[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for CVE-2020-27842/openjpeg2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 219f1a89 by Salvatore Bonaccorso at 2021-03-01T08:28:52+01:00 Track fixed version via unstable for CVE-2020-27842/openjpeg2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28764,7 +28764,7 @@ CVE-2020-27843 (A flaw was found in OpenJPEG in versions prior to 2.4.0. This fl NOTE: https://github.com/uclouvain/openjpeg/issues/1297 NOTE: Partial fix (preventing the out of bounds access): https://github.com/uclouvain/openjpeg/commit/38d661a3897052c7ff0b39b30c29cb067e130121 (2.4.0) CVE-2020-27842 (There's a flaw in openjpeg's t2 encoder in versions prior to 2.4.0. An ...) - - openjpeg2 + - openjpeg2 2.4.0-1 [buster] - openjpeg2 (Minor issue) [stretch] - openjpeg2 (Minor issue) NOTE: https://github.com/uclouvain/openjpeg/issues/1294 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/219f1a893d4649756a7a4dfa3499c49dc0679bfc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/219f1a893d4649756a7a4dfa3499c49dc0679bfc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
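Review bot: The unstable line now records 2.4.0-1 as the fix for CVE-2020-27842, but the entry cites only the upstream issue (uclouvain/openjpeg#1294) and no fixing commit, unlike the neighbouring CVE-2020-27843 entry, which references its fix commit with a "(2.4.0)" annotation; add a NOTE with the upstream commit that closes #1294 so the fixed-version claim can be verified when the buster/stretch "Minor issue" decisions are revisited.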
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2020-27843
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a3660637 by Salvatore Bonaccorso at 2021-03-01T08:27:07+01:00 Track fixed version for CVE-2020-27843 Cf. https://github.com/uclouvain/openjpeg/issues/1297#issuecomment-787475666 on why this is considered fixed in the 2.4.0 upstream release. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28758,7 +28758,7 @@ CVE-2020-27844 (A flaw was found in openjpeg's src/lib/openjp2/t2.c in versions NOTE: https://github.com/uclouvain/openjpeg/issues/1299 NOTE: https://github.com/uclouvain/openjpeg/commit/73fdf28342e4594019af26eb6a347a34eceb6296 (v2.4.0) CVE-2020-27843 (A flaw was found in OpenJPEG in versions prior to 2.4.0. This flaw all ...) - - openjpeg2 (bug #983663) + - openjpeg2 2.4.0-1 (bug #983663) [buster] - openjpeg2 (Minor issue) [stretch] - openjpeg2 (Minor issue) NOTE: https://github.com/uclouvain/openjpeg/issues/1297 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a366063789ae420e4c2297c319642ff904f42ca2
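Review bot: The justification for treating 2.4.0 as the fix (the issues/1297#issuecomment-787475666 link) lives only in the commit message, while the entry itself still cites just the issue; add that link as a NOTE next to the existing "NOTE: https://github.com/uclouvain/openjpeg/issues/1297", since the earlier NOTE on this same entry describes the upstream commit as a "Partial fix" and the data file should explain why that is now considered sufficient.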
[Git][security-tracker-team/security-tracker][master] Take wpa
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 19ba52ec by Utkarsh Gupta at 2021-03-01T12:21:21+05:30 Take wpa - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -134,7 +134,7 @@ subversion (Thorsten Alteholz) -- thunderbird (Emilio) -- -wpa +wpa (Utkarsh) -- xmlbeans (Roberto C. Sánchez) NOTE: 20210222: Affected code changed significantly from 2.6.0 to 3.0.0 (the View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/19ba52ecfa14106f199bc9306cc534f5a82ea533
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim spip
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 30cd032a by Abhijith PA at 2021-03-01T12:08:09+05:30 data/dla-needed.txt: Claim spip - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -119,7 +119,7 @@ shiro NOTE: 20201004: Sent additional request to upstream dev list; stil no response. (roberto) NOTE: 20201220: Upstream has responded. Working with them to backport fixes. (roberto) -- -spip +spip (Abhijith PA) NOTE: 20210228: maintainer doesn't want to work on this update. (utkarsh) NOTE: 20210228: a DSA is already out; check against the patch uploaded. (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/30cd032a5fd385e70c01be4dd4e079cef905d11e
[Git][security-tracker-team/security-tracker][master] triage qemu gsoap wpa for stretch
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 6a6cea52 by Abhijith PA at 2021-03-01T12:03:14+05:30 triage qemu gsoap wpa for stretch - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -59,6 +59,8 @@ golang-github-appc-cni (Thorsten Alteholz) golang-gogoprotobuf (Ola Lundqvist) NOTE: 20210218: If you have any idea why this is called the "skippy peanut butter" issue, I would be mildly interested. (lamby) -- +gsoap +-- guacamole-server (Anton Gladky) NOTE: 20210217: Note may affect guacamole-client too (see note on security tracker). (lamby) -- @@ -83,6 +85,8 @@ python3.5 -- python-aiohttp (Utkarsh) -- +qemu +-- ruby-actionpack-page-caching NOTE: 20200819: Upstream's patch on does not apply due to subsequent NOTE: 20200819: refactoring. However, a quick look at the private @@ -130,6 +134,8 @@ subversion (Thorsten Alteholz) -- thunderbird (Emilio) -- +wpa +-- xmlbeans (Roberto C. Sánchez) NOTE: 20210222: Affected code changed significantly from 2.6.0 to 3.0.0 (the NOTE: 20210222: upstream release with the fix). Trying to determine how to View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6a6cea52d24774cc57d7e0d3919c0fe9ab999be1
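Review bot: The three new entries (gsoap, qemu, wpa) are added without any NOTE, so a claimant cannot tell which CVE ids or what scope triggered the stretch triage; the file's convention, visible in the surrounding context (the dated "NOTE: 20210222:" lines under xmlbeans, "NOTE: 20210217:" under guacamole-server), is a dated NOTE per entry, so add one per package listing the CVEs to be handled.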
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2019-0222 and associate mqtt-client
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8c855b86 by Salvatore Bonaccorso at 2021-03-01T06:37:58+01:00 Update information on CVE-2019-0222 and associate mqtt-client activemq upstream included the mqtt-client library in the lib/extra directory but in Debian we use the external src:mqtt-client accordingly. The history is a bit involved as at first activemq disabled MQTT support, later on enabled it and depended on the mqtt-client provided packages. Associate now the CVE with mqtt-client where the issue got fixed. Thanks: Abhijith PA for spotting the issue. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -155264,11 +155264,13 @@ CVE-2019-0223 (While investigating bug PROTON-2014, we discovered that under som NOTE: not present in the jessie version. That part do not seem to be essential for NOTE: the package to be vulnerable. CVE-2019-0222 (In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame ca ...) - - activemq 5.15.9-1 (bug #925964) - [buster] - activemq (Minor issue) - [stretch] - activemq (Minor issue) + - activemq 5.15.9-1 (bug #925964; unimportant) [jessie] - activemq (MQTT support not enabled) + - mqtt-client 1.16-1 NOTE: http://activemq.apache.org/security-advisories.data/CVE-2019-0222-announcement.txt + NOTE: activemq disabled MQTT transport in 5.6.0+dfsg-1 (d/patches/exclude_mqtt.diff) + NOTE: but enabled activemq-mqtt in 5.13.2+dfsg-2 using the external mqtt-client. + NOTE: https://github.com/fusesource/mqtt-client/commit/2898f10be758decdc85ba6c523cb5be6b9092855 (mqtt-client-project-1.15) CVE-2019-0221 (The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 ...) {DSA-4596-1 DLA-1883-1 DLA-1810-1} - tomcat9 9.0.16-4 (bug #929895) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8c855b8644a045d10341e3dc18a429971e604921
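Review bot: The new "- mqtt-client 1.16-1" line carries no [buster]/[stretch] annotation, so both suites are now tracked as open for mqtt-client while the old "Minor issue" markers on activemq are replaced by "unimportant"; that looks intended, but the referenced upstream fix commit is tagged mqtt-client-project-1.15, so add a NOTE stating why 1.16-1 (rather than a 1.15-based upload) is the Debian fixed version, and record the buster/stretch decision for mqtt-client explicitly if no update is planned there.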
[Git][security-tracker-team/security-tracker][master] 2 commits: Triage spip for stretch
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: bec54dd9 by Utkarsh Gupta at 2021-03-01T02:24:54+05:30 Triage spip for stretch - - - - - 60ffd294 by Utkarsh Gupta at 2021-03-01T02:24:54+05:30 Triage python-aiohttp for stretch - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -81,6 +81,8 @@ php-pear (Ola Lundqvist) python3.5 NOTE: 20210217: Fairly invasive change, changing/augmenting API of standard library. (lamby) -- +python-aiohttp (Utkarsh) +-- ruby-actionpack-page-caching NOTE: 20200819: Upstream's patch on does not apply due to subsequent NOTE: 20200819: refactoring. However, a quick look at the private @@ -113,6 +115,10 @@ shiro NOTE: 20201004: Sent additional request to upstream dev list; stil no response. (roberto) NOTE: 20201220: Upstream has responded. Working with them to backport fixes. (roberto) -- +spip + NOTE: 20210228: maintainer doesn't want to work on this update. (utkarsh) + NOTE: 20210228: a DSA is already out; check against the patch uploaded. (utkarsh) +-- spotweb NOTE: 20201220: The affected code uses string concatenation to construct a SQL query. NOTE: 20201220: Upstream's "fix" is to blacklist all the "bad" SQL commands. (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0845da06e2129bbdff94c6f0cbf0233dfc31aaf9...60ffd294e190689e1a8f063816e40e25a2c78bf2
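Review bot: The spip NOTE "a DSA is already out; check against the patch uploaded" does not name the DSA or the buster version it shipped, so whoever claims the stretch update has to search for it; record the DSA id in that NOTE so the dla-needed entry is self-contained.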
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2021-23336/python3.9 via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0845da06 by Salvatore Bonaccorso at 2021-02-28T21:52:47+01:00 Track fixed version for CVE-2021-23336/python3.9 via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10174,7 +10174,7 @@ CVE-2021-23336 (The package python/cpython from 0 and before 3.6.13, from 3.7.0 {DLA-2569-1} - python-django 2:2.2.19-1 (bug #983090) [buster] - python-django (Minor issue; can be fixed via point release) - - python3.9 + - python3.9 3.9.2-1 - python3.8 - python3.7 [buster] - python3.7 (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0845da06e2129bbdff94c6f0cbf0233dfc31aaf9
[Git][security-tracker-team/security-tracker][master] Track fixed version for two xen issues via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c5fd8109 by Salvatore Bonaccorso at 2021-02-28T21:44:01+01:00 Track fixed version for two xen issues via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1897,7 +1897,7 @@ CVE-2021-26934 (An issue was discovered in the Linux kernel 4.18 through 5.10.16 NOTE: Driver never was meant to be supported and the patch in src:xen will only NOTE: update SUPPORT.md to explicitly document the fact. CVE-2021-26933 (An issue was discovered in Xen 4.9 through 4.14.x. On Arm, a guest is ...) - - xen + - xen 4.14.1+11-gb0b734a8b3-1 [stretch] - xen (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-364.html CVE-2021-26932 (An issue was discovered in the Linux kernel 3.2 through 5.10.16, as us ...) @@ -5185,7 +5185,7 @@ CVE-2021-25646 (Apache Druid includes the ability to execute user-provided JavaS CVE-2019-25014 (A NULL pointer dereference was found in pkg/proxy/envoy/v2/debug.go ge ...) NOT-FOR-US: Istio CVE-2021-3308 (An issue was discovered in Xen 4.12.3 through 4.12.4 and 4.13.1 throug ...) - - xen (bug #981052) + - xen 4.14.1+11-gb0b734a8b3-1 (bug #981052) [buster] - xen (Vulnerable code introduced later) [stretch] - xen (Vulnerable code introduced later) NOTE: https://xenbits.xen.org/xsa/advisory-360.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5fd810935e2844279b4c2a534dfa9b82d8f7f21
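Review bot: In the first hunk CVE-2021-26933 gains a fixed unstable version and stretch is covered by the DSA 4602-1 reference, but there is no [buster] line, so buster stays tracked as vulnerable with no stated plan; either add it to dsa-needed if a buster update is intended, or record the buster decision on the entry the way the second hunk does for CVE-2021-3308 ("Vulnerable code introduced later").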
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 72c5f5d6 by security tracker role at 2021-02-28T20:10:20+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,5 @@ +CVE-2021-27807 + RESERVED CVE-2021-27806 RESERVED CVE-2021-27805 @@ -8729,7 +8731,7 @@ CVE-2021-23979 (Mozilla developers reported memory safety bugs present in Firefo - firefox 86.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-07/#CVE-2021-23979 CVE-2021-23978 (Mozilla developers reported memory safety bugs present in Firefox 85 a ...) - {DSA-4862-1 DLA-2575-1} + {DSA-4866-1 DSA-4862-1 DLA-2575-1} - firefox 86.0-1 - firefox-esr 78.8.0esr-1 - thunderbird 1:78.8.0-1 @@ -8749,7 +8751,7 @@ CVE-2021-23974 (The DOMParser API did not properly process 'noscript' el - firefox 86.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-07/#CVE-2021-23974 CVE-2021-23973 (When trying to load a cross-origin resource in an audio/video context ...) - {DSA-4862-1 DLA-2575-1} + {DSA-4866-1 DSA-4862-1 DLA-2575-1} - firefox 86.0-1 - firefox-esr 78.8.0esr-1 - thunderbird 1:78.8.0-1 @@ -8766,7 +8768,7 @@ CVE-2021-23970 (Context-specific code was included in a shared jump table; resul - firefox 86.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-07/#CVE-2021-23970 CVE-2021-23969 (As specified in the W3C Content Security Policy draft, when creating a ...) - {DSA-4862-1 DLA-2575-1} + {DSA-4866-1 DSA-4862-1 DLA-2575-1} - firefox 86.0-1 - firefox-esr 78.8.0esr-1 - thunderbird 1:78.8.0-1 
@@ -8774,7 +8776,7 @@ CVE-2021-23969 (As specified in the W3C Content Security Policy draft, when crea NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-08/#CVE-2021-23969 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-09/#CVE-2021-23969 CVE-2021-23968 (If Content Security Policy blocked frame navigation, the full destinat ...) - {DSA-4862-1 DLA-2575-1} + {DSA-4866-1 DSA-4862-1 DLA-2575-1} - firefox 86.0-1 - firefox-esr 78.8.0esr-1 - thunderbird 1:78.8.0-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72c5f5d61b4e6141e8cca937714dd18fdc599196
[Git][security-tracker-team/security-tracker][master] update note
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: e6fa8ad0 by Abhijith PA at 2021-03-01T00:31:45+05:30 update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -14,6 +14,7 @@ rather than remove/replace existing ones. -- activemq (Abhijith PA) + NOTE: 20210301: Build available https://people.debian.org/~abhijith/upload/vda/activemq_5.14.3-3+deb9u2.dsc -- adminer (Utkarsh) NOTE: probably Chris wants to take this package as maintainer/sponsor View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6fa8ad01dd713bdc101042f3cb561017b7c1ce3
[Git][security-tracker-team/security-tracker][master] thunderbird DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f6299467 by Moritz Mühlenhoff at 2021-02-28T19:46:10+01:00 thunderbird DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[28 Feb 2021] DSA-4866-1 thunderbird - security update + {CVE-2021-23968 CVE-2021-23969 CVE-2021-23973 CVE-2021-23978} + [buster] - thunderbird 1:78.8.0-1~deb10u1 [27 Feb 2021] DSA-4865-1 docker.io - security update {CVE-2020-15157 CVE-2020-15257 CVE-2021-21284 CVE-2021-21285} [buster] - docker.io 18.09.1+dfsg1-7.1+deb10u3 = data/dsa-needed.txt = @@ -24,5 +24,3 @@ netty -- python-pysaml2 (jmm) -- -thunderbird (jmm) --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f62994677ae9e5e411a77be6cb7e0eaaf4ad9f40
[Git][security-tracker-team/security-tracker][master] Mark CVE-2016-2568 ignored for bullseye
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0ece4dbd by Salvatore Bonaccorso at 2021-02-28T17:13:42+01:00 Mark CVE-2016-2568 ignored for bullseye - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -282621,6 +282621,7 @@ CVE-2016-2569 (Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not properly ap NOTE: Upstream confirmed it does not affect squid 2.7.x CVE-2016-2568 (pkexec, when used with --user nonpriv, allows local users to escape to ...) - policykit-1 (low; bug #816062; bug #812512) + [bullseye] - policykit-1 (Minor issue) [buster] - policykit-1 (Minor issue) [stretch] - policykit-1 (Minor issue) [jessie] - policykit-1 (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0ece4dbd4b8573e8113b059bdcca47ce08cda3ef
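Review bot: The commit message says "ignored for bullseye", but the added line as shown reads exactly like the no-dsa lines for buster/stretch/jessie directly below it ("(Minor issue)"); verify that the bullseye line carries the ignored state rather than only the free-text reason, since the tracker treats ignored and no-dsa differently, and consider a reason that says why the issue is being ignored rather than deferred, given the entry has been open with two bug references (#816062, #812512) since 2016.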
[Git][security-tracker-team/security-tracker][master] Mark CVE-2016-10127 as no-dsa for bullseye
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6e7e098e by Salvatore Bonaccorso at 2021-02-28T17:03:13+01:00 Mark CVE-2016-10127 as no-dsa for bullseye - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -246771,6 +246771,7 @@ CVE-2016-10125 (D-Link DGS-1100 devices with Rev.B firmware 1.01.018 have a hard NOT-FOR-US: D-Link CVE-2016-10127 (PySAML2 allows remote attackers to conduct XML external entity (XXE) a ...) - python-pysaml2 (low; bug #859135) + [bullseye] - python-pysaml2 (Minor issue) [buster] - python-pysaml2 (Minor issue) [stretch] - python-pysaml2 (Minor issue) [jessie] - python-pysaml2 (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e7e098eaed0e5fc5225b0173bd076b874e0a867
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2021-20206/golang-github-appc-cni via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0a201c3e by Salvatore Bonaccorso at 2021-02-28T16:51:36+01:00 Add fixed version for CVE-2021-20206/golang-github-appc-cni via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18375,7 +18375,7 @@ CVE-2021-20207 REJECTED CVE-2021-20206 RESERVED - - golang-github-appc-cni (bug #983659) + - golang-github-appc-cni 0.8.1-1 (bug #983659) [buster] - golang-github-appc-cni (Minor issue; can be fixed via point release) NOTE: https://github.com/containernetworking/cni/pull/808 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1919391 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a201c3eb899e2cb743654abbe2d0eb9dc96824b
[Git][security-tracker-team/security-tracker][master] NFU
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: c9097fb9 by Henri Salo at 2021-02-28T17:32:07+02:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14236,7 +14236,7 @@ CVE-2020-36081 CVE-2020-36080 RESERVED CVE-2020-36079 (Zenphoto through 1.5.7 is affected by authenticated arbitrary file upl ...) - TODO: check + NOT-FOR-US: Zenphoto CVE-2020-36078 RESERVED CVE-2020-36077 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c9097fb9fed587bccd06b8b45013fe84f9d346a8
[Git][security-tracker-team/security-tracker][master] CVE-2021-20201: order commits
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6164ab6b by Salvatore Bonaccorso at 2021-02-28T16:23:53+01:00 CVE-2021-20201: order commits - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18396,8 +18396,8 @@ CVE-2021-20201 [Client initiated renegotiation denial of service] - spice (bug #983698) [buster] - spice (Minor issue) NOTE: https://gitlab.freedesktop.org/spice/spice/-/issues/49 - NOTE: https://gitlab.freedesktop.org/spice/spice/-/commit/95a0cfac8a1c8eff50f05e65df945da3bb501fc9 NOTE: https://gitlab.freedesktop.org/spice/spice/-/commit/ca5bbc5692e052159bce1a75f55dc60b36078749 + NOTE: https://gitlab.freedesktop.org/spice/spice/-/commit/95a0cfac8a1c8eff50f05e65df945da3bb501fc9 NOTE: https://blog.qualys.com/product-tech/2011/10/31/tls-renegotiation-and-denial-of-service-attacks TODO: check details CVE-2021-20200 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6164ab6b0eca6b434772c6c9cc6f245f47feca2a
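Review bot: Reordering the two spice commit NOTEs is harmless, but the entry still ends in "TODO: check details" while buster has already been marked "Minor issue" a few lines above; either resolve the TODO or add a NOTE recording the basis for the no-dsa decision so the entry does not contradict itself.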
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-20201/spice
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a8544bc8 by Salvatore Bonaccorso at 2021-02-28T16:22:06+01:00 Add Debian bug reference for CVE-2021-20201/spice - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18393,7 +18393,7 @@ CVE-2021-20202 RESERVED CVE-2021-20201 [Client initiated renegotiation denial of service] RESERVED - - spice + - spice (bug #983698) [buster] - spice (Minor issue) NOTE: https://gitlab.freedesktop.org/spice/spice/-/issues/49 NOTE: https://gitlab.freedesktop.org/spice/spice/-/commit/95a0cfac8a1c8eff50f05e65df945da3bb501fc9 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a8544bc8145e3fd90fc90bc515318eab871c960d
[Git][security-tracker-team/security-tracker][master] Mark CVE-2021-20201/spice as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 04f31426 by Salvatore Bonaccorso at 2021-02-28T16:21:11+01:00 Mark CVE-2021-20201/spice as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18394,6 +18394,7 @@ CVE-2021-20202 CVE-2021-20201 [Client initiated renegotiation denial of service] RESERVED - spice + [buster] - spice (Minor issue) NOTE: https://gitlab.freedesktop.org/spice/spice/-/issues/49 NOTE: https://gitlab.freedesktop.org/spice/spice/-/commit/95a0cfac8a1c8eff50f05e65df945da3bb501fc9 NOTE: https://gitlab.freedesktop.org/spice/spice/-/commit/ca5bbc5692e052159bce1a75f55dc60b36078749 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/04f31426168049d866315c709aac4c471513e48b
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-3410
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bb08b20d by Salvatore Bonaccorso at 2021-02-28T13:58:11+01:00 Add Debian bug reference for CVE-2021-3410 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1290,7 +1290,7 @@ CVE-2021-3411 [buster] - linux (Vulnerable code introduced later) [stretch] - linux (Vulnerable code introduced later) CVE-2021-3410 (A flaw was found in libcaca v0.99.beta19. A buffer overflow issue in c ...) - - libcaca + - libcaca (bug #983684) NOTE: https://github.com/cacalabs/libcaca/issues/52 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1928437 NOTE: https://github.com/cacalabs/libcaca/commit/46b4ea7cea72d6b3ffe65d33e604b1774dcc2bbd View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb08b20d374b6c1469e4325ff086f951d134abeb
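Review bot: The bug reference added here for libcaca, #983684, is the same number added about twenty minutes earlier for the mupdf entry CVE-2021-3407 (commit 763e9aab); one Debian bug normally covers one source package, so one of the two references is likely a typo and both should be checked against the BTS before they propagate to the tracker pages.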
[Git][security-tracker-team/security-tracker][master] Reference commits for CVE-2021-3410
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 776ec38e by Salvatore Bonaccorso at 2021-02-28T13:51:27+01:00 Reference commits for CVE-2021-3410 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1293,6 +1293,8 @@ CVE-2021-3410 (A flaw was found in libcaca v0.99.beta19. A buffer overflow issue - libcaca NOTE: https://github.com/cacalabs/libcaca/issues/52 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1928437 + NOTE: https://github.com/cacalabs/libcaca/commit/46b4ea7cea72d6b3ffe65d33e604b1774dcc2bbd + NOTE: https://github.com/cacalabs/libcaca/commit/e4968ba6e93e9fd35429eb16895c785c51072015 CVE-2021-27205 (Telegram before 7.4 (212543) Stable on macOS stores the local copy of ...) NOT-FOR-US: Telegram for MacOS CVE-2021-27204 (Telegram before 7.4 (212543) Stable on macOS stores the local passcode ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/776ec38e89c75144f82c394c55fe85924d5d01a2
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-3407/mupdf
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 763e9aab by Salvatore Bonaccorso at 2021-02-28T13:37:19+01:00 Add Debian bug reference for CVE-2021-3407/mupdf - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1504,7 +1504,7 @@ CVE-2021-27106 CVE-2021-27105 RESERVED CVE-2021-3407 (A flaw was found in mupdf 1.18.0. Double free of object during lineari ...) - - mupdf + - mupdf (bug #983684) NOTE: http://git.ghostscript.com/?p=mupdf.git;h=cee7cefc610d42fd383b3c80c12cbc675443176a NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=703366 (not public yet) CVE-2021-3406 (A flaw was found in keylime 5.8.1 and older. The issue in the Keylime ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/763e9aabbf8b4e77b6355cb84547a37e817c413d
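Review bot: the only upstream discussion linked from this entry is a Ghostscript bug annotated `(not public yet)`, and that annotation has no date and no TODO to revisit it, so it will go stale silently once the bug opens up; the cni entry elsewhere in this list uses a `TODO:` line for exactly this kind of pending check, and the same would help here. The Debian bug #983684 added in this hunk is therefore the one reference a user can actually read, so make sure it carries the affected version (1.18.0) and the fix commit cee7cefc on its own.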
[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-508{6,7}/xcftools as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a2bdb3f0 by Salvatore Bonaccorso at 2021-02-28T13:35:28+01:00 Mark CVE-2019-508{6,7}/xcftools as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -140373,11 +140373,13 @@ CVE-2019-5088 (An exploitable memory corruption vulnerability exists in Investin CVE-2019-5087 (An exploitable integer overflow vulnerability exists in the flattenInc ...) {DLA-2553-1} - xcftools 1.0.7-6.1 (bug #945317) + [buster] - xcftools (Minor issue; can be fixed via point release) NOTE: https://github.com/j-jorge/xcftools/issues/13 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0879 CVE-2019-5086 (An exploitable integer overflow vulnerability exists in the flattenInc ...) {DLA-2553-1} - xcftools 1.0.7-6.1 (bug #945317) + [buster] - xcftools (Minor issue; can be fixed via point release) NOTE: https://github.com/j-jorge/xcftools/issues/12 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0878 CVE-2019-5085 (An exploitable code execution vulnerability exists in the DICOM packet ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2bdb3f0dd0b280175a387c628d64597cb6f412f
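Review bot: both CVEs get the identical buster annotation, which is consistent with the shared fixed version 1.0.7-6.1, the shared bug #945317 and the shared {DLA-2553-1}; the one thing missing is any tracking reference for the point-release intention itself. "can be fixed via point release" records a plan but nothing a reader can follow, so once the stable-update bug is filed it should be added to both lines together, otherwise the two entries will drift apart the next time one of them is touched.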
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2020-29509 and track golang-github-russellhaering-gosaml2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7bc4cdd8 by Salvatore Bonaccorso at 2021-02-28T13:25:47+01:00 Update information for CVE-2020-29509 and track golang-github-russellhaering-gosaml2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21910,12 +21910,13 @@ CVE-2020-29510 (The encoding/xml package in Go versions 1.15 and earlier does no NOTE: https://github.com/golang/go/issues/43168 NOTE: https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/ CVE-2020-29509 (The encoding/xml package in Go (all versions) does not correctly prese ...) - - golang-1.15 - - golang-1.11 - - golang-1.8 - [stretch] - golang-1.8 (deemed unfixable by upstream who shifts responsibility to saml packages we don't ship) - - golang-1.7 - [stretch] - golang-1.7 (deemed unfixable by upstream who shifts responsibility to saml packages we don't ship) + - golang-github-russellhaering-gosaml2 (bug #948190) + - golang-1.15 (unimportant) + - golang-1.11 (unimportant) + - golang-1.8 (unimportant) + - golang-1.7 (unimportant) + NOTE: Golang upstream does not consider the issue to be fixable in Go, instread + NOTE: shifts responsibility to saml packages. NOTE: https://github.com/golang/go/issues/43168 NOTE: https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/ NOTE: https://github.com/russellhaering/gosaml2/security/advisories/GHSA-xhqq-x44f-9fgg View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7bc4cdd8e6116c9aa10b8695284a39d0a18c4b4b
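Review bot: the first new NOTE line has a typo, `instread` should be `instead`, and the sentence is split across two NOTE lines mid-clause; something like `NOTE: Golang upstream does not consider the issue fixable in Go and instead shifts responsibility to SAML packages.` reads cleanly. The rewrite is otherwise sound: the old stretch-only "deemed unfixable" markings said "saml packages we don't ship", which is no longer true now that gosaml2 is tracked, so moving the rationale into a package-independent NOTE and downgrading all golang-1.x lines to `(unimportant)` is the right call. What is still missing is any fix information on the new gosaml2 line beyond the bug number; a NOTE with the gosaml2 version referenced by the GHSA advisory would make that entry actionable.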
[Git][security-tracker-team/security-tracker][master] 2 commits: Track embedded copies of python-py
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 67ad7255 by Salvatore Bonaccorso at 2021-02-28T11:07:20+01:00 Track embedded copies of python-py - - - - - e605fc53 by Salvatore Bonaccorso at 2021-02-28T11:07:51+01:00 Mark pypy and pypy3 as unimportant for CVE-2020-29651 Source-wise affected, but svnwc.py does not seem to be part of the binary packages produced, as it is an embedded copy of python-py. - - - - - 2 changed files: - data/CVE/list - data/embedded-code-copies Changes: = data/CVE/list = @@ -21527,9 +21527,8 @@ CVE-2020-29651 (A denial of service via regular expression in the py.path.svnwc - python-py 1.10.0-1 [buster] - python-py (Minor issue) [stretch] - python-py (Minor issue) - - pypy - [stretch] - pypy (Minor issue) - - pypy3 + - pypy (unimportant) + - pypy3 (unimportant) NOTE: https://github.com/pytest-dev/py/issues/256 NOTE: https://github.com/pytest-dev/py/pull/257 NOTE: https://github.com/pytest-dev/py/commit/4a9017dc6199d2a564b6e4b0aa39d6d8870e4144 = data/embedded-code-copies = @@ -3550,3 +3550,7 @@ libbpf - bpfcc 0.17.0+ds-1 (embed) - dwarves-dfsg 1.18-1 (embed; bug #979105) - v4l-utils (embed; bug #979610) + +python-py + - pypy (embed) + - pypy3 (embed) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/691d8f6853352157ac3eec4840b7d3adcbd92e9d...e605fc53a376d47798ab69016b345ac455e7ca76
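Review bot: the `(unimportant)` marking on pypy and pypy3 drops the rationale, which now lives only in the commit message (svnwc.py is not shipped in the binary packages, and the copy is an embedded python-py anyway); this file's convention is to keep such reasoning next to the entry, so add a NOTE line along the lines of `NOTE: pypy/pypy3 embed python-py but do not ship svnwc.py in the binary packages`. The commit message also says "does not seem to be", so a reviewer cannot tell whether the binary package contents were actually checked; if they were, say so. In data/embedded-code-copies the new pypy and pypy3 lines carry no version qualifier, unlike the libbpf block directly above them (`bpfcc 0.17.0+ds-1`, `dwarves-dfsg 1.18-1`), so it is unclear from which version the embedding applies.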
[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-29651/python-py as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 691d8f68 by Salvatore Bonaccorso at 2021-02-28T10:59:07+01:00 Mark CVE-2020-29651/python-py as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21525,6 +21525,7 @@ CVE-2021-1736 RESERVED CVE-2020-29651 (A denial of service via regular expression in the py.path.svnwc compon ...) - python-py 1.10.0-1 + [buster] - python-py (Minor issue) [stretch] - python-py (Minor issue) - pypy [stretch] - pypy (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/691d8f6853352157ac3eec4840b7d3adcbd92e9d
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2020-29651/python-py via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3ca5536b by Salvatore Bonaccorso at 2021-02-28T10:48:52+01:00 Track fixed version for CVE-2020-29651/python-py via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21524,7 +21524,7 @@ CVE-2021-1737 CVE-2021-1736 RESERVED CVE-2020-29651 (A denial of service via regular expression in the py.path.svnwc compon ...) - - python-py + - python-py 1.10.0-1 [stretch] - python-py (Minor issue) - pypy [stretch] - pypy (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3ca5536bec428ea202340baa0bc136b1a037885e
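Review bot: after this hunk the entry says python-py is fixed in 1.10.0-1 and marks stretch as a minor issue, but has no `[buster]` line at all, so buster reads as "affected, undecided" while the older stretch has a decision; the follow-up commit 691d8f68 on this page adds the buster marking, but the two changes belong in one commit so the entry never sits in that inconsistent state in the history.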
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-28491
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7df1d82a by Salvatore Bonaccorso at 2021-02-28T10:46:36+01:00 Add Debian bug reference for CVE-2020-28491 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25586,7 +25586,7 @@ CVE-2020-28493 (This affects the package jinja2 from 0.0.0 and before 2.11.3. Th CVE-2020-28492 REJECTED CVE-2020-28491 (This affects the package com.fasterxml.jackson.dataformat:jackson-data ...) - - jackson-dataformat-cbor + - jackson-dataformat-cbor (bug #983664) [buster] - jackson-dataformat-cbor (Minor issue) NOTE: https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6 NOTE: https://github.com/FasterXML/jackson-dataformats-binary/issues/186 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7df1d82a63b07f8eaf32adf9fa799c36a493fb4f
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-27843
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4a6ff9b7 by Salvatore Bonaccorso at 2021-02-28T10:45:20+01:00 Add Debian bug reference for CVE-2020-27843 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28752,7 +28752,7 @@ CVE-2020-27844 (A flaw was found in openjpeg's src/lib/openjp2/t2.c in versions NOTE: https://github.com/uclouvain/openjpeg/issues/1299 NOTE: https://github.com/uclouvain/openjpeg/commit/73fdf28342e4594019af26eb6a347a34eceb6296 (v2.4.0) CVE-2020-27843 (A flaw was found in OpenJPEG in versions prior to 2.4.0. This flaw all ...) - - openjpeg2 + - openjpeg2 (bug #983663) [buster] - openjpeg2 (Minor issue) [stretch] - openjpeg2 (Minor issue) NOTE: https://github.com/uclouvain/openjpeg/issues/1297 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a6ff9b74c554dcc8cd994fa767cc9317e9b19b2
[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-28491 as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 954766a2 by Salvatore Bonaccorso at 2021-02-28T10:44:29+01:00 Mark CVE-2020-28491 as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25587,6 +25587,7 @@ CVE-2020-28492 REJECTED CVE-2020-28491 (This affects the package com.fasterxml.jackson.dataformat:jackson-data ...) - jackson-dataformat-cbor + [buster] - jackson-dataformat-cbor (Minor issue) NOTE: https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6 NOTE: https://github.com/FasterXML/jackson-dataformats-binary/issues/186 CVE-2020-28490 (The package async-git before 1.13.2 are vulnerable to Command Injectio ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/954766a29b022d7ab51c04e5a7435211438b9b36
[Git][security-tracker-team/security-tracker][master] Add additional reference for CVE-2020-27843
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e7d9737 by Salvatore Bonaccorso at 2021-02-28T10:28:25+01:00 Add additional reference for CVE-2020-27843 Note that while the commit makes it avoid the out of bounds access of the reported issue, it is likely not meant to be the final and proper fix. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28755,6 +28755,7 @@ CVE-2020-27843 (A flaw was found in OpenJPEG in versions prior to 2.4.0. This fl [buster] - openjpeg2 (Minor issue) [stretch] - openjpeg2 (Minor issue) NOTE: https://github.com/uclouvain/openjpeg/issues/1297 + NOTE: Partial fix (preventing the out of bounds access): https://github.com/uclouvain/openjpeg/commit/38d661a3897052c7ff0b39b30c29cb067e130121 (2.4.0) CVE-2020-27842 (There's a flaw in openjpeg's t2 encoder in versions prior to 2.4.0. An ...) - openjpeg2 [buster] - openjpeg2 (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e7d97376d2950d08699aa1bbae15234d7d41252
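Review bot: the new NOTE calls commit 38d661a3 a partial fix yet tags it `(2.4.0)` in the same style the neighbouring CVE-2020-27844 entry uses for its complete fix (`(v2.4.0)`), which invites reading 2.4.0 as the release that closes this issue; the commit message itself says it is likely not the final and proper fix. Since the `- openjpeg2` line is deliberately left without a fixed version, add a `TODO:` line recording that the proper fix is still unidentified, so the entry is not closed as fixed-in-2.4.0 by someone who only sees the version tag.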
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-20206
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 13254b17 by Salvatore Bonaccorso at 2021-02-28T09:40:21+01:00 Add Debian bug reference for CVE-2021-20206 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18373,7 +18373,7 @@ CVE-2021-20207 REJECTED CVE-2021-20206 RESERVED - - golang-github-appc-cni + - golang-github-appc-cni (bug #983659) [buster] - golang-github-appc-cni (Minor issue; can be fixed via point release) NOTE: https://github.com/containernetworking/cni/pull/808 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1919391 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13254b17f4e95c08689385ffe1edf16bcd206316
[Git][security-tracker-team/security-tracker][master] Mark CVE-2021-20206 as no-dsa for buster
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c4d0cea3 by Salvatore Bonaccorso at 2021-02-28T09:36:05+01:00 Mark CVE-2021-20206 as no-dsa for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18374,6 +18374,7 @@ CVE-2021-20207 CVE-2021-20206 RESERVED - golang-github-appc-cni + [buster] - golang-github-appc-cni (Minor issue; can be fixed via point release) NOTE: https://github.com/containernetworking/cni/pull/808 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1919391 TODO: check details, impact on docker.io? View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c4d0cea34252c27be50b9befc4a6f22628461423
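Review bot: the buster line is marked `(Minor issue; can be fixed via point release)` while the trailing context still reads `TODO: check details, impact on docker.io?`, so the severity call is being recorded before the impact check it depends on; if docker.io turns out to be affected through this package the "minor" classification would have to be revisited. Either resolve the TODO first and drop it in the same commit, or phrase the annotation so it is clearly provisional until that check is done.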