[Git][security-tracker-team/security-tracker][master] still WIP
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: fe19d23f by Thorsten Alteholz at 2021-07-19T00:15:02+02:00 still WIP - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -53,7 +53,7 @@ golang-1.7 (Sylvain Beucler) NOTE: 20210624: Need further checks whether any issues are important to solve or not. -- gpac (Thorsten Alteholz) - NOTE: 20210704: WIP + NOTE: 20210719: WIP -- icu (Utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe19d23f2f214e8e51fb1bb0b40da54118a9c43b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe19d23f2f214e8e51fb1bb0b40da54118a9c43b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
5a53b165 by security tracker role at 2021-07-18T20:10:23+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=
data/CVE/list
=
@@ -14494,7 +14494,7 @@ CVE-2021-30548 (Use after free in Loader in Google
Chrome prior to 91.0.4472.101
- chromium (bug #990079)
[stretch] - chromium (see DSA 4562)
CVE-2021-30547 (Out of bounds write in ANGLE in Google Chrome prior to
91.0.4472.101 a ...)
- {DSA-4939-1 DLA-2709-1}
+ {DSA-4940-1 DSA-4939-1 DLA-2709-1}
- chromium (bug #990079)
[stretch] - chromium (see DSA 4562)
- firefox 90.0-1
@@ -16016,7 +16016,7 @@ CVE-2021-29977
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-28/#CVE-2021-29977
CVE-2021-29976
RESERVED
- {DSA-4939-1 DLA-2709-1}
+ {DSA-4940-1 DSA-4939-1 DLA-2709-1}
- firefox 90.0-1
- firefox-esr 78.12.0esr-1
- thunderbird 1:78.12.0-1
@@ -16045,7 +16045,7 @@ CVE-2021-29971
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-28/#CVE-2021-29971
CVE-2021-29970
RESERVED
- {DSA-4939-1 DLA-2709-1}
+ {DSA-4940-1 DSA-4939-1 DLA-2709-1}
- firefox 90.0-1
- firefox-esr 78.12.0esr-1
- thunderbird 1:78.12.0-1
@@ -16054,6 +16054,7 @@ CVE-2021-29970
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-30/#CVE-2021-29970
CVE-2021-29969
RESERVED
+ {DSA-4940-1}
- thunderbird 1:78.12.0-1
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-30/#CVE-2021-29969
CVE-2021-29968 (When drawing text onto a canvas with WebRender disabled, an
out of bou ...)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a53b165a2cbad0095f338eb75067fec051c3b68
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a53b165a2cbad0095f338eb75067fec051c3b68
You're receiving this email because of your account on salsa.debian.org.
___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2021-34429,jetty9: Fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 43738bcf by Markus Koschany at 2021-07-18T19:51:40+02:00 CVE-2021-34429,jetty9: Fixed in unstable Mark the versions in Buster and Stretch as not-affected because the vulnerable code was introduced in version 9.4.37 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5225,9 +5225,11 @@ CVE-2021-34431 CVE-2021-34430 (Eclipse TinyDTLS through 0.9-rc1 relies on the rand function in the C ...) NOT-FOR-US: Eclipse TinyDTLS CVE-2021-34429 (For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 11.0.1-1 ...) - - jetty9 (bug #991188) + - jetty9 9.4.39-3 (bug #991188) + [buster] - jetty9 (Vulnerable code was introduced in version 9.4.37) + [stretch] - jetty9 (Vulnerable code was introduced in version 9.4.37) NOTE: https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm - TODO: check, seems to have been introduced 9.4.37 upstream + NOTE: Fixed by https://github.com/eclipse/jetty.project/pull/6477 CVE-2021-34428 (For Eclipse Jetty versions = 9.4.40, = 10.0.2, = 11.0.2, i ...) - jetty9 9.4.39-2 (bug #990578) [stretch] - jetty9 (vulnerable code is not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43738bcf7e38d30adbed6efe542d4fd965fa0dae -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43738bcf7e38d30adbed6efe542d4fd965fa0dae You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] thunderbird DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
b9e8786e by Moritz Muehlenhoff at 2021-07-18T17:13:06+02:00
thunderbird DSA
- - - - -
2 changed files:
- data/DSA/list
- data/dsa-needed.txt
Changes:
=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[18 Jul 2021] DSA-4940-1 thunderbird - security update
+ {CVE-2021-29969 CVE-2021-29970 CVE-2021-29976 CVE-2021-30547}
+ [buster] - thunderbird 1:78.12.0-1~deb10u1
[14 Jul 2021] DSA-4939-1 firefox-esr - security update
{CVE-2021-29970 CVE-2021-29976 CVE-2021-30547}
[buster] - firefox-esr 78.12.0esr-1~deb10u1
=
data/dsa-needed.txt
=
@@ -41,8 +41,6 @@ runc
--
salt
--
-thunderbird (jmm)
---
tomcat9
--
trafficserver (jmm)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b9e8786ed148fcf0f4ec86fc07e1605cf0c54b1f
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b9e8786ed148fcf0f4ec86fc07e1605cf0c54b1f
You're receiving this email because of your account on salsa.debian.org.
