[Git][security-tracker-team/security-tracker][master] dla: retake
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab3323f5 by Adrian Bunk at 2024-05-27T21:35:50+03:00 dla: retake - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -47,7 +47,7 @@ cacti NOTE: 20240519: I'd have postponed them but let's fix it before buster NOTE: 20240519: goes EOL. (utkarsh) -- -dcmtk +dcmtk (Adrian Bunk) NOTE: 20240428: Added by Front-Desk (ta) -- dlt-daemon (utkarsh) @@ -292,7 +292,7 @@ squid NOTE: 20240109: I ask for another pair of eyes for CVE-2023-5824. The fix NOTE: 20240109: appears to be intrusive. I could not locate the fix for CVE-2023-49288 yet. (apo) -- -suricata +suricata (Adrian Bunk) NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored), View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab3323f5a1815d67a28aacc719b9cbf9169403a2 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab3323f5a1815d67a28aacc719b9cbf9169403a2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: take gst-plugins-base1.0
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abc0b92f by Adrian Bunk at 2024-05-24T12:18:57+03:00 dla: take gst-plugins-base1.0 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -118,7 +118,7 @@ glibc (Adrian Bunk) NOTE: 20240504: Re-add for remaining CVEs. (bunk) NOTE: 20240520: Testing fixes. (bunk) -- -gst-plugins-base1.0 +gst-plugins-base1.0 (Adrian Bunk) NOTE: 20240524: Added by Front-Desk (lamby) -- h2o View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abc0b92faadd41cd80686c7a868ac136ef810f38 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abc0b92faadd41cd80686c7a868ac136ef810f38 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: add note
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab3a10d4 by Adrian Bunk at 2024-05-20T14:38:38+03:00 dla: add note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -115,6 +115,7 @@ git -- glibc (Adrian Bunk) NOTE: 20240504: Re-add for remaining CVEs. (bunk) + NOTE: 20240520: Testing fixes. (bunk) -- h2o NOTE: 20231228: Added by Front-Desk (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab3a10d499d7ff21ef77c49df1acadb5b97af5bf -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab3a10d499d7ff21ef77c49df1acadb5b97af5bf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: retake
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab23bad9 by Adrian Bunk at 2024-05-13T15:52:51+03:00 dla: retake - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -53,7 +53,7 @@ bind9 (Santiago) bluez NOTE: 20240510: Added by Front-Desk (ta) -- -dcmtk +dcmtk (Adrian Bunk) NOTE: 20240428: Added by Front-Desk (ta) -- dnsmasq (dleidert) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab23bad9afd18019d9cd3944770dd26ca35c8d14 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab23bad9afd18019d9cd3944770dd26ca35c8d14 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: retake
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab68269e by Adrian Bunk at 2024-05-08T15:27:11+03:00 dla: retake - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -280,7 +280,7 @@ squid NOTE: 20240109: I ask for another pair of eyes for CVE-2023-5824. The fix NOTE: 20240109: appears to be intrusive. I could not locate the fix for CVE-2023-49288 yet. (apo) -- -suricata +suricata (Adrian Bunk) NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored), View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab68269e2cef85f8d8488a7328a346a8e901f3de -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab68269e2cef85f8d8488a7328a346a8e901f3de You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3809-1 for libkf5ksieve
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 21e3422a by Adrian Bunk at 2024-05-05T23:48:57+03:00 Reserve DLA-3809-1 for libkf5ksieve - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[05 May 2024] DLA-3809-1 libkf5ksieve - security update + {CVE-2023-52723} + [buster] - libkf5ksieve 4:18.08.3-2+deb10u1 [04 May 2024] DLA-3808-1 intel-microcode - security update {CVE-2023-22655 CVE-2023-28746 CVE-2023-38575 CVE-2023-39368 CVE-2023-43490} [buster] - intel-microcode 3.20240312.1~deb10u1 = data/dla-needed.txt = @@ -116,10 +116,6 @@ jenkins-htmlunit-core-js less (Abhijith PA) NOTE: 20240418: Added by Front-Desk (apo) -- -libkf5ksieve (Adrian Bunk) - NOTE: 20240504: Added by Front-Desk (Beuc) - NOTE: 20240504: Follow PU #1069836/#1069690 (Beuc/front-desk) --- libmojolicious-perl NOTE: 20240421: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21e3422a164712f603e13edf907b6a4056b30c41 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21e3422a164712f603e13edf907b6a4056b30c41 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: take libkf5ksieve
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab8b986e by Adrian Bunk at 2024-05-04T23:10:37+03:00 dla: take libkf5ksieve - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -116,7 +116,7 @@ jenkins-htmlunit-core-js less (Abhijith PA) NOTE: 20240418: Added by Front-Desk (apo) -- -libkf5ksieve +libkf5ksieve (Adrian Bunk) NOTE: 20240504: Added by Front-Desk (Beuc) NOTE: 20240504: Follow PU #1069836/#1069690 (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab8b986ec7914d3015b5e93363af6162a7686a89 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab8b986ec7914d3015b5e93363af6162a7686a89 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: re-add glibc
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab032412 by Adrian Bunk at 2024-05-04T02:08:16+03:00 dla: re-add glibc - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -95,6 +95,9 @@ freeimage NOTE: 20240412: ELTS also have a need to update this package. NOTE: 20240412: We should open upstream bug reports and push fixes. See above email discussion. (ola) -- +glibc (Adrian Bunk) + NOTE: 20240504: Re-add for remaining CVEs. (bunk) +-- h2o (dleidert) NOTE: 20231228: Added by Front-Desk (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab03241267ab0d8d359e0c2699e592e128cb54ea -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab03241267ab0d8d359e0c2699e592e128cb54ea You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3807-1 for glibc
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 388144f1 by Adrian Bunk at 2024-05-04T01:47:05+03:00 Reserve DLA-3807-1 for glibc - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[04 May 2024] DLA-3807-1 glibc - security update + {CVE-2024-2961} + [buster] - glibc 2.28-10+deb10u3 [01 May 2024] DLA-3806-1 distro-info-data - database update [buster] - distro-info-data 0.41+deb10u9 [01 May 2024] DLA-3805-1 qtbase-opensource-src - security update = data/dla-needed.txt = @@ -95,9 +95,6 @@ freeimage NOTE: 20240412: ELTS also have a need to update this package. NOTE: 20240412: We should open upstream bug reports and push fixes. See above email discussion. (ola) -- -glibc (Adrian Bunk) - NOTE: 20240419: Added by coordinator (santiago) --- h2o (dleidert) NOTE: 20231228: Added by Front-Desk (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/388144f1f55c35a9aab00190701658f359a8f557 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/388144f1f55c35a9aab00190701658f359a8f557 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2024-28130/dcmtk: Link to upstream issue
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab8797a4 by Adrian Bunk at 2024-04-30T14:36:22+03:00 CVE-2024-28130/dcmtk: Link to upstream issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1463,6 +1463,7 @@ CVE-2024-28627 (An issue in Flipsnack v.18/03/2024 allows a local attacker to ob CVE-2024-28130 (An incorrect type conversion vulnerability exists in the DVPSSoftcopyV ...) - dcmtk NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1957 + NOTE: https://support.dcmtk.org/redmine/issues/1120 NOTE: https://github.com/DCMTK/dcmtk/commit/601b227eecaab33a3a3a11dc256d84b1a62f63af NOTE: https://github.com/DCMTK/dcmtk/commit/7d54f8efec995e5601d089fa17b0625c2b41af23 CVE-2024-21979 (An out of bounds write vulnerability in the AMD Radeon\u2122 user mode ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab8797a4ec25f27f28680c3a389b2ccc0de1cb27 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab8797a4ec25f27f28680c3a389b2ccc0de1cb27 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3800-1 for ruby-rack
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 03883179 by Adrian Bunk at 2024-04-29T12:26:12+03:00 Reserve DLA-3800-1 for ruby-rack - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Apr 2024] DLA-3800-1 ruby-rack - security update + {CVE-2024-25126 CVE-2024-26141 CVE-2024-26146} + [buster] - ruby-rack 2.0.6-3+deb10u4 [28 Apr 2024] DLA-3799-1 trafficserver - security update {CVE-2024-31309} [buster] - trafficserver 8.1.7-0+deb10u4 = data/dla-needed.txt = @@ -258,10 +258,6 @@ ring NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca) -- -ruby-rack (Adrian Bunk) - NOTE: 20240306: Added by Front-Desk (opal) - NOTE: 20240408: waiting for feedback from Debian maintainer (bunk) --- runc (dleidert) NOTE: 20240312: Added by coordinator (roberto) NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0388317923da14943723872f5d267e5613c31b01 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0388317923da14943723872f5d267e5613c31b01 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: take dcmtk
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abbc6388 by Adrian Bunk at 2024-04-29T02:59:03+03:00 dla: take dcmtk - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -49,7 +49,7 @@ bind9 (Santiago) NOTE: 20240418: https://salsa.debian.org/lts-team/packages/bind9/-/commit/135e46d2e43b6e499454385c2228338c6a72ba96 NOTE: 20240418: All testing activities remains. -- -dcmtk +dcmtk (Adrian Bunk) NOTE: 20240428: Added by Front-Desk (ta) -- dnsmasq View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abbc63886bd82da89d29a2330778589e5662ac3e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abbc63886bd82da89d29a2330778589e5662ac3e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3799-1 for trafficserver
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: dca4d563 by Adrian Bunk at 2024-04-28T23:51:32+03:00 Reserve DLA-3799-1 for trafficserver - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[28 Apr 2024] DLA-3799-1 trafficserver - security update + {CVE-2024-31309} + [buster] - trafficserver 8.1.7-0+deb10u4 [28 Apr 2024] DLA-3798-1 zabbix - security update {CVE-2024-22119} [buster] - zabbix 1:4.0.4+dfsg-1+deb10u5 = data/dla-needed.txt = @@ -306,9 +306,6 @@ tinymce NOTE: 20231216: upstream's patch is backportable, as the code has changed a NOTE: 20231216: lot. (spwhitton) -- -trafficserver (Adrian Bunk) - NOTE: 20240421: Added by Front-Desk (apo) --- tryton-server (Markus Koschany) NOTE: 20240421: Added by Front-Desk (apo) NOTE: 20240421: Fix causes regressions in tryton client. Waiting for that View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dca4d5635318336e67b292f148f00abb54dc4c87 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dca4d5635318336e67b292f148f00abb54dc4c87 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3798-1 for zabbix
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f60305a by Adrian Bunk at 2024-04-28T21:38:34+03:00 Reserve DLA-3798-1 for zabbix - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -119630,8 +119630,8 @@ CVE-2022-40627 RESERVED CVE-2022-40626 (An unauthenticated user can create a link with reflected Javascript co ...) - zabbix 1:6.0.7+dfsg-2 - [bullseye] - zabbix (Vulnerable code introduced later) - [buster] - zabbix (Vulnerable code introduced later) + [bullseye] - zabbix (Vulnerable code introduced later) + [buster] - zabbix (Vulnerable code introduced later) NOTE: https://support.zabbix.com/browse/ZBX-21350 NOTE: Introduced by: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/e4000620f1f427cc8df02914125b3b985ad797dc (6.0.0beta3) NOTE: Introduced by: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/56d8343c34c83ac727ab6250c7eb9e6d682b5b1c (6.0.0beta3) = data/DLA/list = @@ -1,3 +1,6 @@ +[28 Apr 2024] DLA-3798-1 zabbix - security update + {CVE-2024-22119} + [buster] - zabbix 1:4.0.4+dfsg-1+deb10u5 [28 Apr 2024] DLA-3797-1 frr - security update {CVE-2022-26125 CVE-2022-26126 CVE-2022-26127 CVE-2022-26128 CVE-2022-26129 CVE-2022-37035 CVE-2023-38406 CVE-2023-38407 CVE-2023-46752 CVE-2023-46753 CVE-2023-47234 CVE-2023-47235 CVE-2024-31948 CVE-2024-31949} [buster] - frr 7.5.1-1.1+deb10u2 = data/dla-needed.txt = 
@@ -327,9 +327,6 @@ wordpress NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and NOTE: 20240314: bookwork. Uploads to spu and ospu should be coordinated. (roberto) -- -zabbix (Adrian Bunk) - NOTE: 20240212: Added by Front-Desk (utkarsh) --- zookeeper NOTE: 20240324: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f60305ac193975bfef12579e0db4fa9b9388d38 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f60305ac193975bfef12579e0db4fa9b9388d38 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
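Review bot: the data/CVE/list hunk for CVE-2022-40626 replaces two lines with text that reads identically to what it removes (`[bullseye] - zabbix (Vulnerable code introduced later)` and its buster counterpart), so it is a whitespace-only change that the commit message "Reserve DLA-3798-1 for zabbix" does not mention; either leave that hunk out of this commit or state the indentation fix in the message so the history of the CVE entry stays easy to audit.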
[Git][security-tracker-team/security-tracker][master] CVE-2024-22119/zabbix: Link to commit that introduced the vulnerability
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab3c49fa by Adrian Bunk at 2024-04-28T17:01:29+03:00 CVE-2024-22119/zabbix: Link to commit that introduced the vulnerability - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21794,8 +21794,9 @@ CVE-2024-23319 (Mattermost Jira Plugin fails to protect against logout CSRF allo CVE-2024-22119 (The cause of vulnerability is improper validation of form input field ...) - zabbix 1:6.0.24+dfsg-1 NOTE: https://support.zabbix.com/browse/ZBX-24070 - NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/aec9ebf575e6c62b5397f267ae5353b121a91262 (6.0.24rc1) - NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/62a62b1b7f07a4a7cf249bef05968bb0eef1cfb2 (5.0.40rc1) + NOTE: Introduced by: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/d5b73ddafc2b91376c0d74027b5f727cea6f9c29 (4.0.0alpha1) + NOTE: Fixed by: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/aec9ebf575e6c62b5397f267ae5353b121a91262 (6.0.24rc1) + NOTE: Fixed by: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/62a62b1b7f07a4a7cf249bef05968bb0eef1cfb2 (5.0.40rc1) CVE-2024-21762 (A out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2 ...) NOT-FOR-US: FortiGuard CVE-2024-1402 (Mattermost fails to check if a custom emoji reaction exists when sendi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab3c49fa3985b730d4e356926b5f3709c3104305 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab3c49fa3985b730d4e356926b5f3709c3104305 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2022-40626/zabbix does not affect buster or bullseye
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abd7bbed by Adrian Bunk at 2024-04-28T16:50:31+03:00 CVE-2022-40626/zabbix does not affect buster or bullseye - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -119421,10 +119421,12 @@ CVE-2022-40627 RESERVED CVE-2022-40626 (An unauthenticated user can create a link with reflected Javascript co ...) - zabbix 1:6.0.7+dfsg-2 - [bullseye] - zabbix (Minor issue) - [buster] - zabbix (Minor issue) + [bullseye] - zabbix (Vulnerable code introduced later) + [buster] - zabbix (Vulnerable code introduced later) NOTE: https://support.zabbix.com/browse/ZBX-21350 - NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/55eb14d0a394b362d5df00ed9e06a3918472deec (6.0.7rc1) + NOTE: Introduced by: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/e4000620f1f427cc8df02914125b3b985ad797dc (6.0.0beta3) + NOTE: Introduced by: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/56d8343c34c83ac727ab6250c7eb9e6d682b5b1c (6.0.0beta3) + NOTE: Fixed by: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/55eb14d0a394b362d5df00ed9e06a3918472deec (6.0.7rc1) CVE-2022-40625 RESERVED CVE-2022-40624 (pfSense pfBlockerNG through 2.1.4_27 allows remote attackers to execut ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abd7bbede9129adde1340dfc783e4594b769b394 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abd7bbede9129adde1340dfc783e4594b769b394 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2024-33600/glibc: Add second commit of the fix
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab7d3d8b by Adrian Bunk at 2024-04-26T19:49:52+03:00 CVE-2024-33600/glibc: Add second commit of the fix - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -138,6 +138,7 @@ CVE-2024-33600 [nscd: Null pointer dereferences after failed netgroup cache inse NOTE: https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fwei...@redhat.com/ NOTE: https://www.openwall.com/lists/oss-security/2024/04/24/2 NOTE: Fixed by: https://sourceware.org/git?p=glibc.git;a=commit;h=b048a482f088e53144d26a61c390bed0210f49f2 + NOTE: Fixed by: https://sourceware.org/git/?p=glibc.git;a=commit;h=7835b00dbce53c3c871754a95fb5e58187aa CVE-2024-33599 [nscd: netgroup cache: invalid memcpy under low memory/storage conditions] - glibc NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=31677 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab7d3d8bc9680961a0e25552eaddfd4eb7c1ba5b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab7d3d8bc9680961a0e25552eaddfd4eb7c1ba5b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
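Review bot: the added `Fixed by:` line in the CVE-2024-33600 hunk carries a 36-character commit id (`7835b00dbce53c3c871754a95fb5e58187aa`), shorter than a full 40-character SHA-1, and its URL uses the `git/?p=glibc.git` path while the preceding note uses `git?p=glibc.git`; verify the id against the glibc repository and use the same URL form as the line above so the two references are consistent.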
[Git][security-tracker-team/security-tracker][master] CVE-2021-26945/openexr is fixed since 3.1.5-2
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abe4a0e8 by Adrian Bunk at 2024-04-25T02:34:23+03:00 CVE-2021-26945/openexr is fixed since 3.1.5-2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -216383,7 +216383,7 @@ CVE-2021-31525 (net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows re NOTE: golang: introduced by https://github.com/golang/go/commit/ae080c1aecb129a3230e7afecdb4a16ad3da9b3c (go1.5beta1) NOTE: golang-golang-x-net: introduced by https://github.com/golang/net/commit/5916dcb167ed985a5b9e6871fbfd74848a4c170b CVE-2021-26945 (An integer overflow leading to a heap-buffer overflow was found in Ope ...) - - openexr (unimportant) + - openexr 3.1.5-2 (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1947591 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31221 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31228 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abe4a0e857ac27b5c908b14462b75074c5ed4252 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abe4a0e857ac27b5c908b14462b75074c5ed4252 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: take trafficserver
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab520918 by Adrian Bunk at 2024-04-25T02:32:52+03:00 dla: take trafficserver - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -319,7 +319,7 @@ tinymce NOTE: 20231216: upstream's patch is backportable, as the code has changed a NOTE: 20231216: lot. (spwhitton) -- -trafficserver +trafficserver (Adrian Bunk) NOTE: 20240421: Added by Front-Desk (apo) -- tryton-server (Markus Koschany) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab5209189ad297780d889328827da5d58550fc74 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab5209189ad297780d889328827da5d58550fc74 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2024-31047/openexr: The vulnerable exrmultipart is not installed in buster
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab7bf1be by Adrian Bunk at 2024-04-25T00:45:44+03:00 CVE-2024-31047/openexr: The vulnerable exrmultipart is not installed in buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5174,7 +5174,7 @@ CVE-2024-31047 (An issue in Academy Software Foundation openexr v.3.2.3 and befo - openexr (bug #1068939) [bookworm] - openexr (Minor issue) [bullseye] - openexr (Minor issue) - [buster] - openexr (Minor issue) + [buster] - openexr (exrmultipart not installed in the Debian package before 2.5.0-1) NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/1680 NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1681 NOTE: Fixed by: https://github.com/AcademySoftwareFoundation/openexr/commit/7aa89e1d09b09d9f5dbb96976ee083a331ab9d71 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab7bf1be7037e750932b790edae986b44c04d23f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab7bf1be7037e750932b790edae986b44c04d23f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: retake
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abd5dfea by Adrian Bunk at 2024-04-22T18:49:43+03:00 dla: retake - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -297,7 +297,7 @@ squid NOTE: 20240109: I ask for another pair of eyes for CVE-2023-5824. The fix NOTE: 20240109: appears to be intrusive. I could not locate the fix for CVE-2023-49288 yet. (apo) -- -suricata +suricata (Adrian Bunk) NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored), View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abd5dfea0cd310db2e8289f6e72d8b4830aefbeb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abd5dfea0cd310db2e8289f6e72d8b4830aefbeb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: take glibc
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab96d571 by Adrian Bunk at 2024-04-19T16:19:46+03:00 dla: take glibc - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -98,7 +98,7 @@ frr (tobi) NOTE: 20240206: Continuing fixing the remaining issues (abhijith) NOTE: 20240301: continue work (abhijith) -- -glibc +glibc (Adrian Bunk) NOTE: 20240419: Added by coordinator (santiago) -- h2o View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab96d571dc310a5712f537c7da5a7f76d5fdcaca -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab96d571dc310a5712f537c7da5a7f76d5fdcaca You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3787-1 for xorg-server
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 43c9c437 by Adrian Bunk at 2024-04-15T16:06:42+03:00 Reserve DLA-3787-1 for xorg-server - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[15 Apr 2024] DLA-3787-1 xorg-server - security update + {CVE-2024-31080 CVE-2024-31081 CVE-2024-31083} + [buster] - xorg-server 2:1.20.4-1+deb10u14 [10 Apr 2024] DLA-3786-1 pillow - security update {CVE-2024-28219} [buster] - pillow 5.4.1-2+deb10u6 = data/dla-needed.txt = @@ -303,13 +303,6 @@ wordpress (Markus Koschany) NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and NOTE: 20240314: bookwork. Uploads to spu and ospu should be coordinated. (roberto) -- -xorg-server (Adrian Bunk) - NOTE: 20240404: Added by Front-Desk (lamby) - NOTE: 20240404: Similar to the fixes within DLA-3721-1, these did not warrant a - NOTE: 20240404: DSA to src:xwayland as it does not run as root, but they - NOTE: 20240404: (may) affect xorg-server in LTS. (lamby) - NOTE: 20240408: CVE fixes caused regression in unstable: https://bugs.debian.org/1068470 (bunk) --- zabbix (Adrian Bunk) NOTE: 20240212: Added by Front-Desk (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43c9c437f6026120409e1ec532efe81eda777fc6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43c9c437f6026120409e1ec532efe81eda777fc6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
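Review bot: the new DLA/list entry ties DLA-3787-1 to CVE-2024-31080, CVE-2024-31081 and CVE-2024-31083 in xorg-server 2:1.20.4-1+deb10u14, but the dla-needed notes removed in the same patch record that these CVE fixes caused a regression in unstable (https://bugs.debian.org/1068470). Neither the entry nor the commit message says whether +deb10u14 carries the follow-up for that regression; state it in the advisory text and the changelog so the buster upload is not shipped with the same breakage, and so a later reader of data/DLA/list does not have to dig the bug number out of git history.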
[Git][security-tracker-team/security-tracker][master] It might also be used by other software
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abbbcd98 by Adrian Bunk at 2024-04-13T13:11:55+03:00 It might also be used by other software - - - - - 1 changed file: - data/embedded-code-copies Changes: = data/embedded-code-copies = @@ -2800,7 +2800,7 @@ pdfrw bind9 - isc-dhcp (embed; bug #643569) NOTE: introduced in upstream 4.2 series - - bind9-libs (bullseye-only package of 9.11 for isc-dhcp) + - bind9-libs (bullseye-only package of 9.11 libs mainly for isc-dhcp) qof - gnucash (embed; bug #556245) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abbbcd9851717a724ed0776750b96a0a6b3967ed -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abbbcd9851717a724ed0776750b96a0a6b3967ed You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
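Review bot: the bind9-libs line still carries no relationship tag, while the other entries of data/embedded-code-copies visible in these diffs do, e.g. '- isc-dhcp (embed; bug #643569)' and '- libclamunrar (embed)'. Append '(embed)' or whatever relationship actually applies (the line itself describes bind9-libs as a separate bullseye-only source package of the 9.11 libraries rather than a copy inside another package), so the record stays consistent with the rest of the file and with what the tracker expects when a bind9 CVE is cross-checked against its embedders.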
[Git][security-tracker-team/security-tracker][master] embedded-code-copies: bind9-libs embeds bind9 in bullseye
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab173a3b by Adrian Bunk at 2024-04-13T13:08:17+03:00 embedded-code-copies: bind9-libs embeds bind9 in bullseye - - - - - 1 changed file: - data/embedded-code-copies Changes: = data/embedded-code-copies = @@ -2800,6 +2800,7 @@ pdfrw bind9 - isc-dhcp (embed; bug #643569) NOTE: introduced in upstream 4.2 series + - bind9-libs (bullseye-only package of 9.11 for isc-dhcp) qof - gnucash (embed; bug #556245) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab173a3b110affaf5659bca2e09228093f01c1ac -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab173a3b110affaf5659bca2e09228093f01c1ac You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: take zabbix
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab0d5b23 by Adrian Bunk at 2024-04-13T02:56:59+03:00 dla: take zabbix - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -309,7 +309,7 @@ xorg-server (Adrian Bunk) NOTE: 20240404: (may) affect xorg-server in LTS. (lamby) NOTE: 20240408: CVE fixes caused regression in unstable: https://bugs.debian.org/1068470 (bunk) -- -zabbix +zabbix (Adrian Bunk) NOTE: 20240212: Added by Front-Desk (utkarsh) -- zookeeper (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab0d5b235753cf1201658b6e8e3e5e2ede31a932 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab0d5b235753cf1201658b6e8e3e5e2ede31a932 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Revert "Tinymce is not affected in buster, removing from dla-needed."
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab1af125 by Adrian Bunk at 2024-04-11T13:52:29+03:00 Revert Tinymce is not affected in buster, removing from dla-needed. This reverts commit 21503da906963c312a371bf78d64f3c95b8ec67a. not-affected annotations were without justification. Also add a link to upstream CVE-2023-48219 fix. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -24635,17 +24635,14 @@ CVE-2024-0222 (Use after free in ANGLE in Google Chrome prior to 120.0.6099.199 [buster] - chromium (see DSA 5046) CVE-2024-21911 (TinyMCE versions before 5.6.0 are affected by a stored cross-site scri ...) - tinymce - [buster] - tinymce (Vulnerable code not present) NOTE: https://github.com/tinymce/tinymce/security/advisories/GHSA-w7jx-j77m-wp65 CVE-2024-21910 (TinyMCE versions before 5.10.0 are affected by a cross-site scripting ...) - tinymce - [buster] - tinymce (Vulnerable code not present) NOTE: https://github.com/tinymce/tinymce/security/advisories/GHSA-r8hm-w5f7-wj39 CVE-2024-21909 (PeterO.Cbor versions 4.0.0 through 4.5.0 are vulnerable to a denial of ...) NOT-FOR-US: PeterO.Cbor CVE-2024-21908 (TinyMCE versions before 5.9.0 are affected by a stored cross-site scri ...) - tinymce - [buster] - tinymce (Vulnerable code not present) NOTE: https://github.com/tinymce/tinymce/security/advisories/GHSA-5h9g-x5rv-25wg CVE-2024-21907 (Newtonsoft.Json before version 13.0.1 is affected by a mishandling of ...) NOT-FOR-US: Newtonsoft.Json 
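Review bot: dropping the three '[buster] - tinymce (Vulnerable code not present)' lines leaves CVE-2024-21908, CVE-2024-21910 and CVE-2024-21911 with nothing but the GHSA advisory links, so the next triager has no more to go on than the reverted annotation had. The following hunk adds the upstream fix commit for CVE-2023-48219; doing the same here (a NOTE with the fixing commit, or with the code path that does or does not exist in buster's tinymce) would make the buster question answerable instead of merely reopened.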
@@ -33298,7 +33295,7 @@ CVE-2023-4602 (The Namaste! LMS plugin for WordPress is vulnerable to Reflected NOT-FOR-US: WordPress plugin CVE-2023-48219 (TinyMCE is an open source rich text editor. A mutation cross-site scri ...) - tinymce - [buster] - tinymce (Vulnerable code not present) + NOTE: https://github.com/tinymce/tinymce/commit/751e35f1419a6a060ded397dda1b2945bacaa711 CVE-2023-48089 (xxl-job-admin 2.4.0 is vulnerable to Remote Code Execution (RCE) via / ...) NOT-FOR-US: XXL-Job CVE-2023-48088 (xxl-job-admin 2.4.0 is vulnerable to Cross Site Scripting (XSS) via /x ...) = data/dla-needed.txt = @@ -275,9 +275,11 @@ tiff (Thorsten Alteholz) NOTE: 20240314: bookworm. Uploads to spu and ospu should be coordinated. (roberto) -- tinymce - NOTE: 20240404: Added by Front-Desk (lamby) - NOTE: 20240404: May be v. difficult to backport and/or not even vulnerable. (lamby) - NOTE: 20240404: Check Ola's commit message in 21503da906. (lamby) + NOTE: 20231123: Added by Front-Desk (ola) + NOTE: 20231216: Someone with more XSS experience needed to assess the + NOTE: 20231216: severity of CVE-2023-48219. Also not clear to me that + NOTE: 20231216: upstream's patch is backportable, as the code has changed a + NOTE: 20231216: lot. (spwhitton) -- tzdata (Emilio) NOTE: 20240327: Added by pochu View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab1af1251027036c394e2320ad98cf7370b953ee -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab1af1251027036c394e2320ad98cf7370b953ee You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Revert "Remove runc from dla-needed"
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abad8cee by Adrian Bunk at 2024-04-11T13:42:21+03:00 Revert Remove runc from dla-needed This reverts commit 6c41e578160845c9f84e1a335d5266011e542869. https://lists.debian.org/debian-lts/2024/04/msg00014.html - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -232,6 +232,11 @@ ruby-rack (Adrian Bunk) NOTE: 20240306: Added by Front-Desk (opal) NOTE: 20240408: waiting for feedback from Debian maintainer (bunk) -- +runc + NOTE: 20240312: Added by coordinator (roberto) + NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye. + NOTE: 20240314: Uploads to ospu should be coordinated. (roberto) +-- samba (Santiago) NOTE: 20230918: Added by Front-Desk (apo) NOTE: 20240406: Update should be ready. Will upload this Monday. (Santiago) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abad8ceef7ae5e224cdb4f931d68112b0f0ca587 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abad8ceef7ae5e224cdb4f931d68112b0f0ca587 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
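Review bot: the restored runc entry has no claimant and no dated NOTE explaining why it is back; the justification (https://lists.debian.org/debian-lts/2024/04/msg00014.html) lives only in the commit message, which nobody reading data/dla-needed.txt will see. Add a line in the file's usual style, 'NOTE: 20240411: re-added, see <that URL> (bunk)', and if the list thread names the CVEs still open in buster, list them, because as restored the entry reads as nothing more than the 20240314 bookkeeping reminder about bullseye no-dsa issues.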
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3786-1 for pillow
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: cbe65225 by Adrian Bunk at 2024-04-10T22:18:37+03:00 Reserve DLA-3786-1 for pillow - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[10 Apr 2024] DLA-3786-1 pillow - security update + {CVE-2024-28219} + [buster] - pillow 5.4.1-2+deb10u6 [09 Apr 2024] DLA-3785-1 gtkwave - security update {CVE-2023-32650 CVE-2023-34087 CVE-2023-34436 CVE-2023-35004 CVE-2023-35057 CVE-2023-35128 CVE-2023-35702 CVE-2023-35703 CVE-2023-35704 CVE-2023-35955 CVE-2023-35956 CVE-2023-35957 CVE-2023-35958 CVE-2023-35959 CVE-2023-35960 CVE-2023-35961 CVE-2023-35962 CVE-2023-35963 CVE-2023-35964 CVE-2023-35969 CVE-2023-35970 CVE-2023-35989 CVE-2023-35992 CVE-2023-35994 CVE-2023-35995 CVE-2023-35996 CVE-2023-35997 CVE-2023-36746 CVE-2023-36747 CVE-2023-36861 CVE-2023-36864 CVE-2023-36915 CVE-2023-36916 CVE-2023-37282 CVE-2023-37416 CVE-2023-37417 CVE-2023-37418 CVE-2023-37419 CVE-2023-37420 CVE-2023-37442 CVE-2023-37443 CVE-2023-37444 CVE-2023-37445 CVE-2023-37446 CVE-2023-37447 CVE-2023-37573 CVE-2023-37574 CVE-2023-37575 CVE-2023-37576 CVE-2023-37577 CVE-2023-37578 CVE-2023-37921 CVE-2023-37922 CVE-2023-37923 CVE-2023-38583 CVE-2023-38618 CVE-2023-38619 CVE-2023-38620 CVE-2023-38621 CVE-2023-38622 CVE-2023-38623 CVE-2023-38648 CVE-2023-38649 CVE-2023-38650 CVE-2023-38651 CVE-2023-38652 CVE-2023-38653 CVE-2023-38657 CVE-2023-39234 CVE-2023-39235 CVE-2023-39270 CVE-2023-39271 CVE-2023-39272 CVE-2023-39273 CVE-2023-39274 CVE-2023-39275 CVE-2023-39316 CVE-2023-39317 CVE-2023-39413 CVE-2023-39414 CVE-2023-39443 CVE-2023-39444} [buster] - gtkwave 3.3.98+really3.3.118-0+deb10u1 = data/dla-needed.txt = 
@@ -200,9 +200,6 @@ pdns-recursor NOTE: 20240306: Added by Front-Desk (opal) NOTE: 20240319: Upload postponed due to #1067124 (dleidert) -- -pillow (Adrian Bunk) - NOTE: 20240403: Added by Front-Desk (lamby) --- putty NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cbe652259af53fc2fda7d8f671581ebc31745d60 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cbe652259af53fc2fda7d8f671581ebc31745d60 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3785-1 for gtkwave
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 47f2ff9b by Adrian Bunk at 2024-04-09T23:20:40+03:00 Reserve DLA-3785-1 for gtkwave - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[09 Apr 2024] DLA-3785-1 gtkwave - security update + {CVE-2023-32650 CVE-2023-34087 CVE-2023-34436 CVE-2023-35004 CVE-2023-35057 CVE-2023-35128 CVE-2023-35702 CVE-2023-35703 CVE-2023-35704 CVE-2023-35955 CVE-2023-35956 CVE-2023-35957 CVE-2023-35958 CVE-2023-35959 CVE-2023-35960 CVE-2023-35961 CVE-2023-35962 CVE-2023-35963 CVE-2023-35964 CVE-2023-35969 CVE-2023-35970 CVE-2023-35989 CVE-2023-35992 CVE-2023-35994 CVE-2023-35995 CVE-2023-35996 CVE-2023-35997 CVE-2023-36746 CVE-2023-36747 CVE-2023-36861 CVE-2023-36864 CVE-2023-36915 CVE-2023-36916 CVE-2023-37282 CVE-2023-37416 CVE-2023-37417 CVE-2023-37418 CVE-2023-37419 CVE-2023-37420 CVE-2023-37442 CVE-2023-37443 CVE-2023-37444 CVE-2023-37445 CVE-2023-37446 CVE-2023-37447 CVE-2023-37573 CVE-2023-37574 CVE-2023-37575 CVE-2023-37576 CVE-2023-37577 CVE-2023-37578 CVE-2023-37921 CVE-2023-37922 CVE-2023-37923 CVE-2023-38583 CVE-2023-38618 CVE-2023-38619 CVE-2023-38620 CVE-2023-38621 CVE-2023-38622 CVE-2023-38623 CVE-2023-38648 CVE-2023-38649 CVE-2023-38650 CVE-2023-38651 CVE-2023-38652 CVE-2023-38653 CVE-2023-38657 CVE-2023-39234 CVE-2023-39235 CVE-2023-39270 CVE-2023-39271 CVE-2023-39272 CVE-2023-39273 CVE-2023-39274 CVE-2023-39275 CVE-2023-39316 CVE-2023-39317 CVE-2023-39413 CVE-2023-39414 CVE-2023-39443 CVE-2023-39444} + [buster] - gtkwave 3.3.98+really3.3.118-0+deb10u1 [07 Apr 2024] DLA-3784-1 libcaca - security update {CVE-2021-30498 CVE-2021-30499} [buster] - libcaca 0.99.beta19-2.1+deb10u1 = data/dla-needed.txt = 
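Review bot: the buster version 3.3.98+really3.3.118-0+deb10u1 uses the '+really' convention, i.e. upstream 3.3.118 packaged under a version string that sorts below the existing 3.3.98 one, so this DLA is a new-upstream backport rather than a set of cherry-picked fixes for the listed CVEs. The DLA/list format cannot express that, but the advisory text should say so explicitly and point at the backport review (https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/113 and https://bugs.debian.org/1060407, both taken from the notes removed in the dla-needed hunk), so users know to expect behavioural differences beyond the security fixes.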
@@ -87,14 +87,6 @@ frr NOTE: 20240206: Continuing fixing the remaining issues (abhijith) NOTE: 20240301: continue work (abhijith) -- -gtkwave (Adrian Bunk) - NOTE: 20240116: Added by Front-Desk (lamby) - NOTE: 20240116: For CVE-2023-32650 etc. (lamby) - NOTE: 20240316: https://bugs.debian.org/1060407 (bunk) - NOTE: 20240403: will be submitted for DLA review when the pending DSA is published (bunk) - NOTE: 20240408: gtkwave 3.3.118 backport review: - NOTE: 20240408: https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/113 (bunk) --- h2o (Adrian Bunk) NOTE: 20231228: Added by Front-Desk (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47f2ff9b264400ed0fd712367716b69986815881 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47f2ff9b264400ed0fd712367716b69986815881 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: add notes
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abbc03df by Adrian Bunk at 2024-04-08T17:22:53+03:00 dla: add notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -92,6 +92,8 @@ gtkwave (Adrian Bunk) NOTE: 20240116: For CVE-2023-32650 etc. (lamby) NOTE: 20240316: https://bugs.debian.org/1060407 (bunk) NOTE: 20240403: will be submitted for DLA review when the pending DSA is published (bunk) + NOTE: 20240408: gtkwave 3.3.118 backport review: + NOTE: 20240408: https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/113 (bunk) -- h2o (Adrian Bunk) NOTE: 20231228: Added by Front-Desk (lamby) @@ -238,6 +240,7 @@ ring -- ruby-rack (Adrian Bunk) NOTE: 20240306: Added by Front-Desk (opal) + NOTE: 20240408: waiting for feedback from Debian maintainer (bunk) -- samba (Santiago) NOTE: 20230918: Added by Front-Desk (apo) @@ -302,6 +305,7 @@ xorg-server (Adrian Bunk) NOTE: 20240404: Similar to the fixes within DLA-3721-1, these did not warrant a NOTE: 20240404: DSA to src:xwayland as it does not run as root, but they NOTE: 20240404: (may) affect xorg-server in LTS. (lamby) + NOTE: 20240408: CVE fixes caused regression in unstable: https://bugs.debian.org/1068470 (bunk) -- zabbix (utkarsh) NOTE: 20240212: Added by Front-Desk (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abbc03df988e3d1c2bf20e5b36284aa897623059 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abbc03df988e3d1c2bf20e5b36284aa897623059 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
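Review bot: the ruby-rack note 'waiting for feedback from Debian maintainer' gives no pointer to where the question was asked (bug number or list mail), so a second contributor cannot tell whether the feedback has arrived or chase it themselves; elsewhere in this file such waits are recorded with the thread URL, e.g. the ring entry's 'see https://lists.debian.org/debian-lts/2023/09/msg00035.html'. Add the reference to the note. The gtkwave and xorg-server hunks do carry their URLs and are fine as written.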
[Git][security-tracker-team/security-tracker][master] dla: take xorg-server
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab5df7be by Adrian Bunk at 2024-04-05T13:43:48+03:00 dla: take xorg-server - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -303,7 +303,7 @@ wordpress NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and NOTE: 20240314: bookwork. Uploads to spu and ospu should be coordinated. (roberto) -- -xorg-server +xorg-server (Adrian Bunk) NOTE: 20240404: Added by Front-Desk (lamby) NOTE: 20240404: Similar to the fixes within DLA-3721-1, these did not warrant a NOTE: 20240404: DSA to src:xwayland as it does not run as root, but they View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab5df7be4deda167535516e17de39f64b73097e6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab5df7be4deda167535516e17de39f64b73097e6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2021-25291/pillow does not affect buster
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab866516 by Adrian Bunk at 2024-04-03T21:01:30+03:00 CVE-2021-25291/pillow does not affect buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -225149,7 +225149,7 @@ CVE-2021-25292 (An issue was discovered in Pillow before 8.1.1. The PDF parser a NOTE: Introduced in: https://github.com/python-pillow/Pillow/commit/6207b44ab1ff4a91d8ddc7579619876d0bb191a4 (5.1.0) CVE-2021-25291 (An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there ...) - pillow 8.1.1-1 - [buster] - pillow (Minor issue) + [buster] - pillow (Vulnerable code introduced later) [stretch] - pillow (Vulnerable code introduced later) NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html NOTE: https://github.com/python-pillow/Pillow/commit/8b8076bdcb3815be0ef0d279651d8d1342b8ea61 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab866516c39a669ad03d93921c666fb8060944c9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab866516c39a669ad03d93921c666fb8060944c9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
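Review bot: the buster tag changes from 'Minor issue' to 'Vulnerable code introduced later' without a NOTE naming the commit or release that introduced the TiffDecode.c bug, whereas the neighbouring CVE-2021-25292 entry in the context carries 'NOTE: Introduced in: <commit> (5.1.0)'. Add the same kind of line here so the not-affected claim for buster (and the pre-existing identical one for stretch) can be verified against the pillow version in each release rather than taken on trust.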
[Git][security-tracker-team/security-tracker][master] dla: take pillow
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: aba5fb9d by Adrian Bunk at 2024-04-03T15:57:05+03:00 dla: take pillow - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -204,7 +204,7 @@ pdns-recursor (dleidert) NOTE: 20240306: Added by Front-Desk (opal) NOTE: 20240319: Upload postponed due to #1067124 (dleidert) -- -pillow +pillow (Adrian Bunk) NOTE: 20240403: Added by Front-Desk (lamby) -- putty (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aba5fb9db32872949fe3baf6c06f6b41def7c905 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aba5fb9db32872949fe3baf6c06f6b41def7c905 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: retake
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab3b3865 by Adrian Bunk at 2024-04-03T14:24:44+03:00 dla: retake - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -87,10 +87,11 @@ frr NOTE: 20240206: Continuing fixing the remaining issues (abhijith) NOTE: 20240301: continue work (abhijith) -- -gtkwave +gtkwave (Adrian Bunk) NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240116: For CVE-2023-32650 etc. (lamby) NOTE: 20240316: https://bugs.debian.org/1060407 (bunk) + NOTE: 20240403: will be submitted for DLA review when the pending DSA is published (bunk) -- h2o (Adrian Bunk) NOTE: 20231228: Added by Front-Desk (lamby) @@ -260,7 +261,7 @@ squid NOTE: 20240109: I ask for another pair of eyes for CVE-2023-5824. The fix NOTE: 20240109: appears to be intrusive. I could not locate the fix for CVE-2023-49288 yet. (apo) -- -suricata +suricata (Adrian Bunk) NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored), View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab3b3865935a0c04e7428dc9eba9a8ea5a60aa37 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab3b3865935a0c04e7428dc9eba9a8ea5a60aa37 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: take h2o
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abda1bbb by Adrian Bunk at 2024-03-27T16:06:50+02:00 dla: take h2o - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -88,7 +88,7 @@ gtkwave (Adrian Bunk) NOTE: 20240116: For CVE-2023-32650 etc. (lamby) NOTE: 20240316: https://bugs.debian.org/1060407 (bunk) -- -h2o +h2o (Adrian Bunk) NOTE: 20231228: Added by Front-Desk (lamby) -- i2p View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abda1bbbcc7f08dead35fdaf705ae1d71dac98c5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abda1bbbcc7f08dead35fdaf705ae1d71dac98c5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: re-take
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab6e03d4 by Adrian Bunk at 2024-03-26T02:26:10+02:00 dla: re-take - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -237,7 +237,7 @@ ring NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca) -- -ruby-rack +ruby-rack (Adrian Bunk) NOTE: 20240306: Added by Front-Desk (opal) -- runc View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab6e03d4e077a4bcdbf9d23c875cdcc23f9ab2df -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab6e03d4e077a4bcdbf9d23c875cdcc23f9ab2df You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: add freeimage note
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab3400ac by Adrian Bunk at 2024-03-25T22:13:52+02:00 dla: add freeimage note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -79,6 +79,8 @@ expat (tobi) freeimage NOTE: 20240320: Added by Front-Desk (ta) NOTE: 20240320: lots of postponed issue could be fixed as well + NOTE: 20240325: Lack of upstream activity, + NOTE: 20240325: postponed issues are "Revisit when fixed upstream (bunk) -- frr NOTE: 20231119: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab3400ac1def2438f5b0d8694b8b6131d4f69269 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab3400ac1def2438f5b0d8694b8b6131d4f69269 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
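Review bot: the added note opens a double quote at '"Revisit when fixed upstream' that is never closed; write it as 'postponed issues are "Revisit when fixed upstream" (bunk)' so the quoted triage wording is separated from the signature. It would also help to name the postponed CVEs, or the tracker query that lists them, so the next person picking up freeimage does not have to rediscover which issues this covers.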
[Git][security-tracker-team/security-tracker][master] CVE-2020-14002/putty: Link to commit that introduced it
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab27db5c by Adrian Bunk at 2024-03-25T21:29:22+02:00 CVE-2020-14002/putty: Link to commit that introduced it - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -279977,6 +279977,7 @@ CVE-2020-14002 (PuTTY 0.68 through 0.73 has an Observable Discrepancy leading to [buster] - putty (Minor issue) [stretch] - putty (Minor issue) [jessie] - putty (Minor issue) + NOTE: Introduced by: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=d21041f7f8846b16ff6d72ed696d6190627e19b4 (0.68) NOTE: Fixed by: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=08f1e2a5066ea95559945af339a60ca14560d764 (0.74) CVE-2020-14001 (The kramdown gem before 2.3.0 for Ruby processes the template option i ...) {DSA-4743-1 DLA-2316-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab27db5c53085e091ad423f423ee8797587be4c7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab27db5c53085e091ad423f423ee8797587be4c7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
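Review bot: the introducing commit is tagged 0.68, which agrees with the CVE text ('PuTTY 0.68 through 0.73'). That makes the 'Minor issue' tags on jessie and stretch worth re-checking against the putty versions those releases actually ship: if either predates 0.68 the correct annotation is 'Vulnerable code not present', not 'Minor issue', and the tracker would otherwise keep listing those releases as affected by an issue they never had.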
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3774-1 for gross
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 954d37d3 by Adrian Bunk at 2024-03-25T15:14:50+02:00 Reserve DLA-3774-1 for gross - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[25 Mar 2024] DLA-3774-1 gross - security update + {CVE-2023-52159} + [buster] - gross 1.0.2-4.1~deb10u1 [25 Mar 2024] DLA-3773-1 freeipa - security update {CVE-2024-1481} [buster] - freeipa 4.7.2-3+deb10u1 = data/dla-needed.txt = @@ -90,9 +90,6 @@ frr gnutls28 (guilhem) NOTE: 20240323: Added by Front-Desk (ta) -- -gross (Adrian Bunk) - NOTE: 20240320: Added by Front-Desk (ta) --- gtkwave (Adrian Bunk) NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240116: For CVE-2023-32650 etc. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/954d37d33f39205ed49454436d19980961fcd771 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/954d37d33f39205ed49454436d19980961fcd771 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3772-1 for python3.7
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 9510f5cf by Adrian Bunk at 2024-03-24T23:48:24+02:00 Reserve DLA-3772-1 for python3.7 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[24 Mar 2024] DLA-3772-1 python3.7 - security update + {CVE-2023-6597 CVE-2024-0450} + [buster] - python3.7 3.7.3-2+deb10u7 [24 Mar 2024] DLA-3771-1 python2.7 - security update {CVE-2024-0450} [buster] - python2.7 2.7.16-2+deb10u4 = data/dla-needed.txt = @@ -224,9 +224,6 @@ python-asyncssh NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and in Git, but one test is failing. Waiting for feedback before release. (dleidert) -- -python3.7 (Adrian Bunk) - NOTE: 20240323: Added by Front-Desk (ta) --- rails NOTE: 20220909: Re-added due to regression (abhijith) NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9510f5cfe34bac92d0bf773db46bf0d6fcae84fd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9510f5cfe34bac92d0bf773db46bf0d6fcae84fd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3771-1 for python2.7
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: f209db39 by Adrian Bunk at 2024-03-24T23:40:04+02:00 Reserve DLA-3771-1 for python2.7 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[24 Mar 2024] DLA-3771-1 python2.7 - security update + {CVE-2024-0450} + [buster] - python2.7 2.7.16-2+deb10u4 [23 Mar 2024] DLA-3770-1 libnet-cidr-lite-perl - security update {CVE-2021-47154} [buster] - libnet-cidr-lite-perl 0.21-2+debu10u1 = data/dla-needed.txt = @@ -224,9 +224,6 @@ python-asyncssh NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and in Git, but one test is failing. Waiting for feedback before release. (dleidert) -- -python2.7 (Adrian Bunk) - NOTE: 20240323: Added by Front-Desk (ta) --- python3.7 (Adrian Bunk) NOTE: 20240323: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f209db3970879ad131af809aee9572f5f06882af -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f209db3970879ad131af809aee9572f5f06882af You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
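Review bot: unrelated to the python2.7 entry being added, but the context line '[23 Mar 2024] DLA-3770-1 libnet-cidr-lite-perl ... 0.21-2+debu10u1' looks like a typo for '+deb10u1'. If the version in the archive really is 0.21-2+debu10u1 it is fine; if not, the tracker will never match that version and will keep reporting CVE-2021-47154 as open in buster. Worth a quick check against the upload while this file is being touched.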
[Git][security-tracker-team/security-tracker][master] data/embedded-code-copies: Update the clamav/rar embedding status
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 68a173c3 by Adrian Bunk at 2024-03-24T20:31:04+02:00 data/embedded-code-copies: Update the clamav/rar embedding status - - - - - 1 changed file: - data/embedded-code-copies Changes: = data/embedded-code-copies = @@ -631,10 +631,11 @@ libgd2 rar - unrar-nonfree (embed) + - libclamunrar (embed) -unrar-free (maybe this code is derived from the original rar, too?) - - clamav (embed) - NOTE: seems to be disabled in default config +unrar-free + - clamav 0.101.0+dfsg-1 (embed) + NOTE: upstream switched to embedding unrar-nonfree instead mplayer (DirectMedia Object loader) - xine-lib (embed) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/68a173c32a3a63e46a2a0c2b9436856df940c76b
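Review bot: The rewrite drops the open question on the unrar-free line ("maybe this code is derived from the original rar, too?") without recording an answer; if the provenance was settled while moving clamav under unrar-free, a NOTE saying so keeps that visible, otherwise the question should survive the move. The new "clamav 0.101.0+dfsg-1 (embed)" line together with "upstream switched to embedding unrar-nonfree instead" leaves the reader to infer that the version is the point at which clamav stopped carrying unrar-free; spelling that out in the NOTE (for example "no longer embedded since 0.101.0+dfsg-1") avoids the version being read as an affected one.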
[Git][security-tracker-team/security-tracker][master] dla: remove clamav, the non-free unrar code is in src:libclamunrar
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abf9bd7b by Adrian Bunk at 2024-03-24T20:13:27+02:00 dla: remove clamav, the non-free unrar code is in src:libclamunrar - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -40,10 +40,6 @@ bind9 (Sean Whitton) NOTE: 20240218: Added by Front-Desk (lamby) NOTE: 20240218: CVE-2023-4408 CVE-2023-50387 CVE-2023-50868 CVE-2023-5517 CVE-2023-5679 already fixed in bullseye. (lamby) -- -clamav - NOTE: 20240324: Added by Front-Desk (ta) - NOTE: 20240324: there is no CVE for clamav but CVE-2023-40477 affects the embedded version of unrar --- composer (rouca) NOTE: 20240209: Added by Front-Desk (utkarsh) NOTE: 20240304: Need to backport bullseye (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abf9bd7b3a3416060e47db8318ff874bf8079f1e
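Review bot: Removing the clamav entry drops the only place in dla-needed.txt that records "CVE-2023-40477 affects the embedded version of unrar", without adding anything in its place; since the commit message locates that code in src:libclamunrar, either a libclamunrar entry or a NOTE on CVE-2023-40477 explaining why no buster update is needed would stop the next front-desk pass from re-adding clamav for the same reason.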
[Git][security-tracker-team/security-tracker][master] CVE-2023-37282: fix URL
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: aba8f90a by Adrian Bunk at 2024-03-23T22:30:38+02:00 CVE-2023-37282: fix URL - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17571,7 +17571,7 @@ CVE-2023-37416 (Multiple out-of-bounds write vulnerabilities exist in the VCD pa NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1804 CVE-2023-37282 (An out-of-bounds write vulnerability exists in the VZT LZMA_Read dmem ...) - gtkwave (bug #1060407) - NOTE: ttps://talosintelligence.com/vulnerability_reports/TALOS-2023-1810 + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1810 CVE-2023-36916 (Multiple integer overflow vulnerabilities exist in the FST fstReaderIt ...) - gtkwave (bug #1060407) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1798 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aba8f90aa01e71c46dcdd4f6cb7c97de80fc3694
[Git][security-tracker-team/security-tracker][master] CVE-2023-6597 does not affect python2.7
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab7d0819 by Adrian Bunk at 2024-03-23T17:36:30+02:00 CVE-2023-6597 does not affect python2.7 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1008,8 +1008,7 @@ CVE-2023-6597 (An issue was found in the CPython `tempfile.TemporaryDirectory` c - python3.10 - python3.9 - python3.7 - - python2.7 - [bullseye] - python2.7 (Unsupported in Bullseye, only included to build a few applications) + - python2.7 (tempfile.TemporaryDirectory added in 3.2) NOTE: https://github.com/python/cpython/pull/99930 NOTE: https://github.com/python/cpython/issues/91133 NOTE: https://github.com/python/cpython/commit/6ceb8aeda504b079fef7a57b8d81472f15cdd9a5 (v3.12.1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab7d081948acc80d150ed66a4fcdae2c8d5d5989
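Review bot: The new python2.7 line as shown carries only the parenthesised reason "(tempfile.TemporaryDirectory added in 3.2)" with no version or not-affected marker visible; if the marker was stripped in the mail rendering this is fine, but a bare "- python2.7 (comment)" entry would still count python2.7 as unfixed rather than unaffected, the opposite of what the subject says, so the committed line deserves a second look. Dropping the "[bullseye] - python2.7 (Unsupported in Bullseye, ...)" annotation is only safe once the package is marked unaffected overall.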
[Git][security-tracker-team/security-tracker][master] dla: take python
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abd4c463 by Adrian Bunk at 2024-03-23T02:52:52+02:00 dla: take python - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -222,10 +222,10 @@ python-asyncssh NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and in Git, but one test is failing. Waiting for feedback before release. (dleidert) -- -python2.7 +python2.7 (Adrian Bunk) NOTE: 20240323: Added by Front-Desk (ta) -- -python3.7 +python3.7 (Adrian Bunk) NOTE: 20240323: Added by Front-Desk (ta) -- rails View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abd4c46300685407f957183b2a26d8a2a79c3753
[Git][security-tracker-team/security-tracker][master] dla: take gross
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abe63800 by Adrian Bunk at 2024-03-21T01:45:10+02:00 dla: take gross - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -90,7 +90,7 @@ frr NOTE: 20240206: Continuing fixing the remaining issues (abhijith) NOTE: 20240301: continue work (abhijith) -- -gross +gross (Adrian Bunk) NOTE: 20240320: Added by Front-Desk (ta) -- gtkwave (Adrian Bunk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abe638004afe3a23a8613225d08075369f944f0e
[Git][security-tracker-team/security-tracker][master] CVE-2024-25{47,48,50}/imlib2 do not affect buster
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab54c701 by Adrian Bunk at 2024-03-19T00:22:17+02:00 CVE-2024-25{47,48,50}/imlib2 do not affect buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -9494,23 +9494,26 @@ CVE-2024-25451 (Bento4 v1.6.0-640 was discovered to contain an out-of-memory bug CVE-2024-25450 (imlib2 v1.9.1 was discovered to mishandle memory allocation in the fun ...) - imlib2 1.10.0-2 [bullseye] - imlib2 (Minor issue) - [buster] - imlib2 (Minor issue) + [buster] - imlib2 (Vulnerable code introduced later) NOTE: https://github.com/derf/feh/issues/712 NOTE: https://git.enlightenment.org/old/legacy-imlib2/issues/20 + NOTE: Introduced by: https://git.enlightenment.org/old/legacy-imlib2/commit/0d0a701a96bf87a5df95fd8bb599b414b6a6a220 (v1.6.0) NOTE: Fixed by: https://git.enlightenment.org/old/legacy-imlib2/commit/e9c09deb08047c9e902ce37144e82b6edb8aedb6 (v1.10.0) CVE-2024-25448 (An issue in the imlib_free_image_and_decache function of imlib2 v1.9.1 ...) - imlib2 1.10.0-2 [bullseye] - imlib2 (Minor issue) - [buster] - imlib2 (Minor issue) + [buster] - imlib2 (Vulnerable code introduced later) NOTE: https://github.com/derf/feh/issues/711 NOTE: https://git.enlightenment.org/old/legacy-imlib2/issues/20 + NOTE: Introduced by: https://git.enlightenment.org/old/legacy-imlib2/commit/0d0a701a96bf87a5df95fd8bb599b414b6a6a220 (v1.6.0) NOTE: Fixed by: https://git.enlightenment.org/old/legacy-imlib2/commit/e9c09deb08047c9e902ce37144e82b6edb8aedb6 (v1.10.0) CVE-2024-25447 (An issue in the imlib_load_image_with_error_return function of imlib2 ...) - imlib2 1.10.0-2 [bullseye] - imlib2 (Minor issue) - [buster] - imlib2 (Minor issue) + [buster] - imlib2 (Vulnerable code introduced later) NOTE: https://github.com/derf/feh/issues/709 NOTE: https://git.enlightenment.org/old/legacy-imlib2/issues/20 + NOTE: Introduced by: https://git.enlightenment.org/old/legacy-imlib2/commit/0d0a701a96bf87a5df95fd8bb599b414b6a6a220 (v1.6.0) NOTE: Fixed by: https://git.enlightenment.org/old/legacy-imlib2/commit/e9c09deb08047c9e902ce37144e82b6edb8aedb6 (v1.10.0) CVE-2024-25446 (An issue in the HuginBase::PTools::setDestImage function of Hugin v202 ...) 
- hugin 2023.0~beta1+dfsg-1 (unimportant) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab54c7018fbef3ca1051ce1d959e8120d0098dd2
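Review bot: All three entries cite the same introducing commit tagged v1.6.0, but none records which imlib2 version buster ships, so "Vulnerable code introduced later" cannot be checked from the entry alone; appending the buster version to the Introduced-by note would make the triage self-contained. Minor: the subject's brace form CVE-2024-25{47,48,50} expands to CVE-2024-2547 and friends, while the entries touched are CVE-2024-25447, CVE-2024-25448 and CVE-2024-25450.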
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3764-1 for postgresql-11
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: c2833bc4 by Adrian Bunk at 2024-03-18T15:40:16+02:00 Reserve DLA-3764-1 for postgresql-11 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[18 Mar 2024] DLA-3764-1 postgresql-11 - security update + {CVE-2024-0985} + [buster] - postgresql-11 11.22-0+deb10u2 [17 Mar 2024] DLA-3763-1 curl - security update {CVE-2023-27534} [buster] - curl 7.64.0-4+deb10u9 = data/dla-needed.txt = @@ -222,9 +222,6 @@ nvidia-graphics-drivers-legacy-390xx pdns-recursor (dleidert) NOTE: 20240306: Added by Front-Desk (opal) -- -postgresql-11 (Adrian Bunk) - NOTE: 20240306: Added by Front-Desk (opal) --- putty NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2833bc4c561b2d6046797f2950c3be19b1a722f
[Git][security-tracker-team/security-tracker][master] dla: add note
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab1a836f by Adrian Bunk at 2024-03-16T01:03:19+02:00 dla: add note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -103,6 +103,7 @@ frr (Abhijith PA) gtkwave (Adrian Bunk) NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240116: For CVE-2023-32650 etc. (lamby) + NOTE: 20240316: https://bugs.debian.org/1060407 (bunk) -- h2o NOTE: 20231228: Added by Front-Desk (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab1a836f4e73def6f65220cc52bd2f203a5d2f64
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3762-1 for unadf
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 62f50578 by Adrian Bunk at 2024-03-15T18:43:03+02:00 Reserve DLA-3762-1 for unadf - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -505651,7 +505651,6 @@ CVE-2016-1244 (The extractTree function in unADF allows remote attackers to exec - unadf 0.7.11a-6 (bug #838248) [bookworm] - unadf 0.7.11a-5+deb12u1 [bullseye] - unadf 0.7.11a-4+deb11u1 - [buster] - unadf (Minor issue) NOTE: Fixed by: https://github.com/lclevy/ADFlib/commit/8e973d7b894552c3a3de0ccd2d1e9cb0b8e618dd NOTE: The changes between 0.7.11a-3 and 0.7.11a-4 did not include the upstream fix. CVE-2016-1243 (Stack-based buffer overflow in the extractTree function in unADF allow ...) @@ -505659,7 +505658,6 @@ CVE-2016-1243 (Stack-based buffer overflow in the extractTree function in unADF - unadf 0.7.11a-6 (bug #838248) [bookworm] - unadf 0.7.11a-5+deb12u1 [bullseye] - unadf 0.7.11a-4+deb11u1 - [buster] - unadf (Minor issue) NOTE: Fixed by: https://github.com/lclevy/ADFlib/commit/8e973d7b894552c3a3de0ccd2d1e9cb0b8e618dd NOTE: The changes between 0.7.11a-3 and 0.7.11a-4 did not include the upstream fix. CVE-2016-1242 (file_open in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3 ...) = data/DLA/list = @@ -1,3 +1,6 @@ +[15 Mar 2024] DLA-3762-1 unadf - security update + {CVE-2016-1243 CVE-2016-1244} + [buster] - unadf 0.7.11a-4+deb11u1~deb10u1 [15 Mar 2024] DLA-3761-1 spip - security update {CVE-2023-52322} [buster] - spip 3.2.4-1+deb10u13 = data/dla-needed.txt = 
@@ -298,10 +298,6 @@ tiff tomcat9 NOTE: 20240121: Added by Front-Desk (apo) -- -unadf (Adrian Bunk) - NOTE: 20240314: Added by Front-Desk (Beuc) - NOTE: 20240314: Follow fixes from bullseye 11.9 (two 2016 CVEs) (Beuc/front-desk) --- varnish NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62f505787f67bbc9ca45d0141b0600de207e9bba
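Review bot: The DLA/list hunk ships buster 0.7.11a-4+deb11u1~deb10u1, i.e. a rebuild of the bullseye package, while both CVE/list hunks keep the NOTE that the 0.7.11a-3 to 0.7.11a-4 changes did not include the upstream fix; the note is still true but now reads as a caveat about the very version being shipped, so a one-line NOTE that the upstream fix entered with +deb11u1 would spare the next reader re-deriving why the DLA is correct.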
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3760-1 for node-xml2js
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 82f39acd by Adrian Bunk at 2024-03-14T22:02:58+02:00 Reserve DLA-3760-1 for node-xml2js - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -68310,7 +68310,6 @@ CVE-2023-0843 CVE-2023-0842 (xml2js version 0.4.23 allows an external attacker to edit or add new p ...) - node-xml2js 0.4.23+~cs15.4.0+dfsg-7 (bug #1034148) [bullseye] - node-xml2js 0.2.8-1.1+deb11u1 - [buster] - node-xml2js (Minor issue) NOTE: https://fluidattacks.com/advisories/myers/ NOTE: https://github.com/Leonidas-from-XIV/node-xml2js/issues/663 NOTE: https://github.com/Leonidas-from-XIV/node-xml2js/pull/603 = data/DLA/list = @@ -1,3 +1,6 @@ +[14 Mar 2024] DLA-3760-1 node-xml2js - security update + {CVE-2023-0842} + [buster] - node-xml2js 0.2.8-1.1+deb11u1~deb10u1 [11 Mar 2024] DLA-3759-1 qemu - security update {CVE-2023-2861 CVE-2023-3354 CVE-2023-5088} [buster] - qemu 1:3.1+dfsg-8+deb10u12 = data/dla-needed.txt = @@ -167,10 +167,6 @@ linux-5.10 lucene-solr NOTE: 20240213: Added by Front-Desk (lamby) -- -node-xml2js (Adrian Bunk) - NOTE: 20240313: Added by Front-Desk (Beuc) - NOTE: 20240313: Follow fix from bullseye 11.9 (CVE-2023-0842) (Beuc/front-desk) --- nodejs (guilhem) NOTE: 20240218: Added by Front-Desk (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/82f39acdaedb466d3432559b2a8f4de68978be1c
[Git][security-tracker-team/security-tracker][master] CVE-2023-0842/bullseye: Correct bullseye fixed version
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abcb360e by Adrian Bunk at 2024-03-14T21:14:13+02:00 CVE-2023-0842/bullseye: Correct bullseye fixed version 0.2.8-1+deb11u1 is not a version that ever existed. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -68309,7 +68309,7 @@ CVE-2023-0843 RESERVED CVE-2023-0842 (xml2js version 0.4.23 allows an external attacker to edit or add new p ...) - node-xml2js 0.4.23+~cs15.4.0+dfsg-7 (bug #1034148) - [bullseye] - node-xml2js 0.2.8-1+deb11u1 + [bullseye] - node-xml2js 0.2.8-1.1+deb11u1 [buster] - node-xml2js (Minor issue) NOTE: https://fluidattacks.com/advisories/myers/ NOTE: https://github.com/Leonidas-from-XIV/node-xml2js/issues/663 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abcb360e86c2242e741cd5bbd76d817c823851d9
[Git][security-tracker-team/security-tracker][master] dla: take unadf
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab7680c1 by Adrian Bunk at 2024-03-14T16:09:09+02:00 dla: take unadf - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -288,7 +288,7 @@ tinymce (Ola) tomcat9 NOTE: 20240121: Added by Front-Desk (apo) -- -unadf +unadf (Adrian Bunk) NOTE: 20240314: Added by Front-Desk (Beuc) NOTE: 20240314: Follow fixes from bullseye 11.9 (two 2016 CVEs) (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab7680c129623fff17138c99e95ae4cdb04387ec
[Git][security-tracker-team/security-tracker][master] dla: take node-xml2js
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: aba66277 by Adrian Bunk at 2024-03-13T23:43:32+02:00 dla: take node-xml2js - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -170,7 +170,7 @@ linux-5.10 lucene-solr NOTE: 20240213: Added by Front-Desk (lamby) -- -node-xml2js +node-xml2js (Adrian Bunk) NOTE: 20240313: Added by Front-Desk (Beuc) NOTE: 20240313: Follow fix from bullseye 11.9 (CVE-2023-0842) (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aba66277c60de01158e2aa5f4caaf227e85ba3a3
[Git][security-tracker-team/security-tracker][master] dla: reclaim
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abb52544 by Adrian Bunk at 2024-03-12T05:22:47+02:00 dla: reclaim - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -233,7 +233,7 @@ squid NOTE: 20240109: I ask for another pair of eyes for CVE-2023-5824. The fix NOTE: 20240109: appears to be intrusive. I could not locate the fix for CVE-2023-49288 yet. (apo) -- -suricata +suricata (Adrian Bunk) NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored), View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abb52544d7be895e00031601e8603ba7ad9b8749
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3759-1 for qemu
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: b5101f27 by Adrian Bunk at 2024-03-11T19:24:58+02:00 Reserve DLA-3759-1 for qemu - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -25234,7 +25234,6 @@ CVE-2023-5088 (A bug in QEMU could cause a guest I/O operation otherwise address - qemu 1:8.1.1+ds-2 [bookworm] - qemu (Minor issue) [bullseye] - qemu (Minor issue) - [buster] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2247283 NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/7d7512019fc40c577e2bdd61f114f31a9eb84a8e (v8.2.0-rc0) CVE-2023-4769 (A SSRF vulnerability has been found in ManageEngine Desktop Central af ...) @@ -44697,7 +44696,6 @@ CVE-2023-3354 (A flaw was found in the QEMU built-in VNC server. When a client c - qemu 1:8.0.4+dfsg-1 [bookworm] - qemu 1:7.2+dfsg-7+deb12u2 [bullseye] - qemu 1:5.2+dfsg-11+deb11u3 - [buster] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2216478 NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2023-07/msg01014.html NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/5300472ec0990c61742d89b5eea1c1e6941f6d62 (v8.0.4) @@ -44759,7 +44757,6 @@ CVE-2023-2861 (A flaw was found in the 9p passthrough filesystem (9pfs) implemen - qemu 1:8.0.3+dfsg-1 [bookworm] - qemu 1:7.2+dfsg-7+deb12u1 [bullseye] - qemu (Minor issue) - [buster] - qemu (Minor issue) NOTE: https://gitlab.com/qemu-project/qemu/-/commit/f6b0de53fb87ddefed348a39284c8e2f28dc4eda CVE-2023-2860 (An out-of-bounds read vulnerability was found in the SR-IPv6 implement ...) - linux 5.19.11-1 = data/DLA/list = @@ -1,3 +1,6 @@ +[11 Mar 2024] DLA-3759-1 qemu - security update + {CVE-2023-2861 CVE-2023-3354 CVE-2023-5088} + [buster] - qemu 1:3.1+dfsg-8+deb10u12 [11 Mar 2024] DLA-3758-1 tiff - security update {CVE-2023-3576 CVE-2023-52356} [buster] - tiff 4.1.0+git191117-2~deb10u9 = data/dla-needed.txt = 
@@ -192,10 +192,6 @@ python-asyncssh NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and in Git, but one test is failing. Waiting for feedback before release. (dleidert) -- -qemu (Adrian Bunk) - NOTE: 20240119: Added by Front-Desk (lamby) - NOTE: 20240119: CVE-2023-1544 and CVE-2023-3354 already fixed in bullseye via DSA or point releases; to be fixed or . (lamby) --- rails NOTE: 20220909: Re-added due to regression (abhijith) NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5101f27748259296b9cc0077f40d74821330c82
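Review bot: With this DLA buster gets CVE-2023-5088 fixed while the entry keeps "[bookworm] - qemu (Minor issue)" and "[bullseye] - qemu (Minor issue)", so oldoldstable ends up ahead of the supported suites for that CVE; fine for LTS, but worth flagging to the security team so it can ride along in a later bullseye or bookworm update. The removed dla-needed NOTE also names CVE-2023-1544, which the DLA does not cover; that is consistent with commit ab14a284 recording that PVRDMA is not built in buster, so nothing is lost, but a short "CVE-2023-1544 handled as not-affected, see its CVE entry" in the reservation commit message would have made that explicit.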
[Git][security-tracker-team/security-tracker][master] Ignore CVE-2023-1544/qemu in buster
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab14a284 by Adrian Bunk at 2024-03-10T00:38:59+02:00 Ignore CVE-2023-1544/qemu in buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -58334,9 +58334,10 @@ CVE-2023-1544 (A flaw was found in the QEMU implementation of VMWare's paravirtu - qemu 1:8.2.0+ds-1 (bug #1034179) [bookworm] - qemu (Minor issue) [bullseye] - qemu (Minor issue) - [buster] - qemu (Minor issue) + [buster] - qemu (PVRDMA support not enabled in the binary packages) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/85fc35afa93c7320d1641d344d0c5dfbe341d087 (v8.2.0-rc0) + NOTE: PVRDMA support not enabled in the binary packages until 1:3.1+dfsg-3, disabled again in 1:3.1+dfsg-4 until 1:4.1-1 NOTE: Not fixed in 1:5.2+dfsg-11+deb11u3 as claimed in the changelog, contains the NOTE: CVE-2022-1050 fix instead. In unstable 1:8.0.2+dfsg-1 disabled support for NOTE: pvrdma (addressing/mitigating) CVE-2023-1544. Sourcewise fixed in v8.2.0 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab14a284e9645b99d81868a08256a5354f2240aa
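Review bot: The subject says "Ignore", but "PVRDMA support not enabled in the binary packages" is a not-affected rationale rather than a reason to leave an affecting issue open; if the marker behind that text is <ignored>, <not-affected> would describe the situation more accurately and keep the CVE out of the ignored-issues lists. The added NOTE is also ambiguous as written: "not enabled ... until 1:3.1+dfsg-3, disabled again in 1:3.1+dfsg-4 until 1:4.1-1" can be read as enabled from -3 onward; rewording to "only enabled in 1:3.1+dfsg-3, disabled again from 1:3.1+dfsg-4 until 1:4.1-1, which covers buster's 1:3.1+dfsg-8" would settle it.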
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3755-1 for tar
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 19d318ca by Adrian Bunk at 2024-03-09T22:59:42+02:00 Reserve DLA-3755-1 for tar - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[09 Mar 2024] DLA-3755-1 tar - security update + {CVE-2023-39804} + [buster] - tar 1.30+dfsg-6+deb10u1 [08 Mar 2024] DLA-3754-1 fontforge - security update {CVE-2020-5395 CVE-2020-5496 CVE-2024-25081 CVE-2024-25082} [buster] - fontforge 1:20170731~dfsg-1+deb10u1 = data/dla-needed.txt = @@ -312,12 +312,6 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -tar (Adrian Bunk) - NOTE: 20240308: Added by Front-Desk (opal) - NOTE: 20240308: It was previously no-dsa but since it has been fixed in - NOTE: 20240308: bullseye and the fix is trivial it is worth fixing in buster - NOTE: 20240308: too. Low priority though. --- thunderbird (Emilio) NOTE: 20240306: Added by Front-Desk (opal) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/19d318ca6a7b4500e3db9f7597703c0927aa7ac6
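Review bot: The removed dla-needed NOTE says tar "was previously no-dsa" in buster, yet this commit does not touch data/CVE/list; the unadf, node-xml2js and qemu reservations on this list each drop the stale "[buster] - <pkg> (Minor issue)" line in the same commit, so the CVE-2023-39804 entry should get the same cleanup or it will carry a buster no-dsa annotation alongside DLA-3755-1.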
[Git][security-tracker-team/security-tracker][master] CVE-2024-24474/qemu does not affect buster or bullseye
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab50b5ee by Adrian Bunk at 2024-03-09T22:47:05+02:00 CVE-2024-24474/qemu does not affect buster or bullseye - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5007,9 +5007,11 @@ CVE-2024-24475 CVE-2024-24474 (QEMU before 8.2.0 has an integer underflow, and resultant buffer overf ...) - qemu 1:8.2.0+ds-1 [bookworm] - qemu (Minor issue) - [bullseye] - qemu (Minor issue) + [bullseye] - qemu (Vulnerable code introduced later) + [buster] - qemu (Vulnerable code introduced later) NOTE: https://gitlab.com/qemu-project/qemu/-/issues/1810 - NOTE: https://github.com/qemu/qemu/commit/77668e4b9bca03a856c27ba899a2513ddf52bb52 (v8.2.0-rc0) + NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/1b9e48a5bdbc96833113f249909af0d30a76cc25 (v6.0.0-rc0) + NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/77668e4b9bca03a856c27ba899a2513ddf52bb52 (v8.2.0-rc0) CVE-2024-23809 (A double-free vulnerability exists in the BrainVision ASCII Header Par ...) - biosig 2.6.0-1 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1919 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab50b5ee16449ee692c3719db0dce483c7f9b881
[Git][security-tracker-team/security-tracker][master] CVE-2023-42467/qemu does not affect buster or bullseye
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab990934 by Adrian Bunk at 2024-03-09T22:36:05+02:00 CVE-2023-42467/qemu does not affect buster or bullseye - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -34402,9 +34402,12 @@ CVE-2023-42470 (The Imou Life com.mm.android.smartlifeiot application through 6. CVE-2023-42467 (QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset ...) - qemu 1:8.1.1+ds-1 (bug #1051899) [bookworm] - qemu 1:7.2+dfsg-7+deb12u3 - [bullseye] - qemu (Minor issue) - [buster] - qemu (Minor issue) + [bullseye] - qemu (Vulnerable code introduced later) + [buster] - qemu (Vulnerable code introduced later) NOTE: https://gitlab.com/qemu-project/qemu/-/issues/1813 + NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/356c4c441ec01910314c5867c680bef80d1dd373 (v7.1.0-rc0) + NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/55794c904df723109b228da28b5db778e0df3110 (v7.1.0-rc2) + NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/7cfcc79b0ab800959716738aff9419f53fc68c9c (v8.2.0-rc0) CVE-2023-40040 (An issue was discovered in the MyCrops HiGrade "THC Testing & Cannabi" ...) NOT-FOR-US: MyCrops HiGrade "THC Testing & Cannabi" application CVE-2023-40039 (An issue was discovered on ARRIS TG852G, TG862G, and TG1672G devices. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab990934fca81c0f623d42bb82ca2501b407599a
[Git][security-tracker-team/security-tracker][master] CVE-2023-6683/qemu does not affect buster or bullseye
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab4278e3 by Adrian Bunk at 2024-03-09T22:23:30+02:00 CVE-2023-6683/qemu does not affect buster or bullseye - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12592,8 +12592,10 @@ CVE-2024-0459 (A vulnerability has been found in Blood Bank & Donor Management 5 CVE-2023-6683 (A flaw was found in the QEMU built-in VNC server while processing Clie ...) - qemu 1:8.2.0+ds-5 (bug #1060749) [bookworm] - qemu 1:7.2+dfsg-7+deb12u4 - [bullseye] - qemu (Minor issue) + [bullseye] - qemu (Vulnerable code introduced later) + [buster] - qemu (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2254825 + NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/660e8d0f0be4e87da937ce797973874bb282d498 (v6.1.0-rc0) NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/405484b29f6548c7b86549b0f961b906337aa68a CVE-2023-52026 (TOTOlink EX1800T V9.1.0cu.2112_B20220316 was discovered to contain a r ...) NOT-FOR-US: TOTOlink View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab4278e32d0ce10fff2c3aef8afc7fe8d0027c6b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab4278e32d0ce10fff2c3aef8afc7fe8d0027c6b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
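Review bot: the "Fixed by" NOTE for 405484b29f6548c7b86549b0f961b906337aa68a carries no upstream version tag, unlike the "Introduced by" NOTE (v6.1.0-rc0) added in the same hunk; record the tag, or the "(master, after vX.Y.Z)" form used elsewhere in this file, so the bullseye/buster "Vulnerable code introduced later" reasoning can be checked against bookworm's 1:7.2 fixed version from the entry alone.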
[Git][security-tracker-team/security-tracker][master] CVE-2023-6683/qemu: Update note to point to committed fix
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab05bc38 by Adrian Bunk at 2024-03-09T22:19:27+02:00 CVE-2023-6683/qemu: Update note to point to committed fix - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12594,7 +12594,7 @@ CVE-2023-6683 (A flaw was found in the QEMU built-in VNC server while processing [bookworm] - qemu 1:7.2+dfsg-7+deb12u4 [bullseye] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2254825 - NOTE: Proposed patch: https://lists.nongnu.org/archive/html/qemu-devel/2024-01/msg02382.html + NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/405484b29f6548c7b86549b0f961b906337aa68a CVE-2023-52026 (TOTOlink EX1800T V9.1.0cu.2112_B20220316 was discovered to contain a r ...) NOT-FOR-US: TOTOlink CVE-2023-51978 (In PHPGurukul Art Gallery Management System v1.1, "Update Artist Image ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab05bc38e73f837a9f8c29a7d50a10f13fc04f8a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab05bc38e73f837a9f8c29a7d50a10f13fc04f8a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
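Review bot: replacing the qemu-devel "Proposed patch" URL with the commit drops the only link to the thread where the patch was discussed; keep the list URL as a second NOTE under the "Fixed by" line, since the discussion is often what a backporter needs when the committed fix does not apply cleanly to 5.2 or 3.1.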
[Git][security-tracker-team/security-tracker][master] CVE-2023-5088/qemu: Update note to point to committed fix
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abddfa6d by Adrian Bunk at 2024-03-09T22:09:41+02:00 CVE-2023-5088/qemu: Update note to point to committed fix - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25150,8 +25150,7 @@ CVE-2023-5088 (A bug in QEMU could cause a guest I/O operation otherwise address [bullseye] - qemu (Minor issue) [buster] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2247283 - NOTE: https://lore.kernel.org/all/20230921160712.99521-1-simon.r...@nutanix.com/T/ - NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2023-09/msg01011.html + NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/7d7512019fc40c577e2bdd61f114f31a9eb84a8e (v8.2.0-rc0) CVE-2023-4769 (A SSRF vulnerability has been found in ManageEngine Desktop Central af ...) NOT-FOR-US: ManageEngine Desktop Central CVE-2023-4768 (A CRLF injection vulnerability has been found in ManageEngine Desktop ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abddfa6d4cb8413963fe395565f07454e4f2cec2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abddfa6d4cb8413963fe395565f07454e4f2cec2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] qemu 1:5.2+dfsg-11+deb11u3 fixed CVE-2022-1051, not CVE-2023-1546
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab9d53cc by Adrian Bunk at 2024-03-09T21:46:01+02:00 qemu 1:5.2+dfsg-11+deb11u3 fixed CVE-2022-1051, not CVE-2023-1546 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -58309,12 +58309,13 @@ CVE-2023-1546 (The MyCryptoCheckout WordPress plugin before 2.124 does not escap CVE-2023-1545 (SQL Injection in GitHub repository nilsteampassnet/teampass prior to 3 ...) - teampass (bug #730180) CVE-2023-1544 (A flaw was found in the QEMU implementation of VMWare's paravirtual RD ...) - - qemu 1:8.0.2+dfsg-1 (bug #1034179) + - qemu 1:8.2.0+ds-1 (bug #1034179) [bookworm] - qemu (Minor issue) - [bullseye] - qemu 1:5.2+dfsg-11+deb11u3 + [bullseye] - qemu (Minor issue) [buster] - qemu (Minor issue) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html - NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/31c4b6fb0293e359f9ef8a61892667e76eea4c99 (v8.0.0-rc0) + NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/85fc35afa93c7320d1641d344d0c5dfbe341d087 (v8.2.0-rc0) + NOTE: Not fixed in 1:5.2+dfsg-11+deb11u3 as claimed in the changelog, contains the CVE-2022-1050 fix instead. CVE-2023-28686 (Dino before 0.2.3, 0.3.x before 0.3.2, and 0.4.x before 0.4.2 allows a ...) {DSA-5379-1} - dino-im 0.4.2-1 (bug #1033370) 
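Review bot: the removed "Fixed by" commit 31c4b6fb0293e359f9ef8a61892667e76eea4c99 (v8.0.0-rc0) is the same commit the CVE-2022-1050 entry in the next hunk still references, which confirms the mix-up the new NOTE describes; add a short cross-reference ("see CVE-2022-1050") to the new NOTE, because a reader of this entry alone sees "contains the CVE-2022-1050 fix instead" without any commit id, and the bullseye line has gone back to "(Minor issue)" with no pointer to where the real bullseye fix is now recorded.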
@@ -141328,10 +141329,11 @@ CVE-2022-1051 (The WPQA Builder Plugin WordPress plugin before 5.2, used as a co CVE-2022-1050 (A flaw was found in the QEMU implementation of VMWare's paravirtual RD ...) {DLA-3362-1} - qemu 1:7.1+dfsg-2 (bug #1014589) - [bullseye] - qemu (Minor issue) + [bullseye] - qemu 1:5.2+dfsg-11+deb11u3 [stretch] - qemu (rdma devices introduced in v2.12) NOTE: https://gitlab.com/qemu-project/qemu/-/commit/31c4b6fb0293e359f9ef8a61892667e76eea4c99 (master, after v7.2.0) NOTE: PVRDMA support not enabled in the binary packages until 1:3.1+dfsg-3, disabled again in 1:3.1+dfsg-4 until 1:4.1-1 + NOTE: 1:5.2+dfsg-11+deb11u3 changelog incorrectly lists CVE-2023-1544 as fixed instead of CVE-2022-1050. CVE-2022-1049 (A flaw was found in the Pacemaker configuration tool (pcs). The pcs da ...) {DSA-5226-1 DLA-3108-1} - pcs 0.11.3-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab9d53cc222dc0179d5f98c3f1a7c0eb8660a55f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab9d53cc222dc0179d5f98c3f1a7c0eb8660a55f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
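Review bot: the unstable fixed version 1:7.1+dfsg-2 in this entry predates the commit the NOTE dates as "(master, after v7.2.0)", so either the Debian package carried the patch before upstream merged it or the fixed version is wrong; a NOTE stating which would prevent exactly the kind of confusion the new changelog NOTE is correcting. The bullseye line now pointing at 1:5.2+dfsg-11+deb11u3 is consistent with the hunk above, and the {DLA-3362-1} reference is untouched, which is fine.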
[Git][security-tracker-team/security-tracker][master] dla: take tar
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: aba1933b by Adrian Bunk at 2024-03-09T01:26:45+02:00 dla: take tar - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -312,7 +312,7 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -tar +tar (Adrian Bunk) NOTE: 20240308: Added by Front-Desk (opal) NOTE: 20240308: It was previously no-dsa but since it has been fixed in NOTE: 20240308: bullseye and the fix is trivial it is worth fixing in buster View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aba1933b550def146f196362f0691fe6d7168f90 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aba1933b550def146f196362f0691fe6d7168f90 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: take postgresql
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abe5852f by Adrian Bunk at 2024-03-08T01:03:36+02:00 dla: take postgresql - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -230,7 +230,7 @@ nvidia-graphics-drivers-legacy-390xx pdns-recursor NOTE: 20240306: Added by Front-Desk (opal) -- -postgresql-11 +postgresql-11 (Adrian Bunk) NOTE: 20240306: Added by Front-Desk (opal) -- putty View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abe5852fbf8c5a88d7439703ef5a8a74e7609de3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abe5852fbf8c5a88d7439703ef5a8a74e7609de3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3754-1 for fontforge
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: afd03b29 by Adrian Bunk at 2024-03-08T01:02:57+02:00 Reserve DLA-3754-1 for fontforge - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -299331,7 +299331,6 @@ CVE-2020-5497 (The OpenID Connect reference implementation for MITREid Connect t NOT-FOR-US: MITREid Connect CVE-2020-5496 (FontForge 20190801 has a heap-based buffer overflow in the Type2NotDef ...) - fontforge 1:20201107~dfsg-1 (bug #948231) - [buster] - fontforge (Minor issue) [stretch] - fontforge (Minor issue) [jessie] - fontforge (Minor issue) NOTE: https://github.com/fontforge/fontforge/issues/4085 @@ -299549,7 +299548,6 @@ CVE-2020-5396 (VMware GemFire versions prior to 9.10.0, 9.9.2, 9.8.7, and 9.7.6, NOT-FOR-US: VMware CVE-2020-5395 (FontForge 20190801 has a use-after-free in SFD_GetFontMetaData in sfd. ...) - fontforge 1:20201107~dfsg-1 (bug #948231) - [buster] - fontforge (Minor issue) [stretch] - fontforge (Minor issue) [jessie] - fontforge (Minor issue) NOTE: https://github.com/fontforge/fontforge/issues/4084 = data/DLA/list = @@ -1,3 +1,6 @@ +[08 Mar 2024] DLA-3754-1 fontforge - security update + {CVE-2020-5395 CVE-2020-5496 CVE-2024-25081 CVE-2024-25082} + [buster] - fontforge 1:20170731~dfsg-1+deb10u1 [06 Mar 2024] DLA-3753-1 yard - security update {CVE-2019-1020001 CVE-2024-27285} [buster] - yard 0.9.16-1+deb10u1 = data/dla-needed.txt = 
@@ -101,9 +101,6 @@ exiftags expat NOTE: 20240306: Added by Front-Desk (opal) -- -fontforge (Adrian Bunk) - NOTE: 20240306: Added by Front-Desk (opal) --- freeimage NOTE: 20240121: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/afd03b2915fb9afbb3ac5849fd89f01080b8714e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/afd03b2915fb9afbb3ac5849fd89f01080b8714e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
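Review bot: the data/CVE/list part of this patch only drops the "[buster] - fontforge (Minor issue)" lines for CVE-2020-5395 and CVE-2020-5496, while the DLA-3754-1 entry also lists CVE-2024-25081 and CVE-2024-25082, which are not touched here; confirm those two entries carry no [buster] line of their own, otherwise the tracker shows a release fixed by a DLA that still has a no-dsa marker.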
[Git][security-tracker-team/security-tracker][master] dla: take ruby-rack
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab07e09e by Adrian Bunk at 2024-03-06T23:22:21+02:00 dla: take ruby-rack - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -277,7 +277,7 @@ ring NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca) -- -ruby-rack +ruby-rack (Adrian Bunk) NOTE: 20240306: Added by Front-Desk (opal) -- runc View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab07e09ea26b4cc21bcace49182c17724a424733 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab07e09ea26b4cc21bcace49182c17724a424733 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: take fontforge
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab218ce1 by Adrian Bunk at 2024-03-06T22:58:43+02:00 dla: take fontforge - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -105,7 +105,7 @@ exiftags expat NOTE: 20240306: Added by Front-Desk (opal) -- -fontforge +fontforge (Adrian Bunk) NOTE: 20240306: Added by Front-Desk (opal) -- freeimage View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab218ce143bc3a837758a3e2d36a3ce62ca26c46 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab218ce143bc3a837758a3e2d36a3ce62ca26c46 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2024-28084/iwd does not affect buster
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abcaca2e by Adrian Bunk at 2024-03-06T22:35:37+02:00 CVE-2024-28084/iwd does not affect buster - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -826,8 +826,10 @@ CVE-2024-28088 (LangChain through 0.1.10 allows ../ directory traversal by an ac NOT-FOR-US: LanChain-ai Langchain CVE-2024-28084 (p2putil.c in iNet wireless daemon (IWD) through 2.15 allows attackers ...) - iwd 2.16-1 (bug #1065443) + [buster] - iwd (Vulnerable code not present) NOTE: https://git.kernel.org/pub/scm/network/wireless/iwd.git/commit/?id=52a47c9fd428904de611a90cbf8b223af879684d (2.16) NOTE: https://git.kernel.org/pub/scm/network/wireless/iwd.git/commit/?id=d34b4e16e045142590ed7cb653e01ed0ae5362eb (2.16) + NOTE: first version of p2putil in 0.19, P2P is supported since 1.8 CVE-2024-21826 (in OpenHarmony v3.2.4 and prior versions allow a local attacker cause ...) NOT-FOR-US: OpenHarmony CVE-2024-21816 (in OpenHarmony v4.0.0 and prior versions allow a local attacker cause ...) = data/dla-needed.txt = 
@@ -133,9 +133,6 @@ imagemagick NOTE: 20231014: Some work under git branch debian/buster but unease NOTE: 20240227: Made a partial release -- -iwd (Adrian Bunk) - NOTE: 20240306: Added by Front-Desk (opal) --- jenkins-htmlunit-core-js NOTE: 20231231: Added by Front-Desk (lamby) NOTE: 20231231: Needs checking that this is definitely vulnerable: a quick glance View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abcaca2e26273641969616cfcb4badfdd8ec3eb3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abcaca2e26273641969616cfcb4badfdd8ec3eb3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
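Review bot: the new NOTE "first version of p2putil in 0.19, P2P is supported since 1.8" gives two upstream versions but not the iwd version buster ships, so the "[buster] - iwd (Vulnerable code not present)" claim cannot be checked from the entry; state the buster version and which threshold applies, since "older than 0.19" (the file does not exist) and "between 0.19 and 1.8" (the file exists but P2P is not reachable) are different arguments and only the first matches the reason text.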
[Git][security-tracker-team/security-tracker][master] dla: take iwd
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab8b52fc by Adrian Bunk at 2024-03-06T22:21:11+02:00 dla: take iwd - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -133,7 +133,7 @@ imagemagick NOTE: 20231014: Some work under git branch debian/buster but unease NOTE: 20240227: Made a partial release -- -iwd +iwd (Adrian Bunk) NOTE: 20240306: Added by Front-Desk (opal) -- jenkins-htmlunit-core-js View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab8b52fc7b9199be95ef129b1ad676a5c49c4d91 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab8b52fc7b9199be95ef129b1ad676a5c49c4d91 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3753-1 for yard
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 72dabf92 by Adrian Bunk at 2024-03-06T22:11:22+02:00 Reserve DLA-3753-1 for yard - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -329064,7 +329064,6 @@ CVE-2019-1020002 (Pterodactyl before 0.7.14 with 2FA allows credential sniffing. NOT-FOR-US: Pterodactyl CVE-2019-1020001 (yard before 0.9.20 allows path traversal.) - yard 0.9.20-1 (low; bug #945369) - [buster] - yard (Minor issue) [stretch] - yard (Minor issue) [jessie] - yard (Bug was introduced in 0.9.6) NOTE: https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr = data/DLA/list = @@ -1,3 +1,6 @@ +[06 Mar 2024] DLA-3753-1 yard - security update + {CVE-2019-1020001 CVE-2024-27285} + [buster] - yard 0.9.16-1+deb10u1 [05 Mar 2024] DLA-3752-1 libuv1 - security update {CVE-2024-24806} [buster] - libuv1 1.24.1-1+deb10u2 = data/dla-needed.txt = @@ -332,9 +332,6 @@ varnish NOTE: 20240122: Still fixing tests (abhijith) NOTE: 20240213: Fixing tests.(abhijith) -- -yard (Adrian Bunk) - NOTE: 20240303: Added by Front-Desk (apo) --- zabbix NOTE: 20240212: Added by Front-Desk (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72dabf922fd5d03bcbaa624bca60975d06b61ac2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72dabf922fd5d03bcbaa624bca60975d06b61ac2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3752-1 for libuv1
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 38d7b4df by Adrian Bunk at 2024-03-05T23:28:13+02:00 Reserve DLA-3752-1 for libuv1 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[05 Mar 2024] DLA-3752-1 libuv1 - security update + {CVE-2024-24806} + [buster] - libuv1 1.24.1-1+deb10u2 [05 Mar 2024] DLA-3751-1 libapache2-mod-auth-openidc - security update {CVE-2024-24814} [buster] - libapache2-mod-auth-openidc 2.3.10.2-1+deb10u4 = data/dla-needed.txt = @@ -176,9 +176,6 @@ libstb NOTE: 20221119: and in the past CVE fixes have caused regressions. NOTE: 20221119: Wait for upstream merge of fixes (and fixing in unstable). (bunk) -- -libuv1 (Adrian Bunk) - NOTE: 20240303: Added by Front-Desk (apo) --- linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38d7b4df588532a995285b31d897ddf733467899 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38d7b4df588532a995285b31d897ddf733467899 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: take yard
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab15d47a by Adrian Bunk at 2024-03-04T17:51:38+02:00 dla: take yard - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -326,7 +326,7 @@ varnish NOTE: 20240122: Still fixing tests (abhijith) NOTE: 20240213: Fixing tests.(abhijith) -- -yard +yard (Adrian Bunk) NOTE: 20240303: Added by Front-Desk (apo) -- zabbix View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab15d47ae59bda9b49422ca7d6eb7a76433adc5c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab15d47ae59bda9b49422ca7d6eb7a76433adc5c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: take libuv1
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: fb4d7cfe by Adrian Bunk at 2024-03-04T16:52:04+02:00 dla: take libuv1 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -175,7 +175,7 @@ libstb NOTE: 20221119: and in the past CVE fixes have caused regressions. NOTE: 20221119: Wait for upstream merge of fixes (and fixing in unstable). (bunk) -- -libuv1 +libuv1 (Adrian Bunk) NOTE: 20240303: Added by Front-Desk (apo) -- linux (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb4d7cfea71ff176f97e8eda9584a44483c392ff -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb4d7cfea71ff176f97e8eda9584a44483c392ff You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-7216/cpio: upstream considers it normal behavior
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab006b54 by Adrian Bunk at 2024-03-04T14:52:44+02:00 CVE-2023-7216/cpio: upstream considers it normal behavior I am leaving the final assessment/decision about this CVE to the security team. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -7034,7 +7034,8 @@ CVE-2024-0323 (Use of a Broken or Risky Cryptographic Algorithm vulnerability in CVE-2023-7216 (A path traversal vulnerability was found in the CPIO utility. This iss ...) - cpio NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2249901 - NOTE: https://lists.gnu.org/archive/html/bug-cpio/2024-02/msg0.html + NOTE: Upstream considers it normal behavior: + NOTE: https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg0.html CVE-2023-6874 (Prior to v7.4.0, Ember ZNet is vulnerable to a denial of service attac ...) NOT-FOR-US: Ember ZNet CVE-2023-6028 (A reflected cross-site scripting (XSS) vulnerability exists in the SVG ...) = data/dla-needed.txt = @@ -65,6 +65,7 @@ composer (rouca) -- cpio NOTE: 20240303: Added by Front-Desk (apo) + NOTE: 20240304: Likely no work to do since upstream considers CVE-2023-7216 normal behavior. (bunk) -- curl NOTE: 20231229: Added by Front-Desk (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab006b54bd62ef52555abed33f92c94fbf1817fc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab006b54bd62ef52555abed33f92c94fbf1817fc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
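Review bot: the bug-cpio 2024-02 thread URL is replaced rather than kept, so the entry now links only upstream's reply and no longer the original report; keep both NOTEs. Also, the package line stays a bare "- cpio" (unfixed) while the NOTEs argue the behaviour is intended; if the security team agrees with upstream, the entry should get the "(unimportant)" treatment this file uses for CVE-2019-20175, and the dla-needed entry ("Likely no work to do") should then be removed rather than left on the LTS queue.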
[Git][security-tracker-team/security-tracker][master] dla: take gtkwave
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab5547e2 by Adrian Bunk at 2024-03-04T00:47:00+02:00 dla: take gtkwave - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -108,7 +108,7 @@ frr (Abhijith PA) golang-go.crypto NOTE: 20231219: Added by Front-Desk (ta) -- -gtkwave +gtkwave (Adrian Bunk) NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240116: For CVE-2023-32650 etc. (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab5547e295988de63f7a2ac0c2e06034e94dc4b3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab5547e295988de63f7a2ac0c2e06034e94dc4b3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2019-20175/qemu was fixed in 5.0
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab5d4411 by Adrian Bunk at 2024-03-03T22:15:05+02:00 CVE-2019-20175/qemu was fixed in 5.0 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -299517,7 +299517,7 @@ CVE-2019-20176 (In Pure-FTPd 1.0.49, a stack exhaustion issue was discovered in [jessie] - pure-ftpd (Minor issue) NOTE: https://github.com/jedisct1/pure-ftpd/commit/aea56f4bcb9948d456f3fae4d044fd3fa2e19706 CVE-2019-20175 (An issue was discovered in ide_dma_cb() in hw/ide/core.c in QEMU 2.4.0 ...) - - qemu (unimportant) + - qemu 1:5.0-1 (unimportant) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2019-07/msg01651.html NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2019-07/msg03869.html NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2019-11/msg00597.html 
@@ -299525,6 +299525,7 @@ CVE-2019-20175 (An issue was discovered in ide_dma_cb() in hw/ide/core.c in QEMU NOTE: Marked unimportant, as negligible security impact (a privileged guest NOTE: can trigger similar issues without triggering the specific assert) and NOTE: is disputed by QEMU security team. + NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/ed78352a59ea7acf7520d4d47a96b9911bae7fc3 (v5.0.0-rc0) CVE-2019-20174 (Auth0 Lock before 11.21.0 allows XSS when additionalSignUpFields is us ...) NOT-FOR-US: Auth0 Lock CVE-2019-20173 (The Auth0 wp-auth0 plugin 3.11.x before 3.11.3 for WordPress allows XS ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab5d4411459bc860516d625beb0e8f33f3e7e037 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab5d4411459bc860516d625beb0e8f33f3e7e037 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
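Review bot: the new "Fixed by" NOTE is appended after the "Marked unimportant ... disputed by QEMU security team" explanation instead of next to the three qemu-devel URLs in the previous hunk; move it up so the upstream references stay together and the rationale paragraph remains last, matching the layout of the other qemu entries in this series. The v5.0.0-rc0 tag is consistent with the new 1:5.0-1 fixed version.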
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3746-1 for wireshark
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: d03247f5 by Adrian Bunk at 2024-02-29T23:54:56+00:00 Reserve DLA-3746-1 for wireshark - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -34816,7 +34816,6 @@ CVE-2023-4513 (BT SDP dissector memory leak in Wireshark 4.0.0 to 4.0.7 and 3.6. {DSA-5559-1} - wireshark 4.0.8-1 [bullseye] - wireshark (Minor issue) - [buster] - wireshark (Minor issue) NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19259 NOTE: https://www.wireshark.org/security/wnpa-sec-2023-25.html CVE-2023-4512 (CBOR dissector crash in Wireshark 4.0.0 to 4.0.6 allows denial of serv ...) @@ -34830,7 +34829,6 @@ CVE-2023-4511 (BT SDP dissector infinite loop in Wireshark 4.0.0 to 4.0.7 and 3. {DSA-5559-1} - wireshark 4.0.8-1 [bullseye] - wireshark (Minor issue) - [buster] - wireshark (Minor issue) NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19258 NOTE: https://www.wireshark.org/security/wnpa-sec-2023-24.html CVE-2023-4230 (A vulnerability has been identified in ioLogik 4000 Series (ioLogik E4 ...) = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Feb 2024] DLA-3746-1 wireshark - security update + {CVE-2023-4511 CVE-2023-4513 CVE-2023-6175 CVE-2024-0208} + [buster] - wireshark 2.6.20-0+deb10u8 [29 Feb 2024] DLA-3745-1 gsoap - security update {CVE-2020-13574 CVE-2020-13575 CVE-2020-13576 CVE-2020-13577 CVE-2020-13578} [buster] - gsoap 2.8.75-1+deb10u1 = data/dla-needed.txt = 
@@ -300,11 +300,6 @@ varnish (Abhijith PA) NOTE: 20240122: Still fixing tests (abhijith) NOTE: 20240213: Fixing tests.(abhijith) -- -wireshark (Adrian Bunk) - NOTE: 20231118: Added by Front-Desk (apo) - NOTE: 20231204: DLA pending (bunk) - NOTE: 20231218: Debugging a problem with the update. (bunk) --- zabbix NOTE: 20240212: Added by Front-Desk (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d03247f5a771d5f45ed13c5c240b0b3fb729d959 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d03247f5a771d5f45ed13c5c240b0b3fb729d959 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
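Review bot: the CVE-2023-4511 and CVE-2023-4513 descriptions in the context lines name Wireshark 4.0.0 to 4.0.7 and 3.6.x, while DLA-3746-1 fixes buster's 2.6.20-0+deb10u8; a NOTE recording that the BT SDP dissector in 2.6 was confirmed affected (the removed "[buster] - wireshark (Minor issue)" lines implied this but did not say so) would save the next triager re-checking. CVE-2023-6175 and CVE-2024-0208 from the DLA entry get no data/CVE/list change here; confirm they carry no leftover [buster] line.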
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3745-1 for gsoap
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 3b7538d4 by Adrian Bunk at 2024-02-29T23:47:08+00:00 Reserve DLA-3745-1 for gsoap - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = 
@@ -275300,27 +275300,22 @@ CVE-2020-13579 (An exploitable integer overflow vulnerability exists in the Plan NOT-FOR-US: SoftMaker CVE-2020-13578 (A denial-of-service vulnerability exists in the WS-Security plugin fun ...) - gsoap 2.8.104-3 (bug #983596) - [buster] - gsoap (Minor issue) [stretch] - gsoap (intrusive to backport, will either not compile or may cause runtime errors) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1189 CVE-2020-13577 (A denial-of-service vulnerability exists in the WS-Security plugin fun ...) - gsoap 2.8.104-3 (bug #983596) - [buster] - gsoap (Minor issue) [stretch] - gsoap (intrusive to backport, will either not compile or may cause runtime errors) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1188 CVE-2020-13576 (A code execution vulnerability exists in the WS-Addressing plugin func ...) - gsoap 2.8.104-3 (bug #983596) - [buster] - gsoap (Minor issue) [stretch] - gsoap (intrusive to backport, will either not compile or may cause runtime errors) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1187 CVE-2020-13575 (A denial-of-service vulnerability exists in the WS-Addressing plugin f ...) - gsoap 2.8.104-3 (bug #983596) - [buster] - gsoap (Minor issue) [stretch] - gsoap (intrusive to backport, will either not compile or may cause runtime errors) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1186 CVE-2020-13574 (A denial-of-service vulnerability exists in the WS-Security plugin fun ...) - gsoap 2.8.104-3 (bug #983596) - [buster] - gsoap (Minor issue) [stretch] - gsoap (intrusive to backport, will either not compile or may cause runtime errors) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1185 CVE-2020-13573 (A denial-of-service vulnerability exists in the Ethernet/IP server fun ...) = data/DLA/list = 
@@ -1,3 +1,6 @@ +[29 Feb 2024] DLA-3745-1 gsoap - security update + {CVE-2020-13574 CVE-2020-13575 CVE-2020-13576 CVE-2020-13577 CVE-2020-13578} + [buster] - gsoap 2.8.75-1+deb10u1 [29 Feb 2024] DLA-3744-1 python-django - security update {CVE-2021-28658 CVE-2021-31542 CVE-2021-33203 CVE-2021-33571} [buster] - python-django 1:1.11.29-1+deb10u11 = data/dla-needed.txt = @@ -107,9 +107,6 @@ frr golang-go.crypto NOTE: 20231219: Added by Front-Desk (ta) -- -gsoap (Adrian Bunk) - NOTE: 20240229: Forward-port of stretch ELA. (bunk) --- gtkwave NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240116: For CVE-2023-32650 etc. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b7538d4a5f7c810200cfa9138192dc9731ee0b2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b7538d4a5f7c810200cfa9138192dc9731ee0b2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
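Review bot: the five `[buster] - gsoap (Minor issue)` lines are dropped now that DLA-3745-1 covers them, but the `[stretch] - gsoap (intrusive to backport, will either not compile or may cause runtime errors)` lines under the same CVEs stay untouched, even though the dla-needed note removed in this same commit says the buster update is a forward-port of the stretch ELA. Either the stretch reason is stale or the ELA took a different route; a NOTE pointing at the ELA, or an updated stretch reason, would stop the two files from contradicting each other.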
[Git][security-tracker-team/security-tracker][master] CVE-2024-0210/wireshark does not affect <= bookworm
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abde01a1 by Adrian Bunk at 2024-02-29T21:53:15+02:00 CVE-2024-0210/wireshark does not affect = bookworm - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12411,8 +12411,9 @@ CVE-2024-0211 (DOCSIS dissector crash in Wireshark 4.2.0 allows denial of servic NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19557 CVE-2024-0210 (Zigbee TLV dissector crash in Wireshark 4.2.0 allows denial of service ...) - wireshark 4.2.2-1 (bug #1059925) - [bookworm] - wireshark (Minor issue) - [bullseye] - wireshark (Minor issue) + [bookworm] - wireshark (Zigbee TLV dissector introduced in 4.2) + [bullseye] - wireshark (Zigbee TLV dissector introduced in 4.2) + [buster] - wireshark (Zigbee TLV dissector introduced in 4.2) NOTE: https://www.wireshark.org/security/wnpa-sec-2024-04.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19504 CVE-2024-0209 (IEEE 1609.2 dissector crash in Wireshark 4.2.0, 4.0.0 to 4.0.11, and 3 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abde01a1e0a4e9179cc5bae3b9f43e660593a65e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abde01a1e0a4e9179cc5bae3b9f43e660593a65e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
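Review bot: unlike the companion wireshark entries updated the same evening (CVE-2024-0207, CVE-2023-6174, CVE-2023-5371), this hunk rewrites the release markers to `Zigbee TLV dissector introduced in 4.2` without adding an `Introduced by:` NOTE naming the Wireshark commit or tag that added the dissector. Recording that reference makes the not-affected claim for bookworm, bullseye and buster checkable later instead of resting on the reason string alone.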
[Git][security-tracker-team/security-tracker][master] CVE-2024-0207/wireshark does not affect <= bookworm
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab51bc5f by Adrian Bunk at 2024-02-29T21:39:26+02:00 CVE-2024-0207/wireshark does not affect = bookworm - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12431,10 +12431,12 @@ CVE-2024-0208 (GVCP dissector crash in Wireshark 4.2.0, 4.0.0 to 4.0.11, and 3.6 NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19496 CVE-2024-0207 (HTTP3 dissector crash in Wireshark 4.2.0 allows denial of service via ...) - wireshark 4.2.2-1 (bug #1059925) - [bookworm] - wireshark (Minor issue) - [bullseye] - wireshark (Minor issue) + [bookworm] - wireshark (Vulnerable code introduced later) + [bullseye] - wireshark (Vulnerable code introduced later) + [buster] - wireshark (Vulnerable code introduced later) NOTE: https://www.wireshark.org/security/wnpa-sec-2024-03.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19502 + NOTE: Introduced by: https://gitlab.com/wireshark/wireshark/-/commit/80f9a28921acfa1fb9fe29a25468451faad2b6f2 (v4.2.0rc0) CVE-2024-0196 (A vulnerability has been found in Magic-Api up to 2.0.1 and classified ...) NOT-FOR-US: Magic-Api CVE-2024-0195 (A vulnerability, which was classified as critical, was found in spider ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab51bc5fb1b9cd7b20138f975b378eae8707b478 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab51bc5fb1b9cd7b20138f975b378eae8707b478 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
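Review bot: the replaced lines keep the bare `[release] - wireshark (reason)` form that the old `(Minor issue)` entries used, with only the reason text changed to `Vulnerable code introduced later`. Since the commit title says these releases are not affected, the explicit `<not-affected>` keyword (`[buster] - wireshark <not-affected> (Vulnerable code introduced later)`) would record that state for the tracker itself rather than leaving it to a human reading the reason string, and the added `Introduced by:` note with the v4.2.0rc0 tag already supplies the evidence for it.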
[Git][security-tracker-team/security-tracker][master] CVE-2023-6174/wireshark does not affect buster
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab34aa73 by Adrian Bunk at 2024-02-29T21:22:29+02:00 CVE-2023-6174/wireshark does not affect buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20602,8 +20602,10 @@ CVE-2023-6174 (SSH dissector crash in Wireshark 4.0.0 to 4.0.10 allows denial of {DSA-5559-1} - wireshark 4.0.11-1 [bullseye] - wireshark (Only affects 4.x) + [buster] - wireshark (Only affects 4.x) NOTE: https://www.wireshark.org/security/wnpa-sec-2023-28.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19369 + NOTE: Introduced by: https://gitlab.com/wireshark/wireshark/-/commit/a2f6b079f16e0dfa10a1eab82b13b52d8e173199 (v3.7.0) CVE-2023-6121 (An out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsy ...) {DSA-5594-1 DLA-3711-1} - linux 6.6.8-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab34aa736b18426058d985ea4ea3145d46276e4b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab34aa736b18426058d985ea4ea3145d46276e4b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
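Review bot: the new buster line copies the reason `Only affects 4.x` from the bullseye line, while the `Introduced by:` note added in the same hunk points at a commit tagged v3.7.0; the two agree only if the reader knows 3.7 was the development series that became 4.0. A reason such as `Vulnerable code introduced later` (the wording used in the sibling wireshark commits) or one that mentions the 3.7.0 development tag would remove the apparent mismatch.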
[Git][security-tracker-team/security-tracker][master] CVE-2023-5371/wireshark does not affect buster or bullseye
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abb9350d by Adrian Bunk at 2024-02-29T21:12:37+02:00 CVE-2023-5371/wireshark does not affect buster or bullseye - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28339,10 +28339,11 @@ CVE-2023-5373 (A vulnerability classified as critical has been found in SourceCo CVE-2023-5371 (RTPS dissector memory leak in Wireshark 4.0.0 to 4.0.8 and 3.6.0 to 3. ...) {DSA-5559-1} - wireshark 4.0.10-1 - [bullseye] - wireshark (Minor issue) - [buster] - wireshark (Minor issue) + [bullseye] - wireshark (Vulnerable code introduced later) + [buster] - wireshark (Vulnerable code introduced later) NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19322 NOTE: https://www.wireshark.org/security/wnpa-sec-2023-27.html + NOTE: Introduced by: https://gitlab.com/wireshark/wireshark/-/commit/b46d244a9ba55daaed1ebbb15f5ea56231658d3d (v3.5.0) CVE-2023-5113 (Certain HP Enterprise LaserJet and HP LaserJet Managed Printers are po ...) NOT-FOR-US: HP CVE-2023-4997 (Improper authorisation of regular users in ProIntegra Uptime DC softwa ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abb9350defb7a4b7f6d2edcd7fa04b9effbebabf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abb9350defb7a4b7f6d2edcd7fa04b9effbebabf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: Add and take gsoap
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abe6d7ca by Adrian Bunk at 2024-02-29T20:31:40+02:00 dla: Add and take gsoap - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -107,6 +107,9 @@ frr golang-go.crypto NOTE: 20231219: Added by Front-Desk (ta) -- +gsoap (Adrian Bunk) + NOTE: 20240229: Forward-port of stretch ELA. (bunk) +-- gtkwave NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240116: For CVE-2023-32650 etc. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abe6d7ca95582882791e8ff833d5668c5dd7d77a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abe6d7ca95582882791e8ff833d5668c5dd7d77a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
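Review bot: the new gsoap entry carries only `Forward-port of stretch ELA.`; neighbouring entries in the hunk context (gtkwave, `For CVE-2023-32650 etc.`) name the CVEs the update is meant to cover, and listing them here would let Front-Desk match the claim against data/CVE/list without having to look up the ELA first.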
[Git][security-tracker-team/security-tracker][master] dla: take qemu
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab44afc3 by Adrian Bunk at 2024-02-25T22:34:27+02:00 dla: take qemu - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -234,7 +234,7 @@ python-os-brick NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -qemu +qemu (Adrian Bunk) NOTE: 20240119: Added by Front-Desk (lamby) NOTE: 20240119: CVE-2023-1544 and CVE-2023-3354 already fixed in bullseye via DSA or point releases; to be fixed or . (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab44afc3878381574198af459c5f2cd12bd8d080 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab44afc3878381574198af459c5f2cd12bd8d080 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: retake
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab7a9284 by Adrian Bunk at 2024-02-25T21:34:45+02:00 dla: retake - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -276,7 +276,7 @@ squid NOTE: 20240109: I ask for another pair of eyes for CVE-2023-5824. The fix NOTE: 20240109: appears to be intrusive. I could not locate the fix for CVE-2023-49288 yet. (apo) -- -suricata +suricata (Adrian Bunk) NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored), @@ -312,7 +312,7 @@ varnish (Abhijith PA) NOTE: 20240122: Still fixing tests (abhijith) NOTE: 20240213: Fixing tests.(abhijith) -- -wireshark +wireshark (Adrian Bunk) NOTE: 20231118: Added by Front-Desk (apo) NOTE: 20231204: DLA pending (bunk) NOTE: 20231218: Debugging a problem with the update. (bunk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab7a928481e437abd747e921182cf0359c53eb43 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab7a928481e437abd747e921182cf0359c53eb43 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
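Review bot: the wireshark hunk only re-adds the claimer name; the last dated status on the entry is `NOTE: 20231218: Debugging a problem with the update. (bunk)`, so after this 20240225 retake the entry still reads as a two-month-old debugging session. The other dla-needed entries visible here carry a dated NOTE per state change, and a one-line `NOTE: 20240225: ...` saying whether the earlier problem is resolved would tell Front-Desk what the retake means.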
[Git][security-tracker-team/security-tracker][master] dla: retake
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab9de5e0 by Adrian Bunk at 2024-01-26T00:04:23+02:00 dla: retake - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -268,7 +268,7 @@ squid sudo (rouca) NOTE: 20231224: Added by Front-Desk (ta) -- -suricata +suricata (Adrian Bunk) NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored), @@ -278,7 +278,7 @@ suricata NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -tiff +tiff (Adrian Bunk) NOTE: 20231231: Added by Front-Desk (lamby) NOTE: 20231231: CVE-2023-3576 already fixed in bullseye via DSA or point release(s). (lamby) -- @@ -299,7 +299,7 @@ varnish (Abhijith PA) NOTE: 20240108: Backported security fixes and related commits. Fixing test failures. (abhijith) NOTE: 20240122: Still fixing tests (abhijith) -- -wireshark +wireshark (Adrian Bunk) NOTE: 20231118: Added by Front-Desk (apo) NOTE: 20231204: DLA pending (bunk) NOTE: 20231218: Debugging a problem with the update. (bunk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab9de5e07d722905ff5fe33e368b07e56b8a29a2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab9de5e07d722905ff5fe33e368b07e56b8a29a2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: retake
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abec2543 by Adrian Bunk at 2024-01-04T18:25:38+02:00 dla: retake - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -245,7 +245,7 @@ squid (Markus Koschany) sudo (Adrian Bunk) NOTE: 20231224: Added by Front-Desk (ta) -- -suricata +suricata (Adrian Bunk) NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored), @@ -276,7 +276,7 @@ varnish (Abhijith PA) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 NOTE: 20231219: Continuing work -- -wireshark +wireshark (Adrian Bunk) NOTE: 20231118: Added by Front-Desk (apo) NOTE: 20231204: DLA pending (bunk) NOTE: 20231218: Debugging a problem with the update. (bunk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abec2543ba07d54daf2adedf678f9236848c90c9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abec2543ba07d54daf2adedf678f9236848c90c9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: take tiff
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab92749d by Adrian Bunk at 2023-12-31T21:21:56+02:00 dla: take tiff - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -258,7 +258,7 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -tiff +tiff (Adrian Bunk) NOTE: 20231231: Added by Front-Desk (lamby) NOTE: 20231231: CVE-2023-3576 already fixed in bullseye via DSA or point release(s). (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab92749d26700639274219af7624b462d7516063 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab92749d26700639274219af7624b462d7516063 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: take sudo
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab7c2276 by Adrian Bunk at 2023-12-26T00:13:57+02:00 dla: take sudo - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -231,7 +231,7 @@ squid (Markus Koschany) NOTE: 20231218: Investigating new CVE. (apo) NOTE: 20231223: The update requires a few more tests. Intend to release after the holidays. -- -sudo +sudo (Adrian Bunk) NOTE: 20231224: Added by Front-Desk (ta) -- suricata (Adrian Bunk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab7c227638a0ee1907a9414be46983161a6fca8b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab7c227638a0ee1907a9414be46983161a6fca8b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3692-1 for curl
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 72c00733 by Adrian Bunk at 2023-12-19T09:16:03+02:00 Reserve DLA-3692-1 for curl - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -42187,7 +42187,6 @@ CVE-2023-28323 (A deserialization of untrusted data exists in EPM 2022 Su3 and a CVE-2023-28322 (An information disclosure vulnerability exists in curl (Minor issue) NOTE: https://curl.se/docs/CVE-2023-28322.html NOTE: Introduced by: https://github.com/curl/curl/commit/546572da0457f37c698c02d0a08d90fdfcbeedec (curl-7_7) NOTE: Fixed by: https://github.com/curl/curl/commit/7815647d6582c0a4900be2e1de6c5e61272c496b (curl-8_1_0) = data/DLA/list = @@ -1,3 +1,6 @@ +[19 Dec 2023] DLA-3692-1 curl - security update + {CVE-2023-28322 CVE-2023-46218} + [buster] - curl 7.64.0-4+deb10u8 [18 Dec 2023] DLA-3691-1 spip - security update [buster] - spip 3.2.4-1+deb10u12 [17 Dec 2023] DLA-3686-2 xorg-server - security update = data/dla-needed.txt = 
@@ -56,10 +56,6 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -curl (Adrian Bunk) - NOTE: 20231210: Added by Front-Desk (ta) - NOTE: 20231210: maybe also take care of https://lists.debian.org/debian-lts/2023/12/msg00020.html --- docker.io NOTE: 20230303: Added by Front-Desk (Beuc) NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72c0073304accd5e3a9db27db1f469312dcf78e8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72c0073304accd5e3a9db27db1f469312dcf78e8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
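Review bot: DLA-3692-1 lists CVE-2023-28322 and CVE-2023-46218 for buster curl 7.64.0-4+deb10u8, but the data/CVE/list hunk drops a buster marker only under CVE-2023-28322 (one line removed, per the `-42187,7 +42187,6` header). If CVE-2023-46218 also carried a buster no-dsa or postponed line it needs the same treatment, otherwise the tracker keeps presenting it as deliberately unfixed in buster despite the DLA.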
[Git][security-tracker-team/security-tracker][master] dla: add note
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abcf7697 by Adrian Bunk at 2023-12-18T13:47:40+02:00 dla: add note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -236,6 +236,7 @@ varnish (Abhijith PA) wireshark (Adrian Bunk) NOTE: 20231118: Added by Front-Desk (apo) NOTE: 20231204: DLA pending (bunk) + NOTE: 20231218: Debugging a problem with the update. (bunk) -- zabbix NOTE: 20231015: Added by Front-Desk (ta) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abcf7697165f28c78505a66fa1bfd212e0a398e6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abcf7697165f28c78505a66fa1bfd212e0a398e6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-46218/curl does not affect buster
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab967160 by Adrian Bunk at 2023-12-18T00:48:58+02:00 CVE-2023-46218/curl does not affect buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2443,6 +2443,7 @@ CVE-2023-46218 (This flaw allows a malicious HTTP server to set "super cookies" CVE-2023-46219 (When saving HSTS data to an excessively long file name, curl could end ...) - curl 8.5.0-1 (bug #1057645) [bullseye] - curl (curl is not built with HSTS support) + [buster] - curl (Not affected by CVE-2022-32207) NOTE: Introduced by: https://github.com/curl/curl/commit/20f9dd6bae50b7223171b17ba7798946e74f877f (curl-7_84_0) NOTE: The issue is introduced with the fix for CVE-2022-32207. NOTE: Fixed by: https://github.com/curl/curl/commit/73b65e94f3531179de45c6f3c836a610e3d0a846 (curl-8_5_0) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab967160a75effabe41c934a8b098a56e7e6874c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab967160a75effabe41c934a8b098a56e7e6874c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
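Review bot: the commit title names CVE-2023-46218, but the lines changed belong to the CVE-2023-46219 entry: the hunk body starts at `CVE-2023-46219 (When saving HSTS data to an excessively long file name, ...)` and the new `[buster] - curl (Not affected by CVE-2022-32207)` line sits under it, beside the HSTS-related bullseye reason and the `Introduced by: ... (curl-7_84_0)` / `introduced with the fix for CVE-2022-32207` notes, all of which describe 46219; the CVE-2023-46218 text in the `@@` header is only git's preceding-context label. The title should say CVE-2023-46219; as written it suggests buster is unaffected by the cookie issue, which the DLA-3692-1 entry elsewhere on this page (buster curl 7.64.0-4+deb10u8 for CVE-2023-28322 and CVE-2023-46218) contradicts.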
[Git][security-tracker-team/security-tracker][master] CVE-2023-27534/curl: This is a regression *fix*
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab8ff21d by Adrian Bunk at 2023-12-17T23:53:36+02:00 CVE-2023-27534/curl: This is a regression *fix* - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -44536,7 +44536,7 @@ CVE-2023-27534 (A path traversal vulnerability exists in curl <8.0.0 SFTP implem NOTE: https://curl.se/docs/CVE-2023-27534.html NOTE: Introduced by: https://github.com/curl/curl/commit/ba6f20a2442ab1ebfe947cff19a552f92114a29a (curl-7_18_0) NOTE: Fixed by: https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 (curl-8_0_0) - NOTE: Regression: https://github.com/curl/curl/commit/91b53efa4b6854dc3688f55bfb329b0cafcf5325 (curl-8_1_0) + NOTE: Regression fix: https://github.com/curl/curl/commit/91b53efa4b6854dc3688f55bfb329b0cafcf5325 (curl-8_1_0) CVE-2023-27533 (A vulnerability in input validation exists in curl <8.0 during communi ...) {DLA-3398-1} - curl 7.88.1-7 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab8ff21dae1a4ad83d47546a0d8aabe66b01418a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab8ff21dae1a4ad83d47546a0d8aabe66b01418a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
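Review bot: with the label corrected the entry now states that 4e2b52b5 (curl-8_0_0) fixes CVE-2023-27534 and that 91b53efa (curl-8_1_0) repairs a regression in that fix; a backport that cherry-picks only the `Fixed by:` commit would reintroduce the regression, so a few words on the NOTE line about what regressed, or an explicit "apply together with the fix", would help whoever prepares the buster update.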
[Git][security-tracker-team/security-tracker][master] CVE-2023-27534/curl: Add regression
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abe25e07 by Adrian Bunk at 2023-12-17T22:38:01+02:00 CVE-2023-27534/curl: Add regression - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -44536,6 +44536,7 @@ CVE-2023-27534 (A path traversal vulnerability exists in curl <8.0.0 SFTP implem NOTE: https://curl.se/docs/CVE-2023-27534.html NOTE: Introduced by: https://github.com/curl/curl/commit/ba6f20a2442ab1ebfe947cff19a552f92114a29a (curl-7_18_0) NOTE: Fixed by: https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 (curl-8_0_0) + NOTE: Regression: https://github.com/curl/curl/commit/91b53efa4b6854dc3688f55bfb329b0cafcf5325 (curl-8_1_0) CVE-2023-27533 (A vulnerability in input validation exists in curl <8.0 during communi ...) {DLA-3398-1} - curl 7.88.1-7 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abe25e07bd5765ec1243081d1304aab6e8913b85 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abe25e07bd5765ec1243081d1304aab6e8913b85 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
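Review bot: `NOTE: Regression:` followed by a commit URL leaves it unclear whether 91b53efa introduced a regression or fixed one caused by the CVE-2023-27534 fix; the neighbouring notes use the verb form (`Introduced by:`, `Fixed by:`), so `Regression fix:` or `Regression introduced by:`, whichever applies, would remove the ambiguity that matters most to anyone choosing commits to backport.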
[Git][security-tracker-team/security-tracker][master] 2 commits: dla: retake suricata
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: aba3621a by Adrian Bunk at 2023-12-13T14:56:18+02:00 dla: retake suricata - - - - - ab025649 by Adrian Bunk at 2023-12-13T15:01:26+02:00 dla: tor is EOL https://tracker.debian.org/news/1485222/accepted-debian-security-support-11020231312-source-into-oldoldstable/ - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -217,7 +217,7 @@ spip (guilhem) squid (Markus Koschany) NOTE: 20231102: Added by Front-Desk (lamby) -- -suricata +suricata (Adrian Bunk) NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored), @@ -233,9 +233,6 @@ tinymce (Sean Whitton) tomcat9 NOTE: 20231129: Added by Front-Desk (Beuc) -- -tor - NOTE: 20231119: Added by Front-Desk (apo) --- varnish (Abhijith PA) NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5aa6f79827fdd21672fb514c6c839ffacc91e33c...ab02564921da898f3562df85963a9fdb21a75a19 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5aa6f79827fdd21672fb514c6c839ffacc91e33c...ab02564921da898f3562df85963a9fdb21a75a19 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
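Review bot: the tor hunk removes the dla-needed entry on the strength of the debian-security-support upload linked in the commit message, but the only file touched is data/dla-needed.txt; any open buster entries for tor in data/CVE/list are not part of this change, so unless they are marked `<end-of-life>` elsewhere they will keep showing as unfixed in buster after the package has left support. A follow-up applying that marker, or a note here saying it has been done, would close the loop.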
[Git][security-tracker-team/security-tracker][master] dla: take curl
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abf6516c by Adrian Bunk at 2023-12-11T01:40:38+02:00 dla: take curl - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -55,7 +55,7 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -curl +curl (Adrian Bunk) NOTE: 20231210: Added by Front-Desk (ta) NOTE: 20231210: maybe also take care of https://lists.debian.org/debian-lts/2023/12/msg00020.html -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abf6516cb938434da90bfe898bff02ae72fbf4e7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abf6516cb938434da90bfe898bff02ae72fbf4e7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits