[Git][security-tracker-team/security-tracker][master] Reserve DLA-2780-1 for ruby2.3
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 56a67e79 by Utkarsh Gupta at 2021-10-11T11:09:11+05:30 Reserve DLA-2780-1 for ruby2.3 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[11 Oct 2021] DLA-2780-1 ruby2.3 - security update + {CVE-2021-31799 CVE-2021-31810 CVE-2021-32066} + [stretch] - ruby2.3 2.3.3-1+deb9u10 [09 Oct 2021] DLA-2779-1 mediawiki - security update {CVE-2021-35197 CVE-2021-41798 CVE-2021-41799} [stretch] - mediawiki 1:1.27.7-1~deb9u10 = data/dla-needed.txt = @@ -89,13 +89,6 @@ redis (Chris Lamb) NOTE: 20211004: Fixed in sid and experimental. (lamby) NOTE: 20211006: buster-pu filed in #995825. (lamby) -- -ruby2.3 - NOTE: 20210802: Utkarsh already uploaded a fix for sid/bullseye. (utkarsh) - NOTE: 20210816: wip, backporting patches; a bit hard. (utkarsh) - NOTE: 20210920: in midst of backporting patches. (utkarsh) - NOTE: 20211003: only backporting CVE-2021-31810 is left, which has a bit - NOTE: 20211003: of difference whilst going back to ruby2.3. (utkarsh) --- rustc NOTE: rust-doc in stretch-lts (and jessie-lts) is not installable NOTE: https://bugs.debian.org/928422 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56a67e79fd64384c0fd4a4a4a1b7a539286e0c96 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56a67e79fd64384c0fd4a4a4a1b7a539286e0c96 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
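Review bot: the new data/DLA/list entry records the stretch fix 2.3.3-1+deb9u10 for CVE-2021-31799, CVE-2021-31810 and CVE-2021-32066, but this commit touches only data/DLA/list and data/dla-needed.txt, so the {DLA-2780-1} cross-references in data/CVE/list are not part of the change; either add them alongside the reservation or confirm they are expected to arrive via the automatic update, the way {DSA-4983-1} is added to CVE-2021-40085 elsewhere in this digest.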
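Review bot: the dla-needed.txt block being removed ends with the 20211003 note that backporting CVE-2021-31810 was still open and "a bit" different on ruby2.3; since DLA-2780-1 now claims that CVE as fixed, it would help a later reader if that detail (what had to differ in the ruby2.3 backport) survived as a NOTE on the CVE-2021-31810 entry rather than disappearing with the work-in-progress entry.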
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: ec87c80f by Thorsten Alteholz at 2021-10-11T00:14:37+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -31,8 +31,10 @@ debian-archive-keyring (Utkarsh) NOTE: 20211003: failing. Or at least appears to be. :( (utkarsh) -- exiv2 (Thorsten Alteholz) + NOTE: 20211010: WIP, also taking care of older issues -- faad2 (Thorsten Alteholz) + NOTE: 20211010: WIP, also taking care of older issues -- ffmpeg (Anton Gladky) NOTE: probably wait until stuff is fixed in Buster @@ -111,7 +113,7 @@ smarty3 (Markus Koschany) NOTE: 20210906: prepared a build for testing. Waiting for bug submitter's reply (abhijith) -- squashfs-tools (Thorsten Alteholz) - NOTE: 20210926: coordinate with upload to other releases + NOTE: 20211010: coordinate with upload to other releases -- thunderbird (Emilio) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec87c80f36288b03c7df0c6ad1acea4f6138ba10 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec87c80f36288b03c7df0c6ad1acea4f6138ba10 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
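Review bot: the two added notes "WIP, also taking care of older issues" on exiv2 and faad2 do not name which older issues are meant, and unlike the neighbouring notes ("(utkarsh)", "(abhijith)") they carry no initials; listing the CVE ids being bundled in makes it possible for another LTS member to take the work over, and the initials keep the file's convention.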
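Review bot: the squashfs-tools change only rewrites the date of an existing note from 20210926 to 20211010 while keeping the text identical, which loses the record of when coordination started; the file's convention, visible in the ruby2.3 entry earlier in this digest, is to append a new dated NOTE line per update rather than edit the old one.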
[Git][security-tracker-team/security-tracker][master] LTS: status update
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: f44355f6 by Anton Gladky at 2021-10-10T22:30:48+02:00 LTS: status update - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -36,6 +36,7 @@ faad2 (Thorsten Alteholz) -- ffmpeg (Anton Gladky) NOTE: probably wait until stuff is fixed in Buster + NOTE: 20211010: WIP https://salsa.debian.org/lts-team/packages/ffmpeg -- firefox-esr (Emilio) -- @@ -57,6 +58,7 @@ mosquitto NOTE: 20210806: CVE-2021-34432 ignored in buster and stretch. Vulnerable code not accessible. (codehelp) -- nghttp2 (Anton Gladky) + NOTE: 20211010: WIP https://salsa.debian.org/lts-team/packages/nghttp2 -- ntfs-3g (Abhijith PA) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f44355f63450c7d598b3706777d2a54e9d8bcf60 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f44355f63450c7d598b3706777d2a54e9d8bcf60 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
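Review bot: the new ffmpeg WIP note is added directly under the older, undated note "probably wait until stuff is fixed in Buster" without saying whether that condition is now met, so the two lines read as contradicting each other; state in the new note whether the buster side is done, or update the older note at the same time.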
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 08e1b8d2 by security tracker role at 2021-10-10T20:10:22+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,5 @@ +CVE-2021-3876 + RESERVED CVE-2021-3875 RESERVED CVE-2021-42133 @@ -4736,6 +4738,7 @@ CVE-2021-40087 (An issue was discovered in PrimeKey EJBCA before 7.6.0. When aud CVE-2021-40086 (An issue was discovered in PrimeKey EJBCA before 7.6.0. As part of the ...) NOT-FOR-US: PrimeKey CVE-2021-40085 (An issue was discovered in OpenStack Neutron before 16.4.1, 17.x befor ...) + {DSA-4983-1} - neutron 2:18.1.0-3 (bug #993398) NOTE: https://www.openwall.com/lists/oss-security/2021/08/31/2 NOTE: https://launchpad.net/bugs/1939733 @@ -39296,8 +39299,8 @@ CVE-2021-25968 RESERVED CVE-2021-25967 RESERVED -CVE-2021-25966 - RESERVED +CVE-2021-25966 (In Orchard core CMS application, versions 1.0.0-beta1-33 ...) + TODO: check CVE-2021-25965 RESERVED CVE-2021-25964 (In Calibre-web application, v0.6.0 to v0.6.12, are vulne ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/08e1b8d2d53ff5a80c45ff68b25dacc8a15f5563 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/08e1b8d2d53ff5a80c45ff68b25dacc8a15f5563 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
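Review bot: the CVE-2021-25966 change replaces RESERVED with the Orchard core CMS description and leaves "TODO: check" rather than a triage decision; that is expected from the automatic import, but the neighbouring PrimeKey entries show the target state ("NOT-FOR-US: <product>") when the software is not in the archive, so the TODO needs a manual follow-up rather than being left open.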
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2021-38598/neutron for bullseye
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 68ebf342 by Salvatore Bonaccorso at 2021-10-10T21:13:08+02:00 Track fixed version for CVE-2021-38598/neutron for bullseye - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8173,6 +8173,7 @@ CVE-2021-38599 (WAL-G before 1.1, when a non-libsodium build (e.g., one of the o NOT-FOR-US: WAL-G CVE-2021-38598 (OpenStack Neutron before 16.4.1, 17.x before 17.1.3, and 18.0.0 allows ...) - neutron 2:18.1.0-2 + [bullseye] - neutron 2:17.2.1-0+deb11u1 [buster] - neutron (Minor issue, not backported to rocky branch) NOTE: https://www.openwall.com/lists/oss-security/2021/08/17/4 NOTE: https://launchpad.net/bugs/1938670 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/68ebf3428b0f5767532f6e0acfbcfe63b9f77fe2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/68ebf3428b0f5767532f6e0acfbcfe63b9f77fe2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
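Review bot: the added [bullseye] line records 2:17.2.1-0+deb11u1 as the fix for CVE-2021-38598, which is the same bullseye upload that the DSA-4983-1 entry later in this digest attributes to CVE-2021-40085 only; if the upload fixes both, CVE-2021-38598 should appear in the DSA's CVE list (and get a {DSA-4983-1} reference), otherwise a NOTE should say why it is tracked as fixed by that upload without being covered by the advisory.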
[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for CVE-2021-40926/php-getid3
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 28fa9551 by Salvatore Bonaccorso at 2021-10-10T20:42:11+02:00 Track fixed version via unstable for CVE-2021-40926/php-getid3 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2724,7 +2724,7 @@ CVE-2021-40928 (Cross-site scripting (XSS) vulnerability in index.php in FlexTV CVE-2021-40927 (Cross-site scripting (XSS) vulnerability in callback.php in Spotify-fo ...) NOT-FOR-US: Spotify-for-Alfred CVE-2021-40926 (Cross-site scripting (XSS) vulnerability in demos/demo.mysqli.php in g ...) - - php-getid3 (unimportant) + - php-getid3 1.9.21+dfsg-1 (unimportant) NOTE: https://github.com/JamesHeinrich/getID3/issues/341 NOTE: https://github.com/JamesHeinrich/getID3/commit/0163ba96f7fc64765e499847c2373b1f994797c5 (v1.9.21) NOTE: XSS issue in demo file View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/28fa95516001f9fb6ad3d6f9d941c34d1e557955 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/28fa95516001f9fb6ad3d6f9d941c34d1e557955 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
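Review bot: the entry now records 1.9.21+dfsg-1 as fixed while keeping the (unimportant) severity; the NOTE places the XSS in demos/demo.mysqli.php and the Debian version carries a +dfsg suffix, so if the repack strips the demos directory the older releases are not-affected rather than unimportant. A one-line NOTE on whether the demo file is shipped would save the next person re-checking.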
[Git][security-tracker-team/security-tracker][master] Update entry for CVE-2020-28282: Associate with node-getobject
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 58c6c0cd by Salvatore Bonaccorso at 2021-10-10T20:28:56+02:00 Update entry for CVE-2020-28282: Associate with node-getobject - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -64158,7 +64158,8 @@ CVE-2020-28284 CVE-2020-28283 (Prototype pollution vulnerability in 'libnested' versions 0.0.0 throug ...) NOT-FOR-US: libnested CVE-2020-28282 (Prototype pollution vulnerability in 'getobject' version 0.1.0 allows ...) - NOT-FOR-US: Node getobject + - node-getobject 1.0.2-1 + NOTE: https://github.com/cowboy/node-getobject/commit/84071748fa407caa8f824e0d0b9c1cde9ec56633 (v1.0.0) CVE-2020-28281 (Prototype pollution vulnerability in 'set-object-value' versions 0.0.0 ...) NOT-FOR-US: react-atomic-organism CVE-2020-28280 (Prototype pollution vulnerability in 'predefine' versions 0.0.0 throug ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58c6c0cd38964ac33bb8ca3214f9b11e8e4b55c4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58c6c0cd38964ac33bb8ca3214f9b11e8e4b55c4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
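Review bot: the entry switches from NOT-FOR-US to a fixed version 1.0.2-1 in unstable but carries no [bullseye] or [buster] lines; the upstream fix is tagged v1.0.0, so any release shipping node-getobject below 1.0.0 will now show as vulnerable until a status (no-dsa, postponed, or a fixed version) is recorded for it.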
[Git][security-tracker-team/security-tracker][master] Add fixed version via unstable for two squid issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9a3ad244 by Salvatore Bonaccorso at 2021-10-10T20:23:26+02:00 Add fixed version via unstable for two squid issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1212,7 +1212,7 @@ CVE-2021-41612 RESERVED CVE-2021-41611 [SQUID-2021:6 Improper Certificate Validation of TLS server certificates] RESERVED - - squid + - squid 5.2-1 [bullseye] - squid (Vulnerable code introduced later) [buster] - squid (Vulnerable code introduced later) NOTE: https://github.com/squid-cache/squid/security/advisories/GHSA-47m4-g3mv-9q5r @@ -34033,7 +34033,7 @@ CVE-2021-28117 (libdiscover/backends/KNSBackend/KNSResource.cpp in KDE Discover NOTE: Plasma 5.21: https://commits.kde.org/plasma/discover/94478827aab63d2e2321f0ca9ec5553718798e60 NOTE: Plasma 5.18: https://commits.kde.org/plasma/discover/fcd3b30552bf03a384b1a16f9bb8db029c111356 CVE-2021-28116 (Squid through 4.14 and 5.x through 5.0.5, in some configurations, allo ...) - - squid (bug #986804) + - squid 5.2-1 (bug #986804) [bullseye] - squid (Minor issue) [buster] - squid (Minor issue) - squid3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a3ad24467018ef47bb32990b0d2257b60b17f05 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a3ad24467018ef47bb32990b0d2257b60b17f05 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
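Review bot: CVE-2021-41611 now has the unstable fix 5.2-1 plus bullseye and buster marked "Vulnerable code introduced later", yet the line after the bracketed SQUID-2021:6 title still reads RESERVED; that is the state the automatic update resolves once the description is public (compare the CVE-2021-25966 change in this digest), so no description should be typed in by hand here, but the bracketed title is the only thing that tells a reader what the issue is until then.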
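Review bot: in the CVE-2021-28116 block the trailing "- squid3" context line has neither a fixed version nor a reason, while the bullseye and buster lines carry "(Minor issue)"; if squid3 is the source package for the older release, it should get the same style of annotation or a fixed version, otherwise it remains an unqualified open entry for LTS triage. Not introduced by this hunk, but it sits in its context and is cheap to fix in the same commit.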
[Git][security-tracker-team/security-tracker][master] one neutron issue ignored in buster
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: fd972b7f by Moritz Muehlenhoff at 2021-10-10T20:05:31+02:00 one neutron issue ignored in buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8173,6 +8173,7 @@ CVE-2021-38599 (WAL-G before 1.1, when a non-libsodium build (e.g., one of the o NOT-FOR-US: WAL-G CVE-2021-38598 (OpenStack Neutron before 16.4.1, 17.x before 17.1.3, and 18.0.0 allows ...) - neutron 2:18.1.0-2 + [buster] - neutron (Minor issue, not backported to rocky branch) NOTE: https://www.openwall.com/lists/oss-security/2021/08/17/4 NOTE: https://launchpad.net/bugs/1938670 NOTE: https://review.opendev.org/c/openstack/neutron/+/785917/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd972b7f8498ffd9400fcec1e0c2e86fa928e937 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd972b7f8498ffd9400fcec1e0c2e86fa928e937 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
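Review bot: the commit message says the buster issue is ignored, but the added line reads "[buster] - neutron (Minor issue, not backported to rocky branch)" with nothing between the package name and the reason; a release line needs either a fixed version or an angle-bracketed status tag (ignored, no-dsa or postponed) there, so if the tag is really absent from the file and not merely stripped from this rendering of the mail, the line is not a valid entry and buster would still appear open.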
[Git][security-tracker-team/security-tracker][master] neutron DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d9abd69e by Moritz Mühlenhoff at 2021-10-10T20:00:11+02:00 neutron DSA - - - - - 2 changed files: - data/CVE/list - data/DSA/list Changes: = data/CVE/list = @@ -54317,7 +54317,7 @@ CVE-2021-20268 (An out-of-bounds access flaw was found in the Linux kernel's imp NOTE: https://git.kernel.org/linus/bc895e8b2a64e502fbba72748d59618272052a8b CVE-2021-20267 (A flaw was found in openstack-neutron's default Open vSwitch firewall ...) - neutron 2:17.1.1-5 (bug #985104) - [buster] - neutron (Minor issue) + [buster] - neutron 2:13.0.7+git.2021.09.27.bace3d1890-0+deb10u1 [stretch] - neutron (Minor issue) NOTE: https://bugs.launchpad.net/neutron/+bug/1902917 NOTE: https://review.opendev.org/c/openstack/neutron/+/776599 = data/DSA/list = @@ -1,3 +1,7 @@ +[10 Oct 2021] DSA-4983-1 neutron - security update + {CVE-2021-40085} + [buster] - neutron 2:13.0.7+git.2021.09.27.bace3d1890-0+deb10u1 + [bullseye] - neutron 2:17.2.1-0+deb11u1 [08 Oct 2021] DSA-4982-1 apache2 - security update {CVE-2021-34798 CVE-2021-36160 CVE-2021-39275 CVE-2021-40438} [buster] - apache2 2.4.38-3+deb10u6 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9abd69e7f7cf0e110b7a3f8d7f876f309a90f75 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9abd69e7f7cf0e110b7a3f8d7f876f309a90f75 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
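Review bot: the CVE-2021-20267 buster line changes from "(Minor issue)" to the fixed version 2:13.0.7+git.2021.09.27.bace3d1890-0+deb10u1, which is the same buster upload the DSA-4983-1 entry in this commit lists for CVE-2021-40085 only; if the upload fixes both, CVE-2021-20267 belongs in the DSA's CVE list (and gets a {DSA-4983-1} reference), otherwise a NOTE should record that it is fixed by the upload but not claimed by the advisory.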
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2017-11190/unrar-free
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 613dc285 by Salvatore Bonaccorso at 2021-10-10T09:50:19+02:00 Update information for CVE-2017-11190/unrar-free - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -265472,8 +265472,9 @@ CVE-2017-11192 CVE-2017-11191 (** DISPUTED ** FreeIPA 4.x with API version 2.213 allows a remote auth ...) NOTE: non-issue claimed for freepia CVE-2017-11190 (unrarlib.c in unrar-free 0.0.1, when _DEBUG_LOG mode is enabled, might ...) - - unrar-free (unimportant) + - unrar-free 1:0.0.2-0.1 (unimportant; bug #995065) NOTE: Affected debug code not enabled + NOTE: https://gitlab.com/bgermann/unrar-free/-/commit/e4b3d2d974780af12d8221a25165809e611676df CVE-2017-11189 (unrarlib.c in unrar-free 0.0.1 might allow remote attackers to cause a ...) - unrar-free 1:0.0.1+cvs20140707-4 (unimportant) NOTE: Crash in CLI tool, no security impact View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/613dc285957a911adeb7c7bb782825fccc0c140e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/613dc285957a911adeb7c7bb782825fccc0c140e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
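Review bot: the fixed version 1:0.0.2-0.1 keeps "(unimportant)" and adds "bug #995065", which is consistent with the existing NOTE that the affected debug code is not enabled, but the new NOTE gives only the upstream commit URL without the "(vX.Y)" suffix the other NOTEs on this page use (getID3, netty) to tie a commit to the release that ships it; adding "(v0.0.2)" or whichever tag applies makes the version match verifiable. The context line "non-issue claimed for freepia" also has a typo for FreeIPA, not part of this change.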
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-3713{6,7}/netty
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 980ac60f by Salvatore Bonaccorso at 2021-10-10T09:13:54+02:00 Add CVE-2021-3713{6,7}/netty - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11694,8 +11694,14 @@ CVE-2021-37138 RESERVED CVE-2021-37137 RESERVED + - netty + NOTE: https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363 + NOTE: Fixed by: https://github.com/netty/netty/commit/6da4956b31023ae967451e1d94ff51a746a9194f (netty-4.1.68.Final) CVE-2021-37136 RESERVED + - netty + NOTE: https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv + NOTE: Fixed by: https://github.com/netty/netty/commit/41d3d61a61608f2223bb364955ab2045dd5e4020 (netty-4.1.68.Final) CVE-2021-37135 RESERVED CVE-2021-37134 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/980ac60f8ab6bef1533a952194be543b92e51a89 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/980ac60f8ab6bef1533a952194be543b92e51a89 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
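Review bot: both new entries add "- netty" with the GHSA advisory and the fixing commit (netty-4.1.68.Final) but no fixed Debian version and no [bullseye] or [buster] status, and both description lines still read RESERVED; as written every release shows as open, so the entries need either the unstable version once it is uploaded or the usual per-release annotations, and a NOTE on what the two advisories concern would help LTS triage while the CVE text is still reserved.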