[Git][security-tracker-team/security-tracker][master] update note
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: cd9f2a2c by Abhijith PA at 2021-03-22T11:23:27+05:30 update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -92,6 +92,7 @@ opendmarc php-pear -- pillow (Abhijith PA) + NOTE: 20200322: Working on no-DSA tagged CVEs (abhijith) -- python2.7 (Anton Gladky) NOTE: 20210316: Same issue as python3.5 immediately below; suggest handled by same maintainer. (lamby) @@ -144,6 +145,7 @@ shiro (Roberto C. Sánchez) NOTE: 20201220: Upstream has responded. Working with them to backport fixes. (roberto) -- smarty3 (Abhijith PA) + NOTE: 20200322: CVE-2018-13982 need more time to backport (abhijith) -- spotweb NOTE: 20201220: The affected code uses string concatenation to construct a SQL query. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd9f2a2c075bf9faabc5dfbbe1a878744994cf08 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd9f2a2c075bf9faabc5dfbbe1a878744994cf08 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
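Review bot: the date stamp on the NOTE added in the pillow hunk reads 20200322, which matches neither the commit date (2021-03-22) nor the 2021-style stamps on the neighbouring notes (20210316, 20201220); it should read 20210322 so the note sorts correctly with the others.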
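Review bot: the smarty3 hunk has the same date-stamp slip (20200322 for a note written on 2021-03-22) plus a grammar error; suggest `NOTE: 20210322: CVE-2018-13982 needs more time to backport (abhijith)`.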
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2020-13959/velocity-tools via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6ca7dbdb by Salvatore Bonaccorso at 2021-03-22T05:08:18+01:00 Track fixed version for CVE-2020-13959/velocity-tools via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -63440,7 +63440,7 @@ CVE-2020-13960 (D-Link DSL 2730-U IN_1.10 and IN_1.11 and DIR-600M 3.04 devices NOT-FOR-US: D-Link CVE-2020-13959 (The default error page for VelocityView in Apache Velocity Tools prior ...) {DLA-2597-1} - - velocity-tools (bug #985221) + - velocity-tools 2.0-8 (bug #985221) NOTE: https://www.openwall.com/lists/oss-security/2021/03/10/2 NOTE: Fixed by: https://github.com/apache/velocity-tools/commit/e141828a4eb03e4b0224535eed12b5c463a24152 CVE-2020-13958 (A vulnerability in Apache OpenOffice scripting events allows an attack ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ca7dbdb2256639b3b138b1dc02525e79bcc38cf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ca7dbdb2256639b3b138b1dc02525e79bcc38cf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2020-35459/crmsh via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c6eae20 by Salvatore Bonaccorso at 2021-03-22T05:06:02+01:00 Track fixed version for CVE-2020-35459/crmsh via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22148,7 +22148,7 @@ CVE-2020-35460 (common/InputStreamHelper.java in Packwood MPXJ before 8.3.5 allo NOT-FOR-US: Packwood MPXJ CVE-2020-35459 (An issue was discovered in ClusterLabs crmsh through 4.2.1. Local atta ...) {DLA-2533-1} - - crmsh (bug #985376) + - crmsh 4.2.1-2 (bug #985376) NOTE: https://www.openwall.com/lists/oss-security/2021/01/12/3 CVE-2020-35458 (An issue was discovered in ClusterLabs Hawk 2.x through 2.3.0-x. There ...) - hawk (bug #634344) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c6eae206e72e8bcd382283caff20253e3fc4394 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c6eae206e72e8bcd382283caff20253e3fc4394 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: be470032 by security tracker role at 2021-03-21T20:10:27+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12880,8 +12880,8 @@ CVE-2021-23362 RESERVED CVE-2021-23361 RESERVED -CVE-2021-23360 - RESERVED +CVE-2021-23360 (This affects the package killport before 1.0.2. If (attacker-controlle ...) + TODO: check CVE-2021-23359 (This affects all versions of package port-killer. If (attacker-control ...) TODO: check CVE-2021-23358 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be470032f588f50feb3719e975ce5039721f17e4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be470032f588f50feb3719e975ce5039721f17e4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-26295 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 166eaf99 by Salvatore Bonaccorso at 2021-03-21T20:55:21+01:00 Add CVE-2021-26295 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6160,6 +6160,7 @@ CVE-2021-26296 (In the default configuration, Apache MyFaces Core versions 2.2.0 NOT-FOR-US: Apache MyFaces CVE-2021-26295 RESERVED + NOT-FOR-US: Apache OFBiz CVE-2021- (Opmantek Open-AudIT 4.0.1 is affected by cross-site scripting (XSS). W ...) NOT-FOR-US: Open-AudIT CVE-2021-3332 (WPS Hide Login 1.6.1 allows remote attackers to bypass a protection me ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/166eaf99edcb0a09fb446d78d0380197ff4c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/166eaf99edcb0a09fb446d78d0380197ff4c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-28831/busybox
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1dfd4e36 by Salvatore Bonaccorso at 2021-03-21T20:46:31+01:00 Add Debian bug reference for CVE-2021-28831/busybox - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -285,7 +285,7 @@ CVE-2021-28833 CVE-2021-28832 RESERVED CVE-2021-28831 (decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit ...) - - busybox + - busybox (bug #985674) [buster] - busybox (Minor issue) NOTE: https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd CVE-2021- [Local privilege escalation via guix-daemon and --keep-failed] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1dfd4e36414504c75392c18f52206ff0c9684f41 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1dfd4e36414504c75392c18f52206ff0c9684f41 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] cimg no-dsa, various bugs filed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 413e425a by Moritz Mühlenhoff at 2021-03-21T20:11:51+01:00 cimg no-dsa, various bugs filed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18205,7 +18205,7 @@ CVE-2020-35638 CVE-2020-35637 RESERVED CVE-2020-35636 (A code execution vulnerability exists in the Nef polygon-parsing funct ...) - - cgal + - cgal (bug #985671) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225 CVE-2020-35635 RESERVED @@ -18222,7 +18222,7 @@ CVE-2020-35630 CVE-2020-35629 RESERVED CVE-2020-35628 (A code execution vulnerability exists in the Nef polygon-parsing funct ...) - - cgal + - cgal (bug #985671) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225 CVE-2021-21433 RESERVED @@ -28075,7 +28075,7 @@ CVE-2020-28638 (ask_password in Tomb 2.0 through 2.7 returns a warning when pine CVE-2020-28637 RESERVED CVE-2020-28636 (A code execution vulnerability exists in the Nef polygon-parsing funct ...) - - cgal + - cgal (bug #985671) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225 CVE-2020-28635 RESERVED @@ -28146,7 +28146,7 @@ CVE-2020-28603 CVE-2020-28602 RESERVED CVE-2020-28601 (A code execution vulnerability exists in the Nef polygon-parsing funct ...) - - cgal + - cgal (bug #985671) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225 CVE-2020-28600 RESERVED @@ -31755,7 +31755,7 @@ CVE-2020-27840 RESERVED CVE-2020-27839 RESERVED - - ceph + - ceph (bug #985670) [buster] - ceph (Minor issue) NOTE: https://tracker.ceph.com/issues/44591 NOTE: https://github.com/ceph/ceph/pull/38259 
@@ -31951,7 +31951,7 @@ CVE-2020-27782 (A flaw was found in the Undertow AJP connector. Malicious reques NOTE: https://issues.redhat.com/browse/UNDERTOW-1824 NOTE: https://github.com/undertow-io/undertow/commit/fdac349cbcd1da41fe8b9d4e7ebbab6879990c2a (2.2.4.Final) CVE-2020-27781 (User credentials can be manipulated and stolen by Native CephFS consum ...) - - ceph + - ceph (bug #985670) NOTE: https://bugs.launchpad.net/manila/+bug/1904015 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1900109 NOTE: https://github.com/ceph/ceph/commit/1b8a634fdcd94dfb3ba650793fb1b6d09af65e05 (octopus) @@ -59384,7 +59384,7 @@ CVE-2020-15402 CVE-2020-15401 (IOBit Malware Fighter Pro 8.0.2.547 allows local users to gain privile ...) NOT-FOR-US: IOBit Malware Fighter Pro CVE-2020-15400 (CakePHP before 4.0.6 mishandles CSRF token generation. This might be r ...) - - cakephp + - cakephp (bug #985673) [buster] - cakephp (Minor issue) [stretch] - cakephp (Minor issue) CVE-2020-15399 @@ -189861,6 +189861,7 @@ CVE-2018-7588 (An issue was discovered in CImg v.220. A heap-based buffer over-r NOTE: https://github.com/dtschump/CImg/commit/8447076ef22322a14a0ce130837e44c5ba8095f4 CVE-2018-7587 (An issue was discovered in CImg v.220. DoS occurs when loading a craft ...) - cimg (low; bug #892780; bug #940951) + [bullseye] - cimg (Minor issue) [buster] - cimg (Minor issue) [stretch] - cimg (Minor issue) [jessie] - cimg (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/413e425aaa27f24d2604ecf79d441b13800f09c1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/413e425aaa27f24d2604ecf79d441b13800f09c1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: give back subversion, not buildable on IPv6 only builder
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 0f46d3e0 by Thorsten Alteholz at 2021-03-21T17:58:13+01:00 give back subversion, not buildable on IPv6 only builder - - - - - e4fbd70d by Thorsten Alteholz at 2021-03-21T17:58:13+01:00 add freediameter - - - - - 845e67d4 by Thorsten Alteholz at 2021-03-21T17:58:13+01:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -47,12 +47,15 @@ dnsmasq (Sylvain Beucler) -- edk2 -- +freediameter (Thorsten Alteholz) +-- firmware-nonfree NOTE: 20201207: wait for the update in buster and backport that (Emilio) -- golang-github-appc-cni (Thorsten Alteholz) NOTE: 20210221: also taking care of reverse dependencies NOTE: 20210221: also taking care of other suites + NOTE: 20210321: still WIP -- golang-gogoprotobuf NOTE: 20210218: If you have any idea why this is called the "skippy peanut butter" issue, I would be mildly interested. (lamby) @@ -67,7 +70,8 @@ gsoap imagemagick (Markus Koschany) -- libebml (Thorsten Alteholz) - NOTE: 20210307: testing package (not yet finished) + NOTE: 20210307: testing package + NOTE: 20210321: preparing buster debdiff as well -- libmediainfo (Chris Lamb) -- 
@@ -147,8 +151,7 @@ spotweb NOTE: 20210122: Upstream fix trivially bypassed, reported under CVE-2021-3286 NOTE: 20210127: Upstream says "we can fix this but it may take some time", revisit later (Beuc) -- -subversion (Thorsten Alteholz) - NOTE: 20210307: solving build problems (on IPv6 only host) +subversion -- xmlbeans (Roberto C. Sánchez) NOTE: 20210222: Affected code changed significantly from 2.6.0 to 3.0.0 (the View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1ef8be517e1750ea4b92c5429ba2b7060d2dc914...845e67d4f63ca9494c6d62b5217f09464008b5e5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1ef8be517e1750ea4b92c5429ba2b7060d2dc914...845e67d4f63ca9494c6d62b5217f09464008b5e5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
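Review bot: the new `freediameter (Thorsten Alteholz)` entry in the first hunk is inserted before `firmware-nonfree`, which breaks the alphabetical order the rest of dla-needed.txt follows (dnsmasq, edk2, firmware-nonfree, golang-github-appc-cni, ...); it belongs after the firmware-nonfree block and its `--` separator, before golang-github-appc-cni.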
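Review bot: in the subversion hunk the only record of why the package is being given back (`NOTE: 20210307: solving build problems (on IPv6 only host)`) is deleted together with the claimer, so whoever picks it up next will hit the same failure cold; suggest keeping a dated NOTE under the unclaimed `subversion` entry stating that it does not build on an IPv6-only builder, as the commit message already says.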
[Git][security-tracker-team/security-tracker][master] Add commit reference for CVE-2021-28957/lxml
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ef8be51 by Salvatore Bonaccorso at 2021-03-21T17:50:57+01:00 Add commit reference for CVE-2021-28957/lxml - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32,6 +32,7 @@ CVE-2021-28957 (lxml 4.6.2 places the HTML action attribute into defs.link_attrs - lxml (bug #985643) NOTE: https://bugs.launchpad.net/lxml/+bug/1888153 NOTE: https://github.com/lxml/lxml/pull/316 + NOTE: https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d CVE-2021-28952 (An issue was discovered in the Linux kernel through 5.11.8. The sound/ ...) - linux [buster] - linux (Vulnerable code introduced later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ef8be517e1750ea4b92c5429ba2b7060d2dc914 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ef8be517e1750ea4b92c5429ba2b7060d2dc914 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] distributions.json: Add sid
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e0a8b599 by Salvatore Bonaccorso at 2021-03-21T17:41:48+01:00 distributions.json: Add sid Everywhere else in the tracker sid is handled as well. Raphaël Hertzog suggested to add thus sid to distributions.json as well to be consistent. Add it with an empty major-version and none value for the support attribute. Link: https://salsa.debian.org/qa/distro-tracker/-/issues/58#note_232506 Signed-off-by: Salvatore Bonaccorso car...@debian.org - - - - - 1 changed file: - static/distributions.json Changes: = static/distributions.json = @@ -33,5 +33,10 @@ "major-version": "13", "support": "none", "contact": "" + }, + "sid": { +"major-version": "", +"support": "none", +"contact": "" } } View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e0a8b599d1b56e920b2c6c6d218b71e9a56df066 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e0a8b599d1b56e920b2c6c6d218b71e9a56df066 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
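Review bot: `"major-version": ""` makes sid the only entry whose major-version is not a numeric string (the surrounding entries use values such as "13"), so any consumer that converts that field to an integer will need to special-case sid; worth confirming against the distro-tracker consumer linked in the commit message that the empty string is what it expects before relying on it.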
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2021-28952/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cedc1b16 by Salvatore Bonaccorso at 2021-03-21T17:07:19+01:00 Update status for CVE-2021-28952/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -34,6 +34,8 @@ CVE-2021-28957 (lxml 4.6.2 places the HTML action attribute into defs.link_attrs NOTE: https://github.com/lxml/lxml/pull/316 CVE-2021-28952 (An issue was discovered in the Linux kernel through 5.11.8. The sound/ ...) - linux + [buster] - linux (Vulnerable code introduced later) + [stretch] - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/1c668e1c0a0f74472469cd514f40c9012b324c31 CVE-2021-28951 (An issue was discovered in fs/io_uring.c in the Linux kernel through 5 ...) - linux View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cedc1b16aac68dcbbcc43acca12f27c35854201a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cedc1b16aac68dcbbcc43acca12f27c35854201a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Fix grammatical typo and slight rewrite of note
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 34124748 by Salvatore Bonaccorso at 2021-03-21T15:41:32+01:00 Fix grammatical typo and slight rewrite of note - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -67988,7 +67988,7 @@ CVE-2019-20790 (OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf NOTE: https://bugs.launchpad.net/pypolicyd-spf/+bug/1838816 NOTE: https://sourceforge.net/p/opendmarc/tickets/235/ NOTE: https://www.usenix.org/system/files/sec20fall_chen-jianjun_prepub_0.pdf - NOTE: Issue is disputed upstream, and considered "work as designed" and wont be fixed + NOTE: Issue is disputed upstream and considered "work as designed" (wontfix) NOTE: https://github.com/trusteddomainproject/OpenDMARC/blob/develop/SECURITY/CVE-2019-20970 NOTE: (there ia typo in above reference) CVE-2020-12266 (An issue was discovered where there are multiple externally accessible ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3412474883ffb5dc35a6bfb90033bffba6024aa7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3412474883ffb5dc35a6bfb90033bffba6024aa7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
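Review bot: the context line `NOTE: (there ia typo in above reference)` still carries its own typo (`ia` for `is a`), and a commit whose stated purpose is fixing a grammatical typo in this block leaves it in place; suggest `NOTE: (there is a typo in the above reference)` in the same change.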
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2019-20790
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2608759d by Salvatore Bonaccorso at 2021-03-21T15:29:44+01:00 Update information for CVE-2019-20790 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -67984,10 +67984,13 @@ CVE-2020-12267 (setMarkdown in Qt before 5.14.2 has a use-after-free related to NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20450 NOTE: The 5.14 in experimental contains the code, but is already fixed CVE-2019-20790 (OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, ...) - - opendmarc (bug #977766) + - opendmarc (bug #977766; unimportant) NOTE: https://bugs.launchpad.net/pypolicyd-spf/+bug/1838816 NOTE: https://sourceforge.net/p/opendmarc/tickets/235/ NOTE: https://www.usenix.org/system/files/sec20fall_chen-jianjun_prepub_0.pdf + NOTE: Issue is disputed upstream, and considered "work as designed" and wont be fixed + NOTE: https://github.com/trusteddomainproject/OpenDMARC/blob/develop/SECURITY/CVE-2019-20970 + NOTE: (there ia typo in above reference) CVE-2020-12266 (An issue was discovered where there are multiple externally accessible ...) NOT-FOR-US: WAVLINK CVE-2020-12265 (The decompress package before 4.2.1 for Node.js is vulnerable to Arbit ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2608759df0092e68eeb3171fd2d3e59acf6483be -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2608759df0092e68eeb3171fd2d3e59acf6483be You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
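Review bot: the three added NOTE lines contain two typos, `wont be fixed` should be `won't be fixed` and `there ia typo in above reference` should be `there is a typo in the above reference`; it is also worth spelling out what the typo is (the upstream file is named CVE-2019-20970 while this entry is CVE-2019-20790) so readers do not assume the NOTE itself links the wrong CVE.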
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 929c7036 by Salvatore Bonaccorso at 2021-03-21T10:47:58+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,7 @@ CVE-2021-28962 RESERVED CVE-2021-28961 (applications/luci-app-ddns/luasrc/model/cbi/ddns/detail.lua in the DDN ...) - TODO: check + NOT-FOR-US: DDNS package for OpenWrt CVE-2021-28960 RESERVED CVE-2021-28959 @@ -13,9 +13,9 @@ CVE-2021-28956 CVE-2021-28955 RESERVED CVE-2021-28954 (In Chris Walz bit before 1.0.5 on Windows, attackers can run arbitrary ...) - TODO: check + NOT-FOR-US: Chris Walz bit CVE-2021-28953 (The unofficial C/C++ Advanced Lint extension before 1.9.0 for Visual S ...) - TODO: check + NOT-FOR-US: unofficial C/C++ Advanced Lint extension for Visual Studio Code CVE-2021-3455 RESERVED CVE-2021-3454 
@@ -4435,11 +4435,11 @@ CVE-2021-26994 CVE-2021-26993 RESERVED CVE-2021-26992 (Cloud Manager versions prior to 3.9.4 are susceptible to a vulnerabili ...) - TODO: check + NOT-FOR-US: Cloud Manager (NetApp) CVE-2021-26991 (Cloud Manager versions prior to 3.9.4 contain an insecure Cross-Origin ...) - TODO: check + NOT-FOR-US: Cloud Manager (NetApp) CVE-2021-26990 (Cloud Manager versions prior to 3.9.4 are susceptible to a vulnerabili ...) - TODO: check + NOT-FOR-US: Cloud Manager (NetApp) CVE-2021-26989 (Clustered Data ONTAP versions prior to 9.3P21, 9.5P16, 9.6P12, 9.7P9 a ...) NOT-FOR-US: Clustered Data ONTAP CVE-2021-26988 (Clustered Data ONTAP versions prior to 9.3P21, 9.5P16, 9.6P12, 9.7P8 a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/929c7036d2a6d96f78a9e0c77ae217b778a72a13 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/929c7036d2a6d96f78a9e0c77ae217b778a72a13 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-28957/lxml
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7acae7da by Salvatore Bonaccorso at 2021-03-21T10:26:25+01:00 Add Debian bug reference for CVE-2021-28957/lxml - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29,7 +29,7 @@ CVE-2021-3451 CVE-2021-3450 RESERVED CVE-2021-28957 (lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in h ...) - - lxml + - lxml (bug #985643) NOTE: https://bugs.launchpad.net/lxml/+bug/1888153 NOTE: https://github.com/lxml/lxml/pull/316 CVE-2021-28952 (An issue was discovered in the Linux kernel through 5.11.8. The sound/ ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7acae7dac20eaa6be72e643b4dc34039cea130f4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7acae7dac20eaa6be72e643b4dc34039cea130f4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2558-2 for xterm
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 72149a3c by Utkarsh Gupta at 2021-03-21T14:12:35+05:30 Reserve DLA-2558-2 for xterm - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[21 Mar 2021] DLA-2558-2 xterm - regression update + [stretch] - xterm 327-2+deb9u2 [20 Mar 2021] DLA-2601-1 cloud-init - security update {CVE-2021-3429} [stretch] - cloud-init 0.7.9-2+deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72149a3c7dfe830ef950531e5463db2aeb18ebcc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72149a3c7dfe830ef950531e5463db2aeb18ebcc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a7b70f66 by security tracker role at 2021-03-21T08:10:25+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,21 @@ +CVE-2021-28962 + RESERVED +CVE-2021-28961 (applications/luci-app-ddns/luasrc/model/cbi/ddns/detail.lua in the DDN ...) + TODO: check +CVE-2021-28960 + RESERVED +CVE-2021-28959 + RESERVED +CVE-2021-28958 + RESERVED +CVE-2021-28956 + RESERVED +CVE-2021-28955 + RESERVED +CVE-2021-28954 (In Chris Walz bit before 1.0.5 on Windows, attackers can run arbitrary ...) + TODO: check +CVE-2021-28953 (The unofficial C/C++ Advanced Lint extension before 1.9.0 for Visual S ...) + TODO: check CVE-2021-3455 RESERVED CVE-2021-3454 @@ -10,19 +28,19 @@ CVE-2021-3451 RESERVED CVE-2021-3450 RESERVED -CVE-2021-28957 [Missing formaction attribute to defs.link_attrs for HTML5] +CVE-2021-28957 (lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in h ...) - lxml NOTE: https://bugs.launchpad.net/lxml/+bug/1888153 NOTE: https://github.com/lxml/lxml/pull/316 -CVE-2021-28952 [ASoC: qcom: sdm845: Fix array out of bounds access] +CVE-2021-28952 (An issue was discovered in the Linux kernel through 5.11.8. The sound/ ...) - linux NOTE: https://git.kernel.org/linus/1c668e1c0a0f74472469cd514f40c9012b324c31 -CVE-2021-28951 [io_uring: ensure that SQPOLL thread is started for exit] +CVE-2021-28951 (An issue was discovered in fs/io_uring.c in the Linux kernel through 5 ...) - linux [buster] - linux (Vulnerable code introduced later) [stretch] - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/3ebba796fa251d042be42b929a2d916ee5c34a49 -CVE-2021-28950 [fuse: fix live lock in fuse_iget()] +CVE-2021-28950 (An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before ...) - linux 5.10.24-1 NOTE: https://git.kernel.org/linus/775c5033a0d164622d9d10dd0f0a5531639ed3ed CVE-2021-28949 
@@ -1839,8 +1857,7 @@ CVE-2021-28119 (Twinkle Tray (aka twinkle-tray) through 1.13.3 allows remote com NOT-FOR-US: Twinkle Tray CVE-2021-28118 RESERVED -CVE-2021-28117 - RESERVED +CVE-2021-28117 (libdiscover/backends/KNSBackend/KNSResource.cpp in KDE Discover before ...) - plasma-discover 5.20.5-3 [buster] - plasma-discover (Vulnerable code introduced later) [stretch] - plasma-discover (Vulnerable code introduced later) @@ -4519,7 +4536,7 @@ CVE-2021-26939 (** DISPUTED ** An information disclosure issue exists in henriqu NOT-FOR-US: henriquedornas CVE-2021-26938 (** DISPUTED ** A stored XSS issue exists in henriquedornas 5.2.17 via ...) NOT-FOR-US: henriquedornas -CVE-2021-27135 (xterm through Patch #365 allows remote attackers to cause a denial of ...) +CVE-2021-27135 (xterm before Patch #366 allows remote attackers to execute arbitrary c ...) {DLA-2558-1} - xterm 366-1 (bug #982439) [buster] - xterm (Minor issue; can be fixed via point release) 
@@ -33840,12 +33857,10 @@ CVE-2020-27173 (In vm-superio before 0.1.1, the serial console FIFO can grow to NOT-FOR-US: vm-superio CVE-2020-27172 (An issue was discovered in G-Data before 25.5.9.25 using Symbolic link ...) NOT-FOR-US: G-Data -CVE-2020-27171 - RESERVED +CVE-2020-27171 (An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/ ...) - linux 5.10.24-1 NOTE: https://www.openwall.com/lists/oss-security/2021/03/19/3 -CVE-2020-27170 - RESERVED +CVE-2020-27170 (An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/ ...) - linux 5.10.24-1 NOTE: https://www.openwall.com/lists/oss-security/2021/03/19/2 CVE-2020-27169 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7b70f66d664956d7b888f11df99c531d906d104 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7b70f66d664956d7b888f11df99c531d906d104 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-28957/lxml
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ccdedce3 by Salvatore Bonaccorso at 2021-03-21T08:28:26+01:00 Add CVE-2021-28957/lxml - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10,6 +10,10 @@ CVE-2021-3451 RESERVED CVE-2021-3450 RESERVED +CVE-2021-28957 [Missing formaction attribute to defs.link_attrs for HTML5] + - lxml + NOTE: https://bugs.launchpad.net/lxml/+bug/1888153 + NOTE: https://github.com/lxml/lxml/pull/316 CVE-2021-28952 [ASoC: qcom: sdm845: Fix array out of bounds access] - linux NOTE: https://git.kernel.org/linus/1c668e1c0a0f74472469cd514f40c9012b324c31 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ccdedce3624702c0325de020e472109750b93bc5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ccdedce3624702c0325de020e472109750b93bc5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-28952/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: 80c7b037 by Salvatore Bonaccorso at 2021-03-21T08:23:37+01:00
Add CVE-2021-28952/linux
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -10,6 +10,9 @@ CVE-2021-3451 RESERVED CVE-2021-3450 RESERVED +CVE-2021-28952 [ASoC: qcom: sdm845: Fix array out of bounds access] + - linux + NOTE: https://git.kernel.org/linus/1c668e1c0a0f74472469cd514f40c9012b324c31 CVE-2021-28951 [io_uring: ensure that SQPOLL thread is started for exit] - linux [buster] - linux (Vulnerable code introduced later)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/80c7b037b5739a952129d7661f8e71d05a5996e8
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-28951/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: 6b207b1e by Salvatore Bonaccorso at 2021-03-21T08:17:18+01:00
Add CVE-2021-28951/linux
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -10,6 +10,11 @@ CVE-2021-3451 RESERVED CVE-2021-3450 RESERVED +CVE-2021-28951 [io_uring: ensure that SQPOLL thread is started for exit] + - linux + [buster] - linux (Vulnerable code introduced later) + [stretch] - linux (Vulnerable code introduced later) + NOTE: https://git.kernel.org/linus/3ebba796fa251d042be42b929a2d916ee5c34a49 CVE-2021-28950 [fuse: fix live lock in fuse_iget()] - linux 5.10.24-1 NOTE: https://git.kernel.org/linus/775c5033a0d164622d9d10dd0f0a5531639ed3ed
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b207b1ecd162e76934aea2ab63d7d383db59009
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-28950/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: 3f7f04f6 by Salvatore Bonaccorso at 2021-03-21T08:12:22+01:00
Add CVE-2021-28950/linux
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -10,6 +10,9 @@ CVE-2021-3451 RESERVED CVE-2021-3450 RESERVED +CVE-2021-28950 [fuse: fix live lock in fuse_iget()] + - linux 5.10.24-1 + NOTE: https://git.kernel.org/linus/775c5033a0d164622d9d10dd0f0a5531639ed3ed CVE-2021-28949 RESERVED CVE-2021-28948
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f7f04f69bde2f7bbd317c0efae518f24d6593c3
[Git][security-tracker-team/security-tracker][master] Two glibc issues fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: d2fda240 by Salvatore Bonaccorso at 2021-03-21T07:15:04+01:00
Two glibc issues fixed in unstable
At the same time drop our no-dsa marking for bullseye as the fixes are aimed to go into testing and so included in bullseye.
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -2966,8 +2966,7 @@ CVE-2021-27647 (Out-of-bounds Read vulnerability in iscsi_snapshot_comm_core in CVE-2021-27646 (Use After Free vulnerability in iscsi_snapshot_comm_core in Synology D ...) NOT-FOR-US: Synology CVE-2021-27645 (The nameserver caching daemon (nscd) in the GNU C Library (aka glibc o ...) - - glibc (bug #983479) - [bullseye] - glibc (Minor issue) + - glibc 2.31-10 (bug #983479) [buster] - glibc (Minor issue) [stretch] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=27462
@@ -6221,8 +6220,7 @@ CVE-2021-26274 CVE-2021-26273 RESERVED CVE-2021-3326 (The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and ...) - - glibc (bug #981198) - [bullseye] - glibc (Minor issue) + - glibc 2.31-10 (bug #981198) [buster] - glibc (Minor issue) [stretch] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=27256
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2fda240a46b921c9dd7ddb13c66302a4179ceb2
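Review bot: dropping the `[bullseye] - glibc (Minor issue)` line in both hunks rests on the expectation stated in the commit message that 2.31-10 migrates to testing; until that migration happens, bullseye will be derived as still affected for CVE-2021-27645 and CVE-2021-3326, so the two entries should be re-checked once the upload has (or has not) migrated, and the no-dsa marking restored if the fix is held back from testing.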
[Git][security-tracker-team/security-tracker][master] CVE-2020-25097/squid fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: 978846d8 by Salvatore Bonaccorso at 2021-03-21T07:13:18+01:00
CVE-2020-25097/squid fixed in unstable
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -38832,7 +38832,7 @@ CVE-2020-25098 RESERVED CVE-2020-25097 (An issue was discovered in Squid through 4.13 and 5.x through 5.0.4. D ...) {DLA-2598-1} - - squid (bug #985068) + - squid 4.13-8 (bug #985068) - squid3 NOTE: https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6 NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_11.patch
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/978846d8a4e6675f35bc58d65825b9934bd9a8a2