[Git][security-tracker-team/security-tracker][master] still WIP
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: fe19d23f by Thorsten Alteholz at 2021-07-19T00:15:02+02:00 still WIP - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -53,7 +53,7 @@ golang-1.7 (Sylvain Beucler) NOTE: 20210624: Need further checks whether any issues are important to solve or not. -- gpac (Thorsten Alteholz) - NOTE: 20210704: WIP + NOTE: 20210719: WIP -- icu (Utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe19d23f2f214e8e51fb1bb0b40da54118a9c43b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe19d23f2f214e8e51fb1bb0b40da54118a9c43b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
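Review bot: the only change in the gpac entry is the NOTE date moving from 20210704 to 20210719 while the text stays "WIP", so a reader of dla-needed.txt still cannot tell what is blocking; a note that records the open question (which CVEs remain to triage, or what is being tested) would let another LTS member pick the package up, the way the golang-1.7 entry just above does with "Need further checks whether any issues are important to solve or not."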
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5a53b165 by security tracker role at 2021-07-18T20:10:23+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14494,7 +14494,7 @@ CVE-2021-30548 (Use after free in Loader in Google Chrome prior to 91.0.4472.101 - chromium (bug #990079) [stretch] - chromium (see DSA 4562) CVE-2021-30547 (Out of bounds write in ANGLE in Google Chrome prior to 91.0.4472.101 a ...) - {DSA-4939-1 DLA-2709-1} + {DSA-4940-1 DSA-4939-1 DLA-2709-1} - chromium (bug #990079) [stretch] - chromium (see DSA 4562) - firefox 90.0-1 @@ -16016,7 +16016,7 @@ CVE-2021-29977 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-28/#CVE-2021-29977 CVE-2021-29976 RESERVED - {DSA-4939-1 DLA-2709-1} + {DSA-4940-1 DSA-4939-1 DLA-2709-1} - firefox 90.0-1 - firefox-esr 78.12.0esr-1 - thunderbird 1:78.12.0-1 @@ -16045,7 +16045,7 @@ CVE-2021-29971 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-28/#CVE-2021-29971 CVE-2021-29970 RESERVED - {DSA-4939-1 DLA-2709-1} + {DSA-4940-1 DSA-4939-1 DLA-2709-1} - firefox 90.0-1 - firefox-esr 78.12.0esr-1 - thunderbird 1:78.12.0-1 
@@ -16054,6 +16054,7 @@ CVE-2021-29970 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-30/#CVE-2021-29970 CVE-2021-29969 RESERVED + {DSA-4940-1} - thunderbird 1:78.12.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-30/#CVE-2021-29969 CVE-2021-29968 (When drawing text onto a canvas with WebRender disabled, an out of bou ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a53b165a2cbad0095f338eb75067fec051c3b68 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a53b165a2cbad0095f338eb75067fec051c3b68 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
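Review bot: CVE-2021-29969 now carries `{DSA-4940-1}` and the thunderbird 1:78.12.0-1 line but still reads RESERVED with no description, even though it is referenced by a published DSA and by the mfsa2021-30 NOTE; the other three entries touched here (CVE-2021-30547, CVE-2021-29976, CVE-2021-29970) already have descriptions and also keep DLA-2709-1, which is consistent with 29969 being thunderbird-only. Nothing to change in the hunk, but expect the next automatic update to fill in the 29969 description.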
[Git][security-tracker-team/security-tracker][master] CVE-2021-34429,jetty9: Fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 43738bcf by Markus Koschany at 2021-07-18T19:51:40+02:00 CVE-2021-34429,jetty9: Fixed in unstable Mark the versions in Buster and Stretch as not-affected because the vulnerable code was introduced in version 9.4.37 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5225,9 +5225,11 @@ CVE-2021-34431 CVE-2021-34430 (Eclipse TinyDTLS through 0.9-rc1 relies on the rand function in the C ...) NOT-FOR-US: Eclipse TinyDTLS CVE-2021-34429 (For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 11.0.1-1 ...) - - jetty9 (bug #991188) + - jetty9 9.4.39-3 (bug #991188) + [buster] - jetty9 (Vulnerable code was introduced in version 9.4.37) + [stretch] - jetty9 (Vulnerable code was introduced in version 9.4.37) NOTE: https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm - TODO: check, seems to have been introduced 9.4.37 upstream + NOTE: Fixed by https://github.com/eclipse/jetty.project/pull/6477 CVE-2021-34428 (For Eclipse Jetty versions = 9.4.40, = 10.0.2, = 11.0.2, i ...) - jetty9 9.4.39-2 (bug #990578) [stretch] - jetty9 (vulnerable code is not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43738bcf7e38d30adbed6efe542d4fd965fa0dae -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43738bcf7e38d30adbed6efe542d4fd965fa0dae You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
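Review bot: the new `[buster]` and `[stretch]` lines read "- jetty9 (Vulnerable code was introduced in version 9.4.37)" with nothing between the package name and the parenthesised reason, which is where the not-affected status tag the commit message refers to should sit; the same rendering has stripped the "<" signs from the CVE-2021-34428 description one line down ("versions = 9.4.40, = 10.0.2, = 11.0.2"), so this is most likely the mailing-list digest dropping angle-bracketed tokens rather than a problem in the commit. Verify the tags in the repository, not in this digest. The fixed version 9.4.39-3 together with the upstream affected range 9.4.37-9.4.42 means the Debian package carries a backported fix rather than a version bump, and the NOTE pointing at pull/6477 is what documents that; keep it.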
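The entries in this commit, and the qemu and thunderbird entries elsewhere in the digest, express their verdicts in terms of Debian version ordering: 9.4.39-3 as the first fixed Debian version, 9.4.37 as the first upstream version carrying the vulnerable code, and a suite is "not-affected" if its package predates the latter. The following is an added example, not code from the Debian security tracker or from Jetty: a self-contained re-implementation of dpkg's version comparison (epoch, upstream, revision; `~` sorts before everything, digit runs compare numerically) plus a small classifier that turns an (introduced, fixed) pair into the tracker's fixed / vulnerable / not-affected verdict. The sid version in the sample table is the fixed version from the CVE-2021-34429 entry; the buster and stretch versions are assumed for illustration only, the real ones come from `apt-cache policy jetty9` or `rmadison jetty9`.

```python
# Added example, not tracker code: dpkg-style version ordering and a
# tracker-style verdict.  Rules follow dpkg: [epoch:]upstream[-revision],
# numeric runs compared as integers, '~' sorts before everything (even
# end of string), letters sort before other symbols.
from typing import Optional, Tuple


def _order(c: str) -> int:
    """Weight of one character in dpkg's non-digit comparison."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one version component (upstream or revision) like dpkg."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit runs: compare character weights one by one.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit runs: drop leading zeros; the longer run wins, otherwise
        # the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(v: str) -> Tuple[int, str, str]:
    """Split '1:5.2+dfsg-11' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        head, v = v.split(":", 1)
        epoch = int(head)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1, the answer `dpkg --compare-versions a lt|eq|gt b` gives."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


def assess(version: str, introduced: Optional[str], fixed: Optional[str]) -> str:
    """Verdict for one package version in the tracker's vocabulary.
    introduced: first upstream version with the vulnerable code (None = unknown)
    fixed:      first Debian version carrying the fix (None = still unfixed)"""
    if introduced is not None and compare_versions(version, introduced) < 0:
        return "not-affected"
    if fixed is not None and compare_versions(version, fixed) >= 0:
        return "fixed"
    return "vulnerable"


# Sample suite versions.  sid is the fixed version from the CVE-2021-34429
# entry; buster and stretch are ASSUMED for illustration only.
JETTY9_SAMPLE = {
    "sid": "9.4.39-3",
    "buster": "9.4.16-0+deb10u1",
    "stretch": "9.2.30-0+deb9u1",
}


def jetty9_verdicts() -> dict:
    """Apply the CVE-2021-34429 facts: introduced 9.4.37, fixed 9.4.39-3."""
    return {suite: assess(v, "9.4.37", "9.4.39-3") for suite, v in JETTY9_SAMPLE.items()}


if __name__ == "__main__":
    for suite, verdict in jetty9_verdicts().items():
        print(f"{suite:8} {JETTY9_SAMPLE[suite]:20} {verdict}")
```

Two properties worth noticing when running this: a stable-security upload such as thunderbird 1:78.12.0-1~deb10u1 compares below the unstable 1:78.12.0-1 because `~` sorts first, which is why the tracker records a stable fix under its own DSA and suite line instead of inferring it from the unstable version; and the verdict is in Debian versions, so any later Debian upload is assumed to keep the backported fix even where the matching upstream release (9.4.40, say) is inside the affected range.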
[Git][security-tracker-team/security-tracker][master] thunderbird DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b9e8786e by Moritz Muehlenhoff at 2021-07-18T17:13:06+02:00 thunderbird DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[18 Jul 2021] DSA-4940-1 thunderbird - security update + {CVE-2021-29969 CVE-2021-29970 CVE-2021-29976 CVE-2021-30547} + [buster] - thunderbird 1:78.12.0-1~deb10u1 [14 Jul 2021] DSA-4939-1 firefox-esr - security update {CVE-2021-29970 CVE-2021-29976 CVE-2021-30547} [buster] - firefox-esr 78.12.0esr-1~deb10u1 = data/dsa-needed.txt = @@ -41,8 +41,6 @@ runc -- salt -- -thunderbird (jmm) --- tomcat9 -- trafficserver (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b9e8786ed148fcf0f4ec86fc07e1605cf0c54b1f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b9e8786ed148fcf0f4ec86fc07e1605cf0c54b1f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
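Review bot: the new DSA-4940-1 record lists CVE-2021-29969 in addition to the three CVEs of DSA-4939-1 directly below it (CVE-2021-29970, CVE-2021-29976, CVE-2021-30547), so the cross-references in data/CVE/list need a `{DSA-4940-1}` bracket added to all four entries, including one for 29969 that currently has none; that is left to the automatic update rather than done here, which is fine as long as it runs before the DSA is mailed. Dropping the "thunderbird (jmm)" line from dsa-needed.txt in the same commit is the expected bookkeeping.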
[Git][security-tracker-team/security-tracker][master] Track upstream commits as reported by Michael for CVE-2020-35504/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 33096b94 by Salvatore Bonaccorso at 2021-07-18T16:45:46+02:00 Track upstream commits as reported by Michael for CVE-2020-35504/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -41357,6 +41357,17 @@ CVE-2020-35504 (A NULL pointer dereference flaw was found in the SCSI emulation NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1909766 NOTE: https://bugs.launchpad.net/qemu/+bug/1910723 (reproducer) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2020-12/msg06065.html + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=0db895361b8a82e1114372ff9f48 + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=e392255766071c8cac480da3a9ae + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=e5455b8c1c6170c788f3c0fd577c + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=c5fef9112b15c4b5494791cdf8bb + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=7b320a8e67a534925048cbabfa51 + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=99545751734035b76bd372c4e721 + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=fa7505c154d4d00ad89a747be2ed + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=fbc6510e3379fa8f8370bf71198f + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=0ebb5fd80589835153a0c2baa1b8 + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=324c8809897c8c53ad05c3a7147d + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=607206948cacda4a80be5b976dba CVE-2020-35503 (A NULL pointer dereference flaw was found in the megasas-gen2 SCSI hos ...) - qemu (bug #979678) [bullseye] - qemu (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/33096b9472c110fc3f8a16c5345de15d29e912ea -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/33096b9472c110fc3f8a16c5345de15d29e912ea You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
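Review bot: the eleven added NOTE lines give abbreviated commit hashes (28 hex digits) in git.qemu.org URL form with no indication of which one is the actual NULL-dereference fix for CVE-2020-35504 and which are preparatory refactoring of the SCSI emulation; a one-word tag on the fixing commit (the way other entries mark "(master)" or "(2.5.x)") would save whoever prepares the buster update from reading the whole series. The hashes should also be checked to resolve unambiguously, since the URL form relies on prefix matching.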
[Git][security-tracker-team/security-tracker][master] 2 commits: Track fixed version for qemu via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f9272d17 by Salvatore Bonaccorso at 2021-07-18T16:43:35+02:00 Track fixed version for qemu via unstable - - - - - 9fbd296e by Salvatore Bonaccorso at 2021-07-18T16:44:25+02:00 Remove no-dsa tagged entries for which qemu got an update in upper suite - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4278,13 +4278,13 @@ CVE-2021-34827 (This vulnerability allows network-adjacent attackers to execute NOT-FOR-US: D-Link CVE-2021-3608 [pvrdma: uninitialized memory unmap in pvrdma_ring_init()] RESERVED - - qemu (bug #990563) + - qemu 1:5.2+dfsg-11 (bug #990563) [buster] - qemu (Minor issue) [stretch] - qemu (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1973383 CVE-2021-3607 [pvrdma: unchecked malloc size due to integer overflow in init_dev_ring()] RESERVED - - qemu (bug #990564) + - qemu 1:5.2+dfsg-11 (bug #990564) [buster] - qemu (Minor issue) [stretch] - qemu (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1973349 @@ -6341,7 +6341,7 @@ CVE-2021-3587 [nfc: fix NULL ptr dereference in llcp_sock_getname() after failed NOTE: https://git.kernel.org/linus/4ac06a1e013cf5fdd963317ffd3b968560f33bba CVE-2021-3582 [hw/rdma: Fix possible mremap overflow in the pvrdma device] RESERVED - - qemu (bug #990565) + - qemu 1:5.2+dfsg-11 (bug #990565) [buster] - qemu (Minor issue) [stretch] - qemu (Vulnerable code introduced later) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-06/msg04148.html 
@@ -11063,8 +11063,7 @@ CVE-2021-31922 (An HTTP Request Smuggling vulnerability in Pulse Secure Virtual CVE-2021-3528 (A flaw was found in noobaa-operator in versions before 5.7.0, where in ...) NOT-FOR-US: noobaa CVE-2021-3527 (A flaw was found in the USB redirector device (usb-redir) of QEMU. Sma ...) - - qemu (bug #988157) - [bullseye] - qemu (Minor issue) + - qemu 1:5.2+dfsg-11 (bug #988157) [buster] - qemu (Minor issue) [stretch] - qemu (Minor issue; can be fixed in next update) NOTE: Initial patchset: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg00564.html @@ -44846,8 +44845,7 @@ CVE-2020-29444 (Affected versions of Team Calendar in Confluence Server before 7 NOT-FOR-US: Atlassian CVE-2020-29443 (ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of- ...) {DLA-2560-1} - - qemu (bug #983575) - [bullseye] - qemu (Fix along in future DSA) + - qemu 1:5.2+dfsg-11 (bug #983575) [buster] - qemu (Fix along in future DSA) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg04255.html NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=813212288970c39b1800f63e83ac6e96588095c6 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9fad303e5264297c8be9bfdef0a76d3d1f7aed97...9fbd296ef5c7e609b9e0167c7863ea83c6fb49c6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9fad303e5264297c8be9bfdef0a76d3d1f7aed97...9fbd296ef5c7e609b9e0167c7863ea83c6fb49c6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
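Review bot: the second commit removes the `[bullseye] - qemu (Minor issue)` line of CVE-2021-3527 and the `[bullseye] - qemu (Fix along in future DSA)` line of CVE-2020-29443 on the strength of 1:5.2+dfsg-11 now being the fixed version in unstable; that marks bullseye as fixed only once 1:5.2+dfsg-11 actually migrates, so if the migration is blocked the bullseye annotations should come back. The three pvrdma entries (CVE-2021-3608, CVE-2021-3607, CVE-2021-3582) gain the same fixed version but keep their `[buster]` Minor-issue and `[stretch]` "Vulnerable code introduced later" lines, which is consistent.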
[Git][security-tracker-team/security-tracker][master] Track fix via experimental for CVE-2020-35504/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9fad303e by Salvatore Bonaccorso at 2021-07-18T16:41:38+02:00 Track fix via experimental for CVE-2020-35504/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -41350,6 +41350,7 @@ CVE-2020-35505 (A NULL pointer dereference flaw was found in the am53c974 SCSI h NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1909769 NOTE: https://bugs.launchpad.net/qemu/+bug/1910723 (reproducer) CVE-2020-35504 (A NULL pointer dereference flaw was found in the SCSI emulation suppor ...) + [experimental] - qemu 1:6.0+dfsg-1~exp0 - qemu (bug #979679) [bullseye] - qemu (Minor issue, revisit when fixed upstream) [buster] - qemu (Fix along in future DSA) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9fad303e5264297c8be9bfdef0a76d3d1f7aed97 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9fad303e5264297c8be9bfdef0a76d3d1f7aed97 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
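Review bot: the new `[experimental] - qemu 1:6.0+dfsg-1~exp0` line sits above an unstable line that is still unversioned ("- qemu (bug #979679)") and a bullseye annotation that still says "Minor issue, revisit when fixed upstream"; recording the fix in experimental while unstable remains unfixed is correct, but the bullseye note is now stale, since a fixed upstream version is being tracked. Reword it to state what is actually pending for bullseye (an upload of the fix to unstable and its migration, or a targeted backport).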
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b9ccfa2a by security tracker role at 2021-07-18T08:10:21+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,5 @@ +CVE-2021-36773 (uBlock Origin before 1.36.2 and nMatrix before 4.4.9 support an arbitr ...) + TODO: check CVE-2021-36772 (Zoho ManageEngine ADManager Plus before 7110 allows stored XSS. ...) TODO: check CVE-2021-36771 (Zoho ManageEngine ADManager Plus before 7110 allows reflected XSS. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b9ccfa2ad10f662889e85d7e55f97ae36073fc10 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b9ccfa2ad10f662889e85d7e55f97ae36073fc10 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
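Review bot: the new CVE-2021-36773 entry is left at "TODO: check", and the description is a plain version-range claim ("uBlock Origin before 1.36.2"), so triage amounts to comparing the version of the ublock-origin source package in each suite against 1.36.2; the description also names "nMatrix", which is worth double-checking against the upstream advisory before it is copied into any package annotation.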
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-3602/golang-github-containers-buildah
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 656722d8 by Salvatore Bonaccorso at 2021-07-18T09:56:50+02:00 Add CVE-2021-3602/golang-github-containers-buildah - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4585,8 +4585,13 @@ CVE-2021-3603 (PHPMailer 6.4.1 and earlier contain a vulnerability that can resu [stretch] - libphp-phpmailer (Minor issue, fix along with next DLA) NOTE: https://www.huntr.dev/bounties/1-PHPMailer/PHPMailer/ NOTE: https://github.com/PHPMailer/PHPMailer/commit/45f3c18dc6a2de1cb1bf49b9b249a9ee36a5f7f3 (v6.5.0) -CVE-2021-3602 +CVE-2021-3602 [Host environment variables leaked in build container when using chroot isolation] RESERVED + - golang-github-containers-buildah + NOTE: https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj + NOTE: https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0 (main) + NOTE: https://github.com/containers/buildah/commit/23c478b815fb93c094070baa336bcb6a27c01683 (release-1.21) + NOTE: https://github.com/containers/buildah/commit/f4f2a7fc78fa4f12e2f6e6c4ab450aae0d182f3e (release-1.19) CVE-2021-34695 RESERVED CVE-2021-34694 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/656722d8e077fbaeff796d63706d163f17433805 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/656722d8e077fbaeff796d63706d163f17433805 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
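Review bot: the package line "- golang-github-containers-buildah" is added with neither a fixed version nor any `[bullseye]`/`[buster]` annotation, while three fix commits are recorded for main, release-1.21 and release-1.19; the open triage question is which of those branches the Debian source package corresponds to, and whether the older suites need a status line, given that the issue in the title only applies "when using chroot isolation". A NOTE saying which branch Debian tracks would make the entry actionable.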
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-3644/wildfly
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fe4fb95f by Salvatore Bonaccorso at 2021-07-18T09:52:54+02:00 Add CVE-2021-3644/wildfly - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -84,6 +84,7 @@ CVE-2021-3645 RESERVED CVE-2021-3644 RESERVED + - wildfly (bug #752018) CVE-2020-36419 RESERVED CVE-2021-36739 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe4fb95f33c538905eaca9d91ad6ed94c59535f9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe4fb95f33c538905eaca9d91ad6ed94c59535f9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
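Review bot: the entry adds only "- wildfly (bug #752018)" under a still-RESERVED CVE, with no NOTE pointing at an advisory or upstream fix; the bug number is far below the other 2021 bug numbers on this page (#990563, #991188), consistent with it being a long-standing packaging bug rather than a report filed for this CVE, and if a status tag such as an ITP marker was meant between the package name and the bug reference it has been lost in this digest's rendering, as with the other angle-bracketed tokens. Add a NOTE with the reference so the entry can be triaged.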
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-20299/openexr
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 235597a3 by Salvatore Bonaccorso at 2021-07-18T09:52:15+02:00 Add CVE-2021-20299/openexr - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -40367,8 +40367,12 @@ CVE-2021-20300 [Integer-overflow in Imf_2_5::hufUncompress] NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25562 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/ed560b8a932c78d5e8e5990ce36fe7808b35d9f0 (master) NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/4212416433a230334cef0ac122cb8d722746035d (2.5.x) -CVE-2021-20299 +CVE-2021-20299 [Null-dereference READ in Imf_2_5::Header::operator] RESERVED + - openexr 2.5.4-1 + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25740 + NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/840 + NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/25e9515b06a6bc293d871622b8cafaee7af84e0f CVE-2021-20298 [Out-of-memory in B44Compressor] RESERVED - openexr 2.5.4-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/235597a3c3c13234bc73f781ce9ffe47f49cede7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/235597a3c3c13234bc73f781ce9ffe47f49cede7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
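Review bot: the entry records 2.5.4-1 as fixed with the oss-fuzz issue, the PR and the commit, matching the shape of the CVE-2021-20298 entry below it; like that entry it carries no `[buster]` or `[stretch]` annotation, so the older suites will be listed as vulnerable until someone checks whether the "Null-dereference READ in Imf_2_5::Header::operator" path exists in the openexr versions they ship, and the result should be recorded in the entry either way.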