27 is pred ...) - TODO: check + NOT-FOR-US: Centreon web UI (not packaged in Debian) CVE-2019-17104 (In Centreon VM through 19.04.3, the cookie configuration within the Ap ...) - TODO: check + NOT-FOR-US: Centreon web UI (not packaged in Debian) CVE-2018-21025 (In Centreon VM through 19.04.3, centreon-backup.pl allows attackers to ...) - TODO: check + NOT-FOR-US: Centreon web UI (not packaged in Debian) CVE-2018-21024 (licenseUpload.php in Centreon Web before 2.8.27 allows attackers to up ...) - TODO: check + NOT-FOR-US: Centreon web UI (not packaged in Debian) CVE-2018-21023 (getStats.php in Centreon Web before 2.8.28 allows authenticated attack ...) - TODO: check + NOT-FOR-US: Centreon web UI (not packaged in Debian) CVE-2018-21022 (makeXML_ListServices.php in Centreon Web before 2.8.28 allows attacker ...) - TODO: check + NOT-FOR-US: Centreon web UI (not packaged in Debian) CVE-2018-21021 (img_gantt.php in Centreon Web before 2.8.27 allows attackers to perfor ...) - TODO: check + NOT-FOR-US: Centreon web UI (not packaged in Debian) CVE-2018-21020 (In very rare cases, a PHP type juggling vulnerability in centreonAuth. ...) 
- TODO: check + NOT-FOR-US: Centreon web UI (not packaged in Debian) CVE-2019-17103 RESERVED CVE-2019-17102 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/66991770c1d1c8fb4330bd4e7db8deee4f12cab7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/66991770c1d1c8fb4330bd4e7db8deee4f12cab7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 594ef57a by Moritz Muehlenhoff at 2019-10-09T11:54:21Z NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4106,17 +4106,17 @@ CVE-2017-18594 (nse_libssh2.cc in Nmap 7.70 is subject to a denial of service co NOTE: https://github.com/nmap/nmap/issues/1227 NOTE: Crash in CLI tool, no security impact CVE-2019-15751 (An unrestricted file upload vulnerability in SITOS six Build v6.2.1 al ...) - TODO: check + NOT-FOR-US: SITOS CVE-2019-15750 (A Cross-Site Scripting (XSS) vulnerability in the blog function in SIT ...) - TODO: check + NOT-FOR-US: SITOS CVE-2019-15749 (SITOS six Build v6.2.1 allows a user to change their password and reco ...) - TODO: check + NOT-FOR-US: SITOS CVE-2019-15748 (SITOS six Build v6.2.1 permits unauthorised users to upload and import ...) - TODO: check + NOT-FOR-US: SITOS CVE-2019-15747 (SITOS six Build v6.2.1 allows a user with the user role of Seminar Coo ...) - TODO: check + NOT-FOR-US: SITOS CVE-2019-15746 (SITOS six Build v6.2.1 allows an attacker to inject arbitrary PHP comm ...) - TODO: check + NOT-FOR-US: SITOS CVE-2019-15745 (The Eques elf smart plug and the mobile app use a hardcoded AES 256 bi ...) NOT-FOR-US: Eques elf smart plug CVE-2019-15744 @@ -7517,9 +7517,9 @@ CVE-2019-14659 CVE-2019-14658 RESERVED CVE-2019-14657 (Yealink phones through 2019-08-04 have an issue with OpenVPN file uplo ...) - TODO: check + NOT-FOR-US: Yealink CVE-2019-14656 (Yealink phones through 2019-08-04 do not properly check user roles in ...) - TODO: check + NOT-FOR-US: Yealink CVE-2019-14655 REJECTED CVE-2019-14654 (In Joomla! 3.9.7 and 3.9.8, inadequate filtering allows users authoris ...) 
@@ -12414,7 +12414,7 @@ CVE-2019-13338 (In WESEEK GROWI before 3.5.0, a remote attacker can obtain the p CVE-2019-13337 (In WESEEK GROWI before 3.5.0, the site-wide basic authentication can b ...) NOT-FOR-US: WESEEK GROWI CVE-2019-13336 (The dbell Wi-Fi Smart Video Doorbell DB01-S Gen 1 allows remote attack ...) - TODO: check + NOT-FOR-US: dbell Wi-Fi Smart Video Doorbell CVE-2019-13335 (SalesAgility SuiteCRM 7.10.x 7.10.19 and 7.11.x before and 7.11.7 has ...) NOT-FOR-US: SalesAgility SuiteCRM CVE-2019-13334 @@ -13023,7 +13023,7 @@ CVE-2019-13121 [SSRF Vulnerability in Project GitHub Integration] - gitlab NOTE: https://about.gitlab.com/2019/07/03/security-release-gitlab-12-dot-0-dot-3-released/ CVE-2019-13120 (Amazon FreeRTOS up to and including v1.4.8 for AWS lacks length checki ...) - TODO: check + NOT-FOR-US: Amazon FreeRTOS CVE-2019-13119 RESERVED CVE-2019-13118 (In numbers.c in libxslt 1.1.33, a type holding grouping characters of ...) @@ -13910,9 +13910,9 @@ CVE-2019-12814 (A Polymorphic Typing issue was discovered in FasterXML jackson-d CVE-2019-12813 (An issue was discovered in Digital Persona U.are.U 4500 Fingerprint Re ...) NOT-FOR-US: Digital Persona U.are.U 4500 Fingerprint Reader CVE-2019-12812 (MyBuilder viewer before 6.2.2019.814 allow an attacker to execute arbi ...) - TODO: check + NOT-FOR-US: MyBuilder CVE-2019-12811 (ActiveX Control in MyBuilder before 6.2.2019.814 allow an attacker to ...) - TODO: check + NOT-FOR-US: MyBuilder CVE-2019-12810 (A memory corruption vulnerability exists in the .PSD parsing functiona ...) NOT-FOR-US: ALSee CVE-2019-12809 (Yes24ViewerX ActiveX Control 1.0.327.50126 and earlier versions contai ...) 
@@ -18894,7 +18894,7 @@ CVE-2019-10971 (The application (Network Configurator for DeviceNet Safety 3.41 CVE-2019-10970 (In Rockwell Automation PanelView 5510 (all versions manufactured befor ...) NOT-FOR-US: Rockwell Automation PanelView CVE-2019-10969 (Moxa EDR 810, all versions 5.1 and prior, allows an authenticated atta ...) - TODO: check + NOT-FOR-US: Moxa CVE-2019-10968 (Philips Holter 2010 Plus, all versions. A vulnerability has been ident ...) NOT-FOR-US: Philips Holter 2010 Plus CVE-2019-10967 (In Emerson Ovation OCR400 Controller 3.3.1 and earlier, a stack-based ...) @@ -18906,7 +18906,7 @@ CVE-2019-10965 (In Emerson Ovation OCR400 Controller 3.3.1 and earlier, a heap-b CVE-2019-10964 (In Medtronic MinMed 508 and Medtronic Minimed Paradigm Insulin Pumps, ...) NOT-FOR-US: Medtronic CVE-2019-10963 (Moxa EDR 810, all versions 5.1 and prior, allows an unauthenticated at ...) - TODO: check + NOT-FOR-US: Moxa CVE-2019-10962 (BD Alaris Gateway versions, 1.0.13,1.1.3 Build 10,1.1.3 MR Build 11,1. ...) NOT-FOR-US: BD Alaris Gateway CVE-2019-10961 (In Advantech WebAccess HMI Designer Version 2.1.9.23
[Git][security-tracker-team/security-tracker][master] new ansible, cargo issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: fbb5d20c by Moritz Muehlenhoff at 2019-10-09T11:47:28Z new ansible, cargo issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1402,7 +1402,9 @@ CVE-2019-16762 CVE-2019-16761 RESERVED CVE-2019-16760 (Cargo prior to Rust 1.26.0 may download the wrong dependency if your p ...) - TODO: check + - cargo 0.26.0-1 + [stretch] - cargo (Upcoming upgrade of Cargo for ESR68 will fix this) + NOTE: https://rustsec.org/advisories/CVE-2019-16760.html CVE-2019-16759 (vBulletin 5.x through 5.5.4 allows remote command execution via the wi ...) NOT-FOR-US: vBulletin CVE-2019-16758 @@ -6949,7 +6951,8 @@ CVE-2019-14848 CVE-2019-14847 RESERVED CVE-2019-14846 (Ansible, all ansible_engine-2.x versions and ansible_engine-3.x up to ...) - TODO: check + - ansible (low) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1755373 CVE-2019-14845 (A vulnerability was found in OpenShift builds, versions 4.1 up to 4.3. ...) NOT-FOR-US: OpenShift CVE-2019-14844 (A flaw was found in, Fedora versions of krb5 from 1.16.1 to, including ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fbb5d20c77058550064f67d0a6ee3f9be5ca530a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fbb5d20c77058550064f67d0a6ee3f9be5ca530a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
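Review bot: in the cargo hunk the fixed version is recorded as 0.26.0-1 while the description says "Cargo prior to Rust 1.26.0"; confirm which Rust release cargo 0.26.0 ships with before treating it as the first fixed Debian version, since a cargo version number one step off would leave unstable wrongly marked as fixed.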
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-17362/libtomcrypt
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5e053950 by Salvatore Bonaccorso at 2019-10-09T11:13:59Z Add CVE-2019-17362/libtomcrypt - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9,7 +9,9 @@ CVE-2019-17364 CVE-2019-17363 RESERVED CVE-2019-17362 (In LibTomCrypt through 1.18.2, the der_decode_utf8_string function (in ...) - TODO: check + - libtomcrypt + NOTE: https://github.com/libtom/libtomcrypt/issues/507 + NOTE: https://github.com/libtom/libtomcrypt/pull/508 CVE-2019-17361 RESERVED CVE-2019-17360 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5e05395010d00833a115ae626d0f6f21804cf6f6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5e05395010d00833a115ae626d0f6f21804cf6f6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
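Review bot: the libtomcrypt entry has no severity and no Debian bug reference, and neither NOTE says which link is the fix; mark pull/508 as the candidate fix and, once it is merged, record the merge commit and a fixed version so the entry can be closed without re-reading the upstream discussion.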
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 23a00922 by security tracker role at 2019-10-09T08:10:20Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,21 @@ +CVE-2019-17367 + RESERVED +CVE-2019-17366 + RESERVED +CVE-2019-17365 + RESERVED +CVE-2019-17364 + RESERVED +CVE-2019-17363 + RESERVED +CVE-2019-17362 (In LibTomCrypt through 1.18.2, the der_decode_utf8_string function (in ...) + TODO: check +CVE-2019-17361 + RESERVED +CVE-2019-17360 + RESERVED +CVE-2018-21026 + RESERVED CVE-2019-17359 (The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigge ...) - bouncycastle (Vulnerable code introduced n 1.63) NOTE: Introduced only in 1.63, fixed in 1.64. @@ -37424,8 +37442,8 @@ CVE-2019-3982 RESERVED CVE-2019-3981 RESERVED -CVE-2019-3980 - RESERVED +CVE-2019-3980 (The Solarwinds Dameware Mini Remote Client agent v12.1.0.89 supports s ...) + TODO: check CVE-2019-3979 RESERVED CVE-2019-3978 
@@ -48603,36 +48621,36 @@ CVE-2019-0383 RESERVED CVE-2019-0382 RESERVED -CVE-2019-0381 - RESERVED -CVE-2019-0380 - RESERVED -CVE-2019-0379 - RESERVED -CVE-2019-0378 - RESERVED -CVE-2019-0377 - RESERVED -CVE-2019-0376 - RESERVED -CVE-2019-0375 - RESERVED -CVE-2019-0374 - RESERVED +CVE-2019-0381 (A binary planting in SAP SQL Anywhere, before version 17.0, SAP IQ, be ...) + TODO: check +CVE-2019-0380 (Under certain conditions, SAP Landscape Management enterprise edition, ...) + TODO: check +CVE-2019-0379 (In SAP NetWeaver Process Integration (AS2 Adapter), before versions 1. ...) + TODO: check +CVE-2019-0378 (SAP BusinessObjects Business Intelligence Platform (Web Intelligence H ...) + TODO: check +CVE-2019-0377 (SAP BusinessObjects Business Intelligence Platform (Web Intelligence H ...) + TODO: check +CVE-2019-0376 (SAP BusinessObjects Business Intelligence Platform (Web Intelligence H ...) + TODO: check +CVE-2019-0375 (SAP BusinessObjects Business Intelligence Platform (Web Intelligence H ...) + TODO: check +CVE-2019-0374 (SAP BusinessObjects Business Intelligence Platform (Web Intelligence H ...) + TODO: check CVE-2019-0373 RESERVED CVE-2019-0372 RESERVED CVE-2019-0371 RESERVED -CVE-2019-0370 - RESERVED -CVE-2019-0369 - RESERVED -CVE-2019-0368 - RESERVED -CVE-2019-0367 - RESERVED +CVE-2019-0370 (Due to missing input validation, SAP Financial Consolidation, before v ...) + TODO: check +CVE-2019-0369 (SAP Financial Consolidation, before versions 10.0 and 10.1, does not s ...) + TODO: check +CVE-2019-0368 (SAP Customer Relationship Management (Email Management), versions: S4C ...) + TODO: check +CVE-2019-0367 (SAP NetWeaver Process Integration (B2B Toolkit), before versions 1.0 a ...) + TODO: check CVE-2019-0366 RESERVED CVE-2019-0365 (SAP Kernel (RFC), KRNL32NUC, KRNL32UC and KRNL64NUC before versions 7. ...) 
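Review bot: the first hunk's context line "- bouncycastle (Vulnerable code introduced n 1.63)" has a typo ("n" for "in") that the automatic update cannot fix since it only rewrites generated lines; a manual follow-up commit should correct it. The remaining hunks only replace RESERVED placeholders with descriptions and "TODO: check", as expected.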
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/23a00922c28b74ed5609235216fb7bddb1043795 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/23a00922c28b74ed5609235216fb7bddb1043795 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla-needed: add libsdl1.2
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 71151a11 by Hugo Lefeuvre at 2019-10-09T08:04:03Z dla-needed: add libsdl1.2 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -88,6 +88,10 @@ libqb NOTE: 20190616: wherever it uses c->pid w/NAME_MAX. (lamby) NOTE: 20190619: See https://lists.debian.org/debian-lts/2019/06/msg00015.html -- +libsdl1.2 (Hugo Lefeuvre) + NOTE: regression introduced by the patch for CVE-2019-7637, several games broken + NOTE: see https://lists.debian.org/debian-lts/2019/10/msg00039.html +-- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/71151a114c661e9c59a997213924b7d8419a0f11 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/71151a114c661e9c59a997213924b7d8419a0f11 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
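Review bot: the regression NOTE says "several games broken" without naming them or a bug number; add the regression bug reference or the affected packages next to the list link so the fix can be verified against concrete reverse dependencies.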
[Git][security-tracker-team/security-tracker][master] CVE-2018-20847/openjpeg2: add missing commit link
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: a6bff21f by Hugo Lefeuvre at 2019-10-09T06:34:47Z CVE-2018-20847/openjpeg2: add missing commit link - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13469,8 +13469,9 @@ CVE-2018-20847 (An improper computation of p_tx0, p_tx1, p_ty0 and p_ty1 in the - openjpeg2 2.3.1-1 (low; bug #931294) [buster] - openjpeg2 (Minor issue) [stretch] - openjpeg2 (Minor issue) - NOTE: https://github.com/uclouvain/openjpeg/commit/5d00b719f4b93b1445e6fb4c766b9a9883c57949 NOTE: https://github.com/uclouvain/openjpeg/issues/431 + NOTE: https://github.com/uclouvain/openjpeg/commit/5d00b719f4b93b1445e6fb4c766b9a9883c57949 + NOTE: https://github.com/uclouvain/openjpeg/commit/2d24b6000d5611615e3e6d799e20d5fdbe4e2a1e NOTE: https://github.com/uclouvain/openjpeg/commit/c58df149900df862806d0e892859b41115875845 CVE-2018-20846 (Out-of-bounds accesses in the functions pi_next_lrcp, pi_next_rlcp, pi ...) - openjpeg2 (unimportant) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a6bff21fae65afdfc65ef6dfdcaddb8ad1ed3501
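Review bot: the entry now carries three upstream commit links (5d00b719, 2d24b600, c58df149) with no indication of which one is the fix that landed in 2.3.1-1 and which are follow-ups, so someone evaluating the buster or stretch "Minor issue" status has to read all three diffs to know what a backport would need; only 2d24b600 is actually new here, the 5d00b719 line is moved below the issue/431 link rather than added, which the subject line "add missing commit link" does not make obvious. Suggest a short parenthetical on each NOTE, e.g. `NOTE: https://github.com/uclouvain/openjpeg/commit/2d24b6000d5611615e3e6d799e20d5fdbe4e2a1e (follow-up fix)` or `(fixed in 2.3.1)`, in the same way other entries annotate commit links with the release that contains them.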
[Git][security-tracker-team/security-tracker][master] Claim ruby-openid
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 7f28baec by Brian May at 2019-10-09T06:07:26Z Claim ruby-openid - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -126,7 +126,7 @@ radare2 NOTE: Support status is being discussed at: NOTE: https://lists.debian.org/debian-lts/2019/08/msg00064.html -- -ruby-openid +ruby-openid (Brian May) NOTE: 20190628: In discussion with upstream/rubygems maintainer regarding what the issue actually *is*. (lamby) NOTE: 20190701: Pinged bug (lamby) NOTE: 20190705: Pinged bug (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7f28baec8c015e852e03be89bb2c44c754f53a94
