[Git][security-tracker-team/security-tracker][master] Claim roundcube
Sebastien Delafond pushed to branch master at Debian Security Tracker / security-tracker Commits: cb0193be by Sébastien Delafond at 2021-11-23T08:38:29+01:00 Claim roundcube - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -41,7 +41,7 @@ python-pysaml2 (jmm) -- rabbitmq-server -- -roundcube +roundcube (seb) Maintainer prepared and proposed update, needs review and ack -- runc View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb0193be3962e66f0f635c2593c82974d649687f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb0193be3962e66f0f635c2593c82974d649687f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 28c69b1c by Salvatore Bonaccorso at 2021-11-23T08:28:12+01:00 Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -123986,7 +123986,7 @@ CVE-2020-7884 CVE-2020-7883 RESERVED CVE-2020-7882 (Using the parameter of getPFXFolderList function, attackers can see th ...) - TODO: check + NOT-FOR-US: anySign CVE-2020-7881 RESERVED CVE-2020-7880 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/28c69b1cc92a1d7ca4bdea9c29a79a60d9276834 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/28c69b1cc92a1d7ca4bdea9c29a79a60d9276834 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-44143/isync
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3cfaff0b by Salvatore Bonaccorso at 2021-11-23T07:53:22+01:00 Add CVE-2021-44143/isync - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,5 @@ +CVE-2021-44143 [malicious or compromised IMAP server could use a crafted mail message that lacks headers to provoke a heap overflow] + - isync (bug #999804) CVE-2021-44142 RESERVED CVE-2021-44141 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cfaff0b462c6a558749c1d42c74de3b1f0a8fd1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cfaff0b462c6a558749c1d42c74de3b1f0a8fd1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
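Review bot: the new CVE-2021-44143 entry records only `- isync (bug #999804)` and no `NOTE:` line, so the file gives neither an upstream fix reference nor an indication of which isync versions are affected, which is what the next person triaging buster/bullseye will need; once the upstream fix is known, add a `NOTE:` line with the reference and put the fixed Debian version in the `- isync` line, as other entries in data/CVE/list do.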
[Git][security-tracker-team/security-tracker][master] CVE-2020-14424/cacti fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3515ecee by Salvatore Bonaccorso at 2021-11-23T06:29:11+01:00 CVE-2020-14424/cacti fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -105193,7 +105193,7 @@ CVE-2020-14426 (Certain NETGEAR devices are affected by disclosure of administra CVE-2020-14425 (Foxit Reader before 10.0 allows Remote Command Execution via the app.o ...) NOT-FOR-US: Foxit Reader CVE-2020-14424 (Cacti before 1.2.18 allows remote attackers to trigger XSS via templat ...) - - cacti + - cacti 1.2.19+ds1-1 [stretch] - cacti (Vulnerable code not present) NOTE: https://github.com/Cacti/cacti/pull/4261 NOTE: https://github.com/Cacti/cacti/commit/d12800ab479ad95a091bc577f28fd99ec95eb64c (release/1.2.18) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3515ecee3f363d27586f361b9b184f90d9f34ae9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3515ecee3f363d27586f361b9b184f90d9f34ae9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
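Review bot: the hunk sets the unstable fix (`- cacti 1.2.19+ds1-1`) and marks stretch with `(Vulnerable code not present)`, but adds no `[bullseye]` or `[buster]` line, so both releases stay listed as affected with no recorded triage decision; either add the annotation for those releases or say in the commit message that their triage is still pending. The fixed version 1.2.19+ds1-1 is later than the upstream 1.2.18 named in the description and the `(release/1.2.18)` NOTE, which is consistent with the fix being in 1.2.18 and the first Debian upload after it.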
[Git][security-tracker-team/security-tracker][master] add bluez
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 2e4db735 by Thorsten Alteholz at 2021-11-22T23:50:13+01:00 add bluez - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -18,6 +18,8 @@ ansible NOTE: 20210411: after that LTS. (apo) NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/ -- +bluez +-- debian-archive-keyring NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html NOTE: 20210920: Raphael answered. will backport today. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e4db73596db8761b95eb8d21115cf89f312935c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e4db73596db8761b95eb8d21115cf89f312935c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
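Review bot: the new `bluez` entry in data/dla-needed.txt carries no `NOTE:` line, unlike the surrounding ansible and debian-archive-keyring entries, so a reader cannot tell which CVEs the LTS update is meant to cover or what state the work is in; add a NOTE listing the CVE identifiers or pointing at the tracker entry, and a `(name)` claim once someone takes it.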
[Git][security-tracker-team/security-tracker][master] fill in librecad details
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d19fedca by Moritz Muehlenhoff at 2021-11-22T23:15:28+01:00 fill in librecad details - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -57235,14 +57235,20 @@ CVE-2021-21902 CVE-2021-21901 RESERVED CVE-2021-21900 (A code execution vulnerability exists in the dxfRW::processLType() fun ...) - - librecad + - librecad NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1351 + NOTE: librecad bundles libdxfrw + NOTE: https://github.com/LibreCAD/libdxfrw/commit/fcd977cc7f8f6cc7f012e5b72d33cf7d77b3fa69 CVE-2021-21899 (A code execution vulnerability exists in the dwgCompressor::copyCompBy ...) - - librecad + - librecad NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1350 + NOTE: librecad bundles libdxfrw + NOTE: https://github.com/LibreCAD/libdxfrw/commit/641711887409aa10c4e59f954c3905a6e8b5 CVE-2021-21898 (A code execution vulnerability exists in the dwgCompressor::decompress ...) - - librecad + - librecad NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1349 + NOTE: librecad bundles libdxfrw + NOTE: https://github.com/LibreCAD/libdxfrw/commit/ba3fa95648bef948e008dfbdd31a4d21badd71f0 CVE-2021-21897 (A code execution vulnerability exists in the DL_Dxf::handleLWPolylineD ...) - dxflib 3.26.4-1 [bullseye] - dxflib (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d19fedca048bed67ad1fb0b16c0d90a29b0b51ef -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d19fedca048bed67ad1fb0b16c0d90a29b0b51ef You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
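Review bot: the commit hash in the libdxfrw link added for CVE-2021-21899 (`641711887409aa10c4e59f954c3905a6e8b5`) is 36 hex characters, while the hashes in the links for CVE-2021-21900 and CVE-2021-21898 are the full 40, so the URL looks truncated; please check that it resolves and paste the full commit id if it does not. The `NOTE: librecad bundles libdxfrw` line is the useful part of this hunk, since it explains why fixes in a separately maintained library are tracked against the librecad source package.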
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-37322
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c11384e by Salvatore Bonaccorso at 2021-11-22T21:50:07+01:00 Add CVE-2021-37322 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19553,7 +19553,9 @@ CVE-2021-37324 CVE-2021-37323 RESERVED CVE-2021-37322 (GCC c++filt v2.26 was discovered to contain a use-after-free vulnerabi ...) - TODO: check + - binutils (unimportant) + NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99188 + NOTE: binutils not covered by security support CVE-2021-37321 RESERVED CVE-2021-37320 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c11384e64d656e3b247b39353755bd98fd9a04e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c11384e64d656e3b247b39353755bd98fd9a04e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add three CVEs associated with librecad
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2d706539 by Salvatore Bonaccorso at 2021-11-22T21:47:51+01:00 Add three CVEs associated with librecad - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -57233,11 +57233,14 @@ CVE-2021-21902 CVE-2021-21901 RESERVED CVE-2021-21900 (A code execution vulnerability exists in the dxfRW::processLType() fun ...) - TODO: check + - librecad + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1351 CVE-2021-21899 (A code execution vulnerability exists in the dwgCompressor::copyCompBy ...) - TODO: check + - librecad + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1350 CVE-2021-21898 (A code execution vulnerability exists in the dwgCompressor::decompress ...) - TODO: check + - librecad + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1349 CVE-2021-21897 (A code execution vulnerability exists in the DL_Dxf::handleLWPolylineD ...) - dxflib 3.26.4-1 [bullseye] - dxflib (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d706539c0cd1e982fae207b5752c1ea216a8fe7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d706539c0cd1e982fae207b5752c1ea216a8fe7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c79c3a82 by Salvatore Bonaccorso at 2021-11-22T21:45:52+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16773,7 +16773,7 @@ CVE-2021-38450 (The affected controllers do not properly sanitize the input cont CVE-2021-38449 (Some API functions permit by-design writing or copying data into a giv ...) NOT-FOR-US: AUVESY CVE-2021-38448 (The affected controllers do not properly sanitize the input containing ...) - TODO: check + NOT-FOR-US: Trane CVE-2021-38447 RESERVED CVE-2021-38446 @@ -53126,7 +53126,7 @@ CVE-2021-23720 CVE-2021-23719 RESERVED CVE-2021-23718 (The package ssrf-agent before 1.0.5 are vulnerable to Server-side Requ ...) - TODO: check + NOT-FOR-US: ssrf-agent CVE-2021-23717 RESERVED CVE-2021-23716 @@ -70264,7 +70264,7 @@ CVE-2021-1107 (NVIDIA Linux kernel distributions contain a vulnerability in nvma CVE-2021-1106 (NVIDIA Linux kernel distributions contain a vulnerability in nvmap, wh ...) NOT-FOR-US: NVIDIA CVE-2021-1105 (NVIDIA GPU and Tegra hardware contain a vulnerability in the internal ...) - TODO: check + NOT-FOR-US: NVIDIA CVE-2021-1104 (The RISC-V Instruction Set Manual contains a documented ambiguity for ...) NOT-FOR-US: RISC-V CVE-2021-1103 (NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manag ...) @@ -70332,7 +70332,7 @@ CVE-2021-1090 (NVIDIA GPU Display Driver for Windows and Linux contains a vulner CVE-2021-1089 (NVIDIA GPU Display Driver for Windows contains a vulnerability in nvid ...) NOT-FOR-US: NVIDIA GPU Display Driver for Windows CVE-2021-1088 (NVIDIA GPU and Tegra hardware contain a vulnerability in the internal ...) - TODO: check + NOT-FOR-US: NVIDIA CVE-2021-1087 (NVIDIA vGPU driver contains a vulnerability in the Virtual GPU Manager ...) NOT-FOR-US: NVIDIA vGPU driver CVE-2021-1086 (NVIDIA vGPU driver contains a vulnerability in the Virtual GPU Manager ...) 
@@ -185644,7 +185644,7 @@ CVE-2019-5642 (Rapid7 Metasploit Pro version 4.16.0-2019081901 and prior suffers CVE-2019-5641 RESERVED CVE-2019-5640 (Rapid7 Nexpose versions prior to 6.6.114 suffer from an information ex ...) - TODO: check + NOT-FOR-US: Rapid7 Nexpose CVE-2019-5639 RESERVED CVE-2019-5638 (Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient sess ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c79c3a82810987a072c9a0abdb7aa3ce3d995628 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c79c3a82810987a072c9a0abdb7aa3ce3d995628 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ec1d0c1c by Salvatore Bonaccorso at 2021-11-22T21:21:53+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2292,9 +2292,9 @@ CVE-2021-3952 CVE-2021-3951 RESERVED CVE-2021-43582 (A Use-After-Free Remote Vulnerability exists when reading a DWG file u ...) - TODO: check + NOT-FOR-US: Open Design Alliance Drawings SDK CVE-2021-43581 (An Out-of-Bounds Read vulnerability exists when reading a U3D file usi ...) - TODO: check + NOT-FOR-US: Open Design Alliance PRC SDK CVE-2021-43580 RESERVED CVE-2021-43579 (A stack-based buffer overflow in image_load_bmp() in HTMLDOC before 1. ...) @@ -4698,9 +4698,9 @@ CVE-2021-43018 CVE-2021-43017 (Adobe Creative Cloud version 5.5 (and earlier) are affected by an Appl ...) NOT-FOR-US: Adobe CVE-2021-43016 (Adobe InCopy version 16.4 (and earlier) is affected by a Null pointer ...) - TODO: check + NOT-FOR-US: Adobe CVE-2021-43015 (Adobe InCopy version 16.4 (and earlier) is affected by a memory corrup ...) - TODO: check + NOT-FOR-US: Adobe CVE-2021-43014 RESERVED CVE-2021-43013 (Adobe Media Encoder version 15.4.1 (and earlier) are affected by a mem ...) @@ -5341,9 +5341,9 @@ CVE-2021-42739 (The firewire subsystem in the Linux kernel through 5.14.13 has a NOTE: https://seclists.org/oss-sec/2021/q2/46 NOTE: https://lore.kernel.org/linux-media/YHaulytonFcW+lyZ@mwanda/ CVE-2021-42738 (Adobe Prelude version 10.1 (and earlier) is affected by a memory corru ...) - TODO: check + NOT-FOR-US: Adobe CVE-2021-42737 (Adobe Prelude version 10.1 (and earlier) is affected by a memory corru ...) - TODO: check + NOT-FOR-US: Adobe CVE-2021-42736 RESERVED CVE-2021-42735 
@@ -5351,7 +5351,7 @@ CVE-2021-42735 CVE-2021-42734 RESERVED CVE-2021-42733 (Adobe Prelude version 10.1 (and earlier) is affected by an improper in ...) - TODO: check + NOT-FOR-US: Adobe CVE-2021-42732 RESERVED CVE-2021-42731 (Adobe InDesign versions 16.4 (and earlier) are affected by a Buffer Ov ...) @@ -5363,7 +5363,7 @@ CVE-2021-42729 CVE-2021-42728 RESERVED CVE-2021-42727 (Acrobat RoboHelp Server versions 2020.0.1 (and earlier) are affected b ...) - TODO: check + NOT-FOR-US: Adobe CVE-2021-42726 (Adobe Media Encoder version 15.4 (and earlier) are affected by a memor ...) NOT-FOR-US: Adobe CVE-2021-42725 (Adobe Experience Manager version 6.5.9.0 (and earlier) are affected by ...) @@ -5414,11 +5414,11 @@ CVE-2021-42709 CVE-2021-42708 RESERVED CVE-2021-42707 (PLC Editor Versions 1.3.8 and prior is vulnerable to an out-of-bounds ...) - TODO: check + NOT-FOR-US: PLC Editor CVE-2021-42706 (This vulnerability could allow an attacker to disclose information and ...) NOT-FOR-US: Advantech CVE-2021-42705 (PLC Editor Versions 1.3.8 and prior is vulnerable to a stack-based buf ...) - TODO: check + NOT-FOR-US: PLC Editor CVE-2021-42704 RESERVED CVE-2021-42703 (This vulnerability could allow an attacker to send malicious Javascrip ...) 
@@ -11185,17 +11185,17 @@ CVE-2021-40777 CVE-2021-40776 RESERVED CVE-2021-40775 (Adobe Prelude version 10.1 (and earlier) is affected by a memory corru ...) - TODO: check + NOT-FOR-US: Adobe CVE-2021-40774 (Adobe Prelude version 10.1 (and earlier) is affected by a null pointer ...) - TODO: check + NOT-FOR-US: Adobe CVE-2021-40773 (Adobe Prelude version 10.1 (and earlier) is affected by a null pointer ...) - TODO: check + NOT-FOR-US: Adobe CVE-2021-40772 (Adobe Prelude version 10.1 (and earlier) is affected by a memory corru ...) - TODO: check + NOT-FOR-US: Adobe CVE-2021-40771 (Adobe Prelude version 10.1 (and earlier) is affected by a memory corru ...) - TODO: check + NOT-FOR-US: Adobe CVE-2021-40770 (Adobe Prelude version 10.1 (and earlier) is affected by a memory corru ...) - TODO: check + NOT-FOR-US: Adobe CVE-2021-40769 RESERVED CVE-2021-40768 @@ -16929,15 +16929,15 @@ CVE-2021-38380 (Live555 through 1.08 mishandles huge requests for the same MP3 s CVE-2021-38379 (The Hub in CFEngine Enterprise 3.6.7 through 3.18.0 has Insecure Permi ...) NOT-FOR-US: CFEngine Enterprise CVE-2021-38378 (OX App Suite 7.10.5 allows Information Exposure because a caching mech ...) - TODO: check + NOT-FOR-US: OX App Suite CVE-2021-38377 (OX App Suite through 7.10.5 allows XSS via JavaScript code in an ancho ...) - TODO: check + NOT-FOR-US: OX App Suite CVE-2021-38376 (OX App Suite through 7.10.5 has Incorrect Access Control for retrieval ...) - TODO: check + NOT-FOR-US: OX App
[Git][security-tracker-team/security-tracker][master] Track proposed update for libmodbus via buster-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 90ccb128 by Salvatore Bonaccorso at 2021-11-22T21:17:34+01:00 Track proposed update for libmodbus via buster-pu - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -92,3 +92,7 @@ CVE-2021-43331 [buster] - mailman 1:2.1.29-1+deb10u3 CVE-2021-43332 [buster] - mailman 1:2.1.29-1+deb10u3 +CVE-2019-14462 + [buster] - libmodbus 3.1.4-2+deb10u1 +CVE-2019-14463 + [buster] - libmodbus 3.1.4-2+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90ccb128b9f75fee4bc4d877ffc152ae110630b7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90ccb128b9f75fee4bc4d877ffc152ae110630b7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1a258d7b by security tracker role at 2021-11-22T20:10:20+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,139 @@ +CVE-2021-44142 + RESERVED +CVE-2021-44141 + RESERVED +CVE-2021-44140 + RESERVED +CVE-2021-44139 + RESERVED +CVE-2021-44138 + RESERVED +CVE-2021-44137 + RESERVED +CVE-2021-44136 + RESERVED +CVE-2021-44135 + RESERVED +CVE-2021-44134 + RESERVED +CVE-2021-44133 + RESERVED +CVE-2021-44132 + RESERVED +CVE-2021-44131 + RESERVED +CVE-2021-44130 + RESERVED +CVE-2021-44129 + RESERVED +CVE-2021-44128 + RESERVED +CVE-2021-44127 + RESERVED +CVE-2021-44126 + RESERVED +CVE-2021-44125 + RESERVED +CVE-2021-44124 + RESERVED +CVE-2021-44123 + RESERVED +CVE-2021-44122 + RESERVED +CVE-2021-44121 + RESERVED +CVE-2021-44120 + RESERVED +CVE-2021-44119 + RESERVED +CVE-2021-44118 + RESERVED +CVE-2021-44117 + RESERVED +CVE-2021-44116 + RESERVED +CVE-2021-44115 + RESERVED +CVE-2021-44114 + RESERVED +CVE-2021-44113 + RESERVED +CVE-2021-44112 + RESERVED +CVE-2021-44111 + RESERVED +CVE-2021-44110 + RESERVED +CVE-2021-44109 + RESERVED +CVE-2021-44108 + RESERVED +CVE-2021-44107 + RESERVED +CVE-2021-44106 + RESERVED +CVE-2021-44105 + RESERVED +CVE-2021-44104 + RESERVED +CVE-2021-44103 + RESERVED +CVE-2021-44102 + RESERVED +CVE-2021-44101 + RESERVED +CVE-2021-44100 + RESERVED +CVE-2021-44099 + RESERVED +CVE-2021-44098 + RESERVED +CVE-2021-44097 + RESERVED +CVE-2021-44096 + RESERVED +CVE-2021-44095 + RESERVED +CVE-2021-44094 + RESERVED +CVE-2021-44093 + RESERVED +CVE-2021-44092 + RESERVED +CVE-2021-44091 + RESERVED +CVE-2021-44090 + RESERVED +CVE-2021-44089 + RESERVED +CVE-2021-44088 + RESERVED +CVE-2021-44087 + RESERVED +CVE-2021-44086 + RESERVED +CVE-2021-44085 + RESERVED +CVE-2021-44084 + RESERVED +CVE-2021-44083 + RESERVED +CVE-2021-44082 + RESERVED +CVE-2021-44081 + RESERVED +CVE-2021-44080 + RESERVED +CVE-2021-4001 + RESERVED +CVE-2021-4000 + RESERVED +CVE-2021-3999 + RESERVED +CVE-2021-3998 + RESERVED +CVE-2021-3997 + RESERVED CVE-2021-44079 (In the wazuh-slack active response script in Wazuh before 4.2.5, untru ...) NOT-FOR-US: Wazuh CVE-2021-3996 
@@ -2155,10 +2291,10 @@ CVE-2021-3952 RESERVED CVE-2021-3951 RESERVED -CVE-2021-43582 - RESERVED -CVE-2021-43581 - RESERVED +CVE-2021-43582 (A Use-After-Free Remote Vulnerability exists when reading a DWG file u ...) + TODO: check +CVE-2021-43581 (An Out-of-Bounds Read vulnerability exists when reading a U3D file usi ...) + TODO: check CVE-2021-43580 RESERVED CVE-2021-43579 (A stack-based buffer overflow in image_load_bmp() in HTMLDOC before 1. ...) @@ -,8 +2358,7 @@ CVE-2002-20001 (The Diffie-Hellman Key Agreement Protocol allows remote attacker NOT-FOR-US: Diffie Hellmann kex protocol issue CVE-2021-3944 RESERVED -CVE-2021-3943 - RESERVED +CVE-2021-3943 (A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, ...) - moodle CVE-2021-43575 (** DISPUTED ** KNX ETS6 through 6.0.0 uses the hard-coded password ETS ...) NOT-FOR-US: KNX ETS6 @@ -2255,19 +2390,15 @@ CVE-2021-43562 (An issue was discovered in the pixxio (aka pixx.io integration o NOT-FOR-US: TYPO3 extension CVE-2021-43561 (An XSS issue was discovered in the google_for_jobs (aka Google for Job ...) NOT-FOR-US: TYPO3 extension -CVE-2021-43560 - RESERVED +CVE-2021-43560 (A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, ...) - moodle -CVE-2021-43559 - RESERVED +CVE-2021-43559 (A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, ...) - moodle -CVE-2021-43558 - RESERVED +CVE-2021-43558 (A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, ...) - moodle CVE-2021-3942 RESERVED -CVE-2021-43557 - RESERVED +CVE-2021-43557 (The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri ...) NOT-FOR-US: Apache Apisix CVE-2021-3941 RESERVED @@ -2360,8 +2491,7 @@ CVE-2021-3937 RESERVED CVE-2021-3936 RESERVED -CVE-2021-3935 - RESERVED +CVE-2021-3935 (When PgBouncer is configured to use "cert" authentication, a man-in-th ...) - pgbouncer NOTE: https://www.pgbouncer.org/2021/11/pgbouncer-1-16-1 NOTE:
[Git][security-tracker-team/security-tracker][master] node-json-schema spu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a604c565 by Moritz Mühlenhoff at 2021-11-22T17:36:10+01:00 node-json-schema spu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -34,3 +34,5 @@ CVE-2021-43579 [bullseye] - htmldoc 1.9.11-4+deb11u1 CVE-2021-35604 [bullseye] - mariadb-10.5 1:10.5.13-0+deb11u1 +CVE-2021-3918 + [bullseye] - node-json-schema 0.3.0+~7.0.6-1+deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a604c5658106ff74a2a62ebfdf07e6948f54e050 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a604c5658106ff74a2a62ebfdf07e6948f54e050 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: libmodbus issues fixed in recent upload
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: a435329c by Thorsten Alteholz at 2021-11-22T17:05:26+01:00 libmodbus issues fixed in recent upload - - - - - f228ef77 by Thorsten Alteholz at 2021-11-22T17:06:10+01:00 Reserve DLA-2825-1 for libmodbus - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -158650,7 +158650,6 @@ CVE-2019-14464 (XMFile::read in XMFile.cpp in milkyplay in MilkyTracker 1.02.00 CVE-2019-14463 (An issue was discovered in libmodbus before 3.0.7 and 3.1.x before 3.1 ...) - libmodbus 3.1.6-1 (bug #933805) [buster] - libmodbus (Minor issue) - [stretch] - libmodbus (Minor issue) [jessie] - libmodbus (Minor issue) NOTE: https://github.com/stephane/libmodbus/commit/5ccdf5ef79d742640355d1132fa9e2abc7fbaefc (3.1.5) NOTE: https://github.com/stephane/libmodbus/commit/6f915d4215c06be3c719761423d9b5e8aa3cb820 (3.1.5) @@ -158659,7 +158658,6 @@ CVE-2019-14463 (An issue was discovered in libmodbus before 3.0.7 and 3.1.x befo CVE-2019-14462 (An issue was discovered in libmodbus before 3.0.7 and 3.1.x before 3.1 ...) - libmodbus 3.1.6-1 (bug #933805) [buster] - libmodbus (Minor issue) - [stretch] - libmodbus (Minor issue) [jessie] - libmodbus (Minor issue) NOTE: https://github.com/stephane/libmodbus/commit/5ccdf5ef79d742640355d1132fa9e2abc7fbaefc (3.1.5) NOTE: https://github.com/stephane/libmodbus/commit/6f915d4215c06be3c719761423d9b5e8aa3cb820 (3.1.5) = data/DLA/list = 
@@ -1,3 +1,6 @@ +[22 Nov 2021] DLA-2825-1 libmodbus - security update + {CVE-2019-14462 CVE-2019-14463} + [stretch] - libmodbus 3.0.6-2+deb9u1 [21 Nov 2021] DLA-2823-2 salt - regression update [stretch] - salt 2016.11.2+ds-1+deb9u9 [20 Nov 2021] DLA-2824-1 firebird3.0 - security update View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1137946c9185dc40ecb36cfdecef5bca238bfe7e...f228ef77c64510c7aed68faa1c66b1ebf694ec7f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1137946c9185dc40ecb36cfdecef5bca238bfe7e...f228ef77c64510c7aed68faa1c66b1ebf694ec7f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Track proposed update for mailman via buster-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e0779e8f by Salvatore Bonaccorso at 2021-11-22T13:12:23+01:00 Track proposed update for mailman via buster-pu - - - - - 1137946c by Salvatore Bonaccorso at 2021-11-22T13:12:55+01:00 Add tracking bug for CVE-2021-4333{1,2}/mailman - - - - - 2 changed files: - data/CVE/list - data/next-oldstable-point-update.txt Changes: = data/CVE/list = @@ -2803,13 +2803,13 @@ CVE-2021-43334 CVE-2021-4 RESERVED CVE-2021-43332 (In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py ad ...) - - mailman + - mailman (bug #1000367) [buster] - mailman (Minor issue) [stretch] - mailman (Minor issue) NOTE: https://mail.python.org/archives/list/mailman-annou...@python.org/message/I2X7PSFXIEPLM3UMKZMGOEO3UFYETGRL/ NOTE: https://bugs.launchpad.net/mailman/+bug/1949403 CVE-2021-43331 (In GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user ...) - - mailman + - mailman (bug #1000367) [buster] - mailman (Minor issue) [stretch] - mailman (Minor issue) NOTE: https://mail.python.org/archives/list/mailman-annou...@python.org/message/I2X7PSFXIEPLM3UMKZMGOEO3UFYETGRL/ = data/next-oldstable-point-update.txt = 
@@ -88,3 +88,7 @@ CVE-2019-1010319 [buster] - wavpack 5.1.0-6+deb10u1 CVE-2021-35604 [buster] - mariadb-10.3 1:10.3.32-0+deb10u1 +CVE-2021-43331 + [buster] - mailman 1:2.1.29-1+deb10u3 +CVE-2021-43332 + [buster] - mailman 1:2.1.29-1+deb10u3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/197cacb9c2e062a56af7d5b7b0697c48284c9309...1137946c9185dc40ecb36cfdecef5bca238bfe7e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/197cacb9c2e062a56af7d5b7b0697c48284c9309...1137946c9185dc40ecb36cfdecef5bca238bfe7e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFU
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 197cacb9 by Moritz Muehlenhoff at 2021-11-22T13:08:17+01:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2268,6 +2268,7 @@ CVE-2021-3942 RESERVED CVE-2021-43557 RESERVED + NOT-FOR-US: Apache Apisix CVE-2021-3941 RESERVED - openexr 
@@ -22771,22 +22772,22 @@ CVE-2021-35940 (An out-of-bounds array read in the apr_time_exp*() functions was CVE-2021-35939 [checks for unsafe symlinks are not performed for intermediary directories] RESERVED - rpm (bug #990543) - [bullseye] - rpm (Minor issue) - [buster] - rpm (Minor issue) + [bullseye] - rpm (Minor issue) + [buster] - rpm (Minor issue) [stretch] - rpm (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1964129 CVE-2021-35938 [races with chown/chmod/capabilities calls during installation] RESERVED - rpm (bug #990543) - [bullseye] - rpm (Minor issue) - [buster] - rpm (Minor issue) + [bullseye] - rpm (Minor issue) + [buster] - rpm (Minor issue) [stretch] - rpm (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1964114 CVE-2021-35937 [TOCTOU race in checks for unsafe symlinks] RESERVED - rpm (bug #990543) - [bullseye] - rpm (Minor issue) - [buster] - rpm (Minor issue) + [bullseye] - rpm (Minor issue) + [buster] - rpm (Minor issue) [stretch] - rpm (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1964125 CVE-2021-35936 (If remote logging is not used, the worker (in the case of CeleryExecut ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/197cacb9c2e062a56af7d5b7b0697c48284c9309 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/197cacb9c2e062a56af7d5b7b0697c48284c9309 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
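Review bot: this hunk removes and re-adds the `[bullseye]` and `[buster]` lines for CVE-2021-35937, CVE-2021-35938 and CVE-2021-35939 with identical visible text, so it is a whitespace-only change (presumably indentation); it is unrelated to the `NOT-FOR-US: Apache Apisix` change that the commit message "NFU" describes and would be easier to audit in its own commit with a message saying so.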
[Git][security-tracker-team/security-tracker][master] buster/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c72c97f8 by Moritz Muehlenhoff at 2021-11-22T12:02:05+01:00 buster/bullseye triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2065,6 +2065,8 @@ CVE-2021-3957 (kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) ...) NOT-FOR-US: kimai2 CVE-2021-43616 (The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an i ...) - npm + [bullseye] - npm (Minor issue) + [buster] - npm (Minor issue) NOTE: https://github.com/npm/cli/issues/2701 CVE-2021-43615 RESERVED @@ -4158,6 +4160,8 @@ CVE-2021-43175 RESERVED CVE-2021-3918 (json-schema is vulnerable to Improperly Controlled Modification of Obj ...) - node-json-schema 0.4.0+~7.0.9-1 (bug #999765) + [bullseye] - node-json-schema (Minor issue) + [buster] - node-json-schema (Minor issue) NOTE: https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741 (v0.4.0) CVE-2021-43174 (NLnet Labs Routinator versions 0.9.0 up to and including 0.10.1, suppo ...) - routinator (bug #929024) @@ -5190,6 +5194,8 @@ CVE-2020-36490 (DedeCMS v7.5 SP2 was discovered to contain multiple cross-site s NOT-FOR-US: DedeCMS CVE-2021- [RUSTSEC-2020-0159: Potential segfault in localtime_r invocations] - rust-chrono (bug #996913) + [bullseye] - rust-chrono (Minor issue) + [buster] - rust-chrono (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0159.html NOTE: https://github.com/chronotope/chrono/issues/499 CVE-2021-42742 
@@ -28404,6 +28410,7 @@ CVE-2021-33516 (An issue was discovered in GUPnP before 1.0.7 and 1.1.x and 1.2. NOTE: https://gitlab.gnome.org/GNOME/gupnp/-/commit/ca6ec9dcb26fd7a2a630eb6a68118659b589afac (master) CVE-2021-33515 (The submission service in Dovecot before 2.3.15 allows STARTTLS comman ...) - dovecot 1:2.3.13+dfsg1-2 (bug #990566) + [bullseye] - dovecot (Minor issue, fix along with next update) [buster] - dovecot (Minor issue, fix along with next update) [stretch] - dovecot (Vulnerable code (smtp_server_command queue) introduced later) NOTE: https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html @@ -83872,9 +83879,13 @@ CVE-2020-23905 RESERVED CVE-2020-23904 (A stack buffer overflow in speexenc.c of Speex v1.2 allows attackers t ...) - speex + [bullseye] - speex (Minor issue) + [buster] - speex (Minor issue) NOTE: https://github.com/xiph/speex/issues/14 CVE-2020-23903 (A Divide by Zero vulnerability in the function static int read_samples ...) - speex + [bullseye] - speex (Minor issue) + [buster] - speex (Minor issue) NOTE: https://github.com/xiph/speex/issues/13 CVE-2020-23902 (A buffer overflow in WildBit Viewer v6.6 allows attackers to cause a d ...) NOT-FOR-US: WildBit Viewer View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c72c97f8af266b80bb36db2848903881fd1f894d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c72c97f8af266b80bb36db2848903881fd1f894d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
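Review bot: for CVE-2021-43616 the description in the context line scopes the bug to npm 7.x and 8.x through 8.1.3, so the new "[buster] - npm (Minor issue)" line should be checked against the npm version buster actually ships: if it predates 7.x, the right annotation is <not-affected> with a reason, not a no-dsa "Minor issue", since the latter records the release as vulnerable. The bullseye line is fine as far as the visible text goes. The NOTE keeps the upstream issue (npm/cli#2701) as the only reference; a pointer to the fixing upstream release would help whoever later has to backport it.

Review bot: for CVE-2021-3918 the entry already records the unstable fix (0.4.0+~7.0.9-1, bug #999765) and the NOTE points at the upstream commit shipped in v0.4.0, so the two no-dsa annotations are consistent with the rest of the entry. The "+~" component in the version string shows this source package bundles another module; it is worth confirming that no other bullseye/buster package embeds its own copy of json-schema, which an annotation on node-json-schema alone would not cover.

Review bot: the rust-chrono entry is keyed by an incomplete identifier ("CVE-2021-" followed by the RUSTSEC title in brackets) rather than an assigned CVE. Adding the no-dsa annotations under that key is fine for tracking, but the key will have to be rewritten once an id is assigned, and the RUSTSEC-2020-0159 and chronotope/chrono#499 NOTEs should survive that rewrite so the history is not lost. The bracketed title ("Potential segfault in localtime_r invocations") is the only description, so "Minor issue" here is a judgement taken from the advisory, not from a CVE text.

Review bot: the CVE-2021-33515 entry records the fix as dovecot 1:2.3.13+dfsg1-2 (bug #990566); the new "[bullseye] - dovecot (Minor issue, fix along with next update)" line only makes sense if bullseye shipped an older version, so the bullseye version should be confirmed before this lands, because a no-dsa annotation for a release that already carries the fixed version contradicts the fixed-version line. The buster line it mirrors was already present; the stretch line, which records why stretch is not affected (the smtp_server_command queue code was introduced later), is the better-documented form and the one to copy when reasons are known.

Review bot: both speex entries (CVE-2020-23904, CVE-2020-23903) get the same no-dsa treatment, and for CVE-2020-23904 the description points at speexenc.c, the command-line encoder, rather than the library; the "Minor issue" rating would be easier to defend later if the NOTE said which binary package is affected, since an overflow reachable through libspeex would have a much wider blast radius than a crash in a CLI tool. The upstream issues (xiph/speex#14 and #13) are the only references; no fix commit is recorded yet, so these entries will need revisiting when upstream lands one.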
[Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f76dde3 by Salvatore Bonaccorso at 2021-11-22T09:45:35+01:00 Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2021-44079 (In the wazuh-slack active response script in Wazuh before 4.2.5, untru ...) - TODO: check + NOT-FOR-US: Wazuh CVE-2021-3996 RESERVED CVE-2021-3995 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f76dde376450c7aa1d58c6abb1c1e7695a5db7f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f76dde376450c7aa1d58c6abb1c1e7695a5db7f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] lts: update notes
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 51c22efc by Emilio Pozuelo Monfort at 2021-11-22T09:23:57+01:00 lts: update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -28,7 +28,7 @@ debian-archive-keyring NOTE: 20211018: with him and upload and publish the DLA. (utkarsh) -- firefox-esr (Emilio) - NOTE: 2026: blocked on toolchain backports (pochu) + NOTE: 20211122: blocked on toolchain backports (pochu) -- firmware-nonfree (Markus Koschany) NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree @@ -68,6 +68,7 @@ linux (Ben Hutchings) linux-4.19 (Ben Hutchings) -- mbedtls (Emilio) + NOTE: 20211122: CVEs backported, but one of them introduces a test regression, investigating (Emilio) -- nvidia-graphics-drivers NOTE: package is in non-free but also in packages-to-support @@ -87,7 +88,7 @@ rustc (Roberto C. Sánchez) samba (Anton) -- thunderbird (Emilio) - NOTE: 2026: blocked on toolchain backports (pochu) + NOTE: 20211122: blocked on toolchain backports (pochu) -- wireshark (Adrian Bunk) NOTE: 2029: Check https://salsa.debian.org/security-tracker-team/security-tracker/commit/d55b7eff90db8487e20106c2c09e61293a477e89 (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/51c22efceeebc3c501182095a9576c462be78691 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/51c22efceeebc3c501182095a9576c462be78691 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
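Review bot: the firefox-esr and thunderbird NOTE timestamps are corrected from "2026:" to the YYYYMMDD form ("20211122:") used elsewhere in dla-needed.txt, but the wireshark NOTE in the trailing context of the last hunk still reads "NOTE: 2029: Check https://..." which is the same truncated form; fixing it in the same pass would leave the file with one date convention. The new mbedtls NOTE is useful as-is; once the test regression is understood, recording the failing test name next to it will save the next person from re-investigating.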
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3e8d901f by security tracker role at 2021-11-22T08:10:11+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,13 @@ +CVE-2021-44079 (In the wazuh-slack active response script in Wazuh before 4.2.5, untru ...) + TODO: check +CVE-2021-3996 + RESERVED +CVE-2021-3995 + RESERVED +CVE-2021-3994 + RESERVED +CVE-2021-3993 + RESERVED CVE-2021-3992 RESERVED CVE-2021-44078 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e8d901f42093e377eb3d90f4987a3314b612098 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e8d901f42093e377eb3d90f4987a3314b612098 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits