[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-1923{2,4}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cf453284 by Salvatore Bonaccorso at 2019-12-23T06:59:14Z Add Debian bug reference for CVE-2019-1923{2,4} - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6246,14 +6246,14 @@ CVE-2019-19236 CVE-2019-19235 (AsLdrSrv.exe in ASUS ATK Package before V1.0.0061 (for Windows 10 note ...) NOT-FOR-US: ASUS CVE-2019-19234 (In Sudo through 1.8.29, the fact that a user has been blocked (e.g., b ...) - - sudo + - sudo (bug #947225) [buster] - sudo (Minor issue) [stretch] - sudo (Minor issue) NOTE: https://www.sudo.ws/devel.html#1.8.30b2 CVE-2019-19233 RESERVED CVE-2019-19232 (In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer ...) - - sudo + - sudo (bug #947225) [buster] - sudo (Minor issue) [stretch] - sudo (Minor issue) NOTE: https://www.sudo.ws/devel.html#1.8.30b2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cf453284c01bb5ff617b153dc0623b019bfb2ea5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cf453284c01bb5ff617b153dc0623b019bfb2ea5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
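Review bot: In the @@ -6246 hunk both CVE-2019-19234 and CVE-2019-19232 now cite the same bug #947225, which is fine for two issues handled by one upload, but the unstable line `- sudo (bug #947225)` still carries no fixed version and the only NOTE points at the 1.8.30b2 beta; once sudo 1.8.30 is uploaded the version should be recorded so the tracker stops listing unstable as vulnerable.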
[Git][security-tracker-team/security-tracker][master] Several tightvnc issues fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7990e1f2 by Salvatore Bonaccorso at 2019-12-23T06:05:24Z Several tightvnc issues fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18783,7 +18783,7 @@ CVE-2019-15681 (LibVNC commit before d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a co [stretch] - libvncserver (Minor issue) - italc [stretch] - italc (Minor issue) - - tightvnc + - tightvnc 1:1.3.9-9.1 [buster] - tightvnc (Minor issue) [stretch] - tightvnc (Minor issue) - vino (bug #945784) @@ -18792,20 +18792,20 @@ CVE-2019-15681 (LibVNC commit before d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a co NOTE: https://github.com/LibVNC/libvncserver/commit/d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a CVE-2019-15680 (TightVNC code version 1.3.10 contains null pointer dereference in Hand ...) {DLA-2045-1} - - tightvnc (unimportant; bug #945364) + - tightvnc 1:1.3.9-9.1 (unimportant; bug #945364) - italc (unimportant) - libvncserver (unimportant) NOTE: https://www.openwall.com/lists/oss-security/2018/12/10/5 NOTE: https://github.com/sunweaver/libvncserver/commit/85d00057b5daf71675462c9b175d8cb2d47cd0e1 CVE-2019-15679 (TightVNC code version 1.3.10 contains heap buffer overflow in Initiali ...) {DLA-2045-1} - - tightvnc (bug #945364) + - tightvnc 1:1.3.9-9.1 (bug #945364) NOTE: https://www.openwall.com/lists/oss-security/2018/12/10/5 NOTE: https://github.com/LibVNC/libvncserver/commit/c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7 NOTE: part of CVE-2018-20748/libvncserver CVE-2019-15678 (TightVNC code version 1.3.10 contains heap buffer overflow in rfbServe ...) {DLA-2045-1} - - tightvnc (bug #945364) + - tightvnc 1:1.3.9-9.1 (bug #945364) NOTE: https://www.openwall.com/lists/oss-security/2018/12/10/5 NOTE: https://github.com/LibVNC/libvncserver/commit/c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a NOTE: part of CVE-2018-20748/libvnvserver 
@@ -42259,7 +42259,7 @@ CVE-2019-8288 (Vulnerability in Online Store v1.0, Stored XSS in user_view.php w NOT-FOR-US: Online Store System CVE-2019-8287 (TightVNC code version 1.3.10 contains global buffer overflow in Handle ...) {DLA-2045-1} - - tightvnc (bug #945364) + - tightvnc 1:1.3.9-9.1 (bug #945364) NOTE: https://www.openwall.com/lists/oss-security/2018/12/10/5 NOTE: same as CVE-2018-20020/libvncserver CVE-2019-8286 (Information Disclosure in Kaspersky Anti-Virus, Kaspersky Internet Sec ...) @@ -59241,7 +59241,7 @@ CVE-2018-20022 (LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains - libvncserver 0.9.11+dfsg-1.2 (bug #916941) - italc - ssvnc 1.0.29-5 (bug #945827) - - tightvnc + - tightvnc 1:1.3.9-9.1 - veyon 4.1.4+repack1-1 NOTE: https://github.com/LibVNC/libvncserver/issues/252 NOTE: https://github.com/LibVNC/libvncserver/commit/2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 @@ -59251,7 +59251,7 @@ CVE-2018-20021 (LibVNC before commit c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c co - libvncserver 0.9.11+dfsg-1.2 (bug #916941) - italc - ssvnc 1.0.29-5 (bug #945827) - - tightvnc + - tightvnc 1:1.3.9-9.1 - veyon 4.1.4+repack1-1 NOTE: https://github.com/LibVNC/libvncserver/issues/251 NOTE: https://github.com/LibVNC/libvncserver/commit/c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c @@ -97832,7 +97832,7 @@ CVE-2018-7225 (An issue was discovered in LibVNCServer through 0.9.11. rfbProces {DSA-4221-1 DLA-2045-1 DLA-2014-1 DLA-1979-1 DLA-1332-1} - libvncserver 0.9.11+dfsg-1.1 (bug #894045) - italc - - tightvnc + - tightvnc 1:1.3.9-9.1 - vino (bug #945784) NOTE: https://github.com/LibVNC/libvncserver/issues/218 NOTE: https://github.com/LibVNC/libvncserver/commit/b0c77391e6bd0a2305bbc9b37a2499af74ddd9ee 
@@ -235762,7 +235762,7 @@ CVE-2014-6053 (The rfbProcessClientNormalMessage function in libvncserver/rfbser {DSA-3081-1 DLA-2045-1 DLA-2014-1 DLA-1979-1 DLA-197-1} - libvncserver 0.9.9+dfsg-6.1 (bug #762745) - italc 1:3.0.1+dfsg1-1 - - tightvnc + - tightvnc 1:1.3.9-9.1 - vino (bug #945784) NOTE: https://github.com/newsoft/libvncserver/commit/6037a9074d52b1963c97cb28ea1096c7c14cbf28 CVE-2014-6052 (The HandleRFBServerMessage function in libvncclient/rfbproto.c in LibV ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7990e1f212b6b15e09d66daa6f6598b3e072b3a9 -- View it on GitLab:
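Review bot: In the @@ -18792 hunk the unchanged context line `NOTE: part of CVE-2018-20748/libvnvserver` under CVE-2019-15678 misspells the package as `libvnvserver` (the same NOTE under CVE-2019-15679 has `libvncserver`); worth fixing in the same pass since the NOTE is meant to cross-reference the package.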
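Review bot: In the @@ -59241, @@ -59251 and @@ -97832 hunks the tightvnc line gains 1:1.3.9-9.1 while the neighbouring context line `- italc` in the same entries still has no version, so italc remains listed as unfixed in unstable for CVE-2018-20022, CVE-2018-20021 and CVE-2018-7225; either a fixed version or an explicit status note for italc would make these entries consistent with the @@ -235762 hunk, where italc does carry `1:3.0.1+dfsg1-1` for CVE-2014-6053.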
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-19791/lemonldap-ng
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: abf1dbd0 by Salvatore Bonaccorso at 2019-12-23T05:48:55Z Add CVE-2019-19791/lemonldap-ng - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -969,8 +969,13 @@ CVE-2019-19793 (In Cyxtera AppGate SDP Client 4.1.x through 4.3.x before 4.3.2 o NOT-FOR-US: Cyxtera AppGate SDP Client CVE-2019-19792 RESERVED -CVE-2019-19791 +CVE-2019-19791 [Apache access rules and SOAP/REST endpoints issue] RESERVED + - lemonldap-ng + [buster] - lemonldap-ng (Minor issue) + [stretch] - lemonldap-ng (Minor issue) + NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1943 + NOTE: https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-0-7-is-out/ CVE-2019-19790 (Path traversal in RadChart in Telerik UI for ASP.NET AJAX allows a rem ...) NOT-FOR-US: Telerik UI for ASP.NET AJAX CVE-2019-19789 (3S-Smart CODESYS SP Realtime NT before V2.3.7.28, CODESYS Runtime Tool ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/abf1dbd0fedf6dda04a0c742f67835210b1c689d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/abf1dbd0fedf6dda04a0c742f67835210b1c689d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
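Review bot: In the @@ -969 hunk the new CVE-2019-19791 entry lists `- lemonldap-ng` with no fixed version, so unstable is tracked as vulnerable even though the second NOTE links the 2.0.7 release announcement; once the 2.0.7 package reaches unstable the version should be filled in. The bracketed description `[Apache access rules and SOAP/REST endpoints issue]` is the appropriate placeholder while the CVE is still RESERVED.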
[Git][security-tracker-team/security-tracker][master] CVE-2019-16787 confirmed REJECTED and remote notes
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7f3c52c6 by Salvatore Bonaccorso at 2019-12-23T05:19:22Z CVE-2019-16787 confirmed REJECTED and remote notes Should be in MITRE feed in one of the next updates accordingly. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -110,10 +110,8 @@ CVE-2019-19906 (cyrus-sasl (aka Cyrus SASL) 2.1.27 has an out-of-bounds write le - cyrus-sasl2 (bug #947043) NOTE: https://github.com/cyrusimap/cyrus-sasl/issues/587 NOTE: https://www.openldap.org/its/index.cgi/Incoming?id=9123 -CVE-2019-16787 (In NatHack between 3.6.0 and 3.6.3, a buffer overflow issue exists whe ...) - NOTE: https://github.com/NetHack/NetHack/security/advisories/GHSA-3cm7-rgh5-9pq5 - NOTE: Duplicate of CVE-2019-19905 - TODO: wait for MITRE CNA on feedback +CVE-2019-16787 + REJECTED CVE-2019-19905 (NetHack before 3.6.4 is prone to a buffer overflow vulnerability when ...) - nethack (low; bug #947005) [buster] - nethack (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7f3c52c6e1a8419d26a039e0fac45da6a669bbf6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7f3c52c6e1a8419d26a039e0fac45da6a669bbf6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
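Review bot: The @@ -110 hunk drops the `NOTE: Duplicate of CVE-2019-19905` line together with the TODO, so a reader of the REJECTED entry no longer sees which CVE supersedes it; keeping a line such as `NOTE: Rejected as duplicate of CVE-2019-19905` under `REJECTED` would preserve that cross-reference.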
[Git][security-tracker-team/security-tracker][master] dla: still ongoing
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 81bc7576 by Adrian Bunk at 2019-12-22T23:03:11Z dla: still ongoing - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -56,7 +56,7 @@ libmatio (Adrian Bunk) NOTE: 20190428: is likely vulnerable NOTE: 20190428: some CVE testcases still fail after applying the fix, NOTE: 20190428: older changes seem to also be required for them - NOTE: 20191208: work is ongoing + NOTE: 20191223: work is ongoing -- linux (Ben Hutchings) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/81bc757680c2a23663a26517e1200a45c5761e8b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/81bc757680c2a23663a26517e1200a45c5761e8b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
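Review bot: The @@ -56 hunk only bumps the date stamp of the libmatio entry; the earlier NOTE lines (20190428) still describe failing CVE test cases and possibly required older changes, so a one-line NOTE saying which of those items remains open would make the status useful to another LTS contributor.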
[Git][security-tracker-team/security-tracker][master] update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 6a3ab39f by Thorsten Alteholz at 2019-12-22T22:35:06Z update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -77,7 +77,7 @@ nethack (Abhijith PA) NOTE: 20191220: E.g. fixes in proc_wizkit_line() need to go into read_wizkit(), etc. (sunweaver) -- opendmarc (Thorsten Alteholz) - NOTE: 20191208: still testing package, original patch does not seem to be enough, still ongoing + NOTE: 20191222: still testing package, original patch does not seem to be enough, still ongoing -- otrs2 (Abhijith PA) NOTE: otrs2 is in jessie/main so it should be taken care off View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6a3ab39f7ca1c3a4333b117c151b366cd7b854c6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6a3ab39f7ca1c3a4333b117c151b366cd7b854c6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
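Review bot: The @@ -77 hunk bumps the opendmarc date only; the unchanged context line for otrs2, `so it should be taken care off`, should read `taken care of` and could be corrected in the same pass.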
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2047-1 for cups
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: bf16b932 by Thorsten Alteholz at 2019-12-22T22:20:18Z Reserve DLA-2047-1 for cups - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[22 Dec 2019] DLA-2047-1 cups - security update + {CVE-2019-2228} + [jessie] - cups 1.7.5-11+deb8u7 [22 Dec 2019] DLA-2038-2 x2goclient - regression update [jessie] - x2goclient 4.0.3.1-4+deb8u1 [22 Dec 2019] DLA-2046-1 opensc - security update = data/dla-needed.txt = @@ -22,8 +22,6 @@ apache-log4j1.2 (Chris Lamb) clamav (Hugo Lefeuvre) NOTE: 20191216: waiting for 0.102.1 to enter stretch/buster. -- -cups (Thorsten Alteholz) --- git (Roberto C. Sánchez) -- ibus (Emilio) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bf16b93267df263eb8fc7a35c6c042694f6587d6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bf16b93267df263eb8fc7a35c6c042694f6587d6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track proposed fixed for npm via buster-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8d4352bd by Salvatore Bonaccorso at 2019-12-22T21:51:30Z Track proposed fixed for npm via buster-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -51,6 +51,12 @@ CVE-2019-3866 [buster] - python-mistral-lib 1.0.0-1+deb10u1 CVE-2019-5429 [buster] - filezilla 3.39.0-2+deb10u1 +CVE-2019-16775 + [buster] - npm 5.8.0+ds6-4+deb10u1 +CVE-2019-16776 + [buster] - npm 5.8.0+ds6-4+deb10u1 +CVE-2019-16777 + [buster] - npm 5.8.0+ds6-4+deb10u1 CVE-2019-14814 [buster] - linux 4.19.87-1 CVE-2019-14815 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8d4352bda5127d2aa6b059a4fb77b0b4796f73fd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8d4352bda5127d2aa6b059a4fb77b0b4796f73fd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-19922/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 08ec72f4 by Salvatore Bonaccorso at 2019-12-22T20:32:36Z Add CVE-2019-19922/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,6 @@ CVE-2019-19922 (kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quo ...) - TODO: check + - linux 5.3.9-1 + NOTE: https://git.kernel.org/linus/de53fd7aedb100f03e5d2231cfce0e4993282425 CVE-2019-19921 RESERVED CVE-2019-19919 (Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Poll ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/08ec72f4548f6e724c781bf802fd250b6a45ffd3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/08ec72f4548f6e724c781bf802fd250b6a45ffd3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
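Review bot: The @@ -1,5 hunk records only the unstable fix (`- linux 5.3.9-1`); no `[buster]` or `[stretch]` sub-entries are added, so both suites will be reported as vulnerable for CVE-2019-19922 until their status (a point-update version or `Minor issue`) is recorded, either here or in data/next-point-update.txt.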
[Git][security-tracker-team/security-tracker][master] Sync pending CVEs for src:linux via buster-pu with kernel-sec
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 20cbc7ae by Salvatore Bonaccorso at 2019-12-22T20:29:40Z Sync pending CVEs for src:linux via buster-pu with kernel-sec - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -139,6 +139,8 @@ CVE-2019-19534 [buster] - linux 4.19.87-1 CVE-2019-19537 [buster] - linux 4.19.87-1 +CVE-2019-19922 + [buster] - linux 4.19.87-1 CVE-2019-19060 [buster] - linux 4.19.87-1 CVE-2019-19075 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/20cbc7aec8cc2f9d99a0213370a0f80d44e779ee -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/20cbc7aec8cc2f9d99a0213370a0f80d44e779ee You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d23dfd81 by security tracker role at 2019-12-22T20:10:21Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2019-19922 (kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quo ...) + TODO: check +CVE-2019-19921 + RESERVED CVE-2019-19919 (Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Poll ...) - node-handlebars NOTE: https://www.npmjs.com/advisories/1164 @@ -85087,7 +85091,7 @@ CVE-2018-1000183 (A exposure of sensitive information vulnerability exists in Je NOT-FOR-US: Jenkins plugin CVE-2018-1000182 (A server-side request forgery vulnerability exists in Jenkins Git Plug ...) NOT-FOR-US: Jenkins plugin -CVE-2019-19920 +CVE-2019-19920 (sa-exim 4.2.1 allows attackers to execute arbitrary code if they can w ...) - sa-exim (bug #947198) [buster] - sa-exim (Minor issue; can be fixed via point release) [stretch] - sa-exim (Minor issue; can be fixed via point release) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d23dfd81b523f72e040d58f89939cfbaa141dc74 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d23dfd81b523f72e040d58f89939cfbaa141dc74 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Clarify that sa-exim issues are documented in README.greylisting.gz
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 55c1e2f8 by Salvatore Bonaccorso at 2019-12-22T20:07:11Z Clarify that sa-exim issues are documented in README.greylisting.gz - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -85096,7 +85096,8 @@ CVE-2019-19920 NOTE: https://marc.info/?l=spamassassin-users=157668305026635=2 NOTE: The issue is "effectively" mitigating due to the CVE-2018-11805 fix in NOTE: spamassassin, making the Greylisting.pm non-functional (and so a functional - NOTE: regression as well as tracked in #946829) + NOTE: regression as well as tracked in #946829). The security implications are + NOTE: as well documented in /usr/share/doc/sa-exim/README.greylisting.gz CVE-2018-11805 (In Apache SpamAssassin before 3.4.3, nefarious CF files can be configu ...) {DSA-4584-1 DLA-2037-1} - spamassassin 3.4.3~rc6-1 (bug #946652) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/55c1e2f83e5b1702a8adbdcf80a495b44ddd897f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/55c1e2f83e5b1702a8adbdcf80a495b44ddd897f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
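Review bot: In the @@ -85096 hunk the added text `The security implications are as well documented in ...` reads more naturally as `are also documented in ...`, and the unchanged context line above it says `effectively mitigating` where `effectively mitigated` is meant; both could be fixed in the same NOTE block.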
[Git][security-tracker-team/security-tracker][master] 2 commits: Add CVE-2019-19920/sa-exim
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 28d182f6 by Salvatore Bonaccorso at 2019-12-22T19:41:27Z Add CVE-2019-19920/sa-exim - - - - - a0978ba4 by Salvatore Bonaccorso at 2019-12-22T19:47:23Z Add Debian bug reference for CVE-2019-19920/sa-exim - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -85087,6 +85087,16 @@ CVE-2018-1000183 (A exposure of sensitive information vulnerability exists in Je NOT-FOR-US: Jenkins plugin CVE-2018-1000182 (A server-side request forgery vulnerability exists in Jenkins Git Plug ...) NOT-FOR-US: Jenkins plugin +CVE-2019-19920 + - sa-exim (bug #947198) + [buster] - sa-exim (Minor issue; can be fixed via point release) + [stretch] - sa-exim (Minor issue; can be fixed via point release) + NOTE: https://bugs.debian.org/946829#24 + NOTE: https://marc.info/?l=spamassassin-users=157668107325768=2 + NOTE: https://marc.info/?l=spamassassin-users=157668305026635=2 + NOTE: The issue is "effectively" mitigating due to the CVE-2018-11805 fix in + NOTE: spamassassin, making the Greylisting.pm non-functional (and so a functional + NOTE: regression as well as tracked in #946829) CVE-2018-11805 (In Apache SpamAssassin before 3.4.3, nefarious CF files can be configu ...) {DSA-4584-1 DLA-2037-1} - spamassassin 3.4.3~rc6-1 (bug #946652) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/608c1e324e9949553b9d6ef57302fbbc89b21b4b...a0978ba4edfea846f64a7182e7149ec26a84b508 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/608c1e324e9949553b9d6ef57302fbbc89b21b4b...a0978ba4edfea846f64a7182e7149ec26a84b508 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
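Review bot: In the @@ -85087 hunk the new NOTE `The issue is "effectively" mitigating due to the CVE-2018-11805 fix` should read `mitigated`. The two marc.info links also appear as `?l=spamassassin-users=157668107325768=2`, with no `&m=`/`&w=` separators, which is not a valid marc.info query string; worth checking that the stored URLs are in the full `?l=<list>&m=<id>&w=2` form.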
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2019-14870/heimdal
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 071a9dd4 by Salvatore Bonaccorso at 2019-12-22T13:59:18Z Add fixed version for CVE-2019-14870/heimdal - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21378,7 +21378,7 @@ CVE-2019-14870 (All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 an [buster] - samba (Minor issue) [stretch] - samba (Minor issue) [jessie] - samba (Minor issue) - - heimdal (bug #946786) + - heimdal 7.7.0+dfsg-1 (bug #946786) [buster] - heimdal (Minor issue) [stretch] - heimdal (Minor issue) [jessie] - heimdal (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/071a9dd4df78b7794ca75e53b21c7461839f5b34 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/071a9dd4df78b7794ca75e53b21c7461839f5b34 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim apache-log4j1.2 with the intention to investigate EOLing it.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 6d93d77c by Chris Lamb at 2019-12-22T13:15:25Z data/dla-needed.txt: Claim apache-log4j1.2 with the intention to investigate EOLing it. (Avoiding potential for duplicate work) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -15,7 +15,7 @@ ansible NOTE: CVE-2019-14846 should be an easy fix. NOTE: CVE-2019-14858's upstream patch is too big; fails to work properly. (utkarsh2102) -- -apache-log4j1.2 +apache-log4j1.2 (Chris Lamb) NOTE: 20191221: Someone with more Java knowledge, please consider eol'ing this package NOTE: 20191221: as recommended for oldstable by the secteam. (sunweaver) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6d93d77c1317621c4d77689e0070bc651c68744a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6d93d77c1317621c4d77689e0070bc651c68744a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-1923{2,4}/sudo
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: df0ba219 by Salvatore Bonaccorso at 2019-12-22T10:47:31Z Add CVE-2019-1923{2,4}/sudo - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6238,11 +6238,17 @@ CVE-2019-19236 CVE-2019-19235 (AsLdrSrv.exe in ASUS ATK Package before V1.0.0061 (for Windows 10 note ...) NOT-FOR-US: ASUS CVE-2019-19234 (In Sudo through 1.8.29, the fact that a user has been blocked (e.g., b ...) - TODO: check + - sudo + [buster] - sudo (Minor issue) + [stretch] - sudo (Minor issue) + NOTE: https://www.sudo.ws/devel.html#1.8.30b2 CVE-2019-19233 RESERVED CVE-2019-19232 (In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer ...) - TODO: check + - sudo + [buster] - sudo (Minor issue) + [stretch] - sudo (Minor issue) + NOTE: https://www.sudo.ws/devel.html#1.8.30b2 CVE-2019-19231 (An insecure file access vulnerability exists in CA Client Automation 1 ...) NOT-FOR-US: CA Client Automation CVE-2019-19230 (An unsafe deserialization vulnerability exists in CA Release Automatio ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/df0ba219fcc09d0aebeaff29bec6e8c417f44e83 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/df0ba219fcc09d0aebeaff29bec6e8c417f44e83 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
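Review bot: In the @@ -6238 hunk both sudo entries replace `TODO: check` with `- sudo` plus suite markers but give neither a fixed version nor a Debian bug reference; the NOTE link targets the 1.8.30b2 beta, so unstable stays listed as vulnerable until 1.8.30 is packaged, and a bug number on the unstable line would make the `Minor issue` markers for buster and stretch traceable.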
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2019-19630/htmldoc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d463cb32 by Salvatore Bonaccorso at 2019-12-22T10:34:35Z Add fixed version for CVE-2019-19630/htmldoc - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3600,7 +3600,7 @@ CVE-2019-19631 RESERVED CVE-2019-19630 (HTMLDOC 1.9.7 allows a stack-based buffer overflow in the hd_strlcpy() ...) {DLA-2026-1} - - htmldoc (low) + - htmldoc 1.9.7-1 (low) [buster] - htmldoc (Minor issue) [stretch] - htmldoc (Minor issue) NOTE: https://github.com/michaelrsweet/htmldoc/issues/370 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d463cb32dc7d456b43b064292aec4980926e3c2d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d463cb32dc7d456b43b064292aec4980926e3c2d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
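Review bot: In the @@ -3600 hunk the fixed version 1.9.7-1 is a Debian revision of the same upstream 1.9.7 that the CVE text names as affected, so the entry only holds if the 1.9.7-1 upload carries the fix as a patch; a NOTE pointing to that patch or to the upstream fixing commit (the existing NOTE links only issue #370) would make the fixed-version claim verifiable.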