[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-16094 as no-dsa. Move zabbix, lib-phpmailer to dla-needed

2020-07-31 Thread Abhijith PA


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b3cec52e by Abhijith PA at 2020-08-01T10:39:21+05:30
Mark CVE-2020-16094 as no-dsa. Move zabbix, lib-phpmailer to dla-needed

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -337,6 +337,7 @@ CVE-2020-16095 (The dlf (aka Kitodo.Presentation) extension 
before 3.1.2 for TYP
 CVE-2020-16094 (In imap_scan_tree_recursive in Claws Mail through 3.17.6, a 
malicious  ...)
- claws-mail  (bug #966630)
[buster] - claws-mail  (Minor issue)
+   [stretch] - claws-mail  (Minor issue)
NOTE: 
https://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=4313
 CVE-2020-16093
RESERVED
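Review bot: the new [stretch] line is consistent with the [buster] one, but both render here with a double space between `claws-mail` and the parenthesised reason, which is where the tracker's status tag sits in the file (`<no-dsa>` on these two lines, `<unfixed>` on the `- claws-mail` line above them). The angle-bracketed tags were stripped by this mail rendering, not by the commit, so every `package  (reason)` line in this digest should be read with its tag implied.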


=
data/dla-needed.txt
=
@@ -79,6 +79,8 @@ libopenmpt (Utkarsh Gupta)
 libpam-radius-auth (Utkarsh Gupta)
   NOTE: 20200727: WIP. (utkarsh)
 --
+libphp-phpmailer (Abhijith PA)
+--
 linux (Ben Hutchings)
 --
 linux-4.9 (Ben Hutchings)
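Review bot: the package added here is `libphp-phpmailer`, while the commit message says `lib-phpmailer`; the file is right (that is the source package name) and the message carries the typo. The entry is claimed but has no NOTE; a dated note naming the CVE(s) being worked on, like the `NOTE: 20200727: WIP. (utkarsh)` line on the neighbouring libpam-radius-auth entry, saves the next triager a lookup.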
@@ -162,3 +164,5 @@ xcftools
 --
 xrdp
 --
+zabbix
+--
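Review bot: zabbix goes in unclaimed and without any NOTE. dla-needed.txt is the LTS work queue, so the entry should say which open stretch CVE(s) put it there (a `NOTE: 20200731: ...` line), otherwise whoever picks it up has to redo the triage. Alphabetical placement after xrdp at the end of the file is correct.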



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b3cec52e4598125a25145b126ba9a9f066d99bab

You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] Reserve DLA-2303-1 for libssh

2020-07-31 Thread Markus Koschany


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
23207fbd by Markus Koschany at 2020-07-31T23:54:23+02:00
Reserve DLA-2303-1 for libssh

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[31 Jul 2020] DLA-2303-1 libssh - security update
+   {CVE-2020-16135}
+   [stretch] - libssh 0.7.3-2+deb9u3
 [31 Jul 2020] DLA-2302-1 libjpeg-turbo - security update
{CVE-2018-1152 CVE-2018-14498 CVE-2020-13790 CVE-2020-14152}
[stretch] - libjpeg-turbo 1:1.5.1-2+deb9u1
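Review bot: once this entry lands the tracker reports CVE-2020-16135 as fixed in stretch at 0.7.3-2+deb9u3, so it should only be committed together with, or after, the accepted upload. The CVE text quoted elsewhere in this digest names libssh 0.9.4 and a NULL pointer dereference when `ssh_buffer_new` fails in tftpserver.c; worth double-checking that the 0.7.x tree in stretch has the same unchecked allocation, since the DLA text inherits the CVE description.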


=
data/dla-needed.txt
=
@@ -79,8 +79,6 @@ libopenmpt (Utkarsh Gupta)
 libpam-radius-auth (Utkarsh Gupta)
   NOTE: 20200727: WIP. (utkarsh)
 --
-libssh (Markus Koschany)
---
 linux (Ben Hutchings)
 --
 linux-4.9 (Ben Hutchings)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/23207fbd62ef079e393d8f45e125457a2b5f8017


[Git][security-tracker-team/security-tracker][master] Process NFUs

2020-07-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
05da1489 by Salvatore Bonaccorso at 2020-07-31T22:17:26+02:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2597,7 +2597,7 @@ CVE-2020-15130 (In SLPJS (npm package slpjs) before 
version 0.27.4, there is a v
 CVE-2020-15129 (In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there 
exists  ...)
NOT-FOR-US: Traefik
 CVE-2020-15128 (In OctoberCMS before version 1.0.468, encrypted cookie values 
were not ...)
-   TODO: check
+   NOT-FOR-US: October CMS
 CVE-2020-15127
RESERVED
 CVE-2020-15126 (In parser-server from version 3.5.0 and before 4.3.0, an 
authenticated ...)
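Review bot: `NOT-FOR-US: October CMS` here versus `OctoberCMS` in the CVE description; the NFU text is what people grep for when the next OctoberCMS CVE arrives, so matching the spelling used by the CVE text (and by any earlier entries) keeps later triage consistent.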
@@ -3942,7 +3942,7 @@ CVE-2020-14522
 CVE-2020-14521
RESERVED
 CVE-2020-14520 (The affected product is vulnerable to an information leak, 
which may a ...)
-   TODO: check
+   NOT-FOR-US: Inductive Automation Ignition
 CVE-2020-14519
RESERVED
 CVE-2020-14518
@@ -10331,7 +10331,7 @@ CVE-2020-12083
 CVE-2020-12082
RESERVED
 CVE-2020-12081 (An information disclosure vulnerability has been identified in 
FlexNet ...)
-   TODO: check
+   NOT-FOR-US: FlexNet Publisher lmadmin.exe
 CVE-2020-12080
RESERVED
 CVE-2019-20788 (libvncclient/cursor.c in LibVNCServer through 0.9.12 has a 
HandleCurso ...)
@@ -18957,9 +18957,9 @@ CVE-2020-9251 (HUAWEI Mate 20 smartphones with versions 
earlier than 10.1.0.160(
 CVE-2020-9250
RESERVED
 CVE-2020-9249 (HUAWEI P30 smartphones with versions earlier than 
10.1.0.160(C00E160R2 ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2020-9248 (Huawei FusionComput 8.0.0 have an improper authorization 
vulnerability ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2020-9247
RESERVED
 CVE-2020-9246



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/05da14893a469059547694eead038a52962adfe1


[Git][security-tracker-team/security-tracker][master] ark DSA

2020-07-31 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
87b2fd82 by Moritz Muehlenhoff at 2020-07-31T22:14:11+02:00
ark DSA

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[31 Jul 2020] DSA-4738-1 ark - security update
+   {CVE-2020-16116}
+   [buster] - ark 4:18.08.3-1+deb10u1
 [30 Jul 2020] DSA-4735-2 grub2 - regression update
[buster] - grub2 2.02+dfsg1-20+deb10u2
 [29 Jul 2020] DSA-4737-1 xrdp - security update


=
data/dsa-needed.txt
=
@@ -11,8 +11,6 @@ To pick an issue, simply add your uid behind it.
 
 If needed, specify the release by adding a slash after the name of the source 
package.
 
---
-ark (jmm)
 --
 chromium
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/87b2fd8220aaaeafa373412f268291c4b74cbf30


[Git][security-tracker-team/security-tracker][master] automatic update

2020-07-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1ba4106e by security tracker role at 2020-07-31T20:10:56+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,121 @@
+CVE-2020-16254
+   RESERVED
+CVE-2020-16253
+   RESERVED
+CVE-2020-16252
+   RESERVED
+CVE-2020-16251
+   RESERVED
+CVE-2020-16250
+   RESERVED
+CVE-2020-16249
+   RESERVED
+CVE-2020-16248
+   RESERVED
+CVE-2020-16247
+   RESERVED
+CVE-2020-16246
+   RESERVED
+CVE-2020-16245
+   RESERVED
+CVE-2020-16244
+   RESERVED
+CVE-2020-16243
+   RESERVED
+CVE-2020-16242
+   RESERVED
+CVE-2020-16241
+   RESERVED
+CVE-2020-16240
+   RESERVED
+CVE-2020-16239
+   RESERVED
+CVE-2020-16238
+   RESERVED
+CVE-2020-16237
+   RESERVED
+CVE-2020-16236
+   RESERVED
+CVE-2020-16235
+   RESERVED
+CVE-2020-16234
+   RESERVED
+CVE-2020-16233
+   RESERVED
+CVE-2020-16232
+   RESERVED
+CVE-2020-16231
+   RESERVED
+CVE-2020-16230
+   RESERVED
+CVE-2020-16229
+   RESERVED
+CVE-2020-16228
+   RESERVED
+CVE-2020-16227
+   RESERVED
+CVE-2020-16226
+   RESERVED
+CVE-2020-16225
+   RESERVED
+CVE-2020-16224
+   RESERVED
+CVE-2020-16223
+   RESERVED
+CVE-2020-16222
+   RESERVED
+CVE-2020-16221
+   RESERVED
+CVE-2020-16220
+   RESERVED
+CVE-2020-16219
+   RESERVED
+CVE-2020-16218
+   RESERVED
+CVE-2020-16217
+   RESERVED
+CVE-2020-16216
+   RESERVED
+CVE-2020-16215
+   RESERVED
+CVE-2020-16214
+   RESERVED
+CVE-2020-16213
+   RESERVED
+CVE-2020-16212
+   RESERVED
+CVE-2020-16211
+   RESERVED
+CVE-2020-16210
+   RESERVED
+CVE-2020-16209
+   RESERVED
+CVE-2020-16208
+   RESERVED
+CVE-2020-16207
+   RESERVED
+CVE-2020-16206
+   RESERVED
+CVE-2020-16205
+   RESERVED
+CVE-2020-16204
+   RESERVED
+CVE-2020-16203
+   RESERVED
+CVE-2020-16202
+   RESERVED
+CVE-2020-16201
+   RESERVED
+CVE-2020-16200
+   RESERVED
+CVE-2020-16199
+   RESERVED
+CVE-2020-16198
+   RESERVED
+CVE-2020-16197
+   RESERVED
+CVE-2020-16196
+   RESERVED
 CVE-2020-16195
RESERVED
 CVE-2020-16194
@@ -117,8 +235,8 @@ CVE-2020-16138
RESERVED
 CVE-2020-16137
RESERVED
-CVE-2020-16136
-   RESERVED
+CVE-2020-16136 (In tgstation-server 4.4.0 and 4.4.1, an authenticated user 
with permis ...)
+   TODO: check
 CVE-2020-16135 (libssh 0.9.4 has a NULL pointer dereference in tftpserver.c if 
ssh_buf ...)
- libssh  (bug #966560)
NOTE: https://bugs.libssh.org/T232
@@ -2466,10 +2584,10 @@ CVE-2020-15136
RESERVED
 CVE-2020-15135
RESERVED
-CVE-2020-15134
-   RESERVED
-CVE-2020-15133
-   RESERVED
+CVE-2020-15134 (Faye before version 1.4.0, there is a lack of certification 
validation ...)
+   TODO: check
+CVE-2020-15133 (In faye-websocket before version 0.11.0, there is a lack of 
certificat ...)
+   TODO: check
 CVE-2020-15132
RESERVED
 CVE-2020-15131 (In SLP Validate (npm package slp-validate) before version 
1.2.2, there ...)
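Review bot: both Faye entries are left at `TODO: check`. Before resolving them as npm-only NFUs, check the archive for the Ruby gems: the faye-websocket library is shipped in Debian as `ruby-faye-websocket`, which would make CVE-2020-15133 a real package entry rather than NOT-FOR-US, and CVE-2020-15134 needs the same check for a `ruby-faye` package.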
@@ -2478,8 +2596,8 @@ CVE-2020-15130 (In SLPJS (npm package slpjs) before 
version 0.27.4, there is a v
NOT-FOR-US: Node slpjs
 CVE-2020-15129 (In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there 
exists  ...)
NOT-FOR-US: Traefik
-CVE-2020-15128
-   RESERVED
+CVE-2020-15128 (In OctoberCMS before version 1.0.468, encrypted cookie values 
were not ...)
+   TODO: check
 CVE-2020-15127
RESERVED
 CVE-2020-15126 (In parser-server from version 3.5.0 and before 4.3.0, an 
authenticated ...)
@@ -3823,8 +3941,8 @@ CVE-2020-14522
RESERVED
 CVE-2020-14521
RESERVED
-CVE-2020-14520
-   RESERVED
+CVE-2020-14520 (The affected product is vulnerable to an information leak, 
which may a ...)
+   TODO: check
 CVE-2020-14519
RESERVED
 CVE-2020-14518
@@ -4551,16 +4669,14 @@ CVE-2020-14339 [leak of /dev/mapper/control into QEMU 
guests]
NOTE: Proposed patch: 
https://www.redhat.com/archives/libvir-list/2020-July/msg01501.html
 CVE-2020-14338
RESERVED
-CVE-2020-14337
-   RESERVED
+CVE-2020-14337 (A data exposure flaw was found in Tower, where sensitive data 
was reve ...)
NOT-FOR-US: Ansible Tower
 CVE-2020-14336
RESERVED
NOT-FOR-US: OpenShift
 CVE-2020-14335
RESERVED
-CVE-2020-14334
-   RESERVED
+CVE-2020-14334 (A flaw was found in Red Hat Satellite 6 which allows 
privileged attack ...)
- foreman  (bug #663101)
 CVE-2020-14333
RESERVED
@@ -5026,6 +5142,7 @@ CVE-2020-14153 (In IJG JPEG (aka libjpeg) before 9d, 
jdhuff.c has an out-of-boun
- libjpeg-turbo  (Vulnerable code not present; 
problematic condition cannot be reached)
NOTE: 

[Git][security-tracker-team/security-tracker][master] Process NFUs

2020-07-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f8f3f8f0 by Salvatore Bonaccorso at 2020-07-31T21:29:15+02:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -27642,11 +27642,11 @@ CVE-2020-5616
 CVE-2020-5615
RESERVED
 CVE-2020-5614 (Directory traversal vulnerability in KonaWiki 3.1.0 and earlier 
allows ...)
-   TODO: check
+   NOT-FOR-US: KonaWiki
 CVE-2020-5613 (Cross-site scripting vulnerability in KonaWiki 3.1.0 and 
earlier allow ...)
-   TODO: check
+   NOT-FOR-US: KonaWiki
 CVE-2020-5612 (Cross-site scripting vulnerability in KonaWiki 2.2.0 and 
earlier allow ...)
-   TODO: check
+   NOT-FOR-US: KonaWiki
 CVE-2020-5611 (Cross-site request forgery (CSRF) vulnerability in Social 
Sharing Plug ...)
NOT-FOR-US: Social Sharing Plugin for WordPress
 CVE-2020-5610 (Global TechStream (GTS) for TOYOTA dealers version 15.10.032 
and earli ...)
@@ -31999,23 +31999,23 @@ CVE-2019-20035
 CVE-2019-20034
RESERVED
 CVE-2019-20033 (On Aspire-derived NEC PBXes, including all versions of SV8100 
devices, ...)
-   TODO: check
+   NOT-FOR-US: NEC devices
 CVE-2019-20032 (An attacker with access to an InMail voicemail box equipped 
with the f ...)
-   TODO: check
+   NOT-FOR-US: NEC devices
 CVE-2019-20031 (NEC UM8000, UM4730 and prior non-InMail voicemail systems with 
all kno ...)
-   TODO: check
+   NOT-FOR-US: NEC devices
 CVE-2019-20030 (An attacker with knowledge of the modem access number on a NEC 
UM8000  ...)
-   TODO: check
+   NOT-FOR-US: NEC devices
 CVE-2019-20029 (An exploitable privilege escalation vulnerability exists in 
the WebPro ...)
-   TODO: check
+   NOT-FOR-US: NEC devices
 CVE-2019-20028 (Aspire-derived NEC PBXes operating InMail software, including 
all vers ...)
-   TODO: check
+   NOT-FOR-US: NEC devices
 CVE-2019-20027 (Aspire-derived NEC PBXes, including the SV8100, SV9100, SL1100 
and SL2 ...)
-   TODO: check
+   NOT-FOR-US: NEC devices
 CVE-2019-20026 (The WebPro interface in NEC SV9100 software releases 7.0 or 
higher all ...)
-   TODO: check
+   NOT-FOR-US: NEC devices
 CVE-2019-20025 (Certain builds of NEC SV9100 software could allow an 
unauthenticated,  ...)
-   TODO: check
+   NOT-FOR-US: NEC devices
 CVE-2019-20024 (A heap-based buffer overflow was discovered in 
image_buffer_resize in  ...)
- libsixel 1.8.6-1 (low; bug #948103)
[buster] - libsixel  (Minor issue)
@@ -33814,11 +33814,11 @@ CVE-2020-3464
 CVE-2020-3463
RESERVED
 CVE-2020-3462 (A vulnerability in the web-based management interface of Cisco 
Data Ce ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2020-3461 (A vulnerability in the web-based management interface of Cisco 
Data Ce ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2020-3460 (A vulnerability in the web-based management interface of Cisco 
Data Ce ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2020-3459
RESERVED
 CVE-2020-3458
@@ -33966,15 +33966,15 @@ CVE-2020-3388 (A vulnerability in the CLI of Cisco 
SD-WAN vManage Software could
 CVE-2020-3387 (A vulnerability in Cisco SD-WAN vManage Software could allow an 
authen ...)
NOT-FOR-US: Cisco
 CVE-2020-3386 (A vulnerability in the REST API endpoint of Cisco Data Center 
Network  ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2020-3385 (A vulnerability in the deep packet inspection (DPI) engine of 
Cisco SD ...)
NOT-FOR-US: Cisco
 CVE-2020-3384 (A vulnerability in specific REST API endpoints of Cisco Data 
Center Ne ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2020-3383 (A vulnerability in the archive utility of Cisco Data Center 
Network Ma ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2020-3382 (A vulnerability in the REST API of Cisco Data Center Network 
Manager ( ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2020-3381 (A vulnerability in the web management interface of Cisco SD-WAN 
vManag ...)
NOT-FOR-US: Cisco
 CVE-2020-3380 (A vulnerability in the CLI of Cisco Data Center Network Manager 
(DCNM) ...)
@@ -33984,13 +33984,13 @@ CVE-2020-3379 (A vulnerability in Cisco SD-WAN 
Solution Software could allow an
 CVE-2020-3378 (A vulnerability in the web-based management interface for Cisco 
SD-WAN ...)
NOT-FOR-US: Cisco
 CVE-2020-3377 (A vulnerability in the Device Manager application of Cisco Data 
Center ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2020-3376 (A vulnerability in the Device Manager application of Cisco Data 
Center ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2020-3375 (A vulnerability in Cisco SD-WAN Solution Software could allow 
an unaut ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2020-3374 (A vulnerability in the web-based management 

[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-9488/apache-log4j2 as no-dsa

2020-07-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
eb3289f1 by Salvatore Bonaccorso at 2020-07-31T21:00:39+02:00
Mark CVE-2020-9488/apache-log4j2 as no-dsa

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -18179,6 +18179,7 @@ CVE-2020-9489 (A carefully crafted or corrupt file may 
trigger a System.exit in
NOTE: https://www.openwall.com/lists/oss-security/2020/04/24/1
 CVE-2020-9488 (Improper validation of certificate with host mismatch in Apache 
Log4j  ...)
- apache-log4j2  (bug #959450)
+   [buster] - apache-log4j2  (Minor issue)
[jessie] - apache-log4j2  (Minor issue; set 
mail.smtp.ssl.checkserveridentity to true to enable hostname verification)
NOTE: https://www.openwall.com/lists/oss-security/2020/04/25/1
NOTE: https://issues.apache.org/jira/browse/LOG4J2-2819
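Review bot: buster is marked no-dsa, but there is no [stretch] line at all, so the tracker keeps listing stretch as open for CVE-2020-9488 until the LTS team triages it; if the reasoning is the same as for jessie, a `[stretch] - apache-log4j2 <no-dsa> (Minor issue)` line belongs here too. The jessie entry also records the mitigation (set `mail.smtp.ssl.checkserveridentity` to true to enable hostname verification); copying that into the buster reason would make the no-dsa rationale self-explanatory.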



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb3289f18cfd51baca82ee633a11d05651d348ad


[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-16094/claws-mail

2020-07-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bfb7dd64 by Salvatore Bonaccorso at 2020-07-31T20:54:48+02:00
Add Debian bug reference for CVE-2020-16094/claws-mail

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -217,7 +217,7 @@ CVE-2020-16096
 CVE-2020-16095 (The dlf (aka Kitodo.Presentation) extension before 3.1.2 for 
TYPO3 all ...)
NOT-FOR-US: dlf for TYPO3
 CVE-2020-16094 (In imap_scan_tree_recursive in Claws Mail through 3.17.6, a 
malicious  ...)
-   - claws-mail 
+   - claws-mail  (bug #966630)
[buster] - claws-mail  (Minor issue)
NOTE: 
https://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=4313
 CVE-2020-16093



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bfb7dd645ecdc0db768b36a4cf28a2f159e8afd8


[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-16094/claws-mail as no-dsa for buster

2020-07-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
74c5a15b by Salvatore Bonaccorso at 2020-07-31T20:48:56+02:00
Mark CVE-2020-16094/claws-mail as no-dsa for buster

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -218,6 +218,7 @@ CVE-2020-16095 (The dlf (aka Kitodo.Presentation) extension 
before 3.1.2 for TYP
NOT-FOR-US: dlf for TYPO3
 CVE-2020-16094 (In imap_scan_tree_recursive in Claws Mail through 3.17.6, a 
malicious  ...)
- claws-mail 
+   [buster] - claws-mail  (Minor issue)
NOTE: 
https://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=4313
 CVE-2020-16093
RESERVED



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/74c5a15bd6f5dd068ca0becaac38168b5e80f99e


[Git][security-tracker-team/security-tracker][master] Add CVE-2020-14347/xorg-server

2020-07-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bc4a9322 by Salvatore Bonaccorso at 2020-07-31T20:18:35+02:00
Add CVE-2020-14347/xorg-server

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4508,8 +4508,11 @@ CVE-2020-14349
RESERVED
 CVE-2020-14348
RESERVED
-CVE-2020-14347
+CVE-2020-14347 [X Server Pixel Data Uninitialized Memory Information 
Disclosure]
RESERVED
+   - xorg-server 
+   NOTE: https://lists.x.org/archives/xorg-announce/2020-July/003051.html
+   NOTE: 
https://gitlab.freedesktop.org/xorg/xserver/-/commit/aac28e162e5108510065ad4c323affd6deffd816
 CVE-2020-14346
RESERVED
 CVE-2020-14345
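Review bot: the entry keeps `RESERVED` and puts the issue title in brackets, which is the tracker's convention while MITRE has no description; the upstream announcement and the fix commit (aac28e162e51) are both referenced, but there is no Debian bug reference yet and no [buster]/[stretch] assessment, so the CVE shows as open in every suite until that triage follows.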



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc4a932287d1699059b58a9fade238c868e13c26


[Git][security-tracker-team/security-tracker][master] Add CVE-2020-14344/libx11

2020-07-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9f44724a by Salvatore Bonaccorso at 2020-07-31T20:15:41+02:00
Add CVE-2020-14344/libx11

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4514,8 +4514,15 @@ CVE-2020-14346
RESERVED
 CVE-2020-14345
RESERVED
-CVE-2020-14344
-   RESERVED
+CVE-2020-14344 [Heap corruption in the X input method client in libX11]
+   RESERVED
+   - libx11 
+   NOTE: https://lists.x.org/archives/xorg-announce/2020-July/003050.html
+   NOTE: 
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/0e6561efcfaa0ae7b5c74eac7e064b76d687544e
+   NOTE: 
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/388b303c62aa35a245f1704211a023440ad2c488
+   NOTE: 
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/2fcfcc49f3b1be854bb9085993a01d17c62acf60
+   NOTE: 
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1a566c9e00e5f35c1f9e7f3d741a02e5170852b2
+   NOTE: 
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1703b9f3435079d3c6021e1ee2ec34fd4978103d
 CVE-2020-14343 [.load() and FullLoader still vulnerable to fairly trivial RCE]
RESERVED
- pyyaml  (bug #966233)
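Review bot: five upstream commits are listed for CVE-2020-14344 with no indication of which are the fix proper and which are follow-ups; a backport to buster or stretch needs all of them applied in order, so a short NOTE saying so, or naming the upstream release that bundles them (the announcement in the first NOTE), would spare the uploader from guessing. As with the xorg-server entry in this digest, there is no bug reference or per-release assessment yet.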



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f44724a8902981260f58aeea9fee89f1039bfa3


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2302-1 for libjpeg-turbo

2020-07-31 Thread Adrian Bunk


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
564cff24 by Adrian Bunk at 2020-07-31T20:28:09+03:00
Reserve DLA-2302-1 for libjpeg-turbo

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -6051,7 +6051,6 @@ CVE-2020-13791 (hw/pci/pci.c in QEMU 4.2.0 allows guest 
OS users to trigger an o
 CVE-2020-13790 (libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based 
buffer over-r ...)
- libjpeg-turbo 1:2.0.5-1 (bug #962829)
[buster] - libjpeg-turbo  (Minor issue)
-   [stretch] - libjpeg-turbo  (Minor issue)
[jessie] - libjpeg-turbo  (No package in Debian jessie uses 
the TurboJPEG API)
NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/433
NOTE: 
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/1bfb0b5247f4fc8f6677639781ce468543490216
 (1.5.x)
@@ -112364,7 +112363,6 @@ CVE-2018-14498 (get_8bit_row in rdbmp.c in 
libjpeg-turbo through 1.5.90 and MozJ
{DLA-1719-1}
- libjpeg-turbo 1:2.0.5-1 (low; bug #924678)
[buster] - libjpeg-turbo  (Minor issue)
-   [stretch] - libjpeg-turbo  (Minor issue)
- mozjpeg  (bug #741487)
NOTE: 
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9c78a04df4e44ef6487eee99c4258397f4fdca55
NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/258
@@ -150090,7 +150088,6 @@ CVE-2018-1152 (libjpeg-turbo 1.5.90 is vulnerable to 
a denial of service vulnera
{DLA-1638-1}
- libjpeg-turbo 1:2.0.5-1 (low; bug #902950)
[buster] - libjpeg-turbo  (Minor issue)
-   [stretch] - libjpeg-turbo  (Minor issue)
NOTE: 
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/43e84cff1bb2bd8293066f6ac4eb0df61bc6
 CVE-2018-1151 (The web server on Western Digital TV Media Player 1.03.07 and 
TV Live  ...)
NOT-FOR-US: web server on Western Digital TV Media Player and TV Live 
Hub
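Review bot: the DLA covers four CVEs (CVE-2018-1152, CVE-2018-14498, CVE-2020-13790, CVE-2020-14152) but this hunk drops a `[stretch] - libjpeg-turbo  (Minor issue)` no-dsa line for only three of them; confirm that CVE-2020-14152 never had a stretch no-dsa line, because a leftover one would contradict the new DLA entry. Dropping the stretch no-dsa lines is the right move once the DLA fixes the issues; the jessie line for CVE-2020-13790 correctly stays, since jessie is not covered by this update.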


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[31 Jul 2020] DLA-2302-1 libjpeg-turbo - security update
+   {CVE-2018-1152 CVE-2018-14498 CVE-2020-13790 CVE-2020-14152}
+   [stretch] - libjpeg-turbo 1:1.5.1-2+deb9u1
 [30 Jul 2020] DLA-2301-1 json-c - security update
{CVE-2020-12762}
[stretch] - json-c 0.12.1-1.1+deb9u1


=
data/dla-needed.txt
=
@@ -73,9 +73,6 @@ jruby (Adrian Bunk)
 jupyter-notebook
   NOTE: 20200711: Vulnerable to (at least) CVE-2018-19351. (lamby)
 --
-libjpeg-turbo (Adrian Bunk)
-  NOTE: 20200727: work is ongoing (bunk)
---
 libopenmpt (Utkarsh Gupta)
   NOTE: 20200727: WIP. (utkarsh)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/564cff24bb951d740731a44a239d9ac253cec77d


[Git][security-tracker-team/security-tracker][master] CVE-2019-2201: Add note that the description is wrong

2020-07-31 Thread Adrian Bunk


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
28343f07 by Adrian Bunk at 2020-07-31T19:31:01+03:00
CVE-2019-2201: Add note that the description is wrong

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -93057,6 +93057,8 @@ CVE-2019-2201 (In generate_jsimd_ycc_rgb_convert_neon 
of jsimd_arm64_neon.S, the
NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/361
NOTE: 
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/2a9e3bd7430cfda1bc812d139e0609c6aca0b884
NOTE: 
https://github.com/clearlinux-pkgs/libjpeg-turbo/commit/0a5d06c3dd4a64754d7e6ffa081fd9132714f74c
+   NOTE: The description text is wrong, this CVE is about gigapixel images 
 not ARM NEON SIMD code.
+   NOTE: See https://bugs.gentoo.org/show_bug.cgi?id=CVE-2019-2201#c12
 CVE-2019-2200 (In updatePermissions of PermissionManagerService.java, it may 
be possi ...)
NOT-FOR-US: Android
 CVE-2019-2199 (In createSessionInternal of PackageInstallerService.java, there 
is a p ...)
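Review bot: the added NOTE disputes the MITRE description (gigapixel images rather than the ARM NEON SIMD path named in the text) and points at the Gentoo bug comment as evidence. That is useful locally, but the wrong text is what every downstream copies, so it is worth also requesting a description update from MITRE and recording that in a further NOTE once sent.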



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/28343f0767bad1127718f347fe5ca379b6af80ad


[Git][security-tracker-team/security-tracker][master] Triage stretch

2020-07-31 Thread Abhijith PA


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
29a58e4c by Abhijith PA at 2020-07-31T20:48:18+05:30
Triage stretch

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -161,6 +161,7 @@ CVE-2020-16119
 CVE-2020-16118 (In GNOME Balsa before 2.6.0, a malicious server operator or 
man in the ...)
- balsa 2.6.0-1
[buster] - balsa  (Minor issue)
+   [stretch] - balsa  (Minor issue)
NOTE: 
https://gitlab.gnome.org/GNOME/balsa/-/commit/4e245d758e1c826a01080d40c22ca8706f0339e5
NOTE: https://gitlab.gnome.org/GNOME/balsa/-/issues/23
 CVE-2020-16117 (In GNOME evolution-data-server before 3.35.91, a malicious 
server can  ...)


=
data/dla-needed.txt
=
@@ -112,12 +112,17 @@ puma
 --
 python2.7 (Thorsten Alteholz)
 --
+qemu
+--
 ruby-kramdown (Abhijith PA)
 --
 ruby-zip
   NOTE: 20200710: Vulnerable to at least CVE-2018-1000544. (lamby)
   NOTE: 20200710: Was fixed in jessie LTS via DLA-1467-1. (lamby)
 --
+sane-backends
+  NOTE: 20200731: Most issues either fixed or  in jessie. 
(abhijith)
+--
 samba (Roberto C. Sánchez)
   NOTE: 20200703: Check with security team so that there's no clash for 
Stretch update. (utkarsh)
 --
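Review bot: sane-backends is inserted before samba, but dla-needed.txt is kept alphabetical and `samba` sorts before `sane-backends`; move the new block below samba. The qemu entry has no NOTE at all, and the sane-backends NOTE reads `either fixed or  in jessie` with a status tag stripped by the mail rendering; both entries would be clearer with the CVE(s) that put them on the stretch list, especially since the sane-backends note describes the jessie state rather than stretch.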



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29a58e4c62d1ffabedadc110a203bb3d83d3fa9a


[Git][security-tracker-team/security-tracker][master] Update note in dla-needed.txt

2020-07-31 Thread Abhijith PA


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b8b44b56 by Abhijith PA at 2020-07-31T20:40:52+05:30
Update note in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -22,6 +22,7 @@ ansible
   NOTE: 20200508: bam: See https://github.com/ansible/ansible/issues/67794
 --
 ark (Abhijith PA)
+  NOTE: 20200731: given PoC not working as intended. (abhijith)
 --
 cacti
   NOTE: 20200529: A patch need to be cooked up. Upstream patch not fit for 
jessie version (abhijith)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b8b44b56cdb0e8dff5b3fc9226350fd5dfb6c523


[Git][security-tracker-team/security-tracker][master] NFUs

2020-07-31 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fd6fa804 by Moritz Muehlenhoff at 2020-07-31T14:53:05+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -232,7 +232,7 @@ CVE-2020-16090
 CVE-2020-16089
RESERVED
 CVE-2020-16088 (iked in OpenIKED, as used in OpenBSD through 6.7, allows 
authenticatio ...)
-   TODO: check
+   NOT-FOR-US: OpenIKED
 CVE-2020-16087
RESERVED
 CVE-2020-16086
@@ -2471,9 +2471,9 @@ CVE-2020-15133
 CVE-2020-15132
RESERVED
 CVE-2020-15131 (In SLP Validate (npm package slp-validate) before version 
1.2.2, there ...)
-   TODO: check
+   NOT-FOR-US: Node slp-validate
 CVE-2020-15130 (In SLPJS (npm package slpjs) before version 0.27.4, there is a 
vulnera ...)
-   TODO: check
+   NOT-FOR-US: Node slpjs
 CVE-2020-15129 (In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there 
exists  ...)
NOT-FOR-US: Traefik
 CVE-2020-15128
@@ -2483,7 +2483,7 @@ CVE-2020-15127
 CVE-2020-15126 (In parser-server from version 3.5.0 and before 4.3.0, an 
authenticated ...)
NOT-FOR-US: Node parser-server
 CVE-2020-15125 (In auth0 (npm package) versions before 2.27.1, a DenyList of 
specific  ...)
-   TODO: check
+   NOT-FOR-US: Node auth0
 CVE-2020-15124 (In Goobi Viewer Core before version 4.8.3, a path traversal 
vulnerabil ...)
NOT-FOR-US: Goobi Viewer Core
 CVE-2020-15123 (In codecov (npm package) before version 3.7.1 the upload 
method has a  ...)
@@ -21204,7 +21204,7 @@ CVE-2020-8217 (A cross site scripting (XSS) 
vulnerability in Pulse Connect Secur
 CVE-2020-8216 (An information disclosure vulnerability in meeting of Pulse 
Connect Se ...)
NOT-FOR-US: Pulse
 CVE-2020-8215 (A buffer overflow is present in canvas version = 1.6.9, 
which coul ...)
-   TODO: check
+   NOT-FOR-US: Node canvas
 CVE-2020-8214 (A path traversal vulnerability in servey version  3 allows 
an atta ...)
NOT-FOR-US: servey
 CVE-2020-8213 (An information exposure vulnerability exists in UniFi Protect 
v1.13.3  ...)
@@ -21233,7 +21233,7 @@ CVE-2020-8203 (Prototype pollution attack when using 
_.zipObjectDeep in lodash &
[stretch] - node-lodash  (Nodejs in stretch not covered by 
security support)
NOTE: https://hackerone.com/reports/712065
 CVE-2020-8202 (Improper check of inputs in Nextcloud Preferred Providers app 
v1.6.0 a ...)
-   TODO: check
+   NOT-FOR-US: Nextcloud Preferred Providers app
 CVE-2020-8201
RESERVED
 CVE-2020-8200
@@ -21253,7 +21253,7 @@ CVE-2020-8194 (Reflected code injection in Citrix ADC 
and Citrix Gateway version
 CVE-2020-8193 (Improper access control in Citrix ADC and Citrix Gateway 
versions befo ...)
NOT-FOR-US: Citrix
 CVE-2020-8192 (A denial of service vulnerability exists in Fastify v2.14.1 and 
v3.0.0 ...)
-   TODO: check
+   NOT-FOR-US: Node fastify
 CVE-2020-8191 (Improper input validation in Citrix ADC and Citrix Gateway 
versions be ...)
NOT-FOR-US: Citrix
 CVE-2020-8190 (Incorrect file permissions in Citrix ADC and Citrix Gateway 
before ver ...)
@@ -21297,7 +21297,7 @@ CVE-2020-8177
 CVE-2020-8176 (A cross-site scripting vulnerability exists in koa-shopify-auth 
v3.1.6 ...)
NOT-FOR-US: koa-shopify-auth
 CVE-2020-8175 (Uncontrolled resource consumption in `jpeg-js` before 0.4.0 may 
allow  ...)
-   TODO: check
+   NOT-FOR-US: Node jimp
 CVE-2020-8174 (napi_get_value_string_*() allows various kinds of memory 
corruption in ...)
{DSA-4696-1}
- nodejs 10.21.0~dfsg-1 (bug #962145)
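Review bot: the NOT-FOR-US label for CVE-2020-8175 names `Node jimp`, while the CVE text names `jpeg-js`; unless the intent is to track the dependent package, the label should name the package the CVE describes, i.e. `NOT-FOR-US: Node jpeg-js`, so that searches for the affected package find this entry.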
@@ -22551,7 +22551,7 @@ CVE-2020-7701
 CVE-2020-7700
RESERVED
 CVE-2020-7699 (This affects the package express-fileupload before 1.1.8. If 
the parse ...)
-   TODO: check
+   NOT-FOR-US: express-fileupload
 CVE-2020-7698 (This affects the package Gerapy from 0 and before 0.9.3. The 
input bei ...)
TODO: check
 CVE-2020-7697 (This affects all versions of package mock2easy. a malicious 
user could ...)
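Review bot: the other npm packages in this change are labelled with a `Node ` prefix (`Node slp-validate`, `Node auth0`, `Node fastify`), but CVE-2020-7699 gets a bare `NOT-FOR-US: express-fileupload`; use `NOT-FOR-US: Node express-fileupload` for consistency with the rest of the file.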
@@ -212195,9 +212195,9 @@ CVE-2016-7066 (It was found that the improper default 
permissions on /tmp/auth d
 CVE-2016-7065 (The JMX servlet in Red Hat JBoss Enterprise Application 
Platform (EAP) ...)
NOT-FOR-US: Red Hat JBoss EAP
 CVE-2016-7064 (A flaw was found in pritunl-client before version 1.0.1116.6. A 
lack o ...)
-   TODO: check
+   NOT-FOR-US: pritunl-client
 CVE-2016-7063 (A flaw was found in pritunl-client before version 1.0.1116.6. 
Arbitrar ...)
-   TODO: check
+   NOT-FOR-US: pritunl-client
 CVE-2016-7062 (rhscon-ceph in Red Hat Storage Console 2 x86_64 and Red Hat 
Storage Co ...)
NOT-FOR-US: Red Hat rhscon-core
 CVE-2016-7061 (An information disclosure vulnerability was found in JBoss 
Enterprise  ...)
@@ -282523,7 +282523,7 @@ CVE-2014-1424 (apparmor_parser in the apparmor 
package before 

[Git][security-tracker-team/security-tracker][master] CVE-2020-15862: Add note on commit to make extend mib read-only

2020-07-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
352d2163 by Salvatore Bonaccorso at 2020-07-31T13:59:26+02:00
CVE-2020-15862: Add note on commit to make extend mib read-only

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -845,6 +845,9 @@ CVE-2020-15862 [privilege escalation]
NOTE: possible to enable the MIB via --with-mib-modules configure 
option.
NOTE: Upstream reverted the change and the solution is to make 
NET-SNMP-EXTEND-MIB
NOTE: read-only, cf. https://bugs.debian.org/966544
+   NOTE: Disabling was reverted with: 
https://github.com/net-snmp/net-snmp/commit/4097a311e952d3b5c12610102bb4cc2fe72b56e5
+   NOTE: Makes extended mib read-only:
+   NOTE: 
https://github.com/net-snmp/net-snmp/commit/77f6c60f57dba0aaea5d8ef1dd94bcd0c8e6d205
 CVE-2020-15816 (In Western Digital WD Discovery before 4.0.251.0, a malicious 
applicat ...)
NOT-FOR-US: Western Digital WD Discovery
 CVE-2020-15815



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/352d2163cd08783ba9546cd893b915635f0ca6f4


[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2020-15861/net-snmp

2020-07-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
13874c34 by Salvatore Bonaccorso at 2020-07-31T13:17:16+02:00
Add fixed version for CVE-2020-15861/net-snmp

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -739,7 +739,7 @@ CVE-2020-15863 (hw/net/xgmac.c in the XGMAC Ethernet 
controller in QEMU before 0
NOTE: 
https://git.qemu.org/?p=qemu.git;a=commit;h=5519724a13664b43e225ca05351c60b4468e4555
 CVE-2020-15861 [Elevation of Privileges due to symlink handling]
RESERVED
-   - net-snmp  (bug #966599)
+   - net-snmp 5.8+dfsg-5 (bug #966599)
NOTE: https://github.com/net-snmp/net-snmp/issues/145
NOTE: 
https://github.com/net-snmp/net-snmp/commit/4fd9a450444a434a993bc72f7c3486ccce41f602
 CVE-2020-15860 (Parallels Remote Application Server (RAS) 17.1.1 has a 
Business Logic  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13874c34abf43524864ef2166c357baa9f80a1d4


[Git][security-tracker-team/security-tracker][master] Expand note for CVE-2020-15862/net-snmp

2020-07-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
06054d95 by Salvatore Bonaccorso at 2020-07-31T13:15:31+02:00
Expand note for CVE-2020-15862/net-snmp

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -843,6 +843,8 @@ CVE-2020-15862 [privilege escalation]
NOTE: The commit 
https://github.com/net-snmp/net-snmp/commit/c2b96ee744392243782094432f657ded4e985a07
NOTE: disables NET-SNMP-EXTEND-MIB support by default. But it is still
NOTE: possible to enable the MIB via --with-mib-modules configure 
option.
+   NOTE: Upstream reverted the change and the solution is to make 
NET-SNMP-EXTEND-MIB
+   NOTE: read-only, cf. https://bugs.debian.org/966544
 CVE-2020-15816 (In Western Digital WD Discovery before 4.0.251.0, a malicious 
applicat ...)
NOT-FOR-US: Western Digital WD Discovery
 CVE-2020-15815



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/06054d95d4656fa3177991e206200a476c2d9385


[Git][security-tracker-team/security-tracker][master] Add CVE-2020-15861/net-snmp

2020-07-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6732988d by Salvatore Bonaccorso at 2020-07-31T11:00:46+02:00
Add CVE-2020-15861/net-snmp

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -737,8 +737,11 @@ CVE-2020-15863 (hw/net/xgmac.c in the XGMAC Ethernet 
controller in QEMU before 0
[buster] - qemu  (Minor issue, can be fixed along in next 
DSA)
NOTE: https://www.openwall.com/lists/oss-security/2020/07/22/1
NOTE: 
https://git.qemu.org/?p=qemu.git;a=commit;h=5519724a13664b43e225ca05351c60b4468e4555
-CVE-2020-15861
+CVE-2020-15861 [Elevation of Privileges due to symlink handling]
RESERVED
+   - net-snmp  (bug #966599)
+   NOTE: https://github.com/net-snmp/net-snmp/issues/145
+   NOTE: 
https://github.com/net-snmp/net-snmp/commit/4fd9a450444a434a993bc72f7c3486ccce41f602
 CVE-2020-15860 (Parallels Remote Application Server (RAS) 17.1.1 has a 
Business Logic  ...)
NOT-FOR-US: Parallels
 CVE-2020-15859 (QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c 
because a gues ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6732988d58e9bb1e7249629cec815996bcb59b8b


[Git][security-tracker-team/security-tracker][master] Move uploads which won't happen to the end of the list for further tracking

2020-07-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e38d2fa9 by Salvatore Bonaccorso at 2020-07-31T10:31:58+02:00
Move uploads which won't happen to the end of the list for further tracking

- - - - -


1 changed file:

- data/next-point-update.txt


Changes:

=
data/next-point-update.txt
=
@@ -1,23 +1,7 @@
 CVE-2019-19919
[buster] - node-handlebars 3:4.1.0-1+deb10u1
-CVE-2019-18277
-   [buster] - haproxy 1.8.19-1+deb10u3
-CVE-2019-14267
-   [buster] - pdfresurrect 0.15-2+deb10u1
-CVE-2019-1020014
-   [buster] - golang-github-docker-docker-credential-helpers 
0.6.1-2+deb10u1
-CVE-2019-17134
-   [buster] - octavia 3.0.0-3+deb10u1
-CVE-2019-14433
-   [buster] - nova 2:18.1.0-6+deb10u1
-CVE-2019-14857
-   [buster] - libapache2-mod-auth-openidc 2.3.10.2-1+deb10u1
 CVE-2019-20372
[buster] - nginx 1.14.2-2+deb10u2
-CVE-2020-5258
-   [buster] - dojo 1.15.0+dfsg1-1+deb10u2
-CVE-2020-5259
-   [buster] - dojo 1.15.0+dfsg1-1+deb10u2
 CVE-2020-7598
[buster] - node-minimist 1.2.0-1+deb10u1
 CVE-2019-13453
@@ -194,8 +178,6 @@ CVE-2018-10756
[buster] - transmission 2.94-2+deb10u1
 CVE-2019-14868
[buster] - ksh 93u+20120801-3.4+deb10u1
-CVE-2019-20446
-   [buster] - librsvg 2.44.10-2.1+deb10u1
 CVE-2020-11538
[buster] - pillow 5.4.1-2+deb10u2
 CVE-2020-10378
@@ -210,3 +192,21 @@ CVE-2020-14422
[buster] - python3.7 3.7.3-2+deb10u2
 CVE-2020-8492
[buster] - python3.7 3.7.3-2+deb10u2
+CVE-2019-18277
+   [buster] - haproxy 1.8.19-1+deb10u3
+CVE-2019-14267
+   [buster] - pdfresurrect 0.15-2+deb10u1
+CVE-2019-1020014
+   [buster] - golang-github-docker-docker-credential-helpers 
0.6.1-2+deb10u1
+CVE-2019-17134
+   [buster] - octavia 3.0.0-3+deb10u1
+CVE-2019-14433
+   [buster] - nova 2:18.1.0-6+deb10u1
+CVE-2019-14857
+   [buster] - libapache2-mod-auth-openidc 2.3.10.2-1+deb10u1
+CVE-2020-5258
+   [buster] - dojo 1.15.0+dfsg1-1+deb10u2
+CVE-2020-5259
+   [buster] - dojo 1.15.0+dfsg1-1+deb10u2
+CVE-2019-20446
+   [buster] - librsvg 2.44.10-2.1+deb10u1
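Review bot: the entries appended at the end of data/next-point-update.txt carry no marker that distinguishes them from the entries above, which are still expected in the point release, so the only record of why they were moved is the commit message; if the file format allows a comment or separator line, adding one here would preserve that distinction in the file itself.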



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e38d2fa908fcba5d05d88901946400493f6a0d5b


[Git][security-tracker-team/security-tracker][master] automatic update

2020-07-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8c83d259 by security tracker role at 2020-07-31T08:10:25+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,4 +1,62 @@
-CVE-2020-16166 [random32: update the net random state on interrupt and 
activity]
+CVE-2020-16195
+   RESERVED
+CVE-2020-16194
+   RESERVED
+CVE-2020-16193
+   RESERVED
+CVE-2020-16192
+   RESERVED
+CVE-2020-16191
+   RESERVED
+CVE-2020-16190
+   RESERVED
+CVE-2020-16189
+   RESERVED
+CVE-2020-16188
+   RESERVED
+CVE-2020-16187
+   RESERVED
+CVE-2020-16186
+   RESERVED
+CVE-2020-16185
+   RESERVED
+CVE-2020-16184
+   RESERVED
+CVE-2020-16183
+   RESERVED
+CVE-2020-16182
+   RESERVED
+CVE-2020-16181
+   RESERVED
+CVE-2020-16180
+   RESERVED
+CVE-2020-16179
+   RESERVED
+CVE-2020-16178
+   RESERVED
+CVE-2020-16177
+   RESERVED
+CVE-2020-16176
+   RESERVED
+CVE-2020-16175
+   RESERVED
+CVE-2020-16174
+   RESERVED
+CVE-2020-16173
+   RESERVED
+CVE-2020-16172
+   RESERVED
+CVE-2020-16171
+   RESERVED
+CVE-2020-16170
+   RESERVED
+CVE-2020-16169
+   RESERVED
+CVE-2020-16168
+   RESERVED
+CVE-2020-16167
+   RESERVED
+CVE-2020-16166 (The Linux kernel through 5.7.11 allows remote attackers to 
make observ ...)
- linux 
NOTE: 
https://git.kernel.org/linus/f227e3ec3b5cad859ad15666874405e8c1bbc1d4
 CVE-2020-16165 (The DAO/DTO implementation in SpringBlade through 2.7.1 allows 
SQL Inj ...)
@@ -33015,8 +33073,8 @@ CVE-2020-3683
RESERVED
 CVE-2020-3682
RESERVED
-CVE-2020-3681
-   RESERVED
+CVE-2020-3681 (Authenticated and encrypted payload MMEs can be forged and 
remotely se ...)
+   TODO: check
 CVE-2020-3680 (A race condition can occur when using the fastrpc memory 
mapping API.  ...)
NOT-FOR-US: Qualcomm components for Android
 CVE-2020-3679
@@ -33735,12 +33793,12 @@ CVE-2020-3464
RESERVED
 CVE-2020-3463
RESERVED
-CVE-2020-3462
-   RESERVED
-CVE-2020-3461
-   RESERVED
-CVE-2020-3460
-   RESERVED
+CVE-2020-3462 (A vulnerability in the web-based management interface of Cisco 
Data Ce ...)
+   TODO: check
+CVE-2020-3461 (A vulnerability in the web-based management interface of Cisco 
Data Ce ...)
+   TODO: check
+CVE-2020-3460 (A vulnerability in the web-based management interface of Cisco 
Data Ce ...)
+   TODO: check
 CVE-2020-3459
RESERVED
 CVE-2020-3458
@@ -33887,16 +33945,16 @@ CVE-2020-3388 (A vulnerability in the CLI of Cisco 
SD-WAN vManage Software could
NOT-FOR-US: Cisco
 CVE-2020-3387 (A vulnerability in Cisco SD-WAN vManage Software could allow an 
authen ...)
NOT-FOR-US: Cisco
-CVE-2020-3386
-   RESERVED
+CVE-2020-3386 (A vulnerability in the REST API endpoint of Cisco Data Center 
Network  ...)
+   TODO: check
 CVE-2020-3385 (A vulnerability in the deep packet inspection (DPI) engine of 
Cisco SD ...)
NOT-FOR-US: Cisco
-CVE-2020-3384
-   RESERVED
-CVE-2020-3383
-   RESERVED
-CVE-2020-3382
-   RESERVED
+CVE-2020-3384 (A vulnerability in specific REST API endpoints of Cisco Data 
Center Ne ...)
+   TODO: check
+CVE-2020-3383 (A vulnerability in the archive utility of Cisco Data Center 
Network Ma ...)
+   TODO: check
+CVE-2020-3382 (A vulnerability in the REST API of Cisco Data Center Network 
Manager ( ...)
+   TODO: check
 CVE-2020-3381 (A vulnerability in the web management interface of Cisco SD-WAN 
vManag ...)
NOT-FOR-US: Cisco
 CVE-2020-3380 (A vulnerability in the CLI of Cisco Data Center Network Manager 
(DCNM) ...)
@@ -33905,14 +33963,14 @@ CVE-2020-3379 (A vulnerability in Cisco SD-WAN 
Solution Software could allow an
NOT-FOR-US: Cisco
 CVE-2020-3378 (A vulnerability in the web-based management interface for Cisco 
SD-WAN ...)
NOT-FOR-US: Cisco
-CVE-2020-3377
-   RESERVED
-CVE-2020-3376
-   RESERVED
-CVE-2020-3375
-   RESERVED
-CVE-2020-3374
-   RESERVED
+CVE-2020-3377 (A vulnerability in the Device Manager application of Cisco Data 
Center ...)
+   TODO: check
+CVE-2020-3376 (A vulnerability in the Device Manager application of Cisco Data 
Center ...)
+   TODO: check
+CVE-2020-3375 (A vulnerability in Cisco SD-WAN Solution Software could allow 
an unaut ...)
+   TODO: check
+CVE-2020-3374 (A vulnerability in the web-based management interface of Cisco 
SD-WAN  ...)
+   TODO: check
 CVE-2020-3373
RESERVED
 CVE-2020-3372 (A vulnerability in the web-based management interface of Cisco 
SD-WAN  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8c83d259619a7ff4a6257559fabf69bac8f170df


[Git][security-tracker-team/security-tracker][master] stretch triage

2020-07-31 Thread Abhijith PA


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a04d0d85 by Abhijith PA at 2020-07-31T12:37:48+05:30
stretch triage

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -21,6 +21,8 @@ ansible
   NOTE: 20200508: bam: Upstream fix was reverted - 
https://github.com/ansible/ansible/pull/68983
   NOTE: 20200508: bam: See https://github.com/ansible/ansible/issues/67794
 --
+ark (Abhijith PA)
+--
 cacti
   NOTE: 20200529: A patch need to be cooked up. Upstream patch not fit for 
jessie version (abhijith)
   NOTE: 20200620: WIP (abhijith)
@@ -109,6 +111,8 @@ puma
 --
 python2.7 (Thorsten Alteholz)
 --
+ruby-kramdown (Abhijith PA)
+--
 ruby-zip
   NOTE: 20200710: Vulnerable to at least CVE-2018-1000544. (lamby)
   NOTE: 20200710: Was fixed in jessie LTS via DLA-1467-1. (lamby)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a04d0d8503f2be5402253aed087a988d3007481a


[Git][security-tracker-team/security-tracker][master] Add CVE-2020-16166/linux

2020-07-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
01e53eff by Salvatore Bonaccorso at 2020-07-31T08:44:00+02:00
Add CVE-2020-16166/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,6 @@
+CVE-2020-16166 [random32: update the net random state on interrupt and 
activity]
+   - linux 
+   NOTE: 
https://git.kernel.org/linus/f227e3ec3b5cad859ad15666874405e8c1bbc1d4
 CVE-2020-16165 (The DAO/DTO implementation in SpringBlade through 2.7.1 allows 
SQL Inj ...)
NOT-FOR-US: SpringBlade
 CVE-2020-16164 (** DISPUTED ** An issue was discovered in RIPE NCC RPKI 
Validator 3.x  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/01e53effa7967434a1fa6dd1d41ce74f8c2bb3dc


[Git][security-tracker-team/security-tracker][master] Add tracking of source package for CVE-2020-6098/freediameter

2020-07-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9a96a5aa by Salvatore Bonaccorso at 2020-07-31T08:34:20+02:00
Add tracking of source package for CVE-2020-6098/freediameter

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -26505,6 +26505,8 @@ CVE-2020-6100 (An exploitable memory corruption 
vulnerability exists in AMD atid
 CVE-2020-6099
RESERVED
 CVE-2020-6098 (An exploitable denial of service vulnerability exists in the 
freeDiame ...)
+   - freediameter 
+   NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1030
TODO: check
 CVE-2020-6097
RESERVED



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a96a5aa4c4f1d0df07d0418767283f6b4015bfd


[Git][security-tracker-team/security-tracker][master] Add CVE-2020-14337 as NFU

2020-07-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b8d17e9e by Salvatore Bonaccorso at 2020-07-31T08:17:59+02:00
Add CVE-2020-14337 as NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4472,6 +4472,7 @@ CVE-2020-14338
RESERVED
 CVE-2020-14337
RESERVED
+   NOT-FOR-US: Ansible Tower
 CVE-2020-14336
RESERVED
NOT-FOR-US: OpenShift



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b8d17e9ea1248cdf355ffb022b7bb599b76f1d94


[Git][security-tracker-team/security-tracker][master] Sync CVE-2020-15899 NFU wording in related entries

2020-07-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4555f7f1 by Salvatore Bonaccorso at 2020-07-31T08:16:59+02:00
Sync CVE-2020-15899 NFU wording in related entries

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -574,7 +574,7 @@ CVE-2020-15900 (A memory corruption issue was found in 
Artifex Ghostscript 9.50
NOTE: Introduced by: 
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=7ecbfda92b4c8dbf6f6c2bf8fc82020a29219eff
 (9.28rc1)
NOTE: Fixed by: 
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b
 CVE-2020-15899 (Grin 3.0.0 before 4.0.0 has insufficient validation of data 
related to ...)
-   NOT-FOR-US: grin
+   NOT-FOR-US: Grin
 CVE-2020-15898
RESERVED
 CVE-2020-15897



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4555f7f18d3b9a11062e623b0636909690cf6c9b


[Git][security-tracker-team/security-tracker][master] Add CVE-2020-16092/qemu

2020-07-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
64ba9e40 by Salvatore Bonaccorso at 2020-07-31T08:15:37+02:00
Add CVE-2020-16092/qemu

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -159,8 +159,11 @@ CVE-2020-16094 (In imap_scan_tree_recursive in Claws Mail 
through 3.17.6, a mali
NOTE: 
https://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=4313
 CVE-2020-16093
RESERVED
-CVE-2020-16092
+CVE-2020-16092 [reachable assertion failure in net_tx_pkt_add_raw_fragment() 
in hw/net/net_tx_pkt.c ]
RESERVED
+   - qemu 
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1860283
+   TODO: check details
 CVE-2020-16091
RESERVED
 CVE-2020-16090
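Review bot: the bracketed title on the new CVE-2020-16092 line has a stray space before the closing bracket (`hw/net/net_tx_pkt.c ]`); drop it so the title matches the form used elsewhere in the file, such as `[Elevation of Privileges due to symlink handling]`.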



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64ba9e405ae6e199a7801930204a3e4ca1f23ee1


[Git][security-tracker-team/security-tracker][master] Add CVE-2020-6070/f2fs-tools

2020-07-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
97d072a7 by Salvatore Bonaccorso at 2020-07-31T08:10:06+02:00
Add CVE-2020-6070/f2fs-tools

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -26602,6 +26602,8 @@ CVE-2020-6071 (An exploitable denial-of-service 
vulnerability exists in the reso
NOTE: These were addressed on the source level in 3.0.9, but 3.0.8-4 
disables the plugin
 CVE-2020-6070
RESERVED
+   - f2fs-tools 
+   NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2020-0988
 CVE-2020-6069 (An exploitable out-of-bounds write vulnerability exists in the 
igcore1 ...)
NOT-FOR-US: Accusoft ImageGear
 CVE-2020-6068 (An exploitable out-of-bounds write vulnerability exists in the 
igcore1 ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/97d072a72c45f888f9d1fd534436d3f5889d3292


[Git][security-tracker-team/security-tracker][master] Process NFUs

2020-07-31 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1d337436 by Salvatore Bonaccorso at 2020-07-31T08:04:13+02:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,11 +1,11 @@
 CVE-2020-16165 (The DAO/DTO implementation in SpringBlade through 2.7.1 allows 
SQL Inj ...)
-   TODO: check
+   NOT-FOR-US: SpringBlade
 CVE-2020-16164 (** DISPUTED ** An issue was discovered in RIPE NCC RPKI 
Validator 3.x  ...)
-   TODO: check
+   NOT-FOR-US: RIPE NCC RPKI Validator
 CVE-2020-16163 (** DISPUTED ** An issue was discovered in RIPE NCC RPKI 
Validator 3.x  ...)
-   TODO: check
+   NOT-FOR-US: RIPE NCC RPKI Validator
 CVE-2020-16162 (** DISPUTED ** An issue was discovered in RIPE NCC RPKI 
Validator 3.x  ...)
-   TODO: check
+   NOT-FOR-US: RIPE NCC RPKI Validator
 CVE-2020-16161
RESERVED
 CVE-2020-16160
@@ -430,7 +430,7 @@ CVE-2020-15959
 CVE-2020-15958
RESERVED
 CVE-2020-15957 (An issue was discovered in DP3T-Backend-SDK before 1.1.1 for 
Decentral ...)
-   TODO: check
+   NOT-FOR-US: DP3T-Backend-SDK for Decentralised Privacy-Preserving 
Proximity Tracing (DP3T)
 CVE-2020-15956
RESERVED
 CVE-2020-15955
@@ -4915,7 +4915,7 @@ CVE-2020-14160
 CVE-2020-14159 (By using an Automate API in ConnectWise Automate before 
2020.5.178, a  ...)
NOT-FOR-US: ConnectWise
 CVE-2020-14158 (The ABUS Secvest FUMO50110 hybrid module does not have any 
security me ...)
-   TODO: check
+   NOT-FOR-US: ABUS Secvest FUMO50110 hybrid module
 CVE-2020-14157 (The wireless-communication feature of the ABUS Secvest 
FUBE50001 devic ...)
NOT-FOR-US: ABUS
 CVE-2020-14156 (user_channel/passwd_mgr.cpp in OpenBMC phosphor-host-ipmid 
before 2020 ...)
@@ -21135,7 +21135,7 @@ CVE-2020-8215 (A buffer overflow is present in canvas 
version = 1.6.9, which
 CVE-2020-8214 (A path traversal vulnerability in servey version  3 allows 
an atta ...)
NOT-FOR-US: servey
 CVE-2020-8213 (An information exposure vulnerability exists in UniFi Protect 
v1.13.3  ...)
-   TODO: check
+   NOT-FOR-US: UniFi Protect
 CVE-2020-8212
RESERVED
 CVE-2020-8211
@@ -22218,11 +22218,11 @@ CVE-2020-7831
 CVE-2020-7830
RESERVED
 CVE-2020-7829 (DaviewIndy 8.98.4 and earlier version contain Heap-based 
overflow vuln ...)
-   TODO: check
+   NOT-FOR-US: DaviewIndy
 CVE-2020-7828 (DaviewIndy 8.98.4 and earlier version contain Heap-based 
overflow vuln ...)
-   TODO: check
+   NOT-FOR-US: DaviewIndy
 CVE-2020-7827 (DaviewIndy 8.98.7 and earlier version contain Use-After-Free 
vulnerabi ...)
-   TODO: check
+   NOT-FOR-US: DaviewIndy
 CVE-2020-7826 (EyeSurfer BflyInstallerX.ocx v1.0.0.16 and earlier versions 
contain a  ...)
NOT-FOR-US: EyeSurfer BflyInstallerX.ocx
 CVE-2020-7825 (A vulnerability exists that could allow the execution of 
operating sys ...)
@@ -23585,7 +23585,7 @@ CVE-2020-7207
 CVE-2020-7206 (HP nagios plugin for iLO (nagios-plugins-hpilo v1.50 and 
earlier) has  ...)
TODO: check
 CVE-2020-7205 (A potential security vulnerability has been identified in HPE 
Intellig ...)
-   TODO: check
+   NOT-FOR-US: HPE
 CVE-2020-7204
RESERVED
 CVE-2020-7203
@@ -27255,13 +27255,13 @@ CVE-2020-5765 (Nessus 8.10.0 and earlier were found 
to contain a Stored XSS vuln
 CVE-2020-5764 (MX Player Android App versions prior to v1.24.5, are vulnerable 
to a d ...)
NOT-FOR-US: MX Player Android App
 CVE-2020-5763 (Grandstream HT800 series firmware version 1.0.17.5 and below 
contain a ...)
-   TODO: check
+   NOT-FOR-US: Grandstream
 CVE-2020-5762 (Grandstream HT800 series firmware version 1.0.17.5 and below is 
vulner ...)
-   TODO: check
+   NOT-FOR-US: Grandstream
 CVE-2020-5761 (Grandstream HT800 series firmware version 1.0.17.5 and below is 
vulner ...)
-   TODO: check
+   NOT-FOR-US: Grandstream
 CVE-2020-5760 (Grandstream HT800 series firmware version 1.0.17.5 and below is 
vulner ...)
-   TODO: check
+   NOT-FOR-US: Grandstream
 CVE-2020-5759 (Grandstream UCM6200 series firmware version 1.0.20.23 and below 
is vul ...)
NOT-FOR-US: Grandstream
 CVE-2020-5758 (Grandstream UCM6200 series firmware version 1.0.20.23 and below 
is vul ...)
@@ -27559,9 +27559,9 @@ CVE-2020-5613 (Cross-site scripting vulnerability in 
KonaWiki 3.1.0 and earlier
 CVE-2020-5612 (Cross-site scripting vulnerability in KonaWiki 2.2.0 and 
earlier allow ...)
TODO: check
 CVE-2020-5611 (Cross-site request forgery (CSRF) vulnerability in Social 
Sharing Plug ...)
-   TODO: check
+   NOT-FOR-US: Social Sharing Plugin for WordPress
 CVE-2020-5610 (Global TechStream (GTS) for TOYOTA dealers version 15.10.032 
and earli ...)
-   TODO: check
+   NOT-FOR-US: Global TechStream (GTS) for TOYOTA dealers
 CVE-2020-5609