[Git][security-tracker-team/security-tracker][master] Update status for CVE-2017-16837/tboot
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 01beda9d by Salvatore Bonaccorso at 2020-10-19T06:52:56+02:00 Update status for CVE-2017-16837/tboot - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -178356,7 +178356,7 @@ CVE-2017-16839 (Hashicorp vagrant-vmware-fusion 5.0.4 allows local users to stea CVE-2017-16838 RESERVED CVE-2017-16837 (Certain function pointers in Trusted Boot (tboot) through 1.9.6 are no ...) - - tboot + - tboot (Fixed with first upload to Debian) NOTE: https://sourceforge.net/p/tboot/code/ci/521c58e51eb5be105a29983742850e72c44ed80e/ CVE-2017-16836 (Arris TG1682G devices with Comcast TG1682_2.0s7_PRODse 10.0.59.SIP.PC2 ...) NOT-FOR-US: Arris TG1682G devices View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/01beda9d775d906a4ad84960ffc56f8eaed041ad You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
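Review bot: the replacement tboot line under CVE-2017-16837 explains the status only with the free-text comment "(Fixed with first upload to Debian)" and names no version. Stating the version of that first upload on the line would let a reader compare it with the "through 1.9.6" range in the description without looking the package up.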
[Git][security-tracker-team/security-tracker][master] Add reference for CVE-2017-16837/tboot
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 47e52ce1 by Salvatore Bonaccorso at 2020-10-19T06:50:33+02:00 Add reference for CVE-2017-16837/tboot - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -178357,6 +178357,7 @@ CVE-2017-16838 RESERVED CVE-2017-16837 (Certain function pointers in Trusted Boot (tboot) through 1.9.6 are no ...) - tboot + NOTE: https://sourceforge.net/p/tboot/code/ci/521c58e51eb5be105a29983742850e72c44ed80e/ CVE-2017-16836 (Arris TG1682G devices with Comcast TG1682_2.0s7_PRODse 10.0.59.SIP.PC2 ...) NOT-FOR-US: Arris TG1682G devices CVE-2017-16835 (The "Photo,Video Locker-Calculator" application 12.0 for Android has a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47e52ce18a5e667da6f78f69d5c3be70d50ec70d
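Review bot: the added NOTE under CVE-2017-16837 is a bare commit URL, so the entry does not say what the commit is or which tboot release first contains it. A short trailing annotation on the NOTE line would make it usable alongside the "through 1.9.6" range in the description.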
[Git][security-tracker-team/security-tracker][master] src:rubygems has been re-introduced into the archive
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 252f0e58 by Salvatore Bonaccorso at 2020-10-19T06:47:18+02:00 src:rubygems has been re-introduced into the archive The initial upload states: - Upstream bundler source code is now hosted in the same git repository as rubygems, due to that this new source package is introduced and it will provide the binaries previously provided by src:bundler (ruby-bundler and bundler). src:bundler will be removed after src:rubygems is accepted. We need to recheck if any of these previously unfixed issues are still unfixed or now addressed with this initial first re-upload. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -100054,7 +100054,7 @@ CVE-2019-8325 (An issue was discovered in RubyGems 2.6 and later through 3.0.2. - ruby2.5 2.5.5-1 - ruby2.3 - ruby2.1 - - rubygems + - rubygems - jruby 9.1.17.0-3 (bug #925987) NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/ NOTE: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html @@ -100064,7 +100064,7 @@ CVE-2019-8324 (An issue was discovered in RubyGems 2.6 and later through 3.0.2. - ruby2.5 2.5.5-1 - ruby2.3 - ruby2.1 - - rubygems + - rubygems - jruby 9.1.17.0-3 (bug #925987) NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/ NOTE: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html @@ -100074,7 +100074,7 @@ CVE-2019-8323 (An issue was discovered in RubyGems 2.6 and later through 3.0.2. - ruby2.5 2.5.5-1 - ruby2.3 - ruby2.1 - - rubygems + - rubygems - jruby 9.1.17.0-3 (bug #925987) NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/ NOTE: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html 
@@ -100084,7 +100084,7 @@ CVE-2019-8322 (An issue was discovered in RubyGems 2.6 and later through 3.0.2. - ruby2.5 2.5.5-1 - ruby2.3 - ruby2.1 - - rubygems + - rubygems - jruby 9.1.17.0-3 (bug #925987) NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/ NOTE: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html @@ -100095,7 +100095,7 @@ CVE-2019-8321 (An issue was discovered in RubyGems 2.6 and later through 3.0.2. - ruby2.3 - ruby2.1 [jessie] - ruby2.1 (Vulnerable code introduced later) - - rubygems + - rubygems - jruby 9.1.17.0-3 (bug #925987) NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/ NOTE: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html @@ -100105,7 +100105,7 @@ CVE-2019-8320 (A Directory Traversal issue was discovered in RubyGems 2.7.6 and - ruby2.5 2.5.5-1 - ruby2.3 - ruby2.1 - - rubygems + - rubygems - jruby 9.1.17.0-3 (bug #925987) [jessie] - jruby (Vulnerable code introduced later) NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/ @@ -155706,7 +155706,7 @@ CVE-2018-179 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 - ruby2.1 - ruby1.9.1 [wheezy] - ruby1.9.1 (Minor issue, too intrusive to backport) - - rubygems + - rubygems [wheezy] - rubygems (Vulnerable code not present) - jruby 9.1.17.0-1 (bug #895778) [jessie] - jruby (Vulnerable code not present) @@ -155720,7 +155720,7 @@ CVE-2018-178 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 - ruby2.3 - ruby2.1 - ruby1.9.1 - - rubygems + - rubygems - jruby 9.1.17.0-1 (bug #895778) NOTE: https://github.com/rubygems/rubygems/commit/66a28b9275551384fdab45f3591a82d6b59952cb NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/ 
@@ -155730,7 +155730,7 @@ CVE-2018-177 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 - ruby2.3 - ruby2.1 - ruby1.9.1 - - rubygems + - rubygems - jruby 9.1.17.0-1 (bug #895778) NOTE: https://github.com/rubygems/rubygems/commit/feadefc2d351dcb95d6492f5ad17ebca546eb964 NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/ @@ -155740,7 +155740,7 @@ CVE-2018-176 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 - ruby2.3 - ruby2.1 - ruby1.9.1 - - rubygems + - rubygems - jruby
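Review bot: the commit message says these rubygems entries still need a recheck, but no hunk adds a TODO or NOTE under any of the affected CVEs to record that, so the pending work lives only in the commit log. A "TODO: check" line under each changed rubygems entry would keep it visible in data/CVE/list. As rendered here the removed and added "- rubygems" lines also read identically, so the status change itself cannot be confirmed from this page.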
[Git][security-tracker-team/security-tracker][master] tboot entered the archive, move from itp status to unfixed for further checks
László Böszörményi pushed to branch master at Debian Security Tracker / security-tracker Commits: e55bdc50 by Laszlo Boszormenyi (GCS) at 2020-10-19T00:04:42+02:00 tboot entered the archive, move from itp status to unfixed for further checks - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -178356,7 +178356,7 @@ CVE-2017-16839 (Hashicorp vagrant-vmware-fusion 5.0.4 allows local users to stea CVE-2017-16838 RESERVED CVE-2017-16837 (Certain function pointers in Trusted Boot (tboot) through 1.9.6 are no ...) - - tboot (bug #803180) + - tboot CVE-2017-16836 (Arris TG1682G devices with Comcast TG1682_2.0s7_PRODse 10.0.59.SIP.PC2 ...) NOT-FOR-US: Arris TG1682G devices CVE-2017-16835 (The "Photo,Video Locker-Calculator" application 12.0 for Android has a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e55bdc508e2e9f3eb67367a8d3d4dd1c8abde094
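Review bot: the replacement tboot line drops "(bug #803180)" and nothing in the hunk records the "further checks" the commit message refers to. If the bug number is no longer meant to be tracked that is fine, but a "TODO: check" line under CVE-2017-16837 would mark the entry as still open for review.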
Processing 1f2324ff6a8338a914e3e3c79e5621de2aa3d44b failed
The error message was: data/CVE/list:178358: ITPed package tboot is in the archive make: *** [Makefile:19: all] Error 1
[Git][security-tracker-team/security-tracker][master] update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 1f2324ff by Thorsten Alteholz at 2020-10-18T22:47:01+02:00 update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -51,6 +51,7 @@ cimg (Thorsten Alteholz) NOTE: 20200709: method (vs "load_network") but is still missing the argument NOTE: 20200709: sanitisation. (lamby) NOTE: 20201005: checking whether reverse dependencies still build/work + NOTE: 20201018: recovering from a broken computer :-( -- condor NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto) @@ -135,6 +136,7 @@ pluxml -- python3.5 (Thorsten Alteholz) NOTE: 20201011: testing package + NOTE: 20201018: recovering from a broken computer :-( -- qtsvg-opensource-src (Adrian Bunk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1f2324ff6a8338a914e3e3c79e5621de2aa3d44b
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c96cf128 by security tracker role at 2020-10-18T20:10:18+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28865,8 +28865,8 @@ CVE-2020-13896 (The web interface of Maipu MP1800X-50 7.5.3.14(R) devices allows NOT-FOR-US: Maipu devices CVE-2020-13894 (handler/upload_handler.jsp in DEXT5 Editor through 3.5.1402961 allows ...) NOT-FOR-US: DEXT5 Editor -CVE-2020-13893 - RESERVED +CVE-2020-13893 (Multiple stored cross-site scripting (XSS) vulnerabilities in Sage Eas ...) + TODO: check CVE-2020-13892 (The SportsPress plugin before 2.7.2 for WordPress allows XSS. ...) NOT-FOR-US: SportsPress plugin for WordPress CVE-2020-13891 (An issue was discovered in Mattermost Mobile Apps before 1.31.2 on iOS ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c96cf128da11d264bcc1e09d2d2969d5f84fb0af
[Git][security-tracker-team/security-tracker][master] Add fixed version via unstable for CVE-2019-12761/pyxdg
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7d6c6c2e by Salvatore Bonaccorso at 2020-10-18T15:03:11+02:00 Add fixed version via unstable for CVE-2019-12761/pyxdg - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -86525,7 +86525,7 @@ CVE-2019-12762 (Xiaomi Mi 5s Plus devices allow attackers to trigger touchscreen NOT-FOR-US: Xiaomi Mi 5s Plus devices CVE-2019-12761 (A code injection issue was discovered in PyXDG before 0.26 via crafted ...) {DLA-1819-1} - - pyxdg (low; bug #930099) + - pyxdg 0.26-1 (low; bug #930099) [buster] - pyxdg (Minor issue) [stretch] - pyxdg (Minor issue) NOTE: https://snyk.io/vuln/SNYK-PYTHON-PYXDG-174562 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7d6c6c2edbb2a8ef59c033f47984b9e71222183c
[Git][security-tracker-team/security-tracker][master] Track upstream commit for CVE-2019-12761/pyxdg
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1cdcbc5a by Salvatore Bonaccorso at 2020-10-18T15:02:10+02:00 Track upstream commit for CVE-2019-12761/pyxdg - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -86529,6 +86529,7 @@ CVE-2019-12761 (A code injection issue was discovered in PyXDG before 0.26 via c [buster] - pyxdg (Minor issue) [stretch] - pyxdg (Minor issue) NOTE: https://snyk.io/vuln/SNYK-PYTHON-PYXDG-174562 + NOTE: https://gitlab.freedesktop.org/xdg/pyxdg/-/commit/aa4ce1bbc59def6975c9dd1598aafb3ef3fea681 (rel-0.26) NOTE: https://gitlab.freedesktop.org/xdg/pyxdg/issues/14 CVE-2019-12760 (** DISPUTED ** A deserialization vulnerability exists in the way parso ...) - parso 0.5.1-0.1 (unimportant; bug #930356) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1cdcbc5a5a6404867f01d7e2706f9958d84c5b3b
[Git][security-tracker-team/security-tracker][master] Triage CVE-2020-26682 in libass for stretch LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: b6e724c1 by Chris Lamb at 2020-10-18T11:15:07+01:00 Triage CVE-2020-26682 in libass for stretch LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1051,6 +1051,7 @@ CVE-2020-26683 RESERVED CVE-2020-26682 (In libass 0.14.0, the `ass_outline_construct`'s call to `outline_strok ...) - libass + [stretch] - libass (Vulnerable code not present) NOTE: https://github.com/libass/libass/issues/431 NOTE: https://github.com/libass/libass/pull/432 CVE-2020-26681 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6e724c196b987023b20fc0b5374aa2ab58630e2
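Review bot: the added "[stretch] - libass (Vulnerable code not present)" line is not backed by anything in the entry; the two NOTE lines point only at the upstream issue and pull request. A NOTE naming the upstream commit or release that introduced the affected `ass_outline_construct` code would let the stretch triage be re-verified later.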
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 54bffe3d by security tracker role at 2020-10-18T08:10:14+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2020-27199 + RESERVED +CVE-2020-27198 + RESERVED +CVE-2020-27197 (** DISPUTED ** TAXII libtaxii through 1.1.117, as used in EclecticIQ O ...) + TODO: check CVE-2020-27196 RESERVED CVE-2020-27195 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54bffe3d2a041ab4851ce39b11ccd8a09087e8f2