___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track upstream commits as reported by Michael for CVE-2020-35504/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 33096b94 by Salvatore Bonaccorso at 2021-07-18T16:45:46+02:00 Track upstream commits as reported by Michael for CVE-2020-35504/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -41357,6 +41357,17 @@ CVE-2020-35504 (A NULL pointer dereference flaw was found in the SCSI emulation NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1909766 NOTE: https://bugs.launchpad.net/qemu/+bug/1910723 (reproducer) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2020-12/msg06065.html + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=0db895361b8a82e1114372ff9f48 + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=e392255766071c8cac480da3a9ae + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=e5455b8c1c6170c788f3c0fd577c + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=c5fef9112b15c4b5494791cdf8bb + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=7b320a8e67a534925048cbabfa51 + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=99545751734035b76bd372c4e721 + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=fa7505c154d4d00ad89a747be2ed + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=fbc6510e3379fa8f8370bf71198f + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=0ebb5fd80589835153a0c2baa1b8 + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=324c8809897c8c53ad05c3a7147d + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=607206948cacda4a80be5b976dba CVE-2020-35503 (A NULL pointer dereference flaw was found in the megasas-gen2 SCSI hos ...) - qemu (bug #979678) [bullseye] - qemu (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/33096b9472c110fc3f8a16c5345de15d29e912ea -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/33096b9472c110fc3f8a16c5345de15d29e912ea You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Track fixed version for qemu via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
f9272d17 by Salvatore Bonaccorso at 2021-07-18T16:43:35+02:00
Track fixed version for qemu via unstable
- - - - -
9fbd296e by Salvatore Bonaccorso at 2021-07-18T16:44:25+02:00
Remove no-dsa tagged entries for which qemu got an update in upper suite
- - - - -
1 changed file:
- data/CVE/list
Changes:
=
data/CVE/list
=
@@ -4278,13 +4278,13 @@ CVE-2021-34827 (This vulnerability allows
network-adjacent attackers to execute
NOT-FOR-US: D-Link
CVE-2021-3608 [pvrdma: uninitialized memory unmap in pvrdma_ring_init()]
RESERVED
- - qemu (bug #990563)
+ - qemu 1:5.2+dfsg-11 (bug #990563)
[buster] - qemu (Minor issue)
[stretch] - qemu (Vulnerable code introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1973383
CVE-2021-3607 [pvrdma: unchecked malloc size due to integer overflow in
init_dev_ring()]
RESERVED
- - qemu (bug #990564)
+ - qemu 1:5.2+dfsg-11 (bug #990564)
[buster] - qemu (Minor issue)
[stretch] - qemu (Vulnerable code introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1973349
@@ -6341,7 +6341,7 @@ CVE-2021-3587 [nfc: fix NULL ptr dereference in
llcp_sock_getname() after failed
NOTE:
https://git.kernel.org/linus/4ac06a1e013cf5fdd963317ffd3b968560f33bba
CVE-2021-3582 [hw/rdma: Fix possible mremap overflow in the pvrdma device]
RESERVED
- - qemu (bug #990565)
+ - qemu 1:5.2+dfsg-11 (bug #990565)
[buster] - qemu (Minor issue)
[stretch] - qemu (Vulnerable code introduced later)
NOTE:
https://lists.nongnu.org/archive/html/qemu-devel/2021-06/msg04148.html
@@ -11063,8 +11063,7 @@ CVE-2021-31922 (An HTTP Request Smuggling vulnerability
in Pulse Secure Virtual
CVE-2021-3528 (A flaw was found in noobaa-operator in versions before 5.7.0,
where in ...)
NOT-FOR-US: noobaa
CVE-2021-3527 (A flaw was found in the USB redirector device (usb-redir) of
QEMU. Sma ...)
- - qemu (bug #988157)
- [bullseye] - qemu (Minor issue)
+ - qemu 1:5.2+dfsg-11 (bug #988157)
[buster] - qemu (Minor issue)
[stretch] - qemu (Minor issue; can be fixed in next update)
NOTE: Initial patchset:
https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg00564.html
@@ -44846,8 +44845,7 @@ CVE-2020-29444 (Affected versions of Team Calendar in
Confluence Server before 7
NOT-FOR-US: Atlassian
CVE-2020-29443 (ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows
out-of- ...)
