[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2020-13936/velocity via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 00efb2d4 by Salvatore Bonaccorso at 2021-03-17T06:26:03+01:00 Track fixed version for CVE-2020-13936/velocity via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -62722,7 +62722,7 @@ CVE-2020-13938 CVE-2020-13937 (Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2 ...) NOT-FOR-US: Apache Kylin (different from Kylin desktop environment) CVE-2020-13936 (An attacker that is able to modify Velocity templates may execute arbi ...) - - velocity (bug #985220) + - velocity 1.7-6 (bug #985220) NOTE: https://www.openwall.com/lists/oss-security/2021/03/10/1 NOTE: Fixed by: https://github.com/apache/velocity-engine/commit/1ba60771d23dae7e6b3138ae6bee09cf6f9d2485 CVE-2020-13935 (The payload length in a WebSocket frame was not correctly validated in ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/00efb2d4f0df4426cb27faef84c8d25911889f50 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/00efb2d4f0df4426cb27faef84c8d25911889f50 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
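Review bot: the velocity entry now records 1.7-6 as the unstable fixed version for CVE-2020-13936, but the hunk shows no [buster] or [stretch] line under it, so the stable suites still read as unresolved; if they ship affected code, add suite lines in the form used elsewhere in this file (for instance `[buster] - velocity (...)` with the triage outcome) or a DSA cross-reference, and if they are not affected, a not-affected annotation closes the question. The retained "Fixed by:" NOTE pointing at the upstream commit is the right evidence to keep next to the version.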
[Git][security-tracker-team/security-tracker][master] LTS: (re)claim shiro in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f70c267 by Roberto C. Sánchez at 2021-03-16T21:52:32-04:00 LTS: (re)claim shiro in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -117,7 +117,7 @@ salt (Utkarsh) shadow (Sylvain Beucler) NOTE: 20210316: found new CVE, discussing with secteam -- -shiro +shiro (Roberto C. Sánchez) NOTE: 20200920: WIP NOTE: 20200928: Still awaiting reponse to request for assistance sent to upstream dev list. (roberto) NOTE: 20201004: Sent additional request to upstream dev list; stil no response. (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f70c26795a6e1afcdbdc46fe4455d1043427949 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f70c26795a6e1afcdbdc46fe4455d1043427949 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
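Review bot: the two context NOTE lines under shiro carry typos ("reponse", "stil"); since this commit edits the entry anyway, fixing them in the same change keeps the status log readable for whoever next picks up the package. The claim line itself is fine.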
[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 504892bc by Moritz Muehlenhoff at 2021-03-16T22:50:10+01:00 bullseye triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2259,6 +2259,7 @@ CVE-2021-27646 (Use After Free vulnerability in iscsi_snapshot_comm_core in Syno NOT-FOR-US: Synology CVE-2021-27645 (The nameserver caching daemon (nscd) in the GNU C Library (aka glibc o ...) - glibc (bug #983479) + [bullseye] - glibc (Minor issue) [buster] - glibc (Minor issue) [stretch] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=27462 @@ -2911,9 +2912,12 @@ CVE-2021-27353 CVE-2021-27352 RESERVED CVE-2021-27351 (The Terminate Session feature in the Telegram application through 7.2. ...) - - telegram-desktop - [buster] - telegram-desktop (Minor issue) + - telegram-desktop 2.6.1-1 + [buster] - telegram-desktop (Vulnerable code not present) NOTE: https://0ffsecninja.github.io/Telegram:CVE-2021-2735.html + NOTE: Probably fixed earlier than 2.6.1, but marking that fixed in absence of further details + NOTE: (maintainer reached out to upstream for confirmation that 2.6.1 is fixed and buster + NOTE: not affected) CVE-2021-27350 RESERVED CVE-2021-27349 @@ -5497,6 +5501,7 @@ CVE-2021-26273 RESERVED CVE-2021-3326 (The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and ...) - glibc (bug #981198) + [bullseye] - glibc (Minor issue) [buster] - glibc (Minor issue) [stretch] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=27256 
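Review bot: the telegram-desktop hunk marks buster as "Vulnerable code not present" while the new NOTE lines say the maintainer is still waiting for upstream to confirm that 2.6.1 is fixed and that buster is not affected; a firm state and a pending confirmation in the same entry are inconsistent, so either keep the previous "(Minor issue)" annotation until the confirmation arrives or record in the NOTE what evidence justified the change. The "Probably fixed earlier than 2.6.1" note also means the 2.6.1-1 fixed version is an upper bound, which is worth a TODO so it gets refined once details are known. The two glibc hunks (CVE-2021-27645, CVE-2021-3326) simply extend the existing buster/stretch triage to bullseye and need no change.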
@@ -20582,7 +20587,6 @@ CVE-2021-20201 [Client initiated renegotiation denial of service] NOTE: https://gitlab.freedesktop.org/spice/spice/-/commit/ca5bbc5692e052159bce1a75f55dc60b36078749 NOTE: https://gitlab.freedesktop.org/spice/spice/-/commit/95a0cfac8a1c8eff50f05e65df945da3bb501fc9 NOTE: https://blog.qualys.com/product-tech/2011/10/31/tls-renegotiation-and-denial-of-service-attacks - TODO: check details CVE-2021-20200 RESERVED NOTE: Red Hat duplicate assignment for CVE-2020-29369, should be rejected, contacted CNA @@ -31080,7 +31084,8 @@ CVE-2020-27821 (A flaw was found in the memory management API of QEMU during the NOTE: Introduced by: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=48564041a73adbbff52834f9edbe3806fceefab7 (v3.0) CVE-2020-27820 [use-after-free in nouveau kernel module] RESERVED - - linux + - linux (unimportant) + NOTE: No security impact, requires physical access to the computer CVE-2020-27819 (An issue was discovered in libxls before and including 1.6.1 when read ...) - r-cran-readxl (Embeds libxls, but not affected) NOTE: https://github.com/libxls/libxls/issues/84 
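Review bot: the spice hunk drops "TODO: check details" for CVE-2021-20201 without adding a NOTE recording what the check concluded; the three reference links remain, but a one-line outcome (which commit fixes it, or why no action is needed) would explain why the TODO was resolved. The CVE-2020-27820 hunk does this well: the "(unimportant)" marking is paired with a NOTE giving the reason (no security impact, requires physical access).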
@@ -36643,18 +36648,26 @@ CVE-2020-25674 (WriteOnePNGImage() from coders/png.c (the PNG coder) has a for l CVE-2020-25673 RESERVED - linux + [bullseye] - linux (Minor issue, revisit once fixed upstream) + [buster] - linux (Minor issue, revisit once fixed upstream) NOTE: https://www.openwall.com/lists/oss-security/2020/11/01/1 CVE-2020-25672 RESERVED - linux + [bullseye] - linux (Minor issue, revisit once fixed upstream) + [buster] - linux (Minor issue, revisit once fixed upstream) NOTE: https://www.openwall.com/lists/oss-security/2020/11/01/1 CVE-2020-25671 RESERVED - linux + [bullseye] - linux (Minor issue, revisit once fixed upstream) + [buster] - linux (Minor issue, revisit once fixed upstream) NOTE: https://www.openwall.com/lists/oss-security/2020/11/01/1 CVE-2020-25670 RESERVED - linux + [bullseye] - linux (Minor issue, revisit once fixed upstream) + [buster] - linux (Minor issue, revisit once fixed upstream) NOTE: https://www.openwall.com/lists/oss-security/2020/11/01/1 CVE-2020-25669 RESERVED @@ -67856,6 +67869,8 @@ CVE-2020-11988 (Apache XmlGraphics Commons 2.4 is vulnerable to server-side requ NOTE: https://issues.apache.org/jira/browse/XGC-122 CVE-2020-11987 (Apache Batik 1.13 is vulnerable to server-side request forgery, caused ...) - batik (bug #984829) + [bullseye] - batik (Minor issue) + [buster] - batik (Minor issue) [stretch] - batik (Minor issue) NOTE: https://github.com/apache/xmlgraphics-batik/commit/0ef5b661a1f2d1110877ea9e0287987098f6 CVE-2020-11986 (To be able to analyze gradle projects, the build scripts need to be ex ...) @@ -96365,6 +96380,8 @@ CVE-2019-19450 RESERVED CVE-2019-19449 (In the Linux kernel 5.0.21, mounting a crafted f2fs
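Review bot: for CVE-2020-25670 through CVE-2020-25673 the four linux entries gain identical [bullseye]/[buster] lines reading "Minor issue, revisit once fixed upstream", but none carries a pointer beyond the oss-security post, so nothing in the entry will trigger the revisit; adding a NOTE with the upstream fix reference when it lands (as other entries in this file do with "Fixed by:") keeps the follow-up actionable. The batik hunk is consistent with the existing "[stretch] - batik (Minor issue)" line and needs no change.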
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-28543/varnish-modules
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7a1c28a9 by Salvatore Bonaccorso at 2021-03-16T21:53:58+01:00 Add CVE-2021-28543/varnish-modules - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -203,7 +203,9 @@ CVE-2021-28545 CVE-2021-28544 RESERVED CVE-2021-28543 (Varnish varnish-modules before 0.17.1 allows remote attackers to cause ...) - TODO: check + - varnish-modules + NOTE: https://varnish-cache.org/security/VSV6.html + TODO: check, if only 0.17.0 and later affected? CVE-2021-28542 RESERVED CVE-2021-28541 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7a1c28a968170ac6197b0679d8dedef48afd30b5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7a1c28a968170ac6197b0679d8dedef48afd30b5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
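Review bot: the TODO left on the varnish-modules entry ("check, if only 0.17.0 and later affected?") is the right open question given that the CVE text says "before 0.17.1", but the entry records neither a Debian bug reference nor a fixed version; once the affected range is settled, record the answer as a NOTE next to the VSV6 link and, if Debian ships an affected version, file and reference the bug as the gitlab-ci-multi-runner and crmsh commits in this batch do.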
[Git][security-tracker-team/security-tracker][master] Process more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 02bdff8a by Salvatore Bonaccorso at 2021-03-16T21:49:46+01:00 Process more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1613,7 +1613,7 @@ CVE-2021-27940 (resources/public/js/orchestrator.js in openark orchestrator befo CVE-2021-27939 RESERVED CVE-2021-27938 (A vulnerability has been identified in the Silverstripe CMS 3 and 4 ve ...) - TODO: check + NOT-FOR-US: Silverstripe CMS CVE-2021-27937 RESERVED CVE-2021-27936 @@ -13067,7 +13067,7 @@ CVE-2021-22889 CVE-2021-22888 RESERVED CVE-2021-22887 (A vulnerability in the BIOS of Pulse Secure (PSA-Series Hardware) mode ...) - TODO: check + NOT-FOR-US: BIOS of Pulse Secure (PSA-Series Hardware) models PSA5000 and PSA7000 CVE-2021-22886 RESERVED CVE-2021-22885 @@ -25756,7 +25756,7 @@ CVE-2020-28901 CVE-2020-28900 RESERVED CVE-2020-28899 (The Web CGI Script on ZyXEL LTE4506-M606 V1.00(ABDO.2)C0 devices does ...) - TODO: check + NOT-FOR-US: ZyXEL CVE-2020-28898 RESERVED CVE-2020-28897 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02bdff8a0ada49e517f4a66b9589d03a852ea73b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02bdff8a0ada49e517f4a66b9589d03a852ea73b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug references for gitlab-ci-multi-runner issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: aa472170 by Salvatore Bonaccorso at 2021-03-16T21:38:43+01:00 Add Debian bug references for gitlab-ci-multi-runner issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -64341,7 +64341,7 @@ CVE-2020-13329 (An issue has been discovered in GitLab affecting versions from 1 CVE-2020-13328 (An issue has been discovered in GitLab affecting versions prior to 13. ...) - gitlab 13.2.3-2 CVE-2020-13327 (An issue has been discovered in GitLab Runner affecting all versions s ...) - - gitlab-ci-multi-runner + - gitlab-ci-multi-runner (bug #985377) CVE-2020-13326 (A vulnerability was discovered in GitLab versions prior to 13.1. Under ...) - gitlab 13.2.3-2 CVE-2020-13325 (A vulnerability was discovered in GitLab versions prior 13.1. The comm ...) @@ -64427,7 +64427,7 @@ CVE-2020-13297 (A vulnerability was discovered in GitLab versions before 13.1.10 CVE-2020-13296 (An issue has been discovered in GitLab affecting versions =10.7 ...) - gitlab 13.2.6-1 CVE-2020-13295 (For GitLab Runner before 13.0.12, 13.1.6, 13.2.3, by replacing dockerd ...) - - gitlab-ci-multi-runner + - gitlab-ci-multi-runner (bug #985377) NOTE: https://about.gitlab.com/releases/2020/08/05/gitlab-13-2-3-released/ CVE-2020-13294 (In GitLab before 13.0.12, 13.1.6 and 13.2.3, access grants were not re ...) [experimental] - gitlab 13.1.6-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aa472170e17e8a69fafe3a76fbb6b7379bfa4917 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aa472170e17e8a69fafe3a76fbb6b7379bfa4917 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
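Review bot: both gitlab-ci-multi-runner entries now carry bug #985377, but only CVE-2020-13295 has a NOTE with an upstream reference (the 13.2.3 release announcement); CVE-2020-13327 has none, so adding the matching upstream URL would make the two entries equally traceable. Neither entry has a fixed version, which is correct while the bug is open.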
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-35459
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8bb5969a by Salvatore Bonaccorso at 2021-03-16T21:36:39+01:00 Add Debian bug reference for CVE-2020-35459 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21374,7 +21374,7 @@ CVE-2020-35460 (common/InputStreamHelper.java in Packwood MPXJ before 8.3.5 allo NOT-FOR-US: Packwood MPXJ CVE-2020-35459 (An issue was discovered in ClusterLabs crmsh through 4.2.1. Local atta ...) {DLA-2533-1} - - crmsh + - crmsh (bug #985376) NOTE: https://www.openwall.com/lists/oss-security/2021/01/12/3 CVE-2020-35458 (An issue was discovered in ClusterLabs Hawk 2.x through 2.3.0-x. There ...) - hawk (bug #634344) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8bb5969abc57072b14e63c80cfaa0c04e513d09e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8bb5969abc57072b14e63c80cfaa0c04e513d09e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2d355442 by Salvatore Bonaccorso at 2021-03-16T21:34:58+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -87723,9 +87723,9 @@ CVE-2020-4893 (IBM Emptoris Strategic Supply Management 10.1.0, 10.1.1, and 10.1 CVE-2020-4892 (IBM Emptoris Contract Management 10.1.3 is vulnerable to cross-site sc ...) NOT-FOR-US: IBM CVE-2020-4891 (IBM Spectrum Scale 5.0.0 through 5.0.5.5 and 5.1.0 through 5.1.0.2 use ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4890 (IBM Spectrum Scale 5.0.0 through 5.0.5.5 and 5.1.0 through 5.1.0.2 cou ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4889 (IBM Spectrum Scale 5.0.0 through 5.0.5.4 and 5.1.0 could allow a local ...) NOT-FOR-US: IBM CVE-2020-4888 (IBM QRadar SIEM 7.4.0 to 7.4.2 Patch 1 and 7.3.0 to 7.3.3 Patch 7 coul ...) @@ -87803,7 +87803,7 @@ CVE-2020-4853 CVE-2020-4852 RESERVED CVE-2020-4851 (IBM Spectrum Scale 5.0.0 through 5.0.5.5 and 5.1.0 through 5.1.0.2 cou ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4850 RESERVED CVE-2020-4849 (IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.19 Interim Fix 7 could ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d355442701cdb01681eddbe4a1cf192c20a64e2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d355442701cdb01681eddbe4a1cf192c20a64e2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for tor update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d67e06f3 by Salvatore Bonaccorso at 2021-03-16T21:19:42+01:00 Reserve DSA number for tor update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[16 Mar 2021] DSA-4871-1 tor - security update + {CVE-2021-28089 CVE-2021-28090} + [buster] - tor 0.3.5.14-1 [12 Mar 2021] DSA-4870-1 pygments - security update {CVE-2021-20270} [buster] - pygments 2.3.1+dfsg-1+deb10u1 = data/dsa-needed.txt = @@ -36,8 +36,6 @@ salt -- tomcat9 -- -tor (carnil) --- xen (jmm) will be held back to sync with next kernel update -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d67e06f3fe1bc6e9b62b359e4bc94afcff0e98c4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d67e06f3fe1bc6e9b62b359e4bc94afcff0e98c4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
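Review bot: the new DSA-4871-1 entry lists CVE-2021-28089 and CVE-2021-28090 with buster fixed in 0.3.5.14-1, but data/CVE/list is not touched here, so the two CVE entries will not show the advisory until a "{DSA-4871-1}" cross-reference line is added in the form the file uses elsewhere (compare "{DLA-2533-1}" on the crmsh entry). In dsa-needed.txt the removal of "tor (carnil)" together with its "--" separator leaves the list balanced.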
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ab67182f by security tracker role at 2021-03-16T20:10:31+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,309 @@ +CVE-2021-3445 + RESERVED +CVE-2021-28644 + RESERVED +CVE-2021-28643 + RESERVED +CVE-2021-28642 + RESERVED +CVE-2021-28641 + RESERVED +CVE-2021-28640 + RESERVED +CVE-2021-28639 + RESERVED +CVE-2021-28638 + RESERVED +CVE-2021-28637 + RESERVED +CVE-2021-28636 + RESERVED +CVE-2021-28635 + RESERVED +CVE-2021-28634 + RESERVED +CVE-2021-28633 + RESERVED +CVE-2021-28632 + RESERVED +CVE-2021-28631 + RESERVED +CVE-2021-28630 + RESERVED +CVE-2021-28629 + RESERVED +CVE-2021-28628 + RESERVED +CVE-2021-28627 + RESERVED +CVE-2021-28626 + RESERVED +CVE-2021-28625 + RESERVED +CVE-2021-28624 + RESERVED +CVE-2021-28623 + RESERVED +CVE-2021-28622 + RESERVED +CVE-2021-28621 + RESERVED +CVE-2021-28620 + RESERVED +CVE-2021-28619 + RESERVED +CVE-2021-28618 + RESERVED +CVE-2021-28617 + RESERVED +CVE-2021-28616 + RESERVED +CVE-2021-28615 + RESERVED +CVE-2021-28614 + RESERVED +CVE-2021-28613 + RESERVED +CVE-2021-28612 + RESERVED +CVE-2021-28611 + RESERVED +CVE-2021-28610 + RESERVED +CVE-2021-28609 + RESERVED +CVE-2021-28608 + RESERVED +CVE-2021-28607 + RESERVED +CVE-2021-28606 + RESERVED +CVE-2021-28605 + RESERVED +CVE-2021-28604 + RESERVED +CVE-2021-28603 + RESERVED +CVE-2021-28602 + RESERVED +CVE-2021-28601 + RESERVED +CVE-2021-28600 + RESERVED +CVE-2021-28599 + RESERVED +CVE-2021-28598 + RESERVED +CVE-2021-28597 + RESERVED +CVE-2021-28596 + RESERVED +CVE-2021-28595 + RESERVED +CVE-2021-28594 + RESERVED +CVE-2021-28593 + RESERVED +CVE-2021-28592 + RESERVED +CVE-2021-28591 + RESERVED +CVE-2021-28590 + RESERVED +CVE-2021-28589 + RESERVED +CVE-2021-28588 + RESERVED +CVE-2021-28587 + RESERVED +CVE-2021-28586 + RESERVED +CVE-2021-28585 + RESERVED +CVE-2021-28584 + RESERVED +CVE-2021-28583 + RESERVED +CVE-2021-28582 + RESERVED +CVE-2021-28581 + RESERVED +CVE-2021-28580 + RESERVED +CVE-2021-28579 + RESERVED +CVE-2021-28578 + RESERVED +CVE-2021-28577 + RESERVED +CVE-2021-28576 + RESERVED +CVE-2021-28575 + RESERVED +CVE-2021-28574 + RESERVED +CVE-2021-28573 + RESERVED 
+CVE-2021-28572 + RESERVED +CVE-2021-28571 + RESERVED +CVE-2021-28570 + RESERVED +CVE-2021-28569 + RESERVED +CVE-2021-28568 + RESERVED +CVE-2021-28567 + RESERVED +CVE-2021-28566 + RESERVED +CVE-2021-28565 + RESERVED +CVE-2021-28564 + RESERVED +CVE-2021-28563 + RESERVED +CVE-2021-28562 + RESERVED +CVE-2021-28561 + RESERVED +CVE-2021-28560 + RESERVED +CVE-2021-28559 + RESERVED +CVE-2021-28558 + RESERVED +CVE-2021-28557 + RESERVED +CVE-2021-28556 + RESERVED +CVE-2021-28555 + RESERVED +CVE-2021-28554 + RESERVED +CVE-2021-28553 + RESERVED +CVE-2021-28552 + RESERVED +CVE-2021-28551 + RESERVED +CVE-2021-28550 + RESERVED +CVE-2021-28549 + RESERVED +CVE-2021-28548 + RESERVED +CVE-2021-28547 + RESERVED +CVE-2021-28546 + RESERVED +CVE-2021-28545 + RESERVED +CVE-2021-28544 + RESERVED +CVE-2021-28543 (Varnish varnish-modules before 0.17.1 allows remote attackers to cause ...) + TODO: check +CVE-2021-28542 + RESERVED +CVE-2021-28541 + RESERVED +CVE-2021-28540 + RESERVED +CVE-2021-28539 + RESERVED +CVE-2021-28538 + RESERVED +CVE-2021-28537 + RESERVED +CVE-2021-28536 + RESERVED +CVE-2021-28535 + RESERVED +CVE-2021-28534 + RESERVED +CVE-2021-28533 + RESERVED +CVE-2021-28532 + RESERVED +CVE-2021-28531 + RESERVED +CVE-2021-28530 + RESERVED +CVE-2021-28529 + RESERVED +CVE-2021-28528 + RESERVED +CVE-2021-28527 + RESERVED +CVE-2021-28526 + RESERVED +CVE-2021-28525 + RESERVED +CVE-2021-28524 + RESERVED +CVE-2021-28523 + RESERVED +CVE-2021-28522 + RESERVED +CVE-2021-28521 + RESERVED +CVE-2021-28520 + RESERVED +CVE-2021-28519 + RESERVED +CVE-2021-28518 + RESERVED +CVE-2021-28517 + RESERVED +CVE-2021-28516 + RESERVED +CVE-2021-28515 + RESERVED +CVE-2021-28514 + RESERVED +CVE-2021-28513 + RESERVED +CVE-2021-28512 + RESERVED +CVE-2021-28511 + RESERVED +CVE-2021-28510 + RESERVED +CVE-2021-28509 + RESERVED +CVE-2021-28508 + RESERVED
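Review bot: of the roughly 300 added lines, every entry except CVE-2021-28543 is a bare RESERVED placeholder; the one entry with a description (varnish-modules before 0.17.1) is left at "TODO: check", so it is the only line in this automatic update that needs human triage.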
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2021-280{89,90}/tor via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dbd95bc8 by Salvatore Bonaccorso at 2021-03-16T21:02:53+01:00 Add fixed version for CVE-2021-280{89,90}/tor via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -959,13 +959,13 @@ CVE-2021-28091 RESERVED CVE-2021-28090 RESERVED - - tor + - tor 0.4.5.7-1 [stretch] - tor (See DSA 4644) NOTE: https://blog.torproject.org/node/2009 NOTE: https://bugs.torproject.org/tpo/core/tor/40316 CVE-2021-28089 RESERVED - - tor + - tor 0.4.5.7-1 [stretch] - tor (See DSA 4644) NOTE: https://blog.torproject.org/node/2009 NOTE: https://bugs.torproject.org/tpo/core/tor/40286 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dbd95bc81ad042c727dfc76c1c24f005351f2cae -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dbd95bc81ad042c727dfc76c1c24f005351f2cae You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
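Review bot: both tor entries now record 0.4.5.7-1 as the unstable fixed version next to the existing "[stretch] - tor (See DSA 4644)" line, but there is no [buster] line, so buster reads as unfixed until the DSA reference is attached; the two entries are otherwise parallel (same blog post, distinct upstream tickets 40316 and 40286), which is the right shape.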
[Git][security-tracker-team/security-tracker][master] Take tor for DSA release
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6859a72f by Salvatore Bonaccorso at 2021-03-16T20:51:51+01:00 Take tor for DSA release - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -36,7 +36,7 @@ salt -- tomcat9 -- -tor +tor (carnil) -- xen (jmm) will be held back to sync with next kernel update View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6859a72f236b41e4cead9897841187260e24ab03 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6859a72f236b41e4cead9897841187260e24ab03 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: take python2.7
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: e637015b by Anton Gladky at 2021-03-16T19:29:55+01:00 LTS: take python2.7 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -76,7 +76,7 @@ php-pear -- pillow (Abhijith PA) -- -python2.7 +python2.7 (Anton Gladky) NOTE: 20210316: Same issue as python3.5 immediately below; suggest handled by same maintainer. (lamby) -- python3.5 (Anton Gladky) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e637015b140bc279ec122f4f47cc0a47bff62d5a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e637015b140bc279ec122f4f47cc0a47bff62d5a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add end-of-life marking for stretch for CVE-2021-28089 and CVE-2021-28090
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e8103551 by Salvatore Bonaccorso at 2021-03-16T16:50:33+01:00 Add end-of-life marking for stretch for CVE-2021-28089 and CVE-2021-28090 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -960,11 +960,13 @@ CVE-2021-28091 CVE-2021-28090 RESERVED - tor + [stretch] - tor (See DSA 4644) NOTE: https://blog.torproject.org/node/2009 NOTE: https://bugs.torproject.org/tpo/core/tor/40316 CVE-2021-28089 RESERVED - tor + [stretch] - tor (See DSA 4644) NOTE: https://blog.torproject.org/node/2009 NOTE: https://bugs.torproject.org/tpo/core/tor/40286 CVE-2020-36256 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8103551193e19ebe51776ad2ec65cfea86454d7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8103551193e19ebe51776ad2ec65cfea86454d7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
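Review bot: the commit title calls this an end-of-life marking for stretch, but the added lines say only "[stretch] - tor (See DSA 4644)", which a reader must look up to learn that tor is no longer supported in stretch; if the tracker's conventions allow it, an explicit end-of-life annotation or a short NOTE saying so would make the status self-explanatory.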
[Git][security-tracker-team/security-tracker][master] Add tor to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dc7adc82 by Salvatore Bonaccorso at 2021-03-16T16:49:03+01:00 Add tor to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -36,6 +36,8 @@ salt -- tomcat9 -- +tor +-- xen (jmm) will be held back to sync with next kernel update -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc7adc82c9de22e8cfbb5a849411f8eee76996cd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc7adc82c9de22e8cfbb5a849411f8eee76996cd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Further update CVE-2020-27844 status
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a575ed36 by Salvatore Bonaccorso at 2021-03-16T16:40:08+01:00 Further update CVE-2020-27844 status As Emilio has found this never affected an upstream tagged version nor a Debian released version. We can mark every unstable version as well as not affected. Thanks: Emilio Pozuelo Monfort - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -30655,11 +30655,9 @@ CVE-2020-27845 (There's a flaw in src/lib/openjp2/pi.c of openjpeg in versions p NOTE: https://github.com/uclouvain/openjpeg/issues/1302 NOTE: https://github.com/uclouvain/openjpeg/commit/8f5aff1dff510a964d3901d0fba281abec98ab63 (v2.4.0) CVE-2020-27844 (A flaw was found in openjpeg's src/lib/openjp2/t2.c in versions prior ...) - - openjpeg2 2.4.0-1 - [buster] - openjpeg2 (Vulnerable code introduced and fixed in 2.4.0) - [stretch] - openjpeg2 (Vulnerable code introduced and fixed in 2.4.0) + - openjpeg2 (Vulnerable code introduced and fixed in 2.4.0) NOTE: https://github.com/uclouvain/openjpeg/issues/1299 - NOTE: https://github.com/uclouvain/openjpeg/commit/73fdf28342e4594019af26eb6a347a34eceb6296 (v2.4.0) + NOTE: Fixed by: https://github.com/uclouvain/openjpeg/commit/73fdf28342e4594019af26eb6a347a34eceb6296 (v2.4.0) NOTE: Introduced by: https://github.com/uclouvain/openjpeg/commit/4edb8c83374f52cd6a8f2c7c875e8ffacccb5fa5 CVE-2020-27843 (A flaw was found in OpenJPEG in versions prior to 2.4.0. This flaw all ...) - openjpeg2 2.4.0-1 (bug #983663) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a575ed3666b18379cd9b166829f034d0aa640a58 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a575ed3666b18379cd9b166829f034d0aa640a58 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
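Review bot: collapsing the three lines into an unversioned "- openjpeg2 (Vulnerable code introduced and fixed in 2.4.0)" removes the 2.4.0-1 fixed version, so the tracker will treat no Debian version as affected; that matches the commit message's finding that the bug never reached a tagged upstream or released Debian version. Since the CVE description still says "versions prior to 2.4.0", the retained "Introduced by:" NOTE and the relabelled "Fixed by:" NOTE are what let the entry stand against that wording, so keep both commit references in place.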
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-280{89,90}/tor
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4811185e by Salvatore Bonaccorso at 2021-03-16T16:34:51+01:00 Add CVE-2021-280{89,90}/tor - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -959,8 +959,14 @@ CVE-2021-28091 RESERVED CVE-2021-28090 RESERVED + - tor + NOTE: https://blog.torproject.org/node/2009 + NOTE: https://bugs.torproject.org/tpo/core/tor/40316 CVE-2021-28089 RESERVED + - tor + NOTE: https://blog.torproject.org/node/2009 + NOTE: https://bugs.torproject.org/tpo/core/tor/40286 CVE-2020-36256 RESERVED CVE-2021-21381 (Flatpak is a system for building, distributing, and running sandboxed ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4811185ef38b372789a35fcf1d4dbf00b64b2c82 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4811185ef38b372789a35fcf1d4dbf00b64b2c82 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: reference work on shadow
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: e838207a by Sylvain Beucler at 2021-03-16T14:27:21+01:00 dla: reference work on shadow - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -114,6 +114,9 @@ ruby-kaminari -- salt (Utkarsh) -- +shadow (Sylvain Beucler) + NOTE: 20210316: found new CVE, discussing with secteam +-- shiro NOTE: 20200920: WIP NOTE: 20200928: Still awaiting reponse to request for assistance sent to upstream dev list. (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e838207a78614f15a80b1def249fb33feb26f3df -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e838207a78614f15a80b1def249fb33feb26f3df You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1dc92906 by Moritz Muehlenhoff at 2021-03-16T14:22:40+01:00 NFUs - - - - - 2326b6c9 by Moritz Muehlenhoff at 2021-03-16T14:23:39+01:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1577,7 +1577,7 @@ CVE-2021-27819 CVE-2021-27818 RESERVED CVE-2021-27817 (A remote command execution vulnerability in shopxo 1.9.3 allows an att ...) - TODO: check + NOT-FOR-US: shopxo CVE-2021-27816 RESERVED CVE-2021-27815 @@ -2520,9 +2520,9 @@ CVE-2021-27383 CVE-2021-27382 RESERVED CVE-2021-27381 (A vulnerability has been identified in Solid Edge SE2020 (All Versions ...) - TODO: check + NOT-FOR-US: Solid Edge SE2020 CVE-2021-27380 (A vulnerability has been identified in Solid Edge SE2020 (All Versions ...) - TODO: check + NOT-FOR-US: Solid Edge SE2020 CVE-2021-27379 (An issue was discovered in Xen through 4.11.x, allowing x86 Intel HVM ...) - xen 4.14.0+80-gd101b417b7-1 [stretch] - xen (Incomplete fix for CVE-2020-15565 not applied) @@ -2840,7 +2840,7 @@ CVE-2021-27232 (The RTSPLive555.dll ActiveX control in Pelco Digital Sentry Serv CVE-2021-27231 (Hestia Control Panel through 1.3.3, in a shared-hosting environment, s ...) NOT-FOR-US: Hestia Control Panel CVE-2021-27230 (ExpressionEngine before 5.4.2 and 6.x before 6.0.3 allows PHP Code Inj ...) - TODO: check + NOT-FOR-US: ExpressionEngine CVE-2021-27229 (Mumble before 1.3.4 allows remote code execution if a victim navigates ...) {DLA-2562-1} - mumble 1.3.4-1 (bug #982904) @@ -3380,7 +3380,7 @@ CVE-2021-26989 (Clustered Data ONTAP versions prior to 9.3P21, 9.5P16, 9.6P12, 9 CVE-2021-26988 (Clustered Data ONTAP versions prior to 9.3P21, 9.5P16, 9.6P12, 9.7P8 a ...) NOT-FOR-US: Clustered Data ONTAP CVE-2021-26987 (Element Plug-in for vCenter Server incorporates SpringBoot Framework. ...) - TODO: check + NOT-FOR-US: Element Plug-in for vCenter Server CVE-2021-26986 RESERVED CVE-2021-26985 
@@ -3560,9 +3560,9 @@ CVE-2021-26925 (Roundcube before 1.4.11 allows XSS via crafted Cascading Style S NOTE: https://roundcube.net/news/2021/02/08/security-update-1.4.11 NOTE: https://github.com/roundcube/roundcubemail/commit/9dc276d5f26042db02754fa1bac6fbd683c6d596 CVE-2021-26924 (An issue was discovered in Argo CD before 1.8.4. Browser XSS protectio ...) - TODO: check + NOT-FOR-US: Argo CD CVE-2021-26923 (An issue was discovered in Argo CD before 1.8.4. Accessing the endpoin ...) - TODO: check + NOT-FOR-US: Argo CD CVE-2021-26922 RESERVED CVE-2021-26921 (In util/session/sessionmanager.go in Argo CD before 1.8.4, tokens cont ...) @@ -6767,13 +6767,13 @@ CVE-2021-25678 CVE-2021-25677 RESERVED CVE-2021-25676 (A vulnerability has been identified in RUGGEDCOM RM1224 (V6.3), SCALAN ...) - TODO: check + NOT-FOR-US: Siemens CVE-2021-25675 (A vulnerability has been identified in SIMATIC S7-PLCSIM V5.4 (All ver ...) - TODO: check + NOT-FOR-US: Siemens CVE-2021-25674 (A vulnerability has been identified in SIMATIC S7-PLCSIM V5.4 (All ver ...) - TODO: check + NOT-FOR-US: Siemens CVE-2021-25673 (A vulnerability has been identified in SIMATIC S7-PLCSIM V5.4 (All ver ...) - TODO: check + NOT-FOR-US: Siemens CVE-2021-25672 (A vulnerability has been identified in Mendix Forgot Password Appstore ...) NOT-FOR-US: Mendix Forgot Password Appstore module CVE-2021-25671 @@ -6785,7 +6785,7 @@ CVE-2021-25669 CVE-2021-25668 RESERVED CVE-2021-25667 (A vulnerability has been identified in RUGGEDCOM RM1224 (All versions ...) - TODO: check + NOT-FOR-US: Siemens CVE-2021-25666 (A vulnerability has been identified in SCALANCE W780 and W740 (IEEE 80 ...) NOT-FOR-US: Siemens CVE-2021-25665 
@@ -7915,7 +7915,7 @@ CVE-2021-3152 (** DISPUTED ** Home Assistant before 2021.1.3 does not have a pro CVE-2021-3151 (i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) ...) NOT-FOR-US: i-doit CVE-2021-3150 (A cross-site scripting (XSS) vulnerability on the Delete Personal Data ...) - TODO: check + NOT-FOR-US: Cryptshare Server CVE-2021-3149 (On Netshield NANO 25 10.2.18 devices, /usr/local/webmin/System/manual_ ...) NOT-FOR-US: Netshield NANO devices CVE-2021-3148 (An issue was discovered in SaltStack Salt before 3002.5. Sending craft ...) @@ -10299,7 +10299,7 @@ CVE-2021-24033 (react-dev-utils prior to v11.0.4 exposes a function, getProcessF CVE-2021-24030 (The fbgames protocol handler registered as part of Facebook Gameroom d ...) NOT-FOR-US: Facebook Gameroom CVE-2021-24029 (A packet of death scenario is possible in mvfst via
[Git][security-tracker-team/security-tracker][master] CVE-2020-27844/openjpeg2 n/a on buster & stretch
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 7ac5d178 by Emilio Pozuelo Monfort at 2021-03-16T13:22:57+01:00 CVE-2020-27844/openjpeg2 n/a on buster & stretch The issue was introduced during the development of 2.4.0 and fixed in that version, so was never in any version in Debian. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -30649,8 +30649,11 @@ CVE-2020-27845 (There's a flaw in src/lib/openjp2/pi.c of openjpeg in versions p NOTE: https://github.com/uclouvain/openjpeg/commit/8f5aff1dff510a964d3901d0fba281abec98ab63 (v2.4.0) CVE-2020-27844 (A flaw was found in openjpeg's src/lib/openjp2/t2.c in versions prior ...) - openjpeg2 2.4.0-1 + [buster] - openjpeg2 (Vulnerable code introduced and fixed in 2.4.0) + [stretch] - openjpeg2 (Vulnerable code introduced and fixed in 2.4.0) NOTE: https://github.com/uclouvain/openjpeg/issues/1299 NOTE: https://github.com/uclouvain/openjpeg/commit/73fdf28342e4594019af26eb6a347a34eceb6296 (v2.4.0) + NOTE: Introduced by: https://github.com/uclouvain/openjpeg/commit/4edb8c83374f52cd6a8f2c7c875e8ffacccb5fa5 CVE-2020-27843 (A flaw was found in OpenJPEG in versions prior to 2.4.0. This flaw all ...) - openjpeg2 2.4.0-1 (bug #983663) [buster] - openjpeg2 (Minor issue) = data/dla-needed.txt = 
@@ -72,11 +72,6 @@ opendmarc NOTE: 20201217: patch for CVE-2020-12460 has become available (roberto) NOTE: 20210104: wait for other CVEs (abhijith) -- -openjpeg2 (Emilio) - NOTE: 20210316: CVE-2020-27844.patch exists in source (via DLA-2550-1), but - NOTE: 20210316: does not exist in debian/patches/series or is otherwise not - NOTE: 20210316: applied. See b8ffed3c021 for more. (lamby) --- php-pear -- pillow (Abhijith PA) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ac5d178b243580aea3f6c91637511aa235d057d
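Review bot: the dla-needed.txt hunk drops the openjpeg2 entry whose NOTE lines record that CVE-2020-27844.patch ships in the stretch source (via DLA-2550-1) without being listed in debian/patches/series; now that the CVE/list hunk marks stretch and buster as unaffected (vulnerable code introduced and fixed in 2.4.0), that unapplied patch file is stale. Either drop it from the stretch package on its next upload or record in the CVE/list NOTE that it is intentionally unapplied, so the discrepancy is not re-triaged later.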
[Git][security-tracker-team/security-tracker][master] lts: take openjpeg2
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 1deaff56 by Emilio Pozuelo Monfort at 2021-03-16T12:52:06+01:00 lts: take openjpeg2 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -72,7 +72,7 @@ opendmarc NOTE: 20201217: patch for CVE-2020-12460 has become available (roberto) NOTE: 20210104: wait for other CVEs (abhijith) -- -openjpeg2 +openjpeg2 (Emilio) NOTE: 20210316: CVE-2020-27844.patch exists in source (via DLA-2550-1), but NOTE: 20210316: does not exist in debian/patches/series or is otherwise not NOTE: 20210316: applied. See b8ffed3c021 for more. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1deaff56ca725dea0fae474eaf7e9bfd14672080
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage squid3 for stretch LTS (CVE-2020-25097 & CVE-2021-28116).
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 82c50362 by Chris Lamb at 2021-03-16T11:12:10+00:00 data/dla-needed.txt: Triage squid3 for stretch LTS (CVE-2020-25097 & CVE-2021-28116). - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -133,6 +133,10 @@ spotweb NOTE: 20210122: Upstream fix trivially bypassed, reported under CVE-2021-3286 NOTE: 20210127: Upstream says "we can fix this but it may take some time", revisit later (Beuc) -- +squid3 + NOTE: 20210316: Patch is for squid 4.0, but vulnerable to in CVE-2020-25097 in src/url.cc. (lamby) + NOTE: 20210316: Also check CVE-2021-28116. (lamby) +-- subversion (Thorsten Alteholz) NOTE: 20210307: solving build problems (on IPv6 only host) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/82c503623cdf27337861d7e556c646437a36795a
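Review bot: the first added NOTE line under squid3, "Patch is for squid 4.0, but vulnerable to in CVE-2020-25097 in src/url.cc", does not parse; state plainly what was established, e.g. "Upstream patch is against squid 4.x; stretch's squid3 carries the affected code in src/url.cc, so the fix needs backporting". The second NOTE line only says to check CVE-2021-28116 without recording any finding; a word on whether stretch is affected would spare the next LTS worker a repeat of the same check.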
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage ruby-activerecord-session-store for stretch LTS (CVE-2019-25025).
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 3e2933b5 by Chris Lamb at 2021-03-16T11:02:15+00:00 data/dla-needed.txt: Triage ruby-activerecord-session-store for stretch LTS (CVE-2019-25025). - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -96,6 +96,8 @@ ruby-actionpack-page-caching NOTE: 20200819: uses the path without normalising any "../" etc., simply NOTE: 20200819: URI.parser.unescap-ing it. Requires more investigation. (lamby) -- +ruby-activerecord-session-store +-- ruby-doorkeeper NOTE: 20200831: it's a breaking change, I'd rather not want to issue a DLA for this. (utkarsh) NOTE: 20200831: in case it's really DLA worthy, I'd be very careful with this update. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e2933b5012a70d8d5fc90b69971c1550fac32ec
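Review bot: the added +ruby-activerecord-session-store entry carries no NOTE line, unlike the neighbouring entries, and the CVE it is about (CVE-2019-25025, named only in the commit message) does not appear in the hunk at all; add a "NOTE: 20210316:" line naming the CVE and what the triage found so the person who claims the package has the context without going back to the git log.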
[Git][security-tracker-team/security-tracker][master] Triage CVE-2020-8031 in open-build-service for stretch LTS
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: dbc0ad0a by Chris Lamb at 2021-03-16T10:59:05+00:00 Triage CVE-2020-8031 in open-build-service for stretch LTS - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -79101,6 +79101,7 @@ CVE-2020-8032 (A Insecure Temporary File vulnerability in the packaging of cyrus - cyrus-sasl2 (openSUSE specific packaging issue) CVE-2020-8031 (A Improper Neutralization of Input During Web Page Generation ('Cross- ...) - open-build-service (bug #983576) + [stretch] - open-build-service (Minor issue, XSS in web app) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1178880 CVE-2020-8030 (A Insecure Temporary File vulnerability in skuba of SUSE CaaS Platform ...) NOT-FOR-US: SuSE CaaS View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dbc0ad0a3f02541f17760a48a453e321b158ff38
[Git][security-tracker-team/security-tracker][master] Triage CVE-2021-24115 for botan1.10 in stretch LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: fa9460ce by Chris Lamb at 2021-03-16T10:56:30+00:00 Triage CVE-2021-24115 for botan1.10 in stretch LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10130,6 +10130,7 @@ CVE-2021-24116 CVE-2021-24115 (In Botan before 2.17.3, constant-time computations are not used for ce ...) - botan 2.17.3+dfsg-1 - botan1.10 + [stretch] - botan1.10 (Vulnerable code not present) NOTE: https://github.com/randombit/botan/pull/2549 CVE-2021-24114 (Microsoft Teams iOS Information Disclosure Vulnerability ...) NOT-FOR-US: Microsoft View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa9460ce6f41f77653a982788422be8f0ef27f30
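Review bot: the new "[stretch] - botan1.10 (Vulnerable code not present)" line sits directly under an unstable entry that still reads "- botan1.10" with no version, i.e. open and unfixed; if the 1.10 code base in stretch lacks the affected constant-time paths, the same almost certainly holds for the botan1.10 source package in unstable, so that line should be marked not-affected with the same reason rather than left looking like an open issue for the package.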
[Git][security-tracker-team/security-tracker][master] Triage CVE-2021-20248, CVE-2021-20249, CVE-2021-20266 & CVE-2021-20271 for rpm in stretch LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 44895e80 by Chris Lamb at 2021-03-16T10:53:48+00:00 Triage CVE-2021-20248, CVE-2021-20249, CVE-2021-20266 & CVE-2021-20271 for rpm in stretch LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19909,6 +19909,7 @@ CVE-2021-20271 - rpm (bug #985308) [bullseye] - rpm (Minor issue) [buster] - rpm (Minor issue) + [stretch] - rpm (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1934125 CVE-2021-20270 RESERVED @@ -19936,6 +19937,7 @@ CVE-2021-20266 - rpm (bug #985308) [bullseye] - rpm (Minor issue) [buster] - rpm (Minor issue) + [stretch] - rpm (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1927741 CVE-2021-20265 (A flaw was found in the way memory resources were freed in the unix_st ...) - linux 4.4.4-1 @@ -19993,12 +19995,14 @@ CVE-2021-20249 - rpm (bug #985308) [bullseye] - rpm (Minor issue) [buster] - rpm (Minor issue) + [stretch] - rpm (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1927742 CVE-2021-20248 RESERVED - rpm (bug #985308) [bullseye] - rpm (Minor issue) [buster] - rpm (Minor issue) + [stretch] - rpm (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1927740 CVE-2021-20247 (A flaw was found in mbsync before v1.3.5 and v1.4.1. Validations of th ...) - isync 1.3.0-2.1 (bug #983351) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/44895e800f1f8f41088e788d90b2b264eafb251e
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage openjpeg2 for stretch LTS (CVE-2020-27844).
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 2485dcf4 by Chris Lamb at 2021-03-16T10:52:41+00:00 data/dla-needed.txt: Triage openjpeg2 for stretch LTS (CVE-2020-27844). - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -72,6 +72,11 @@ opendmarc NOTE: 20201217: patch for CVE-2020-12460 has become available (roberto) NOTE: 20210104: wait for other CVEs (abhijith) -- +openjpeg2 + NOTE: 20210316: CVE-2020-27844.patch exists in source (via DLA-2550-1), but + NOTE: 20210316: does not exist in debian/patches/series or is otherwise not + NOTE: 20210316: applied. See b8ffed3c021 for more. (lamby) +-- php-pear -- pillow (Abhijith PA) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2485dcf42c02f9487e5366548533ea634ae63c50
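Review bot: the third added NOTE line says "See b8ffed3c021 for more" without naming which repository that commit lives in (the openjpeg2 packaging repository, the DLA-2550-1 upload, or the tracker itself); qualify the reference, e.g. with the repository name or a URL, so it can actually be followed by whoever picks the entry up.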
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage python2.7 for stretch LTS (CVE-2021-23336).
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: a50190ad by Chris Lamb at 2021-03-16T10:47:12+00:00 data/dla-needed.txt: Triage python2.7 for stretch LTS (CVE-2021-23336). - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -76,6 +76,9 @@ php-pear -- pillow (Abhijith PA) -- +python2.7 + NOTE: 20210316: Same issue as python3.5 immediately below; suggest handled by same maintainer. (lamby) +-- python3.5 (Anton Gladky) NOTE: 20210217: Fairly invasive change, changing/augmenting API of standard library. (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a50190ad15157e996fd050d031023127332223cd
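Review bot: the new python2.7 entry suggests it be handled by the same maintainer as python3.5 (Anton Gladky, immediately below) yet leaves the entry unclaimed; if that is the intent, put the name in parentheses after python2.7 as the other entries do, so nobody else picks it up separately and the two fixes for CVE-2021-23336 are prepared together.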
[Git][security-tracker-team/security-tracker][master] Revert "Track qtwebengine-opensource-src for CVE-2021-21193"
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b735e66b by Salvatore Bonaccorso at 2021-03-16T09:28:15+01:00 Revert "Track qtwebengine-opensource-src for CVE-2021-21193" This reverts commit 7a68d005eb91281aa3c1ca828a6f36502fc4763e. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17722,8 +17722,6 @@ CVE-2021-21193 RESERVED - chromium 89.0.4389.90-1 (bug #985142) [stretch] - chromium (see DSA 4562) - [experimental] - qtwebengine-opensource-src 5.15.3+dfsg-1 - - qtwebengine-opensource-src CVE-2021-21192 RESERVED - chromium 89.0.4389.90-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b735e66b77ab412f868d00ba3a646aa1949d8920
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 085d9a28 by security tracker role at 2021-03-16T08:10:24+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,4 +1,25 @@ +CVE-2021-3444 + RESERVED +CVE-2021-28492 + RESERVED +CVE-2021-28491 + RESERVED +CVE-2021-28490 + RESERVED +CVE-2021-28489 + RESERVED +CVE-2021-28488 + RESERVED +CVE-2021-28487 + RESERVED +CVE-2021-28486 + RESERVED +CVE-2021-28485 + RESERVED +CVE-2021-28484 + RESERVED CVE-2021-3443 [NULL pointer dereference in jp2_decode in jp2_dec.c] + RESERVED - jasper NOTE: https://github.com/jasper-software/jasper/issues/269 NOTE: https://github.com/jasper-software/jasper/commit/f94e7499a8b1471a4905c4f9c9e12e60fe88264b @@ -1436,8 +1457,7 @@ CVE-2021-27876 (An issue was discovered in Veritas Backup Exec before 21.2. The NOT-FOR-US: Veritas CVE-2021-3419 REJECTED -CVE-2021-3418 - RESERVED +CVE-2021-3418 (If certificates that signed grub are installed into db, grub can be bo ...) - grub2 (Vulnerability specific to distributions using shim_lock) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1933757 CVE-2021-27875 @@ -2819,8 +2839,8 @@ CVE-2021-27232 (The RTSPLive555.dll ActiveX control in Pelco Digital Sentry Serv NOT-FOR-US: Pelco Digital Sentry Server CVE-2021-27231 (Hestia Control Panel through 1.3.3, in a shared-hosting environment, s ...) NOT-FOR-US: Hestia Control Panel -CVE-2021-27230 - RESERVED +CVE-2021-27230 (ExpressionEngine before 5.4.2 and 6.x before 6.0.3 allows PHP Code Inj ...) + TODO: check CVE-2021-27229 (Mumble before 1.3.4 allows remote code execution if a victim navigates ...) {DLA-2562-1} - mumble 1.3.4-1 (bug #982904) 
@@ -3359,8 +3379,8 @@ CVE-2021-26989 (Clustered Data ONTAP versions prior to 9.3P21, 9.5P16, 9.6P12, 9 NOT-FOR-US: Clustered Data ONTAP CVE-2021-26988 (Clustered Data ONTAP versions prior to 9.3P21, 9.5P16, 9.6P12, 9.7P8 a ...) NOT-FOR-US: Clustered Data ONTAP -CVE-2021-26987 - RESERVED +CVE-2021-26987 (Element Plug-in for vCenter Server incorporates SpringBoot Framework. ...) + TODO: check CVE-2021-26986 RESERVED CVE-2021-26985 @@ -7486,6 +7506,7 @@ CVE-2021-3181 (rfc822.c in Mutt through 2.0.4 allows remote attackers to cause a CVE-2021-3180 RESERVED CVE-2021-25329 (The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10. ...) + {DLA-2594-1} - tomcat9 9.0.43-1 - tomcat8 - tomcat7 @@ -8051,6 +8072,7 @@ CVE-2021-25124 (The Baseboard Management Controller(BMC) in HPE Cloudline CL5800 CVE-2021-25123 (The Baseboard Management Controller(BMC) in HPE Cloudline CL5800 Gen9 ...) NOT-FOR-US: HPE CVE-2021-25122 (When responding to new h2c connection requests, Apache Tomcat versions ...) + {DLA-2594-1} - tomcat9 9.0.43-1 - tomcat8 - tomcat7 @@ -10057,6 +10079,7 @@ CVE-2021-24124 CVE-2021-24123 RESERVED CVE-2021-24122 (When serving resources from a network location using the NTFS file sys ...) + {DLA-2594-1} - tomcat9 9.0.40-1 (unimportant) - tomcat8 (unimportant) - tomcat7 (unimportant) @@ -10274,8 +10297,8 @@ CVE-2021-24033 (react-dev-utils prior to v11.0.4 exposes a function, getProcessF NOT-FOR-US: react-dev-utils CVE-2021-24030 (The fbgames protocol handler registered as part of Facebook Gameroom d ...) NOT-FOR-US: Facebook Gameroom -CVE-2021-24029 - RESERVED +CVE-2021-24029 (A packet of death scenario is possible in mvfst via a specially crafte ...) + TODO: check CVE-2021-24028 RESERVED CVE-2021-24027 
@@ -19838,20 +19861,15 @@ CVE-2021-20284 - binutils (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=26931 NOTE: binutils not covered by security support -CVE-2021-20283 - RESERVED +CVE-2021-20283 (The web service responsible for fetching other users' enrolled courses ...) - moodle -CVE-2021-20282 - RESERVED +CVE-2021-20282 (When creating a user account, it was possible to verify the account wi ...) - moodle -CVE-2021-20281 - RESERVED +CVE-2021-20281 (It was possible for some users without permission to view other users' ...) - moodle -CVE-2021-20280 - RESERVED +CVE-2021-20280 (Text-based feedback answers required additional sanitizing to prevent ...) - moodle -CVE-2021-20279 - RESERVED +CVE-2021-20279 (The ID number user profile field required additional sanitizing to pre ...) - moodle CVE-2021-20278 RESERVED @@ -32493,8 +32511,8 @@ CVE-2020-27292 RESERVED CVE-2020-27291 (Delta Electronics
[Git][security-tracker-team/security-tracker][master] 5 commits: Add CVE-2021-20283/moodle
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6705c661 by Salvatore Bonaccorso at 2021-03-16T08:21:54+01:00 Add CVE-2021-20283/moodle - - - - - 5a2ac639 by Salvatore Bonaccorso at 2021-03-16T08:22:26+01:00 Add CVE-2021-20282/moodle - - - - - 7a6f0ad4 by Salvatore Bonaccorso at 2021-03-16T08:23:02+01:00 Add CVE-2021-20281/moodle - - - - - 5aaeefc7 by Salvatore Bonaccorso at 2021-03-16T08:23:38+01:00 Add CVE-2021-20280/moodle - - - - - cbc97fba by Salvatore Bonaccorso at 2021-03-16T08:24:13+01:00 Add CVE-2021-20279/moodle - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19840,14 +19840,19 @@ CVE-2021-20284 NOTE: binutils not covered by security support CVE-2021-20283 RESERVED + - moodle CVE-2021-20282 RESERVED + - moodle CVE-2021-20281 RESERVED + - moodle CVE-2021-20280 RESERVED + - moodle CVE-2021-20279 RESERVED + - moodle CVE-2021-20278 RESERVED NOT-FOR-US: Kiali View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5f70fa9c8c8d407e8e35698cf797868ce962cc75...cbc97fbaaac84d6a946d3a8ef10eb6e2d9442716
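Review bot: the hunk adds "- moodle" under five still-RESERVED CVEs (CVE-2021-20279 through CVE-2021-20283) without a single NOTE line pointing at the upstream advisory or bug that motivated the entries, unlike the binutils entry just above it, which carries its bugzilla link; add a NOTE line with the Moodle reference for each so the affected versions and the fixing release can be verified once the CVE texts are published.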
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-20284/binutils
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5f70fa9c by Salvatore Bonaccorso at 2021-03-16T08:20:52+01:00 Add CVE-2021-20284/binutils - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19835,6 +19835,9 @@ CVE-2021-20285 [Illegal memory access in canPack function in p_lx_elf.cpp] NOTE: https://github.com/upx/upx/commit/3781df9da23840e596d5e9e8493f22666802fe6c CVE-2021-20284 RESERVED + - binutils (unimportant) + NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=26931 + NOTE: binutils not covered by security support CVE-2021-20283 RESERVED CVE-2021-20282 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f70fa9c8c8d407e8e35698cf797868ce962cc75
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-28210/edk2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f7a9b503 by Salvatore Bonaccorso at 2021-03-16T08:19:34+01:00 Add CVE-2021-28210/edk2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -575,8 +575,12 @@ CVE-2021-28211 [possible heap corruption with LzmaUefiDecompressGetInfo] NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1816 NOTE: https://github.com/tianocore/edk2/pull/1138 NOTE: https://github.com/tianocore/edk2/commit/e7bd0dd26db7e56aa8ca70132d6ea916ee6f3db0 -CVE-2021-28210 +CVE-2021-28210 [unlimited FV recursion, round 2] RESERVED + - edk2 2020.11-1 + NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1743 + NOTE: https://github.com/tianocore/edk2/pull/1137 + NOTE: https://github.com/tianocore/edk2/commit/47343af30435302c087027177613412a1a83e919 CVE-2021-28209 RESERVED CVE-2021-28208 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7a9b50355aab9bf43dac9c81cb6df99bcc6e775
[Git][security-tracker-team/security-tracker][master] Add CVE-202-28211/edk2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b576274e by Salvatore Bonaccorso at 2021-03-16T08:17:39+01:00 Add CVE-202-28211/edk2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -569,8 +569,12 @@ CVE-2021-28213 RESERVED CVE-2021-28212 RESERVED -CVE-2021-28211 +CVE-2021-28211 [possible heap corruption with LzmaUefiDecompressGetInfo] RESERVED + - edk2 2020.11-1 + NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1816 + NOTE: https://github.com/tianocore/edk2/pull/1138 + NOTE: https://github.com/tianocore/edk2/commit/e7bd0dd26db7e56aa8ca70132d6ea916ee6f3db0 CVE-2021-28210 RESERVED CVE-2021-28209 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b576274e7b585a53963e9e3837d0f398db52d54d
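Review bot: the commit subject reads "Add CVE-202-28211/edk2" while the hunk edits CVE-2021-28211; the identifier in the message is mistyped, which makes this commit hard to find when searching the log by CVE. The hunk itself is consistent with the sibling CVE-2021-28210 entry (same fixed version 2020.11-1, bugzilla, pull request and upstream commit references), so only the message needs attention.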
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-3443/jasper
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 246f11c9 by Salvatore Bonaccorso at 2021-03-16T08:12:45+01:00 Add CVE-2021-3443/jasper - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2021-3443 [NULL pointer dereference in jp2_decode in jp2_dec.c] + - jasper + NOTE: https://github.com/jasper-software/jasper/issues/269 + NOTE: https://github.com/jasper-software/jasper/commit/f94e7499a8b1471a4905c4f9c9e12e60fe88264b CVE-2021-3442 RESERVED CVE-2021-28483 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/246f11c921479d384f225a1e04d226a4c0ef8d0a