[Git][security-tracker-team/security-tracker][master] Reserve DLA-2408-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 282485a6 by Emilio Pozuelo Monfort at 2020-10-17T00:47:02+02:00 Reserve DLA-2408-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[17 Oct 2020] DLA-2408-1 thunderbird - security update + {CVE-2020-15673 CVE-2020-15676 CVE-2020-15677 CVE-2020-15678} + [stretch] - thunderbird 1:78.3.1-2~deb9u1 [14 Oct 2020] DLA-2407-1 tomcat8 - security update {CVE-2020-13943} [stretch] - tomcat8 8.5.54-0+deb9u4 = data/dla-needed.txt = @@ -198,9 +198,6 @@ sympa NOTE: 20201007: I won't have time to do more this month (Beuc) NOTE: 20201015: See #972189. (lamby) -- -thunderbird (Emilio) - NOTE: 20201012: update now in buster, working on the stretch backport (Emilio) --- tinymce (Abhijith PA) NOTE: 20201003: relevant commits are hard to chase down (abhijith) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/282485a64037f56568fcb5d2286a50c28c79cea2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/282485a64037f56568fcb5d2286a50c28c79cea2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for yaws update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c374e237 by Salvatore Bonaccorso at 2020-10-16T23:45:56+02:00 Reserve DSA number for yaws update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[16 Oct 2020] DSA-4773-1 yaws - security update + {CVE-2020-24379 CVE-2020-24916} + [buster] - yaws 2.0.6+dfsg-1+deb10u1 [14 Oct 2020] DSA-4772-1 httpcomponents-client - security update {CVE-2020-13956} [buster] - httpcomponents-client 4.5.7-1+deb10u1 = data/dsa-needed.txt = @@ -30,5 +30,3 @@ python-flask-cors (carnil) xcftools Hugo proposed to work on this update -- -yaws (carnil) --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c374e237973282e87dc91bd600cedf845e8b5993 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c374e237973282e87dc91bd600cedf845e8b5993 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reference upstream commits for CVE-2020-1235{1,2}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 330ecacf by Salvatore Bonaccorso at 2020-10-16T22:36:39+02:00 Reference upstream commits for CVE-2020-1235{1,2} - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32847,11 +32847,13 @@ CVE-2020-12352 - linux NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html NOTE: https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq + NOTE: Fixed by: https://git.kernel.org/linus/eddb7732119d53400f48a02536a84c509692faa8 CVE-2020-12351 RESERVED - linux NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html NOTE: https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq + NOTE: Fixed by: https://git.kernel.org/linus/f19425641cb2572a33cb074d5e30283720bd4d22 CVE-2020-12350 RESERVED CVE-2020-12349 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/330ecacf37c5bbf3180313d400ae2afb48a3c34f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/330ecacf37c5bbf3180313d400ae2afb48a3c34f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
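Review bot: both new "Fixed by:" notes give only the kernel commit URL, while the CVE-2020-24490 entry in this same file records the release the fix landed in ("... (5.8)" after the URL); appending the version here lets a reader tell at a glance whether a packaged kernel already carries the fix. The two entries also still have no [buster] or [stretch] lines, so both suites keep the open status of the bare "- linux" line until the backport state is recorded.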
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 52e84fa6 by Salvatore Bonaccorso at 2020-10-16T22:15:06+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2070,9 +2070,9 @@ CVE-2020-26185 CVE-2020-26184 RESERVED CVE-2020-26183 (Dell EMC NetWorker versions prior to 19.3.0.2 contain an improper auth ...) - TODO: check + NOT-FOR-US: EMC CVE-2020-26182 (Dell EMC NetWorker versions prior to 19.3.0.2 contain an incorrect pri ...) - TODO: check + NOT-FOR-US: EMC CVE-2020-26181 RESERVED CVE-2020-26180 @@ -53890,7 +53890,7 @@ CVE-2020-4638 (IBM API Connect's API Manager 2018.4.1.0 through 2018.4.1.12 is v CVE-2020-4637 RESERVED CVE-2020-4636 (IBM Resilient OnPrem 38.2 could allow a privileged user to inject mali ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4635 RESERVED CVE-2020-4634 @@ -54654,7 +54654,7 @@ CVE-2020-4256 CVE-2020-4255 RESERVED CVE-2020-4254 (IBM Security Guardium Big Data Intelligence 1.0 (SonarG) uses weaker t ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4253 (IBM Content Navigator 3.0CD does not invalidate session after logout w ...) NOT-FOR-US: IBM CVE-2020-4252 (IBM DOORS Next Generation (DNG/RRC) 6.0.2. 6.0.6, and 6.0.61 is vulner ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52e84fa666b0e8fbfe17984ffbcefd0e223a0430 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52e84fa666b0e8fbfe17984ffbcefd0e223a0430 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3d34dd9e by security tracker role at 2020-10-16T20:10:30+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,29 @@ +CVE-2020-27190 + RESERVED +CVE-2020-27189 + RESERVED +CVE-2020-27188 + RESERVED +CVE-2020-27187 + RESERVED +CVE-2020-27186 + RESERVED +CVE-2020-27185 + RESERVED +CVE-2020-27184 + RESERVED +CVE-2020-27183 + RESERVED +CVE-2020-27182 + RESERVED +CVE-2020-27181 + RESERVED +CVE-2020-27180 + RESERVED +CVE-2020-27179 + RESERVED +CVE-2020-27178 (Apereo CAS 5.3.x before 5.3.16, 6.x before 6.1.7.2, 6.2.x before 6.2.4 ...) + TODO: check CVE-2020-27177 RESERVED CVE-2020-27176 (Mutation XSS exists in Mark Text through 0.16.2 that leads to Remote C ...) @@ -466,8 +492,8 @@ CVE-2020-26946 RESERVED CVE-2020-26945 (MyBatis before 3.5.6 mishandles deserialization of object streams. ...) NOT-FOR-US: MyBatis -CVE-2020-26944 - RESERVED +CVE-2020-26944 (An issue was discovered in Aptean Product Configurator 4.61. on Wi ...) + TODO: check CVE-2020-26943 (An issue was discovered in OpenStack blazar-dashboard before 1.3.1, 2. ...) NOT-FOR-US: blazar-dashboard CVE-2020-26942 @@ -570,8 +596,8 @@ CVE-2020-26895 RESERVED CVE-2020-26894 (Faulkner Wildlife Issues in the New Millennium 18.0.160 on Windows all ...) NOT-FOR-US: New Millennium -CVE-2020-26893 - RESERVED +CVE-2020-26893 (An issue was discovered in ClamXAV 3 before 3.1.1. A malicious actor c ...) + TODO: check CVE-2020-26892 RESERVED CVE-2020-26891 @@ -997,8 +1023,8 @@ CVE-2020-26684 RESERVED CVE-2020-26683 RESERVED -CVE-2020-26682 - RESERVED +CVE-2020-26682 (In libass 0.14.0, the `ass_outline_construct`'s call to `outline_strok ...) + TODO: check CVE-2020-26681 RESERVED CVE-2020-26680 
@@ -1017,8 +1043,8 @@ CVE-2020-26674 RESERVED CVE-2020-26673 RESERVED -CVE-2020-26672 - RESERVED +CVE-2020-26672 (Testimonial Rotator Wordpress Plugin 3.0.2 is affected by Cross Site S ...) + TODO: check CVE-2020-26671 RESERVED CVE-2020-26670 @@ -2043,10 +2069,10 @@ CVE-2020-26185 RESERVED CVE-2020-26184 RESERVED -CVE-2020-26183 - RESERVED -CVE-2020-26182 - RESERVED +CVE-2020-26183 (Dell EMC NetWorker versions prior to 19.3.0.2 contain an improper auth ...) + TODO: check +CVE-2020-26182 (Dell EMC NetWorker versions prior to 19.3.0.2 contain an incorrect pri ...) + TODO: check CVE-2020-26181 RESERVED CVE-2020-26180 @@ -6013,8 +6039,8 @@ CVE-2020-24410 RESERVED CVE-2020-24409 RESERVED -CVE-2020-24408 - RESERVED +CVE-2020-24408 (Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by a per ...) + TODO: check CVE-2020-24407 RESERVED CVE-2020-24406 @@ -22487,8 +22513,8 @@ CVE-2020-16272 (The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 NOT-FOR-US: Kee Vault KeePassRPC CVE-2020-16271 (The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 genera ...) NOT-FOR-US: Kee Vault KeePassRPC -CVE-2020-16270 - RESERVED +CVE-2020-16270 (OLIMPOKS before 5.1.0 allows Auth/Admin ErrorMessage XSS. ...) + TODO: check CVE-2020-16269 (radare2 4.5.0 misparses DWARF information in executable files, causing ...) - radare2 NOTE: https://github.com/radareorg/radare2/issues/17383 @@ -23459,8 +23485,8 @@ CVE-2020-15869 (Sonatype Nexus Repository Manager OSS/Pro versions before 3.25.1 NOT-FOR-US: Sonatype Nexus Repository Manager OSS/Pro CVE-2020-15868 (Sonatype Nexus Repository Manager OSS/Pro before 3.26.0 has Incorrect ...) NOT-FOR-US: Sonatype Nexus Repository Manager OSS/Pro -CVE-2020-15867 - RESERVED +CVE-2020-15867 (The git hook feature in Gogs 0.5.5 through 0.12.2 allows for authentic ...) + TODO: check CVE-2020-15866 (mruby through 2.1.2-rc has a heap-based buffer overflow in the mrb_yie ...) - mruby (bug #972051) [buster] - mruby (Minor issue) 
@@ -25073,20 +25099,20 @@ CVE-2020-15260 RESERVED CVE-2020-15259 RESERVED -CVE-2020-15258 - RESERVED +CVE-2020-15258 (In Wire before 3.20.x, `shell.openExternal` was used without checking ...) + TODO: check CVE-2020-15257 RESERVED CVE-2020-15256 RESERVED -CVE-2020-15255 - RESERVED -CVE-2020-15254 - RESERVED +CVE-2020-15255 (In Anuko Time Tracker before verion 1.19.23.5325, due to not properly ...) + TODO: check +CVE-2020-15254 (Crossbeam is a set of tools for concurrent programming. In crossbeam-c ...) + TODO: check CVE-2020-15253 (Versions of Grocy = 2.7.1 are vulnerable to
[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-24490/linux as not-affected for stretch
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1919058a by Salvatore Bonaccorso at 2020-10-16T21:27:25+02:00 Mark CVE-2020-24490/linux as not-affected for stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5847,6 +5847,7 @@ CVE-2020-24490 RESERVED - linux 5.7.17-1 [buster] - linux 4.19.146-1 + [stretch] - linux (Vulnerable code introduced later) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html NOTE: https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649 NOTE: Fixed by: https://git.kernel.org/linus/a2ec905d1e160a33b2e210e45ad30445ef26ce0e (5.8) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1919058a0ea0d86adec9cc8e8dd6beb08d5302aa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1919058a0ea0d86adec9cc8e8dd6beb08d5302aa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
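Review bot: the stretch annotation "(Vulnerable code introduced later)" is recorded without a reference to the commit that introduced the code; the entry cites only the fixing commit. An "Introduced in" note, as the CVE-2019-20637 Varnish entry elsewhere in this file uses, would let a later reviewer verify the not-affected claim against the kernel shipped in stretch instead of taking it on trust.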
[Git][security-tracker-team/security-tracker][master] Add references to advisories for CVE-2020-24490 and CVE-2020-1235{1,2}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f33fa746 by Salvatore Bonaccorso at 2020-10-16T21:23:12+02:00 Add references to advisories for CVE-2020-24490 and CVE-2020-1235{1,2} - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5848,6 +5848,7 @@ CVE-2020-24490 - linux 5.7.17-1 [buster] - linux 4.19.146-1 NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html + NOTE: https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649 NOTE: Fixed by: https://git.kernel.org/linus/a2ec905d1e160a33b2e210e45ad30445ef26ce0e (5.8) CVE-2020-24489 RESERVED @@ -32820,10 +32821,12 @@ CVE-2020-12352 RESERVED - linux NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html + NOTE: https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq CVE-2020-12351 RESERVED - linux NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html + NOTE: https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq CVE-2020-12350 RESERVED CVE-2020-12349 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f33fa746433ad5056fc622f831d4fdb47bcf3714 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f33fa746433ad5056fc622f831d4fdb47bcf3714 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update note for CVE-2020-9385
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 94332907 by Salvatore Bonaccorso at 2020-10-16T21:15:38+02:00 Update note for CVE-2020-9385 Try to make clear that the issue was fixed within the initial upload (and matching other similar versions which entered the archive never affected by an issue). - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -41837,7 +41837,7 @@ CVE-2020-9391 (An issue was discovered in the Linux kernel 5.4 and 5.5 through 5 [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/dcde237319e626d1ec3c9d8b7613032f0fd4663a CVE-2020-9385 (A NULL Pointer Dereference exists in libzint in Zint 2.7.1 because mul ...) - - zint 2.8.0-1 + - zint (Fixed with initial upload to archive) CVE-2020-9384 (** DISPUTED ** An Insecure Direct Object Reference (IDOR) vulnerabilit ...) NOT-FOR-US: Subex CVE-2020-9383 (An issue was discovered in the Linux kernel through 5.5.6. set_fdc in ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/94332907815226a5bbcc6050fc0acf7b1412c3f0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/94332907815226a5bbcc6050fc0acf7b1412c3f0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2020-24490/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f053691b by Salvatore Bonaccorso at 2020-10-16T21:00:19+02:00 Update information for CVE-2020-24490/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5845,8 +5845,10 @@ CVE-2020-24491 RESERVED CVE-2020-24490 RESERVED - - linux + - linux 5.7.17-1 + [buster] - linux 4.19.146-1 NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html + NOTE: Fixed by: https://git.kernel.org/linus/a2ec905d1e160a33b2e210e45ad30445ef26ce0e (5.8) CVE-2020-24489 RESERVED CVE-2020-24488 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f053691befb7720d72487b29bec1055fb25f96dc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f053691befb7720d72487b29bec1055fb25f96dc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] ros-ros-comm spu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ba331f18 by Moritz Mühlenhoff at 2020-10-16T19:44:00+02:00 ros-ros-comm spu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -74,3 +74,5 @@ CVE-2020-11076 [buster] - puma 3.12.0-2+deb10u2 CVE-2020-11077 [buster] - puma 3.12.0-2+deb10u2 +CVE-2020-16124 + [buster] - ros-ros-comm 1.14.3+ds1-5+deb10u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba331f185b1458fdfa3803f76ebee8992c5faf65 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba331f185b1458fdfa3803f76ebee8992c5faf65 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] djangorestframework fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 59faf302 by Moritz Muehlenhoff at 2020-10-16T19:02:16+02:00 djangorestframework fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3326,7 +3326,7 @@ CVE-2020-25628 CVE-2020-25627 RESERVED CVE-2020-25626 (A flaw was found in Django REST Framework versions before 3.12.0 and b ...) - - djangorestframework (bug #971554) + - djangorestframework 3.12.1-1 (bug #971554) [stretch] - djangorestframework (Minor issue) NOTE: https://github.com/encode/django-rest-framework/commit/4121b01b912668c049b26194a9a107c27a332429 NOTE: Fixed upstream in 3.12.0 and 3.11.2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/59faf302e0569e22125717f714ef1361d5141eac -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/59faf302e0569e22125717f714ef1361d5141eac You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
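Review bot: the hunk records the sid fix (3.12.1-1) and an explicit minor-issue decision for stretch, but no [buster] line appears in the context, so buster silently inherits the open state. If buster ships djangorestframework, add a matching [buster] line with the same minor-issue decision (or a fixed version) so the stable status is deliberate rather than implicit.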
[Git][security-tracker-team/security-tracker][master] k8s bugnum
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3de3fdc6 by Moritz Muehlenhoff at 2020-10-16T14:57:24+02:00 k8s bugnum NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1257,7 +1257,7 @@ CVE-2020-26571 (The gemsafe GPK smart card software driver in OpenSC before 0.21 [buster] - opensc (Minor issue) [stretch] - opensc (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20612 - TODO: check, unclear fixing commit + NOTE: https://github.com/OpenSC/OpenSC/commit/ed55fcd2996930bf58b9bb57e9ba7b1f3a753c43 CVE-2020-26570 (The Oberthur smart card software driver in OpenSC before 0.21.0-rc1 ha ...) - opensc (bug #972037) [buster] - opensc (Minor issue) @@ -43845,19 +43845,19 @@ CVE-2020-8567 RESERVED CVE-2020-8566 RESERVED - - kubernetes + - kubernetes (bug #972341) NOTE: https://github.com/kubernetes/kubernetes/pull/95245 NOTE: https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk NOTE: https://github.com/kubernetes/kubernetes/issues/95624 CVE-2020-8565 RESERVED - - kubernetes + - kubernetes (bug #972341) NOTE: https://github.com/kubernetes/kubernetes/pull/95316 NOTE: https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk NOTE: https://github.com/kubernetes/kubernetes/issues/95623 CVE-2020-8564 RESERVED - - kubernetes + - kubernetes (bug #972341) NOTE: https://github.com/kubernetes/kubernetes/pull/94712 NOTE: https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk NOTE: https://github.com/kubernetes/kubernetes/issues/95622 
@@ -68326,7 +68326,7 @@ CVE-2020-0412 (In setProcessMemoryTrimLevel of ActivityManagerService.java, ther CVE-2020-0411 (In ~AACExtractor() of AACExtractor.cpp, there is a possible out of bou ...) NOT-FOR-US: Android Media Framework CVE-2020-0410 (In setNotification of SapServer.java, there is a possible permission b ...) - TODO: check + NOT-FOR-US: Android CVE-2020-0409 RESERVED CVE-2020-0408 (In remove of String16.cpp, there is a possible out of bounds write due ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3de3fdc6359f7e79c294a9552d1e394f869e8a6a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3de3fdc6359f7e79c294a9552d1e394f869e8a6a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
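Review bot: the opensc hunk replaces "TODO: check, unclear fixing commit" with a bare commit URL; the linux entries in this file prefix the fixing commit with "Fixed by:" to distinguish it from a reference-only note, and that label is worth keeping here too. The commit message ("k8s bugnum NFU") also does not mention the opensc change at all.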
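Review bot: the kubernetes hunk attaches bug #972341 to CVE-2020-8566, CVE-2020-8565 and CVE-2020-8564 but stops short of CVE-2020-8563, which was added in the same batch (20ad92dd) with "(Only affects 19.x)". If that CVE is covered by the same bug, annotate it as well; if it was left out because the packaged version is not affected, say so in its note, otherwise it remains an open entry with no tracking reference.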
[Git][security-tracker-team/security-tracker][master] new linux issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: fb738344 by Moritz Muehlenhoff at 2020-10-16T14:20:59+02:00 new linux issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3239,6 +3239,8 @@ CVE-2020-25657 RESERVED CVE-2020-25656 RESERVED + - linux + NOTE: https://www.openwall.com/lists/oss-security/2020/10/16/1 CVE-2020-25655 RESERVED CVE-2020-25654 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb7383446477b89e387828828753a691c5830882 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb7383446477b89e387828828753a691c5830882 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] new kubernetes issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 20ad92dd by Moritz Muehlenhoff at 2020-10-16T14:19:26+02:00 new kubernetes issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -43843,12 +43843,28 @@ CVE-2020-8567 RESERVED CVE-2020-8566 RESERVED + - kubernetes + NOTE: https://github.com/kubernetes/kubernetes/pull/95245 + NOTE: https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk + NOTE: https://github.com/kubernetes/kubernetes/issues/95624 CVE-2020-8565 RESERVED + - kubernetes + NOTE: https://github.com/kubernetes/kubernetes/pull/95316 + NOTE: https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk + NOTE: https://github.com/kubernetes/kubernetes/issues/95623 CVE-2020-8564 RESERVED + - kubernetes + NOTE: https://github.com/kubernetes/kubernetes/pull/94712 + NOTE: https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk + NOTE: https://github.com/kubernetes/kubernetes/issues/95622 CVE-2020-8563 RESERVED + - kubernetes (Only affects 19.x) + NOTE: https://github.com/kubernetes/kubernetes/pull/95236 + NOTE: https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk + NOTE: https://github.com/kubernetes/kubernetes/issues/95621 CVE-2020-8562 RESERVED CVE-2020-8561 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20ad92dda00bc96333e1934efb49d89514b7314b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20ad92dda00bc96333e1934efb49d89514b7314b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
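Review bot: "(Only affects 19.x)" on CVE-2020-8563 is ambiguous as written; Kubernetes releases are numbered 1.x, so spell it "1.19.x" to make the reasoning about older packaged versions unambiguous. The four new entries are otherwise consistent (PR, announcement and issue link each), which is the reference set the later bug-number commit builds on.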
[Git][security-tracker-team/security-tracker][master] zint fixed with initial upload
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0affb4a1 by Moritz Muehlenhoff at 2020-10-16T13:51:41+02:00 zint fixed with initial upload - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -41833,7 +41833,7 @@ CVE-2020-9391 (An issue was discovered in the Linux kernel 5.4 and 5.5 through 5 [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/dcde237319e626d1ec3c9d8b7613032f0fd4663a CVE-2020-9385 (A NULL Pointer Dereference exists in libzint in Zint 2.7.1 because mul ...) - - zint + - zint 2.8.0-1 CVE-2020-9384 (** DISPUTED ** An Insecure Direct Object Reference (IDOR) vulnerabilit ...) NOT-FOR-US: Subex CVE-2020-9383 (An issue was discovered in the Linux kernel through 5.5.6. set_fdc in ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0affb4a1658d8ce67226ff8b596ebc9b2743745e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0affb4a1658d8ce67226ff8b596ebc9b2743745e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
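Review bot: recording "2.8.0-1" as the fixed version while the commit message says the issue was fixed with the initial upload makes the entry read as if earlier zint packages in the archive had been vulnerable. A not-affected status with a comment that the fix predates the first upload states the history accurately and avoids the tracker listing 2.8.0-1 as a security fix.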
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b4321748 by Moritz Muehlenhoff at 2020-10-16T13:49:26+02:00 NFUs otrs n/a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,13 +1,13 @@ CVE-2020-27177 RESERVED CVE-2020-27176 (Mutation XSS exists in Mark Text through 0.16.2 that leads to Remote C ...) - TODO: check + NOT-FOR-US: Mark Text CVE-2020-27175 RESERVED CVE-2020-27174 (In Amazon AWS Firecracker before 0.21.3, and 0.22.x before 0.22.1, the ...) - TODO: check + NOT-FOR-US: Firecracker CVE-2020-27173 (In vm-superio before 0.1.1, the serial console FIFO can grow to unlimi ...) - TODO: check + NOT-FOR-US: vm-superio CVE-2020-27172 RESERVED CVE-2020-27171 @@ -27,7 +27,7 @@ CVE-2020-27165 CVE-2020-27164 RESERVED CVE-2020-27163 (phpRedisAdmin before 1.13.2 allows XSS via the login.php username para ...) - TODO: check + NOT-FOR-US: phpRedisAdmin CVE-2020-27162 RESERVED CVE-2020-27161 @@ -469,7 +469,7 @@ CVE-2020-26945 (MyBatis before 3.5.6 mishandles deserialization of object stream CVE-2020-26944 RESERVED CVE-2020-26943 (An issue was discovered in OpenStack blazar-dashboard before 1.3.1, 2. ...) - TODO: check + NOT-FOR-US: blazar-dashboard CVE-2020-26942 RESERVED CVE-2020-26941 @@ -1194,9 +1194,9 @@ CVE-2020-26586 CVE-2020-26585 RESERVED CVE-2020-26584 (An issue was discovered in Sage DPW 2020_06_x before 2020_06_002. The ...) - TODO: check + NOT-FOR-US: Sage CVE-2020-26583 (An issue was discovered in Sage DPW 2020_06_x before 2020_06_002. It a ...) - TODO: check + NOT-FOR-US: Sage CVE-2020-26582 (D-Link DAP-1360U before 3.0.1 devices allow remote authenticated users ...) NOT-FOR-US: D-Link CVE-2020-26581 
@@ -2774,9 +2774,9 @@ CVE-2020-25861 CVE-2020-25860 RESERVED CVE-2020-25859 (The QCMAP_CLI utility in the Qualcomm QCMAP software suite prior to ve ...) - TODO: check + NOT-FOR-US: Qualcomm QCMAP CVE-2020-25858 (The QCMAP_Web_CLIENT binary in the Qualcomm QCMAP software suite prior ...) - TODO: check + NOT-FOR-US: Qualcomm QCMAP CVE-2020-25857 RESERVED CVE-2020-25856 @@ -28001,7 +28001,7 @@ CVE-2020-14187 CVE-2020-14186 RESERVED CVE-2020-14185 (Affected versions of Jira Server allow remote unauthenticated attacker ...) - TODO: check + NOT-FOR-US: Atlassian CVE-2020-14184 (Affected versions of Atlassian Jira Server allow remote attackers to i ...) NOT-FOR-US: Atlassian CVE-2020-14183 (Affected versions of Jira Server Data Center allow a remote atta ...) @@ -32325,15 +32325,15 @@ CVE-2020-12506 (Improper Authentication vulnerability in WAGO 750-8XX series wit CVE-2020-12505 (Improper Authentication vulnerability in WAGO 750-8XX series with FW v ...) NOT-FOR-US: WAGO CVE-2020-12504 (Improper Authorization vulnerability of Pepperl+Fuchs P+F Comtrol Rock ...) - TODO: check + NOT-FOR-US: Pepperl+Fuchs CVE-2020-12503 (Improper Authorization vulnerability of Pepperl+Fuchs P+F Comtrol Rock ...) - TODO: check + NOT-FOR-US: Pepperl+Fuchs CVE-2020-12502 (Improper Authorization vulnerability of Pepperl+Fuchs P+F Comtrol Rock ...) - TODO: check + NOT-FOR-US: Pepperl+Fuchs CVE-2020-12501 (Improper Authorization vulnerability of Pepperl+Fuchs P+F Comtrol Rock ...) - TODO: check + NOT-FOR-US: Pepperl+Fuchs CVE-2020-12500 (Improper Authorization vulnerability of Pepperl+Fuchs P+F Comtrol Rock ...) - TODO: check + NOT-FOR-US: Pepperl+Fuchs CVE-2020-12499 (In PHOENIX CONTACT PLCnext Engineer version 2020.3.1 and earlier an im ...) NOT-FOR-US: PHOENIX CONTACT PLCnext Engineer CVE-2020-12498 (mwe file parsing in Phoenix Contact PC Worx and PC Worx Express versio ...) 
@@ -35547,17 +35547,17 @@ CVE-2019-20637 (An issue was discovered in Varnish Cache before 6.0.5 LTS, 6.1.x NOTE: Introduced in https://github.com/varnishcache/varnish-cache/commit/62932b422f311ed1224f14a216169bcdc1b77a2d (5.0) NOTE: Case #3 implies labels introduced in https://github.com/varnishcache/varnish-cache/commit/34350d5e183ef4e04285729d1f63b784d1bc6454 (5.0) CVE-2020-11646 (A log information disclosure vulnerability in BR GateManager 4260 ...) - TODO: check + NOT-FOR-US: B GateManager CVE-2020-11645 (A denial of service vulnerability in BR GateManager 4260 and 9250 ...) - TODO: check + NOT-FOR-US: B GateManager CVE-2020-11644 (The information disclosure vulnerability present in BR GateManage ...) - TODO: check + NOT-FOR-US: B GateManager CVE-2020-11643 (An information disclosure vulnerability in BR GateManager 4260 an ...) - TODO: check + NOT-FOR-US: B GateManager
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d5a2e019 by Moritz Muehlenhoff at 2020-10-16T11:07:58+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -64241,72 +64241,102 @@ CVE-2019-18780 (An arbitrary command injection vulnerability in the Cluster Serv NOT-FOR-US: Veritas InfoScale CVE-2020-1689 RESERVED + NOT-FOR-US: Juniper CVE-2020-1688 RESERVED + NOT-FOR-US: Juniper CVE-2020-1687 RESERVED + NOT-FOR-US: Juniper CVE-2020-1686 RESERVED + NOT-FOR-US: Juniper CVE-2020-1685 RESERVED + NOT-FOR-US: Juniper CVE-2020-1684 RESERVED + NOT-FOR-US: Juniper CVE-2020-1683 RESERVED + NOT-FOR-US: Juniper CVE-2020-1682 RESERVED CVE-2020-1681 RESERVED + NOT-FOR-US: Juniper CVE-2020-1680 RESERVED + NOT-FOR-US: Juniper CVE-2020-1679 RESERVED + NOT-FOR-US: Juniper CVE-2020-1678 RESERVED + NOT-FOR-US: Juniper CVE-2020-1677 RESERVED + NOT-FOR-US: Juniper CVE-2020-1676 RESERVED + NOT-FOR-US: Juniper CVE-2020-1675 RESERVED + NOT-FOR-US: Juniper CVE-2020-1674 RESERVED + NOT-FOR-US: Juniper CVE-2020-1673 RESERVED + NOT-FOR-US: Juniper CVE-2020-1672 RESERVED + NOT-FOR-US: Juniper CVE-2020-1671 RESERVED + NOT-FOR-US: Juniper CVE-2020-1670 RESERVED + NOT-FOR-US: Juniper CVE-2020-1669 RESERVED + NOT-FOR-US: Juniper CVE-2020-1668 RESERVED + NOT-FOR-US: Juniper CVE-2020-1667 RESERVED + NOT-FOR-US: Juniper CVE-2020-1666 RESERVED + NOT-FOR-US: Juniper CVE-2020-1665 RESERVED + NOT-FOR-US: Juniper CVE-2020-1664 RESERVED + NOT-FOR-US: Juniper CVE-2020-1663 RESERVED CVE-2020-1662 RESERVED + NOT-FOR-US: Juniper CVE-2020-1661 RESERVED + NOT-FOR-US: Juniper CVE-2020-1660 RESERVED + NOT-FOR-US: Juniper CVE-2020-1659 RESERVED CVE-2020-1658 RESERVED CVE-2020-1657 RESERVED + NOT-FOR-US: Juniper CVE-2020-1656 RESERVED + NOT-FOR-US: Juniper CVE-2020-1655 (When a device running Juniper Networks Junos OS with MPC7, MPC8, or MP ...) NOT-FOR-US: Juniper CVE-2020-1654 (On Juniper Networks SRX Series with ICAP (Internet Content Adaptation ...) 
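Review bot: CVE-2020-1682, CVE-2020-1663, CVE-2020-1659 and CVE-2020-1658 sit inside the same Juniper block but are left RESERVED without a NOT-FOR-US tag. If they are intentionally kept open (not yet confirmed as Juniper assignments), a short TODO note on each would keep them from looking like oversights in an otherwise uniform batch.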
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5a2e0191704485682f3449486f17b78bf03b5dc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a1fa9308 by security tracker role at 2020-10-16T08:10:17+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,37 @@ +CVE-2020-27177 + RESERVED +CVE-2020-27176 (Mutation XSS exists in Mark Text through 0.16.2 that leads to Remote C ...) + TODO: check +CVE-2020-27175 + RESERVED +CVE-2020-27174 (In Amazon AWS Firecracker before 0.21.3, and 0.22.x before 0.22.1, the ...) + TODO: check +CVE-2020-27173 (In vm-superio before 0.1.1, the serial console FIFO can grow to unlimi ...) + TODO: check +CVE-2020-27172 + RESERVED +CVE-2020-27171 + RESERVED +CVE-2020-27170 + RESERVED +CVE-2020-27169 + RESERVED +CVE-2020-27168 + RESERVED +CVE-2020-27167 + RESERVED +CVE-2020-27166 + RESERVED +CVE-2020-27165 + RESERVED +CVE-2020-27164 + RESERVED +CVE-2020-27163 (phpRedisAdmin before 1.13.2 allows XSS via the login.php username para ...) + TODO: check +CVE-2020-27162 + RESERVED +CVE-2020-27161 + RESERVED CVE-2020-27160 RESERVED CVE-2020-27159 @@ -434,8 +468,8 @@ CVE-2020-26945 (MyBatis before 3.5.6 mishandles deserialization of object stream NOT-FOR-US: MyBatis CVE-2020-26944 RESERVED -CVE-2020-26943 - RESERVED +CVE-2020-26943 (An issue was discovered in OpenStack blazar-dashboard before 1.3.1, 2. ...) + TODO: check CVE-2020-26942 RESERVED CVE-2020-26941 @@ -1159,10 +1193,10 @@ CVE-2020-26586 RESERVED CVE-2020-26585 RESERVED -CVE-2020-26584 - RESERVED -CVE-2020-26583 - RESERVED +CVE-2020-26584 (An issue was discovered in Sage DPW 2020_06_x before 2020_06_002. The ...) + TODO: check +CVE-2020-26583 (An issue was discovered in Sage DPW 2020_06_x before 2020_06_002. It a ...) + TODO: check CVE-2020-26582 (D-Link DAP-1360U before 3.0.1 devices allow remote authenticated users ...) NOT-FOR-US: D-Link CVE-2020-26581 
@@ -2799,8 +2833,7 @@ CVE-2020-25831 RESERVED CVE-2020-25830 (An issue was discovered in MantisBT before 2.24.3. Improper escaping o ...) - mantis -CVE-2020-25829 [cache pollution issue] - RESERVED +CVE-2020-25829 (An issue has been found in PowerDNS Recursor before 4.1.18, 4.2.x befo ...) - pdns-recursor (bug #972159) NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html CVE-2020-25828 (An issue was discovered in MediaWiki before 1.31.10 and 1.32.x through ...) @@ -6114,8 +6147,7 @@ CVE-2020-24354 (Zyxel VMG5313-B30B router on firmware 5.13(ABCJ.6)b3_1127, and p NOT-FOR-US: Zyxel CVE-2020-24353 RESERVED -CVE-2020-24352 - RESERVED +CVE-2020-24352 (An issue was discovered in QEMU through 5.1.0. An out-of-bounds memory ...) - qemu (unimportant; bug #968820) [buster] - qemu (Vulnerable code introduced in ATI VGA device emulation added later) [stretch] - qemu (Vulnerable code introduced later) @@ -27968,8 +28000,8 @@ CVE-2020-14187 RESERVED CVE-2020-14186 RESERVED -CVE-2020-14185 - RESERVED +CVE-2020-14185 (Affected versions of Jira Server allow remote unauthenticated attacker ...) + TODO: check CVE-2020-14184 (Affected versions of Atlassian Jira Server allow remote attackers to i ...) NOT-FOR-US: Atlassian CVE-2020-14183 (Affected versions of Jira Server Data Center allow a remote atta ...) 
@@ -70220,8 +70252,8 @@ CVE-2019-17642 (An issue was discovered in Centreon before 18.10.8, 19.10.1, and - centreon-web (bug #913903) CVE-2019-17641 RESERVED -CVE-2019-17640 - RESERVED +CVE-2019-17640 (In Eclipse Vert.x 3.4.x up to 3.9.4, 4.0.0.milestone1, 4.0.0.milestone ...) + TODO: check CVE-2019-17639 (In Eclipse OpenJ9 prior to version 0.21 on Power platforms, calling th ...) NOT-FOR-US: IBM JDK specific issue on on AIX and Linux on the Power platform CVE-2019-17638 (In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in ca ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a1fa9308054776cc44e1bfed5b6589fde9a475db
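Review bot: in the hunk at @@ -27968, CVE-2020-14185 is given the generic "TODO: check" although the two adjacent entries it sits between, CVE-2020-14184 and CVE-2020-14183, are already resolved as NOT-FOR-US: Atlassian for the same Jira Server product family; the automatic update cannot make that call, but the follow-up triage can almost certainly close it the same way rather than leaving it in the TODO queue.

Review bot: in the hunk at @@ -2799, CVE-2020-25829 now carries the public description and the PowerDNS advisory NOTE, but the "- pdns-recursor (bug #972159)" line beneath it still has no fixed Debian version and no [buster] or [stretch] status line; since the description names the fixed upstream branches, the entry should be completed with the Debian versions and per-release decisions in a follow-up rather than left at the bug reference.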
[Git][security-tracker-team/security-tracker][master] puma fixed in sid, add spu entries
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 303de702 by Moritz Mühlenhoff at 2020-10-16T09:06:07+02:00 puma fixed in sid, add spu entries - - - - - 2 changed files: - data/CVE/list - data/next-point-update.txt Changes: = data/CVE/list = @@ -37132,11 +37132,13 @@ CVE-2020-11078 (In httplib2 before version 0.18.0, an attacker controlling unesc NOTE: https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e CVE-2020-11077 (In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a re ...) {DLA-2398-1} - - puma (bug #972102) + - puma 4.3.6-1 (bug #972102) + [buster] - puma (Minor issue) NOTE: https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm CVE-2020-11076 (In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle a ...) {DLA-2398-1} - - puma (bug #972102) + - puma 4.3.6-1 (bug #972102) + [buster] - puma (Minor issue) NOTE: https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h NOTE: https://github.com/puma/puma/commit/f24d5521295a2152c286abb0a45a1e1e2bd275bd CVE-2020-11075 (In Anchore Engine version 0.7.0, a specially crafted container image m ...) = data/next-point-update.txt = 
@@ -66,3 +66,11 @@ CVE-2019-2201 [buster] - libjpeg-turbo 1:1.5.2-2+deb10u1 CVE-2020-13790 [buster] - libjpeg-turbo 1:1.5.2-2+deb10u1 +CVE-2020-5247 + [buster] - puma 3.12.0-2+deb10u2 +CVE-2020-5249 + [buster] - puma 3.12.0-2+deb10u2 +CVE-2020-11076 + [buster] - puma 3.12.0-2+deb10u2 +CVE-2020-11077 + [buster] - puma 3.12.0-2+deb10u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/303de702fd579be4f7b7aa7912aa952ef5fbe991
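Review bot: in the data/CVE/list hunk at @@ -37132, the two added "+ [buster] - puma (Minor issue)" lines show nothing between the package name and the parenthesised reason; the tracker's release-line syntax expects a status tag such as <no-dsa> in that position, and angle brackets are easily dropped when a commit mail is rendered, so confirm the committed file actually carries the tag. Without it the line does not record the no-DSA decision that the matching 3.12.0-2+deb10u2 entries added to data/next-point-update.txt in this same commit rely on.

Review bot: the data/next-point-update.txt hunk at @@ -66,3 queues four CVEs for puma 3.12.0-2+deb10u2 (CVE-2020-5247, CVE-2020-5249, CVE-2020-11076, CVE-2020-11077), but the data/CVE/list hunk in this commit only touches CVE-2020-11076 and CVE-2020-11077; check that the CVE/list entries for CVE-2020-5247 and CVE-2020-5249 already carry the corresponding buster annotation, otherwise the two files disagree about which issues the point update closes.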