[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Holger Levsen pushed to branch master at Debian Security Tracker / security-tracker Commits: f64dc2b2 by Holger Levsen at 2020-02-17T08:35:49+01:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Holger Levsen hol...@layer-acht.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -10,7 +10,7 @@ this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- -clamav (Hugo Lefeuvre) +clamav NOTE: 20200127: waiting for 0.102.1 to enter stretch/buster. NOTE: 0.102.* introduces a fair amount of ABI changes, and the migration NOTE: does not seem very smooth from the perspective of users. The release @@ -68,7 +68,7 @@ php5 (Thorsten Alteholz) python-pysaml2 (Abhijith PA) NOTE: 2020203: test fails already for the one in archive (abhijith) -- -python-reportlab (Hugo Lefeuvre) +python-reportlab NOTE: 20200127: upstream fix was published, but potentially unsuitable. currently investigating. -- qemu (Utkarsh Gupta) @@ -89,7 +89,7 @@ ruby-rack NOTE: slight possibility of this patch inducing a backdoor on its own. (utkarsh2102) NOTE: 20200216: Discussion ongoing on -lts list. (lamby) -- -salt (Mike Gabriel) +salt NOTE: 20200118: about CVE-2019-17361... Compared to the upstream fix, there is a NOTE: 20200118: very similar code passage in salt/jessie's salt/client/api.py file. NOTE: 20200118: Needs to be checked, if that code is vulnerable or not. @@ -100,7 +100,7 @@ slurm-llnl NOTE: 20191125: up for testing https://people.debian.org/~abhijith/upload/slurm-llnl_14.03.9-5+deb8u5.dsc NOTE: Regression found. (abhijith) -- -spamassassin (Mike Gabriel) +spamassassin NOTE: 20200131: Code not checked whether it is actually vulnerable since it likely is. (ola) NOTE: 20200131: Contacted SA maintainer: https://lists.debian.org/debian-lts/2020/01/msg00076.html (sunweaver) -- @@ -128,7 +128,7 @@ wordpress NOTE: 20200118: Maybe affected, needs deeper triaging, no obvious commits NOTE: 20200118: referenced upstream. (sunweaver) -- -xcftools (Hugo Lefeuvre) +xcftools NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for review. NOTE: but I might just not receive any review any time soon, so I will now attempt to NOTE: fix the second issue and move on with the update. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f64dc2b2022bd15b223ebc2ac4291969884f66d4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f64dc2b2022bd15b223ebc2ac4291969884f66d4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d6376a02 by Salvatore Bonaccorso at 2020-02-17T06:26:39+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2020-9007 (Codoforum 4.8.8 allows self-XSS via the title of a new topic. ...) - TODO: check + NOT-FOR-US: Codoforum CVE-2020-9006 RESERVED CVE-2020-9005 @@ -19,11 +19,11 @@ CVE-2020-8999 CVE-2020-8998 RESERVED CVE-2020-8997 (Abbott FreeStyle Libre 14-day before February 2020 and FreeStyle Libre ...) - TODO: check + NOT-FOR-US: Abbott FreeStyle Libre CVE-2020-8996 (AnyShare Cloud 6.0.9 allows authenticated directory traversal to read ...) - TODO: check + NOT-FOR-US: AnyShare Cloud CVE-2019-20456 (Goverlan Reach Console before 9.50, Goverlan Reach Server before 3.50, ...) - TODO: check + NOT-FOR-US: Goverlan CVE-2020-8995 RESERVED CVE-2019-20455 (Gateways/Gateway.php in Heartland Global Payments PHP SDK before ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d6376a02321ea01d0e09497d646f24fcc3010a75 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d6376a02321ea01d0e09497d646f24fcc3010a75 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-20044/zsh
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0c04bccb by Salvatore Bonaccorso at 2020-02-17T06:23:33+01:00 Add CVE-2019-20044/zsh - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11650,8 +11650,10 @@ CVE-2019-20046 (The Synergy Systems Solutions PLC RTU system has a v NOT-FOR-US: Synergy Systems & Solutions PLC & RTU system CVE-2019-20045 (The Synergy Systems Solutions PLC RTU system has a vulnera ...) NOT-FOR-US: Synergy Systems & Solutions PLC & RTU system -CVE-2019-20044 +CVE-2019-20044 [insecure dropping of privileges when unsetting PRIVILEGED option] RESERVED + - zsh 5.8-1 (bug #951458) + NOTE: https://www.zsh.org/mla/zsh-announce/141 CVE-2019-20040 RESERVED