[Git][security-tracker-team/security-tracker][master] Add CVE-2021-43337/slurm-wlm
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f2088928 by Salvatore Bonaccorso at 2021-11-17T08:30:10+01:00 Add CVE-2021-43337/slurm-wlm - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1861,6 +1861,9 @@ CVE-2021-43338 (In Ericsson Network Location MPS GMPC21, it is possible to creat NOT-FOR-US: Ericsson CVE-2021-43337 RESERVED + - slurm-wlm (Affects only 21.08 series; vulnerable code introduced later) + NOTE: https://lists.schedmd.com/pipermail/slurm-announce/2021/68.html + NOTE: https://www.schedmd.com/news.php?id=256 CVE-2021-42743 RESERVED CVE-2021-3926 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2088928dd5067d0a932645297049ea9cdee54ed -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2088928dd5067d0a932645297049ea9cdee54ed You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
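Review bot: the added `- slurm-wlm (Affects only 21.08 series; vulnerable code introduced later)` line gives a not-affected rationale but, as rendered here, carries no status keyword between the package name and the parenthetical, so it reads as an open unfixed entry for unstable; the expected form is `- slurm-wlm <not-affected> (...)`, and since angle-bracket keywords are easily dropped by mail rendering the committed line should be confirmed. The rationale itself would be clearer split into the tracker's usual `(Vulnerable code introduced later)` with the 21.08 detail moved to a NOTE line next to the two advisory URLs.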
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-3917 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0615f678 by Salvatore Bonaccorso at 2021-11-17T08:24:02+01:00 Add CVE-2021-3917 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3250,6 +3250,7 @@ CVE-2021-43172 (NLnet Labs Routinator prior to 0.10.2 happily processes a chain NOTE: https://www.nlnetlabs.nl/downloads/routinator/CVE-2021-43172_CVE-2021-43173_CVE-2021-43174.txt CVE-2021-3917 RESERVED + NOT-FOR-US: coreos-installer CVE-2021-43171 RESERVED CVE-2021-43170 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0615f678eee38d99ca4452aba01a5207bcc6607b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0615f678eee38d99ca4452aba01a5207bcc6607b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-3935/pgbouncer
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 31bff9aa by Salvatore Bonaccorso at 2021-11-17T08:22:40+01:00 Add CVE-2021-3935/pgbouncer - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1454,6 +1454,10 @@ CVE-2021-3936 RESERVED CVE-2021-3935 RESERVED + - pgbouncer + NOTE: https://www.pgbouncer.org/2021/11/pgbouncer-1-16-1 + NOTE: https://github.com/pgbouncer/pgbouncer/releases/tag/pgbouncer_1_16_1 + NOTE: https://github.com/pgbouncer/pgbouncer/commit/e4453c9151a2f5af0a9cb049b302a3f9f9654453 (v1.16.1) CVE-2021-3934 (ohmyzsh is vulnerable to Improper Neutralization of Special Elements u ...) NOT-FOR-US: ohmyzsh CVE-2021-3933 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/31bff9aa37db6aee7e450c75ae7c7fc66d8030db -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/31bff9aa37db6aee7e450c75ae7c7fc66d8030db You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
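Review bot: the `- pgbouncer` line records no fixed version even though the NOTE lines already identify the fix as commit e4453c9 tagged v1.16.1; once pgbouncer 1.16.1 is in unstable the line should carry that version, and the bullseye/buster impact should be stated with per-suite lines (as the gmp entry in this digest does) rather than left implicit.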
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-3943/moodle
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 38058b0c by Salvatore Bonaccorso at 2021-11-17T08:19:08+01:00 Add CVE-2021-3943/moodle - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1318,6 +1318,7 @@ CVE-2021-3944 RESERVED CVE-2021-3943 RESERVED + - moodle CVE-2021-43575 (** DISPUTED ** KNX ETS6 through 6.0.0 uses the hard-coded password ETS ...) NOT-FOR-US: KNX ETS6 CVE-2021-43574 (** UNSUPPORTED WHEN ASSIGNED ** WebAdmin Control Panel in Atmail 6.5.0 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38058b0c6ab1c8d5f100f1645db894025474ec85 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38058b0c6ab1c8d5f100f1645db894025474ec85 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
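Review bot: the new `- moodle` line goes under a still-RESERVED CVE with no NOTE pointing at the upstream advisory that maps the id to a fix, unlike the slurm-wlm and pgbouncer entries in this batch; a reference line would let the mapping be verified once the CVE description is published.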
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-3962/imagemagick
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 904814ad by Salvatore Bonaccorso at 2021-11-17T08:18:20+01:00 Add CVE-2021-3962/imagemagick - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10,8 +10,12 @@ CVE-2021-3964 RESERVED CVE-2021-3963 RESERVED -CVE-2021-3962 +CVE-2021-3962 [heap-use-after-free in at dcm.c RelinquishDCMMemory] RESERVED + - imagemagick + NOTE: https://github.com/ImageMagick/ImageMagick/issues/4446 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/82775af03bbb10a0a1d0e15c0156c75673b4525e + TODO: check, possibly affects only 7.x versions CVE-2022-21641 RESERVED CVE-2022-21640 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/904814adecf9e4e030bd68cadf159722b778ebc2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/904814adecf9e4e030bd68cadf159722b778ebc2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
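Review bot: the bracketed summary `[heap-use-after-free in at dcm.c RelinquishDCMMemory]` has a stray `in at`; `[heap-use-after-free in RelinquishDCMMemory at dcm.c]` reads correctly. The `TODO: check, possibly affects only 7.x versions` line is the right open question to leave on the entry, but it should be resolved into either a fixed version or a `<not-affected>` verdict once the 6.x code has been compared against the referenced issue #4446 and fix commit 82775af.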
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-42114 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 875b815f by Salvatore Bonaccorso at 2021-11-17T08:15:00+01:00 Add CVE-2021-42114 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6896,7 +6896,9 @@ CVE-2021-42116 CVE-2021-42115 RESERVED CVE-2021-42114 (Modern DRAM devices (PC-DDR4, LPDDR4X) are affected by a vulnerability ...) - TODO: check + NOT-FOR-US: hardware vulnerability in DRAM devices (Blacksmith) + NOTE: https://comsec.ethz.ch/wp-content/files/blacksmith_sp22.pdf + NOTE: https://comsec.ethz.ch/research/dram/blacksmith/ CVE-2021-42113 RESERVED CVE-2021-42112 (The "File upload question" functionality in LimeSurvey 3.x-LTS through ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/875b815fb4dfd04f56751b0a9dcf8ff6192dfe2c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/875b815fb4dfd04f56751b0a9dcf8ff6192dfe2c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-202-143558/moodle
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 01419775 by Salvatore Bonaccorso at 2021-11-17T08:12:21+01:00 Add CVE-202-143558/moodle - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1352,6 +1352,7 @@ CVE-2021-43559 - moodle CVE-2021-43558 RESERVED + - moodle CVE-2021-3942 RESERVED CVE-2021-43557 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/01419775aa30897f980d523e9afe4263fed40e88 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/01419775aa30897f980d523e9afe4263fed40e88 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
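Review bot: the commit title `Add CVE-202-143558/moodle` misplaces the digits of the identifier; the hunk itself adds `- moodle` under `CVE-2021-43558`, which is the id the title should name. Harmless for the data file, but it defeats searching `git log` by CVE id.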
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-43559/moodle
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6bc14cd0 by Salvatore Bonaccorso at 2021-11-17T08:11:45+01:00 Add CVE-2021-43559/moodle - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1349,6 +1349,7 @@ CVE-2021-43560 - moodle CVE-2021-43559 RESERVED + - moodle CVE-2021-43558 RESERVED CVE-2021-3942 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6bc14cd07881e12405eed184330656f3b19a18fe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6bc14cd07881e12405eed184330656f3b19a18fe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-43560/moodle
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a14ba88c by Salvatore Bonaccorso at 2021-11-17T08:10:56+01:00 Add CVE-2021-43560/moodle - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1346,6 +1346,7 @@ CVE-2021-43561 (An XSS issue was discovered in the google_for_jobs (aka Google f NOT-FOR-US: TYPO3 extension CVE-2021-43560 RESERVED + - moodle CVE-2021-43559 RESERVED CVE-2021-43558 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a14ba88cc529732aa5547f29e1b0f47fa7d0d6d7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a14ba88cc529732aa5547f29e1b0f47fa7d0d6d7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2019-3686/openqa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 99ce2e30 by Salvatore Bonaccorso at 2021-11-17T08:09:49+01:00 Update status for CVE-2019-3686/openqa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -189046,7 +189046,8 @@ CVE-2019-3688 (The /usr/sbin/pinger binary packaged with squid in SUSE Linux Ent CVE-2019-3687 (The permission package in SUSE Linux Enterprise Server allowed all loc ...) NOT-FOR-US: SuSE CVE-2019-3686 (openQA before commit c172e8883d8f32fced5e02f9b6faaacc913df27b was vuln ...) - - openqa + - openqa (Fixed before initial upload to Debian) + NOTE: Fixed by: https://github.com/os-autoinst/openQA/commit/c172e8883d8f32fced5e02f9b6faaacc913df27b CVE-2019-3685 (Open Build Service before version 0.165.4 diddn't validate TLS certifi ...) - osc (Affects 0.165.x only, bug #941667) CVE-2019-3684 (SUSE Manager until version 4.0.7 and Uyuni until commit 1b426ad5ed0a71 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99ce2e301aa2c9b47a1c8f9b3586e5edd47a9e85 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99ce2e301aa2c9b47a1c8f9b3586e5edd47a9e85 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
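Review bot: `- openqa (Fixed before initial upload to Debian)` states a not-affected rationale but, as rendered here, has no status keyword, so the entry would still count openqa in unstable as vulnerable; the expected form is `- openqa <not-affected> (Fixed before initial upload to Debian)`, and because the angle-bracket keyword is easily lost in mail rendering the committed line should be checked. The `NOTE: Fixed by:` line pointing at commit c172e88 matches the commit named in the CVE text, which is what supports the verdict.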
[Git][security-tracker-team/security-tracker][master] 2 commits: CVEs of atftp postponed until now
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 20a7383c by Thorsten Alteholz at 2021-11-17T01:25:05+01:00 CVEs of atftp postponed until now - - - - - f130652d by Thorsten Alteholz at 2021-11-17T01:25:46+01:00 Reserve DLA-2820-1 for atftp - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -8031,7 +8031,7 @@ CVE-2021-41655 CVE-2021-41654 RESERVED CVE-2021-41653 (The PING function on the TP-Link TL-WR840N EU v5 router with firmware ...) - NOT-FOR-US: TP-Link + NOT-FOR-US: TP-Link CVE-2021-41652 RESERVED CVE-2021-41651 (A blind SQL injection vulnerability exists in the Raymart DG / Ahmed H ...) @@ -9844,7 +9844,6 @@ CVE-2021-41054 (tftpd_file.c in atftp through 0.7.4 has a buffer overflow becaus - atftp 0.7.git20210915-1 (bug #994895) [bullseye] - atftp 0.7.git20120829-3.3+deb11u1 [buster] - atftp 0.7.git20120829-3.2~deb10u2 - [stretch] - atftp (Minor issue) NOTE: https://sourceforge.net/p/atftp/code/ci/d255bf90834fb45be52decf9bc0b4fb46c90f205/ CVE-2021-3798 [Soft token does not check if an EC key is valid] RESERVED @@ -127472,7 +127471,6 @@ CVE-2020-6098 (An exploitable denial of service vulnerability exists in the free CVE-2020-6097 (An exploitable denial of service vulnerability exists in the atftpd da ...) - atftp 0.7.git20120829-3.2 (bug #970066) [buster] - atftp 0.7.git20120829-3.2~deb10u1 - [stretch] - atftp (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1029 NOTE: https://sourceforge.net/u/peterkaestle/atftp/ci/96409ef3b9ca061f9527cfaafa778105cf15d994/ CVE-2020-6096 (An exploitable signed comparison vulnerability exists in the ARMv7 mem ...) = data/DLA/list = 
@@ -1,3 +1,6 @@ +[17 Nov 2021] DLA-2820-1 atftp - security update + {CVE-2020-6097 CVE-2021-41054} + [stretch] - atftp 0.7.git20120829-3.1~deb9u2 [16 Nov 2021] DLA-2819-1 ntfs-3g - security update {CVE-2021-33285 CVE-2021-33286 CVE-2021-33287 CVE-2021-33289 CVE-2021-35266 CVE-2021-35267 CVE-2021-35268 CVE-2021-35269 CVE-2021-39251 CVE-2021-39252 CVE-2021-39253 CVE-2021-39254 CVE-2021-39255 CVE-2021-39256 CVE-2021-39257 CVE-2021-39258 CVE-2021-39259 CVE-2021-39260 CVE-2021-39261 CVE-2021-39262 CVE-2021-39263} [stretch] - ntfs-3g 1:2016.2.22AR.1+dfsg-1+deb9u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e3ed57c00486c8b681e0765b423c617030b10636...f130652dae0d98b9c640725afa90f47f57a9fab9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e3ed57c00486c8b681e0765b423c617030b10636...f130652dae0d98b9c640725afa90f47f57a9fab9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
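Review bot: the first data/CVE/list hunk (`- NOT-FOR-US: TP-Link` / `+ NOT-FOR-US: TP-Link` under CVE-2021-41653) is a whitespace-only change unrelated to atftp and should not ride along in this commit; the same line is flipped back and forth by other commits in this digest, which points at the gen-DLA tooling rather than a deliberate edit. The two removed `[stretch] - atftp (Minor issue)` lines are the postponed entries the title refers to, and the new DLA-2820-1 record supplies the stretch fixed version 0.7.git20120829-3.1~deb9u2 for both CVE-2020-6097 and CVE-2021-41054, so the CVE/list side stays consistent.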
Processing 31f166206ca0eff8c65f8f92baf614d4071d094f failed
The error message was: data/CVE/list:189050: ITPed package openqa is in the archive make: *** [Makefile:19: all] Error 1 ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] openqa entered the archive, move from itp status to unfixed for further checks
László Böszörményi pushed to branch master at Debian Security Tracker / security-tracker Commits: e3ed57c0 by Laszlo Boszormenyi (GCS) at 2021-11-17T00:15:16+01:00 openqa entered the archive, move from itp status to unfixed for further checks - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -189048,7 +189048,7 @@ CVE-2019-3688 (The /usr/sbin/pinger binary packaged with squid in SUSE Linux Ent CVE-2019-3687 (The permission package in SUSE Linux Enterprise Server allowed all loc ...) NOT-FOR-US: SuSE CVE-2019-3686 (openQA before commit c172e8883d8f32fced5e02f9b6faaacc913df27b was vuln ...) - - openqa (bug #840253) + - openqa CVE-2019-3685 (Open Build Service before version 0.165.4 diddn't validate TLS certifi ...) - osc (Affects 0.165.x only, bug #941667) CVE-2019-3684 (SUSE Manager until version 4.0.7 and Uyuni until commit 1b426ad5ed0a71 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e3ed57c00486c8b681e0765b423c617030b10636 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e3ed57c00486c8b681e0765b423c617030b10636 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
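Review bot: dropping `(bug #840253)` from the openqa line removes the only pointer to the ITP bug, and the bare `- openqa` that remains claims the unstable package is vulnerable, which the CVE text (fixed before commit c172e88) suggests is not the case for any upload made after that commit. The title says further checks are intended; the check is whether the uploaded openqa contains that commit, after which the entry should become `<not-affected>` or carry the fixed version. This change is what clears the `ITPed package openqa is in the archive` processing error reported for the two earlier commits in this digest.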
[Git][security-tracker-team/security-tracker][master] CVE-2021-41653, Readd the whitespace character
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 31f16620 by Markus Koschany at 2021-11-17T00:12:18+01:00 CVE-2021-41653, Readd the whitespace character This is the only unrelated change which might cause the processing errors. The whitespace was automatically removed by the gen-DLA script. No idea why. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8031,7 +8031,7 @@ CVE-2021-41655 CVE-2021-41654 RESERVED CVE-2021-41653 (The PING function on the TP-Link TL-WR840N EU v5 router with firmware ...) - NOT-FOR-US: TP-Link + NOT-FOR-US: TP-Link CVE-2021-41652 RESERVED CVE-2021-41651 (A blind SQL injection vulnerability exists in the Raymart DG / Ahmed H ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/31f166206ca0eff8c65f8f92baf614d4071d094f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/31f166206ca0eff8c65f8f92baf614d4071d094f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
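Review bot: the processing error quoted in this digest (`data/CVE/list:189050: ITPed package openqa is in the archive`) names the openqa entry, not CVE-2021-41653, so this whitespace change cannot be the cause of the failed run, and the commit message itself only guesses (`No idea why`). Re-adding a whitespace character that the gen-DLA script strips also sets the line up to flip again on the next run, which is exactly what the later atftp commit in this digest shows.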
Processing 83a5b72a4d39814983d32011ce1bc24000d30def failed
The error message was: data/CVE/list:189050: ITPed package openqa is in the archive make: *** [Makefile:19: all] Error 1 ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Claim firmware-nonfree in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 851a329f by Markus Koschany at 2021-11-16T23:20:07+01:00 Claim firmware-nonfree in dla-needed.txt - - - - - 83a5b72a by Markus Koschany at 2021-11-16T23:23:10+01:00 Reserve DLA-2819-1 for ntfs-3g - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -8031,7 +8031,7 @@ CVE-2021-41655 CVE-2021-41654 RESERVED CVE-2021-41653 (The PING function on the TP-Link TL-WR840N EU v5 router with firmware ...) - NOT-FOR-US: TP-Link + NOT-FOR-US: TP-Link CVE-2021-41652 RESERVED CVE-2021-41651 (A blind SQL injection vulnerability exists in the Raymart DG / Ahmed H ...) = data/DLA/list = @@ -1,3 +1,6 @@ +[16 Nov 2021] DLA-2819-1 ntfs-3g - security update + {CVE-2021-33285 CVE-2021-33286 CVE-2021-33287 CVE-2021-33289 CVE-2021-35266 CVE-2021-35267 CVE-2021-35268 CVE-2021-35269 CVE-2021-39251 CVE-2021-39252 CVE-2021-39253 CVE-2021-39254 CVE-2021-39255 CVE-2021-39256 CVE-2021-39257 CVE-2021-39258 CVE-2021-39259 CVE-2021-39260 CVE-2021-39261 CVE-2021-39262 CVE-2021-39263} + [stretch] - ntfs-3g 1:2016.2.22AR.1+dfsg-1+deb9u2 [13 Nov 2021] DLA-2818-1 ffmpeg - security update {CVE-2020-20445 CVE-2020-20446 CVE-2020-20451 CVE-2020-20453 CVE-2020-22037 CVE-2020-22041 CVE-2020-22044 CVE-2020-22046 CVE-2020-22048 CVE-2020-22049 CVE-2020-22054 CVE-2021-38171 CVE-2021-38291} [stretch] - ffmpeg 7:3.2.16-1+deb9u1 = data/dla-needed.txt = @@ -33,7 +33,7 @@ exiv2 (Thorsten Alteholz) firefox-esr (Emilio) NOTE: 2026: blocked on toolchain backports (pochu) -- -firmware-nonfree +firmware-nonfree (Markus Koschany) NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag -- 
@@ -70,9 +70,6 @@ linux-4.19 (Ben Hutchings) -- mbedtls (Emilio) -- -ntfs-3g (Markus Koschany) - NOTE: 20211101: too many CVEs (gladk) --- nvidia-graphics-drivers NOTE: package is in non-free but also in packages-to-support NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3feeb3765955377f8b806786c42ce9fb1b49a89a...83a5b72a4d39814983d32011ce1bc24000d30def -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3feeb3765955377f8b806786c42ce9fb1b49a89a...83a5b72a4d39814983d32011ce1bc24000d30def You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
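Review bot: the data/CVE/list hunk on CVE-2021-41653 is a whitespace-only change unrelated to the ntfs-3g DLA or the firmware-nonfree claim; the later `Readd the whitespace character` commit attributes it to the gen-DLA script, so the script's output should be reviewed before committing rather than letting it touch unrelated lines. The dla-needed.txt hunk removes the whole ntfs-3g block, including its `NOTE: 20211101: too many CVEs (gladk)` line, at the same time DLA-2819-1 is reserved for it, which is consistent.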
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3feeb376 by Salvatore Bonaccorso at 2021-11-16T21:25:21+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -889,7 +889,7 @@ CVE-2021-3960 CVE-2021-3959 RESERVED CVE-2021-3958 (Due to improper sanitization iPack SCADA Automation software suffers f ...) - TODO: check + NOT-FOR-US: iPack SCADA Automation CVE-2021-43745 RESERVED CVE-2021-43744 @@ -3527,11 +3527,11 @@ CVE-2021-43050 CVE-2021-43049 RESERVED CVE-2021-43048 (The Interior Server and Gateway Server components of TIBCO Software In ...) - TODO: check + NOT-FOR-US: TIBCO CVE-2021-43047 (The Interior Server and Gateway Server components of TIBCO Software In ...) - TODO: check + NOT-FOR-US: TIBCO CVE-2021-43046 (The Interior Server and Gateway Server components of TIBCO Software In ...) - TODO: check + NOT-FOR-US: TIBCO CVE-2021-43056 (An issue was discovered in the Linux kernel for powerpc before 5.14.15 ...) - linux 5.14.16-1 [buster] - linux (Vulnerable code introduced later) @@ -8939,7 +8939,7 @@ CVE-2021-41259 (Nim is a systems programming language with a focus on efficiency [stretch] - nim (Minor issue) NOTE: https://github.com/nim-lang/security/security/advisories/GHSA-3gg2-rw3q-qwgc CVE-2021-41258 (Kirby is an open source file structured CMS. In affected versions Kirb ...) - TODO: check + NOT-FOR-US: Kirby CVE-2021-41257 RESERVED CVE-2021-41256 
@@ -8954,7 +8954,7 @@ CVE-2021-41253 (Zydis is an x86/x86-64 disassembler library. Users of Zydis vers NOTE: Fixed by: https://github.com/zyantific/zydis/commit/55dd08c210722aed81b38132f5fd4a04ec1943b5 (master) NOTE: Fixed by: https://github.com/zyantific/zydis/commit/330b259583ade789886ce11af2ebcd030097dcbf (v3.2.1) CVE-2021-41252 (Kirby is an open source file structured CMS ### Impact Kirby's writer ...) - TODO: check + NOT-FOR-US: Kirby CVE-2021-41251 (@sap-cloud-sdk/core contains the core functionality of the SAP Cloud S ...) NOT-FOR-US: SAP CVE-2021-41250 (Python discord bot is the community bot for the Python Discord communi ...) @@ -35983,7 +35983,7 @@ CVE-2021-30218 (samurai 1.2 has a NULL pointer dereference in writefile() in uti CVE-2021-30217 RESERVED CVE-2021-30216 (Zoho Web mail version NA is affected by an incorrect access control vu ...) - TODO: check + NOT-FOR-US: Zoho Web mail CVE-2021-30215 RESERVED CVE-2021-30214 (Knowage Suite 7.3 is vulnerable to Stored Client-Side Template Injecti ...) @@ -46583,13 +46583,13 @@ CVE-2021-25987 CVE-2021-25986 RESERVED CVE-2021-25985 (In Factor (App Framework Headless CMS) v1.0.4 to v1.8.30, improp ...) - TODO: check + NOT-FOR-US: Factor (App Framework & Headless CMS) CVE-2021-25984 (In Factor (App Framework Headless CMS) forum plugin, versions v1 ...) - TODO: check + NOT-FOR-US: Factor (App Framework & Headless CMS) CVE-2021-25983 (In Factor (App Framework Headless CMS) forum plugin, versions v1 ...) - TODO: check + NOT-FOR-US: Factor (App Framework & Headless CMS) CVE-2021-25982 (In Factor (App Framework Headless CMS) forum plugin, versions 1. ...) - TODO: check + NOT-FOR-US: Factor (App Framework & Headless CMS) CVE-2021-25981 RESERVED CVE-2021-25980 (In Talkyard, versions v0.04.01 through v0.6.74-WIP-63220cb, v0.2020.22 ...) 
@@ -46601,7 +46601,7 @@ CVE-2021-25978 (Apostrophe CMS versions between 2.63.0 to 3.3.1 are vulnerable t CVE-2021-25977 (In PiranhaCMS, versions 7.0.0 to 9.1.1 are vulnerable to stored XSS du ...) NOT-FOR-US: PiranhaCMS CVE-2021-25976 (In PiranhaCMS, versions 4.0.0-alpha1 to 9.2.0 are vulnerable to cross- ...) - TODO: check + NOT-FOR-US: PiranhaCMS CVE-2021-25975 (In publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS as a ...) NOT-FOR-US: Publify CVE-2021-25974 (In Publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS. A us ...) @@ -46623,7 +46623,7 @@ CVE-2021-25967 CVE-2021-25966 (In Orchard core CMS application, versions 1.0.0-beta1-33 ...) NOT-FOR-US: Orchard CMS CVE-2021-25965 (In Calibre-web, versions 0.6.0 to 0.6.13 are vulnerable to Cross-Site ...) - TODO: check + NOT-FOR-US: Calibre web CVE-2021-25964 (In Calibre-web application, v0.6.0 to v0.6.12, are vulne ...) NOT-FOR-US: Calibre web CVE-2021-25963 (In Shuup, versions 1.6.0 through 2.10.8 are vulnerable to reflected Cr ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3feeb3765955377f8b806786c42ce9fb1b49a89a -- View it on GitLab:
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2deaa223 by Salvatore Bonaccorso at 2021-11-16T21:12:22+01:00 Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14457,7 +14457,7 @@ CVE-2021-38951 CVE-2021-38950 RESERVED CVE-2021-38949 (IBM MQ 7.5, 8.0, 9.0 LTS, 9.1 CD, and 9.1 LTS stores user credentials ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-38948 (IBM InfoSphere Information Server 11.7 is vulnerable to an XML Externa ...) NOT-FOR-US: IBM CVE-2021-38947 @@ -14591,7 +14591,7 @@ CVE-2021-38884 CVE-2021-38883 RESERVED CVE-2021-38882 (IBM Spectrum Scale 5.1.0 through 5.1.1.1 could allow a privileged admi ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-38881 RESERVED CVE-2021-38880 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2deaa2236f65b60e7e9f1304faa2d263d5bc30ae -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2deaa2236f65b60e7e9f1304faa2d263d5bc30ae You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 19484c84 by security tracker role at 2021-11-16T20:10:23+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,17 @@ +CVE-2021-43774 + RESERVED +CVE-2021-43773 + RESERVED +CVE-2021-43772 + RESERVED +CVE-2021-43771 + RESERVED +CVE-2021-3964 + RESERVED +CVE-2021-3963 + RESERVED +CVE-2021-3962 + RESERVED CVE-2022-21641 RESERVED CVE-2022-21640 @@ -874,8 +888,8 @@ CVE-2021-3960 RESERVED CVE-2021-3959 RESERVED -CVE-2021-3958 - RESERVED +CVE-2021-3958 (Due to improper sanitization iPack SCADA Automation software suffers f ...) + TODO: check CVE-2021-43745 RESERVED CVE-2021-43744 @@ -3512,12 +3526,12 @@ CVE-2021-43050 RESERVED CVE-2021-43049 RESERVED -CVE-2021-43048 - RESERVED -CVE-2021-43047 - RESERVED -CVE-2021-43046 - RESERVED +CVE-2021-43048 (The Interior Server and Gateway Server components of TIBCO Software In ...) + TODO: check +CVE-2021-43047 (The Interior Server and Gateway Server components of TIBCO Software In ...) + TODO: check +CVE-2021-43046 (The Interior Server and Gateway Server components of TIBCO Software In ...) + TODO: check CVE-2021-43056 (An issue was discovered in the Linux kernel for powerpc before 5.14.15 ...) - linux 5.14.16-1 [buster] - linux (Vulnerable code introduced later) @@ -6878,8 +6892,8 @@ CVE-2021-42116 RESERVED CVE-2021-42115 RESERVED -CVE-2021-42114 - RESERVED +CVE-2021-42114 (Modern DRAM devices (PC-DDR4, LPDDR4X) are affected by a vulnerability ...) + TODO: check CVE-2021-42113 RESERVED CVE-2021-42112 (The "File upload question" functionality in LimeSurvey 3.x-LTS through ...) 
@@ -8924,8 +8938,8 @@ CVE-2021-41259 (Nim is a systems programming language with a focus on efficiency [buster] - nim (Minor issue) [stretch] - nim (Minor issue) NOTE: https://github.com/nim-lang/security/security/advisories/GHSA-3gg2-rw3q-qwgc -CVE-2021-41258 - RESERVED +CVE-2021-41258 (Kirby is an open source file structured CMS. In affected versions Kirb ...) + TODO: check CVE-2021-41257 RESERVED CVE-2021-41256 @@ -8939,8 +8953,8 @@ CVE-2021-41253 (Zydis is an x86/x86-64 disassembler library. Users of Zydis vers NOTE: https://github.com/zyantific/zydis/security/advisories/GHSA-q42v-hv86-3m4g NOTE: Fixed by: https://github.com/zyantific/zydis/commit/55dd08c210722aed81b38132f5fd4a04ec1943b5 (master) NOTE: Fixed by: https://github.com/zyantific/zydis/commit/330b259583ade789886ce11af2ebcd030097dcbf (v3.2.1) -CVE-2021-41252 - RESERVED +CVE-2021-41252 (Kirby is an open source file structured CMS ### Impact Kirby's writer ...) + TODO: check CVE-2021-41251 (@sap-cloud-sdk/core contains the core functionality of the SAP Cloud S ...) NOT-FOR-US: SAP CVE-2021-41250 (Python discord bot is the community bot for the Python Discord communi ...) @@ -14442,8 +14456,8 @@ CVE-2021-38951 RESERVED CVE-2021-38950 RESERVED -CVE-2021-38949 - RESERVED +CVE-2021-38949 (IBM MQ 7.5, 8.0, 9.0 LTS, 9.1 CD, and 9.1 LTS stores user credentials ...) + TODO: check CVE-2021-38948 (IBM InfoSphere Information Server 11.7 is vulnerable to an XML Externa ...) NOT-FOR-US: IBM CVE-2021-38947 @@ -14576,8 +14590,8 @@ CVE-2021-38884 RESERVED CVE-2021-38883 RESERVED -CVE-2021-38882 - RESERVED +CVE-2021-38882 (IBM Spectrum Scale 5.1.0 through 5.1.1.1 could allow a privileged admi ...) + TODO: check CVE-2021-38881 RESERVED CVE-2021-38880 
@@ -17883,8 +17897,8 @@ CVE-2021-37582 RESERVED CVE-2021-37581 RESERVED -CVE-2021-37580 - RESERVED +CVE-2021-37580 (A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in S ...) + TODO: check CVE-2021-37579 (The Dubbo Provider will check the incoming request and the correspondi ...) NOT-FOR-US: Apache Dubbo CVE-2021-3667 @@ -35968,8 +35982,8 @@ CVE-2021-30218 (samurai 1.2 has a NULL pointer dereference in writefile() in uti NOT-FOR-US: samurai CVE-2021-30217 RESERVED -CVE-2021-30216 - RESERVED +CVE-2021-30216 (Zoho Web mail version NA is affected by an incorrect access control vu ...) + TODO: check CVE-2021-30215 RESERVED CVE-2021-30214 (Knowage Suite 7.3 is vulnerable to Stored Client-Side Template Injecti ...) @@ -45575,44 +45589,44 @@ CVE-2021-26340 RESERVED CVE-2021-26339 RESERVED -CVE-2021-26338 - RESERVED -CVE-2021-26337 - RESERVED -CVE-2021-26336 - RESERVED -CVE-2021-26335 - RESERVED +CVE-2021-26338 (Improper access controls in System Management Unit
[Git][security-tracker-team/security-tracker][master] Mark CVE-2021-43618/gmp as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 55ad1348 by Salvatore Bonaccorso at 2021-11-16T20:48:06+01:00 Mark CVE-2021-43618/gmp as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1132,6 +1132,8 @@ CVE-2021-43619 RESERVED CVE-2021-43618 (GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an m ...) - gmp 2:6.2.1+dfsg-3 (bug #994405) + [bullseye] - gmp (Minor issue) + [buster] - gmp (Minor issue) NOTE: https://gmplib.org/list-archives/gmp-bugs/2021-September/005077.html NOTE: https://gmplib.org/repo/gmp-6.2/rev/561a9c25298e CVE-2021-43617 (Laravel Framework through 8.70.2 does not sufficiently block the uploa ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/55ad13486be24c97fd0d842b3d5285205ae309f7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/55ad13486be24c97fd0d842b3d5285205ae309f7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
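Review bot: the new "[bullseye] - gmp (Minor issue)" and "[buster] - gmp (Minor issue)" lines show only the free-text reason, while the commit title says "no-dsa"; confirm the <no-dsa> state tag is actually present in the file, since angle-bracket tags may have been dropped in this rendering (no release annotation on this page shows one). Stretch is not annotated at all, although stretch is still handled by LTS elsewhere on this page (the ffmpeg and busybox commits add [stretch] lines); if the stretch gmp carries the affected code it needs either a [stretch] line or a dla-needed.txt entry.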
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2021-3756/libmysofa via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5410f991 by Salvatore Bonaccorso at 2021-11-16T20:46:00+01:00 Track fixed version for CVE-2021-3756/libmysofa via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11139,7 +11139,7 @@ CVE-2021-3757 (immer is vulnerable to Improperly Controlled Modification of Obje CVE-2021-40331 RESERVED CVE-2021-3756 (libmysofa is vulnerable to Heap-based Buffer Overflow ...) - - libmysofa + - libmysofa 1.2.1~dfsg0-1 NOTE: https://huntr.dev/bounties/7ca8d9ea-e2a6-4294-af28-70260bb53bc1/ NOTE: https://github.com/hoene/libmysofa/commit/890400ebd092c574707d0c132124f8ff047e20e1 (v1.2.1) CVE-2021-3755 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5410f991a9c9a9378cca61d0673568b303fe78f8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5410f991a9c9a9378cca61d0673568b303fe78f8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Triage CVE-2020-20891, CVE-2020-20892, CVE-2020-20896, CVE-2020-21688,...
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 60b0dac9 by Chris Lamb at 2021-11-16T07:48:55-08:00 Triage CVE-2020-20891, CVE-2020-20892, CVE-2020-20896, CVE-2020-21688, CVE-2020-21697 CVE-2020-20902 in ffmpeg for stretch LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -87575,6 +87575,7 @@ CVE-2020-21697 (A heap-use-after-free in the mpeg_mux_write_packet function in l {DSA-4998-1} - ffmpeg 7:4.4-5 [buster] - ffmpeg (Wait for 4.1.9) + [stretch] - ffmpeg (Minor issue; can be fixed in next update) NOTE: https://trac.ffmpeg.org/ticket/8188 NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=cfce16449cb815132f829d5a07beb138dfb2cba6 CVE-2020-21696 @@ -87597,6 +87598,7 @@ CVE-2020-21688 (A heap-use-after-free in the av_freep function in libavutil/mem. {DSA-4998-1} - ffmpeg 7:4.4-5 [buster] - ffmpeg (Wait for 4.1.9) + [stretch] - ffmpeg (Minor issue; can be fixed in next update) NOTE: https://trac.ffmpeg.org/ticket/8186 NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=22c3cd176079dd104ec7610ead697235b04396f1 CVE-2020-21687 @@ -89334,6 +89336,7 @@ CVE-2020-20903 CVE-2020-20902 (A CWE-125: Out-of-bounds read vulnerability exists in long_term_filter ...) {DSA-4722-1} - ffmpeg 7:4.2.2-1 + [stretch] - ffmpeg (Minor issue; can be fixed in next update) NOTE: https://trac.ffmpeg.org/ticket/8176 NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=5f0acc5064ed501cb40d4aaccae2b3ce5c4552fd (4.3) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=2c78a76cb0443f8a12a5eadc3b58373aa2f4ab22 (4.3) 
@@ -89356,6 +89359,7 @@ CVE-2020-20897 CVE-2020-20896 (An issue was discovered in function latm_write_packet in libavformat/l ...) - ffmpeg 7:4.3-2 [buster] - ffmpeg (Wait for 4.1.9) + [stretch] - ffmpeg (Minor issue; can be fixed in next update) NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/dd01947397b98e94c3f2a79d5820aaf4594f4d3b (4.3) NOTE: https://trac.ffmpeg.org/ticket/8273 CVE-2020-20895 @@ -89367,11 +89371,13 @@ CVE-2020-20893 CVE-2020-20892 (An issue was discovered in function filter_frame in libavfilter/vf_len ...) - ffmpeg 7:4.3-2 [buster] - ffmpeg (Minor issue) + [stretch] - ffmpeg (Minor issue; can be fixed in next update) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=19587c9332f5be4f6bc6d7b2b8ef3fd21dfeaa01 (4.3) NOTE: https://trac.ffmpeg.org/ticket/8265 CVE-2020-20891 (Buffer Overflow vulnerability in function config_input in libavfilter/ ...) - ffmpeg 7:4.3-2 [buster] - ffmpeg (Wait for 4.1.9) + [stretch] - ffmpeg (Minor issue; can be fixed in next update) NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/64a805883d7223c868a683f0030837d859edd2ab (4.3) NOTE: https://trac.ffmpeg.org/ticket/8282 CVE-2020-20890 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60b0dac9737fd2c8d5f5d27de02ed175b7a5c99f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60b0dac9737fd2c8d5f5d27de02ed175b7a5c99f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFUS
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 71f9d433 by Moritz Muehlenhoff at 2021-11-16T14:49:00+01:00 NFUS resolve TODO for older golang versions - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8897,19 +8897,19 @@ CVE-2021-41271 (Discourse is a platform for community discussion. In affected ve CVE-2021-41270 RESERVED CVE-2021-41269 (cron-utils is a Java library to define, parse, validate, migrate crons ...) - TODO: check + NOT-FOR-US: cron-utils Java library CVE-2021-41268 RESERVED CVE-2021-41267 RESERVED CVE-2021-41266 (Minio console is a graphical user interface for the for MinIO operator ...) - TODO: check + NOT-FOR-US: Minio console CVE-2021-41265 RESERVED CVE-2021-41264 (OpenZeppelin Contracts is a library for smart contract development. In ...) NOT-FOR-US: OpenZeppelin Contracts CVE-2021-41263 (rails_multisite provides multi-db support for Rails applications. In a ...) - TODO: check + NOT-FOR-US: rails_multisite CVE-2021-41262 RESERVED CVE-2021-41261 @@ -13807,7 +13807,7 @@ CVE-2021-39224 (Nextcloud is an open-source, self-hosted productivity platform. CVE-2021-39223 (Nextcloud is an open-source, self-hosted productivity platform. The Ne ...) NOT-FOR-US: Nextcloud Richdocuments CVE-2021-39222 (Nextcloud is an open-source, self-hosted productivity platform. The Ne ...) - TODO: check + - nextcloud-server (bug #941708) CVE-2021-39221 (Nextcloud is an open-source, self-hosted productivity platform. The Ne ...) NOT-FOR-US: Nextcloud Contacts CVE-2021-39220 (Nextcloud is an open-source, self-hosted productivity platform The Nex ...) 
@@ -16006,10 +16006,13 @@ CVE-2021-38298 (Zoho ManageEngine ADManager Plus before 7110 is vulnerable to bl CVE-2021-38297 (Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via la ...) - golang-1.17 1.17.2-1 - golang-1.16 1.16.9-1 + - golang-1.11 + [buster] - golang-1.11 (Minor issue) + - golang-1.8 (Vulnerable code not present) + - golang-1.7 (Vulnerable code not present) NOTE: https://github.com/golang/go/commit/77f2750f4398990eed972186706f160631d7dae4 NOTE: https://groups.google.com/g/golang-announce/c/AEBu9j7yj5A NOTE: https://github.com/golang/go/issues/48797 - TODO: check older branches CVE-2021-38296 RESERVED CVE-2021-38295 (In Apache CouchDB, a malicious user with permission to create document ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/71f9d433c9dde4478a23a7a65c3acf3ee81905f5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/71f9d433c9dde4478a23a7a65c3acf3ee81905f5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
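Review bot: in the CVE-2021-38297 hunk the added "- golang-1.11" line has neither a fixed version nor a visible state, unlike the golang-1.16/1.17 lines above it, so as written it reads as an open unfixed issue in sid; if golang-1.11 is no longer in unstable it should carry the <removed> state instead. The "[buster] - golang-1.11 (Minor issue)" line should carry <no-dsa> and the golang-1.8/1.7 "(Vulnerable code not present)" lines should carry <not-affected>; only the parenthetical reasons are visible here, so check the tags are in place. Dropping "TODO: check older branches" is right once those states are recorded.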
[Git][security-tracker-team/security-tracker][master] nomad n/a
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ab16bd58 by Moritz Muehlenhoff at 2021-11-16T14:03:40+01:00 nomad n/a add note for pdf2json - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7500,11 +7500,10 @@ CVE-2021-3853 CVE-2021-3852 RESERVED CVE-2021-41865 (HashiCorp Nomad and Nomad Enterprise 1.1.1 through 1.1.5 allowed authe ...) - - nomad + - nomad (Only affects 1.1.x) NOTE: https://discuss.hashicorp.com/t/hcsec-2021-26-nomad-denial-of-service-via-submission-of-incomplete-job-specification-using-consul-mesh-gateway-host-network/30311 NOTE: https://github.com/hashicorp/nomad/issues/11243 NOTE: https://github.com/hashicorp/nomad/pull/11257 - TODO: check CVE-2021-41864 (prealloc_elems_and_freelist in kernel/bpf/stackmap.c in the Linux kern ...) - linux 5.14.12-1 NOTE: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=30e29a9a2bc6a4888335a6ede968b75cd329657a 
@@ -82956,8 +82955,12 @@ CVE-2020-23880 RESERVED CVE-2020-23879 (pdf2json v0.71 was discovered to contain a NULL pointer dereference in ...) NOT-FOR-US: pdf2json + NOTE: pdf2json bundles a 14 year old xpdf release (3.0.2), there's no point in + NOTE: tracking whether this affects src:poppler CVE-2020-23878 (pdf2json v0.71 was discovered to contain a stack buffer overflow in th ...) NOT-FOR-US: pdf2json + NOTE: pdf2json bundles a 14 year old xpdf release (3.0.2), there's no point in + NOTE: tracking whether this affects src:poppler CVE-2020-23877 (pdf2xml v2.0 was discovered to contain a stack buffer overflow in the ...) NOT-FOR-US: pdf2xml CVE-2020-23876 (pdf2xml v2.0 was discovered to contain a memory leak in the function T ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab16bd58212d6e92541b13c36c45da1194d87af7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab16bd58212d6e92541b13c36c45da1194d87af7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
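Review bot: "- nomad (Only affects 1.1.x)" keeps the unstable line unfixed and only adds a reason; the CVE text gives the affected range as 1.1.1 through 1.1.5, so if the packaged nomad is outside 1.1.x the line should use the <not-affected> state with that reason rather than stay open, and if it is inside the range the reason should say so and the fix from the linked PR #11257 be tracked. The two pdf2json NOTE lines are duplicated verbatim under CVE-2020-23879 and CVE-2020-23878, which matches the per-CVE keying of the file; "14 year old" would read better hyphenated as "14-year-old" if the note is touched again.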
[Git][security-tracker-team/security-tracker][master] CVE-2020-36477/mbedtls n/a on stretch
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 0532f71a by Emilio Pozuelo Monfort at 2021-11-16T13:40:02+01:00 CVE-2020-36477/mbedtls n/a on stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13334,6 +13334,7 @@ CVE-2020-36478 (An issue was discovered in Mbed TLS before 2.25.0 (and before 2. NOTE: https://github.com/ARMmbed/mbedtls/commit/ca17ebfbc02b57e2bcb42efe64a5f2002c756ea8 (development) CVE-2020-36477 (An issue was discovered in Mbed TLS before 2.24.0. The verification of ...) - mbedtls + [stretch] - mbedtls (2.4 not affected) NOTE: https://github.com/ARMmbed/mbedtls/issues/3498 NOTE: https://github.com/ARMmbed/mbedtls/commit/f3e4bd8632b71dc491e52e6df87dc3e409d2b869 (development) CVE-2020-36476 (An issue was discovered in Mbed TLS before 2.24.0 (and before 2.16.8 L ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0532f71a8665c3ed8a62d86b63da499e1f32eb61 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0532f71a8665c3ed8a62d86b63da499e1f32eb61 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
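Review bot: "[stretch] - mbedtls (2.4 not affected)" should carry the <not-affected> state, which is what the commit title "n/a on stretch" describes; as rendered only the parenthetical reason is visible, so confirm the tag is there. The unstable line "- mbedtls" still has no fixed version; the CVE text says "before 2.24.0" and the sibling entry CVE-2020-36478 already records 2.16.9-0.1, so once the fix reaches the packaged branch the version can be tracked here too.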
[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for CVE-2021-3918/node-json-schema
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 701f6d6e by Salvatore Bonaccorso at 2021-11-16T13:12:40+01:00 Track fixed version via unstable for CVE-2021-3918/node-json-schema - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3209,7 +3209,7 @@ CVE-2021-43176 CVE-2021-43175 RESERVED CVE-2021-3918 (json-schema is vulnerable to Improperly Controlled Modification of Obj ...) - - node-json-schema (bug #999765) + - node-json-schema 0.4.0+~7.0.9-1 (bug #999765) NOTE: https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741 (v0.4.0) CVE-2021-43174 (NLnet Labs Routinator versions 0.9.0 up to and including 0.10.1, suppo ...) - routinator (bug #929024) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/701f6d6e9e215d2e40a22a8861df5db1597b308d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/701f6d6e9e215d2e40a22a8861df5db1597b308d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] busybox: stretch postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: af773e06 by Sylvain Beucler at 2021-11-16T12:44:33+01:00 busybox: stretch postponed - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = 
@@ -6010,46 +6010,55 @@ CVE-2021-42386 (A use-after-free in Busybox's awk applet leads to denial of serv - busybox (bug #999567) [bullseye] - busybox (Minor issue) [buster] - busybox (Minor issue) + [stretch] - busybox (Minor issue, requires passing arbitrary awk program, no identified patch) NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/ CVE-2021-42385 (A use-after-free in Busybox's awk applet leads to denial of service an ...) - busybox (bug #999567) [bullseye] - busybox (Minor issue) [buster] - busybox (Minor issue) + [stretch] - busybox (Minor issue, requires passing arbitrary awk program, no identified patch) NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/ CVE-2021-42384 (A use-after-free in Busybox's awk applet leads to denial of service an ...) - busybox (bug #999567) [bullseye] - busybox (Minor issue) [buster] - busybox (Minor issue) + [stretch] - busybox (Minor issue, requires passing arbitrary awk program, no identified patch) NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/ CVE-2021-42383 (A use-after-free in Busybox's awk applet leads to denial of service an ...) - busybox (bug #999567) [bullseye] - busybox (Minor issue) [buster] - busybox (Minor issue) + [stretch] - busybox (Minor issue, requires passing arbitrary awk program, no identified patch) NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/ CVE-2021-42382 (A use-after-free in Busybox's awk applet leads to denial of service an ...) 
- busybox (bug #999567) [bullseye] - busybox (Minor issue) [buster] - busybox (Minor issue) + [stretch] - busybox (Minor issue, requires passing arbitrary awk program, no identified patch) NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/ CVE-2021-42381 (A use-after-free in Busybox's awk applet leads to denial of service an ...) - busybox (bug #999567) [bullseye] - busybox (Minor issue) [buster] - busybox (Minor issue) + [stretch] - busybox (Minor issue, requires passing arbitrary awk program, no identified patch) NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/ CVE-2021-42380 (A use-after-free in Busybox's awk applet leads to denial of service an ...) - busybox (bug #999567) [bullseye] - busybox (Minor issue) [buster] - busybox (Minor issue) + [stretch] - busybox (Minor issue, requires passing arbitrary awk program, no identified patch) NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/ CVE-2021-42379 (A use-after-free in Busybox's awk applet leads to denial of service an ...) - busybox (bug #999567) [bullseye] - busybox (Minor issue) [buster] - busybox (Minor issue) + [stretch] - busybox (Minor issue, requires passing arbitrary awk program, no identified patch) NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/ CVE-2021-42378 (A use-after-free in Busybox's awk applet leads to denial of service an ...) - busybox (bug #999567) [bullseye] - busybox (Minor issue) [buster] - busybox (Minor issue) + [stretch] - busybox (Minor issue, requires passing arbitrary awk program, no identified patch) NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/ CVE-2021-42377 (An attacker-controlled pointer free in Busybox's hush applet leads to ...) - busybox (bug #999567) = data/dla-needed.txt = 
@@ -18,12 +18,6 @@ ansible NOTE: 20210411: after that LTS. (apo) NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/ -- -busybox (Sylvain Beucler) - NOTE: 2021: dos issues are low impact and could be ignored, awk issues seem - NOTE: 2021: only serious if executing untrusted code, so perhaps postpone, - NOTE: 2021: but double-check (pochu) - NOTE: 2023: waiting for further maintainer feedback & commit info (Beuc) --- debian-archive-keyring NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html
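Review bot: the ten new "[stretch] - busybox (Minor issue, requires passing arbitrary awk program, no identified patch)" lines show only the reason text, while the commit title is "stretch postponed"; each line should carry the <postponed> state tag, so confirm it is present in the file and was merely dropped in this rendering. "no identified patch" is the part that will go stale first; when upstream fixes for the awk use-after-frees are identified, these ten lines need updating together, since the dla-needed.txt hunk removes the only other record of the pending review ("double-check (pochu)", "waiting for further maintainer feedback").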
[Git][security-tracker-team/security-tracker][master] CVE-2021-3918/node-json-schema #999765
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 7dedc819 by Neil Williams at 2021-11-16T11:10:08+00:00 CVE-2021-3918/node-json-schema #999765 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3209,7 +3209,8 @@ CVE-2021-43176 CVE-2021-43175 RESERVED CVE-2021-3918 (json-schema is vulnerable to Improperly Controlled Modification of Obj ...) - TODO: check + - node-json-schema (bug #999765) + NOTE: https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741 (v0.4.0) CVE-2021-43174 (NLnet Labs Routinator versions 0.9.0 up to and including 0.10.1, suppo ...) - routinator (bug #929024) NOTE: https://www.nlnetlabs.nl/downloads/routinator/CVE-2021-43172_CVE-2021-43173_CVE-2021-43174.txt View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7dedc8191d4294b565ed2b2f2cbbc6c5784aa11e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7dedc8191d4294b565ed2b2f2cbbc6c5784aa11e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 91955775 by Neil Williams at 2021-11-16T10:35:02+00:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -82944,21 +82944,21 @@ CVE-2020-23881 CVE-2020-23880 RESERVED CVE-2020-23879 (pdf2json v0.71 was discovered to contain a NULL pointer dereference in ...) - TODO: check + NOT-FOR-US: pdf2json CVE-2020-23878 (pdf2json v0.71 was discovered to contain a stack buffer overflow in th ...) - TODO: check + NOT-FOR-US: pdf2json CVE-2020-23877 (pdf2xml v2.0 was discovered to contain a stack buffer overflow in the ...) - TODO: check + NOT-FOR-US: pdf2xml CVE-2020-23876 (pdf2xml v2.0 was discovered to contain a memory leak in the function T ...) - TODO: check + NOT-FOR-US: pdf2xml CVE-2020-23875 RESERVED CVE-2020-23874 (pdf2xml v2.0 was discovered to contain a heap-buffer overflow in the f ...) - TODO: check + NOT-FOR-US: pdf2xml CVE-2020-23873 (pdf2xml v2.0 was discovered to contain a heap-buffer overflow in the f ...) - TODO: check + NOT-FOR-US: pdf2xml CVE-2020-23872 (A NULL pointer dereference in the function TextPage::restoreState of p ...) - TODO: check + NOT-FOR-US: pdf2xml CVE-2020-23871 RESERVED CVE-2020-23870 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/91955775aa35a7b072a07f389e9abf06640f33d1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/91955775aa35a7b072a07f389e9abf06640f33d1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
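Review bot: CVE-2020-23872 is marked "NOT-FOR-US: pdf2xml" together with its neighbours, but its visible description ("A NULL pointer dereference in the function TextPage::restoreState of p ...") does not name the product, and TextPage is an xpdf class that poppler also carries; confirm the affected program is pdf2xml and, given the shared lineage, record whether src:poppler was checked before closing this one as NFU. The other six entries name pdf2json or pdf2xml in their descriptions, so the NFU there is straightforward.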
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-6492/chromium - EOL stretch, add to DSA-4714-1
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 09909448 by Neil Williams at 2021-11-16T10:34:01+00:00 Add CVE-2020-6492/chromium - EOL stretch, add to DSA-4714-1 - - - - - 2 changed files: - data/CVE/list - data/DSA/list Changes: = data/CVE/list = @@ -126368,7 +126368,9 @@ CVE-2020-6493 (Use after free in WebAuthentication in Google Chrome prior to 83. - chromium 83.0.4103.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6492 (Use after free in ANGLE in Google Chrome prior to 83.0.4103.97 allowed ...) - TODO: check + {DSA-4714-1} + - chromium 83.0.4103.106-1 + [stretch] - chromium (see DSA 4562) CVE-2020-6491 (Insufficient data validation in site information in Google Chrome prio ...) {DSA-4714-1} - chromium 83.0.4103.83-1 = data/DSA/list = 
@@ -933,7 +933,7 @@ {CVE-2019-13300 CVE-2019-13304 CVE-2019-13305 CVE-2019-13306 CVE-2019-13307 CVE-2019-15140 CVE-2019-19948} [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u8 [01 Jul 2020] DSA-4714-1 chromium - security update - {CVE-2020-6423 CVE-2020-6430 CVE-2020-6431 CVE-2020-6432 CVE-2020-6433 CVE-2020-6434 CVE-2020-6435 CVE-2020-6436 CVE-2020-6437 CVE-2020-6438 CVE-2020-6439 CVE-2020-6440 CVE-2020-6441 CVE-2020-6442 CVE-2020-6443 CVE-2020-6444 CVE-2020-6445 CVE-2020-6446 CVE-2020-6447 CVE-2020-6448 CVE-2020-6454 CVE-2020-6455 CVE-2020-6456 CVE-2020-6457 CVE-2020-6458 CVE-2020-6459 CVE-2020-6460 CVE-2020-6461 CVE-2020-6462 CVE-2020-6463 CVE-2020-6464 CVE-2020-6465 CVE-2020-6466 CVE-2020-6467 CVE-2020-6468 CVE-2020-6469 CVE-2020-6470 CVE-2020-6471 CVE-2020-6472 CVE-2020-6473 CVE-2020-6474 CVE-2020-6475 CVE-2020-6476 CVE-2020-6478 CVE-2020-6479 CVE-2020-6480 CVE-2020-6481 CVE-2020-6482 CVE-2020-6483 CVE-2020-6484 CVE-2020-6485 CVE-2020-6486 CVE-2020-6487 CVE-2020-6488 CVE-2020-6489 CVE-2020-6490 CVE-2020-6491 CVE-2020-6493 CVE-2020-6494 CVE-2020-6495 CVE-2020-6496 CVE-2020-6497 CVE-2020-6498 CVE-2020-6505 CVE-2020-6506 CVE-2020-6507 CVE-2020-6509 CVE-2020-6831} + {CVE-2020-6423 CVE-2020-6430 CVE-2020-6431 CVE-2020-6432 CVE-2020-6433 CVE-2020-6434 CVE-2020-6435 CVE-2020-6436 CVE-2020-6437 CVE-2020-6438 CVE-2020-6439 CVE-2020-6440 CVE-2020-6441 CVE-2020-6442 CVE-2020-6443 CVE-2020-6444 CVE-2020-6445 CVE-2020-6446 CVE-2020-6447 CVE-2020-6448 CVE-2020-6454 CVE-2020-6455 CVE-2020-6456 CVE-2020-6457 CVE-2020-6458 CVE-2020-6459 CVE-2020-6460 CVE-2020-6461 CVE-2020-6462 CVE-2020-6463 CVE-2020-6464 CVE-2020-6465 CVE-2020-6466 CVE-2020-6467 CVE-2020-6468 CVE-2020-6469 CVE-2020-6470 CVE-2020-6471 CVE-2020-6472 CVE-2020-6473 CVE-2020-6474 CVE-2020-6475 CVE-2020-6476 CVE-2020-6478 CVE-2020-6479 CVE-2020-6480 CVE-2020-6481 CVE-2020-6482 CVE-2020-6483 CVE-2020-6484 CVE-2020-6485 CVE-2020-6486 CVE-2020-6487 CVE-2020-6488 CVE-2020-6489 CVE-2020-6490 CVE-2020-6491 CVE-2020-6492 
CVE-2020-6493 CVE-2020-6494 CVE-2020-6495 CVE-2020-6496 CVE-2020-6497 CVE-2020-6498 CVE-2020-6505 CVE-2020-6506 CVE-2020-6507 CVE-2020-6509 CVE-2020-6831} [buster] - chromium 83.0.4103.116-1~deb10u1 [01 Jul 2020] DSA-4713-1 firefox-esr - security update {CVE-2020-12417 CVE-2020-12418 CVE-2020-12419 CVE-2020-12420 CVE-2020-12421} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/09909448f496b599460b7803f243d51a3942de28 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/09909448f496b599460b7803f243d51a3942de28 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
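Review bot: in the CVE-2020-6492 hunk the copied "[stretch] - chromium (see DSA 4562)" line shows no state; the commit title says "EOL stretch", so the line should carry <end-of-life> as the CVE-2020-6493 line above it presumably does, assuming the tag was dropped in this rendering. The DSA/list edit inserts CVE-2020-6492 in the correct numeric position between CVE-2020-6491 and CVE-2020-6493, and the fixed version 83.0.4103.106-1 matches the CVE-2020-6493 entry; the DSA-4714-1 buster version 83.0.4103.116-1~deb10u1 is unchanged, which is consistent with a CVE being attributed to an already-published DSA.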
[Git][security-tracker-team/security-tracker][master] new laravel issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 704136f4 by Moritz Muehlenhoff at 2021-11-16T10:39:27+01:00 new laravel issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1135,7 +1135,8 @@ CVE-2021-43618 (GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 ha NOTE: https://gmplib.org/list-archives/gmp-bugs/2021-September/005077.html NOTE: https://gmplib.org/repo/gmp-6.2/rev/561a9c25298e CVE-2021-43617 (Laravel Framework through 8.70.2 does not sufficiently block the uploa ...) - TODO: check + - php-laravel-framework + NOTE: https://hosein-vita.medium.com/laravel-8-x-image-upload-bypass-zero-day-852bd806019b CVE-2021-3957 RESERVED CVE-2021-43616 (The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an i ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/704136f42daa544623d11e68c9e7aa16f38bf8a8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/704136f42daa544623d11e68c9e7aa16f38bf8a8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
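Review bot: "- php-laravel-framework" for CVE-2021-43617 has no fixed version and the only reference is a blog post; the CVE text says "through 8.70.2", so add the upstream fix commit or release note and the fixed Debian version once known, or the appropriate state with a reason if the packaged version turns out not to be affected.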
[Git][security-tracker-team/security-tracker][master] Re-claim libssh2.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 6f76e0f3 by Ola Lundqvist at 2021-11-16T09:48:00+01:00 Re-claim libssh2. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -63,9 +63,10 @@ libgit2 (Utkarsh) NOTE: 20211029: and TAL later next week. (utkarsh) NOTE: 2026: backports prepped; checking build and smoke-testing package. (utkarsh) -- -libssh2 +libssh2 (Ola Lundqvist) NOTE: 20211031: CVE-2019-13115 and CVE-2019-17498 were fixed in jessie DLAs NOTE: 20211031: but still need fixing in stretch and buster. (bunk) + NOTE: 2026: Work in progress for stretch. (ola) -- libvorbis (Adrian Bunk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6f76e0f310cec080c260a2fb5cc58eb3daf6252d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6f76e0f310cec080c260a2fb5cc58eb3daf6252d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
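Review bot: the new note "NOTE: 2026: Work in progress for stretch. (ola)" uses a four-digit prefix while the surrounding dla-needed.txt notes use YYYYMMDD ("20211029", "20211031"); use the full date so the entry's timeline stays readable and sortable. The claim line "libssh2 (Ola Lundqvist)" matches the commit title.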
[Git][security-tracker-team/security-tracker][master] lts: reclaim firefox & thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 1a25e4fb by Emilio Pozuelo Monfort at 2021-11-16T09:45:39+01:00 lts: reclaim firefox thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -36,7 +36,8 @@ debian-archive-keyring exiv2 (Thorsten Alteholz) NOTE: 20211109: testing package -- -firefox-esr +firefox-esr (Emilio) + NOTE: 2026: blocked on toolchain backports (pochu) -- firmware-nonfree NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree @@ -94,5 +95,6 @@ salt (Markus Koschany) -- samba (Anton) -- -thunderbird +thunderbird (Emilio) + NOTE: 2026: blocked on toolchain backports (pochu) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1a25e4fbfc84037c3eccb9dc9fbae9df75840292 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1a25e4fbfc84037c3eccb9dc9fbae9df75840292 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
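Review bot: both added notes, "NOTE: 2026: blocked on toolchain backports (pochu)" under firefox-esr and under thunderbird, use a four-digit prefix where the file's other notes use YYYYMMDD ("20211109", "20210731"); write the full date. Recording the blocker on both entries is useful since the two packages share the toolchain dependency.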
[Git][security-tracker-team/security-tracker][master] CVE-2020-3647[78]/mbedtls: add fixing commits
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: ed6b52cd by Emilio Pozuelo Monfort at 2021-11-16T09:41:34+01:00 CVE-2020-3647[78]/mbedtls: add fixing commits - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13320,9 +13320,11 @@ CVE-2021-39363 CVE-2020-36478 (An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 L ...) - mbedtls 2.16.9-0.1 NOTE: https://github.com/ARMmbed/mbedtls/issues/3629 + NOTE: https://github.com/ARMmbed/mbedtls/commit/ca17ebfbc02b57e2bcb42efe64a5f2002c756ea8 (development) CVE-2020-36477 (An issue was discovered in Mbed TLS before 2.24.0. The verification of ...) - mbedtls NOTE: https://github.com/ARMmbed/mbedtls/issues/3498 + NOTE: https://github.com/ARMmbed/mbedtls/commit/f3e4bd8632b71dc491e52e6df87dc3e409d2b869 (development) CVE-2020-36476 (An issue was discovered in Mbed TLS before 2.24.0 (and before 2.16.8 L ...) - mbedtls 2.16.9-0.1 NOTE: https://github.com/ARMmbed/mbedtls/commit/a321413807927d6e295cec8677733bbde6aeec34 (development) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ed6b52cd4db06571ba386615fe2bf57113a0ba89 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ed6b52cd4db06571ba386615fe2bf57113a0ba89 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
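Review bot: CVE-2020-36477 keeps "- mbedtls" without a fixed version even though the commit adds the development fix commit; the sibling entries CVE-2020-36478 and CVE-2020-36476 cite the 2.16.x LTS releases in their text ("and before 2.16.9 L...", "and before 2.16.8 L...") and track 2.16.9-0.1, whereas 36477's text only says "before 2.24.0", so confirm whether f3e4bd86 was backported to the 2.16 branch before choosing a fixed Debian version.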
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a52da49c by Salvatore Bonaccorso at 2021-11-16T09:27:09+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6181,7 +6181,7 @@ CVE-2021-42339 CVE-2021-42338 RESERVED CVE-2021-42337 (The permission control of AIFU cashier management salary query functio ...) - TODO: check + NOT-FOR-US: AIFU cashier management salary CVE-2021-42336 (The learning history page of the Easytest is vulnerable by permission ...) NOT-FOR-US: Easytest CVE-2021-42335 (Easytest bulletin board management function of online learning platfor ...) @@ -8883,7 +8883,7 @@ CVE-2021-41273 CVE-2021-41272 RESERVED CVE-2021-41271 (Discourse is a platform for community discussion. In affected versions ...) - TODO: check + NOT-FOR-US: Discourse CVE-2021-41270 RESERVED CVE-2021-41269 (cron-utils is a Java library to define, parse, validate, migrate crons ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a52da49cb89a2a5091dfbf366c64532b80284339 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a52da49cb89a2a5091dfbf366c64532b80284339 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2013-7109
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5547ba09 by Salvatore Bonaccorso at 2021-11-16T09:14:03+01:00 Remove notes from CVE-2013-7109 It was withdrawn by its CNA. Further investigation showed that it was not a security issue. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -386358,8 +386358,6 @@ CVE-2013-7115 REJECTED CVE-2013-7109 REJECTED - - glance 2012.1~e4-1 - NOTE: https://github.com/openstack/glance/commit/804396204e23ebb CVE-2013-7105 (Buffer overflow in the Interstage HTTP Server log functionality, as us ...) NOT-FOR-US: Fujitsu Interstage HTTP Server CVE-2013-7104 (McAfee Email Gateway 7.6 allows remote authenticated administrators to ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5547ba0984e3d76bb1bef394f228f3983b48af40 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5547ba0984e3d76bb1bef394f228f3983b48af40 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
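Review bot: after this change the entry is a bare `REJECTED`, which matches the neighbouring CVE-2013-7115, but the reason for dropping the `glance 2012.1~e4-1` line and the openstack/glance commit reference (withdrawn by its CNA, judged not a security issue) now survives only in the commit message. If the tracker convention permits NOTE lines on REJECTED entries, a one-line `NOTE: Withdrawn by CNA; not a security issue` would keep that rationale next to the data for anyone who later finds the glance commit cited elsewhere.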
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0a2d48bd by security tracker role at 2021-11-16T08:10:15+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,855 @@ +CVE-2022-21641 + RESERVED +CVE-2022-21640 + RESERVED +CVE-2022-21639 + RESERVED +CVE-2022-21638 + RESERVED +CVE-2022-21637 + RESERVED +CVE-2022-21636 + RESERVED +CVE-2022-21635 + RESERVED +CVE-2022-21634 + RESERVED +CVE-2022-21633 + RESERVED +CVE-2022-21632 + RESERVED +CVE-2022-21631 + RESERVED +CVE-2022-21630 + RESERVED +CVE-2022-21629 + RESERVED +CVE-2022-21628 + RESERVED +CVE-2022-21627 + RESERVED +CVE-2022-21626 + RESERVED +CVE-2022-21625 + RESERVED +CVE-2022-21624 + RESERVED +CVE-2022-21623 + RESERVED +CVE-2022-21622 + RESERVED +CVE-2022-21621 + RESERVED +CVE-2022-21620 + RESERVED +CVE-2022-21619 + RESERVED +CVE-2022-21618 + RESERVED +CVE-2022-21617 + RESERVED +CVE-2022-21616 + RESERVED +CVE-2022-21615 + RESERVED +CVE-2022-21614 + RESERVED +CVE-2022-21613 + RESERVED +CVE-2022-21612 + RESERVED +CVE-2022-21611 + RESERVED +CVE-2022-21610 + RESERVED +CVE-2022-21609 + RESERVED +CVE-2022-21608 + RESERVED +CVE-2022-21607 + RESERVED +CVE-2022-21606 + RESERVED +CVE-2022-21605 + RESERVED +CVE-2022-21604 + RESERVED +CVE-2022-21603 + RESERVED +CVE-2022-21602 + RESERVED +CVE-2022-21601 + RESERVED +CVE-2022-21600 + RESERVED +CVE-2022-21599 + RESERVED +CVE-2022-21598 + RESERVED +CVE-2022-21597 + RESERVED +CVE-2022-21596 + RESERVED +CVE-2022-21595 + RESERVED +CVE-2022-21594 + RESERVED +CVE-2022-21593 + RESERVED +CVE-2022-21592 + RESERVED +CVE-2022-21591 + RESERVED +CVE-2022-21590 + RESERVED +CVE-2022-21589 + RESERVED +CVE-2022-21588 + RESERVED +CVE-2022-21587 + RESERVED +CVE-2022-21586 + RESERVED +CVE-2022-21585 + RESERVED +CVE-2022-21584 + RESERVED +CVE-2022-21583 + RESERVED +CVE-2022-21582 + RESERVED +CVE-2022-21581 + RESERVED +CVE-2022-21580 + RESERVED +CVE-2022-21579 + RESERVED +CVE-2022-21578 + RESERVED +CVE-2022-21577 + RESERVED +CVE-2022-21576 + RESERVED +CVE-2022-21575 + RESERVED +CVE-2022-21574 + RESERVED +CVE-2022-21573 + RESERVED +CVE-2022-21572 + RESERVED +CVE-2022-21571 + RESERVED +CVE-2022-21570 + RESERVED +CVE-2022-21569 + RESERVED 
+CVE-2022-21568 + RESERVED +CVE-2022-21567 + RESERVED +CVE-2022-21566 + RESERVED +CVE-2022-21565 + RESERVED +CVE-2022-21564 + RESERVED +CVE-2022-21563 + RESERVED +CVE-2022-21562 + RESERVED +CVE-2022-21561 + RESERVED +CVE-2022-21560 + RESERVED +CVE-2022-21559 + RESERVED +CVE-2022-21558 + RESERVED +CVE-2022-21557 + RESERVED +CVE-2022-21556 + RESERVED +CVE-2022-21555 + RESERVED +CVE-2022-21554 + RESERVED +CVE-2022-21553 + RESERVED +CVE-2022-21552 + RESERVED +CVE-2022-21551 + RESERVED +CVE-2022-21550 + RESERVED +CVE-2022-21549 + RESERVED +CVE-2022-21548 + RESERVED +CVE-2022-21547 + RESERVED +CVE-2022-21546 + RESERVED +CVE-2022-21545 + RESERVED +CVE-2022-21544 + RESERVED +CVE-2022-21543 + RESERVED +CVE-2022-21542 + RESERVED +CVE-2022-21541 + RESERVED +CVE-2022-21540 + RESERVED +CVE-2022-21539 + RESERVED +CVE-2022-21538 + RESERVED +CVE-2022-21537 + RESERVED +CVE-2022-21536 + RESERVED +CVE-2022-21535 + RESERVED +CVE-2022-21534 + RESERVED +CVE-2022-21533 + RESERVED +CVE-2022-21532 + RESERVED +CVE-2022-21531 + RESERVED +CVE-2022-21530 + RESERVED +CVE-2022-21529 + RESERVED +CVE-2022-21528 + RESERVED +CVE-2022-21527 + RESERVED +CVE-2022-21526 + RESERVED +CVE-2022-21525 + RESERVED +CVE-2022-21524 + RESERVED +CVE-2022-21523 + RESERVED +CVE-2022-21522 + RESERVED +CVE-2022-21521 + RESERVED +CVE-2022-21520 + RESERVED +CVE-2022-21519 + RESERVED +CVE-2022-21518 + RESERVED +CVE-2022-21517 + RESERVED +CVE-2022-21516 + RESERVED +CVE-2022-21515 + RESERVED +CVE-2022-21514 + RESERVED +CVE-2022-21513 + RESERVED +CVE-2022-21512 + RESERVED +CVE-2022-21511 + RESERVED +CVE-2022-21510 + RESERVED +CVE-2022-21509 + RESERVED +CVE-2022-21508 + RESERVED +CVE-2022-21507 + RESERVED +CVE-2022-21506 + RESERVED +CVE-2022-21505 + RESERVED +CVE-2022-21504 + RESERVED +CVE-2022-21503 + RESERVED +CVE-2022-21502 + RESERVED +CVE-2022-21501 +