[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2020-9549/pdfresurrect via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cc9163cc by Salvatore Bonaccorso at 2020-03-19T06:21:17+01:00 Add fixed version for CVE-2020-9549/pdfresurrect via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2425,7 +2425,7 @@ CVE-2020-9550 (Rubetek SmartHome 2020 devices use unencrypted 433 MHz communicat NOT-FOR-US: Rubetek SmartHome 2020 devices CVE-2020-9549 (In PDFResurrect 0.12 through 0.19, get_type in pdf.c has an out-of-bou ...) {DLA-2134-1} - - pdfresurrect (unimportant; bug #952948) + - pdfresurrect 0.20-1 (unimportant; bug #952948) NOTE: https://github.com/enferex/pdfresurrect/issues/8 NOTE: Crash in CLI tool, no security impact CVE-2020-9548 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc9163cca9337349f5ce74d7b8fadef14644b2bf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc9163cca9337349f5ce74d7b8fadef14644b2bf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
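Review bot: the only upstream reference on the entry is the issue URL (https://github.com/enferex/pdfresurrect/issues/8), so the new fixed version 0.20-1 cannot be checked against the "0.12 through 0.19" range in the description without re-reading the issue; add a NOTE with the upstream fixing commit or release. The unimportant rating matches the "Crash in CLI tool, no security impact" NOTE, and {DLA-2134-1} already covers jessie, so no per-release line is missing.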
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-10674/libperlspeak-perl
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c85d9238 by Salvatore Bonaccorso at 2020-03-19T06:05:30+01:00 Add Debian bug reference for CVE-2020-10674/libperlspeak-perl - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2020-10674 [shell injection RCE] - - libperlspeak-perl + - libperlspeak-perl (bug #954238) NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=132173 CVE-2020-10665 (Docker Desktop allows local privilege escalation to NT AUTHORITY\SYSTE ...) TODO: check View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c85d9238aa84c29a0c05ebc98c664c967c54f2a8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c85d9238aa84c29a0c05ebc98c664c967c54f2a8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
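Review bot: with bug #954238 attached, the entry still carries neither a severity nor any [buster]/[stretch]/[jessie] status, so every suite shows as unfixed with no triage for a shell injection RCE; once the RT ticket (132173) identifies the fixing change, add the fixed version plus an upstream commit NOTE, and give the suites an explicit status.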
[Git][security-tracker-team/security-tracker][master] Add new python-bleach issue (similar to CVE-2020-6802)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7232a76e by Salvatore Bonaccorso at 2020-03-19T05:58:42+01:00 Add new python-bleach issue (similar to CVE-2020-6802) CVE to the Mozilla CNA requested. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2954,6 +2954,11 @@ CVE-2020-9337 (In GolfBuddy Course Manager 1.1, passwords are sent (with base64 NOT-FOR-US: GolfBuddy Course Manager CVE-2020-9336 (fauzantrif eLection 2.0 has XSS via the Admin Dashboard - Settings ...) NOT-FOR-US: fauzantrif eLection +CVE-2020- [mutation XSS vulnerability again] + - python-bleach 3.1.3-1 (bug #954236) + NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1621692 (not public) + NOTE: https://github.com/mozilla/bleach/security/advisories/GHSA-m6xf-fq7q-8743 + NOTE: https://github.com/mozilla/bleach/commit/175f67740e7951e1d80cefb7831e6c3e4efeb986 CVE-2020-6802 [mutation XSS vulnerability] RESERVED {DSA-4636-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7232a76e4a55b8c288df1513597a0f96f13f6ee9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7232a76e4a55b8c288df1513597a0f96f13f6ee9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
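Review bot: the new entry records 3.1.3-1 as fixed in unstable but has no [buster]/[stretch] lines; the previous mutation XSS, CVE-2020-6802, went out as DSA-4636-1, so say explicitly whether the versions shipped with that DSA are affected by this second mXSS, otherwise both suites sit as unfixed with no triage. The bugzilla NOTE is marked (not public), which leaves the GHSA and commit 175f6774 as the only checkable references; and the placeholder id "CVE-2020-" must be replaced as soon as the Mozilla CNA assigns one, since the automatic update will not do it.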
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-10674/libperlspeak-perl
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 892224d4 by Salvatore Bonaccorso at 2020-03-19T05:49:17+01:00 Add CVE-2020-10674/libperlspeak-perl - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,6 @@ +CVE-2020-10674 [shell injection RCE] + - libperlspeak-perl + NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=132173 CVE-2020-10665 (Docker Desktop allows local privilege escalation to NT AUTHORITY\SYSTE ...) TODO: check CVE-2020-10664 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/892224d406468aa7a9c3ef9d53eab7bc177a7b51 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/892224d406468aa7a9c3ef9d53eab7bc177a7b51 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
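Review bot: the new entry has no Debian bug reference on the package line and uses the bracketed placeholder title [shell injection RCE] with the RT ticket as the only reference; file a bug against libperlspeak-perl and reference it in the usual (bug #NNNNNN) form, and replace the placeholder with MITRE's description once CVE-2020-10674 is published.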
[Git][security-tracker-team/security-tracker][master] dla: take icu
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 4cb11c38 by Emilio Pozuelo Monfort at 2020-03-18T23:48:50+01:00 dla: take icu - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -26,6 +26,8 @@ bluez (Emilio) -- glibc (Mike Gabriel) -- +icu (Emilio) +-- libmatio (Adrian Bunk) NOTE: fairly high number of open issues. Not sure why we never had a look at them. NOTE: triage work needed, help security team for fixes if needed. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4cb11c387e6f4ab4c88556644fd12839302e1a23 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4cb11c387e6f4ab4c88556644fd12839302e1a23 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
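Review bot: the new icu entry in dla-needed.txt carries no NOTE line, while the neighbouring entries record what is being worked on (the libmatio NOTEs here, the dated NOTEs on amd64-microcode elsewhere in this file); add the CVE being handled (CVE-2020-10531, bug #953747, whose jessie "Vulnerable code not present" annotation was just reverted) so the claim and the tracker entry can be cross-checked.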
[Git][security-tracker-team/security-tracker][master] CVE-2019-20510 confirmed to be REJECTED
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b5f79bf2 by Salvatore Bonaccorso at 2020-03-18T22:58:05+01:00 CVE-2019-20510 confirmed to be REJECTED After query to MITRE, got a confirmation that CVE-2019-20510 will be rejected and this update should be in the next CVE feed update, so mark it already as REJECTED in advance. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -68,10 +68,8 @@ CVE-2020-10651 RESERVED CVE-2020-10650 RESERVED -CVE-2019-20510 (rlm_eap/types/rlm_eap_pwd/eap_pwd.c in the EAP-pwd implementation in F ...) - - freeradius 3.0.20+dfsg-1 - [jessie] - freeradius (Vulnerable code introduced later in version 3.0.0) - NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa (release_3_0_20) +CVE-2019-20510 + REJECTED CVE-2020-10649 RESERVED CVE-2020-10648 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5f79bf27ac89143002178a3effae6993628027a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5f79bf27ac89143002178a3effae6993628027a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
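Review bot: the removed lines carried the freeradius fixed version (3.0.20+dfsg-1), the jessie annotation and the upstream commit 3ea2a5a0 (release_3_0_20); those are now tracked under CVE-2019-13456 by commit 96e6f728 in this batch, so nothing is lost, but add a NOTE under the REJECTED entry pointing at CVE-2019-13456, because the next automatic update will only carry MITRE's rejection text and anyone following a reference to CVE-2019-20510 would otherwise land on an empty entry. Marking REJECTED ahead of the feed is fine provided the next "automatic update" commit does not re-add the description; worth checking.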
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 28b82e25 by Salvatore Bonaccorso at 2020-03-18T22:56:47+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11,9 +11,9 @@ CVE-2020-10661 CVE-2020-10660 RESERVED CVE-2019-20529 (In core/doctype/prepared_report/prepared_report.py in Frappe 11 and 12 ...) - TODO: check + NOT-FOR-US: Frappe Framework CVE-2019-20528 (Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasour ...) - TODO: check + NOT-FOR-US: Ignite Realtime Openfire CVE-2019-20527 RESERVED CVE-2019-20526 @@ -45,11 +45,11 @@ CVE-2019-20514 CVE-2019-20513 RESERVED CVE-2019-20512 (Open edX Ironwood.1 allows support/certificates?course_id= reflected X ...) - TODO: check + NOT-FOR-US: Open edX Ironwood.1 CVE-2019-20511 (ERPNext 11.1.47 allows blog?blog_category= Frame Injection. ...) - TODO: check + NOT-FOR-US: ERPNext CVE-2020-10659 (Entrust Entelligence Security Provider (ESP) before 10.0.60 on Windows ...) - TODO: check + NOT-FOR-US: Entrust Entelligence Security Provider (ESP) CVE-2020-10658 RESERVED CVE-2020-10657 
@@ -2987,13 +2987,13 @@ CVE-2020-9327 (In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to tri NOTE: https://www.sqlite.org/cgi/src/info/9d0d4ab95dc0c56e NOTE: https://www.sqlite.org/cgi/src/info/abc473fb8fb99900 CVE-2020-9326 (BeyondTrust Privilege Management for Windows and Mac (aka PMWM; former ...) - TODO: check + NOT-FOR-US: BeyondTrust Privilege Management for Windows and Mac CVE-2020-9325 (Aquaforest TIFF Server 4.0 allows Unauthenticated Arbitrary File Downl ...) - TODO: check + NOT-FOR-US: Aquaforest TIFF Server CVE-2020-9324 (Aquaforest TIFF Server 4.0 allows Unauthenticated SMB Hash Capture via ...) - TODO: check + NOT-FOR-US: Aquaforest TIFF Server CVE-2020-9323 (Aquaforest TIFF Server 4.0 allows Unauthenticated File and Directory E ...) - TODO: check + NOT-FOR-US: Aquaforest TIFF Server CVE-2020-9322 RESERVED CVE-2020-9321 (configurationwatcher.go in Traefik 2.x before 2.1.4 and TraefikEE 2.0. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/28b82e25ed02d4b1ea6229cf2bf20f81e2060d42 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/28b82e25ed02d4b1ea6229cf2bf20f81e2060d42 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
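Review bot: style nit on the NOT-FOR-US labels: "Open edX Ironwood.1" carries the release name while the others use the bare product ("Frappe Framework", "ERPNext", "Ignite Realtime Openfire"); drop the version suffix so the label stays stable across future CVEs for the same product. The BeyondTrust entry (described as "for Windows and Mac") and the three Aquaforest TIFF Server entries are otherwise consistent with the existing labels in the file.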
[Git][security-tracker-team/security-tracker][master] Sync CVE-2019-15794 with kernel-sec
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bffa3ab1 by Salvatore Bonaccorso at 2020-03-18T22:51:53+01:00 Sync CVE-2019-15794 with kernel-sec - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -35140,6 +35140,10 @@ CVE-2019-15795 [python-apt: Do not use MD5 for verifying downloads] NOTE: https://salsa.debian.org/apt-team/python-apt/commit/e175130e51c2b0424f3dfeb825e3dc598fec1a24 (1.8.5) CVE-2019-15794 RESERVED + - linux + [stretch] - linux (overlayfs passes through mmap) + [jessie] - linux (overlayfs not present) + NOTE: https://bugs.launchpad.net/bugs/1850994 CVE-2019-15793 RESERVED - linux (Ubuntu-specific patch set, shiftfs not in Debian kernels) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bffa3ab180b6119e51df1e93391514685570785a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bffa3ab180b6119e51df1e93391514685570785a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
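Review bot: the stretch reason "(overlayfs passes through mmap)" does not say whether stretch is not affected or affected-but-minor, and this page uses the same parenthetical shorthand for both meanings (compare "Minor issue" on the tika entries with "Vulnerable code not present" on icu); "(overlayfs not present)" for jessie reads as not-affected, so make the stretch line equally explicit. The unstable line "- linux" has no fixed version and the Launchpad bug is the only reference; add the upstream commit or the kernel-sec reference the sync was taken from.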
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2019-1551/openssl
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9c695802 by Salvatore Bonaccorso at 2020-03-18T22:39:18+01:00 Track fixed version for CVE-2019-1551/openssl - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -78522,7 +78522,7 @@ CVE-2019-1552 (OpenSSL has internal defaults for a directory tree where it can f NOTE: https://www.openssl.org/news/secadv/20190730.txt CVE-2019-1551 (There is an overflow bug in the x64_64 Montgomery squaring procedure u ...) {DSA-4594-1} - - openssl (low; bug #947949) + - openssl 1.1.1e-1 (low; bug #947949) [buster] - openssl (Wait until next upstream security release) [stretch] - openssl (Wait until next upstream security release) [jessie] - openssl (Affected modules are not present in Jessie) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c695802144585d8c36d6477c82cfdeae4bb2988 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c695802144585d8c36d6477c82cfdeae4bb2988 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
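Review bot: 1.1.1e-1 is now recorded as the fix in unstable, yet the buster and stretch lines still say "Wait until next upstream security release"; that release has evidently happened (1.1.1e), so both reasons are stale and the buster/stretch status should be re-evaluated now (either a DSA or an updated no-dsa reason). The jessie line "(Affected modules are not present in Jessie)" is unchanged and still reads correctly.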
[Git][security-tracker-team/security-tracker][master] Revert "data/CVE/list: Mark icu/jessie as not affected by CVE-2020-10531."
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1845fa4d by Salvatore Bonaccorso at 2020-03-18T22:27:17+01:00 Revert data/CVE/list: Mark icu/jessie as not affected by CVE-2020-10531. This reverts commit 6ee790eb8acec279a50c9c1cd88cb20a17ffabb4. The issue is present before but upstream commit 3d77fc18b8b1 (ICU-11317 split out a new doAppend() from the more general doReplace(), each optimizing for different cases)[1] did move code around. [1] https://github.com/unicode-org/icu/commit/3d77fc18b8b1f1fbeb584790ebab1e5259e70b94 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -323,7 +323,6 @@ CVE-2020-10532 (The AD Helper component in WatchGuard Fireware before 5.8.5.1031 CVE-2020-10531 (An issue was discovered in International Components for Unicode (ICU) ...) [experimental] - icu 66.1-2 - icu 63.2-3 (bug #953747) - [jessie] - icu (Vulnerable code not present) NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=1044570 (not public) NOTE: Upstream ICU bug: https://unicode-org.atlassian.net/browse/ICU-20958 (private) NOTE: Fixed by: https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1845fa4df32cb6fa5788f2ed22caa501af0a4c3f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1845fa4df32cb6fa5788f2ed22caa501af0a4c3f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
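Review bot: the revert drops the jessie line entirely rather than replacing it, so jessie now shows as affected with no annotation; that is the intended outcome, but the reasoning (the code was only moved by upstream commit 3d77fc18b8b1 / ICU-11317, the bug predates it) lives only in the commit message, so add it as a NOTE on the entry to stop the next triager from reinstating "Vulnerable code not present". It also tells whoever takes the jessie update that the fix b7d08bc0 will have to be backported across the doAppend()/doReplace() split.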
[Git][security-tracker-team/security-tracker][master] CVE-2018-20839: Add note on #929116
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 10ea365e by Salvatore Bonaccorso at 2020-03-18T21:41:28+01:00 CVE-2018-20839: Add note on #929116 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -47552,7 +47552,8 @@ CVE-2018-20839 (systemd 242 changes the VT1 mode upon a logout, which allows att NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1803993 NOTE: https://github.com/systemd/systemd/commit/9725f1a10f80f5e0ae7d9b60547458622aeb322f NOTE: https://github.com/systemd/systemd/pull/12378 - NOTE: The fix introduced a regression, cf. https://bugs.debian.org/929229 + NOTE: The fix for https://bugs.debian.org/929116 introduced a regression, cf. + NOTE: https://bugs.debian.org/929229 . NOTE: Issue was originally fixed for unstable in 241-4 but was reverted in 241-5 NOTE: https://gitlab.freedesktop.org/xorg/xserver/issues/857 NOTE: Upstream from systemd claimed originally it's not an issue in systemd, but View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/10ea365e20a97c2355a3f744a60ff60e559364eb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/10ea365e20a97c2355a3f744a60ff60e559364eb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
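Review bot: the wrapped NOTE ends with a stray space before the full stop ("NOTE: https://bugs.debian.org/929229 ."); either drop the period or end the sentence on the first NOTE line. Splitting one sentence across two NOTE lines is the file's convention and is fine, but since the next NOTE talks about 241-4 and 241-5 it would help to say which suite #929116 was filed against.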
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2147-1 for gdal
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 311330d0 by Utkarsh Gupta at 2020-03-19T02:02:53+05:30 Reserve DLA-2147-1 for gdal - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[19 Mar 2020] DLA-2147-1 gdal - security update + {CVE-2019-17546} + [jessie] - gdal 1.10.1+dfsg-8+deb8u2 [18 Mar 2020] DLA-2146-1 libvncserver - security update {CVE-2019-15690} [jessie] - libvncserver 0.9.9+dfsg2-6.1+deb8u7 = data/dla-needed.txt = @@ -24,8 +24,6 @@ ansible -- bluez (Emilio) -- -gdal (Utkarsh Gupta) --- glibc (Mike Gabriel) -- libmatio (Adrian Bunk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/311330d0bdc3a029fc265f00de5e30a33867a365 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/311330d0bdc3a029fc265f00de5e30a33867a365 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
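Review bot: the DLA/list entry is dated [19 Mar 2020] while the commit timestamp is 2020-03-19T02:02:53+05:30, i.e. still 18 Mar UTC; the date in DLA/list is the announcement date, so either send DLA-2147-1 on the 19th or adjust the line. Removing gdal from dla-needed.txt in the same commit is correct. This diff only touches DLA/list, so make sure the CVE-2019-17546 entry in data/CVE/list gets the {DLA-2147-1} cross-reference as well.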
[Git][security-tracker-team/security-tracker][master] Add icu to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4a10de6b by Salvatore Bonaccorso at 2020-03-18T21:27:43+01:00 Add icu to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -14,6 +14,9 @@ If needed, specify the release by adding a slash after the name of the source pa -- bluez (carnil) -- +icu + Maintainer poposed debdiffs for review +-- jruby/oldstable -- libopenmpt View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a10de6bcaf1c8b746805929155ac95d469c7603 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a10de6bcaf1c8b746805929155ac95d469c7603 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
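Review bot: typo in the added note, "Maintainer poposed debdiffs for review" should read "proposed". The entry also does not say which CVE the debdiffs address (CVE-2020-10531, bug #953747) or which suites they cover; the neighbouring "jruby/oldstable" line shows the "/release" suffix convention for restricting an entry to one suite, so use it if only one suite needs the DSA, and otherwise record both.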
[Git][security-tracker-team/security-tracker][master] Track some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: da1f3de8 by Salvatore Bonaccorso at 2020-03-18T21:14:32+01:00 Track some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14850,7 +14850,7 @@ CVE-2020-4201 CVE-2020-4200 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 10.5 ...) NOT-FOR-US: IBM CVE-2020-4199 (IBM Tivoli Netcool/OMNIbus 8.1.0 is vulnerable to cross-site request f ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4198 (IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to cross-site scrip ...) NOT-FOR-US: IBM CVE-2020-4197 (IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 allows web pages to be stored loc ...) @@ -26564,9 +26564,9 @@ CVE-2019-18584 CVE-2019-18583 REJECTED CVE-2019-18582 (Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions ...) - TODO: check + NOT-FOR-US: EMC CVE-2019-18581 (Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions ...) - TODO: check + NOT-FOR-US: EMC CVE-2019-18580 (Dell EMC Storage Monitoring and Reporting version 4.3.1 contains a Jav ...) NOT-FOR-US: EMC CVE-2019-18579 (Settings for the Dell XPS 13 2-in-1 (7390) BIOS versions prior to 1.1. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da1f3de832083de587f8b6e43ed499d24331ed88 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da1f3de832083de587f8b6e43ed499d24331ed88 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dccd72c7 by security tracker role at 2020-03-18T20:10:26+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,53 @@ +CVE-2020-10665 (Docker Desktop allows local privilege escalation to NT AUTHORITY\SYSTE ...) + TODO: check +CVE-2020-10664 + RESERVED +CVE-2020-10663 + RESERVED +CVE-2020-10662 + RESERVED +CVE-2020-10661 + RESERVED +CVE-2020-10660 + RESERVED +CVE-2019-20529 (In core/doctype/prepared_report/prepared_report.py in Frappe 11 and 12 ...) + TODO: check +CVE-2019-20528 (Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasour ...) + TODO: check +CVE-2019-20527 + RESERVED +CVE-2019-20526 + RESERVED +CVE-2019-20525 + RESERVED +CVE-2019-20524 + RESERVED +CVE-2019-20523 + RESERVED +CVE-2019-20522 + RESERVED +CVE-2019-20521 + RESERVED +CVE-2019-20520 + RESERVED +CVE-2019-20519 + RESERVED +CVE-2019-20518 + RESERVED +CVE-2019-20517 + RESERVED +CVE-2019-20516 + RESERVED +CVE-2019-20515 + RESERVED +CVE-2019-20514 + RESERVED +CVE-2019-20513 + RESERVED +CVE-2019-20512 (Open edX Ironwood.1 allows support/certificates?course_id= reflected X ...) + TODO: check +CVE-2019-20511 (ERPNext 11.1.47 allows blog?blog_category= Frame Injection. ...) + TODO: check CVE-2020-10659 (Entrust Entelligence Security Provider (ESP) before 10.0.60 on Windows ...) TODO: check CVE-2020-10658 
@@ -1175,11 +1225,11 @@ CVE-2020-10114 (cPanel before 84.0.20 allows stored self-XSS via the HTML file e NOT-FOR-US: cPanel CVE-2020-10113 (cPanel before 84.0.20 allows self XSS via a temporary character-set sp ...) NOT-FOR-US: cPanel -CVE-2020-10112 (Citrix Gateway 11.1, 12.0, and 12.1 allows Cache Poisoning. ...) +CVE-2020-10112 (** DISPUTED ** Citrix Gateway 11.1, 12.0, and 12.1 allows Cache Poison ...) NOT-FOR-US: Citrix -CVE-2020-10111 (Citrix Gateway 11.1, 12.0, and 12.1 has an Inconsistent Interpretation ...) +CVE-2020-10111 (** DISPUTED ** Citrix Gateway 11.1, 12.0, and 12.1 has an Inconsistent ...) NOT-FOR-US: Citrix -CVE-2020-10110 (Citrix Gateway 11.1, 12.0, and 12.1 allows Information Exposure Throug ...) +CVE-2020-10110 (** DISPUTED ** Citrix Gateway 11.1, 12.0, and 12.1 allows Information ...) NOT-FOR-US: Citrix CVE-2020-10109 (In Twisted Web through 19.10.0, there was an HTTP request splitting vu ...) {DLA-2145-1} @@ -2621,8 +2671,8 @@ CVE-2020-9445 RESERVED CVE-2020-9444 RESERVED -CVE-2020-9443 - RESERVED +CVE-2020-9443 (Zulip Desktop before 4.0.3 loaded untrusted content in an Electron web ...) + TODO: check CVE-2020-9442 (OpenVPN Connect 3.1.0.361 on Windows has Insecure Permissions for %PRO ...) NOT-FOR-US: OpenVPN Connect on Windows CVE-2020-9441 
@@ -2937,14 +2987,14 @@ CVE-2020-9327 (In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to tri NOTE: https://www.sqlite.org/cgi/src/info/4374860b29383380 NOTE: https://www.sqlite.org/cgi/src/info/9d0d4ab95dc0c56e NOTE: https://www.sqlite.org/cgi/src/info/abc473fb8fb99900 -CVE-2020-9326 - RESERVED -CVE-2020-9325 - RESERVED -CVE-2020-9324 - RESERVED -CVE-2020-9323 - RESERVED +CVE-2020-9326 (BeyondTrust Privilege Management for Windows and Mac (aka PMWM; former ...) + TODO: check +CVE-2020-9325 (Aquaforest TIFF Server 4.0 allows Unauthenticated Arbitrary File Downl ...) + TODO: check +CVE-2020-9324 (Aquaforest TIFF Server 4.0 allows Unauthenticated SMB Hash Capture via ...) + TODO: check +CVE-2020-9323 (Aquaforest TIFF Server 4.0 allows Unauthenticated File and Directory E ...) + TODO: check CVE-2020-9322 RESERVED CVE-2020-9321 (configurationwatcher.go in Traefik 2.x before 2.1.4 and TraefikEE 2.0. ...) @@ -8255,8 +8305,8 @@ CVE-2020-7004 RESERVED CVE-2020-7003 RESERVED -CVE-2020-7002 - RESERVED +CVE-2020-7002 (Delta Industrial Automation CNCSoft ScreenEditor, v1.00.96 and prior. ...) + TODO: check CVE-2020-7001 RESERVED CVE-2020-7000 @@ -8307,8 +8357,8 @@ CVE-2020-6978 RESERVED CVE-2020-6977 (A restricted desktop environment escape vulnerability exists in the Ki ...) NOT-FOR-US: GE -CVE-2020-6976 - RESERVED +CVE-2020-6976 (Delta Industrial Automation CNCSoft ScreenEditor, v1.00.96 and prior. ...) + TODO: check CVE-2020-6975 (Digi International ConnectPort LTS 32 MEI, Firmware Version 1.4.3 (820 ...) NOT-FOR-US: Digi International ConnectPort LTS 32 MEI CVE-2020-6974 @@ -14799,8 +14849,8 @@ CVE-2020-4201 RESERVED CVE-2020-4200 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server)
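Review bot: several of the new "TODO: check" items can be triaged straight to NOT-FOR-US from their descriptions alone: CVE-2020-10665 (Docker Desktop, NT AUTHORITY\SYSTEM), CVE-2020-9326 (BeyondTrust Privilege Management for Windows and Mac), CVE-2020-7002 and CVE-2020-6976 (Delta Industrial Automation CNCSoft ScreenEditor), plus the Frappe, Openfire, Open edX and ERPNext entries; leaving them as TODO only adds noise to the next triage pass. CVE-2020-9443 (Zulip Desktop, Electron webview) is the one that deserves an actual check. The "** DISPUTED **" updates on the Citrix descriptions need no action on the NOT-FOR-US lines.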
[Git][security-tracker-team/security-tracker][master] Update note for amd64-microcode
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 92f56be3 by Anton Gladky at 2020-03-18T18:02:47+01:00 Update note for amd64-microcode - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -17,6 +17,7 @@ amd64-microcode (Anton Gladky) NOTE: 20200307: maintainer contacted regarding Jessie-update NOTE: 20200311: ask for review/test NOTE: 20200312: updated package is in testing phase + NOTE: 20200318: Stretch should be updated first to escape higher versions in Jessie, #954023. -- ansible NOTE: 20200219: no upstream fixes yet View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92f56be376df557cdb9acccfe64c1c9eaa4221e2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92f56be376df557cdb9acccfe64c1c9eaa4221e2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
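Review bot: the new dated NOTE says stretch must be updated first so the jessie version does not exceed it (#954023), but neither the stretch target version nor the intended jessie version is recorded; add both so the ordering constraint can be verified when the jessie upload is prepared. The 20200312 NOTE ("updated package is in testing phase") is now superseded and should say that this is the package now blocked on stretch.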
[Git][security-tracker-team/security-tracker][master] new tika issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: bc0495fa by Moritz Muehlenhoff at 2020-03-18T17:41:18+01:00 new tika issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21202,10 +21202,18 @@ CVE-2020-1953 (Apache Commons Configuration uses a third-party library to parse NOTE: https://www.openwall.com/lists/oss-security/2020/03/13/1 CVE-2020-1952 RESERVED -CVE-2020-1951 +CVE-2020-1951 [Infinite Loop (DoS) vulnerability in Apache Tika's PSDParser] RESERVED -CVE-2020-1950 + - tika + [buster] - tika (Minor issue) + [stretch] - tika (Minor issue) + NOTE: https://www.openwall.com/lists/oss-security/2020/03/18/4 +CVE-2020-1950 [Excessive memory usage (DoS) vulnerability in Apache Tika's PSDParser] RESERVED + - tika + [buster] - tika (Minor issue) + [stretch] - tika (Minor issue) + NOTE: https://www.openwall.com/lists/oss-security/2020/03/18/3 CVE-2020-1949 RESERVED CVE-2020-1948 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc0495fa97303da265f397e407e3625f7e3294a8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc0495fa97303da265f397e407e3625f7e3294a8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
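Review bot: both entries keep RESERVED directly under the bracketed title and list "- tika" with no fixed version, leaving unstable as unfixed while only buster and stretch get "Minor issue"; add the fixed upstream Tika release from the oss-security advisories to the NOTE and, if an upload is planned, the Debian fixed version. Since both are PSDParser DoS issues from the same advisory pair, one NOTE saying so would avoid re-triaging them separately.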
[Git][security-tracker-team/security-tracker][master] Revert "CVE-2019-15690/libvncserver: reference embedded copies in...
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: bca2ca02 by Moritz Muehlenhoff at 2020-03-18T16:23:12+01:00 Revert CVE-2019-15690/libvncserver: reference embedded copies in italc/ssvnc/tightvnc/veyon/vncsnapshot This reverts commit 77a25a7a8a60d1005185d4a5ba2c2f57c3618830. CVEs from embedded-code-copies must not simply be copied over (otherwise this would be automated), but after validating whether each package embedding is actually affected in terms of build and usage patterns. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -35466,11 +35466,6 @@ CVE-2019-15690 RESERVED {DLA-2146-1} - libvncserver (bug #954163) - - italc - - ssvnc - - tightvnc - - veyon 4.3.1+repack1-1 - - vncsnapshot NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2 NOTE: https://github.com/LibVNC/libvncserver/issues/381 NOTE: https://github.com/LibVNC/libvncserver/commit/54220248886b5001fbbb9fa73c4e1a2cb9413fed View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bca2ca0234fbd9f068723d80948522792c869b59 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bca2ca0234fbd9f068723d80948522792c869b59 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
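Review bot: only data/CVE/list is reverted ("1 changed file"); the data/embedded-code-copies additions from 105dfeb7 stay in place, which is the right split: the embedding record is kept, per-package affectedness is not assumed. The removed lines included "veyon 4.3.1+repack1-1", a version that implies someone had already determined veyon to be fixed; that finding should be preserved in a NOTE rather than lost, and each of italc, ssvnc, tightvnc and vncsnapshot should be re-added individually once its copy has been checked.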
[Git][security-tracker-team/security-tracker][master] Re-evaluate state for CVE-2019-13456/freeradius
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 96e6f728 by Salvatore Bonaccorso at 2020-03-18T15:07:00+01:00 Re-evaluate state for CVE-2019-13456/freeradius I cannot say for sure where we first got the respective commits related to CVE-2019-11234 and CVE-2019-11235, but both the description[1] and the relevant reference to the Red Hat bugzilla[2] show that this is related to the commit[3]. [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13456 [2] https://bugzilla.redhat.com/show_bug.cgi?id=1737663 [3] https://github.com/FreeRADIUS/freeradius-server/commit/3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa In contact with MITRE regarding CVE-2019-13456 and CVE-2019-20510 to find out whether they are intentionally considered different CVEs. Thanks: Thorsten Alteholz for pointing out this inconsistency. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -43878,14 +43878,11 @@ CVE-2019-13457 (An issue was discovered in Open Ticket Request System (OTRS) 7.0 - otrs2 (Only affects 7.x series) NOTE: https://otrs.com/release-notes/otrs-security-advisory-2019-11/ CVE-2019-13456 (In FreeRADIUS 3.0 through 3.0.19, on average 1 in every 2048 EAP-pwd h ...) - - freeradius 3.0.17+dfsg-1.1 - [stretch] - freeradius (Minor issue; plugin not enabled by default) - [jessie] - freeradius (Vulnerable code added later) + - freeradius 3.0.20+dfsg-1 + [jessie] - freeradius (Vulnerable code introduced later in version 3.0.0) + NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa (release_3_0_20) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1737663 NOTE: https://wpa3.mathyvanhoef.com/#new - NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/a99746c93b8b3ae3be367af0e46f0d6a9626f566 (master) - NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/85497b5ff37ccb656895b826b88585898c209586 (3.0.x) - NOTE: Issue seems to be treated as different issue than CVE-2019-11234 and CVE-2019-11235 CVE-2019-13455 (In Xymon through 4.3.28, a stack-based buffer overflow vulnerability e ...) {DLA-1898-1} - xymon 4.3.29-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96e6f728c485284b319e7b48e270227b61110940 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96e6f728c485284b319e7b48e270227b61110940 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
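Review bot: the hunk replaces the fixed version 3.0.17+dfsg-1.1 with 3.0.20+dfsg-1 and drops the stretch line "(Minor issue; plugin not enabled by default)" with no replacement, so any suite whose freeradius lies between those two versions flips from fixed to unfixed, and stretch loses its annotation entirely. If the point is that the real fix is 3ea2a5a0 (release_3_0_20) and the removed commits a99746c9/85497b5f belong to CVE-2019-11234/11235, say so in a NOTE and restore an explicit stretch (and buster) status; the "plugin not enabled by default" rationale presumably still holds. The removed "Issue seems to be treated as different issue than CVE-2019-11234 and CVE-2019-11235" line was the only record of the MITRE ambiguity, so keep a NOTE that MITRE has been asked about CVE-2019-13456 vs CVE-2019-20510.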
[Git][security-tracker-team/security-tracker][master] 2 commits: libvncserver: reference embedded copies
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 105dfeb7 by Sylvain Beucler at 2020-03-18T14:56:41+01:00 libvncserver: reference embedded copies Builds on initial research at https://lists.debian.org/debian-lts/2019/10/msg00094.html - - - - - 77a25a7a by Sylvain Beucler at 2020-03-18T15:00:30+01:00 CVE-2019-15690/libvncserver: reference embedded copies in italc/ssvnc/tightvnc/veyon/vncsnapshot - - - - - 2 changed files: - data/CVE/list - data/embedded-code-copies Changes: = data/CVE/list = @@ -35466,6 +35466,11 @@ CVE-2019-15690 RESERVED {DLA-2146-1} - libvncserver (bug #954163) + - italc + - ssvnc + - tightvnc + - veyon 4.3.1+repack1-1 + - vncsnapshot NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2 NOTE: https://github.com/LibVNC/libvncserver/issues/381 NOTE: https://github.com/LibVNC/libvncserver/commit/54220248886b5001fbbb9fa73c4e1a2cb9413fed = data/embedded-code-copies = @@ -544,8 +544,18 @@ libmodplug - gst-plugins-bad0.10 0.10.10.2-1 (embed) libvncserver - - vino (embed) - - krfb (embed) + - krfb 4:14.12.2-1 (embed) [libvncserver/rfbserver.c] + - italc (embed) [ica/x11/libvnc*] + - ssvnc (modified-embed) [vnc_unixsrc/*] + NOTE: client code only + - tigervnc (fork) + - tightvnc (fork) + - vncsnapshot (embed) + NOTE: client code only, small files subset + - veyon (embed) [3rdparty/libvncserver/libvncclient/*] + NOTE: uses system-wide libvncserver, but still bundles libvncclient + - vino (embed) [server/libvncserver/*] + NOTE: server code only putty - filezilla (embed) 
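Review bot: the new CVE-2019-15690 package lines are inconsistent with the embedded-code-copies data added in the same push: tightvnc is recorded there as "(fork)" and gets an entry under the CVE, while tigervnc is recorded as "(fork)" too and gets none; either both forks need a check with a NOTE giving the outcome, or neither should be listed on the fork relationship alone. In the same data ssvnc and vncsnapshot are annotated "client code only" and veyon "uses system-wide libvncserver, but still bundles libvncclient", so the CVE lines for those three should state that the affected code is in libvncclient, otherwise a reader of data/CVE/list cannot tell why they are affected. Also, veyon is the only one given a fixed version (4.3.1+repack1-1); if italc, ssvnc, tightvnc and vncsnapshot are unfixed, a bug number per package, as already done for libvncserver (bug #954163), would make the state trackable.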
@@ -704,7 +714,7 @@ lzo2 - remmina (embed) - blender (embed) - x11vnc (embed) - - italc (embed) + - italc (embed) - dump (embed) - krfb (embed) - nfdump (embed) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5d73be68c1b8a1cece5e9541cc6725901587dfba...77a25a7a8a60d1005185d4a5ba2c2f57c3618830 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5d73be68c1b8a1cece5e9541cc6725901587dfba...77a25a7a8a60d1005185d4a5ba2c2f57c3618830 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
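Review bot: in the lzo2 hunk the removed line "- italc (embed)" and the added line "+ - italc (embed)" have identical visible text, so this is a whitespace-only change (trailing whitespace or a tab) unrelated to the libvncserver work described in the commit message; mention it there or split it into its own commit, so that blame on the lzo2 entry does not point at a libvncserver change.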
[Git][security-tracker-team/security-tracker][master] 2 commits: security_db: don't return duplicated advisories
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5e29d4fb by Emilio Pozuelo Monfort at 2020-03-18T12:26:45+01:00 security_db: dont return duplicated advisories This is used to build the advisory table in package views, and it makes no sense to list some advisories (e.g. DSAs that fixed both stable and oldstable) twice. - - - - - 5d73be68 by Salvatore Bonaccorso at 2020-03-18T12:09:08+00:00 Merge branch duplicate-advisories into master security_db: dont return duplicated advisories See merge request security-tracker-team/security-tracker!53 - - - - - 1 changed file: - lib/python/security_db.py Changes: = lib/python/security_db.py = @@ -1872,7 +1872,7 @@ class DB: def getDSAsForSourcePackage(self, cursor, package): bugs_like = self.genDBAdvisoryString("bugs.name", dtsa=False) for row in cursor.execute( -"""SELECT bugs.name, bugs.description +"""SELECT DISTINCT bugs.name, bugs.description FROM bugs, package_notes as p WHERE p.bug_name = bugs.name AND ( """ + bugs_like + """ ) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8f3cc5f7e2d3ed54f5c441143f54bdc0263719df...5d73be68c1b8a1cece5e9541cc6725901587dfba -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8f3cc5f7e2d3ed54f5c441143f54bdc0263719df...5d73be68c1b8a1cece5e9541cc6725901587dfba You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
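Review bot: SELECT DISTINCT in getDSAsForSourcePackage removes the duplicates but treats the symptom; they come from the join "FROM bugs, package_notes as p WHERE p.bug_name = bugs.name", which returns one row per package_notes row for the same advisory, so a DSA that fixed stable and oldstable appears once per note. Rewriting the lookup as an EXISTS subquery on package_notes (e.g. "WHERE EXISTS (SELECT 1 FROM package_notes AS p WHERE p.bug_name = bugs.name AND ...)") avoids both the join and the DISTINCT; if DISTINCT is kept, make sure the rest of the statement has an ORDER BY, since DISTINCT gives SQLite leave to return rows in a different order and the package view's advisory table should be stable. Minor: the commit subject has "dont" for "don't".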
[Git][security-tracker-team/security-tracker][master] 2 commits: mark CVE-2019-20510 as not-affected for Jessie
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 8db2b9e7 by Thorsten Alteholz at 2020-03-18T13:07:07+01:00 mark CVE-2019-20510 as not-affected for Jessie - - - - - 8f3cc5f7 by Thorsten Alteholz at 2020-03-18T13:07:40+01:00 nothing to do - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -20,6 +20,7 @@ CVE-2020-10650 RESERVED CVE-2019-20510 (rlm_eap/types/rlm_eap_pwd/eap_pwd.c in the EAP-pwd implementation in F ...) - freeradius 3.0.20+dfsg-1 + [jessie] - freeradius (Vulnerable code introduced later in version 3.0.0) NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa (release_3_0_20) CVE-2020-10649 RESERVED = data/dla-needed.txt = @@ -27,8 +27,6 @@ gdal (Utkarsh Gupta) -- glibc (Mike Gabriel) -- -freeradius (Thorsten Alteholz) --- libmatio (Adrian Bunk) NOTE: fairly high number of open issues. Not sure why we never had a look at them. NOTE: triage work needed, help security team for fixes if needed. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/bc8c7e271d522d62d15c6c767445f8f8858f8aa4...8f3cc5f7e2d3ed54f5c441143f54bdc0263719df -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/bc8c7e271d522d62d15c6c767445f8f8858f8aa4...8f3cc5f7e2d3ed54f5c441143f54bdc0263719df You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
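Review bot: the new jessie line "Vulnerable code introduced later in version 3.0.0" reads as "later than 3.0.0"; if the EAP-pwd code first appeared in 3.0.0, write "Vulnerable code introduced in 3.0.0". The same reasoning applies to CVE-2019-13456, whose entry references the same fixing commit 3ea2a5a0 (release_3_0_20); mirror the jessie annotation there so the two entries do not disagree. Removing freeradius from dla-needed.txt is consistent with that, but the second commit's message "nothing to do" gives no reason; a one-line "jessie not affected by CVE-2019-20510" would let the next reader see why the entry left the list.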
[Git][security-tracker-team/security-tracker][master] 3 commits: mark CVE-2020-6581 as not-affected for Jessie
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 84c7e4f0 by Thorsten Alteholz at 2020-03-18T12:17:39+01:00 mark CVE-2020-6581 as not-affected for Jessie - - - - - f368b0ff by Thorsten Alteholz at 2020-03-18T12:18:14+01:00 mark CVE-2020-6582 as no-dsa for Jessie - - - - - bc8c7e27 by Thorsten Alteholz at 2020-03-18T12:18:55+01:00 add freeradius - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -9273,6 +9273,7 @@ CVE-2020-6582 (Nagios NRPE 3.2.1 has a Heap-Based Buffer Overflow, as demonstrat - nagios-nrpe 4.0.0-1 [buster] - nagios-nrpe (Minor issue) [stretch] - nagios-nrpe (Minor issue) + [jessie] - nagios-nrpe (Minor issue) NOTE: https://herolab.usd.de/security-advisories/usd-2020-0001/ NOTE: https://github.com/NagiosEnterprises/nrpe/commit/b84f9b8c9d290dd02e139df8dad1c3eb690c1213 NOTE: https://github.com/NagiosEnterprises/nrpe/commit/8e3bea4e1b1937e395a182729762aa8894e8649e @@ -9281,6 +9282,7 @@ CVE-2020-6581 (Nagios NRPE 3.2.1 has Insufficient Filtering because, for example - nagios-nrpe 4.0.0-1 [buster] - nagios-nrpe (Minor issue) [stretch] - nagios-nrpe (Minor issue) + [jessie] - nagios-nrpe (Vulnerable code introduced later) NOTE: https://herolab.usd.de/security-advisories/usd-2020-0002/ NOTE: https://github.com/NagiosEnterprises/nrpe/commit/0db345444d0dcb3e37cca1bcbb0027dcbb764197 (part for proper processing of nasty_metachars) CVE-2020-6580 = data/dla-needed.txt = 
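Review bot: the jessie annotation for CVE-2020-6581, "Vulnerable code introduced later", names neither the upstream version nor the commit that introduced the nasty_metachars filtering, unlike the freeradius entries in this batch, which state 3.0.0; add the version or commit so the not-affected claim can be re-checked, especially as the referenced fix 0db34544 is itself annotated as only "part" of the proper processing. For CVE-2020-6582 the new jessie line repeats "Minor issue" from buster and stretch, but the CVE text calls it a heap-based buffer overflow, so a NOTE giving the reason for the minor rating would make the no-dsa decision self-explanatory.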
@@ -27,6 +27,8 @@ gdal (Utkarsh Gupta) -- glibc (Mike Gabriel) -- +freeradius (Thorsten Alteholz) +-- libmatio (Adrian Bunk) NOTE: fairly high number of open issues. Not sure why we never had a look at them. NOTE: triage work needed, help security team for fixes if needed. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1c8d1447202a179cfae76585a2e47a66936b8454...bc8c7e271d522d62d15c6c767445f8f8858f8aa4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1c8d1447202a179cfae76585a2e47a66936b8454...bc8c7e271d522d62d15c6c767445f8f8858f8aa4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
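Review bot: the new dla-needed.txt entry for freeradius carries no NOTE saying which CVE prompted it, whereas the neighbouring libmatio entry records its triage context; add a NOTE naming the issue (CVE-2019-20510 from the same day's triage, or whichever is meant) so whoever picks it up knows the scope, and so the entry can be dropped again with a stated reason if jessie turns out not to be affected.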
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-20510/freeradius
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1c8d1447 by Salvatore Bonaccorso at 2020-03-18T10:32:10+01:00 Add CVE-2019-20510/freeradius - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19,7 +19,8 @@ CVE-2020-10651 CVE-2020-10650 RESERVED CVE-2019-20510 (rlm_eap/types/rlm_eap_pwd/eap_pwd.c in the EAP-pwd implementation in F ...) - TODO: check + - freeradius 3.0.20+dfsg-1 + NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa (release_3_0_20) CVE-2020-10649 RESERVED CVE-2020-10648 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c8d1447202a179cfae76585a2e47a66936b8454 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c8d1447202a179cfae76585a2e47a66936b8454 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
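Review bot: the entry gets the unstable fixed version 3.0.20+dfsg-1 and the release_3_0_20 commit, but no [buster], [stretch] or [jessie] annotation, so all three suites will be displayed as affected with no severity or no-dsa decision; record the per-suite decisions in the same commit. Since the referenced commit 3ea2a5a0 is the one already tied to CVE-2019-13456 (also an EAP-pwd issue), add "NOTE: same fix as CVE-2019-13456" so the overlap is visible in data/CVE/list rather than only in later commit messages.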
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8fb0f15e by Salvatore Bonaccorso at 2020-03-18T09:58:41+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4597,11 +4597,11 @@ CVE-2020-8602 CVE-2020-8601 (Trend Micro Vulnerability Protection 2.0 is affected by a vulnerabilit ...) NOT-FOR-US: Trend Micro CVE-2020-8600 (Trend Micro Worry-Free Business Security (9.0, 9.5, 10.0) is affected ...) - TODO: check + NOT-FOR-US: Trend Micro CVE-2020-8599 (Trend Micro Apex One (2019) and OfficeScan XG server contain a vulnera ...) - TODO: check + NOT-FOR-US: Trend Micro CVE-2020-8598 (Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Sec ...) - TODO: check + NOT-FOR-US: Trend Micro CVE-2020-8597 (eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overf ...) {DSA-4632-1 DLA-2097-1} - lwip 2.1.2+dfsg1-5 (bug #951291) 
@@ -4892,13 +4892,13 @@ CVE-2020-8472 CVE-2020-8471 RESERVED CVE-2020-8470 (Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Sec ...) - TODO: check + NOT-FOR-US: Trend Micro CVE-2020-8469 (Trend Micro Password Manager for Windows version 5.0 is affected by a ...) NOT-FOR-US: Trend Micro CVE-2020-8468 (Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Sec ...) - TODO: check + NOT-FOR-US: Trend Micro CVE-2020-8467 (A migration tool component of Trend Micro Apex One (2019) and OfficeSc ...) - TODO: check + NOT-FOR-US: Trend Micro CVE-2020-8466 RESERVED CVE-2020-8465 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8fb0f15e113e26346ae7d30a8822cbcf24ed90dd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8fb0f15e113e26346ae7d30a8822cbcf24ed90dd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2019-9460 (withdrawn by CNA)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 61de8c51 by Salvatore Bonaccorso at 2020-03-18T09:56:00+01:00 Remove notes from CVE-2019-9460 (withdrawn by CNA) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -56199,7 +56199,6 @@ CVE-2019-9461 (In the Android kernel in VPN routing there is a possible informat NOT-FOR-US: Android CVE-2019-9460 REJECTED - NOT-FOR-US: Android Media Server CVE-2019-9459 (In libttspico, there is a possible OOB write due to a heap buffer over ...) NOT-FOR-US: Android CVE-2019-9458 (In the Android kernel in the video driver there is a use after free du ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61de8c517c86e835672e8b71b90dd61e99b780fe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61de8c517c86e835672e8b71b90dd61e99b780fe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 084c98b9 by security tracker role at 2020-03-18T08:10:18+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,25 @@ +CVE-2020-10659 (Entrust Entelligence Security Provider (ESP) before 10.0.60 on Windows ...) + TODO: check +CVE-2020-10658 + RESERVED +CVE-2020-10657 + RESERVED +CVE-2020-10656 + RESERVED +CVE-2020-10655 + RESERVED +CVE-2020-10654 + RESERVED +CVE-2020-10653 + RESERVED +CVE-2020-10652 + RESERVED +CVE-2020-10651 + RESERVED +CVE-2020-10650 + RESERVED +CVE-2019-20510 (rlm_eap/types/rlm_eap_pwd/eap_pwd.c in the EAP-pwd implementation in F ...) + TODO: check CVE-2020-10649 RESERVED CVE-2020-10648 @@ -4574,12 +4596,12 @@ CVE-2020-8602 RESERVED CVE-2020-8601 (Trend Micro Vulnerability Protection 2.0 is affected by a vulnerabilit ...) NOT-FOR-US: Trend Micro -CVE-2020-8600 - RESERVED -CVE-2020-8599 - RESERVED -CVE-2020-8598 - RESERVED +CVE-2020-8600 (Trend Micro Worry-Free Business Security (9.0, 9.5, 10.0) is affected ...) + TODO: check +CVE-2020-8599 (Trend Micro Apex One (2019) and OfficeScan XG server contain a vulnera ...) + TODO: check +CVE-2020-8598 (Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Sec ...) + TODO: check CVE-2020-8597 (eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overf ...) {DSA-4632-1 DLA-2097-1} - lwip 2.1.2+dfsg1-5 (bug #951291) 
@@ -4869,14 +4891,14 @@ CVE-2020-8472 RESERVED CVE-2020-8471 RESERVED -CVE-2020-8470 - RESERVED +CVE-2020-8470 (Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Sec ...) + TODO: check CVE-2020-8469 (Trend Micro Password Manager for Windows version 5.0 is affected by a ...) NOT-FOR-US: Trend Micro -CVE-2020-8468 - RESERVED -CVE-2020-8467 - RESERVED +CVE-2020-8468 (Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Sec ...) + TODO: check +CVE-2020-8467 (A migration tool component of Trend Micro Apex One (2019) and OfficeSc ...) + TODO: check CVE-2020-8466 RESERVED CVE-2020-8465 @@ -15988,8 +16010,8 @@ CVE-2020-3924 (DVR firmware in TAT-76 and TAT-77 series of products, provided by NOT-FOR-US: DVR firmware in TAT-76 and TAT-77 series CVE-2020-3923 (DVR firmware in TAT-76 and TAT-77 series of products, provided by TONN ...) NOT-FOR-US: DVR firmware in TAT-76 and TAT-77 series -CVE-2020-3922 - RESERVED +CVE-2020-3922 (LisoMail, by ArmorX, allows SQL Injections, attackers can access the d ...) + TODO: check CVE-2020-3921 RESERVED CVE-2020-3920 @@ -47968,8 +47990,8 @@ CVE-2019-11941 (A remote code execution vulnerability was identified in HPE Inte NOT-FOR-US: HPE CVE-2019-11940 (In the course of decompressing HPACK inside the HTTP2 protocol, an une ...) NOT-FOR-US: Facebook Proxygen -CVE-2019-11939 - RESERVED +CVE-2019-11939 (Golang Facebook Thrift servers would not error upon receiving messages ...) + TODO: check CVE-2019-11938 (Java Facebook Thrift servers would not error upon receiving messages d ...) TODO: check CVE-2019-11937 (In Mcrouter prior to v0.41.0, a large struct input provided to the Car ...) 
@@ -56175,7 +56197,8 @@ CVE-2019-9462 (In Bluetooth, there is a possible out of bounds read due to an in NOT-FOR-US: Android CVE-2019-9461 (In the Android kernel in VPN routing there is a possible information d ...) NOT-FOR-US: Android -CVE-2019-9460 (In mediaserver, there is a possible out of bounds write due to a missi ...) +CVE-2019-9460 + REJECTED NOT-FOR-US: Android Media Server CVE-2019-9459 (In libttspico, there is a possible OOB write due to a heap buffer over ...) NOT-FOR-US: Android View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/084c98b98994283f60a55b8c75bb1b6b3ca6231c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/084c98b98994283f60a55b8c75bb1b6b3ca6231c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits