[Git][security-tracker-team/security-tracker][master] Claim awl
Sebastien Delafond pushed to branch master at Debian Security Tracker / security-tracker Commits: c0e5c06a by Sébastien Delafond at 2020-04-21T07:56:13+02:00 Claim awl - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -12,8 +12,9 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. -- -awl +awl (seb) Maintainer proposed update + 2020-04-21: jmm already reviewed -- chromium -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0e5c06ab73254846c39b5d5512beffe0830fff6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0e5c06ab73254846c39b5d5512beffe0830fff6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
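Review bot: the two notes added under awl are inconsistent in form: "Maintainer proposed update" carries no date while "2020-04-21: jmm already reviewed" does, and neither says where the proposed update lives (debdiff on a bug, upload to security-master, ...) or what exactly jmm reviewed. Date both lines and point at the artefact that was reviewed, e.g. "2020-04-21: maintainer proposed update (<where>), reviewed by jmm", so the next person picking this up can act without asking around.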
[Git][security-tracker-team/security-tracker][master] Add tracking for CVE-2020-10687 associated with undertow
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c33b916f by Salvatore Bonaccorso at 2020-04-21T06:30:34+02:00 Add tracking for CVE-2020-10687 associated with undertow - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4244,6 +4244,8 @@ CVE-2020-10688 TODO: check details, not much information provided by Red Hat. CVE-2020-10687 RESERVED + - undertow + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1785049 CVE-2020-10686 RESERVED CVE-2020-10685 [modules which use files encrypted with vault are not properly cleaned up] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c33b916f58c8e962706d98cf6d10e1c8cb3021d0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c33b916f58c8e962706d98cf6d10e1c8cb3021d0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
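Review bot: the new undertow line has no version, no severity tag and no TODO, so the entry reads as an open, unfixed issue in every suite with nothing for anyone to act on; the only reference is the Red Hat bugzilla, which may not be publicly readable while the CVE is still RESERVED. Add a TODO in the style of CVE-2020-10688 directly above ("TODO: check details, not much information provided by Red Hat.") or the severity/affected-version information once the bug is public, so this does not sit silently on the unfixed list.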
[Git][security-tracker-team/security-tracker][master] Sync status for some src:linux issues with kernel-sec
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: adc88418 by Salvatore Bonaccorso at 2020-04-20T23:13:46+02:00 Sync status for some src:linux issues with kernel-sec - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4162,8 +4162,8 @@ CVE-2020-10709 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1824033 CVE-2020-10708 [race condition in kernel/audit.c may allow low privilege users trigger kernel panic] RESERVED - - linux - TODO: further check in kernel-sec + - linux (unimportant) + NOTE: Disputed and negligigle imapct CVE-2020-10707 REJECTED CVE-2020-10706 @@ -8130,6 +8130,8 @@ CVE-2020-8993 RESERVED CVE-2020-8992 (ext4_protect_reserved_inode in fs/ext4/block_validity.c in the Linux k ...) - linux 5.5.13-1 + [stretch] - linux (Vulnerable code not present) + [jessie] - linux (Vulnerable code not present) NOTE: https://patchwork.ozlabs.org/patch/1236118/ CVE-2020-8991 (** DISPUTED ** vg_lookup in daemons/lvmetad/lvmetad-core.c in LVM2 2.0 ...) - lvm2 2.03.01-2 @@ -8505,6 +8507,7 @@ CVE-2020-8833 RESERVED CVE-2020-8832 (The fix for the Linux kernel in Ubuntu 18.04 LTS for CVE-2019-14615 (" ...) - linux 4.16.5-1 + [jessie] - linux (No support for this hardware) NOTE: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1862840 NOTE: The CVE is for an incomplete fix for CVE-2019-14615 which technically only NOTE: affects upstream versions (and downstreams) which applied the fix fo 
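Review bot: the NOTE added for CVE-2020-10708 has two typos ("negligigle imapct" for "negligible impact"); this text is rendered on the public tracker page, so fix it before the next sync. In the same change, the [stretch]/[jessie] lines for CVE-2020-8992 and the [jessie] line for CVE-2020-8832 carry only a free-text reason ("Vulnerable code not present", "No support for this hardware") without the explicit <not-affected> marker; check how the tracker parses a bare "- linux (...)" release line, because if it is treated as unfixed these suites will show as vulnerable despite the comment.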
@@ -22719,7 +22722,7 @@ CVE-2019-19769 (In the Linux kernel 5.3.10, there is a use-after-free (read) in NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=205705 NOTE: https://git.kernel.org/linus/6d390e4b5d48ec03bb87e63cf0a2bff5f4e116da CVE-2019-19768 (In the Linux kernel 5.4.0-rc2, there is a use-after-free (read) in the ...) - - linux + - linux 5.5.13-1 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=205711 CVE-2019-19767 (The Linux kernel before 5.4.2 mishandles ext4_expand_extra_isize, as d ...) {DLA-2114-1 DLA-2068-1} @@ -27162,7 +27165,8 @@ CVE-2019-19321 CVE-2019-19320 RESERVED CVE-2019-19319 (In the Linux kernel 5.0.21, a setxattr operation, after a mount of a c ...) - - linux 5.3.15-1 + - linux 5.2.6-1 + [buster] - linux 4.19.87-1 CVE-2019-19318 (In the Linux kernel 5.3.11, mounting a crafted btrfs image twice can c ...) - linux 5.4.6-1 CVE-2019-19317 (lookupName in resolve.c in SQLite 3.30.1 omits bits from the colUsed b ...) @@ -28381,6 +28385,8 @@ CVE-2019-18886 (An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to NOTE: Fixed by: https://github.com/symfony/symfony/commit/7bd4a92fc9cc15d9a9fbb9eb1041e01b977f8332 (v4.2.12) CVE-2019-18885 (fs/btrfs/volumes.c in the Linux kernel before 5.1 allows a btrfs_verif ...) - linux 5.2.6-1 + [stretch] - linux (Vulnerable code not present) + [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/09ba3bc9dd150457c506e4661380a6183af651c1 (5.1-rc1) CVE-2019-18884 (index.php/team_members/add_team_member in RISE Ultimate Project Manage ...) NOT-FOR-US: RISE 
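Review bot: CVE-2019-19319's fixed version moves from 5.3.15-1 back to 5.2.6-1 with a [buster] fix in 4.19.87-1; that is a claim that the fix landed earlier upstream than previously recorded, so the entry should carry a NOTE with the upstream commit (CVE-2019-19768 and CVE-2019-18885 in the same change do this via bugzilla.kernel.org and git.kernel.org links) to justify the earlier version. The [stretch]/[jessie] "Vulnerable code not present" lines for CVE-2019-18885 again omit the <not-affected> marker; same concern as for the earlier hunks.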
@@ -33434,6 +33440,9 @@ CVE-2020-0042 (In fpc_ta_hw_auth_unwrap_key of fpc_ta_hw_auth_qsee.c, there is a NOT-FOR-US: FPC components for Android CVE-2020-0041 (In binder_transaction of binder.c, there is a possible out of bounds w ...) - linux 5.4.6-1 + [buster] - linux (Vulnerability introduced later) + [stretch] - linux (Vulnerability introduced later) + [jessie] - linux (Vulnerability introduced later) NOTE: https://git.kernel.org/linus/16981742717b04644a41052570fb502682a315d2 CVE-2020-0040 RESERVED @@ -33504,6 +33513,7 @@ CVE-2020-0010 (In fpc_ta_get_build_info of fpc_ta_kpi.c, there is a possible out NOT-FOR-US: FPC components for Android CVE-2020-0009 (In calc_vm_may_flags of ashmem.c, there is a possible arbitrary write ...) - linux 5.5.13-1 + [jessie] - linux (Driver is not enabled or supported) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1949 CVE-2020-0008 (In LowEnergyClient::MtuChangedCallback of low_energy_client.cc, there ...) NOT-FOR-US: Android View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/adc884184fb84e01edff7d093d265e898bcb3e36 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/adc884184fb84e01edff7d093d265e898bcb3e36 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list
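Review bot: for CVE-2020-0041 all three of buster, stretch and jessie get "(Vulnerability introduced later)", and CVE-2020-0009 gets "(Driver is not enabled or supported)" for jessie, but none of these lines uses the <not-affected> marker and none cites the introducing commit; add a NOTE pointing at the upstream commit that introduced the binder bug (only the fix, 16981742717b, is referenced) so the "introduced later" claim can be re-checked when the suite kernels pick up further stable backports.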
[Git][security-tracker-team/security-tracker][master] Process some more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fd33e83d by Salvatore Bonaccorso at 2020-04-20T22:29:49+02:00 Process some more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1294,7 +1294,7 @@ CVE-2020-11755 CVE-2020-11754 RESERVED CVE-2020-11753 (An issue was discovered in Sonatype Nexus Repository Manager in versio ...) - TODO: check + NOT-FOR-US: Sonatype CVE-2020-11752 RESERVED CVE-2020-11751 @@ -16020,7 +16020,7 @@ CVE-2020-5571 CVE-2020-5570 RESERVED CVE-2020-5569 (An unquoted search path vulnerability exists HDD Password tool (for Wi ...) - TODO: check + NOT-FOR-US: HDD Password tool (CANVIO) CVE-2020-5568 RESERVED CVE-2020-5567 @@ -16676,7 +16676,7 @@ CVE-2020-5295 CVE-2020-5294 (PrestaShop module ps_facetedsearch versions before 2.1.0 has a reflect ...) NOT-FOR-US: PrestaShop CVE-2020-5293 (In PrestaShop between versions 1.7.0.0 and 1.7.6.5, there are improper ...) - TODO: check + NOT-FOR-US: PrestaShop CVE-2020-5292 (Leantime before versions 2.0.15 and 2.1-beta3 has a SQL Injection vuln ...) NOT-FOR-US: Leantime CVE-2020-5290 (In RedpwnCTF before version 2.3, there is a session fixation vulnerabi ...) 
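Review bot: the NOT-FOR-US label for CVE-2020-5569, "HDD Password tool (CANVIO)", names the product but not the vendor, unlike "NOT-FOR-US: Sonatype" in the first hunk; since the description is truncated to "HDD Password tool (for Wi", include the vendor name in the label so a later vendor-wide grep during triage matches this entry.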
@@ -16684,13 +16684,13 @@ CVE-2020-5290 (In RedpwnCTF before version 2.3, there is a session fixation vuln CVE-2020-5289 (In Elide before 4.5.14, it is possible for an adversary to "guess and ...) NOT-FOR-US: Elide CVE-2020-5288 ("In PrestaShop between versions 1.7.0.0 and 1.7.6.5, there is improper ...) - TODO: check + NOT-FOR-US: PrestaShop CVE-2020-5287 (In PrestaShop between versions 1.5.5.0 and 1.7.6.5, there is improper ...) - TODO: check + NOT-FOR-US: PrestaShop CVE-2020-5286 (In PrestaShop between versions 1.7.4.0 and 1.7.6.5, there is a reflect ...) - TODO: check + NOT-FOR-US: PrestaShop CVE-2020-5285 (In PrestaShop between versions 1.7.6.0 and 1.7.6.5, there is a reflect ...) - TODO: check + NOT-FOR-US: PrestaShop CVE-2020-5284 (Next.js versions before 9.3.2 have a directory traversal vulnerability ...) NOT-FOR-US: next.js CVE-2020-5283 (ViewVC before versions 1.1.28 and 1.2.1 has a XSS vulnerability in CVS ...) @@ -16708,13 +16708,13 @@ CVE-2020-5281 (In Perun before version 3.9.1, VO or group manager can modify con CVE-2020-5280 (http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file i ...) NOT-FOR-US: http4s CVE-2020-5279 (In PrestaShop between versions 1.5.0.0 and 1.7.6.5, there are improper ...) - TODO: check + NOT-FOR-US: PrestaShop CVE-2020-5278 (In PrestaShop between versions 1.5.4.0 and 1.7.6.5, there is a reflect ...) - TODO: check + NOT-FOR-US: PrestaShop CVE-2020-5277 (PrestaShop module ps_facetedsearch versions before 3.5.0 has a reflect ...) NOT-FOR-US: PrestaShop CVE-2020-5276 (In PrestaShop between versions 1.7.1.0 and 1.7.6.5, there is a reflect ...) - TODO: check + NOT-FOR-US: PrestaShop CVE-2020-5275 (In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Fire ...) - symfony [buster] - symfony (Introduced in 4.4.0) 
@@ -16733,13 +16733,13 @@ CVE-2020-5274 (In Symfony before versions 5.0.5 and 4.4.5, some properties of th CVE-2020-5273 (In PrestaShop module ps_linklist versions before 3.1.0, there is a sto ...) NOT-FOR-US: PrestaShop CVE-2020-5272 (In PrestaShop between versions 1.5.5.0 and 1.7.6.5, there is a reflect ...) - TODO: check + NOT-FOR-US: PrestaShop CVE-2020-5271 (In PrestaShop between versions 1.6.0.0 and 1.7.6.5, there is a reflect ...) - TODO: check + NOT-FOR-US: PrestaShop CVE-2020-5270 (In PrestaShop between versions 1.7.6.0 and 1.7.6.5, there is an open r ...) - TODO: check + NOT-FOR-US: PrestaShop CVE-2020-5269 (In PrestaShop between versions 1.7.6.1 and 1.7.6.5, there is a reflect ...) - TODO: check + NOT-FOR-US: PrestaShop CVE-2020-5268 RESERVED CVE-2020-5267 (In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible ...) @@ -16752,9 +16752,9 @@ CVE-2020-5267 (In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a pos CVE-2020-5266 (In the ps_link module for PrestaShop before version 3.1.0, there is a ...) NOT-FOR-US: PrestaShop CVE-2020-5265 (In PrestaShop between versions 1.7.6.1 and 1.7.6.5, there is a reflect ...) - TODO: check + NOT-FOR-US: PrestaShop CVE-2020-5264 (In PrestaShop before version 1.7.6.5, there is a reflected XSS while r ...) - TODO: check + NOT-FOR-US: PrestaShop CVE-2020-5263 (auth0.js (NPM package auth0-js) greater than version 8.0.0 and before ...) NOT-FOR-US: Node auth0-js CVE-2020-5262 (In EasyBuild before version 4.1.2, the
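Review bot: the PrestaShop core entries (CVE-2020-5264 through CVE-2020-5293) are all flipped from "TODO: check" to "NOT-FOR-US: PrestaShop" in one sweep; that matches the existing ps_facetedsearch and ps_linklist entries, so the label is consistent. The one thing worth a second look is CVE-2020-5275 in the surrounding context, which stays assigned to symfony with "[buster] - symfony (Introduced in 4.4.0)": that buster line lacks the <not-affected> marker the tracker uses for the "not affected" state, so confirm it renders as intended.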
[Git][security-tracker-team/security-tracker][master] take ATS
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5b12b561 by Moritz Muehlenhoff at 2020-04-20T22:25:06+02:00 take ATS - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -52,7 +52,7 @@ tomcat8/oldstable -- tomcat9/stable -- -trafficserver +trafficserver (jmm) -- xcftools (hle) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b12b561f10d1cf2549623a11a04f73925e4dbd2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b12b561f10d1cf2549623a11a04f73925e4dbd2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
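Review bot: trafficserver is claimed without a release qualifier while the neighbouring tomcat8/oldstable and tomcat9/stable entries carry one; per the file header ("If needed, specify the release by adding a slash after the name of the source package"), add /stable or /oldstable if only one suite needs the update, and consider a short note naming the CVEs the update will cover, as the nss/oldstable entry does.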
[Git][security-tracker-team/security-tracker][master] take nodejs, openjdks
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 02a984e8 by Moritz Muehlenhoff at 2020-04-20T22:22:01+02:00 take nodejs, openjdks - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -29,11 +29,15 @@ linux (carnil) -- mercurial/oldstable -- -nodejs +nodejs (jmm) -- nss/oldstable (jmm) Roberto proposed an update including fixes for CVE-2018-12404 and CVE-2018-18508 -- +openjdk-8 (jmm) +-- +openjdk-11 (jmm) +-- poppler (jmm) -- python-reportlab (hle) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02a984e82fbcc06f09a444c8c7237e600bb616b7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02a984e82fbcc06f09a444c8c7237e600bb616b7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
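Review bot: openjdk-8 and openjdk-11 are added as new claimed entries with no release qualifier and no note; the two source packages are unlikely to be shipped in the same suites, so add the /stable or /oldstable suffix per the file header and a one-line note listing the CVEs to be fixed (the nss/oldstable entry in the same context shows the expected form).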
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d573d422 by Moritz Muehlenhoff at 2020-04-20T22:21:15+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -303,67 +303,67 @@ CVE-2018-21094 CVE-2018-21093 RESERVED CVE-2017-18852 (Certain NETGEAR devices are affected by CSRF and authentication bypass ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18851 (Certain NETGEAR devices are affected by command injection by an authen ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18850 (Certain NETGEAR devices are affected by authentication bypass. This af ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18849 (Certain NETGEAR devices are affected by command injection. This affect ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18848 (Certain NETGEAR devices are affected by CSRF. This affects R6300v2 bef ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18847 (Certain NETGEAR devices are affected by an attacker's ability to read ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18846 (Certain NETGEAR devices are affected by a stack-based buffer overflow. ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18845 (Certain NETGEAR devices are affected by disclosure of administrative c ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18844 (Certain NETGEAR devices are affected by disclosure of administrative c ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18843 (Certain NETGEAR devices are affected by disclosure of administrative c ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18842 (Certain NETGEAR devices are affected by CSRF. This affects R7300 befor ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18841 (Certain NETGEAR devices are affected by command injection. This affect ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18840 (Certain NETGEAR devices are affected by denial of service. This affect ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18839 (Certain NETGEAR devices are affected by stored XSS. This affects M4300 ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18838 (Certain NETGEAR devices are affected by privilege escalation. This aff ...) 
- TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18837 (Certain NETGEAR devices are affected by vertical privilege escalation. ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18836 (Certain NETGEAR devices are affected by denial of service. This affect ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18835 (Certain NETGEAR devices are affected by reflected XSS. This affects M4 ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18834 (Certain NETGEAR devices are affected by reflected XSS. This affects M4 ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18833 (Certain NETGEAR devices are affected by reflected XSS. This affects M4 ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18832 (Certain NETGEAR devices are affected by stored XSS. This affects M4300 ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18831 (Certain NETGEAR devices are affected by stored XSS. This affects M4300 ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18830 (Certain NETGEAR devices are affected by vertical privilege escalation. ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18829 (Certain NETGEAR devices are affected by vertical privilege escalation. ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18828 (Certain NETGEAR devices are affected by stored XSS. This affects M4300 ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18827 (Certain NETGEAR devices are affected by stored XSS. This affects M4300 ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18826 (Certain NETGEAR devices are affected by vertical privilege escalation. ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18825 (Certain NETGEAR devices are affected by stored XSS. This affects M4300 ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18824 (Certain NETGEAR devices are affected by directory traversal. This affe ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18823 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) 
- TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18822 (Certain NETGEAR devices are affected by vertical privilege escalation. ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2017-18821 RESERVED CVE-2017-18820 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d573d4228f66d840f7d67f3abc22d626ef25142c -- View it on GitLab:
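Review bot: thirty-one entries (CVE-2017-18822 through CVE-2017-18852) are flipped to "NOT-FOR-US: NETGEAR" in one hunk; every truncated description starts with "Certain NETGEAR devices", so the label follows the existing convention. Two small points: the commit message "NFUs" gives no hint of the range, so name it in the message to make later audits of bulk triage easier, and spot-check CVE-2017-18847 ("attacker's ability to read ...") and CVE-2017-18823 ("incorrect configuration of sec..."), whose descriptions are cut before the affected component is visible.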
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 753b510d by security tracker role at 2020-04-20T20:10:26+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,619 @@ +CVE-2020-11943 + RESERVED +CVE-2020-11942 + RESERVED +CVE-2020-11941 + RESERVED +CVE-2020-11940 + RESERVED +CVE-2020-11939 + RESERVED +CVE-2020-11938 + RESERVED +CVE-2020-11937 + RESERVED +CVE-2020-11936 + RESERVED +CVE-2020-11935 + RESERVED +CVE-2020-11934 + RESERVED +CVE-2020-11933 + RESERVED +CVE-2020-11932 + RESERVED +CVE-2020-11931 + RESERVED +CVE-2018-21231 + RESERVED +CVE-2018-21230 + RESERVED +CVE-2018-21229 + RESERVED +CVE-2018-21228 + RESERVED +CVE-2018-21227 + RESERVED +CVE-2018-21226 + RESERVED +CVE-2018-21225 + RESERVED +CVE-2018-21224 + RESERVED +CVE-2018-21223 + RESERVED +CVE-2018-21222 + RESERVED +CVE-2018-21221 + RESERVED +CVE-2018-21220 + RESERVED +CVE-2018-21219 + RESERVED +CVE-2018-21218 + RESERVED +CVE-2018-21217 + RESERVED +CVE-2018-21216 + RESERVED +CVE-2018-21215 + RESERVED +CVE-2018-21214 + RESERVED +CVE-2018-21213 + RESERVED +CVE-2018-21212 + RESERVED +CVE-2018-21211 + RESERVED +CVE-2018-21210 + RESERVED +CVE-2018-21209 + RESERVED +CVE-2018-21208 + RESERVED +CVE-2018-21207 + RESERVED +CVE-2018-21206 + RESERVED +CVE-2018-21205 + RESERVED +CVE-2018-21204 + RESERVED +CVE-2018-21203 + RESERVED +CVE-2018-21202 + RESERVED +CVE-2018-21201 + RESERVED +CVE-2018-21200 + RESERVED +CVE-2018-21199 + RESERVED +CVE-2018-21198 + RESERVED +CVE-2018-21197 + RESERVED +CVE-2018-21196 + RESERVED +CVE-2018-21195 + RESERVED +CVE-2018-21194 + RESERVED +CVE-2018-21193 + RESERVED +CVE-2018-21192 + RESERVED +CVE-2018-21191 + RESERVED +CVE-2018-21190 + RESERVED +CVE-2018-21189 + RESERVED +CVE-2018-21188 + RESERVED +CVE-2018-21187 + RESERVED +CVE-2018-21186 + RESERVED +CVE-2018-21185 + RESERVED +CVE-2018-21184 + RESERVED +CVE-2018-21183 + RESERVED +CVE-2018-21182 + RESERVED +CVE-2018-21181 + RESERVED +CVE-2018-21180 + RESERVED +CVE-2018-21179 + RESERVED +CVE-2018-21178 + RESERVED +CVE-2018-21177 + RESERVED +CVE-2018-21176 + RESERVED +CVE-2018-21175 + RESERVED +CVE-2018-21174 + RESERVED +CVE-2018-21173 + RESERVED +CVE-2018-21172 + RESERVED 
+CVE-2018-21171 + RESERVED +CVE-2018-21170 + RESERVED +CVE-2018-21169 + RESERVED +CVE-2018-21168 + RESERVED +CVE-2018-21167 + RESERVED +CVE-2018-21166 + RESERVED +CVE-2018-21165 + RESERVED +CVE-2018-21164 + RESERVED +CVE-2018-21163 + RESERVED +CVE-2018-21162 + RESERVED +CVE-2018-21161 + RESERVED +CVE-2018-21160 + RESERVED +CVE-2018-21159 + RESERVED +CVE-2018-21158 + RESERVED +CVE-2018-21157 + RESERVED +CVE-2018-21156 + RESERVED +CVE-2018-21155 + RESERVED +CVE-2018-21154 + RESERVED +CVE-2018-21153 + RESERVED +CVE-2018-21152 + RESERVED +CVE-2018-21151 + RESERVED +CVE-2018-21150 + RESERVED +CVE-2018-21149 + RESERVED +CVE-2018-21148 + RESERVED +CVE-2018-21147 + RESERVED +CVE-2018-21146 + RESERVED +CVE-2018-21145 + RESERVED +CVE-2018-21144 + RESERVED +CVE-2018-21143 + RESERVED +CVE-2018-21142 + RESERVED +CVE-2018-21141 + RESERVED +CVE-2018-21140 + RESERVED +CVE-2018-21139 + RESERVED +CVE-2018-21138 + RESERVED +CVE-2018-21137 + RESERVED +CVE-2018-21136 + RESERVED +CVE-2018-21135 + RESERVED +CVE-2018-21134 + RESERVED +CVE-2018-21133 + RESERVED +CVE-2018-21132 + RESERVED +CVE-2018-21131 + RESERVED +CVE-2018-21130 + RESERVED +CVE-2018-21129 + RESERVED +CVE-2018-21128 + RESERVED +CVE-2018-21127 + RESERVED +CVE-2018-21126 + RESERVED +CVE-2018-21125 + RESERVED +CVE-2018-21124 + RESERVED +CVE-2018-21123 + RESERVED +CVE-2018-21122 + RESERVED +CVE-2018-21121 + RESERVED +CVE-2018-21120 + RESERVED +CVE-2018-21119 + RESERVED +CVE-2018-21118 + RESERVED +CVE-2018-21117 + RESERVED +CVE-2018-21116 + RESERVED +CVE-2018-21115 + RESERVED +CVE-2018-21114 + RESERVED +CVE-2018-21113 + RESERVED +CVE-2018-21112 + RESERVED +CVE-2018-2 + RESERVED +CVE-2018-21110 + RESERVED +CVE-2018-21109 + RESERVED +CVE-2018-21108 + RESERVED +CVE-2018-21107 + RESERVED +CVE-2018-21106 + RESERVED +CVE-2018-21105 + RESERVED +CVE-2018-21104 +
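Review bot: the entry "+CVE-2018-2" sandwiched between CVE-2018-21112 and CVE-2018-21110 is not a well-formed identifier as displayed (its neighbours are all in the CVE-YYYY-NNNNN form); verify whether this is an artefact of the mail rendering or a malformed line written by the automatic update, since a bad key in data/CVE/list will either trip the tracker's parser or create a stray entry. The hunk header advertises 619 added lines but the mail shows only a fraction of them, so the check has to be made against the committed file rather than this diff.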
[Git][security-tracker-team/security-tracker][master] Associate CVE-2019-1002162 with atomic-reactor
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ddb1b24e by Salvatore Bonaccorso at 2020-04-20T21:13:37+02:00 Associate CVE-2019-1002162 with atomic-reactor The issue appears rather in use of atomic-reactor, where its use of skopeo was changed to use the authfile option instead of using username and password to authenticate and so not leaking credentials in the logs for atomic-reactor. Cf. https://github.com/containerbuildsystem/atomic-reactor/pull/1186 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -56862,7 +56862,7 @@ CVE-2019-10263 (An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1 CVE-2019-10262 (A SQL Injection issue was discovered in BlueCMS 1.6. The variable $ad_ ...) NOT-FOR-US: BlueCMS CVE-2019-1002162 - - skopeo + NOT-FOR-US: atomic-reactor CVE-2019-1002101 (The kubectl cp command allows copying files between containers and the ...) - kubernetes (Vulnerable code introduced later) NOTE: Introduced by: https://github.com/kubernetes/kubernetes/commit/b1f85e2dfec6e64d8e1bc272251277df0058ab20 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ddb1b24e42da04690b2075ff1b8aab0e64e03fbd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ddb1b24e42da04690b2075ff1b8aab0e64e03fbd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
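Review bot: replacing "- skopeo" with "NOT-FOR-US: atomic-reactor" removes the only package association, and the reasoning (the fix was in atomic-reactor switching to skopeo's authfile option instead of passing username and password, so credentials no longer reach its logs) lives only in the commit message; add a NOTE line with the atomic-reactor PR URL (https://github.com/containerbuildsystem/atomic-reactor/pull/1186) to the entry so the decision is visible on the tracker page and can be revisited if skopeo as packaged in Debian turns out to expose credentials the same way.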
[Git][security-tracker-team/security-tracker][master] Reference advisory for CVE-2020-11008/git
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eba95904 by Salvatore Bonaccorso at 2020-04-20T21:03:37+02:00 Reference advisory for CVE-2020-11008/git - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2608,6 +2608,7 @@ CVE-2020-11008 RESERVED - git 1:2.26.2-1 NOTE: https://lore.kernel.org/lkml/xmqq4kterq5s@gitster.c.googlers.com/ + NOTE: https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7 NOTE: Fixed by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=a88dbd2f8c7fd8c1e2f63483da03bd6928e8791f NOTE: Fixed by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=73aafe9bc27585554181c58871a25e6d0f58a3dc NOTE: Fixed by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=24036686c4af84c9e84e486ef3debab6e6d8e6b5 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eba95904318a6e17cbc5ff7c1542731bd100292c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eba95904318a6e17cbc5ff7c1542731bd100292c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
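Review bot: the GHSA advisory is a more durable canonical reference for CVE-2020-11008 than the lkml thread, so consider listing it first among the NOTE lines; otherwise nothing blocking. The entry still reads RESERVED alongside a fixed unstable version, which is fine until MITRE publishes the description.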
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for git update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5016338a by Salvatore Bonaccorso at 2020-04-20T20:43:23+02:00 Reserve DSA number for git update - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[20 Apr 2020] DSA-4659-1 git - security update + {CVE-2020-11008} + [stretch] - git 1:2.11.0-3+deb9u7 + [buster] - git 1:2.20.1-2+deb10u3 [16 Apr 2020] DSA-4658-1 webkit2gtk - security update {CVE-2020-11793} [buster] - webkit2gtk 2.26.4-1~deb10u3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5016338a4bff958fb4d80386321d1f9cc92f4f47 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5016338a4bff958fb4d80386321d1f9cc92f4f47 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
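Review bot: the DSA-4659-1 entry is dated 20 Apr 2020 and reserved ahead of the release, with stretch 1:2.11.0-3+deb9u7 and buster 1:2.20.1-2+deb10u3; make sure the date is bumped if the advisory goes out on a later day, and that the CVE-2020-11008 entry in data/CVE/list gets the matching {DSA-4659-1} cross-reference once published, since the CVE entry in this series so far lists only the unstable version 1:2.26.2-1.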
[Git][security-tracker-team/security-tracker][master] CVE-2020-11008/git fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f9033ef2 by Salvatore Bonaccorso at 2020-04-20T20:35:24+02:00 CVE-2020-11008/git fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2606,7 +2606,7 @@ CVE-2020-11009 RESERVED CVE-2020-11008 RESERVED - - git + - git 1:2.26.2-1 NOTE: https://lore.kernel.org/lkml/xmqq4kterq5s@gitster.c.googlers.com/ NOTE: Fixed by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=a88dbd2f8c7fd8c1e2f63483da03bd6928e8791f NOTE: Fixed by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=73aafe9bc27585554181c58871a25e6d0f58a3dc View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f9033ef29aab02516b8116cf17d039d48cad0acf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f9033ef29aab02516b8116cf17d039d48cad0acf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add upstream announce for CVE-2020-11008/git
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8dca5f07 by Salvatore Bonaccorso at 2020-04-20T20:27:12+02:00 Add upstream announce for CVE-2020-11008/git - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2607,6 +2607,7 @@ CVE-2020-11009 CVE-2020-11008 RESERVED - git + NOTE: https://lore.kernel.org/lkml/xmqq4kterq5s@gitster.c.googlers.com/ NOTE: Fixed by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=a88dbd2f8c7fd8c1e2f63483da03bd6928e8791f NOTE: Fixed by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=73aafe9bc27585554181c58871a25e6d0f58a3dc NOTE: Fixed by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=24036686c4af84c9e84e486ef3debab6e6d8e6b5 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8dca5f07b4c406d8de6928a9416861a7f2c4217c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8dca5f07b4c406d8de6928a9416861a7f2c4217c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Add CVE-2020-11008/git
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 24fb0453 by Salvatore Bonaccorso at 2020-04-20T17:03:21+02:00 Add CVE-2020-11008/git - - - - - dc14c105 by Salvatore Bonaccorso at 2020-04-20T20:25:57+02:00 Merge branch embargoed/git-CVE-2020-11008 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -2606,6 +2606,16 @@ CVE-2020-11009 RESERVED CVE-2020-11008 RESERVED + - git + NOTE: Fixed by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=a88dbd2f8c7fd8c1e2f63483da03bd6928e8791f + NOTE: Fixed by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=73aafe9bc27585554181c58871a25e6d0f58a3dc + NOTE: Fixed by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=24036686c4af84c9e84e486ef3debab6e6d8e6b5 + NOTE: Fixed by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=8ba8ed568e2a3b75ee84c49ddffb026fde1a0a91 + NOTE: Fixed by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=a2b26ffb1a81aa23dd14453f4db05d8fe24ee7cc + NOTE: Fixed by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=fe29a9b7b0236d3d45c254965580d6aff7fa8504 + NOTE: Fixed by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=c44088ecc4b0722636e0a305f9608d3047197282 + NOTE: Fixed by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=e7fab62b736cca3416660636e46f0be8386a5030 + NOTE: Fixed by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=1a3609e402a062ef7b11f197fe96c28cabca132c CVE-2020-11007 (In Shopizer before version 2.11.0, using API or Controller based versi ...) NOT-FOR-US: Shopizer CVE-2020-11006 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/16708ea693e86313569034cd91f64069a8b24390...dc14c10505aeb5ffd9c09b5f2954f62c2b1082b6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/16708ea693e86313569034cd91f64069a8b24390...dc14c10505aeb5ffd9c09b5f2954f62c2b1082b6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
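Review bot: nine "Fixed by" commit URLs are listed for CVE-2020-11008 with no upstream version range, so a reader cannot tell which git release contains the complete fix without opening each commit; add a NOTE naming the fixing upstream releases (or the upstream announcement) next to the commit list. As committed, the bare "- git" line also reads as unfixed everywhere including unstable, so the fixed version should follow as soon as the upload lands.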
[Git][security-tracker-team/security-tracker][master] Reference upstream change for CVE-2020-11868/ntp
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 16708ea6 by Salvatore Bonaccorso at 2020-04-20T20:22:57+02:00 Reference upstream change for CVE-2020-11868/ntp - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -141,6 +141,7 @@ CVE-2020-11868 (ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an o - ntpsec (Doesn't affect ntpsec per upstream, #958027) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3592 NOTE: http://bugs.ntp.org/3592 + NOTE: http://bk.ntp.org/ntp-stable/?PAGE=patch=5df73278nIf5dNbaR_vTeCY43_h7Vg NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1716665 NOTE: https://gitlab.com/NTPsec/ntpsec/issues/651 CVE-2020-11867 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16708ea693e86313569034cd91f64069a8b24390 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16708ea693e86313569034cd91f64069a8b24390 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
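Review bot: the added bk.ntp.org URL has the form "?PAGE=patch=5df73278...", i.e. a query string with two "=" and no "&"-separated parameter, which does not look like a well-formed BitKeeper web URL; verify that it resolves to the intended changeset and fix the parameter separator if it does not. The other NOTE lines in this entry are bug-tracker links, so this is the only pointer to the upstream change itself and needs to be correct.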
[Git][security-tracker-team/security-tracker][master] ntpsec n/a
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 53d8e3d7 by Moritz Muehlenhoff at 2020-04-20T19:07:28+02:00 ntpsec n/a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -138,10 +138,11 @@ CVE-2020-11868 (ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an o - ntp 1:4.2.8p14+dfsg-1 [buster] - ntp (Minor issue) [stretch] - ntp (Minor issue) - - ntpsec (bug #958027) + - ntpsec (Doesn't affect ntpsec per upstream, #958027) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3592 NOTE: http://bugs.ntp.org/3592 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1716665 + NOTE: https://gitlab.com/NTPsec/ntpsec/issues/651 CVE-2020-11867 RESERVED CVE-2020-11866 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/53d8e3d73b899322ec3276785fa7a0008512f3d5
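Review bot: the ntpsec line is still a plain `- ntpsec (...)` entry, so despite the new wording in the parenthesis the tracker will keep listing ntpsec as affected by CVE-2020-11868. If upstream says the code is not affected, the line should carry the tracker's not-affected marker, i.e. `- ntpsec <not-affected> (Doesn't affect ntpsec per upstream, #958027)`, which closes the issue for that source package while keeping the bug reference and the NTPsec issue link added below it.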
[Git][security-tracker-team/security-tracker][master] Add note for ntp
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: bfa66648 by Utkarsh Gupta at 2020-04-20T22:25:39+05:30 Add note for ntp - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -54,7 +54,8 @@ mumble (Abhijith PA) nginx (Mike Gabriel) -- ntp (Adrian Bunk) - NOTE: 20200420: no patch available yet + NOTE: 20200420: no patch available yet (alteholz) + NOTE: 20200420: pinged ntp security team for relevant commits (utkarsh) -- opendmarc (Thorsten Alteholz) NOTE: 20200420: still testing package, original patch does not seem to be enough, still ongoing View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bfa66648d1c2dbc3e64a4541a1e4b183a7c4cdeb
[Git][security-tracker-team/security-tracker][master] skopeo entered the archive, move from itp status to unfixed for further checks
László Böszörményi pushed to branch master at Debian Security Tracker / security-tracker Commits: e979f601 by Laszlo Boszormenyi (GCS) at 2020-04-20T16:45:20+00:00 skopeo entered the archive, move from itp status to unfixed for further checks - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -56848,7 +56848,7 @@ CVE-2019-10263 (An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1 CVE-2019-10262 (A SQL Injection issue was discovered in BlueCMS 1.6. The variable $ad_ ...) NOT-FOR-US: BlueCMS CVE-2019-1002162 - - skopeo (bug #880199) + - skopeo CVE-2019-1002101 (The kubectl cp command allows copying files between containers and the ...) - kubernetes (Vulnerable code introduced later) NOTE: Introduced by: https://github.com/kubernetes/kubernetes/commit/b1f85e2dfec6e64d8e1bc272251277df0058ab20 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e979f601bbe636bbc7f8b4de7d72cbde881fe3df
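Review bot: dropping the `(bug #880199)` marker is what clears the `ITPed package skopeo is in the archive` check that failed for the two earlier pushes (see the "Processing ... failed" notices on this page), but the resulting bare `- skopeo` line records CVE-2019-1002162 as unfixed with no note on what the "further checks" are. Add a `TODO: check` or a NOTE stating which skopeo version entered the archive and whether it already contains the upstream fix, so the next triager knows what is left to verify rather than finding an open issue with no context.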
Processing 9ab4df7bc62bead1d4eaa2acc0c73379c02d395f failed
The error message was: data/CVE/list:56850: ITPed package skopeo is in the archive make: *** [Makefile:34: all] Error 1
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: bf017044 by Moritz Muehlenhoff at 2020-04-20T18:37:32+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30817,9 +30817,9 @@ CVE-2020-0560 (Improper permissions in the installer for the Intel(R) Renesas El CVE-2020-0559 RESERVED CVE-2020-0558 (Improper buffer restrictions in kernel mode driver for Intel(R) PROSet ...) - TODO: check + NOT-FOR-US: Intel CVE-2020-0557 (Insecure inherited permissions in Intel(R) PROSet/Wireless WiFi produc ...) - TODO: check + NOT-FOR-US: Intel CVE-2020-0556 (Improper access control in subsystem for BlueZ before version 5.54 may ...) {DSA-4647-1} - bluez 5.50-1.1 (bug #953770) @@ -30870,7 +30870,7 @@ CVE-2020-0548 (Cleanup errors in some Intel(R) Processors may allow an authentic NOTE: https://software.intel.com/security-software-guidance/software-guidance/vector-register-sampling NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00329.html CVE-2020-0547 (Incorrect default permissions in the installer for Intel(R) Data Migra ...) - TODO: check + NOT-FOR-US: Intel CVE-2020-0546 (Unquoted service path in Intel(R) Optane(TM) DC Persistent Memory Modu ...) NOT-FOR-US: Intel CVE-2020-0545 @@ -31445,7 +31445,7 @@ CVE-2019-18378 (Symantec Messaging Gateway, prior to 10.7.3, may be susceptible CVE-2019-18377 (Symantec Messaging Gateway, prior to 10.7.3, may be susceptible to a p ...) NOT-FOR-US: Symantec CVE-2019-18376 (A CSRF token disclosure vulnerability allows a remote attacker, with a ...) - TODO: check + NOT-FOR-US: Broadcom CVE-2019-18375 (The ASG and ProxySG management consoles are susceptible to a session h ...) NOT-FOR-US: ASG and ProxySG management consoles CVE-2019-18374 (Symantec Critical System Protection (CSP), versions 8.0, 8.0 HF1 ...) 
@@ -32723,9 +32723,9 @@ CVE-2020-0081 (In finalize of AssetManager.java, there is possible memory corrup CVE-2020-0080 (In onOpActiveChanged and related methods of AppOpsControllerImpl.java, ...) NOT-FOR-US: Android CVE-2020-0079 (In decrypt_1_2 of CryptoPlugin.cpp, there is a possible out of bounds ...) - TODO: check + NOT-FOR-US: Android CVE-2020-0078 (In releaseSecureStops of DrmPlugin.cpp, there is a possible out of bou ...) - TODO: check + NOT-FOR-US: Android CVE-2020-0077 (In authorize_enroll of the FPC IRIS TrustZone app, there is a possible ...) NOT-FOR-US: Android CVE-2020-0076 (In get_auth_result of the FPC IRIS TrustZone app, there is a possible ...) @@ -32745,7 +32745,7 @@ CVE-2020-0070 (In rw_t2t_update_lock_attributes of rw_t2t_ndef.cc, there is a po CVE-2020-0069 (In the ioctl handlers of the Mediatek Command Queue driver, there is a ...) NOT-FOR-US: Mediatek components for Android CVE-2020-0068 (In crus_afe_get_param of msm-cirrus-playback.c, there is a possible ou ...) - TODO: check + NOT-FOR-US: Android CVE-2020-0067 (In f2fs_xattr_generic_list of xattr.c, there is a possible out of boun ...) - linux 5.5.13-1 NOTE: https://git.kernel.org/linus/688078e7f36c293dae25b338ddc9e0a2790f6e06 @@ -45369,7 +45369,7 @@ CVE-2019-14118 CVE-2019-14117 RESERVED CVE-2019-14116 (Privilege escalation by using an altered debug policy image can occur ...) - TODO: check + NOT-FOR-US: Snapdragon CVE-2019-14115 RESERVED CVE-2019-14114 (Buffer overflow in WLAN firmware while parsing GTK IE containing GTK k ...) 
@@ -45796,7 +45796,7 @@ CVE-2019-13917 (Exim 4.85 through 4.92 (fixed in 4.92.1) allows remote code exec NOTE: https://www.exim.org/static/doc/security/CVE-2019-13917.txt NOTE: https://git.exim.org/exim.git/commit/21aa05977abff1eaa69bb97ef99080220915f7c0 CVE-2019-13916 (An issue was discovered in Cypress (formerly Broadcom) WICED Studio 6. ...) - TODO: check + NOT-FOR-US: Cypress CVE-2019-13915 (b3log Wide before 1.6.0 allows three types of attacks to access arbitr ...) NOT-FOR-US: b3log Wide CVE-2019-13914 @@ -52078,13 +52078,13 @@ CVE-2019-12004 CVE-2019-12003 RESERVED CVE-2019-12002 (A remote session reuse vulnerability leading to access restriction byp ...) - TODO: check + NOT-FOR-US: HPE CVE-2019-12001 (A remote session reuse vulnerability leading to access restriction byp ...) - TODO: check + NOT-FOR-US: HPE CVE-2019-12000 RESERVED CVE-2019-11999 (Potential security vulnerabilities have been identified in HPE OpenCal ...) - TODO: check + NOT-FOR-US: HPE CVE-2019-11998 (HPE Superdome Flex Server is vulnerable to multiple remote vulnerabili ...) NOT-FOR-US: HPE Superdome Flex Server CVE-2019-11997 (A potential
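Review bot: in the CVE-2020-0068 hunk, `NOT-FOR-US: Android` closes a bug in crus_afe_get_param of msm-cirrus-playback.c; that file is a vendor audio driver rather than an obviously Android-only component, so it is worth confirming it is absent from the mainline kernel before marking it NFU, given that the adjacent CVE-2020-0067 (f2fs xattr.c) from the same bulletin is tracked against linux with a mainline fix commit. A one-word NOTE such as the one used for CVE-2020-0069 ("Mediatek components for Android") would record that check.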
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9ab4df7b by Moritz Muehlenhoff at 2020-04-20T18:30:58+02:00 NFUs new ming issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -31,7 +31,7 @@ CVE-2020-11916 CVE-2020-11915 RESERVED CVE-2019-20786 (handleIncomingPacket in conn.go in Pion DTLS before 1.5.2 lacks a chec ...) - TODO: check + NOT-FOR-US: Pion DTLS CVE-2020-11914 RESERVED CVE-2020-11913 @@ -71,9 +71,11 @@ CVE-2020-11897 CVE-2020-11896 RESERVED CVE-2020-11895 (Ming (aka libming) 0.4.8 has a heap-based buffer over-read (2 bytes) i ...) - TODO: check + - ming + NOTE: https://github.com/libming/libming/issues/197 CVE-2020-11894 (Ming (aka libming) 0.4.8 has a heap-based buffer over-read (8 bytes) i ...) - TODO: check + - ming + NOTE: https://github.com/libming/libming/issues/196 CVE-2020-11893 RESERVED CVE-2020-11892 @@ -95,7 +97,7 @@ CVE-2020-11885 (WSO2 Enterprise Integrator through 6.6.0 has an XXE vulnerabilit CVE-2020-11884 RESERVED CVE-2020-11883 (In Divante vue-storefront-api through 1.11.1 and storefront-api throug ...) - TODO: check + NOT-FOR-US: Divante vue-storefront-api CVE-2020-11882 RESERVED CVE-2020-11881 @@ -125,7 +127,7 @@ CVE-2020-11874 (An issue was discovered on LG mobile devices with Android OS 8.0 CVE-2020-11873 (An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, ...) NOT-FOR-US: LG mobile devices CVE-2020-11872 (The Cloud Functions subsystem in OpenTrace 1.0 might allow fabrication ...) - TODO: check + NOT-FOR-US: OpenTrace CVE-2020-11871 RESERVED CVE-2020-11870 @@ -257,7 +259,7 @@ CVE-2020-11828 CVE-2020-11827 RESERVED CVE-2020-11826 (Users can lock their notes with a password in Memono version 3.8. Thus ...) - TODO: check + NOT-FOR-US: Memono CVE-2020-11825 (In Dolibarr 10.0.6, forms are protected with a CSRF token against CSRF ...) - dolibarr CVE-2020-11824 
@@ -795,7 +797,7 @@ CVE-2020-11712 (Open Upload through 0.4.3 allows XSS via index.php?action=u and CVE-2020-11711 RESERVED CVE-2020-11710 (An issue was discovered in docker-kong (for Kong) through 2.0.3. The a ...) - TODO: check + NOT-FOR-US: docker-kong CVE-2020-11709 (cpp-httplib through 0.5.8 does not filter \r\n in parameters passed in ...) TODO: check CVE-2020-11708 (An issue was discovered in ProVide (formerly zFTPServer) through 13.1. ...) @@ -2607,13 +2609,13 @@ CVE-2020-11007 (In Shopizer before version 2.11.0, using API or Controller based CVE-2020-11006 RESERVED CVE-2020-11005 (The WindowsHello open source library (NuGet HaemmerElectronics.SeppPen ...) - TODO: check + NOT-FOR-US: WindowsHello CVE-2020-11004 RESERVED CVE-2020-11003 (Oasis before version 2.15.0 has a potential DNS rebinding or CSRF vuln ...) NOT-FOR-US: Oasis (not the same as src:oasis) CVE-2020-11002 (dropwizard-validation before versions 2.0.3 and 1.3.21 has a remote co ...) - TODO: check + NOT-FOR-US: dropwizard-validation CVE-2020-11001 (In Wagtail before versions 2.8.1 and 2.7.2, a cross-site scripting (XS ...) NOT-FOR-US: Wagtail CVE-2020-11000 (GreenBrowser before version 1.2 has a vulnerability where apps that re ...) @@ -2769,7 +2771,7 @@ CVE-2020-10949 CVE-2020-10948 (Jon Hedley AlienForm2 (typically installed as af.cgi or alienform.cgi) ...) NOT-FOR-US: Jon Hedley AlienForm2 CVE-2020-10947 (Mac Endpoint for Sophos Central before 9.9.6 and Mac Endpoint for Soph ...) - TODO: check + NOT-FOR-US: Sophos CVE-2020-10946 RESERVED CVE-2020-10945 
@@ -3283,9 +3285,9 @@ CVE-2020-10816 CVE-2020-10815 RESERVED CVE-2020-10814 (A buffer overflow vulnerability in Code::Blocks 17.12 allows an attack ...) - TODO: check + NOT-FOR-US: Code::Blocks CVE-2020-10813 (A buffer overflow vulnerability in FTPDMIN 0.96 allows attackers to cr ...) - TODO: check + NOT-FOR-US: FTPDMIN CVE-2020-10812 (An issue was discovered in HDF5 through 1.12.0. A NULL pointer derefer ...) - hdf5 NOTE: https://github.com/Loginsoft-Research/hdf5-reports/tree/master/Vuln_4 @@ -4331,7 +4333,7 @@ CVE-2020-10379 CVE-2020-10378 RESERVED CVE-2020-10377 (A weak encryption vulnerability in Mitel MiVoice Connect Client before ...) - TODO: check + NOT-FOR-US: Mitel CVE-2020-10376 (Technicolor TC7337NET 08.89.17.23.03 devices allow remote attackers to ...) NOT-FOR-US: Technicolor CVE-2020-10375 @@ -4689,7 +4691,7 @@ CVE-2020-10213 (An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. Th CVE-2020-10212 (upload.php in Responsive FileManager 9.13.4 and 9.14.0 allows SSRF via ...)
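Review bot: the two ming entries in the CVE-2020-11895 / CVE-2020-11894 hunk are added as bare `- ming` lines with only the upstream GitHub issue link: no severity, no [buster]/[stretch] annotation and no note on whether upstream has a fix. Both are small heap over-reads reported through issues 197 and 196, so a severity tag and a NOTE on fix status (or an explicit `TODO: check` if that is still open) would save the next triager a trip to the issue tracker and make the stable handling decision visible in the file.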
Processing 5e5006a3b740191c3887959e74699a10b46cab48 failed
The error message was: data/CVE/list:56848: ITPed package skopeo is in the archive make: *** [Makefile:34: all] Error 1
[Git][security-tracker-team/security-tracker][master] dla: take ntp
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 5e5006a3 by Adrian Bunk at 2020-04-20T18:31:55+03:00 dla: take ntp - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -53,7 +53,7 @@ mumble (Abhijith PA) -- nginx (Mike Gabriel) -- -ntp +ntp (Adrian Bunk) NOTE: 20200420: no patch available yet -- opendmarc (Thorsten Alteholz) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e5006a3b740191c3887959e74699a10b46cab48
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f62d0e7d by Salvatore Bonaccorso at 2020-04-20T16:17:54+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,9 +1,9 @@ CVE-2020-11930 (The GTranslate plugin before 2.8.52 for WordPress has Reflected XSS vi ...) - TODO: check + NOT-FOR-US: GTranslate plugin for WordPress CVE-2020-11929 RESERVED CVE-2020-11928 (In the media-library-assistant plugin before 2.82 for WordPress, Remot ...) - TODO: check + NOT-FOR-US: media-library-assistant plugin for WordPress CVE-2020-11927 RESERVED CVE-2020-11926 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f62d0e7d7d417e3edfb884395c50c5aa9218f185
[Git][security-tracker-team/security-tracker][master] add ntp
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 6a460338 by Thorsten Alteholz at 2020-04-20T16:11:57+02:00 add ntp - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -53,6 +53,9 @@ mumble (Abhijith PA) -- nginx (Mike Gabriel) -- +ntp + NOTE: 20200420: no patch available yet +-- opendmarc (Thorsten Alteholz) NOTE: 20200420: still testing package, original patch does not seem to be enough, still ongoing -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6a4603384e8e39c210f567bc443bcd59ce719e95
[Git][security-tracker-team/security-tracker][master] Add and claim openvpn
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: cc913051 by Utkarsh Gupta at 2020-04-20T16:36:50+05:30 Add and claim openvpn - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -58,6 +58,8 @@ opendmarc (Thorsten Alteholz) -- openjdk-7 (Roberto C. Sánchez) -- +openvpn (Utkarsh Gupta) +-- otrs2 (Abhijith PA) NOTE: 20200412: Asked upstream for clarity in CVE-2020-1769 patch (abhijith) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc913051e4535b69a8447485c7e6a8133aad4ae0
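Review bot: the new openvpn line in dla-needed.txt carries no NOTE saying which issue is being worked on or why jessie needs a DLA. The only openvpn issue on this page, CVE-2020-11810, is filed as `(low)` with `Minor issue` for both buster and stretch, so a one-line NOTE citing the CVE and the reason a jessie update is planned anyway would keep dla-needed consistent with the CVE entry and let the next person on the list see the decision rather than re-derive it.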
[Git][security-tracker-team/security-tracker][master] Update note for bluez in jessie LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 9f2c6a6a by Chris Lamb at 2020-04-20T11:28:10+01:00 Update note for bluez in jessie LTS. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -15,7 +15,10 @@ ansible (Sylvain Beucler) NOTE: 20200416: 8 of 9 CVEs have upstream patches now (sunweaver) -- bluez - NOTE: 20200330: wip + NOTE: 20200330: wip (Emilio) + NOTE: 20200420: Many upstream refactorings make this hard to see where the + NOTE: 20200420: check for bonded connections should go. (eg. 7d9718cfc, + NOTE: 20200420: 718bad60d, etc.) (lamby) -- dom4j (Utkarsh Gupta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f2c6a6a3177f0553b6f26e5b88abd253d6086d7
[Git][security-tracker-team/security-tracker][master] update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: fd2a4c24 by Thorsten Alteholz at 2020-04-20T11:02:31+02:00 update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -50,8 +50,8 @@ mumble (Abhijith PA) -- nginx (Mike Gabriel) -- -opendmarc - NOTE: 20200406: still testing package, original patch does not seem to be enough, still ongoing +opendmarc (Thorsten Alteholz) + NOTE: 20200420: still testing package, original patch does not seem to be enough, still ongoing -- openjdk-7 (Roberto C. Sánchez) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd2a4c248203642aa78c3f33aea6cb68e27aa91a
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Holger Levsen pushed to branch master at Debian Security Tracker / security-tracker Commits: 9a35dd6c by Holger Levsen at 2020-04-20T10:25:07+02:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Holger Levsen hol...@layer-acht.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -14,7 +14,7 @@ ansible (Sylvain Beucler) NOTE: 20200219: no upstream fixes yet NOTE: 20200416: 8 of 9 CVEs have upstream patches now (sunweaver) -- -bluez (Emilio) +bluez NOTE: 20200330: wip -- dom4j (Utkarsh Gupta) @@ -50,7 +50,7 @@ mumble (Abhijith PA) -- nginx (Mike Gabriel) -- -opendmarc (Thorsten Alteholz) +opendmarc NOTE: 20200406: still testing package, original patch does not seem to be enough, still ongoing -- openjdk-7 (Roberto C. Sánchez) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a35dd6c65c97b50e5afc7bc977abdfd4d0c6887
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d89dbb7c by security tracker role at 2020-04-20T08:10:17+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,37 @@ +CVE-2020-11930 (The GTranslate plugin before 2.8.52 for WordPress has Reflected XSS vi ...) + TODO: check +CVE-2020-11929 + RESERVED +CVE-2020-11928 (In the media-library-assistant plugin before 2.82 for WordPress, Remot ...) + TODO: check +CVE-2020-11927 + RESERVED +CVE-2020-11926 + RESERVED +CVE-2020-11925 + RESERVED +CVE-2020-11924 + RESERVED +CVE-2020-11923 + RESERVED +CVE-2020-11922 + RESERVED +CVE-2020-11921 + RESERVED +CVE-2020-11920 + RESERVED +CVE-2020-11919 + RESERVED +CVE-2020-11918 + RESERVED +CVE-2020-11917 + RESERVED +CVE-2020-11916 + RESERVED +CVE-2020-11915 + RESERVED +CVE-2019-20786 (handleIncomingPacket in conn.go in Pion DTLS before 1.5.2 lacks a chec ...) + TODO: check CVE-2020-11914 RESERVED CVE-2020-11913 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d89dbb7cbfa66fe490be1f8063a054a0211a667b
[Git][security-tracker-team/security-tracker][master] new vague resteasy issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 040099cb by Moritz Muehlenhoff at 2020-04-20T08:24:43+02:00 new vague resteasy issue new freeipa non issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -26332,6 +26332,9 @@ CVE-2020-1704 (An insecure modification vulnerability in the /etc/passwd file wa NOT-FOR-US: openshift CVE-2020-1703 RESERVED + - freeipa (unimportant) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1793049 + NOTE: Disputed by upstream, works as intended CVE-2020-1702 RESERVED NOT-FOR-US: Red Hat container manager tooling @@ -26363,6 +26366,9 @@ CVE-2020-1696 (A flaw was found in the all pki-core 10.x.x versions, where Token NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1780707 CVE-2020-1695 RESERVED + - resteasy + - resteasy3.0 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1730462 CVE-2020-1694 RESERVED CVE-2020-1693 (A flaw was found in Spacewalk up to version 2.9 where it was vulnerabl ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/040099cbcfd8e319d47a88e965d182b797a8600c
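Review bot: in the CVE-2020-1695 hunk, both resteasy and resteasy3.0 are marked affected with only a Red Hat bugzilla link; the CVE is still RESERVED and the commit message itself calls the issue vague, so a short NOTE summarising what the bugzilla describes, or an explicit `TODO: check`, would give the next triager something to assess severity against and to confirm that both source packages actually carry the affected code rather than just sharing a name. The freeipa hunk is fine as written: the `(unimportant)` tag is backed by the "Disputed by upstream, works as intended" NOTE.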
[Git][security-tracker-team/security-tracker][master] new openvpn issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: edb479a9 by Moritz Muehlenhoff at 2020-04-20T08:04:34+02:00 new openvpn issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -256,6 +256,10 @@ CVE-2020-11811 (In qdPM 9.1, an attacker can upload a malicious .php file to the NOT-FOR-US: qdPM CVE-2020-11810 RESERVED + - openvpn 2.4.9-1 (low) + [buster] - openvpn (Minor issue) + [stretch] - openvpn (Minor issue) + NOTE: https://github.com/OpenVPN/openvpn/commit/37bc691e7d26ea4eb61a8a434ebd7a9ae76225ab CVE-2020-11809 RESERVED CVE-2020-11808 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/edb479a96872759954fd7744d56834908dd44439
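Review bot: the CVE-2020-11810 entry records the fixed version, the upstream commit and a `(low)` / `Minor issue` assessment for buster and stretch, but nothing in the entry says what the bug is; with the CVE still RESERVED, a reader cannot check the severity call without opening the commit. Add a bracketed one-line summary on the CVE line or a NOTE describing the impact, as other entries on this page do, so the "Minor issue" judgement is reviewable from the file itself.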