[Git][security-tracker-team/security-tracker][master] Track fixed versions for CVE fixes for linux/5.5.13-1 upload
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 88024286 by Salvatore Bonaccorso at 2020-03-30T06:05:28+02:00 Track fixed versions for CVE fixes for linux/5.5.13-1 upload - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -142,7 +142,7 @@ CVE-2019-20633 (GNU patch through 2.7.6 contains a free(p_line[p_end]) Double Fr - patch (Incomplete fix for CVE-2018-6952 not applied) NOTE: https://savannah.gnu.org/bugs/index.php?56683 CVE-2020-10942 (In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/net. ...) - - linux + - linux 5.5.13-1 NOTE: https://git.kernel.org/linus/42d84c8490f9f0931786f1623191fcab397c3d64 (5.6-rc4) CVE-2020-10941 (Arm Mbed TLS before 2.6.15 allows attackers to obtain sensitive inform ...) - mbedtls 2.16.5-1 @@ -3819,7 +3819,7 @@ CVE-2020-9387 CVE-2020-9386 (In Mahara 18.10 before 18.10.5, 19.04 before 19.04.4, and 19.10 before ...) - mahara CVE-2020-9391 (An issue was discovered in the Linux kernel 5.4 and 5.5 through 5.5.6 ...) - - linux + - linux 5.5.13-1 [buster] - linux (Vulnerable code not present) [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) @@ -3829,7 +3829,7 @@ CVE-2020-9385 (A NULL Pointer Dereference exists in libzint in Zint 2.7.1 becaus CVE-2020-9384 RESERVED CVE-2020-9383 (An issue was discovered in the Linux kernel through 5.5.6. set_fdc in ...) - - linux + - linux 5.5.13-1 NOTE: https://git.kernel.org/linus/2e90ca68b0d2f5548804f22f0dd61145516171e3 CVE-2020-9382 (An issue was discovered in the Widgets extension through 1.4.0 for Med ...) NOT-FOR-US: Widgets extension for MediaWiki 
@@ -4774,7 +4774,7 @@ CVE-2020-8994 (An issue was discovered on XIAOMI AI speaker MDZ-25-DT 1.34.36, a CVE-2020-8993 RESERVED CVE-2020-8992 (ext4_protect_reserved_inode in fs/ext4/block_validity.c in the Linux k ...) - - linux + - linux 5.5.13-1 NOTE: https://patchwork.ozlabs.org/patch/1236118/ CVE-2020-8991 (** DISPUTED ** vg_lookup in daemons/lvmetad/lvmetad-core.c in LVM2 2.0 ...) - lvm2 2.03.01-2 @@ -5562,13 +5562,13 @@ CVE-2020-8641 (Lotus Core CMS 1.0.1 allows authenticated Local File Inclusion of CVE-2019-20447 (Jobberbase 2.0 has SQL injection via the PATH_INFO to the jobs-in endp ...) NOT-FOR-US: Jobberbase CMS CVE-2020-8649 (There is a use-after-free vulnerability in the Linux kernel through 5. ...) - - linux + - linux 5.5.13-1 NOTE: https://git.kernel.org/linus/513dc792d6060d5ef572e43852683097a8420f56 CVE-2020-8648 (There is a use-after-free vulnerability in the Linux kernel through 5. ...) - - linux + - linux 5.5.13-1 NOTE: https://git.kernel.org/linus/07e6124a1a46b4b5a9b3cacc0c306b50da87abf5 CVE-2020-8647 (There is a use-after-free vulnerability in the Linux kernel through 5. ...) - - linux + - linux 5.5.13-1 NOTE: https://git.kernel.org/linus/513dc792d6060d5ef572e43852683097a8420f56 CVE-2020-8640 RESERVED @@ -19197,7 +19197,7 @@ CVE-2019-19770 (In the Linux kernel 4.19.83, there is a use-after-free (read) in - linux NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=205713 CVE-2019-19769 (In the Linux kernel 5.3.10, there is a use-after-free (read) in the pe ...) - - linux + - linux 5.5.13-1 [buster] - linux (Vulnerable code not present) [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) 
@@ -20092,7 +20092,7 @@ CVE-2020-2733 RESERVED CVE-2020-2732 [kvm: nVMX: L2 guest may trick the L0 hypervisor to access sensitive L1 resources] RESERVED - - linux + - linux 5.5.13-1 NOTE: https://git.kernel.org/linus/07721feee46b4b248402133228235318199b05ec NOTE: https://git.kernel.org/linus/35a571346a94fb93b5b3b6a599675ef3384bc75c NOTE: https://git.kernel.org/linus/e71237d3ff1abf9f3388337cfebf53b96df2020d @@ -29837,7 +29837,7 @@ CVE-2020-0011 (In get_auth_result of fpc_ta_hw_auth.c, there is a possible out o CVE-2020-0010 (In fpc_ta_get_build_info of fpc_ta_kpi.c, there is a possible out of b ...) NOT-FOR-US: FPC components for Android CVE-2020-0009 (In calc_vm_may_flags of ashmem.c, there is a possible arbitrary write ...) - - linux + - linux 5.5.13-1 NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1949 CVE-2020-0008 (In LowEnergyClient::MtuChangedCallback of low_energy_client.cc, there ...) NOT-FOR-US: Android View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8802428660e63aee1fb814d0973ec9bec9823443
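Review bot: in the @@ -19197 hunk, CVE-2019-19770 (leading context) keeps a bare `- linux` entry with only a bugzilla NOTE while the adjacent CVE-2019-19769 is marked fixed in 5.5.13-1; if the 5.5.13-1 upload also carries the fix for CVE-2019-19770 it should get the same version, and if it does not, a NOTE saying why the two neighbours differ would save the next triager a lookup.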
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2162-1 for php-horde-form
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 2d1ba425 by Roberto C. Sánchez at 2020-03-29T17:46:25-04:00 Reserve DLA-2162-1 for php-horde-form - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Mar 2020] DLA-2162-1 php-horde-form - security update + {CVE-2020-8866} + [jessie] - php-horde-form 2.0.8-2+deb8u2 [28 Mar 2020] DLA-2161-1 tika - security update {CVE-2020-1950 CVE-2020-1951} [jessie] - tika 1.5-1+deb8u1 = data/dla-needed.txt = @@ -68,8 +68,6 @@ opendmarc (Thorsten Alteholz) -- otrs2 (Abhijith PA) -- -php-horde-form (Roberto C. Sánchez) --- qtbase-opensource-src (Mike Gabriel) NOTE: 20200224: No upstream fix available, yet. (sunweaver) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d1ba4257c24b45f22f3679554617bac68fe9073 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Added comment for EOL entries for xen and tor for jessie.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: ebd93992 by Ola Lundqvist at 2020-03-29T22:45:12+02:00 Added comment for EOL entries for xen and tor for jessie. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1165,7 +1165,7 @@ CVE-2020-10592 (Tor before 0.3.5.10, 0.4.x before 0.4.1.9, and 0.4.2.x before 0. {DSA-4644-1} - tor 0.4.2.7-1 [stretch] - tor (See DSA 4644) - [jessie] - tor + [jessie] - tor (Not supported in jessie LTS) NOTE: https://blog.torproject.org/new-releases-03510-0419-0427 NOTE: https://bugs.torproject.org/33120 CVE-2020-10591 (An issue was discovered in Walmart Labs Concord before 1.44.0. CORS Ac ...) 
@@ -22042,37 +22042,38 @@ CVE-2019-19584 CVE-2019-19583 (An issue was discovered in Xen through 4.12.x allowing x86 HVM/PVH gue ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) - [jessie] - xen + [jessie] - xen (Not supported in jessie LTS) + NOTE: https://xenbits.xen.org/xsa/advisory-308.html CVE-2019-19582 (An issue was discovered in Xen through 4.12.x allowing x86 guest OS us ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) - [jessie] - xen + [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-307.html CVE-2019-19581 (An issue was discovered in Xen through 4.12.x allowing 32-bit Arm gues ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) - [jessie] - xen + [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-307.html CVE-2019-19580 (An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) - [jessie] - xen + [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-310.html CVE-2019-19578 (An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) - [jessie] - xen + [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-309.html CVE-2019-19577 (An issue was discovered in Xen through 4.12.x allowing x86 AMD HVM gue ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) - [jessie] - xen + [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-311.html CVE-2019-19579 (An issue was discovered in Xen through 4.12.x allowing attackers to ga ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) - [jessie] - xen + [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-306.html CVE-2019-19576 (class.upload.php in verot.net class.upload before 1.0.3 and 2.x before ...) 
NOT-FOR-US: K2 extension for Joomla! @@ -28278,32 +28279,32 @@ CVE-2019-18426 (A vulnerability in WhatsApp Desktop versions prior to 0.3.9309 w CVE-2019-18425 (An issue was discovered in Xen through 4.12.x allowing 32-bit PV guest ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) - [jessie] - xen + [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-298.html CVE-2019-18424 (An issue was discovered in Xen through 4.12.x allowing attackers to ga ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) - [jessie] - xen + [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-302.html CVE-2019-18423 (An issue was discovered in Xen through 4.12.x allowing ARM guest OS us ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) - [jessie] - xen + [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-301.html CVE-2019-18422 (An issue was discovered in Xen through 4.12.x allowing ARM guest OS us ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) - [jessie] - xen + [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-303.html CVE-2019-18421 (An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) - [jessie] - xen + [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-299.html CVE-2019-18420 (An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) - [jessie] - xen + [jessie] -
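Review bot: the @@ -22042 hunk also adds `NOTE: https://xenbits.xen.org/xsa/advisory-308.html` under CVE-2019-19583, which the commit message ("Added comment for EOL entries for xen and tor for jessie") does not mention; either name the added XSA reference in the message or split it into its own commit so the history stays searchable.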
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: triage CVE-2020-8865/php-horde-trean as no-dsa for jessie
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 58d3784c by Roberto C. Sánchez at 2020-03-29T16:05:18-04:00 LTS: triage CVE-2020-8865/php-horde-trean as no-dsa for jessie - - - - - 212f681f by Roberto C. Sánchez at 2020-03-29T16:06:34-04:00 LTS: remove php-horde-trean from dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -5053,6 +5053,7 @@ CVE-2020-8865 (This vulnerability allows remote attackers to execute local PHP f - php-horde-trean (bug #955019) [buster] - php-horde-trean (Minor issue) [stretch] - php-horde-trean (Minor issue) + [jessie] - php-horde-trean (Minor issue) NOTE: https://lists.horde.org/archives/announce/2020/001286.html NOTE: https://www.zerodayinitiative.com/advisories/ZDI-20-276/ NOTE: https://github.com/horde/trean/commit/db0714a0c04d87bda9e2852f1b0d259fc281ca75 = data/dla-needed.txt = @@ -70,8 +70,6 @@ otrs2 (Abhijith PA) -- php-horde-form (Roberto C. Sánchez) -- -php-horde-trean (Roberto C. Sánchez) --- qtbase-opensource-src (Mike Gabriel) NOTE: 20200224: No upstream fix available, yet. (sunweaver) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3f4f9ab137eb248a08bbd4d7599ae92bbe3efe89...212f681f2b2c5d09bad655ad4603842dab488aca
[Git][security-tracker-team/security-tracker][master] One more entry marked as EOL for xen in jessie.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 3f4f9ab1 by Ola Lundqvist at 2020-03-29T21:18:58+02:00 One more entry marked as EOL for xen in jessie. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22071,6 +22071,7 @@ CVE-2019-19577 (An issue was discovered in Xen through 4.12.x allowing x86 AMD H CVE-2019-19579 (An issue was discovered in Xen through 4.12.x allowing attackers to ga ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) + [jessie] - xen NOTE: https://xenbits.xen.org/xsa/advisory-306.html CVE-2019-19576 (class.upload.php in verot.net class.upload before 1.0.3 and 2.x before ...) NOT-FOR-US: K2 extension for Joomla! View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f4f9ab137eb248a08bbd4d7599ae92bbe3efe89
[Git][security-tracker-team/security-tracker][master] Marked quite a few CVEs for xen as EOL.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: f67a5ebe by Ola Lundqvist at 2020-03-29T21:09:37+02:00 Marked quite a few CVEs for xen as EOL. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22041,26 +22041,32 @@ CVE-2019-19584 CVE-2019-19583 (An issue was discovered in Xen through 4.12.x allowing x86 HVM/PVH gue ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) + [jessie] - xen NOTE: https://xenbits.xen.org/xsa/advisory-308.html CVE-2019-19582 (An issue was discovered in Xen through 4.12.x allowing x86 guest OS us ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) + [jessie] - xen NOTE: https://xenbits.xen.org/xsa/advisory-307.html CVE-2019-19581 (An issue was discovered in Xen through 4.12.x allowing 32-bit Arm gues ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) + [jessie] - xen NOTE: https://xenbits.xen.org/xsa/advisory-307.html CVE-2019-19580 (An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) + [jessie] - xen NOTE: https://xenbits.xen.org/xsa/advisory-310.html CVE-2019-19578 (An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) + [jessie] - xen NOTE: https://xenbits.xen.org/xsa/advisory-309.html CVE-2019-19577 (An issue was discovered in Xen through 4.12.x allowing x86 AMD HVM gue ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) + [jessie] - xen NOTE: https://xenbits.xen.org/xsa/advisory-311.html CVE-2019-19579 (An issue was discovered in Xen through 4.12.x allowing attackers to ga ...) {DSA-4602-1} 
@@ -28270,26 +28276,32 @@ CVE-2019-18426 (A vulnerability in WhatsApp Desktop versions prior to 0.3.9309 w CVE-2019-18425 (An issue was discovered in Xen through 4.12.x allowing 32-bit PV guest ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) + [jessie] - xen NOTE: https://xenbits.xen.org/xsa/advisory-298.html CVE-2019-18424 (An issue was discovered in Xen through 4.12.x allowing attackers to ga ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) + [jessie] - xen NOTE: https://xenbits.xen.org/xsa/advisory-302.html CVE-2019-18423 (An issue was discovered in Xen through 4.12.x allowing ARM guest OS us ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) + [jessie] - xen NOTE: https://xenbits.xen.org/xsa/advisory-301.html CVE-2019-18422 (An issue was discovered in Xen through 4.12.x allowing ARM guest OS us ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) + [jessie] - xen NOTE: https://xenbits.xen.org/xsa/advisory-303.html CVE-2019-18421 (An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) + [jessie] - xen NOTE: https://xenbits.xen.org/xsa/advisory-299.html CVE-2019-18420 (An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) + [jessie] - xen NOTE: https://xenbits.xen.org/xsa/advisory-296.html CVE-2019-18419 (A cross-site scripting (XSS) vulnerability in index.php in ClonOS WEB ...) NOT-FOR-US: ClonOS 
@@ -51527,6 +51539,7 @@ CVE-2019-11135 (TSX Asynchronous Abort condition on some CPUs utilizing speculat - linux 5.3.9-2 - intel-microcode 3.20191112.1 - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) + [jessie] - xen NOTE: https://software.intel.com/security-software-guidance/insights/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort NOTE: https://xenbits.xen.org/xsa/advisory-305.html NOTE: The 3.20191112.1 release for intel-microcode did contain most updates, additional @@ -56918,10 +56931,12 @@ CVE-2019-9577 CVE-2019-17350 (An issue was discovered in Xen through 4.12.x allowing Arm domU attack ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 + [jessie] - xen NOTE: https://xenbits.xen.org/xsa/advisory-295.html CVE-2019-17349 (An issue was discovered in Xen through 4.12.x allowing Arm domU attack ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 + [jessie] - xen NOTE: https://xenbits.xen.org/xsa/advisory-295.html CVE-2019-17348 (An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS ...) - xen 4.11.1+92-g6c33308a8d-1 (bug #929992) @@ -56931,6 +56946,7 @@
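Review bot: every `[jessie] - xen` line added in the @@ -22041 hunk (and likewise in the @@ -28270 hunk) is a bare marker with no parenthetical, so the entry itself does not say whether jessie is unaffected, no-dsa or end-of-life for this package; the commit message says EOL, and putting that reason on the line in the same parenthetical form the file already uses for `(Minor issue)` and `(Vulnerable code not present)` keeps the data self-describing without a trip to the git log.

Review bot: in the @@ -51527 hunk the jessie marker is added for xen only, although the CVE-2019-11135 entry also lists linux and intel-microcode; worth confirming in the same change that those two are already tracked for jessie elsewhere, otherwise the entry reads as if only xen was considered.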
[Git][security-tracker-team/security-tracker][master] Tor EOL for jessie.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 3a7d574a by Ola Lundqvist at 2020-03-29T21:02:10+02:00 Tor EOL for jessie. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1165,6 +1165,7 @@ CVE-2020-10592 (Tor before 0.3.5.10, 0.4.x before 0.4.1.9, and 0.4.2.x before 0. {DSA-4644-1} - tor 0.4.2.7-1 [stretch] - tor (See DSA 4644) + [jessie] - tor NOTE: https://blog.torproject.org/new-releases-03510-0419-0427 NOTE: https://bugs.torproject.org/33120 CVE-2020-10591 (An issue was discovered in Walmart Labs Concord before 1.44.0. CORS Ac ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a7d574a354dec3c69d3247ccaca7f14763d518a
[Git][security-tracker-team/security-tracker][master] nothing todo for nss
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: b0ba60a1 by Thorsten Alteholz at 2020-03-29T20:05:08+02:00 nothing todo for nss - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -63,8 +63,6 @@ netkit-telnet-ssl NOTE: 20200327: Pinged issue on the ~new upstream. (lamby) NOTE: 20200329: Turns out this is not actually the new upstream (which is MIA). (lamby) -- -nss (Thorsten Alteholz) --- opendmarc (Thorsten Alteholz) NOTE: 20200322: still testing package, original patch does not seem to be enough, still ongoing -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b0ba60a18e5ac3c896cad20ef6e9215ca192f427
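Review bot: the removal of `nss (Thorsten Alteholz)` from dla-needed.txt is not matched by any data/CVE/list change in this commit, and the message "nothing todo for nss" does not say why there is nothing to do (issues not affecting jessie, already fixed, or triaged no-dsa); record that reasoning either in the commit message or as jessie annotations on the affected CVE entries, otherwise the package is likely to be re-added on the next triage pass.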
[Git][security-tracker-team/security-tracker][master] 2 commits: Fix source package ordering for old CVE-2016-5319
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 39b30653 by Salvatore Bonaccorso at 2020-03-29T17:17:27+02:00 Fix source package ordering for old CVE-2016-5319 - - - - - a3f567d2 by Salvatore Bonaccorso at 2020-03-29T17:18:49+02:00 Update information on CVE-2017-17942 Mark the issue as unimportant as it had negligible security impact in the bmp2tiff tool, which furthermore was not anymore installed since 4.0.6-3. Add reference to the new upstream issue after bugzilla moved entries to gitlab issues. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -126844,14 +126844,14 @@ CVE-2017-17944 (The ASUS Vivobaby application before 1.1.09 for Android has Miss CVE-2017-17943 RESERVED CVE-2017-17942 (In LibTIFF 4.0.9, there is a heap-based buffer over-read in the functi ...) - - tiff (low; bug #885579) - [buster] - tiff (Minor issue, revisit once fixed upstream) - [stretch] - tiff (Minor issue, revisit once fixed upstream) - [jessie] - tiff (Minor issue, revisit once fixed upstream) - [wheezy] - tiff (Minor issue, revisit once fixed upstream) - - tiff3 - [wheezy] - tiff3 (Minor issue, revisit once fixed upstream) + - tiff 4.0.6-3 (unimportant; bug #885579) + [jessie] - tiff 4.0.3-12.3+deb8u2 + - tiff3 (unimportant) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2767 + NOTE: https://gitlab.com/libtiff/libtiff/issues/120 + NOTE: No patch available. Marked as wontfix by upstream. + NOTE: bmp2tiff was removed in 4.0.6-3 and DSA 3762, marking as fixed + NOTE: although technically still present in the source package. CVE-2017-17941 (PHP Scripts Mall Single Theater Booking has SQL Injection via the admi ...) NOT-FOR-US: PHP Scripts Mall Single Theater Booking CVE-2017-17940 (PHP Scripts Mall Single Theater Booking has XSS via the title paramete ...) 
@@ -202504,8 +202504,8 @@ CVE-2014-9855 CVE-2016-5319 (Heap-based buffer overflow in tif_packbits.c in libtiff 4.0.6 and earl ...) {DLA-693-1} - tiff 4.0.6-3 (bug #842046) - - tiff3 [jessie] - tiff 4.0.3-12.3+deb8u2 + - tiff3 [wheezy] - tiff3 (tools like bmp2tiff not shipped by tiff3 source package) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2562 NOTE: Reproducer http://bugzilla.maptools.org/attachment.cgi?id=652 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/dcc7227524badfbd2d6aea33b9c6c397d4f007fe...a3f567d2b97d0418c96710622512f79385924d5f
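Review bot: the added `[jessie] - tiff 4.0.3-12.3+deb8u2` line in the @@ -126844 hunk has no NOTE tying that version to the bmp2tiff removal; the new notes explain the unstable side (removed in 4.0.6-3 and DSA 3762), but the same version string appears in the CVE-2016-5319 entry as the DLA-693-1 fix, so a one-line NOTE saying why 4.0.3-12.3+deb8u2 counts as fixed for jessie here would stop the entry being read as an ordinary code fix.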
[Git][security-tracker-team/security-tracker][master] Track fixed versions for gitlab via experimental until uploaded to unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dcc72275 by Salvatore Bonaccorso at 2020-03-29T15:16:26+02:00 Track fixed versions for gitlab via experimental until uploaded to unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -102,18 +102,22 @@ CVE-2020-10958 CVE-2020-10957 RESERVED CVE-2020-10956 (GitLab 8.10 and later through 12.9 is vulnerable to an SSRF in a proje ...) + [experimental] - gitlab 12.8.8-1 - gitlab NOTE: https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/ CVE-2020-10955 (GitLab EE/CE 11.1 through 12.9 is vulnerable to parameter tampering on ...) + [experimental] - gitlab 12.8.8-1 - gitlab NOTE: https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/ CVE-2020-10954 (GitLab through 12.9 is affected by a potential DoS in repository archi ...) - gitlab + [experimental] - gitlab 12.8.8-1 NOTE: https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/ CVE-2020-10953 (In GitLab EE 11.7 through 12.9, the NPM feature is vulnerable to a pat ...) - gitlab (Only affects GitLab EE 11.7 and later) NOTE: https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/ CVE-2020-10952 (GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push doc ...) + [experimental] - gitlab 12.8.8-1 - gitlab NOTE: https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/ CVE-2020-10951 
@@ -2841,6 +2845,7 @@ CVE-2020-9796 RESERVED CVE-2020-9795 RESERVED + [experimental] - gitlab 12.8.8-1 - gitlab NOTE: https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/ TODO: check if this is actually an issue in Nokogiri View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dcc7227524badfbd2d6aea33b9c6c397d4f007fe
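Review bot: in the @@ -102 hunk the `[experimental] - gitlab 12.8.8-1` line is placed before `- gitlab` for CVE-2020-10956, CVE-2020-10955 and CVE-2020-10952 but after it for CVE-2020-10954; pick one ordering so the entries read consistently and the next edit does not have to guess which is canonical.

Review bot: in the @@ -2841 hunk the experimental fixed version is added to CVE-2020-9795 while the entry is still RESERVED and carries a TODO asking whether this is actually a Nokogiri issue; if that TODO resolves to Nokogiri, the gitlab version line will have to move, so either resolve the TODO first or note in the commit that the version is provisional.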
[Git][security-tracker-team/security-tracker][master] Add fixed version via unstable for CVE-2020-1953
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 03c9db99 by Salvatore Bonaccorso at 2020-03-29T15:12:20+02:00 Add fixed version via unstable for CVE-2020-1953 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22303,7 +22303,7 @@ CVE-2020-1955 CVE-2020-1954 RESERVED CVE-2020-1953 (Apache Commons Configuration uses a third-party library to parse YAML ...) - - commons-configuration2 (bug #954713) + - commons-configuration2 2.7-1 (bug #954713) NOTE: https://www.openwall.com/lists/oss-security/2020/03/13/1 CVE-2020-1952 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03c9db994c6e6b2dfcd95bf2fbcb1683b1fcbaec
[Git][security-tracker-team/security-tracker][master] Update notes for shiro in jessie LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: aaa1bfe0 by Chris Lamb at 2020-03-29T10:52:37+01:00 Update notes for shiro in jessie LTS. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -83,7 +83,8 @@ ruby-rack NOTE: 20200216: Discussion ongoing on -lts list. (lamby) -- shiro - NOTE: 20200329: https://github.com/apache/shiro/pull/203 + NOTE: 20200329: https://github.com/apache/shiro/pull/203 (lamby) + NOTE: 20200329: See 53dc30bf6823c98 in this repo. (lamby) -- squid3 (Markus Koschany) NOTE: 20200309: Requires more tests. (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aaa1bfe0865de13a653731e025177f0a40703a42
[Git][security-tracker-team/security-tracker][master] Update note for netkit-telnet and netkit-telnet-ssl for jessie LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 9ef0b46c by Chris Lamb at 2020-03-29T10:50:09+01:00 Update note for netkit-telnet and netkit-telnet-ssl for jessie LTS. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -55,11 +55,13 @@ netkit-telnet NOTE: 20200310: No patch available, yet. Only PoC. (sunweaver) NOTE: 20200320: Upstream's dead, keep an eye on other distros and krb5-appl (embed). (beuc) NOTE: 20200327: Pinged issue on the ~new upstream. (lamby) + NOTE: 20200329: Turns out this is not actually the new upstream (which is MIA). (lamby) -- netkit-telnet-ssl NOTE: 20200310: No patch available, yet. Only PoC. (sunweaver) NOTE: 20200320: Upstream's dead, keep an eye on other distros and krb5-appl (embed). (beuc) NOTE: 20200327: Pinged issue on the ~new upstream. (lamby) + NOTE: 20200329: Turns out this is not actually the new upstream (which is MIA). (lamby) -- nss (Thorsten Alteholz) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9ef0b46c0b815c320b875052b54565f296982be4
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Add and claim otrs2
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 4a965efc by Abhijith PA at 2020-03-29T13:19:00+05:30 data/dla-needed.txt: Add and claim otrs2 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -66,6 +66,8 @@ nss (Thorsten Alteholz) opendmarc (Thorsten Alteholz) NOTE: 20200322: still testing package, original patch does not seem to be enough, still ongoing -- +otrs2 (Abhijith PA) +-- php-horde-form (Roberto C. Sánchez) -- php-horde-trean (Roberto C. Sánchez) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a965efcc1f0ee3b7ebaeaaf0a90e0a61b5d7332
[Git][security-tracker-team/security-tracker][master] Add fixed version via unstable for CVE-2019-19050 and CVE-2019-19252
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9757a74f by Salvatore Bonaccorso at 2020-03-29T09:41:54+02:00 Add fixed version via unstable for CVE-2019-19050 and CVE-2019-19252 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23697,7 +23697,7 @@ CVE-2019-19253 RESERVED NOT-FOR-US: Apereo CAS CVE-2019-19252 (vcs_write in drivers/tty/vt/vc_screen.c in the Linux kernel through 5. ...) - - linux + - linux 5.4.6-1 [buster] - linux 4.19.98-1 [stretch] - linux (Vulnerability introduced later) [jessie] - linux (Vulnerability introduced later) @@ -24272,7 +24272,7 @@ CVE-2019-19051 (A memory leak in the i2400m_op_rfkill_sw_toggle() function in dr [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/6f3ef5c25cc762687a7341c18cbea5af54461407 CVE-2019-19050 (A memory leak in the crypto_reportstat() function in crypto/crypto_use ...) - - linux + - linux 5.4.6-1 [buster] - linux (Vulnerable code not present) [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9757a74fa1fa464bda703c5228bef717a354fca0
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Add shiro
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 9b3ff383 by Abhijith PA at 2020-03-29T12:33:52+05:30 data/dla-needed.txt: Add shiro - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -78,6 +78,9 @@ ruby-rack NOTE: slight possibility of this patch inducing a backdoor on its own. (utkarsh2102) NOTE: 20200216: Discussion ongoing on -lts list. (lamby) -- +shiro + NOTE: 20200329: https://github.com/apache/shiro/pull/203 +-- squid3 (Markus Koschany) NOTE: 20200309: Requires more tests. (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9b3ff383847b1583614ae5f6407520e2d19c9a02