[Git][security-tracker-team/security-tracker][master] Update note in dla-needed.txt

2020-04-11 Thread Abhijith PA


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
da91d339 by Abhijith PA at 2020-04-12T10:32:51+05:30
Update note in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -57,6 +57,7 @@ opendmarc (Thorsten Alteholz)
   NOTE: 20200406: still testing package, original patch does not seem to be 
enough, still ongoing
 --
 otrs2 (Abhijith PA)
+  NOTE: 20200412: Asked upstream for clarity in CVE-2020-1769 patch (abhijith)
 --
 php5 (Thorsten Alteholz)
 --
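Review bot: The added NOTE in the otrs2 entry says upstream was asked for clarity on the CVE-2020-1769 patch but gives no pointer to where the question was raised; the shiro entry on this page records its maintainer contact as a URL ("NOTE: 20200402: the Debian maintainer at https://bugs.debian.org/955018#12"), so consider appending the upstream thread or issue link so the next LTS triager can follow up without asking again.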



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da91d339f2e8c2efac3bdb897c40cfa1380d76d7



___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] Update information on CVE-2018-20669

2020-04-11 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5fd812d9 by Salvatore Bonaccorso at 2020-04-11T22:51:28+02:00
Update information on CVE-2018-20669

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -73181,7 +73181,7 @@ CVE-2019-3907 (Premisys Identicard version 3.1.190 
stores user credentials and o
 CVE-2019-3906 (Premisys Identicard version 3.1.190 contains hardcoded 
credentials in  ...)
NOT-FOR-US: Premisys Identicard
 CVE-2018-20669 (An issue where a provided address with access_ok() is not 
checked was  ...)
-   - linux  (unimportant)
+   - linux 5.2.6-1 (unimportant)
NOTE: Fixed by: 
https://git.kernel.org/linus/594cc251fdd0d231d342d88b2fdff4bc42fb0690
 CVE-2018-20668
RESERVED
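Review bot: Recording "- linux 5.2.6-1 (unimportant)" settles the status for unstable only; the hunk shows no [buster]/[stretch] annotation, so the stable suites will be listed as still affected by this access_ok() issue. For an unimportant-severity entry that is normally acceptable, but if the referenced fix (594cc251fdd0d) was picked up in a stable kernel upload, a suite line would make the status exact.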



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5fd812d9831ab9ad86d094921e3727ae743ab23c


[Git][security-tracker-team/security-tracker][master] dla-needed.txt: Update note for shiro.

2020-04-11 Thread Chris Lamb


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
fee07f19 by Chris Lamb at 2020-04-11T13:57:16+01:00
dla-needed.txt: Update note for shiro.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -74,6 +74,7 @@ shiro (Chris Lamb)
   NOTE: 20200329: See 53dc30bf6823c98 in this repo. (lamby)
   NOTE: 20200402: Prepared a package but difficult running tests. Have asked
   NOTE: 20200402: the Debian maintainer at https://bugs.debian.org/955018#12
+  NOTE: 20200411: Pinged maintainer and LTS list. (lamby)
 --
 squid3 (Markus Koschany)
   NOTE: 20200330: There is still an issue with CVE-2019-12523 but the rest
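Review bot: The new "NOTE: 20200411: Pinged maintainer and LTS list. (lamby)" carries no archive link, unlike the preceding note which cites https://bugs.debian.org/955018#12; adding the list-archive URL of the ping would let the next reader see whether a reply arrived before pinging again.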



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fee07f1967d6f2b976ac1a4907defd4316585fc4


[Git][security-tracker-team/security-tracker][master] CVE-2020-1745: Fixed undertow version has already been uploaded

2020-04-11 Thread Florian Weimer


Florian Weimer pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cc588255 by Florian Weimer at 2020-04-11T13:15:39+02:00
CVE-2020-1745: Fixed undertow version has already been uploaded

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -25249,7 +25249,7 @@ CVE-2020-1746
NOTE: https://github.com/ansible/ansible/pull/67866
 CVE-2020-1745 [AJP File Read/Inclusion Vulnerability]
RESERVED
-   - undertow 
+   - undertow 2.0.30-1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1807305
NOTE: Variant of the Ghostcat Tomcat vulnerability, CVE-2020-1938.
NOTE: According to 
https://lists.jboss.org/pipermail/undertow-dev/2020-March/002422.html
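Review bot: "+   - undertow 2.0.30-1" closes the placeholder for unstable, but the entry still has only that one package line, so any stable suite shipping undertow will now be displayed as vulnerable until a [suite] line or no-dsa annotation is added; worth confirming whether a stable update is planned or declined. The replacement also drops the trailing whitespace the old "- undertow " line carried, which is correct.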



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc588255ce309e9b524e8f1294ecf8ac2b37e60a


[Git][security-tracker-team/security-tracker][master] CVE-2020-1745: Reference upstream pull request

2020-04-11 Thread Florian Weimer


Florian Weimer pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2781883e by Florian Weimer at 2020-04-11T13:10:25+02:00
CVE-2020-1745: Reference upstream pull request

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -25251,6 +25251,9 @@ CVE-2020-1745 [AJP File Read/Inclusion Vulnerability]
RESERVED
- undertow 
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1807305
+   NOTE: Variant of the Ghostcat Tomcat vulnerability, CVE-2020-1938.
+   NOTE: According to 
https://lists.jboss.org/pipermail/undertow-dev/2020-March/002422.html
+   NOTE: the fix is: https://github.com/undertow-io/undertow/pull/859
 CVE-2020-1744 (A flaw was found in keycloak before version 9.0.1. When 
configuring an ...)
NOT-FOR-US: Keycloak
 CVE-2020-1743
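Review bot: The three added NOTE lines give the Ghostcat relation (CVE-2020-1938), the undertow-dev thread and the fix PR https://github.com/undertow-io/undertow/pull/859, but the context line "- undertow " above them still has no fixed version, so the entry remains open for every suite; the later commit on this page (cc588255) fills in 2.0.30-1, so nothing further is needed here beyond keeping the two pieces of the "According to ... the fix is:" sentence adjacent so the reference is not lost when lines are reordered.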



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2781883e75332b7889e319e41f3de7fc9935376d


[Git][security-tracker-team/security-tracker][master] automatic update

2020-04-11 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bb1e7cac by security tracker role at 2020-04-11T08:10:19+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,17 @@
+CVE-2020-11700
+   RESERVED
+CVE-2020-11699
+   RESERVED
+CVE-2020-11698
+   RESERVED
+CVE-2020-11697
+   RESERVED
+CVE-2020-11696
+   RESERVED
+CVE-2020-11695
+   RESERVED
+CVE-2020-11694 (In JetBrains PyCharm 2019.2.5 and 2019.3 on Windows, Apple 
Notarizatio ...)
+   TODO: check
 CVE-2020-11693
RESERVED
 CVE-2020-11692
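Review bot: CVE-2020-11694 is left at "TODO: check", but its description names JetBrains PyCharm on Windows with Apple Notarization, which is not a Debian package; as with the NFU triage commits elsewhere on this page, this can be resolved to a NOT-FOR-US line rather than sitting in the TODO queue. The six RESERVED entries above it need no action.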
@@ -100,8 +114,7 @@ CVE-2020-11649
RESERVED
 CVE-2020-11648
RESERVED
-CVE-2020-11647
-   RESERVED
+CVE-2020-11647 (In Wireshark 3.2.0 to 3.2.2, 3.0.0 to 3.0.9, and 2.6.0 to 
2.6.15, the  ...)
- wireshark 
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16474
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=6f56fc9496db158218243ea87e3660c874a0bab0
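Review bot: The automatic update now supplies the CVE-2020-11647 description (Wireshark 3.2.0 to 3.2.2, 3.0.0 to 3.0.9, 2.6.0 to 2.6.15), but the context line "- wireshark " still has neither a fixed version nor a bug reference; once the fixing upload lands, or a bug is filed as the varnish entry does with "(bug #956305)", the package line should be updated so the tracker does not show the issue as open indefinitely.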



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb1e7cac3b6cb76468c695e0483d65bed8e22f52


[Git][security-tracker-team/security-tracker][master] Patch for CVE-2020-1773 implements a new way for random number

2020-04-11 Thread Abhijith PA


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cab123bd by Abhijith PA at 2020-04-11T12:37:03+05:30
Patch for CVE-2020-1773 implements a new way for random number
generation which needs a lot of perl modules to be backported.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -25021,6 +25021,7 @@ CVE-2020-1773 (An attacker with the ability to generate 
session IDs or password
- otrs2 6.0.27-1
[buster] - otrs2  (Non-free not supported)
[stretch] - otrs2  (Non-free not supported)
+   [jessie] - otrs2  (Too intrusive to backport)
NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-10/
NOTE: Fixed in 7.0.16, 6.0.27, 5.0.42
NOTE: OTRS6: 
https://github.com/OTRS/otrs/commit/ab253734bc211541309b9f8ea2b8b70389c4a64e
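Review bot: The new "[jessie] - otrs2  (Too intrusive to backport)" records the decision but not the reason; the commit message explains that the CVE-2020-1773 patch switches to a new random-number generation scheme that would require many perl modules to be backported. Putting that rationale in a NOTE line next to the suite annotation keeps it in the tracker data where the next LTS triager will see it, instead of only in git history.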



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cab123bd7c49c77100a0e5c92dec628f32d858c4


[Git][security-tracker-team/security-tracker][master] Add wireshark issue from wnpa-sec-2020-07

2020-04-11 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5ad08941 by Salvatore Bonaccorso at 2020-04-11T08:45:04+02:00
Add wireshark issue from wnpa-sec-2020-07

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -102,6 +102,10 @@ CVE-2020-11648
RESERVED
 CVE-2020-11647
RESERVED
+   - wireshark 
+   NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16474
+   NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=6f56fc9496db158218243ea87e3660c874a0bab0
+   NOTE: https://www.wireshark.org/security/wnpa-sec-2020-07.html
 CVE-2019-20637 (An issue was discovered in Varnish Cache before 6.0.5 LTS, 
6.1.x and 6 ...)
- varnish  (bug #956305)
NOTE: http://varnish-cache.org/security/VSV4.html#vsv4
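Review bot: The added "- wireshark " line has no fixed version and no bug number, while the adjacent varnish entry carries "(bug #956305)"; the three NOTE links (bugzilla 16474, the gitweb commit 6f56fc94 and wnpa-sec-2020-07) are enough to track the upstream fix, but a Debian bug reference or fixed version is what makes the entry actionable for the package maintainer.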



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5ad089411c750d03a563fe66a03e3cf3735c73d4


[Git][security-tracker-team/security-tracker][master] Process more NFUs

2020-04-11 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4c0290e2 by Salvatore Bonaccorso at 2020-04-11T08:43:15+02:00
Process more NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6434,7 +6434,7 @@ CVE-2020-9058
 CVE-2020-9057
RESERVED
 CVE-2020-9056 (Periscope BuySpeed version 14.5 is vulnerable to stored 
cross-site scr ...)
-   TODO: check
+   NOT-FOR-US: Periscope BuySpeed
 CVE-2020-9055 (Versiant LYNX Customer Service Portal (CSP), version 3.5.2, is 
vulnera ...)
NOT-FOR-US: Versiant LYNX Customer Service Portal
 CVE-2020-9054 (Multiple ZyXEL network-attached storage (NAS) devices running 
firmware ...)
@@ -11845,7 +11845,7 @@ CVE-2020-6767 (A path traversal vulnerability in the 
Bosch Video Management Syst
 CVE-2020-6766
RESERVED
 CVE-2020-6765 (D-Link DSL-GS225 J1 AU_1.0.4 devices allow an admin to execute 
OS comm ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2020-6764
REJECTED
 CVE-2020-6763
@@ -14899,7 +14899,7 @@ CVE-2020-5408
 CVE-2020-5407
RESERVED
 CVE-2020-5406 (VMware Tanzu Application Service for VMs, 2.6.x versions prior 
to 2.6. ...)
-   TODO: check
+   NOT-FOR-US: VMware
 CVE-2020-5405 (Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 
2.1.x pri ...)
NOT-FOR-US: Spring Cloud Config
 CVE-2020-5404 (The HttpClient from Reactor Netty, versions 0.9.x prior to 
0.9.5, and  ...)
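Review bot: "NOT-FOR-US: VMware" for CVE-2020-5406 is less specific than the neighbouring "NOT-FOR-US: Spring Cloud Config" line; naming the product ("NOT-FOR-US: VMware Tanzu Application Service") makes the entry easier to grep when a later CVE for the same product arrives. The vmdir hunk below keeps the plain "NOT-FOR-US: VMware" form, which at least matches the existing CVE-2020-3951 line there.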
@@ -18404,7 +18404,7 @@ CVE-2020-3954
 CVE-2020-3953
RESERVED
 CVE-2020-3952 (Under certain conditions, vmdir that ships with VMware vCenter 
Server, ...)
-   TODO: check
+   NOT-FOR-US: VMware
 CVE-2020-3951 (VMware Workstation (15.x before 15.5.2) and Horizon Client for 
Windows ...)
NOT-FOR-US: VMware
 CVE-2020-3950 (VMware Fusion (11.x before 11.5.2), VMware Remote Console for 
Mac (11. ...)
@@ -24795,9 +24795,9 @@ CVE-2020-1804
 CVE-2020-1803
RESERVED
 CVE-2020-1802 (There is an insufficient integrity validation vulnerability in 
several ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2020-1801 (There is an improper authentication vulnerability in several 
smartphon ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2020-1800 (HUAWEI smartphones P30 with versions earlier than 
10.0.0.185(C00E85R1P ...)
NOT-FOR-US: Huawei
 CVE-2020-1799



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c0290e23de4a6f1787ce06c7c6de347581927cd


[Git][security-tracker-team/security-tracker][master] Process NFUs

2020-04-11 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a78aa910 by Salvatore Bonaccorso at 2020-04-11T08:37:27+02:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17,9 +17,9 @@ CVE-2020-11686
 CVE-2020-11685
RESERVED
 CVE-2015-9547 (An issue was discovered on Samsung mobile devices with JBP(4.3) 
and KK ...)
-   TODO: check
+   NOT-FOR-US: Samsung mobile devices
 CVE-2015-9546 (An issue was discovered on Samsung mobile devices with KK(4.4) 
and lat ...)
-   TODO: check
+   NOT-FOR-US: Samsung mobile devices
 CVE-2020-11684
RESERVED
 CVE-2020-11683
@@ -15075,7 +15075,7 @@ CVE-2020-5332
 CVE-2020-5331
RESERVED
 CVE-2020-5330 (Dell EMC Networking X-Series firmware versions 3.0.1.2 and 
older, Dell ...)
-   TODO: check
+   NOT-FOR-US: EMC
 CVE-2020-5329
RESERVED
 CVE-2020-5328 (Dell EMC Isilon OneFS versions prior to 8.2.0 contain an 
unauthorized  ...)
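Review bot: "NOT-FOR-US: EMC" drops the vendor prefix used in the description ("Dell EMC Networking X-Series") and in the neighbouring CVE-2020-5328 entry ("Dell EMC Isilon OneFS"); "NOT-FOR-US: Dell EMC" would keep the NFU marker consistent with the product naming and searchable alongside the other Dell EMC entries.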
@@ -17584,7 +17584,7 @@ CVE-2020-4364
 CVE-2020-4363
RESERVED
 CVE-2020-4362 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 
traditional is ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4361
RESERVED
 CVE-2020-4360
@@ -220015,7 +220015,7 @@ CVE-2015-8548 (Multiple unspecified vulnerabilities 
in Google V8 before 4.7.80.2
[wheezy] - chromium-browser  (Not supported in Wheezy)
[squeeze] - chromium-browser  (Not supported in Squeeze 
LTS)
 CVE-2015-8546 (An issue was discovered on Samsung mobile devices with software 
throug ...)
-   TODO: check
+   NOT-FOR-US: Samsung mobile devices
 CVE-2015-8545
RESERVED
 CVE-2015-8544 (NetApp SnapDrive for Windows before 7.0.2P4, 7.0.3, and 7.1 
before 7.1 ...)
@@ -230125,7 +230125,7 @@ CVE-2015-5526
 CVE-2015-5525
RESERVED
 CVE-2015-5524 (An issue was discovered on Samsung mobile devices with KK(4.4) 
and lat ...)
-   TODO: check
+   NOT-FOR-US: Samsung mobile devices
 CVE-2015-5531 (Directory traversal vulnerability in Elasticsearch before 1.6.1 
allows ...)
- elasticsearch 1.6.1+dfsg-1 (bug #792617)
[jessie] - elasticsearch  (No longer supported, see DSA 
3389)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a78aa9103763bc2b0f89c470eab8c9edb55229b5
