[Git][security-tracker-team/security-tracker][master] update note in dla-needed.txt
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: be35f774 by Abhijith PA at 2020-09-07T10:27:46+05:30 update note in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -25,6 +25,7 @@ ark (Abhijith PA) NOTE: 20200731: given PoC not working as intended. (abhijith) NOTE: 20200801: though testing with other PoC's available over internet seems exploitable (abhijith) NOTE: 20200820: pinged upstream for help (abhijith) + NOTE: 20200907: patch https://people.debian.org/~abhijith/upload/backport_to_1608.patch crashes (abhijith) -- cacti NOTE: 20200529: A patch need to be cooked up. Upstream patch not fit for jessie version (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be35f774f7fd1d9599eb4dfa95cb7e4c9a79bc15 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be35f774f7fd1d9599eb4dfa95cb7e4c9a79bc15 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
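Review bot: the added `NOTE: 20200907: patch ... crashes (abhijith)` line in the ark entry does not say what crashes (ark itself when fed the PoC, or the build of the patched package), while the earlier notes on the same entry are careful to distinguish "given PoC not working as intended" from "seems exploitable"; spelling out what was observed and with which input would save the next DLA triager from repeating the test before deciding whether the backport is salvageable.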
[Git][security-tracker-team/security-tracker][master] CVE-2020-7729/grunt fixed in unstable via new upstream version
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 61a9352a by Salvatore Bonaccorso at 2020-09-07T06:32:48+02:00 CVE-2020-7729/grunt fixed in unstable via new upstream version - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -41329,7 +41329,7 @@ CVE-2020-7731 CVE-2020-7730 (The package bestzip before 2.1.7 are vulnerable to Command Injection v ...) NOT-FOR-US: bestzip nodejs module CVE-2020-7729 (The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execut ...) - - grunt (bug #969668) + - grunt 1.3.0-1 (bug #969668) NOTE: https://github.com/gruntjs/grunt/commit/e350cea1724eb3476464561a380fb6a64e61e4e7 NOTE: https://snyk.io/vuln/SNYK-JS-GRUNT-597546 CVE-2020-7728 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61a9352a792a7fa67303f54e7ea445a0147245a3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61a9352a792a7fa67303f54e7ea445a0147245a3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove no-dsa tags from imagemagick for upcoming update.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 242ebfe7 by Markus Koschany at 2020-09-07T00:17:38+02:00 Remove no-dsa tags from imagemagick for upcoming update. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -73023,7 +73023,6 @@ CVE-2019-15140 (coders/mat.c in ImageMagick 7.0.8-43 Q16 allows remote attackers CVE-2019-15139 (The XWD image (X Window System window dumping file) parsing component ...) {DSA-4712-1 DLA-1968-1} - imagemagick 8:6.9.11.24+dfsg-1 (bug #941670) - [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/commit/c78993d138bf480ab4652b5a48379d4ff75ba5f7 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/6d46f0a046a58e7c4567a86ba1b9cb847d5b1968 NOTE: ImageMagick6: followup, partly reverts previous patch: @@ -79906,7 +79905,6 @@ CVE-2019-13392 (A reflected Cross-Site Scripting (XSS) vulnerability in MindPale CVE-2019-13391 (In ImageMagick 7.0.8-50 Q16, ComplexImages in MagickCore/fourier.c has ...) {DSA-4712-1} - imagemagick 8:6.9.11.24+dfsg-1 (low; bug #931633) - [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (minor, wait for upstream to clear patch-related questions) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1588 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/f6ffc702c6eecd963587273a429dcd608c648984 @@ -80126,7 +80124,6 @@ CVE-2019-13309 (ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory CVE-2019-13308 (ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow in MagickCor ...) {DSA-4712-1} - imagemagick 8:6.9.11.24+dfsg-1 (low; bug #931447) - [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (minor, wait for upstream to clear patch-related questions) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1595 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/19651f3db63fa1511ed83a348c4c82fa553f8d01 
@@ -80639,7 +80636,6 @@ CVE-2019-13136 (ImageMagick before 7.0.8-50 has an integer overflow vulnerabilit CVE-2019-13135 (ImageMagick before 7.0.8-50 has a "use of uninitialized value" vulnera ...) {DSA-4712-1 DLA-1888-1} - imagemagick 8:6.9.11.24+dfsg-1 (bug #932079) - [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1599 NOTE: https://github.com/ImageMagick/ImageMagick/commit/cdb383749ef7b68a38891440af8cc23e0115306d (7.x) NOTE: https://github.com/ImageMagick/ImageMagick6/commit/1e59b29e520d2beab73e8c78aacd5f1c0d76196d (6.x) @@ -85039,7 +85035,6 @@ CVE-2019-11599 (The coredump implementation in the Linux kernel before 5.0.10 do CVE-2019-11598 (In ImageMagick 7.0.8-40 Q16, there is a heap-based buffer over-read in ...) {DSA-4712-1 DLA-1785-1} - imagemagick 8:6.9.11.24+dfsg-1 (bug #928206) - [stretch] - imagemagick (Fix along in next DSA) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1540 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/e2a21735e3a3f3930bd431585ec36334c4c2eb77 NOTE: patch introduces new (potentially security relevant) bugs, see: @@ -122085,7 +122080,6 @@ CVE-2018-18026 (IMFCameraProtect.sys in IObit Malware Fighter 6.2 (and possibly CVE-2018-18025 (In ImageMagick 7.0.8-13 Q16, there is a heap-based buffer over-read in ...) {DLA-1574-1} - imagemagick 8:6.9.10.14+dfsg-1 (low; bug #911435) - [stretch] - imagemagick (Fix along in next DSA) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1335 NOTE: https://github.com/ImageMagick/ImageMagick/commit/1a22fc0c8837838e60daecc0bf01648f359dd6fd NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/394b3e6edf74d1337ce338927da053bb40c00ae9 
@@ -125705,7 +125699,6 @@ CVE-2018-16644 (There is a missing check for length in the functions ReadDCMImag CVE-2018-16643 (The functions ReadDCMImage in coders/dcm.c, ReadPWPImage in coders/pwp ...) {DLA-1530-1} - imagemagick 8:6.9.10.8+dfsg-1 (low) - [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/commit/6b6bff054d569a77973f2140c0e86366e6168a6c NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/11d9dac3d991c62289d1ef7a097670166480e76c NOTE: https://github.com/ImageMagick/ImageMagick/issues/1199 @@ -140153,7 +140146,6 @@ CVE-2018-1000400 (Kubernetes CRI-O version prior to 1.9 contains a Privilege Con CVE-2017-18273 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulner ...) {DLA-1785-1 DLA-1381-1} - imagemagick 8:6.9.9.34+dfsg-3 (low) - [stretch] - imagemagick (Minor issue)
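Review bot: the CVE-2019-11598 hunk drops the `[stretch] - imagemagick (Fix along in next DSA)` tag while the entry's own NOTE immediately below it still warns that the referenced ImageMagick6 patch "introduces new (potentially security relevant) bugs"; the stretch update this commit prepares should include the follow-up fix that note points to, and the entry should record whether it does, otherwise the DSA ships a patch already known to regress. The same check applies to the ImageMagick6 "followup, partly reverts previous patch" note under CVE-2019-15139, which is also losing its stretch tag here.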
[Git][security-tracker-team/security-tracker][master] CVE-2019-11841 add reference to upstream bug report
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: a0e3fd8c by Brian May at 2020-09-07T08:06:51+10:00 CVE-2019-11841 add reference to upstream bug report - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -84115,6 +84115,7 @@ CVE-2019-11841 (A message-forgery issue was discovered in crypto/openpgp/clearsi NOTE: Patch fixes the second part of the CVE ("prepend arbitrary text") NOTE: but not the first ("ignores the value of [the Hash] header"), as hinted at reporter's 2019-05-09 note: NOTE: https://packetstormsecurity.com/files/152840/Go-Cryptography-Libraries-Cleartext-Message-Spoofing.html + NOTE: Upstream feels that this is not a security issue. See https://github.com/golang/go/issues/41200. CVE-2019-11840 (An issue was discovered in supplementary Go cryptography libraries, ak ...) {DLA-1840-1} - golang-go.crypto 1:0.0~git20200221.2aa609c-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0e3fd8c6c7b46edf519d32554723fa9e99b46bb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0e3fd8c6c7b46edf519d32554723fa9e99b46bb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
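Review bot: the added NOTE records that upstream does not consider this a security issue, but the two unchanged NOTE lines above it still state that the patch fixes only the second part of CVE-2019-11841 and not the first ("ignores the value of [the Hash] header"); if the upstream position is accepted for the unfixed first part, the entry should state that conclusion explicitly (and which part it applies to) rather than leave the reader to reconcile the notes, and if it is not accepted, the entry should say what remains to be fixed in golang-go.crypto.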
[Git][security-tracker-team/security-tracker][master] Mark node-jquery issues as no-dsa for buster
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 49553eb2 by Salvatore Bonaccorso at 2020-09-06T22:16:04+02:00 Mark node-jquery issues as no-dsa for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32828,6 +32828,7 @@ CVE-2020-11023 (In jQuery versions greater than or equal to 1.0.3 and before 3.5 - drupal7 [jessie] - drupal7 (Vulnerable code not embedded) - node-jquery 3.5.0+dfsg-2 + [buster] - node-jquery (Minor issue) NOTE: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6 NOTE: https://www.drupal.org/sa-core-2020-002 CVE-2020-11022 (In jQuery versions greater than or equal to 1.2 and before 3.5.0, pass ...) @@ -32837,6 +32838,7 @@ CVE-2020-11022 (In jQuery versions greater than or equal to 1.2 and before 3.5.0 [stretch] - jquery (Minor issue) [jessie] - jquery (Vulnerable code note present) - node-jquery 3.5.0+dfsg-2 + [buster] - node-jquery (Minor issue) - drupal7 [jessie] - drupal7 (Vulnerable code not embedded) NOTE: https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/49553eb2a5b5d9d5dcff61b25b9b7b36ef60fff2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/49553eb2a5b5d9d5dcff61b25b9b7b36ef60fff2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
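Review bot: the unchanged context line `[jessie] - jquery (Vulnerable code note present)` in the CVE-2020-11022 hunk has a typo ("note" for "not") that inverts its meaning, so the jessie annotation reads as saying the vulnerable code is present; since this commit already touches the neighbouring lines of both CVE-2020-11022 and CVE-2020-11023, it would be worth fixing along as `(Vulnerable code not present)`.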
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-7720/node-node-forge
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4aa2067e by Salvatore Bonaccorso at 2020-09-06T22:09:53+02:00 Add Debian bug reference for CVE-2020-7720/node-node-forge - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -41347,7 +41347,7 @@ CVE-2020-7722 (All versions of package nodee-utils are vulnerable to Prototype P CVE-2020-7721 (All versions of package node-oojs are vulnerable to Prototype Pollutio ...) TODO: check CVE-2020-7720 (The package node-forge before 0.10.0 is vulnerable to Prototype Pollut ...) - - node-node-forge + - node-node-forge (bug #969669) NOTE: https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677 NOTE: https://github.com/digitalbazaar/forge/commit/6a1e3ef74f6eb345bcff1b82184201d1e28b6756 CVE-2020-7719 (Versions of package locutus before 2.0.12 are vulnerable to prototype ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4aa2067efbd42723ac27418dce33dc4fb5f61c8f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4aa2067efbd42723ac27418dce33dc4fb5f61c8f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-7729/grunt
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 48874a65 by Salvatore Bonaccorso at 2020-09-06T22:06:07+02:00 Add Debian bug reference for CVE-2020-7729/grunt - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -41327,7 +41327,7 @@ CVE-2020-7731 CVE-2020-7730 (The package bestzip before 2.1.7 are vulnerable to Command Injection v ...) NOT-FOR-US: bestzip nodejs module CVE-2020-7729 (The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execut ...) - - grunt + - grunt (bug #969668) NOTE: https://github.com/gruntjs/grunt/commit/e350cea1724eb3476464561a380fb6a64e61e4e7 NOTE: https://snyk.io/vuln/SNYK-JS-GRUNT-597546 CVE-2020-7728 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/48874a657d8d778f0d18757f133938dc946d5094 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/48874a657d8d778f0d18757f133938dc946d5094 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference covering four wolfssl CVEs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c067811 by Salvatore Bonaccorso at 2020-09-06T21:16:59+02:00 Add Debian bug reference covering four wolfssl CVEs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1229,7 +1229,7 @@ CVE-2020-24616 (FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the in CVE-2020-24615 RESERVED CVE-2020-24613 (wolfSSL before 4.5.0 mishandles TLS 1.3 server data in the WAIT_CERT_C ...) - - wolfssl + - wolfssl (bug #969663) NOTE: https://research.nccgroup.com/2020/08/24/technical-advisory-wolfssl-tls-1-3-client-man-in-the-middle-attack/ CVE-2020-24612 (An issue was discovered in the selinux-policy (aka Reference Policy) p ...) - refpolicy (Debian package doesn't ship pam-u2f config) @@ -1286,7 +1286,7 @@ CVE-2020-24587 CVE-2020-24586 RESERVED CVE-2020-24585 (An issue was discovered in the DTLS handshake implementation in wolfSS ...) - - wolfssl + - wolfssl (bug #969663) NOTE: https://github.com/wolfSSL/wolfssl/pull/3219 NOTE: https://github.com/wolfSSL/wolfssl/commit/3be7f3ea3a56d178acf0f7f84ee4ae8cbfee8915 (v4.5.0-stable) CVE-2020-24584 (An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10 ...) @@ -20486,7 +20486,7 @@ CVE-2020-15311 (Stash 1.0.3 allows SQL Injection via the downloadmp3.php downloa CVE-2020-15310 RESERVED CVE-2020-15309 (An issue was discovered in wolfSSL before 4.5.0, when single precision ...) - - wolfssl + - wolfssl (bug #969663) NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v4.5.0-stable CVE-2020-15308 (Support Incident Tracker (aka SiT! or SiTracker) 3.67 p2 allows post-a ...) NOT-FOR-US: Support Incident Tracker 
@@ -27895,7 +27895,7 @@ CVE-2020-12458 (An information-disclosure flaw was found in Grafana through 6.7. NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1827765 NOTE: https://github.com/grafana/grafana/issues/8283 CVE-2020-12457 (An issue was discovered in wolfSSL before 4.5.0. It mishandles the cha ...) - - wolfssl + - wolfssl (bug #969663) NOTE: https://github.com/wolfSSL/wolfssl/commit/df1b7f34f173cfc2968ce12e8fcd2fd8bcc61a59 (v4.5.0-stable) NOTE: https://github.com/wolfSSL/wolfssl/pull/2927 CVE-2020-12456 (A remote code execution vulnerability in Mitel MiVoice Connect Client ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c0678112f57e9001ce61279f43997d78744e0d1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c0678112f57e9001ce61279f43997d78744e0d1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference(s) for CVE-2020-24553/golang
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e4b3fc28 by Salvatore Bonaccorso at 2020-09-06T21:10:22+02:00 Add Debian bug reference(s) for CVE-2020-24553/golang - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1368,8 +1368,8 @@ CVE-2020-24555 CVE-2020-24554 (The redirect module in Liferay Portal before 7.3.3 does not limit the ...) NOT-FOR-US: Liferay CVE-2020-24553 (Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html ...) - - golang-1.15 - - golang-1.14 + - golang-1.15 (bug #969661) + - golang-1.14 (bug #969662) - golang-1.11 - golang-1.8 - golang-1.7 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e4b3fc2869e0e3dd35f2011ce053761ad1ad7c03 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e4b3fc2869e0e3dd35f2011ce053761ad1ad7c03 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
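Review bot: only the golang-1.15 and golang-1.14 lines of the CVE-2020-24553 entry gain bug references, while the golang-1.11, golang-1.8 and golang-1.7 lines below them stay bare; if those source packages are still in a supported suite they need the same bug or triage annotation, and if they are not, a release tag or a short NOTE saying so would make the entry's status readable without checking the archive.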
[Git][security-tracker-team/security-tracker][master] dla: status update
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 59a112ae by Adrian Bunk at 2020-09-06T21:41:33+03:00 dla: status update - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -122,10 +122,12 @@ qemu (Abhijith PA) qt4-x11 (Adrian Bunk) NOTE: 20200815: Minor issue, but easy to fix (CVE-2020-17507). Low prio. NOTE: 20200815: One could possibly look at the other issues and decide whether they are worth fixing along. (sunweaver) + NOTE: 20200906: packages are being tested (bunk) -- qtbase-opensource-src (Adrian Bunk) NOTE: 20200815: Minor issue, but easy to fix (CVE-2020-17507). Low prio. NOTE: 20200815: One could possibly look at the other issues and decide whether they are worth fixing along. (sunweaver) + NOTE: 20200906: packages are being tested (bunk) -- ruby-actionpack-page-caching NOTE: 20200819: Upstream's patch on does not apply due to subsequent View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/59a112aeb3af97d2b038e465d277f587a0669e0a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/59a112aeb3af97d2b038e465d277f587a0669e0a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: qemu DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c7f1c5bd by Moritz Muehlenhoff at 2020-09-06T19:43:49+02:00 qemu DSA - - - - - 01503b3b by Moritz Muehlenhoff at 2020-09-06T19:45:38+02:00 drop one ID; already fixed - - - - - 3 changed files: - data/CVE/list - data/DSA/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -18518,7 +18518,6 @@ CVE-2020-16093 RESERVED CVE-2020-16092 (In QEMU through 5.0.0, an assertion failure can occur in the network p ...) - qemu 1:5.1+dfsg-1 - [buster] - qemu (Minor issue, fix along in future DSA) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1860283 NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=035e69b063835a5fd23cacabd63690a3d84532a8 CVE-2020-16091 @@ -19038,7 +19037,6 @@ CVE-2020-15864 CVE-2020-15863 (hw/net/xgmac.c in the XGMAC Ethernet controller in QEMU before 07-20-2 ...) {DLA-2288-1} - qemu 1:5.0-12 - [buster] - qemu (Minor issue, can be fixed along in next DSA) NOTE: https://www.openwall.com/lists/oss-security/2020/07/22/1 NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=5519724a13664b43e225ca05351c60b4468e4555 CVE-2020-15861 (Net-SNMP through 5.7.3 allows Escalation of Privileges because of UNIX ...) @@ -26932,7 +26930,6 @@ CVE-2020-12830 RESERVED CVE-2020-12829 (In QEMU through 5.0.0, an integer overflow was found in the SM501 disp ...) - qemu 1:5.0-12 (low; bug #961451) - [buster] - qemu (Minor issue) [stretch] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1808510 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1786026 = data/DSA/list = @@ -1,3 +1,6 @@ +[06 Sep 2020] DSA-4760-1 qemu - security update + {CVE-2020-12829 CVE-2020-14364 CVE-2020-15863 CVE-2020-16092} + [buster] - qemu 1:3.1+dfsg-8+deb10u8 [04 Sep 2020] DSA-4759-1 ark - security update {CVE-2020-24654} [buster] - ark 4:18.08.3-1+deb10u2 = data/dsa-needed.txt = 
@@ -22,8 +22,6 @@ knot-resolver linux (carnil) Wait until more issues have piled up -- -qemu (jmm) --- rails (jmm) Sylvain Beucler proposed to help for the update, remaining CVEs to be done -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/850bba5284d066dfd1b06cba61cc666df1ce4800...01503b3b7129958abcc6a0ac09d555f24c3ef688 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/850bba5284d066dfd1b06cba61cc666df1ce4800...01503b3b7129958abcc6a0ac09d555f24c3ef688 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
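Review bot: the new `DSA-4760-1 qemu` entry lists four CVEs (CVE-2020-12829, CVE-2020-14364, CVE-2020-15863, CVE-2020-16092), but the data/CVE/list hunks remove the `[buster] - qemu (...)` tag for only three of them and there is no hunk for CVE-2020-14364; please confirm that entry carried no buster annotation that also needs dropping now that the DSA covers it. The CVE-2020-12829 hunk also leaves `[stretch] - qemu (Minor issue)` in place, which is consistent with a buster-only DSA but worth stating if stretch is intentionally not being updated.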
[Git][security-tracker-team/security-tracker][master] CVE-2020-13802: Add upstream commit reference
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 850bba52 by Salvatore Bonaccorso at 2020-09-06T16:06:52+02:00 CVE-2020-13802: Add upstream commit reference - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24475,6 +24475,7 @@ CVE-2020-13803 (An issue was discovered in Foxit PhantomPDF Mac and Foxit Reader CVE-2020-13802 (Rebar3 versions 3.0.0-beta.3 to 3.13.2 are vulnerable to OS command in ...) - rebar3 (bug #824773) NOTE: https://github.com/erlang/rebar3/pull/2302 + NOTE: https://github.com/erlang/rebar3/commit/2e2d1a6bb141a969b6483e082a2afd361fc2ece2 TODO: check, whether this affects src:rebar (but the security implications seems a little far-fetched anyway) CVE-2020-13801 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/850bba5284d066dfd1b06cba61cc666df1ce4800 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/850bba5284d066dfd1b06cba61cc666df1ce4800 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2020-24659/gnutls28 via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8a657cee by Salvatore Bonaccorso at 2020-09-06T10:40:18+02:00 Add fixed version for CVE-2020-24659/gnutls28 via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1128,7 +1128,7 @@ CVE-2020-24661 (GNOME Geary before 3.36.3 mishandles pinned TLS certificate veri CVE-2020-24660 RESERVED CVE-2020-24659 (An issue was discovered in GnuTLS before 3.6.15. A server can trigger ...) - - gnutls28 (bug #969547) + - gnutls28 3.6.15-1 (bug #969547) NOTE: https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-09-04 NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1071 NOTE: https://gitlab.com/gnutls/gnutls/-/commit/29ee67c205855e848a0a26e6d0e4f65b6b943e0a View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a657cee2a719c4e16d1195c898e071ff98e4e07 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a657cee2a719c4e16d1195c898e071ff98e4e07 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits