[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2020-9549/pdfresurrect via unstable

2020-03-18 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cc9163cc by Salvatore Bonaccorso at 2020-03-19T06:21:17+01:00
Add fixed version for CVE-2020-9549/pdfresurrect via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2425,7 +2425,7 @@ CVE-2020-9550 (Rubetek SmartHome 2020 devices use 
unencrypted 433 MHz communicat
NOT-FOR-US: Rubetek SmartHome 2020 devices
 CVE-2020-9549 (In PDFResurrect 0.12 through 0.19, get_type in pdf.c has an 
out-of-bou ...)
{DLA-2134-1}
-   - pdfresurrect  (unimportant; bug #952948)
+   - pdfresurrect 0.20-1 (unimportant; bug #952948)
NOTE: https://github.com/enferex/pdfresurrect/issues/8
NOTE: Crash in CLI tool, no security impact
 CVE-2020-9548 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the 
interact ...)
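Review bot: the NOTE "Crash in CLI tool, no security impact" sits directly under the {DLA-2134-1} reference, so the entry records both a shipped jessie security update and a claim of no security impact; consider wording the note as the reason for the unimportant severity (for example "crash in a CLI tool only, hence unimportant") so the two lines do not read as contradicting each other.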



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc9163cca9337349f5ce74d7b8fadef14644b2bf



___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-10674/libperlspeak-perl

2020-03-18 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c85d9238 by Salvatore Bonaccorso at 2020-03-19T06:05:30+01:00
Add Debian bug reference for CVE-2020-10674/libperlspeak-perl

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,5 +1,5 @@
 CVE-2020-10674 [shell injection RCE]
-   - libperlspeak-perl 
+   - libperlspeak-perl  (bug #954238)
NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=132173
 CVE-2020-10665 (Docker Desktop allows local privilege escalation to NT 
AUTHORITY\SYSTE ...)
TODO: check
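Review bot: the libperlspeak-perl line now carries the Debian bug but still no severity assessment, while the bracketed description reads "shell injection RCE"; consider adding one in parentheses, as the file does elsewhere (for example "(low; bug #947949)"), so the issue does not sit at default severity.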



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c85d9238aa84c29a0c05ebc98c664c967c54f2a8


[Git][security-tracker-team/security-tracker][master] Add new python-bleach issue (similar to CVE-2020-6802)

2020-03-18 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7232a76e by Salvatore Bonaccorso at 2020-03-19T05:58:42+01:00
Add new python-bleach issue (similar to CVE-2020-6802)

CVE to the Mozilla CNA requested.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2954,6 +2954,11 @@ CVE-2020-9337 (In GolfBuddy Course Manager 1.1, 
passwords are sent (with base64
NOT-FOR-US: GolfBuddy Course Manager
 CVE-2020-9336 (fauzantrif eLection 2.0 has XSS via the Admin Dashboard - 
Settings ...)
NOT-FOR-US: fauzantrif eLection
+CVE-2020- [mutation XSS vulnerability again]
+   - python-bleach 3.1.3-1 (bug #954236)
+   NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1621692 (not public)
+   NOTE: 
https://github.com/mozilla/bleach/security/advisories/GHSA-m6xf-fq7q-8743
+   NOTE: 
https://github.com/mozilla/bleach/commit/175f67740e7951e1d80cefb7831e6c3e4efeb986
 CVE-2020-6802 [mutation XSS vulnerability]
RESERVED
{DSA-4636-1}
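Review bot: the new entry uses the placeholder id "CVE-2020-" because, per the commit message, the CVE has only been requested from the Mozilla CNA; leave a TODO to replace it once assigned, otherwise the partial id will never match the CVE feed. Also, 3.1.3-1 is recorded only for unstable while the sibling CVE-2020-6802 was handled via DSA-4636-1, so a [buster] annotation (a no-dsa reason or a dsa-needed entry) should follow once the stable impact is assessed.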



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7232a76e4a55b8c288df1513597a0f96f13f6ee9


[Git][security-tracker-team/security-tracker][master] Add CVE-2020-10674/libperlspeak-perl

2020-03-18 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
892224d4 by Salvatore Bonaccorso at 2020-03-19T05:49:17+01:00
Add CVE-2020-10674/libperlspeak-perl

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,6 @@
+CVE-2020-10674 [shell injection RCE]
+   - libperlspeak-perl 
+   NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=132173
 CVE-2020-10665 (Docker Desktop allows local privilege escalation to NT 
AUTHORITY\SYSTE ...)
TODO: check
 CVE-2020-10664
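Review bot: the new CVE-2020-10674 entry references only the CPAN ticket and gives no severity; the Debian bug reference (#954238) was added in the follow-up commit c85d9238 on this list, so a severity in parentheses is the remaining gap for an issue described as "shell injection RCE".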



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/892224d406468aa7a9c3ef9d53eab7bc177a7b51


[Git][security-tracker-team/security-tracker][master] dla: take icu

2020-03-18 Thread Emilio Pozuelo Monfort


Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4cb11c38 by Emilio Pozuelo Monfort at 2020-03-18T23:48:50+01:00
dla: take icu

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -26,6 +26,8 @@ bluez (Emilio)
 --
 glibc (Mike Gabriel)
 --
+icu (Emilio)
+--
 libmatio (Adrian Bunk)
   NOTE: fairly high number of open issues. Not sure why we never had a look at 
them.
   NOTE: triage work needed, help security team for fixes if needed.
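Review bot: the dsa-needed entry for icu added in 4a10de6b records that the maintainer proposed debdiffs for review; a matching NOTE on this dla-needed line (stating whether those debdiffs also cover jessie) would help whoever prepares the jessie update coordinate with the stable one instead of rediscovering it.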



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4cb11c387e6f4ab4c88556644fd12839302e1a23


[Git][security-tracker-team/security-tracker][master] CVE-2019-20510 confirmed to be REJECTED

2020-03-18 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b5f79bf2 by Salvatore Bonaccorso at 2020-03-18T22:58:05+01:00
CVE-2019-20510 confirmed to be REJECTED

After query to MITRE, got a confirmation that CVE-2019-20510 will be
rejected and this update should be in the next CVE feed update, so mark
it already as REJECTED in advance.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -68,10 +68,8 @@ CVE-2020-10651
RESERVED
 CVE-2020-10650
RESERVED
-CVE-2019-20510 (rlm_eap/types/rlm_eap_pwd/eap_pwd.c in the EAP-pwd 
implementation in F ...)
-   - freeradius 3.0.20+dfsg-1
-   [jessie] - freeradius  (Vulnerable code introduced later 
in version 3.0.0)
-   NOTE: 
https://github.com/FreeRADIUS/freeradius-server/commit/3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa
 (release_3_0_20)
+CVE-2019-20510
+   REJECTED
 CVE-2020-10649
RESERVED
 CVE-2020-10648
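Review bot: marking CVE-2019-20510 REJECTED drops the freeradius fixed version and the reference to upstream commit 3ea2a5a0; since that same commit is now tracked under CVE-2019-13456 (commit 96e6f728 on this list), add a NOTE pointing to CVE-2019-13456 so anyone looking up the rejected id finds where the fix is tracked.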



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5f79bf27ac89143002178a3effae6993628027a


[Git][security-tracker-team/security-tracker][master] Process some NFUs

2020-03-18 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
28b82e25 by Salvatore Bonaccorso at 2020-03-18T22:56:47+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -11,9 +11,9 @@ CVE-2020-10661
 CVE-2020-10660
RESERVED
 CVE-2019-20529 (In core/doctype/prepared_report/prepared_report.py in Frappe 
11 and 12 ...)
-   TODO: check
+   NOT-FOR-US: Frappe Framework
 CVE-2019-20528 (Ignite Realtime Openfire 4.4.1 allows XSS via the 
setup/setup-datasour ...)
-   TODO: check
+   NOT-FOR-US: Ignite Realtime Openfire
 CVE-2019-20527
RESERVED
 CVE-2019-20526
@@ -45,11 +45,11 @@ CVE-2019-20514
 CVE-2019-20513
RESERVED
 CVE-2019-20512 (Open edX Ironwood.1 allows support/certificates?course_id= 
reflected X ...)
-   TODO: check
+   NOT-FOR-US: Open edX Ironwood.1
 CVE-2019-20511 (ERPNext 11.1.47 allows blog?blog_category= Frame Injection. 
...)
-   TODO: check
+   NOT-FOR-US: ERPNext
 CVE-2020-10659 (Entrust Entelligence Security Provider (ESP) before 10.0.60 on 
Windows ...)
-   TODO: check
+   NOT-FOR-US: Entrust Entelligence Security Provider (ESP)
 CVE-2020-10658
RESERVED
 CVE-2020-10657
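Review bot: "NOT-FOR-US: Open edX Ironwood.1" includes a release name in the tag, while the neighbouring lines use the bare product ("NOT-FOR-US: ERPNext", "NOT-FOR-US: Frappe Framework"); keep the product name only so later CVEs for other Open edX releases get the same label.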
@@ -2987,13 +2987,13 @@ CVE-2020-9327 (In SQLite 3.31.1, 
isAuxiliaryVtabOperator allows attackers to tri
NOTE: https://www.sqlite.org/cgi/src/info/9d0d4ab95dc0c56e
NOTE: https://www.sqlite.org/cgi/src/info/abc473fb8fb99900
 CVE-2020-9326 (BeyondTrust Privilege Management for Windows and Mac (aka PMWM; 
former ...)
-   TODO: check
+   NOT-FOR-US: BeyondTrust Privilege Management for Windows and Mac
 CVE-2020-9325 (Aquaforest TIFF Server 4.0 allows Unauthenticated Arbitrary 
File Downl ...)
-   TODO: check
+   NOT-FOR-US: Aquaforest TIFF Server
 CVE-2020-9324 (Aquaforest TIFF Server 4.0 allows Unauthenticated SMB Hash 
Capture via ...)
-   TODO: check
+   NOT-FOR-US: Aquaforest TIFF Server
 CVE-2020-9323 (Aquaforest TIFF Server 4.0 allows Unauthenticated File and 
Directory E ...)
-   TODO: check
+   NOT-FOR-US: Aquaforest TIFF Server
 CVE-2020-9322
RESERVED
 CVE-2020-9321 (configurationwatcher.go in Traefik 2.x before 2.1.4 and 
TraefikEE 2.0. ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/28b82e25ed02d4b1ea6229cf2bf20f81e2060d42


[Git][security-tracker-team/security-tracker][master] Sync CVE-2019-15794 with kernel-sec

2020-03-18 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bffa3ab1 by Salvatore Bonaccorso at 2020-03-18T22:51:53+01:00
Sync CVE-2019-15794 with kernel-sec

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -35140,6 +35140,10 @@ CVE-2019-15795 [python-apt: Do not use MD5 for 
verifying downloads]
NOTE: 
https://salsa.debian.org/apt-team/python-apt/commit/e175130e51c2b0424f3dfeb825e3dc598fec1a24
 (1.8.5)
 CVE-2019-15794
RESERVED
+   - linux 
+   [stretch] - linux  (overlayfs passes through mmap)
+   [jessie] - linux  (overlayfs not present)
+   NOTE: https://bugs.launchpad.net/bugs/1850994
 CVE-2019-15793
RESERVED
- linux  (Ubuntu-specific patch set, shiftfs not in 
Debian kernels)
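Review bot: the new CVE-2019-15794 lines reference only Launchpad bug 1850994, whereas the neighbouring CVE-2019-15795 entry references the fixing commit; once the upstream overlayfs/mmap fix is identified, add a NOTE with its commit so the kernel-sec sync can be verified against the source rather than a distro bug alone.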



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bffa3ab180b6119e51df1e93391514685570785a


[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2019-1551/openssl

2020-03-18 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9c695802 by Salvatore Bonaccorso at 2020-03-18T22:39:18+01:00
Track fixed version for CVE-2019-1551/openssl

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -78522,7 +78522,7 @@ CVE-2019-1552 (OpenSSL has internal defaults for a 
directory tree where it can f
NOTE: https://www.openssl.org/news/secadv/20190730.txt
 CVE-2019-1551 (There is an overflow bug in the x64_64 Montgomery squaring 
procedure u ...)
{DSA-4594-1}
-   - openssl  (low; bug #947949)
+   - openssl 1.1.1e-1 (low; bug #947949)
[buster] - openssl  (Wait until next upstream security 
release)
[stretch] - openssl  (Wait until next upstream security 
release)
[jessie] - openssl  (Affected modules are not present in 
Jessie)
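Review bot: with 1.1.1e-1 now recorded as the fixed version in unstable, the [buster] and [stretch] reasons "Wait until next upstream security release" look out of date; revisit them with the intended plan for stable (a stable update, or a no-dsa reason tied to the "low" severity) so the postponement does not remain open-ended.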



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c695802144585d8c36d6477c82cfdeae4bb2988


[Git][security-tracker-team/security-tracker][master] Revert "data/CVE/list: Mark icu/jessie as not affected by CVE-2020-10531."

2020-03-18 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1845fa4d by Salvatore Bonaccorso at 2020-03-18T22:27:17+01:00
Revert "data/CVE/list: Mark icu/jessie as not affected by CVE-2020-10531."

This reverts commit 6ee790eb8acec279a50c9c1cd88cb20a17ffabb4.

The issue was present before, but upstream commit 3d77fc18b8b1 (ICU-11317
split out a new doAppend() from the more general doReplace(), each
optimizing for different cases)[1] did move code around.

 [1] 
https://github.com/unicode-org/icu/commit/3d77fc18b8b1f1fbeb584790ebab1e5259e70b94

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -323,7 +323,6 @@ CVE-2020-10532 (The AD Helper component in WatchGuard 
Fireware before 5.8.5.1031
 CVE-2020-10531 (An issue was discovered in International Components for 
Unicode (ICU)  ...)
[experimental] - icu 66.1-2
- icu 63.2-3 (bug #953747)
-   [jessie] - icu  (Vulnerable code not present)
NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=1044570 
(not public)
NOTE: Upstream ICU bug: 
https://unicode-org.atlassian.net/browse/ICU-20958 (private)
NOTE: Fixed by: 
https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca
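Review bot: reverting the [jessie] line leaves jessie shown as affected with no trace in the data file of why; the commit message's reasoning (the vulnerable code predates upstream commit 3d77fc18b8b1, which only moved it) belongs in a NOTE on the entry, with that commit URL, so the next person checking jessie does not redo the analysis.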



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1845fa4df32cb6fa5788f2ed22caa501af0a4c3f


[Git][security-tracker-team/security-tracker][master] CVE-2018-20839: Add note on #929116

2020-03-18 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
10ea365e by Salvatore Bonaccorso at 2020-03-18T21:41:28+01:00
CVE-2018-20839: Add note on #929116

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -47552,7 +47552,8 @@ CVE-2018-20839 (systemd 242 changes the VT1 mode upon a 
logout, which allows att
NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1803993
NOTE: 
https://github.com/systemd/systemd/commit/9725f1a10f80f5e0ae7d9b60547458622aeb322f
NOTE: https://github.com/systemd/systemd/pull/12378
-   NOTE: The fix introduced a regression, cf. 
https://bugs.debian.org/929229
+   NOTE: The fix for https://bugs.debian.org/929116 introduced a 
regression, cf.
+   NOTE: https://bugs.debian.org/929229 .
NOTE: Issue was originally fixed for unstable in 241-4 but was reverted 
in 241-5
NOTE: https://gitlab.freedesktop.org/xorg/xserver/issues/857
NOTE: Upstream from systemd claimed originally it's not an issue in 
systemd, but
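Review bot: the rewritten NOTE splits one sentence over two NOTE lines and ends with " ." detached from the URL; the neighbouring NOTEs keep one reference per line, so either keep "cf. https://bugs.debian.org/929229" on the second line without the trailing period or put the whole sentence on a single NOTE line.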



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/10ea365e20a97c2355a3f744a60ff60e559364eb


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2147-1 for gdal

2020-03-18 Thread Utkarsh Gupta


Utkarsh Gupta pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
311330d0 by Utkarsh Gupta at 2020-03-19T02:02:53+05:30
Reserve DLA-2147-1 for gdal

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[19 Mar 2020] DLA-2147-1 gdal - security update
+   {CVE-2019-17546}
+   [jessie] - gdal 1.10.1+dfsg-8+deb8u2
 [18 Mar 2020] DLA-2146-1 libvncserver - security update
{CVE-2019-15690}
[jessie] - libvncserver 0.9.9+dfsg2-6.1+deb8u7


=
data/dla-needed.txt
=
@@ -24,8 +24,6 @@ ansible
 --
 bluez (Emilio)
 --
-gdal (Utkarsh Gupta)
---
 glibc (Mike Gabriel)
 --
 libmatio (Adrian Bunk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/311330d0bdc3a029fc265f00de5e30a33867a365


[Git][security-tracker-team/security-tracker][master] Add icu to dsa-needed list

2020-03-18 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4a10de6b by Salvatore Bonaccorso at 2020-03-18T21:27:43+01:00
Add icu to dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -14,6 +14,9 @@ If needed, specify the release by adding a slash after the 
name of the source pa
 --
 bluez (carnil)
 --
+icu
+  Maintainer poposed debdiffs for review
+--
 jruby/oldstable
 --
 libopenmpt
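Review bot: typo in the added note, "poposed" should be "proposed"; consider also dating the note (the dla-needed entries use the form "NOTE: 20200318: ...") so it is clear when the debdiffs were received and how long the review has been pending.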



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a10de6bcaf1c8b746805929155ac95d469c7603


[Git][security-tracker-team/security-tracker][master] Track some NFUs

2020-03-18 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
da1f3de8 by Salvatore Bonaccorso at 2020-03-18T21:14:32+01:00
Track some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -14850,7 +14850,7 @@ CVE-2020-4201
 CVE-2020-4200 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect 
Server) 10.5 ...)
NOT-FOR-US: IBM
 CVE-2020-4199 (IBM Tivoli Netcool/OMNIbus 8.1.0 is vulnerable to cross-site 
request f ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4198 (IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to 
cross-site scrip ...)
NOT-FOR-US: IBM
 CVE-2020-4197 (IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 allows web pages to be 
stored loc ...)
@@ -26564,9 +26564,9 @@ CVE-2019-18584
 CVE-2019-18583
REJECTED
 CVE-2019-18582 (Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 
versions ...)
-   TODO: check
+   NOT-FOR-US: EMC
 CVE-2019-18581 (Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 
versions ...)
-   TODO: check
+   NOT-FOR-US: EMC
 CVE-2019-18580 (Dell EMC Storage Monitoring and Reporting version 4.3.1 
contains a Jav ...)
NOT-FOR-US: EMC
 CVE-2019-18579 (Settings for the Dell XPS 13 2-in-1 (7390) BIOS versions prior 
to 1.1. ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da1f3de832083de587f8b6e43ed499d24331ed88


[Git][security-tracker-team/security-tracker][master] automatic update

2020-03-18 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dccd72c7 by security tracker role at 2020-03-18T20:10:26+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,53 @@
+CVE-2020-10665 (Docker Desktop allows local privilege escalation to NT 
AUTHORITY\SYSTE ...)
+   TODO: check
+CVE-2020-10664
+   RESERVED
+CVE-2020-10663
+   RESERVED
+CVE-2020-10662
+   RESERVED
+CVE-2020-10661
+   RESERVED
+CVE-2020-10660
+   RESERVED
+CVE-2019-20529 (In core/doctype/prepared_report/prepared_report.py in Frappe 
11 and 12 ...)
+   TODO: check
+CVE-2019-20528 (Ignite Realtime Openfire 4.4.1 allows XSS via the 
setup/setup-datasour ...)
+   TODO: check
+CVE-2019-20527
+   RESERVED
+CVE-2019-20526
+   RESERVED
+CVE-2019-20525
+   RESERVED
+CVE-2019-20524
+   RESERVED
+CVE-2019-20523
+   RESERVED
+CVE-2019-20522
+   RESERVED
+CVE-2019-20521
+   RESERVED
+CVE-2019-20520
+   RESERVED
+CVE-2019-20519
+   RESERVED
+CVE-2019-20518
+   RESERVED
+CVE-2019-20517
+   RESERVED
+CVE-2019-20516
+   RESERVED
+CVE-2019-20515
+   RESERVED
+CVE-2019-20514
+   RESERVED
+CVE-2019-20513
+   RESERVED
+CVE-2019-20512 (Open edX Ironwood.1 allows support/certificates?course_id= 
reflected X ...)
+   TODO: check
+CVE-2019-20511 (ERPNext 11.1.47 allows blog?blog_category= Frame Injection. 
...)
+   TODO: check
 CVE-2020-10659 (Entrust Entelligence Security Provider (ESP) before 10.0.60 on 
Windows ...)
TODO: check
 CVE-2020-10658
@@ -1175,11 +1225,11 @@ CVE-2020-10114 (cPanel before 84.0.20 allows stored 
self-XSS via the HTML file e
NOT-FOR-US: cPanel
 CVE-2020-10113 (cPanel before 84.0.20 allows self XSS via a temporary 
character-set sp ...)
NOT-FOR-US: cPanel
-CVE-2020-10112 (Citrix Gateway 11.1, 12.0, and 12.1 allows Cache Poisoning. 
...)
+CVE-2020-10112 (** DISPUTED ** Citrix Gateway 11.1, 12.0, and 12.1 allows 
Cache Poison ...)
NOT-FOR-US: Citrix
-CVE-2020-10111 (Citrix Gateway 11.1, 12.0, and 12.1 has an Inconsistent 
Interpretation ...)
+CVE-2020-10111 (** DISPUTED ** Citrix Gateway 11.1, 12.0, and 12.1 has an 
Inconsistent ...)
NOT-FOR-US: Citrix
-CVE-2020-10110 (Citrix Gateway 11.1, 12.0, and 12.1 allows Information 
Exposure Throug ...)
+CVE-2020-10110 (** DISPUTED ** Citrix Gateway 11.1, 12.0, and 12.1 allows 
Information  ...)
NOT-FOR-US: Citrix
 CVE-2020-10109 (In Twisted Web through 19.10.0, there was an HTTP request 
splitting vu ...)
{DLA-2145-1}
@@ -2621,8 +2671,8 @@ CVE-2020-9445
RESERVED
 CVE-2020-9444
RESERVED
-CVE-2020-9443
-   RESERVED
+CVE-2020-9443 (Zulip Desktop before 4.0.3 loaded untrusted content in an 
Electron web ...)
+   TODO: check
 CVE-2020-9442 (OpenVPN Connect 3.1.0.361 on Windows has Insecure Permissions 
for %PRO ...)
NOT-FOR-US: OpenVPN Connect on Windows
 CVE-2020-9441
@@ -2937,14 +2987,14 @@ CVE-2020-9327 (In SQLite 3.31.1, 
isAuxiliaryVtabOperator allows attackers to tri
NOTE: https://www.sqlite.org/cgi/src/info/4374860b29383380
NOTE: https://www.sqlite.org/cgi/src/info/9d0d4ab95dc0c56e
NOTE: https://www.sqlite.org/cgi/src/info/abc473fb8fb99900
-CVE-2020-9326
-   RESERVED
-CVE-2020-9325
-   RESERVED
-CVE-2020-9324
-   RESERVED
-CVE-2020-9323
-   RESERVED
+CVE-2020-9326 (BeyondTrust Privilege Management for Windows and Mac (aka PMWM; 
former ...)
+   TODO: check
+CVE-2020-9325 (Aquaforest TIFF Server 4.0 allows Unauthenticated Arbitrary 
File Downl ...)
+   TODO: check
+CVE-2020-9324 (Aquaforest TIFF Server 4.0 allows Unauthenticated SMB Hash 
Capture via ...)
+   TODO: check
+CVE-2020-9323 (Aquaforest TIFF Server 4.0 allows Unauthenticated File and 
Directory E ...)
+   TODO: check
 CVE-2020-9322
RESERVED
 CVE-2020-9321 (configurationwatcher.go in Traefik 2.x before 2.1.4 and 
TraefikEE 2.0. ...)
@@ -8255,8 +8305,8 @@ CVE-2020-7004
RESERVED
 CVE-2020-7003
RESERVED
-CVE-2020-7002
-   RESERVED
+CVE-2020-7002 (Delta Industrial Automation CNCSoft ScreenEditor, v1.00.96 and 
prior.  ...)
+   TODO: check
 CVE-2020-7001
RESERVED
 CVE-2020-7000
@@ -8307,8 +8357,8 @@ CVE-2020-6978
RESERVED
 CVE-2020-6977 (A restricted desktop environment escape vulnerability exists in 
the Ki ...)
NOT-FOR-US: GE
-CVE-2020-6976
-   RESERVED
+CVE-2020-6976 (Delta Industrial Automation CNCSoft ScreenEditor, v1.00.96 and 
prior.  ...)
+   TODO: check
 CVE-2020-6975 (Digi International ConnectPort LTS 32 MEI, Firmware Version 
1.4.3 (820 ...)
NOT-FOR-US: Digi International ConnectPort LTS 32 MEI
 CVE-2020-6974
@@ -14799,8 +14849,8 @@ CVE-2020-4201
RESERVED
 CVE-2020-4200 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect 
Server) 

[Git][security-tracker-team/security-tracker][master] Update note for amd64-microcode

2020-03-18 Thread Anton Gladky


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
92f56be3 by Anton Gladky at 2020-03-18T18:02:47+01:00
Update note for amd64-microcode

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -17,6 +17,7 @@ amd64-microcode (Anton Gladky)
   NOTE: 20200307: maintainer contacted regarding Jessie-update
   NOTE: 20200311: ask for review/test
   NOTE: 20200312: updated package is in testing phase
+  NOTE: 20200318: Stretch should be updated first to escape higher versions in 
Jessie, #954023.
 --
 ansible
   NOTE: 20200219: no upstream fixes yet



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92f56be376df557cdb9acccfe64c1c9eaa4221e2


[Git][security-tracker-team/security-tracker][master] new tika issues

2020-03-18 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bc0495fa by Moritz Muehlenhoff at 2020-03-18T17:41:18+01:00
new tika issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21202,10 +21202,18 @@ CVE-2020-1953 (Apache Commons Configuration uses a 
third-party library to parse
NOTE: https://www.openwall.com/lists/oss-security/2020/03/13/1
 CVE-2020-1952
RESERVED
-CVE-2020-1951
+CVE-2020-1951 [Infinite Loop (DoS) vulnerability in Apache Tika's PSDParser]
RESERVED
-CVE-2020-1950
+   - tika 
+   [buster] - tika  (Minor issue)
+   [stretch] - tika  (Minor issue)
+   NOTE: https://www.openwall.com/lists/oss-security/2020/03/18/4
+CVE-2020-1950 [Excessive memory usage (DoS) vulnerability in Apache Tika's 
PSDParser]
RESERVED
+   - tika 
+   [buster] - tika  (Minor issue)
+   [stretch] - tika  (Minor issue)
+   NOTE: https://www.openwall.com/lists/oss-security/2020/03/18/3
 CVE-2020-1949
RESERVED
 CVE-2020-1948
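Review bot: both tika entries stay RESERVED with bracketed descriptions and give "Minor issue" as the buster and stretch reason, but carry no severity in parentheses on the unstable line; for DoS-only parser issues the file marks that decision explicitly elsewhere (for example "(unimportant; ...)" or "(low; ...)"), so add one here to make the no-dsa choice self-explanatory.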



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc0495fa97303da265f397e407e3625f7e3294a8


[Git][security-tracker-team/security-tracker][master] Revert "CVE-2019-15690/libvncserver: reference embedded copies in...

2020-03-18 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bca2ca02 by Moritz Muehlenhoff at 2020-03-18T16:23:12+01:00
Revert "CVE-2019-15690/libvncserver: reference embedded copies in
italc/ssvnc/tightvnc/veyon/vncsnapshot"

This reverts commit 77a25a7a8a60d1005185d4a5ba2c2f57c3618830. CVEs from
embedded-code-copies must not simply be copied over (otherwise this would
be automated), but after validating whether each package embedding is
actually affected in terms of build and usage patterns.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -35466,11 +35466,6 @@ CVE-2019-15690
RESERVED
{DLA-2146-1}
- libvncserver  (bug #954163)
-   - italc 
-   - ssvnc 
-   - tightvnc 
-   - veyon 4.3.1+repack1-1
-   - vncsnapshot 
NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2
NOTE: https://github.com/LibVNC/libvncserver/issues/381
NOTE: 
https://github.com/LibVNC/libvncserver/commit/54220248886b5001fbbb9fa73c4e1a2cb9413fed
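Review bot: with the five embedded-copy lines dropped, nothing in the entry records that italc, ssvnc, tightvnc, veyon and vncsnapshot embed libvncserver and still need the per-package validation the commit message asks for; a TODO line naming them (without package entries) would keep that follow-up visible in the file rather than only in git history.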



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bca2ca0234fbd9f068723d80948522792c869b59


[Git][security-tracker-team/security-tracker][master] Re-evaluate state for CVE-2019-13456/freeradius

2020-03-18 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
96e6f728 by Salvatore Bonaccorso at 2020-03-18T15:07:00+01:00
Revaluate state for CVE-2019-13456/freeradius

I cannot say for sure where we first got the respective commits related
to CVE-2019-11234 and CVE-2019-11235, but the description[1] as well as
the relevant reference to the Red Hat bugzilla[2] show that this is
related to the commit[3].

 [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13456
 [2] https://bugzilla.redhat.com/show_bug.cgi?id=1737663
 [3] 
https://github.com/FreeRADIUS/freeradius-server/commit/3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa

Contact MITRE regarding CVE-2019-13456 and CVE-2019-20510 to ask whether
they are deliberately considered different CVEs.

Thanks: Thorsten Alteholz for pointing out this inconsistency.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -43878,14 +43878,11 @@ CVE-2019-13457 (An issue was discovered in Open 
Ticket Request System (OTRS) 7.0
- otrs2  (Only affects 7.x series)
NOTE: https://otrs.com/release-notes/otrs-security-advisory-2019-11/
 CVE-2019-13456 (In FreeRADIUS 3.0 through 3.0.19, on average 1 in every 2048 
EAP-pwd h ...)
-   - freeradius 3.0.17+dfsg-1.1
-   [stretch] - freeradius  (Minor issue; plugin not enabled by 
default)
-   [jessie] - freeradius  (Vulnerable code added later)
+   - freeradius 3.0.20+dfsg-1
+   [jessie] - freeradius  (Vulnerable code introduced later 
in version 3.0.0)
+   NOTE: 
https://github.com/FreeRADIUS/freeradius-server/commit/3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa
 (release_3_0_20)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1737663
NOTE: https://wpa3.mathyvanhoef.com/#new
-   NOTE: 
https://github.com/FreeRADIUS/freeradius-server/commit/a99746c93b8b3ae3be367af0e46f0d6a9626f566
 (master)
-   NOTE: 
https://github.com/FreeRADIUS/freeradius-server/commit/85497b5ff37ccb656895b826b88585898c209586
 (3.0.x)
-   NOTE: Issue seems to be treated as different issue than CVE-2019-11234 
and CVE-2019-11235
 CVE-2019-13455 (In Xymon through 4.3.28, a stack-based buffer overflow 
vulnerability e ...)
{DLA-1898-1}
- xymon 4.3.29-1
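Review bot: moving the fixed version from 3.0.17+dfsg-1.1 to 3.0.20+dfsg-1 while deleting the `[stretch] - freeradius (Minor issue; plugin not enabled by default)` line leaves every suite shipping a version between those two with no annotation, so the tracker now shows them as open with no recorded no-dsa decision; if the plugin-not-enabled reasoning still holds, the suite lines should come back with it. Removing the NOTE that the issue is treated separately from CVE-2019-11234 and CVE-2019-11235 also loses the very question the commit message says is being raised with MITRE; keep a NOTE with that pending query and a cross-reference to CVE-2019-20510, since both entries now point at the same release_3_0_20 commit.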



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96e6f728c485284b319e7b48e270227b61110940


[Git][security-tracker-team/security-tracker][master] 2 commits: libvncserver: reference embedded copies

2020-03-18 Thread Sylvain Beucler


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
105dfeb7 by Sylvain Beucler at 2020-03-18T14:56:41+01:00
libvncserver: reference embedded copies
Builds on initial research at 
https://lists.debian.org/debian-lts/2019/10/msg00094.html

- - - - -
77a25a7a by Sylvain Beucler at 2020-03-18T15:00:30+01:00
CVE-2019-15690/libvncserver: reference embedded copies in 
italc/ssvnc/tightvnc/veyon/vncsnapshot

- - - - -


2 changed files:

- data/CVE/list
- data/embedded-code-copies


Changes:

=
data/CVE/list
=
@@ -35466,6 +35466,11 @@ CVE-2019-15690
RESERVED
{DLA-2146-1}
- libvncserver  (bug #954163)
+   - italc 
+   - ssvnc 
+   - tightvnc 
+   - veyon 4.3.1+repack1-1
+   - vncsnapshot 
NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2
NOTE: https://github.com/LibVNC/libvncserver/issues/381
NOTE: 
https://github.com/LibVNC/libvncserver/commit/54220248886b5001fbbb9fa73c4e1a2cb9413fed
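Review bot: the five added package lines carry no version and no per-package annotation, so each embedding is marked affected by CVE-2019-15690 solely because it contains a copy of libvncserver. The data/embedded-code-copies change in this same push records ssvnc and vncsnapshot as shipping client code only and veyon as bundling only libvncclient, so whether the issue reaches them depends on which part of the tree libvncserver issue #381 and commit 54220248 touch; add a short per-package NOTE with that check, or a not-affected annotation in the style used for jessie elsewhere in this file, before listing them.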


=
data/embedded-code-copies
=
@@ -544,8 +544,18 @@ libmodplug
- gst-plugins-bad0.10 0.10.10.2-1 (embed)
 
 libvncserver
-   - vino  (embed)
-   - krfb  (embed)
+   - krfb 4:14.12.2-1 (embed) [libvncserver/rfbserver.c]
+   - italc  (embed) [ica/x11/libvnc*]
+   - ssvnc  (modified-embed) [vnc_unixsrc/*]
+   NOTE: client code only
+   - tigervnc  (fork)
+   - tightvnc  (fork)
+   - vncsnapshot  (embed)
+   NOTE: client code only, small files subset
+   - veyon  (embed) [3rdparty/libvncserver/libvncclient/*]
+   NOTE: uses system-wide libvncserver, but still bundles libvncclient
+   - vino  (embed) [server/libvncserver/*]
+   NOTE: server code only
 
 putty
- filezilla  (embed)
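Review bot: tigervnc and tightvnc are recorded as `(fork)` with no indication of which libvncserver version they diverged from, which is the one fact needed to decide whether a given upstream fix applies to them; the other entries got path hints (`[server/libvncserver/*]`, `[3rdparty/libvncserver/libvncclient/*]`), so a similar bracketed hint or NOTE naming the fork point would keep the section self-contained. It would also help to say in a NOTE what the `krfb 4:14.12.2-1` version denotes, since it is the only versioned line in the block and the surrounding entries have none.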
@@ -704,7 +714,7 @@ lzo2
- remmina  (embed)
- blender  (embed)
- x11vnc  (embed)
-   - italc  (embed)
+   - italc  (embed)
- dump  (embed)
- krfb  (embed)
- nfdump  (embed)
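Review bot: the `-`/`+` pair for the italc line under lzo2 reads identically as shown here, and the commit message (libvncserver: reference embedded copies) does not mention lzo2 at all; whatever the actual change to that line is (a status marker or whitespace), it belongs in a separate commit or at least in a sentence of the message, otherwise a reader tracing the lzo2 section cannot tell why it was touched.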



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5d73be68c1b8a1cece5e9541cc6725901587dfba...77a25a7a8a60d1005185d4a5ba2c2f57c3618830


[Git][security-tracker-team/security-tracker][master] 2 commits: security_db: don't return duplicated advisories

2020-03-18 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5e29d4fb by Emilio Pozuelo Monfort at 2020-03-18T12:26:45+01:00
security_db: don't return duplicated advisories

This is used to build the advisory table in package views, and it makes
no sense to list some advisories (e.g. DSAs that fixed both stable and
oldstable) twice.

- - - - -
5d73be68 by Salvatore Bonaccorso at 2020-03-18T12:09:08+00:00
Merge branch duplicate-advisories into master

security_db: don't return duplicated advisories

See merge request security-tracker-team/security-tracker!53
- - - - -


1 changed file:

- lib/python/security_db.py


Changes:

=
lib/python/security_db.py
=
@@ -1872,7 +1872,7 @@ class DB:
 def getDSAsForSourcePackage(self, cursor, package):
 bugs_like = self.genDBAdvisoryString("bugs.name", dtsa=False)
 for row in cursor.execute(
-"""SELECT bugs.name, bugs.description
+"""SELECT DISTINCT bugs.name, bugs.description
 FROM bugs, package_notes as p
 WHERE p.bug_name = bugs.name
 AND ( """ + bugs_like + """ )



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8f3cc5f7e2d3ed54f5c441143f54bdc0263719df...5d73be68c1b8a1cece5e9541cc6725901587dfba


[Git][security-tracker-team/security-tracker][master] 2 commits: mark CVE-2019-20510 as not-affected for Jessie

2020-03-18 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8db2b9e7 by Thorsten Alteholz at 2020-03-18T13:07:07+01:00
mark CVE-2019-20510 as not-affected for Jessie

- - - - -
8f3cc5f7 by Thorsten Alteholz at 2020-03-18T13:07:40+01:00
nothing to do

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -20,6 +20,7 @@ CVE-2020-10650
RESERVED
 CVE-2019-20510 (rlm_eap/types/rlm_eap_pwd/eap_pwd.c in the EAP-pwd 
implementation in F ...)
- freeradius 3.0.20+dfsg-1
+   [jessie] - freeradius  (Vulnerable code introduced later 
in version 3.0.0)
NOTE: 
https://github.com/FreeRADIUS/freeradius-server/commit/3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa
 (release_3_0_20)
 CVE-2020-10649
RESERVED
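Review bot: the jessie annotation `(Vulnerable code introduced later in version 3.0.0)` is the same claim made for CVE-2019-13456 in 96e6f728, and both entries cite the same upstream commit 3ea2a5a0 (release_3_0_20); since the two records are otherwise identical, a NOTE in each pointing at the other would stop them drifting apart when one is updated, for example once the buster/stretch status is decided.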


=
data/dla-needed.txt
=
@@ -27,8 +27,6 @@ gdal (Utkarsh Gupta)
 --
 glibc (Mike Gabriel)
 --
-freeradius (Thorsten Alteholz)
---
 libmatio (Adrian Bunk)
   NOTE: fairly high number of open issues. Not sure why we never had a look at 
them.
   NOTE: triage work needed, help security team for fixes if needed.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/bc8c7e271d522d62d15c6c767445f8f8858f8aa4...8f3cc5f7e2d3ed54f5c441143f54bdc0263719df


[Git][security-tracker-team/security-tracker][master] 3 commits: mark CVE-2020-6581 as not-affected for Jessie

2020-03-18 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
84c7e4f0 by Thorsten Alteholz at 2020-03-18T12:17:39+01:00
mark CVE-2020-6581 as not-affected for Jessie

- - - - -
f368b0ff by Thorsten Alteholz at 2020-03-18T12:18:14+01:00
mark CVE-2020-6582 as no-dsa for Jessie

- - - - -
bc8c7e27 by Thorsten Alteholz at 2020-03-18T12:18:55+01:00
add freeradius

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -9273,6 +9273,7 @@ CVE-2020-6582 (Nagios NRPE 3.2.1 has a Heap-Based Buffer 
Overflow, as demonstrat
- nagios-nrpe 4.0.0-1
[buster] - nagios-nrpe  (Minor issue)
[stretch] - nagios-nrpe  (Minor issue)
+   [jessie] - nagios-nrpe  (Minor issue)
NOTE: https://herolab.usd.de/security-advisories/usd-2020-0001/
NOTE: 
https://github.com/NagiosEnterprises/nrpe/commit/b84f9b8c9d290dd02e139df8dad1c3eb690c1213
NOTE: 
https://github.com/NagiosEnterprises/nrpe/commit/8e3bea4e1b1937e395a182729762aa8894e8649e
@@ -9281,6 +9282,7 @@ CVE-2020-6581 (Nagios NRPE 3.2.1 has Insufficient 
Filtering because, for example
- nagios-nrpe 4.0.0-1
[buster] - nagios-nrpe  (Minor issue)
[stretch] - nagios-nrpe  (Minor issue)
+   [jessie] - nagios-nrpe  (Vulnerable code introduced later)
NOTE: https://herolab.usd.de/security-advisories/usd-2020-0002/
NOTE: 
https://github.com/NagiosEnterprises/nrpe/commit/0db345444d0dcb3e37cca1bcbb0027dcbb764197
 (part for proper processing of nasty_metachars)
 CVE-2020-6580
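Review bot: `(Vulnerable code introduced later)` records a not-affected decision but gives no version or commit to back it, unlike the freeradius entries on this page which name 3.0.0; the referenced NRPE commit 0db34544 is itself annotated as only part of the nasty_metachars handling, so record the upstream version in which the affected filtering first appeared so the not-affected call can be re-checked later.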


=
data/dla-needed.txt
=
@@ -27,6 +27,8 @@ gdal (Utkarsh Gupta)
 --
 glibc (Mike Gabriel)
 --
+freeradius (Thorsten Alteholz)
+--
 libmatio (Adrian Bunk)
   NOTE: fairly high number of open issues. Not sure why we never had a look at 
them.
   NOTE: triage work needed, help security team for fixes if needed.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1c8d1447202a179cfae76585a2e47a66936b8454...bc8c7e271d522d62d15c6c767445f8f8858f8aa4


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-20510/freeradius

2020-03-18 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1c8d1447 by Salvatore Bonaccorso at 2020-03-18T10:32:10+01:00
Add CVE-2019-20510/freeradius

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -19,7 +19,8 @@ CVE-2020-10651
 CVE-2020-10650
RESERVED
 CVE-2019-20510 (rlm_eap/types/rlm_eap_pwd/eap_pwd.c in the EAP-pwd 
implementation in F ...)
-   TODO: check
+   - freeradius 3.0.20+dfsg-1
+   NOTE: 
https://github.com/FreeRADIUS/freeradius-server/commit/3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa
 (release_3_0_20)
 CVE-2020-10649
RESERVED
 CVE-2020-10648
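Review bot: replacing `TODO: check` with a fixed version for unstable but no suite lines leaves buster, stretch and jessie all showing as affected until annotated (jessie gets a not-affected line in 8db2b9e7 later on this page); when the fix commit is already identified, as here with release_3_0_20, adding the suite decisions in the same commit avoids the entry sitting in an inconsistent state in the meantime.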



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c8d1447202a179cfae76585a2e47a66936b8454


[Git][security-tracker-team/security-tracker][master] Process NFUs

2020-03-18 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8fb0f15e by Salvatore Bonaccorso at 2020-03-18T09:58:41+01:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4597,11 +4597,11 @@ CVE-2020-8602
 CVE-2020-8601 (Trend Micro Vulnerability Protection 2.0 is affected by a 
vulnerabilit ...)
NOT-FOR-US: Trend Micro
 CVE-2020-8600 (Trend Micro Worry-Free Business Security (9.0, 9.5, 10.0) is 
affected  ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2020-8599 (Trend Micro Apex One (2019) and OfficeScan XG server contain a 
vulnera ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2020-8598 (Trend Micro Apex One (2019), OfficeScan XG and Worry-Free 
Business Sec ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2020-8597 (eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname 
buffer overf ...)
{DSA-4632-1 DLA-2097-1}
- lwip 2.1.2+dfsg1-5 (bug #951291)
@@ -4892,13 +4892,13 @@ CVE-2020-8472
 CVE-2020-8471
RESERVED
 CVE-2020-8470 (Trend Micro Apex One (2019), OfficeScan XG and Worry-Free 
Business Sec ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2020-8469 (Trend Micro Password Manager for Windows version 5.0 is 
affected by a  ...)
NOT-FOR-US: Trend Micro
 CVE-2020-8468 (Trend Micro Apex One (2019), OfficeScan XG and Worry-Free 
Business Sec ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2020-8467 (A migration tool component of Trend Micro Apex One (2019) and 
OfficeSc ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2020-8466
RESERVED
 CVE-2020-8465



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8fb0f15e113e26346ae7d30a8822cbcf24ed90dd


[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2019-9460 (withdrawn by CNA)

2020-03-18 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
61de8c51 by Salvatore Bonaccorso at 2020-03-18T09:56:00+01:00
Remove notes from CVE-2019-9460 (withdrawn by CNA)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -56199,7 +56199,6 @@ CVE-2019-9461 (In the Android kernel in VPN routing 
there is a possible informat
NOT-FOR-US: Android
 CVE-2019-9460
REJECTED
-   NOT-FOR-US: Android Media Server
 CVE-2019-9459 (In libttspico, there is a possible OOB write due to a heap 
buffer over ...)
NOT-FOR-US: Android
 CVE-2019-9458 (In the Android kernel in the video driver there is a use after 
free du ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61de8c517c86e835672e8b71b90dd61e99b780fe


[Git][security-tracker-team/security-tracker][master] automatic update

2020-03-18 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
084c98b9 by security tracker role at 2020-03-18T08:10:18+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,25 @@
+CVE-2020-10659 (Entrust Entelligence Security Provider (ESP) before 10.0.60 on 
Windows ...)
+   TODO: check
+CVE-2020-10658
+   RESERVED
+CVE-2020-10657
+   RESERVED
+CVE-2020-10656
+   RESERVED
+CVE-2020-10655
+   RESERVED
+CVE-2020-10654
+   RESERVED
+CVE-2020-10653
+   RESERVED
+CVE-2020-10652
+   RESERVED
+CVE-2020-10651
+   RESERVED
+CVE-2020-10650
+   RESERVED
+CVE-2019-20510 (rlm_eap/types/rlm_eap_pwd/eap_pwd.c in the EAP-pwd 
implementation in F ...)
+   TODO: check
 CVE-2020-10649
RESERVED
 CVE-2020-10648
@@ -4574,12 +4596,12 @@ CVE-2020-8602
RESERVED
 CVE-2020-8601 (Trend Micro Vulnerability Protection 2.0 is affected by a 
vulnerabilit ...)
NOT-FOR-US: Trend Micro
-CVE-2020-8600
-   RESERVED
-CVE-2020-8599
-   RESERVED
-CVE-2020-8598
-   RESERVED
+CVE-2020-8600 (Trend Micro Worry-Free Business Security (9.0, 9.5, 10.0) is 
affected  ...)
+   TODO: check
+CVE-2020-8599 (Trend Micro Apex One (2019) and OfficeScan XG server contain a 
vulnera ...)
+   TODO: check
+CVE-2020-8598 (Trend Micro Apex One (2019), OfficeScan XG and Worry-Free 
Business Sec ...)
+   TODO: check
 CVE-2020-8597 (eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname 
buffer overf ...)
{DSA-4632-1 DLA-2097-1}
- lwip 2.1.2+dfsg1-5 (bug #951291)
@@ -4869,14 +4891,14 @@ CVE-2020-8472
RESERVED
 CVE-2020-8471
RESERVED
-CVE-2020-8470
-   RESERVED
+CVE-2020-8470 (Trend Micro Apex One (2019), OfficeScan XG and Worry-Free 
Business Sec ...)
+   TODO: check
 CVE-2020-8469 (Trend Micro Password Manager for Windows version 5.0 is 
affected by a  ...)
NOT-FOR-US: Trend Micro
-CVE-2020-8468
-   RESERVED
-CVE-2020-8467
-   RESERVED
+CVE-2020-8468 (Trend Micro Apex One (2019), OfficeScan XG and Worry-Free 
Business Sec ...)
+   TODO: check
+CVE-2020-8467 (A migration tool component of Trend Micro Apex One (2019) and 
OfficeSc ...)
+   TODO: check
 CVE-2020-8466
RESERVED
 CVE-2020-8465
@@ -15988,8 +16010,8 @@ CVE-2020-3924 (DVR firmware in TAT-76 and TAT-77 series 
of products, provided by
NOT-FOR-US: DVR firmware in TAT-76 and TAT-77 series
 CVE-2020-3923 (DVR firmware in TAT-76 and TAT-77 series of products, provided 
by TONN ...)
NOT-FOR-US: DVR firmware in TAT-76 and TAT-77 series
-CVE-2020-3922
-   RESERVED
+CVE-2020-3922 (LisoMail, by ArmorX, allows SQL Injections, attackers can 
access the d ...)
+   TODO: check
 CVE-2020-3921
RESERVED
 CVE-2020-3920
@@ -47968,8 +47990,8 @@ CVE-2019-11941 (A remote code execution vulnerability 
was identified in HPE Inte
NOT-FOR-US: HPE
 CVE-2019-11940 (In the course of decompressing HPACK inside the HTTP2 
protocol, an une ...)
NOT-FOR-US: Facebook Proxygen
-CVE-2019-11939
-   RESERVED
+CVE-2019-11939 (Golang Facebook Thrift servers would not error upon receiving 
messages ...)
+   TODO: check
 CVE-2019-11938 (Java Facebook Thrift servers would not error upon receiving 
messages d ...)
TODO: check
 CVE-2019-11937 (In Mcrouter prior to v0.41.0, a large struct input provided to 
the Car ...)
@@ -56175,7 +56197,8 @@ CVE-2019-9462 (In Bluetooth, there is a possible out of 
bounds read due to an in
NOT-FOR-US: Android
 CVE-2019-9461 (In the Android kernel in VPN routing there is a possible 
information d ...)
NOT-FOR-US: Android
-CVE-2019-9460 (In mediaserver, there is a possible out of bounds write due to 
a missi ...)
+CVE-2019-9460
+   REJECTED
NOT-FOR-US: Android Media Server
 CVE-2019-9459 (In libttspico, there is a possible OOB write due to a heap 
buffer over ...)
NOT-FOR-US: Android
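Review bot: the update turns CVE-2019-9460 into `REJECTED` but leaves the existing `NOT-FOR-US: Android Media Server` line underneath, which a manual commit (61de8c51, above on this page) then has to remove; the import could drop prior status lines when it rewrites an entry as REJECTED so that the automatic update leaves a consistent record.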



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/084c98b98994283f60a55b8c75bb1b6b3ca6231c
