[Git][security-tracker-team/security-tracker][master] Track fixed gpac issues via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 54007340 by Salvatore Bonaccorso at 2021-05-25T06:53:50+02:00 Track fixed gpac issues via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5210,15 +5210,15 @@ CVE-2021-31264 CVE-2021-31263 RESERVED CVE-2021-31262 (The AV1_DuplicateConfig function in GPAC 1.0.1 allows attackers to cau ...) - - gpac (bug #987280) + - gpac 1.0.1+dfsg1-4 (bug #987280) NOTE: https://github.com/gpac/gpac/commit/b2eab95e07cb5819375a50358d4806a8813b6e50 NOTE: https://github.com/gpac/gpac/issues/1738 CVE-2021-31261 (The gf_hinter_track_new function in GPAC 1.0.1 allows attackers to rea ...) - - gpac (bug #987280) + - gpac 1.0.1+dfsg1-4 (bug #987280) NOTE: https://github.com/gpac/gpac/commit/cd3738dea038dbd12e603ad48cd7373ae0440f65 NOTE: https://github.com/gpac/gpac/issues/1737 CVE-2021-31260 (The MergeTrack function in GPAC 1.0.1 allows attackers to cause a deni ...) - - gpac (bug #987280) + - gpac 1.0.1+dfsg1-4 (bug #987280) NOTE: https://github.com/gpac/gpac/commit/df8fffd839fe5ae9acd82d26fd48280a397411d9 NOTE: https://github.com/gpac/gpac/issues/1736 CVE-2021-31259 (The gf_isom_cenc_get_default_info_internal function in GPAC 1.0.1 allo ...) 
@@ -5227,19 +5227,19 @@ CVE-2021-31259 (The gf_isom_cenc_get_default_info_internal function in GPAC 1.0. NOTE: https://github.com/gpac/gpac/issues/1735 NOTE: Introduced in https://github.com/gpac/gpac/commit/f966d85ee940b0a19dbbe972bc9ff042a98d7264 (after v1.0.1) CVE-2021-31258 (The gf_isom_set_extraction_slc function in GPAC 1.0.1 allows attackers ...) - - gpac (bug #987280) + - gpac 1.0.1+dfsg1-4 (bug #987280) NOTE: https://github.com/gpac/gpac/commit/ebfa346eff05049718f7b80041093b4c5581c24e NOTE: https://github.com/gpac/gpac/issues/1706 CVE-2021-31257 (The HintFile function in GPAC 1.0.1 allows attackers to cause a denial ...) - - gpac (bug #987280) + - gpac 1.0.1+dfsg1-4 (bug #987280) NOTE: https://github.com/gpac/gpac/commit/87afe070cd6866df7fe80f11b26ef75161de85e0 NOTE: https://github.com/gpac/gpac/issues/1734 CVE-2021-31256 (Memory leak in the stbl_GetSampleInfos function in MP4Box in GPAC 1.0. ...) - - gpac (bug #987280) + - gpac 1.0.1+dfsg1-4 (bug #987280) NOTE: https://github.com/gpac/gpac/commit/2da2f68bffd51d89b1d272d22aa8cc023c1c066e NOTE: https://github.com/gpac/gpac/issues/1705 CVE-2021-31255 (Buffer overflow in the abst_box_read function in MP4Box in GPAC 1.0.1 ...) - - gpac (bug #987280) + - gpac 1.0.1+dfsg1-4 (bug #987280) NOTE: https://github.com/gpac/gpac/commit/758135e91e623d7dfe7f6aaad7aeb3f791b7a4e5 NOTE: https://github.com/gpac/gpac/issues/1733 CVE-2021-31254 (Buffer overflow in the tenc_box_read function in MP4Box in GPAC 1.0.1 ...) @@ -7635,7 +7635,7 @@ CVE-2021-30201 CVE-2021-30200 RESERVED CVE-2021-30199 (In filters/reframe_latm.c in GPAC 1.0.1 there is a Null Pointer Derefe ...) - - gpac (bug #987323) + - gpac 1.0.1+dfsg1-4 (bug #987323) NOTE: https://github.com/gpac/gpac/commit/b2db2f99b4c30f96e17b9a14537c776da6cb5dca NOTE: https://github.com/gpac/gpac/issues/1728 CVE-2021-30198 
@@ -8111,17 +8111,17 @@ CVE-2021-30024 CVE-2021-30023 RESERVED CVE-2021-30022 (There is a integer overflow in media_tools/av_parsers.c in the gf_avc_ ...) - - gpac (bug #987323) + - gpac 1.0.1+dfsg1-4 (bug #987323) NOTE: https://github.com/gpac/gpac/commit/51cdb67ff7c5f1242ac58c5aa603ceaf1793b788 NOTE: https://github.com/gpac/gpac/issues/1720 CVE-2021-30021 RESERVED CVE-2021-30020 (In the function gf_hevc_read_pps_bs_internal function in media_tools/a ...) - - gpac (bug #987323) + - gpac 1.0.1+dfsg1-4 (bug #987323) NOTE: https://github.com/gpac/gpac/commit/51cdb67ff7c5f1242ac58c5aa603ceaf1793b788 NOTE: https://github.com/gpac/gpac/issues/1722 CVE-2021-30019 (In the adts_dmx_process function in filters/reframe_adts.c in GPAC 1.0 ...) - - gpac (bug #987323) + - gpac 1.0.1+dfsg1-4 (bug #987323) NOTE: https://github.com/gpac/gpac/commit/22774aa9e62f586319c8f107f5bae950fed900bc NOTE: https://github.com/gpac/gpac/issues/1723 CVE-2021-30018 @@ -8131,11 +8131,11 @@ CVE-2021-30017 CVE-2021-30016 RESERVED CVE-2021-30015 (There is a Null Pointer Dereference in function filter_core/filter_pck ...) - - gpac (bug #987323) + - gpac 1.0.1+dfsg1-4 (bug #987323) NOTE: https://github.com/gpac/gpac/commit/13dad7d5ef74ca2e6fe4010f5b03eb12e9bbe0ec NOTE: https://github.com/gpac/gpac/issues/1719 CVE-2021-30014 (There is a integer overflow in
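Review bot: the same fixed version 1.0.1+dfsg1-4 is applied to every gpac entry under bugs #987280 and #987323, yet each CVE cites its own upstream commit (and CVE-2021-30022 and CVE-2021-30020 both cite 51cdb67ff7c5f1242ac58c5aa603ceaf1793b788), so before closing these via unstable confirm that the upload's patch set actually carries each referenced commit rather than inferring coverage from the bug closure. Separately, the NOTE on CVE-2021-31259 says the vulnerable code was introduced after v1.0.1 while the CVE text names 1.0.1; its status line falls outside the visible hunks, so make sure it was not swept into the same fixed-version marking if the packaged snapshot predates that commit.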
[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 137fe025 by Moritz Mühlenhoff at 2021-05-24T23:16:44+02:00 bullseye triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4909,6 +4909,7 @@ CVE-2021-31403 (Non-constant-time comparison of CSRF tokens in UIDL request hand NOT-FOR-US: Vaadin CVE-2021-3502 (A flaw was found in avahi 0.8-5. A reachable assertion is present in a ...) - avahi (bug #986018) + [bullseye] - avahi (Minor issue) [buster] - avahi (Vulnerable code introduced later) [stretch] - avahi (Vulnerable code introduced later) NOTE: https://github.com/lathiat/avahi/issues/338 @@ -9005,6 +9006,8 @@ CVE-2020-36284 (Union Pay up to 3.4.93.4.9, for android, contains a CWE-347: Imp NOT-FOR-US: Union Pay CVE-2021-3480 (A flaw was found in slapi-nis in versions before 0.56.7. A NULL pointe ...) - slapi-nis (bug #988736) + [bullseye] - slapi-nis (Minor issue) + [buster] - slapi-nis (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1944640 NOTE: https://pagure.io/slapi-nis/c/c7417ea2d534712e559b56ed45baa91c5d3d44db?branch=master CVE-2021-3479 (There's a flaw in OpenEXR's Scanline API functionality in versions bef ...) @@ -10006,6 +10009,7 @@ CVE-2021-3469 CVE-2021-3468 [Local DoS by event-busy-loop from writing long lines to /run/avahi-daemon/socket] RESERVED - avahi (bug #984938) + [bullseye] - avahi (Minor issue) [buster] - avahi (Minor issue) [stretch] - avahi (Minor issue; can be fixed in next DLA) NOTE: https://github.com/lathiat/avahi/pull/330 
@@ -10803,19 +10807,29 @@ CVE-2021-28908 CVE-2021-28907 RESERVED CVE-2021-28906 (In function read_yin_leaf() in libyang = v1.0.225, it doesn't chec ...) - - libyang + - libyang (bug #989060) + [bullseye] - libyang (Minor issue) + [buster] - libyang (Minor issue) NOTE: https://github.com/CESNET/libyang/issues/1455 CVE-2021-28905 (In function lys_node_free() in libyang = v1.0.225, it asserts that ...) - - libyang + - libyang (bug #989060) + [bullseye] - libyang (Minor issue) + [buster] - libyang (Minor issue) NOTE: https://github.com/CESNET/libyang/issues/1452 CVE-2021-28904 (In function ext_get_plugin() in libyang = v1.0.225, it doesn't che ...) - - libyang + - libyang (bug #989060) + [bullseye] - libyang (Minor issue) + [buster] - libyang (Minor issue) NOTE: https://github.com/CESNET/libyang/issues/1451 CVE-2021-28903 (A stack overflow in libyang = v1.0.225 can cause a denial of servi ...) - - libyang + - libyang (bug #989060) + [bullseye] - libyang (Minor issue) + [buster] - libyang (Minor issue) NOTE: https://github.com/CESNET/libyang/issues/1453 CVE-2021-28902 (In function read_yin_container() in libyang = v1.0.225, it doesn't ...) - - libyang + - libyang (bug #989060) + [bullseye] - libyang (Minor issue) + [buster] - libyang (Minor issue) NOTE: https://github.com/CESNET/libyang/issues/1454 CVE-2021-28901 RESERVED @@ -11309,7 +11323,7 @@ CVE-2021-28679 CVE-2021-28678 RESERVED [experimental] - pillow 8.2.0-1 - - pillow + - pillow (bug #989062) [buster] - pillow (Minor issue) [stretch] - pillow (Minor issue) NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos @@ -11317,7 +11331,7 @@ CVE-2021-28678 CVE-2021-28677 RESERVED [experimental] - pillow 8.2.0-1 - - pillow + - pillow (bug #989062) [buster] - pillow (Minor issue) [stretch] - pillow (Minor issue) NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open 
@@ -11325,7 +11339,7 @@ CVE-2021-28677 CVE-2021-28676 RESERVED [experimental] - pillow 8.2.0-1 - - pillow + - pillow (bug #989062) [buster] - pillow (Minor issue) [stretch] - pillow (Minor issue) NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos @@ -11333,7 +11347,7 @@ CVE-2021-28676 CVE-2021-28675 RESERVED [experimental] - pillow 8.2.0-1 - - pillow + - pillow (bug #989062) [buster] - pillow (Minor issue) [stretch] - pillow (Minor issue) NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28675-fix-dos-in-psdimageplugin @@ -11383,6 +11397,7 @@ CVE-2021-3449 (An OpenSSL TLS server may crash if sent a maliciously crafted ren CVE-2021-28687 [HVM soft-reset crashes toolstack] RESERVED - xen + [bullseye] - xen (Fix
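Review bot: the four pillow hunks (CVE-2021-28675 through CVE-2021-28678) receive the bug reference #989062 but, unlike the libyang, slapi-nis and avahi entries in this same triage, no [bullseye] annotation; if the intent is that the fix reaches bullseye through unstable before release that is fine, otherwise add a [bullseye] - pillow (Minor issue) line for consistency. The five libyang entries cite only upstream issue reports (CESNET/libyang issues 1451 to 1455) and no fix commit, so "Minor issue" for bullseye and buster is asserted without a known patch; a NOTE on whether upstream has fixed them would help whoever picks up #989060.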
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f446672c by Salvatore Bonaccorso at 2021-05-24T22:49:56+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -31670,7 +31670,7 @@ CVE-2021-20559 (IBM Control Desk 7.6.1.2 and 7.6.1.3 is vulnerable to cross-site CVE-2021-20558 RESERVED CVE-2021-20557 (IBM Security Guardium 11.2 could allow a remote authenticated attacker ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-20556 RESERVED CVE-2021-20555 @@ -31928,11 +31928,11 @@ CVE-2021-20430 CVE-2021-20429 (IBM QRadar User Behavior Analytics 1.0.0 through 4.1.0 could disclose ...) NOT-FOR-US: IBM CVE-2021-20428 (IBM Security Guardium 11.2 could allow a remote attacker to obtain sen ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-20427 RESERVED CVE-2021-20426 (IBM Security Guardium 11.2 contains hard-coded credentials, such as a ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-20425 RESERVED CVE-2021-20424 @@ -31946,7 +31946,7 @@ CVE-2021-20421 CVE-2021-20420 RESERVED CVE-2021-20419 (IBM Security Guardium 11.2 uses weaker than expected cryptographic alg ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-20418 RESERVED CVE-2021-20417 @@ -32006,15 +32006,15 @@ CVE-2021-20391 (IBM QRadar User Behavior Analytics 1.0.0 through 4.1.0 allows we CVE-2021-20390 RESERVED CVE-2021-20389 (IBM Security Guardium 11.2 stores user credentials in plain clear text ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-20388 RESERVED CVE-2021-20387 RESERVED CVE-2021-20386 (IBM Security Guardium 11.2 is vulnerable to cross-site scripting. This ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-20385 (IBM Security Guardium 11.2 could allow a remote authenticated attacker ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-20384 RESERVED CVE-2021-20383 
@@ -100105,7 +100105,7 @@ CVE-2020-4992 CVE-2020-4991 RESERVED CVE-2020-4990 (IBM Security Guardium 11.2 is vulnerable to SQL injection. A remote at ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4989 RESERVED CVE-2020-4988 (Loopback 8.0.0 contains a vulnerability that could allow an attacker t ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f446672cd2c60de7e84155e817d219fbeb25052c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f446672cd2c60de7e84155e817d219fbeb25052c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Lynoure Braakman pushed to branch master at Debian Security Tracker / security-tracker Commits: 68d93651 by Lynoure Braakman at 2021-05-24T22:44:17+02:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Lynoure Braakman lyno...@gmail.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -68,10 +68,10 @@ nvidia-graphics-drivers NOTE: package is in non-free but also in packages-to-support NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077 -- -php-phpseclib (Abhijith PA) +php-phpseclib NOTE: 20210503: unclear if 2.x is affected, double check (pochu) -- -phpseclib (Abhijith PA) +phpseclib NOTE: 20210503: apparently 1.x is not affected, but double check (pochu) -- prosody (Anton Gladky) @@ -110,7 +110,7 @@ ruby-kaminari ruby-kramdown NOTE: 20210412: Probably needs two commits (see the one linked in the comment of d6a1cbcb2c. (lamby) -- -ruby-nokogiri (Markus Koschany) +ruby-nokogiri NOTE: 20210403: CVE-2020-26247: Java-level API not included in stretch but CVE also affects C/Ruby-level APIs; NOTE: 20210403: check if default change (trust -> don't trust external schemas) possibly breaks compatibility (Beuc) -- 
@@ -143,7 +143,7 @@ squid3 thunderbird (Emilio) NOTE: wait for 78.11.0 (Emilio) -- -xmlbeans (Roberto C. Sánchez) +xmlbeans NOTE: 20210222: Affected code changed significantly from 2.6.0 to 3.0.0 (the NOTE: 20210222: upstream release with the fix). Trying to determine how to NOTE: 20210222: implement the changes without introducing too much new code. (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/68d93651a40e709d6c4a2c7bffdc4e0ac4612726 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/68d93651a40e709d6c4a2c7bffdc4e0ac4612726 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
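Review bot: unclaiming xmlbeans drops the assignment while the three NOTE lines dated 20210222 still describe an in-progress approach (reworking the fix across the 2.6.0 to 3.0.0 change), so add a dated NOTE that the entry was unclaimed for inactivity; the next claimant should read that analysis as stale rather than ongoing. The php-phpseclib and phpseclib entries are unclaimed with their 20210503 questions still open (whether 2.x is affected, whether 1.x is really unaffected), and a one-line NOTE that the check was never completed would save the next person from assuming it was.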
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b3bcdf6a by security tracker role at 2021-05-24T20:10:29+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,25 @@ +CVE-2021-3564 + RESERVED +CVE-2021-33524 + RESERVED +CVE-2021-33523 + RESERVED +CVE-2021-33522 + RESERVED +CVE-2021-33521 + RESERVED +CVE-2021-33520 + RESERVED +CVE-2021-33519 + RESERVED +CVE-2021-33518 + RESERVED +CVE-2021-33517 + RESERVED +CVE-2021-33516 (An issue was discovered in GUPnP before 1.0.7 and 1.1.x and 1.2.x befo ...) + TODO: check +CVE-2021-33515 + RESERVED CVE-2021-33514 (Certain NETGEAR devices are affected by command injection by an unauth ...) NOT-FOR-US: Netgear CVE-2021-33513 (Plone through 5.2.4 allows XSS via the inline_diff methods in Products ...) @@ -22,8 +44,8 @@ CVE-2021-33504 RESERVED CVE-2021-33503 RESERVED -CVE-2021-33502 - RESERVED +CVE-2021-33502 (The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x befo ...) + TODO: check CVE-2021-33501 RESERVED CVE-2021-33500 (PuTTY before 0.75 on Windows allows remote servers to cause a denial o ...) @@ -627,8 +649,7 @@ CVE-2021-33206 RESERVED CVE-2021-33205 RESERVED -CVE-2021-3559 [nodedev-list command may cause libvirt to crash on hosts with GRID driver installed] - RESERVED +CVE-2021-3559 (A flaw was found in libvirt in the virConnectListAllNodeDevices API in ...) - libvirt (Vulnerable code never in a released version) NOTE: Fixed by: https://gitlab.com/libvirt/libvirt/-/commit/4c4d0e2da07b5a035b26a0ff13ec27070f7c7b1a (v7.0.0-rc1) NOTE: Introduced by: https://gitlab.com/libvirt/libvirt/-/commit/f1b08901f7ae7557f79d83bdac33cc0bd79d1437 (v6.10.0-rc1) 
@@ -1880,8 +1901,8 @@ CVE-2021-32631 RESERVED CVE-2021-32630 (Admidio is a free, open source user management system for websites of ...) NOT-FOR-US: Admidio -CVE-2021-32629 - RESERVED +CVE-2021-32629 (Cranelift is an open-source code generator maintained by Bytecode Alli ...) + TODO: check CVE-2021-32628 RESERVED CVE-2021-32627 @@ -1890,8 +1911,8 @@ CVE-2021-32626 RESERVED CVE-2021-32625 RESERVED -CVE-2021-32624 - RESERVED +CVE-2021-32624 (Keystone 5 is an open source CMS platform to build Node.js application ...) + TODO: check CVE-2021-32623 RESERVED CVE-2021-32622 (Matrix-React-SDK is a react-based SDK for inserting a Matrix chat/voip ...) @@ -3082,8 +3103,8 @@ CVE-2021-32077 (Primary Source Verification in VerityStream MSOW Solutions befor NOT-FOR-US: VerityStream MSOW Solutions CVE-2021-32076 RESERVED -CVE-2021-32075 - RESERVED +CVE-2021-32075 (Re-Logic Terraria before 1.4.2.3 performs Insecure Deserialization. ...) + TODO: check CVE-2021-32074 (HashiCorp vault-action (aka Vault GitHub Action) before 2.2.0 allows a ...) NOT-FOR-US: HashiCorp vault-action (aka Vault GitHub Action) CVE-2021-32073 (DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote at ...) @@ -7520,8 +7541,8 @@ CVE-2020-36316 (In RELIC before 2021-04-03, there is a buffer overflow in PKCS#1 NOT-FOR-US: RELIC CVE-2020-36315 (In RELIC before 2020-08-01, RSA PKCS#1 v1.5 signature forgery can occu ...) NOT-FOR-US: RELIC -CVE-2021-3485 - RESERVED +CVE-2021-3485 (An Improper Input Validation vulnerability in the Product Update featu ...) + TODO: check CVE-2021-30244 RESERVED CVE-2021-30243 
@@ -7964,12 +7985,12 @@ CVE-2021-30085 RESERVED CVE-2021-30084 RESERVED -CVE-2021-30083 - RESERVED -CVE-2021-30082 - RESERVED -CVE-2021-30081 - RESERVED +CVE-2021-30083 (An issue was discovered in Mediat 1.4.1. There is a Reflected XSS vuln ...) + TODO: check +CVE-2021-30082 (An issue was discovered in Gris CMS v0.1. There is a Persistent XSS vu ...) + TODO: check +CVE-2021-30081 (An issue was discovered in emlog 6.0.0stable. There is a SQL Injection ...) + TODO: check CVE-2021-30080 RESERVED CVE-2021-30079 @@ -9880,8 +9901,8 @@ CVE-2021-29302 (TP-Link TL-WR802N(US), Archer_C50v5_US v4_200 = 2020.06 cont NOT-FOR-US: TP-Link CVE-2021-29301 RESERVED -CVE-2021-29300 - RESERVED +CVE-2021-29300 (The @ronomon/opened library before 1.5.2 is vulnerable to a command in ...) + TODO: check CVE-2021-29299 RESERVED CVE-2021-29298 @@ -10001,8 +10022,8 @@ CVE-2021-29258 (An issue was discovered in Envoy 1.14.0. There is a remotely exp - envoyproxy (bug #987544) CVE-2021-29257 RESERVED -CVE-2021-29256 - RESERVED +CVE-2021-29256 (. The Arm Mali GPU kernel driver allows an unprivileged user to achiev ...) + TODO:
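Review bot: several of the newly published descriptions now marked TODO: check concern software that Debian very likely packages, notably CVE-2021-33516 (GUPnP before 1.0.7 and the 1.1.x/1.2.x branches) and CVE-2021-33502 (the normalize-url npm package), and those deserve triage ahead of the obvious NOT-FOR-US candidates in the same update (Terraria, Mediat, Gris CMS, emlog). The CVE-2021-29256 description begins with a stray ". " copied from the upstream text; harmless for the tracker, but worth trimming when the entry is triaged so the rendered summary does not start with punctuation.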
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-22116/rabbitmq-server
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4884deaf by Salvatore Bonaccorso at 2021-05-24T21:31:29+02:00 Add Debian bug reference for CVE-2021-22116/rabbitmq-server - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -26641,7 +26641,7 @@ CVE-2021-22117 (RabbitMQ installers on Windows prior to version 3.8.16 do not ha - rabbitmq-server (Windows-specific) CVE-2021-22116 RESERVED - - rabbitmq-server + - rabbitmq-server (bug #989056) NOTE: https://tanzu.vmware.com/security/cve-2021-22116 CVE-2021-22115 (Cloud Controller API versions prior to 1.106.0 logs service broker cre ...) NOT-FOR-US: Cloud Controller API View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4884deafa42202f901f4d9fcb51dfc896ee268aa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4884deafa42202f901f4d9fcb51dfc896ee268aa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-20718/libapache2-mod-auth-openidc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c6c87ee6 by Salvatore Bonaccorso at 2021-05-24T21:23:08+02:00 Add Debian bug reference for CVE-2021-20718/libapache2-mod-auth-openidc - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -31324,7 +31324,7 @@ CVE-2021-20720 (SQL injection vulnerability in the KonaWiki2 versions prior to 2 CVE-2021-20719 (RFNTPS firmware versions System_0104 and earlier, and Web_0104 ...) NOT-FOR-US: RFNTPS firmware CVE-2021-20718 (mod_auth_openidc 2.4.0 to 2.4.7 allows a remote attacker to cause a de ...) - - libapache2-mod-auth-openidc + - libapache2-mod-auth-openidc (bug #989055) [buster] - libapache2-mod-auth-openidc (Vulnerable code introduced later) [stretch] - libapache2-mod-auth-openidc (Vulnerable code introduced later) NOTE: https://github.com/zmartzone/mod_auth_openidc/commit/5ef1b0a74208fcb43a16795d0afc94c3d54cd120 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c6c87ee6382b4bff82e071e43dabceae8131ff09 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c6c87ee6382b4bff82e071e43dabceae8131ff09 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-29509/puma
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b11e4dfd by Salvatore Bonaccorso at 2021-05-24T21:21:44+02:00 Add Debian bug reference for CVE-2021-29509/puma - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9299,7 +9299,7 @@ CVE-2021-29510 (Pydantic is a data validation and settings management using Pyth NOTE: https://github.com/samuelcolvin/pydantic/security/advisories/GHSA-5jqp-qgf6-3pvh NOTE: https://github.com/samuelcolvin/pydantic/commit/7e83fdd2563ffac081db7ecdf1affa65ef38c468 CVE-2021-29509 (Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The f ...) - - puma + - puma (bug #989054) NOTE: https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5 NOTE: https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837 NOTE: CVE is related to an incomplete fix for CVE-2019-16770 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b11e4dfd8ae690abc840b91f105a773213b6a8a3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b11e4dfd8ae690abc840b91f105a773213b6a8a3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2021-20718/libapache2-mod-auth-openidc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3cb7b40a by Salvatore Bonaccorso at 2021-05-24T21:20:37+02:00 Update status for CVE-2021-20718/libapache2-mod-auth-openidc - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -31325,6 +31325,8 @@ CVE-2021-20719 (RFNTPS firmware versions System_0104 and earlier, and Web_01 NOT-FOR-US: RFNTPS firmware CVE-2021-20718 (mod_auth_openidc 2.4.0 to 2.4.7 allows a remote attacker to cause a de ...) - libapache2-mod-auth-openidc + [buster] - libapache2-mod-auth-openidc (Vulnerable code introduced later) + [stretch] - libapache2-mod-auth-openidc (Vulnerable code introduced later) NOTE: https://github.com/zmartzone/mod_auth_openidc/commit/5ef1b0a74208fcb43a16795d0afc94c3d54cd120 CVE-2021-20717 (Cross-site scripting vulnerability in EC-CUBE 4.0.0 to 4.0.5 allows a ...) NOT-FOR-US: EC-CUBE View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cb7b40a25162af96f8419e62e3e5c5cdc32334c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cb7b40a25162af96f8419e62e3e5c5cdc32334c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
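Review bot: the buster and stretch lines are marked "Vulnerable code introduced later" on the strength of the CVE text's 2.4.0 to 2.4.7 range, but the only reference in the entry is the fix commit 5ef1b0a74208fcb43a16795d0afc94c3d54cd120; add a NOTE naming the commit (or the 2.4.0 change) that introduced the vulnerable code so the not-affected claim for the older versions shipped in buster and stretch can be re-verified without re-deriving it.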
[Git][security-tracker-team/security-tracker][master] Add some notes for CVE-2020-0478/aom
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3f8bab27 by Salvatore Bonaccorso at 2021-05-24T21:03:19+02:00 Add some notes for CVE-2020-0478/aom - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -115126,6 +115126,8 @@ CVE-2020-0478 (In extend_frame_lowbd of restoration.c, there is a possible out o - aom NOTE: https://android.googlesource.com/platform/external/libaom/+/816f15265cb89a02d7ce4b657de277828e71a4b1 NOTE: https://source.android.com/security/bulletin/pixel/2020-12-01 + NOTE: https://aomedia.googlesource.com/aom/+/ebba9c769be2c99d5396d0018901e9a4af5e2d2c (v1.0.0-errata1-avif) + TODO: check if ebba9c769be2c99d5396d0018901e9a4af5e2d2c is the needed commit CVE-2020-0477 (In sendLinkConfigurationChangedBroadcast of ClientModeImpl.java, there ...) NOT-FOR-US: Android CVE-2020-0476 (In onNotificationRemoved of Assistant.java, there is a possible leak o ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f8bab279f51b5016496251df86bbddb4ccabf0f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f8bab279f51b5016496251df86bbddb4ccabf0f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
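Review bot: the open TODO on whether ebba9c769be2c99d5396d0018901e9a4af5e2d2c is the needed commit is best settled by diffing it against the Android fix 816f15265cb89a02d7ce4b657de277828e71a4b1 and checking that both touch extend_frame_lowbd in restoration.c as the CVE text describes, rather than relying on the v1.0.0-errata1-avif tag name. Also record in a NOTE whether that errata tag sits in the lineage of the version packaged in Debian; the commit reference alone does not tell a reader whether aom is fixed.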
[Git][security-tracker-team/security-tracker][master] Sync three linux CVEs with kernel-sec
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ffd86294 by Salvatore Bonaccorso at 2021-05-24T20:35:15+02:00 Sync three linux CVEs with kernel-sec - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10205,6 +10205,7 @@ CVE-2021-29156 (ForgeRock OpenAM before 13.5.1 allows LDAP injection via the Web NOT-FOR-US: ForgeRock OpenAM CVE-2021-29155 (An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf ...) - linux 5.10.38-1 + [stretch] - linux (Vulnerability introduced later) NOTE: https://www.openwall.com/lists/oss-security/2021/04/18/4 CVE-2021-29154 (BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect c ...) - linux 5.10.28-1 @@ -45440,11 +45441,13 @@ CVE-2020-27171 (An issue was discovered in the Linux kernel before 5.11.8. kerne {DLA-2610-1} - linux 5.10.24-1 [buster] - linux 4.19.181-1 + [stretch] - linux (Vulnerability introduced later) NOTE: https://www.openwall.com/lists/oss-security/2021/03/19/3 CVE-2020-27170 (An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/ ...) {DLA-2610-1} - linux 5.10.24-1 [buster] - linux 4.19.181-1 + [stretch] - linux (Vulnerability introduced later) NOTE: https://www.openwall.com/lists/oss-security/2021/03/19/2 CVE-2020-27169 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ffd86294ba1df83f1523c474347c9044e8ad9bea -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ffd86294ba1df83f1523c474347c9044e8ad9bea You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
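Review bot: CVE-2020-27171 and CVE-2020-27170 carry {DLA-2610-1} and now also "[stretch] - linux (Vulnerability introduced later)"; read together these look contradictory unless DLA-2610-1 was issued for a different source package than linux (stretch ships more than one kernel source package, including linux-4.19). If that is the case, a NOTE saying which package the DLA covered would stop the not-affected annotation from being read as conflicting with the advisory; if it is not, the annotation is wrong for whichever package the DLA actually updated.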
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for squid issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5f5e25dd by Salvatore Bonaccorso at 2021-05-24T17:32:17+02:00 Add Debian bug reference for squid issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3961,19 +3961,19 @@ CVE-2021-31809 RESERVED CVE-2021-31808 RESERVED - - squid + - squid (bug #989043) - squid3 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1185916 NOTE: http://www.squid-cache.org/Versions/v4/changesets/squid-4-e7cf864f938f24eea8af0692c04d16790983c823.patch CVE-2021-31807 RESERVED - - squid + - squid (bug #989043) - squid3 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1185916 NOTE: http://www.squid-cache.org/Versions/v4/changesets/squid-4-e7cf864f938f24eea8af0692c04d16790983c823.patch CVE-2021-31806 RESERVED - - squid + - squid (bug #989043) - squid3 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1185916 NOTE: http://www.squid-cache.org/Versions/v4/changesets/squid-4-e7cf864f938f24eea8af0692c04d16790983c823.patch View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f5e25dd59b7e5b00c00deaac395b5467d187bac -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f5e25dd59b7e5b00c00deaac395b5467d187bac You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
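Review bot: the bug reference #989043 is added only to the squid line; the squid3 line for the same three RESERVED CVEs stays bare, and the only fix reference is a squid-4 changeset, so nothing records whether the squid 3.5 series in stretch is affected or whether the 4.x patch applies to it. Add a [stretch] annotation or a NOTE once that has been checked; otherwise the LTS side has no pointer to act on.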
[Git][security-tracker-team/security-tracker][master] three.js n/a
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c03a17c9 by Moritz Mühlenhoff at 2021-05-24T17:31:03+02:00 three.js n/a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -40022,9 +40022,7 @@ CVE-2020-28498 (The package elliptic before 6.5.4 are vulnerable to Cryptographi CVE-2020-28497 RESERVED CVE-2020-28496 (This affects the package three before 0.125.0. This can happen when ha ...) - - three.js (bug #988726) - [buster] - three.js (Minor issue) - [stretch] - three.js (can be fixed along in next DLA) + - three.js (Vulnerable code introduced later, #988726) NOTE: https://github.com/mrdoob/three.js/pull/21143/commits/4a582355216b620176a291ff319d740e619d583e NOTE: https://github.com/mrdoob/three.js/issues/21132 CVE-2020-28495 (This affects the package total.js before 3.4.7. The set function can b ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c03a17c9bc9fb70d6db3d8452d4c4b575f5fdea0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c03a17c9bc9fb70d6db3d8452d4c4b575f5fdea0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
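Review bot: the replacement line writes the bug as "#988726" inside the free-text parenthetical instead of the "bug #988726" form used everywhere else in this file (compare "(bug #989043)" for squid), so keep the "bug #" prefix to be sure the tracker still links the report. Collapsing the [buster] and [stretch] lines into an unversioned "Vulnerable code introduced later" is only right if unstable is unaffected as well; a NOTE naming the upstream change that introduced the vulnerable code (the fix landed before 0.125.0) would let the claim be re-checked against future uploads.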
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-33477/eterm
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f06966a0 by Salvatore Bonaccorso at 2021-05-24T16:49:44+02:00 Add Debian bug reference for CVE-2021-33477/eterm - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -705,7 +705,7 @@ CVE-2021-33477 (rxvt-unicode 9.22, rxvt 2.7.10, mrxvt 0.5.4, and Eterm 0.9.7 all - rxvt-unicode 9.22-11 (bug #988763) [buster] - rxvt-unicode (Minor issue) - mrxvt - - eterm + - eterm (bug #989041) [buster] - eterm (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2021/05/17/1 NOTE: Mentioned first in: https://www.openwall.com/lists/oss-security/2017/05/01/20 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f06966a0f8e731e775f5d6faeb80005b6ff7f7fb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f06966a0f8e731e775f5d6faeb80005b6ff7f7fb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Fix package name in previous commit for CVE-2021-20291
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7cc1b3e8 by Salvatore Bonaccorso at 2021-05-24T15:17:51+02:00 Fix package name in previous commit for CVE-2021-20291 Fixes: a5252a1af0a7 (Reassociate CVE-2021-20291 with golange-github-containers-storage) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32234,7 +32234,7 @@ CVE-2021-20292 [RM Memory Management Double Free Privilege Escalation Vulnerabil NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939686 NOTE: https://git.kernel.org/linus/5de5b6ecf97a021f29403aa272cb4e03318ef586 CVE-2021-20291 (A deadlock vulnerability was found in 'github.com/containers/storage' ...) - - golange-github-containers-storage (bug #988942) + - golang-github-containers-storage (bug #988942) NOTE: https://github.com/containers/storage/commit/306fcabc964470e4b3b87a43a8f6b7d698209ee1 TODO: check golang-github-containers-buildah, docker.io CVE-2021-20290 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7cc1b3e801c29162138b5d1f593dc3a63102874f
[Git][security-tracker-team/security-tracker][master] Reassociate CVE-2021-20291 with golange-github-containers-storage
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a5252a1a by Salvatore Bonaccorso at 2021-05-24T15:16:02+02:00 Reassociate CVE-2021-20291 with golange-github-containers-storage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32234,9 +32234,9 @@ CVE-2021-20292 [RM Memory Management Double Free Privilege Escalation Vulnerabil NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939686 NOTE: https://git.kernel.org/linus/5de5b6ecf97a021f29403aa272cb4e03318ef586 CVE-2021-20291 (A deadlock vulnerability was found in 'github.com/containers/storage' ...) - - golang-github-containers-image (bug #988942) + - golange-github-containers-storage (bug #988942) NOTE: https://github.com/containers/storage/commit/306fcabc964470e4b3b87a43a8f6b7d698209ee1 - TODO: check golang-github-containers-buildah, docker.io, golang-github-containers-storage + TODO: check golang-github-containers-buildah, docker.io CVE-2021-20290 RESERVED - foreman (bug #663101) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5252a1af0a7f937d47457200175dbcab850d17f
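Review bot: the new package line `- golange-github-containers-storage (bug #988942)` misspells the source package (stray `e` in `golange`); the TODO line in the same hunk spells the sibling packages `golang-github-containers-...`, and a name that matches no source package leaves CVE-2021-20291 attached to nothing in the tracker. It should read `- golang-github-containers-storage (bug #988942)`.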
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0503ca04 by Salvatore Bonaccorso at 2021-05-24T10:18:58+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -38,9 +38,9 @@ CVE-2021-3563 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1962908 TODO: scarce details on it if there are upstream references, try to get more information CVE-2021-33497 (Dutchcoders transfer.sh before 1.2.4 allows Directory Traversal for de ...) - TODO: check + NOT-FOR-US: Dutchcoders transfer.sh CVE-2021-33496 (Dutchcoders transfer.sh before 1.2.4 allows XSS via an inline view. ...) - TODO: check + NOT-FOR-US: Dutchcoders transfer.sh CVE-2021-33495 RESERVED CVE-2021-33494 @@ -31298,15 +31298,15 @@ CVE-2021-20728 CVE-2021-20727 RESERVED CVE-2021-20726 (Untrusted search path vulnerability in The Installer of Overwolf 2.168 ...) - TODO: check + NOT-FOR-US: Overwolf CVE-2021-20725 (Reflected cross-site scripting vulnerability in the admin page of [Cal ...) - TODO: check + NOT-FOR-US: Calendar01 CVE-2021-20724 (Reflected cross-site scripting vulnerability in the admin page of [Tel ...) - TODO: check + NOT-FOR-US: Telop01 CVE-2021-20723 (Reflected cross-site scripting vulnerability in [MailForm01] free edit ...) - TODO: check + NOT-FOR-US: MailForm01 CVE-2021-20722 (Untrusted search path vulnerability in the installers of ScanSnap Mana ...) - TODO: check + NOT-FOR-US: ScanSnap Manager CVE-2021-20721 (KonaWiki2 versions prior to 2.2.4 allows a remote attacker to upload a ...) NOT-FOR-US: KonaWiki2 CVE-2021-20720 (SQL injection vulnerability in the KonaWiki2 versions prior to 2.2.4 a ...) 
@@ -31325,7 +31325,7 @@ CVE-2021-20715 (Improper access control vulnerability in Hot Pepper Gourmet App CVE-2021-20714 (Directory traversal vulnerability in WP Fastest Cache versions prior t ...) NOT-FOR-US: WP fastest cache CVE-2021-20713 (Privilege escalation vulnerability in QND Advance/Premium/Standard Ver ...) - TODO: check + NOT-FOR-US: QND Advance/Premium/Standard CVE-2021-20712 (Improper access control vulnerability in NEC Aterm WG2600HS firmware V ...) NOT-FOR-US: Aterm firmware CVE-2021-20711 (Aterm WG2600HS firmware Ver1.5.1 and earlier allows an attacker to exe ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0503ca045563ee4ddfb1ee82253393bb25461b9f
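Review bot: two of the new NOT-FOR-US names are expanded from descriptions that are truncated in the hunk itself (`[Cal ...` becomes `Calendar01` for CVE-2021-20725, `[Tel ...` becomes `Telop01` for CVE-2021-20724), so those product names cannot be confirmed from the visible text; check them against the full CVE descriptions before the entries are relied on for searching. The remaining entries (Dutchcoders transfer.sh, Overwolf, MailForm01, ScanSnap Manager, QND Advance/Premium/Standard) match the description text shown in their own lines.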
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 54e74045 by security tracker role at 2021-05-24T08:10:16+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -37,10 +37,10 @@ CVE-2021-3563 - keystone NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1962908 TODO: scarce details on it if there are upstream references, try to get more information -CVE-2021-33497 - RESERVED -CVE-2021-33496 - RESERVED +CVE-2021-33497 (Dutchcoders transfer.sh before 1.2.4 allows Directory Traversal for de ...) + TODO: check +CVE-2021-33496 (Dutchcoders transfer.sh before 1.2.4 allows XSS via an inline view. ...) + TODO: check CVE-2021-33495 RESERVED CVE-2021-33494 @@ -4527,6 +4527,7 @@ CVE-2021-31536 RESERVED CVE-2021-31535 RESERVED + {DSA-4920-1 DLA-2666-1} - libx11 2:1.7.1-1 (bug #988737) NOTE: https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8d2e02ae650f00c4a53deb625211a0527126c605 NOTE: https://www.openwall.com/lists/oss-security/2021/05/18/2 @@ -8360,7 +8361,7 @@ CVE-2021-29923 RESERVED CVE-2021-29922 RESERVED -CVE-2021-29921 (Improper input validation of octal strings in Python stdlib ipaddress ...) +CVE-2021-29921 (In Python before 3,9,5, the ipaddress library mishandles leading zero ...) [experimental] - python3.9 3.9.5-1 - python3.9 NOTE: https://bugs.python.org/issue36384#msg392423 
@@ -31296,16 +31297,16 @@ CVE-2021-20728 RESERVED CVE-2021-20727 RESERVED -CVE-2021-20726 - RESERVED -CVE-2021-20725 - RESERVED -CVE-2021-20724 - RESERVED -CVE-2021-20723 - RESERVED -CVE-2021-20722 - RESERVED +CVE-2021-20726 (Untrusted search path vulnerability in The Installer of Overwolf 2.168 ...) + TODO: check +CVE-2021-20725 (Reflected cross-site scripting vulnerability in the admin page of [Cal ...) + TODO: check +CVE-2021-20724 (Reflected cross-site scripting vulnerability in the admin page of [Tel ...) + TODO: check +CVE-2021-20723 (Reflected cross-site scripting vulnerability in [MailForm01] free edit ...) + TODO: check +CVE-2021-20722 (Untrusted search path vulnerability in the installers of ScanSnap Mana ...) + TODO: check CVE-2021-20721 (KonaWiki2 versions prior to 2.2.4 allows a remote attacker to upload a ...) NOT-FOR-US: KonaWiki2 CVE-2021-20720 (SQL injection vulnerability in the KonaWiki2 versions prior to 2.2.4 a ...) 
@@ -31323,8 +31324,8 @@ CVE-2021-20715 (Improper access control vulnerability in Hot Pepper Gourmet App NOT-FOR-US: Hot Pepper Gourmet App CVE-2021-20714 (Directory traversal vulnerability in WP Fastest Cache versions prior t ...) NOT-FOR-US: WP fastest cache -CVE-2021-20713 - RESERVED +CVE-2021-20713 (Privilege escalation vulnerability in QND Advance/Premium/Standard Ver ...) + TODO: check CVE-2021-20712 (Improper access control vulnerability in NEC Aterm WG2600HS firmware V ...) NOT-FOR-US: Aterm firmware CVE-2021-20711 (Aterm WG2600HS firmware Ver1.5.1 and earlier allows an attacker to exe ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54e740459ef9c93dd7f66ce8d40eb3666c6d7fe0
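Review bot: the CVE-2021-29921 hunk overwrites the hand-written description (`Improper input validation of octal strings in Python stdlib ipaddress ...`) with the upstream text, which carries the typo `3,9,5` in the version; the automatic update will keep replacing the description field, so any local wording that should survive belongs in a NOTE line rather than in the description. The `{DSA-4920-1 DLA-2666-1}` annotation added to CVE-2021-31535 is consistent with the libx11 reservations recorded in data/DSA/list and data/DLA/list elsewhere on this page.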
[Git][security-tracker-team/security-tracker][master] php-horde-text-filter spu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d73e0245 by Moritz Mühlenhoff at 2021-05-24T09:09:10+02:00 php-horde-text-filter spu - - - - - 2 changed files: - data/CVE/list - data/next-point-update.txt Changes: = data/CVE/list = @@ -15421,6 +15421,7 @@ CVE-2021-26930 (An issue was discovered in the Linux kernel 3.11 through 5.10.16 CVE-2021-26929 (An XSS issue was discovered in Horde Groupware Webmail Edition through ...) {DLA-2564-1} - php-horde-text-filter 2.3.7-1 (bug #982769) + [buster] - php-horde-text-filter (Minor issue) NOTE: https://lists.horde.org/archives/announce/2021/001298.html NOTE: https://github.com/horde/Text_Filter/commit/c26f938854c36b981558a3b1b9b2f81403cff60e (master) NOTE: https://github.com/horde/Text_Filter/commit/a2f67da064d7a91440b7a2448e56a6387ab94c67 (v2.3.7) = data/next-point-update.txt = @@ -143,3 +143,5 @@ CVE-2021-33477 [buster] - rxvt-unicode 9.22-6+deb10u1 CVE-2021-3561 [buster] - fig2dev 1:3.2.7a-5+deb10u4 +CVE-2021-26929 + [[buster] - php-horde-text-filter 2.3.5-3+deb10u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d73e02455d16095902d3dd0c97f2bfb29de1da94
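Review bot: the data/next-point-update.txt hunk has a doubled opening bracket, `[[buster] - php-horde-text-filter 2.3.5-3+deb10u2`; the rxvt-unicode and fig2dev entries just above it use a single `[buster]`, and the extra bracket is unlikely to be parsed as the release tag. It should read `[buster] - php-horde-text-filter 2.3.5-3+deb10u2`. Marking buster as `(Minor issue)` in data/CVE/list while scheduling the fix through the point update is consistent with how the other entries in that file are handled.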
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for libx11 update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fd4a5f2c by Salvatore Bonaccorso at 2021-05-24T09:01:47+02:00 Reserve DSA number for libx11 update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[24 May 2021] DSA-4920-1 libx11 - security update + {CVE-2021-31535} + [buster] - libx11 2:1.6.7-1+deb10u2 [21 May 2021] DSA-4916-2 prosody - regression update [buster] - prosody 0.11.2-1+deb10u2 [21 May 2021] DSA-4919-1 lz4 - security update = data/dsa-needed.txt = @@ -14,8 +14,6 @@ If needed, specify the release by adding a slash after the name of the source pa -- condor -- -libx11 (carnil) --- linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v4.19.y versions. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd4a5f2c4508ed9e4da1e9555767eb1d0f945395
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2666-1 for libx11
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: d75f7d9b by Emilio Pozuelo Monfort at 2021-05-24T08:50:37+02:00 Reserve DLA-2666-1 for libx11 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[24 May 2021] DLA-2666-1 libx11 - security update + {CVE-2021-31535} + [stretch] - libx11 2:1.6.4-3+deb9u4 [23 May 2021] DLA-2665-1 ring - security update {CVE-2021-21375} [stretch] - ring 20161221.2.7bd7d91~dfsg1-1+deb9u1 = data/dla-needed.txt = @@ -57,8 +57,6 @@ libwebp (Anton Gladky) -- libxml2 (Thorsten Alteholz) -- -libx11 (Emilio) --- linux (Ben Hutchings) -- linux-4.19 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d75f7d9b60143fd50cdceaa056e70d7df40f8980
[Git][security-tracker-team/security-tracker][master] update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: bb7e22d3 by Thorsten Alteholz at 2021-05-24T08:49:19+02:00 update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -45,7 +45,7 @@ eterm (Utkarsh) NOTE: 20210521: src/term.c:process_escape_seq(), probably just disable vulnerable escape sequence -- gpac (Thorsten Alteholz) - NOTE: 20210510: WIP + NOTE: 20210524: WIP -- imagemagick (Anton Gladky) NOTE: 20210415: Tracker records as vulnerable to CVE-2021-20312, but parts of View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb7e22d3c3fee0027aaeb71557d62b9ccb85874a
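Review bot: the change only bumps the date stamp in `NOTE: 20210524: WIP`, so the gpac entry still tells other LTS contributors nothing about what has been done or what is blocking the upload; a one-line status (which CVEs are already backported, which are still open) would make the WIP marker useful, in the way the eterm note above it does with its pointer to `src/term.c:process_escape_seq()`.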