[Git][security-tracker-team/security-tracker][master] Add CVE-2021-34429/jetty9
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cd7e3019 by Salvatore Bonaccorso at 2021-07-16T07:01:58+02:00 Add CVE-2021-34429/jetty9 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5174,7 +5174,9 @@ CVE-2021-34431 CVE-2021-34430 (Eclipse TinyDTLS through 0.9-rc1 relies on the rand function in the C ...) NOT-FOR-US: Eclipse TinyDTLS CVE-2021-34429 (For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 11.0.1-1 ...) - TODO: check + - jetty9 + NOTE: https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm + TODO: check, seems to have been introduced 9.4.37 upstream CVE-2021-34428 (For Eclipse Jetty versions = 9.4.40, = 10.0.2, = 11.0.2, i ...) - jetty9 9.4.39-2 (bug #990578) [stretch] - jetty9 (vulnerable code is not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd7e3019c3bc641a5a2bf344921013cf8c8062c6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd7e3019c3bc641a5a2bf344921013cf8c8062c6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
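Review bot: the new `- jetty9` line carries no fixed version, and the TODO still says the issue seems to have been introduced in 9.4.37 upstream; since the adjacent CVE-2021-34428 entry records 9.4.39-2 as the fixed version in unstable, the current package sits inside the affected range, while stretch would get the same `[stretch] - jetty9 (vulnerable code is not present)` line that CVE-2021-34428 already has once the introducing commit is confirmed. Suggest settling that before the TODO is dropped.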
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-27847/vips
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2228b8b7 by Salvatore Bonaccorso at 2021-07-16T06:59:04+02:00 Add CVE-2021-27847/vips - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21248,7 +21248,10 @@ CVE-2021-27849 CVE-2021-27848 RESERVED CVE-2021-27847 (Division-By-Zero vulnerability in Libvips 8.10.5 in the function vips_ ...) - TODO: check + - vips 8.8.3-1 + NOTE: https://github.com/libvips/libvips/issues/1236 + NOTE: https://github.com/libvips/libvips/commit/2fb81b8ed6a4a6b2385f3efbb0412f24f80163c4 (v8.8.0-rc1) + NOTE: https://github.com/libvips/libvips/commit/65a259a0258b2036b168cdeff6e9db434471225a (v8.8.0-rc1) CVE-2021-27846 RESERVED CVE-2021-27845 (A Divide-by-zero vulnerability exists in JasPer Image Coding Toolkit 2 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2228b8b789a9145ccc555df5fb7752622117d188
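Review bot: the fixed version `vips 8.8.3-1` and both fix commits tagged v8.8.0-rc1 lie below the 8.10.5 that the CVE description names as affected; a NOTE stating why the description is taken to be wrong (or which of the two cited commits actually closes issue #1236) would keep a later triager from reopening the entry.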
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-27845/jasper
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c0516a3 by Salvatore Bonaccorso at 2021-07-16T06:52:32+02:00 Add CVE-2021-27845/jasper - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21252,7 +21252,8 @@ CVE-2021-27847 (Division-By-Zero vulnerability in Libvips 8.10.5 in the function CVE-2021-27846 RESERVED CVE-2021-27845 (A Divide-by-zero vulnerability exists in JasPer Image Coding Toolkit 2 ...) - TODO: check + - jasper + NOTE: https://github.com/jasper-software/jasper/issues/194 CVE-2021-27844 RESERVED CVE-2021-27843 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c0516a3939e0b3334606519613b22516696ea8d
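Review bot: `- jasper` is added with no fixed version, no suite tag and no fix reference; the only NOTE is the upstream issue link. Suggest adding the upstream fix commit once it is identified, plus a `[buster]`/`[stretch]` severity line, so the buster and stretch status is explicit rather than left as an untriaged open issue.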
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-33505/falco
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d644f128 by Salvatore Bonaccorso at 2021-07-16T06:50:01+02:00 Add CVE-2021-33505/falco - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7302,7 +7302,7 @@ CVE-2021-33507 (Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthSer CVE-2021-33506 (jitsi-meet-prosody in Jitsi Meet before 2.0.5963-1 does not ensure tha ...) NOT-FOR-US: jitsi-meet-prosody CVE-2021-33505 (Falco through 0.28.1 has a Time-of-check Time-of-use (TOCTOU) Race Con ...) - TODO: check + - falco (bug #842306) CVE-2021-33504 RESERVED CVE-2021-33503 (An issue was discovered in urllib3 before 1.26.5. When provided with a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d644f128a4a9281dfb42e35c537adef1992514ef
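Review bot: `- falco (bug #842306)` has no fixed version, and #842306 is far older than the #990xxx bugs cited in the other entries of this batch, which suggests it is the packaging ITP/RFP bug rather than a bug filed for CVE-2021-33505; if falco is not in the archive yet, say so (the tracker's `<itp>` marker is the usual way) so the line is not read as an unfixed vulnerability in a shipped package.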
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dfed5eb8 by Salvatore Bonaccorso at 2021-07-16T06:49:03+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4553,17 +4553,17 @@ CVE-2021-34693 (net/can/bcm.c in the Linux kernel through 5.12.10 allows local u NOTE: https://github.com/nrb547/kernel-exploitation/tree/main/cve-2021-34693 NOTE: https://lore.kernel.org/netdev/trinity-87eaea25-2a7d-4aa9-92a5-269b822e5d95-1623609211076@3c-app-gmx-bs04/T/ CVE-2021-34692 (iDrive RemotePC before 7.6.48 on Windows allows privilege escalation. ...) - TODO: check + NOT-FOR-US: iDrive RemotePC CVE-2021-34691 (iDrive RemotePC before 4.0.1 on Linux allows denial of service. A remo ...) - TODO: check + NOT-FOR-US: iDrive RemotePC CVE-2021-34690 (iDrive RemotePC before 7.6.48 on Windows allows authentication bypass. ...) - TODO: check + NOT-FOR-US: iDrive RemotePC CVE-2021-34689 (iDrive RemotePC before 7.6.48 on Windows allows information disclosure ...) - TODO: check + NOT-FOR-US: iDrive RemotePC CVE-2021-34688 (iDrive RemotePC before 7.6.48 on Windows allows information disclosure ...) - TODO: check + NOT-FOR-US: iDrive RemotePC CVE-2021-34687 (iDrive RemotePC before 7.6.48 on Windows allows information disclosure ...) - TODO: check + NOT-FOR-US: iDrive RemotePC CVE-2021-3601 RESERVED - openssl1.0 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dfed5eb8c27539fff580d960ce90704b91121e23
[Git][security-tracker-team/security-tracker][master] Add new chromium issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ba96d7a6 by Salvatore Bonaccorso at 2021-07-15T23:33:11+02:00 Add new chromium issues Note: Do review for correctness. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14376,16 +14376,28 @@ CVE-2021-30565 RESERVED CVE-2021-30564 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-30563 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-30562 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-30561 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-30560 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-30559 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-30558 RESERVED CVE-2021-30557 (Use after free in TabGroups in Google Chrome prior to 91.0.4472.114 al ...) @@ -14445,6 +14457,8 @@ CVE-2021-30542 (Use after free in Tab Strip in Google Chrome prior to 91.0.4472. [stretch] - chromium (see DSA 4562) CVE-2021-30541 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-30540 (Incorrect security UI in payments in Google Chrome on Android prior to ...) - chromium (bug #990079) [stretch] - chromium (see DSA 4562) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba96d7a665d3f81ee310dc82f7721dee44b9d3a7
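Review bot: the commit message asks for a correctness review, and two gaps stand out: CVE-2021-30558 and CVE-2021-30565, which sit inside the same RESERVED range, are left without the `- chromium` line, and none of the seven touched entries gets a fixed version, so each will show as open in unstable until the matching Chrome release is recorded. Suggest confirming whether 30558 and 30565 belong to the same advisory batch and filling in the fixed version when the upload lands.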
[Git][security-tracker-team/security-tracker][master] Track fixes for trafficserver via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eb832420 by Salvatore Bonaccorso at 2021-07-15T22:49:06+02:00 Track fixes for trafficserver via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2865,7 +2865,7 @@ CVE-2021-3615 CVE-2021-3614 RESERVED CVE-2021-35474 (Stack-based Buffer Overflow vulnerability in cachekey plugin of Apache ...) - - trafficserver (bug #990303) + - trafficserver 8.1.1+ds-1.1 (bug #990303) NOTE: https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cannounce.trafficserver.apache.org%3E NOTE: https://github.com/apache/trafficserver/pull/7945 (8.1.x) NOTE: https://github.com/apache/trafficserver/commit/5a9339d7bc65e1c2d8d2a0fc80bb051daf3cdb0b (master) 
@@ -9480,19 +9480,19 @@ CVE-2021-32569 CVE-2021-32568 RESERVED CVE-2021-32567 (Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Se ...) - - trafficserver (bug #990303) + - trafficserver 8.1.1+ds-1.1 (bug #990303) NOTE: https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cannounce.trafficserver.apache.org%3E NOTE: https://github.com/apache/trafficserver/pull/7945 (8.1.x) NOTE: https://github.com/apache/trafficserver/commit/034965e0fd0def114658f0048d953d1c16a95bed (master) NOTE: https://github.com/apache/trafficserver/commit/b82a3d192f995fb9d78e1c44d51d9acca4783277 (8.1.x) CVE-2021-32566 (Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Se ...) - - trafficserver (bug #990303) + - trafficserver 8.1.1+ds-1.1 (bug #990303) NOTE: https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cannounce.trafficserver.apache.org%3E NOTE: https://github.com/apache/trafficserver/pull/7945 (8.1.x) NOTE: https://github.com/apache/trafficserver/commit/034965e0fd0def114658f0048d953d1c16a95bed (master) NOTE: https://github.com/apache/trafficserver/commit/b82a3d192f995fb9d78e1c44d51d9acca4783277 (8.1.x) CVE-2021-32565 (Invalid values in the Content-Length header sent to Apache Traffic Ser ...) - - trafficserver (bug #990303) + - trafficserver 8.1.1+ds-1.1 (bug #990303) NOTE: https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cannounce.trafficserver.apache.org%3E NOTE: https://github.com/apache/trafficserver/pull/7945 (8.1.x) NOTE: https://github.com/apache/trafficserver/commit/668d0f8668fec1cd350b0ceba3f7f8e4020ae3ca (master) 
@@ -21816,7 +21816,7 @@ CVE-2021-27579 (Snow Inventory Agent through 6.7.0 on Windows uses CPUID to repo CVE-2021-27578 RESERVED CVE-2021-27577 (Incorrect handling of url fragment vulnerability of Apache Traffic Ser ...) - - trafficserver (bug #990303) + - trafficserver 8.1.1+ds-1.1 (bug #990303) NOTE: https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cannounce.trafficserver.apache.org%3E NOTE: https://github.com/apache/trafficserver/pull/7945 (8.1.x) NOTE: https://github.com/apache/trafficserver/commit/2b13eb33794574e62249997b4ba654d943a10f2d (master) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb8324208d2bc614cfd4bfcc2738cf28449ebaaf
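Review bot: all five entries now record `trafficserver 8.1.1+ds-1.1 (bug #990303)`, which settles the status in unstable, but no `[bullseye]` or `[buster]` line is added, so those suites stay implicitly affected; if the same fix is headed for them through a DSA or a point update, a suite line saying so would make that explicit.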
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 083bc345 by Salvatore Bonaccorso at 2021-07-15T22:29:20+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3734,7 +3734,7 @@ CVE-2021-35058 CVE-2021-35057 RESERVED CVE-2021-35056 (Unisys Stealth 5.1 before 5.1.025.0 and 6.0 before 6.0.055.0 has an un ...) - TODO: check + NOT-FOR-US: Unisys CVE-2021-35055 RESERVED CVE-2020-36393 @@ -4223,13 +4223,13 @@ CVE-2021-34832 CVE-2021-34831 RESERVED CVE-2021-34830 (This vulnerability allows network-adjacent attackers to execute arbitr ...) - TODO: check + NOT-FOR-US: D-Link CVE-2021-34829 (This vulnerability allows network-adjacent attackers to execute arbitr ...) - TODO: check + NOT-FOR-US: D-Link CVE-2021-34828 (This vulnerability allows network-adjacent attackers to execute arbitr ...) - TODO: check + NOT-FOR-US: D-Link CVE-2021-34827 (This vulnerability allows network-adjacent attackers to execute arbitr ...) - TODO: check + NOT-FOR-US: D-Link CVE-2021-3608 [pvrdma: uninitialized memory unmap in pvrdma_ring_init()] RESERVED - qemu (bug #990563) @@ -32277,9 +32277,9 @@ CVE-2021-3045 CVE-2021-3044 (An improper authorization vulnerability in Palo Alto Networks Cortex X ...) NOT-FOR-US: Palo Alto Networks CVE-2021-3043 (A reflected cross-site scripting (XSS) vulnerability exists in the Pri ...) - TODO: check + NOT-FOR-US: Prisma Cloud Compute web console (Palo Alto Networks) CVE-2021-3042 (A local privilege escalation (PE) vulnerability exists in the Palo Alt ...) - TODO: check + NOT-FOR-US: Palo Alto Networks CVE-2021-3041 (A local privilege escalation vulnerability exists in the Palo Alto Net ...) NOT-FOR-US: Palo Alto Networks CVE-2021-3040 (An unsafe deserialization vulnerability in Bridgecrew Checkov by Prism ...) 
@@ -35771,9 +35771,9 @@ CVE-2021-21589 (Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.1.0.0 CVE-2021-21588 (Dell EMC PowerFlex, v3.5.x contain a Cross-Site WebSocket Hijacking Vu ...) NOT-FOR-US: EMC CVE-2021-21587 (Dell Wyse Management Suite versions 3.2 and earlier contain a full pat ...) - TODO: check + NOT-FOR-US: Dell CVE-2021-21586 (Wyse Management Suite versions 3.2 and earlier contain an absolute pat ...) - TODO: check + NOT-FOR-US: Dell CVE-2021-21585 RESERVED CVE-2021-21584 @@ -56934,7 +56934,7 @@ CVE-2020-25738 (CyberArk Endpoint Privilege Manager (EPM) 11.1.0.173 allows atta CVE-2020-25737 (An elevation of privilege vulnerability exists in Hackolade versions p ...) NOT-FOR-US: Hackolade CVE-2020-25736 (Acronis True Image 2019 update 1 through 2021 update 1 on macOS allows ...) - TODO: check + NOT-FOR-US: Acronis CVE-2020-25735 (webTareas through 2.1 allows XSS in clients/editclient.php, extensions ...) NOT-FOR-US: webTareas CVE-2020-25734 (webTareas through 2.1 allows files/Default/ Directory Listing. ...) @@ -57518,7 +57518,7 @@ CVE-2020-25595 (An issue was discovered in Xen through 4.14.x. The PCI passthrou CVE-2020-25594 (HashiCorp Vault and Vault Enterprise allowed for enumeration of Secret ...) NOT-FOR-US: HashiCorp Vault CVE-2020-25593 (Acronis True Image through 2021 on macOS allows local privilege escala ...) - TODO: check + NOT-FOR-US: Acronis CVE-2020-25592 (In SaltStack Salt through 3002, salt-netapi improperly validates eauth ...) {DSA-4837-1 DLA-2480-1} - salt 3002.1+dfsg1-1 @@ -79219,7 +79219,7 @@ CVE-2020-15497 (** DISPUTED ** jcore/portal/ajaxPortal.jsp in Jalios JCMS 10.0.2 CVE-2020-15496 (Acronis True Image for Mac before 2021 Update 4 allowed local privileg ...) TODO: check CVE-2020-15495 (Acronis True Image 2019 update 1 through 2020 on macOS allows local pr ...) - TODO: check + NOT-FOR-US: Acronis CVE-2020-15494 RESERVED CVE-2020-15493 
@@ -86730,17 +86730,17 @@ CVE-2020-12736 (Code42 environments with on-premises server versions 7.0.4 and e CVE-2020-12735 (reset.php in DomainMOD 4.13.0 uses insufficient entropy for password r ...) NOT-FOR-US: DomainMOD CVE-2020-12734 (DEPSTECH WiFi Digital Microscope 3 allows remote attackers to change t ...) - TODO: check + NOT-FOR-US: DEPSTECH WiFi Digital Microscope CVE-2020-12733 (Certain Shenzhen PENGLIXIN components on DEPSTECH WiFi Digital Microsc ...) - TODO: check + NOT-FOR-US: DEPSTECH WiFi Digital Microscope CVE-2020-12732 (DEPSTECH WiFi Digital Microscope 3 has a default SSID of Jetion_xx ...) - TODO: check + NOT-FOR-US: DEPSTECH WiFi Digital Microscope CVE-2020-12731 (The MagicMotion Flamingo 2 application for Android stores data on an s ...) -
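Review bot: CVE-2020-15496 (Acronis True Image for Mac), visible as an unchanged context line in the `@@ -79219` hunk, still reads `TODO: check` while the neighbouring Acronis entries CVE-2020-15495, CVE-2020-25593 and CVE-2020-25736 are switched to `NOT-FOR-US: Acronis` here; it should get the same treatment in the same pass.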
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 389ac4d7 by Salvatore Bonaccorso at 2021-07-15T22:17:30+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16505,7 +16505,7 @@ CVE-2021-29751 (IBM Business Automation Workflow 18.0, 19.0, and 20.0 and IBM Bu CVE-2021-29750 RESERVED CVE-2021-29749 (IBM Secure External Authentication Server 6.0.2 and IBM Secure Proxy 6 ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-29748 RESERVED CVE-2021-29747 (IBM InfoSphere Information Server 11.7 could allow a remote attacker t ...) @@ -16519,7 +16519,7 @@ CVE-2021-29744 CVE-2021-29743 RESERVED CVE-2021-29742 (IBM Security Verify Access Docker 10.0.0 could allow a user to imperso ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-29741 RESERVED CVE-2021-29740 (IBM Spectrum Scale 5.0.0 through 5.0.5.6 and 5.1.0 through 5.1.0.3 sys ...) @@ -16553,7 +16553,7 @@ CVE-2021-29727 CVE-2021-29726 RESERVED CVE-2021-29725 (IBM Secure External Authentication Server 2.4.3.2, 6.0.1, 6.0.2 and IB ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-29724 RESERVED CVE-2021-29723 @@ -16605,7 +16605,7 @@ CVE-2021-29701 CVE-2021-29700 RESERVED CVE-2021-29699 (IBM Security Verify Access Docker 10.0.0 could allow a remote priviled ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-29698 RESERVED CVE-2021-29697 
@@ -39754,15 +39754,15 @@ CVE-2021-20539 CVE-2021-20538 (IBM Cloud Pak for Security (CP4S) 1.5.0.0 and 1.5.0.1 could allow a us ...) NOT-FOR-US: IBM CVE-2021-20537 (IBM Security Verify Access Docker 10.0.0 contains hard-coded credentia ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-20536 (IBM Spectrum Protect Plus File Systems Agent 10.1.6 and 10.1.7 stores ...) NOT-FOR-US: IBM CVE-2021-20535 (IBM Jazz Reporting Service 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerabl ...) NOT-FOR-US: IBM CVE-2021-20534 (IBM Security Verify Access Docker 10.0.0 could allow a remote attacker ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-20533 (IBM Security Verify Access Docker 10.0.0 could allow a remote authenti ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-20532 (IBM Spectrum Protect Client 8.1.0.0 through 8.1.11.0 could allow a loc ...) NOT-FOR-US: IBM CVE-2021-20531 @@ -39780,9 +39780,9 @@ CVE-2021-20526 CVE-2021-20525 RESERVED CVE-2021-20524 (IBM Security Verify Access Docker 10.0.0 is vulnerable to cross-site s ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-20523 (IBM Security Verify Access Docker 10.0.0 could allow a remote attacker ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-20522 RESERVED CVE-2021-20521 @@ -39806,9 +39806,9 @@ CVE-2021-20513 CVE-2021-20512 RESERVED CVE-2021-20511 (IBM Security Verify Access Docker 10.0.0 could allow a remote attacker ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-20510 (IBM Security Verify Access Docker 10.0.0 stores user credentials in pl ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-20509 RESERVED CVE-2021-20508 
@@ -39828,15 +39828,15 @@ CVE-2021-20502 (IBM Jazz Foundation Products are vulnerable to an XML External E CVE-2021-20501 (IBM i 7.1, 7.2, 7.3, and 7.4 SMTP allows a network attacker to send em ...) NOT-FOR-US: IBM CVE-2021-20500 (IBM Security Verify Access Docker 10.0.0 could reveal highly sensitive ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-20499 (IBM Security Verify Access Docker 10.0.0 could allow a remote attacker ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-20498 (IBM Security Verify Access Docker 10.0.0 reveals version information i ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-20497 (IBM Security Verify Access Docker 10.0.0 uses weaker than expected cry ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-20496 (IBM Security Verify Access Docker 10.0.0 could allow an authenticated ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-20495 RESERVED CVE-2021-20494 (IBM Security Identity Manager Adapters 6.0 and 7.0 are vulnerable to a ...) @@ -39950,7 +39950,7 @@ CVE-2021-20441 (IBM Security Verify Bridge uses weaker than expected cryptograph CVE-2021-20440 (IBM API Connect 10.0.0.0, and 2018.4.1.0 through 2018.4.1.13 does not ...) NOT-FOR-US: IBM CVE-2021-20439 (IBM Security Access Manager 9.0 and IBM Security Verify Access Docker ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-20438 RESERVED CVE-2021-20437 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/389ac4d7af94f2485bec8c4992976ac647a99aec -- View it on GitLab:
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b1adf3bb by security tracker role at 2021-07-15T20:10:27+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,17 @@ +CVE-2021-36753 (sharkdp BAT before 0.18.2 executes less.exe from the current working d ...) + TODO: check +CVE-2021-36752 + RESERVED +CVE-2021-36751 + RESERVED +CVE-2021-36750 + RESERVED +CVE-2021-36749 + RESERVED +CVE-2021-3650 + RESERVED +CVE-2021-3649 + RESERVED CVE-2021-36748 RESERVED CVE-2021-36747 @@ -3719,8 +3733,8 @@ CVE-2021-35058 RESERVED CVE-2021-35057 RESERVED -CVE-2021-35056 - RESERVED +CVE-2021-35056 (Unisys Stealth 5.1 before 5.1.025.0 and 6.0 before 6.0.055.0 has an un ...) + TODO: check CVE-2021-35055 RESERVED CVE-2020-36393 @@ -4208,14 +4222,14 @@ CVE-2021-34832 RESERVED CVE-2021-34831 RESERVED -CVE-2021-34830 - RESERVED -CVE-2021-34829 - RESERVED -CVE-2021-34828 - RESERVED -CVE-2021-34827 - RESERVED +CVE-2021-34830 (This vulnerability allows network-adjacent attackers to execute arbitr ...) + TODO: check +CVE-2021-34829 (This vulnerability allows network-adjacent attackers to execute arbitr ...) + TODO: check +CVE-2021-34828 (This vulnerability allows network-adjacent attackers to execute arbitr ...) + TODO: check +CVE-2021-34827 (This vulnerability allows network-adjacent attackers to execute arbitr ...) + TODO: check CVE-2021-3608 [pvrdma: uninitialized memory unmap in pvrdma_ring_init()] RESERVED - qemu (bug #990563) 
@@ -4538,18 +4552,18 @@ CVE-2021-34693 (net/can/bcm.c in the Linux kernel through 5.12.10 allows local u NOTE: https://www.openwall.com/lists/oss-security/2021/06/15/1 NOTE: https://github.com/nrb547/kernel-exploitation/tree/main/cve-2021-34693 NOTE: https://lore.kernel.org/netdev/trinity-87eaea25-2a7d-4aa9-92a5-269b822e5d95-1623609211076@3c-app-gmx-bs04/T/ -CVE-2021-34692 - RESERVED -CVE-2021-34691 - RESERVED -CVE-2021-34690 - RESERVED -CVE-2021-34689 - RESERVED -CVE-2021-34688 - RESERVED -CVE-2021-34687 - RESERVED +CVE-2021-34692 (iDrive RemotePC before 7.6.48 on Windows allows privilege escalation. ...) + TODO: check +CVE-2021-34691 (iDrive RemotePC before 4.0.1 on Linux allows denial of service. A remo ...) + TODO: check +CVE-2021-34690 (iDrive RemotePC before 7.6.48 on Windows allows authentication bypass. ...) + TODO: check +CVE-2021-34689 (iDrive RemotePC before 7.6.48 on Windows allows information disclosure ...) + TODO: check +CVE-2021-34688 (iDrive RemotePC before 7.6.48 on Windows allows information disclosure ...) + TODO: check +CVE-2021-34687 (iDrive RemotePC before 7.6.48 on Windows allows information disclosure ...) + TODO: check CVE-2021-3601 RESERVED - openssl1.0 @@ -4870,8 +4884,7 @@ CVE-2021-3592 (An invalid pointer initialization issue was found in the SLiRP ne NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/f13cad45b25d92760bb0ad67bec0300a4d7d5275 (v4.6.0) NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/2eca0838eee1da96204545e22cdaed860d9d7c6c (v4.6.0) NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed. -CVE-2021-34558 - RESERVED +CVE-2021-34558 (The crypto/tls package of Go through 1.16.5 does not properly assert t ...) - golang-1.16 1.16.6-1 - golang-1.15 - golang-1.11 
@@ -5160,8 +5173,8 @@ CVE-2021-34431 RESERVED CVE-2021-34430 (Eclipse TinyDTLS through 0.9-rc1 relies on the rand function in the C ...) NOT-FOR-US: Eclipse TinyDTLS -CVE-2021-34429 - RESERVED +CVE-2021-34429 (For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 11.0.1-1 ...) + TODO: check CVE-2021-34428 (For Eclipse Jetty versions = 9.4.40, = 10.0.2, = 11.0.2, i ...) - jetty9 9.4.39-2 (bug #990578) [stretch] - jetty9 (vulnerable code is not present) @@ -7288,8 +7301,8 @@ CVE-2021-33507 (Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthSer NOT-FOR-US: Zope Products.CMFCore (as used in Plone) CVE-2021-33506 (jitsi-meet-prosody in Jitsi Meet before 2.0.5963-1 does not ensure tha ...) NOT-FOR-US: jitsi-meet-prosody -CVE-2021-33505 - RESERVED +CVE-2021-33505 (Falco through 0.28.1 has a Time-of-check Time-of-use (TOCTOU) Race Con ...) + TODO: check CVE-2021-33504 RESERVED CVE-2021-33503 (An issue was discovered in urllib3 before 1.26.5. When provided with a ...) @@ -8964,8 +8977,8 @@ CVE-2021-32772 RESERVED CVE-2021-32771 RESERVED -CVE-2021-32770 - RESERVED +CVE-2021-32770 (Gatsby is a framework for
[Git][security-tracker-team/security-tracker][master] Track proposed update for postsrsd via buster-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 254b973c by Salvatore Bonaccorso at 2021-07-15T21:56:52+02:00 Track proposed update for postsrsd via buster-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -44,3 +44,5 @@ CVE-2019-15605 [buster] - http-parser 2.8.1-1+deb10u1 CVE-2021-21375 [buster] - ring 20190215.1.f152c98~ds1-1+deb10u1 +CVE-2021-35525 + [buster] - postsrsd 1.5-2+deb10u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/254b973cb330fc3dc0c4b1a9a3fe71e85bc1791d
[Git][security-tracker-team/security-tracker][master] Add two new icinga2 issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 50f345eb by Salvatore Bonaccorso at 2021-07-15T21:31:27+02:00 Add two new icinga2 issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9026,8 +9026,11 @@ CVE-2021-32745 RESERVED CVE-2021-32744 RESERVED -CVE-2021-32743 +CVE-2021-32743 [Passwords used to access external services inadvertently exposed through API] RESERVED + - icinga2 + NOTE: https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/ + NOTE: https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7 CVE-2021-32742 (Vapor is a web framework for Swift. In versions 4.47.1 and prior, bug ...) NOT-FOR-US: Vapor CVE-2021-32741 (Nextcloud Server is a Nextcloud package that handles data storage. In ...) 
@@ -9036,8 +9039,11 @@ CVE-2021-32740 (Addressable is an alternative implementation to the URI implemen - ruby-addressable 2.7.0-2 (bug #990791) NOTE: https://github.com/sporkmonger/addressable/security/advisories/GHSA-jxhc-q857-3j6g NOTE: https://github.com/sporkmonger/addressable/commit/b48ff03347a6d46e8dc674e242ce74c6381962a5#diff-fb36d3dc67e6565ffde17e666a98697f48e76dac38fabf1bb9e97cdf3b583d76 -CVE-2021-32739 +CVE-2021-32739 [Results of queries for ApiListener objects include the ticket salt which allows in turn to steal (more privileged) identities] RESERVED + - icinga2 + NOTE: https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/ + NOTE: https://github.com/Icinga/icinga2/security/advisories/GHSA-98wp-jc6q-x5q5 CVE-2021-32738 (js-stellar-sdk is a Javascript library for communicating with a Stella ...) NOT-FOR-US: js-stellar-sdk CVE-2021-32737 (Sulu is an open-source PHP content management system based on the Symf ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50f345eb813f8fffa88b60dcd99f374d3b40d9b3
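Review bot: both new icinga2 entries list the package without a fixed version, even though the cited blog post announces the fixing releases 2.12.5 and 2.11.10; the Debian fixed version and a bug number (as the neighbouring ruby-addressable entry has) should be filled in once the upload exists, so that bullseye and buster status can be derived from it.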
[Git][security-tracker-team/security-tracker][master] 2 commits: Track fixed version for CVE-2021-21404/syncthing via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8576c68b by Salvatore Bonaccorso at 2021-07-15T21:14:22+02:00 Track fixed version for CVE-2021-21404/syncthing via unstable - - - - - ca82cdca by Salvatore Bonaccorso at 2021-07-15T21:15:13+02:00 Remove no-dsa tagged entry for bullseye for CVE-2021-21404/syncthing - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -37432,8 +37432,7 @@ CVE-2021-21406 CVE-2021-21405 (Lotus is an Implementation of the Filecoin protocol written in Go. BLS ...) NOT-FOR-US: Lotus CVE-2021-21404 (Syncthing is a continuous file synchronization program. In Syncthing b ...) - - syncthing (bug #986593) - [bullseye] - syncthing (Minor issue) + - syncthing 1.12.1~ds1-3 (bug #986593) [buster] - syncthing (Minor issue) [stretch] - syncthing (Minor issue; can be fixed in next update) NOTE: https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9341e2417470bcad464ae7868dfbe1f634a73d3d...ca82cdca7c130ff8f1223ec73e5dc0d758e25163
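Review bot: the `[bullseye] - syncthing (Minor issue)` line is dropped in the same change that records `1.12.1~ds1-3` as the fixed version; that only holds if the -3 revision actually migrates to bullseye, so the migration is worth checking, and since the entry still cites only the GHSA advisory, a NOTE with the upstream fix commit that the Debian revision backports would help later review.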
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-24116/wolfssl
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9341e241 by Salvatore Bonaccorso at 2021-07-15T21:12:42+02:00 Add CVE-2021-24116/wolfssl - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30042,7 +30042,8 @@ CVE-2021-24118 CVE-2021-24117 (In Rust SGX 1.1.3, a side-channel vulnerability in base64 PEM file dec ...) TODO: check CVE-2021-24116 (In wolfSSL through 4.6.0, a side-channel vulnerability in base64 PEM f ...) - TODO: check + - wolfssl + NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v4.8.0-stable CVE-2021-24115 (In Botan before 2.17.3, constant-time computations are not used for ce ...) - botan 2.17.3+dfsg-1 [buster] - botan (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9341e2417470bcad464ae7868dfbe1f634a73d3d
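Review bot: the description covers wolfSSL through 4.6.0, but the only NOTE points at the v4.8.0-stable release tag, which leaves the status of 4.7.0 and the actual fix commit unstated, and `- wolfssl` has neither a fixed version nor suite tags. Suggest linking the fixing commit and recording the first upstream release that contains it so the Debian version range can be set, much as the adjacent botan entry does with `2.17.3+dfsg-1` and its `[buster]` line.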
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4f34bb4d by Salvatore Bonaccorso at 2021-07-15T21:12:05+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3388,7 +3388,7 @@ CVE-2021-35213 CVE-2021-35212 RESERVED CVE-2021-35211 (Microsoft discovered a remote code execution (RCE) vulnerability in th ...) - TODO: check + NOT-FOR-US: SolarWinds CVE-2020-36394 (pam_setquota.c in the pam_setquota module before 2020-05-29 for Linux- ...) - pam (Vulnerable code introduced and fixed in v1.4.0) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1171721 @@ -33072,15 +33072,15 @@ CVE-2021-22784 CVE-2021-22783 RESERVED CVE-2021-22782 (Missing Encryption of Sensitive Data vulnerability exists in EcoStruxu ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2021-22781 (Insufficiently Protected Credentials vulnerability exists in EcoStruxu ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2021-22780 (Insufficiently Protected Credentials vulnerability exists in EcoStruxu ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2021-22779 (Authentication Bypass by Spoofing vulnerability exists in EcoStruxure ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2021-22778 (Insufficiently Protected Credentials vulnerability exists in EcoStruxu ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2021-22777 RESERVED CVE-2021-22776 @@ -34161,7 +34161,7 @@ CVE-2021-22320 (There is a denial of service vulnerability in Huawei products. A CVE-2021-22319 RESERVED CVE-2021-22318 (A component of the HarmonyOS 2.0 has a Null Pointer Dereference Vulner ...) - TODO: check + NOT-FOR-US: HarmonyOS CVE-2021-22317 (There is an Information Disclosure vulnerability in Huawei Smartphone. ...) NOT-FOR-US: Huawei CVE-2021-22316 (There is a Missing Authentication for Critical Function vulnerability ...) 
@@ -43460,7 +43460,7 @@ CVE-2021-1972 CVE-2021-1971 RESERVED CVE-2021-1970 (Possible out of bound read due to lack of length check of FT sub-eleme ...) - TODO: check + NOT-FOR-US: Snapdragon CVE-2021-1969 RESERVED CVE-2021-1968 @@ -43470,9 +43470,9 @@ CVE-2021-1967 CVE-2021-1966 RESERVED CVE-2021-1965 (Possible buffer overflow due to lack of parameter length check during ...) - TODO: check + NOT-FOR-US: Snapdragon CVE-2021-1964 (Possible buffer over read due to improper validation of IE size while ...) - TODO: check + NOT-FOR-US: Snapdragon CVE-2021-1963 RESERVED CVE-2021-1962 @@ -43492,9 +43492,9 @@ CVE-2021-1956 CVE-2021-1955 (Denial of service in SAP case due to improper handling of connections ...) NOT-FOR-US: SAP CVE-2021-1954 (Possible buffer over read due to improper validation of data pointer w ...) - TODO: check + NOT-FOR-US: Snapdragon CVE-2021-1953 (Improper handling of received malformed FTMR request frame can lead to ...) - TODO: check + NOT-FOR-US: Snapdragon CVE-2021-1952 RESERVED CVE-2021-1951 @@ -43510,21 +43510,21 @@ CVE-2021-1947 CVE-2021-1946 RESERVED CVE-2021-1945 (Possible out of bound read due to lack of length check of Bandwidth-NS ...) - TODO: check + NOT-FOR-US: Snapdragon CVE-2021-1944 RESERVED CVE-2021-1943 (Possible buffer out of bound read can occur due to improper validation ...) - TODO: check + NOT-FOR-US: Snapdragon CVE-2021-1942 RESERVED CVE-2021-1941 RESERVED CVE-2021-1940 (Use after free can occur due to improper handling of response from fir ...) - TODO: check + NOT-FOR-US: Snapdragon CVE-2021-1939 RESERVED CVE-2021-1938 (Possible assertion due to improper verification while creating and del ...) - TODO: check + NOT-FOR-US: Snapdragon CVE-2021-1937 (Reachable assertion is possible while processing peer association WLAN ...) NOT-FOR-US: Qualcomm components for Android CVE-2021-1936 
@@ -43538,7 +43538,7 @@ CVE-2021-1933 CVE-2021-1932 RESERVED CVE-2021-1931 (Possible buffer overflow due to improper validation of buffer length w ...) - TODO: check + NOT-FOR-US: Snapdragon CVE-2021-1930 RESERVED CVE-2021-1929 @@ -43586,7 +43586,7 @@ CVE-2021-1909 CVE-2021-1908 RESERVED CVE-2021-1907 (Possible buffer overflow due to lack of length check in BA request in ...) - TODO: check + NOT-FOR-US: Snapdragon CVE-2021-1906 (Improper handling of address deregistration on failure can lead to new ...) NOT-FOR-US: Qualcomm components for Android CVE-2021-1905 (Possible use after free due to improper handling of memory mapping of ...) @@ -43598,17 +43598,17 @@ CVE-2021-1903
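Review bot: Labelling is inconsistent within these hunks: the newly triaged Qualcomm entries use "NOT-FOR-US: Snapdragon", while the adjacent unchanged lines for CVE-2021-1937 and CVE-2021-1906 use "NOT-FOR-US: Qualcomm components for Android". Both refer to the same vendor bulletin family; pick one wording so the NFU entries stay greppable. The diff is also cut off at the "@@ -43598,17 +43598,17 @@ CVE-2021-1903" header, so the remaining Snapdragon hunks of this commit could not be reviewed here.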
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-36420/polipo
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b8ebe4c3 by Salvatore Bonaccorso at 2021-07-15T21:00:37+02:00 Add CVE-2020-36420/polipo - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,7 +5,8 @@ CVE-2021-36747 CVE-2021-36746 RESERVED CVE-2020-36420 (** UNSUPPORTED WHEN ASSIGNED ** Polipo through 1.1.1 allows denial of ...) - TODO: check + - polipo + NOTE: https://www.openwall.com/lists/oss-security/2020/11/18/1 CVE-2021-36745 RESERVED CVE-2021-36744 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b8ebe4c34d0ac9b407197072003eae36889baee9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b8ebe4c34d0ac9b407197072003eae36889baee9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
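Review bot: The description for CVE-2020-36420 is flagged "** UNSUPPORTED WHEN ASSIGNED **", yet the entry is added as a bare "- polipo" with no fixed version and no severity or triage tag, so it will sit open indefinitely. Since no upstream fix is expected, please record the actual state: whether src:polipo is still in any supported suite (and the removed marker if it has left the archive), plus a severity annotation on the unfixed line so dsa-needed processing does not treat it as actionable. The openwall NOTE is the right reference.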
[Git][security-tracker-team/security-tracker][master] Add reference for CVE-2021-22555/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 54e6ba05 by Salvatore Bonaccorso at 2021-07-15T17:46:00+02:00 Add reference for CVE-2021-22555/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -33683,6 +33683,7 @@ CVE-2021-22555 (A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was [buster] - linux 4.19.194-1 [stretch] - linux 4.9.272-1 NOTE: https://github.com/google/security-research/security/advisories/GHSA-xxx5-8mvq-3528 + NOTE: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html CVE-2021-22554 RESERVED CVE-2021-22553 (Any git operation is passed through Jetty and a session is created. No ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54e6ba05ba30c324d34878bfa101d2230f7f5888 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54e6ba05ba30c324d34878bfa101d2230f7f5888 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
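Review bot: The added NOTE links a public proof-of-concept writeup (security-research/pocs/linux/cve-2021-22555/writeup.html), which changes the priority of this issue even though buster (4.19.194-1) and stretch (4.9.272-1) already carry fixed versions. Please spell that out in the NOTE text (for example "public exploit/writeup available") rather than leaving only the URL, since NOTE lines are what a triager scans when deciding whether any remaining suite or derivative needs an out-of-band update.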
[Git][security-tracker-team/security-tracker][master] new wireshark issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c1f5bdef by Moritz Muehlenhoff at 2021-07-15T17:31:30+02:00 new wireshark issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -34326,6 +34326,12 @@ CVE-2021-22236 RESERVED CVE-2021-22235 RESERVED + [experimental] - wireshark 3.4.7-1~exp1 + - wireshark + [bullseye] - wireshark (Minor issue, can be fixed along in future update) + [buster] - wireshark (Minor issue, can be fixed along in future update) + NOTE: https://www.wireshark.org/security/wnpa-sec-2021-06.html + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17462 CVE-2021-22234 RESERVED CVE-2021-22233 (An information disclosure vulnerability in GitLab EE versions 13.10 an ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1f5bdefa8750c5bb059aa6cf007cb20a4e50361 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1f5bdefa8750c5bb059aa6cf007cb20a4e50361 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
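Review bot: CVE-2021-22235 is still RESERVED with no description, and the new block adds no bracketed subject after the CVE id; the convention used elsewhere in this file (for example "CVE-2021-20304 [Undefined-shift in Imf_2_5::hufDecode]") is to add a short title taken from the vendor advisory, here wnpa-sec-2021-06, so the entry is searchable before MITRE publishes the text. Minor wording point: "(Minor issue, can be fixed along in future update)" differs from the "(Minor issue; can be fixed in next update)" phrasing used for syncthing; harmless, but consistent phrasing helps grepping.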
[Git][security-tracker-team/security-tracker][master] buster triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5dcc0b4c by Moritz Muehlenhoff at 2021-07-15T17:29:03+02:00 buster triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = 
@@ -11340,64 +11340,76 @@ CVE-2021-31816 (When configuring Octopus Server if it is configured with an exte NOT-FOR-US: Octopus Server CVE-2019-25042 (** DISPUTED ** Unbound before 1.9.5 allows an out-of-bounds write via ...) {DLA-2652-1} - - unbound 1.9.6-1 + - unbound 1.9.6-1 (unimportant) [stretch] - unbound (No longer supported, see DSA 4694) NOTE: https://github.com/NLnetLabs/unbound/commit/6c3a0b54ed8ace93d5b5ca7b8078dc87e75cd640 + NOTE: Not deemed an exploitable vulnerability by upstream CVE-2019-25041 (** DISPUTED ** Unbound before 1.9.5 allows an assertion failure via a ...) {DLA-2652-1} - - unbound 1.9.6-1 + - unbound 1.9.6-1 (unimportant) [stretch] - unbound (No longer supported, see DSA 4694) NOTE: https://github.com/NLnetLabs/unbound/commit/2d444a5037acff6024630b88092d9188f2f5d8fe + NOTE: Not deemed an exploitable vulnerability by upstream CVE-2019-25040 (** DISPUTED ** Unbound before 1.9.5 allows an infinite loop via a comp ...) {DLA-2652-1} - - unbound 1.9.6-1 + - unbound 1.9.6-1 (unimportant) [stretch] - unbound (No longer supported, see DSA 4694) NOTE: https://github.com/NLnetLabs/unbound/commit/2d444a5037acff6024630b88092d9188f2f5d8fe + NOTE: Not deemed an exploitable vulnerability by upstream CVE-2019-25039 (** DISPUTED ** Unbound before 1.9.5 allows an integer overflow in a si ...) {DLA-2652-1} - - unbound 1.9.6-1 + - unbound 1.9.6-1 (unimportant) [stretch] - unbound (No longer supported, see DSA 4694) NOTE: https://github.com/NLnetLabs/unbound/commit/02080f6b180232f43b77f403d0c038e9360a460f + NOTE: Not deemed an exploitable vulnerability by upstream CVE-2019-25038 (** DISPUTED ** Unbound before 1.9.5 allows an integer overflow in a si ...) 
{DLA-2652-1} - - unbound 1.9.6-1 + - unbound 1.9.6-1 (unimportant) [stretch] - unbound (No longer supported, see DSA 4694) NOTE: https://github.com/NLnetLabs/unbound/commit/02080f6b180232f43b77f403d0c038e9360a460f + NOTE: Not deemed an exploitable vulnerability by upstream CVE-2019-25037 (** DISPUTED ** Unbound before 1.9.5 allows an assertion failure and de ...) {DLA-2652-1} - - unbound 1.9.6-1 + - unbound 1.9.6-1 (unimportant) [stretch] - unbound (No longer supported, see DSA 4694) NOTE: https://github.com/NLnetLabs/unbound/commit/d2eb78e871153f22332d30c6647f3815148f21e5 + NOTE: Not deemed an exploitable vulnerability by upstream CVE-2019-25036 (** DISPUTED ** Unbound before 1.9.5 allows an assertion failure and de ...) {DLA-2652-1} - - unbound 1.9.6-1 + - unbound 1.9.6-1 (unimportant) [stretch] - unbound (No longer supported, see DSA 4694) NOTE: https://github.com/NLnetLabs/unbound/commit/f5e06689d193619c57c33270c83f5e40781a261d + NOTE: Not deemed an exploitable vulnerability by upstream CVE-2019-25035 (** DISPUTED ** Unbound before 1.9.5 allows an out-of-bounds write in s ...) {DLA-2652-1} - - unbound 1.9.6-1 + - unbound 1.9.6-1 (unimportant) [stretch] - unbound (No longer supported, see DSA 4694) NOTE: https://github.com/NLnetLabs/unbound/commit/fa23ee8f31ba9a018c720ea822faaee639dc7a9c + NOTE: Not deemed an exploitable vulnerability by upstream CVE-2019-25034 (** DISPUTED ** Unbound before 1.9.5 allows an integer overflow in sldn ...) {DLA-2652-1} - - unbound 1.9.6-1 + - unbound 1.9.6-1 (unimportant) [stretch] - unbound (No longer supported, see DSA 4694) NOTE: https://github.com/NLnetLabs/unbound/commit/a3545867fcdec50307c776ce0af28d07046a52dd + NOTE: Not deemed an exploitable vulnerability by upstream CVE-2019-25033 (** DISPUTED ** Unbound before 1.9.5 allows an integer overflow in the ...) 
{DLA-2652-1} - - unbound 1.9.6-1 + - unbound 1.9.6-1 (unimportant) [stretch] - unbound (No longer supported, see DSA 4694) NOTE: https://github.com/NLnetLabs/unbound/commit/226298bbd36f1f0fd9608e98c2ae85988b7bbdb8 + NOTE: Not deemed an exploitable vulnerability by upstream CVE-2019-25032 (** DISPUTED ** Unbound before 1.9.5 allows an integer overflow in the ...) {DLA-2652-1} - - unbound 1.9.6-1 + - unbound 1.9.6-1 (unimportant) [stretch] - unbound (No longer supported, see DSA 4694) NOTE: https://github.com/NLnetLabs/unbound/commit/226298bbd36f1f0fd9608e98c2ae85988b7bbdb8 + NOTE: Not deemed an exploitable
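Review bot: Each of the ten unbound entries gains "NOTE: Not deemed an exploitable vulnerability by upstream" without any URL, while the same entries already carry "** DISPUTED **" in the description and a {DLA-2652-1} reference showing that a fix was shipped; downgrading to "(unimportant)" on the strength of an unreferenced statement is hard to audit later. Please add a NOTE (per entry, or once on the first) pointing at the upstream issue, list post or advisory that disputes exploitability. Also, the commit lists data/dsa-needed.txt as changed, but that hunk is missing from this excerpt, and the CVE/list diff is truncated at "NOTE: Not deemed an exploitable", so the rest of the triage could not be reviewed.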
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2709-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: c44fce99 by Emilio Pozuelo Monfort at 2021-07-15T16:38:23+02:00 Reserve DLA-2709-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[15 Jul 2021] DLA-2709-1 firefox-esr - security update + {CVE-2021-29970 CVE-2021-29976 CVE-2021-30547} + [stretch] - firefox-esr 78.12.0esr-1~deb9u1 [15 Jul 2021] DLA-2708-1 php7.0 - security update {CVE-2019-18218 CVE-2020-7071 CVE-2021-21702 CVE-2021-21704 CVE-2021-21705} [stretch] - php7.0 7.0.33-0+deb9u11 = data/dla-needed.txt = @@ -47,8 +47,6 @@ ffmpeg (Anton Gladky) NOTE: 20210607: won't just be dropped too, etc. etc. (lamby) NOTE: 20210704: WIP -- -firefox-esr (Emilio) --- firmware-nonfree -- golang-1.7 (Sylvain Beucler) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c44fce99fb10535a1664d4aad9c5290b0cb4d7cd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c44fce99fb10535a1664d4aad9c5290b0cb4d7cd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
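Review bot: Unlike the DLA-2708-1 php7.0 reservation on this page, this commit touches only data/DLA/list and data/dla-needed.txt and not data/CVE/list; please confirm that none of CVE-2021-29970, CVE-2021-29976 and CVE-2021-30547 still carry a "[stretch] - firefox-esr (...)" postponed or no-dsa line, since such a line would now conflict with the "[stretch] - firefox-esr 78.12.0esr-1~deb9u1" fixed version recorded in the DLA. The dla-needed removal keeps the "--" separators balanced, which looks right.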
[Git][security-tracker-team/security-tracker][master] dla: claim golang-1.7
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: da9634ce by Sylvain Beucler at 2021-07-15T15:10:11+02:00 dla: claim golang-1.7 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -51,7 +51,7 @@ firefox-esr (Emilio) -- firmware-nonfree -- -golang-1.7 +golang-1.7 (Sylvain Beucler) NOTE: 20210624: Need further checks whether any issues are important to solve or not. -- gpac (Thorsten Alteholz) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da9634ceeca347f485f128027774deda933889df -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da9634ceeca347f485f128027774deda933889df You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
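Review bot: The claim adds "(Sylvain Beucler)" to the golang-1.7 line but leaves the existing "NOTE: 20210624: Need further checks whether any issues are important to solve or not." without a new dated NOTE; other dla-needed entries on this page (ffmpeg, python-babel) carry a dated progress line per step. A "NOTE: 20210715: ..." stating what is being checked would keep the entry's history readable.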
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e782b790 by Moritz Muehlenhoff at 2021-07-15T10:52:20+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -51034,44 +51034,62 @@ CVE-2021-0296 RESERVED CVE-2021-0295 RESERVED + NOT-FOR-US: Juniper CVE-2021-0294 RESERVED + NOT-FOR-US: Juniper CVE-2021-0293 RESERVED + NOT-FOR-US: Juniper CVE-2021-0292 RESERVED + NOT-FOR-US: Juniper CVE-2021-0291 RESERVED CVE-2021-0290 RESERVED + NOT-FOR-US: Juniper CVE-2021-0289 RESERVED CVE-2021-0288 RESERVED + NOT-FOR-US: Juniper CVE-2021-0287 RESERVED + NOT-FOR-US: Juniper CVE-2021-0286 RESERVED + NOT-FOR-US: Juniper CVE-2021-0285 RESERVED + NOT-FOR-US: Juniper CVE-2021-0284 RESERVED + NOT-FOR-US: Juniper CVE-2021-0283 RESERVED + NOT-FOR-US: Juniper CVE-2021-0282 RESERVED + NOT-FOR-US: Juniper CVE-2021-0281 RESERVED + NOT-FOR-US: Juniper CVE-2021-0280 RESERVED + NOT-FOR-US: Juniper CVE-2021-0279 RESERVED + NOT-FOR-US: Juniper CVE-2021-0278 RESERVED + NOT-FOR-US: Juniper CVE-2021-0277 RESERVED + NOT-FOR-US: Juniper CVE-2021-0276 RESERVED + NOT-FOR-US: Juniper CVE-2021-0275 (A Cross-site Scripting (XSS) vulnerability in J-Web on Juniper Network ...) NOT-FOR-US: Juniper CVE-2021-0274 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e782b790a1ba155ff22ef6a053d03547c19b1f8c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e782b790a1ba155ff22ef6a053d03547c19b1f8c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
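Review bot: CVE-2021-0291 and CVE-2021-0289 are left as bare RESERVED while every neighbour from CVE-2021-0276 to CVE-2021-0295 gets "NOT-FOR-US: Juniper"; if these two were deliberately skipped because they are not yet confirmed as Juniper ids, add a short NOTE saying so, otherwise they will be re-triaged on the next pass. The block otherwise matches the existing "CVE-2021-0275 ... NOT-FOR-US: Juniper" context line.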
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2708-1 for php7.0
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 72b2fa1b by Sylvain Beucler at 2021-07-15T10:33:51+02:00 Reserve DLA-2708-1 for php7.0 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -35502,7 +35502,6 @@ CVE-2021-21702 (In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x - php7.4 7.4.15-1 - php7.3 - php7.0 - [stretch] - php7.0 (Relatively minor issue, can be fixed with next update) NOTE: Fixed in PHP 8.0.2, 7.4.15, 7.3.27 NOTE: PHP Bug: https://bugs.php.net/80672 CVE-2021-21701 @@ -102576,7 +102575,6 @@ CVE-2020-7071 (In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, - php7.4 7.4.14-1 - php7.3 - php7.0 - [stretch] - php7.0 (Minor issue, can be fixed in next release.) NOTE: Fixed in PHP 8.0.1, 7.4.14, 7.3.26 NOTE: PHP Bug: https://bugs.php.net/77423 CVE-2020-7070 (In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below ...) = data/DLA/list = @@ -1,3 +1,6 @@ +[15 Jul 2021] DLA-2708-1 php7.0 - security update + {CVE-2019-18218 CVE-2020-7071 CVE-2021-21702 CVE-2021-21704 CVE-2021-21705} + [stretch] - php7.0 7.0.33-0+deb9u11 [12 Jul 2021] DLA-2707-1 sogo - security update {CVE-2021-33054} [stretch] - sogo 3.2.6-2+deb9u1 = data/dla-needed.txt = 
@@ -80,8 +80,6 @@ nvidia-graphics-drivers NOTE: package is in non-free but also in packages-to-support NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077 -- -php7.0 (Sylvain Beucler) --- python-babel NOTE: 20210617: CVE ID rejected. (abhijith) NOTE: 20210620: http://people.debian.org/~abhijith/backport_of_3a700b5.patch (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72b2fa1bb700147a48b7dd89edadb5333114d218 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72b2fa1bb700147a48b7dd89edadb5333114d218 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
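Review bot: In the dla-needed.txt hunk, the unchanged nvidia-graphics-drivers context line "only CVE‑2021‑1076 seems to be fixed in the R390 branch" appears to use non-ASCII hyphens in the first CVE id while "CVE-2021-1077" on the same line uses ASCII ones; tools that grep this file for CVE ids will miss the first. Worth normalising while the file is being edited. The CVE/list hunks correctly drop the two "[stretch] - php7.0 (...)" postponed lines that would otherwise conflict with the 7.0.33-0+deb9u11 fixed version in DLA-2708-1.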
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c4a7ea31 by security tracker role at 2021-07-15T08:10:31+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,11 @@ +CVE-2021-36748 + RESERVED +CVE-2021-36747 + RESERVED +CVE-2021-36746 + RESERVED +CVE-2020-36420 (** UNSUPPORTED WHEN ASSIGNED ** Polipo through 1.1.1 allows denial of ...) + TODO: check CVE-2021-36745 RESERVED CVE-2021-36744 @@ -3378,8 +3386,8 @@ CVE-2021-35213 RESERVED CVE-2021-35212 RESERVED -CVE-2021-35211 - RESERVED +CVE-2021-35211 (Microsoft discovered a remote code execution (RCE) vulnerability in th ...) + TODO: check CVE-2020-36394 (pam_setquota.c in the pam_setquota module before 2020-05-29 for Linux- ...) - pam (Vulnerable code introduced and fixed in v1.4.0) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1171721 @@ -32880,8 +32888,8 @@ CVE-2021-22869 RESERVED CVE-2021-22868 RESERVED -CVE-2021-22867 - RESERVED +CVE-2021-22867 (A path traversal vulnerability was identified in GitHub Enterprise Ser ...) + TODO: check CVE-2021-22866 (A UI misrepresentation vulnerability was identified in GitHub Enterpri ...) NOT-FOR-US: GitHub Enterprise Server CVE-2021-22865 (An improper access control vulnerability was identified in GitHub Ente ...) @@ -45347,8 +45355,8 @@ CVE-2020-29159 (An issue was discovered in Zammad before 3.5.1. The default sign - zammad (bug #841355) CVE-2020-29158 (An issue was discovered in Zammad before 3.5.1. An Agent with Customer ...) - zammad (bug #841355) -CVE-2020-29157 - RESERVED +CVE-2020-29157 (An issue in RAONWIZ K Editor v2018.0.0.10 allows attackers to perform ...) + TODO: check CVE-2020-29156 (The WooCommerce plugin before 4.7.0 for WordPress allows remote attack ...) NOT-FOR-US: WooCommerce plugin for WordPress CVE-2020-29155 
@@ -57748,7 +57756,7 @@ CVE-2020-25447 RESERVED CVE-2020-25446 RESERVED -CVE-2020-25445 (Cross Site Scripting (XSS) vulnerability in Booking Core - Ultimate Bo ...) +CVE-2020-25445 (The Subscribe feature in Ultimate Booking System Booking ...) TODO: check CVE-2020-25444 (Cross Site Scripting (XSS) vulnerability in Booking Core - Ultimate Bo ...) TODO: check @@ -60768,8 +60776,8 @@ CVE-2020-24135 (A Reflected Cross Site Scripting (XSS) Vulnerability was discove NOT-FOR-US: wmcs CVE-2020-24134 RESERVED -CVE-2020-24133 - RESERVED +CVE-2020-24133 (A heap buffer overflow vulnerability in the r_asm_swf_disass function ...) + TODO: check CVE-2020-24132 RESERVED CVE-2020-24131 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c4a7ea3152b44b6e49abb536bbdcc385b70796ec -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c4a7ea3152b44b6e49abb536bbdcc385b70796ec You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
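Review bot: CVE-2020-24133 names the function r_asm_swf_disass, which follows radare2's asm-plugin naming, and radare2 is packaged in Debian, so this one should not stay at "TODO: check" but be triaged against src:radare2 with a NOTE to the upstream fix. Of the other new TODOs in this automatic update, CVE-2021-22867 (GitHub Enterprise Server) matches its NOT-FOR-US neighbours CVE-2021-22866 and CVE-2021-22865, and CVE-2020-25445's description was rewritten while its sibling CVE-2020-25444 keeps the old "Booking Core" wording; both can be closed in the same NFU pass.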
[Git][security-tracker-team/security-tracker][master] new k8s issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: eb916828 by Moritz Muehlenhoff at 2021-07-15T09:36:51+02:00 new k8s issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -26458,6 +26458,9 @@ CVE-2021-25741 RESERVED CVE-2021-25740 RESERVED + - kubernetes + [bullseye] - kubernetes (Kubernetes in Bullseye only ships the client) + NOTE: https://www.openwall.com/lists/oss-security/2021/07/14/1 CVE-2021-25739 RESERVED CVE-2021-25738 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb9168282996518a5e17c75cf4c79175a506b98d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb9168282996518a5e17c75cf4c79175a506b98d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
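Review bot: The "[bullseye] - kubernetes (Kubernetes in Bullseye only ships the client)" line is phrased as a free-text comment, but without a recognised marker such as not-affected or "(Vulnerable code not present)" the tracker will still count bullseye as affected by the unfixed "- kubernetes" line above it; please use the standard marker. There is also no [buster] line at all, and the entry remains RESERVED without a bracketed subject taken from the oss-security post, which the other RESERVED-but-known entries on this page (openexr) do carry.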
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 493f736c by Moritz Muehlenhoff at 2021-07-15T09:35:28+02:00 NFUs libstb fix - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -72,7 +72,7 @@ CVE-2021-36718 CVE-2021-36717 RESERVED CVE-2021-36716 (A ReDoS (regular expression denial of service) flaw was found in the S ...) - TODO: check + NOT-FOR-US: Node is-email CVE-2021-3643 RESERVED CVE-2021- [RUSTSEC-2021-0074] @@ -4871,7 +4871,6 @@ CVE-2021-34558 NOTE: https://github.com/golang/go/issues/47143 NOTE: https://github.com/golang/go/commit/58bc454a11d4b3dbc03f44dfcabb9068a9c076f4 (1.16.x) NOTE: key_agreement.go also bundled in various other packages - TODO: check older golang branches CVE-2021-34556 RESERVED CVE-2021-34555 (OpenDMARC 1.4.1 and 1.4.1.1 allows remote attackers to cause a denial ...) @@ -5707,9 +5706,9 @@ CVE-2021-34176 CVE-2021-34175 RESERVED CVE-2021-34174 (A vulnerability exists in Broadcom BCM4352 and BCM43684 chips. Any wir ...) - TODO: check + NOT-FOR-US: Broadcom CVE-2021-34173 (An attacker can cause a Denial of Service and kernel panic in v4.2 and ...) - TODO: check + NOT-FOR-US: Espressif CVE-2021-34172 RESERVED CVE-2021-34171 
@@ -6629,13 +6628,13 @@ CVE-2021-33780 (Windows DNS Server Remote Code Execution Vulnerability This CVE CVE-2021-33779 (Windows ADFS Security Feature Bypass Vulnerability ...) NOT-FOR-US: Microsoft CVE-2021-33778 (HEVC Video Extensions Remote Code Execution Vulnerability This CVE ID ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-33777 (HEVC Video Extensions Remote Code Execution Vulnerability This CVE ID ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-33776 (HEVC Video Extensions Remote Code Execution Vulnerability This CVE ID ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-33775 (HEVC Video Extensions Remote Code Execution Vulnerability This CVE ID ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-33774 (Windows Event Tracing Elevation of Privilege Vulnerability ...) NOT-FOR-US: Microsoft CVE-2021-33773 (Windows Remote Access Connection Manager Elevation of Privilege Vulner ...) @@ -7893,11 +7892,11 @@ CVE-2021-33215 (An issue was discovered in CommScope Ruckus IoT Controller 1.7.1 CVE-2021-33214 (In HMS Ewon eCatcher through 6.6.4, weak filesystem permissions could ...) NOT-FOR-US: HMS Ewon eCatcher CVE-2021-33213 (An SSRF vulnerability in the "Upload from URL" feature in Elements-IT ...) - TODO: check + NOT-FOR-US: Elements-IT HTTP Commander CVE-2021-33212 (A Cross-site scripting (XSS) vulnerability in the "View in Browser" fe ...) - TODO: check + NOT-FOR-US: Elements-IT HTTP Commander CVE-2021-33211 (A Directory Traversal vulnerability in the Unzip feature in Elements-I ...) - TODO: check + NOT-FOR-US: Elements-IT HTTP Commander CVE-2021-33210 RESERVED CVE-2021-33209 @@ -10844,7 +10843,7 @@ CVE-2021-31986 CVE-2021-31985 (Microsoft Defender Remote Code Execution Vulnerability ...) NOT-FOR-US: Microsoft CVE-2021-31984 (Power BI Remote Code Execution Vulnerability ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-31983 (Paint 3D Remote Code Execution Vulnerability This CVE ID is unique fro ...) NOT-FOR-US: Microsoft CVE-2021-31982 
@@ -10918,7 +10917,7 @@ CVE-2021-31949 (Microsoft Outlook Remote Code Execution Vulnerability ...) CVE-2021-31948 (Microsoft SharePoint Server Spoofing Vulnerability This CVE ID is uniq ...) NOT-FOR-US: Microsoft CVE-2021-31947 (HEVC Video Extensions Remote Code Execution Vulnerability This CVE ID ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-31946 (Paint 3D Remote Code Execution Vulnerability This CVE ID is unique fro ...) NOT-FOR-US: Microsoft CVE-2021-31945 (Paint 3D Remote Code Execution Vulnerability This CVE ID is unique fro ...) @@ -11202,7 +11201,7 @@ CVE-2021-31861 CVE-2021-31860 RESERVED CVE-2021-31859 (Incorrect privileges in the MU55 FlexiSpooler service in YSoft SafeQ 6 ...) - TODO: check + NOT-FOR-US: Ysoft SafeQ CVE-2021-31858 RESERVED CVE-2021-31857 (In Zoho ManageEngine Password Manager Pro before 11.1 build 11104, att ...) @@ -12087,8 +12086,8 @@ CVE-2021-26260 (An integer overflow leading to a heap-buffer overflow was found CVE-2021-23215 (An integer overflow leading to a heap-buffer overflow was found in the ...) {DLA-2701-1} - openexr - [bullseye] - openexr (Minor issue) - [buster] - openexr (Minor issue) + [bullseye] - openexr (Minor issue, changes ABI) + [buster] - openexr (Minor issue, changes ABI) NOTE:
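Review bot: The commit message says "NFUs libstb fix", but no libstb hunk is visible; the excerpt is cut off after the openexr CVE-2021-23215 hunk at "NOTE:", so that part could not be reviewed. In the visible hunks, the removal of "TODO: check older golang branches" under CVE-2021-34558 leaves no record of the outcome; a NOTE stating which golang source packages were checked, and the result, would prevent the question from being reopened. Minor: "NOT-FOR-US: Ysoft SafeQ" does not match the vendor spelling "YSoft SafeQ" in the description on the same line.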
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-3642
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 39636911 by Salvatore Bonaccorso at 2021-07-15T09:33:47+02:00 Add CVE-2021-3642 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -679,6 +679,7 @@ CVE-2021-36420 RESERVED CVE-2021-3642 RESERVED + NOT-FOR-US: WildFly Elytron CVE-2021-36419 RESERVED CVE-2021-36418 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/39636911e056fe65ad032f03d3d0e44a67e7e4d9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/39636911e056fe65ad032f03d3d0e44a67e7e4d9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
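Review bot: "NOT-FOR-US: WildFly Elytron" is added to an entry that is still RESERVED, so nothing in the file shows where the product attribution came from; a NOTE with the upstream advisory or bug that assigned CVE-2021-3642 would let a later triager confirm the NFU once the CVE text is published. The same applies to the CVE-2021-3636 (OpenShift) entry in the next commit.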
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-3636 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2ef7d689 by Salvatore Bonaccorso at 2021-07-15T09:32:42+02:00 Add CVE-2021-3636 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1253,6 +1253,7 @@ CVE-2021-36151 RESERVED CVE-2021-3636 RESERVED + NOT-FOR-US: OpenShift CVE-2021-3635 RESERVED CVE-2021-3634 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ef7d6892fa52989f972bd0d455dda27e412c70a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ef7d6892fa52989f972bd0d455dda27e412c70a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-21781/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7f09e3eb by Salvatore Bonaccorso at 2021-07-15T09:17:11+02:00 Add CVE-2021-21781/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -35297,6 +35297,10 @@ CVE-2021-21782 (An out-of-bounds write vulnerability exists in the SGI format bu NOT-FOR-US: ImageGear CVE-2021-21781 RESERVED + - linux 5.10.19-1 + [buster] - linux 4.19.177-1 + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1243 + NOTE: https://git.kernel.org/linus/9c698bff66ab4914bb3d71da7dc6112519bde23e CVE-2021-21780 RESERVED CVE-2021-21779 (A use-after-free vulnerability exists in the way Webkits Graphi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f09e3ebc7fab6d19a80061e66de1114c90edb2e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f09e3ebc7fab6d19a80061e66de1114c90edb2e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
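Review bot: The new block records "linux 5.10.19-1" and "[buster] - linux 4.19.177-1" but no [stretch] line, whereas the other linux entry on this page (CVE-2021-22555) carries "[stretch] - linux 4.9.272-1"; the 4.9 LTS branch needs either a fixed version or an explicit triage line so the entry is not silently open for stretch. The two NOTEs (TALOS-2021-1243 and the kernel.org commit) are the right references.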
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-20304/openexr
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fe47c2a5 by Salvatore Bonaccorso at 2021-07-15T09:10:32+02:00 Add CVE-2021-20304/openexr - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -40216,8 +40216,12 @@ CVE-2021-20305 (A flaw was found in Nettle in versions before 3.7.2, where sever NOTE: https://git.lysator.liu.se/nettle/nettle/-/commit/ae3801a0e5cce276c270973214385c86048d5f7b NOTE: Fix canonical reduction in gostdsa_vko: NOTE: https://git.lysator.liu.se/nettle/nettle/-/commit/63f222c60b03470c0005aa9bc4296fbf585f68b9 -CVE-2021-20304 +CVE-2021-20304 [Undefined-shift in Imf_2_5::hufDecode] RESERVED + - openexr 2.5.4-1 + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26229 + NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/51a92d67f53c08230734e74564c807043cbfe41e + NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/849 CVE-2021-20303 [Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer] RESERVED - openexr 2.5.4-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe47c2a5186ea181ab37dfce57be9fd124ef3bdd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe47c2a5186ea181ab37dfce57be9fd124ef3bdd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
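Review bot: "- openexr 2.5.4-1" is recorded without [bullseye] or [buster] lines, while the CVE-2021-23215 openexr entry elsewhere on this page carries "[bullseye] - openexr (Minor issue, changes ABI)" and a matching buster line; the three CVE-2021-2030x entries added in this series need the same stable-branch triage or they will appear untriaged for both releases. The bracketed subject plus oss-fuzz id, fixing commit and PR is a good template for the other two.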
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-20303/openexr
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e9689f7d by Salvatore Bonaccorso at 2021-07-15T09:07:23+02:00 Add CVE-2021-20303/openexr - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -40218,8 +40218,11 @@ CVE-2021-20305 (A flaw was found in Nettle in versions before 3.7.2, where sever NOTE: https://git.lysator.liu.se/nettle/nettle/-/commit/63f222c60b03470c0005aa9bc4296fbf585f68b9 CVE-2021-20304 RESERVED -CVE-2021-20303 +CVE-2021-20303 [Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer] RESERVED + - openexr 2.5.4-1 + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25505 + NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/831 CVE-2021-20302 [Floating-point-exception in Imf_2_5::precalculateTileInfot] RESERVED - openexr 2.5.4-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9689f7df57fbb44f42c5cbe6ca6b924f4feb360
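Review bot: the only fix reference here is the pull request (openexr/pull/831), with no commit hash, whereas the sibling CVE-2021-20304 entry records both the commit and the PR. A PR URL is enough to locate the discussion but not to pin the exact change for a stable backport; please add a "NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/<hash>" line for the merged change so the heap-buffer-overflow fix in Imf_2_5::copyIntoFrameBuffer can be cherry-picked and cross-checked against the oss-fuzz report 25505.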
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-20302/openexr
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3b239e0a by Salvatore Bonaccorso at 2021-07-15T09:05:50+02:00 Add CVE-2021-20302/openexr - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -40220,8 +40220,11 @@ CVE-2021-20304 RESERVED CVE-2021-20303 RESERVED -CVE-2021-20302 +CVE-2021-20302 [Floating-point-exception in Imf_2_5::precalculateTileInfot] RESERVED + - openexr 2.5.4-1 + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25894 + NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/842 CVE-2021-20301 RESERVED CVE-2021-20300 [Integer-overflow in Imf_2_5::hufUncompress] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b239e0a9c32e14ee0b387922f9760a44b5877af
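Review bot: the bracketed summary "[Floating-point-exception in Imf_2_5::precalculateTileInfot]" looks like it has a stray trailing "t"; the OpenEXR function is precalculateTileInfo, so the line should read "CVE-2021-20302 [Floating-point-exception in Imf_2_5::precalculateTileInfo]". Worth checking against the function name in oss-fuzz issue 25894 before it propagates, since the tracker's summaries are what people grep for. As with CVE-2021-20303, only a PR (openexr/pull/842) is referenced; adding the merged commit hash would make the 2.5.4-1 fix claim directly verifiable.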
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-20300/openexr
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a37963aa by Salvatore Bonaccorso at 2021-07-15T09:04:10+02:00 Add CVE-2021-20300/openexr - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -40224,8 +40224,11 @@ CVE-2021-20302 RESERVED CVE-2021-20301 RESERVED -CVE-2021-20300 +CVE-2021-20300 [Integer-overflow in Imf_2_5::hufUncompress] RESERVED + - openexr 2.5.4-1 + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25562 + NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/ed560b8a932c78d5e8e5990ce36fe7808b35d9f0 CVE-2021-20299 RESERVED CVE-2021-20298 [Out-of-memory in B44Compressor] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a37963aa25b56a2339331af33cc75f4cd8142f6f
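Review bot: this entry (integer overflow in Imf_2_5::hufUncompress, fixed by commit ed560b8a) and CVE-2021-20304 two commits up (undefined shift in Imf_2_5::hufDecode, commit 51a92d67) both sit in the same Huffman decoding path, so it is worth a one-line NOTE stating that the two fix commits are distinct and each CVE maps to its own change; otherwise a later reader comparing the two entries may suspect a duplicate assignment. A pointer to the upstream release that first ships ed560b8a would also let the "openexr 2.5.4-1" fixed version be confirmed without walking the git history.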
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-20298/openexr
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4198f287 by Salvatore Bonaccorso at 2021-07-15T09:01:13+02:00 Add CVE-2021-20298/openexr - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -40228,8 +40228,11 @@ CVE-2021-20300 RESERVED CVE-2021-20299 RESERVED -CVE-2021-20298 +CVE-2021-20298 [Out-of-memory in B44Compressor] RESERVED + - openexr 2.5.4-1 + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25913 + NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/85fd638ae0d5fa132434f4cbf32590261c1dba97 CVE-2021-20297 (A flaw was found in NetworkManager in versions before 1.30.0. Setting ...) - network-manager 1.30.0-2 (bug #986809) [buster] - network-manager (Vulnerable code introduced later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4198f287dddf3cd9ae3c172258566fdbed2a29f5
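Review bot: "Out-of-memory in B44Compressor" is a resource-exhaustion finding from oss-fuzz rather than memory corruption, and the entry records no severity decision, so it is unclear whether this is being treated as a DSA-worthy issue or as unimportant for stable. The adjacent CVE-2021-20297 context shows the expected shape: a fixed version plus a "[buster] - network-manager (...)" line with a reason. Please add the corresponding "[buster] - openexr ..." line here (and in the other four openexr entries in this series) with the triage outcome, e.g. no-dsa with a "Minor issue" style reason if that is the decision, so the stable status is not left implicit.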