[Git][security-tracker-team/security-tracker][master] Update note in dla-needed.txt
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: e99c9a9a by Abhijith PA at 2021-07-20T09:33:23+05:30 Update note in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -110,6 +110,8 @@ ruby-kaminari -- runc (Abhijith PA) NOTE: 20210612: Not sure if applies to this version. (lamby) + NOTE: 20210721: Requires more investigation. Even Ubuntu ESM, LTS uploaded fixed upstream version. + -- salt NOTE: 20210329: WIP (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e99c9a9a03313971b3dc820d281eb77f794aef13 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e99c9a9a03313971b3dc820d281eb77f794aef13 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
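Review bot: the added NOTE line is dated 20210721 although the commit itself is stamped 2021-07-20 (+05:30), and it carries no author tag, unlike the neighbouring "NOTE: 20210612: ... (lamby)"; use the actual date and append "(abhijith)" so the assessment stays attributable. The sentence "Even Ubuntu ESM, LTS uploaded fixed upstream version." is also hard to parse: spell out which release uploaded which upstream version, since that is the data point the next person picking up runc will need.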
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-36213/consul
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 91fe0e18 by Salvatore Bonaccorso at 2021-07-19T22:22:34+02:00 Add CVE-2021-36213/consul - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1275,7 +1275,9 @@ CVE-2021-36215 CVE-2021-36214 (LINE client for iOS before 10.16.3 allows cross site script with speci ...) NOT-FOR-US: LINE client for iOS CVE-2021-36213 (HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0 default de ...) - TODO: check + - consul + NOTE: https://discuss.hashicorp.com/t/hcsec-2021-16-consul-s-application-aware-intentions-deny-action-fails-open-when-combined-with-default-deny-policy/26855 + TODO: check, likely only problem starting in 1.9.0 as per description CVE-2021-36212 (app/View/SharingGroups/view.ctp in MISP before 2.4.146 allows stored X ...) NOT-FOR-US: MISP CVE-2021-3637 (A flaw was found in keycloak-model-infinispan in keycloak versions bef ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/91fe0e18900a45a51f9079ad9bb11e75e9bc60ae -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/91fe0e18900a45a51f9079ad9bb11e75e9bc60ae You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
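Review bot: the new "- consul" line records neither a fixing version nor a "<not-affected>"/"<unfixed>" marker, so the entry stays ambiguous until the TODO is resolved; since the TODO already observes that the problem likely starts in 1.9.0, the follow-up should replace the bare line with the fixing Debian version, or with "<not-affected>" for releases shipping an older Consul, and the HCSEC-2021-16 NOTE added here is the right place to cite the affected range when that is done.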
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-36427/gthumb
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d7a1842a by Salvatore Bonaccorso at 2021-07-19T22:21:37+02:00 Add CVE-2020-36427/gthumb - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -63,7 +63,8 @@ CVE-2021-36775 CVE-2021-3653 RESERVED CVE-2020-36427 (GNOME gThumb before 3.10.1 allows an application crash via a malformed ...) - TODO: check + - gthumb 3:3.11.1-0.1 + NOTE: https://mail.gnome.org/archives/gthumb-list/2020-September/msg1.html CVE-2020-36426 (An issue was discovered in Arm Mbed TLS before 2.24.0. mbedtls_x509_cr ...) TODO: check CVE-2020-36425 (An issue was discovered in Arm Mbed TLS before 2.24.0. It incorrectly ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7a1842aca8db1c3206f4d17c63d89c73945869e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7a1842aca8db1c3206f4d17c63d89c73945869e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cce09b73 by Salvatore Bonaccorso at 2021-07-19T22:19:06+02:00 Process more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11,11 +11,11 @@ CVE-2021-36801 CVE-2021-36800 RESERVED CVE-2021-36799 (KNX ETS5 uses the hard-coded password ETS5Password, with a salt value ...) - TODO: check + NOT-FOR-US: KNX ETS5 CVE-2021-36798 RESERVED CVE-2021-36797 (** DISPUTED ** In Victron Energy Venus OS through 2.72, root access is ...) - TODO: check + NOT-FOR-US: Victron Energy Venus OS CVE-2021-36796 RESERVED CVE-2021-36795 @@ -1918,17 +1918,17 @@ CVE-2021-35970 (Talk 4 in Coral before 4.12.1 allows remote attackers to discove CVE-2021-35969 RESERVED CVE-2021-35968 (The directory list page parameter of the Orca HCM digital learning pla ...) - TODO: check + NOT-FOR-US: Orca HCM digital learning platform CVE-2021-35967 (The directory page parameter of the Orca HCM digital learning platform ...) - TODO: check + NOT-FOR-US: Orca HCM digital learning platform CVE-2021-35966 (The specific function of the Orca HCM digital learning platform does n ...) - TODO: check + NOT-FOR-US: Orca HCM digital learning platform CVE-2021-35965 (The Orca HCM digital learning platform uses a weak factory default adm ...) - TODO: check + NOT-FOR-US: Orca HCM digital learning platform CVE-2021-35964 (The management page of the Orca HCM digital learning platform does not ...) - TODO: check + NOT-FOR-US: Orca HCM digital learning platform CVE-2021-35963 (The specific parameter of upload function of the Orca HCM digital lear ...) - TODO: check + NOT-FOR-US: Orca HCM digital learning platform CVE-2021-35962 (Specific page parameters in Dr. ID Door Access Control and Personnel A ...) NOT-FOR-US: Dr. ID Door Access Control and Personnel Attendance Management system CVE-2021-35961 (Dr. ID Door Access Control and Personnel Attendance Management system ...) 
@@ -3045,7 +3045,7 @@ CVE-2021-35451 (In Teradici PCoIP Management Console-Enterprise 20.07.0, an unau CVE-2021-35450 RESERVED CVE-2021-35449 (The Lexmark Universal Print Driver version 2.15.1.0 and below, G2 driv ...) - TODO: check + NOT-FOR-US: Lexmark CVE-2021-35448 (Emote Interactive Remote Mouse 3.008 on Windows allows attackers to ex ...) NOT-FOR-US: Emote Interactive Remote Mouse on Windows CVE-2021-35447 @@ -3914,7 +3914,7 @@ CVE-2021-35045 (Cross site scripting (XSS) vulnerability in Ice Hrm 29.0.0.OS, a CVE-2021-35044 RESERVED CVE-2021-35043 (OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using ...) - TODO: check + NOT-FOR-US: OWASP AntiSamy CVE-2021-35042 (Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.orde ...) - python-django (Vulnerable code introduced in 3.1) NOTE: https://www.djangoproject.com/weblog/2021/jul/01/security-releases/ @@ -4386,9 +4386,9 @@ CVE-2021-34823 CVE-2021-34822 RESERVED CVE-2021-34821 (Cross Site Scripting (XSS) vulnerability exists in AAT Novus Managemen ...) - TODO: check + NOT-FOR-US: AAT Novus Management System CVE-2021-34820 (Web Path Directory Traversal in the Novus HTTP Server. The Novus HTTP ...) - TODO: check + NOT-FOR-US: Novus HTTP Server CVE-2021-34819 RESERVED CVE-2021-34818 @@ -4730,9 +4730,9 @@ CVE-2021-34678 CVE-2021-34677 RESERVED CVE-2021-34676 (Basix NEX-Forms through 7.8.7 allows authentication bypass for Excel r ...) - TODO: check + NOT-FOR-US: Basix NEX-Forms CVE-2021-34675 (Basix NEX-Forms through 7.8.7 allows authentication bypass for stored ...) - TODO: check + NOT-FOR-US: Basix NEX-Forms CVE-2021-3598 (There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in ...) {DLA-2701-1} - openexr (bug #990450) @@ -29459,7 +29459,7 @@ CVE-2021-24484 CVE-2021-24483 RESERVED CVE-2021-24482 (The Related Posts for WordPress plugin through 2.0.4 does not sanitise ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-24481 RESERVED CVE-2021-24480 
@@ -29517,9 +29517,9 @@ CVE-2021-24455 CVE-2021-24454 (In the YOP Poll WordPress plugin before 6.2.8, when a pool is created ...) NOT-FOR-US: Wordpress plugin CVE-2021-24453 (The Include Me WordPress plugin through 1.2.1 is vulnerable to path tr ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-24452 (The W3 Total Cache WordPress plugin before 2.1.5 was affected by a ref ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-24451 (The Export Users With Meta WordPress plugin before 0.6.5 did not escap ...) NOT-FOR-US:
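Review bot: the NOT-FOR-US lines added for CVE-2021-24482, CVE-2021-24453 and CVE-2021-24452 read "WordPress plugin" while the untouched CVE-2021-24454 entry directly above them reads "Wordpress plugin"; settle on one spelling so the markers can be grepped consistently. The other hunks in this patch name the product precisely ("NOT-FOR-US: Orca HCM digital learning platform", "NOT-FOR-US: Basix NEX-Forms"); naming the plugin (Related Posts, Include Me, W3 Total Cache) rather than the generic "WordPress plugin" would match that convention.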
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1b7725ab by Salvatore Bonaccorso at 2021-07-19T22:12:50+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16605,7 +16605,7 @@ CVE-2021-29782 CVE-2021-29781 RESERVED CVE-2021-29780 (IBM Resilient OnPrem v41.1 of IBM Security SOAR could allow an authent ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-29779 RESERVED CVE-2021-29778 @@ -16751,7 +16751,7 @@ CVE-2021-29709 CVE-2021-29708 (IBM Spectrum Scale 5.1.0.1 could allow a local with access to the GUI ...) NOT-FOR-US: IBM CVE-2021-29707 (IBM HMC (Hardware Management Console) V9.1.910.0 and V9.2.950.0 could ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-29706 (IBM AIX 7.1 could allow a non-privileged local user to exploit a vulne ...) NOT-FOR-US: IBM CVE-2021-29705 @@ -39982,7 +39982,7 @@ CVE-2021-20509 CVE-2021-20508 RESERVED CVE-2021-20507 (IBM Jazz Foundation and IBM Engineering products are vulnerable to cro ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-20506 (IBM Jazz Foundation Products are vulnerable to cross-site scripting. T ...) NOT-FOR-US: IBM CVE-2021-20505 
@@ -108582,7 +108582,7 @@ CVE-2020-5033 CVE-2020-5032 (IBM QRadar SIEM 7.3 and 7.4 in some configurations may be vulnerable t ...) NOT-FOR-US: IBM CVE-2020-5031 (IBM Jazz Foundation and IBM Engineering products are vulnerable to cro ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-5030 (IBM Jazz Foundation and IBM Engineering products are vulnerable to cro ...) NOT-FOR-US: IBM CVE-2020-5029 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1b7725abc0e70749f30f1e4b0b93157b3bbe0d65 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1b7725abc0e70749f30f1e4b0b93157b3bbe0d65 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 12cac4f7 by security tracker role at 2021-07-19T20:10:21+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,81 @@ +CVE-2021-36805 + RESERVED +CVE-2021-36804 + RESERVED +CVE-2021-36803 + RESERVED +CVE-2021-36802 + RESERVED +CVE-2021-36801 + RESERVED +CVE-2021-36800 + RESERVED +CVE-2021-36799 (KNX ETS5 uses the hard-coded password ETS5Password, with a salt value ...) + TODO: check +CVE-2021-36798 + RESERVED +CVE-2021-36797 (** DISPUTED ** In Victron Energy Venus OS through 2.72, root access is ...) + TODO: check +CVE-2021-36796 + RESERVED +CVE-2021-36795 + RESERVED +CVE-2021-36794 + RESERVED +CVE-2021-36793 + RESERVED +CVE-2021-36792 + RESERVED +CVE-2021-36791 + RESERVED +CVE-2021-36790 + RESERVED +CVE-2021-36789 + RESERVED +CVE-2021-36788 + RESERVED +CVE-2021-36787 + RESERVED +CVE-2021-36786 + RESERVED +CVE-2021-36785 + RESERVED +CVE-2021-36784 + RESERVED +CVE-2021-36783 + RESERVED +CVE-2021-36782 + RESERVED +CVE-2021-36781 + RESERVED +CVE-2021-36780 + RESERVED +CVE-2021-36779 + RESERVED +CVE-2021-36778 + RESERVED +CVE-2021-36777 + RESERVED +CVE-2021-36776 + RESERVED +CVE-2021-36775 + RESERVED +CVE-2021-3653 + RESERVED +CVE-2020-36427 (GNOME gThumb before 3.10.1 allows an application crash via a malformed ...) + TODO: check +CVE-2020-36426 (An issue was discovered in Arm Mbed TLS before 2.24.0. mbedtls_x509_cr ...) + TODO: check +CVE-2020-36425 (An issue was discovered in Arm Mbed TLS before 2.24.0. It incorrectly ...) + TODO: check +CVE-2020-36424 (An issue was discovered in Arm Mbed TLS before 2.24.0. An attacker can ...) + TODO: check +CVE-2020-36423 (An issue was discovered in Arm Mbed TLS before 2.23.0. A remote attack ...) + TODO: check +CVE-2020-36422 (An issue was discovered in Arm Mbed TLS before 2.23.0. A side channel ...) + TODO: check +CVE-2020-36421 (An issue was discovered in Arm Mbed TLS before 2.23.0. Because of a si ...) + TODO: check CVE-2021-36774 RESERVED CVE-2021-36773 (uBlock Origin before 1.36.2 and nMatrix before 4.4.9 support an arbitr ...) 
@@ -1195,7 +1273,7 @@ CVE-2021-36215 RESERVED CVE-2021-36214 (LINE client for iOS before 10.16.3 allows cross site script with speci ...) NOT-FOR-US: LINE client for iOS -CVE-2021-36213 (In HashiCorp Consul before 1.10.1 (and Consul Enterprise), xds can gen ...) +CVE-2021-36213 (HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0 default de ...) TODO: check CVE-2021-36212 (app/View/SharingGroups/view.ctp in MISP before 2.4.146 allows stored X ...) NOT-FOR-US: MISP @@ -1839,18 +1917,18 @@ CVE-2021-35970 (Talk 4 in Coral before 4.12.1 allows remote attackers to discove NOT-FOR-US: Coral CVE-2021-35969 RESERVED -CVE-2021-35968 - RESERVED -CVE-2021-35967 - RESERVED -CVE-2021-35966 - RESERVED -CVE-2021-35965 - RESERVED -CVE-2021-35964 - RESERVED -CVE-2021-35963 - RESERVED +CVE-2021-35968 (The directory list page parameter of the Orca HCM digital learning pla ...) + TODO: check +CVE-2021-35967 (The directory page parameter of the Orca HCM digital learning platform ...) + TODO: check +CVE-2021-35966 (The specific function of the Orca HCM digital learning platform does n ...) + TODO: check +CVE-2021-35965 (The Orca HCM digital learning platform uses a weak factory default adm ...) + TODO: check +CVE-2021-35964 (The management page of the Orca HCM digital learning platform does not ...) + TODO: check +CVE-2021-35963 (The specific parameter of upload function of the Orca HCM digital lear ...) + TODO: check CVE-2021-35962 (Specific page parameters in Dr. ID Door Access Control and Personnel A ...) NOT-FOR-US: Dr. ID Door Access Control and Personnel Attendance Management system CVE-2021-35961 (Dr. ID Door Access Control and Personnel Attendance Management system ...) 
@@ -2966,8 +3044,8 @@ CVE-2021-35451 (In Teradici PCoIP Management Console-Enterprise 20.07.0, an unau NOT-FOR-US: Teradici PCoIP Management Console-Enterprise CVE-2021-35450 RESERVED -CVE-2021-35449 - RESERVED +CVE-2021-35449 (The Lexmark Universal Print Driver version 2.15.1.0 and below, G2 driv ...) + TODO: check CVE-2021-35448 (Emote Interactive Remote Mouse 3.008 on Windows allows attackers to ex ...) NOT-FOR-US: Emote Interactive Remote Mouse on Windows CVE-2021-35447 @@ -3835,8 +3913,8 @@ CVE-2021-35045 (Cross site scripting (XSS) vulnerability in Ice Hrm 29.0.0.OS, a NOT-FOR-US: Ice Hrm
[Git][security-tracker-team/security-tracker][master] Add GHSA reference for CVE-2021-32760/containerd
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 149aca6c by Salvatore Bonaccorso at 2021-07-19T21:22:28+02:00 Add GHSA reference for CVE-2021-32760/containerd - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9060,6 +9060,7 @@ CVE-2021-32761 CVE-2021-32760 RESERVED - containerd 1.4.5~ds1-2 + NOTE: https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w CVE-2021-32759 RESERVED CVE-2021-32758 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/149aca6c2823861a9f8beb4a7e8c4d13b6df57c2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/149aca6c2823861a9f8beb4a7e8c4d13b6df57c2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-32760/containerd
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: aaca7211 by Salvatore Bonaccorso at 2021-07-19T21:19:23+02:00 Add CVE-2021-32760/containerd - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9059,6 +9059,7 @@ CVE-2021-32761 RESERVED CVE-2021-32760 RESERVED + - containerd 1.4.5~ds1-2 CVE-2021-32759 RESERVED CVE-2021-32758 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aaca721187f31db95ed62451d9b52bc38d57ff06 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aaca721187f31db95ed62451d9b52bc38d57ff06 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
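Review bot: "- containerd 1.4.5~ds1-2" is added under an entry that is still RESERVED with no description, so the hunk leaves no trace of why that Debian version is the fixing one; a NOTE with the upstream advisory URL belongs in the same commit as the version line (the follow-up commit 149aca6c on this list adds exactly that reference).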
[Git][security-tracker-team/security-tracker][master] LTS: Take firmware-nonfree
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: f6ee0304 by Anton Gladky at 2021-07-19T19:14:15+00:00 LTS: Take firmware-nonfree - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -48,7 +48,7 @@ ffmpeg (Anton Gladky) NOTE: 20210719: https://salsa.debian.org/lts-team/packages/ffmpeg/-/blob/master/debian/changelog NOTE: 20210719: CVE-2020-22036 and CVE-2020-22032 are done. Many false-positive. Investigating. -- -firmware-nonfree +firmware-nonfree (Anton Gladky) -- golang-1.7 (Sylvain Beucler) NOTE: 20210624: Need further checks whether any issues are important to solve or not. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f6ee030464f8571cfa7cd767e90eb9e92d282a03 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f6ee030464f8571cfa7cd767e90eb9e92d282a03 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: give runc to Abhijith PA
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: b36a6379 by Anton Gladky at 2021-07-19T19:12:52+00:00 LTS: give runc to Abhijith PA - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -108,7 +108,7 @@ ruby-kaminari NOTE: 20210719: I believe the fix is just adding and extending the blacklist for ruby-kaminari. NOTE: 20210719: Will discuss this with Utkarsh (maintainer) shortly. -- -runc (Anton Gladky) +runc (Abhijith PA) NOTE: 20210612: Not sure if applies to this version. (lamby) -- salt View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b36a6379e8bd3e9c6988a544a64aa1470a0a3013 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b36a6379e8bd3e9c6988a544a64aa1470a0a3013 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update NOTES for ruby-kaminari.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 0a0a199d by Markus Koschany at 2021-07-19T17:58:33+02:00 Update NOTES for ruby-kaminari. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -104,6 +104,9 @@ ruby-kaminari NOTE: 20200928: It should prepend_features from Kaminari::Helpers::Tag. (utkarsh) NOTE: 20201009: This (↑) is an app-level patch for a rails app. A library-level patch NOTE: 20201009: will needed to be written. Opened an issue at upstream, though somewhat inactive. (utkarsh) + NOTE: 20210719: https://people.debian.org/~apo/lts/ruby-kaminari/CVE-2020-11082.patch + NOTE: 20210719: I believe the fix is just adding and extending the blacklist for ruby-kaminari. + NOTE: 20210719: Will discuss this with Utkarsh (maintainer) shortly. -- runc (Anton Gladky) NOTE: 20210612: Not sure if applies to this version. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a0a199d55f485e997c38c9131c8a7fa7fd3beaf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a0a199d55f485e997c38c9131c8a7fa7fd3beaf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
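Review bot: the three added NOTE lines carry no author tag, unlike the surrounding "(utkarsh)" notes, so the "I believe" has no attributable owner; append "(apo)", matching the people.debian.org/~apo path of the linked patch. The first note links the patch but does not say what it was derived from; one line of provenance (upstream commit or fork) would help whoever reviews the eventual DLA, especially given the earlier notes about the Debian source having a different lineage.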
[Git][security-tracker-team/security-tracker][master] CVE-2021-34552: Reference as well directly the upstream commit merged
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0cf40dde by Salvatore Bonaccorso at 2021-07-19T17:42:08+02:00 CVE-2021-34552: Reference as well directly the upstream commit merged - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4962,7 +4962,8 @@ CVE-2021-34553 (Sonatype Nexus Repository Manager 3.x before 3.31.0 allows a rem CVE-2021-34552 (Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1. ...) - pillow NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow - NOTE: https://github.com/python-pillow/Pillow/pull/5567/files + NOTE: https://github.com/python-pillow/Pillow/pull/5567 + NOTE: https://github.com/python-pillow/Pillow/commit/31c473898c29d1b7cb6555ce67d9503a4906b83f (8.3.0) CVE-2021-34551 (PHPMailer before 6.5.0 on Windows allows remote code execution if lang ...) - libphp-phpmailer (Windows-specific) CVE-2021-34550 (An issue was discovered in Tor before 0.4.6.5, aka TROVE-2021-006. The ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0cf40dde4e0315eb0e4ebc119396ba5c4a62c6a0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0cf40dde4e0315eb0e4ebc119396ba5c4a62c6a0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: update note on ffmpeg. Take runc.
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: a9e8a6b3 by Anton Gladky at 2021-07-19T13:41:54+00:00 LTS: update note on ffmpeg. Take runc. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -45,7 +45,8 @@ ffmpeg (Anton Gladky) NOTE: 20210607: going forward. There is a 3.4.x release branch, for example, NOTE: 20210607: but unclear on the compatibility as well as whether this one NOTE: 20210607: won't just be dropped too, etc. etc. (lamby) - NOTE: 20210719: WIP + NOTE: 20210719: https://salsa.debian.org/lts-team/packages/ffmpeg/-/blob/master/debian/changelog + NOTE: 20210719: CVE-2020-22036 and CVE-2020-22032 are done. Many false-positive. Investigating. -- firmware-nonfree -- @@ -104,7 +105,7 @@ ruby-kaminari NOTE: 20201009: This (↑) is an app-level patch for a rails app. A library-level patch NOTE: 20201009: will needed to be written. Opened an issue at upstream, though somewhat inactive. (utkarsh) -- -runc +runc (Anton Gladky) NOTE: 20210612: Not sure if applies to this version. (lamby) -- salt View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a9e8a6b331ae4886f7004795d3b8c3f8cbdf1905 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a9e8a6b331ae4886f7004795d3b8c3f8cbdf1905 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] lts: reclaim nettle
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 50ca55fb by Emilio Pozuelo Monfort at 2021-07-19T12:46:37+02:00 lts: reclaim nettle - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -71,8 +71,8 @@ linux (Ben Hutchings) -- linux-4.19 (Ben Hutchings) -- -nettle - NOTE: 20210628: difficult backport, wip (Emilio) +nettle (Emilio) + NOTE: 20210719: difficult backport, wip (Emilio) -- nvidia-graphics-drivers NOTE: package is in non-free but also in packages-to-support View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50ca55fb66ec7592f9bc1053a11dbf0bd50ee425 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50ca55fb66ec7592f9bc1053a11dbf0bd50ee425 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
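Review bot: the hunk reclaims nettle by rewriting the existing note's date from 20210628 to 20210719 while leaving its text unchanged, which erases the record of when the backport work actually started; keep the original dated line and append a new "NOTE: 20210719: ..." that states the current status instead.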
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2711-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: e0f7a0a7 by Emilio Pozuelo Monfort at 2021-07-19T12:44:03+02:00 Reserve DLA-2711-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[19 Jul 2021] DLA-2711-1 thunderbird - security update + {CVE-2021-29969 CVE-2021-29970 CVE-2021-29976 CVE-2021-30547} + [stretch] - thunderbird 1:78.12.0-1~deb9u1 [19 Jul 2021] DLA-2710-1 rabbitmq-server - security update {CVE-2017-4965 CVE-2017-4966 CVE-2017-4967 CVE-2019-11281 CVE-2019-11287 CVE-2021-22116} [stretch] - rabbitmq-server 3.6.6-1+deb9u1 = data/dla-needed.txt = @@ -120,5 +120,3 @@ shiro NOTE: 20201220: Upstream has responded. Working with them to backport fixes. (roberto) NOTE: 20210511: Upstream provided suggestions/guidance on testing of backported fixes; testing/tweaking is in progress. (roberto) -- -thunderbird (Emilio) --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e0f7a0a74ad02107197bc27e52b975ca2af7cc26 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e0f7a0a74ad02107197bc27e52b975ca2af7cc26 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: take ffmpeg again
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 5b9df288 by Anton Gladky at 2021-07-19T10:33:22+00:00 LTS: take ffmpeg again - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -36,7 +36,7 @@ condor (Markus Koschany) NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto) NOTE: 20210205: Some patches seems to be available but not clear if it solves the whole issue or not. (ola) -- -ffmpeg +ffmpeg (Anton Gladky) NOTE: 20210607: stretch was following the 3.2.x release line, but 3.2.15 NOTE: 20210607: (released 2020-07-02) was the last on this branch. There are NOTE: 20210607: now 10+ ~new CVEs that nominally apply to the version in LTS, @@ -45,7 +45,7 @@ ffmpeg NOTE: 20210607: going forward. There is a 3.4.x release branch, for example, NOTE: 20210607: but unclear on the compatibility as well as whether this one NOTE: 20210607: won't just be dropped too, etc. etc. (lamby) - NOTE: 20210704: WIP + NOTE: 20210719: WIP -- firmware-nonfree -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b9df288c3931198aca273383c53be0a4a9f1307 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b9df288c3931198aca273383c53be0a4a9f1307 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
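Review bot: in the second hunk, changing "NOTE: 20210704: WIP" to "NOTE: 20210719: WIP" in place gives the next reader no signal about whether anything progressed; append a dated line describing what was done (the later commit a9e8a6b3 on this list does this by listing the CVEs completed), since this file is also subject to a semi-automatic unclaim after two weeks of inactivity and a moving "WIP" date alone does not document activity.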
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Holger Levsen pushed to branch master at Debian Security Tracker / security-tracker Commits: ad26ed01 by Holger Levsen at 2021-07-19T12:01:34+02:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Holger Levsen hol...@layer-acht.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -36,7 +36,7 @@ condor (Markus Koschany) NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto) NOTE: 20210205: Some patches seems to be available but not clear if it solves the whole issue or not. (ola) -- -ffmpeg (Anton Gladky) +ffmpeg NOTE: 20210607: stretch was following the 3.2.x release line, but 3.2.15 NOTE: 20210607: (released 2020-07-02) was the last on this branch. There are NOTE: 20210607: now 10+ ~new CVEs that nominally apply to the version in LTS, @@ -71,7 +71,7 @@ linux (Ben Hutchings) -- linux-4.19 (Ben Hutchings) -- -nettle (Emilio) +nettle NOTE: 20210628: difficult backport, wip (Emilio) -- nvidia-graphics-drivers @@ -86,14 +86,14 @@ python-babel roundcube NOTE: 20210706: Check with maintainer as they have handled previous uploads. (lamby) -- -ruby-actionpack-page-caching (Markus Koschany) +ruby-actionpack-page-caching NOTE: 20200819: Upstream's patch on does not apply due to subsequent NOTE: 20200819: refactoring. However, a quick look at the private NOTE: 20200819: page_cache_file method suggests that the issue exists, as it NOTE: 20200819: uses the path without normalising any "../" etc., simply NOTE: 20200819: URI.parser.unescap-ing it. Requires more investigation. (lamby) -- -ruby-kaminari (Markus Koschany) +ruby-kaminari NOTE: 20200819: The source in Debian (at least in LTS) appears to have a different lineage to NOTE: 20200819: the one upstream or in its many forks. For example, both dthe NOTE: 20200819: kaminari/kaminari and amatsuda/kaminari repositories does no have the 
@@ -104,7 +104,7 @@ ruby-kaminari (Markus Koschany) NOTE: 20201009: This (↑) is an app-level patch for a rails app. A library-level patch NOTE: 20201009: will needed to be written. Opened an issue at upstream, though somewhat inactive. (utkarsh) -- -runc (Abhijith PA) +runc NOTE: 20210612: Not sure if applies to this version. (lamby) -- salt @@ -113,7 +113,7 @@ salt NOTE: 20210510: will try to release ASAP; also preparing update for buster (DSA). (utkarsh) NOTE: 20210607: new CVE patch proposed by damien; donfede to provide a debdiff. (utkarsh) -- -shiro (Roberto C. Sánchez) +shiro NOTE: 20200920: WIP NOTE: 20200928: Still awaiting reponse to request for assistance sent to upstream dev list. (roberto) NOTE: 20201004: Sent additional request to upstream dev list; stil no response. (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad26ed0124bf70c44537df8f993d5496ff0041dd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad26ed0124bf70c44537df8f993d5496ff0041dd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2710-1 for rabbitmq-server
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 1150eee6 by Abhijith PA at 2021-07-19T14:36:45+05:30 Reserve DLA-2710-1 for rabbitmq-server - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[19 Jul 2021] DLA-2710-1 rabbitmq-server - security update + {CVE-2017-4965 CVE-2017-4966 CVE-2017-4967 CVE-2019-11281 CVE-2019-11287 CVE-2021-22116} + [stretch] - rabbitmq-server 3.6.6-1+deb9u1 [15 Jul 2021] DLA-2709-1 firefox-esr - security update {CVE-2021-29970 CVE-2021-29976 CVE-2021-30547} [stretch] - firefox-esr 78.12.0esr-1~deb9u1 = data/dla-needed.txt = @@ -83,9 +83,6 @@ python-babel NOTE: 20210620: http://people.debian.org/~abhijith/backport_of_3a700b5.patch (abhijith) NOTE: 20210620: Revisit when it have an assigned CVE Id. (abhijith) -- -rabbitmq-server (Abhijith PA) - NOTE: 20210705: Upstream replied with necessary commits (abhijith) --- roundcube NOTE: 20210706: Check with maintainer as they have handled previous uploads. (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1150eee6d2ebc898f945d082ce08c8183a29f8c7
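Review bot: the new DLA/list entry in the first hunk closes six CVEs spanning 2017 to 2021 with the single upload `3.6.6-1+deb9u1`, while the only record of where the fixes came from, `NOTE: 20210705: Upstream replied with necessary commits (abhijith)`, is deleted in the second hunk; keep a pointer to the backported upstream commits somewhere that survives the dla-needed.txt removal (a NOTE on the CVE entries in data/CVE/list, or the package changelog) so each of the six CVEs can later be matched to its fix.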
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 509d196b by Moritz Muehlenhoff at 2021-07-19T10:58:30+02:00 NFUs drop one TODO for mongo-driver, if relevant it would get handled via k8s - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,11 +1,11 @@ CVE-2021-36774 RESERVED CVE-2021-36773 (uBlock Origin before 1.36.2 and nMatrix before 4.4.9 support an arbitr ...) - TODO: check + NOT-FOR-US: uBlock Origin CVE-2021-36772 (Zoho ManageEngine ADManager Plus before 7110 allows stored XSS. ...) - TODO: check + NOT-FOR-US: Zoho CVE-2021-36771 (Zoho ManageEngine ADManager Plus before 7110 allows reflected XSS. ...) - TODO: check + NOT-FOR-US: Zoho CVE-2021-36770 RESERVED CVE-2021-36769 (A reordering issue exists in Telegram before 7.8.1 for Android, Telegr ...) @@ -58,7 +58,7 @@ CVE-2021-36749 CVE-2021-3650 RESERVED CVE-2021-3649 (chatwoot is vulnerable to Inefficient Regular Expression Complexity ...) - TODO: check + NOT-FOR-US: chatwoot CVE-2021-36748 RESERVED CVE-2021-36747 @@ -6312,7 +6312,7 @@ CVE-2021-33913 CVE-2021-33912 RESERVED CVE-2021-33911 (Zoho ManageEngine ADManager Plus before 7110 allows remote code execut ...) - TODO: check + NOT-FOR-US: Zoho CVE-2021-33910 RESERVED CVE-2021-33909 @@ -7132,7 +7132,7 @@ CVE-2021-33594 CVE-2021-33593 RESERVED CVE-2021-33592 (NAVER Toolbar before 4.0.30.323 allows remote attackers to execute arb ...) - TODO: check + NOT-FOR-US: NAVER Toolbar CVE-2021-33591 (An exposed remote debugging port in Naver Comic Viewer prior to 1.0.15 ...) NOT-FOR-US: Naver Comic Viewer CVE-2021-33590 (GattLib 0.3-rc1 has a stack-based buffer over-read in get_device_path_ ...) 
@@ -20609,7 +20609,7 @@ CVE-2021-28116 (Squid through 4.14 and 5.x through 5.0.5, in some configurations CVE-2021-28115 (The OUGC Feedback plugin before 1.8.23 for MyBB allows XSS via the com ...) NOT-FOR-US: MyBB addon CVE-2021-28114 (Froala WYSIWYG Editor 3.2.6-1 is affected by XSS due to a namespace co ...) - TODO: check + NOT-FOR-US: Froala WYSIWYG Editor CVE-2021-28113 (A command injection vulnerability in the cookieDomain and relayDomain ...) NOT-FOR-US: Okta Access Gateway CVE-2021-28112 (Draeger X-Dock Firmware before 03.00.13 has Active Debug Code on a deb ...) @@ -40256,10 +40256,10 @@ CVE-2021-20331 (Specific versions of the MongoDB C# Driver may erroneously publi CVE-2021-20330 RESERVED CVE-2021-20329 (Specific cstrings input may not be properly validated in the MongoDB G ...) + NOT-FOR-US: mongo-driver NOTE: https://jira.mongodb.org/browse/GODRIVER-1923 NOTE: https://github.com/mongodb/mongo-go-driver/pull/622 NOTE: https://github.com/mongodb/mongo-go-driver/commit/3a89e6cde18d6ac5d38f39b54eaa8d4e321fd118 (v1.5.1) - TODO: check, mongo-driver driver embedded in src:kubernetes CVE-2021-20328 (Specific versions of the Java driver that support client-side field le ...) - mongo-java-driver (Vulnerable code introduce later) NOTE: https://jira.mongodb.org/browse/JAVA-4017 
@@ -395031,7 +395031,7 @@ CVE-2012-2667 (Session fixation vulnerability in lib/user/sfBasicSecurityUser.cl NOTE: http://trac.symfony-project.org/browser/tags/RELEASE_1_4_18/CHANGELOG NOTE: http://trac.symfony-project.org/changeset/33466?format=diff=33466 CVE-2012-2666 (golang/go in 1.0.2 fixes all.bash on shared machines. dotest() in src/ ...) - TODO: check + NOT-FOR-US: Historic Go issue CVE-2012-2665 (Multiple heap-based buffer overflows in the XML manifest encryption ta ...) {DSA-2520-1} - libreoffice 1:3.5.4-7 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/509d196b75aff9a068ee4dd091cfdfd8e762641f
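Review bot: the change from `TODO: check` to `NOT-FOR-US: uBlock Origin` for CVE-2021-36773 in the first hunk (@@ -1,11 +1,11 @@) looks wrong: Debian ships uBlock Origin as src:ublock-origin (the webext-ublock-origin-* binaries), and NOT-FOR-US is the marker for software that is not in the archive, so this hides the issue from the package's tracker page. The line should instead be `- ublock-origin <unfixed>` (or `- ublock-origin <version>` once the fixing upload is known), or `<not-affected>` with a stated reason if the packaged extension does not carry the affected filter support.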
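Review bot: in the CVE-2021-20329 hunk (@@ -40256,10 +40256,10 @@) the deleted line `TODO: check, mongo-driver driver embedded in src:kubernetes` was the only place recording the vendored copy in src:kubernetes; the commit message says it would be handled via k8s if relevant, but with plain `NOT-FOR-US: mongo-driver` that information no longer exists in the file. Suggest keeping it, e.g. `NOTE: mongo-go-driver is vendored in src:kubernetes; handled there if relevant`, or better a `- kubernetes <not-affected> (...)` line with the reason once the vendored code path has actually been checked.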
[Git][security-tracker-team/security-tracker][master] Add tracking note for pillow
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 49fb4688 by Neil Williams at 2021-07-19T09:19:41+01:00 Add tracking note for pillow - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4962,6 +4962,7 @@ CVE-2021-34553 (Sonatype Nexus Repository Manager 3.x before 3.31.0 allows a rem CVE-2021-34552 (Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1. ...) - pillow NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow + NOTE: https://github.com/python-pillow/Pillow/pull/5567/files CVE-2021-34551 (PHPMailer before 6.5.0 on Windows allows remote code execution if lang ...) - libphp-phpmailer (Windows-specific) CVE-2021-34550 (An issue was discovered in Tor before 0.4.6.5, aka TROVE-2021-006. The ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/49fb46882dcc84812d5ae305dbe8483e018c2e11
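Review bot: the entry `- pillow` in this hunk still has no fixed version, so the tracker reads it as unfixed, while the two NOTEs now identify both the fixing release (8.3.0 release notes, buffer-overflow section) and the fixing pull request; once the upload containing that fix is known the line should become `- pillow <version>` so the issue can be closed. The added link would also be more durable as the URL of the merged commit rather than the `/files` view of the pull request, which changes as the PR is rebased.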
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d628d9aa by security tracker role at 2021-07-19T08:10:14+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,5 @@ +CVE-2021-36774 + RESERVED CVE-2021-36773 (uBlock Origin before 1.36.2 and nMatrix before 4.4.9 support an arbitr ...) TODO: check CVE-2021-36772 (Zoho ManageEngine ADManager Plus before 7110 allows stored XSS. ...) @@ -7128,8 +7130,8 @@ CVE-2021-33594 RESERVED CVE-2021-33593 RESERVED -CVE-2021-33592 - RESERVED +CVE-2021-33592 (NAVER Toolbar before 4.0.30.323 allows remote attackers to execute arb ...) + TODO: check CVE-2021-33591 (An exposed remote debugging port in Naver Comic Viewer prior to 1.0.15 ...) NOT-FOR-US: Naver Comic Viewer CVE-2021-33590 (GattLib 0.3-rc1 has a stack-based buffer over-read in get_device_path_ ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d628d9aace027f5144ff107891e147ad10084abd