{DLA-2560-1}
- - qemu (bug #983575)
- [bullseye] - qemu (Fix along in future DSA)
+ - qemu 1:5.2+dfsg-11 (bug #983575)
[buster] - qemu (Fix along in future DSA)
NOTE:
https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg04255.html
NOTE:
https://git.qemu.org/?p=qemu.git;a=commit;h=813212288970c39b1800f63e83ac6e96588095c6
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9fad303e5264297c8be9bfdef0a76d3d1f7aed97...9fbd296ef5c7e609b9e0167c7863ea83c6fb49c6
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9fad303e5264297c8be9bfdef0a76d3d1f7aed97...9fbd296ef5c7e609b9e0167c7863ea83c6fb49c6
You're receiving this email because of your account on salsa.debian.org.
___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fix via experimental for CVE-2020-35504/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9fad303e by Salvatore Bonaccorso at 2021-07-18T16:41:38+02:00 Track fix via experimental for CVE-2020-35504/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -41350,6 +41350,7 @@ CVE-2020-35505 (A NULL pointer dereference flaw was found in the am53c974 SCSI h NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1909769 NOTE: https://bugs.launchpad.net/qemu/+bug/1910723 (reproducer) CVE-2020-35504 (A NULL pointer dereference flaw was found in the SCSI emulation suppor ...) + [experimental] - qemu 1:6.0+dfsg-1~exp0 - qemu (bug #979679) [bullseye] - qemu (Minor issue, revisit when fixed upstream) [buster] - qemu (Fix along in future DSA) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9fad303e5264297c8be9bfdef0a76d3d1f7aed97 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9fad303e5264297c8be9bfdef0a76d3d1f7aed97 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b9ccfa2a by security tracker role at 2021-07-18T08:10:21+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,5 @@ +CVE-2021-36773 (uBlock Origin before 1.36.2 and nMatrix before 4.4.9 support an arbitr ...) + TODO: check CVE-2021-36772 (Zoho ManageEngine ADManager Plus before 7110 allows stored XSS. ...) TODO: check CVE-2021-36771 (Zoho ManageEngine ADManager Plus before 7110 allows reflected XSS. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b9ccfa2ad10f662889e85d7e55f97ae36073fc10 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b9ccfa2ad10f662889e85d7e55f97ae36073fc10 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-3602/golang-github-containers-buildah
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 656722d8 by Salvatore Bonaccorso at 2021-07-18T09:56:50+02:00 Add CVE-2021-3602/golang-github-containers-buildah - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4585,8 +4585,13 @@ CVE-2021-3603 (PHPMailer 6.4.1 and earlier contain a vulnerability that can resu [stretch] - libphp-phpmailer (Minor issue, fix along with next DLA) NOTE: https://www.huntr.dev/bounties/1-PHPMailer/PHPMailer/ NOTE: https://github.com/PHPMailer/PHPMailer/commit/45f3c18dc6a2de1cb1bf49b9b249a9ee36a5f7f3 (v6.5.0) -CVE-2021-3602 +CVE-2021-3602 [Host environment variables leaked in build container when using chroot isolation] RESERVED + - golang-github-containers-buildah + NOTE: https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj + NOTE: https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0 (main) + NOTE: https://github.com/containers/buildah/commit/23c478b815fb93c094070baa336bcb6a27c01683 (release-1.21) + NOTE: https://github.com/containers/buildah/commit/f4f2a7fc78fa4f12e2f6e6c4ab450aae0d182f3e (release-1.19) CVE-2021-34695 RESERVED CVE-2021-34694 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/656722d8e077fbaeff796d63706d163f17433805 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/656722d8e077fbaeff796d63706d163f17433805 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-3644/wildfly
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fe4fb95f by Salvatore Bonaccorso at 2021-07-18T09:52:54+02:00 Add CVE-2021-3644/wildfly - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -84,6 +84,7 @@ CVE-2021-3645 RESERVED CVE-2021-3644 RESERVED + - wildfly (bug #752018) CVE-2020-36419 RESERVED CVE-2021-36739 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe4fb95f33c538905eaca9d91ad6ed94c59535f9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe4fb95f33c538905eaca9d91ad6ed94c59535f9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-20299/openexr
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 235597a3 by Salvatore Bonaccorso at 2021-07-18T09:52:15+02:00 Add CVE-2021-20299/openexr - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -40367,8 +40367,12 @@ CVE-2021-20300 [Integer-overflow in Imf_2_5::hufUncompress] NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25562 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/ed560b8a932c78d5e8e5990ce36fe7808b35d9f0 (master) NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/4212416433a230334cef0ac122cb8d722746035d (2.5.x) -CVE-2021-20299 +CVE-2021-20299 [Null-dereference READ in Imf_2_5::Header::operator] RESERVED + - openexr 2.5.4-1 + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25740 + NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/840 + NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/25e9515b06a6bc293d871622b8cafaee7af84e0f CVE-2021-20298 [Out-of-memory in B44Compressor] RESERVED - openexr 2.5.4-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/235597a3c3c13234bc73f781ce9ffe47f49cede7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/235597a3c3c13234bc73f781ce9ffe47f49cede7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
