[Git][security-tracker-team/security-tracker][master] Track fixed version for firefox via unstable for mfsa2020-42
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 142abdeb by Salvatore Bonaccorso at 2020-09-23T07:37:49+02:00 Track fixed version for firefox via unstable for mfsa2020-42 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -20918,33 +20918,33 @@ CVE-2020-15679 RESERVED CVE-2020-15678 RESERVED - - firefox + - firefox 81.0-1 - firefox-esr 78.3.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-42/#CVE-2020-15678 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-43/#CVE-2020-15678 CVE-2020-15677 RESERVED - - firefox + - firefox 81.0-1 - firefox-esr 78.3.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-42/#CVE-2020-15677 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-43/#CVE-2020-15677 CVE-2020-15676 RESERVED - - firefox + - firefox 81.0-1 - firefox-esr 78.3.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-42/#CVE-2020-15676 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-43/#CVE-2020-15676 CVE-2020-15675 RESERVED - - firefox + - firefox 81.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-42/#CVE-2020-15675 CVE-2020-15674 RESERVED - - firefox + - firefox 81.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-42/#CVE-2020-15674 CVE-2020-15673 RESERVED - - firefox + - firefox 81.0-1 - firefox-esr 78.3.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-42/#CVE-2020-15673 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-43/#CVE-2020-15673 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/142abdebba6a0ae9ba802e554ec41df01a8d4e59 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/142abdebba6a0ae9ba802e554ec41df01a8d4e59 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2020-25729/zoneminder fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f660cd82 by Salvatore Bonaccorso at 2020-09-23T07:36:32+02:00 CVE-2020-25729/zoneminder fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -162,7 +162,7 @@ CVE-2020-25731 CVE-2020-25730 RESERVED CVE-2020-25729 (ZoneMinder before 1.34.21 has XSS via the connkey parameter to downloa ...) - - zoneminder (unimportant) + - zoneminder 1.34.21-1 (unimportant) NOTE: https://github.com/ZoneMinder/zoneminder/commit/9268db14a79c4ccd444c2bf8d24e62b13207b413 NOTE: Only supported for trusted users/behind auth, see README.debian.security CVE-2020-25728 (The Reset Password add-on before 1.2.0 for Alfresco has a broken algor ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f660cd82cb870796c5a03f9a5ccf8d04649099c1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f660cd82cb870796c5a03f9a5ccf8d04649099c1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track firefox-esr fixes in unstable for mfsa2020-43
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e2a14fa0 by Salvatore Bonaccorso at 2020-09-23T07:35:05+02:00 Track firefox-esr fixes in unstable for mfsa2020-43 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20919,19 +20919,19 @@ CVE-2020-15679 CVE-2020-15678 RESERVED - firefox - - firefox-esr + - firefox-esr 78.3.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-42/#CVE-2020-15678 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-43/#CVE-2020-15678 CVE-2020-15677 RESERVED - firefox - - firefox-esr + - firefox-esr 78.3.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-42/#CVE-2020-15677 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-43/#CVE-2020-15677 CVE-2020-15676 RESERVED - firefox - - firefox-esr + - firefox-esr 78.3.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-42/#CVE-2020-15676 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-43/#CVE-2020-15676 CVE-2020-15675 @@ -20945,7 +20945,7 @@ CVE-2020-15674 CVE-2020-15673 RESERVED - firefox - - firefox-esr + - firefox-esr 78.3.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-42/#CVE-2020-15673 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-43/#CVE-2020-15673 CVE-2020-15672 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e2a14fa0694957bdaceaa7d939d3ec38e48ecb6e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e2a14fa0694957bdaceaa7d939d3ec38e48ecb6e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Add Debian bug reference for CVE-2020-17482/pdns
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d78d2153 by Salvatore Bonaccorso at 2020-09-23T06:27:18+02:00 Add Debian bug reference for CVE-2020-17482/pdns - - - - - 24917669 by Salvatore Bonaccorso at 2020-09-23T06:27:57+02:00 CVE-2020-17482/pdns fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16963,7 +16963,7 @@ CVE-2020-17483 RESERVED CVE-2020-17482 [Leaking uninitialised memory through crafted zone records] RESERVED - - pdns + - pdns 4.3.1-1 (bug #970737) [buster] - pdns (Minor issue) NOTE: https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html CVE-2020-17481 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e707674012dcdca7cb5a1abf6aca16efe0f9af92...24917669a5206565a60bf1c922478f7ff4dab130 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e707674012dcdca7cb5a1abf6aca16efe0f9af92...24917669a5206565a60bf1c922478f7ff4dab130 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e7076740 by Salvatore Bonaccorso at 2020-09-22T22:37:35+02:00 Process more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3211,7 +3211,7 @@ CVE-2020-24335 CVE-2020-24334 RESERVED CVE-2020-24333 (A vulnerability in Aristas CloudVision Portal (CVP) prior to 20 ...) - TODO: check + NOT-FOR-US: Arista CVE-2020-24332 (An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon ...) - trousers (unimportant) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1164472 @@ -5007,7 +5007,7 @@ CVE-2020-23448 CVE-2020-23447 RESERVED CVE-2020-23446 (Verint Workforce Optimization suite 15.1 (15.1.0.37634) has Unauthenti ...) - TODO: check + NOT-FOR-US: Verint Workforce Optimization suite CVE-2020-23445 RESERVED CVE-2020-23444 @@ -19640,7 +19640,7 @@ CVE-2020-16204 (The affected product is vulnerable due to an undocumented interf CVE-2020-16203 (Delta Industrial Automation CNCSoft ScreenEditor, Versions 1.01.23 and ...) NOT-FOR-US: Delta Industrial Automation CVE-2020-16202 (WebAccess Node (All versions prior to 9.0.1) has incorrect permissions ...) - TODO: check + NOT-FOR-US: WebAccess Node CVE-2020-16201 (Delta Industrial Automation CNCSoft ScreenEditor, Versions 1.01.23 and ...) NOT-FOR-US: Delta Industrial Automation CVE-2020-16200 (Philips Clinical Collaboration Platform, Versions 12.2.1 and prior. Th ...) @@ -20469,7 +20469,7 @@ CVE-2020-15841 (Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack CVE-2020-15840 RESERVED CVE-2020-15839 (Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 an ...) - TODO: check + NOT-FOR-US: Liferay CVE-2020-15838 RESERVED CVE-2020-15837 
@@ -25329,25 +25329,25 @@ CVE-2020-14033 (An issue was discovered in janus-gateway (aka Janus WebRTC Serve CVE-2020-14032 RESERVED CVE-2020-14031 (An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. The ou ...) - TODO: check + NOT-FOR-US: Ozeki NG SMS Gateway CVE-2020-14030 RESERVED CVE-2020-14029 (An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. The RS ...) NOT-FOR-US: Ozeki NG SMS Gateway CVE-2020-14028 (An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. By lev ...) - TODO: check + NOT-FOR-US: Ozeki NG SMS Gateway CVE-2020-14027 (An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. The da ...) - TODO: check + NOT-FOR-US: Ozeki NG SMS Gateway CVE-2020-14026 (CSV Injection (aka Excel Macro Injection or Formula Injection) exists ...) - TODO: check + NOT-FOR-US: Ozeki NG SMS Gateway CVE-2020-14025 (Ozeki NG SMS Gateway through 4.17.6 has multiple CSRF vulnerabilities. ...) - TODO: check + NOT-FOR-US: Ozeki NG SMS Gateway CVE-2020-14024 (Ozeki NG SMS Gateway through 4.17.6 has multiple authenticated stored ...) - TODO: check + NOT-FOR-US: Ozeki NG SMS Gateway CVE-2020-14023 (Ozeki NG SMS Gateway through 4.17.6 allows SSRF via SMS WCF or RSS To ...) - TODO: check + NOT-FOR-US: Ozeki NG SMS Gateway CVE-2020-14022 (Ozeki NG SMS Gateway 4.17.1 through 4.17.6 does not check the file typ ...) - TODO: check + NOT-FOR-US: Ozeki NG SMS Gateway CVE-2020-14021 (An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. The AS ...) NOT-FOR-US: Ozeki NG SMS Gateway CVE-2020-14020 
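Review bot: CVE-2020-14026 in the @@ -25329 hunk is tagged NOT-FOR-US: Ozeki NG SMS Gateway, but its visible description ("CSV Injection (aka Excel Macro Injection or Formula Injection) exists ...") is truncated before any product name, unlike the other entries changed in this hunk. Confirm the product against the full CVE description rather than inferring it from the neighbouring IDs, so that a packaged project is not dismissed by proximity.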
@@ -51952,7 +51952,7 @@ CVE-2020-3979 (InstallBuilder for Qt Windows (versions prior to 20.7.0) installe CVE-2020-3978 RESERVED CVE-2020-3977 (VMware Horizon DaaS (7.x and 8.x before 8.0.1 Update 1) contains a bro ...) - TODO: check + NOT-FOR-US: VMware CVE-2020-3976 (VMware ESXi and vCenter Server contain a partial denial of service vul ...) NOT-FOR-US: VMware CVE-2020-3975 (VMware App Volumes 2.x prior to 2.18.6 and VMware App Volumes 4 prior ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e707674012dcdca7cb5a1abf6aca16efe0f9af92 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e707674012dcdca7cb5a1abf6aca16efe0f9af92 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
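Review bot: The label added for CVE-2020-16202 in the @@ -19640 hunk, NOT-FOR-US: WebAccess Node, is product-only, while the entries on either side of it use a vendor name (NOT-FOR-US: Delta Industrial Automation) and this same commit uses vendor labels elsewhere (Arista, Liferay, VMware). Consider a vendor-qualified label so the entry groups with related NFU entries when the list is searched.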
[Git][security-tracker-team/security-tracker][master] Process more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a6911fa5 by Salvatore Bonaccorso at 2020-09-22T22:24:42+02:00 Process more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -627,9 +627,9 @@ CVE-2020-25517 CVE-2020-25516 RESERVED CVE-2020-25515 (Sourcecodester Simple Library Management System 1.0 is affected by Ins ...) - TODO: check + NOT-FOR-US: Sourcecodester Simple Library Management System CVE-2020-25514 (Sourcecodester Simple Library Management System 1.0 is affected by Inc ...) - TODO: check + NOT-FOR-US: Sourcecodester Simple Library Management System CVE-2020-25513 RESERVED CVE-2020-25512 @@ -683,7 +683,7 @@ CVE-2020-25489 (A heap overflow in Sqreen PyMiniRacer (aka Python Mini Racer) be CVE-2020-25488 RESERVED CVE-2020-25487 (PHPGURUKUL Zoo Management System Using PHP and MySQL version 1.0 is af ...) - TODO: check + NOT-FOR-US: PHPGURUKUL Zoo Management System CVE-2020-25486 RESERVED CVE-2020-25485 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a6911fa518a34655091822e4c11ef8aebd022ac2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a6911fa518a34655091822e4c11ef8aebd022ac2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2020-8252: Add reference to upstream issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8a1922ca by Salvatore Bonaccorso at 2020-09-22T22:20:11+02:00 CVE-2020-8252: Add reference to upstream issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -41351,6 +41351,7 @@ CVE-2020-8252 (The implementation of realpath in libuv 10.22.1, 12.18. NOTE: https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/#fs-realpath-native-on-may-cause-buffer-overflow-medium-cve-2020-8252 NOTE: Debian's version of nodejs uses the shared system library of libuv1 instead NOTE: of the bundled one. + NOTE: https://github.com/libuv/libuv/issues/2965 NOTE: Introduced by: https://github.com/libuv/libuv/commit/b56d279b172fbe78dee2fb1d29cae9c9c5c6d1c4 (v1.24.0) NOTE: Fixed by: https://github.com/libuv/libuv/commit/0e6e8620496dff0eb285589ef1e37a7f407f3ddd (v1.39.0) CVE-2020-8251 (Node.js 14.11.0 is vulnerable to HTTP denial of service (DoS) att ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a1922ca4da7726b9bf42f99722a41a2bd5fc7f5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a1922ca4da7726b9bf42f99722a41a2bd5fc7f5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3b809a65 by Salvatore Bonaccorso at 2020-09-22T22:13:13+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -31547,11 +31547,11 @@ CVE-2020-11859 CVE-2020-11858 RESERVED CVE-2020-11857 (An Authorization Bypass vulnerability on Micro Focus Operation Bridge ...) - TODO: check + NOT-FOR-US: Micro Focus CVE-2020-11856 (Arbitrary code execution vulnerability on Micro Focus Operation Bridge ...) - TODO: check + NOT-FOR-US: Micro Focus CVE-2020-11855 (An Authorization Bypass vulnerability on Micro Focus Operation Bridge ...) - TODO: check + NOT-FOR-US: Micro Focus CVE-2020-11854 RESERVED CVE-2020-11853 
@@ -50632,29 +50632,29 @@ CVE-2020-4624 CVE-2020-4623 RESERVED CVE-2020-4622 (IBM Data Risk Manager (iDNA) 2.0.6 contains hard-coded credentials, su ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4621 (IBM Data Risk Manager (iDNA) 2.0.6 could allow an authenticated user t ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4620 (IBM Data Risk Manager (iDNA) 2.0.6 could allow a remote authenticated ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4619 (IBM Data Risk Manager (iDNA) 2.0.6 stores user credentials in plain in ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4618 (IBM Data Risk Manager (iDNA) 2.0.6 could allow a privileged user to ca ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4617 (IBM Data Risk Manager (iDNA) 2.0.6 is vulnerable to cross-site request ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4616 (IBM Data Risk Manager (iDNA) 2.0.6 could disclose sensitive username i ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4615 (IBM Data Risk Manager (iDNA) 2.0.6 is vulnerable to cross-site scripti ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4614 (IBM Data Risk Manager (iDNA) 2.0.6 uses weaker than expected cryptogra ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4613 (IBM Data Risk Manager (iDNA) 2.0.6 uses weaker than expected cryptogra ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4612 (IBM Data Risk Manager (iDNA) 2.0.6 could allow an authenticated user t ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4611 (IBM Data Risk Manager (iDNA) 2.0.6 could allow an authenticated user t ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4610 RESERVED CVE-2020-4609 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b809a65b9b233ee422465f7adc7388c51754446 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b809a65b9b233ee422465f7adc7388c51754446 You're receiving this email because of your account on salsa.debian.org. 
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7ec2ab11 by security tracker role at 2020-09-22T20:10:20+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -626,10 +626,10 @@ CVE-2020-25517 RESERVED CVE-2020-25516 RESERVED -CVE-2020-25515 - RESERVED -CVE-2020-25514 - RESERVED +CVE-2020-25515 (Sourcecodester Simple Library Management System 1.0 is affected by Ins ...) + TODO: check +CVE-2020-25514 (Sourcecodester Simple Library Management System 1.0 is affected by Inc ...) + TODO: check CVE-2020-25513 RESERVED CVE-2020-25512 @@ -682,8 +682,8 @@ CVE-2020-25489 (A heap overflow in Sqreen PyMiniRacer (aka Python Mini Racer) be NOT-FOR-US: Sqreen CVE-2020-25488 RESERVED -CVE-2020-25487 - RESERVED +CVE-2020-25487 (PHPGURUKUL Zoo Management System Using PHP and MySQL version 1.0 is af ...) + TODO: check CVE-2020-25486 RESERVED CVE-2020-25485 @@ -2572,8 +2572,8 @@ CVE-2020-24621 RESERVED CVE-2020-24620 RESERVED -CVE-2020-24619 - RESERVED +CVE-2020-24619 (In mainwindow.cpp in Shotcut before 20.09.13, the upgrade check misuse ...) + TODO: check CVE-2020-24618 (In JetBrains YouTrack versions before 2020.3.4313, 2020.2.11008, 2020. ...) NOT-FOR-US: JetBrains CVE-2020-24617 @@ -3210,8 +3210,8 @@ CVE-2020-24335 RESERVED CVE-2020-24334 RESERVED -CVE-2020-24333 - RESERVED +CVE-2020-24333 (A vulnerability in Aristas CloudVision Portal (CVP) prior to 20 ...) + TODO: check CVE-2020-24332 (An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon ...) - trousers (unimportant) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1164472 @@ -5006,8 +5006,8 @@ CVE-2020-23448 RESERVED CVE-2020-23447 RESERVED -CVE-2020-23446 - RESERVED +CVE-2020-23446 (Verint Workforce Optimization suite 15.1 (15.1.0.37634) has Unauthenti ...) + TODO: check CVE-2020-23445 RESERVED CVE-2020-23444 
@@ -19639,8 +19639,8 @@ CVE-2020-16204 (The affected product is vulnerable due to an undocumented interf NOT-FOR-US: N-Tron CVE-2020-16203 (Delta Industrial Automation CNCSoft ScreenEditor, Versions 1.01.23 and ...) NOT-FOR-US: Delta Industrial Automation -CVE-2020-16202 - RESERVED +CVE-2020-16202 (WebAccess Node (All versions prior to 9.0.1) has incorrect permissions ...) + TODO: check CVE-2020-16201 (Delta Industrial Automation CNCSoft ScreenEditor, Versions 1.01.23 and ...) NOT-FOR-US: Delta Industrial Automation CVE-2020-16200 (Philips Clinical Collaboration Platform, Versions 12.2.1 and prior. Th ...) @@ -20468,8 +20468,8 @@ CVE-2020-15841 (Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack NOT-FOR-US: Liferay CVE-2020-15840 RESERVED -CVE-2020-15839 - RESERVED +CVE-2020-15839 (Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 an ...) + TODO: check CVE-2020-15838 RESERVED CVE-2020-15837 
@@ -25328,26 +25328,26 @@ CVE-2020-14033 (An issue was discovered in janus-gateway (aka Janus WebRTC Serve NOTE: https://github.com/meetecho/janus-gateway/commit/dacb4edfad8e77f73b64d8c175cca0a7796ebf80 CVE-2020-14032 RESERVED -CVE-2020-14031 - RESERVED +CVE-2020-14031 (An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. The ou ...) + TODO: check CVE-2020-14030 RESERVED CVE-2020-14029 (An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. The RS ...) NOT-FOR-US: Ozeki NG SMS Gateway -CVE-2020-14028 - RESERVED -CVE-2020-14027 - RESERVED -CVE-2020-14026 - RESERVED -CVE-2020-14025 - RESERVED -CVE-2020-14024 - RESERVED -CVE-2020-14023 - RESERVED -CVE-2020-14022 - RESERVED +CVE-2020-14028 (An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. By lev ...) + TODO: check +CVE-2020-14027 (An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. The da ...) + TODO: check +CVE-2020-14026 (CSV Injection (aka Excel Macro Injection or Formula Injection) exists ...) + TODO: check +CVE-2020-14025 (Ozeki NG SMS Gateway through 4.17.6 has multiple CSRF vulnerabilities. ...) + TODO: check +CVE-2020-14024 (Ozeki NG SMS Gateway through 4.17.6 has multiple authenticated stored ...) + TODO: check +CVE-2020-14023 (Ozeki NG SMS Gateway through 4.17.6 allows SSRF via SMS WCF or RSS To ...) + TODO: check +CVE-2020-14022 (Ozeki NG SMS Gateway 4.17.1 through 4.17.6 does not check the file typ ...) + TODO: check CVE-2020-14021 (An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. The AS ...) NOT-FOR-US: Ozeki NG SMS Gateway CVE-2020-14020 @@ -31546,12 +31546,12 @@
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-2469{6,7,8}/pdns
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 12a973b1 by Salvatore Bonaccorso at 2020-09-22T21:47:43+02:00 Add CVE-2020-2469{6,7,8}/pdns - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2394,10 +2394,19 @@ CVE-2020-24699 (The Chamber Dashboard Business Directory plugin 3.2.8 for WordPr NOT-FOR-US: Chamber Dashboard Business Directory plugin for WordPress CVE-2020-24698 RESERVED + - pdns (unimportant) + NOTE: https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-06.html + NOTE: Debian packages not built with experimental GSS-TSIG support CVE-2020-24697 RESERVED + - pdns (unimportant) + NOTE: https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-06.html + NOTE: Debian packages not built with experimental GSS-TSIG support CVE-2020-24696 RESERVED + - pdns (unimportant) + NOTE: https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-06.html + NOTE: Debian packages not built with experimental GSS-TSIG support CVE-2020-24695 RESERVED CVE-2020-24694 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/12a973b1b9bcd451ed03b36962c614cc7508b623 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/12a973b1b9bcd451ed03b36962c614cc7508b623 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
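Review bot: All three added entries (CVE-2020-24698, CVE-2020-24697, CVE-2020-24696) rest the (unimportant) rating on the NOTE "Debian packages not built with experimental GSS-TSIG support", but nothing in the entries records where that build setting was checked or for which suites. Adding a NOTE that points at the packaging setting would let the rating be re-verified if GSS-TSIG support is enabled in a later upload.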
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-17482/pdns
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b2a4c558 by Salvatore Bonaccorso at 2020-09-22T21:43:27+02:00 Add CVE-2020-17482/pdns - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16952,8 +16952,11 @@ CVE-2020-17484 RESERVED CVE-2020-17483 RESERVED -CVE-2020-17482 +CVE-2020-17482 [Leaking uninitialised memory through crafted zone records] RESERVED + - pdns + [buster] - pdns (Minor issue) + NOTE: https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html CVE-2020-17481 RESERVED CVE-2020-17480 (TinyMCE before 4.9.7 and 5.x before 5.1.4 allows XSS in the core parse ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b2a4c558b623ff03c5da635b987d34ce4520d269 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b2a4c558b623ff03c5da635b987d34ce4520d269 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2020-8252/libuv1
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4bf7d6eb by Salvatore Bonaccorso at 2020-09-22T21:22:45+02:00 Update information on CVE-2020-8252/libuv1 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -41337,8 +41337,10 @@ CVE-2020-8253 (Improper authentication in Citrix XenMobile Server 10.12 before R CVE-2020-8252 (The implementation of realpath in libuv 10.22.1, 12.18.4, an ...) - libuv1 1.39.0-1 NOTE: https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/#fs-realpath-native-on-may-cause-buffer-overflow-medium-cve-2020-8252 - NOTE: Debian's version of nodejs uses the shared system library of libuv1 instead of the bundled one - NOTE: https://github.com/libuv/libuv/commit/0e6e8620496dff0eb285589ef1e37a7f407f3ddd + NOTE: Debian's version of nodejs uses the shared system library of libuv1 instead + NOTE: of the bundled one. + NOTE: Introduced by: https://github.com/libuv/libuv/commit/b56d279b172fbe78dee2fb1d29cae9c9c5c6d1c4 (v1.24.0) + NOTE: Fixed by: https://github.com/libuv/libuv/commit/0e6e8620496dff0eb285589ef1e37a7f407f3ddd (v1.39.0) CVE-2020-8251 (Node.js 14.11.0 is vulnerable to HTTP denial of service (DoS) att ...) - nodejs (Only affects 14.x series) NOTE: https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/#denial-of-service-by-resource-exhaustion-cwe-400-due-to-unfinished-http-1-1-requests-critical-cve-2020-8251 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4bf7d6eb2533add7189bfcdc5370e98548c85fd4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4bf7d6eb2533add7189bfcdc5370e98548c85fd4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2020-2563{5,6}/ansible
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2cfaba45 by Salvatore Bonaccorso at 2020-09-22T21:13:00+02:00 Update information on CVE-2020-2563{5,6}/ansible The connection/aws_ssm plugin is different from the lookup/aws_ssm plugin apparently, where the latter is included as plugin in src:ansible. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -351,11 +351,11 @@ CVE-2020-25637 RESERVED CVE-2020-25636 RESERVED - - ansible + - ansible (Vulnerable connection/aws_ssm plugin not included) NOTE: https://github.com/ansible-collections/community.aws/issues/221 CVE-2020-25635 RESERVED - - ansible + - ansible (Vulnerable connection/aws_ssm plugin not included) NOTE: https://github.com/ansible-collections/community.aws/issues/222 CVE-2020-25634 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2cfaba45b57b434e33fadf14d627141df31f72c3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2cfaba45b57b434e33fadf14d627141df31f72c3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
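Review bot: The annotation added to CVE-2020-25636 and CVE-2020-25635, "(Vulnerable connection/aws_ssm plugin not included)", is stated as fact in the list while the commit message qualifies it with "apparently". Consider adding a NOTE to each entry recording that src:ansible ships only the lookup/aws_ssm plugin and how that was checked, so the basis for the status lives in data/CVE/list rather than only in the commit log.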
[Git][security-tracker-team/security-tracker][master] add libuv1 to dsa-needed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f0ab95fc by Moritz Muehlenhoff at 2020-09-22T20:57:31+02:00 add libuv1 to dsa-needed - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -23,6 +23,8 @@ firefox-esr (jmm) knot-resolver Santiago Ruano Rincón proposed a debdiff for review -- +libuv1 +-- linux (carnil) Wait until more issues have piled up -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0ab95fc27a9a41854e28df32ec32f37323bda1d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0ab95fc27a9a41854e28df32ec32f37323bda1d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] one xen issue only for experimental
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e8f39fc1 by Moritz Muehlenhoff at 2020-09-22T20:10:30+02:00 one xen issue only for experimental - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -458,7 +458,8 @@ CVE-2020-25599 [races with evtchn_reset()] NOTE: https://xenbits.xen.org/xsa/advisory-343.html CVE-2020-25598 [Missing unlock in XENMEM_acquire_resource error path] RESERVED - - xen + [experimental] - xen + - xen (No affected version (only > 4.12) ever uploaded to unstable) NOTE: https://xenbits.xen.org/xsa/advisory-334.html CVE-2020-25597 [once valid event channels may not turn invalid] RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8f39fc141a131f3470290d6462e408b33d354a9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8f39fc141a131f3470290d6462e408b33d354a9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] buster triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4c7ffafe by Moritz Muehlenhoff at 2020-09-22T20:02:29+02:00 buster triage older ntp issue also fixed in sid - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -2640,6 +2640,7 @@ CVE-2020-24585 (An issue was discovered in the DTLS handshake implementation in NOTE: https://github.com/wolfSSL/wolfssl/commit/3be7f3ea3a56d178acf0f7f84ee4ae8cbfee8915 (v4.5.0-stable) CVE-2020-24584 (An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10 ...) - python-django 2:2.2.16-1 (bug #969367) + [buster] - python-django (Fix along in future DSA) [stretch] - python-django (Requires Python 3.7+) NOTE: https://github.com/django/django/commit/1853724acaf17ed7414d54c7d2b5563a25025a71 (master) NOTE: https://github.com/django/django/commit/2b099caa5923afa8cfb5f1e8c0d56b6e0e81915b (3.1.1) @@ -2647,6 +2648,7 @@ CVE-2020-24584 (An issue was discovered in Django 2.2 before 2.2.16, 3.0 before NOTE: https://github.com/django/django/commit/a3aebfdc8153dc230686b6d2454ccd32ed4c9e6f (2.2.16) CVE-2020-24583 (An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10 ...) - python-django 2:2.2.16-1 (bug #969367) + [buster] - python-django (Fix along in future DSA) [stretch] - python-django (Requires Python 3.7+) NOTE: https://github.com/django/django/commit/8d7271578d7b153435b40fe40236ebec43cbf1b9 (master) NOTE: https://github.com/django/django/commit/934430d22aa5d90c2ba33495ff69a6a1d997d584 (3.1.1) 
@@ -3201,23 +3203,23 @@ CVE-2020-24334 CVE-2020-24333 RESERVED CVE-2020-24332 (An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon ...) - - trousers - [stretch] - trousers (tss service gets started as non-root user via init script) + - trousers (unimportant) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1164472 NOTE: https://sourceforge.net/p/trousers/mailman/message/37015817/ NOTE: https://www.openwall.com/lists/oss-security/2020/08/14/1 + NOTE: In Debian, tcsd gets started under the tss user CVE-2020-24331 (An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon ...) - - trousers - [stretch] - trousers (tss service gets started as non-root user via init script) + - trousers (unimportant) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1164472 NOTE: https://sourceforge.net/p/trousers/mailman/message/37015817/ NOTE: https://www.openwall.com/lists/oss-security/2020/08/14/1 + NOTE: In Debian, tcsd gets started under the tss user CVE-2020-24330 (An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon ...) - - trousers - [stretch] - trousers (tss service gets started as non-root user via init script) + - trousers (unimportant) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1164472 NOTE: https://sourceforge.net/p/trousers/mailman/message/37015817/ NOTE: https://www.openwall.com/lists/oss-security/2020/08/14/1 + NOTE: In Debian, tcsd gets started under the tss user CVE-2020-24329 RESERVED CVE-2020-24328 @@ -19731,6 +19733,7 @@ CVE-2020-16151 RESERVED CVE-2020-16150 (A Lucky 13 timing side channel in mbedtls_ssl_decrypt_buf in library/s ...) - mbedtls + [buster] - mbedtls (Minor issue) NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-1 CVE-2020-16149 REJECTED 
@@ -42775,6 +42778,7 @@ CVE-2020-7712 (This affects the package json before 10.0.0. It is possible to in NOT-FOR-US: Node json CVE-2020-7711 (This affects all versions of package github.com/russellhaering/goxmlds ...) - golang-github-russellhaering-goxmldsig (bug #968928) + [buster] - golang-github-russellhaering-goxmldsig (Minor issue) NOTE: https://github.com/russellhaering/goxmldsig/issues/48 CVE-2020-7710 (This affects all versions of package safe-eval. It is possible for an ...) NOT-FOR-US: Node safe-eval @@ -147592,8 +147596,8 @@ CVE-2018-8958 CVE-2018-8957 (CoverCMS v1.1.6 has XSS via the fourth input box to index.php, related ...) NOT-FOR-US: CoverCMS CVE-2018-8956 (ntpd in ntp 4.2.8p10, 4.2.8p11, 4.2.8p12 and 4.2.8p13 allow remote att ...) - - ntp (low) - [buster] - ntp (Minor issue) + - ntp 1:4.2.8p14+dfsg-1 (low) + [buster] - ntp (Minor issue) [stretch] - ntp (Minor issue) [jessie] - ntp (Minor issue, requires being part of same broadcast network, no patch) - ntpsec (Broadcast mode not present, see #961748) = data/dsa-needed.txt
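Review bot: the commit message ("buster triage", "older ntp issue also fixed in sid") does not cover the trousers change in the @@ -3201,23 +3203,23 @@ hunk, where CVE-2020-24330, CVE-2020-24331 and CVE-2020-24332 lose their [stretch] line and become "(unimportant)" for every suite. That is a reclassification of three CVEs rather than buster triage, so name it in the message or split it into its own commit. The new NOTE "In Debian, tcsd gets started under the tss user" also drops the detail from the removed line that this happens via the init script; keeping that detail would let a later reader verify the claim.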
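Review bot: in the @@ -147592,8 +147596,8 @@ hunk for CVE-2018-8956, the removed and added "[buster] - ntp (Minor issue)" lines read identically as shown here, so that pair looks like a whitespace-only change riding along with the real edit (recording 1:4.2.8p14+dfsg-1 as the fixed version). If the only difference is whitespace, drop that pair so the diff carries just the one meaningful line.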
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-25601/xen
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 99cf1e99 by Salvatore Bonaccorso at 2020-09-22T19:34:07+02:00 Add CVE-2020-25601/xen - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -444,8 +444,10 @@ CVE-2020-25602 [x86 pv: Crash when handling guest access to MSR_MISC_ENABLE] RESERVED - xen NOTE: https://xenbits.xen.org/xsa/advisory-333.html -CVE-2020-25601 +CVE-2020-25601 [lack of preemption in evtchn_reset() / evtchn_destroy()] RESERVED + - xen + NOTE: https://xenbits.xen.org/xsa/advisory-344.html CVE-2020-25600 [out of bounds event channels available to 32-bit x86 domains] RESERVED - xen View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99cf1e994382aaef385c4a759cc20c558cb99bd1
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-25600/xen
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 13f91020 by Salvatore Bonaccorso at 2020-09-22T19:31:52+02:00 Add CVE-2020-25600/xen - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -446,8 +446,10 @@ CVE-2020-25602 [x86 pv: Crash when handling guest access to MSR_MISC_ENABLE] NOTE: https://xenbits.xen.org/xsa/advisory-333.html CVE-2020-25601 RESERVED -CVE-2020-25600 +CVE-2020-25600 [out of bounds event channels available to 32-bit x86 domains] RESERVED + - xen + NOTE: https://xenbits.xen.org/xsa/advisory-342.html CVE-2020-25599 RESERVED CVE-2020-25598 [Missing unlock in XENMEM_acquire_resource error path] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13f91020900181621ec3e9d08844683a5ef33e85
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-25603/xen
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8bceb873 by Salvatore Bonaccorso at 2020-09-22T19:30:18+02:00 Add CVE-2020-25603/xen - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -436,8 +436,10 @@ CVE-2020-25604 [race when migrating timers between x86 HVM vCPU-s] RESERVED - xen NOTE: https://xenbits.xen.org/xsa/advisory-336.html -CVE-2020-25603 +CVE-2020-25603 [Missing memory barriers when accessing/allocating an event channel] RESERVED + - xen + NOTE: https://xenbits.xen.org/xsa/advisory-340.html CVE-2020-25602 [x86 pv: Crash when handling guest access to MSR_MISC_ENABLE] RESERVED - xen View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8bceb8731151fc6f6dc2e5ce74ba0bff8c9013d3
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-25596/xen
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5b65bbdc by Salvatore Bonaccorso at 2020-09-22T19:29:15+02:00 Add CVE-2020-25596/xen - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -456,8 +456,10 @@ CVE-2020-25597 [once valid event channels may not turn invalid] RESERVED - xen NOTE: https://xenbits.xen.org/xsa/advisory-338.html -CVE-2020-25596 +CVE-2020-25596 [x86 pv guest kernel DoS via SYSENTER] RESERVED + - xen + NOTE: https://xenbits.xen.org/xsa/advisory-339.html CVE-2020-25595 [PCI passthrough code reading back hardware registers] RESERVED - xen View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b65bbdc5ea04f78eae5c16db515987c397ba710
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-25597/xen
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9ca2083f by Salvatore Bonaccorso at 2020-09-22T19:27:34+02:00 Add CVE-2020-25597/xen - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -452,8 +452,10 @@ CVE-2020-25598 [Missing unlock in XENMEM_acquire_resource error path] RESERVED - xen NOTE: https://xenbits.xen.org/xsa/advisory-334.html -CVE-2020-25597 +CVE-2020-25597 [once valid event channels may not turn invalid] RESERVED + - xen + NOTE: https://xenbits.xen.org/xsa/advisory-338.html CVE-2020-25596 RESERVED CVE-2020-25595 [PCI passthrough code reading back hardware registers] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9ca2083ff49d632e6a3aa2281d3831f127bd9190
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-25595/xen
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 248b8a32 by Salvatore Bonaccorso at 2020-09-22T19:26:36+02:00 Add CVE-2020-25595/xen - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -456,8 +456,10 @@ CVE-2020-25597 RESERVED CVE-2020-25596 RESERVED -CVE-2020-25595 +CVE-2020-25595 [PCI passthrough code reading back hardware registers] RESERVED + - xen + NOTE: https://xenbits.xen.org/xsa/advisory-337.html CVE-2020-25594 RESERVED CVE-2020-25593 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/248b8a324db5e5ec53bd4edf422b446031209b63
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-25604/xen
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e71425f0 by Salvatore Bonaccorso at 2020-09-22T19:25:28+02:00 Add CVE-2020-25604/xen - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -432,8 +432,10 @@ CVE-2020-25606 RESERVED CVE-2020-25605 RESERVED -CVE-2020-25604 +CVE-2020-25604 [race when migrating timers between x86 HVM vCPU-s] RESERVED + - xen + NOTE: https://xenbits.xen.org/xsa/advisory-336.html CVE-2020-25603 RESERVED CVE-2020-25602 [x86 pv: Crash when handling guest access to MSR_MISC_ENABLE] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e71425f069af5c83fa64ae659d4a711b61ea4e02
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-25598/xen
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8d7086d4 by Salvatore Bonaccorso at 2020-09-22T19:24:15+02:00 Add CVE-2020-25598/xen - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -446,8 +446,10 @@ CVE-2020-25600 RESERVED CVE-2020-25599 RESERVED -CVE-2020-25598 +CVE-2020-25598 [Missing unlock in XENMEM_acquire_resource error path] RESERVED + - xen + NOTE: https://xenbits.xen.org/xsa/advisory-334.html CVE-2020-25597 RESERVED CVE-2020-25596 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8d7086d4dbe4658cd580b41819c2805fd989003f
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-25602/xen
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b72dbcf7 by Salvatore Bonaccorso at 2020-09-22T19:23:12+02:00 Add CVE-2020-25602/xen - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -436,8 +436,10 @@ CVE-2020-25604 RESERVED CVE-2020-25603 RESERVED -CVE-2020-25602 +CVE-2020-25602 [x86 pv: Crash when handling guest access to MSR_MISC_ENABLE] RESERVED + - xen + NOTE: https://xenbits.xen.org/xsa/advisory-333.html CVE-2020-25601 RESERVED CVE-2020-25600 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b72dbcf77b21b525c7260f4f30007341d036b862
[Git][security-tracker-team/security-tracker][master] Add firefox-esr issues from mfsa2020-43
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d99eca0e by Salvatore Bonaccorso at 2020-09-22T15:45:32+02:00 Add firefox-esr issues from mfsa2020-43 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20883,15 +20883,21 @@ CVE-2020-15679 CVE-2020-15678 RESERVED - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-42/#CVE-2020-15678 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-43/#CVE-2020-15678 CVE-2020-15677 RESERVED - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-42/#CVE-2020-15677 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-43/#CVE-2020-15677 CVE-2020-15676 RESERVED - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-42/#CVE-2020-15676 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-43/#CVE-2020-15676 CVE-2020-15675 RESERVED - firefox @@ -20903,7 +20909,9 @@ CVE-2020-15674 CVE-2020-15673 RESERVED - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-42/#CVE-2020-15673 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-43/#CVE-2020-15673 CVE-2020-15672 RESERVED CVE-2020-15671 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d99eca0e5a958e17d9a5af8357a9ec6c6e32cbcb
[Git][security-tracker-team/security-tracker][master] Add new firefox issues from mfsa2020-42
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b1962ea7 by Salvatore Bonaccorso at 2020-09-22T15:41:57+02:00 Add new firefox issues from mfsa2020-42 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20882,16 +20882,28 @@ CVE-2020-15679 RESERVED CVE-2020-15678 RESERVED + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-42/#CVE-2020-15678 CVE-2020-15677 RESERVED + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-42/#CVE-2020-15677 CVE-2020-15676 RESERVED + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-42/#CVE-2020-15676 CVE-2020-15675 RESERVED + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-42/#CVE-2020-15675 CVE-2020-15674 RESERVED + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-42/#CVE-2020-15674 CVE-2020-15673 RESERVED + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-42/#CVE-2020-15673 CVE-2020-15672 RESERVED CVE-2020-15671 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b1962ea70879cd6f78fcf9fd5d20d1f86ca2864b
[Git][security-tracker-team/security-tracker][master] 2 commits: Add note for CVE-2020-24972 (kleopatra) regarding when the vulnerability was introduced.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 39cbd647 by Chris Lamb at 2020-09-22T12:28:10+01:00 Add note for CVE-2020-24972 (kleopatra) regarding when the vulnerability was introduced. - - - - - 4965ea94 by Chris Lamb at 2020-09-22T12:28:12+01:00 Triage CVE-2020-24973 in kleopatra for stretch LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1802,8 +1802,10 @@ CVE-2020-24973 CVE-2020-24972 (The Kleopatra component before 3.1.12 (and before 20.07.80) for GnuPG ...) - kleopatra [buster] - kleopatra (Minor issue) + [stretch] - kleopatra (Vulnerable code added to Debian in version 4:18.07.90-1) NOTE: https://dev.gnupg.org/rKLEOPATRAb4bd63c1739900d94c04da03045e9445a5a5f54b NOTE: https://security.gentoo.org/glsa/202008-21 + NOTE: Added in https://dev.gnupg.org/rKLEOPATRAd1cd40bae47eb349e14750601223b6b5d9f71940 (v18.07.80+) CVE-2020-24971 RESERVED CVE-2020-24970 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a5ecbf1d299ab861d2395fee6e2be59857b22f41...4965ea94b92660c552e3d9349719ca0342c0281b
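Review bot: the second commit message says "Triage CVE-2020-24973 in kleopatra for stretch LTS", but the added [stretch] line sits under the CVE-2020-24972 entry and CVE-2020-24973 appears only as the hunk's context header, so the message seems to name the wrong CVE; reword it to CVE-2020-24972 so a log search for the triage decision finds it. The [stretch] reason also cites Debian version 4:18.07.90-1 while the new NOTE cites upstream v18.07.80+; a short remark on how the two relate would help whoever rechecks the stretch status.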
[Git][security-tracker-team/security-tracker][master] ntp fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a5ecbf1d by Moritz Muehlenhoff at 2020-09-22T11:30:05+02:00 ntp fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22483,7 +22483,7 @@ CVE-2020-15027 (ConnectWise Automate through 2020.x has insufficient validation CVE-2020-15026 (Bludit 3.12.0 allows admins to use a /plugin-backup-download?file=../ ...) NOT-FOR-US: Bludit CVE-2020-15025 (ntpd in ntp 4.2.8 before 4.2.8p15 and 4.3.x before 4.3.101 allows remo ...) - - ntp (low; bug #963807) + - ntp 1:4.2.8p15-1 (low; bug #963807) [buster] - ntp (Minor issue) [stretch] - ntp (Vulnerable code introduced later) [jessie] - ntp (Vulnerable code introduced later) @@ -22491,6 +22491,7 @@ CVE-2020-15025 (ntpd in ntp 4.2.8 before 4.2.8p15 and 4.3.x before 4.3.101 allow NOTE: https://support.ntp.org/bin/view/Main/NtpBug3661 NOTE: https://support.ntp.org/bin/view/Main/SecurityNotice#June_2020_ntp_4_2_8p15_NTP_Relea NOTE: https://bugs.ntp.org/show_bug.cgi?id=3661 + NOTE: http://bk.ntp.org/ntp-stable/?PAGE=patch=5e84aa07N2NcL4sE_0dW35Tizc74SA CVE-2020-15024 (An issue was discovered in the Login Password feature of the Password ...) NOT-FOR-US: Avast Antivirus CVE-2020-15023 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5ecbf1d299ab861d2395fee6e2be59857b22f41
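Review bot: the NOTE added under CVE-2020-15025 in the second hunk uses an http:// URL for bk.ntp.org, while the three neighbouring NOTE lines use https://. If that host serves HTTPS, switch the scheme so the patch reference is fetched over an authenticated channel. The commit message "ntp fixed in sid" also leaves out that a patch reference was added; a few words on it would help.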
[Git][security-tracker-team/security-tracker][master] new spring issue, NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d412c358 by Moritz Muehlenhoff at 2020-09-22T11:14:46+02:00 new spring issue, NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19665,7 +19665,7 @@ CVE-2020-16173 CVE-2020-16172 RESERVED CVE-2020-16171 (An issue was discovered in Acronis Cyber Backup before 12.5 Build 1634 ...) - TODO: check + NOT-FOR-US: Acronis CVE-2020-16170 (Use of Hard-coded Credentials in temi Robox OS prior to 120, temi Andr ...) NOT-FOR-US: Temi application fo Android CVE-2020-16169 (Authentication Bypass Using an Alternate Path or Channel in temi Robox ...) @@ -41326,7 +41326,7 @@ CVE-2020-8239 CVE-2020-8238 RESERVED CVE-2020-8237 (Prototype pollution in json-bigint npm package 1.0.0 may lead to ...) - TODO: check + NOT-FOR-US: Node json-bigint CVE-2020-8236 RESERVED CVE-2020-8235 @@ -41886,7 +41886,7 @@ CVE-2020-8030 CVE-2020-8029 RESERVED CVE-2020-8028 (A Improper Access Control vulnerability in the configuration of salt o ...) - TODO: check + NOT-FOR-US: Salt configuration in SUSE Server Manager CVE-2020-8027 RESERVED CVE-2020-8026 (A Incorrect Default Permissions vulnerability in the packaging of inn ...) @@ -48341,7 +48341,8 @@ CVE-2020-5423 CVE-2020-5422 RESERVED CVE-2020-5421 (In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5. ...) - TODO: check + - libspring-java + NOTE: https://tanzu.vmware.com/security/cve-2020-5421 CVE-2020-5420 (Cloud Foundry Routing (Gorouter) versions prior to 0.206.0 allow a mal ...) NOT-FOR-US: Cloud Foundry CVE-2020-5419 (RabbitMQ versions 3.8.x prior to 3.8.7 are prone to a Windows-specific ...) 
@@ -64949,7 +64950,7 @@ CVE-2020-0409 CVE-2020-0408 RESERVED CVE-2020-0407 (In various functions in fscrypt_ice.c and related files in some implem ...) - TODO: check + NOT-FOR-US: Android kernel CVE-2020-0406 (In libmpeg2dec, there is a possible out of bounds write due to a missi ...) NOT-FOR-US: Android Media Framework CVE-2020-0405 (In NetworkStackNotifier, there is a possible permissions bypass due to ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d412c358fe696ae8adb8ef65cd2bbcf69f319464
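Review bot: in the first hunk (@@ -19665,7 +19665,7 @@), "NOT-FOR-US: Acronis" for CVE-2020-16171 names only the vendor, while the other NOT-FOR-US lines added in this commit name the product or component ("Node json-bigint", "Salt configuration in SUSE Server Manager", "Android kernel"). Using "Acronis Cyber Backup", as the CVE description on the same entry does, would keep the list searchable by product.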
[Git][security-tracker-team/security-tracker][master] add qemu
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: bb4bc678 by Thorsten Alteholz at 2020-09-22T08:51:49+02:00 add qemu - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -134,6 +134,8 @@ php-horde-trean (Mike Gabriel) puma NOTE: 20200708: Vulnerable to (at least) CVE-2020-11076. (lamby) -- +qemu (Thorsten Alteholz) +-- rails -- reel View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb4bc6781ecd591e28d0a6fc95e31bd3e34fbb04