[Git][security-tracker-team/security-tracker][master] 9 commits: mark CVE-2021-32815 as no-dsa for Stretch

2021-10-23 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e03e4fe1 by Thorsten Alteholz at 2021-10-24T00:38:35+02:00
mark CVE-2021-32815 as no-dsa for Stretch

- - - - -
2a2011cc by Thorsten Alteholz at 2021-10-24T00:39:40+02:00
mark CVE-2021-34335 as no-dsa for Stretch

- - - - -
3270071f by Thorsten Alteholz at 2021-10-24T00:51:28+02:00
mark CVE-2021-37616 as no-dsa for Stretch

- - - - -
8f715389 by Thorsten Alteholz at 2021-10-24T00:51:52+02:00
mark CVE-2021-37615 as no-dsa for Stretch

- - - - -
51721ac5 by Thorsten Alteholz at 2021-10-24T00:54:14+02:00
mark CVE-2021-37618 as no-dsa for Stretch

- - - - -
e7296955 by Thorsten Alteholz at 2021-10-24T00:55:56+02:00
mark CVE-2021-37619 as no-dsa for Stretch

- - - - -
fbcf6902 by Thorsten Alteholz at 2021-10-24T00:56:31+02:00
mark CVE-2021-37621 as no-dsa for Stretch

- - - - -
80cbb58f by Thorsten Alteholz at 2021-10-24T00:58:25+02:00
mark CVE-2021-37622 as no-dsa for Stretch

- - - - -
a0099de8 by Thorsten Alteholz at 2021-10-24T00:58:47+02:00
mark CVE-2021-37623 as no-dsa for Stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13560,14 +13560,17 @@ CVE-2021-37624
RESERVED
 CVE-2021-37623 (Exiv2 is a command-line utility and C++ library for reading, 
writing,  ...)
- exiv2 
+   [stretch] - exiv2  (Minor issue)
NOTE: 
https://github.com/Exiv2/exiv2/security/advisories/GHSA-mvc4-g5pv-4qqq
NOTE: https://github.com/Exiv2/exiv2/pull/1790
 CVE-2021-37622 (Exiv2 is a command-line utility and C++ library for reading, 
writing,  ...)
- exiv2 
+   [stretch] - exiv2  (Minor issue)
NOTE: 
https://github.com/Exiv2/exiv2/security/advisories/GHSA-9jh3-fcc3-g6hv
NOTE: https://github.com/Exiv2/exiv2/pull/1788
 CVE-2021-37621 (Exiv2 is a command-line utility and C++ library for reading, 
writing,  ...)
- exiv2 
+   [stretch] - exiv2  (Minor issue)
NOTE: 
https://github.com/Exiv2/exiv2/security/advisories/GHSA-m479-7frc-gqqg
NOTE: https://github.com/Exiv2/exiv2/pull/1778
 CVE-2021-37620 (Exiv2 is a command-line utility and C++ library for reading, 
writing,  ...)
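Review bot: the three entries changed in this hunk (CVE-2021-37623, CVE-2021-37622, CVE-2021-37621) gain a `[stretch]` no-dsa line but carry no `[bullseye]` or `[buster]` line, whereas the neighbouring CVE-2021-37618, CVE-2021-37616 and CVE-2021-37615 entries already list both suites as `(Minor issue)`; if these three were triaged the same way, add matching `[bullseye]` and `[buster]` lines so the stable suites do not stay listed as open, and if they are meant to be handled via a DSA, say so in a NOTE so the asymmetry reads as deliberate.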
@@ -13576,12 +13579,14 @@ CVE-2021-37620 (Exiv2 is a command-line utility and 
C++ library for reading, wri
NOTE: https://github.com/Exiv2/exiv2/pull/1769
 CVE-2021-37619 (Exiv2 is a command-line utility and C++ library for reading, 
writing,  ...)
- exiv2 
+   [stretch] - exiv2  (Minor issue)
NOTE: 
https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v
NOTE: https://github.com/Exiv2/exiv2/pull/1752
 CVE-2021-37618 (Exiv2 is a command-line utility and C++ library for reading, 
writing,  ...)
- exiv2 
[bullseye] - exiv2  (Minor issue)
[buster] - exiv2  (Minor issue)
+   [stretch] - exiv2  (Minor issue)
NOTE: 
https://github.com/Exiv2/exiv2/security/advisories/GHSA-583f-w9pm-99r2
NOTE: https://github.com/Exiv2/exiv2/pull/1759
 CVE-2021-37617 (The Nextcloud Desktop Client is a tool to synchronize files 
from Nextc ...)
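Review bot: the added line reads `[stretch] - exiv2  (Minor issue)` with a double space where the status token belongs; in the tracker syntax that slot holds an angle-bracket token (here `<no-dsa>`, as the commit message says), which this mail rendering strips along with every other `<...>` token in the file, so check the committed file rather than this mail before concluding a token is missing, and the same caveat applies to the unversioned `- exiv2 ` lines.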
@@ -13591,12 +13596,14 @@ CVE-2021-37616 (Exiv2 is a command-line utility and 
C++ library for reading, wri
- exiv2 
[bullseye] - exiv2  (Minor issue)
[buster] - exiv2  (Minor issue)
+   [stretch] - exiv2  (Minor issue)
NOTE: 
https://github.com/Exiv2/exiv2/security/advisories/GHSA-54f7-vvj7-545w
NOTE: https://github.com/Exiv2/exiv2/pull/1758
 CVE-2021-37615 (Exiv2 is a command-line utility and C++ library for reading, 
writing,  ...)
- exiv2 
[bullseye] - exiv2  (Minor issue)
[buster] - exiv2  (Minor issue)
+   [stretch] - exiv2  (Minor issue)
NOTE: 
https://github.com/Exiv2/exiv2/security/advisories/GHSA-h9x9-4f77-336w
NOTE: https://github.com/Exiv2/exiv2/pull/1758
 CVE-2021-37614 (In certain Progress MOVEit Transfer versions before 2021.0.3 
(aka 13.0 ...)
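Review bot: CVE-2021-37616 and CVE-2021-37615 both cite https://github.com/Exiv2/exiv2/pull/1758 as their fix reference, while every other exiv2 entry in this commit points at a distinct pull request; either one PR genuinely closes both issues, in which case a short NOTE saying so would save the next triager a lookup, or one of the two links is a copy-paste slip that should be corrected before a stretch update is prepared from these references.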
@@ -21241,6 +21248,7 @@ CVE-2021-34336
RESERVED
 CVE-2021-34335 (Exiv2 is a command-line utility and C++ library for reading, 
writing,  ...)
- exiv2  (bug #992707)
+   [stretch] - exiv2  (Minor issue)
NOTE: 
https://github.com/Exiv2/exiv2/security/advisories/GHSA-pvjp-m4f6-q984
NOTE: https://github.com/Exiv2/exiv2/pull/1750
 CVE-2021-34334 (Exiv2 is a command-line utility and C++ library for reading, 
writing,  ...)
@@ -24864,6 +24872,7 @@ CVE-2021-32816 (ProtonMail Web Client is the official 
AngularJS web client for t
NOT-FOR-US: ProtonMail Web Client
 CVE-2021-32815 (Exiv2 is a command-line utility and C++ library for reading, 
writing,  ...)
- exiv2  (bug #992705)
+   [stretch] - exiv2  (Minor issue)
NOTE: 
https://github.com/Exiv2/exiv2/security/advisories/GHSA-mv9g-fxh2-m49m
NOTE: https://github.com/Exiv2/exiv2/pull/1739
 CVE-2021-32814 (Skytable 

[Git][security-tracker-team/security-tracker][master] automatic update

2021-10-23 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0abb5590 by security tracker role at 2021-10-23T20:10:17+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,5 @@
+CVE-2021-3900
+   RESERVED
 CVE-2021-42852
RESERVED
 CVE-2021-42851
@@ -2906,14 +2908,14 @@ CVE-2021-42099
 CVE-2021-42098 (An incomplete permission check on entries in Devolutions 
Remote Deskto ...)
NOT-FOR-US: Devolutions
 CVE-2021-42097 (GNU Mailman before 2.1.35 may allow remote Privilege 
Escalation. A csr ...)
-   {DSA-4991-1}
+   {DSA-4991-1 DLA-2791-1}
- mailman 
NOTE: Fixed by: 
https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1873
NOTE: https://bugs.launchpad.net/mailman/+bug/1947640
NOTE: 
https://mail.python.org/archives/list/mailman-annou...@python.org/thread/IKCO6JU755AP5G5TKMBJL6IEZQTTNPDQ/
NOTE: https://www.openwall.com/lists/oss-security/2021/10/21/4
 CVE-2021-42096 (GNU Mailman before 2.1.35 may allow remote Privilege 
Escalation. A cer ...)
-   {DSA-4991-1}
+   {DSA-4991-1 DLA-2791-1}
- mailman 
NOTE: Fixed by: 
https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1873
NOTE: https://bugs.launchpad.net/mailman/+bug/1947639



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0abb55908d457dabc67220272305c8514f043758

You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2791-1 for mailman

2021-10-23 Thread Chris Lamb (@lamby)


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
336b79d1 by Chris Lamb at 2021-10-23T17:51:00+01:00
Reserve DLA-2791-1 for mailman

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[23 Oct 2021] DLA-2791-1 mailman - security update
+   {CVE-2021-42096 CVE-2021-42097}
+   [stretch] - mailman 1:2.1.23-1+deb9u7
 [21 Oct 2021] DLA-2790-1 python-babel - security update
{CVE-2021-42771}
[stretch] - python-babel 2.3.4+dfsg.1-2+deb9u1


=
data/dla-needed.txt
=
@@ -52,8 +52,6 @@ linux (Ben Hutchings)
 --
 linux-4.19 (Ben Hutchings)
 --
-mailman (Chris Lamb)
---
 mosquitto (Anton Gladky)
   NOTE: 20210805: coordinating upload to buster before DLA for Stretch 
(codehelp)
   NOTE: 20210806: CVE-2021-34432 ignored in buster and stretch. Vulnerable 
code not accessible. (codehelp)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/336b79d1042ad93dbdf8a86f92edac9dd0cb7694



[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2019-15237/roundcube

2021-10-23 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
49018062 by Salvatore Bonaccorso at 2021-10-23T11:49:41+02:00
Track fixed version for CVE-2019-15237/roundcube

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -150397,7 +150397,7 @@ CVE-2019-15238 (The cforms2 plugin before 15.0.2 for 
WordPress has CSRF related
NOT-FOR-US: Wordpress plugin
 CVE-2019-15237 (Roundcube Webmail through 1.3.9 mishandles Punycode xn-- 
domain names, ...)
[experimental] - roundcube 1.5~rc+dfsg.1-1
-   - roundcube  (low; bug #949629)
+   - roundcube 1.5.0+dfsg.1-1 (low; bug #949629)
[bullseye] - roundcube  (Minor issue)
[buster] - roundcube  (Minor issue)
[stretch] - roundcube  (Minor issue)
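Review bot: with `- roundcube 1.5.0+dfsg.1-1` now recording the fix in unstable, the `[experimental] - roundcube 1.5~rc+dfsg.1-1` line above it no longer adds information and can be dropped unless it is being kept deliberately; the three `(Minor issue)` lines for bullseye, buster and stretch are untouched, so those suites remain no-dsa and the `(low; bug #949629)` severity and bug reference carry over unchanged.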



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/49018062a10fbc7fe2541cf13df2defca3b92e40



[Git][security-tracker-team/security-tracker][master] Mark CVE-2021-25742 as NFU

2021-10-23 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ab337ee4 by Salvatore Bonaccorso at 2021-10-23T11:02:24+02:00
Mark CVE-2021-25742 as NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -43045,6 +43045,7 @@ CVE-2021-25743
RESERVED
 CVE-2021-25742
RESERVED
+   NOT-FOR-US: Kubernetes ingress-nginx component
 CVE-2021-25741 (A security issue was discovered in Kubernetes where a user may 
be able ...)
- kubernetes 
[bullseye] - kubernetes  (Kubernetes in Bullseye only 
ships the client)
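Review bot: the `NOT-FOR-US: Kubernetes ingress-nginx component` line marks this CVE as not affecting Debian while the entry directly below, CVE-2021-25741, is tracked against the `kubernetes` source package; the NFU holds only because the ingress-nginx controller is not built from that package, so stating that in the line (or adding a NOTE with the upstream advisory) would stop a later triager from reopening it against `kubernetes`.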



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab337ee446db92fa710b29041b5a133d70a41dd4



[Git][security-tracker-team/security-tracker][master] Mark CVE-2021-3872/vim as no-dsa for bullseye and buster

2021-10-23 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
69e55a83 by Salvatore Bonaccorso at 2021-10-23T10:56:49+02:00
Mark CVE-2021-3872/vim as no-dsa for bullseye and buster

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2871,6 +2871,8 @@ CVE-2021-42101 (An uncontrolled search path element 
vulnerabilities in Trend Mic
NOT-FOR-US: Trend Micro
 CVE-2021-3872 (vim is vulnerable to Heap-based Buffer Overflow ...)
- vim 
+   [bullseye] - vim  (Minor issue)
+   [buster] - vim  (Minor issue)
[stretch] - vim  (Minor issue)
NOTE: https://huntr.dev/bounties/c958013b-1c09-4939-92ca-92f50aa169e8
NOTE: 
https://github.com/vim/vim/commit/826bfe4bbd7594188e3d74d2539d9707b1c6a14b
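Review bot: the new `[bullseye]` and `[buster]` lines match the existing `[stretch]` marking and the commit message, but the NOTE citing commit 826bfe4bbd7594188e3d74d2539d9707b1c6a14b gives no vim patch level; the CVE-2021-3875 entry edited the same day tags its commits with `(v8.2.3110)` and `(v8.2.3489)`, and the same annotation here would show at a glance which upstream release, and hence which future Debian upload, carries the fix.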



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/69e55a8329218ca2a6ce27539d3aa952c0b62937



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-3896/linux

2021-10-23 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4503d80b by Salvatore Bonaccorso at 2021-10-23T10:53:41+02:00
Add CVE-2021-3896/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -88,8 +88,11 @@ CVE-2021-42814
RESERVED
 CVE-2021-42813
RESERVED
-CVE-2021-3896
+CVE-2021-3896 [isdn: cpai: check ctr->cnr to avoid array index out of bound]
RESERVED
+   - linux 
+   NOTE: https://www.openwall.com/lists/oss-security/2021/10/19/1
+   NOTE: 
https://git.kernel.org/linus/1f3e2e97c003f80c4b087092b225c8787ff91e4d
 CVE-2021-42812
RESERVED
 CVE-2021-42811



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4503d80b77432dcb2c350d7d4d53eed99a2a14bb



[Git][security-tracker-team/security-tracker][master] Process several NFUs

2021-10-23 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
973e7eb9 by Salvatore Bonaccorso at 2021-10-23T10:20:00+02:00
Process several NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -236,31 +236,31 @@ CVE-2021-3895
 CVE-2021-23192
RESERVED
 CVE-2020-36502 (Swift File Transfer Mobile v1.1.2 was discovered to contain a 
cross-si ...)
-   TODO: check
+   NOT-FOR-US: Swift File Transfer Mobile
 CVE-2020-36501 (Multiple cross-site scripting (XSS) vulnerabilities in the 
Support mod ...)
-   TODO: check
+   NOT-FOR-US: SugarCRM
 CVE-2020-36500
RESERVED
 CVE-2020-36499 (TAO Open Source Assessment Platform v3.3.0 RC02 was discovered 
to cont ...)
-   TODO: check
+   NOT-FOR-US: TAO Open Source Assessment Platform
 CVE-2020-36498 (Macrob7 Macs Framework Content Management System - 1.14f 
contains a cr ...)
-   TODO: check
+   NOT-FOR-US: Macrob7 Macs Framework Content Management System
 CVE-2020-36497 (DedeCMS v7.5 SP2 was discovered to contain multiple cross-site 
scripti ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2020-36496 (DedeCMS v7.5 SP2 was discovered to contain multiple cross-site 
scripti ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2020-36495 (DedeCMS v7.5 SP2 was discovered to contain multiple cross-site 
scripti ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2020-36494 (DedeCMS v7.5 SP2 was discovered to contain multiple cross-site 
scripti ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2020-36493 (DedeCMS v7.5 SP2 was discovered to contain multiple cross-site 
scripti ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2020-36492 (DedeCMS v7.5 SP2 was discovered to contain multiple cross-site 
scripti ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2020-36491 (DedeCMS v7.5 SP2 was discovered to contain multiple cross-site 
scripti ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2020-36490 (DedeCMS v7.5 SP2 was discovered to contain multiple cross-site 
scripti ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2021- [RUSTSEC-2020-0159: Potential segfault in localtime_r 
invocations]
- rust-chrono  (bug #996913)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0159.html
@@ -2005,13 +2005,13 @@ CVE-2021-42394
 CVE-2021-42393
RESERVED
 CVE-2020-36489 (Dropouts Technologies LLP Air Share v1.2 was discovered to 
contain a c ...)
-   TODO: check
+   NOT-FOR-US: Dropouts Technologies LLP Air Share
 CVE-2020-36488 (An issue in the FTP server of Sky File v2.1.0 allows attackers 
to perf ...)
-   TODO: check
+   NOT-FOR-US: Sky File
 CVE-2020-36487
RESERVED
 CVE-2020-36486 (Swift File Transfer Mobile v1.1.2 and below was discovered to 
contain  ...)
-   TODO: check
+   NOT-FOR-US: Swift File Transfer Mobile
 CVE-2021-42392
RESERVED
 CVE-2021-42391
@@ -2105,7 +2105,7 @@ CVE-2021-42348
 CVE-2021-42347
RESERVED
 CVE-2020-36485 (Portable Ltd Playable v9.18 was discovered to contain an 
arbitrary fil ...)
-   TODO: check
+   NOT-FOR-US: Portable Ltd Playable
 CVE-2021-42346
RESERVED
 CVE-2021-42345
@@ -2528,7 +2528,7 @@ CVE-2021-42260 (TinyXML through 2.6.2 has an infinite 
loop in TiXmlParsingData::
 CVE-2021-42259
RESERVED
 CVE-2021-42258 (BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 
allows SQL i ...)
-   TODO: check
+   NOT-FOR-US: BQE BillQuick Web Suite
 CVE-2021-42257 (check_smart before 6.9.1 allows unintended drive access by an 
unprivil ...)
NOT-FOR-US: check_smart Icinga plugin
 CVE-2021-42256
@@ -62850,35 +62850,35 @@ CVE-2020-28971 (An issue was discovered on Western 
Digital My Cloud OS 5 devices
 CVE-2020-28970 (An issue was discovered on Western Digital My Cloud OS 5 
devices befor ...)
NOT-FOR-US: Western Digital My Cloud OS 5 devices
 CVE-2020-28969 (Aplioxio PDF ShapingUp 5.0.0.139 contains a buffer overflow 
which allo ...)
-   TODO: check
+   NOT-FOR-US: Aplioxio PDF ShapingUp
 CVE-2020-28968 (Draytek VigorAP 1000C contains a stored cross-site scripting 
(XSS) vul ...)
-   TODO: check
+   NOT-FOR-US: Draytek VigorAP 1000C
 CVE-2020-28967 (FlashGet v1.9.6 was discovered to contain a buffer overflow in 
the 'cu ...)
-   TODO: check
+   NOT-FOR-US: FlashGet
 CVE-2020-28966
RESERVED
 CVE-2020-28965
RESERVED
 CVE-2020-28964 (Internet Download Manager 6.37.11.1 was discovered to contain 
a stack  ...)
-   TODO: check
+   NOT-FOR-US: Internet Download Manager
 CVE-2020-28963 (Passcovery Co. Ltd ZIP Password Recovery v3.70.69.0 was 
discovered to  ...)
-   TODO: check
+   NOT-FOR-US: Passcovery Co. Ltd ZIP Password Recovery
 CVE-2020-28962
RESERVED
 CVE-2020-28961 (Perfex CRM v2.4.4 was discovered to contain a stored 

[Git][security-tracker-team/security-tracker][master] dla: take botan1.10

2021-10-23 Thread Adrian Bunk (@bunk)


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1d7e7062 by Adrian Bunk at 2021-10-23T11:11:47+03:00
dla: take botan1.10

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -18,7 +18,7 @@ ansible
   NOTE: 20210411: after that LTS. (apo)
   NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/
 --
-botan1.10
+botan1.10 (Adrian Bunk)
 --
 debian-archive-keyring
   NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d7e7062e436dba7808e230b83811c5f3a61ef84



[Git][security-tracker-team/security-tracker][master] automatic update

2021-10-23 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1d2d4aac by security tracker role at 2021-10-23T08:10:17+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,19 @@
+CVE-2021-42852
+   RESERVED
+CVE-2021-42851
+   RESERVED
+CVE-2021-42850
+   RESERVED
+CVE-2021-42849
+   RESERVED
+CVE-2021-42848
+   RESERVED
+CVE-2021-3899
+   RESERVED
+CVE-2021-3898
+   RESERVED
+CVE-2021-3897
+   RESERVED
 CVE-2021-42847
RESERVED
 CVE-2021-42846
@@ -219,32 +235,32 @@ CVE-2021-3895
RESERVED
 CVE-2021-23192
RESERVED
-CVE-2020-36502
-   RESERVED
-CVE-2020-36501
-   RESERVED
+CVE-2020-36502 (Swift File Transfer Mobile v1.1.2 was discovered to contain a 
cross-si ...)
+   TODO: check
+CVE-2020-36501 (Multiple cross-site scripting (XSS) vulnerabilities in the 
Support mod ...)
+   TODO: check
 CVE-2020-36500
RESERVED
-CVE-2020-36499
-   RESERVED
-CVE-2020-36498
-   RESERVED
-CVE-2020-36497
-   RESERVED
-CVE-2020-36496
-   RESERVED
-CVE-2020-36495
-   RESERVED
-CVE-2020-36494
-   RESERVED
-CVE-2020-36493
-   RESERVED
-CVE-2020-36492
-   RESERVED
-CVE-2020-36491
-   RESERVED
-CVE-2020-36490
-   RESERVED
+CVE-2020-36499 (TAO Open Source Assessment Platform v3.3.0 RC02 was discovered 
to cont ...)
+   TODO: check
+CVE-2020-36498 (Macrob7 Macs Framework Content Management System - 1.14f 
contains a cr ...)
+   TODO: check
+CVE-2020-36497 (DedeCMS v7.5 SP2 was discovered to contain multiple cross-site 
scripti ...)
+   TODO: check
+CVE-2020-36496 (DedeCMS v7.5 SP2 was discovered to contain multiple cross-site 
scripti ...)
+   TODO: check
+CVE-2020-36495 (DedeCMS v7.5 SP2 was discovered to contain multiple cross-site 
scripti ...)
+   TODO: check
+CVE-2020-36494 (DedeCMS v7.5 SP2 was discovered to contain multiple cross-site 
scripti ...)
+   TODO: check
+CVE-2020-36493 (DedeCMS v7.5 SP2 was discovered to contain multiple cross-site 
scripti ...)
+   TODO: check
+CVE-2020-36492 (DedeCMS v7.5 SP2 was discovered to contain multiple cross-site 
scripti ...)
+   TODO: check
+CVE-2020-36491 (DedeCMS v7.5 SP2 was discovered to contain multiple cross-site 
scripti ...)
+   TODO: check
+CVE-2020-36490 (DedeCMS v7.5 SP2 was discovered to contain multiple cross-site 
scripti ...)
+   TODO: check
 CVE-2021- [RUSTSEC-2020-0159: Potential segfault in localtime_r 
invocations]
- rust-chrono  (bug #996913)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0159.html
@@ -1988,14 +2004,14 @@ CVE-2021-42394
RESERVED
 CVE-2021-42393
RESERVED
-CVE-2020-36489
-   RESERVED
-CVE-2020-36488
-   RESERVED
+CVE-2020-36489 (Dropouts Technologies LLP Air Share v1.2 was discovered to 
contain a c ...)
+   TODO: check
+CVE-2020-36488 (An issue in the FTP server of Sky File v2.1.0 allows attackers 
to perf ...)
+   TODO: check
 CVE-2020-36487
RESERVED
-CVE-2020-36486
-   RESERVED
+CVE-2020-36486 (Swift File Transfer Mobile v1.1.2 and below was discovered to 
contain  ...)
+   TODO: check
 CVE-2021-42392
RESERVED
 CVE-2021-42391
@@ -2088,8 +2104,8 @@ CVE-2021-42348
RESERVED
 CVE-2021-42347
RESERVED
-CVE-2020-36485
-   RESERVED
+CVE-2020-36485 (Portable Ltd Playable v9.18 was discovered to contain an 
arbitrary fil ...)
+   TODO: check
 CVE-2021-42346
RESERVED
 CVE-2021-42345
@@ -2511,8 +2527,8 @@ CVE-2021-42260 (TinyXML through 2.6.2 has an infinite 
loop in TiXmlParsingData::
NOTE: https://sourceforge.net/p/tinyxml/bugs/141/
 CVE-2021-42259
RESERVED
-CVE-2021-42258
-   RESERVED
+CVE-2021-42258 (BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 
allows SQL i ...)
+   TODO: check
 CVE-2021-42257 (check_smart before 6.9.1 allows unintended drive access by an 
unprivil ...)
NOT-FOR-US: check_smart Icinga plugin
 CVE-2021-42256
@@ -62833,36 +62849,36 @@ CVE-2020-28971 (An issue was discovered on Western 
Digital My Cloud OS 5 devices
NOT-FOR-US: Western Digital My Cloud OS 5 devices
 CVE-2020-28970 (An issue was discovered on Western Digital My Cloud OS 5 
devices befor ...)
NOT-FOR-US: Western Digital My Cloud OS 5 devices
-CVE-2020-28969
-   RESERVED
-CVE-2020-28968
-   RESERVED
-CVE-2020-28967
-   RESERVED
+CVE-2020-28969 (Aplioxio PDF ShapingUp 5.0.0.139 contains a buffer overflow 
which allo ...)
+   TODO: check
+CVE-2020-28968 (Draytek VigorAP 1000C contains a stored cross-site scripting 
(XSS) vul ...)
+   TODO: check
+CVE-2020-28967 (FlashGet v1.9.6 was discovered to contain a buffer overflow in 
the 'cu ...)
+   TODO: check
 CVE-2020-28966
RESERVED
 CVE-2020-28965
RESERVED
-CVE-2020-28964
-   RESERVED
-CVE-2020-28963

[Git][security-tracker-team/security-tracker][master] Update information for CVE-2021-3875/vim

2021-10-23 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
21d8ec6c by Salvatore Bonaccorso at 2021-10-23T10:03:13+02:00
Update information for CVE-2021-3875/vim

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2774,11 +2774,12 @@ CVE-2021-3876
RESERVED
 CVE-2021-3875 (vim is vulnerable to Heap-based Buffer Overflow ...)
- vim  (bug #996593)
-   [bullseye] - vim  (Minor issue)
-   [buster] - vim  (Minor issue)
-   [stretch] - vim  (Minor issue)
+   [bullseye] - vim  (Vulnerable feature and code introduced 
later)
+   [buster] - vim  (Vulnerable feature and code introduced 
later)
+   [stretch] - vim  (Vulnerable feature and code introduced 
later)
NOTE: https://huntr.dev/bounties/5cdbc168-6ba1-4bc2-ba6c-28be12166a53/
-   NOTE: 
https://github.com/vim/vim/commit/35a319b77f897744eec1155b736e9372c9c5575f 
(v8.2.3489)
+   NOTE: Search from cursor position introduced in: 
https://github.com/vim/vim/commit/04db26b36000a4677b95403ec94bd11f6cc73975 
(v8.2.3110)
+   NOTE: Fixed by: 
https://github.com/vim/vim/commit/35a319b77f897744eec1155b736e9372c9c5575f 
(v8.2.3489)
 CVE-2021-42133
RESERVED
 CVE-2021-42132
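Review bot: changing the reason from `(Minor issue)` to `(Vulnerable feature and code introduced later)` normally goes together with switching the status token from no-dsa to not-affected, and that token is not visible here because the mail rendering strips the angle-bracket tokens, so confirm the committed lines carry the token that matches the new wording; the claim itself holds as long as the vim versions shipped in bullseye, buster and stretch predate 8.2.3110, the patch the new NOTE identifies as introducing the search-from-cursor code.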



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21d8ec6c120bcf4ffa1005dd6f52a2399bdc7e21



[Git][security-tracker-team/security-tracker][master] add botan1.10

2021-10-23 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8c522242 by Thorsten Alteholz at 2021-10-23T09:38:25+02:00
add botan1.10

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -18,6 +18,8 @@ ansible
   NOTE: 20210411: after that LTS. (apo)
   NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/
 --
+botan1.10
+--
 debian-archive-keyring
   NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html
   NOTE: 20210920: Raphael answered. will backport today. (utkarsh)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8c522242c337d4bcf5f1211c3ae8652eaad40dc4



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim mailman.

2021-10-23 Thread Chris Lamb (@lamby)


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b09d6bbb by Chris Lamb at 2021-10-23T08:36:40+01:00
data/dla-needed.txt: Claim mailman.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -50,7 +50,7 @@ linux (Ben Hutchings)
 --
 linux-4.19 (Ben Hutchings)
 --
-mailman
+mailman (Chris Lamb)
 --
 mosquitto (Anton Gladky)
   NOTE: 20210805: coordinating upload to buster before DLA for Stretch 
(codehelp)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b09d6bbb905a02db364cb0db7be1ced27ff1cc99



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-42836/golang-github-tidwall-gjson

2021-10-23 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5894b8b8 by Salvatore Bonaccorso at 2021-10-23T08:51:08+02:00
Add CVE-2021-42836/golang-github-tidwall-gjson

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21,7 +21,11 @@ CVE-2021-42838
 CVE-2021-42837
RESERVED
 CVE-2021-42836 (GJSON before 1.9.3 allows a ReDoS (regular expression denial 
of servic ...)
-   TODO: check
+   - golang-github-tidwall-gjson 
+   NOTE: 
https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944
+   NOTE: 
https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96
+   NOTE: https://github.com/tidwall/gjson/issues/236
+   NOTE: https://github.com/tidwall/gjson/issues/237
 CVE-2021-42835
RESERVED
 CVE-2021-42834
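Review bot: the `- golang-github-tidwall-gjson ` line records the package without a fixed version and the four NOTEs give two fix commits and two issues, but the description already states the fixed upstream release (`GJSON before 1.9.3`); tagging the two commits with `(v1.9.3)` in the NOTE, and adding `[bullseye]` and `[buster]` lines once their status is triaged, would complete the entry.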



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5894b8b8ee9bd23b482241d3cd1c2d5ef4ab884d



[Git][security-tracker-team/security-tracker][master] Process NFUs

2021-10-23 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
50bad0b5 by Salvatore Bonaccorso at 2021-10-23T08:50:21+02:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13,7 +13,7 @@ CVE-2021-42842
 CVE-2021-42841
RESERVED
 CVE-2021-42840 (SuiteCRM before 7.11.19 allows remote code execution via the 
system se ...)
-   TODO: check
+   NOT-FOR-US: SuiteCRM
 CVE-2021-42839
RESERVED
 CVE-2021-42838
@@ -631,7 +631,7 @@ CVE-2021-42558
 CVE-2021-42557
RESERVED
 CVE-2021-42556 (Rasa X before 0.42.4 allows Directory Traversal during archive 
extract ...)
-   TODO: check
+   NOT-FOR-US: Rasa X
 CVE-2021-42555
RESERVED
 CVE-2021-42554
@@ -675,23 +675,23 @@ CVE-2021-42544
 CVE-2021-42543
RESERVED
 CVE-2021-42542 (The affected product is vulnerable to directory traversal due 
to misha ...)
-   TODO: check
+   NOT-FOR-US: Emerson
 CVE-2021-42541
RESERVED
 CVE-2021-42540 (The affected product is vulnerable to a unsanitized extract 
folder for ...)
-   TODO: check
+   NOT-FOR-US: Emerson
 CVE-2021-42539 (The affected product is vulnerable to a missing permission 
validation  ...)
-   TODO: check
+   NOT-FOR-US: Emerson
 CVE-2021-42538 (The affected product is vulnerable to a parameter injection 
via passph ...)
-   TODO: check
+   NOT-FOR-US: Emerson
 CVE-2021-42537
RESERVED
 CVE-2021-42536 (The affected product is vulnerable to a disclosure of peer 
username an ...)
-   TODO: check
+   NOT-FOR-US: Emerson
 CVE-2021-42535
RESERVED
 CVE-2021-42534 (The affected products web application does not properly 
neutral ...)
-   TODO: check
+   NOT-FOR-US: Trane
 CVE-2021-42533
RESERVED
 CVE-2021-42532
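Review bot: the descriptions of CVE-2021-42542, CVE-2021-42540, CVE-2021-42539, CVE-2021-42538, CVE-2021-42536 and CVE-2021-42534 only say `The affected product ...` without naming a vendor, so the `NOT-FOR-US: Emerson` and `NOT-FOR-US: Trane` attributions rest on advisory text that is not in the entry; a NOTE pointing at the advisory for each group would let a later reader verify the attribution without re-looking up every CVE.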
@@ -2693,7 +2693,7 @@ CVE-2021-42171
 CVE-2021-42170
RESERVED
 CVE-2021-42169 (The Simple Payroll System with Dynamic Tax Bracket in PHP 
using SQLite ...)
-   TODO: check
+   NOT-FOR-US: Dynamic Tax Bracket in PHP using SQLite Free Source Code
 CVE-2021-42168
RESERVED
 CVE-2021-42167
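Review bot: the tag added for CVE-2021-42169 does not match the product named in its description. The description begins "The Simple Payroll System with Dynamic Tax Bracket in PHP using SQLite ...", but the new line reads `NOT-FOR-US: Dynamic Tax Bracket in PHP using SQLite Free Source Code`, dropping the leading "Simple Payroll System with" and appending "Free Source Code", which the visible (truncated) description does not show. Suggest `NOT-FOR-US: Simple Payroll System with Dynamic Tax Bracket in PHP using SQLite` so the tag can be matched against the description verbatim.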
@@ -3741,13 +3741,13 @@ CVE-2021-41749
 CVE-2021-41748
RESERVED
 CVE-2021-41747 (Cross-Site Scripting (XSS) vulnerability exists in Csdn APP 
4.10.0, wh ...)
-   TODO: check
+   NOT-FOR-US: Csdn APP
 CVE-2021-41746
RESERVED
 CVE-2021-41745 (ShowDoc 2.8.3 ihas a file upload vulnerability, where 
attackers can us ...)
-   TODO: check
+   NOT-FOR-US: ShowDoc
 CVE-2021-41744 (All versions of yongyou PLM are affected by a command 
injection issue. ...)
-   TODO: check
+   NOT-FOR-US: yongyou PLM
 CVE-2021-41743
RESERVED
 CVE-2021-41742
@@ -5005,7 +5005,7 @@ CVE-2021-41173
 CVE-2021-41172
RESERVED
 CVE-2021-41171 (eLabFTW is an open source electronic lab notebook manager for 
research ...)
-   TODO: check
+   NOT-FOR-US: eLabFTW
 CVE-2021-41170
RESERVED
 CVE-2021-41169 (Sulu is an open-source PHP content management system based on 
the Symf ...)
@@ -11377,7 +11377,7 @@ CVE-2021-38487
 CVE-2021-38486 (InHand Networks IR615 Router's Versions 2.3.0.r4724 and 
2.3.0.r4870 cl ...)
NOT-FOR-US: InHand Networks IR615 Router
 CVE-2021-38485 (The affected product is vulnerable to improper input 
validation in the ...)
-   TODO: check
+   NOT-FOR-US: Emerson
 CVE-2021-38484 (InHand Networks IR615 Router's Versions 2.3.0.r4724 and 
2.3.0.r4870 do ...)
NOT-FOR-US: InHand Networks IR615 Router
 CVE-2021-38483
@@ -11385,71 +11385,71 @@ CVE-2021-38483
 CVE-2021-38482 (InHand Networks IR615 Router's Versions 2.3.0.r4724 and 
2.3.0.r4870 we ...)
NOT-FOR-US: InHand Networks IR615 Router
 CVE-2021-38481 (The scheduler service running on a specific TCP port enables 
the user  ...)
-   TODO: check
+   NOT-FOR-US: AUVESY
 CVE-2021-38480 (InHand Networks IR615 Router's Versions 2.3.0.r4724 and 
2.3.0.r4870 ar ...)
NOT-FOR-US: InHand Networks IR615 Router
 CVE-2021-38479 (Many API function codes receive raw pointers remotely from the 
user an ...)
-   TODO: check
+   NOT-FOR-US: AUVESY
 CVE-2021-38478 (InHand Networks IR615 Router's Versions 2.3.0.r4724 and 
2.3.0.r4870 ar ...)
NOT-FOR-US: InHand Networks IR615 Router
 CVE-2021-38477 (There are multiple API function codes that permit reading and 
writing  ...)
-   TODO: check
+   NOT-FOR-US: AUVESY
 CVE-2021-38476 (InHand Networks IR615 Router's Versions 2.3.0.r4724 and 
2.3.0.r4870 au ...)
NOT-FOR-US: InHand Networks IR615 Router
 CVE-2021-38475 (The database connection to the server is performed by calling 
a specif ...)
-   TODO: check
+   NOT-FOR-US: AUVESY
 CVE-2021-38474 (InHand Networks IR615 Router's Versions 2.3.0.r4724 and 
2.3.0.r4870 ha ...)
NOT-FOR-US: InHand Networks IR615 Router
 CVE-2021-38473 (The affected products code base doesnt 

[Git][security-tracker-team/security-tracker][master] Process one NFU

2021-10-23 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
173c974b by Salvatore Bonaccorso at 2021-10-23T08:40:57+02:00
Process one NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -32777,7 +32777,7 @@ CVE-2021-29837 (IBM Sterling B2B Integrator Standard 
Edition 5.2.0.0 through 6.1
 CVE-2021-29836 (IBM Sterling B2B Integrator Standard Edition 5.2.0.0. through 
6.1.1.0  ...)
NOT-FOR-US: IBM
 CVE-2021-29835 (IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 is 
vulnera ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2021-29834 (IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 
19.0.0. ...)
NOT-FOR-US: IBM
 CVE-2021-29833 (IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli 
Netcool/OMNIbu ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/173c974b1cdebfedd2a4188fe393359e44719086
