[Git][security-tracker-team/security-tracker][master] Add fixed version via unstable for CVE-2021-29063/mpmath

2021-09-30 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4cbf8c15 by Salvatore Bonaccorso at 2021-10-01T06:38:05+02:00
Add fixed version via unstable for CVE-2021-29063/mpmath

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -30822,7 +30822,7 @@ CVE-2021-29065 (NETGEAR RBR850 devices before 3.2.10.11 
are affected by authenti
 CVE-2021-29064
RESERVED
 CVE-2021-29063 (A Regular Expression Denial of Service (ReDOS) vulnerability 
was disco ...)
-   - mpmath  (bug #990576)
+   - mpmath 1.2.1-2 (bug #990576)
[bullseye] - mpmath  (Minor issue)
[buster] - mpmath  (Minor issue)
[stretch] - mpmath  (Minor issue)
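Review bot: the three stable suites keep their (Minor issue) marker with no fixed version, so recording 1.2.1-2 for unstable still leaves the ReDoS in CVE-2021-29063 open in bullseye, buster and stretch; if the upstream change is a small regular-expression fix, consider queueing it in next-point-update.txt / next-oldstable-point-update.txt instead of leaving all three without a fix, or add a NOTE giving the reason no-dsa is the final state.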



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4cbf8c15a4f239ad3d38c8f128802ff41ddb0380

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4cbf8c15a4f239ad3d38c8f128802ff41ddb0380
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2774-1 for openssl1.0

2021-09-30 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a8633aba by Thorsten Alteholz at 2021-10-01T00:00:06+02:00
Reserve DLA-2774-1 for openssl1.0

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[30 Sep 2021] DLA-2774-1 openssl1.0 - security update
+   {CVE-2021-3712}
+   [stretch] - openssl1.0 1.0.2u-1~deb9u6
 [30 Sep 2021] DLA-2773-1 curl - security update
{CVE-2021-22946 CVE-2021-22947}
[stretch] - curl 7.52.1-5+deb9u16


=
data/dla-needed.txt
=
@@ -64,9 +64,6 @@ nvidia-graphics-drivers
   NOTE: package is in non-free but also in packages-to-support
   NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in 
Stretch, no fix available for CVE-2021-1077
 --
-openssl1.0 (Thorsten Alteholz)
-  NOTE: 20210926: testing package, tests still don't pass
---
 plib (Anton Gladky)
   NOTE: 20210829: no fix yet. (thorsten)
   NOTE: 20210829: upstream bug mentions that it might never get fixed. 
(utkarsh)
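Review bot: the removed dla-needed entry carried the only record that the openssl1.0 test suite still did not pass as of 20210926, and nothing in this commit says that was resolved before DLA-2774-1 was reserved; either confirm in the DLA text that the tests now pass, or keep a NOTE on the issue so a later reader knows whether 1.0.2u-1~deb9u6 was released with a failing test suite.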



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a8633aba50e683ab90d66cdc6632f9e472498f0b



[Git][security-tracker-team/security-tracker][master] Reserve DLA-2773-1 for curl

2021-09-30 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
627ed4d8 by Thorsten Alteholz at 2021-09-30T23:55:23+02:00
Reserve DLA-2773-1 for curl

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[30 Sep 2021] DLA-2773-1 curl - security update
+   {CVE-2021-22946 CVE-2021-22947}
+   [stretch] - curl 7.52.1-5+deb9u16
 [30 Sep 2021] DLA-2772-1 taglib - security update
{CVE-2017-12678 CVE-2018-11439}
[stretch] - taglib 1.11.1+dfsg.1-0.3+deb9u1


=
data/dla-needed.txt
=
@@ -29,9 +29,6 @@ cacti (Roberto C. Sánchez)
   NOTE: 20210829: not really sure whether affected, please recheck
   NOTE: 20210914: still assessing whether or not affected (roberto)
 --
-curl (Thorsten Alteholz)
-  NOTE: 20210926: coordinate with upload to other releases
---
 debian-archive-keyring (Utkarsh)
   NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html
   NOTE: 20210920: Raphael answered. will backport today. (utkarsh)
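Review bot: dropping `NOTE: 20210926: coordinate with upload to other releases` leaves no trace of whether the curl fix for CVE-2021-22946 and CVE-2021-22947 was coordinated with the buster and bullseye uploads before 7.52.1-5+deb9u16 went out; a one-line NOTE in the DLA entry or in the commit pointing at the corresponding DSA or point-update entry would let a reader confirm the three suites are in step.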



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/627ed4d8e6101c93485d056047b9e9655d6c8cf5



[Git][security-tracker-team/security-tracker][master] Adjust CVE id reference for node-prismjs issue

2021-09-30 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2b4eaf02 by Salvatore Bonaccorso at 2021-09-30T23:17:26+02:00
Adjust CVE id reference for node-prismjs issue

- - - - -


2 changed files:

- data/next-oldstable-point-update.txt
- data/next-point-update.txt


Changes:

=
data/next-oldstable-point-update.txt
=
@@ -119,7 +119,7 @@ CVE-2021-41054
[buster] - atftp 0.7.git20120829-3.2+deb10u2
 CVE-2021-3749
[buster] - node-axios 0.17.1+dfsg-2+deb10u1
-CVE-2021-40438
+CVE-2021-3801
[buster] - node-prismjs 1.11.0+dfsg-3+deb10u1
 (CVE-2021-3807
[buster] - node-ansi-regex 3.0.0-1+deb10u1


=
data/next-point-update.txt
=
@@ -54,7 +54,7 @@ CVE-2021-40540
[bullseye] - ulfius 2.7.1-1+deb11u1
 CVE-2021-3807
[bullseye] - node-ansi-regex 5.0.1-1~deb11u1
-CVE-2021-40438
+CVE-2021-3801
[bullseye] - node-prismjs 1.23.0+dfsg-1+deb11u1
 CVE-2020-26541
[bullseye] - linux 5.10.70-1
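Review bot: the id for the node-prismjs fix is swapped from CVE-2021-40438 to CVE-2021-3801 in both point-update files, but data/CVE/list is not touched in this commit; check that CVE-2021-3801 there ends up carrying the same 1.11.0+dfsg-3+deb10u1 and 1.23.0+dfsg-1+deb11u1 versions once the point updates are released, and that nothing left under CVE-2021-40438 still claims a node-prismjs fix, otherwise the tracker will report the wrong issue as resolved in buster and bullseye.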



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b4eaf0235996c20cc51b05abfd24d472ffe50ef



[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2021-3660/cockpit via unstable

2021-09-30 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e86a999d by Salvatore Bonaccorso at 2021-09-30T22:49:08+02:00
Track fixed version for CVE-2021-3660/cockpit via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -10275,7 +10275,7 @@ CVE-2021-37402 (OX App Suite before 7.10.3-rev32 and 
7.10.4 before 7.10.4-rev18
NOT-FOR-US: OX App Suite
 CVE-2021-3660
RESERVED
-   - cockpit 
+   - cockpit 254-1
[bullseye] - cockpit  (Minor issue)
[buster] - cockpit  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1980688



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e86a999d949fbb1e3bd9b38925e5a976150a8441



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2021-09-30 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a3c2a52f by Salvatore Bonaccorso at 2021-09-30T22:31:58+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1092,11 +1092,11 @@ CVE-2021-41327
 CVE-2021-41326 (In MISP before 2.4.148, app/Lib/Export/OpendataExport.php 
mishandles p ...)
NOT-FOR-US: MISP
 CVE-2021-41325 (Broken access control for user creation in Pydio Cells 2.2.9 
allows re ...)
-   TODO: check
+   NOT-FOR-US: Pydio Cells
 CVE-2021-41324
RESERVED
 CVE-2021-41323 (Directory traversal in the Compress feature in Pydio Cells 
2.2.9 allow ...)
-   TODO: check
+   NOT-FOR-US: Pydio Cells
 CVE-2021-41322
RESERVED
 CVE-2021-41321
@@ -38411,7 +38411,7 @@ CVE-2021-25965
 CVE-2021-25964
RESERVED
 CVE-2021-25963 (In Shuup, versions 1.6.0 through 2.10.8 are vulnerable to 
reflected Cr ...)
-   TODO: check
+   NOT-FOR-US: Shuup
 CVE-2021-25962 (Shuup application in versions 0.4.2 to 2.10.8 is 
affecte ...)
NOT-FOR-US: Shuup
 CVE-2021-25961 (In SuiteCRM application, v7.1.7 through v7.10.31 
and v7. ...)
@@ -42917,9 +42917,9 @@ CVE-2021-24019
 CVE-2021-24018 (A buffer underwrite vulnerability in the firmware verification 
routine ...)
NOT-FOR-US: FortiOS
 CVE-2021-24017 (An improper authentication in Fortinet FortiManager version 
6.4.3 and  ...)
-   TODO: check
+   NOT-FOR-US: Fortiguard
 CVE-2021-24016 (An improper neutralization of formula elements in a csv file 
in Fortin ...)
-   TODO: check
+   NOT-FOR-US: Fortiguard
 CVE-2021-24015 (An improper neutralization of special elements used in an OS 
Command v ...)
NOT-FOR-US: Fortinet
 CVE-2021-24014 (Multiple instances of improper neutralization of input during 
web page ...)
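Review bot: `NOT-FOR-US: Fortiguard` for CVE-2021-24017 and CVE-2021-24016 does not match the neighbouring entries, which use `NOT-FOR-US: FortiOS` and `NOT-FOR-US: Fortinet`, and the descriptions themselves name Fortinet FortiManager and Fortinet products; use `NOT-FOR-US: Fortinet` here so grep-based checks on the vendor tag keep matching.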
@@ -51549,7 +51549,7 @@ CVE-2021-21091 (Adobe Bridge versions 10.1.1 (and 
earlier) and 11.0.1 (and earli
 CVE-2021-21090 (Adobe InCopy version 16.0 (and earlier) is affected by an path 
travers ...)
NOT-FOR-US: Adobe
 CVE-2021-21089 (Acrobat Reader DC versions versions 2020.013.20074 (and 
earlier), 2020 ...)
-   TODO: check
+   NOT-FOR-US: Acrobat
 CVE-2021-21088
RESERVED
 CVE-2021-21087 (Adobe Coldfusion versions 2016 (update 16 and earlier), 2018 
(update 1 ...)
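Review bot: CVE-2021-21089 is tagged `NOT-FOR-US: Acrobat` while the adjacent Adobe entries (CVE-2021-21090, CVE-2021-21087) use `NOT-FOR-US: Adobe`; use the vendor form, `NOT-FOR-US: Adobe`, for this one as well.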
@@ -81164,7 +81164,7 @@ CVE-2020-20783
 CVE-2020-20782
RESERVED
 CVE-2020-20781 (A stored cross-site scripting (XSS) vulnerability in 
/ucms/index.php?d ...)
-   TODO: check
+   NOT-FOR-US: UCMS
 CVE-2020-20780
RESERVED
 CVE-2020-20779
@@ -82492,13 +82492,13 @@ CVE-2020-20133
 CVE-2020-20132
RESERVED
 CVE-2020-20131 (LaraCMS v1.0.1 contains a stored cross-site scripting (XSS) 
vulnerabil ...)
-   TODO: check
+   NOT-FOR-US: LaraCMS
 CVE-2020-20130
RESERVED
 CVE-2020-20129 (LaraCMS v1.0.1 contains a stored cross-site scripting (XSS) 
vulnerabil ...)
-   TODO: check
+   NOT-FOR-US: LaraCMS
 CVE-2020-20128 (LaraCMS v1.0.1 transmits sensitive information in cleartext 
which can  ...)
-   TODO: check
+   NOT-FOR-US: LaraCMS
 CVE-2020-20127
RESERVED
 CVE-2020-20126



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a3c2a52f02110742a253f319fbd38c1bc26cd486



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2021-09-30 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bed6da08 by Salvatore Bonaccorso at 2021-09-30T22:23:38+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -241,7 +241,7 @@ CVE-2021-41731
 CVE-2021-41730
RESERVED
 CVE-2021-41729 (BaiCloud-cms v2.5.7 is affected by an arbitrary file deletion 
vulnerab ...)
-   TODO: check
+   NOT-FOR-US: BaiCloud-cms
 CVE-2021-41728
RESERVED
 CVE-2021-41727
@@ -1172,35 +1172,35 @@ CVE-2021-41303 (Apache Shiro before 1.8.0, when using 
Apache Shiro with Spring B
NOTE: https://www.openwall.com/lists/oss-security/2021/09/17/1
TODO: check
 CVE-2021-41302 (ECOA BAS controller stores sensitive data (backup exports) in 
clear-te ...)
-   TODO: check
+   NOT-FOR-US: ECOA BAS controller
 CVE-2021-41301 (ECOA BAS controller is vulnerable to configuration disclosure 
when dir ...)
-   TODO: check
+   NOT-FOR-US: ECOA BAS controller
 CVE-2021-41300 (ECOA BAS controllers special page displays user account 
and pas ...)
-   TODO: check
+   NOT-FOR-US: ECOA BAS controller
 CVE-2021-41299 (ECOA BAS controller is vulnerable to hard-coded credentials 
within its ...)
-   TODO: check
+   NOT-FOR-US: ECOA BAS controller
 CVE-2021-41298 (ECOA BAS controller is vulnerable to insecure direct object 
references ...)
-   TODO: check
+   NOT-FOR-US: ECOA BAS controller
 CVE-2021-41297 (ECOA BAS controller is vulnerable to weak access control 
mechanism all ...)
-   TODO: check
+   NOT-FOR-US: ECOA BAS controller
 CVE-2021-41296 (ECOA BAS controller uses weak set of default administrative 
credential ...)
-   TODO: check
+   NOT-FOR-US: ECOA BAS controller
 CVE-2021-41295 (ECOA BAS controller has a Cross-Site Request Forgery 
vulnerability, th ...)
-   TODO: check
+   NOT-FOR-US: ECOA BAS controller
 CVE-2021-41294 (ECOA BAS controller suffers from a path traversal 
vulnerability, causi ...)
-   TODO: check
+   NOT-FOR-US: ECOA BAS controller
 CVE-2021-41293 (ECOA BAS controller suffers from a path traversal 
vulnerability, causi ...)
-   TODO: check
+   NOT-FOR-US: ECOA BAS controller
 CVE-2021-41292 (ECOA BAS controller suffers from an authentication bypass 
vulnerabilit ...)
-   TODO: check
+   NOT-FOR-US: ECOA BAS controller
 CVE-2021-41291 (ECOA BAS controller suffers from a path traversal content 
disclosure v ...)
-   TODO: check
+   NOT-FOR-US: ECOA BAS controller
 CVE-2021-41290 (ECOA BAS controller suffers from an arbitrary file write and 
path trav ...)
-   TODO: check
+   NOT-FOR-US: ECOA BAS controller
 CVE-2021-41289
RESERVED
 CVE-2021-41288 (Zoho ManageEngine OpManager version 125466 and below is 
vulnerable to  ...)
-   TODO: check
+   NOT-FOR-US: Zoho ManageEngine
 CVE-2021-41287
RESERVED
 CVE-2021-41286
@@ -15367,21 +15367,21 @@ CVE-2021-35207 (An issue was discovered in Zimbra 
Collaboration Suite 8.8 before
 CVE-2021-35206 (Gitpod before 0.6.0 allows unvalidated redirects. ...)
NOT-FOR-US: Gitpod
 CVE-2021-35205 (NETSCOUT Systems nGeniusONE version 6.3.0 build 1196 allows 
URL redire ...)
-   TODO: check
+   NOT-FOR-US: NETSCOUT
 CVE-2021-35204 (NETSCOUT Systems nGeniusONE 6.3.0 build 1196 allows Reflected 
Cross-Si ...)
-   TODO: check
+   NOT-FOR-US: NETSCOUT
 CVE-2021-35203 (NETSCOUT Systems nGeniusONE 6.3.0 build 1196 allows Arbitrary 
File Rea ...)
-   TODO: check
+   NOT-FOR-US: NETSCOUT
 CVE-2021-35202 (NETSCOUT Systems nGeniusONE 6.3.0 build 1196 allows 
Authorization Bypa ...)
-   TODO: check
+   NOT-FOR-US: NETSCOUT
 CVE-2021-35201 (NEI in NETSCOUT nGeniusONE 6.3.0 build 1196 allows XML 
External Entity ...)
-   TODO: check
+   NOT-FOR-US: NETSCOUT
 CVE-2021-35200 (NETSCOUT nGeniusONE 6.3.0 build 1196 allows high-privileged 
users to a ...)
-   TODO: check
+   NOT-FOR-US: NETSCOUT
 CVE-2021-35199 (NETSCOUT nGeniusONE 6.3.0 build 1196 and earlier allows Stored 
Cross-S ...)
-   TODO: check
+   NOT-FOR-US: NETSCOUT
 CVE-2021-35198 (NETSCOUT nGeniusONE 6.3.0 build 1004 and earlier allows Stored 
Cross-S ...)
-   TODO: check
+   NOT-FOR-US: NETSCOUT
 CVE-2021-35197 (In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 
1.35.3, and  ...)
- mediawiki 1:1.35.3-1
[bullseye] - mediawiki  (Minor issue, wait until next 1.35.x 
release)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bed6da083da804fd52743c0ce0090fbf0233c017


[Git][security-tracker-team/security-tracker][master] Process three NFUs

2021-09-30 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1e0aff90 by Salvatore Bonaccorso at 2021-09-30T22:20:56+02:00
Process three NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -28799,7 +28799,7 @@ CVE-2021-29896
 CVE-2021-29895
RESERVED
 CVE-2021-29894 (IBM Cloud Pak for Security (CP4S) 1.7.0.0, 1.7.1.0, 1.7.2.0, 
and 1.8.0 ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2021-29893
RESERVED
 CVE-2021-29892
@@ -52625,7 +52625,7 @@ CVE-2021-20580 (IBM Planning Analytics 2.0 could be 
vulnerable to cross-site req
 CVE-2021-20579 (IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect 
Server) 9.7, ...)
NOT-FOR-US: IBM
 CVE-2021-20578 (IBM Cloud Pak for Security (CP4S) 1.7.0.0, 1.7.1.0, 1.7.2.0, 
and 1.8.0 ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2021-20577 (IBM Cloud Pak for Security (CP4S) 1.5.0.0 and 1.5.0.1 is 
vulnerable to ...)
NOT-FOR-US: IBM
 CVE-2021-20576 (IBM Security Verify Access 20.07 could allow a remote attacker 
to send ...)
@@ -52673,7 +52673,7 @@ CVE-2021-20556
 CVE-2021-20555
RESERVED
 CVE-2021-20554 (IBM Sterling Order Management 9.4, 9.5, and 10.0 is vulnerable 
to cros ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2021-20553
RESERVED
 CVE-2021-20552



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e0aff9044ce8a28f0665dc4de4ff0962e8cff0a



[Git][security-tracker-team/security-tracker][master] Reserve DLA-2772-1 for taglib

2021-09-30 Thread Adrian Bunk (@bunk)


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0d92c542 by Adrian Bunk at 2021-09-30T23:14:23+03:00
Reserve DLA-2772-1 for taglib

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -213536,7 +213536,6 @@ CVE-2018-11440 (Liblouis 3.5.0 has a stack-based 
Buffer Overflow in the function
 CVE-2018-11439 (The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp 
in TagLi ...)
{DLA-1430-1}
- taglib 1.11.1+dfsg.1-0.3 (bug #903847)
-   [stretch] - taglib  (Minor issue)
NOTE: PoC: http://seclists.org/fulldisclosure/2018/May/49
NOTE: Upstream issue: https://github.com/taglib/taglib/issues/868
NOTE: Pull request: https://github.com/taglib/taglib/pull/869
@@ -260259,7 +260258,6 @@ CVE-2017-12679 (SQL Injection exists in NexusPHP 
1.5.beta5.20120707 via the delc
NOT-FOR-US: NexusPHP
 CVE-2017-12678 (In TagLib 1.11.1, the rebuildAggregateFrames function in 
id3v2framefac ...)
- taglib 1.11.1+dfsg.1-0.2 (bug #871511)
-   [stretch] - taglib  (Minor issue)
[jessie] - taglib  (Vulnerable code not present)
[wheezy] - taglib  (Vulnerable code not present)
- silverjuke  (Vulnerable code not present, based on 
older taglib version)
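Review bot: removing the two `[stretch] - taglib (Minor issue)` markers is the right bookkeeping once DLA-2772-1 covers both CVEs, but the fixed versions kept in context (1.11.1+dfsg.1-0.3 for CVE-2018-11439, 1.11.1+dfsg.1-0.2 for CVE-2017-12678) sort at or below the stretch base version implied by 1.11.1+dfsg.1-0.3+deb9u1, so a reader of these entries cannot see why stretch still needed a DLA; add a NOTE next to the PoC/upstream links stating the reason (for instance that the earlier fix was incomplete) or pointing at the DLA.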


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[30 Sep 2021] DLA-2772-1 taglib - security update
+   {CVE-2017-12678 CVE-2018-11439}
+   [stretch] - taglib 1.11.1+dfsg.1-0.3+deb9u1
 [30 Sep 2021] DLA-2771-1 krb5 - security update
{CVE-2018-5729 CVE-2018-5730 CVE-2018-20217 CVE-2021-37750}
[stretch] - krb5 1.15-1+deb9u3


=
data/dla-needed.txt
=
@@ -103,7 +103,5 @@ smarty3
 squashfs-tools (Thorsten Alteholz)
   NOTE: 20210926: coordinate with upload to other releases
 --
-taglib (Adrian Bunk)
---
 tiff (Utkarsh)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0d92c542f63f84d922fd1f89cc5ae7f669c029ab



[Git][security-tracker-team/security-tracker][master] CVE-2017-12678: Link to the commit in upstream master

2021-09-30 Thread Adrian Bunk (@bunk)


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
40520f09 by Adrian Bunk at 2021-09-30T23:12:20+03:00
CVE-2017-12678: Link to the commit in upstream master

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -260264,7 +260264,7 @@ CVE-2017-12678 (In TagLib 1.11.1, the 
rebuildAggregateFrames function in id3v2fr
[wheezy] - taglib  (Vulnerable code not present)
- silverjuke  (Vulnerable code not present, based on 
older taglib version)
NOTE: https://github.com/taglib/taglib/issues/829
-   NOTE: 
https://github.com/taglib/taglib/pull/831/commits/eb9ded1206f18f2c319157337edea2533a40bea6#diff-37f706c8696a7c1ca939b169c0a04d97
+   NOTE: 
https://github.com/taglib/taglib/commit/cb9f07d9dcd791b63e622da43f7b232adaec0a9a
 CVE-2017-12677 (IdentityServer3 2.4.x, 2.5.x, and 2.6.x before 2.6.1 has XSS 
in an Ang ...)
NOT-FOR-US: IdentityServer
 CVE-2017-12676 (In ImageMagick 7.0.6-3, a memory leak vulnerability was found 
in the f ...)
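Review bot: replacing the pull-request commit URL drops the only reference to PR #831 and to the specific file diff it linked, which is where the 1.11.1+dfsg.1-0.2 fix came from; if cb9f07d9 is the same change as it landed in master, say so in the NOTE (or keep both URLs) so a reader can tell whether the -0.2 backport and the master commit differ.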



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/40520f09cb007a151f5a0f3db8e455e78306b020



[Git][security-tracker-team/security-tracker][master] automatic update

2021-09-30 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
66cba0ef by security tracker role at 2021-09-30T20:10:16+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,17 @@
+CVE-2021-41832
+   RESERVED
+CVE-2021-41831
+   RESERVED
+CVE-2021-41830
+   RESERVED
+CVE-2021-3844
+   RESERVED
+CVE-2021-3843
+   RESERVED
+CVE-2021-3842
+   RESERVED
+CVE-2021-3841
+   RESERVED
 CVE-2021-41829 (Zoho ManageEngine Remote Access Plus before 10.1.2121.1 relies 
on the  ...)
NOT-FOR-US: Zoho ManageEngine
 CVE-2021-41828 (Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has 
hardcoded  ...)
@@ -226,8 +240,8 @@ CVE-2021-41731
RESERVED
 CVE-2021-41730
RESERVED
-CVE-2021-41729
-   RESERVED
+CVE-2021-41729 (BaiCloud-cms v2.5.7 is affected by an arbitrary file deletion 
vulnerab ...)
+   TODO: check
 CVE-2021-41728
RESERVED
 CVE-2021-41727
@@ -244,8 +258,8 @@ CVE-2021-41722
RESERVED
 CVE-2021-41721
RESERVED
-CVE-2021-41720
-   RESERVED
+CVE-2021-41720 (A command injection vulnerability in Lodash in 4.17.21 allows 
attacker ...)
+   TODO: check
 CVE-2021-41719
RESERVED
 CVE-2021-41718
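Review bot: CVE-2021-41720 names lodash, which Debian ships as node-lodash, so unlike most of the other new entries in this update it is not an NFU candidate and needs a real assessment rather than a lingering `TODO: check`; the description also claims the injection is in 4.17.21, so check whether an upstream fix exists at all before recording a fixed version.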
@@ -450,8 +464,8 @@ CVE-2021-41619
RESERVED
 CVE-2021-41618
RESERVED
-CVE-2021-41616
-   RESERVED
+CVE-2021-41616 (Apache DB DdlUtils 1.0 included a BinaryObjectsHelper that was 
intende ...)
+   TODO: check
 CVE-2021-3830 (btcpayserver is vulnerable to Improper Neutralization of Input 
During  ...)
NOT-FOR-US: btcpayserver
 CVE-2021-41617 (sshd in OpenSSH 6.2 through 8.x before 8.8, when certain 
non-default c ...)
@@ -1077,12 +1091,12 @@ CVE-2021-41327
RESERVED
 CVE-2021-41326 (In MISP before 2.4.148, app/Lib/Export/OpendataExport.php 
mishandles p ...)
NOT-FOR-US: MISP
-CVE-2021-41325
-   RESERVED
+CVE-2021-41325 (Broken access control for user creation in Pydio Cells 2.2.9 
allows re ...)
+   TODO: check
 CVE-2021-41324
RESERVED
-CVE-2021-41323
-   RESERVED
+CVE-2021-41323 (Directory traversal in the Compress feature in Pydio Cells 
2.2.9 allow ...)
+   TODO: check
 CVE-2021-41322
RESERVED
 CVE-2021-41321
@@ -1157,36 +1171,36 @@ CVE-2021-41303 (Apache Shiro before 1.8.0, when using 
Apache Shiro with Spring B
- shiro 
NOTE: https://www.openwall.com/lists/oss-security/2021/09/17/1
TODO: check
-CVE-2021-41302
-   RESERVED
-CVE-2021-41301
-   RESERVED
-CVE-2021-41300
-   RESERVED
-CVE-2021-41299
-   RESERVED
-CVE-2021-41298
-   RESERVED
-CVE-2021-41297
-   RESERVED
-CVE-2021-41296
-   RESERVED
-CVE-2021-41295
-   RESERVED
-CVE-2021-41294
-   RESERVED
-CVE-2021-41293
-   RESERVED
-CVE-2021-41292
-   RESERVED
-CVE-2021-41291
-   RESERVED
-CVE-2021-41290
-   RESERVED
+CVE-2021-41302 (ECOA BAS controller stores sensitive data (backup exports) in 
clear-te ...)
+   TODO: check
+CVE-2021-41301 (ECOA BAS controller is vulnerable to configuration disclosure 
when dir ...)
+   TODO: check
+CVE-2021-41300 (ECOA BAS controllers special page displays user account 
and pas ...)
+   TODO: check
+CVE-2021-41299 (ECOA BAS controller is vulnerable to hard-coded credentials 
within its ...)
+   TODO: check
+CVE-2021-41298 (ECOA BAS controller is vulnerable to insecure direct object 
references ...)
+   TODO: check
+CVE-2021-41297 (ECOA BAS controller is vulnerable to weak access control 
mechanism all ...)
+   TODO: check
+CVE-2021-41296 (ECOA BAS controller uses weak set of default administrative 
credential ...)
+   TODO: check
+CVE-2021-41295 (ECOA BAS controller has a Cross-Site Request Forgery 
vulnerability, th ...)
+   TODO: check
+CVE-2021-41294 (ECOA BAS controller suffers from a path traversal 
vulnerability, causi ...)
+   TODO: check
+CVE-2021-41293 (ECOA BAS controller suffers from a path traversal 
vulnerability, causi ...)
+   TODO: check
+CVE-2021-41292 (ECOA BAS controller suffers from an authentication bypass 
vulnerabilit ...)
+   TODO: check
+CVE-2021-41291 (ECOA BAS controller suffers from a path traversal content 
disclosure v ...)
+   TODO: check
+CVE-2021-41290 (ECOA BAS controller suffers from an arbitrary file write and 
path trav ...)
+   TODO: check
 CVE-2021-41289
RESERVED
-CVE-2021-41288
-   RESERVED
+CVE-2021-41288 (Zoho ManageEngine OpManager version 125466 and below is 
vulnerable to  ...)
+   TODO: check
 CVE-2021-41287
RESERVED
 CVE-2021-41286
@@ -1549,8 +1563,8 @@ CVE-2021-4
RESERVED
 CVE-2021-41110
RESERVED
-CVE-2021-41109
-   RESERVED
+CVE-2021-41109 (Parse Server is an open source backend that can be deployed to 
any inf ...)
+   TODO: check
 CVE-2021-41108
RESERVED
 CVE-2021-41107

[Git][security-tracker-team/security-tracker][master] Reserve DLA-2771-1 for krb5

2021-09-30 Thread Adrian Bunk (@bunk)


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
210740c6 by Adrian Bunk at 2021-09-30T23:04:09+03:00
Reserve DLA-2771-1 for krb5

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -182665,7 +182665,6 @@ CVE-2018-20218 (An issue was discovered on Teracue 
ENC-400 devices with firmware
 CVE-2018-20217 (A Reachable Assertion issue was discovered in the KDC in MIT 
Kerberos  ...)
{DLA-1643-1}
- krb5 1.16.2-1 (low; bug #917387)
-   [stretch] - krb5  (Minor issue)
NOTE: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763
NOTE: 
https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086
 CVE-2018-20216 (QEMU can have an infinite loop in 
hw/rdma/vmw/pvrdma_dev_ring.c becaus ...)
@@ -230068,13 +230067,11 @@ CVE-2018-5731 (An issue was discovered in Heimdal 
PRO 2.2.190. As part of the sc
 CVE-2018-5730 (MIT krb5 1.6 or later allows an authenticated kadmin with 
permission t ...)
{DLA-1643-1}
- krb5 1.16.1-1 (bug #891869)
-   [stretch] - krb5  (Minor issue)
[wheezy] - krb5  (Minor issue)
NOTE: Fixed by: 
https://github.com/krb5/krb5/commit/e1caf6fb74981da62039846931ebdffed71309d1
 CVE-2018-5729 (MIT krb5 1.6 or later allows an authenticated kadmin with 
permission t ...)
{DLA-1643-1}
- krb5 1.16.1-1 (bug #891869)
-   [stretch] - krb5  (Minor issue)
[wheezy] - krb5  (Minor issue)
NOTE: Fixed by: 
https://github.com/krb5/krb5/commit/e1caf6fb74981da62039846931ebdffed71309d1
 CVE-2018-5728 (Cobham Sea Tel 121 build 222701 devices allow remote attackers 
to obta ...)
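Review bot: DLA-2771-1 (data/DLA/list below) lists CVE-2021-37750 alongside the three 2018 issues, but only the 2018 entries lose their `[stretch] - krb5 (Minor issue)` line here; confirm CVE-2021-37750 has no stretch marker of its own, otherwise it will keep showing as no-dsa for stretch after the DLA is recorded.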


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[30 Sep 2021] DLA-2771-1 krb5 - security update
+   {CVE-2018-5729 CVE-2018-5730 CVE-2018-20217 CVE-2021-37750}
+   [stretch] - krb5 1.15-1+deb9u3
 [30 Sep 2021] DLA-2770-1 weechat - security update
{CVE-2020-8955 CVE-2020-9759 CVE-2020-9760 CVE-2021-40516}
[stretch] - weechat 1.6-1+deb9u3


=
data/dla-needed.txt
=
@@ -51,9 +51,6 @@ firmware-nonfree
 --
 jsoup (Markus Koschany)
 --
-krb5 (Adrian Bunk)
-  NOTE: 20210905: testing fixes
---
 linux (Ben Hutchings)
 --
 linux-4.19 (Ben Hutchings)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/210740c63e59d4ad1c2e1352139677b9b5f568f1



[Git][security-tracker-team/security-tracker][master] new mediawiki issues

2021-09-30 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c0c9fd84 by Moritz Muehlenhoff at 2021-09-30T21:44:30+02:00
new mediawiki issues

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -56,12 +56,16 @@ CVE-2021-41802
RESERVED
 CVE-2021-41801
RESERVED
+   - mediawiki 1:1.35.4-1
 CVE-2021-41800
RESERVED
+   - mediawiki 1:1.35.4-1
 CVE-2021-41799
RESERVED
+   - mediawiki 1:1.35.4-1
 CVE-2021-41798
RESERVED
+   - mediawiki 1:1.35.4-1
 CVE-2021-41797
RESERVED
 CVE-2021-41796
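Review bot: the four RESERVED entries get `- mediawiki 1:1.35.4-1` with no description and no NOTE, so nothing in the tracker ties CVE-2021-41798 through CVE-2021-41801 to a MediaWiki advisory; add a NOTE with the upstream 1.35.4 release or security announcement URL, and make the bullseye/buster status explicit (no marker means both show as affected, which matches the new dsa-needed entry but should be stated). CVE-2021-41797 and CVE-2021-41796 stay RESERVED without a package; if they are part of the same release they need the same line.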


=
data/dsa-needed.txt
=
@@ -34,6 +34,8 @@ linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v4.19.y versions.
 --
+mediawiki (jmm)
+--
 ndpi
 --
 nodejs (jmm)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0c9fd8448f5f2bd38619ade909a6b75b529f361



[Git][security-tracker-team/security-tracker][master] vim fixed in sid

2021-09-30 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ea3dd7f4 by Moritz Muehlenhoff at 2021-09-30T21:40:51+02:00
vim fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2080,7 +2080,7 @@ CVE-2021-40865
 CVE-2021-3797 (hestiacp is vulnerable to Use of Wrong Operator in String 
Comparison ...)
NOT-FOR-US: Hestia Control Panel
 CVE-2021-3796 (vim is vulnerable to Use After Free ...)
-   - vim  (bug #994497)
+   - vim 2:8.2.3455-1 (bug #994497)
[bullseye] - vim  (Minor issue)
[buster] - vim  (Minor issue)
[stretch] - vim  (Minor issue)
@@ -2525,7 +2525,7 @@ CVE-2021-40682
 CVE-2021-3779
RESERVED
 CVE-2021-3778 (vim is vulnerable to Heap-based Buffer Overflow ...)
-   - vim  (bug #994498)
+   - vim 2:8.2.3455-1 (bug #994498)
[bullseye] - vim  (Minor issue)
[buster] - vim  (Minor issue)
[stretch] - vim  (Minor issue)
@@ -2917,7 +2917,7 @@ CVE-2021-40516 (WeeChat before 3.2.1 allows remote 
attackers to cause a denial o
 CVE-2021-40515
RESERVED
 CVE-2021-3770 (vim is vulnerable to Heap-based Buffer Overflow ...)
-   - vim  (bug #994076)
+   - vim 2:8.2.3455-1 (bug #994076)
[bullseye] - vim  (Minor issue)
[buster] - vim  (Minor issue)
[stretch] - vim  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ea3dd7f406f49e067e4fbbbc5dcb6e180a0ea063



[Git][security-tracker-team/security-tracker][master] Track CVE fixes for linux via bullseye-pu

2021-09-30 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d7583d01 by Salvatore Bonaccorso at 2021-09-30T21:20:19+02:00
Track CVE fixes for linux via bullseye-pu

- - - - -


1 changed file:

- data/next-point-update.txt


Changes:

=
data/next-point-update.txt
=
@@ -56,3 +56,15 @@ CVE-2021-3807
[bullseye] - node-ansi-regex 5.0.1-1~deb11u1
 CVE-2021-40438
[bullseye] - node-prismjs 1.23.0+dfsg-1+deb11u1
+CVE-2020-26541
+   [bullseye] - linux 5.10.70-1
+CVE-2021-35039
+   [bullseye] - linux 5.10.70-1
+CVE-2021-37159
+   [bullseye] - linux 5.10.70-1
+CVE-2021-38204
+   [bullseye] - linux 5.10.70-1
+CVE-2021-38205
+   [bullseye] - linux 5.10.70-1
+CVE-2021-38300
+   [bullseye] - linux 5.10.70-1
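Review bot: all six entries point at the same upload, `linux 5.10.70-1`, and one of them, CVE-2020-26541, is a 2020 ID among 2021 ones; confirm that the 5.10.70-1 changelog references each of the six IDs before this file is merged into CVE/list at the point release, because a wrong ID here silently marks an unfixed issue as fixed in bullseye. The preceding node-ansi-regex and node-prismjs entries use the `~deb11u1`/`+deb11u1` point-update suffix, whereas `5.10.70-1` is a plain version string; that is expected for a stable-series kernel upload, but it is worth a glance that it is the bullseye upload and not the sid one.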



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7583d015db31f3835e6ce96d7b02027ac1cbf6c



[Git][security-tracker-team/security-tracker][master] NFUs

2021-09-30 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
aad0d35d by Moritz Muehlenhoff at 2021-09-30T21:16:21+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -67,7 +67,7 @@ CVE-2021-41797
 CVE-2021-41796
RESERVED
 CVE-2021-41795 (The Safari app extension bundled with 1Password for Mac 7.7.0 
through  ...)
-   TODO: check
+   NOT-FOR-US: 1Password
 CVE-2021-41794
RESERVED
 CVE-2021-41793
@@ -151,7 +151,7 @@ CVE-2021-3831
 CVE-2021-41765
RESERVED
 CVE-2021-41764 (A cross-site request forgery (CSRF) vulnerability exists in 
Streama up ...)
-   TODO: check
+   NOT-FOR-US: Streama
 CVE-2021-41763
RESERVED
 CVE-2021-41762
@@ -1722,7 +1722,7 @@ CVE-2021-41036
 CVE-2021-41035
RESERVED
 CVE-2021-41034 (The build of some language stacks of Eclipse Che version 6 
includes pu ...)
-   TODO: check
+   NOT-FOR-US: Eclipse Che
 CVE-2021-41033 (In all released versions of Eclipse Equinox, at least until 
version 4. ...)
NOT-FOR-US: Eclipse Equinox
 CVE-2021-41032
@@ -2594,7 +2594,7 @@ CVE-2021-40653
 CVE-2021-40652
RESERVED
 CVE-2021-40651 (OS4Ed OpenSIS Community 8.0 is vulnerable to a local file 
inclusion vu ...)
-   TODO: check
+   NOT-FOR-US: OS4Ed OpenSIS Community
 CVE-2021-40650
RESERVED
 CVE-2021-40649
@@ -5586,7 +5586,7 @@ CVE-2021-39344
 CVE-2021-39343
RESERVED
 CVE-2021-39342 (The Credova_Financial WordPress plugin discloses a site's 
associated C ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2021-39341
RESERVED
 CVE-2021-39340
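Review bot: `NOT-FOR-US: WordPress plugin` is vaguer than the other NFU lines in this commit, which name the product (1Password, Streama, Eclipse Che, OS4Ed OpenSIS Community); the description already gives the plugin name, so `NOT-FOR-US: Credova_Financial WordPress plugin` keeps the entry greppable and consistent.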
@@ -13683,11 +13683,11 @@ CVE-2021-35947 (The public share controller in the 
ownCloud server before versio
 CVE-2021-35946 (A receiver of a federated share with access to the database 
with ownCl ...)
- owncloud 
 CVE-2021-35945 (Couchbase Server 6.5.x, 6.6.0 through 6.6.2, and 7.0.0, has a 
Buffer O ...)
-   TODO: check
+   NOT-FOR-US: Couchbase Server
 CVE-2021-35944 (Couchbase Server 6.5.x, 6.6.x through 6.6.2, and 7.0.0 has a 
Buffer Ov ...)
-   TODO: check
+   NOT-FOR-US: Couchbase Server
 CVE-2021-35943 (Couchbase Server 6.5.x and 6.6.x through 6.6.2 has Incorrect 
Access Co ...)
-   TODO: check
+   NOT-FOR-US: Couchbase Server
 CVE-2021-35942 (The wordexp function in the GNU C Library (aka glibc) through 
2.33 may ...)
- glibc 2.31-13 (bug #990542)
[buster] - glibc  (Minor issue)
@@ -38393,13 +38393,13 @@ CVE-2021-25964
 CVE-2021-25963
RESERVED
 CVE-2021-25962 (Shuup application in versions 0.4.2 to 2.10.8 is 
affecte ...)
-   TODO: check
+   NOT-FOR-US: Shuup
 CVE-2021-25961 (In SuiteCRM application, v7.1.7 through v7.10.31 
and v7. ...)
-   TODO: check
+   NOT-FOR-US: SuiteCRM
 CVE-2021-25960 (In SuiteCRM application, v7.11.18 through 
v7.11.19 and v ...)
-   TODO: check
+   NOT-FOR-US: SuiteCRM
 CVE-2021-25959 (In OpenCRX, versions v4.0.0 through v5.1.0 are vulnerable to 
reflected ...)
-   TODO: check
+   NOT-FOR-US: OpenCRX
 CVE-2021-25958 (In Apache Ofbiz, versions v17.12.01 to v17.12.07 implement a 
try catch ...)
NOT-FOR-US: Apache Ofbiz
 CVE-2021-25957 (In Dolibarr application, v2.8.1 to v13.0.2 are 
vulnerabl ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aad0d35d4468959badb8708be1a9994968ddb551



[Git][security-tracker-team/security-tracker][master] CVE-2021-40438/apache2: clarify patches + re-order regression fixes

2021-09-30 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bffb81a1 by Sylvain Beucler at 2021-09-30T17:20:26+02:00
CVE-2021-40438/apache2: clarify patches + re-order regression fixes
Cf. https://bugzilla.suse.com/show_bug.cgi?id=1190703#c1

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3095,10 +3095,10 @@ CVE-2021-40439
 CVE-2021-40438 (A crafted request uri-path can cause mod_proxy to forward the 
request  ...)
- apache2 2.4.49-1
NOTE: 
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-40438
-   NOTE: 
https://github.com/apache/httpd/commit/496c863776c68bd08cdbeb7d8fa5935ba63b76c2 
(2.4.x)
-   NOTE: 
https://github.com/apache/httpd/commit/d4901cb32133bc0e59ad193a29d1665597080d67 
(2.4.x)
-   NOTE: Regression fix: 
https://github.com/apache/httpd/commit/81a8b0133b46c4cf7dfc4b5476ad46eb34aa0a5c 
(2.4.x)
-   NOTE: Second regression fix: 
https://github.com/apache/httpd/commit/6e768a811c59ca6a0769b72681aaef381823339f 
(2.4.x)
+   NOTE: Minimal fix: 
https://github.com/apache/httpd/commit/496c863776c68bd08cdbeb7d8fa5935ba63b76c2 
(2.4.x)
+   NOTE: Future-proof follow-up: 
https://github.com/apache/httpd/commit/d4901cb32133bc0e59ad193a29d1665597080d67 
(2.4.x)
+   NOTE: Regression fix #1: 
https://github.com/apache/httpd/commit/6e768a811c59ca6a0769b72681aaef381823339f 
(2.4.x)
+   NOTE: Regression fix #2: 
https://github.com/apache/httpd/commit/81a8b0133b46c4cf7dfc4b5476ad46eb34aa0a5c 
(2.4.x)
 CVE-2021-40491 (The ftp client in GNU Inetutils before 2.2 does not validate 
addresses ...)
- inetutils 2:2.2-1 (bug #993476)
[bullseye] - inetutils  (Minor issue)
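Review bot: the relabelling separates the minimal CVE fix (496c8637) from the future-proof follow-up (d4901cb3) and swaps the two regression fixes so that 6e768a81 is now #1 and 81a8b013 is #2, but nothing in the NOTE lines says why the order matters or whether the follow-up is required for a complete fix. Since the commit message justifies the swap with the SUSE bug, record that in the entry, e.g. `NOTE: apply in the order listed, see https://bugzilla.suse.com/show_bug.cgi?id=1190703#c1`, and state whether a stable backport needs d4901cb3 or only 496c8637 plus the two regression fixes; otherwise a later editor may re-sort the notes by commit date and undo this.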



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bffb81a16bdd0fb3f549078b48f1b10114b3eb2c



[Git][security-tracker-team/security-tracker][master] 2 commits: Reserve DLA-2770-1 for weechat

2021-09-30 Thread Adrian Bunk (@bunk)


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7547195e by Adrian Bunk at 2021-09-30T13:49:47+03:00
Reserve DLA-2770-1 for weechat

- - - - -
dd5a5a27 by Adrian Bunk at 2021-09-30T15:11:21+03:00
dla: take taglib

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -109593,13 +109593,11 @@ CVE-2020-9760 (An issue was discovered in WeeChat 
before 2.7.1 (0.3.4 to 2.7 are
{DLA-2157-1}
- weechat 2.7.1-1
[buster] - weechat  (Minor issue)
-   [stretch] - weechat  (Minor issue)
NOTE: 
https://github.com/weechat/weechat/commit/694b5c9f874d7337cd2e03761e0de435275dd64d
 CVE-2020-9759 (A Vulnerability of LG Electronic web OS TV Emulator could allow 
an att ...)
{DLA-2157-1}
- weechat 2.7.1-1
[buster] - weechat  (Minor issue)
-   [stretch] - weechat  (Minor issue)
NOTE: 
https://github.com/weechat/weechat/commit/c827d6fa864e2c0b79cea640c45272e83703081e
 CVE-2020-9758 (An issue was discovered in chat.php in LiveZilla Live Chat 
8.0.1.3 (He ...)
NOT-FOR-US: LiveZilla Live Chat
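Review bot: dropping the `[stretch] - weechat  (Minor issue)` lines is right once DLA-2770-1 ships, but the description on the CVE-2020-9759 entry reads `A Vulnerability of LG Electronic web OS TV Emulator could allow an att ...` while the entry tracks weechat 2.7.1-1 and DLA-2157-1. Either the description is stale or the ID is not the WeeChat one; check the ID against the upstream WeeChat advisory before it is published in the advisory text, because the DLA/list hunk below lists CVE-2020-9759 among the issues fixed by DLA-2770-1.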
@@ -111518,7 +111516,6 @@ CVE-2020-8955 (irc_mode_channel_update in 
plugins/irc/irc-mode.c in WeeChat thro
{DLA-2157-1}
- weechat 2.7.1-1 (bug #951289)
[buster] - weechat  (Minor issue)
-   [stretch] - weechat  (Minor issue)
NOTE: 
https://github.com/weechat/weechat/commit/6f4f147d8e86adf9ad34a8ffd7e7f1f23a7e74da
 CVE-2020-8954 (OpenSearch Web browser 1.0.4.9 allows Intent Scheme 
Hijacking.[a link  ...)
NOT-FOR-US: OpenSearch Web browser
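Review bot: DLA-2770-1 in the DLA/list hunk below also covers CVE-2021-40516, yet no hunk in this commit touches that entry; check whether it still carries a `[stretch] - weechat` no-dsa line of its own, which would now contradict the DLA and needs the same removal as the three entries above.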


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[30 Sep 2021] DLA-2770-1 weechat - security update
+   {CVE-2020-8955 CVE-2020-9759 CVE-2020-9760 CVE-2021-40516}
+   [stretch] - weechat 1.6-1+deb9u3
 [29 Sep 2021] DLA-2769-1 libxstream-java - security update
{CVE-2021-39139 CVE-2021-39140 CVE-2021-39141 CVE-2021-39144 
CVE-2021-39145 CVE-2021-39146 CVE-2021-39147 CVE-2021-39148 CVE-2021-39149 
CVE-2021-39150 CVE-2021-39151 CVE-2021-39152 CVE-2021-39153 CVE-2021-39154}
[stretch] - libxstream-java 1.4.11.1-1+deb9u4


=
data/dla-needed.txt
=
@@ -106,7 +106,7 @@ smarty3
 squashfs-tools (Thorsten Alteholz)
   NOTE: 20210926: coordinate with upload to other releases
 --
-tiff (Utkarsh)
+taglib (Adrian Bunk)
 --
-weechat (Adrian Bunk)
+tiff (Utkarsh)
 --
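Review bot: `taglib (Adrian Bunk)` replaces the completed weechat entry and keeps the list in order, but like tiff it has no NOTE line; the squashfs-tools entry just above shows the convention (`NOTE: 20210926: ...`), so a dated note on which CVEs are being worked on and any coordination needed would help whoever picks it up next.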



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/54ab6f37f51636e082de1438ea4f5cdc6054fece...dd5a5a27768b29b5a977eb58ed8e5ef45e498f06



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2021-09-30 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
54ab6f37 by Salvatore Bonaccorso at 2021-09-30T10:28:56+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,21 +1,21 @@
 CVE-2021-41829 (Zoho ManageEngine Remote Access Plus before 10.1.2121.1 relies 
on the  ...)
-   TODO: check
+   NOT-FOR-US: Zoho ManageEngine
 CVE-2021-41828 (Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has 
hardcoded  ...)
-   TODO: check
+   NOT-FOR-US: Zoho ManageEngine
 CVE-2021-41827 (Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has 
hardcoded  ...)
-   TODO: check
+   NOT-FOR-US: Zoho ManageEngine
 CVE-2021-41826 (PlaceOS Authentication Service before 1.29.10.0 allows 
app/controllers ...)
-   TODO: check
+   NOT-FOR-US: PlaceOS Authentication Service
 CVE-2021-41825
RESERVED
 CVE-2021-41824 (Craft CMS before 3.7.14 allows CSV injection. ...)
-   TODO: check
+   NOT-FOR-US: Craft CMS
 CVE-2021-41823
RESERVED
 CVE-2021-41822
RESERVED
 CVE-2021-41821 (Wazuh Manager in Wazuh through 4.1.5 is affected by a remote 
Integer U ...)
-   TODO: check
+   NOT-FOR-US: Wazuh
 CVE-2021-41820
RESERVED
 CVE-2021-41819



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54ab6f37f51636e082de1438ea4f5cdc6054fece



[Git][security-tracker-team/security-tracker][master] automatic update

2021-09-30 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0a93b843 by security tracker role at 2021-09-30T08:10:11+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,89 @@
+CVE-2021-41829 (Zoho ManageEngine Remote Access Plus before 10.1.2121.1 relies 
on the  ...)
+   TODO: check
+CVE-2021-41828 (Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has 
hardcoded  ...)
+   TODO: check
+CVE-2021-41827 (Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has 
hardcoded  ...)
+   TODO: check
+CVE-2021-41826 (PlaceOS Authentication Service before 1.29.10.0 allows 
app/controllers ...)
+   TODO: check
+CVE-2021-41825
+   RESERVED
+CVE-2021-41824 (Craft CMS before 3.7.14 allows CSV injection. ...)
+   TODO: check
+CVE-2021-41823
+   RESERVED
+CVE-2021-41822
+   RESERVED
+CVE-2021-41821 (Wazuh Manager in Wazuh through 4.1.5 is affected by a remote 
Integer U ...)
+   TODO: check
+CVE-2021-41820
+   RESERVED
+CVE-2021-41819
+   RESERVED
+CVE-2021-41818
+   RESERVED
+CVE-2021-41817
+   RESERVED
+CVE-2021-41816
+   RESERVED
+CVE-2021-41815
+   RESERVED
+CVE-2021-41814
+   RESERVED
+CVE-2021-41813
+   RESERVED
+CVE-2021-41812
+   RESERVED
+CVE-2021-41811
+   RESERVED
+CVE-2021-41810
+   RESERVED
+CVE-2021-41809
+   RESERVED
+CVE-2021-41808
+   RESERVED
+CVE-2021-41807
+   RESERVED
+CVE-2021-41806
+   RESERVED
+CVE-2021-41805
+   RESERVED
+CVE-2021-41804
+   RESERVED
+CVE-2021-41803
+   RESERVED
+CVE-2021-41802
+   RESERVED
+CVE-2021-41801
+   RESERVED
+CVE-2021-41800
+   RESERVED
+CVE-2021-41799
+   RESERVED
+CVE-2021-41798
+   RESERVED
+CVE-2021-41797
+   RESERVED
+CVE-2021-41796
+   RESERVED
+CVE-2021-41795 (The Safari app extension bundled with 1Password for Mac 7.7.0 
through  ...)
+   TODO: check
+CVE-2021-41794
+   RESERVED
+CVE-2021-41793
+   RESERVED
+CVE-2021-41792
+   RESERVED
+CVE-2021-41791
+   RESERVED
+CVE-2021-41790
+   RESERVED
+CVE-2021-41789
+   RESERVED
+CVE-2021-41788
+   RESERVED
+CVE-2021-3840
+   RESERVED
 CVE-2021-41787
RESERVED
 CVE-2021-41786
@@ -1635,8 +1721,8 @@ CVE-2021-41036
RESERVED
 CVE-2021-41035
RESERVED
-CVE-2021-41034
-   RESERVED
+CVE-2021-41034 (The build of some language stacks of Eclipse Che version 6 
includes pu ...)
+   TODO: check
 CVE-2021-41033 (In all released versions of Eclipse Equinox, at least until 
version 4. ...)
NOT-FOR-US: Eclipse Equinox
 CVE-2021-41032
@@ -5499,8 +5585,8 @@ CVE-2021-39344
RESERVED
 CVE-2021-39343
RESERVED
-CVE-2021-39342
-   RESERVED
+CVE-2021-39342 (The Credova_Financial WordPress plugin discloses a site's 
associated C ...)
+   TODO: check
 CVE-2021-39341
RESERVED
 CVE-2021-39340
@@ -8548,7 +8634,7 @@ CVE-2021-3683
RESERVED
 CVE-2021-38113 (In addBouquet in js/bqe.js in OpenWebif (aka 
e2openplugin-OpenWebif) t ...)
NOT-FOR-US: OpenWebif (aka e2openplugin-OpenWebif)
-CVE-2021-38112 (In the Amazon AWS WorkSpaces client before 3.1.9 on Windows, 
argument  ...)
+CVE-2021-38112 (In the Amazon AWS WorkSpaces client 3.0.10 through 3.1.8 on 
Windows, a ...)
NOT-FOR-US: Amazon AWS client for Windows
 CVE-2021-38111 (The DEF CON 27 badge allows remote attackers to exploit a 
buffer overf ...)
NOT-FOR-US: DEF CON 27 badge
@@ -11557,8 +11643,7 @@ CVE-2021-36776
RESERVED
 CVE-2021-36775
RESERVED
-CVE-2021-3653 [KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl]
-   RESERVED
+CVE-2021-3653 (A flaw was found in the KVM's AMD code for supporting SVM 
nested virtu ...)
{DSA-4978-1}
- linux 5.14.6-1
NOTE: https://www.openwall.com/lists/oss-security/2021/08/16/1
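Review bot: the automatic update replaced the hand-written title `[KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl]` with the MITRE description; that title carried the upstream patch subject, which is what a backporter greps the kernel log for, so keep it as a NOTE: line next to the oss-security link rather than losing it.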
@@ -13597,12 +13682,12 @@ CVE-2021-35947 (The public share controller in the 
ownCloud server before versio
- owncloud 
 CVE-2021-35946 (A receiver of a federated share with access to the database 
with ownCl ...)
- owncloud 
-CVE-2021-35945
-   RESERVED
-CVE-2021-35944
-   RESERVED
-CVE-2021-35943
-   RESERVED
+CVE-2021-35945 (Couchbase Server 6.5.x, 6.6.0 through 6.6.2, and 7.0.0, has a 
Buffer O ...)
+   TODO: check
+CVE-2021-35944 (Couchbase Server 6.5.x, 6.6.x through 6.6.2, and 7.0.0 has a 
Buffer Ov ...)
+   TODO: check
+CVE-2021-35943 (Couchbase Server 6.5.x and 6.6.x through 6.6.2 has Incorrect 
Access Co ...)
+   TODO: check
 CVE-2021-35942 (The wordexp function in the GNU C Library (aka glibc) through 
2.33 may ...)
- glibc 2.31-13 (bug #990542)
[buster] - glibc  (Minor issue)
@@ -45277,13 +45362,11 @@ CVE-2021-22949 (A CSRF in Concrete CMS version 8.5.5 
and below allows an attacke
NOT-FOR-US: Concrete CMS
 

[Git][security-tracker-team/security-tracker][master] new rpm issue (concludes external check)

2021-09-30 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
61bbdc25 by Moritz Muehlenhoff at 2021-09-30T09:28:56+02:00
new rpm issue (concludes external check)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -23405,6 +23405,10 @@ CVE-2020-36327 (Bundler 1.16.0 through 2.2.9 and 
2.2.11 through 2.2.16 sometimes
NOTE: https://github.com/rubygems/rubygems/issues/3982
 CVE-2021-3521
RESERVED
+   - rpm 
+   [bullseye] - rpm  (Minor issue)
+   [buster] - rpm  (Minor issue)
+   NOTE: https://github.com/rpm-software-management/rpm/pull/1788
 CVE-2021-3520 (There's a flaw in lz4. An attacker who submits a crafted file 
to an ap ...)
{DSA-4919-1 DLA-2657-1}
- lz4 1.9.3-2 (bug #987856)
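Review bot: CVE-2021-3521 stays RESERVED with no description, yet gains `- rpm ` (the version column reads blank here because the `<unfixed>` marker was dropped in mail rendering) plus Minor-issue markings for bullseye and buster; add a bracketed title so a reader knows what the issue is without opening the PR, as the `CVE-2021-3653 [KVM: nSVM: ...]` entry elsewhere on this page did, and say in a NOTE why it is rated minor. The NOTE currently points only at upstream PR 1788; once that is merged, a NOTE with the merge commit is a more stable reference than the PR URL.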



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61bbdc258d4064acc4f626212719d9c7d5c5d6bd
