[Git][security-tracker-team/security-tracker][master] sqlite spu

2020-10-12 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4bfb1d4a by Moritz Muehlenhoff at 2020-10-12T22:54:18+02:00
sqlite spu

- - - - -


2 changed files:

- data/CVE/list
- data/next-point-update.txt


Changes:

=
data/CVE/list
=
@@ -29222,6 +29222,7 @@ CVE-2020-13633 (Fork before 5.8.3 allows XSS via 
navigation_title or title. ...)
 CVE-2020-13632 (ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL 
pointer der ...)
{DLA-2340-1}
- sqlite3 3.32.0-1
+   [buster] - sqlite3  (Minor issue, will be fixed in point 
release)
[jessie] - sqlite3  (Vulnerable code not present)
NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=1080459
NOTE: https://sqlite.org/src/info/a4dd148928ea65bd
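Review bot: the jessie line for CVE-2020-13632 says "Vulnerable code not present" while the one for CVE-2020-13630 in the following hunk says "Vulnerable code not found"; both describe the same fts3 state in the same upstream release, so use one wording (the former matches the phrasing used elsewhere in this file, e.g. "Affected code not present"). The new buster annotation is consistent with the next-point-update.txt entry for this CVE later in the same commit.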
@@ -29236,6 +29237,7 @@ CVE-2020-13631 (SQLite before 3.32.0 allows a virtual 
table to be renamed to the
 CVE-2020-13630 (ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free 
in fts3Ev ...)
{DLA-2340-1}
- sqlite3 3.32.0-1
+   [buster] - sqlite3  (Minor issue, will be fixed in point 
release)
[jessie] - sqlite3  (Vulnerable code not found)
NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=1080459
NOTE: https://sqlite.org/src/info/0d69f76f0865f962
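Review bot: the status token between the package name and the parenthetical (the double space in "sqlite3  (Minor issue, ...") and the token after "- sqlite3 " on the jessie line appear to have been stripped by the notification rendering, so whether the buster line carries <no-dsa> or <postponed> cannot be checked from the mail; whoever reviews this in data/CVE/list should confirm the token matches the "will be fixed in point release" wording, which implies deferral to the point update rather than an ignored issue.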


=
data/next-point-update.txt
=
@@ -36,3 +36,23 @@ CVE-2020-9359
[buster] - okular 4:17.12.2-2.2+deb10u1
 CVE-2018-1000825
[buster] - freecol 0.11.6+dfsg2-2+deb10u1
+CVE-2019-19923
+   [buster] - sqlite3 3.27.2-3+deb10u1
+CVE-2019-19925
+   [buster] - sqlite3 3.27.2-3+deb10u1
+CVE-2019-19959
+   [buster] - sqlite3 3.27.2-3+deb10u1
+CVE-2019-20218
+   [buster] - sqlite3 3.27.2-3+deb10u1
+CVE-2020-13434
+   [buster] - sqlite3 3.27.2-3+deb10u1
+CVE-2020-13435
+   [buster] - sqlite3 3.27.2-3+deb10u1
+CVE-2020-13630
+   [buster] - sqlite3 3.27.2-3+deb10u1
+CVE-2020-13632
+   [buster] - sqlite3 3.27.2-3+deb10u1
+CVE-2020-15358
+   [buster] - sqlite3 3.27.2-3+deb10u1
+CVE-2019-16168
+   [buster] - sqlite3 3.27.2-3+deb10u1
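Review bot: next-point-update.txt gains ten sqlite3 issues at 3.27.2-3+deb10u1, but data/CVE/list is only updated for CVE-2020-13630 and CVE-2020-13632 in this commit; the other eight (CVE-2019-19923, CVE-2019-19925, CVE-2019-19959, CVE-2019-20218, CVE-2020-13434, CVE-2020-13435, CVE-2020-15358, CVE-2019-16168) are not touched, so check that each already carries a matching [buster] annotation before the point release is announced. Minor: CVE-2019-16168 is appended out of numeric order after the CVE-2020 entries.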



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4bfb1d4a1ae30cb65c6ebe9827e4c17bf6ed1b93

-- 
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for sympa issues

2020-10-12 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3d990635 by Salvatore Bonaccorso at 2020-10-12T22:23:02+02:00
Add Debian bug reference for sympa issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -281,7 +281,7 @@ CVE-2020-26882
 CVE-2020-26881
RESERVED
 CVE-2020-26880 (Sympa through 6.2.57b.2 allows a local privilege escalation 
from the s ...)
-   - sympa 
+   - sympa  (bug #972114)
NOTE: https://github.com/sympa-community/sympa/issues/1009
NOTE: 
https://github.com/sympa-community/sympa/issues/943#issuecomment-704779420
NOTE: 
https://github.com/sympa-community/sympa/issues/943#issuecomment-704842235



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3d99063527719329c785ce04ee3cc8711dee0004


[Git][security-tracker-team/security-tracker][master] Add new webmin issues

2020-10-12 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e378209a by Salvatore Bonaccorso at 2020-10-12T22:21:47+02:00
Add new webmin issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -31595,7 +31595,7 @@ CVE-2020-12672 (GraphicsMagick through 1.3.35 has a 
heap-based buffer overflow i
 CVE-2020-12671
RESERVED
 CVE-2020-12670 (XSS exists in Webmin 1.941 and earlier affecting the Save 
function of  ...)
-   TODO: check
+   - webmin 
 CVE-2020-12669 (core/get_menudiv.php in Dolibarr before 11.0.4 allows remote 
authentic ...)
- dolibarr 
 CVE-2020-12668
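Review bot: CVE-2020-12670 moves from TODO: check to an unfixed webmin entry without any NOTE giving the upstream advisory or fixing commit, unlike the other entries in this digest that gain bug references and upstream links (sympa, libonig, puma); add a NOTE with the upstream reference and a Debian bug number once filed, and a fixed version as soon as one is known.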
@@ -42849,9 +42849,9 @@ CVE-2020-8823 (htmlfile in lib/transport/htmlfile.js in 
SockJS before 3.0 is vul
 CVE-2020-8822 (Digi TransPort WR21 5.2.2.3, WR44 5.1.6.4, and WR44v2 5.1.6.9 
devices  ...)
NOT-FOR-US: Digi TransPort
 CVE-2020-8821 (An Improper Data Validation Vulnerability exists in Webmin 
1.941 and e ...)
-   TODO: check
+   - webmin 
 CVE-2020-8820 (An XSS Vulnerability exists in Webmin 1.941 and earlier 
affecting the  ...)
-   TODO: check
+   - webmin 
 CVE-2020-8819 (An issue was discovered in the CardGate Payments plugin through 
3.1.15 ...)
NOT-FOR-US: CardGate Payments plugin for WooCommerce
 CVE-2020-8818 (An issue was discovered in the CardGate Payments plugin through 
2.0.30 ...)
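Review bot: CVE-2020-8821 and CVE-2020-8820 are marked affected in webmin with no NOTE or bug reference, as for CVE-2020-12670 in the previous hunk; since all three describe Webmin 1.941 and earlier, a single NOTE pointing at the upstream release that fixed them would serve all three entries.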



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e378209a8075c35334d7d310c9f4f3c51473d757


[Git][security-tracker-team/security-tracker][master] Process NFUs

2020-10-12 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cb06a587 by Salvatore Bonaccorso at 2020-10-12T22:19:42+02:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -307,11 +307,11 @@ CVE-2020-26870 (Cure53 DOMPurify before 2.0.17 allows 
mutation XSS. This occurs
- dompurify.js 
NOTE: 
https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/
 CVE-2020-26869 (An information exposure vulnerability exists in PcVue 12, 
allowing a n ...)
-   TODO: check
+   NOT-FOR-US: PcVue
 CVE-2020-26868 (A Denial Of Service vulnerability exists in PcVue from version 
8.10 on ...)
-   TODO: check
+   NOT-FOR-US: PcVue
 CVE-2020-26867 (A Remote Code Execution vulnerability exists in PcVue from 
version 8.1 ...)
-   TODO: check
+   NOT-FOR-US: PcVue
 CVE-2020-26866
RESERVED
 CVE-2020-26865
@@ -994,7 +994,7 @@ CVE-2020-26548
 CVE-2020-26547
RESERVED
 CVE-2020-26546 (** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered in 
HelpDeskZ 1 ...)
-   TODO: check
+   NOT-FOR-US: HelpDeskZ
 CVE-2020-26545
RESERVED
 CVE-2020-26544
@@ -2530,7 +2530,7 @@ CVE-2020-25827 (An issue was discovered in the OATHAuth 
extension in MediaWiki b
 CVE-2020-25826 (PingID Integration for Windows Login before 2.4.2 allows local 
users t ...)
NOT-FOR-US: PingID Integration for Windows Login
 CVE-2020-25825 (In Octopus Deploy 3.1.0 to 2020.4.0, certain scripts can 
reveal sensit ...)
-   TODO: check
+   NOT-FOR-US: Octopus Deploy
 CVE-2020-25824
RESERVED
 CVE-2020-25823
@@ -41878,11 +41878,11 @@ CVE-2020-9242 (FusionCompute 8.0.0 have a command 
injection vulnerability. The s
 CVE-2020-9241 (Huawei 5G Mobile WiFi E6878-370 with versions of 
10.0.3.1(H563SP1C00), ...)
NOT-FOR-US: Huawei
 CVE-2020-9240 (Taurus-AN00B versions earlier than 10.1.0.156(C00E155R7P2) have 
a buff ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2020-9239 (Huawei smartphones BLA-A09 versions 8.0.0.123(C212),versions 
earlier t ...)
NOT-FOR-US: Huawei
 CVE-2020-9238 (Taurus-AN00B versions earlier than 10.1.0.156(C00E155R7P2) have 
a buff ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2020-9237 (Huawei smartphone Taurus-AL00B with versions earlier than 
10.1.0.126(C ...)
NOT-FOR-US: Huawei
 CVE-2020-9236
@@ -41898,7 +41898,7 @@ CVE-2020-9232
 CVE-2020-9231
RESERVED
 CVE-2020-9230 (WS5800-10 version 10.0.3.25 has a denial of service 
vulnerability. Due ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2020-9229 (FusionCompute 8.0.0 has an information disclosure 
vulnerability. Due t ...)
NOT-FOR-US: Huawei
 CVE-2020-9228 (FusionCompute 8.0.0 has an information disclosure 
vulnerability. Due t ...)
@@ -42112,9 +42112,9 @@ CVE-2020-9125
 CVE-2020-9124
RESERVED
 CVE-2020-9123 (HUAWEI P30 Pro versions earlier than 10.1.0.160(C00E160R2P8) 
and versi ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2020-9122 (Some Huawei products have an insufficient input verification 
vulnerabi ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2020-9121
RESERVED
 CVE-2020-9120
@@ -42138,15 +42138,15 @@ CVE-2020-9112
 CVE-2020-9111
RESERVED
 CVE-2020-9110 (Taurus-AN00B versions earlier than 10.1.0.156(C00E155R7P2) have 
an inf ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2020-9109 (There is an information disclosure vulnerability in several 
smartphone ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2020-9108 (HUAWEI P30 Pro versions earlier than 10.1.0.160(C00E160R2P8) 
have an o ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2020-9107 (HUAWEI P30 Pro versions earlier than 10.1.0.160(C00E160R2P8) 
have an o ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2020-9106 (HUAWEI P30 Pro versions earlier than 10.1.0.160(C00E160R2P8) 
have a pa ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2020-9105 (Taurus-AN00B versions earlier than 10.1.0.156(C00E155R7P2) have 
an ins ...)
NOT-FOR-US: Huawei
 CVE-2020-9104 (HUAWEI P30 smartphones with Versions earlier than 
10.1.0.123(C431E22R2 ...)
@@ -42176,7 +42176,7 @@ CVE-2020-9093
 CVE-2020-9092
RESERVED
 CVE-2020-9091 (Taurus-AN00B versions earlier than 10.1.0.156(C00E155R7P2) have 
an out ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2020-9090 (FusionAccess version 6.5.1 has an improper authorization 
vulnerability ...)
TODO: check
 CVE-2020-9089
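Review bot: CVE-2020-9090 (FusionAccess 6.5.1) is left at TODO: check in this hunk while the FusionCompute entries in the same batch (CVE-2020-9229, CVE-2020-9228) are NOT-FOR-US: Huawei; if FusionAccess is the same vendor's product, it can be resolved in this pass rather than in a later triage round.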
@@ -42184,7 +42184,7 @@ CVE-2020-9089
 CVE-2020-9088
RESERVED
 CVE-2020-9087 (Taurus-AL00A version 10.0.0.1(C00E1R1P1) has an out-of-bounds 
read vul ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2020-9086
RESERVED
 CVE-2020-9085
@@ -45442,7 +45442,7 @@ CVE-2020-7813 (Ezhttptrans.ocx ActiveX Control in Kaoni 
ezHTTPTrans 

[Git][security-tracker-team/security-tracker][master] Add CVE-2020-13341/gitlab

2020-10-12 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1388e732 by Salvatore Bonaccorso at 2020-10-12T22:21:09+02:00
Add CVE-2020-13341/gitlab

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -29895,7 +29895,7 @@ CVE-2020-13343 (An issue has been discovered in GitLab 
affecting all versions st
 CVE-2020-13342 (An issue has been discovered in GitLab affecting versions 
prior to 13. ...)
- gitlab 13.2.10-1
 CVE-2020-13341 (An issue has been discovered in GitLab affecting all versions 
prior to ...)
-   TODO: check
+   - gitlab 
 CVE-2020-13340 (An issue has been discovered in GitLab affecting all versions 
prior to ...)
- gitlab 13.2.10-1
 CVE-2020-13339 (An issue has been discovered in GitLab affecting all versions 
before 1 ...)
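Review bot: CVE-2020-13341 becomes an unfixed gitlab entry (the status token after "gitlab" is stripped in this rendering) while its neighbours CVE-2020-13342 and CVE-2020-13340 are recorded as fixed in gitlab 13.2.10-1; if the GitLab advisory fixes all of them in the same release, this entry should get the same version, otherwise a NOTE naming the fixed upstream version would explain the difference.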



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1388e73238fd6bef253876686c073a43f7b6b75d


[Git][security-tracker-team/security-tracker][master] Process NFUs

2020-10-12 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
faa815e5 by Salvatore Bonaccorso at 2020-10-12T22:13:00+02:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -53193,25 +53193,25 @@ CVE-2020-4783
 CVE-2020-4782
RESERVED
 CVE-2020-4781 (An improper input validation before calling java readLine() 
method may ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4780 (OOTB build scripts does not set the secure attribute on session 
cookie ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4779 (A HTTP Verb Tampering vulnerability may impact IBM Curam Social 
Progra ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4778 (IBM Curam Social Program Management 7.0.9 and 7.0.10 uses MD5 
algorith ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4777
RESERVED
 CVE-2020-4776 (A path traversal vulnerability may impact IBM Curam Social 
Program Man ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4775 (A cross-site scripting (XSS) vulnerability may impact IBM Curam 
Social ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4774 (An XPath vulnerability may impact IBM Curam Social Program 
Management  ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4773 (A cross-site request forgery (CSRF) vulnerability may impact 
IBM Curam ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4772 (An XML External Entity Injection (XXE) vulnerability may impact 
IBM Cu ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4771
RESERVED
 CVE-2020-4770
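Review bot: the visible prefixes of the CVE-2020-4781 and CVE-2020-4780 descriptions do not name a product ("An improper input validation before calling java readLine() method ...", "OOTB build scripts does not set the secure attribute ..."), so the NOT-FOR-US: IBM classification rests on the surrounding IBM Curam entries; worth double-checking those two against the full CVE text, since a readLine or cookie-flag issue could in principle sit in a component that is packaged in Debian.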
@@ -53273,9 +53273,9 @@ CVE-2020-4743
 CVE-2020-4742
RESERVED
 CVE-2020-4741 (IBM InfoSphere Information Server 11.5 and 11.7 is vulnerable 
to store ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4740 (IBM InfoSphere Information Server 11.5 and 11.7 is vulnerable 
to HTML  ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4739
RESERVED
 CVE-2020-4738
@@ -53357,7 +53357,7 @@ CVE-2020-4701
 CVE-2020-4700
RESERVED
 CVE-2020-4699 (IBM Security Access Manager 9.0.7 and IBM Security Verify 
Access 10.0. ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4698 (IBM Business Process Manager 8.5, 8.6 and IBM Business 
Automation Work ...)
NOT-FOR-US: IBM
 CVE-2020-4697
@@ -53377,7 +53377,7 @@ CVE-2020-4691
 CVE-2020-4690
RESERVED
 CVE-2020-4689 (IBM Security Guardium 11.2 is vulnerable to CVS Injection. A 
remote pr ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4688
RESERVED
 CVE-2020-4687 (IBM Content Navigator 3.0.7 and 3.0.8 could allow an 
authenticated use ...)
@@ -53393,13 +53393,13 @@ CVE-2020-4683
 CVE-2020-4682
RESERVED
 CVE-2020-4681 (IBM Security Guardium 11.2 is vulnerable to cross-site 
scripting. This ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4680 (IBM Security Guardium 11.2 is vulnerable to cross-site 
scripting. This ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4679 (IBM Security Guardium 11.2 is vulnerable to cross-site 
scripting. This ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4678 (IBM Security Guardium 11.2 could allow an attacker with admin 
access t ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4677
RESERVED
 CVE-2020-4676
@@ -53433,9 +53433,9 @@ CVE-2020-4663
 CVE-2020-4662 (IBM Event Streams 10.0.0 could allow an authenticated user to 
perform  ...)
NOT-FOR-US: IBM
 CVE-2020-4661 (IBM Security Access Manager 9.0.7 and IBM Security Verify 
Access 10.0. ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4660 (IBM Security Access Manager 9.0.7 and IBM Security Verify 
Access 10.0. ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4659
RESERVED
 CVE-2020-4658
@@ -53979,7 +53979,7 @@ CVE-2020-4390
 CVE-2020-4389
RESERVED
 CVE-2020-4388 (IBM Cognos Analytics 11.0 and 11.1 could be vulnerable to a 
denial of  ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4387 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect 
Server) 9.7, ...)
NOT-FOR-US: IBM
 CVE-2020-4386 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect 
Server) 9.7, ...)
@@ -54151,7 +54151,7 @@ CVE-2020-4304 (IBM WebSphere Application Server - 
Liberty 17.0.0.3 through 20.0.
 CVE-2020-4303 (IBM WebSphere Application Server - Liberty 17.0.0.3 through 
20.0.0.3 i ...)
NOT-FOR-US: IBM
 CVE-2020-4302 (IBM Cognos Analytics 11.0 and 11.1 could allow a remote 
attacker to ex ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4301
RESERVED
 CVE-2020-4300



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/faa815e5d21b8ed49636cd731dd629dead318b0b


[Git][security-tracker-team/security-tracker][master] automatic update

2020-10-12 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
373878db by security tracker role at 2020-10-12T20:10:36+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,145 @@
+CVE-2020-27020
+   RESERVED
+CVE-2020-27019
+   RESERVED
+CVE-2020-27018
+   RESERVED
+CVE-2020-27017
+   RESERVED
+CVE-2020-27016
+   RESERVED
+CVE-2020-27015
+   RESERVED
+CVE-2020-27014
+   RESERVED
+CVE-2020-27013
+   RESERVED
+CVE-2020-27012
+   RESERVED
+CVE-2020-27011
+   RESERVED
+CVE-2020-27010
+   RESERVED
+CVE-2020-27009
+   RESERVED
+CVE-2020-27008
+   RESERVED
+CVE-2020-27007
+   RESERVED
+CVE-2020-27006
+   RESERVED
+CVE-2020-27005
+   RESERVED
+CVE-2020-27004
+   RESERVED
+CVE-2020-27003
+   RESERVED
+CVE-2020-27002
+   RESERVED
+CVE-2020-27001
+   RESERVED
+CVE-2020-27000
+   RESERVED
+CVE-2020-26999
+   RESERVED
+CVE-2020-26998
+   RESERVED
+CVE-2020-26997
+   RESERVED
+CVE-2020-26996
+   RESERVED
+CVE-2020-26995
+   RESERVED
+CVE-2020-26994
+   RESERVED
+CVE-2020-26993
+   RESERVED
+CVE-2020-26992
+   RESERVED
+CVE-2020-26991
+   RESERVED
+CVE-2020-26990
+   RESERVED
+CVE-2020-26989
+   RESERVED
+CVE-2020-26988
+   RESERVED
+CVE-2020-26987
+   RESERVED
+CVE-2020-26986
+   RESERVED
+CVE-2020-26985
+   RESERVED
+CVE-2020-26984
+   RESERVED
+CVE-2020-26983
+   RESERVED
+CVE-2020-26982
+   RESERVED
+CVE-2020-26981
+   RESERVED
+CVE-2020-26980
+   RESERVED
+CVE-2020-26979
+   RESERVED
+CVE-2020-26978
+   RESERVED
+CVE-2020-26977
+   RESERVED
+CVE-2020-26976
+   RESERVED
+CVE-2020-26975
+   RESERVED
+CVE-2020-26974
+   RESERVED
+CVE-2020-26973
+   RESERVED
+CVE-2020-26972
+   RESERVED
+CVE-2020-26971
+   RESERVED
+CVE-2020-26970
+   RESERVED
+CVE-2020-26969
+   RESERVED
+CVE-2020-26968
+   RESERVED
+CVE-2020-26967
+   RESERVED
+CVE-2020-26966
+   RESERVED
+CVE-2020-26965
+   RESERVED
+CVE-2020-26964
+   RESERVED
+CVE-2020-26963
+   RESERVED
+CVE-2020-26962
+   RESERVED
+CVE-2020-26961
+   RESERVED
+CVE-2020-26960
+   RESERVED
+CVE-2020-26959
+   RESERVED
+CVE-2020-26958
+   RESERVED
+CVE-2020-26957
+   RESERVED
+CVE-2020-26956
+   RESERVED
+CVE-2020-26955
+   RESERVED
+CVE-2020-26954
+   RESERVED
+CVE-2020-26953
+   RESERVED
+CVE-2020-26952
+   RESERVED
+CVE-2020-26951
+   RESERVED
+CVE-2020-26950
+   RESERVED
 CVE-2020-26949
RESERVED
 CVE-2020-26948 (Emby Server before 4.5.0 allows SSRF via the 
Items/RemoteSearch/Image  ...)
@@ -164,12 +306,12 @@ CVE-2020-26871
 CVE-2020-26870 (Cure53 DOMPurify before 2.0.17 allows mutation XSS. This 
occurs becaus ...)
- dompurify.js 
NOTE: 
https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/
-CVE-2020-26869
-   RESERVED
-CVE-2020-26868
-   RESERVED
-CVE-2020-26867
-   RESERVED
+CVE-2020-26869 (An information exposure vulnerability exists in PcVue 12, 
allowing a n ...)
+   TODO: check
+CVE-2020-26868 (A Denial Of Service vulnerability exists in PcVue from version 
8.10 on ...)
+   TODO: check
+CVE-2020-26867 (A Remote Code Execution vulnerability exists in PcVue from 
version 8.1 ...)
+   TODO: check
 CVE-2020-26866
RESERVED
 CVE-2020-26865
@@ -851,8 +993,8 @@ CVE-2020-26548
RESERVED
 CVE-2020-26547
RESERVED
-CVE-2020-26546
-   RESERVED
+CVE-2020-26546 (** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered in 
HelpDeskZ 1 ...)
+   TODO: check
 CVE-2020-26545
RESERVED
 CVE-2020-26544
@@ -2387,8 +2529,8 @@ CVE-2020-25827 (An issue was discovered in the OATHAuth 
extension in MediaWiki b
NOTE: https://phabricator.wikimedia.org/T251661
 CVE-2020-25826 (PingID Integration for Windows Login before 2.4.2 allows local 
users t ...)
NOT-FOR-US: PingID Integration for Windows Login
-CVE-2020-25825
-   RESERVED
+CVE-2020-25825 (In Octopus Deploy 3.1.0 to 2020.4.0, certain scripts can 
reveal sensit ...)
+   TODO: check
 CVE-2020-25824
RESERVED
 CVE-2020-25823
@@ -2405,7 +2547,7 @@ CVE-2020-25818
RESERVED
 CVE-2020-25817
RESERVED
-CVE-2020-25816 (HashiCorp Vault and Vault Enterprise 1.0 before 1.5.4 have 
Incorrect A ...)
+CVE-2020-25816 (HashiCorp Vault and Vault Enterprise versions 1.0 and newer 
allowed le ...)
NOT-FOR-US: HashiCorp Vault
 CVE-2020-25815 (An issue was discovered in MediaWiki 1.32.x through 1.34.x 
before 1.34 ...)
- mediawiki 1:1.35.0-1
@@ -24609,8 +24751,8 @@ CVE-2020-15252
RESERVED
 CVE-2020-15251
RESERVED
-CVE-2020-15250
-   RESERVED
+CVE-2020-15250 (In JUnit4 before version 4.13.1, the test rule TemporaryFolder 

[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-26159/libonig

2020-10-12 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9d51eaa0 by Salvatore Bonaccorso at 2020-10-12T22:01:02+02:00
Add Debian bug reference for CVE-2020-26159/libonig

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1647,7 +1647,7 @@ CVE-2020-26160 (jwt-go before 4.0.0-preview1 allows 
attackers to bypass intended
NOTE: https://github.com/dgrijalva/jwt-go/issues/422
NOTE: https://github.com/dgrijalva/jwt-go/pull/426
 CVE-2020-26159 (In Oniguruma 6.9.5_rev1, an attacker able to supply a regular 
expressi ...)
-   - libonig 
+   - libonig  (bug #972113)
NOTE: 
https://github.com/kkos/oniguruma/commit/cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0
NOTE: https://github.com/kkos/oniguruma/issues/207
 CVE-2019-20922 (Handlebars before 4.4.5 allows Regular Expression Denial of 
Service (R ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d51eaa0f8f1542bfa02977fc35587d5c0fef522


[Git][security-tracker-team/security-tracker][master] Fix small typo in postponed note

2020-10-12 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
db2d80ef by Salvatore Bonaccorso at 2020-10-12T21:17:32+02:00
Fix small typo in postponed note

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -46940,7 +46940,7 @@ CVE-2020-7070 (In PHP versions 7.2.x below 7.2.34, 
7.3.x below 7.3.23 and 7.4.x
{DLA-2397-1}
- php7.4 7.4.11-1
- php7.3 
-   [buster] - php7.3  (Minor issue, likely to introduce 
tegressions, wait for one more 7.3 upstream release)
+   [buster] - php7.3  (Minor issue, likely to introduce 
egressions, wait for one more 7.3 upstream release)
- php7.0 
NOTE: Fixed in PHP 7.4.11, 7.3.23, 7.2.34
NOTE: PHP Bug: https://bugs.php.net/79699
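Review bot: the corrected line still contains the typo: "egressions" should be "regressions" (the original read "tegressions"), so the buster php7.3 note on CVE-2020-7070 needs one more fix.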



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db2d80ef645cc294a4c4f3c7aa90ac76435ca8e8


[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-1107{6,7}/puma

2020-10-12 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
44b57d85 by Salvatore Bonaccorso at 2020-10-12T21:09:14+02:00
Add Debian bug reference for CVE-2020-1107{6,7}/puma

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -36672,11 +36672,11 @@ CVE-2020-11078 (In httplib2 before version 0.18.0, an 
attacker controlling unesc
NOTE: 
https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e
 CVE-2020-11077 (In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could 
smuggle a re ...)
{DLA-2398-1}
-   - puma 
+   - puma  (bug #972102)
NOTE: 
https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm
 CVE-2020-11076 (In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could 
smuggle a ...)
{DLA-2398-1}
-   - puma 
+   - puma  (bug #972102)
NOTE: 
https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h
NOTE: 
https://github.com/puma/puma/commit/f24d5521295a2152c286abb0a45a1e1e2bd275bd
 CVE-2020-11075 (In Anchore Engine version 0.7.0, a specially crafted container 
image m ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/44b57d85b31a0c9f149624f0106dfc0fe9300ea2


[Git][security-tracker-team/security-tracker][master] lua, rust-ncurses bugs

2020-10-12 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5570cbf6 by Moritz Muehlenhoff at 2020-10-12T20:15:10+02:00
lua, rust-ncurses bugs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -22931,7 +22931,7 @@ CVE-2020-15889 (Lua through 5.4.0 has a getobjname 
heap-based buffer over-read b
NOTE: 
https://github.com/lua/lua/commit/127e7a6c8942b362aa3c6627f44d660a4fb75312
NOTE: Introduced in 5.4
 CVE-2020-15888 (Lua through 5.4.0 mishandles the interaction between stack 
resizes and ...)
-   - lua5.4 
+   - lua5.4  (bug #972101)
NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00053.html
NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00054.html
NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00071.html
@@ -75960,10 +75960,10 @@ CVE-2019-15550 (An issue was discovered in the 
simd-json crate before 0.1.15 for
 CVE-2019-15549 (An issue was discovered in the asn1_der crate before 0.6.2 for 
Rust. A ...)
NOT-FOR-US: Rust crate asn1_der
 CVE-2019-15548 (An issue was discovered in the ncurses crate through 5.99.0 
for Rust.  ...)
-   - rust-ncurses 
+   - rust-ncurses  (bug #972100)
NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0006.html
 CVE-2019-15547 (An issue was discovered in the ncurses crate through 5.99.0 
for Rust.  ...)
-   - rust-ncurses 
+   - rust-ncurses  (bug #972100)
NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0006.html
 CVE-2019-15546 (An issue was discovered in the pancurses crate through 0.16.1 
for Rust ...)
NOT-FOR-US: Rust crate pancurses



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5570cbf6dd2449a83184efe3efe34ff62c73fa61


[Git][security-tracker-team/security-tracker][master] adplug fixed in sid

2020-10-12 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fd9a8acd by Moritz Muehlenhoff at 2020-10-12T20:07:08+02:00
adplug fixed in sid
qemu bug

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -78840,23 +78840,26 @@ CVE-2019-14736
 CVE-2019-14735
RESERVED
 CVE-2019-14734 (AdPlug 2.3.1 has multiple heap-based buffer overflows in 
CmtkLoader::l ...)
-   - adplug 
+   - adplug 2.3.3+dfsg-2
[buster] - adplug  (Minor issue)
[stretch] - adplug  (Minor issue)
[jessie] - adplug  (Minor issue)
NOTE: https://github.com/adplug/adplug/issues/90
+   NOTE: 
https://github.com/adplug/adplug/commit/8342139c09178823dba3f3bbd8b53d0ea0c72de9
 CVE-2019-14733 (AdPlug 2.3.1 has multiple heap-based buffer overflows in 
CradLoader::l ...)
-   - adplug 
+   - adplug 2.3.3+dfsg-2
[buster] - adplug  (Minor issue)
[stretch] - adplug  (Minor issue)
[jessie] - adplug  (Minor issue)
NOTE: https://github.com/adplug/adplug/issues/89
+   NOTE: 
https://github.com/adplug/adplug/commit/cb715174f95187bf544c11ca2a2ecd091b7fbb8a
 (eventually got replaced by rad2.cpp rewrite)
 CVE-2019-14732 (AdPlug 2.3.1 has multiple heap-based buffer overflows in 
Ca2mLoader::l ...)
-   - adplug 
+   - adplug 2.3.3+dfsg-2
[buster] - adplug  (Minor issue)
[stretch] - adplug  (Minor issue)
[jessie] - adplug  (Minor issue)
NOTE: https://github.com/adplug/adplug/issues/88
+   NOTE: 
https://github.com/adplug/adplug/commit/30ddcfe9bd1cce3e02f8135961bceb411419dbdb
 CVE-2019-14731 (An issue was discovered in ZenTao 11.5.1. There is an XSS 
(stored) vul ...)
NOT-FOR-US: ZenTao CMS
 CVE-2019-14730 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, 
an insecu ...)
@@ -87852,7 +87855,7 @@ CVE-2019-12068 (In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 
1:2.8+dfsg-6+deb9u8, 1:3.
NOTE: 
https://git.qemu.org/?p=qemu.git;a=commit;h=de594e47659029316bbf9391efb79da0a1a08e08
 CVE-2019-12067 [ide: ahci: add check to avoid null dereference]
RESERVED
-   - qemu  (low)
+   - qemu  (low; bug #972099)
[buster] - qemu  (Minor issue, revisit when fixed upstream)
[stretch] - qemu  (Minor issue, can be fixed along in future 
update)
[jessie] - qemu  (Minor issue, can be fixed along in future 
update)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd9a8acdaf45361355aaacbc86b04c54e4f8f2c9


[Git][security-tracker-team/security-tracker][master] buster triage

2020-10-12 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
116f39de by Moritz Muehlenhoff at 2020-10-12T19:45:22+02:00
buster triage
reviewed the status of some old issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1769,6 +1769,7 @@ CVE-2020-26116 (http.client in Python 3.x before 3.5.10, 
3.6.x before 3.6.12, 3.
- python3.9 3.9.0~b5-1
- python3.8 3.8.5-1
- python3.7 
+   [buster] - python3.7  (Minor issue)
- python3.5 
NOTE: https://bugs.python.org/issue39603
NOTE: 
https://python-security.readthedocs.io/vuln/http-header-injection-method.html
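Review bot: only python3.7 receives the [buster] annotation here while the python3.5 line directly below it (the stretch version) stays bare; give it a [stretch] annotation or a DLA reference so the suite status is not left ambiguous.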
@@ -2606,6 +2607,7 @@ CVE-2020-25740
 CVE-2020-25739 (An issue was discovered in the gon gem before gon-6.4.0 for 
Ruby. Mult ...)
{DLA-2380-1}
- ruby-gon  (bug #970938)
+   [buster] - ruby-gon  (Minor issue)
NOTE: 
https://github.com/gazay/gon/commit/fe3c7b2191a992386dc9edd37de5447a4e809bc7
 CVE-2020-25738
RESERVED
@@ -2825,6 +2827,7 @@ CVE-2020-25638
 CVE-2020-25637 (A double free memory issue was found to occur in the libvirt 
API, in v ...)
{DLA-2395-1}
- libvirt  (bug #971555)
+   [buster] - libvirt  (Minor issue)
NOTE: Introduced by: 
https://libvirt.org/git/?p=libvirt.git;a=commit;h=0977b8aa071de550e1a013d35e2c72615e65d520
 (v1.2.14-rc1)
NOTE: Fixed by: 
https://libvirt.org/git/?p=libvirt.git;a=commit;h=955029bd0ad7ef96000f529ac38204a8f4a96401
 (v6.8.0)
NOTE: Fixed by: 
https://libvirt.org/git/?p=libvirt.git;a=commit;h=50864dcda191eb35732dbd80fb6ca251a6bba923
 (v6.8.0)
@@ -22336,11 +22339,13 @@ CVE-2020-16122
RESERVED
{DLA-2399-1}
- packagekit 
+   [buster] - packagekit  (Minor issue)
NOTE: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098
 CVE-2020-16121
RESERVED
{DLA-2399-1}
- packagekit 
+   [buster] - packagekit  (Minor issue)
NOTE: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/187
 CVE-2020-16120
RESERVED
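Review bot: the NOTE under CVE-2020-16121 points at launchpad "bug/187", which looks truncated next to "bug/1882098" in the CVE-2020-16122 entry above; verify the full bug number while these entries are being touched.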
@@ -46935,6 +46940,7 @@ CVE-2020-7070 (In PHP versions 7.2.x below 7.2.34, 
7.3.x below 7.3.23 and 7.4.x
{DLA-2397-1}
- php7.4 7.4.11-1
- php7.3 
+   [buster] - php7.3  (Minor issue, likely to introduce 
tegressions, wait for one more 7.3 upstream release)
- php7.0 
NOTE: Fixed in PHP 7.4.11, 7.3.23, 7.2.34
NOTE: PHP Bug: https://bugs.php.net/79699
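Review bot: typo in the added [buster] annotation for php7.3: "tegressions" should read "regressions".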
@@ -46942,8 +46948,7 @@ CVE-2020-7070 (In PHP versions 7.2.x below 7.2.34, 
7.3.x below 7.3.23 and 7.4.x
 CVE-2020-7069 (In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 
7.4.x below ...)
- php7.4 7.4.11-1
- php7.3 
-   - php7.0 
-   [stretch] - php7.0  (Affected code not present)
+   - php7.0  (Affected code not present)
NOTE: Fixed in PHP 7.4.11, 7.3.23, 7.2.34
NOTE: PHP Bug: https://bugs.php.net/79601
NOTE: 
https://git.php.net/?p=php-src.git;a=commit;h=0216630ea2815a5789a24279a1211ac398d4de79
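Review bot: this moves "Affected code not present" from a [stretch]-specific line to the bare php7.0 entry, which asserts php7.0 is unaffected in every suite rather than only in stretch; that holds only because php7.0 ships solely in stretch, so a short NOTE stating that would make the intent clear to the next reader.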
@@ -51686,12 +51691,14 @@ CVE-2020-5218 (Affected versions of Sylius give 
attackers the ability to switch
NOT-FOR-US: Sylius
 CVE-2020-5217 (In Secure Headers (RubyGem secure_headers), a directive 
injection vuln ...)
- ruby-secure-headers 6.3.1-1 (bug #94)
+   [buster] - ruby-secure-headers  (Minor issue)
NOTE: 
https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c
NOTE: 
https://github.com/twitter/secure_headers/commit/936a160e3e9659737a9f9eafce13eea36b5c9fa3
NOTE: https://github.com/twitter/secure_headers/issues/418
NOTE: https://github.com/twitter/secure_headers/pull/421
 CVE-2020-5216 (In Secure Headers (RubyGem secure_headers), a directive 
injection vuln ...)
- ruby-secure-headers 6.3.1-1 (bug #949998)
+   [buster] - ruby-secure-headers  (Minor issue)
NOTE: 
https://github.com/twitter/secure_headers/security/advisories/GHSA-w978-rmpf-qmwg
NOTE: 
https://github.com/twitter/secure_headers/commit/301695706f6a70517c2a90c6ef9b32178440a2d0
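Review bot: the context line "- ruby-secure-headers 6.3.1-1 (bug #94)" under CVE-2020-5217 carries a two-digit bug number, which looks truncated beside "(bug #949998)" in the CVE-2020-5216 entry; check that reference while adding the buster annotations.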
 CVE-2020-5215 (In TensorFlow before 1.15.2 and 2.0.1, converting a string 
(from Pytho ...)
@@ -129333,8 +129340,9 @@ CVE-2018-16849 (A flaw was found in 
openstack-mistral. By manipulating the SSH p
[stretch] - mistral 3.0.0-4+deb9u1
NOTE: https://bugs.launchpad.net/mistral/+bug/1783708
 CVE-2018-16848 (A Denial of Service (DoS) condition is possible in OpenStack 
Mistral i ...)
-   - mistral 
+   - mistral 10.0.0~rc1-2
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1645332
+   NOTE: https://bugs.launchpad.net/mistral/%2Bbug/1785657
 CVE-2018-16847 (An OOB heap buffer r/w access issue was found in the NVM 
Express Contr ...)
- qemu 1:3.1+dfsg-1 (bug #912655)
[stretch] - qemu  (support for Controller Memory 
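Review bot: the new launchpad NOTE uses the URL-encoded form "/%2Bbug/1785657" while the CVE-2018-16849 entry two lines up uses "/+bug/1783708"; normalise to the plain "+bug" form so the references stay consistent and greppable.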

[Git][security-tracker-team/security-tracker][master] Add CVE-2020-13943/tomcat

2020-10-12 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ca70b35a by Salvatore Bonaccorso at 2020-10-12T17:58:26+02:00
Add CVE-2020-13943/tomcat

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -28170,6 +28170,10 @@ CVE-2020-13944 (In Apache Airflow  1.10.12, the 
"origin" parameter passed to
- airflow  (bug #819700)
 CVE-2020-13943
RESERVED
+   - tomcat9 9.0.38-1
+   - tomcat8 
+   NOTE: 
https://github.com/apache/tomcat/commit/55911430df13f8c9998fbdee1f9716994d2db59b
 (9.0.38)
+   NOTE: 
https://github.com/apache/tomcat/commit/9d7def063b47407a09a2f9202beed99f4dcb292a
 (8.5.58)
 CVE-2020-13942
RESERVED
 CVE-2020-13941 (Reported in SOLR-14515 (private) and fixed in SOLR-14561 
(public), rel ...)
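Review bot: tomcat8 is listed without a fixed version or suite annotation although the 8.5.58 commit in the second NOTE is the fix for that branch; add the stretch status for tomcat8 (DLA needed or minor issue) so the entry does not read as untriaged.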



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca70b35a9f431a0faa0274b8706188fe9fed4c96


[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2020-11979/ant

2020-10-12 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
55698feb by Salvatore Bonaccorso at 2020-10-12T17:52:01+02:00
Add fixed version for CVE-2020-11979/ant

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -33254,7 +33254,7 @@ CVE-2020-11981 (An issue was found in Apache Airflow 
versions 1.10.10 and below.
 CVE-2020-11980 (In Karaf, JMX authentication takes place using JAAS and 
authorization  ...)
- apache-karaf  (bug #881297)
 CVE-2020-11979 (As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the 
permissi ...)
-   - ant  (bug #971612)
+   - ant 1.10.9-1 (bug #971612)
[buster] - ant  (Vulnerability not present as 
CVE-2020-1945 not addressed)
[stretch] - ant  (Vulnerability not present as 
CVE-2020-1945 not addressed)
NOTE: 
https://lists.apache.org/thread.html/rc3c8ef9724b5b1e171529b47f4b35cb7920edfb6e917fa21eb6c64ea%40%3Cdev.ant.apache.org%3E



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/55698feba74aa5c8d8cd9debe91947e80b821b51


[Git][security-tracker-team/security-tracker][master] Process one NFU

2020-10-12 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cd652998 by Salvatore Bonaccorso at 2020-10-12T17:32:24+02:00
Process one NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -61043,7 +61043,7 @@ CVE-2020-1916
 CVE-2020-1915
RESERVED
 CVE-2020-1914 (A logic vulnerability when handling the SaveGeneratorLong 
instruction  ...)
-   TODO: check
+   NOT-FOR-US: Facebook Hermes
 CVE-2020-1913 (An Integer signedness error in the JavaScript Interpreter in 
Facebook  ...)
NOT-FOR-US: Facebook Hermes
 CVE-2020-1912 (An out-of-bounds read/write vulnerability when executing lazily 
compil ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd652998ceb4cc945094156bf6b05dd5360fa18e


[Git][security-tracker-team/security-tracker][master] NFUs

2020-10-12 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3d0da7e0 by Moritz Muehlenhoff at 2020-10-12T16:07:53+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3,7 +3,7 @@ CVE-2020-26949
 CVE-2020-26948 (Emby Server before 4.5.0 allows SSRF via the 
Items/RemoteSearch/Image  ...)
NOT-FOR-US: Emby Server
 CVE-2020-26947 (monero-wallet-gui in Monero GUI 0.17.0.1 includes the . 
directory in a ...)
-   TODO: check
+   NOT-FOR-US: monero-wallet-gui
 CVE-2020-26946
RESERVED
 CVE-2020-26945 (MyBatis before 3.5.6 mishandles deserialization of object 
streams. ...)
@@ -111,7 +111,7 @@ CVE-2020-26896
 CVE-2020-26895
RESERVED
 CVE-2020-26894 (Faulkner Wildlife Issues in the New Millennium 18.0.160 on 
Windows all ...)
-   TODO: check
+   NOT-FOR-US: New Millennium
 CVE-2020-26893
RESERVED
 CVE-2020-26892
@@ -31394,7 +31394,7 @@ CVE-2020-12678
 CVE-2020-12677 (An issue was discovered in Progress MOVEit Automation Web 
Admin. A Web ...)
NOT-FOR-US: Progress MOVEit Automation Web Admin
 CVE-2020-12676 (FusionAuth fusionauth-samlv2 0.2.3 allows remote attackers to 
forge me ...)
-   TODO: check
+   NOT-FOR-US: FusionAuth
 CVE-2020-12675 (The mappress-google-maps-for-wordpress plugin before 2.54.6 
for WordPr ...)
NOT-FOR-US: mappress-google-maps-for-wordpress plugin for WordPress
 CVE-2020-12692 (An issue was discovered in OpenStack Keystone before 15.0.1, 
and 16.0. ...)
@@ -42112,7 +42112,7 @@ CVE-2020-9050
 CVE-2020-9049
RESERVED
 CVE-2020-9048 (A vulnerability in victor Web Client versions up to and 
including v5.4 ...)
-   TODO: check
+   NOT-FOR-US: Johnson Controls
 CVE-2020-9047 (A vulnerability exists that could allow the execution of 
unauthorized  ...)
NOT-FOR-US: exacqVision Web Service
 CVE-2020-9046 (A vulnerability in all versions of Kantech EntraPass Editions 
could po ...)
@@ -45430,15 +45430,15 @@ CVE-2020-7744
 CVE-2020-7743
RESERVED
 CVE-2020-7742 (This affects the package simpl-schema before 1.10.2. ...)
-   TODO: check
+   NOT-FOR-US: Node simpl-schema
 CVE-2020-7741 (This affects the package hellojs before 1.18.6. The code get 
the param ...)
-   TODO: check
+   NOT-FOR-US: hello.js
 CVE-2020-7740 (This affects all versions of package node-pdf-generator. Due to 
lack o ...)
-   TODO: check
+   NOT-FOR-US: Node pdf-generator
 CVE-2020-7739 (This affects all versions of package phantomjs-seo. It is 
possible for ...)
-   TODO: check
+   NOT-FOR-US: Node phantomjs-seo
 CVE-2020-7738 (All versions of package shiba are vulnerable to Arbitrary Code 
Executi ...)
-   TODO: check
+   NOT-FOR-US: Node shiba
 CVE-2020-7737 (All versions of package safetydance are vulnerable to Prototype 
Pollut ...)
TODO: check
 CVE-2020-7736 (The package bmoor before 0.8.12 are vulnerable to Prototype 
Pollution  ...)
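Review bot: naming in the new NOT-FOR-US labels is inconsistent within this hunk: the description says "node-pdf-generator" but the label reads "Node pdf-generator", and "hellojs" becomes "hello.js" without the "Node" prefix the neighbouring entries use; pick one convention (the upstream package name) so searches across the file match. CVE-2020-7737 (safetydance) is also left as "TODO: check" although it is the same class of npm package as the entries triaged here.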



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3d0da7e0e64247878593215592ae69f10023b8f6


[Git][security-tracker-team/security-tracker][master] Add upstream reference for CVE-2019-20922

2020-10-12 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dcafd2ab by Salvatore Bonaccorso at 2020-10-12T15:20:48+02:00
Add upstream reference for CVE-2019-20922

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1653,6 +1653,7 @@ CVE-2020-26159 (In Oniguruma 6.9.5_rev1, an attacker able 
to supply a regular ex
 CVE-2019-20922 (Handlebars before 4.4.5 allows Regular Expression Denial of 
Service (R ...)
- node-handlebars  (Introduced in 4.4.4 and fixed in 
4.4.5, no vulnerable version uploaded)
- libjs-handlebars  (Introduced in 4.4.4 and fixed in 
4.4.5, no vulnerable version uploaded)
+   NOTE: https://github.com/handlebars-lang/handlebars.js/issues/1579
NOTE: 
https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b
NOTE: https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388
NOTE: https://www.npmjs.com/advisories/1300



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dcafd2abede24d4a96d0b8cd7d6d1eb31c5948bd


[Git][security-tracker-team/security-tracker][master] 2 commits: Add yaws to dsa-needed list

2020-10-12 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
02773334 by Salvatore Bonaccorso at 2020-10-12T15:10:34+02:00
Add yaws to dsa-needed list

- - - - -
cd83091d by Salvatore Bonaccorso at 2020-10-12T15:11:03+02:00
Take yaws from dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -32,3 +32,5 @@ python-flask-cors
 xcftools
   Hugo proposed to work on this update
 --
+yaws (carnil)
+--



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c8964697bce5fe24eb517e03fc43200ee55300bf...cd83091dc56af1b3627ecb955c3d924696315949


[Git][security-tracker-team/security-tracker][master] new otrs issues

2020-10-12 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c8964697 by Moritz Muehlenhoff at 2020-10-12T13:28:06+02:00
new otrs issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -36914,8 +36914,11 @@ CVE-2020-11023 (In jQuery versions greater than or 
equal to 1.0.3 and before 3.5
[jessie] - drupal7  (Vulnerable code not embedded)
- node-jquery 3.5.0+dfsg-2
[buster] - node-jquery  (Minor issue)
+   - otrs2 6.0.30-1
+   [buster] - otrs2  (Non-free not supported)
NOTE: 
https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6
NOTE: https://www.drupal.org/sa-core-2020-002
+   NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-14/
 CVE-2020-11022 (In jQuery versions greater than or equal to 1.2 and before 
3.5.0, pass ...)
{DSA-4693-1}
- jquery 
@@ -36926,9 +36929,12 @@ CVE-2020-11022 (In jQuery versions greater than or 
equal to 1.2 and before 3.5.0
[buster] - node-jquery  (Minor issue)
- drupal7 
[jessie] - drupal7  (Vulnerable code not embedded)
+   - otrs2 6.0.30-1
+   [buster] - otrs2  (Non-free not supported)
NOTE: 
https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2
NOTE: 
https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77
NOTE: https://www.drupal.org/sa-core-2020-002
+   NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-14/
 CVE-2020-11021 (Actions Http-Client (NPM @actions/http-client) before version 
1.0.8 ca ...)
NOT-FOR-US: Actions Http-Client
 CVE-2020-11020 (Faye (NPM, RubyGem) versions greater than 0.5.0 and before 
1.0.4, 1.1. ...)
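Review bot: both jQuery entries add otrs2 with a [buster] "Non-free not supported" annotation but no [stretch] line; if stretch ships otrs2 with the bundled jQuery as well, record the same decision there so the suite status is complete.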



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8964697bce5fe24eb517e03fc43200ee55300bf


[Git][security-tracker-team/security-tracker][master] CVE-2019-20922 n/a, thanks yadd

2020-10-12 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4ffcbba6 by Moritz Muehlenhoff at 2020-10-12T12:32:50+02:00
CVE-2019-20922 n/a, thanks yadd

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1651,9 +1651,8 @@ CVE-2020-26159 (In Oniguruma 6.9.5_rev1, an attacker able 
to supply a regular ex
NOTE: 
https://github.com/kkos/oniguruma/commit/cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0
NOTE: https://github.com/kkos/oniguruma/issues/207
 CVE-2019-20922 (Handlebars before 4.4.5 allows Regular Expression Denial of 
Service (R ...)
-   - node-handlebars 3:4.7.2-1
-   - libjs-handlebars 
-   [stretch] - libjs-handlebars  (Only reverse depends was 
diaspora which not in stretch)
+   - node-handlebars  (Introduced in 4.4.4 and fixed in 
4.4.5, no vulnerable version uploaded)
+   - libjs-handlebars  (Introduced in 4.4.4 and fixed in 
4.4.5, no vulnerable version uploaded)
NOTE: 
https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b
NOTE: https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388
NOTE: https://www.npmjs.com/advisories/1300



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ffcbba60f857d3c3546ffbee4783f1286d6d155


[Git][security-tracker-team/security-tracker][master] more gitlab fixes

2020-10-12 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9bd99e08 by Moritz Muehlenhoff at 2020-10-12T11:10:23+02:00
more gitlab fixes

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -29737,11 +29737,11 @@ CVE-2020-13347 (A command injection vulnerability was 
discovered in Gitlab runne
 CVE-2020-13346 (Membership changes are not reflected in ToDo subscriptions in 
GitLab v ...)
- gitlab 13.2.10-1
 CVE-2020-13345 (An issue has been discovered in GitLab affecting all versions 
starting ...)
-   - gitlab 
+   - gitlab 13.2.10-1
 CVE-2020-13344 (An issue has been discovered in GitLab affecting all versions 
prior to ...)
- gitlab 13.2.10-1
 CVE-2020-13343 (An issue has been discovered in GitLab affecting all versions 
starting ...)
-   - gitlab 
+   - gitlab 13.2.10-1
 CVE-2020-13342 (An issue has been discovered in GitLab affecting versions 
prior to 13. ...)
- gitlab 13.2.10-1
 CVE-2020-13341
@@ -29757,7 +29757,7 @@ CVE-2020-13337 (An issue has been discovered in GitLab 
affecting versions from 1
- gitlab  (Only affected 12.10 to 12.10.12)
NOTE: https://gitlab.com/gitlab-org/gitlab/-/issues/199049
 CVE-2020-13336 (An issue has been discovered in GitLab affecting versions from 
11.8 be ...)
-   - gitlab 
+   - gitlab  (Only affected 11.x/12.x while unstable on 13.x)
 CVE-2020-13335 (Improper group membership validation when deleting a user 
account in G ...)
- gitlab 13.2.10-1
 CVE-2020-13334 (In GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, 
improper autho ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9bd99e0890fc729c8a7616f72cd1d2e1e1cf06ea


[Git][security-tracker-team/security-tracker][master] Update information on CVE-2019-14888/undertow

2020-10-12 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4485d8c8 by Salvatore Bonaccorso at 2020-10-12T10:41:16+02:00
Update information on CVE-2019-14888/undertow

Upstream is not very transparent here, but the fixed version is noted in
the CVE description as 2.0.28.SP1 (which is possibly after
2.0.28.Final). Checking through the commits of 2.0.28.Final and
2.0.29.Final reveals one commit matching a denial of service due to a
deadlock in the http2 code.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -78201,8 +78201,12 @@ CVE-2019-14889 (A flaw was found with the libssh API 
function ssh_scp_new() in v
NOTE: https://bugs.debian.org/947129
NOTE: 
https://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d163a943737fe4160f7233925df2eee1f9a
 CVE-2019-14888 (A vulnerability was found in the Undertow HTTP server in 
versions befo ...)
-   - undertow 2.0.28-1
+   - undertow 2.0.30-1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1772464
+   NOTE: https://issues.redhat.com/browse/UNDERTOW-1623
+   NOTE: 
https://github.com/undertow-io/undertow/commit/846c50ead09f7d0b38965b4726ba0b6c5582bf7f
 (and followups)
+   NOTE: https://github.com/undertow-io/undertow/pull/828
+   NOTE: https://github.com/undertow-io/undertow/pull/852
 CVE-2019-14887 (A flaw was found when an OpenSSL security provider is used 
with Wildfl ...)
- wildfly  (bug #752018)
 CVE-2019-14886 (A vulnerability was found in business-central, as shipped in 
rhdm-7.5. ...)
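Review bot: the commit message traces the fix to a commit between 2.0.28.Final and 2.0.29.Final, yet the fixed version is recorded as 2.0.30-1; if 2.0.30-1 is simply the first Debian upload that contains the fix, say so in a NOTE, otherwise 2.0.29-1 would be the expected value.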



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4485d8c84632762fc13960bfe6573a2af83e5900


[Git][security-tracker-team/security-tracker][master] Process one NFU

2020-10-12 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
391e53be by Salvatore Bonaccorso at 2020-10-12T10:25:32+02:00
Process one NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -27513,7 +27513,7 @@ CVE-2020-14186
 CVE-2020-14185
RESERVED
 CVE-2020-14184 (Affected versions of Atlassian Jira Server allow remote 
attackers to i ...)
-   TODO: check
+   NOT-FOR-US: Atlassian
 CVE-2020-14183 (Affected versions of Jira Server  Data Center allow a 
remote atta ...)
NOT-FOR-US: Atlassian
 CVE-2020-14182



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/391e53becd88bedebba48a6c79bb949211c07b4e


[Git][security-tracker-team/security-tracker][master] gitlab fixed in sid

2020-10-12 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ca1c1d80 by Moritz Muehlenhoff at 2020-10-12T10:12:59+02:00
gitlab fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -29735,21 +29735,21 @@ CVE-2020-13348
 CVE-2020-13347 (A command injection vulnerability was discovered in Gitlab 
runner vers ...)
- gitlab-ci-multi-runner  (Only affects gitlab-runner 
when configured on Windows)
 CVE-2020-13346 (Membership changes are not reflected in ToDo subscriptions in 
GitLab v ...)
-   - gitlab 
+   - gitlab 13.2.10-1
 CVE-2020-13345 (An issue has been discovered in GitLab affecting all versions 
starting ...)
- gitlab 
 CVE-2020-13344 (An issue has been discovered in GitLab affecting all versions 
prior to ...)
-   - gitlab 
+   - gitlab 13.2.10-1
 CVE-2020-13343 (An issue has been discovered in GitLab affecting all versions 
starting ...)
- gitlab 
 CVE-2020-13342 (An issue has been discovered in GitLab affecting versions 
prior to 13. ...)
-   - gitlab 
+   - gitlab 13.2.10-1
 CVE-2020-13341
RESERVED
 CVE-2020-13340 (An issue has been discovered in GitLab affecting all versions 
prior to ...)
-   - gitlab 
+   - gitlab 13.2.10-1
 CVE-2020-13339 (An issue has been discovered in GitLab affecting all versions 
before 1 ...)
-   - gitlab 
+   - gitlab 13.2.10-1
 CVE-2020-13338 (An issue has been discovered in GitLab affecting versions 
prior to 12. ...)
- gitlab 13.2.3-2
NOTE: https://gitlab.com/gitlab-org/gitlab/-/issues/213273
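Review bot: CVE-2020-13345 and CVE-2020-13343 keep a bare "- gitlab" line while every neighbouring GitLab entry in this hunk is set to 13.2.10-1; since both descriptions say "all versions starting ...", confirm whether 13.2.10-1 fixes them too and either set the version or add a NOTE explaining the gap.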
@@ -29759,13 +29759,13 @@ CVE-2020-13337 (An issue has been discovered in 
GitLab affecting versions from 1
 CVE-2020-13336 (An issue has been discovered in GitLab affecting versions from 
11.8 be ...)
- gitlab 
 CVE-2020-13335 (Improper group membership validation when deleting a user 
account in G ...)
-   - gitlab 
+   - gitlab 13.2.10-1
 CVE-2020-13334 (In GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, 
improper autho ...)
-   - gitlab 
+   - gitlab 13.2.10-1
 CVE-2020-1 (A potential DOS vulnerability was discovered in GitLab 
versions 13.1,  ...)
-   - gitlab 
+   - gitlab 13.2.10-1
 CVE-2020-13332 (Improper access expiration date validation in GitLab version 
=8.11 ...)
-   - gitlab 
+   - gitlab 13.2.10-1
 CVE-2020-13331 (An issue has been discovered in GitLab affecting versions 
prior to 12. ...)
- gitlab 13.2.3-2
 CVE-2020-13330 (An issue has been discovered in GitLab affecting versions 
prior to 12. ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca1c1d8ff46a1391fa65a8e946d91ab8fd57


[Git][security-tracker-team/security-tracker][master] automatic update

2020-10-12 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
099d742e by security tracker role at 2020-10-12T08:10:19+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -27512,8 +27512,8 @@ CVE-2020-14186
RESERVED
 CVE-2020-14185
RESERVED
-CVE-2020-14184
-   RESERVED
+CVE-2020-14184 (Affected versions of Atlassian Jira Server allow remote 
attackers to i ...)
+   TODO: check
 CVE-2020-14183 (Affected versions of Jira Server  Data Center allow a 
remote atta ...)
NOT-FOR-US: Atlassian
 CVE-2020-14182



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/099d742e6590e83d6377ec13296a110d85ea5d77


[Git][security-tracker-team/security-tracker][master] Add CVE-2020-11800/zabbix

2020-10-12 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e0c9950a by Salvatore Bonaccorso at 2020-10-12T09:00:49+02:00
Add CVE-2020-11800/zabbix

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -34319,7 +34319,10 @@ CVE-2020-11801
 CVE-2019-20768 (ServiceNow IT Service Management Kingston through Patch 14-1, 
London t ...)
NOT-FOR-US: ServiceNow IT Service Management Kingston
 CVE-2020-11800 (Zabbix Server 2.2.x and 3.0.x before 3.0.31, and 3.2 allows 
remote att ...)
-   TODO: check
+   - zabbix 1:4.0.0+dfsg-1
+   NOTE: https://support.zabbix.com/browse/DEV-1538
+   NOTE: https://support.zabbix.com/browse/ZBX-17600
+   NOTE: https://support.zabbix.com/browse/ZBXSEC-30 (not public)
 CVE-2020-11799 (Z-Cron 5.6 Build 04 allows an unprivileged attacker to elevate 
privile ...)
NOT-FOR-US: Z-Cron
 CVE-2020-11798 (A Directory Traversal vulnerability in the web conference 
component of ...)
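Review bot: the fixed version 1:4.0.0+dfsg-1 covers unstable, but the description names Zabbix 3.0.x before 3.0.31 as affected and no [stretch] annotation is added; if stretch ships a 3.0.x zabbix it needs an explicit status (DLA or no-dsa) so the entry is not left half-triaged.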



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e0c9950ab56bddcaff4edd8bf451786d278e91b1


[Git][security-tracker-team/security-tracker][master] update note

2020-10-12 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e0a1bf9d by Thorsten Alteholz at 2020-10-12T08:57:08+02:00
update note

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -124,6 +124,7 @@ php-horde-trean
 phpmyadmin (Abhijith PA)
 --
 python3.5 (Thorsten Alteholz)
+  NOTE: 20201011: testing package
 --
 pluxml
   NOTE: 20201011: issue is still open upstream. Also low priority for us 
(abhijith)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e0a1bf9d75c0ee7cf71722ab23d5385286e16a40


[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-15866/mruby

2020-10-12 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
537007de by Salvatore Bonaccorso at 2020-10-12T08:47:52+02:00
Add Debian bug reference for CVE-2020-15866/mruby

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -22977,7 +22977,7 @@ CVE-2020-15868 (Sonatype Nexus Repository Manager 
OSS/Pro before 3.26.0 has Inco
 CVE-2020-15867
RESERVED
 CVE-2020-15866 (mruby through 2.1.2-rc has a heap-based buffer overflow in the 
mrb_yie ...)
-   - mruby 
+   - mruby  (bug #972051)
[buster] - mruby  (Minor issue)
[stretch] - mruby  (Minor issue)
NOTE: https://github.com/mruby/mruby/issues/5042



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/537007de83cc047e76173b99e5ac6f74c26b2488


[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-15476/ndpi

2020-10-12 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1ef63ccb by Salvatore Bonaccorso at 2020-10-12T08:46:26+02:00
Add Debian bug reference for CVE-2020-15476/ndpi

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -24070,28 +24070,28 @@ CVE-2020-15477 (The WebControl in RaspberryTortoise 
through 2012-10-28 is vulner
NOT-FOR-US: RaspberryTortoise
 CVE-2020-15476 (In nDPI through 3.2, the Oracle protocol dissector has a 
heap-based bu ...)
{DLA-2354-1}
-   - ndpi 
+   - ndpi  (bug #972050)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21780
NOTE: 
https://github.com/ntop/nDPI/commit/b69177be2fbe01c2442239a61832c44e40136c05
 CVE-2020-15475 (In nDPI through 3.2, ndpi_reset_packet_line_info in 
lib/ndpi_main.c om ...)
-   - ndpi 
+   - ndpi  (bug #972050)
[stretch] - ndpi  (Vulnerable code not present, 
content_disposition_line introduced later)
NOTE: 
https://github.com/ntop/nDPI/commit/6a9f5e4f7c3fd5ddab3e6727b071904d76773952
 CVE-2020-15474 (In nDPI through 3.2, there is a stack overflow in 
extractRDNSequence i ...)
-   - ndpi 
+   - ndpi  (bug #972050)
[buster] - ndpi  (Vulnerable code not present)
[stretch] - ndpi  (Vulnerable code not present)
NOTE: 
https://github.com/ntop/nDPI/commit/23594f036536468072198a57c59b6e9d63caf6ce
 CVE-2020-15473 (In nDPI through 3.2, the OpenVPN dissector is vulnerable to a 
heap-bas ...)
-   - ndpi 
+   - ndpi  (bug #972050)
[stretch] - ndpi  (Vulnerable code introduced later)
NOTE: 
https://github.com/ntop/nDPI/commit/8e7b1ea7a136cc4e4aa9880072ec2d69900a825e
 CVE-2020-15472 (In nDPI through 3.2, the H.323 dissector is vulnerable to a 
heap-based ...)
-   - ndpi 
+   - ndpi  (bug #972050)
[stretch] - ndpi  (Vulnerable code introduced later)
NOTE: 
https://github.com/ntop/nDPI/commit/b7e666e465f138ae48ab81976726e67deed12701
 CVE-2020-15471 (In nDPI through 3.2, the packet parsing code is vulnerable to 
a heap-b ...)
-   - ndpi 
+   - ndpi  (bug #972050)
[buster] - ndpi  (Vulnerable code not present)
[stretch] - ndpi  (Vulnerable code not present)
NOTE: 
https://github.com/ntop/nDPI/commit/61066fb106efa6d3d95b67e47b662de208b2b622
@@ -33348,14 +33348,14 @@ CVE-2020-11942 (An issue was discovered in Open-AudIT 
3.2.2. There are Multiple
 CVE-2020-11941 (An issue was discovered in Open-AudIT 3.2.2. There is OS 
Command injec ...)
NOT-FOR-US: Open-AudIT
 CVE-2020-11940 (In nDPI through 3.2 Stable, an out-of-bounds read in 
concat_hash_strin ...)
-   - ndpi 
+   - ndpi  (bug #972050)
[buster] - ndpi  (Introduced in 3.0)
[stretch] - ndpi  (Introduced in 3.0)
[jessie] - ndpi  (Introduced in 3.0)
NOTE: 
https://github.com/ntop/nDPI/commit/3bbb0cd3296023f6f922c71d21a1c374d2b0a435
NOTE: 
https://securitylab.github.com/advisories/GHSL-2020-051_052-ntop-ndpi
 CVE-2020-11939 (In nDPI through 3.2 Stable, the SSH protocol dissector has 
multiple KE ...)
-   - ndpi 
+   - ndpi  (bug #972050)
[buster] - ndpi  (Introduced in 3.0)
[stretch] - ndpi  (Introduced in 3.0)
[jessie] - ndpi  (Introduced in 3.0)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ef63ccbf61a8041c5a4deb8a280cc60a4d8658a


[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-26570/opensc

2020-10-12 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7e9525d5 by Salvatore Bonaccorso at 2020-10-12T08:43:32+02:00
Add Debian bug reference for CVE-2020-26570/opensc

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -800,7 +800,7 @@ CVE-2020-26571 (The gemsafe GPK smart card software driver 
in OpenSC before 0.21
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20612
TODO: check, unclear fixing commit
 CVE-2020-26570 (The Oberthur smart card software driver in OpenSC before 
0.21.0-rc1 ha ...)
-   - opensc 
+   - opensc  (bug #972037)
[buster] - opensc  (Minor issue)
[stretch] - opensc  (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24316



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e9525d5fc3c8bcfaaf07b72ad5cd871aede39f5


[Git][security-tracker-team/security-tracker][master] Add Debian bug references for gpac issues

2020-10-12 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a5db7f0d by Salvatore Bonaccorso at 2020-10-12T08:41:46+02:00
Add Debian bug references for gpac issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -35536,7 +35536,7 @@ CVE-2020-11560 (NCH Express Invoice 7.25 allows local 
users to discover the clea
 CVE-2020-11559
RESERVED
 CVE-2020-11558 (An issue was discovered in libgpac.a in GPAC 0.8.0, as 
demonstrated by ...)
-   - gpac 
+   - gpac  (bug #972053)
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
[jessie] - gpac  (Vulnerable code not present and not 
reproducible)
@@ -37341,35 +37341,35 @@ CVE-2020-10882 (This vulnerability allows 
network-adjacent attackers to execute
 CVE-2020-10881 (This vulnerability allows remote attackers to execute 
arbitrary code o ...)
NOT-FOR-US: TP-Link
 CVE-2019-20632 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as 
demonstr ...)
-   - gpac 
+   - gpac  (bug #972053)
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
[jessie] - gpac  (Minor issue)
NOTE: 
https://github.com/gpac/gpac/commit/1ab4860609f2e7a35634930571e7d0531297e090
NOTE: https://github.com/gpac/gpac/issues/1271
 CVE-2019-20631 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as 
demonstr ...)
-   - gpac 
+   - gpac  (bug #972053)
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
[jessie] - gpac  (Minor issue)
NOTE: 
https://github.com/gpac/gpac/commit/1ab4860609f2e7a35634930571e7d0531297e090
NOTE: https://github.com/gpac/gpac/issues/1270
 CVE-2019-20630 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as 
demonstr ...)
-   - gpac 
+   - gpac  (bug #972053)
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
[jessie] - gpac  (Minor issue)
NOTE: 
https://github.com/gpac/gpac/commit/1ab4860609f2e7a35634930571e7d0531297e090
NOTE: https://github.com/gpac/gpac/issues/1268
 CVE-2019-20629 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as 
demonstr ...)
-   - gpac 
+   - gpac  (bug #972053)
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
[jessie] - gpac  (Minor issue)
NOTE: 
https://github.com/gpac/gpac/commit/2320eb73afba753b39b7147be91f7be7afc0eeb7
NOTE: https://github.com/gpac/gpac/issues/1264
 CVE-2019-20628 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as 
demonstr ...)
-   - gpac 
+   - gpac  (bug #972053)
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
[jessie] - gpac  (Minor issue)
@@ -48103,7 +48103,7 @@ CVE-2020-6633
 CVE-2020-6632 (In PrestaShop 1.7.6.2, XSS can occur during addition or removal 
of a Q ...)
NOT-FOR-US: PrestaShop
 CVE-2020-6631 (An issue was discovered in GPAC version 0.8.0. There is a NULL 
pointer ...)
-   - gpac  (low)
+   - gpac  (bug #972053)
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
[jessie] - gpac  (Minor issue, clean crash, MP42TS not 
shipped, incomplete patch)
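Review bot: the replacement line for CVE-2020-6631 drops the existing severity marker: `-   - gpac  (low)` becomes `+   - gpac  (bug #972053)`, so the "low" rating is lost rather than supplemented. The tracker's entry syntax allows both annotations in the same parenthesis, separated by a semicolon, e.g. `(bug #972053; low)`; suggest keeping the severity alongside the new bug reference.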
@@ -48111,7 +48111,7 @@ CVE-2020-6631 (An issue was discovered in GPAC version 
0.8.0. There is a NULL po
NOTE: 
https://github.com/gpac/gpac/commit/c7e46e948ebe2d4a532539c7e714cdf655b84521
NOTE: fix considered "ugly" by upstream and introduces abort(3)-based 
DoS
 CVE-2020-6630 (An issue was discovered in GPAC version 0.8.0. There is a NULL 
pointer ...)
-   - gpac  (low)
+   - gpac  (bug #972053)
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
[jessie] - gpac  (Minor issue, clean crash, MP42TS not 
shipped, incomplete patch)
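Review bot: same issue for CVE-2020-6630 as in the previous hunk: the old line carried `(low)` and the new line replaces it with `(bug #972053)` instead of combining them as `(bug #972053; low)`, so the severity annotation silently disappears from this entry.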
@@ -52047,7 +52047,7 @@ CVE-2019-20209 (The CTHthemes CityBook before 2.3.4, 
TownHub before 1.0.6, and E
NOT-FOR-US: themes for WordPress
 CVE-2019-20208 (dimC_Read in isomedia/box_code_3gpp.c in GPAC 0.8.0 has a 
stack-based  ...)
{DLA-2072-1}
-   - gpac 
+   - gpac  (bug #972053)
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
NOTE: https://github.com/gpac/gpac/issues/1348
@@ -52253,7 +52253,7 @@ CVE-2019-20171 (An issue was discovered in GPAC version 
0.8.0 and 0.9.0-developm
NOTE: 
https://github.com/gpac/gpac/commit/2bcca3f1d4605100bb27d3ed7be25b53cddbc75c
 CVE-2019-20170 (An issue was discovered in GPAC version 0.8.0 and 
0.9.0-development-20 ...)
{DLA-2072-1}
-   - gpac  (low)
+   - gpac  (bug #972053)
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
NOTE: https://github.com/gpac/gpac/issues/1328
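Review bot: CVE-2019-20170 also loses its `(low)` marker here; `-   - gpac  (low)` is replaced by `+   - gpac  (bug #972053)`. Since the other gpac entries in this commit only gain a bug reference and had no severity to preserve, this one (together with CVE-2020-6631 and CVE-2020-6630 above) should read `(bug #972053; low)` to keep the existing rating.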
@@ -52279,7 +52279,7 @@ CVE-2019-20166 (An issue was discovered in GPAC version