CVE-2019-20039 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0c04bccb3d240acf4a53418d637ab731cb4f2177 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0c04bccb3d240acf4a53418d637ab731cb4f2177 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 67506d25 by Thorsten Alteholz at 2020-02-16T22:58:01+01:00 update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -58,7 +58,7 @@ netty-3.9 (Sylvain Beucler) nodejs -- opendmarc (Thorsten Alteholz) - NOTE: 20200119: still testing package, original patch does not seem to be enough, still ongoing + NOTE: 20200216: still testing package, original patch does not seem to be enough, still ongoing -- openjdk-7 (Emilio) NOTE: 20200203: waiting for icedtea release View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/67506d258dc6a030e489d6aa7e18822af2b6ed4b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/67506d258dc6a030e489d6aa7e18822af2b6ed4b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: beb8d41f by security tracker role at 2020-02-16T20:10:14+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,29 @@ +CVE-2020-9007 (Codoforum 4.8.8 allows self-XSS via the title of a new topic. ...) + TODO: check +CVE-2020-9006 + RESERVED +CVE-2020-9005 + RESERVED +CVE-2020-9004 + RESERVED +CVE-2020-9003 + RESERVED +CVE-2020-9002 + RESERVED +CVE-2020-9001 + RESERVED +CVE-2020-9000 + RESERVED +CVE-2020-8999 + RESERVED +CVE-2020-8998 + RESERVED +CVE-2020-8997 (Abbott FreeStyle Libre 14-day before February 2020 and FreeStyle Libre ...) + TODO: check +CVE-2020-8996 (AnyShare Cloud 6.0.9 allows authenticated directory traversal to read ...) + TODO: check +CVE-2019-20456 (Goverlan Reach Console before 9.50, Goverlan Reach Server before 3.50, ...) + TODO: check CVE-2020-8995 RESERVED CVE-2019-20455 (Gateways/Gateway.php in Heartland Global Payments PHP SDK before ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/beb8d41f3fb34b3a30eb144a807f854f0b29f3c6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/beb8d41f3fb34b3a30eb144a807f854f0b29f3c6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: Add and claim libpam-radius-auth
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: f84dc82a by Utkarsh Gupta at 2020-02-16T15:56:52+05:30 LTS: Add and claim libpam-radius-auth - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -43,6 +43,8 @@ libmatio (Adrian Bunk) NOTE: 20190428: older changes seem to also be required for them NOTE: 20200210: work is ongoing -- +libpam-radius-auth (Utkarsh Gupta) +-- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f84dc82afc1624c566feb7e9134535e766c1040a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f84dc82afc1624c566feb7e9134535e766c1040a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 903d8ac9 by security tracker role at 2020-02-16T08:10:19+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4877,7 +4877,7 @@ CVE-2020-6801 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-05/#CVE-2020-6801 CVE-2020-6800 RESERVED - {DSA-4620-1 DLA-2102-1} + {DSA-4625-1 DSA-4620-1 DLA-2102-1} - firefox 73.0-1 - firefox-esr 68.5.0esr-1 - thunderbird 1:68.5.0-1 @@ -4892,7 +4892,7 @@ CVE-2020-6799 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-06/#CVE-2020-6799 CVE-2020-6798 RESERVED - {DSA-4620-1 DLA-2102-1} + {DSA-4625-1 DSA-4620-1 DLA-2102-1} - firefox 73.0-1 - firefox-esr 68.5.0esr-1 - thunderbird 1:68.5.0-1 @@ -4916,18 +4916,22 @@ CVE-2020-6796 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-06/#CVE-2020-6796 CVE-2020-6795 RESERVED + {DSA-4625-1} - thunderbird 1:68.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-07/#CVE-2020-6795 CVE-2020-6794 RESERVED + {DSA-4625-1} - thunderbird 1:68.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-07/#CVE-2020-6794 CVE-2020-6793 RESERVED + {DSA-4625-1} - thunderbird 1:68.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-07/#CVE-2020-6793 CVE-2020-6792 RESERVED + {DSA-4625-1} - thunderbird 1:68.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-07/#CVE-2020-6792 CVE-2020-6791 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/903d8ac9c358524dec971d302d0e6cd62990cbe0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/903d8ac9c358524dec971d302d0e6cd62990cbe0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits