[Git][security-tracker-team/security-tracker][master] new mediawiki issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 697f55e9 by Moritz Muehlenhoff at 2020-03-26T23:34:36+01:00 new mediawiki issues - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -14,10 +14,17 @@ CVE-2020-10962 RESERVED CVE-2020-10961 RESERVED -CVE-2020-10960 +CVE-2020-10960 [mediawiki: makeCollapsible allows applying event handler to any CSS selector] RESERVED -CVE-2020-10959 + - mediawiki + [stretch] - mediawiki (Vulnerable code introduced later) + NOTE: https://phabricator.wikimedia.org/T246602 + NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2020-March/093243.html +CVE-2020-10959 [mediawiki: User content can redirect the logout button to different URL] RESERVED + - mediawiki (Vulnerable code introduced later) + NOTE: https://phabricator.wikimedia.org/T232932 + NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2020-March/093243.html CVE-2020-10958 RESERVED CVE-2020-10957 = data/dsa-needed.txt = @@ -19,6 +19,8 @@ libopenmpt linux (carnil) Wait until more issues have piled up -- +mediawiki (jmm) +-- mercurial/oldstable -- netkit-telnet View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/697f55e97774097ad9f2869c54e69958a81fed51 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
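Review bot: the CVE-2020-10959 line `- mediawiki (Vulnerable code introduced later)` carries a not-affected style reason on the unstable entry but shows no status word in front of the parenthesis, while the CVE-2020-10960 entry in the same hunk puts that reason on a separate `[stretch]` line under a bare `- mediawiki`. A parenthesised reason on the sid line only makes sense together with a not-affected status, so the line should read `- mediawiki <not-affected> (Vulnerable code introduced later)`; please confirm that is what landed and that the mail rendering merely dropped the angle-bracketed tag, since the same gap shows on the `[stretch]` line of CVE-2020-10960.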
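Review bot: the new `mediawiki (jmm)` entry in dsa-needed names no suite, and this same commit has just marked stretch as not affected by CVE-2020-10960 (and, depending on the status of its sid line, possibly CVE-2020-10959 altogether); the file's convention for narrowing a DSA to one suite is the slash suffix used by the neighbouring `mercurial/oldstable` entry, so `mediawiki/stable` if only buster needs the update, or a NOTE listing the CVEs the DSA is meant to cover, would save the next reader a lookup.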
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for bluez update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c72b7516 by Salvatore Bonaccorso at 2020-03-26T23:31:43+01:00 Reserve DSA number for bluez update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[26 Mar 2020] DSA-4647-1 bluez - security update + {CVE-2020-0556} + [stretch] - bluez 5.43-2+deb9u2 + [buster] - bluez 5.50-1.2~deb10u1 [25 Mar 2020] DSA-4646-1 icu - security update {CVE-2020-10531} [stretch] - icu 57.1-6+deb9u4 = data/dsa-needed.txt = @@ -11,8 +11,6 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. --- -bluez (carnil) -- jruby/oldstable -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c72b7516ca3459c3a3c86d5a144c45414cbf4b02
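Review bot: the two fixed versions in the DSA-4647-1 entry follow different schemes, stretch `5.43-2+deb9u2` (a stable revision of the package already in the suite) and buster `5.50-1.2~deb10u1` (a tilde version that sorts below the `5.50-1.2` it is derived from); the tilde form is only right if buster's bluez is being replaced by a rebuild of the 5.50-1.2 upload rather than patched in place, and because `5.50-1.2~deb10u1` is superseded by `5.50-1.2` on upgrade to the next release, the sid line of the CVE-2020-0556 entry (not shown in this diff) must record a fixed version no higher than 5.50-1.2, otherwise upgrading buster users regress. Worth a cross-check before the advisory text goes out.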
[Git][security-tracker-team/security-tracker][master] new rust-bumpalo issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 560699bf by Moritz Muehlenhoff at 2020-03-26T23:13:34+01:00 new rust-bumpalo issue NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,9 +1,13 @@ +CVE-2020- [RUSTSEC-2020-0006: bumpalo: Flaw in `realloc` allows reading unknown memory] + - rust-bumpalo + NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0006.html + NOTE: https://github.com/fitzgen/bumpalo/issues/69 CVE-2020-10966 (In the Password Reset Module in VESTA Control Panel through 0.9.8-25 a ...) NOT-FOR-US: VESTA Control Panel CVE-2020-10965 (Teradici PCoIP Management Console 20.01.0 and 19.11.1 is vulnerable to ...) NOT-FOR-US: Teradici PCoIP Management Console CVE-2020-10964 (Serendipity before 2.3.4 on Windows allows remote attackers to execute ...) - TODO: check + - serendipity CVE-2020-10963 (FrozenNode Laravel-Administrator through 5.0.12 allows unrestricted fi ...) NOT-FOR-US: FrozenNode Laravel-Administrator CVE-2020-10962 @@ -12463,13 +12467,13 @@ CVE-2020-5562 CVE-2020-5561 (Keijiban Tsumiki v1.15 allows remote attackers to execute arbitrary OS ...) NOT-FOR-US: Keijiban Tsumiki CVE-2020-5560 (WL-Enq 1.11 and 1.12 allows remote attackers to execute arbitrary OS c ...) - TODO: check + NOT-FOR-US: WL-Enq CVE-2020-5559 (Cross-site scripting vulnerability in WL-Enq 1.11 and 1.12 allows remo ...) - TODO: check + NOT-FOR-US: WL-Enq CVE-2020-5558 (CuteNews 2.0.1 allows remote authenticated attackers to execute arbitr ...) - TODO: check + NOT-FOR-US: CuteNews CVE-2020-5557 (Cross-site scripting vulnerability in CuteNews 2.0.1 allows remote att ...) - TODO: check + NOT-FOR-US: CuteNews CVE-2020-5556 (Shihonkanri Plus GOOUT Ver1.5.8 and Ver2.2.10 allows remote attackers ...) NOT-FOR-US: Shihonkanri Plus GOOUT CVE-2020- (Shihonkanri Plus GOOUT Ver1.5.8 and Ver2.2.10 allows remote attackers ...) 
@@ -13122,7 +13126,7 @@ CVE-2020-5284 CVE-2020-5283 RESERVED CVE-2020-5282 (In Nick Chan Bot before version 1.0.0-beta there is a vulnerability in ...) - TODO: check + NOT-FOR-US: Nick Chan Bot CVE-2020-5281 (In Perun before version 3.9.1, VO or group manager can modify configur ...) TODO: check CVE-2020-5280 (http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file i ...) 
@@ -17452,63 +17456,63 @@ CVE-2020-3796 CVE-2020-3795 (Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-3794 (ColdFusion versions ColdFusion 2016, and ColdFusion 2018 have a file i ...) - TODO: check + NOT-FOR-US: Adobe CVE-2020-3793 (Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2020-3792 (Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2020-3791 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2020-3790 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2020-3789 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2020-3788 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2020-3787 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2020-3786 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2020-3785 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2020-3784 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2020-3783 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2020-3782 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2020-3781 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2020-3780 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) 
- TODO: check + NOT-FOR-US: Adobe CVE-2020-3779 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2020-3778 (Adobe Photoshop versions
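Review bot: in the first hunk the CVE-2020-10964 description quoted in the file says "Serendipity before 2.3.4 on Windows", yet `TODO: check` is replaced by a bare `- serendipity` with no status, severity or fixed version, which opens the issue against Debian's package as if Linux builds were affected; if the Windows qualifier holds, a not-affected status or an `(unimportant)` tag with a one-line reason would record the check that was done, and if it does not hold the entry needs the 2.3.4 fix reference as a NOTE. The new `CVE-2020-` placeholder above it keeps RUSTSEC-2020-0006 in the bracketed title, which is what lets the entry be matched once an ID is assigned, so that part looks right.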
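Review bot: the last hunk is cut off after `CVE-2020-3778 (Adobe Photoshop versions`, so the remainder of the Adobe batch cannot be reviewed from this mail; the visible lines all replace `TODO: check` with `NOT-FOR-US: Adobe`, including CVE-2020-3794 for ColdFusion, which is a different product from the Acrobat and Photoshop entries around it but still Adobe-only, so the tag is correct for what can be seen.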
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-14981/imagemagick
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4ce873cf by Salvatore Bonaccorso at 2020-03-26T22:56:26+01:00 Add Debian bug reference for CVE-2019-14981/imagemagick - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -38800,7 +38800,7 @@ CVE-2019-14982 (In Exiv2 before v0.27.2, there is an integer overflow vulnerabil NOTE: https://github.com/Exiv2/exiv2/pull/962/commits/e925bc5addd881543fa503470c8a859e112cca62 CVE-2019-14981 (In ImageMagick 7.x before 7.0.8-41 and 6.x before 6.9.10-41, there is ...) {DLA-1968-1} - - imagemagick + - imagemagick (bug #955025) [buster] - imagemagick (Minor issue) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1552 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ce873cfe13b2db96c7123e06ffa51444e3710e3
[Git][security-tracker-team/security-tracker][master] 2 commits: Remove notes from CVE-2019-19347 which was withdrawn by its CNA
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5f5cfb18 by Salvatore Bonaccorso at 2020-03-26T22:24:13+01:00 Remove notes from CVE-2019-19347 which was withdrawn by its CNA - - - - - 145fd94f by Salvatore Bonaccorso at 2020-03-26T22:24:13+01:00 Remove notes from CVE-2016-3181 This was found to be a duplicate of CVE-2016-3182. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23294,7 +23294,6 @@ CVE-2019-19348 NOT-FOR-US: openshift CVE-2019-19347 REJECTED - NOT-FOR-US: openshift CVE-2019-19346 RESERVED NOT-FOR-US: openshift @@ -209046,10 +209045,6 @@ CVE-2016-3182 (The color_esycc_to_rgb function in bin/common/color.c in OpenJPEG NOTE: https://github.com/uclouvain/openjpeg/issues/725 CVE-2016-3181 REJECTED - - openjpeg2 2.1.1-1 - [jessie] - openjpeg2 (Vulnerable code not yet present in 2.1.0) - NOTE: http://www.openwall.com/lists/oss-security/2016/03/14/12 - NOTE: https://github.com/uclouvain/openjpeg/issues/724 CVE-2016-3140 (The digi_port_init function in drivers/usb/serial/digi_acceleport.c in ...) {DSA-3607-1 DLA-516-1} - linux 4.5.1-1 (low) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/08bdb4db5260ceb2f4f66935e2c18981862d3f5b...145fd94f19827889ef5dd7dc7deef2e2dceb98a7
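Review bot: the second hunk drops the jessie reasoning `(Vulnerable code not yet present in 2.1.0)`, the oss-security thread and the link to openjpeg issue 724 together with the rejected ID, but the surviving CVE-2016-3182 entry visible in the hunk context references only issue 725; if CVE-2016-3181 was a duplicate of CVE-2016-3182, the issue 724 link and the jessie not-affected note belong on CVE-2016-3182 and should be carried over before being deleted here, otherwise the rationale for why jessie was left alone disappears from the tracker.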
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2160-1 for php5
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 08bdb4db by Thorsten Alteholz at 2020-03-26T22:18:30+01:00 Reserve DLA-2160-1 for php5 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[26 Mar 2020] DLA-2160-1 php5 - security update + {CVE-2020-7062 CVE-2020-7063} + [jessie] - php5 5.6.40+dfsg-0+deb8u10 [25 Mar 2020] DLA-2159-1 okular - security update {CVE-2020-9359} [jessie] - okular 4:4.14.2-2+deb8u2 = data/dla-needed.txt = @@ -62,8 +62,6 @@ nss (Thorsten Alteholz) opendmarc (Thorsten Alteholz) NOTE: 20200322: still testing package, original patch does not seem to be enough, still ongoing -- -php5 (Thorsten Alteholz) --- php-horde-form (Roberto C. Sánchez) -- php-horde-trean (Roberto C. Sánchez) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/08bdb4db5260ceb2f4f66935e2c18981862d3f5b
[Git][security-tracker-team/security-tracker][master] 2 commits: Add Debian bug reference for CVE-2020-8866/php-horde-form
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 35c04080 by Salvatore Bonaccorso at 2020-03-26T22:16:40+01:00 Add Debian bug reference for CVE-2020-8866/php-horde-form - - - - - e2daded6 by Salvatore Bonaccorso at 2020-03-26T22:17:15+01:00 Add Debian bug reference for CVE-2020-8865/php-horde-trean - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4954,12 +4954,12 @@ CVE-2020-8868 (This vulnerability allows remote attackers to execute arbitrary c CVE-2020-8867 RESERVED CVE-2020-8866 (This vulnerability allows remote attackers to create arbitrary files o ...) - - php-horde-form + - php-horde-form (bug #955020) NOTE: https://lists.horde.org/archives/announce/2020/001288.html NOTE: https://www.zerodayinitiative.com/advisories/ZDI-20-275/ NOTE: https://github.com/horde/Form/commit/813f8e7e9479fad4546b89c569325ee9eef60b0f CVE-2020-8865 (This vulnerability allows remote attackers to execute local PHP files ...) - - php-horde-trean + - php-horde-trean (bug #955019) [buster] - php-horde-trean (Minor issue) [stretch] - php-horde-trean (Minor issue) NOTE: https://lists.horde.org/archives/announce/2020/001286.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a9e8f6361e3c48f6f26c9b093af7c3ff05db4d0a...e2daded6312725266739137705ad6a2675c15a61
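Review bot: the CVE-2020-8866 entry still has no `[buster]` or `[stretch]` line while its neighbour CVE-2020-8865 has both marked `(Minor issue)`, and going by the descriptions quoted in the hunk, 8866 (arbitrary file creation) is the more serious of the two; the bug reference is fine, but the entry also needs a decision for the stable suites, either a DSA or an explicit no-dsa line with a reason. php-horde-form is already claimed in dla-needed further down this page, so the LTS side is ahead of the stable side here.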
[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-8865/php-horde-trean as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a9e8f636 by Salvatore Bonaccorso at 2020-03-26T22:04:47+01:00 Mark CVE-2020-8865/php-horde-trean as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4960,6 +4960,8 @@ CVE-2020-8866 (This vulnerability allows remote attackers to create arbitrary fi NOTE: https://github.com/horde/Form/commit/813f8e7e9479fad4546b89c569325ee9eef60b0f CVE-2020-8865 (This vulnerability allows remote attackers to execute local PHP files ...) - php-horde-trean + [buster] - php-horde-trean (Minor issue) + [stretch] - php-horde-trean (Minor issue) NOTE: https://lists.horde.org/archives/announce/2020/001286.html NOTE: https://www.zerodayinitiative.com/advisories/ZDI-20-276/ NOTE: https://github.com/horde/trean/commit/db0714a0c04d87bda9e2852f1b0d259fc281ca75 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a9e8f6361e3c48f6f26c9b093af7c3ff05db4d0a
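Review bot: the two added lines read `[buster] - php-horde-trean (Minor issue)` and `[stretch] - php-horde-trean (Minor issue)` with nothing between the package name and the parenthesised reason, whereas the commit message says the entries are marked no-dsa; a reason in parentheses is not a status on its own, so the lines should carry the `<no-dsa>` tag before `(Minor issue)`. If the tag was dropped by the mail rendering rather than in the commit there is nothing to do, but it is worth checking, since every status line in this mail shows the same gap.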
[Git][security-tracker-team/security-tracker][master] Add second commit for path traversal prevention in CVE-2020-8865
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 479d3107 by Salvatore Bonaccorso at 2020-03-26T21:49:38+01:00 Add second commit for path traversal prevention in CVE-2020-8865 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4963,6 +4963,7 @@ CVE-2020-8865 (This vulnerability allows remote attackers to execute local PHP f NOTE: https://lists.horde.org/archives/announce/2020/001286.html NOTE: https://www.zerodayinitiative.com/advisories/ZDI-20-276/ NOTE: https://github.com/horde/trean/commit/db0714a0c04d87bda9e2852f1b0d259fc281ca75 + NOTE: https://github.com/horde/trean/commit/055029f551501803d7e293a48316e2cf31307908 CVE-2020-8864 (This vulnerability allows network-adjacent attackers to bypass authent ...) NOT-FOR-US: D-Link CVE-2020-8863 (This vulnerability allows network-adjacent attackers to bypass authent ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/479d3107cdcb4b8e8e0424695ec7b4741ad13789
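Review bot: the added NOTE lists a second trean commit with no indication of how it relates to the first; the commit message says it is the path traversal follow-up to the fix already referenced, so a short suffix on the line, e.g. `(path traversal prevention, follow-up to the above)`, tells whoever backports the fix to buster or stretch that both commits are needed rather than one or the other.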
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-1957/shiro
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 74adb179 by Salvatore Bonaccorso at 2020-03-26T21:43:49+01:00 Add Debian bug reference for CVE-2020-1957/shiro - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22206,7 +22206,7 @@ CVE-2020-1959 CVE-2020-1958 RESERVED CVE-2020-1957 (Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic ...) - - shiro + - shiro (bug #955018) NOTE: https://www.openwall.com/lists/oss-security/2020/03/23/2 CVE-2020-1956 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/74adb1795d364203047c994a6344ef9ca1b2f327
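Review bot: the only reference on the CVE-2020-1957 entry is the oss-security post, and the description quoted in the hunk ties the issue to Shiro used with Spring dynamic controllers; adding the upstream fix reference for 1.5.2 as a NOTE, plus a line on whether the Debian shiro package is consumed in that configuration, would make the open unstable line actionable for the maintainer rather than just tracked against bug #955018.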
[Git][security-tracker-team/security-tracker][master] 2 commits: Slightly reorganize notes
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 77861d94 by Salvatore Bonaccorso at 2020-03-26T20:31:11+01:00 Slightly reorganize notes - - - - - c89756e7 by Salvatore Bonaccorso at 2020-03-26T21:21:53+01:00 Start tracking some new gitlab issues from 2020-03-26 release Not all are actually clear, and some have not yet assigned CVEs and indication for affected versions and releases. Need to look those later up again. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20,14 +20,24 @@ CVE-2020-10957 RESERVED CVE-2020-10956 RESERVED + - gitlab + NOTE: https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/ CVE-2020-10955 RESERVED + - gitlab + NOTE: https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/ CVE-2020-10954 RESERVED + - gitlab + NOTE: https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/ CVE-2020-10953 RESERVED + - gitlab + NOTE: https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/ CVE-2020-10952 RESERVED + - gitlab + NOTE: https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/ CVE-2020-10951 RESERVED CVE-2020-10950 @@ -2747,6 +2757,9 @@ CVE-2020-9796 RESERVED CVE-2020-9795 RESERVED + - gitlab + NOTE: https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/ + TODO: check if this is actually an issue in Nokogiri CVE-2020-9794 RESERVED CVE-2020-9793 
@@ -110249,10 +110262,11 @@ CVE-2018-9272 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/dissectors/ - wireshark 2.4.6-1 (low) [jessie] - wireshark (Minor issue) [wheezy] - wireshark (Minor issue) - NOTE: applying patch in jessie/wheezy requires introduction of a new memory management system (wmem) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14487 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=6e3b90824a82724f445a0374e99f0b76e4cf5e8b NOTE: https://www.wireshark.org/security/wnpa-sec-2018-24.html + NOTE: Applying patch for versions 1.12 and older requires introduction of a new + NOTE: memory management system (wmem). CVE-2018-9271 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/dissectors/packe ...) - wireshark 2.4.6-1 (low) [jessie] - wireshark (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/89eee75402cfe90e1172067ff4db5bff742bf95c...c89756e7c076c78cc435d0e16d251f68614447ea
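Review bot: in the first hunk the five entries CVE-2020-10952 to CVE-2020-10956 each get an identical `- gitlab` line and the same release-post NOTE with no fixed version, and the commit message itself says the affected versions are not yet known; a `TODO: check` line on each, like the one used for CVE-2020-9795 in the next hunk, would keep them in the tracker's TODO queue until the 12.9.1 release post can be matched to CVE IDs, instead of leaving five open-looking gitlab entries that cannot be told apart.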
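Review bot: in the CVE-2020-9795 hunk, if `TODO: check if this is actually an issue in Nokogiri` turns out to be true, the affected Debian source is the nokogiri package (ruby-nokogiri) rather than gitlab, and the `- gitlab` line added here becomes misleading; either list both candidates with the TODO or hold the package line until the TODO is resolved.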
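Review bot: in the CVE-2018-9272 hunk the rewritten NOTE says "versions 1.12 and older" and no longer names the suites, so a reader now has to know that jessie and wheezy ship those versions; the wording it replaces said `jessie/wheezy` outright, and keeping the suite names in parentheses after the version would preserve both. Splitting the sentence over two `NOTE:` lines and moving it after the reference URLs matches the layout of the neighbouring entries, so that part is fine.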
[Git][security-tracker-team/security-tracker][master] 3 commits: mark CVE-2019-16319 as not-affected
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 0f27d472 by Thorsten Alteholz at 2020-03-26T16:57:59+01:00 mark CVE-2019-16319 as not-affected - - - - - 6b68c9b4 by Thorsten Alteholz at 2020-03-26T16:58:00+01:00 mark CVE-2020-9428 as not-affected - - - - - 89eee754 by Thorsten Alteholz at 2020-03-26T16:58:01+01:00 mark CVE-2020-9430 as not-affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3621,7 +3621,7 @@ CVE-2020-9430 (In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, - wireshark 3.2.2-1 [buster] - wireshark (Can be fixed along in next 3.0.x DSA) [stretch] - wireshark (Can be fixed along in next DSA/update to 3.0) - [jessie] - wireshark (Minor issue, can be fixed along in next DLA) + [jessie] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2020-04.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16368 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16383 @@ -3631,7 +3631,7 @@ CVE-2020-9428 (In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, - wireshark 3.2.2-1 (low) [buster] - wireshark (Can be fixed along in next 3.0.x DSA) [stretch] - wireshark (Can be fixed along in next DSA/update to 3.0) - [jessie] - wireshark (Minor issue, can be fixed along in next DLA) + [jessie] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2020-05.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16397 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=9fe2de783dbcbe74144678d60a4e3923367044b2 
@@ -34684,7 +34684,7 @@ CVE-2019-16319 (In Wireshark 3.0.0 to 3.0.3 and 2.6.0 to 2.6.10, the Gryphon dis - wireshark 3.0.4-1 (low) [buster] - wireshark (Can be fixed along in next 3.0.x DSA) [stretch] - wireshark (Can be fixed along in next 2.6.x DSA) - [jessie] - wireshark (Can be fixed when more important issues arise) + [jessie] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2019-21.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16020 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=02ddd49885c6a09e936a76aceb726ed06539704a View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/95ca7398d743a409246d0c7b02230faa7af0fc66...89eee75402cfe90e1172067ff4db5bff742bf95c
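Review bot: for CVE-2020-9430 and CVE-2020-9428 the jessie line goes from `(Minor issue, can be fixed along in next DLA)` to `(Vulnerable code not present)`, which the commit messages say is a not-affected marking; the quoted descriptions limit the affected range to 3.2.0 to 3.2.1, 3.0.0 to 3.0.8 and 2.6.0 to 2.6.14, and the CVE-2018-9272 note elsewhere in this mail puts jessie on the 1.12 series, so the reasoning holds. As rendered, though, neither line shows a `<not-affected>` tag between the package name and the reason, and without it the tracker reads the line as a plain no-dsa with a comment, so please confirm the committed lines carry the tag.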
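Review bot: in the CVE-2019-16319 hunk the stretch line still says `(Can be fixed along in next 2.6.x DSA)` while the CVE-2020-9430 and CVE-2020-9428 entries changed in the same push say `(Can be fixed along in next DSA/update to 3.0)` for stretch; if stretch is to move to the 3.0 series, this older entry should say the same so the postponed issues are batched into one update rather than waiting for a 2.6.x DSA that may never be built. The jessie change itself is consistent with the quoted range of 3.0.0 to 3.0.3 and 2.6.0 to 2.6.10.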
[Git][security-tracker-team/security-tracker][master] 2 commits: add note for CVE-2018-9272 in jessie
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 5d2fc86b by Thorsten Alteholz at 2020-03-26T16:33:16+01:00 add note for CVE-2018-9272 in jessie - - - - - bb199c99 by Thorsten Alteholz at 2020-03-26T16:33:16+01:00 claim wireshark - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -110249,6 +110249,7 @@ CVE-2018-9272 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/dissectors/ - wireshark 2.4.6-1 (low) [jessie] - wireshark (Minor issue) [wheezy] - wireshark (Minor issue) + NOTE: applying patch in jessie/wheezy requires introduction of a new memory management system (wmem) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14487 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=6e3b90824a82724f445a0374e99f0b76e4cf5e8b NOTE: https://www.wireshark.org/security/wnpa-sec-2018-24.html = data/dla-needed.txt = @@ -81,6 +81,8 @@ squid3 (Markus Koschany) -- tika (Anton Gladky) -- +wireshark (Thorsten Alteholz) +-- xcftools NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for upstream review (hle) NOTE: 20200316: still no activity on upstream's bug tracker (beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d150d7b4bd0550a1c4119d9b4cbc2fd8eaff6cc8...bb199c994011d7badc6ba0a53330f81eecfc9f11
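Review bot: the claim line `wireshark (Thorsten Alteholz)` in dla-needed carries no NOTE, while the neighbouring xcftools entry shows the file's convention of dated progress notes naming the CVE; since the same push records that CVE-2018-9272 would need a wmem backport in jessie and is therefore presumably excluded, a NOTE listing which wireshark CVEs the DLA is meant to cover (and that 9272 stays out) would stop other LTS contributors from redoing that triage.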
[Git][security-tracker-team/security-tracker][master] Moved libunivalue 1.1.1-2 to unstable addressing CVE-2019-18936
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d150d7b4 by Salvatore Bonaccorso at 2020-03-26T16:10:39+01:00 Moved libunivalue 1.1.1-2 to unstable addressing CVE-2019-18936 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24422,8 +24422,7 @@ CVE-2019-18938 (eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the E-Mail Add CVE-2019-18937 (eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the Script Parser Ad ...) NOT-FOR-US: eQ-3 Homematic CVE-2019-18936 (UniValue::read() in UniValue before 1.0.5 allow attackers to cause a d ...) - [experimental] - libunivalue 1.1.1-1 - - libunivalue (bug #954959) + - libunivalue 1.1.1-2 (bug #954959) [buster] - libunivalue (Minor issue) [stretch] - libunivalue (Minor issue) NOTE: https://github.com/jgarzik/univalue/commit/07aa635c034f3a2accfe4e20a8148c366bccf5bf View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d150d7b4bd0550a1c4119d9b4cbc2fd8eaff6cc8
[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-18936/libunivalue as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 29eb855a by Salvatore Bonaccorso at 2020-03-26T14:51:23+01:00 Mark CVE-2019-18936/libunivalue as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24424,6 +24424,8 @@ CVE-2019-18937 (eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the Script Par CVE-2019-18936 (UniValue::read() in UniValue before 1.0.5 allow attackers to cause a d ...) [experimental] - libunivalue 1.1.1-1 - libunivalue (bug #954959) + [buster] - libunivalue (Minor issue) + [stretch] - libunivalue (Minor issue) NOTE: https://github.com/jgarzik/univalue/commit/07aa635c034f3a2accfe4e20a8148c366bccf5bf NOTE: https://github.com/jgarzik/univalue/pull/58 CVE-2019-18935 (Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .N ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29eb855aeb7733cbe600080b2277fee115c6cff0
[Git][security-tracker-team/security-tracker][master] CVE-2016-1000111 has been fixed upstream in 16.3.1 and in Debian in 16.4.0-1
Andrej Shadura pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f1afa90 by Andrej Shadura at 2020-03-26T14:23:12+01:00 CVE-2016-1000111 has been fixed upstream in 16.3.1 and in Debian in 16.4.0-1 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -201607,7 +201607,7 @@ CVE-2016-5388 (Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the NOTE: https://svn.apache.org/r1756941 (8.0.x) NOTE: https://svn.apache.org/r1756942 (7.0.x) CVE-2016-1000111 (Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1 ...) - - twisted (unimportant) + - twisted 16.4.0-1 (unimportant) [wheezy] - twisted (For wheezy affected file twcgi.py is in src:twisted-web) - twisted-web [wheezy] - twisted-web (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f1afa90454132c5b58bfe91b70e94e1105639b4
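Review bot: the `- twisted-web` line just below the changed one still has no fixed version and no severity, while the twisted line it belongs with is now `16.4.0-1 (unimportant)`; the wheezy note says twcgi.py lived in src:twisted-web for that suite, so either twisted-web is gone from unstable and should be marked as removed, or it is still present and needs the same `(unimportant)` severity and, if applicable, a fixed version. As it stands the CVE remains open against twisted-web while the commit message says the issue is fixed in Debian.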
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Add libperlspeak-perl
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 323d04da by Abhijith PA at 2020-03-26T17:48:16+05:30 data/dla-needed.txt: Add libperlspeak-perl - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -34,6 +34,9 @@ libmatio (Adrian Bunk) libmtp (Dylan Aïssi) NOTE: 20200323: WIP. (daissi) -- +libperlspeak-perl + NOTE: 20200326: No patches yet. +-- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/323d04dae7c1abadad4cb6e37d1de52280b34081
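Review bot: the new `libperlspeak-perl` entry names no CVE, bug or advisory, only `No patches yet.`; the dated NOTE format matches the neighbouring entries, but the xcftools entry further down this page shows the more useful shape (it cites CVE-2019-5086 and the upstream review status), so adding the CVE ID here lets the next person who picks up the package start from the tracker entry instead of searching for it.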
[Git][security-tracker-team/security-tracker][master] 3 commits: Track fixed version for CVE-2019-14862/node-knockout
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4d1b88ad by Salvatore Bonaccorso at 2020-03-26T12:50:45+01:00 Track fixed version for CVE-2019-14862/node-knockout - - - - - 93db7dfa by Salvatore Bonaccorso at 2020-03-26T12:51:31+01:00 Track proposed update for CVE-2019-14862/node-knockout via buster-pu - - - - - 952d34f1 by Salvatore Bonaccorso at 2020-03-26T12:52:42+01:00 Track proposed update for CVE-2019-14862/node-knockout via stretch-pu - - - - - 3 changed files: - data/CVE/list - data/next-oldstable-point-update.txt - data/next-point-update.txt Changes: = data/CVE/list = @@ -39305,7 +39305,7 @@ CVE-2019-14863 (There is a vulnerability in all angular versions before 1.5.0-be NOTE: https://github.com/angular/angular.js/commit/f33ce173c90736e349cf594df717ae3ee41e0f7a NOTE: https://github.com/angular/angular.js/pull/12524 CVE-2019-14862 (There is a vulnerability in knockout before version 3.5.0-beta, where ...) - - node-knockout (unimportant; bug #943560) + - node-knockout 3.4.2-3 (unimportant; bug #943560) NOTE: https://github.com/knockout/knockout/issues/1244 NOTE: https://github.com/knockout/knockout/pull/2345 NOTE: https://github.com/knockout/knockout/commit/7e280b2b8a04cc19176b5171263a5c68bda98efb = data/next-oldstable-point-update.txt = @@ -54,3 +54,5 @@ CVE-2017-5715 [stretch] - amd64-microcode 3.20181128.1~deb9u1 CVE-2020-5267 [stretch] - rails 2:4.2.7.1-1+deb9u2 +CVE-2019-14862 + [stretch] - node-knockout 3.4.2-2+deb9u1 = data/next-point-update.txt = 
@@ -61,3 +61,5 @@ CVE-2020-8597 [buster] - lwip 2.0.3-3+deb10u1 CVE-2020-7608 [buster] - node-yargs-parser 11.1.1-1+deb10u1 +CVE-2019-14862 + [buster] - node-knockout 3.4.2-2+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/83d7b33fcdc56915a92d5258b5321bd226ad8e47...952d34f186ae3914596ae57a460bd5b111c31478 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/83d7b33fcdc56915a92d5258b5321bd226ad8e47...952d34f186ae3914596ae57a460bd5b111c31478 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
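Review bot: Version ordering across the three hunks is consistent and worth recording: the unstable fix "3.4.2-3" sorts above both proposed point-update versions "3.4.2-2+deb9u1" (stretch) and "3.4.2-2+deb10u1" (buster), and the stretch version sorts below the buster one, so an upgrade from either stable release to unstable keeps the fix. One gap in the first hunk: the data/CVE/list entry keeps "(unimportant; bug #943560)" while stretch-pu and buster-pu updates are being prepared; a short NOTE saying why an "unimportant" issue is going through point updates (severity re-assessed, or piggybacking on another update) would save future readers from wondering whether the severity tag is stale.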
[Git][security-tracker-team/security-tracker][master] DLA: Claim tika
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 83d7b33f by Anton Gladky at 2020-03-26T10:23:53+01:00 DLA: Claim tika - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -76,7 +76,7 @@ ruby-rack squid3 (Markus Koschany) NOTE: 20200309: Requires more tests. (apo) -- -tika +tika (Anton Gladky) -- xcftools NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for upstream review (hle) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/83d7b33fcdc56915a92d5258b5321bd226ad8e47 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/83d7b33fcdc56915a92d5258b5321bd226ad8e47 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c5361c66 by Salvatore Bonaccorso at 2020-03-26T09:16:08+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,11 +1,11 @@ CVE-2020-10966 (In the Password Reset Module in VESTA Control Panel through 0.9.8-25 a ...) - TODO: check + NOT-FOR-US: VESTA Control Panel CVE-2020-10965 (Teradici PCoIP Management Console 20.01.0 and 19.11.1 is vulnerable to ...) - TODO: check + NOT-FOR-US: Teradici PCoIP Management Console CVE-2020-10964 (Serendipity before 2.3.4 on Windows allows remote attackers to execute ...) TODO: check CVE-2020-10963 (FrozenNode Laravel-Administrator through 5.0.12 allows unrestricted fi ...) - TODO: check + NOT-FOR-US: FrozenNode Laravel-Administrator CVE-2020-10962 RESERVED CVE-2020-10961 
@@ -159,21 +159,21 @@ CVE-2020-10890 CVE-2020-10889 RESERVED CVE-2020-10888 (This vulnerability allows remote attackers to bypass authentication on ...) - TODO: check + NOT-FOR-US: TP-Link CVE-2020-10887 (This vulnerability allows a firewall bypass on affected installations ...) - TODO: check + NOT-FOR-US: TP-Link CVE-2020-10886 (This vulnerability allows remote attackers to execute arbitrary code o ...) - TODO: check + NOT-FOR-US: TP-Link CVE-2020-10885 (This vulnerability allows remote attackers to execute arbitrary code o ...) - TODO: check + NOT-FOR-US: TP-Link CVE-2020-10884 (This vulnerability allows network-adjacent attackers execute arbitrary ...) - TODO: check + NOT-FOR-US: TP-Link CVE-2020-10883 (This vulnerability allows local attackers to escalate privileges on af ...) - TODO: check + NOT-FOR-US: TP-Link CVE-2020-10882 (This vulnerability allows network-adjacent attackers to execute arbitr ...) - TODO: check + NOT-FOR-US: TP-Link CVE-2020-10881 (This vulnerability allows remote attackers to execute arbitrary code o ...) - TODO: check + NOT-FOR-US: TP-Link CVE-2019-20632 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...) TODO: check CVE-2019-20631 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...) @@ -1796,7 +1796,7 @@ CVE-2020-10247 (MISP 2.4.122 has Persistent XSS in the sighting popover tool. Th CVE-2020-10246 (MISP 2.4.122 has reflected XSS via unsanitized URL parameters. This is ...) NOT-FOR-US: MISP CVE-2020-10245 (CODESYS V3 web server before 3.5.15.40, as used in CODESYS Control run ...) - TODO: check + NOT-FOR-US: CODESYS CVE-2020-10244 (JPaseto before 0.3.0 generates weak hashes when using v2.local tokens. ...) NOT-FOR-US: JPaseto CVE-2020-10243 (An issue was discovered in Joomla! before 3.9.16. The lack of type cas ...) 
@@ -3394,7 +3394,7 @@ CVE-2020-9522 CVE-2020-9521 RESERVED CVE-2020-9520 (A stored XSS vulnerability was discovered in Micro Focus Vibe, affecti ...) - TODO: check + NOT-FOR-US: Micro Focus Vibe CVE-2020-9519 (HTTP methods reveled in Web services vulnerability in Micro Focus Serv ...) NOT-FOR-US: Micro Focus CVE-2020-9518 (Login filter can access configuration files vulnerability in Micro Foc ...) @@ -12445,7 +12445,7 @@ CVE-2020-5563 CVE-2020-5562 RESERVED CVE-2020-5561 (Keijiban Tsumiki v1.15 allows remote attackers to execute arbitrary OS ...) - TODO: check + NOT-FOR-US: Keijiban Tsumiki CVE-2020-5560 (WL-Enq 1.11 and 1.12 allows remote attackers to execute arbitrary OS c ...) TODO: check CVE-2020-5559 (Cross-site scripting vulnerability in WL-Enq 1.11 and 1.12 allows remo ...) @@ -12455,11 +12455,11 @@ CVE-2020-5558 (CuteNews 2.0.1 allows remote authenticated attackers to execute a CVE-2020-5557 (Cross-site scripting vulnerability in CuteNews 2.0.1 allows remote att ...) TODO: check CVE-2020-5556 (Shihonkanri Plus GOOUT Ver1.5.8 and Ver2.2.10 allows remote attackers ...) - TODO: check + NOT-FOR-US: Shihonkanri Plus GOOUT CVE-2020- (Shihonkanri Plus GOOUT Ver1.5.8 and Ver2.2.10 allows remote attackers ...) - TODO: check + NOT-FOR-US: Shihonkanri Plus GOOUT CVE-2020-5554 (Directory traversal vulnerability in Shihonkanri Plus GOOUT Ver1.5.8 a ...) - TODO: check + NOT-FOR-US: Shihonkanri Plus GOOUT CVE-2020-5553 (mailform version 1.04 allows remote attackers to execute arbitrary PHP ...) TODO: check CVE-2020-5552 (Cross-site scripting vulnerability in mailform version 1.04 allows rem ...) @@ -12970,9 +12970,9 @@ CVE-2020-5342 (Dell Digital Delivery versions prior to 3.5.2015 contain an incor CVE-2020-5341 RESERVED CVE-2020-5340 (RSA Authentication Manager versions prior to 8.4 P10 contain a stored ...) - TODO:
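Review bot: In the hunk at data/CVE/list line 159, eight entries (CVE-2020-10881 through CVE-2020-10888) change from "TODO: check" to "NOT-FOR-US: TP-Link", but none of the truncated descriptions shown ("This vulnerability allows remote attackers to bypass authentication on ...") names the vendor, so the attribution cannot be verified from the diff alone; adding a NOTE with the source advisory URL to at least one of them would make the NOT-FOR-US decision auditable.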
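Review bot: In the hunk at line 12455, the entry between CVE-2020-5556 and CVE-2020-5554 is shown with an incomplete identifier ("CVE-2020- (Shihonkanri Plus GOOUT ...)"); if the line reads that way in the file rather than being a rendering artifact of this mail, the identifier needs to be completed, since a bare "CVE-2020-" is not a valid CVE id and will not match anything. The three "NOT-FOR-US: Shihonkanri Plus GOOUT" annotations themselves are consistent with the descriptions, which name the product.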
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 954870b6 by security tracker role at 2020-03-26T08:10:51+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,33 @@ +CVE-2020-10966 (In the Password Reset Module in VESTA Control Panel through 0.9.8-25 a ...) + TODO: check +CVE-2020-10965 (Teradici PCoIP Management Console 20.01.0 and 19.11.1 is vulnerable to ...) + TODO: check +CVE-2020-10964 (Serendipity before 2.3.4 on Windows allows remote attackers to execute ...) + TODO: check +CVE-2020-10963 (FrozenNode Laravel-Administrator through 5.0.12 allows unrestricted fi ...) + TODO: check +CVE-2020-10962 + RESERVED +CVE-2020-10961 + RESERVED +CVE-2020-10960 + RESERVED +CVE-2020-10959 + RESERVED +CVE-2020-10958 + RESERVED +CVE-2020-10957 + RESERVED +CVE-2020-10956 + RESERVED +CVE-2020-10955 + RESERVED +CVE-2020-10954 + RESERVED +CVE-2020-10953 + RESERVED +CVE-2020-10952 + RESERVED CVE-2020-10951 RESERVED CVE-2020-10950 
@@ -128,22 +158,22 @@ CVE-2020-10890 RESERVED CVE-2020-10889 RESERVED -CVE-2020-10888 - RESERVED -CVE-2020-10887 - RESERVED -CVE-2020-10886 - RESERVED -CVE-2020-10885 - RESERVED -CVE-2020-10884 - RESERVED -CVE-2020-10883 - RESERVED -CVE-2020-10882 - RESERVED -CVE-2020-10881 - RESERVED +CVE-2020-10888 (This vulnerability allows remote attackers to bypass authentication on ...) + TODO: check +CVE-2020-10887 (This vulnerability allows a firewall bypass on affected installations ...) + TODO: check +CVE-2020-10886 (This vulnerability allows remote attackers to execute arbitrary code o ...) + TODO: check +CVE-2020-10885 (This vulnerability allows remote attackers to execute arbitrary code o ...) + TODO: check +CVE-2020-10884 (This vulnerability allows network-adjacent attackers execute arbitrary ...) + TODO: check +CVE-2020-10883 (This vulnerability allows local attackers to escalate privileges on af ...) + TODO: check +CVE-2020-10882 (This vulnerability allows network-adjacent attackers to execute arbitr ...) + TODO: check +CVE-2020-10881 (This vulnerability allows remote attackers to execute arbitrary code o ...) + TODO: check CVE-2019-20632 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...) TODO: check CVE-2019-20631 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...) @@ -1765,8 +1795,8 @@ CVE-2020-10247 (MISP 2.4.122 has Persistent XSS in the sighting popover tool. Th NOT-FOR-US: MISP CVE-2020-10246 (MISP 2.4.122 has reflected XSS via unsanitized URL parameters. This is ...) NOT-FOR-US: MISP -CVE-2020-10245 - RESERVED +CVE-2020-10245 (CODESYS V3 web server before 3.5.15.40, as used in CODESYS Control run ...) + TODO: check CVE-2020-10244 (JPaseto before 0.3.0 generates weak hashes when using v2.local tokens. ...) NOT-FOR-US: JPaseto CVE-2020-10243 (An issue was discovered in Joomla! before 3.9.16. The lack of type cas ...) 
@@ -3363,8 +3393,8 @@ CVE-2020-9522 RESERVED CVE-2020-9521 RESERVED -CVE-2020-9520 - RESERVED +CVE-2020-9520 (A stored XSS vulnerability was discovered in Micro Focus Vibe, affecti ...) + TODO: check CVE-2020-9519 (HTTP methods reveled in Web services vulnerability in Micro Focus Serv ...) NOT-FOR-US: Micro Focus CVE-2020-9518 (Login filter can access configuration files vulnerability in Micro Foc ...) @@ -9614,12 +9644,10 @@ CVE-2020-6818 RESERVED CVE-2020-6817 RESERVED -CVE-2020-6815 - RESERVED +CVE-2020-6815 (Mozilla developers reported memory safety and script safety bugs prese ...) - firefox 74.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-08/#CVE-2020-6815 -CVE-2020-6814 - RESERVED +CVE-2020-6814 (Mozilla developers reported memory safety bugs present in Firefox and ...) {DSA-4642-1 DSA-4639-1 DLA-2150-1 DLA-2140-1} - firefox 74.0-1 - firefox-esr 68.6.0esr-1 @@ -9627,12 +9655,10 @@ CVE-2020-6814 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-10/#CVE-2020-6814 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-09/#CVE-2020-6814 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-08/#CVE-2020-6814 -CVE-2020-6813 - RESERVED +CVE-2020-6813 (When protecting CSS blocks with the nonce feature of Content Security ...) - firefox 74.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-08/#CVE-2020-6813 -CVE-2020-6812 - RESERVED +CVE-2020-6812 (The first time AirPods are connected to an iPhone, they become named a ...)
[Git][security-tracker-team/security-tracker][master] Add for tracking CVE-2020-8832
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4bb04eac by Salvatore Bonaccorso at 2020-03-26T08:39:17+01:00 Add for tracking CVE-2020-8832 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4996,8 +4996,11 @@ CVE-2020-8834 RESERVED CVE-2020-8833 RESERVED -CVE-2020-8832 +CVE-2020-8832 [incomplete fix for CVE-2019-14615 allows for a local information exposure] RESERVED + - linux + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1817047 + TODO: check (in kernel-sec) if we have incomplete fix CVE-2020-8831 RESERVED CVE-2019-20451 (The HTTP API in Prismview System 9 11.10.17.00 and Prismview Player 11 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4bb04eac38f839dfada6c210cc31e567bcf18dac -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4bb04eac38f839dfada6c210cc31e567bcf18dac You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
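Review bot: The new entry marks linux affected ("- linux") with no suite annotations while the accompanying TODO says it is still unverified whether Debian carries the incomplete fix for CVE-2019-14615; that is the right conservative default, but once the kernel-sec check is done the line should either get a fixed version or per-suite not-affected annotations, and a NOTE pointing at the upstream commit that completes the fix would make the entry verifiable beyond the single Red Hat bugzilla link.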
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-10688
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d3be7bb8 by Salvatore Bonaccorso at 2020-03-26T08:36:39+01:00 Add CVE-2020-10688 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -775,6 +775,12 @@ CVE-2020-10689 RESERVED CVE-2020-10688 RESERVED + - resteasy + - resteasy3.0 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1814974 + NOTE: https://github.com/quarkusio/quarkus/issues/7248 + NOTE: https://issues.redhat.com/browse/RESTEASY-2519 (restricted) + TODO: check details, not much information provided by Red Hat. CVE-2020-10687 RESERVED CVE-2020-10686 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d3be7bb85f967d3da90f5cc1440860421707b7fd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d3be7bb85f967d3da90f5cc1440860421707b7fd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
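Review bot: Both resteasy and resteasy3.0 are marked affected with no version or suite information on the strength of three references, one of which (RESTEASY-2519) is flagged restricted and so cannot be consulted by other team members; the TODO already acknowledges the thin details. When Red Hat publishes the affected range, record it in the entry, and since two source packages are listed, check separately whether the 3.0 branch contains the affected code rather than assuming both do.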
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2017-18640/snakeyaml
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 486f950e by Salvatore Bonaccorso at 2020-03-26T07:48:35+01:00 Track fixed version for CVE-2017-18640/snakeyaml - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19172,7 +19172,7 @@ CVE-2019-19727 (SchedMD Slurm before 18.08.9 and 19.x before 19.05.5 has weak sl NOTE: The example file is installed as well in Debian as 0644 and slurmdbd.conf NOTE: not directly installed by the slurmdbd binary package. CVE-2017-18640 (The Alias feature in SnakeYAML 1.18 allows entity expansion during a l ...) - - snakeyaml (bug #952683) + - snakeyaml 1.25+ds-3 (bug #952683) [buster] - snakeyaml (Minor issue) [stretch] - snakeyaml (Minor issue) [jessie] - snakeyaml (unclear security impact) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/486f950e94815b9fb051b5d4e9ff8f1dcd9c9fa4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/486f950e94815b9fb051b5d4e9ff8f1dcd9c9fa4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
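Review bot: The suite annotations for this entry are now inconsistent: buster and stretch carry "(Minor issue)" while jessie carries "(unclear security impact)", yet all three defer the same CVE. With a fix now recorded in unstable (snakeyaml 1.25+ds-3), the impact appears to have been assessed, so aligning the jessie annotation with the others, or adding a NOTE explaining the difference, would keep the entry self-consistent.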
[Git][security-tracker-team/security-tracker][master] Track fixed version via experimental for CVE-2019-18936/libunivalue until uploaded to unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8f26fb0a by Salvatore Bonaccorso at 2020-03-26T07:47:13+01:00 Track fixed version via experimental for CVE-2019-18936/libunivalue until uploaded to unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24394,6 +24394,7 @@ CVE-2019-18938 (eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the E-Mail Add CVE-2019-18937 (eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the Script Parser Ad ...) NOT-FOR-US: eQ-3 Homematic CVE-2019-18936 (UniValue::read() in UniValue before 1.0.5 allow attackers to cause a d ...) + [experimental] - libunivalue 1.1.1-1 - libunivalue (bug #954959) NOTE: https://github.com/jgarzik/univalue/commit/07aa635c034f3a2accfe4e20a8148c366bccf5bf NOTE: https://github.com/jgarzik/univalue/pull/58 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f26fb0aafcca0b74620adec7c7d3f7bd2142546 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f26fb0aafcca0b74620adec7c7d3f7bd2142546 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits