[Git][security-tracker-team/security-tracker][master] Reserve DLA-2743-1 for amd64-microcode
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 70f9d487 by Utkarsh Gupta at 2021-08-16T10:43:38+05:30 Reserve DLA-2743-1 for amd64-microcode - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[16 Aug 2021] DLA-2743-1 amd64-microcode - security update + {CVE-2017-5715} + [stretch] - amd64-microcode 3.20181128.1~deb9u1 [14 Aug 2021] DLA-2742-1 ffmpeg - security update {CVE-2020-21041 CVE-2020-22015 CVE-2020-22016 CVE-2020-22020 CVE-2020-22021 CVE-2020-22022 CVE-2020-22023 CVE-2020-22025 CVE-2020-22026 CVE-2020-22028 CVE-2020-22031 CVE-2020-22032 CVE-2020-22036 CVE-2021-3566 CVE-2021-38114} [stretch] - ffmpeg 7:3.2.15-0+deb9u3 = data/dla-needed.txt = @@ -12,9 +12,6 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. --- -amd64-microcode (Utkarsh Gupta) - NOTE: 20210805: See "Subject: packages in *-lts newer than in subsequent releases" -- ansible NOTE: 20210411: As discussed with the maintainer I will update Buster first and View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/70f9d4873d7b67e8ca22c9647f8a16ba1054d5cf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/70f9d4873d7b67e8ca22c9647f8a16ba1054d5cf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] update note in dla-needed
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 163ae125 by Abhijith PA at 2021-08-16T09:11:12+05:30 update note in dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -50,6 +50,7 @@ nvidia-graphics-drivers -- pjproject (Abhijith PA) NOTE: 20210804: Check notes on CVE (especially re. src:ring). (lamby) + NOTE: 20210821: Fix backported (abhijith) -- python-babel NOTE: 20210617: CVE-2021-20095 withdrawn, cf. 251b6e33 and #987824 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/163ae125aa129df1868afe6c3a2be36fbae1fbb7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/163ae125aa129df1868afe6c3a2be36fbae1fbb7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
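Review bot: the NOTE added in the pjproject hunk is stamped 20210821, which is five days after the commit date (2021-08-16); the surrounding notes use the day they were written, so the date looks mistyped and should probably read 20210816.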
[Git][security-tracker-team/security-tracker][master] LTS: status update
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 7cb20d44 by Anton Gladky at 2021-08-15T23:36:07+02:00 LTS: status update - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -26,6 +26,7 @@ exiv2 (Utkarsh Gupta) -- firmware-nonfree (Anton Gladky) NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree + NOTE: 20210815: Planed to be finished on CW 34/2021 -- gpac (Thorsten Alteholz) NOTE: 20210815: WIP, almost done, still testing package View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7cb20d44e41a4917238fe63fcdf172fbffbfa04b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7cb20d44e41a4917238fe63fcdf172fbffbfa04b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
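Review bot: "Planed" in the added firmware-nonfree note should read "Planned" (`NOTE: 20210815: Planned to be finished on CW 34/2021`).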
[Git][security-tracker-team/security-tracker][master] update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 7f7e7ea4 by Thorsten Alteholz at 2021-08-15T23:27:51+02:00 update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -28,7 +28,7 @@ firmware-nonfree (Anton Gladky) NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree -- gpac (Thorsten Alteholz) - NOTE: 20210801: WIP, almost done, testing package + NOTE: 20210815: WIP, almost done, still testing package -- linux (Ben Hutchings) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f7e7ea4faaa056d31dd169ae9934600b89c51d0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f7e7ea4faaa056d31dd169ae9934600b89c51d0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
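Review bot: the gpac hunk replaces the existing `NOTE: 20210801: WIP, almost done, testing package` line instead of adding a new one, while the header of data/dla-needed.txt asks to append notes rather than remove or replace existing ones so the update history stays visible; keep the 20210801 line and add `NOTE: 20210815: WIP, almost done, still testing package` below it.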
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 10173a7f by Moritz Muehlenhoff at 2021-08-15T23:25:34+02:00 NFUs new ffmpeg non issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19,7 +19,7 @@ CVE-2021-38701 CVE-2021-38700 RESERVED CVE-2021-38699 (TastyIgniter 3.0.7 allows XSS via /account, /reservation, /admin/dashb ...) - TODO: check + NOT-FOR-US: TastyIgniter CVE-2021-38698 RESERVED CVE-2021-38697 @@ -253,7 +253,7 @@ CVE-2021-38593 (Qt 5.0.0 through 6.1.2 has an out-of-bounds write in QOutlineMap NOTE: https://github.com/qt/qtbase/commit/202143ba41f6ac574f1858214ed8bf4a38b73ccd NOTE: https://github.com/qt/qtbase/commit/6b400e3147dcfd8cc3a393ace1bd118c93762e0c CVE-2021-38592 (Wasm3 0.5.0 has a heap-based buffer overflow in op_Const64 (called fro ...) - TODO: check + NOT-FOR-US: Wasm3 CVE-2021-38591 (An issue was discovered on LG mobile devices with Android OS P and Q s ...) NOT-FOR-US: LG mobile devices CVE-2021-38590 (In cPanel before 96.0.8, weak permissions on web stats can lead to inf ...) @@ -355,7 +355,7 @@ CVE-2021-38547 (Logitech Z120 and S120 speakers through 2021-08-09 allow remote CVE-2021-38546 (CREATIVE Pebble devices through 2021-08-09 allow remote attackers to r ...) NOT-FOR-US: CREATIVE Pebble devices CVE-2021-38545 (Raspberry Pi 3 B+ and 4 B devices through 2021-08-09, in certain speci ...) - TODO: check + NOT-FOR-US: Raspberry Pi hardware CVE-2021-38544 (Sony SRS-XB33 and SRS-XB43 devices through 2021-08-09 allow remote att ...) NOT-FOR-US: Sony SRS-XB33 and SRS-XB43 devices CVE-2021-38543 (TP-Link UE330 USB splitter devices through 2021-08-09, in certain spec ...) 
@@ -904,7 +904,10 @@ CVE-2021-38293 CVE-2021-38292 RESERVED CVE-2021-38291 (FFmpeg version (git commit de8e6e67e7523e48bb27ac224a0b446df05e1640) s ...) - TODO: check + - ffmpeg (unimportant) + NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=e01d306c647b5827102260b885faa223b646d2d1 + NOTE: https://trac.ffmpeg.org/ticket/9312 + NOTE: Negligible security impact CVE-2021-38290 (A host header attack vulnerability exists in FUEL CMS 1.5.0 through fu ...) NOT-FOR-US: FUEL CMS CVE-2021-38289 @@ -2298,21 +2301,21 @@ CVE-2021-37702 CVE-2021-37701 RESERVED CVE-2021-37700 (@github/paste-markdown is an npm package for pasting markdown objects. ...) - TODO: check + NOT-FOR-US: Node paste-markdown CVE-2021-37699 (Next.js is an open source website development framework to be used wit ...) TODO: check CVE-2021-37698 RESERVED CVE-2021-37697 (tmerc-cogs are a collection of open source plugins for the Red Discord ...) - TODO: check + NOT-FOR-US: tmerc-cogs CVE-2021-37696 (tmerc-cogs are a collection of open source plugins for the Red Discord ...) - TODO: check + NOT-FOR-US: tmerc-cogs CVE-2021-37695 (ckeditor is an open source WYSIWYG HTML editor with rich content suppo ...) - ckeditor NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc NOTE: https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58 CVE-2021-37694 (@asyncapi/java-spring-cloud-stream-template generates a Spring Cloud S ...) - TODO: check + NOT-FOR-US: @asyncapi/java-spring-cloud-stream-template CVE-2021-37693 (Discourse is an open-source platform for community discussion. In Disc ...) NOT-FOR-US: Discourse CVE-2021-37692 (TensorFlow is an end-to-end open source platform for machine learning. ...) @@ -3104,7 +3107,7 @@ CVE-2021-37328 CVE-2021-37327 RESERVED CVE-2021-37326 (NetSarang Xshell 7 before Build 0077 includes unintended code strings ...) - TODO: check + NOT-FOR-US: NetSarang Xshell CVE-2021-37325 RESERVED CVE-2021-37324 
@@ -16711,7 +16714,7 @@ CVE-2021-31568 CVE-2021-31557 RESERVED CVE-2021-31556 (An issue was discovered in the Oauth extension for MediaWiki through 1 ...) - TODO: check + NOT-FOR-US: MediaWiki extension OAuth CVE-2021-31555 (An issue was discovered in the Oauth extension for MediaWiki through 1 ...) NOT-FOR-US: MediaWiki extension OAuth CVE-2021-31554 (An issue was discovered in the AbuseFilter extension for MediaWiki thr ...) @@ -25416,7 +25419,7 @@ CVE-2021-28123 (Undocumented Default Cryptographic Key Vulnerability in Cohesity CVE-2021-28122 (A request-validation issue was discovered in Open5GS 2.1.3 through 2.2 ...) NOT-FOR-US: Open5GS CVE-2021-28121 (Virtual Robots.txt before 1.10 does not block HTML tags in the robots. ...) - TODO: check + NOT-FOR-US: Virtual Robots.txt CVE-2021-28120 RESERVED CVE-2021-28119 (Twinkle Tray (aka
[Git][security-tracker-team/security-tracker][master] security-team.d.o: Sync table with real situation
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bc75d95b by Salvatore Bonaccorso at 2021-08-15T23:10:54+02:00 security-team.d.o: Sync table with real situation Add bullseye as new stable release and mention bookworm. Signed-off-by: Salvatore Bonaccorso car...@debian.org - - - - - 1 changed file: - doc/security-team.d.o/index Changes: = doc/security-team.d.o/index = @@ -1,9 +1,11 @@ -Buster 10Bullseye 11Sid -buster-securitytestingunstable +buster 10bullseye 11bookworm 12sid + buster-securitybullseye-securitytestingunstable + https://security-tracker.debian.org/tracker/status/release/oldstable;>Vulnerable Packages + https://security-tracker.debian.org/tracker/status/release/stable;>Vulnerable Packages https://security-tracker.debian.org/tracker/status/release/testing;>Vulnerable Packages @@ -11,13 +13,14 @@ https://security-tracker.debian.org/tracker/status/release/unstable;>Vulnerable Packages +https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/next-oldstable-point-update.txt;>Next (oldstable) point update + https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/next-point-update.txt;>Next point update Next point update Next point update - Security team documentation View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc75d95bd948b10929deb789040e26e9884a5e9e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc75d95bd948b10929deb789040e26e9884a5e9e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
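Review bot: the second hunk also removes the `- Security team documentation` line, which the commit message (add bullseye as new stable, mention bookworm) does not account for; either keep that row or state the removal in the message. The first hunk additionally lowercases "Buster 10" to "buster 10" and "Sid" to "sid", which is fine as long as the other release labels follow the same casing.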
[Git][security-tracker-team/security-tracker][master] Postpone decision on possible apache2 DSA for CVE-2021-33193
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 20b33b24 by Salvatore Bonaccorso at 2021-08-15T22:53:15+02:00 Postpone decision on possible apache2 DSA for CVE-2021-33193 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12600,6 +12600,7 @@ CVE-2021-33193 [Apache mod_proxy HTTP2 request line injection] RESERVED - apache2 2.4.48-4 [bullseye] - apache2 2.4.48-3.1+deb11u1 + [buster] - apache2 (Revisit when a suitable backport is available for 2.4.38) NOTE: https://portswigger.net/research/http2 NOTE: https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c CVE-2021-33192 (A vulnerability in the HTML pages of Apache Jena Fuseki allows an atta ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20b33b24759cc5b93fdaffb70e4ad7f636d32725 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20b33b24759cc5b93fdaffb70e4ad7f636d32725 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for two icinga2 issues via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 29157936 by Salvatore Bonaccorso at 2021-08-15T22:11:02+02:00 Track fixed version for two icinga2 issues via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13686,7 +13686,7 @@ CVE-2021-32744 (Collabora Online is a collaborative online office suite. In vers NOT-FOR-US: Collabora Online CVE-2021-32743 (Icinga is a monitoring system which checks the availability of network ...) [experimental] - icinga2 2.12.5-1~exp1 - - icinga2 (bug #991494) + - icinga2 2.12.5-1 (bug #991494) NOTE: https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/ NOTE: https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7 CVE-2021-32742 (Vapor is a web framework for Swift. In versions 4.47.1 and prior, bug ...) 
@@ -13699,7 +13699,7 @@ CVE-2021-32740 (Addressable is an alternative implementation to the URI implemen NOTE: https://github.com/sporkmonger/addressable/commit/b48ff03347a6d46e8dc674e242ce74c6381962a5#diff-fb36d3dc67e6565ffde17e666a98697f48e76dac38fabf1bb9e97cdf3b583d76 CVE-2021-32739 (Icinga is a monitoring system which checks the availability of network ...) [experimental] - icinga2 2.12.5-1~exp1 - - icinga2 (bug #991494) + - icinga2 2.12.5-1 (bug #991494) NOTE: https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/ NOTE: https://github.com/Icinga/icinga2/security/advisories/GHSA-98wp-jc6q-x5q5 CVE-2021-32738 (js-stellar-sdk is a Javascript library for communicating with a Stella ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2915793643da461dab5d39aba4b3ef58fea96387 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2915793643da461dab5d39aba4b3ef58fea96387 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 95378934 by security tracker role at 2021-08-15T20:10:23+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,11 +1,25 @@ +CVE-2021-38707 + RESERVED +CVE-2021-38706 + RESERVED +CVE-2021-38705 + RESERVED +CVE-2021-38704 + RESERVED +CVE-2021-38703 + RESERVED +CVE-2021-3708 + RESERVED +CVE-2021-3707 + RESERVED CVE-2021-38702 RESERVED CVE-2021-38701 RESERVED CVE-2021-38700 RESERVED -CVE-2021-38699 - RESERVED +CVE-2021-38699 (TastyIgniter 3.0.7 allows XSS via /account, /reservation, /admin/dashb ...) + TODO: check CVE-2021-38698 RESERVED CVE-2021-38697 @@ -3089,8 +3103,8 @@ CVE-2021-37328 RESERVED CVE-2021-37327 RESERVED -CVE-2021-37326 - RESERVED +CVE-2021-37326 (NetSarang Xshell 7 before Build 0077 includes unintended code strings ...) + TODO: check CVE-2021-37325 RESERVED CVE-2021-37324 @@ -14936,7 +14950,7 @@ CVE-2021-32200 RESERVED CVE-2021-32199 RESERVED -CVE-2021-32198 (EmTec ZOC before 8.02.2 allows \e[201~ pastes. ...) +CVE-2021-32198 (EmTec ZOC through 8.02.4 allows remote servers to cause a denial of se ...) NOT-FOR-US: EmTec ZOC CVE-2021-32197 RESERVED @@ -20742,7 +20756,7 @@ CVE-2021-29990 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-33/#CVE-2021-29990 CVE-2021-29989 RESERVED - {DSA-4956-1 DLA-2740-1} + {DSA-4959-1 DSA-4956-1 DLA-2740-1} - firefox 91.0-1 - firefox-esr 78.13.0esr-1 - thunderbird 1:78.13.0-1 @@ -20751,7 +20765,7 @@ CVE-2021-29989 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-36/#CVE-2021-29989 CVE-2021-29988 RESERVED - {DSA-4956-1 DLA-2740-1} + {DSA-4959-1 DSA-4956-1 DLA-2740-1} - firefox 91.0-1 - firefox-esr 78.13.0esr-1 - thunderbird 1:78.13.0-1 
@@ -20766,7 +20780,7 @@ CVE-2021-29987 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-36/#CVE-2021-29987 CVE-2021-29986 RESERVED - {DSA-4956-1 DLA-2740-1} + {DSA-4959-1 DSA-4956-1 DLA-2740-1} - firefox 91.0-1 - firefox-esr 78.13.0esr-1 - thunderbird 1:78.13.0-1 @@ -20775,7 +20789,7 @@ CVE-2021-29986 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-36/#CVE-2021-29986 CVE-2021-29985 RESERVED - {DSA-4956-1 DLA-2740-1} + {DSA-4959-1 DSA-4956-1 DLA-2740-1} - firefox 91.0-1 - firefox-esr 78.13.0esr-1 - thunderbird 1:78.13.0-1 @@ -20784,7 +20798,7 @@ CVE-2021-29985 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-36/#CVE-2021-29985 CVE-2021-29984 RESERVED - {DSA-4956-1 DLA-2740-1} + {DSA-4959-1 DSA-4956-1 DLA-2740-1} - firefox 91.0-1 - firefox-esr 78.13.0esr-1 - thunderbird 1:78.13.0-1 @@ -20809,7 +20823,7 @@ CVE-2021-29981 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-36/#CVE-2021-29981 CVE-2021-29980 RESERVED - {DSA-4956-1 DLA-2740-1} + {DSA-4959-1 DSA-4956-1 DLA-2740-1} - firefox 91.0-1 - firefox-esr 78.13.0esr-1 - thunderbird 1:78.13.0-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/953789340ab0c7eec32d17e908cbb896322c9cad -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/953789340ab0c7eec32d17e908cbb896322c9cad You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update information for several binutils issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 26812c44 by Salvatore Bonaccorso at 2021-08-15T22:08:57+02:00 Update information for several binutils issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13979,7 +13979,7 @@ CVE-2021-32617 (Exiv2 is a command-line utility and C++ library for reading, wri CVE-2021-32616 (1CDN is open-source file sharing software. In 1CDN before commit f88a2 ...) NOT-FOR-US: 1CDN CVE-2021-3549 (An out of bounds flaw was found in GNU binutils objdump utility versio ...) - - binutils (unimportant) + - binutils 2.37-3 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=27294 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1cfcf3004e1830f8fe9112cfcd15285508d2c2b7 NOTE: binutils not covered by security support @@ -19530,7 +19530,7 @@ CVE-2021-30477 (An issue was discovered in Zulip Server before 3.4. A bug in the CVE-2021-30476 (HashiCorp Terraforms Vault Provider (terraform-provider-vault) ...) NOT-FOR-US: HashiCorp Terraform Vault Provider CVE-2021-3487 (There's a flaw in the BFD library of binutils in versions before 2.36. ...) - - binutils (unimportant) + - binutils 2.37-3 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=26946 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=647cebce12a6b0a26960220caff96ff38978cf24 NOTE: binutils not covered by security support 
@@ -45340,8 +45340,9 @@ CVE-2021-20295 [Regression of CVE-2020-10756 fix in virt:rhel/qemu-kvm in Red Ha RESERVED - qemu (RHEL 8.3 specific security regression) CVE-2021-20294 (A flaw was found in binutils readelf 2.35 program. An attacker who is ...) - - binutils (unimportant) + - binutils 2.35.2-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=26929 + NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=372dd157272e0674d13372655cc60eaca9c06926 NOTE: binutils not covered by security support CVE-2021-20293 (A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in a ...) - resteasy @@ -45383,8 +45384,9 @@ CVE-2021-20285 (A flaw was found in upx canPack in p_lx_elf.cpp in UPX 3.96. Thi NOTE: https://github.com/upx/upx/issues/421 NOTE: https://github.com/upx/upx/commit/3781df9da23840e596d5e9e8493f22666802fe6c CVE-2021-20284 (A flaw was found in GNU Binutils 2.35.1, where there is a heap-based b ...) - - binutils (unimportant) + - binutils 2.37-3 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=26931 + NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f60742b2a1988d276c77d5c1011143f320d9b4cb NOTE: binutils not covered by security support CVE-2021-20283 (The web service responsible for fetching other users' enrolled courses ...) - moodle @@ -45817,7 +45819,7 @@ CVE-2021-20198 (A flaw was found in the OpenShift Installer before version v0.9. NOT-FOR-US: OpenShift CVE-2021-20197 (There is an open race window when writing output in the following util ...) [experimental] - binutils 2.35.50.20201209-1 - - binutils (unimportant) + - binutils 2.37-3 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=26945 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=014cc7f849e8209623fc99264814bce7b3b6faf2 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1a1c3b4cc17687091cff5a368bd6f13742bcfdf8 
@@ -81567,7 +81569,7 @@ CVE-2020-16600 (A Use After Free vulnerability exists in Artifex Software, Inc. NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=702253 NOTE: http://git.ghostscript.com/?p=mupdf.git;h=96751b25462f83d6e16a9afaf8980b0c3f979c8b CVE-2020-16599 (A Null Pointer Dereference vulnerability exists in the Binary File Des ...) - - binutils (unimportant) + - binutils 2.35-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25842 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8d55d10ac0d112c586eaceb92e75bd9b80aadcc4 NOTE: binutils not covered by security support @@ -81582,22 +81584,22 @@ CVE-2020-16595 CVE-2020-16594 RESERVED CVE-2020-16593 (A Null Pointer Dereference vulnerability exists in the Binary File Des ...) - - binutils (unimportant) + - binutils 2.35-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25827 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aec72fda3b320c36eb99fc1c4cf95b10fc026729 NOTE: binutils not covered by security support CVE-2020-16592 (A use after free issue exists in the Binary File Descriptor
[Git][security-tracker-team/security-tracker][master] Track fixed version of CVE-2021-3274{6,7}/icingaweb2 via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f7b9fa65 by Salvatore Bonaccorso at 2021-08-15T21:45:03+02:00 Track fixed version of CVE-2021-3274{6,7}/icingaweb2 via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13654,14 +13654,14 @@ CVE-2021-32748 (Nextcloud Richdocuments in an open source self hosted online off NOT-FOR-US: Nextcloud Richdocuments CVE-2021-32747 (Icinga Web 2 is an open source monitoring web interface, framework, an ...) [experimental] - icingaweb2 2.8.3-1~exp1 - - icingaweb2 (bug #991116) + - icingaweb2 2.8.4-1 (bug #991116) [buster] - icingaweb2 (Minor issue) [stretch] - icingaweb2 (Minor issue) NOTE: https://github.com/Icinga/icingaweb2/security/advisories/GHSA-2xv9-886q-p7xx NOTE: https://github.com/Icinga/icingaweb2/commit/ffe8741c66af6ea085514a35ec878093b991875c (v2.8.3) CVE-2021-32746 (Icinga Web 2 is an open source monitoring web interface, framework and ...) [experimental] - icingaweb2 2.8.3-1~exp1 - - icingaweb2 (bug #991116) + - icingaweb2 2.8.4-1 (bug #991116) [buster] - icingaweb2 (Minor issue) [stretch] - icingaweb2 (Minor issue) NOTE: https://github.com/Icinga/icingaweb2/security/advisories/GHSA-cmgc-h4cx-3v43 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7b9fa6537be6a0c0d264136fc3163e02fcefbd4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7b9fa6537be6a0c0d264136fc3163e02fcefbd4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f43177d4 by Salvatore Bonaccorso at 2021-08-15T21:35:28+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17,7 +17,7 @@ CVE-2021-38695 CVE-2021-38694 RESERVED CVE-2020-36473 (UCWeb UC 12.12.3.1219 through 12.12.3.1226 uses cleartext HTTP, and th ...) - TODO: check + NOT-FOR-US: UCWeb UC CVE-2021-38693 RESERVED CVE-2021-38692 @@ -2276,7 +2276,7 @@ CVE-2021-37706 CVE-2021-37705 (OneFuzz is an open source self-hosted Fuzzing-As-A-Service platform. S ...) NOT-FOR-US: OneFuzz CVE-2021-37704 (PhpFastCache is a high-performance backend cache system (packagist pac ...) - TODO: check + NOT-FOR-US: PhpFastCache CVE-2021-37703 (Discourse is an open-source platform for community discussion. In Disc ...) NOT-FOR-US: Discourse CVE-2021-37702 @@ -52860,7 +52860,7 @@ CVE-2021-1113 (NVIDIA camera firmware contains a vulnerability where an unauthor CVE-2021-1112 (NVIDIA Linux kernel distributions contain a vulnerability in nvmap, wh ...) NOT-FOR-US: NVIDIA CVE-2021- (Bootloader contains a vulnerability in the NV3P server where any user ...) - TODO: check + NOT-FOR-US: NVIDIA CVE-2021-1110 (NVIDIA Linux kernel distributions on Jetson Xavier contain a vulnerabi ...) NOT-FOR-US: NVIDIA CVE-2021-1109 (NVIDIA camera firmware contains a multistep, timing-related vulnerabil ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f43177d4e653047b4e991328a46affa65bba862a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f43177d4e653047b4e991328a46affa65bba862a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
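Review bot: in the third hunk the context line for the NVIDIA bootloader issue reads `CVE-2021- (Bootloader contains a vulnerability in the NV3P server ...)` with the numeric part of the identifier missing, sitting between CVE-2021-1112 and CVE-2021-1110; if that is the actual content of data/CVE/list rather than a rendering artifact of this mail, the entry id needs to be corrected, since the tracker will not match an incomplete CVE id.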
[Git][security-tracker-team/security-tracker][master] three thunderbird issues n/a
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 59e92c4b by Moritz Mühlenhoff at 2021-08-15T12:30:48+02:00 three thunderbird issues n/a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20761,7 +20761,7 @@ CVE-2021-29988 CVE-2021-29987 RESERVED - firefox 91.0-1 - - thunderbird + - thunderbird (Thunderbird 78.x not affected, only TB91) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-33/#CVE-2021-29987 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-36/#CVE-2021-29987 CVE-2021-29986 @@ -20798,13 +20798,13 @@ CVE-2021-29983 CVE-2021-29982 RESERVED - firefox 91.0-1 - - thunderbird + - thunderbird (Thunderbird 78.x not affected, only TB91) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-33/#CVE-2021-29982 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-36/#CVE-2021-29982 CVE-2021-29981 RESERVED - firefox 91.0-1 - - thunderbird + - thunderbird (Thunderbird 78.x not affected, only TB91) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-33/#CVE-2021-29981 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-36/#CVE-2021-29981 CVE-2021-29980 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/59e92c4bb300f9b6dab54b36b994b0e9170798fc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/59e92c4bb300f9b6dab54b36b994b0e9170798fc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] thunderbird DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: cc1ece67 by Moritz Mühlenhoff at 2021-08-15T12:29:04+02:00 thunderbird DSA - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[15 Aug 2021] DSA-4959-1 thunderbird - security update + {CVE-2021-29980 CVE-2021-29984 CVE-2021-29985 CVE-2021-29986 CVE-2021-29988 CVE-2021-29989} + [bullseye] - thunderbird 1:78.13.0-1~deb11u1 + [buster] - thunderbird 1:78.13.0-1~deb10u1 [13 Aug 2021] DSA-4958-1 exiv2 - security update {CVE-2019-20421 CVE-2021-3482 CVE-2021-29457 CVE-2021-29473 CVE-2021-31292} [buster] - exiv2 0.25-4+deb10u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc1ece67d0209818a82f04f2953ca9d1d501a5b8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc1ece67d0209818a82f04f2953ca9d1d501a5b8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 07dc7f30 by security tracker role at 2021-08-15T08:10:23+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,23 @@ +CVE-2021-38702 + RESERVED +CVE-2021-38701 + RESERVED +CVE-2021-38700 + RESERVED +CVE-2021-38699 + RESERVED +CVE-2021-38698 + RESERVED +CVE-2021-38697 + RESERVED +CVE-2021-38696 + RESERVED +CVE-2021-38695 + RESERVED +CVE-2021-38694 + RESERVED +CVE-2020-36473 (UCWeb UC 12.12.3.1219 through 12.12.3.1226 uses cleartext HTTP, and th ...) + TODO: check CVE-2021-38693 RESERVED CVE-2021-38692 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/07dc7f30c21a9d49ef44b5de09c0695e60467bd5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/07dc7f30c21a9d49ef44b5de09c0695e60467bd5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-28589/tinyobjloader
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b755ef4e by Salvatore Bonaccorso at 2021-08-15T09:12:14+02:00 Add CVE-2020-28589/tinyobjloader - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -52781,7 +52781,8 @@ CVE-2020-28590 (An out-of-bounds read vulnerability exists in the Obj File Trian NOTE: https://github.com/slic3r/Slic3r/issues/5074 NOTE: Crash in enduser application, no security impact CVE-2020-28589 (An improper array index validation vulnerability exists in the LoadObj ...) - TODO: check + - tinyobjloader + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1212 CVE-2020-28588 (An information disclosure vulnerability exists in the /proc/pid/syscal ...) - linux 5.9.15-1 [buster] - linux (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b755ef4ebabdfe7b6a8e2d6897e497a48e2e0c9e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b755ef4ebabdfe7b6a8e2d6897e497a48e2e0c9e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-3688 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5a500857 by Salvatore Bonaccorso at 2021-08-15T09:08:24+02:00 Add CVE-2021-3688 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1309,6 +1309,7 @@ CVE-2021-38136 (Corero SecureWatch Managed Services 9.7.2.0020 is affected by a NOT-FOR-US: Corero SecureWatch Managed Services CVE-2021-3688 RESERVED + NOT-FOR-US: Red Hat JBoss Core Services HTTP Server CVE-2021-38135 RESERVED CVE-2021-38134 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a50085741d371c6b2b8cb2b9d44e4a891ae950d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a50085741d371c6b2b8cb2b9d44e4a891ae950d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-35936/airflow
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eac61ab6 by Salvatore Bonaccorso at 2021-08-15T09:06:20+02:00 Add CVE-2021-35936/airflow - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6323,6 +6323,7 @@ CVE-2021-35937 [TOCTOU race in checks for unsafe symlinks] NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1964125 CVE-2021-35936 RESERVED + - airflow (bug #819700) CVE-2021-3626 RESERVED CVE-2021-3625 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eac61ab67335d1d71cc269927228cf7bfa338f98 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eac61ab67335d1d71cc269927228cf7bfa338f98 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits