[Git][security-tracker-team/security-tracker][master] openjdk-8, tcpdump DSAs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ea8eba9c by Moritz Muehlenhoff at 2019-10-21T21:12:50Z openjdk-8, tcpdump DSAs - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,10 @@ +[21 Oct 2019] DSA-4548-1 openjdk-8 - security update + {CVE-2019-2894 CVE-2019-2945 CVE-2019-2949 CVE-2019-2962 CVE-2019-2964 CVE-2019-2973 CVE-2019-2975 CVE-2019-2978 CVE-2019-2981 CVE-2019-2983 CVE-2019-2987 CVE-2019-2988 CVE-2019-2989 CVE-2019-2992 CVE-2019-2999} + [stretch] - openjdk-8 8u232-b09-1~deb9u1 +[21 Oct 2019] DSA-4547-1 tcpdump - security update + {CVE-2018-10103 CVE-2018-10105 CVE-2018-14461 CVE-2018-14462 CVE-2018-14463 CVE-2018-14464 CVE-2018-14465 CVE-2018-14466 CVE-2018-14467 CVE-2018-14468 CVE-2018-14469 CVE-2018-14470 CVE-2018-14879 CVE-2018-14880 CVE-2018-14881 CVE-2018-14882 CVE-2018-16227 CVE-2018-16228 CVE-2018-16229 CVE-2018-16230 CVE-2018-16300 CVE-2018-16451 CVE-2018-16452 CVE-2019-15166} + [stretch] - tcpdump 4.9.3-1~deb9u1 + [buster] - tcpdump 4.9.3-1~deb10u1 [20 Oct 2019] DSA-4546-1 openjdk-11 - security update {CVE-2019-2894 CVE-2019-2945 CVE-2019-2949 CVE-2019-2962 CVE-2019-2964 CVE-2019-2973 CVE-2019-2975 CVE-2019-2977 CVE-2019-2978 CVE-2019-2981 CVE-2019-2983 CVE-2019-2987 CVE-2019-2988 CVE-2019-2989 CVE-2019-2992 CVE-2019-2999} [buster] - openjdk-11 11.0.5+10-1~deb10u1 = data/dsa-needed.txt = @@ -45,8 +45,6 @@ nodejs nss/oldstable (jmm) Roberto proposed an update including fixes for CVE-2018-12404 and CVE-2018-18508 -- -openjdk-8/oldstable (jmm) --- pam-python -- poppler (jmm) 
@@ -66,9 +64,6 @@ squid3/oldstable sssd Maintainer prepared an update and proposed debdiff, acked for upload, but update needs further testing before release. -- -tcpdump - Wait to settle in unstable/testing first --- wordpress -- xen/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ea8eba9c3c529cac88a1f59bd48a52e2dd2ccaa6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
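Review bot: in the data/DSA/list hunk, the CVE set of DSA-4548-1 for openjdk-8 lacks CVE-2019-2977, which the DSA-4546-1 openjdk-11 entry in the context lines does carry, while the other fifteen identifiers are identical between the two lists. If CVE-2019-2977 does not affect openjdk-8 the omission is correct, but it is worth confirming before the advisory text goes out, since a dropped identifier in this file also means the CVE entry never gets the {DSA-4548-1} tag.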
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 97c2f3eb by security tracker role at 2019-10-21T20:10:25Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,17 @@ +CVE-2019-18225 (An issue was discovered in Citrix Application Delivery Controller (ADC ...) + TODO: check +CVE-2019-18224 (idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a hea ...) + TODO: check +CVE-2019-18223 + RESERVED +CVE-2019-18222 + RESERVED +CVE-2019-18221 + RESERVED +CVE-2019-18220 + RESERVED +CVE-2019-18219 + RESERVED CVE-2019-18218 (cdf_read_property_info in cdf.c in file through 5.37 does not restrict ...) - file NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16780 @@ -32,8 +46,8 @@ CVE-2019-18205 RESERVED CVE-2019-18204 RESERVED -CVE-2019-18203 - RESERVED +CVE-2019-18203 (On the RICOH MP 501 printer, HTML Injection and Stored XSS vulnerabili ...) + TODO: check CVE-2019-18202 (Information Disclosure is possible on WAGO Series PFC100 and PFC200 de ...) NOT-FOR-US: WAGO Series PFC100 and PFC200 devices CVE-2019-18201 @@ -3406,7 +3420,7 @@ CVE-2019-17181 RESERVED CVE-2019-17180 (Valve Steam Client before 2019-09-12 allows placing or appending parti ...) NOT-FOR-US: Steam on Windows -CVE-2019-17179 (XSS in library/custom_template/add_template.php in OpenEMR through 5.0 ...) +CVE-2019-17179 (4.1.0, 4.1.1, 4.1.2, 4.1.2.3, 4.1.2.6, 4.1.2.7, 4.2.0, 4.2.1, 4.2.2, 5 ...) NOT-FOR-US: OpenEMR CVE-2019-17178 (HuffmanTree_makeFromFrequencies in lodepng.c in LodePNG through 2019-0 ...) TODO: check 
@@ -3644,7 +3658,7 @@ CVE-2019-17072 (The new-contact-form-widget (aka Contact Form Widget - Contact Q NOT-FOR-US: new-contact-form-widget (aka Contact Form Widget - Contact Query, Form Maker) plugin for WordPress CVE-2019-17071 (The client-dash (aka Client Dash) plugin 2.1.4 for WordPress allows XS ...) NOT-FOR-US: client-dash (aka Client Dash) plugin for WordPress -CVE-2019-17070 (The liquid-speech-balloon (aka LIQUID SPEECH BALLOON) plugin 1.0.5 for ...) +CVE-2019-17070 (The liquid-speech-balloon (aka LIQUID SPEECH BALLOON) plugin before 1. ...) NOT-FOR-US: liquid-speech-balloon (aka LIQUID SPEECH BALLOON) plugin for WordPress CVE-2019-17069 (PuTTY before 0.73 might allow remote SSH-1 servers to cause a denial o ...) - putty 0.73-1 (unimportant) 
@@ -3834,34 +3848,34 @@ CVE-2019-16994 (In the Linux kernel before 5.0, a memory leak exists in sit_init NOTE: https://git.kernel.org/linus/07f12b26e21ab359261bf75cfcb424fdc7daeb6d CVE-2019-16992 (The Keybase app 2.13.2 for iOS provides potentially insufficient notic ...) NOT-FOR-US: Keybase -CVE-2019-16991 - RESERVED -CVE-2019-16990 - RESERVED -CVE-2019-16989 - RESERVED -CVE-2019-16988 - RESERVED -CVE-2019-16987 - RESERVED -CVE-2019-16986 - RESERVED -CVE-2019-16985 - RESERVED -CVE-2019-16984 - RESERVED -CVE-2019-16983 - RESERVED -CVE-2019-16982 - RESERVED -CVE-2019-16981 - RESERVED -CVE-2019-16980 - RESERVED -CVE-2019-16979 - RESERVED -CVE-2019-16978 - RESERVED +CVE-2019-16991 (In FusionPBX up to v4.5.7, the file app\edit\filedelete.php uses an un ...) + TODO: check +CVE-2019-16990 (In FusionPBX up to v4.5.7, the file app/music_on_hold/music_on_hold.ph ...) + TODO: check +CVE-2019-16989 (In FusionPBX up to v4.5.7, the file app\conferences_active\conference_ ...) + TODO: check +CVE-2019-16988 (In FusionPBX up to v4.5.7, the file app\basic_operator_panel\resources ...) + TODO: check +CVE-2019-16987 (In FusionPBX up to v4.5.7, the file app\contacts\contact_import.php us ...) + TODO: check +CVE-2019-16986 (In FusionPBX up to v4.5.7, the file resources\download.php uses an uns ...) + TODO: check +CVE-2019-16985 (In FusionPBX up to v4.5.7, the file app\xml_cdr\xml_cdr_delete.php use ...) + TODO: check +CVE-2019-16984 (In FusionPBX up to v4.5.7, the file app\recordings\recording_play.php ...) + TODO: check +CVE-2019-16983 (In FusionPBX up to v4.5.7, the file resources\paging.php has a paging ...) + TODO: check +CVE-2019-16982 (In FusionPBX up to v4.5.7, the file app\access_controls\access_control ...) + TODO: check +CVE-2019-16981 (In FusionPBX up to v4.5.7, the file app\conference_profiles\conference ...) + TODO: check +CVE-2019-16980 (In FusionPBX up to v4.5.7, the file app\call_broadcast\call_broadcast_ ...) 
+ TODO: check +CVE-2019-16979 (In FusionPBX up to v4.5.7, the file app\contacts\contact_urls.php uses ...) + TODO: check +CVE-2019-16978 (In FusionPBX up to v4.5.7, the file app\devices\device_settings.php us ...) +
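Review bot: among the new TODO: check entries in the first hunk, CVE-2019-18224 (idn2_to_ascii_4i in GNU libidn2 before 2.1.1, a heap issue per the truncated summary) names a library that is a Debian source package, so it is the one entry here that cannot stay at TODO for long; once checked it needs a `- libidn2` line with the fixed version, or a bug number, rather than the NOT-FOR-US most of its neighbours will get.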
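Review bot: the CVE-2019-17179 hunk replaces a summary that named the affected file (library/custom_template/add_template.php in OpenEMR) with one that starts mid-way through a version list, so the product name no longer appears in the summary at all. The NOT-FOR-US: OpenEMR status line still carries it, which is enough for searches, but the truncated summary is worth knowing about if the description is ever re-synced from upstream.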
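Review bot: the fourteen FusionPBX entries in the last hunk (CVE-2019-16978 through CVE-2019-16991) describe one product and one version range ("up to v4.5.7"), so they should be triaged together to a single consistent status rather than left as fourteen separate TODO: check lines. This mail is cut off after the CVE-2019-16978 summary, so the status line of that last entry should be checked in the repository rather than assumed from the pattern.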
[Git][security-tracker-team/security-tracker][master] update note for slurm in dla-needed
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 37d676a3 by Abhijith PA at 2019-10-21T20:02:24Z update note for slurm in dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -117,6 +117,8 @@ ruby-haml (Utkarsh Gupta) -- slurm-llnl NOTE: 20190814: Contacted security of slurm-llnl for relevant commits (abhijith) + NOTE: 20191022: Big chunk to backport afa7d743f407c60a7c8a4bd98a10be32c82988b5 and + NOTE: 20191022: 750cc23edcc6fddfff21d33bdaf4fb7deb28cfda would be a start.(abhijith) -- spip (Thorsten Alteholz) NOTE: 20191013: testing package View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/37d676a34440b8b173b5cf86f80f53f1302403af
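Review bot: the two added NOTE lines are dated 20191022 while the commit itself is stamped 2019-10-21T20:02:24Z, so the date stamp is presumably local time; the other notes in the file (20190814 on the same entry, 20191013 on spip) use the same convention, so this is only a point to keep in mind if these dates are what the inactivity-based unclaim goes by. A style nit in the same hunk: a space is missing before "(abhijith)" at the end of the second note.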
[Git][security-tracker-team/security-tracker][master] new file issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9dbb3ce0 by Moritz Muehlenhoff at 2019-10-21T16:11:15Z new file issue new proftpd issue new rpyc issue new vaguish gridengine issue new rabbitserver issue exiv2 n/a NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,11 @@ CVE-2019-18218 (cdf_read_property_info in cdf.c in file through 5.37 does not restrict ...) - TODO: check + - file + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16780 + NOTE: https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84 CVE-2019-18217 (ProFTPD before 1.3.6b and 1.3.7rc before 1.3.7rc2 allows remote unauth ...) - TODO: check + - proftpd-dfsg + NOTE: https://github.com/proftpd/proftpd/commit/13fe9462787b9a551152162f46f1641d65fe4df4 + NOTE: https://github.com/proftpd/proftpd/issues/846 CVE-2019-18216 (** DISPUTED ** The BIOS configuration design on ASUS ROG Zephyrus M GM ...) NOT-FOR-US: BIOS configuration design on ASUS ROG Zephyrus M GM501GS laptops with BIOS 313 CVE-2019-18215 @@ -2928,7 +2932,7 @@ CVE-2019-17411 CVE-2019-17410 RESERVED CVE-2019-17409 (Reflected XSS exists in interface/forms/eye_mag/view.php in OpenEMR 5. ...) - TODO: check + NOT-FOR-US: OpenEMR CVE-2019-17408 (parserIfLabel in inc/zzz_template.php in ZZZCMS zzzphp 1.7.3 allows re ...) NOT-FOR-US: ZZZCMS CVE-2019-17407 @@ -4252,7 +4256,7 @@ CVE-2019-16864 CVE-2019-16863 RESERVED CVE-2019-16862 (Reflected XSS in interface/forms/eye_mag/view.php in OpenEMR 5.x befor ...) - TODO: check + NOT-FOR-US: OpenEMR CVE-2019-16861 RESERVED CVE-2019-16860 @@ -5569,7 +5573,7 @@ CVE-2019-16330 (In NCH Express Accounts Accounting v7.02, persistent cross site CVE-2019-16329 RESERVED CVE-2019-16328 (In RPyC 4.1.x through 4.1.1, a remote attacker can dynamically modify ...) - TODO: check + - rpyc CVE-2019-16327 RESERVED CVE-2019-16326 
@@ -11793,7 +11797,7 @@ CVE-2019-14439 (A Polymorphic Typing issue was discovered in FasterXML jackson-d NOTE: https://github.com/FasterXML/jackson-databind/issues/2389 NOTE: https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa0e3ffaaa6125b CVE-2018-20871 (In Univa Grid Engine before 8.6.3, when configured for Docker jobs and ...) - TODO: check, might affect src:gridengine as well + - gridengine CVE-2015-9290 (In FreeType before 2.6.1, a buffer over-read occurs in type1/t1parse.c ...) {DLA-1887-1} - freetype 2.6.1-0.1 @@ -12019,7 +12023,7 @@ CVE-2019-14369 (Exiv2::PngImage::readMetadata() in pngimage.cpp in Exiv2 0.27.99 NOTE: fixed through CVE-2019-13504 NOTE: https://github.com/Exiv2/exiv2/commit/bd0afe0390439b2c424d881c8c6eb0c5624e31d9 CVE-2019-14368 (Exiv2 0.27.99.0 has a heap-based buffer over-read in Exiv2::RafImage:: ...) - TODO: check + - exiv2 (Doesn't seem to affect 0.25) CVE-2019-14367 RESERVED CVE-2019-14366 @@ -21204,13 +21208,14 @@ CVE-2019-11286 CVE-2019-11285 RESERVED CVE-2019-11284 (Pivotal Reactor Netty, versions prior to 0.8.11, passes headers throug ...) - TODO: check + NOT-FOR-US: Pivotal CVE-2019-11283 RESERVED CVE-2019-11282 RESERVED CVE-2019-11281 (Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, ver ...) - TODO: check + - rabbitmq-server 3.7.18-1 (low) + NOTE: https://pivotal.io/security/cve-2019-11281 CVE-2019-11280 (Pivotal Apps Manager, included in Pivotal Application Service versions ...) NOT-FOR-US: Pivotal CVE-2019-11279 (CF UAA versions prior to 74.1.0 can request scopes for a client that s ...) 
@@ -22801,9 +22806,9 @@ CVE-2019-10718 (BlogEngine.NET 3.3.7.0 and earlier allows XML External Entity Bl CVE-2019-10717 (BlogEngine.NET 3.3.7.0 allows /api/filemanager Directory Traversal via ...) NOT-FOR-US: BlogEngine.NET CVE-2019-10716 (An Information Disclosure issue in Verodin Director 3.5.3.1 and earlie ...) - TODO: check + NOT-FOR-US: Verodin Director CVE-2019-10715 (There is Stored XSS in Verodin Director before 3.5.4.0 via input field ...) - TODO: check + NOT-FOR-US: Verodin Director CVE-2019-10714 (LocaleLowercase in MagickCore/locale.c in ImageMagick before 7.0.8-32 ...) - imagemagick (Vulnerable code introduced later) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1495 @@ -46834,15 +46839,15 @@ CVE-2019-2189 (In the Easel driver, there is possible memory corruption due to r CVE-2019-2188 (In the Easel driver, there is possible memory corruption due to race c ...) NOT-FOR-US: Android CVE-2019-2187 (In nfc_ncif_decode_rf_params of nfc_ncif.cc, there is a
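Review bot: the first hunk moves CVE-2019-18217 from TODO: check to `- proftpd-dfsg` with two upstream references but no severity marker, bug number or fixed version, although the summary says the issue is reachable by remote unauthenticated users; a severity in parentheses or a bug number, and a NOTE on whether a DSA is planned, would tell the next reader where this stands. The `- file` entry above it is in the same state and would benefit from the same additions.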
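Review bot: in the CVE-2018-20871 hunk the status goes from "TODO: check, might affect src:gridengine as well" to a bare `- gridengine`, and the commit message itself calls this a "vaguish gridengine issue"; a NOTE line recording why the Univa Grid Engine Docker-jobs problem is taken to apply to src:gridengine, and what the fix would be, would save the next triager from repeating the check.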
[Git][security-tracker-team/security-tracker][master] mark CVE-2017-9354 as not-affected for Jessie and earlier
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 961e0815 by Thorsten Alteholz at 2019-10-21T14:08:37Z mark CVE-2017-9354 as not-affected for Jessie and earlier - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -130545,8 +130545,8 @@ CVE-2017-9355 (XML external entity (XXE) vulnerability in the import playlist fe NOT-FOR-US: Subsonic CVE-2017-9354 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the RGMP dissector co ...) - wireshark 2.2.7-1 (bug #864058) - [jessie] - wireshark (Minor issue) - [wheezy] - wireshark (Minor issue) + [jessie] - wireshark (vulnerable code introduced later) + [wheezy] - wireshark (vulnerable code introduced later) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-32.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13646 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=5debcf56eda16064c10f4e22b3db326c8b53406b View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/961e0815e8f5266ac911c050759df393991694c3
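Review bot: the jessie and wheezy lines switch from "(Minor issue)" to "(vulnerable code introduced later)", which is a not-affected claim rather than a severity call, so it deserves evidence in the entry; the three existing NOTE links point at the advisory, the bug and the fixing commit only. Adding the upstream commit or release that introduced the RGMP dissector code would let the next triager verify the status without redoing the analysis.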
[Git][security-tracker-team/security-tracker][master] reclaim mosquitto
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: f16c9086 by Thorsten Alteholz at 2019-10-21T11:50:48Z reclaim mosquitto - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -81,7 +81,7 @@ linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) -- -mosquitto +mosquitto (Thorsten Alteholz) -- nghttp2 NOTE: 20190930: nghttp2 in jessie is likely not affected by CVE-2019-95{11,13}. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f16c908682f1a1cf2d59629aadcf3391e7784f50
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Holger Levsen pushed to branch master at Debian Security Tracker / security-tracker Commits: 9fceffb0 by Holger Levsen at 2019-10-21T10:18:40Z semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Holger Levsen hol...@layer-acht.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -43,7 +43,7 @@ libapache2-mod-auth-openidc NOTE: 20191011: Upstream patch tightens validation but jessie does not appear NOTE: 20191011: to have any validation whatsoever on first glance. (lamby) -- -libav (Mike Gabriel) +libav NOTE: 20190831: There are currently 19 CVE issues known for libav in jessie, NOTE: 20190831: 11 tagged as . These issues have been triaged, no patch NOTE: 20190831: has been found, so far. If you pick libav, be prepared to work @@ -81,9 +81,9 @@ linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) -- -mosquitto (Thorsten Alteholz) +mosquitto -- -nghttp2 (Mike Gabriel) +nghttp2 NOTE: 20190930: nghttp2 in jessie is likely not affected by CVE-2019-95{11,13}. NOTE: 20190930: waiting for feedback from Thorsten and Abhijith as they put NOTE: 20190930: work into the pkg triaging, too. (sunweaver) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9fceffb03293c446f50ac9e19dfb78fb6aee9339
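Review bot: the hunks drop the claimant names for libav, mosquitto and nghttp2 but keep the claimants' own NOTE lines, including the 20190930 nghttp2 note saying sunweaver is "waiting for feedback from Thorsten and Abhijith"; without a dated NOTE that the entry was unclaimed on 20191021, that text still reads like an active claim to whoever picks the package up next. The mosquitto unclaim was already reverted by the reclaim commit f16c9086 at 11:50 the same morning, so the two-week rule may want a quick check with the claimant before the automatic removal for packages where work is visibly ongoing.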
[Git][security-tracker-team/security-tracker][master] chacha20 doesn't exist in 1.0.1
Kurt Roeckx pushed to branch master at Debian Security Tracker / security-tracker Commits: dfa79add by Kurt Roeckx at 2019-10-21T09:52:21Z chacha20 doesn't exist in 1.0.1 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -49293,7 +49293,7 @@ CVE-2019-1544 CVE-2019-1543 (ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input ...) {DSA-4475-1} - openssl 1.1.1c-1 (low) - [jessie] - openssl (Minor issue, fix along in future DLA) + [jessie] - openssl (Vulnerability does not impact 1.0.1 series) - openssl1.0 (Vulnerability does not impact 1.0.2 series) NOTE: https://www.openssl.org/news/secadv/20190306.txt NOTE: OpenSSL_1_1_1-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=f426625b6ae9a7831010750490a5f0ad689c5ba3 (OpenSSL_1_1_1c) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dfa79add4cc7c28e5cdc326a983883e90648a861
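Review bot: the new jessie line copies the wording of the openssl1.0 line ("Vulnerability does not impact 1.0.1 series") while the commit message gives the actual reason, that ChaCha20-Poly1305 is not present in 1.0.1 at all; putting that reason in the parenthesis, or in a NOTE, makes the not-affected status self-explanatory and distinguishes it from the 1.0.2 case, whose reason may be different.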
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2019-{14981,11470}: remove triage
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 84b9f3a7 by Hugo Lefeuvre at 2019-10-21T08:47:57Z CVE-2019-{14981,11470}: remove postponed triage fixed via DLA-1968-1 - - - - - 785616ac by Hugo Lefeuvre at 2019-10-21T08:52:05Z dsa-needed: add python-reportlab, take it CVE-2019-17626, remote code execution - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -9605,7 +9605,6 @@ CVE-2019-14982 (In Exiv2 before v0.27.2, there is an integer overflow vulnerabil NOTE: https://github.com/Exiv2/exiv2/pull/962/commits/e925bc5addd881543fa503470c8a859e112cca62 CVE-2019-14981 (In ImageMagick 7.x before 7.0.8-41 and 6.x before 6.9.10-41, there is ...) - imagemagick - [jessie] - imagemagick (can be fixed along with more important issues) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1552 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/b522d2d857d2f75b659936b59b0da9df1682c256 CVE-2019-14980 (In ImageMagick 7.x before 7.0.8-42 and 6.x before 6.9.10-42, there is ...) @@ -20721,7 +20720,6 @@ CVE-2019-11470 (The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows - imagemagick (low; bug #927830) [buster] - imagemagick (Minor issue) [stretch] - imagemagick (Minor issue) - [jessie] - imagemagick (can be fixed along with more important issues) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1472 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/a0473b29add9521ffd4c74f6f623b418811762b0 CVE-2018-20822 (LibSass 3.5.4 allows attackers to cause a denial-of-service (uncontrol ...) = data/dsa-needed.txt = 
@@ -53,6 +53,8 @@ poppler (jmm) -- python3.5 (jmm) -- +python-reportlab (hle) +-- simplesamlphp/oldstable -- slurm-llnl (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/0b128825ec0ad730303a944b6d0c446a8d3a9613...785616ac9bdcc615cf3514f61acaebf7881ddc74
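Review bot: the two data/CVE/list hunks remove the jessie "(can be fixed along with more important issues)" lines for CVE-2019-14981 and CVE-2019-11470 but do not add the {DLA-1968-1} line that marks them fixed; the automatic update does add such lines from data/DLA/list (commit fb427565 adds {DLA-1967-1} to CVE-2019-15165), so this is fine if that run is relied on, but until it happens both entries show as open in jessie with no triage note at all.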
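Review bot: the data/dsa-needed.txt hunk adds `python-reportlab (hle)` with no NOTE, while the commit message records the reason (CVE-2019-17626, remote code execution); a one-line NOTE under the entry would keep that visible next to the claim, as the other entries in the file do.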
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1968-1 for imagemagick
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 0b128825 by Hugo Lefeuvre at 2019-10-21T08:44:03Z Reserve DLA-1968-1 for imagemagick - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[21 Oct 2019] DLA-1968-1 imagemagick - security update + {CVE-2019-11470 CVE-2019-14981 CVE-2019-15139 CVE-2019-15140} + [jessie] - imagemagick 8:6.8.9.9-5+deb8u18 [21 Oct 2019] DLA-1967-1 libpcap - security update {CVE-2019-15165} [jessie] - libpcap 1.6.2-2+deb8u1 = data/dla-needed.txt = @@ -32,16 +32,6 @@ hdf5 ibus NOTE: 20191020: Fix for regression in KDE apps still not available (apo) -- -imagemagick (Hugo Lefeuvre) - NOTE: CVE-2019-13391, CVE-2019-13308: patch is large, undocumented and potentially - NOTE: insufficient. wait for upstream to answer on bug report, or tag . - NOTE: CVE-2019-10131: patch is sufficient, but technically so-so in my opinion: - NOTE: instead of avoiding off-by-one reads (check length BEFORE reading, not after!) - NOTE: we allocate one more byte. this works, but does not 'obviously' fix the issue and - NOTE: can be misleading... DEP3 comments would be nice. (hle) - NOTE: 20191019: preparing an update for the new batch of CVEs. - NOTE: CVE-2019-17540: unclear upstream fixes in ImageMagick6, this is very messy. --- imapfilter NOTE: 20190910: No patch exists but a possible solution. Note that openssl in NOTE: Jessie is < 1.0.2. (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0b128825ec0ad730303a944b6d0c446a8d3a9613
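Review bot: the data/dla-needed.txt hunk removes the whole imagemagick entry, including the triage notes for CVE-2019-13391, CVE-2019-13308, CVE-2019-10131 and CVE-2019-17540, none of which appear in the DLA-1968-1 CVE list {CVE-2019-11470 CVE-2019-14981 CVE-2019-15139 CVE-2019-15140} added in the first hunk. If those four remain open for jessie, the reasoning recorded here (large undocumented patch, a fix that allocates an extra byte instead of checking the length before the read, unclear upstream fixes in ImageMagick6) should move to NOTE lines on the CVE entries in data/CVE/list, or the dla-needed entry should stay with the remaining CVEs, so that the next update does not start from scratch.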
[Git][security-tracker-team/security-tracker][master] CVE-2019-17626/python-reportlab: add Debian bug report
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: f90538b4 by Hugo Lefeuvre at 2019-10-21T08:32:39Z CVE-2019-17626/python-reportlab: add Debian bug report - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2177,7 +2177,7 @@ CVE-2019-17628 CVE-2019-17627 (The Yale Bluetooth Key application for mobile devices allows unauthori ...) NOT-FOR-US: Yale Bluetooth Key application for mobile devices CVE-2019-17626 (ReportLab through 3.5.26 allows remote code execution because of toCol ...) - - python-reportlab + - python-reportlab (bug #942763) NOTE: https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code CVE-2019-17625 (There is a stored XSS in Rambox 0.6.9 that can lead to code execution. ...) NOT-FOR-US: Rambox View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f90538b473ffdbc897502103c97a66e0fb47ccf3
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fb427565 by security tracker role at 2019-10-21T08:10:13Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2019-18218 (cdf_read_property_info in cdf.c in file through 5.37 does not restrict ...) + TODO: check +CVE-2019-18217 (ProFTPD before 1.3.6b and 1.3.7rc before 1.3.7rc2 allows remote unauth ...) + TODO: check CVE-2019-18216 (** DISPUTED ** The BIOS configuration design on ASUS ROG Zephyrus M GM ...) NOT-FOR-US: BIOS configuration design on ASUS ROG Zephyrus M GM501GS laptops with BIOS 313 CVE-2019-18215 @@ -2923,8 +2927,8 @@ CVE-2019-17411 RESERVED CVE-2019-17410 RESERVED -CVE-2019-17409 - RESERVED +CVE-2019-17409 (Reflected XSS exists in interface/forms/eye_mag/view.php in OpenEMR 5. ...) + TODO: check CVE-2019-17408 (parserIfLabel in inc/zzz_template.php in ZZZCMS zzzphp 1.7.3 allows re ...) NOT-FOR-US: ZZZCMS CVE-2019-17407 @@ -4247,8 +4251,8 @@ CVE-2019-16864 RESERVED CVE-2019-16863 RESERVED -CVE-2019-16862 - RESERVED +CVE-2019-16862 (Reflected XSS in interface/forms/eye_mag/view.php in OpenEMR 5.x befor ...) + TODO: check CVE-2019-16861 RESERVED CVE-2019-16860 @@ -8895,6 +8899,7 @@ CVE-2019-15166 (lmp_print_data_link_subobjs() in print-lmp.c in tcpdump before 4 - tcpdump 4.9.3-1 (bug #941698) NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/0b661e0aa61850234b64394585cf577aac570bf4 CVE-2019-15165 (sf-pcapng.c in libpcap before 1.9.1 does not properly validate the PHB ...) + {DLA-1967-1} - libpcap 1.9.1-1 (bug #941697) NOTE: https://github.com/the-tcpdump-group/libpcap/commit/87d6bef033062f969e70fa40c43dfd945d5a20ab NOTE: https://github.com/the-tcpdump-group/libpcap/commit/a5a36d9e82dde7265e38fe1f87b7f11c461c29f6 
@@ -22797,10 +22802,10 @@ CVE-2019-10718 (BlogEngine.NET 3.3.7.0 and earlier allows XML External Entity Bl NOT-FOR-US: BlogEngine.NET CVE-2019-10717 (BlogEngine.NET 3.3.7.0 allows /api/filemanager Directory Traversal via ...) NOT-FOR-US: BlogEngine.NET -CVE-2019-10716 - RESERVED -CVE-2019-10715 - RESERVED +CVE-2019-10716 (An Information Disclosure issue in Verodin Director 3.5.3.1 and earlie ...) + TODO: check +CVE-2019-10715 (There is Stored XSS in Verodin Director before 3.5.4.0 via input field ...) + TODO: check CVE-2019-10714 (LocaleLowercase in MagickCore/locale.c in ImageMagick before 7.0.8-32 ...) - imagemagick (Vulnerable code introduced later) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1495 @@ -44618,6 +44623,7 @@ CVE-2019-3001 (Vulnerability in the PeopleSoft Enterprise SCM eProcurement produ CVE-2019-3000 (Vulnerability in the Oracle Marketing product of Oracle E-Business Sui ...) NOT-FOR-US: Oracle CVE-2019-2999 (Vulnerability in the Java SE product of Oracle Java SE (component: Jav ...) + {DSA-4546-1} - openjdk-11 11.0.5+10-1 - openjdk-8 8u232-b09-1 - openjdk-7 @@ -44635,6 +44641,7 @@ CVE-2019-2993 (Vulnerability in the MySQL Server product of Oracle MySQL (compon - mysql-5.7 (bug #942443) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL CVE-2019-2992 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) + {DSA-4546-1} - openjdk-11 11.0.5+10-1 - openjdk-8 8u232-b09-1 - openjdk-7 
@@ -44643,14 +44650,17 @@ CVE-2019-2991 (Vulnerability in the MySQL Server product of Oracle MySQL (compon CVE-2019-2990 (Vulnerability in the Oracle iStore product of Oracle E-Business Suite ...) NOT-FOR-US: Oracle CVE-2019-2989 (Vulnerability in the Oracle GraalVM Enterprise Edition product of Orac ...) + {DSA-4546-1} - openjdk-11 11.0.5+10-1 - openjdk-8 8u232-b09-1 - openjdk-7 CVE-2019-2988 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) + {DSA-4546-1} - openjdk-11 11.0.5+10-1 - openjdk-8 8u232-b09-1 - openjdk-7 CVE-2019-2987 (Vulnerability in the Java SE product of Oracle Java SE (component: 2D) ...) + {DSA-4546-1} - openjdk-11 11.0.5+10-1 - openjdk-8 8u232-b09-1 CVE-2019-2986 (Vulnerability in the Oracle GraalVM Enterprise Edition product of Orac ...) @@ -44661,12 +44671,14 @@ CVE-2019-2984 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtu - virtualbox 6.0.14-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2983 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) + {DSA-4546-1} - openjdk-11 11.0.5+10-1 - openjdk-8 8u232-b09-1 -
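Review bot: the Oracle Java hunks tag each CVE with {DSA-4546-1} for openjdk-11 while the openjdk-8 lines directly below (8u232-b09-1) stay without a DSA reference; DSA-4548-1 for openjdk-8 was added to data/DSA/list by commit ea8eba9c later the same day, so the next automatic run should extend these same tag lines with DSA-4548-1. This mail is cut off after CVE-2019-2983, so the entries past that point cannot be checked from here.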
[Git][security-tracker-team/security-tracker][master] dla-needed: take python-reportlab
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 17f106e9 by Hugo Lefeuvre at 2019-10-21T07:59:36Z dla-needed: take python-reportlab - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -113,7 +113,7 @@ polarssl -- python-ecdsa (Markus Koschany) -- -python-reportlab +python-reportlab (Hugo Lefeuvre) -- radare2 NOTE: 20190816: Affected by CVE-2019-14745. Vulnerable code is in View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/17f106e904478cd8139fec6bbae459e1079a5faa