[Git][security-tracker-team/security-tracker][master] Add fixed version via unstable for CVE-2021-29063/mpmath
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4cbf8c15 by Salvatore Bonaccorso at 2021-10-01T06:38:05+02:00 Add fixed version via unstable for CVE-2021-29063/mpmath - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30822,7 +30822,7 @@ CVE-2021-29065 (NETGEAR RBR850 devices before 3.2.10.11 are affected by authenti CVE-2021-29064 RESERVED CVE-2021-29063 (A Regular Expression Denial of Service (ReDOS) vulnerability was disco ...) - - mpmath (bug #990576) + - mpmath 1.2.1-2 (bug #990576) [bullseye] - mpmath (Minor issue) [buster] - mpmath (Minor issue) [stretch] - mpmath (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4cbf8c15a4f239ad3d38c8f128802ff41ddb0380 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4cbf8c15a4f239ad3d38c8f128802ff41ddb0380 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2774-1 for openssl1.0
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: a8633aba by Thorsten Alteholz at 2021-10-01T00:00:06+02:00 Reserve DLA-2774-1 for openssl1.0 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Sep 2021] DLA-2774-1 openssl1.0 - security update + {CVE-2021-3712} + [stretch] - openssl1.0 1.0.2u-1~deb9u6 [30 Sep 2021] DLA-2773-1 curl - security update {CVE-2021-22946 CVE-2021-22947} [stretch] - curl 7.52.1-5+deb9u16 = data/dla-needed.txt = @@ -64,9 +64,6 @@ nvidia-graphics-drivers NOTE: package is in non-free but also in packages-to-support NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077 -- -openssl1.0 (Thorsten Alteholz) - NOTE: 20210926: testing package, tests still don't pass --- plib (Anton Gladky) NOTE: 20210829: no fix yet. (thorsten) NOTE: 20210829: upstream bug mentions that it might never get fixed. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a8633aba50e683ab90d66cdc6632f9e472498f0b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a8633aba50e683ab90d66cdc6632f9e472498f0b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
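Review bot: the dla-needed.txt entry being removed still carries `NOTE: 20210926: testing package, tests still don't pass`, and nothing in the commit records how that was resolved before DLA-2774-1 was reserved for openssl1.0 1.0.2u-1~deb9u6; a one-line note (in the CVE-2021-3712 entry or alongside the DLA) stating that the failing tests were fixed or judged pre-existing would keep the audit trail. Also, unlike the taglib and krb5 DLA reservations elsewhere in this digest, no data/CVE/list hunk accompanies the new DLA/list entry, so it is worth confirming that CVE-2021-3712 carries no stale `[stretch] - openssl1.0` marker that would now conflict with the DLA.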
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2773-1 for curl
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 627ed4d8 by Thorsten Alteholz at 2021-09-30T23:55:23+02:00 Reserve DLA-2773-1 for curl - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Sep 2021] DLA-2773-1 curl - security update + {CVE-2021-22946 CVE-2021-22947} + [stretch] - curl 7.52.1-5+deb9u16 [30 Sep 2021] DLA-2772-1 taglib - security update {CVE-2017-12678 CVE-2018-11439} [stretch] - taglib 1.11.1+dfsg.1-0.3+deb9u1 = data/dla-needed.txt = @@ -29,9 +29,6 @@ cacti (Roberto C. Sánchez) NOTE: 20210829: not really sure whether affected, please recheck NOTE: 20210914: still assessing whether or not affected (roberto) -- -curl (Thorsten Alteholz) - NOTE: 20210926: coordinate with upload to other releases --- debian-archive-keyring (Utkarsh) NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html NOTE: 20210920: Raphael answered. will backport today. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/627ed4d8e6101c93485d056047b9e9655d6c8cf5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/627ed4d8e6101c93485d056047b9e9655d6c8cf5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
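Review bot: the dla-needed.txt note being dropped, `20210926: coordinate with upload to other releases`, is not reflected anywhere in the DLA/list entry; since CVE-2021-22946 and CVE-2021-22947 are being released for stretch as curl 7.52.1-5+deb9u16, a brief note on whether the buster/bullseye uploads landed in step (or a pointer to the relevant DSA) would close that loop. As with the openssl1.0 reservation, there is no data/CVE/list hunk here, so check that neither CVE still carries a `[stretch] - curl` marker.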
[Git][security-tracker-team/security-tracker][master] Adjust CVE id reference for node-prismjs issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b4eaf02 by Salvatore Bonaccorso at 2021-09-30T23:17:26+02:00 Adjust CVE id reference for node-prismjs issue - - - - - 2 changed files: - data/next-oldstable-point-update.txt - data/next-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -119,7 +119,7 @@ CVE-2021-41054 [buster] - atftp 0.7.git20120829-3.2+deb10u2 CVE-2021-3749 [buster] - node-axios 0.17.1+dfsg-2+deb10u1 -CVE-2021-40438 +CVE-2021-3801 [buster] - node-prismjs 1.11.0+dfsg-3+deb10u1 (CVE-2021-3807 [buster] - node-ansi-regex 3.0.0-1+deb10u1 = data/next-point-update.txt = @@ -54,7 +54,7 @@ CVE-2021-40540 [bullseye] - ulfius 2.7.1-1+deb11u1 CVE-2021-3807 [bullseye] - node-ansi-regex 5.0.1-1~deb11u1 -CVE-2021-40438 +CVE-2021-3801 [bullseye] - node-prismjs 1.23.0+dfsg-1+deb11u1 CVE-2020-26541 [bullseye] - linux 5.10.70-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b4eaf0235996c20cc51b05abfd24d472ffe50ef -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b4eaf0235996c20cc51b05abfd24d472ffe50ef You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
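Review bot: the correction from CVE-2021-40438 to CVE-2021-3801 is right (CVE-2021-40438 is the Apache HTTP Server mod_proxy issue, not node-prismjs), but the unchanged context line in data/next-oldstable-point-update.txt reads `(CVE-2021-3807` with what looks like a stray opening parenthesis before the id; if that character is really in the file rather than an artifact of the notification, it should be removed in a follow-up, since the point-update lists are parsed by id at line start.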
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2021-3660/cockpit via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e86a999d by Salvatore Bonaccorso at 2021-09-30T22:49:08+02:00 Track fixed version for CVE-2021-3660/cockpit via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10275,7 +10275,7 @@ CVE-2021-37402 (OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 NOT-FOR-US: OX App Suite CVE-2021-3660 RESERVED - - cockpit + - cockpit 254-1 [bullseye] - cockpit (Minor issue) [buster] - cockpit (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1980688 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e86a999d949fbb1e3bd9b38925e5a976150a8441 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e86a999d949fbb1e3bd9b38925e5a976150a8441 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a3c2a52f by Salvatore Bonaccorso at 2021-09-30T22:31:58+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1092,11 +1092,11 @@ CVE-2021-41327 CVE-2021-41326 (In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles p ...) NOT-FOR-US: MISP CVE-2021-41325 (Broken access control for user creation in Pydio Cells 2.2.9 allows re ...) - TODO: check + NOT-FOR-US: Pydio Cells CVE-2021-41324 RESERVED CVE-2021-41323 (Directory traversal in the Compress feature in Pydio Cells 2.2.9 allow ...) - TODO: check + NOT-FOR-US: Pydio Cells CVE-2021-41322 RESERVED CVE-2021-41321 @@ -38411,7 +38411,7 @@ CVE-2021-25965 CVE-2021-25964 RESERVED CVE-2021-25963 (In Shuup, versions 1.6.0 through 2.10.8 are vulnerable to reflected Cr ...) - TODO: check + NOT-FOR-US: Shuup CVE-2021-25962 (Shuup application in versions 0.4.2 to 2.10.8 is affecte ...) NOT-FOR-US: Shuup CVE-2021-25961 (In SuiteCRM application, v7.1.7 through v7.10.31 and v7. ...) @@ -42917,9 +42917,9 @@ CVE-2021-24019 CVE-2021-24018 (A buffer underwrite vulnerability in the firmware verification routine ...) NOT-FOR-US: FortiOS CVE-2021-24017 (An improper authentication in Fortinet FortiManager version 6.4.3 and ...) - TODO: check + NOT-FOR-US: Fortiguard CVE-2021-24016 (An improper neutralization of formula elements in a csv file in Fortin ...) - TODO: check + NOT-FOR-US: Fortiguard CVE-2021-24015 (An improper neutralization of special elements used in an OS Command v ...) NOT-FOR-US: Fortinet CVE-2021-24014 (Multiple instances of improper neutralization of input during web page ...) 
@@ -51549,7 +51549,7 @@ CVE-2021-21091 (Adobe Bridge versions 10.1.1 (and earlier) and 11.0.1 (and earli CVE-2021-21090 (Adobe InCopy version 16.0 (and earlier) is affected by an path travers ...) NOT-FOR-US: Adobe CVE-2021-21089 (Acrobat Reader DC versions versions 2020.013.20074 (and earlier), 2020 ...) - TODO: check + NOT-FOR-US: Acrobat CVE-2021-21088 RESERVED CVE-2021-21087 (Adobe Coldfusion versions 2016 (update 16 and earlier), 2018 (update 1 ...) @@ -81164,7 +81164,7 @@ CVE-2020-20783 CVE-2020-20782 RESERVED CVE-2020-20781 (A stored cross-site scripting (XSS) vulnerability in /ucms/index.php?d ...) - TODO: check + NOT-FOR-US: UCMS CVE-2020-20780 RESERVED CVE-2020-20779 @@ -82492,13 +82492,13 @@ CVE-2020-20133 CVE-2020-20132 RESERVED CVE-2020-20131 (LaraCMS v1.0.1 contains a stored cross-site scripting (XSS) vulnerabil ...) - TODO: check + NOT-FOR-US: LaraCMS CVE-2020-20130 RESERVED CVE-2020-20129 (LaraCMS v1.0.1 contains a stored cross-site scripting (XSS) vulnerabil ...) - TODO: check + NOT-FOR-US: LaraCMS CVE-2020-20128 (LaraCMS v1.0.1 transmits sensitive information in cleartext which can ...) - TODO: check + NOT-FOR-US: LaraCMS CVE-2020-20127 RESERVED CVE-2020-20126 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a3c2a52f02110742a253f319fbd38c1bc26cd486 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a3c2a52f02110742a253f319fbd38c1bc26cd486 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bed6da08 by Salvatore Bonaccorso at 2021-09-30T22:23:38+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -241,7 +241,7 @@ CVE-2021-41731 CVE-2021-41730 RESERVED CVE-2021-41729 (BaiCloud-cms v2.5.7 is affected by an arbitrary file deletion vulnerab ...) - TODO: check + NOT-FOR-US: BaiCloud-cms CVE-2021-41728 RESERVED CVE-2021-41727 
@@ -1172,35 +1172,35 @@ CVE-2021-41303 (Apache Shiro before 1.8.0, when using Apache Shiro with Spring B NOTE: https://www.openwall.com/lists/oss-security/2021/09/17/1 TODO: check CVE-2021-41302 (ECOA BAS controller stores sensitive data (backup exports) in clear-te ...) - TODO: check + NOT-FOR-US: ECOA BAS controller CVE-2021-41301 (ECOA BAS controller is vulnerable to configuration disclosure when dir ...) - TODO: check + NOT-FOR-US: ECOA BAS controller CVE-2021-41300 (ECOA BAS controllers special page displays user account and pas ...) - TODO: check + NOT-FOR-US: ECOA BAS controller CVE-2021-41299 (ECOA BAS controller is vulnerable to hard-coded credentials within its ...) - TODO: check + NOT-FOR-US: ECOA BAS controller CVE-2021-41298 (ECOA BAS controller is vulnerable to insecure direct object references ...) - TODO: check + NOT-FOR-US: ECOA BAS controller CVE-2021-41297 (ECOA BAS controller is vulnerable to weak access control mechanism all ...) - TODO: check + NOT-FOR-US: ECOA BAS controller CVE-2021-41296 (ECOA BAS controller uses weak set of default administrative credential ...) - TODO: check + NOT-FOR-US: ECOA BAS controller CVE-2021-41295 (ECOA BAS controller has a Cross-Site Request Forgery vulnerability, th ...) - TODO: check + NOT-FOR-US: ECOA BAS controller CVE-2021-41294 (ECOA BAS controller suffers from a path traversal vulnerability, causi ...) - TODO: check + NOT-FOR-US: ECOA BAS controller CVE-2021-41293 (ECOA BAS controller suffers from a path traversal vulnerability, causi ...) - TODO: check + NOT-FOR-US: ECOA BAS controller CVE-2021-41292 (ECOA BAS controller suffers from an authentication bypass vulnerabilit ...) - TODO: check + NOT-FOR-US: ECOA BAS controller CVE-2021-41291 (ECOA BAS controller suffers from a path traversal content disclosure v ...) - TODO: check + NOT-FOR-US: ECOA BAS controller CVE-2021-41290 (ECOA BAS controller suffers from an arbitrary file write and path trav ...) 
- TODO: check + NOT-FOR-US: ECOA BAS controller CVE-2021-41289 RESERVED CVE-2021-41288 (Zoho ManageEngine OpManager version 125466 and below is vulnerable to ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine CVE-2021-41287 RESERVED CVE-2021-41286 
@@ -15367,21 +15367,21 @@ CVE-2021-35207 (An issue was discovered in Zimbra Collaboration Suite 8.8 before CVE-2021-35206 (Gitpod before 0.6.0 allows unvalidated redirects. ...) NOT-FOR-US: Gitpod CVE-2021-35205 (NETSCOUT Systems nGeniusONE version 6.3.0 build 1196 allows URL redire ...) - TODO: check + NOT-FOR-US: NETSCOUT CVE-2021-35204 (NETSCOUT Systems nGeniusONE 6.3.0 build 1196 allows Reflected Cross-Si ...) - TODO: check + NOT-FOR-US: NETSCOUT CVE-2021-35203 (NETSCOUT Systems nGeniusONE 6.3.0 build 1196 allows Arbitrary File Rea ...) - TODO: check + NOT-FOR-US: NETSCOUT CVE-2021-35202 (NETSCOUT Systems nGeniusONE 6.3.0 build 1196 allows Authorization Bypa ...) - TODO: check + NOT-FOR-US: NETSCOUT CVE-2021-35201 (NEI in NETSCOUT nGeniusONE 6.3.0 build 1196 allows XML External Entity ...) - TODO: check + NOT-FOR-US: NETSCOUT CVE-2021-35200 (NETSCOUT nGeniusONE 6.3.0 build 1196 allows high-privileged users to a ...) - TODO: check + NOT-FOR-US: NETSCOUT CVE-2021-35199 (NETSCOUT nGeniusONE 6.3.0 build 1196 and earlier allows Stored Cross-S ...) - TODO: check + NOT-FOR-US: NETSCOUT CVE-2021-35198 (NETSCOUT nGeniusONE 6.3.0 build 1004 and earlier allows Stored Cross-S ...) - TODO: check + NOT-FOR-US: NETSCOUT CVE-2021-35197 (In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and ...) - mediawiki 1:1.35.3-1 [bullseye] - mediawiki (Minor issue, wait until next 1.35.x release) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bed6da083da804fd52743c0ce0090fbf0233c017 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bed6da083da804fd52743c0ce0090fbf0233c017 You're receiving this email because of your account on salsa.debian.org. ___
[Git][security-tracker-team/security-tracker][master] Process three NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1e0aff90 by Salvatore Bonaccorso at 2021-09-30T22:20:56+02:00 Process three NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28799,7 +28799,7 @@ CVE-2021-29896 CVE-2021-29895 RESERVED CVE-2021-29894 (IBM Cloud Pak for Security (CP4S) 1.7.0.0, 1.7.1.0, 1.7.2.0, and 1.8.0 ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-29893 RESERVED CVE-2021-29892 @@ -52625,7 +52625,7 @@ CVE-2021-20580 (IBM Planning Analytics 2.0 could be vulnerable to cross-site req CVE-2021-20579 (IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2021-20578 (IBM Cloud Pak for Security (CP4S) 1.7.0.0, 1.7.1.0, 1.7.2.0, and 1.8.0 ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-20577 (IBM Cloud Pak for Security (CP4S) 1.5.0.0 and 1.5.0.1 is vulnerable to ...) NOT-FOR-US: IBM CVE-2021-20576 (IBM Security Verify Access 20.07 could allow a remote attacker to send ...) @@ -52673,7 +52673,7 @@ CVE-2021-20556 CVE-2021-20555 RESERVED CVE-2021-20554 (IBM Sterling Order Management 9.4, 9.5, and 10.0 is vulnerable to cros ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-20553 RESERVED CVE-2021-20552 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e0aff9044ce8a28f0665dc4de4ff0962e8cff0a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e0aff9044ce8a28f0665dc4de4ff0962e8cff0a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2772-1 for taglib
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 0d92c542 by Adrian Bunk at 2021-09-30T23:14:23+03:00 Reserve DLA-2772-1 for taglib - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -213536,7 +213536,6 @@ CVE-2018-11440 (Liblouis 3.5.0 has a stack-based Buffer Overflow in the function CVE-2018-11439 (The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp in TagLi ...) {DLA-1430-1} - taglib 1.11.1+dfsg.1-0.3 (bug #903847) - [stretch] - taglib (Minor issue) NOTE: PoC: http://seclists.org/fulldisclosure/2018/May/49 NOTE: Upstream issue: https://github.com/taglib/taglib/issues/868 NOTE: Pull request: https://github.com/taglib/taglib/pull/869 @@ -260259,7 +260258,6 @@ CVE-2017-12679 (SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the delc NOT-FOR-US: NexusPHP CVE-2017-12678 (In TagLib 1.11.1, the rebuildAggregateFrames function in id3v2framefac ...) - taglib 1.11.1+dfsg.1-0.2 (bug #871511) - [stretch] - taglib (Minor issue) [jessie] - taglib (Vulnerable code not present) [wheezy] - taglib (Vulnerable code not present) - silverjuke (Vulnerable code not present, based on older taglib version) = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Sep 2021] DLA-2772-1 taglib - security update + {CVE-2017-12678 CVE-2018-11439} + [stretch] - taglib 1.11.1+dfsg.1-0.3+deb9u1 [30 Sep 2021] DLA-2771-1 krb5 - security update {CVE-2018-5729 CVE-2018-5730 CVE-2018-20217 CVE-2021-37750} [stretch] - krb5 1.15-1+deb9u3 = data/dla-needed.txt = 
@@ -103,7 +103,5 @@ smarty3 squashfs-tools (Thorsten Alteholz) NOTE: 20210926: coordinate with upload to other releases -- -taglib (Adrian Bunk) --- tiff (Utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0d92c542f63f84d922fd1f89cc5ae7f669c029ab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0d92c542f63f84d922fd1f89cc5ae7f669c029ab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2017-12678: Link to the commit in upstream master
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 40520f09 by Adrian Bunk at 2021-09-30T23:12:20+03:00 CVE-2017-12678: Link to the commit in upstream master - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -260264,7 +260264,7 @@ CVE-2017-12678 (In TagLib 1.11.1, the rebuildAggregateFrames function in id3v2fr [wheezy] - taglib (Vulnerable code not present) - silverjuke (Vulnerable code not present, based on older taglib version) NOTE: https://github.com/taglib/taglib/issues/829 - NOTE: https://github.com/taglib/taglib/pull/831/commits/eb9ded1206f18f2c319157337edea2533a40bea6#diff-37f706c8696a7c1ca939b169c0a04d97 + NOTE: https://github.com/taglib/taglib/commit/cb9f07d9dcd791b63e622da43f7b232adaec0a9a CVE-2017-12677 (IdentityServer3 2.4.x, 2.5.x, and 2.6.x before 2.6.1 has XSS in an Ang ...) NOT-FOR-US: IdentityServer CVE-2017-12676 (In ImageMagick 7.0.6-3, a memory leak vulnerability was found in the f ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/40520f09cb007a151f5a0f3db8e455e78306b020 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/40520f09cb007a151f5a0f3db8e455e78306b020 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 66cba0ef by security tracker role at 2021-09-30T20:10:16+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,17 @@ +CVE-2021-41832 + RESERVED +CVE-2021-41831 + RESERVED +CVE-2021-41830 + RESERVED +CVE-2021-3844 + RESERVED +CVE-2021-3843 + RESERVED +CVE-2021-3842 + RESERVED +CVE-2021-3841 + RESERVED CVE-2021-41829 (Zoho ManageEngine Remote Access Plus before 10.1.2121.1 relies on the ...) NOT-FOR-US: Zoho ManageEngine CVE-2021-41828 (Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded ...) @@ -226,8 +240,8 @@ CVE-2021-41731 RESERVED CVE-2021-41730 RESERVED -CVE-2021-41729 - RESERVED +CVE-2021-41729 (BaiCloud-cms v2.5.7 is affected by an arbitrary file deletion vulnerab ...) + TODO: check CVE-2021-41728 RESERVED CVE-2021-41727 @@ -244,8 +258,8 @@ CVE-2021-41722 RESERVED CVE-2021-41721 RESERVED -CVE-2021-41720 - RESERVED +CVE-2021-41720 (A command injection vulnerability in Lodash in 4.17.21 allows attacker ...) + TODO: check CVE-2021-41719 RESERVED CVE-2021-41718 @@ -450,8 +464,8 @@ CVE-2021-41619 RESERVED CVE-2021-41618 RESERVED -CVE-2021-41616 - RESERVED +CVE-2021-41616 (Apache DB DdlUtils 1.0 included a BinaryObjectsHelper that was intende ...) + TODO: check CVE-2021-3830 (btcpayserver is vulnerable to Improper Neutralization of Input During ...) NOT-FOR-US: btcpayserver CVE-2021-41617 (sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default c ...) 
@@ -1077,12 +1091,12 @@ CVE-2021-41327 RESERVED CVE-2021-41326 (In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles p ...) NOT-FOR-US: MISP -CVE-2021-41325 - RESERVED +CVE-2021-41325 (Broken access control for user creation in Pydio Cells 2.2.9 allows re ...) + TODO: check CVE-2021-41324 RESERVED -CVE-2021-41323 - RESERVED +CVE-2021-41323 (Directory traversal in the Compress feature in Pydio Cells 2.2.9 allow ...) + TODO: check CVE-2021-41322 RESERVED CVE-2021-41321 
@@ -1157,36 +1171,36 @@ CVE-2021-41303 (Apache Shiro before 1.8.0, when using Apache Shiro with Spring B - shiro NOTE: https://www.openwall.com/lists/oss-security/2021/09/17/1 TODO: check -CVE-2021-41302 - RESERVED -CVE-2021-41301 - RESERVED -CVE-2021-41300 - RESERVED -CVE-2021-41299 - RESERVED -CVE-2021-41298 - RESERVED -CVE-2021-41297 - RESERVED -CVE-2021-41296 - RESERVED -CVE-2021-41295 - RESERVED -CVE-2021-41294 - RESERVED -CVE-2021-41293 - RESERVED -CVE-2021-41292 - RESERVED -CVE-2021-41291 - RESERVED -CVE-2021-41290 - RESERVED +CVE-2021-41302 (ECOA BAS controller stores sensitive data (backup exports) in clear-te ...) + TODO: check +CVE-2021-41301 (ECOA BAS controller is vulnerable to configuration disclosure when dir ...) + TODO: check +CVE-2021-41300 (ECOA BAS controllers special page displays user account and pas ...) + TODO: check +CVE-2021-41299 (ECOA BAS controller is vulnerable to hard-coded credentials within its ...) + TODO: check +CVE-2021-41298 (ECOA BAS controller is vulnerable to insecure direct object references ...) + TODO: check +CVE-2021-41297 (ECOA BAS controller is vulnerable to weak access control mechanism all ...) + TODO: check +CVE-2021-41296 (ECOA BAS controller uses weak set of default administrative credential ...) + TODO: check +CVE-2021-41295 (ECOA BAS controller has a Cross-Site Request Forgery vulnerability, th ...) + TODO: check +CVE-2021-41294 (ECOA BAS controller suffers from a path traversal vulnerability, causi ...) + TODO: check +CVE-2021-41293 (ECOA BAS controller suffers from a path traversal vulnerability, causi ...) + TODO: check +CVE-2021-41292 (ECOA BAS controller suffers from an authentication bypass vulnerabilit ...) + TODO: check +CVE-2021-41291 (ECOA BAS controller suffers from a path traversal content disclosure v ...) + TODO: check +CVE-2021-41290 (ECOA BAS controller suffers from an arbitrary file write and path trav ...) 
+ TODO: check CVE-2021-41289 RESERVED -CVE-2021-41288 - RESERVED +CVE-2021-41288 (Zoho ManageEngine OpManager version 125466 and below is vulnerable to ...) + TODO: check CVE-2021-41287 RESERVED CVE-2021-41286 @@ -1549,8 +1563,8 @@ CVE-2021-4 RESERVED CVE-2021-41110 RESERVED -CVE-2021-41109 - RESERVED +CVE-2021-41109 (Parse Server is an open source backend that can be deployed to any inf ...) + TODO: check CVE-2021-41108 RESERVED CVE-2021-41107
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2771-1 for krb5
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 210740c6 by Adrian Bunk at 2021-09-30T23:04:09+03:00 Reserve DLA-2771-1 for krb5 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -182665,7 +182665,6 @@ CVE-2018-20218 (An issue was discovered on Teracue ENC-400 devices with firmware CVE-2018-20217 (A Reachable Assertion issue was discovered in the KDC in MIT Kerberos ...) {DLA-1643-1} - krb5 1.16.2-1 (low; bug #917387) - [stretch] - krb5 (Minor issue) NOTE: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763 NOTE: https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086 CVE-2018-20216 (QEMU can have an infinite loop in hw/rdma/vmw/pvrdma_dev_ring.c becaus ...) @@ -230068,13 +230067,11 @@ CVE-2018-5731 (An issue was discovered in Heimdal PRO 2.2.190. As part of the sc CVE-2018-5730 (MIT krb5 1.6 or later allows an authenticated kadmin with permission t ...) {DLA-1643-1} - krb5 1.16.1-1 (bug #891869) - [stretch] - krb5 (Minor issue) [wheezy] - krb5 (Minor issue) NOTE: Fixed by: https://github.com/krb5/krb5/commit/e1caf6fb74981da62039846931ebdffed71309d1 CVE-2018-5729 (MIT krb5 1.6 or later allows an authenticated kadmin with permission t ...) {DLA-1643-1} - krb5 1.16.1-1 (bug #891869) - [stretch] - krb5 (Minor issue) [wheezy] - krb5 (Minor issue) NOTE: Fixed by: https://github.com/krb5/krb5/commit/e1caf6fb74981da62039846931ebdffed71309d1 CVE-2018-5728 (Cobham Sea Tel 121 build 222701 devices allow remote attackers to obta ...) = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Sep 2021] DLA-2771-1 krb5 - security update + {CVE-2018-5729 CVE-2018-5730 CVE-2018-20217 CVE-2021-37750} + [stretch] - krb5 1.15-1+deb9u3 [30 Sep 2021] DLA-2770-1 weechat - security update {CVE-2020-8955 CVE-2020-9759 CVE-2020-9760 CVE-2021-40516} [stretch] - weechat 1.6-1+deb9u3 = data/dla-needed.txt = 
@@ -51,9 +51,6 @@ firmware-nonfree -- jsoup (Markus Koschany) -- -krb5 (Adrian Bunk) - NOTE: 20210905: testing fixes --- linux (Ben Hutchings) -- linux-4.19 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/210740c63e59d4ad1c2e1352139677b9b5f568f1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/210740c63e59d4ad1c2e1352139677b9b5f568f1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
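Review bot: the DLA/list entry credits DLA-2771-1 with four ids (`CVE-2018-5729 CVE-2018-5730 CVE-2018-20217 CVE-2021-37750`), but the data/CVE/list hunks only drop the `[stretch] - krb5 (Minor issue)` markers for the three 2018 issues; there is no hunk touching CVE-2021-37750, so confirm that entry has no stretch marker left that would now contradict the DLA. The `{DLA-1643-1}` references kept on the 2018 entries are fine, since the new DLA is picked up from DLA/list.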
[Git][security-tracker-team/security-tracker][master] new mediawiki issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c0c9fd84 by Moritz Muehlenhoff at 2021-09-30T21:44:30+02:00 new mediawiki issues - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -56,12 +56,16 @@ CVE-2021-41802 RESERVED CVE-2021-41801 RESERVED + - mediawiki 1:1.35.4-1 CVE-2021-41800 RESERVED + - mediawiki 1:1.35.4-1 CVE-2021-41799 RESERVED + - mediawiki 1:1.35.4-1 CVE-2021-41798 RESERVED + - mediawiki 1:1.35.4-1 CVE-2021-41797 RESERVED CVE-2021-41796 = data/dsa-needed.txt = @@ -34,6 +34,8 @@ linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v4.19.y versions. -- +mediawiki (jmm) +-- ndpi -- nodejs (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0c9fd8448f5f2bd38619ade909a6b75b529f361 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0c9fd8448f5f2bd38619ade909a6b75b529f361 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
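Review bot: the four new `- mediawiki 1:1.35.4-1` lines hang under entries that are still `RESERVED`, which the tracker accepts, but with mediawiki now queued in dsa-needed.txt it is worth revisiting CVE-2021-35197 in the same pass: earlier in this digest (commit bed6da08) its bullseye line still reads `(Minor issue, wait until next 1.35.x release)`, and 1.35.4 is that release, so the DSA should probably cover it too.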
[Git][security-tracker-team/security-tracker][master] vim fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ea3dd7f4 by Moritz Muehlenhoff at 2021-09-30T21:40:51+02:00 vim fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2080,7 +2080,7 @@ CVE-2021-40865 CVE-2021-3797 (hestiacp is vulnerable to Use of Wrong Operator in String Comparison ...) NOT-FOR-US: Hestia Control Panel CVE-2021-3796 (vim is vulnerable to Use After Free ...) - - vim (bug #994497) + - vim 2:8.2.3455-1 (bug #994497) [bullseye] - vim (Minor issue) [buster] - vim (Minor issue) [stretch] - vim (Minor issue) @@ -2525,7 +2525,7 @@ CVE-2021-40682 CVE-2021-3779 RESERVED CVE-2021-3778 (vim is vulnerable to Heap-based Buffer Overflow ...) - - vim (bug #994498) + - vim 2:8.2.3455-1 (bug #994498) [bullseye] - vim (Minor issue) [buster] - vim (Minor issue) [stretch] - vim (Minor issue) @@ -2917,7 +2917,7 @@ CVE-2021-40516 (WeeChat before 3.2.1 allows remote attackers to cause a denial o CVE-2021-40515 RESERVED CVE-2021-3770 (vim is vulnerable to Heap-based Buffer Overflow ...) - - vim (bug #994076) + - vim 2:8.2.3455-1 (bug #994076) [bullseye] - vim (Minor issue) [buster] - vim (Minor issue) [stretch] - vim (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ea3dd7f406f49e067e4fbbbc5dcb6e180a0ea063 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ea3dd7f406f49e067e4fbbbc5dcb6e180a0ea063 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track CVE fixes for linux via bullseye-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d7583d01 by Salvatore Bonaccorso at 2021-09-30T21:20:19+02:00 Track CVE fixes for linux via bullseye-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -56,3 +56,15 @@ CVE-2021-3807 [bullseye] - node-ansi-regex 5.0.1-1~deb11u1 CVE-2021-40438 [bullseye] - node-prismjs 1.23.0+dfsg-1+deb11u1 +CVE-2020-26541 + [bullseye] - linux 5.10.70-1 +CVE-2021-35039 + [bullseye] - linux 5.10.70-1 +CVE-2021-37159 + [bullseye] - linux 5.10.70-1 +CVE-2021-38204 + [bullseye] - linux 5.10.70-1 +CVE-2021-38205 + [bullseye] - linux 5.10.70-1 +CVE-2021-38300 + [bullseye] - linux 5.10.70-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7583d015db31f3835e6ce96d7b02027ac1cbf6c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7583d015db31f3835e6ce96d7b02027ac1cbf6c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
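Review bot: the six new `[bullseye] - linux 5.10.70-1` lines are consistent, but note that the unchanged context line `CVE-2021-40438 [bullseye] - node-prismjs 1.23.0+dfsg-1+deb11u1` is a mis-assigned id; it is corrected to CVE-2021-3801 in the later commit 2b4eaf02 in this digest, so anyone applying this hunk in isolation should pick up that fix as well.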
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: aad0d35d by Moritz Muehlenhoff at 2021-09-30T21:16:21+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -67,7 +67,7 @@ CVE-2021-41797 CVE-2021-41796 RESERVED CVE-2021-41795 (The Safari app extension bundled with 1Password for Mac 7.7.0 through ...) - TODO: check + NOT-FOR-US: 1Password CVE-2021-41794 RESERVED CVE-2021-41793 @@ -151,7 +151,7 @@ CVE-2021-3831 CVE-2021-41765 RESERVED CVE-2021-41764 (A cross-site request forgery (CSRF) vulnerability exists in Streama up ...) - TODO: check + NOT-FOR-US: Streama CVE-2021-41763 RESERVED CVE-2021-41762 @@ -1722,7 +1722,7 @@ CVE-2021-41036 CVE-2021-41035 RESERVED CVE-2021-41034 (The build of some language stacks of Eclipse Che version 6 includes pu ...) - TODO: check + NOT-FOR-US: Eclipse Che CVE-2021-41033 (In all released versions of Eclipse Equinox, at least until version 4. ...) NOT-FOR-US: Eclipse Equinox CVE-2021-41032 @@ -2594,7 +2594,7 @@ CVE-2021-40653 CVE-2021-40652 RESERVED CVE-2021-40651 (OS4Ed OpenSIS Community 8.0 is vulnerable to a local file inclusion vu ...) - TODO: check + NOT-FOR-US: OS4Ed OpenSIS Community CVE-2021-40650 RESERVED CVE-2021-40649 @@ -5586,7 +5586,7 @@ CVE-2021-39344 CVE-2021-39343 RESERVED CVE-2021-39342 (The Credova_Financial WordPress plugin discloses a site's associated C ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-39341 RESERVED CVE-2021-39340 
@@ -13683,11 +13683,11 @@ CVE-2021-35947 (The public share controller in the ownCloud server before versio CVE-2021-35946 (A receiver of a federated share with access to the database with ownCl ...) - owncloud CVE-2021-35945 (Couchbase Server 6.5.x, 6.6.0 through 6.6.2, and 7.0.0, has a Buffer O ...) - TODO: check + NOT-FOR-US: Couchbase Server CVE-2021-35944 (Couchbase Server 6.5.x, 6.6.x through 6.6.2, and 7.0.0 has a Buffer Ov ...) - TODO: check + NOT-FOR-US: Couchbase Server CVE-2021-35943 (Couchbase Server 6.5.x and 6.6.x through 6.6.2 has Incorrect Access Co ...) - TODO: check + NOT-FOR-US: Couchbase Server CVE-2021-35942 (The wordexp function in the GNU C Library (aka glibc) through 2.33 may ...) - glibc 2.31-13 (bug #990542) [buster] - glibc (Minor issue) 
@@ -38393,13 +38393,13 @@ CVE-2021-25964 CVE-2021-25963 RESERVED CVE-2021-25962 (Shuup application in versions 0.4.2 to 2.10.8 is affecte ...) - TODO: check + NOT-FOR-US: Shuup CVE-2021-25961 (In SuiteCRM application, v7.1.7 through v7.10.31 and v7. ...) - TODO: check + NOT-FOR-US: SuiteCRM CVE-2021-25960 (In SuiteCRM application, v7.11.18 through v7.11.19 and v ...) - TODO: check + NOT-FOR-US: SuiteCRM CVE-2021-25959 (In OpenCRX, versions v4.0.0 through v5.1.0 are vulnerable to reflected ...) - TODO: check + NOT-FOR-US: OpenCRX CVE-2021-25958 (In Apache Ofbiz, versions v17.12.01 to v17.12.07 implement a try catch ...) NOT-FOR-US: Apache Ofbiz CVE-2021-25957 (In Dolibarr application, v2.8.1 to v13.0.2 are vulnerabl ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aad0d35d4468959badb8708be1a9994968ddb551 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aad0d35d4468959badb8708be1a9994968ddb551 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
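Review bot: the NOT-FOR-US label for CVE-2021-39342 in the @@ -5586 hunk says only "WordPress plugin" although the description names the Credova_Financial plugin; every other entry in this commit names the product (1Password, Streama, Eclipse Che, OpenSIS, Couchbase Server, Shuup, SuiteCRM, OpenCRX), so use the plugin name here as well so the entry can be found by name later.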
[Git][security-tracker-team/security-tracker][master] CVE-2021-40438/apache2: clarify patches + re-order regression fixes
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: bffb81a1 by Sylvain Beucler at 2021-09-30T17:20:26+02:00 CVE-2021-40438/apache2: clarify patches + re-order regression fixes Cf. https://bugzilla.suse.com/show_bug.cgi?id=1190703#c1 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -3095,10 +3095,10 @@ CVE-2021-40439 CVE-2021-40438 (A crafted request uri-path can cause mod_proxy to forward the request ...) - apache2 2.4.49-1 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-40438 - NOTE: https://github.com/apache/httpd/commit/496c863776c68bd08cdbeb7d8fa5935ba63b76c2 (2.4.x) - NOTE: https://github.com/apache/httpd/commit/d4901cb32133bc0e59ad193a29d1665597080d67 (2.4.x) - NOTE: Regression fix: https://github.com/apache/httpd/commit/81a8b0133b46c4cf7dfc4b5476ad46eb34aa0a5c (2.4.x) - NOTE: Second regression fix: https://github.com/apache/httpd/commit/6e768a811c59ca6a0769b72681aaef381823339f (2.4.x) + NOTE: Minimal fix: https://github.com/apache/httpd/commit/496c863776c68bd08cdbeb7d8fa5935ba63b76c2 (2.4.x) + NOTE: Future-proof follow-up: https://github.com/apache/httpd/commit/d4901cb32133bc0e59ad193a29d1665597080d67 (2.4.x) + NOTE: Regression fix #1: https://github.com/apache/httpd/commit/6e768a811c59ca6a0769b72681aaef381823339f (2.4.x) + NOTE: Regression fix #2: https://github.com/apache/httpd/commit/81a8b0133b46c4cf7dfc4b5476ad46eb34aa0a5c (2.4.x) CVE-2021-40491 (The ftp client in GNU Inetutils before 2.2 does not validate addresses ...) - inetutils 2:2.2-1 (bug #993476) [bullseye] - inetutils (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bffb81a16bdd0fb3f549078b48f1b10114b3eb2c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bffb81a16bdd0fb3f549078b48f1b10114b3eb2c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
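Review bot: the entry records apache2 2.4.49-1 as fixed while the NOTE lines now list four upstream commits, two of them labelled regression fixes (6e768a81 as #1 and 81a8b013 as #2, the previous order reversed); the NOTEs do not say which of the four are contained in 2.4.49-1, so state that explicitly or, if the regression fixes post-date 2.4.49, add a NOTE that a follow-up upload is needed. The split into "Minimal fix" and "Future-proof follow-up" is useful for the older suites, which are still tagged (Minor issue); consider noting which of the two is intended for those backports.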
[Git][security-tracker-team/security-tracker][master] 2 commits: Reserve DLA-2770-1 for weechat
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 7547195e by Adrian Bunk at 2021-09-30T13:49:47+03:00 Reserve DLA-2770-1 for weechat - - - - - dd5a5a27 by Adrian Bunk at 2021-09-30T15:11:21+03:00 dla: take taglib - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -109593,13 +109593,11 @@ CVE-2020-9760 (An issue was discovered in WeeChat before 2.7.1 (0.3.4 to 2.7 are {DLA-2157-1} - weechat 2.7.1-1 [buster] - weechat (Minor issue) - [stretch] - weechat (Minor issue) NOTE: https://github.com/weechat/weechat/commit/694b5c9f874d7337cd2e03761e0de435275dd64d CVE-2020-9759 (A Vulnerability of LG Electronic web OS TV Emulator could allow an att ...) {DLA-2157-1} - weechat 2.7.1-1 [buster] - weechat (Minor issue) - [stretch] - weechat (Minor issue) NOTE: https://github.com/weechat/weechat/commit/c827d6fa864e2c0b79cea640c45272e83703081e CVE-2020-9758 (An issue was discovered in chat.php in LiveZilla Live Chat 8.0.1.3 (He ...) NOT-FOR-US: LiveZilla Live Chat @@ -111518,7 +111516,6 @@ CVE-2020-8955 (irc_mode_channel_update in plugins/irc/irc-mode.c in WeeChat thro {DLA-2157-1} - weechat 2.7.1-1 (bug #951289) [buster] - weechat (Minor issue) - [stretch] - weechat (Minor issue) NOTE: https://github.com/weechat/weechat/commit/6f4f147d8e86adf9ad34a8ffd7e7f1f23a7e74da CVE-2020-8954 (OpenSearch Web browser 1.0.4.9 allows Intent Scheme Hijacking.[a link ...) NOT-FOR-US: OpenSearch Web browser = data/DLA/list = 
@@ -1,3 +1,6 @@ +[30 Sep 2021] DLA-2770-1 weechat - security update + {CVE-2020-8955 CVE-2020-9759 CVE-2020-9760 CVE-2021-40516} + [stretch] - weechat 1.6-1+deb9u3 [29 Sep 2021] DLA-2769-1 libxstream-java - security update {CVE-2021-39139 CVE-2021-39140 CVE-2021-39141 CVE-2021-39144 CVE-2021-39145 CVE-2021-39146 CVE-2021-39147 CVE-2021-39148 CVE-2021-39149 CVE-2021-39150 CVE-2021-39151 CVE-2021-39152 CVE-2021-39153 CVE-2021-39154} [stretch] - libxstream-java 1.4.11.1-1+deb9u4 = data/dla-needed.txt = @@ -106,7 +106,7 @@ smarty3 squashfs-tools (Thorsten Alteholz) NOTE: 20210926: coordinate with upload to other releases -- -tiff (Utkarsh) +taglib (Adrian Bunk) -- -weechat (Adrian Bunk) +tiff (Utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/54ab6f37f51636e082de1438ea4f5cdc6054fece...dd5a5a27768b29b5a977eb58ed8e5ef45e498f06 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/54ab6f37f51636e082de1438ea4f5cdc6054fece...dd5a5a27768b29b5a977eb58ed8e5ef45e498f06 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
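Review bot: the DLA/list entry for DLA-2770-1 references four CVEs (CVE-2020-8955 CVE-2020-9759 CVE-2020-9760 CVE-2021-40516) but the data/CVE/list hunks only drop the "[stretch] - weechat (Minor issue)" line for the first three; CVE-2021-40516 is not touched here, so check that its stretch state was already updated. Also, the context line for CVE-2020-9759 describes an LG Electronics webOS TV emulator issue while the entry is tracked as weechat with a weechat commit; confirm that this is the ID upstream uses for the weechat fix before it is cited in the DLA text.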
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 54ab6f37 by Salvatore Bonaccorso at 2021-09-30T10:28:56+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,21 +1,21 @@ CVE-2021-41829 (Zoho ManageEngine Remote Access Plus before 10.1.2121.1 relies on the ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine CVE-2021-41828 (Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine CVE-2021-41827 (Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine CVE-2021-41826 (PlaceOS Authentication Service before 1.29.10.0 allows app/controllers ...) - TODO: check + NOT-FOR-US: PlaceOS Authentication Service CVE-2021-41825 RESERVED CVE-2021-41824 (Craft CMS before 3.7.14 allows CSV injection. ...) - TODO: check + NOT-FOR-US: Craft CMS CVE-2021-41823 RESERVED CVE-2021-41822 RESERVED CVE-2021-41821 (Wazuh Manager in Wazuh through 4.1.5 is affected by a remote Integer U ...) - TODO: check + NOT-FOR-US: Wazuh CVE-2021-41820 RESERVED CVE-2021-41819 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54ab6f37f51636e082de1438ea4f5cdc6054fece -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54ab6f37f51636e082de1438ea4f5cdc6054fece You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0a93b843 by security tracker role at 2021-09-30T08:10:11+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,89 @@ +CVE-2021-41829 (Zoho ManageEngine Remote Access Plus before 10.1.2121.1 relies on the ...) + TODO: check +CVE-2021-41828 (Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded ...) + TODO: check +CVE-2021-41827 (Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded ...) + TODO: check +CVE-2021-41826 (PlaceOS Authentication Service before 1.29.10.0 allows app/controllers ...) + TODO: check +CVE-2021-41825 + RESERVED +CVE-2021-41824 (Craft CMS before 3.7.14 allows CSV injection. ...) + TODO: check +CVE-2021-41823 + RESERVED +CVE-2021-41822 + RESERVED +CVE-2021-41821 (Wazuh Manager in Wazuh through 4.1.5 is affected by a remote Integer U ...) + TODO: check +CVE-2021-41820 + RESERVED +CVE-2021-41819 + RESERVED +CVE-2021-41818 + RESERVED +CVE-2021-41817 + RESERVED +CVE-2021-41816 + RESERVED +CVE-2021-41815 + RESERVED +CVE-2021-41814 + RESERVED +CVE-2021-41813 + RESERVED +CVE-2021-41812 + RESERVED +CVE-2021-41811 + RESERVED +CVE-2021-41810 + RESERVED +CVE-2021-41809 + RESERVED +CVE-2021-41808 + RESERVED +CVE-2021-41807 + RESERVED +CVE-2021-41806 + RESERVED +CVE-2021-41805 + RESERVED +CVE-2021-41804 + RESERVED +CVE-2021-41803 + RESERVED +CVE-2021-41802 + RESERVED +CVE-2021-41801 + RESERVED +CVE-2021-41800 + RESERVED +CVE-2021-41799 + RESERVED +CVE-2021-41798 + RESERVED +CVE-2021-41797 + RESERVED +CVE-2021-41796 + RESERVED +CVE-2021-41795 (The Safari app extension bundled with 1Password for Mac 7.7.0 through ...) + TODO: check +CVE-2021-41794 + RESERVED +CVE-2021-41793 + RESERVED +CVE-2021-41792 + RESERVED +CVE-2021-41791 + RESERVED +CVE-2021-41790 + RESERVED +CVE-2021-41789 + RESERVED +CVE-2021-41788 + RESERVED +CVE-2021-3840 + RESERVED CVE-2021-41787 RESERVED CVE-2021-41786 
@@ -1635,8 +1721,8 @@ CVE-2021-41036 RESERVED CVE-2021-41035 RESERVED -CVE-2021-41034 - RESERVED +CVE-2021-41034 (The build of some language stacks of Eclipse Che version 6 includes pu ...) + TODO: check CVE-2021-41033 (In all released versions of Eclipse Equinox, at least until version 4. ...) NOT-FOR-US: Eclipse Equinox CVE-2021-41032 @@ -5499,8 +5585,8 @@ CVE-2021-39344 RESERVED CVE-2021-39343 RESERVED -CVE-2021-39342 - RESERVED +CVE-2021-39342 (The Credova_Financial WordPress plugin discloses a site's associated C ...) + TODO: check CVE-2021-39341 RESERVED CVE-2021-39340 @@ -8548,7 +8634,7 @@ CVE-2021-3683 RESERVED CVE-2021-38113 (In addBouquet in js/bqe.js in OpenWebif (aka e2openplugin-OpenWebif) t ...) NOT-FOR-US: OpenWebif (aka e2openplugin-OpenWebif) -CVE-2021-38112 (In the Amazon AWS WorkSpaces client before 3.1.9 on Windows, argument ...) +CVE-2021-38112 (In the Amazon AWS WorkSpaces client 3.0.10 through 3.1.8 on Windows, a ...) NOT-FOR-US: Amazon AWS client for Windows CVE-2021-38111 (The DEF CON 27 badge allows remote attackers to exploit a buffer overf ...) NOT-FOR-US: DEF CON 27 badge @@ -11557,8 +11643,7 @@ CVE-2021-36776 RESERVED CVE-2021-36775 RESERVED -CVE-2021-3653 [KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl] - RESERVED +CVE-2021-3653 (A flaw was found in the KVM's AMD code for supporting SVM nested virtu ...) {DSA-4978-1} - linux 5.14.6-1 NOTE: https://www.openwall.com/lists/oss-security/2021/08/16/1 
@@ -13597,12 +13682,12 @@ CVE-2021-35947 (The public share controller in the ownCloud server before versio - owncloud CVE-2021-35946 (A receiver of a federated share with access to the database with ownCl ...) - owncloud -CVE-2021-35945 - RESERVED -CVE-2021-35944 - RESERVED -CVE-2021-35943 - RESERVED +CVE-2021-35945 (Couchbase Server 6.5.x, 6.6.0 through 6.6.2, and 7.0.0, has a Buffer O ...) + TODO: check +CVE-2021-35944 (Couchbase Server 6.5.x, 6.6.x through 6.6.2, and 7.0.0 has a Buffer Ov ...) + TODO: check +CVE-2021-35943 (Couchbase Server 6.5.x and 6.6.x through 6.6.2 has Incorrect Access Co ...) + TODO: check CVE-2021-35942 (The wordexp function in the GNU C Library (aka glibc) through 2.33 may ...) - glibc 2.31-13 (bug #990542) [buster] - glibc (Minor issue) @@ -45277,13 +45362,11 @@ CVE-2021-22949 (A CSRF in Concrete CMS version 8.5.5 and below allows an attacke NOT-FOR-US: Concrete CMS
[Git][security-tracker-team/security-tracker][master] new rpm issue (concludes external check)
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 61bbdc25 by Moritz Muehlenhoff at 2021-09-30T09:28:56+02:00 new rpm issue (concludes external check) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23405,6 +23405,10 @@ CVE-2020-36327 (Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes NOTE: https://github.com/rubygems/rubygems/issues/3982 CVE-2021-3521 RESERVED + - rpm + [bullseye] - rpm (Minor issue) + [buster] - rpm (Minor issue) + NOTE: https://github.com/rpm-software-management/rpm/pull/1788 CVE-2021-3520 (There's a flaw in lz4. An attacker who submits a crafted file to an ap ...) {DSA-4919-1 DLA-2657-1} - lz4 1.9.3-2 (bug #987856) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61bbdc258d4064acc4f626212719d9c7d5c5d6bd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61bbdc258d4064acc4f626212719d9c7d5c5d6bd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
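Review bot: CVE-2021-3521 is left as a bare RESERVED line even though the package, the suite tags and the upstream PR are now known; the tracker's convention for an unpublished ID with known details is a bracketed summary after the CVE number (compare the CVE-2021-3653 [KVM: nSVM: ...] entry earlier on this page, before its description landed), so add one such as CVE-2021-3521 [...] taken from the subject of rpm PR #1788 so the entry is searchable. The entry also has no Debian bug reference, which the other no-dsa entries on this page carry, and no stretch line; if rpm is present in stretch, add a [stretch] triage line as well.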