[Git][security-tracker-team/security-tracker][master] openjdk-8, tcpdump DSAs

2019-10-21 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ea8eba9c by Moritz Muehlenhoff at 2019-10-21T21:12:50Z
openjdk-8, tcpdump DSAs

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,10 @@
+[21 Oct 2019] DSA-4548-1 openjdk-8 - security update
+   {CVE-2019-2894 CVE-2019-2945 CVE-2019-2949 CVE-2019-2962 CVE-2019-2964 
CVE-2019-2973 CVE-2019-2975 CVE-2019-2978 CVE-2019-2981 CVE-2019-2983 
CVE-2019-2987 CVE-2019-2988 CVE-2019-2989 CVE-2019-2992 CVE-2019-2999}
+   [stretch] - openjdk-8 8u232-b09-1~deb9u1
+[21 Oct 2019] DSA-4547-1 tcpdump - security update
+   {CVE-2018-10103 CVE-2018-10105 CVE-2018-14461 CVE-2018-14462 
CVE-2018-14463 CVE-2018-14464 CVE-2018-14465 CVE-2018-14466 CVE-2018-14467 
CVE-2018-14468 CVE-2018-14469 CVE-2018-14470 CVE-2018-14879 CVE-2018-14880 
CVE-2018-14881 CVE-2018-14882 CVE-2018-16227 CVE-2018-16228 CVE-2018-16229 
CVE-2018-16230 CVE-2018-16300 CVE-2018-16451 CVE-2018-16452 CVE-2019-15166}
+   [stretch] - tcpdump 4.9.3-1~deb9u1
+   [buster] - tcpdump 4.9.3-1~deb10u1
 [20 Oct 2019] DSA-4546-1 openjdk-11 - security update
{CVE-2019-2894 CVE-2019-2945 CVE-2019-2949 CVE-2019-2962 CVE-2019-2964 
CVE-2019-2973 CVE-2019-2975 CVE-2019-2977 CVE-2019-2978 CVE-2019-2981 
CVE-2019-2983 CVE-2019-2987 CVE-2019-2988 CVE-2019-2989 CVE-2019-2992 
CVE-2019-2999}
[buster] - openjdk-11 11.0.5+10-1~deb10u1
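Review bot: the CVE set for DSA-4548-1 (openjdk-8) omits CVE-2019-2977, which the DSA-4546-1 openjdk-11 entry directly below includes; the two lists are otherwise identical, so confirm the omission is deliberate (an issue present only in 11) rather than a dropped id before the advisory text goes out.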


=
data/dsa-needed.txt
=
@@ -45,8 +45,6 @@ nodejs
 nss/oldstable (jmm)
   Roberto proposed an update including fixes for CVE-2018-12404 and 
CVE-2018-18508
 --
-openjdk-8/oldstable (jmm)
---
 pam-python
 --
 poppler (jmm)
@@ -66,9 +64,6 @@ squid3/oldstable
 sssd
   Maintainer prepared an update and proposed debdiff, acked for upload, but 
update needs further testing before release.
 --
-tcpdump
-  Wait to settle in unstable/testing first
---
 wordpress
 --
 xen/oldstable



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ea8eba9c3c529cac88a1f59bd48a52e2dd2ccaa6

You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] automatic update

2019-10-21 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
97c2f3eb by security tracker role at 2019-10-21T20:10:25Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,17 @@
+CVE-2019-18225 (An issue was discovered in Citrix Application Delivery 
Controller (ADC ...)
+   TODO: check
+CVE-2019-18224 (idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 
has a hea ...)
+   TODO: check
+CVE-2019-18223
+   RESERVED
+CVE-2019-18222
+   RESERVED
+CVE-2019-18221
+   RESERVED
+CVE-2019-18220
+   RESERVED
+CVE-2019-18219
+   RESERVED
 CVE-2019-18218 (cdf_read_property_info in cdf.c in file through 5.37 does not 
restrict ...)
- file 
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16780
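Review bot: of the new entries only the top two need a human decision, the rest are RESERVED placeholders. CVE-2019-18225 (Citrix ADC) is appliance software and will presumably end up NOT-FOR-US like the WAGO entry further down, but CVE-2019-18224 (GNU libidn2 before 2.1.1) describes a library, so its TODO: check should be resolved against the packaged version rather than left in the TODO state.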
@@ -32,8 +46,8 @@ CVE-2019-18205
RESERVED
 CVE-2019-18204
RESERVED
-CVE-2019-18203
-   RESERVED
+CVE-2019-18203 (On the RICOH MP 501 printer, HTML Injection and Stored XSS 
vulnerabili ...)
+   TODO: check
 CVE-2019-18202 (Information Disclosure is possible on WAGO Series PFC100 and 
PFC200 de ...)
NOT-FOR-US: WAGO Series PFC100 and PFC200 devices
 CVE-2019-18201
@@ -3406,7 +3420,7 @@ CVE-2019-17181
RESERVED
 CVE-2019-17180 (Valve Steam Client before 2019-09-12 allows placing or 
appending parti ...)
NOT-FOR-US: Steam on Windows
-CVE-2019-17179 (XSS in library/custom_template/add_template.php in OpenEMR 
through 5.0 ...)
+CVE-2019-17179 (4.1.0, 4.1.1, 4.1.2, 4.1.2.3, 4.1.2.6, 4.1.2.7, 4.2.0, 4.2.1, 
4.2.2, 5 ...)
NOT-FOR-US: OpenEMR
 CVE-2019-17178 (HuffmanTree_makeFromFrequencies in lodepng.c in LodePNG 
through 2019-0 ...)
TODO: check
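Review bot: the replacement description for CVE-2019-17179 now opens with a bare version list ('4.1.0, 4.1.1, 4.1.2, ...') and the truncated text no longer names OpenEMR; keeping the NOT-FOR-US: OpenEMR line is right, but the upstream description appears to have been rewritten, so a quick look at the full text is worthwhile to confirm it still refers to the same product.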
@@ -3644,7 +3658,7 @@ CVE-2019-17072 (The new-contact-form-widget (aka Contact 
Form Widget - Contact Q
NOT-FOR-US: new-contact-form-widget (aka Contact Form Widget - Contact 
Query, Form Maker) plugin for WordPress
 CVE-2019-17071 (The client-dash (aka Client Dash) plugin 2.1.4 for WordPress 
allows XS ...)
NOT-FOR-US: client-dash (aka Client Dash) plugin for WordPress
-CVE-2019-17070 (The liquid-speech-balloon (aka LIQUID SPEECH BALLOON) plugin 
1.0.5 for ...)
+CVE-2019-17070 (The liquid-speech-balloon (aka LIQUID SPEECH BALLOON) plugin 
before 1. ...)
NOT-FOR-US: liquid-speech-balloon (aka LIQUID SPEECH BALLOON) plugin 
for WordPress
 CVE-2019-17069 (PuTTY before 0.73 might allow remote SSH-1 servers to cause a 
denial o ...)
- putty 0.73-1 (unimportant)
@@ -3834,34 +3848,34 @@ CVE-2019-16994 (In the Linux kernel before 5.0, a 
memory leak exists in sit_init
NOTE: 
https://git.kernel.org/linus/07f12b26e21ab359261bf75cfcb424fdc7daeb6d
 CVE-2019-16992 (The Keybase app 2.13.2 for iOS provides potentially 
insufficient notic ...)
NOT-FOR-US: Keybase
-CVE-2019-16991
-   RESERVED
-CVE-2019-16990
-   RESERVED
-CVE-2019-16989
-   RESERVED
-CVE-2019-16988
-   RESERVED
-CVE-2019-16987
-   RESERVED
-CVE-2019-16986
-   RESERVED
-CVE-2019-16985
-   RESERVED
-CVE-2019-16984
-   RESERVED
-CVE-2019-16983
-   RESERVED
-CVE-2019-16982
-   RESERVED
-CVE-2019-16981
-   RESERVED
-CVE-2019-16980
-   RESERVED
-CVE-2019-16979
-   RESERVED
-CVE-2019-16978
-   RESERVED
+CVE-2019-16991 (In FusionPBX up to v4.5.7, the file app\edit\filedelete.php 
uses an un ...)
+   TODO: check
+CVE-2019-16990 (In FusionPBX up to v4.5.7, the file 
app/music_on_hold/music_on_hold.ph ...)
+   TODO: check
+CVE-2019-16989 (In FusionPBX up to v4.5.7, the file 
app\conferences_active\conference_ ...)
+   TODO: check
+CVE-2019-16988 (In FusionPBX up to v4.5.7, the file 
app\basic_operator_panel\resources ...)
+   TODO: check
+CVE-2019-16987 (In FusionPBX up to v4.5.7, the file 
app\contacts\contact_import.php us ...)
+   TODO: check
+CVE-2019-16986 (In FusionPBX up to v4.5.7, the file resources\download.php 
uses an uns ...)
+   TODO: check
+CVE-2019-16985 (In FusionPBX up to v4.5.7, the file 
app\xml_cdr\xml_cdr_delete.php use ...)
+   TODO: check
+CVE-2019-16984 (In FusionPBX up to v4.5.7, the file 
app\recordings\recording_play.php  ...)
+   TODO: check
+CVE-2019-16983 (In FusionPBX up to v4.5.7, the file resources\paging.php has a 
paging  ...)
+   TODO: check
+CVE-2019-16982 (In FusionPBX up to v4.5.7, the file 
app\access_controls\access_control ...)
+   TODO: check
+CVE-2019-16981 (In FusionPBX up to v4.5.7, the file 
app\conference_profiles\conference ...)
+   TODO: check
+CVE-2019-16980 (In FusionPBX up to v4.5.7, the file 
app\call_broadcast\call_broadcast_ ...)
+   TODO: check
+CVE-2019-16979 (In FusionPBX up to v4.5.7, the file 
app\contacts\contact_urls.php uses ...)
+   TODO: check
+CVE-2019-16978 (In FusionPBX up to v4.5.7, the file 
app\devices\device_settings.php us ...)
+   
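Review bot: the fourteen FusionPBX entries CVE-2019-16978 through CVE-2019-16991 all describe the same product and version range (up to v4.5.7) and differ only in the affected file, so they should be triaged as one batch with a single decision rather than fourteen separate TODO: check lines; note also that the action line under the last entry, CVE-2019-16978, is blank in this rendering where the others read TODO: check.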

[Git][security-tracker-team/security-tracker][master] update note for slurm in dla-needed

2019-10-21 Thread Abhijith PA


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
37d676a3 by Abhijith PA at 2019-10-21T20:02:24Z
update note for slurm in dla-needed

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -117,6 +117,8 @@ ruby-haml (Utkarsh Gupta)
 --
 slurm-llnl
   NOTE: 20190814: Contacted security of slurm-llnl for relevant commits 
(abhijith)
+  NOTE: 20191022: Big chunk to backport 
afa7d743f407c60a7c8a4bd98a10be32c82988b5 and 
+  NOTE: 20191022: 750cc23edcc6fddfff21d33bdaf4fb7deb28cfda would be a 
start.(abhijith)
 --
 spip (Thorsten Alteholz)
   NOTE: 20191013: testing package
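Review bot: the new NOTE for slurm-llnl is missing a space in 'start.(abhijith)', and it names two upstream commits to backport without saying which CVE(s) they address; since the earlier NOTE says upstream was contacted for the relevant commits, recording the CVE-to-commit mapping here would save the next person from re-deriving it.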



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/37d676a34440b8b173b5cf86f80f53f1302403af


[Git][security-tracker-team/security-tracker][master] new file issue

2019-10-21 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9dbb3ce0 by Moritz Muehlenhoff at 2019-10-21T16:11:15Z
new file issue
new proftpd issue
new rpyc issue
new vaguish gridengine issue
new rabbitserver issue
exiv2 n/a
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,7 +1,11 @@
 CVE-2019-18218 (cdf_read_property_info in cdf.c in file through 5.37 does not 
restrict ...)
-   TODO: check
+   - file 
+   NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16780
+   NOTE: 
https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84 
 CVE-2019-18217 (ProFTPD before 1.3.6b and 1.3.7rc before 1.3.7rc2 allows 
remote unauth ...)
-   TODO: check
+   - proftpd-dfsg 
+   NOTE: 
https://github.com/proftpd/proftpd/commit/13fe9462787b9a551152162f46f1641d65fe4df4
+   NOTE: https://github.com/proftpd/proftpd/issues/846
 CVE-2019-18216 (** DISPUTED ** The BIOS configuration design on ASUS ROG 
Zephyrus M GM ...)
NOT-FOR-US: BIOS configuration design on ASUS ROG Zephyrus M GM501GS 
laptops with BIOS 313
 CVE-2019-18215
@@ -2928,7 +2932,7 @@ CVE-2019-17411
 CVE-2019-17410
RESERVED
 CVE-2019-17409 (Reflected XSS exists in interface/forms/eye_mag/view.php in 
OpenEMR 5. ...)
-   TODO: check
+   NOT-FOR-US: OpenEMR
 CVE-2019-17408 (parserIfLabel in inc/zzz_template.php in ZZZCMS zzzphp 1.7.3 
allows re ...)
NOT-FOR-US: ZZZCMS
 CVE-2019-17407
@@ -4252,7 +4256,7 @@ CVE-2019-16864
 CVE-2019-16863
RESERVED
 CVE-2019-16862 (Reflected XSS in interface/forms/eye_mag/view.php in OpenEMR 
5.x befor ...)
-   TODO: check
+   NOT-FOR-US: OpenEMR
 CVE-2019-16861
RESERVED
 CVE-2019-16860
@@ -5569,7 +5573,7 @@ CVE-2019-16330 (In NCH Express Accounts Accounting v7.02, 
persistent cross site
 CVE-2019-16329
RESERVED
 CVE-2019-16328 (In RPyC 4.1.x through 4.1.1, a remote attacker can dynamically 
modify  ...)
-   TODO: check
+   - rpyc 
 CVE-2019-16327
RESERVED
 CVE-2019-16326
@@ -11793,7 +11797,7 @@ CVE-2019-14439 (A Polymorphic Typing issue was 
discovered in FasterXML jackson-d
NOTE: https://github.com/FasterXML/jackson-databind/issues/2389
NOTE: 
https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa0e3ffaaa6125b
 CVE-2018-20871 (In Univa Grid Engine before 8.6.3, when configured for Docker 
jobs and ...)
-   TODO: check, might affect src:gridengine as well
+   - gridengine 
 CVE-2015-9290 (In FreeType before 2.6.1, a buffer over-read occurs in 
type1/t1parse.c ...)
{DLA-1887-1}
- freetype 2.6.1-0.1
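Review bot: the gridengine entry goes from 'TODO: check, might affect src:gridengine as well' straight to an unqualified '- gridengine' with no NOTE; the commit message itself calls this a 'vaguish' issue, so a NOTE stating why the Univa Grid Engine Docker-jobs problem is believed to apply to the Debian source (which code path, or that it was not verified) would keep the reasoning with the entry.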
@@ -12019,7 +12023,7 @@ CVE-2019-14369 (Exiv2::PngImage::readMetadata() in 
pngimage.cpp in Exiv2 0.27.99
NOTE: fixed through CVE-2019-13504
NOTE: 
https://github.com/Exiv2/exiv2/commit/bd0afe0390439b2c424d881c8c6eb0c5624e31d9
 CVE-2019-14368 (Exiv2 0.27.99.0 has a heap-based buffer over-read in 
Exiv2::RafImage:: ...)
-   TODO: check
+   - exiv2  (Doesn't seem to affect 0.25)
 CVE-2019-14367
RESERVED
 CVE-2019-14366
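Review bot: '(Doesn't seem to affect 0.25)' is a hedged not-affected claim with nothing to back it; the adjacent CVE-2019-14369 entry links the upstream commit, so add a NOTE with the commit or the code location for CVE-2019-14368 too, otherwise the next triager has to redo the comparison against 0.25.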
@@ -21204,13 +21208,14 @@ CVE-2019-11286
 CVE-2019-11285
RESERVED
 CVE-2019-11284 (Pivotal Reactor Netty, versions prior to 0.8.11, passes 
headers throug ...)
-   TODO: check
+   NOT-FOR-US: Pivotal
 CVE-2019-11283
RESERVED
 CVE-2019-11282
RESERVED
 CVE-2019-11281 (Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for 
PCF, ver ...)
-   TODO: check
+   - rabbitmq-server 3.7.18-1 (low)
+   NOTE: https://pivotal.io/security/cve-2019-11281
 CVE-2019-11280 (Pivotal Apps Manager, included in Pivotal Application Service 
versions ...)
NOT-FOR-US: Pivotal
 CVE-2019-11279 (CF UAA versions prior to 74.1.0 can request scopes for a 
client that s ...)
@@ -22801,9 +22806,9 @@ CVE-2019-10718 (BlogEngine.NET 3.3.7.0 and earlier 
allows XML External Entity Bl
 CVE-2019-10717 (BlogEngine.NET 3.3.7.0 allows /api/filemanager Directory 
Traversal via ...)
NOT-FOR-US: BlogEngine.NET
 CVE-2019-10716 (An Information Disclosure issue in Verodin Director 3.5.3.1 
and earlie ...)
-   TODO: check
+   NOT-FOR-US: Verodin Director
 CVE-2019-10715 (There is Stored XSS in Verodin Director before 3.5.4.0 via 
input field ...)
-   TODO: check
+   NOT-FOR-US: Verodin Director
 CVE-2019-10714 (LocaleLowercase in MagickCore/locale.c in ImageMagick before 
7.0.8-32  ...)
- imagemagick  (Vulnerable code introduced later)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1495
@@ -46834,15 +46839,15 @@ CVE-2019-2189 (In the Easel driver, there is possible 
memory corruption due to r
 CVE-2019-2188 (In the Easel driver, there is possible memory corruption due to 
race c ...)
NOT-FOR-US: Android
 CVE-2019-2187 (In nfc_ncif_decode_rf_params of nfc_ncif.cc, there is a 

[Git][security-tracker-team/security-tracker][master] mark CVE-2017-9354 as not-affected for Jessie and earlier

2019-10-21 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
961e0815 by Thorsten Alteholz at 2019-10-21T14:08:37Z
mark CVE-2017-9354 as not-affected for Jessie and earlier

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -130545,8 +130545,8 @@ CVE-2017-9355 (XML external entity (XXE) 
vulnerability in the import playlist fe
NOT-FOR-US: Subsonic
 CVE-2017-9354 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the RGMP 
dissector co ...)
- wireshark 2.2.7-1 (bug #864058)
-   [jessie] - wireshark  (Minor issue)
-   [wheezy] - wireshark  (Minor issue)
+   [jessie] - wireshark  (vulnerable code introduced later)
+   [wheezy] - wireshark  (vulnerable code introduced later)
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-32.html
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13646
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=5debcf56eda16064c10f4e22b3db326c8b53406b
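Review bot: changing jessie and wheezy from '(Minor issue)' to '(vulnerable code introduced later)' turns a severity judgement into a not-affected claim, and nothing in the entry records why; the description gives 2.0.0 to 2.0.12 and 2.2.0 to 2.2.6 as the affected ranges, so a NOTE naming the versions shipped in jessie and wheezy, or the upstream change that introduced the RGMP dissector, would make the claim checkable.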



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/961e0815e8f5266ac911c050759df393991694c3


[Git][security-tracker-team/security-tracker][master] reclaim mosquitto

2019-10-21 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f16c9086 by Thorsten Alteholz at 2019-10-21T11:50:48Z
reclaim mosquitto

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -81,7 +81,7 @@ linux (Ben Hutchings)
 --
 linux-4.9 (Ben Hutchings)
 --
-mosquitto
+mosquitto (Thorsten Alteholz)
 --
 nghttp2
   NOTE: 20190930: nghttp2 in jessie is likely not affected by 
CVE-2019-95{11,13}.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/f16c908682f1a1cf2d59629aadcf3391e7784f50


[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2019-10-21 Thread Holger Levsen


Holger Levsen pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9fceffb0 by Holger Levsen at 2019-10-21T10:18:40Z
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Holger Levsen hol...@layer-acht.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -43,7 +43,7 @@ libapache2-mod-auth-openidc
   NOTE: 20191011: Upstream patch tightens validation but jessie does not appear
   NOTE: 20191011: to have any validation whatsoever on first glance. (lamby)
 --
-libav (Mike Gabriel)
+libav
   NOTE: 20190831: There are currently 19 CVE issues known for libav in jessie,
   NOTE: 20190831: 11 tagged as . These issues have been triaged, no 
patch
   NOTE: 20190831: has been found, so far. If you pick libav, be prepared to 
work
@@ -81,9 +81,9 @@ linux (Ben Hutchings)
 --
 linux-4.9 (Ben Hutchings)
 --
-mosquitto (Thorsten Alteholz)
+mosquitto
 --
-nghttp2 (Mike Gabriel)
+nghttp2
   NOTE: 20190930: nghttp2 in jessie is likely not affected by 
CVE-2019-95{11,13}.
   NOTE: 20190930: waiting for feedback from Thorsten and Abhijith as they put
   NOTE: 20190930: work into the pkg triaging, too. (sunweaver)
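Review bot: the nghttp2 unclaim follows the two-week rule (the last NOTE is dated 20190930 and says the claimant was waiting on others), but the unclaim itself leaves no trace in the file; a dated line such as 'NOTE: 20191021: unclaimed after 2 weeks of inactivity' would let the next person see why the name went and that the 20190930 notes are still current. The same applies to mosquitto in this hunk, which carries no notes at all.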



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/9fceffb03293c446f50ac9e19dfb78fb6aee9339


[Git][security-tracker-team/security-tracker][master] chacha20 doesn't exist in 1.0.1

2019-10-21 Thread Kurt Roeckx


Kurt Roeckx pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dfa79add by Kurt Roeckx at 2019-10-21T09:52:21Z
chacha20 doesn't exist in 1.0.1

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -49293,7 +49293,7 @@ CVE-2019-1544
 CVE-2019-1543 (ChaCha20-Poly1305 is an AEAD cipher, and requires a unique 
nonce input ...)
{DSA-4475-1}
- openssl 1.1.1c-1 (low)
-   [jessie] - openssl  (Minor issue, fix along in future DLA)
+   [jessie] - openssl  (Vulnerability does not impact 1.0.1 
series)
- openssl1.0  (Vulnerability does not impact 1.0.2 series)
NOTE: https://www.openssl.org/news/secadv/20190306.txt
NOTE: OpenSSL_1_1_1-stable: 
https://git.openssl.org/?p=openssl.git;a=commit;h=f426625b6ae9a7831010750490a5f0ad689c5ba3
 (OpenSSL_1_1_1c)
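Review bot: the new jessie annotation mirrors the existing openssl1.0 line for the 1.0.2 series, which is consistent, but the reason ('chacha20 doesn't exist in 1.0.1', per the commit message) lives only in the commit; add it as a NOTE on the entry so the not-affected call is self-explaining.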



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/dfa79add4cc7c28e5cdc326a983883e90648a861


[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2019-{14981,11470}: remove triage

2019-10-21 Thread Hugo Lefeuvre


Hugo Lefeuvre pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
84b9f3a7 by Hugo Lefeuvre at 2019-10-21T08:47:57Z
CVE-2019-{14981,11470}: remove postponed triage

fixed via DLA-1968-1

- - - - -
785616ac by Hugo Lefeuvre at 2019-10-21T08:52:05Z
dsa-needed: add python-reportlab, take it

CVE-2019-17626, remote code execution

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -9605,7 +9605,6 @@ CVE-2019-14982 (In Exiv2 before v0.27.2, there is an 
integer overflow vulnerabil
NOTE: 
https://github.com/Exiv2/exiv2/pull/962/commits/e925bc5addd881543fa503470c8a859e112cca62
 CVE-2019-14981 (In ImageMagick 7.x before 7.0.8-41 and 6.x before 6.9.10-41, 
there is  ...)
- imagemagick 
-   [jessie] - imagemagick  (can be fixed along with more 
important issues)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1552
NOTE: 
https://github.com/ImageMagick/ImageMagick6/commit/b522d2d857d2f75b659936b59b0da9df1682c256
 CVE-2019-14980 (In ImageMagick 7.x before 7.0.8-42 and 6.x before 6.9.10-42, 
there is  ...)
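Review bot: dropping the jessie postponed line is correct once the DLA exists, but this hunk does not add the {DLA-1968-1} cross-reference to the entry; that is normally filled in by the automatic update (compare the {DLA-1967-1} line added to CVE-2019-15165 elsewhere on this page), so it relies on the DLA/list entry from the preceding commit being in place, which it is.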
@@ -20721,7 +20720,6 @@ CVE-2019-11470 (The cineon parsing component in 
ImageMagick 7.0.8-26 Q16 allows
- imagemagick  (low; bug #927830)
[buster] - imagemagick  (Minor issue)
[stretch] - imagemagick  (Minor issue)
-   [jessie] - imagemagick  (can be fixed along with more 
important issues)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1472
NOTE: 
https://github.com/ImageMagick/ImageMagick6/commit/a0473b29add9521ffd4c74f6f623b418811762b0
 CVE-2018-20822 (LibSass 3.5.4 allows attackers to cause a denial-of-service 
(uncontrol ...)


=
data/dsa-needed.txt
=
@@ -53,6 +53,8 @@ poppler (jmm)
 --
 python3.5 (jmm)
 --
+python-reportlab (hle)
+--
 simplesamlphp/oldstable
 --
 slurm-llnl (jmm)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/0b128825ec0ad730303a944b6d0c446a8d3a9613...785616ac9bdcc615cf3514f61acaebf7881ddc74


[Git][security-tracker-team/security-tracker][master] Reserve DLA-1968-1 for imagemagick

2019-10-21 Thread Hugo Lefeuvre


Hugo Lefeuvre pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0b128825 by Hugo Lefeuvre at 2019-10-21T08:44:03Z
Reserve DLA-1968-1 for imagemagick

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[21 Oct 2019] DLA-1968-1 imagemagick - security update
+   {CVE-2019-11470 CVE-2019-14981 CVE-2019-15139 CVE-2019-15140}
+   [jessie] - imagemagick 8:6.8.9.9-5+deb8u18
 [21 Oct 2019] DLA-1967-1 libpcap - security update
{CVE-2019-15165}
[jessie] - libpcap 1.6.2-2+deb8u1


=
data/dla-needed.txt
=
@@ -32,16 +32,6 @@ hdf5
 ibus
   NOTE: 20191020: Fix for regression in KDE apps still not available (apo)
 --
-imagemagick (Hugo Lefeuvre)
-  NOTE: CVE-2019-13391, CVE-2019-13308: patch is large, undocumented and 
potentially
-  NOTE: insufficient. wait for upstream to answer on bug report, or tag 
.
-  NOTE: CVE-2019-10131: patch is sufficient, but technically so-so in my 
opinion:
-  NOTE: instead of avoiding off-by-one reads (check length BEFORE reading, not 
after!)
-  NOTE: we allocate one more byte. this works, but does not 'obviously' fix 
the issue and
-  NOTE: can be misleading... DEP3 comments would be nice. (hle)
-  NOTE: 20191019: preparing an update for the new batch of CVEs.
-  NOTE: CVE-2019-17540: unclear upstream fixes in ImageMagick6, this is very 
messy.
---
 imapfilter
   NOTE: 20190910: No patch exists but a possible solution. Note that openssl in
   NOTE: Jessie is < 1.0.2. (apo)
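Review bot: DLA-1968-1 covers CVE-2019-11470, CVE-2019-14981, CVE-2019-15139 and CVE-2019-15140, but the dla-needed entry being removed also carries open notes on CVE-2019-13391, CVE-2019-13308, CVE-2019-10131 and CVE-2019-17540 (waiting for upstream, 'very messy'); deleting the whole block loses that state. Either keep an imagemagick entry with the remaining notes, or move them onto the respective CVE entries before removing it.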



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/0b128825ec0ad730303a944b6d0c446a8d3a9613


[Git][security-tracker-team/security-tracker][master] CVE-2019-17626/python-reportlab: add Debian bug report

2019-10-21 Thread Hugo Lefeuvre


Hugo Lefeuvre pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f90538b4 by Hugo Lefeuvre at 2019-10-21T08:32:39Z
CVE-2019-17626/python-reportlab: add Debian bug report

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2177,7 +2177,7 @@ CVE-2019-17628
 CVE-2019-17627 (The Yale Bluetooth Key application for mobile devices allows 
unauthori ...)
NOT-FOR-US: Yale Bluetooth Key application for mobile devices
 CVE-2019-17626 (ReportLab through 3.5.26 allows remote code execution because 
of toCol ...)
-   - python-reportlab 
+   - python-reportlab  (bug #942763)
NOTE: 
https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code
 CVE-2019-17625 (There is a stored XSS in Rambox 0.6.9 that can lead to code 
execution. ...)
NOT-FOR-US: Rambox



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/f90538b473ffdbc897502103c97a66e0fb47ccf3


[Git][security-tracker-team/security-tracker][master] automatic update

2019-10-21 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fb427565 by security tracker role at 2019-10-21T08:10:13Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,7 @@
+CVE-2019-18218 (cdf_read_property_info in cdf.c in file through 5.37 does not 
restrict ...)
+   TODO: check
+CVE-2019-18217 (ProFTPD before 1.3.6b and 1.3.7rc before 1.3.7rc2 allows 
remote unauth ...)
+   TODO: check
 CVE-2019-18216 (** DISPUTED ** The BIOS configuration design on ASUS ROG 
Zephyrus M GM ...)
NOT-FOR-US: BIOS configuration design on ASUS ROG Zephyrus M GM501GS 
laptops with BIOS 313
 CVE-2019-18215
@@ -2923,8 +2927,8 @@ CVE-2019-17411
RESERVED
 CVE-2019-17410
RESERVED
-CVE-2019-17409
-   RESERVED
+CVE-2019-17409 (Reflected XSS exists in interface/forms/eye_mag/view.php in 
OpenEMR 5. ...)
+   TODO: check
 CVE-2019-17408 (parserIfLabel in inc/zzz_template.php in ZZZCMS zzzphp 1.7.3 
allows re ...)
NOT-FOR-US: ZZZCMS
 CVE-2019-17407
@@ -4247,8 +4251,8 @@ CVE-2019-16864
RESERVED
 CVE-2019-16863
RESERVED
-CVE-2019-16862
-   RESERVED
+CVE-2019-16862 (Reflected XSS in interface/forms/eye_mag/view.php in OpenEMR 
5.x befor ...)
+   TODO: check
 CVE-2019-16861
RESERVED
 CVE-2019-16860
@@ -8895,6 +8899,7 @@ CVE-2019-15166 (lmp_print_data_link_subobjs() in 
print-lmp.c in tcpdump before 4
- tcpdump 4.9.3-1 (bug #941698)
NOTE: 
https://github.com/the-tcpdump-group/tcpdump/commit/0b661e0aa61850234b64394585cf577aac570bf4
 CVE-2019-15165 (sf-pcapng.c in libpcap before 1.9.1 does not properly validate 
the PHB ...)
+   {DLA-1967-1}
- libpcap 1.9.1-1 (bug #941697)
NOTE: 
https://github.com/the-tcpdump-group/libpcap/commit/87d6bef033062f969e70fa40c43dfd945d5a20ab
NOTE: 
https://github.com/the-tcpdump-group/libpcap/commit/a5a36d9e82dde7265e38fe1f87b7f11c461c29f6
@@ -22797,10 +22802,10 @@ CVE-2019-10718 (BlogEngine.NET 3.3.7.0 and earlier 
allows XML External Entity Bl
NOT-FOR-US: BlogEngine.NET
 CVE-2019-10717 (BlogEngine.NET 3.3.7.0 allows /api/filemanager Directory 
Traversal via ...)
NOT-FOR-US: BlogEngine.NET
-CVE-2019-10716
-   RESERVED
-CVE-2019-10715
-   RESERVED
+CVE-2019-10716 (An Information Disclosure issue in Verodin Director 3.5.3.1 
and earlie ...)
+   TODO: check
+CVE-2019-10715 (There is Stored XSS in Verodin Director before 3.5.4.0 via 
input field ...)
+   TODO: check
 CVE-2019-10714 (LocaleLowercase in MagickCore/locale.c in ImageMagick before 
7.0.8-32  ...)
- imagemagick  (Vulnerable code introduced later)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1495
@@ -44618,6 +44623,7 @@ CVE-2019-3001 (Vulnerability in the PeopleSoft 
Enterprise SCM eProcurement produ
 CVE-2019-3000 (Vulnerability in the Oracle Marketing product of Oracle 
E-Business Sui ...)
NOT-FOR-US: Oracle
 CVE-2019-2999 (Vulnerability in the Java SE product of Oracle Java SE 
(component: Jav ...)
+   {DSA-4546-1}
- openjdk-11 11.0.5+10-1
- openjdk-8 8u232-b09-1
- openjdk-7 
@@ -44635,6 +44641,7 @@ CVE-2019-2993 (Vulnerability in the MySQL Server 
product of Oracle MySQL (compon
- mysql-5.7  (bug #942443)
NOTE: 
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL
 CVE-2019-2992 (Vulnerability in the Java SE, Java SE Embedded product of 
Oracle Java  ...)
+   {DSA-4546-1}
- openjdk-11 11.0.5+10-1
- openjdk-8 8u232-b09-1
- openjdk-7 
@@ -44643,14 +44650,17 @@ CVE-2019-2991 (Vulnerability in the MySQL Server 
product of Oracle MySQL (compon
 CVE-2019-2990 (Vulnerability in the Oracle iStore product of Oracle E-Business 
Suite  ...)
NOT-FOR-US: Oracle
 CVE-2019-2989 (Vulnerability in the Oracle GraalVM Enterprise Edition product 
of Orac ...)
+   {DSA-4546-1}
- openjdk-11 11.0.5+10-1
- openjdk-8 8u232-b09-1
- openjdk-7 
 CVE-2019-2988 (Vulnerability in the Java SE, Java SE Embedded product of 
Oracle Java  ...)
+   {DSA-4546-1}
- openjdk-11 11.0.5+10-1
- openjdk-8 8u232-b09-1
- openjdk-7 
 CVE-2019-2987 (Vulnerability in the Java SE product of Oracle Java SE 
(component: 2D) ...)
+   {DSA-4546-1}
- openjdk-11 11.0.5+10-1
- openjdk-8 8u232-b09-1
 CVE-2019-2986 (Vulnerability in the Oracle GraalVM Enterprise Edition product 
of Orac ...)
@@ -44661,12 +44671,14 @@ CVE-2019-2984 (Vulnerability in the Oracle VM 
VirtualBox product of Oracle Virtu
- virtualbox 6.0.14-dfsg-1
[jessie] - virtualbox  (DSA-3699-1)
 CVE-2019-2983 (Vulnerability in the Java SE, Java SE Embedded product of 
Oracle Java  ...)
+   {DSA-4546-1}
- openjdk-11 11.0.5+10-1
- openjdk-8 8u232-b09-1
- 

[Git][security-tracker-team/security-tracker][master] dla-needed: take python-reportlab

2019-10-21 Thread Hugo Lefeuvre


Hugo Lefeuvre pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
17f106e9 by Hugo Lefeuvre at 2019-10-21T07:59:36Z
dla-needed: take python-reportlab

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -113,7 +113,7 @@ polarssl
 --
 python-ecdsa (Markus Koschany)
 --
-python-reportlab
+python-reportlab (Hugo Lefeuvre)
 --
 radare2
   NOTE: 20190816: Affected by CVE-2019-14745. Vulnerable code is in



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/17f106e904478cd8139fec6bbae459e1079a5faa
