[Git][security-tracker-team/security-tracker][master] NFU
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: 132d700b by Henri Salo at 2020-05-12T08:36:58+03:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28381,6 +28381,7 @@ CVE-2020-1940 (The optional initial password change and password expiration feat NOT-FOR-US: Apache Jackrabbit Oak CVE-2020-1939 RESERVED + NOT-FOR-US: Apache NuttX CVE-2020-1938 (When using the Apache JServ Protocol (AJP), care must be taken when tr ...) {DSA-4680-1 DSA-4673-1 DLA-2209-1 DLA-2133-1} - tomcat9 9.0.31-1 (bug #952437) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/132d700b3126899badf4fa2219450b7eec199a28 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/132d700b3126899badf4fa2219450b7eec199a28 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2020-12761,imlib2: Fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 33ef355b by Markus Koschany at 2020-05-12T01:19:53+02:00 CVE-2020-12761,imlib2: Fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -84,7 +84,7 @@ CVE-2020-12762 (json-c through 0.14 has an integer overflow and out-of-bounds wr NOTE: https://github.com/json-c/json-c/commit/099016b7e8d70a6d5dd814e788bba08d33d48426 NOTE: https://github.com/json-c/json-c/commit/d07b91014986900a3a75f306d302e13e005e9d67 CVE-2020-12761 (modules/loaders/loader_ico.c in imlib2 1.6.0 has an integer overflow ( ...) - - imlib2 (bug #960192) + - imlib2 1.6.1-2 (bug #960192) [buster] - imlib2 (Vulnerable code introduced later) [stretch] - imlib2 (Vulnerable code introduced later) [jessie] - imlib2 (Vulnerable code introduced later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/33ef355b5bd5c2483c317e963755c2e730edf799 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/33ef355b5bd5c2483c317e963755c2e730edf799 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] php-horde-data got reintroduced in Debian
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 67cda407 by Salvatore Bonaccorso at 2020-05-11T22:33:04+02:00 php-horde-data got reintroduced in Debian - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11478,7 +11478,7 @@ CVE-2020-8519 RESERVED CVE-2020-8518 (Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary P ...) {DLA-2174-1} - - php-horde-data (bug #951537) + - php-horde-data (bug #951537) [buster] - php-horde-data 2.1.4-5+deb10u1 [stretch] - php-horde-data (Minor issue) NOTE: https://lists.horde.org/archives/announce/2020/001285.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/67cda407e813b149d0ad9db2e24f54f8a326f193 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/67cda407e813b149d0ad9db2e24f54f8a326f193 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fix via experimental for openexr issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e4f7080b by Salvatore Bonaccorso at 2020-05-11T22:30:02+02:00 Track fix via experimental for openexr issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -3279,39 +3279,46 @@ CVE-2020-11767 (Istio through 1.5.1 and Envoy through 1.14.1 have a data-leak is CVE-2020-11766 RESERVED CVE-2020-11765 (An issue was discovered in OpenEXR before 2.4.1. There is an off-by-on ...) + [experimental] - openexr 2.5.0-1 - openexr (bug #959444) [jessie] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/3eda5d70aba127bae9bd6bae9956fcf024b64031 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/2ae5f8376b0a6c3e2bb100042f5de79503ba837a CVE-2020-11764 (An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bo ...) + [experimental] - openexr 2.5.0-1 - openexr (bug #959444) [jessie] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/e7c26f6ef5bf7ae8ea21ecf19963186cd1391720 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/a6408c90339bdf19f89476578d7f936b741be9b2 CVE-2020-11763 (An issue was discovered in OpenEXR before 2.4.1. There is an std::vect ...) + [experimental] - openexr 2.5.0-1 - openexr (bug #959444) [jessie] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987 TODO: check fixing commit CVE-2020-11762 (An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bo ...) + [experimental] - openexr 2.5.0-1 - openexr (bug #959444) [jessie] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/3eda5d70aba127bae9bd6bae9956fcf024b64031 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/2ae5f8376b0a6c3e2bb100042f5de79503ba837a CVE-2020-11761 (An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bo ...) 
+ [experimental] - openexr 2.5.0-1 - openexr (bug #959444) [jessie] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/b1c34c496b62117115b1089b18a44e0031800a09 CVE-2020-11760 (An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bo ...) + [experimental] - openexr 2.5.0-1 - openexr (bug #959444) [jessie] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/37750013830def57f19f3c3b7faaa9fc1dae81b3 CVE-2020-11759 (An issue was discovered in OpenEXR before 2.4.1. Because of integer ov ...) + [experimental] - openexr 2.5.0-1 - openexr (bug #959444) [jessie] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987 @@ -3319,6 +3326,7 @@ CVE-2020-11759 (An issue was discovered in OpenEXR before 2.4.1. Because of inte NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/acad98d6d3e787f36012a3737c23c42c7f43a00f TODO: check completeness for upstream commits to cover CVE-2020-11759 CVE-2020-11758 (An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bo ...) + [experimental] - openexr 2.5.0-1 - openexr (bug #959444) [jessie] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e4f7080baa499bfebea14175b7d58aed45320d12 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e4f7080baa499bfebea14175b7d58aed45320d12 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
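Review bot: the "[experimental] - openexr 2.5.0-1" line is added under CVE-2020-11763 while its "TODO: check fixing commit" line still stands, and under CVE-2020-11759 while "TODO: check completeness for upstream commits to cover CVE-2020-11759" still stands; for those two entries 2.5.0-1 is therefore recorded as a fixed version before anyone has confirmed which upstream commit fixes them. Suggest either holding the [experimental] line back for CVE-2020-11763 and CVE-2020-11759 until the TODO is resolved, or adding a NOTE under each stating that the 2.5.0 release is assumed to carry the fix, so a later reader can tell that the version claim is provisional.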
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-1186{3,4,5,6}/libemf
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c5d255d by Salvatore Bonaccorso at 2020-05-11T22:20:42+02:00 Add CVE-2020-1186{3,4,5,6}/libemf - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2772,13 +2772,13 @@ CVE-2020-11868 (ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an o CVE-2020-11867 RESERVED CVE-2020-11866 (libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows a use-aft ...) - TODO: check + - libemf 1.0.12-1 CVE-2020-11865 (libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows out-of-bo ...) - TODO: check + - libemf 1.0.12-1 CVE-2020-11864 (libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows denial of ...) - TODO: check + - libemf 1.0.12-1 CVE-2020-11863 (libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows denial of ...) - TODO: check + - libemf 1.0.12-1 CVE-2019-20785 (An issue was discovered on LG mobile devices with Android OS 8.0 and 8 ...) NOT-FOR-US: LG mobile devices CVE-2019-20784 (An issue was discovered on LG mobile devices with Android OS 7.0, 7.1, ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c5d255d866b2d193f69297c399f1bd174d7d865 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c5d255d866b2d193f69297c399f1bd174d7d865 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
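Review bot: the four new "- libemf 1.0.12-1" lines replace "TODO: check" without any NOTE: line pointing at the upstream fix, so unlike the other entries touched on this page (openexr, json-c, wolfssl, kio-extras, all of which carry a NOTE: with a commit or issue URL) there is nothing a reviewer can use to confirm that 1.0.12 addresses each of CVE-2020-11863 through CVE-2020-11866 rather than only some of them. Suggest adding a NOTE: with the upstream changelog or fixing-commit reference under each of the four entries.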
[Git][security-tracker-team/security-tracker][master] Process some more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 46845545 by Salvatore Bonaccorso at 2020-05-11T22:18:23+02:00 Process some more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2020-12790 (In the SEOmatic plugin before 3.2.49 for Craft CMS, helpers/DynamicMet ...) - TODO: check + NOT-FOR-US: SEOmatic plugin for Craft CMS CVE-2020-12789 RESERVED CVE-2020-12788 @@ -90,7 +90,7 @@ CVE-2020-12761 (modules/loaders/loader_ico.c in imlib2 1.6.0 has an integer over [jessie] - imlib2 (Vulnerable code introduced later) NOTE: https://git.enlightenment.org/legacy/imlib2.git/commit/?id=c95f938ff1effaf91729c050a0f1c8684da4dd63 CVE-2020-12760 (An issue was discovered in OpenNMS Horizon before 26.0.1, and Meridian ...) - TODO: check + NOT-FOR-US: OpenNMS CVE-2020-12759 RESERVED CVE-2020-12758 @@ -108,9 +108,9 @@ CVE-2019-20794 (An issue was discovered in the Linux kernel 4.18 through 5.6.11 - linux NOTE: https://sourceforge.net/p/fuse/mailman/message/36598753/ CVE-2020-12754 (An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, ...) - TODO: check + NOT-FOR-US: LG mobile devices CVE-2020-12753 (An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, ...) - TODO: check + NOT-FOR-US: LG mobile devices CVE-2020-12752 (An issue was discovered on Samsung mobile devices with P(9.0) and Q(10 ...) NOT-FOR-US: Samsung mobile devices CVE-2020-12751 (An issue was discovered on Samsung mobile devices with O(8.X), P(9.0), ...) 
@@ -130,7 +130,7 @@ CVE-2020-12745 (An issue was discovered on Samsung mobile devices with Q(10.0) s CVE-2020-12744 RESERVED CVE-2020-12743 (An issue was discovered in Gazie 7.32. A successful installation does ...) - TODO: check + NOT-FOR-US: Gazie CVE-2020-12742 RESERVED CVE-2020-12741 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4684554517ff8f0927880388b9225fbde9001f55 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4684554517ff8f0927880388b9225fbde9001f55 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: adc13951 by Salvatore Bonaccorso at 2020-05-11T22:12:20+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9,9 +9,9 @@ CVE-2020-12787 CVE-2020-12786 RESERVED CVE-2020-12785 (cPanel before 86.0.14 allows attackers to obtain access to the current ...) - TODO: check + NOT-FOR-US: cPanel CVE-2020-12784 (cPanel before 86.0.14 allows remote attackers to trigger a bandwidth s ...) - TODO: check + NOT-FOR-US: cPanel CVE-2020-12782 RESERVED CVE-2020-12781 
@@ -112,21 +112,21 @@ CVE-2020-12754 (An issue was discovered on LG mobile devices with Android OS 7.2 CVE-2020-12753 (An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, ...) TODO: check CVE-2020-12752 (An issue was discovered on Samsung mobile devices with P(9.0) and Q(10 ...) - TODO: check + NOT-FOR-US: Samsung mobile devices CVE-2020-12751 (An issue was discovered on Samsung mobile devices with O(8.X), P(9.0), ...) - TODO: check + NOT-FOR-US: Samsung mobile devices CVE-2020-12750 (An issue was discovered on Samsung mobile devices with Q(10.0) softwar ...) - TODO: check + NOT-FOR-US: Samsung mobile devices CVE-2020-12749 (An issue was discovered on Samsung mobile devices with P(9.0) (Exynos ...) - TODO: check + NOT-FOR-US: Samsung mobile devices CVE-2020-12748 (An issue was discovered on Samsung mobile devices with Q(10.0) softwar ...) - TODO: check + NOT-FOR-US: Samsung mobile devices CVE-2020-12747 (An issue was discovered on Samsung mobile devices with Q(10.0) (Exynos ...) - TODO: check + NOT-FOR-US: Samsung mobile devices CVE-2020-12746 (An issue was discovered on Samsung mobile devices with O(8.X), P(9.0), ...) - TODO: check + NOT-FOR-US: Samsung mobile devices CVE-2020-12745 (An issue was discovered on Samsung mobile devices with Q(10.0) softwar ...) - TODO: check + NOT-FOR-US: Samsung mobile devices CVE-2020-12744 RESERVED CVE-2020-12743 (An issue was discovered in Gazie 7.32. A successful installation does ...) @@ -73816,7 +73816,7 @@ CVE-2019-5502 (SMB in Data ONTAP operating in 7-Mode versions prior to 8.2.5P3 h CVE-2019-5501 (Data ONTAP operating in 7-Mode versions prior to 8.2.5P3 may disclose ...) NOT-FOR-US: Data ONTAP CVE-2019-5500 (Certain versions of the NetApp Service Processor and Baseboard Managem ...) - TODO: check + NOT-FOR-US: NetApp CVE-2019-5499 REJECTED CVE-2019-5498 (OnCommand Insight versions through 7.3.6 may disclose sensitive accoun ...) 
@@ -75726,7 +75726,7 @@ CVE-2019-4669 (IBM Business Process Manager 8.5.7.0 through 8.5.7.0 2017.06, 8.6 CVE-2019-4668 (IBM UrbanCode Deploy (UCD) 7.0.4.0 stores user credentials in plain in ...) NOT-FOR-US: IBM CVE-2019-4667 (IBM UrbanCode Deploy (UCD) 7.0.5.2 could allow a remote attacker to ob ...) - TODO: check + NOT-FOR-US: IBM CVE-2019-4666 (IBM UrbanCode Deploy (UCD) 7.0.3 and IBM UrbanCode Build 6.1.5 could a ...) NOT-FOR-US: IBM CVE-2019-4665 (IBM Spectrum Scale 4.2 and 5.0 is vulnerable to cross-site scripting. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/adc139511518e89144a9b23d1dc0637f1d9b2936 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/adc139511518e89144a9b23d1dc0637f1d9b2936 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
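Review bot: in the second hunk CVE-2020-12754 and CVE-2020-12753 (LG mobile devices) are left as "TODO: check" in the context lines while the eight Samsung mobile device entries directly below them are switched to NOT-FOR-US in the same pass; they are the same class of vendor-specific issue and could be processed in this commit rather than a follow-up. Suggest marking them "NOT-FOR-US: LG mobile devices" here so the block of TODO: check entries is cleared in one change.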
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7217e547 by security tracker role at 2020-05-11T20:10:21+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,4 +1,38 @@ -CVE-2020-12783 [Out-of-bound buffer read leads to Authentication Bypass in Exim SPA authentication method] +CVE-2020-12790 (In the SEOmatic plugin before 3.2.49 for Craft CMS, helpers/DynamicMet ...) + TODO: check +CVE-2020-12789 + RESERVED +CVE-2020-12788 + RESERVED +CVE-2020-12787 + RESERVED +CVE-2020-12786 + RESERVED +CVE-2020-12785 (cPanel before 86.0.14 allows attackers to obtain access to the current ...) + TODO: check +CVE-2020-12784 (cPanel before 86.0.14 allows remote attackers to trigger a bandwidth s ...) + TODO: check +CVE-2020-12782 + RESERVED +CVE-2020-12781 + RESERVED +CVE-2020-12780 + RESERVED +CVE-2020-12779 + RESERVED +CVE-2020-12778 + RESERVED +CVE-2020-12777 + RESERVED +CVE-2020-12776 + RESERVED +CVE-2020-12775 + RESERVED +CVE-2020-12774 + RESERVED +CVE-2020-12773 + RESERVED +CVE-2020-12783 (Exim through 4.93 has an out-of-bounds read in the SPA authenticator t ...) - exim4 4.93-16 NOTE: https://bugs.exim.org/show_bug.cgi?id=2571 NOTE: https://git.exim.org/exim.git/commitdiff/57aa14b216432be381b6295c312065b2fd034f86 @@ -55,8 +89,8 @@ CVE-2020-12761 (modules/loaders/loader_ico.c in imlib2 1.6.0 has an integer over [stretch] - imlib2 (Vulnerable code introduced later) [jessie] - imlib2 (Vulnerable code introduced later) NOTE: https://git.enlightenment.org/legacy/imlib2.git/commit/?id=c95f938ff1effaf91729c050a0f1c8684da4dd63 -CVE-2020-12760 - RESERVED +CVE-2020-12760 (An issue was discovered in OpenNMS Horizon before 26.0.1, and Meridian ...) + TODO: check CVE-2020-12759 RESERVED CVE-2020-12758 
@@ -73,30 +107,30 @@ CVE-2020-12755 (fishProtocol::establishConnection in fish/fish.cpp in KDE kio-ex CVE-2019-20794 (An issue was discovered in the Linux kernel 4.18 through 5.6.11 when u ...) - linux NOTE: https://sourceforge.net/p/fuse/mailman/message/36598753/ -CVE-2020-12754 - RESERVED -CVE-2020-12753 - RESERVED -CVE-2020-12752 - RESERVED -CVE-2020-12751 - RESERVED -CVE-2020-12750 - RESERVED -CVE-2020-12749 - RESERVED -CVE-2020-12748 - RESERVED -CVE-2020-12747 - RESERVED -CVE-2020-12746 - RESERVED -CVE-2020-12745 - RESERVED +CVE-2020-12754 (An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, ...) + TODO: check +CVE-2020-12753 (An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, ...) + TODO: check +CVE-2020-12752 (An issue was discovered on Samsung mobile devices with P(9.0) and Q(10 ...) + TODO: check +CVE-2020-12751 (An issue was discovered on Samsung mobile devices with O(8.X), P(9.0), ...) + TODO: check +CVE-2020-12750 (An issue was discovered on Samsung mobile devices with Q(10.0) softwar ...) + TODO: check +CVE-2020-12749 (An issue was discovered on Samsung mobile devices with P(9.0) (Exynos ...) + TODO: check +CVE-2020-12748 (An issue was discovered on Samsung mobile devices with Q(10.0) softwar ...) + TODO: check +CVE-2020-12747 (An issue was discovered on Samsung mobile devices with Q(10.0) (Exynos ...) + TODO: check +CVE-2020-12746 (An issue was discovered on Samsung mobile devices with O(8.X), P(9.0), ...) + TODO: check +CVE-2020-12745 (An issue was discovered on Samsung mobile devices with Q(10.0) softwar ...) + TODO: check CVE-2020-12744 RESERVED -CVE-2020-12743 - RESERVED +CVE-2020-12743 (An issue was discovered in Gazie 7.32. A successful installation does ...) + TODO: check CVE-2020-12742 RESERVED CVE-2020-12741 
@@ -323,7 +357,7 @@ CVE-2020-12652 (The __mptctl_ioctl function in drivers/message/fusion/mptctl.c i CVE-2020-12651 RESERVED CVE-2020-12650 - RESERVED + REJECTED CVE-2020-12649 (Gurbalib through 2020-04-30 allows lib/cmds/player/help.c directory tr ...) NOT-FOR-US: Gurbalib CVE-2020-12648 @@ -2737,14 +2771,14 @@ CVE-2020-11868 (ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an o NOTE: https://gitlab.com/NTPsec/ntpsec/issues/651 CVE-2020-11867 RESERVED -CVE-2020-11866 - RESERVED -CVE-2020-11865 - RESERVED -CVE-2020-11864 - RESERVED -CVE-2020-11863 - RESERVED +CVE-2020-11866 (libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows a use-aft ...) + TODO: check +CVE-2020-11865 (libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows out-of-bo ...) + TODO: check +CVE-2020-11864 (libEMF (aka ECMA-234 Metafile Library)
[Git][security-tracker-team/security-tracker][master] Add fixed version via unstable for CVE-2020-11713/wolfssl
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a8ad95f3 by Salvatore Bonaccorso at 2020-05-11T22:03:40+02:00 Add fixed version via unstable for CVE-2020-11713/wolfssl - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3419,7 +3419,7 @@ CVE-2020-11715 CVE-2020-11714 (eten PSG-6528VM 1.1 devices allow XSS via System Contact or System Loc ...) NOT-FOR-US: eten PSG-6528VM 1.1 devices CVE-2020-11713 (wolfSSL 4.3.0 has mulmod code in wc_ecc_mulmod_ex in ecc.c that does n ...) - - wolfssl (bug #960190) + - wolfssl 4.4.0+dfsg-1 (bug #960190) NOTE: https://github.com/wolfSSL/wolfssl/pull/2894/ CVE-2020-11712 (Open Upload through 0.4.3 allows XSS via index.php?action=u and the fi ...) NOT-FOR-US: Open Upload View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a8ad95f39c6798738275288baa91a84e526ab30d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a8ad95f39c6798738275288baa91a84e526ab30d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-12762/json-c
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e581bd78 by Salvatore Bonaccorso at 2020-05-11T22:01:40+02:00 Add Debian bug reference for CVE-2020-12762/json-c - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -44,7 +44,7 @@ CVE-2020-12764 (Gnuteca 3.8 allows file.php?folder=/file= Directory Travers CVE-2020-12763 RESERVED CVE-2020-12762 (json-c through 0.14 has an integer overflow and out-of-bounds write vi ...) - - json-c + - json-c (bug #960326) NOTE: https://github.com/json-c/json-c/pull/592 NOTE: https://github.com/json-c/json-c/commit/77d935b7ae7871a1940cd827e850e6063044ec45 NOTE: https://github.com/json-c/json-c/commit/099016b7e8d70a6d5dd814e788bba08d33d48426 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e581bd781e296f523f605652982e51f412523dad -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e581bd781e296f523f605652982e51f412523dad You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: claim libdatetime-timezone-perl and tzdata in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: a1b277d1 by Roberto C. Sánchez at 2020-05-11T14:21:17-04:00 LTS: claim libdatetime-timezone-perl and tzdata in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -43,7 +43,7 @@ freerdp (Utkarsh Gupta) -- imagemagick (Markus Koschany) -- -libdatetime-timezone-perl +libdatetime-timezone-perl (Roberto C. Sánchez) -- libmatio (Adrian Bunk) NOTE: fairly high number of open issues. Not sure why we never had a look at them. @@ -92,7 +92,7 @@ squid3 (Markus Koschany) NOTE: 20200427: Working on squid3 in Stretch which will be used for Jessie NOTE: 20200427: and Stretch. It seems more useful for the future. -- -tzdata +tzdata (Roberto C. Sánchez) -- varnish (Sylvain Beucler) NOTE: 20200410: There was a reworking of the functions in cache_req_fsm.c View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a1b277d1d52c1824073d46d35d9a87d187891ef8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a1b277d1d52c1824073d46d35d9a87d187891ef8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-12755/kio-extras
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 76b37e33 by Salvatore Bonaccorso at 2020-05-11T19:16:58+02:00 Add Debian bug reference for CVE-2020-12755/kio-extras - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -66,7 +66,7 @@ CVE-2020-12757 CVE-2020-12756 RESERVED CVE-2020-12755 (fishProtocol::establishConnection in fish/fish.cpp in KDE kio-extras t ...) - - kio-extras (low) + - kio-extras (low; bug #960306) [buster] - kio-extras (Minor issue) [stretch] - kio-extras (Minor issue) NOTE: https://cgit.kde.org/kio-extras.git/commit/?id=d813cef3cecdec9af1532a40d677a203ff979145 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/76b37e335dfcee225964e322ff86acfb75ffbb74 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/76b37e335dfcee225964e322ff86acfb75ffbb74 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add tracking for CVE-2018-1285/log4net
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8a9c50c6 by Salvatore Bonaccorso at 2020-05-11T19:15:52+02:00 Add tracking for CVE-2018-1285/log4net - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -139859,6 +139859,9 @@ CVE-2018-1286 (In Apache OpenMeetings 3.0.0 - 4.0.1, CRUD operations on privileg NOT-FOR-US: Apache OpenMeetings CVE-2018-1285 RESERVED + - log4net + NOTE: https://issues.apache.org/jira/browse/LOG4NET-575 + NOTE: https://github.com/apache/logging-log4net/commit/d0b4b0157d4af36b23c24a23739c47925c3bd8d7 CVE-2018-1284 (In Apache Hive 0.6.0 to 2.3.2, malicious user might use any xpath UDFs ...) NOT-FOR-US: Apache Hive CVE-2018-1283 (In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to for ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a9c50c63b16585b0444e4142de8088ad4b5821f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a9c50c63b16585b0444e4142de8088ad4b5821f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
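Review bot: the new "- log4net" line marks the package as affected with no fixed version and no "(bug #...)" reference, even though the two NOTE: lines beneath it already point at the upstream issue and fixing commit; every other package line on this page that tracks an open issue carries either a fixed version or a Debian bug number (for example "- wolfssl 4.4.0+dfsg-1 (bug #960190)"). Suggest filing the Debian bug and recording it on the package line, and adding per-release annotations for buster and stretch if the issue is to remain unfixed there.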
[Git][security-tracker-team/security-tracker][master] new kio-extras issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 91213024 by Moritz Muehlenhoff at 2020-05-11T18:08:17+02:00 new kio-extras issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -66,7 +66,10 @@ CVE-2020-12757 CVE-2020-12756 RESERVED CVE-2020-12755 (fishProtocol::establishConnection in fish/fish.cpp in KDE kio-extras t ...) - TODO: check + - kio-extras (low) + [buster] - kio-extras (Minor issue) + [stretch] - kio-extras (Minor issue) + NOTE: https://cgit.kde.org/kio-extras.git/commit/?id=d813cef3cecdec9af1532a40d677a203ff979145 CVE-2019-20794 (An issue was discovered in the Linux kernel 4.18 through 5.6.11 when u ...) - linux NOTE: https://sourceforge.net/p/fuse/mailman/message/36598753/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/912130241e13ff7026d47b65178962153ffa9402 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/912130241e13ff7026d47b65178962153ffa9402 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim imagemagick in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 135c2275 by Markus Koschany at 2020-05-11T17:23:36+02:00 Claim imagemagick in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -41,6 +41,8 @@ condor freerdp (Utkarsh Gupta) NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby) -- +imagemagick (Markus Koschany) +-- libdatetime-timezone-perl -- libmatio (Adrian Bunk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/135c2275e8f82b6e022c52dcbe88c93f9cfbc1a7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/135c2275e8f82b6e022c52dcbe88c93f9cfbc1a7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove no-dsa flag from Tomcat 8 / Jessie in CVE list.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: cc058251 by Markus Koschany at 2020-05-11T17:15:25+02:00 Remove no-dsa flag from Tomcat 8 / Jessie in CVE list. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28341,7 +28341,6 @@ CVE-2020-1938 (When using the Apache JServ Protocol (AJP), care must be taken wh {DSA-4680-1 DSA-4673-1 DLA-2133-1} - tomcat9 9.0.31-1 (bug #952437) - tomcat8 (bug #952438) - [jessie] - tomcat8 (backport is intrusive because of API changes) - tomcat7 (bug #952436) NOTE: AJP disabled in Debian in default configuration since 2008 NOTE: fixed in upstream versions 9.0.31, 8.5.51, 7.0.100 @@ -28368,7 +28367,6 @@ CVE-2020-1935 (In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to {DSA-4680-1 DSA-4673-1 DLA-2133-1} - tomcat9 9.0.31-1 - tomcat8 - [jessie] - tomcat8 (backport is too intrusive) - tomcat7 NOTE: https://github.com/apache/tomcat/commit/8bfb0ff7f25fe7555a5eb2f7984f73546c11aa26 (9.0.31) NOTE: https://github.com/apache/tomcat/commit/8fbe2e962f0ea138d92361921643fe5abe0c4f56 (8.5.51) 
@@ -37325,7 +37323,6 @@ CVE-2019-17563 (When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9. {DSA-4680-1 DSA-4596-1 DLA-2077-1} - tomcat9 9.0.31-1 - tomcat8 - [jessie] - tomcat8 (low risk, backport is intrusive) - tomcat7 NOTE: https://github.com/apache/tomcat/commit/1ecba14e690cf5f3f143eef6ae7037a6d3c16652 (9.0.30) NOTE: https://github.com/apache/tomcat/commit/e19a202ee43b6e2a538be5515ae0ab32d8ef112c (8.5.50) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc05825194b70c8a7e9a81aec45617813775d81e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc05825194b70c8a7e9a81aec45617813775d81e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
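Review bot: removing the three "[jessie] - tomcat8 ..." lines drops the recorded reasons ("backport is intrusive because of API changes", "backport is too intrusive", "low risk, backport is intrusive") for CVE-2020-1938, CVE-2020-1935 and CVE-2019-17563 without the hunks or the commit message saying what replaces them; a reader of this commit alone cannot tell whether jessie is now expected to receive an update or was simply left unannotated. Suggest stating in the commit message that a tomcat8 DLA is being prepared, or making this change in the same commit as the DLA reservation, so the change is self-explanatory.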
[Git][security-tracker-team/security-tracker][master] 2 commits: Remove imlib2 from dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 2da4be8d by Markus Koschany at 2020-05-11T17:13:53+02:00 Remove imlib2 from dla-needed.txt - - - - - d8fb8968 by Markus Koschany at 2020-05-11T17:14:43+02:00 Reserve DLA-2209-1 for tomcat8 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[11 May 2020] DLA-2209-1 tomcat8 - security update + {CVE-2019-17563 CVE-2020-1935 CVE-2020-1938} + [jessie] - tomcat8 8.0.14-1+deb8u17 [10 May 2020] DLA-2208-1 wordpress - security update {CVE-2020-11026 CVE-2020-11027 CVE-2020-11028 CVE-2020-11029} [jessie] - wordpress 4.1.30+dfsg-0+deb8u1 = data/dla-needed.txt = @@ -41,8 +41,6 @@ condor freerdp (Utkarsh Gupta) NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby) -- -imlib2 (Markus Koschany) --- libdatetime-timezone-perl -- libmatio (Adrian Bunk) @@ -92,9 +90,6 @@ squid3 (Markus Koschany) NOTE: 20200427: Working on squid3 in Stretch which will be used for Jessie NOTE: 20200427: and Stretch. It seems more useful for the future. -- -tomcat8 - NOTE: 20200413: Forwarded patches for review to Abhijith --- tzdata -- varnish (Sylvain Beucler) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cada380ee1580a57a1d95a6d265639d0d4825f8a...d8fb8968ba9d89b4fd62e6570ad78b2efa8b7635 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cada380ee1580a57a1d95a6d265639d0d4825f8a...d8fb8968ba9d89b4fd62e6570ad78b2efa8b7635 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
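Review bot: the new data/DLA/list entry is dated "[11 May 2020]" and records a concrete jessie fix, "[jessie] - tomcat8 8.0.14-1+deb8u17", even though the commit message calls this a reservation; if the upload has not been accepted yet, readers of the tracker will see jessie as fixed at that version before the package is available, so the entry should be pushed together with, or just after, the upload. The three CVE entries it cites (CVE-2019-17563, CVE-2020-1935, CVE-2020-1938) still carry a cross-reference set without DLA-2209-1 in cc058251 from the same push; both sides need to agree.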
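Review bot: the imlib2 hunk in data/dla-needed.txt removes the claimed entry "imlib2 (Markus Koschany)" with no DLA entry in this push and no reason in the commit message, while the tomcat8 hunk below it is the obvious counterpart of reserving DLA-2209-1 and also drops the dated "NOTE: 20200413: Forwarded patches for review to Abhijith" line. A word on why imlib2 leaves the list (not affected in jessie, fixed elsewhere, reclassified) would save the next reader of the log from reconstructing it from data/CVE/list.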
[Git][security-tracker-team/security-tracker][master] 3 commits: Add new exim4 issue (AUTH bypass in SPA authentication method)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 69db1206 by Salvatore Bonaccorso at 2020-05-11T08:40:14+02:00 Add new exim4 issue (AUTH bypass in SPA authentication method) - - - - - 3f6433de by Salvatore Bonaccorso at 2020-05-11T16:45:02+02:00 CVE-2020-12783/exim4 assigned - - - - - cada380e by Salvatore Bonaccorso at 2020-05-11T16:46:54+02:00 Merge branch exim4-SPA-auth-bypass-bug2571 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,8 @@ +CVE-2020-12783 [Out-of-bound buffer read leads to Authentication Bypass in Exim SPA authentication method] + - exim4 4.93-16 + NOTE: https://bugs.exim.org/show_bug.cgi?id=2571 + NOTE: https://git.exim.org/exim.git/commitdiff/57aa14b216432be381b6295c312065b2fd034f86 + NOTE: https://git.exim.org/exim.git/commitdiff/a04174dc2a84ae1008c23b6a7109e7fa3fb7b8b0 CVE-2020-12772 RESERVED CVE-2020-12767 (exif_entry_get_value in exif-entry.c in libexif 0.6.21 has a divide-by ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1ae5798379cad3e966c1bc26981e0ce6c243b53c...cada380ee1580a57a1d95a6d265639d0d4825f8a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1ae5798379cad3e966c1bc26981e0ce6c243b53c...cada380ee1580a57a1d95a6d265639d0d4825f8a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
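Review bot: the new CVE-2020-12783 entry records the unstable fix "exim4 4.93-16" but carries no "[buster]" or "[stretch]" line, so both stable releases read as affected without any triage note; if that is the intended state, a NOTE saying whether a DSA is planned keeps the entry from looking unreviewed. The two upstream commitdiff links and the exim bug reference are good; a "(bug #NNN)" annotation on the package line, as used for other entries in this file, would complete the cross-references if a Debian bug exists.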
[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-9489/tika as ignored instead of no-dsa
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ae57983 by Utkarsh Gupta at 2020-05-11T19:28:21+05:30 Mark CVE-2020-9489/tika as ignored instead of no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9109,7 +9109,7 @@ CVE-2020-9490 RESERVED CVE-2020-9489 (A carefully crafted or corrupt file may trigger a System.exit in Tika' ...) - tika - [jessie] - tika (the fix is too invasive to backport) + [jessie] - tika (the fix is too invasive to backport) NOTE: https://www.openwall.com/lists/oss-security/2020/04/24/1 CVE-2020-9488 (Improper validation of certificate with host mismatch in Apache Log4j ...) - apache-log4j2 (bug #959450) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ae5798379cad3e966c1bc26981e0ce6c243b53c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ae5798379cad3e966c1bc26981e0ce6c243b53c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
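Review bot: the removed and added lines of this hunk read identically in the rendered mail, "[jessie] - tika (the fix is too invasive to backport)", because the status tag that actually changed (no-dsa to ignored, per the commit message) is written in angle brackets in data/CVE/list and has been stripped as markup here; the change itself matches the rationale text, which already says the fix will not be backported, but anyone auditing from the archive has to open the commit on salsa to confirm what changed.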
[Git][security-tracker-team/security-tracker][master] Fix typo to actually mark CVE-2020-11025/wordpress as not-affected in Jessie
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 372c298b by Utkarsh Gupta at 2020-05-11T19:01:18+05:30 Fix typo to actually mark CVE-2020-11025/wordpress as not-affected in Jessie - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5285,7 +5285,7 @@ CVE-2020-11026 (In affected versions of WordPress, files with a specially crafte CVE-2020-11025 (In affected versions of WordPress, a cross-site scripting (XSS) vulner ...) {DSA-4677-1} - wordpress 5.4.1+dfsg1-1 (bug #959391) - [jessie] - wordress (Vulnerable code not present) + [jessie] - wordpress (Vulnerable code not present) NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4mhg-j6fx-5g3c NOTE: https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates NOTE: https://core.trac.wordpress.org/changeset/47633 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/372c298b82faacd241b53f6e8531f396482b85a0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/372c298b82faacd241b53f6e8531f396482b85a0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
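Review bot: the correction "wordress" to "wordpress" is right, and the commit message spells out the consequence of the typo: the misspelled name matched no source package, so the jessie "(Vulnerable code not present)" annotation was silently ignored and jessie showed as affected. A consistency check that rejects a release annotation naming a package that does not appear on the entry's fixed-version line would catch this class of error at commit time rather than on the tracker pages.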
[Git][security-tracker-team/security-tracker][master] new qutebrowser issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4b74c5b0 by Moritz Muehlenhoff at 2020-05-11T14:56:37+02:00 new qutebrowser issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5157,7 +5157,10 @@ CVE-2020-11056 (In Sprout Forms before 3.9.0, there is a potential Server-Side T CVE-2020-11055 (In BookStack greater than or equal to 0.18.0 and less than 0.29.2, the ...) NOT-FOR-US: BookStack CVE-2020-11054 (In qutebrowser versions less than 1.11.1, reloading a page with certif ...) - TODO: check + - qutebrowser 1.11.1.post1-1 (unimportant) + NOTE: https://github.com/qutebrowser/qutebrowser/issues/5403 + NOTE: https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j + NOTE: Depends on qtwebkit, which is not covered by security support CVE-2020-11053 (In OAuth2 Proxy before 5.1.1, there is an open redirect vulnerability. ...) NOT-FOR-US: OAuth2 Proxy CVE-2020-11052 (In Sorcery before 0.15.0, there is a brute force vulnerability when us ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b74c5b0b2a0bad5cd72ea051330e873ef85c4a3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b74c5b0b2a0bad5cd72ea051330e873ef85c4a3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
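Review bot: the "(unimportant)" rating sits on the unstable line "qutebrowser 1.11.1.post1-1", so it applies to every release, which is what the last NOTE ("Depends on qtwebkit, which is not covered by security support") implies; placing that rationale NOTE before the two URL notes would make the reason visible first, since it is the line a reader checking the rating needs.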
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Holger Levsen pushed to branch master at Debian Security Tracker / security-tracker Commits: 0bb7e9e8 by Holger Levsen at 2020-05-11T13:51:07+02:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Holger Levsen hol...@layer-acht.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -43,7 +43,7 @@ freerdp (Utkarsh Gupta) -- imlib2 (Markus Koschany) -- -libdatetime-timezone-perl (Emilio) +libdatetime-timezone-perl -- libmatio (Adrian Bunk) NOTE: fairly high number of open issues. Not sure why we never had a look at them. @@ -95,7 +95,7 @@ squid3 (Markus Koschany) tomcat8 NOTE: 20200413: Forwarded patches for review to Abhijith -- -tzdata (Emilio) +tzdata -- varnish (Sylvain Beucler) NOTE: 20200410: There was a reworking of the functions in cache_req_fsm.c View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0bb7e9e8c3ee47afe3505329f1b45eccaf82f012 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0bb7e9e8c3ee47afe3505329f1b45eccaf82f012 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
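Review bot: both hunks drop the "(Emilio)" claim from libdatetime-timezone-perl and tzdata without leaving a trace in the file, so nothing records when or why the entries were unclaimed; other entries in data/dla-needed.txt carry dated notes (the second hunk's context shows tomcat8 with "NOTE: 20200413: Forwarded patches for review to Abhijith"), and a "NOTE: 20200511: unclaimed after two weeks of inactivity" line on each would make the inactivity rule auditable and tell the next claimant that no work is known to have started.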
[Git][security-tracker-team/security-tracker][master] new json-c issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4b21874d by Moritz Muehlenhoff at 2020-05-11T13:27:38+02:00 new json-c issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -39,7 +39,11 @@ CVE-2020-12764 (Gnuteca 3.8 allows file.php?folder=/file= Directory Travers CVE-2020-12763 RESERVED CVE-2020-12762 (json-c through 0.14 has an integer overflow and out-of-bounds write vi ...) - TODO: check + - json-c + NOTE: https://github.com/json-c/json-c/pull/592 + NOTE: https://github.com/json-c/json-c/commit/77d935b7ae7871a1940cd827e850e6063044ec45 + NOTE: https://github.com/json-c/json-c/commit/099016b7e8d70a6d5dd814e788bba08d33d48426 + NOTE: https://github.com/json-c/json-c/commit/d07b91014986900a3a75f306d302e13e005e9d67 CVE-2020-12761 (modules/loaders/loader_ico.c in imlib2 1.6.0 has an integer overflow ( ...) - imlib2 (bug #960192) [buster] - imlib2 (Vulnerable code introduced later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b21874d7344c7720cbb4bd5cb24b337e9724c45 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b21874d7344c7720cbb4bd5cb24b337e9724c45 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
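Review bot: the CVE-2020-12762 hunk replaces "TODO: check" with a bare "- json-c" line, meaning no fixed version, no "(bug #NNN)" reference and no per-release annotation, so every release shows as open and unrated; the four NOTE links (pull request 592 and three upstream commits) identify the fix, so recording the first upstream release that contains it and the Debian bug, once filed, is the natural follow-up, and a severity note would help the LTS and stable teams decide whether an update is needed.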
[Git][security-tracker-team/security-tracker][master] one systemd issue unimportant
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ce08d76d by Moritz Muehlenhoff at 2020-05-11T13:00:53+02:00 one systemd issue unimportant add tracking for fex issue mark edk2 issues as ignored for stretch - - - - - 2 changed files: - data/CVE/list - data/next-oldstable-point-update.txt Changes: = data/CVE/list = @@ -13,6 +13,10 @@ CVE-2019-20795 (iproute2 before 5.1.0 has a use-after-free in get_netnsid_from_n [jessie] - iproute2 (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=9bf2c538a0eb10d66e2365a655bf6c52f5ba3d10 (v5.1.0) NOTE: Introduced in: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=86bf43c7c2fdc33d7c021b4a1add1c8facbca51c (v4.15.0) +CVE-2020- [unspecified fexsrv security issue] + - fex 20160919-2 + [buster] - fex 20160919-2~deb10u1 + [stretch] - fex (Non-free not supported) CVE-2020-12771 (An issue was discovered in the Linux kernel through 5.6.11. btree_gc_c ...) - linux NOTE: https://lkml.org/lkml/2020/4/26/87 
@@ -14330,11 +14334,10 @@ CVE-2020-7240 (** DISPUTED ** Meinberg Lantime M300 and M1000 devices allow atta CVE-2020-7239 (The conversation-watson plugin before 0.8.21 for WordPress has a DOM-b ...) NOT-FOR-US: conversation-watson plugin for WordPress CVE-2019-20386 (An issue was discovered in button_open in login/logind-button.c in sys ...) - - systemd 243-5 - [buster] - systemd (Minor issue) - [stretch] - systemd (Minor issue) - [jessie] - systemd (Minor issue) + - systemd 243-5 (unimportant) NOTE: https://github.com/systemd/systemd/commit/b2774a3ae692113e1f47a336a6c09bac9cfb49ad + NOTE: Negligible security impact, requires root or physical access to plug in a device, + NOTE: at which point you can just as well DoS the computer with a hammer instead CVE-2019-20385 (The CSV upload feature in /supervisor/procesa_carga.php on Logaritmo A ...) NOT-FOR-US: Logaritmo Aware CallManager 2012 devices CVE-2019-20384 (Gentoo Portage through 2.3.84 allows local users to place a Trojan hor ...) @@ -46416,13 +46419,13 @@ CVE-2019-14587 RESERVED - edk2 0~20200229.4c0f6e34-1 [buster] - edk2 0~20181115.85588389-3+deb10u1 - [stretch] - edk2 (Minor issue) + [stretch] - edk2 (Minor issue) [jessie] - edk2 (non-free) CVE-2019-14586 RESERVED - edk2 0~20200229.4c0f6e34-1 [buster] - edk2 0~20181115.85588389-3+deb10u1 - [stretch] - edk2 (Minor issue) + [stretch] - edk2 (Minor issue) [jessie] - edk2 (non-free) CVE-2019-14585 RESERVED @@ -46448,7 +46451,7 @@ CVE-2019-14575 [DxeImageVerificationHandler() fails open in case of dbx signatur RESERVED - edk2 0~20200229.4c0f6e34-1 (low; bug #952935) [buster] - edk2 0~20181115.85588389-3+deb10u1 - [stretch] - edk2 (Minor issue) + [stretch] - edk2 (Minor issue) [jessie] - edk2 (non-free) NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 CVE-2019-14574 (Out of bounds read in a subsystem for Intel(R) Graphics Driver version ...) 
@@ -46477,7 +46480,7 @@ CVE-2019-14563 [numeric truncation in MdeModulePkg/PiDxeS3BootScriptLib] RESERVED - edk2 0~20200229.4c0f6e34-1 (low; bug #952934) [buster] - edk2 0~20181115.85588389-3+deb10u1 - [stretch] - edk2 (Minor issue) + [stretch] - edk2 (Minor issue) [jessie] - edk2 (non-free) NOTE: https://github.com/tianocore/edk2/commit/322ac05f8bbc1bce066af1dabd1b70ccdbe28891 NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2001 @@ -46491,7 +46494,7 @@ CVE-2019-14559 [memory leak in ArpOnFrameRcvdDpc] RESERVED - edk2 0~20200229.4c0f6e34-1 (bug #952926; low) [buster] - edk2 0~20181115.85588389-3+deb10u1 - [stretch] - edk2 (Minor issue) + [stretch] - edk2 (Minor issue) [jessie] - edk2 (non-free) NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2550 NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2031 @@ -46499,7 +46502,7 @@ CVE-2019-14558 RESERVED - edk2 0~20200229.4c0f6e34-1 [buster] - edk2 0~20181115.85588389-3+deb10u1 - [stretch] - edk2 (Minor issue) + [stretch] - edk2 (Minor issue) [jessie] - edk2 (non-free) CVE-2019-14557 RESERVED @@ -89779,13 +89782,13 @@ CVE-2019-0162 (Memory access in virtual memory mapping for some microprocessors NOT-FOR-US: F5 CVE-2019-0161 (Stack overflow in XHCI for EDK II may allow an unauthenticated user to ...) - edk2 0~20180803.dd4cae4d-1 (low) - [stretch] - edk2 (Minor issue) + [stretch] - edk2 (Minor issue) [jessie] - edk2
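Review bot: the first hunk files the fex entry under the placeholder id "CVE-2020-" with the description "[unspecified fexsrv security issue]" and no NOTE pointing at an upstream advisory, commit or Debian bug; the fixed versions "20160919-2" and "20160919-2~deb10u1" are recorded, but without any reference the entry cannot be matched to the CVE once one is assigned, and "[stretch] - fex (Non-free not supported)" is the only status line for older releases.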
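Review bot: in the systemd hunk, collapsing the three per-release "(Minor issue)" lines into "(unimportant)" on the unstable line "systemd 243-5" is consistent, since a tag on that line applies to every release, and the two added NOTE lines record the reason (root or physical access required); keeping the upstream commit link above the rationale is fine, but the rationale is the line that justifies removing buster, stretch and jessie from the update queue, so it deserves to stay next to the tag if the entry is reordered later.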
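Review bot: in the six edk2 hunks the removed and added lines are identical in the rendered mail, "[stretch] - edk2 (Minor issue)", because the status tag the commit message says changed (no-dsa to ignored for stretch) is written in angle brackets and was stripped as markup; note also that the reason text "(Minor issue)" is kept unchanged even though the meaning shifts from "not worth a DSA" to "will not be fixed", so the affected entries (CVE-2019-14587, 14586, 14575, 14563, 14559, 14558 and CVE-2019-0161) now carry a rationale that no longer explains their status, and the same pass could have reworded it.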
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Add attributes to recent notes.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 8edf543e by Chris Lamb at 2020-05-11T10:12:08+01:00 data/dla-needed.txt: Add attributes to recent notes. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -55,7 +55,7 @@ libmatio (Adrian Bunk) NOTE: 20190428: is likely vulnerable NOTE: 20190428: some CVE testcases still fail after applying the fix, NOTE: 20190428: older changes seem to also be required for them - NOTE: 20200503: work is ongoing + NOTE: 20200503: work is ongoing (bunk) -- libsixel (Dylan Aïssi) NOTE: 20200416 minor issue(s), not patch(es), yet. 
@@ -75,15 +75,15 @@ nginx NOTE: 20200505: Patch for CVE-2020-11724 appears to be fairly invasive and, alas, no tests. (lamby) -- opendmarc (Thorsten Alteholz) - NOTE: 20200420: still testing package, original patch does not seem to be enough, still ongoing - NOTE: 20200511: new CVEs arrived + NOTE: 20200420: still testing package, original patch does not seem to be enough, still ongoing (thorsten) + NOTE: 20200511: new CVEs arrived (thorsten) -- php5 (Thorsten Alteholz) NOTE: 20200427: embedded software "file" needs fix for CVE-2019-18218 NOTE: 20200511: still trying to determine how this CVE affects php -- qemu (Adrian Bunk) - NOTE: 20200511: work is ongoing + NOTE: 20200511: work is ongoing (bunk) -- salt (Abhijith PA) NOTE: 20200501: Upstream fix for CVE-CVE-2020-11651 causes a regression. Should be fixed too. (Ola) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8edf543e9e24e77321054dd4a6249d45c3b98883 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8edf543e9e24e77321054dd4a6249d45c3b98883 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
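Review bot: in the second hunk the php5 entry, claimed by Thorsten Alteholz just like opendmarc, keeps its two notes ("20200427" and "20200511") unattributed while opendmarc's notes gain "(thorsten)" and qemu's gains "(bunk)"; for the commit to do what its message says, the php5 notes should carry the same attribute, or the attribute of whoever wrote them. In passing, the salt context line reads "CVE-CVE-2020-11651", a doubled prefix worth fixing.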
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: cb6aa8a5 by Moritz Muehlenhoff at 2020-05-11T10:58:37+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27,11 +27,11 @@ CVE-2020-12768 (An issue was discovered in the Linux kernel before 5.6. svm_cpu_ - linux 5.6.7-1 NOTE: https://git.kernel.org/linus/d80b64ff297e40c2b6f7d7abc1b3eba70d22a068 (5.6-rc4) CVE-2020-12766 (Gnuteca 3.8 allows action=main:search:simpleSearch SQL Injection via t ...) - TODO: check + NOT-FOR-US: Gnuteca CVE-2020-12765 (Solis Miolo 2.0 allows index.php?module=installaction=viewit ...) - TODO: check + NOT-FOR-US: Solis Miolo CVE-2020-12764 (Gnuteca 3.8 allows file.php?folder=/file= Directory Traversal. ...) - TODO: check + NOT-FOR-US: Gnuteca CVE-2020-12763 RESERVED CVE-2020-12762 (json-c through 0.14 has an integer overflow and out-of-bounds write vi ...) 
@@ -5145,19 +5145,19 @@ CVE-2020-11058 CVE-2020-11057 RESERVED CVE-2020-11056 (In Sprout Forms before 3.9.0, there is a potential Server-Side Templat ...) - TODO: check + NOT-FOR-US: Sprout Forms CVE-2020-11055 (In BookStack greater than or equal to 0.18.0 and less than 0.29.2, the ...) - TODO: check + NOT-FOR-US: BookStack CVE-2020-11054 (In qutebrowser versions less than 1.11.1, reloading a page with certif ...) TODO: check CVE-2020-11053 (In OAuth2 Proxy before 5.1.1, there is an open redirect vulnerability. ...) - TODO: check + NOT-FOR-US: OAuth2 Proxy CVE-2020-11052 (In Sorcery before 0.15.0, there is a brute force vulnerability when us ...) - TODO: check + NOT-FOR-US: Sorcery CVE-2020-11051 (In Wiki.js before 2.3.81, there is a stored XSS in the Markdown editor ...) NOT-FOR-US: Wiki.js CVE-2020-11050 (In Java-WebSocket less than or equal to 1.4.1, there is an Improper Va ...) - TODO: check + NOT-FOR-US: Java-WebSocket, different from src:websocket-api CVE-2020-11049 (In FreeRDP after 1.1 and before 2.0.0, there is an out-of-bound read o ...) - freerdp2 - freerdp @@ -5337,7 +5337,7 @@ CVE-2020-11008 (Affected versions of Git have a vulnerability whereby Git can be CVE-2020-11007 (In Shopizer before version 2.11.0, using API or Controller based versi ...) NOT-FOR-US: Shopizer CVE-2020-11006 (In Shopizer before version 2.11.0, a script can be injected in various ...) - TODO: check + NOT-FOR-US: Shopizer CVE-2020-11005 (The WindowsHello open source library (NuGet HaemmerElectronics.SeppPen ...) NOT-FOR-US: WindowsHello CVE-2020-11004 (SQL Injection was discovered in Admidio before version 3.3.13. The mai ...) @@ -9566,9 +9566,9 @@ CVE-2020-9317 CVE-2020-9316 RESERVED CVE-2020-9315 (** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** Oracle iPlanet Web Server 7. ...) - TODO: check + NOT-FOR-US: Oracle CVE-2020-9314 (** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** Oracle iPlanet Web Server 7. ...) - TODO: check + NOT-FOR-US: Oracle CVE-2020-9313 RESERVED CVE-2020-9312 
@@ -13144,7 +13144,7 @@ CVE-2020-7805 (An issue was discovered on KT Slim egg IML500 (R7283, R8112, R842 CVE-2020-7804 (ActiveX Control(HShell.dll) in Handy Groupware 1.7.3.1 for Windows 7, ...) NOT-FOR-US: Handy Groupware CVE-2020-7803 (IMGTech Co,Ltd ZInsX.ocx ActiveX Control in Zoneplayer 2.0.1.3, versio ...) - TODO: check + NOT-FOR-US: Zoneplayer CVE-2020-7802 (The Synergy Systems Solutions (SSS) HUSKY RTU 6049-E70, with fir ...) NOT-FOR-US: Synergy Systems & Solutions (SSS) CVE-2020-7801 (The Synergy Systems Solutions (SSS) HUSKY RTU 6049-E70, with fir ...) @@ -15844,9 +15844,9 @@ CVE-2020-6654 CVE-2020-6653 RESERVED CVE-2020-6652 (Incorrect Privilege Assignment vulnerability in Eaton's Intelligent Po ...) - TODO: check + NOT-FOR-US: Eaton CVE-2020-6651 (Improper Input Validation in Eaton's Intelligent Power Manager (IPM) v ...) - TODO: check + NOT-FOR-US: Eaton CVE-2020-6650 (UPS companion software v1.05 Prior is affected by Eval In ...) NOT-FOR-US: UPS companion software CVE-2020-6649 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb6aa8a503f50e0286b19c68e8f0f2a2f55a2c83 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb6aa8a503f50e0286b19c68e8f0f2a2f55a2c83 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
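Review bot: in the second hunk CVE-2020-11054 (qutebrowser) is the one entry deliberately left at "TODO: check", and it is resolved in 4b74c5b0 in the same series; the line "NOT-FOR-US: Java-WebSocket, different from src:websocket-api" is the right way to record why a similarly named Debian source package is not the affected one, and that precedent is worth following whenever a NOT-FOR-US name could be confused with a package in the archive.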
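Review bot: in the CVE-2020-9315/9314 hunk the marker is "NOT-FOR-US: Oracle", which names the vendor rather than the product ("Oracle iPlanet Web Server" per the description), unlike the other NOT-FOR-US lines in this commit which name the product; using the product keeps a grep of data/CVE/list meaningful, since Oracle also ships software that Debian does package.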
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 34abb718 by security tracker role at 2020-05-11T08:10:12+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,5 @@ +CVE-2020-12772 + RESERVED CVE-2020-12767 (exif_entry_get_value in exif-entry.c in libexif 0.6.21 has a divide-by ...) - libexif (bug #960199) [buster] - libexif (Minor issue) @@ -9563,10 +9565,10 @@ CVE-2020-9317 RESERVED CVE-2020-9316 RESERVED -CVE-2020-9315 - RESERVED -CVE-2020-9314 - RESERVED +CVE-2020-9315 (** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** Oracle iPlanet Web Server 7. ...) + TODO: check +CVE-2020-9314 (** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** Oracle iPlanet Web Server 7. ...) + TODO: check CVE-2020-9313 RESERVED CVE-2020-9312 @@ -18347,8 +18349,8 @@ CVE-2020-5540 RESERVED CVE-2020-5539 (GRANDIT Ver.1.6, Ver.2.0, Ver.2.1, Ver.2.2, Ver.2.3, and Ver.3.0 do no ...) NOT-FOR-US: GRANDIT -CVE-2020-5538 - RESERVED +CVE-2020-5538 (Improper Access Control in PALLET CONTROL Ver. 6.3 and earlier allows ...) + TODO: check CVE-2020-5537 RESERVED CVE-2020-5536 (OpenBlocks IoT VX2 prior to Ver.4.0.0 (Ver.3 Series) allows an attacke ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/34abb718ee877704f0eed971ab82e1bb42f78b37 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/34abb718ee877704f0eed971ab82e1bb42f78b37 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
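Review bot: the second hunk's two entries, CVE-2020-9315 and CVE-2020-9314, carry the "** PRODUCT NOT SUPPORTED WHEN ASSIGNED **" marker from the CVE description, which already tells the triager they concern an unsupported vendor product, yet the automatic import still files them as "TODO: check" (cb6aa8a5, later in this series, sets both to NOT-FOR-US by hand); having the import recognise that marker and pre-fill a NOT-FOR-US line would save a manual round on every such entry.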
[Git][security-tracker-team/security-tracker][master] update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 9bf9723e by Thorsten Alteholz at 2020-05-11T08:39:40+02:00 update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -76,9 +76,11 @@ nginx -- opendmarc (Thorsten Alteholz) NOTE: 20200420: still testing package, original patch does not seem to be enough, still ongoing + NOTE: 20200511: new CVEs arrived -- php5 (Thorsten Alteholz) NOTE: 20200427: embedded software "file" needs fix for CVE-2019-18218 + NOTE: 20200511: still trying to determine how this CVE affects php -- qemu (Adrian Bunk) NOTE: 20200511: work is ongoing View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9bf9723e53cc2b53fa98cb90602a92effcf3d20e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9bf9723e53cc2b53fa98cb90602a92effcf3d20e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
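Review bot: the added opendmarc note "20200511: new CVEs arrived" does not say which CVE ids, so the entry cannot be cross-checked against data/CVE/list without digging; the added php5 note refers to "this CVE", which only resolves through the preceding line to CVE-2019-18218, so repeating the id in the new line keeps each NOTE self-contained, which matters because these lines are read one at a time from the dla-needed listing.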