[Git][security-tracker-team/security-tracker][master] Fix ordering
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 7515c2ae by Markus Koschany at 2022-05-23T00:06:40+02:00 Fix ordering - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -99312,8 +99312,8 @@ CVE-2021-20229 (A flaw was found in PostgreSQL in versions before 13.2. This fla CVE-2021-20228 (A flaw was found in the Ansible Engine 2.9.18, where sensitive info is ...) {DSA-4950-1} - ansible 2.10.7+merged+base+2.10.8+dfsg-1 - - ansible-base [stretch] - ansible (EOL'd for stretch) + - ansible-base NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1925002 NOTE: https://github.com/ansible/ansible/pull/73487 CVE-2021-20227 (A flaw was found in SQLite's SELECT query functionality (src/select.c) ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7515c2ae6e53430e86f07bad87aad7506736f0cd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7515c2ae6e53430e86f07bad87aad7506736f0cd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
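Review bot: this is the right correction for the check failure reported for data/CVE/list:99316 ("release note must follow its package note"): `[stretch] - ansible (EOL'd for stretch)` now sits directly under `- ansible 2.10.7+merged+base+2.10.8+dfsg-1` instead of under `- ansible-base`, which is the same placement the other ansible entries received in 2ca061f8 (stretch line between the last `[buster] - ansible` note and `- ansible-base`). The hunk header (`-99312,8 +99312,8`) confirms only the position changes, not the content. Running the repository's `make` (the target that failed in the notification) before pushing would have caught the ordering locally.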
Processing 2ca061f879b47aba252839d288e47fa0309f74b9 failed
The error message was: data/CVE/list:99316: release note must follow its package note make: *** [Makefile:19: all] Error 1 ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
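The rule the build enforced above is easy to state from the two ansible hunks on this page: inside one CVE entry of data/CVE/list, a `[release] - package (...)` line is only valid directly after the `- package ...` line (or after earlier release notes) for that same source package. What follows is an added example written for this page, not code from the security-tracker repository: a small checker for that rule and the reordering that 7515c2ae applied by hand. The line patterns it recognises (entry header, package note, release note) are assumed from the shapes visible in the hunks here, and the two sample entries are constructed from the CVE-2021-20228 hunk before and after the fix.

```python
import re

# Line shapes as they appear in the hunks on this page (assumed here, not the
# repository's own grammar): an entry header, a package note, a release note.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}")
PKG_RE = re.compile(r"^\s+-\s+(\S+)")              # "- pkg [version] (note)"
REL_RE = re.compile(r"^\s+\[(\w+)\]\s+-\s+(\S+)")  # "[release] - pkg (note)"


def check_cve_list(text):
    """Return [(line_no, message)] for every release note that does not
    directly follow a package note (or earlier release notes) for the same
    source package within its CVE entry."""
    errors = []
    current_pkg = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if CVE_RE.match(line):
            current_pkg = None  # a new entry resets the package context
            continue
        m = PKG_RE.match(line)
        if m:
            current_pkg = m.group(1)
            continue
        m = REL_RE.match(line)
        if m:
            release, pkg = m.groups()
            if pkg != current_pkg:
                errors.append((lineno, f"[{release}] - {pkg}: release note "
                                       "must follow its package note"))
    return errors


def fix_ordering(text):
    """Move each misplaced release note directly after the last line that
    belongs to its package inside the same entry (the edit 7515c2ae made)."""
    out = []
    entry_start = -1  # index in out[] of the current entry's CVE line
    for line in text.splitlines():
        if CVE_RE.match(line):
            out.append(line)
            entry_start = len(out) - 1
            continue
        m = REL_RE.match(line)
        if m:
            pkg = m.group(2)
            for i in range(len(out) - 1, entry_start, -1):
                pm, rm = PKG_RE.match(out[i]), REL_RE.match(out[i])
                if (pm and pm.group(1) == pkg) or (rm and rm.group(2) == pkg):
                    out.insert(i + 1, line)
                    break
            else:
                out.append(line)  # no package note at all: leave for check_cve_list
            continue
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample modelled on the CVE-2021-20228 hunk as pushed in 2ca061f8:
# the stretch note lands after "- ansible-base", a different source package.
BROKEN = """\
CVE-2021-20228 (A flaw was found in the Ansible Engine 2.9.18, where sensitive info is ...)
\t{DSA-4950-1}
\t- ansible 2.10.7+merged+base+2.10.8+dfsg-1
\t- ansible-base
\t[stretch] - ansible (EOL'd for stretch)
\tNOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1925002
"""

# The same entry after the reordering committed in 7515c2ae.
FIXED = """\
CVE-2021-20228 (A flaw was found in the Ansible Engine 2.9.18, where sensitive info is ...)
\t{DSA-4950-1}
\t- ansible 2.10.7+merged+base+2.10.8+dfsg-1
\t[stretch] - ansible (EOL'd for stretch)
\t- ansible-base
\tNOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1925002
"""

if __name__ == "__main__":
    for lineno, msg in check_cve_list(BROKEN):
        print(f"data/CVE/list:{lineno}: {msg}")
    assert fix_ordering(BROKEN) == FIXED and not check_cve_list(FIXED)
```

Run stand-alone it reports line 5 of the constructed entry, the same position (relative to the entry) that the tracker's own check flagged at data/CVE/list:99316, and the reordered text is identical to what the fix commit produced. The checker deliberately resets its package context at every `CVE-` header so that a release note cannot "borrow" a package note from the previous entry.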
[Git][security-tracker-team/security-tracker][master] Mark all open ansible CVE in Stretch as EOL
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 2ca061f8 by Markus Koschany at 2022-05-23T00:02:35+02:00 Mark all open ansible CVE in Stretch as EOL - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -59533,6 +59533,7 @@ CVE-2021-3620 (A flaw was found in Ansible Engine's ansible-connection module, w - ansible [bullseye] - ansible (Minor issue, revisit when/if fixed upstream) [buster] - ansible (Minor issue, revisit when/if fixed upstream) + [stretch] - ansible (EOL'd for stretch) - ansible-base NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1975767 CVE-2021-35500 (The Data Virtualization Server component of TIBCO Software Inc.'s TIBC ...) @@ -62360,6 +62361,7 @@ CVE-2021-3583 (A flaw was found in Ansible, where a user's controller is vulnera - ansible [bullseye] - ansible (Minor issue) [buster] - ansible (Minor issue) + [stretch] - ansible (EOL'd for stretch) - ansible-base NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1968412 NOTE: https://github.com/ansible/ansible/commit/4c8c40fd3d4a58defdc80e7d22aa8d26b731353e.patch @@ -68129,6 +68131,7 @@ CVE-2021-3533 (A flaw was found in Ansible if an ansible user sets ANSIBLE_ASYNC - ansible [bullseye] - ansible (Minor issue, revisit when/if fixed upstream) [buster] - ansible (Minor issue, revisit when/if fixed upstream) + [stretch] - ansible (EOL'd for stretch) - ansible-base NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1956477 CVE-2021-32026 @@ -68165,6 +68168,7 @@ CVE-2021-3532 (A flaw was found in Ansible where the secret information present - ansible [bullseye] - ansible (Minor issue, revisit when/if fixed upstream) [buster] - ansible (Minor issue, revisit when/if fixed upstream) + [stretch] - ansible (EOL'd for stretch) - ansible-base NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1956464 CVE-2021-3531 (A flaw was found in the Red Hat Ceph Storage RGW in versions before 14 ...) 
@@ -99309,6 +99313,7 @@ CVE-2021-20228 (A flaw was found in the Ansible Engine 2.9.18, where sensitive i {DSA-4950-1} - ansible 2.10.7+merged+base+2.10.8+dfsg-1 - ansible-base + [stretch] - ansible (EOL'd for stretch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1925002 NOTE: https://github.com/ansible/ansible/pull/73487 CVE-2021-20227 (A flaw was found in SQLite's SELECT query functionality (src/select.c) ...) @@ -99502,6 +99507,7 @@ CVE-2021-20191 (A flaw was found in ansible. Credentials, such as secrets, are b - ansible (bug #985753) [bullseye] - ansible (Minor issue) [buster] - ansible (Minor issue) + [stretch] - ansible (EOL'd for stretch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1916813 NOTE: https://github.com/ansible-collections/cisco.nxos/pull/227 NOTE: https://github.com/ansible-collections/cisco.nxos/commit/120956963f47502151a358e4a7bc2a87f71813aa @@ -99542,6 +99548,7 @@ CVE-2021-20180 (A flaw was found in ansible module where credentials are disclos - ansible (bug #985753) [bullseye] - ansible (Minor issue) [buster] - ansible (Minor issue) + [stretch] - ansible (EOL'd for stretch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1915808 NOTE: https://github.com/ansible-collections/community.general/pull/1635 NOTE: https://github.com/ansible-collections/community.general/commit/1d0c5e2ba47724c31a18d7b08b9daf13df8829dc @@ -99552,6 +99559,7 @@ CVE-2021-20178 (A flaw was found in ansible module where credentials are disclos - ansible (bug #985753) [bullseye] - ansible (Minor issue) [buster] - ansible (Minor issue) + [stretch] - ansible (EOL'd for stretch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1914774 NOTE: https://github.com/ansible-collections/community.general/pull/1621 NOTE: https://github.com/ansible-collections/community.general/commit/3560aeb12f7061bf21d63ca0e1e19feb99c57de3 
@@ -142170,6 +142178,7 @@ CVE-2020-14333 (A flaw was found in Ovirt Engine's web interface in ovirt 4.4 an CVE-2020-14332 (A flaw was found in the Ansible Engine when using module_args. Tasks e ...) {DSA-4950-1} - ansible 2.9.13+dfsg-1 (bug #966672) + [stretch] - ansible (EOL'd for stretch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1857805 NOTE: https://github.com/ansible/ansible/pull/71033 NOTE: https://github.com/ansible/ansible/commit/6cae9a4b168df776bf82deb04b2c62e00c38b49a (v2.9.12) @@ -142182,6 +142191,7 @@ CVE-2020-14331 (A flaw was found in the Linux kernels implementation of t
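Review bot: in the CVE-2021-20228 hunk the new `[stretch] - ansible (EOL'd for stretch)` line is appended after `- ansible-base`, so it follows a package note for a different source package; every other hunk in this commit (CVE-2021-3620, CVE-2021-3583, CVE-2021-3533, CVE-2021-3532, CVE-2021-20191, CVE-2021-20180, CVE-2021-20178, CVE-2020-14332) places it directly after the ansible package note or its `[bullseye]`/`[buster]` notes, which is what the "release note must follow its package note" check requires. That one line is the new line 99316 that failed the build and had to be moved in 7515c2ae. Separately, the same day's commits for libspring-java and node-formidable use `(No longer supported in LTS)` for the same situation; settling on one wording for stretch end-of-life notes would make them easier to grep later.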
[Git][security-tracker-team/security-tracker][master] update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 89a72e70 by Thorsten Alteholz at 2022-05-22T23:41:43+02:00 update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -83,7 +83,7 @@ liblouis NOTE: 20220503: Patch not applied upstream yet. -- libvirt (Thorsten Alteholz) - NOTE: 20220508: testing package + NOTE: 20220522: testing package -- linux (Ben Hutchings) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/89a72e70ebc0cdc19690fb22cbb56d80fe02a0be -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/89a72e70ebc0cdc19690fb22cbb56d80fe02a0be You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
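Review bot: the only change is the date in `NOTE: 20220522: testing package`, repeating the 20220508 wording two weeks later; a dated note that carries no new information does not tell the next reader what is being tested or what is holding up the upload. A line with the current state (which CVEs the candidate package covers, what still fails, whether a debdiff exists) would make the claim in dla-needed.txt useful to anyone who wants to help or take over.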
[Git][security-tracker-team/security-tracker][master] Added firefox-esr to dla-needed. It looks serious enough to not halt any...
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 5f3a2325 by Ola Lundqvist at 2022-05-22T23:27:37+02:00 Added firefox-esr to dla-needed. It looks serious enough to not halt any update. Did not check the source code so that must be done by someone. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -48,6 +48,9 @@ exempi NOTE: 20220517: A lot of packages reverse depends on libexmpi8. Further analysis NOTE: 20220517: is needed. -- +firefox-esr + NOTE: 20220522: From the description this looks criticial. Did not check whether the code is vulnerable or not. Leaving that to someone else. +-- firmware-nonfree NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f3a232539788aa69a20e771de08c417173f2d0e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f3a232539788aa69a20e771de08c417173f2d0e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
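Review bot: the added note says the issue looks critical but names no CVE and records that the code was not checked, so whoever claims the entry must first rediscover which issues are meant; listing the CVE IDs (the DSA-5143-1 entry elsewhere on this page, for firefox-esr 91.9.1esr, covers CVE-2022-1529 and CVE-2022-1802) would let the next person go straight to the upstream fixes. The new line also contains a typo (`criticial`), and unlike the neighbouring exempi and firmware-nonfree entries it is a single long NOTE line rather than wrapped `NOTE: 20220522:` continuation lines.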
[Git][security-tracker-team/security-tracker][master] 2 commits: libspring-java no longer supported for stretch. Marking CVE-2022-22970 and...
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: e00cb9f6 by Ola Lundqvist at 2022-05-22T23:07:38+02:00 libspring-java no longer supported for stretch. Marking CVE-2022-22970 and CVE-2022-22971 accordingly. - - - - - a282c886 by Ola Lundqvist at 2022-05-22T23:07:39+02:00 The package node-formidable is no longer supported for stretch, so marking CVE-2022-21698 accordingly. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4541,6 +4541,7 @@ CVE-2022-29623 (An arbitrary file upload vulnerability in the file upload module NOT-FOR-US: expressjs/connect-multiparty CVE-2022-29622 (An arbitrary file upload vulnerability in formidable v3.1.4 allows att ...) - node-formidable (bug #1011341) + [stretch] - node-formidable (No longer supported in LTS) NOTE: https://www.youtube.com/watch?v=C6QPKooxhAo NOTE: https://github.com/vyas0189/CougarCS-Backend/issues/57 NOTE: unclear if reported upstream 
@@ -24782,9 +24783,11 @@ CVE-2022-22972 (VMware Workspace ONE Access, Identity Manager and vRealize Autom NOT-FOR-US: VMware CVE-2022-22971 (In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupp ...) - libspring-java + [stretch] - libspring-java (No longer supported in LTS) NOTE: https://tanzu.vmware.com/security/cve-2022-22971 CVE-2022-22970 (In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupp ...) - libspring-java + [stretch] - libspring-java (No longer supported in LTS) NOTE: https://tanzu.vmware.com/security/cve-2022-22970 CVE-2022-22969 (Issue Description Spring Security OAuth versions 2.5.x prior t ...) NOT-FOR-US: spring-security-oauth View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/01520eb3d083a70a73425bd3eedc3422e571d9d1...a282c886eff03fb846e55b839da5a8655ce383a1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/01520eb3d083a70a73425bd3eedc3422e571d9d1...a282c886eff03fb846e55b839da5a8655ce383a1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
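Review bot: the second commit message says CVE-2022-21698 is being marked for node-formidable, but the hunk adds `[stretch] - node-formidable (No longer supported in LTS)` under CVE-2022-29622 (the formidable v3.1.4 arbitrary file upload issue); either the message names the wrong CVE or the wrong entry was edited, so please confirm which one was intended and amend the other. The libspring-java hunk matches its message (CVE-2022-22970 and CVE-2022-22971). In all three entries the unversioned `- node-formidable (bug #1011341)` / `- libspring-java` lines are kept, so the issues stay open for unstable.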
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3019-1 for admesh
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 01520eb3 by Anton Gladky at 2022-05-22T23:07:09+02:00 Reserve DLA-3019-1 for admesh - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[22 May 2022] DLA-3019-1 admesh - security update + {CVE-2018-25033} + [stretch] - admesh 0.98.2-3+deb9u1 [20 May 2022] DLA-3018-1 libpgjava - security update {CVE-2022-21724} [stretch] - libpgjava 9.4.1212-1+deb9u1 = data/dla-needed.txt = @@ -17,8 +17,6 @@ rather than remove/replace existing ones. NOTE: 20220516: Source code is vulnerable to CVE-2022-0996. The package do not have a large install base so the NOTE: 20220516: priority of fixing is probably low. -- -admesh (Anton Gladky) --- amd64-microcode -- asterisk (Abhijith PA) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/01520eb3d083a70a73425bd3eedc3422e571d9d1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/01520eb3d083a70a73425bd3eedc3422e571d9d1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Remove ansible from dla-needed.txt.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 99076357 by Markus Koschany at 2022-05-22T22:46:08+02:00 Remove ansible from dla-needed.txt. As discussed on our private mailing list, due to the lack of an effective test suite ansible cannot be supported in Stretch anymore. Maintainer agrees with marking ansible EOL in Stretch. - - - - - ea3b7d78 by Markus Koschany at 2022-05-22T22:50:54+02:00 Claim mysql-connector-java and puma in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -21,13 +21,6 @@ admesh (Anton Gladky) -- amd64-microcode -- -ansible - NOTE: 20210411: As discussed with the maintainer I will update Buster first and - NOTE: 20210411: after that LTS. (apo) - NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/ - NOTE: 20220427: Lee Garrett (maintainer) took over the work a while ago. See - NOTE: 20220427: https://salsa.debian.org/debian/ansible/-/commits/stretch/ --- asterisk (Abhijith PA) NOTE: 20220424: programming language C -- @@ -106,7 +99,7 @@ mbedtls (Utkarsh) NOTE: 20220516: helf off upload to see if the other one should NOTE: 20220516: be squeezed in. waiting on -pu. (utkarsh) -- -mysql-connector-java +mysql-connector-java (Markus Koschany) NOTE: 20220512: Requires a new upstream version. (apo) -- ntfs-3g 
@@ -130,7 +123,7 @@ pdns NOTE: 20220506: package builds but does not run a test suite, and I lack the NOTE: 20220506: know-how for testing manually (enrico) -- -puma +puma (Markus Koschany) -- puppet-module-puppetlabs-firewall NOTE: 20220402: no Debian maintainers activity since 2018 (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/eb51387273b8fb118ef4e5832e953e1987c554a5...ea3b7d78bac57871adbcac23381bfbe4aeb6d1a3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/eb51387273b8fb118ef4e5832e953e1987c554a5...ea3b7d78bac57871adbcac23381bfbe4aeb6d1a3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
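Review bot: removing the ansible block from dla-needed.txt while the per-CVE stretch status is only changed later the same night (2ca061f8 plus the ordering fix 7515c2ae) leaves a window in which ansible is neither on the work list nor marked end-of-life for stretch in data/CVE/list; doing both in one commit avoids that. The deleted notes (in particular the 20220427 pointer to https://salsa.debian.org/debian/ansible/-/commits/stretch/) were the only record of the earlier plan, and the reason given in the commit message (no effective test suite) is worth carrying into the CVE entries' notes rather than leaving it only in the private list discussion. The mysql-connector-java and puma claims are straightforward.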
[Git][security-tracker-team/security-tracker][master] CVE-2021-45101,condor: ignored for Buster
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: eb513872 by Markus Koschany at 2022-05-22T22:25:35+02:00 CVE-2021-45101,condor: ignored for Buster The patch is too intrusive - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30842,6 +30842,7 @@ CVE-2021-45102 (An issue was discovered in HTCondor 9.0.x before 9.0.4 and 9.1.x NOTE: https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2021-0004/ CVE-2021-45101 (An issue was discovered in HTCondor before 8.8.15, 9.0.x before 9.0.4, ...) - condor (bug #1002540) + [buster] - condor (Patch is too intrusive to backport) [stretch] - condor (Patch is too destructive to backport it; Patch does not apply cleanly. Too many calls in patch, not existed in this version of the software) NOTE: https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2021-0003/ NOTE: https://github.com/htcondor/htcondor/commit/8b311dee6dee6be518e65381e020fb74848b552b (V8_8_14) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb51387273b8fb118ef4e5832e953e1987c554a5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb51387273b8fb118ef4e5832e953e1987c554a5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
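Review bot: `[buster] - condor (Patch is too intrusive to backport)` is placed before the existing `[stretch]` line, keeping both directly under `- condor (bug #1002540)`, which is what the list format requires. With DSA-5144-1 (reserved the same evening) covering CVE-2019-18823 and CVE-2022-26110 only, this line is what keeps CVE-2021-45101 from showing as outstanding for buster; the stretch note records a concrete reason (calls used by the patch do not exist in that version), and a similarly concrete reason here, for example which parts of the referenced V8_8_14 commit fail to apply, would help whoever revisits the decision.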
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6de00bfd by security tracker role at 2022-05-22T20:10:17+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,11 @@ +CVE-2022-1813 (OS Command Injection in GitHub repository yogeshojha/rengine prior to ...) + TODO: check +CVE-2022-1812 + RESERVED +CVE-2022-1811 + RESERVED +CVE-2022-1810 + RESERVED CVE-2022-31269 RESERVED CVE-2022-31268 (A Path Traversal vulnerability in Gitblit 1.9.3 can lead to reading we ...) @@ -76,6 +84,7 @@ CVE-2022-1803 (Improper Restriction of Rendered UI Layers or Frames in GitHub re NOT-FOR-US: Trudesk CVE-2022-1802 RESERVED + {DSA-5143-1} - firefox 100.0.2-1 - firefox-esr 91.9.1esr-1 - thunderbird @@ -3641,6 +3650,7 @@ CVE-2022-1530 (Cross-site Scripting (XSS) in GitHub repository livehelperchat/li NOT-FOR-US: livehelperchat CVE-2022-1529 RESERVED + {DSA-5143-1} - firefox 100.0.2-1 - firefox-esr 91.9.1esr-1 - thunderbird @@ -3874,7 +3884,7 @@ CVE-2022-29826 CVE-2022-29825 RESERVED CVE-2022-29824 (In libxml2 before 2.9.14, several buffer handling functions in buf.c ( ...) - {DLA-3012-1} + {DSA-5142-1 DLA-3012-1} - libxml2 2.9.14+dfsg-1 (bug #1010526) NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a2408e09f13652049e5ffb0d26196b02ebab (v2.9.14) NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/commit/6c283d83eccd940bcde15634ac8c7f100e3caefd (master) @@ -14641,7 +14651,7 @@ CVE-2021-4224 CVE-2022-26111 (The BeanShell components of IRISNext through 9.8.28 allow execution of ...) NOT-FOR-US: IRISNext CVE-2022-26110 (An issue was discovered in HTCondor 8.8.x before 8.8.16, 9.0.x before ...) - {DLA-2984-1} + {DSA-5144-1 DLA-2984-1} - condor (bug #1008634) NOTE: https://htcondor.org/security/vulnerabilities/HTCONDOR-2022-0003 NOTE: https://github.com/htcondor/htcondor/commit/1cae7601d796725e7f5dd73fedf37f6fbbe379ca (V8_8_16) 
@@ -157889,6 +157899,7 @@ CVE-2020-8861 (This vulnerability allows network-adjacent attackers to bypass au CVE-2020-8860 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Samsung Galaxy S10 Firmware CVE-2020-8859 (This vulnerability allows remote attackers to create a denial-of-servi ...) + {DLA-3014-1} - elog NOTE: https://elog.psi.ch/elogs/Forum/69114 NOTE: https://www.zerodayinitiative.com/advisories/ZDI-20-252/ @@ -158385,7 +158396,6 @@ CVE-2020-8661 (CNCF Envoy through 1.13.0 may consume excessive amounts of memory CVE-2020-8660 (CNCF Envoy through 1.13.0 TLS inspector bypass. TLS inspector could ha ...) - envoyproxy (bug #987544) CVE-2020-8659 (CNCF Envoy through 1.13.0 may consume excessive amounts of memory when ...) - {DLA-3014-1} - envoyproxy (bug #987544) CVE-2020-8658 (The BestWebSoft Htaccess plugin through 1.8.1 for WordPress allows wp- ...) NOT-FOR-US: BestWebSoft Htaccess plugin for WordPress 
@@ -179255,7 +179265,7 @@ CVE-2019-18825 (Barco ClickShare Huddle CS-100 devices before 1.9.0 and CSE-200 CVE-2019-18824 (Barco ClickShare Button R9861500D01 devices before 1.10.0.13 have Miss ...) NOT-FOR-US: Barco ClickShare Button R9861500D01 devices CVE-2019-18823 (HTCondor up to and including stable series 8.8.6 and development serie ...) - {DLA-2724-1} + {DSA-5144-1 DLA-2724-1} - condor (bug #963777) NOTE: https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0003.html NOTE: https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6de00bfd95cf07cdd2ccea1cad15afd7bc0e6d4f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6de00bfd95cf07cdd2ccea1cad15afd7bc0e6d4f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
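Review bot: the `{DLA-3014-1}` reference moves from CVE-2020-8659 (Envoy memory consumption) to CVE-2020-8859 (elog), which is exactly the consequence of the c963b3c9 typo fix in data/DLA/list; the new DSA-5142-1, DSA-5143-1 and DSA-5144-1 cross-references likewise match the entries added to data/DSA/list on this page. CVE-2022-1813 (OS command injection in yogeshojha/rengine) is left at `TODO: check`, so it still needs the usual triage into a package line or a NOT-FOR-US marker.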
[Git][security-tracker-team/security-tracker][master] Reserve DSA-5144-1 condor
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: eed4372b by Markus Koschany at 2022-05-22T22:04:28+02:00 Reserve DSA-5144-1 condor - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[22 May 2022] DSA-5144-1 condor - security update + {CVE-2019-18823 CVE-2022-26110} + [buster] - condor 8.6.8~dfsg.1-2+deb10u1 [22 May 2022] DSA-5143-1 firefox-esr - security update {CVE-2022-1529 CVE-2022-1802} [buster] - firefox-esr 91.9.1esr-1~deb10u1 = data/dsa-needed.txt = @@ -18,8 +18,6 @@ cacti -- cifs-utils (carnil) -- -condor/oldstable (apo) --- curl -- epiphany-browser View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eed4372b8cfff9a9e17e35bdcbf7bfa7a55b00ba -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eed4372b8cfff9a9e17e35bdcbf7bfa7a55b00ba You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
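Review bot: the new entry lists only `[buster] - condor 8.6.8~dfsg.1-2+deb10u1`, consistent with the removed `condor/oldstable (apo)` line in dsa-needed.txt. Its CVE set `{CVE-2019-18823 CVE-2022-26110}` omits CVE-2021-45101, which eb513872 marked as ignored for buster with the reason recorded in data/CVE/list; it is worth saying in the advisory text that this issue remains unfixed, so readers do not assume the update closes all open condor CVEs.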
[Git][security-tracker-team/security-tracker][master] Track fixed version for three nvidia-graphics-drivers-tesla-450 CVEs fixed via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 90c7ee1c by Salvatore Bonaccorso at 2022-05-22T20:41:38+02:00 Track fixed version for three nvidia-graphics-drivers-tesla-450 CVEs fixed via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8609,7 +8609,7 @@ CVE-2022-28192 (NVIDIA vGPU software contains a vulnerability in the Virtual GPU [buster] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-tesla-418 (bug #1011143) [bullseye] - nvidia-graphics-drivers-tesla-418 (Non-free not supported) - - nvidia-graphics-drivers-tesla-450 (bug #1011144) + - nvidia-graphics-drivers-tesla-450 450.191.01-1 (bug #1011144) [bullseye] - nvidia-graphics-drivers-tesla-450 (Non-free not supported) - nvidia-graphics-drivers-tesla-460 (bug #1011145) [bullseye] - nvidia-graphics-drivers-tesla-460 (Non-free not supported) @@ -8648,7 +8648,7 @@ CVE-2022-28185 (NVIDIA GPU Display Driver for Windows and Linux contains a vulne [buster] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) - nvidia-graphics-drivers-tesla-418 (bug #1011143) [bullseye] - nvidia-graphics-drivers-tesla-418 (Non-free not supported) - - nvidia-graphics-drivers-tesla-450 (bug #1011144) + - nvidia-graphics-drivers-tesla-450 450.191.01-1 (bug #1011144) [bullseye] - nvidia-graphics-drivers-tesla-450 (Non-free not supported) - nvidia-graphics-drivers-tesla-460 (bug #1011145) [bullseye] - nvidia-graphics-drivers-tesla-460 (Non-free not supported) 
@@ -8689,7 +8689,7 @@ CVE-2022-28181 (NVIDIA GPU Display Driver for Windows and Linux contains a vulne [buster] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) - nvidia-graphics-drivers-tesla-418 (bug #1011143) [bullseye] - nvidia-graphics-drivers-tesla-418 (Non-free not supported) - - nvidia-graphics-drivers-tesla-450 (bug #1011144) + - nvidia-graphics-drivers-tesla-450 450.191.01-1 (bug #1011144) [bullseye] - nvidia-graphics-drivers-tesla-450 (Non-free not supported) - nvidia-graphics-drivers-tesla-460 (bug #1011145) [bullseye] - nvidia-graphics-drivers-tesla-460 (Non-free not supported) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90c7ee1c024c0c453778da2d341f8af4c8f0f56d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90c7ee1c024c0c453778da2d341f8af4c8f0f56d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add DSA entry for DSA-5143-1
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4a9f7280 by Salvatore Bonaccorso at 2022-05-22T20:38:32+02:00 Add DSA entry for DSA-5143-1 - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[22 May 2022] DSA-5143-1 firefox-esr - security update + {CVE-2022-1529 CVE-2022-1802} + [buster] - firefox-esr 91.9.1esr-1~deb10u1 + [bullseye] - firefox-esr 91.9.1esr-1~deb11u1 [22 May 2022] DSA-5142-1 libxml2 - security update {CVE-2022-29824} [buster] - libxml2 2.9.4+dfsg1-7+deb10u4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a9f72805f8b9550223592450ca3ca560390410f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a9f72805f8b9550223592450ca3ca560390410f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Fix typo in CVE ID
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: c963b3c9 by Utkarsh Gupta at 2022-05-22T23:39:38+05:30 Fix typo in CVE ID - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -11,7 +11,7 @@ {CVE-2020-16116 CVE-2020-24654} [stretch] - ark 4:16.08.3-2+deb9u1 [18 May 2022] DLA-3014-1 elog - security update - {CVE-2020-8659} + {CVE-2020-8859} [stretch] - elog 3.1.2-1-1+deb9u1 [18 May 2022] DLA-3013-1 needrestart - security update {CVE-2022-30688} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c963b3c90b11297a1eff0ec3da53383137ab702c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c963b3c90b11297a1eff0ec3da53383137ab702c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
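Review bot: the wrong ID `CVE-2020-8659` is itself a valid CVE (Envoy, see the automatic update on this page), so until this fix the tracker attached DLA-3014-1 to envoyproxy rather than to elog; the later automatic update 6de00bfd shows the cross-reference moving to CVE-2020-8859. Please confirm that the published DLA-3014-1 announcement used the correct ID; if it did not, a correction to the advisory text is needed as well.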
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2021-23409/golang-github-pires-go-proxyproto via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 75ec12ee by Salvatore Bonaccorso at 2022-05-22T16:47:15+02:00 Track fixed version for CVE-2021-23409/golang-github-pires-go-proxyproto via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -89910,7 +89910,7 @@ CVE-2021-23411 (Affected versions of this package are vulnerable to Cross-site S CVE-2021-23410 REJECTED CVE-2021-23409 (The package github.com/pires/go-proxyproto before 0.6.0 are vulnerable ...) - - golang-github-pires-go-proxyproto (bug #991498) + - golang-github-pires-go-proxyproto 0.4.2-2 (bug #991498) [bullseye] - golang-github-pires-go-proxyproto (Minor issue) NOTE: https://github.com/pires/go-proxyproto/issues/65 NOTE: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMPIRESGOPROXYPROTO-1316439 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/75ec12ee07a7eaee9e23faacd4014f9938433861 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/75ec12ee07a7eaee9e23faacd4014f9938433861 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
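Review bot: the recorded fixed version `0.4.2-2` is a Debian revision of an upstream release below the 0.6.0 that the description names as the first fixed version, so the fix must have been backported; a NOTE pointing at the changelog entry or the cherry-picked upstream commit would let others verify that without unpacking the package, since the existing NOTEs only reference the upstream issue and the Snyk advisory. The `[bullseye] - golang-github-pires-go-proxyproto (Minor issue)` line is left untouched, so bullseye still shows it as unfixed.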
[Git][security-tracker-team/security-tracker][master] php-dompdf: Even unstable has a version before CVE-2022-28368 was introduced
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 19b4fe9a by Adrian Bunk at 2022-05-22T16:03:36+03:00 php-dompdf: Even unstable has a version before CVE-2022-28368 was introduced - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7926,13 +7926,14 @@ CVE-2022-28370 CVE-2022-28369 RESERVED CVE-2022-28368 (Dompdf 1.2.1 allows remote code execution via a .php file in the src:u ...) - - php-dompdf (bug #1010090) - [stretch] - php-dompdf (Vulnerable code not present) + - php-dompdf (Vulnerable code introduced in 0.8.0, fixed in 1.2.1) NOTE: https://snyk.io/blog/security-alert-php-pdf-library-dompdf-rce/ NOTE: https://positive.security/blog/dompdf-rce NOTE: https://github.com/dompdf/dompdf/issues/2598 NOTE: https://github.com/dompdf/dompdf/pull/2808 NOTE: https://github.com/dompdf/dompdf/commit/4c70e1025bcd9b7694b95dd552499bd83cd6141d (v1.2.1) + NOTE: Vulnerability introduced by: + NOTE: https://github.com/dompdf/dompdf/commit/0e0261b7bce372b3a05b712a023f6f742a22d57e (v0.8.0) CVE-2022-28367 (OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE ...) - libowasp-antisamy-java (bug #1010154) NOTE: https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae (v1.6.6) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/19b4fe9ac2ffd4bc26a510e041a9a8abd56372f6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/19b4fe9ac2ffd4bc26a510e041a9a8abd56372f6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
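Review bot: the replacement line drops the `(bug #1010090)` reference, so the tracker no longer links the Debian bug; if #1010090 is still open it should be closed with the same rationale (vulnerable code introduced in 0.8.0, unstable predates it), otherwise the reference is better kept. The new NOTE lines annotate the introducing commit with its tag `(v0.8.0)` in the same style as the `(v1.2.1)` fix commit, which makes the stated version range checkable against upstream history.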
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-1809/radare2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a87bedbd by Salvatore Bonaccorso at 2022-05-22T11:08:21+02:00 Add CVE-2022-1809/radare2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17,7 +17,9 @@ CVE-2022-31262 CVE-2022-31261 RESERVED CVE-2022-1809 (Access of Uninitialized Pointer in GitHub repository radareorg/radare2 ...) - TODO: check + - radare2 + NOTE: https://huntr.dev/bounties/0730a95e-c485-4ff2-9a5d-bb3abfda0b17 + NOTE: https://github.com/radareorg/radare2/commit/919e3ac1a13f753c73e7a8e8d8bb4a143218732d CVE-2022-31260 RESERVED CVE-2022-31259 (The route lookup process in beego through 1.12.4 and 2.x through 2.0.2 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a87bedbd1e02c088a8a2e424585974c7770f97b2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a87bedbd1e02c088a8a2e424585974c7770f97b2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
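Review bot: the entry records `- radare2` without a fixed version, and the upstream fix commit 919e3ac1a13f753c73e7a8e8d8bb4a143218732d is listed without the release tag that other NOTE lines on this page carry in parentheses (for example `(v2.9.14)` on the libxml2 entry), so it is not yet visible which upstream release will contain the fix; adding the tag once it exists and, if the package in unstable is affected, a Debian bug reference would complete the entry.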
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 78cd9cb7 by Salvatore Bonaccorso at 2022-05-22T11:07:51+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,15 +1,15 @@ CVE-2022-31269 RESERVED CVE-2022-31268 (A Path Traversal vulnerability in Gitblit 1.9.3 can lead to reading we ...) - TODO: check + NOT-FOR-US: Gitblit CVE-2022-31267 (Gitblit 1.9.2 allows privilege escalation via the Config User Service: ...) - TODO: check + NOT-FOR-US: Gitblit CVE-2022-31266 RESERVED CVE-2022-31265 RESERVED CVE-2022-31264 (Solana solana_rbpf before 0.2.29 has an addition integer overflow via ...) - TODO: check + NOT-FOR-US: Solana rBPF CVE-2022-31263 RESERVED CVE-2022-31262 @@ -21,7 +21,7 @@ CVE-2022-1809 (Access of Uninitialized Pointer in GitHub repository radareorg/ra CVE-2022-31260 RESERVED CVE-2022-31259 (The route lookup process in beego through 1.12.4 and 2.x through 2.0.2 ...) - TODO: check + NOT-FOR-US: Beego CVE-2022-31258 (In Checkmk before 1.6.0p29, 2.x before 2.0.0p25, and 2.1.x before 2.1. ...) - check-mk CVE-2022-1808 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/78cd9cb7fdc0606a23b1a3c485123c0acd2e9170
[Git][security-tracker-team/security-tracker][master] 2 commits: Add note for trafficserver in dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 562f6bfe by Salvatore Bonaccorso at 2022-05-22T11:01:28+02:00 Add note for trafficserver in dsa-needed list - - - - - 125fd853 by Salvatore Bonaccorso at 2022-05-22T11:02:18+02:00 Add note for firefox-esr in dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -25,6 +25,7 @@ curl epiphany-browser -- firefox-esr + Maintainer uploaded fixed packages -- freecad (aron) -- @@ -56,6 +57,7 @@ thunderbird -- trafficserver (jmm) wait until status for CVE-2021-38161 is clarified (upstream patch got reverted) + Maintainer prepared debdiffs for review for a set of CVEs -- unzip unclear information, initial report indicates writable memory corruption, but View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b16402025e874e87a9aeb83b371f8097b10a7638...125fd8539d5ca8a4e82595f6f21c04be7b49f6e2
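Review bot: the note added under trafficserver, `Maintainer prepared debdiffs for review for a set of CVEs`, names neither the CVEs covered nor where the debdiffs can be found, while the line directly above it still says to wait until the status of CVE-2021-38161 is clarified; listing the CVE IDs and a bug number or URL for the debdiffs, and saying whether CVE-2021-38161 is among them, would let the next person pick this up without re-asking. In the first hunk, firefox-esr gains `Maintainer uploaded fixed packages` but still has no assignee in parentheses, so it is not recorded who will prepare and send the DSA.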
[Git][security-tracker-team/security-tracker][master] 2 commits: Track proposed update for python-scrapy via buster-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b2c7bf0e by Salvatore Bonaccorso at 2022-05-22T10:56:17+02:00 Track proposed update for python-scrapy via buster-pu - - - - - b1640202 by Salvatore Bonaccorso at 2022-05-22T10:57:10+02:00 Track proposed updates for python-scrapy via bullseye-pu - - - - - 2 changed files: - data/next-oldstable-point-update.txt - data/next-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -138,3 +138,7 @@ CVE-2022-24801 [buster] - twisted 18.9.0-3+deb10u1 CVE-2022-3033 [buster] - unrar-nonfree 1:5.6.6-1+deb10u1 +CVE-2021-41125 + [buster] - python-scrapy 1.5.1-1+deb10u1 +CVE-2022-0577 + [buster] - python-scrapy 1.5.1-1+deb10u1 = data/next-point-update.txt = @@ -76,3 +76,7 @@ CVE-2022-1650 [bullseye] - node-eventsource 1.0.7-1+deb11u1 CVE-2021-3618 [bullseye] - nginx 1.18.0-6.1+deb11u2 +CVE-2021-41125 + [bullseye] - python-scrapy 2.4.1-2+deb11u1 +CVE-2022-0577 + [bullseye] - python-scrapy 2.4.1-2+deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/17537c1a3ac02310b17eedb74346b9048999e4b9...b16402025e874e87a9aeb83b371f8097b10a7638
[Git][security-tracker-team/security-tracker][master] Mark CVE-2022-0577 as no-dsa for bullseye and buster
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 17537c1a by Salvatore Bonaccorso at 2022-05-22T10:55:32+02:00 Mark CVE-2022-0577 as no-dsa for bullseye and buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17717,6 +17717,8 @@ CVE-2022-24976 (Atheme IRC Services before 7.2.12, when used in conjunction with CVE-2022-0577 (Exposure of Sensitive Information to an Unauthorized Actor in GitHub r ...) {DLA-2950-1} - python-scrapy 2.6.1-1 (bug #1008234) + [bullseye] - python-scrapy (Minor issue) + [buster] - python-scrapy (Minor issue) NOTE: https://github.com/advisories/GHSA-cjvr-mfj7-j4j8 NOTE: https://huntr.dev/bounties/3da527b1-2348-4f69-9e88-2e11a96ac585 NOTE: https://github.com/scrapy/scrapy/commit/8ce01b3b76d4634f55067d6cfdf632ec70ba304a View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/17537c1a3ac02310b17eedb74346b9048999e4b9
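Review bot: the two added release lines `[bullseye] - python-scrapy (Minor issue)` and `[buster] - python-scrapy (Minor issue)` show no `<no-dsa>` tag between the package name and the reason, although the commit message says both releases are being marked no-dsa; a release line that carries only a reason is not the no-dsa form, so confirm the file reads `[bullseye] - python-scrapy <no-dsa> (Minor issue)` and likewise for buster. The reason text could also state that a fix is intended for the point releases rather than a DSA, since "Minor issue" alone does not tell a reader whether the stable packages will ever be updated.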
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for libxml2 update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 201c0807 by Salvatore Bonaccorso at 2022-05-22T10:39:28+02:00 Reserve DSA number for libxml2 update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[22 May 2022] DSA-5142-1 libxml2 - security update + {CVE-2022-29824} + [buster] - libxml2 2.9.4+dfsg1-7+deb10u4 + [bullseye] - libxml2 2.9.10+dfsg-6.7+deb11u2 [19 May 2022] DSA-5141-1 thunderbird - security update {CVE-2022-1520 CVE-2022-29909 CVE-2022-29911 CVE-2022-29912 CVE-2022-29913 CVE-2022-29914 CVE-2022-29916 CVE-2022-29917} [buster] - thunderbird 1:91.9.0-1~deb10u1 = data/dsa-needed.txt = @@ -32,8 +32,6 @@ linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v4.19.y versions. -- -libxml2 (carnil) --- ndpi/oldstable -- nodejs (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/201c080717efaf45cfd092572b58827f54f25fc4
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a01929d7 by security tracker role at 2022-05-22T08:10:11+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,23 @@ +CVE-2022-31269 + RESERVED +CVE-2022-31268 (A Path Traversal vulnerability in Gitblit 1.9.3 can lead to reading we ...) + TODO: check +CVE-2022-31267 (Gitblit 1.9.2 allows privilege escalation via the Config User Service: ...) + TODO: check +CVE-2022-31266 + RESERVED +CVE-2022-31265 + RESERVED +CVE-2022-31264 (Solana solana_rbpf before 0.2.29 has an addition integer overflow via ...) + TODO: check +CVE-2022-31263 + RESERVED +CVE-2022-31262 + RESERVED +CVE-2022-31261 + RESERVED +CVE-2022-1809 (Access of Uninitialized Pointer in GitHub repository radareorg/radare2 ...) + TODO: check CVE-2022-31260 RESERVED CVE-2022-31259 (The route lookup process in beego through 1.12.4 and 2.x through 2.0.2 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a01929d7a61849a8936ad6959625aa8f8a6e6aa2