[Git][security-tracker-team/security-tracker][master] Add CVE-2020-1752/glibc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8e3c031e by Salvatore Bonaccorso at 2020-03-07T08:54:02+01:00 Add CVE-2020-1752/glibc - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20812,8 +20812,11 @@ CVE-2020-1754 RESERVED CVE-2020-1753 RESERVED -CVE-2020-1752 +CVE-2020-1752 [use-after-free in glob() function when expanding ~user] RESERVED + - glibc + NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25414 + NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c CVE-2020-1751 [array overflow in backtrace on powerpc] RESERVED - glibc View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e3c031e183f608c1fbf1c208093ff0f9ef127e7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e3c031e183f608c1fbf1c208093ff0f9ef127e7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
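Review bot: the new `- glibc` line for CVE-2020-1752 carries no fixed version, bug reference or per-release triage, whereas the companion commit f073b1a2 for CVE-2020-1751 recorded `[buster]`/`[stretch]` assessments in the same region of the file. Since the fix commit ddc650e9b3dc916eab417ce9f79e67337b05035c is already referenced, either add the unstable version once it ships or add the release lines, otherwise the entry sits as unassessed-vulnerable in every suite.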
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-1751/glibc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f073b1a2 by Salvatore Bonaccorso at 2020-03-07T08:50:14+01:00 Add CVE-202-1751/glibc - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20814,8 +20814,13 @@ CVE-2020-1753 RESERVED CVE-2020-1752 RESERVED -CVE-2020-1751 +CVE-2020-1751 [array overflow in backtrace on powerpc] RESERVED + - glibc + [buster] - glibc (Minor issue) + [stretch] - glibc (Minor issue) + NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25423 + NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d93769405996dfc11d216ddbe415946617b5a494 CVE-2020-1750 RESERVED CVE-2020-1749 [net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f073b1a225e9f6b5009445daf283d9c4ca3bdece -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f073b1a225e9f6b5009445daf283d9c4ca3bdece You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
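Review bot: the commit subject reads `CVE-202-1751`, dropping a digit from CVE-2020-1751; the entry itself is correct, but the typo makes the commit hard to find by CVE id in the log. The hunk is otherwise consistent: `[buster]`/`[stretch]` marked `Minor issue`, upstream bug 25423 and fix commit d93769405996dfc11d216ddbe415946617b5a494 referenced, and the bracketed summary (`array overflow in backtrace on powerpc`) matches the fix.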
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-7212/python-urllib3
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d3558372 by Salvatore Bonaccorso at 2020-03-07T08:19:21+01:00 Add CVE-2020-7212/python-urllib3 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6682,8 +6682,15 @@ CVE-2020-7214 RESERVED CVE-2020-7213 (Parallels 13 uses cleartext HTTP as part of the update process, allowi ...) NOT-FOR-US: Parallels -CVE-2020-7212 +CVE-2020-7212 [denial of service (CPU consumption) because of inefficient algorithm in _encode_invalid_chars function] RESERVED + - python-urllib3 + [buster] - python-urllib3 (Vulnerable code introduced later) + [stretch] - python-urllib3 (Vulnerable code introduced later) + [jessie] - python-urllib3 (Vulnerable code introduced later) + NOTE: https://github.com/urllib3/urllib3/pull/1787 + NOTE: Introduced by: https://github.com/urllib3/urllib3/commit/a74c9cfbaed9f811e7563cfc3dce894928e0221a (1.25.2) + NOTE: Fixed by: https://github.com/urllib3/urllib3/commit/a2697e7c6b275f05879b60f593c5854a816489f0 (1.25.8) CVE-2020-7211 (tftp.c in libslirp 4.1.0, as used in QEMU 4.2.0, does not prevent ..\ ...) - libslirp (unimportant) NOTE: https://bugs.launchpad.net/qemu/+bug/1812451 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d35583723f309a0255eb3b510a18e2c3ee1002f3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d35583723f309a0255eb3b510a18e2c3ee1002f3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
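Review bot: the `Vulnerable code introduced later` triage for jessie, stretch and buster rests on the `Introduced by ... (1.25.2)` note, but the entry does not record which urllib3 version each of those suites ships, so a reader cannot confirm from the entry alone that all three predate 1.25.2; a short NOTE with the shipped versions would make the not-affected reasoning auditable. Also, `- python-urllib3` has no fixed version yet even though the fix is pinned to 1.25.8; fill it in when that version (or a patched one) enters unstable.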
[Git][security-tracker-team/security-tracker][master] Add fixed version for pyyaml, CVE-2020-1747
Scott Kitterman pushed to branch master at Debian Security Tracker / security-tracker Commits: 547cb423 by Scott Kitterman at 2020-03-06T22:08:44-05:00 Add fixed version for pyyaml, CVE-2020-1747 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20819,7 +20819,7 @@ CVE-2020-1748 RESERVED CVE-2020-1747 [arbitrary command execution through python/object/new when FullLoader is used] RESERVED - - pyyaml (bug #953013) + - pyyaml 5.3-2 (bug #953013) [buster] - pyyaml (Loader/Constructor classes are unsafe in this version) [stretch] - pyyaml (Loader/Constructor classes are unsafe in this version) [jessie] - pyyaml (Loader/Constructor classes are unsafe in this version) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/547cb423032a8c8b8071b8946613526636108f0a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/547cb423032a8c8b8071b8946613526636108f0a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
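Review bot: with `pyyaml 5.3-2` now recorded as the fixed unstable version, the three release lines still read `(Loader/Constructor classes are unsafe in this version)`, which explains why the vulnerable classes exist but not what the suites' disposition is; as rendered here there is no status marker between the package name and the parenthesised reason, so check that the committed lines carry the intended one, otherwise buster, stretch and jessie will be reported as plainly vulnerable with no plan.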
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-10188/netkit-telnet
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3a2f3b9a by Salvatore Bonaccorso at 2020-03-06T23:28:45+01:00 Add CVE-2020-10188/netkit-telnet - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7,7 +7,10 @@ CVE-2020-10190 CVE-2020-10189 (Zoho ManageEngine Desktop Central 10 allows remote code execution beca ...) NOT-FOR-US: Zoho ManageEngine CVE-2020-10188 (utility.c in telnetd in netkit telnet through 0.17 allows remote attac ...) - TODO: check + - netkit-telnet + - netkit-telnet-ssl + NOTE: https://appgateresearch.blogspot.com/2020/02/bravestarr-fedora-31-netkit-telnetd_28.html + TODO: check further details CVE-2019-20503 (usrsctp before 2019-12-20 has out-of-bounds reads in sctp_load_address ...) - libusrsctp (bug #953270) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1992 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a2f3b9abf7344a42a3528443b544190fe6518c0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a2f3b9abf7344a42a3528443b544190fe6518c0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
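Review bot: both `- netkit-telnet` and `- netkit-telnet-ssl` are added without a fixed version, bug reference or severity, and the only reference is the researcher's blog post rather than an upstream fix. Since the CVE text says `allows remote attac...`, the open `TODO: check further details` should resolve to a bug number and a patch reference, and the netkit-telnet-ssl line should say whether it carries the same utility.c code.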
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-10174/timeshift
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 440c534b by Salvatore Bonaccorso at 2020-03-06T23:04:28+01:00 Add CVE-2020-10174/timeshift - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -46,7 +46,10 @@ CVE-2020-10176 CVE-2020-10175 RESERVED CVE-2020-10174 (init_tmp in TeeJee.FileSystem.vala in Timeshift before 20.03 unsafely ...) - TODO: check + - timeshift + NOTE: https://www.openwall.com/lists/oss-security/2020/03/06/3 + NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1165802 + NOTE: https://github.com/teejee2008/timeshift/commit/335b3d5398079278b8f7094c77bfd148b315b462 CVE-2020-10173 (Comtrend VR-3033 DE11-416SSG-C01_R02.A2pvI042j1.d26m devices have Mult ...) NOT-FOR-US: Comtrend VR-3033 DE11-416SSG-C01_R02.A2pvI042j1.d26m devices CVE-2020-10172 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/440c534b75056b24071fe515fb50f7d6e79e9943 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/440c534b75056b24071fe515fb50f7d6e79e9943 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
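Review bot: `- timeshift` is added with the upstream fix commit (335b3d5398079278b8f7094c77bfd148b315b462) but no Debian bug reference or fixed version, and no suite lines; file or reference a bug so the maintainer is notified, and add the suite assessments as applicable once the severity of the init_tmp issue is decided.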
[Git][security-tracker-team/security-tracker][master] Update note for CVE-2020-0040
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ad54e2b5 by Salvatore Bonaccorso at 2020-03-06T22:10:11+01:00 Update note for CVE-2020-0040 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27399,7 +27399,7 @@ CVE-2020-0041 NOTE: https://git.kernel.org/linus/16981742717b04644a41052570fb502682a315d2 CVE-2020-0040 RESERVED - NOTE: Duplicate of CVE-2019-15239, should be rejected + NOTE: Duplicate of CVE-2019-15239, will be rejected CVE-2020-0039 RESERVED NOT-FOR-US: Android View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad54e2b5e33c820b8baa9d94e4d0da5b54d5b7a5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad54e2b5e33c820b8baa9d94e4d0da5b54d5b7a5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
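Review bot: the wording change (`should be rejected` to `will be rejected`) is fine, but once MITRE publishes the rejection the `RESERVED` line should be switched to `REJECTED`, as the automatic update did for CVE-2020-7975 in 84a1ef86; keeping the duplicate-of note alongside lets the cross-reference to CVE-2019-15239 survive that switch.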
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-20503/libusrsctp
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 280c95e0 by Salvatore Bonaccorso at 2020-03-06T21:52:09+01:00 Add Debian bug reference for CVE-2019-20503/libusrsctp - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9,7 +9,7 @@ CVE-2020-10189 (Zoho ManageEngine Desktop Central 10 allows remote code executio CVE-2020-10188 (utility.c in telnetd in netkit telnet through 0.17 allows remote attac ...) TODO: check CVE-2019-20503 (usrsctp before 2019-12-20 has out-of-bounds reads in sctp_load_address ...) - - libusrsctp + - libusrsctp (bug #953270) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1992 NOTE: https://github.com/sctplab/usrsctp/commit/790a7a2555aefb392a5a69923f1e9d17b4968467 TODO: check, other sources firefox, firefox-esr, thunderbird and chromium ebed the library View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/280c95e0c3951178ebef1634eab47384bd18dc73 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/280c95e0c3951178ebef1634eab47384bd18dc73 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
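Review bot: the bug reference `(bug #953270)` is the only change, and the line `TODO: check, other sources firefox, firefox-esr, thunderbird and chromium ebed the library` is kept as is, including the `ebed` typo for `embed`; since the TODO itself says those browsers embed usrsctp, it should turn into separate package lines or a note on how each copy is handled rather than stay open.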
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-20503/libusrsctp
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c99d669 by Salvatore Bonaccorso at 2020-03-06T21:26:38+01:00 Add CVE-2019-20503/libusrsctp - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9,7 +9,10 @@ CVE-2020-10189 (Zoho ManageEngine Desktop Central 10 allows remote code executio CVE-2020-10188 (utility.c in telnetd in netkit telnet through 0.17 allows remote attac ...) TODO: check CVE-2019-20503 (usrsctp before 2019-12-20 has out-of-bounds reads in sctp_load_address ...) - TODO: check + - libusrsctp + NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1992 + NOTE: https://github.com/sctplab/usrsctp/commit/790a7a2555aefb392a5a69923f1e9d17b4968467 + TODO: check, other sources firefox, firefox-esr, thunderbird and chromium ebed the library CVE-2020-10187 RESERVED CVE-2020-10186 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c99d669de1506c1717d903bfc811f51f796c076 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c99d669de1506c1717d903bfc811f51f796c076 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
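Review bot: `- libusrsctp` is added without a bug reference (supplied afterwards in 280c95e0), and the TODO line spells `embed` as `ebed`. The two NOTEs (Project Zero issue 1992 and upstream commit 790a7a2555aefb392a5a69923f1e9d17b4968467) are the right anchors, but the commit date should be checked against the `before 2019-12-20` wording in the CVE text so the fixed-version boundary is unambiguous.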
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7f5573a3 by Salvatore Bonaccorso at 2020-03-06T21:20:12+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,7 +5,7 @@ CVE-2020-10191 CVE-2020-10190 RESERVED CVE-2020-10189 (Zoho ManageEngine Desktop Central 10 allows remote code execution beca ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine CVE-2020-10188 (utility.c in telnetd in netkit telnet through 0.17 allows remote attac ...) TODO: check CVE-2019-20503 (usrsctp before 2019-12-20 has out-of-bounds reads in sctp_load_address ...) 
@@ -1538,15 +1538,15 @@ CVE-2020-9460 CVE-2020-9459 (Multiple Stored Cross-site scripting (XSS) vulnerabilities in the Webn ...) NOT-FOR-US: Webnus Modern Events Calendar Lite plugin for WordPress CVE-2020-9458 (In the RegistrationMagic plugin through 4.6.0.3 for WordPress, the exp ...) - TODO: check + NOT-FOR-US: RegistrationMagic plugin for WordPress CVE-2020-9457 (The RegistrationMagic plugin through 4.6.0.3 for WordPress allows remo ...) - TODO: check + NOT-FOR-US: RegistrationMagic plugin for WordPress CVE-2020-9456 (In the RegistrationMagic plugin through 4.6.0.3 for WordPress, the use ...) - TODO: check + NOT-FOR-US: RegistrationMagic plugin for WordPress CVE-2020-9455 (The RegistrationMagic plugin through 4.6.0.3 for WordPress allows remo ...) - TODO: check + NOT-FOR-US: RegistrationMagic plugin for WordPress CVE-2020-9454 (A CSRF vulnerability in the RegistrationMagic plugin through 4.6.0.3 f ...) - TODO: check + NOT-FOR-US: RegistrationMagic plugin for WordPress CVE-2020-9453 RESERVED CVE-2020-9452 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f5573a3764cc3019a7829fdd843ce8fd7174ed1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f5573a3764cc3019a7829fdd843ce8fd7174ed1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 84a1ef86 by security tracker role at 2020-03-06T20:10:25+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,15 @@ +CVE-2020-10192 + RESERVED +CVE-2020-10191 + RESERVED +CVE-2020-10190 + RESERVED +CVE-2020-10189 (Zoho ManageEngine Desktop Central 10 allows remote code execution beca ...) + TODO: check +CVE-2020-10188 (utility.c in telnetd in netkit telnet through 0.17 allows remote attac ...) + TODO: check +CVE-2019-20503 (usrsctp before 2019-12-20 has out-of-bounds reads in sctp_load_address ...) + TODO: check CVE-2020-10187 RESERVED CVE-2020-10186 @@ -898,8 +910,8 @@ CVE-2020-9758 RESERVED CVE-2020-9757 (The Seomatic component before 3.2.46 for Craft CMS allows Server-Side ...) NOT-FOR-US: Seomatic component for Craft CMS -CVE-2020-9756 - RESERVED +CVE-2020-9756 (Patriot Viper RGB Driver 1.1 and prior exposes IOCTL and allows insuff ...) + TODO: check CVE-2020-9755 RESERVED CVE-2020-9754 @@ -1371,10 +1383,10 @@ CVE-2020-9533 RESERVED CVE-2020-9532 RESERVED -CVE-2020-9531 - RESERVED -CVE-2020-9530 - RESERVED +CVE-2020-9531 (An issue was discovered on Xiaomi MIUI V11.0.5.0.QFAEUXM devices. In t ...) + TODO: check +CVE-2020-9530 (An issue was discovered on Xiaomi MIUI V11.0.5.0.QFAEUXM devices. The ...) + TODO: check CVE-2020-9529 RESERVED CVE-2020-9528 
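Review bot: the CVE-2020-8991 description now begins `** DISPUTED **`, but the entry still records `lvm2 2.03.01-2` as fixed and `Minor issue` for stretch and jessie without saying what is disputed; add a NOTE with the reason (or a link) so the dispute is visible to anyone reading the tracker, and revisit whether the stretch/jessie lines should say the issue is not considered a vulnerability.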
@@ -1525,16 +1537,16 @@ CVE-2020-9460 RESERVED CVE-2020-9459 (Multiple Stored Cross-site scripting (XSS) vulnerabilities in the Webn ...) NOT-FOR-US: Webnus Modern Events Calendar Lite plugin for WordPress -CVE-2020-9458 - RESERVED -CVE-2020-9457 - RESERVED -CVE-2020-9456 - RESERVED -CVE-2020-9455 - RESERVED -CVE-2020-9454 - RESERVED +CVE-2020-9458 (In the RegistrationMagic plugin through 4.6.0.3 for WordPress, the exp ...) + TODO: check +CVE-2020-9457 (The RegistrationMagic plugin through 4.6.0.3 for WordPress allows remo ...) + TODO: check +CVE-2020-9456 (In the RegistrationMagic plugin through 4.6.0.3 for WordPress, the use ...) + TODO: check +CVE-2020-9455 (The RegistrationMagic plugin through 4.6.0.3 for WordPress allows remo ...) + TODO: check +CVE-2020-9454 (A CSRF vulnerability in the RegistrationMagic plugin through 4.6.0.3 f ...) + TODO: check CVE-2020-9453 RESERVED CVE-2020-9452 @@ -2654,7 +2666,7 @@ CVE-2020-8993 CVE-2020-8992 (ext4_protect_reserved_inode in fs/ext4/block_validity.c in the Linux k ...) - linux NOTE: https://patchwork.ozlabs.org/patch/1236118/ -CVE-2020-8991 (vg_lookup in daemons/lvmetad/lvmetad-core.c in LVM2 2.02 mismanages me ...) +CVE-2020-8991 (** DISPUTED ** vg_lookup in daemons/lvmetad/lvmetad-core.c in LVM2 2.0 ...) - lvm2 2.03.01-2 [stretch] - lvm2 (Minor issue) [jessie] - lvm2 (Minor issue) @@ -4588,8 +4600,7 @@ CVE-2020-8115 (A reflected XSS vulnerability has been discovered in the publicly CVE-2020-8114 (GitLab EE 8.9 and later through 12.7.2 has Insecure Permission ...) - gitlab NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/ -CVE-2020-8113 - RESERVED +CVE-2020-8113 (GitLab 10.7 and later through 12.7.2 has Incorrect Access Control. ...) - gitlab NOTE: https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/ CVE-2020-8112 (opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1 through ...) 
@@ -4941,7 +4952,7 @@ CVE-2020-7976 (GitLab EE 12.4 and later through 12.7.2 has Incorrect Access Cont - gitlab (Only affects Gitlab EE 12.4 and later) NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/ CVE-2020-7975 - RESERVED + REJECTED CVE-2020-7974 (GitLab EE 10.1 through 12.7.2 allows Information Disclosure. ...) - gitlab (Only affects Gitlab EE 10.1 and later) NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/84a1ef86eada2111c5a7c1ab16fa5a3fa278ab8b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/84a1ef86eada2111c5a7c1ab16fa5a3fa278ab8b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] chromium fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8dfcfa0f by Moritz Muehlenhoff at 2020-03-06T19:59:40+01:00 chromium fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8456,7 +8456,7 @@ CVE-2020-6421 RESERVED CVE-2020-6420 RESERVED - - chromium + - chromium 80.0.3987.132-1 [stretch] - chromium (see DSA 4562) CVE-2020-6419 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8dfcfa0fcab5aa2386f82ea6c143a460a5772e59 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8dfcfa0fcab5aa2386f82ea6c143a460a5772e59 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
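Review bot: `chromium 80.0.3987.132-1` is recorded as the fix while CVE-2020-6420 remains `RESERVED`, which is fine for an undisclosed description, but `[stretch] - chromium (see DSA 4562)` is a comment rather than a `{DSA-...}` fix marker, so stretch's status is not settled by this change; as rendered there is no status marker before the parenthesis, so confirm the committed line carries one, otherwise stretch shows as open.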
[Git][security-tracker-team/security-tracker][master] add commit refs for yubikey-val
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 70f30597 by Moritz Muehlenhoff at 2020-03-06T19:51:04+01:00 add commit refs for yubikey-val imagemagick triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,9 +5,11 @@ CVE-2020-10186 CVE-2020-10185 (The sync endpoint in YubiKey Validation Server before 2.40 allows remo ...) - yubikey-val NOTE: https://www.yubico.com/support/security-advisories/ysa-2020-01/ + NOTE: https://github.com/Yubico/yubikey-val/commit/d0e4db3245deb5ce0c8d7d26069c78071a140286 CVE-2020-10184 (The verify endpoint in YubiKey Validation Server before 2.40 does not ...) - yubikey-val NOTE: https://www.yubico.com/support/security-advisories/ysa-2020-01/ + NOTE: https://github.com/Yubico/yubikey-val/commit/d0e4db3245deb5ce0c8d7d26069c78071a140286 CVE-2020-10183 RESERVED CVE-2020-10182 @@ -35963,6 +35965,8 @@ CVE-2019-15140 (coders/mat.c in ImageMagick 7.0.8-43 Q16 allows remote attackers CVE-2019-15139 (The XWD image (X Window System window dumping file) parsing component ...) {DLA-1968-1} - imagemagick (bug #941670) + [buster] - imagemagick (Minor issue) + [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/commit/c78993d138bf480ab4652b5a48379d4ff75ba5f7 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/6d46f0a046a58e7c4567a86ba1b9cb847d5b1968 NOTE: ImageMagick6: followup, partly reverts previous patch: 
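Review bot: the same upstream commit d0e4db3245deb5ce0c8d7d26069c78071a140286 is attached to both CVE-2020-10185 and CVE-2020-10184, which is plausible for one advisory (YSA-2020-01) but leaves neither entry saying which part of that commit addresses which issue; a word in each NOTE (sync endpoint vs verify endpoint) would help the backporter, and the `- yubikey-val` lines still lack a fixed version or bug number. For CVE-2019-15139 the new `[buster]`/`[stretch]` `Minor issue` lines sit beside `{DLA-1968-1}`, so jessie got a fix while buster and stretch are deferred; legitimate, but worth a one-line reason.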
@@ -36541,6 +36545,8 @@ CVE-2019-14982 (In Exiv2 before v0.27.2, there is an integer overflow vulnerabil CVE-2019-14981 (In ImageMagick 7.x before 7.0.8-41 and 6.x before 6.9.10-41, there is ...) {DLA-1968-1} - imagemagick + [buster] - imagemagick (Minor issue) + [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1552 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/b522d2d857d2f75b659936b59b0da9df1682c256 CVE-2019-14980 (In ImageMagick 7.x before 7.0.8-42 and 6.x before 6.9.10-42, there is ...) @@ -43016,6 +43022,8 @@ CVE-2019-13309 (ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory NOTE: https://github.com/ImageMagick/ImageMagick6/commit/5982632109cad48bc6dab867298fdea4dea57c51 CVE-2019-13308 (ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow in MagickCor ...) - imagemagick (bug #931447) + [buster] - imagemagick (Needs further clarification on patch) + [stretch] - imagemagick (Needs further clarification on patch) [jessie] - imagemagick (minor, wait for upstream to clear patch-related questions) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1595 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/19651f3db63fa1511ed83a348c4c82fa553f8d01 
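Review bot: CVE-2019-13308's new buster/stretch lines say `Needs further clarification on patch`, matching the jessie note `wait for upstream to clear patch-related questions`; since all three suites are now parked on the same question, add a NOTE pointing to where that question was raised (issue 1595 is linked, but the open point is not stated) so the next triager does not have to rediscover it. CVE-2019-14981 gets `Minor issue` beside `{DLA-1968-1}`, the same pattern as CVE-2019-15139 above.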
@@ -43984,11 +43992,15 @@ CVE-2019-12980 (In Ming (aka libming) 0.4.8, there is an integer overflow (cause NOTE: https://github.com/libming/libming/pull/179/commits/2223f7a1e431455a1411bee77c90db94a6f8e8fe CVE-2019-12979 (ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability ...) - imagemagick (bug #931189) + [buster] - imagemagick (Minor issue) + [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (minor security impact) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1522 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/27b1c74979ac473a430e266ff6c4b645664bc805 CVE-2019-12978 (ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability ...) - - imagemagick (bug #931190) + - imagemagick (low; bug #931190) + [buster] - imagemagick (Minor issue) + [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (minor security impact) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1519 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/ae1ded6140bfa8ae9f6dcba5413b72d98ed94614 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/70f305972a917bf1a6b70bee7ad757facfdd16ce -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/70f305972a917bf1a6b70bee7ad757facfdd16ce You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
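Review bot: CVE-2019-12978 gains an inline severity, `(low; bug #931190)`, but CVE-2019-12979 in the same hunk, which the descriptions show is the same class of bug (`use of uninitialized value`) with identical triage (`Minor issue` for buster and stretch, `minor security impact` for jessie), keeps `(bug #931189)` with no severity; either both should be `low` or the difference should be stated.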
[Git][security-tracker-team/security-tracker][master] new yubikey-val issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a53f32aa by Moritz Muehlenhoff at 2020-03-06T17:27:54+01:00 new yubikey-val issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,9 +3,11 @@ CVE-2020-10187 CVE-2020-10186 RESERVED CVE-2020-10185 (The sync endpoint in YubiKey Validation Server before 2.40 allows remo ...) - TODO: check + - yubikey-val + NOTE: https://www.yubico.com/support/security-advisories/ysa-2020-01/ CVE-2020-10184 (The verify endpoint in YubiKey Validation Server before 2.40 does not ...) - TODO: check + - yubikey-val + NOTE: https://www.yubico.com/support/security-advisories/ysa-2020-01/ CVE-2020-10183 RESERVED CVE-2020-10182 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a53f32aa1229d3a8847a16ce4fcc8d09f76fd41c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a53f32aa1229d3a8847a16ce4fcc8d09f76fd41c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
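Review bot: both yubikey-val entries are added with only the advisory link and no fixed version, bug reference or suite lines; the CVE texts say `before 2.40`, so the fixed upstream version is known and a bug against the package (or the unstable version once 2.40 is packaged) should follow. The upstream commit reference was added afterwards in 70f30597.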
[Git][security-tracker-team/security-tracker][master] CVE-2019-6438,CVE-2019-12838/slurm-llnl: reference patches, precise triage
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: cad2d9f9 by Sylvain Beucler at 2020-03-06T14:13:32+01:00 CVE-2019-6438,CVE-2019-12838/slurm-llnl: reference patches, precise triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -44390,6 +44390,7 @@ CVE-2019-12838 (SchedMD Slurm 17.11.x, 18.08.0 through 18.08.7, and 19.05.0 allo [jessie] - slurm-llnl (Too intrusive to backport) NOTE: https://github.com/SchedMD/slurm/commit/afa7d743f407c60a7c8a4bd98a10be32c82988b5 NOTE: https://lists.schedmd.com/pipermail/slurm-announce/2019/25.html + NOTE: https://people.debian.org/~abhijith/upload/slurm-llnl_14.03.9-5+deb8u5.debian.tar.xz (backport) CVE-2019-12837 (The Java API in accesuniversitat.gencat.cat 1.7.5 allows remote attack ...) NOT-FOR-US: Java API in Generalitat de Catalunya accesuniversitat.gencat.cat CVE-2019-12836 (The Bobronix JEditor editor before 3.0.6 for Jira allows an attacker t ...) 
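Review bot: a `(backport)` link to slurm-llnl_14.03.9-5+deb8u5.debian.tar.xz is added under CVE-2019-12838 while the jessie line above it still reads `Too intrusive to backport`; if the tarball is a working backport the jessie triage should change (and a DLA reference follow), and if it is a work-in-progress or an abandoned attempt the NOTE should say so, otherwise the two lines contradict each other.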
@@ -62790,9 +62791,11 @@ CVE-2019-6439 (examples/benchmark/tls_bench.c in a benchmark tool in wolfSSL thr CVE-2019-6438 (SchedMD Slurm before 17.11.13 and 18.x before 18.08.5 mishandles 32-bi ...) - slurm-llnl 18.08.5.2-1 (low; bug #920997) [stretch] - slurm-llnl 16.05.9-1+deb9u3 - [jessie] - slurm-llnl (Minor issue) + [jessie] - slurm-llnl (Minor issue, 32-bit only) NOTE: https://www.schedmd.com/news.php?id=213 NOTE: https://lists.schedmd.com/pipermail/slurm-announce/2019/18.html + NOTE: https://github.com/SchedMD/slurm/commit/750cc23edcc6fddfff21d33bdaf4fb7deb28cfda + NOTE: https://github.com/SchedMD/slurm/commit/a8159065d1a57d6eadf802efa6837ebf4e56f671 CVE-2019-6437 RESERVED CVE-2019-6436 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cad2d9f93751cd837396320a5b5b93c38c73b9ba -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cad2d9f93751cd837396320a5b5b93c38c73b9ba You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
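Review bot: the jessie reason is sharpened to `Minor issue, 32-bit only`, consistent with the CVE text (`mishandles 32-bi...`), and two upstream commits are added; since the CVE spans two branches (`before 17.11.13` and `18.x before 18.08.5`), a word on which commit is the 17.11 fix and which the 18.08 one would save the next backporter a lookup.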
[Git][security-tracker-team/security-tracker][master] Add one Apache OFBiz NFU entry
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ac5a3055 by Salvatore Bonaccorso at 2020-03-06T14:12:05+01:00 Add one Apache OFBiz NFU entry - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20001,6 +20001,7 @@ CVE-2020-1944 RESERVED CVE-2020-1943 RESERVED + NOT-FOR-US: Apache OFBiz CVE-2020-1942 (In Apache NiFi 0.0.1 to 1.11.0, the flow fingerprint factory generated ...) NOT-FOR-US: Apache NiFi CVE-2020-1941 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac5a30553ad1bfd7bf09e9b36c9e5d7a22d337d9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac5a30553ad1bfd7bf09e9b36c9e5d7a22d337d9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
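Review bot: `NOT-FOR-US: Apache OFBiz` is recorded under a still-`RESERVED` entry with no public description; that is fine if the product is known from the advisory, but the automatic update will later populate the description line, so check that the NFU line survives that merge and that the CVE is indeed OFBiz-only.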
[Git][security-tracker-team/security-tracker][master] dla: claim xerces-c, update status
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 0e623c53 by Sylvain Beucler at 2020-03-06T13:42:47+01:00 dla: claim xerces-c, update status - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -100,8 +100,6 @@ xen (Roberto C. Sánchez) NOTE: 20200302: xen 4.4 EOL'd, needs public announcement (roberto) NOTE: 20200302: https://lists.debian.org/debian-lts/2020/03/msg00024.html -- -xerces-c - NOTE: 20191231: There is no upstream patch yet. (apo) - NOTE: 20200118: There is still no upstream patch. (lamby) - NOTE: 20200210: working on a patch, see ML (hle) +xerces-c (Sylvain Beucler) + NOTE: 20200306: no sanctionned patch, pinging upstream (beuc) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e623c53befcd1ed7f1f58a21c919cbb8f1ef80a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e623c53befcd1ed7f1f58a21c919cbb8f1ef80a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
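Review bot: claiming xerces-c replaces the three dated notes (apo 20191231, lamby 20200118, hle 20200210 `working on a patch, see ML`) with a single line, which loses the pointer to hle's in-progress patch on the list; keep that note, or reference the thread in the new one, so the new claimant and hle do not duplicate work. Nit: `sanctionned` should be `sanctioned`.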
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 61ec016d by security tracker role at 2020-03-06T08:10:14+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,19 @@ +CVE-2020-10187 + RESERVED +CVE-2020-10186 + RESERVED +CVE-2020-10185 (The sync endpoint in YubiKey Validation Server before 2.40 allows remo ...) + TODO: check +CVE-2020-10184 (The verify endpoint in YubiKey Validation Server before 2.40 does not ...) + TODO: check +CVE-2020-10183 + RESERVED +CVE-2020-10182 + RESERVED +CVE-2020-10181 + RESERVED +CVE-2019-20502 (An issue was discovered in EFS Easy Chat Server 3.1. There is a buffer ...) + TODO: check CVE-2020-10180 (The ESET AV parsing engine allows virus-detection bypass via a crafted ...) NOT-FOR-US: ESET AV parsing engine CVE-2020-10179 @@ -1306,16 +1322,19 @@ CVE-2020-9549 (In PDFResurrect 0.12 through 0.19, get_type in pdf.c has an out-o NOTE: https://github.com/enferex/pdfresurrect/issues/8 NOTE: Crash in CLI tool, no security impact CVE-2020-9548 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) + {DLA-2135-1} - jackson-databind NOTE: https://github.com/FasterXML/jackson-databind/issues/2634 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by NOTE: but still an issue when Default Typing is enabled. CVE-2020-9547 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) + {DLA-2135-1} - jackson-databind NOTE: https://github.com/FasterXML/jackson-databind/issues/2634 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by NOTE: but still an issue when Default Typing is enabled. CVE-2020-9546 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) + {DLA-2135-1} - jackson-databind NOTE: https://github.com/FasterXML/jackson-databind/issues/2631 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by 
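Review bot: `{DLA-2135-1}` is added to CVE-2020-9546, CVE-2020-9547 and CVE-2020-9548 while `- jackson-databind` still has no fixed unstable version on any of the three; and the NOTE carried on each (`Starting from 2.10 series mitigated as Safe Default Typing is enabled by` / `but still an issue when Default Typing is enabled`) reads as a cut sentence, so it is worth finishing on a later manual pass.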
@@ -7176,8 +7195,8 @@ CVE-2020-6988 RESERVED CVE-2020-6987 RESERVED -CVE-2020-6986 - RESERVED +CVE-2020-6986 (In all versions of Omron PLC CJ Series, an attacker can send a series ...) + TODO: check CVE-2020-6985 RESERVED CVE-2020-6984 @@ -7206,8 +7225,8 @@ CVE-2020-6973 (Digi International ConnectPort LTS 32 MEI, Firmware Version 1.4.3 NOT-FOR-US: Digi International ConnectPort LTS 32 MEI CVE-2020-6972 RESERVED -CVE-2020-6971 - RESERVED +CVE-2020-6971 (In Emerson ValveLink v12.0.264 to v13.4.118, a vulnerability in the Va ...) + TODO: check CVE-2020-6970 (A Heap-based Buffer Overflow was found in Emerson OpenEnterprise SCADA ...) NOT-FOR-US: Emerson OpenEnterprise SCADA Server CVE-2020-6969 (It is possible to unmask credentials and other sensitive information o ...) @@ -9438,8 +9457,8 @@ CVE-2020-5959 RESERVED CVE-2020-5958 RESERVED -CVE-2020-5957 - RESERVED +CVE-2020-5957 (NVIDIA Windows GPU Display Driver, all versions, contains a vulnerabil ...) + TODO: check CVE-2019-20358 (Trend Micro Anti-Threat Toolkit (ATTK) versions 1.62.0.1218 and below ...) NOT-FOR-US: Trend Micro CVE-2019-20357 (A Persistent Arbitrary Code Execution vulnerability exists in the Tren ...) 
@@ -28545,10 +28564,10 @@ CVE-2019-17649 RESERVED CVE-2019-17648 RESERVED -CVE-2019-17647 - RESERVED -CVE-2019-17646 - RESERVED +CVE-2019-17647 (An issue was discovered in Centreon before 2.8.30, 18.10.8, 19.04.5, a ...) + TODO: check +CVE-2019-17646 (An issue was discovered in Centreon before 18.10.8, 19.04.5, and 19.10 ...) + TODO: check CVE-2019-17645 (An issue was discovered in Centreon before 2.8.31, 18.10.9, 19.04.6, a ...) - centreon-web (bug #913903) CVE-2019-17644 (An issue was discovered in Centreon before 2.8-30, 18.10-8, 19.04-5, a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61ec016d611b8ec64cd8ebbbae5f948a2785985e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61ec016d611b8ec64cd8ebbbae5f948a2785985e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
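Review bot: CVE-2019-17647 and CVE-2019-17646 land as `TODO: check` right above CVE-2019-17645, which is already assigned to `centreon-web (bug #913903)` with a near-identical description (`An issue was discovered in Centreon before ...`); the triage is likely the same package, so these two can be resolved together with the existing bug reference rather than waiting on a separate pass.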