[Git][security-tracker-team/security-tracker][master] Reserve DLA-3822-1 for python-pymysql
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: c84857fb by Chris Lamb at 2024-05-27T10:40:56+01:00 Reserve DLA-3822-1 for python-pymysql - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[27 May 2024] DLA-3822-1 python-pymysql - security update + {CVE-2024-36039} + [buster] - python-pymysql 0.9.3-1+deb10u1 [26 May 2024] DLA-3821-1 libreoffice - security update {CVE-2024-3044} [buster] - libreoffice 1:6.1.5-3+deb10u12 = data/dla-needed.txt = @@ -241,9 +241,6 @@ python-asyncssh NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and in Git, but one test is failing. Waiting for feedback before release. (dleidert) -- -python-pymysql (Chris Lamb) - NOTE: 20240523: Added by Front-Desk (lamby) --- rails NOTE: 20220909: Re-added due to regression (abhijith) NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c84857fb2dafb199fb68d864e7111db852794169 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c84857fb2dafb199fb68d864e7111db852794169 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
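Review bot: only data/DLA/list and data/dla-needed.txt change here, so the CVE-2024-36039 entry in data/CVE/list is not part of this diff; it should be checked to carry a buster line with the same fixed version the new DLA-3822-1 entry records (python-pymysql 0.9.3-1+deb10u1), otherwise the tracker keeps listing the CVE as open for buster after the advisory goes out. The dla-needed.txt removal itself is consistent with the reservation.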
[Git][security-tracker-team/security-tracker][master] 3 commits: Triage CVE-2024-1968 in python-scrapy for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: fbd535b4 by Chris Lamb at 2024-05-24T08:15:54+01:00 Triage CVE-2024-1968 in python-scrapy for buster LTS. - - - - - 148f06f5 by Chris Lamb at 2024-05-24T08:16:51+01:00 Triage CVE-2024-29038 CVE-2024-29039 in tpm2-tools for buster LTS. - - - - - 6bfabaf2 by Chris Lamb at 2024-05-24T08:17:14+01:00 Triage CVE-2024-29040 in tpm2-tss for buster LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2791,6 +2791,7 @@ CVE-2024-1968 (In scrapy/scrapy, an issue was identified where the Authorization - python-scrapy 2.11.2-1 [bookworm] - python-scrapy (Minor issue) [bullseye] - python-scrapy (Minor issue) + [buster] - python-scrapy (Minor issue; can be fixed in next update) NOTE: https://huntr.com/bounties/27f6a021-a891-446a-ada5-0226d619dd1a NOTE: https://github.com/scrapy/scrapy/security/advisories/GHSA-4qqq-9vqf-3h3f NOTE: https://github.com/scrapy/scrapy/commit/f8d6c456e0669ea5344e93fe9206bd1ffebc2008 (2.11.2) 
@@ -11802,16 +11803,19 @@ CVE-2024-29040 - tpm2-tss 4.1.0-1 (bug #1070140) [bookworm] - tpm2-tss (Minor issue) [bullseye] - tpm2-tss (Minor issue) + [buster] - tpm2-tss (Minor issue; can be fixed in next update) NOTE: https://github.com/tpm2-software/tpm2-tss/commit/710cd0b6adf3a063f34a8e92da46df7a107d9a99 (4.1.0) CVE-2024-29039 - tpm2-tools 5.7-1 (bug #1070139) [bookworm] - tpm2-tools (Minor issue) [bullseye] - tpm2-tools (Minor issue) + [buster] - tpm2-tools (Minor issue; can be fixed in next update) NOTE: https://github.com/tpm2-software/tpm2-tools/commit/98599df9392a346216c5a059b8d35271286100bb (5.7) CVE-2024-29038 - tpm2-tools 5.7-1 (bug #1070139) [bookworm] - tpm2-tools (Minor issue) [bullseye] - tpm2-tools (Minor issue) + [buster] - tpm2-tools (Minor issue; can be fixed in next update) NOTE: https://github.com/tpm2-software/tpm2-tools/commit/66d922d6547b7b4fe4f274fb2ec10b376e0e259c (5.7) CVE-2024-4327 (A vulnerability was found in Apryse WebViewer up to 10.8.0. It has bee ...) NOT-FOR-US: Apryse WebViewer View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fbbb0d4e39f3e712eb99e4bd5b79e40423ed2dc3...6bfabaf2a8d3a0e875e5418424afc3524c48e0d0 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fbbb0d4e39f3e712eb99e4bd5b79e40423ed2dc3...6bfabaf2a8d3a0e875e5418424afc3524c48e0d0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
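Review bot: the two tpm2-tools entries (CVE-2024-29038 and CVE-2024-29039) share bug #1070139 and the same "can be fixed in next update" buster annotation but reference different upstream commits (66d922d6... and 98599df9..., both in 5.7), so the next buster upload of tpm2-tools has to backport both; the tpm2-tss entry (commit 710cd0b6..., 4.1.0) is a separate source package and needs its own upload. Worth keeping the three annotations in step if one of them is later revised.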
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage roundcube for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: fbbb0d4e by Chris Lamb at 2024-05-24T08:13:45+01:00 data/dla-needed.txt: Triage roundcube for buster LTS. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -272,6 +272,9 @@ ring NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca) -- +roundcube + NOTE: 20240524: Added by Front-Desk (lamby) +-- ruby2.5 NOTE: 20240504: Added by Front-Desk (Beuc) NOTE: 20240504: Follow DSA-5677-1 (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fbbb0d4e39f3e712eb99e4bd5b79e40423ed2dc3 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fbbb0d4e39f3e712eb99e4bd5b79e40423ed2dc3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
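Review bot: the new roundcube entry records only "Added by Front-Desk (lamby)"; unlike the mediawiki entry in the same file, which names the issue it was added for, nothing here says which CVE(s) prompted the triage, so whoever claims the package has to rediscover that from data/CVE/list. Add a second NOTE naming the issue(s), as the other entries do.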
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage gst-plugins-base1.0 for buster LTS (CVE-2024-4453)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: ff636f5b by Chris Lamb at 2024-05-24T08:10:56+01:00 data/dla-needed.txt: Triage gst-plugins-base1.0 for buster LTS (CVE-2024-4453) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -118,6 +118,9 @@ glibc (Adrian Bunk) NOTE: 20240504: Re-add for remaining CVEs. (bunk) NOTE: 20240520: Testing fixes. (bunk) -- +gst-plugins-base1.0 + NOTE: 20240524: Added by Front-Desk (lamby) +-- h2o NOTE: 20231228: Added by Front-Desk (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff636f5bbbd7813daa5712aa4926ba01e39297b7 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff636f5bbbd7813daa5712aa4926ba01e39297b7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
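Review bot: the commit message names CVE-2024-4453 as the reason for adding gst-plugins-base1.0, but the added NOTE line says only "Added by Front-Desk (lamby)". Record the CVE in the NOTE as well (e.g. "NOTE: 20240524: Added for CVE-2024-4453 (lamby)"), since the file, not the commit log, is what the eventual claimant reads.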
[Git][security-tracker-team/security-tracker][master] Triage CVE-2024-28285 in libcrypto++ for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: d2116336 by Chris Lamb at 2024-05-23T11:17:52+01:00 Triage CVE-2024-28285 in libcrypto++ for buster LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6354,6 +6354,7 @@ CVE-2024-28285 (A Fault Injection vulnerability in the SymmetricDecrypt function - libcrypto++ [bookworm] - libcrypto++ (Minor issue) [bullseye] - libcrypto++ (Minor issue) + [buster] - libcrypto++ (Minor issue; can be fixed in next update) NOTE: https://groups.google.com/g/cryptopp-users/c/UkVcH2IWR2M?pli=1 NOTE: https://github.com/weidai11/cryptopp/issues/1262 CVE-2024-28279 (Code-projects Computer Book Store 1.0 is vulnerable to SQL Injection v ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2116336dfcb700ff9c634e14a2d49cc82d178b1 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2116336dfcb700ff9c634e14a2d49cc82d178b1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
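Review bot: the buster annotation "can be fixed in next update" presumes a fix exists to backport, but the entry's NOTEs reference only the cryptopp-users thread and upstream issue #1262, and the unstable line "- libcrypto++" carries no fixed version either. Until an upstream fix commit is linked there is nothing for a buster update to pick up, so either add the fix reference or word the annotation as waiting for upstream.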
[Git][security-tracker-team/security-tracker][master] Triage CVE-2024-35195 in requests for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: b916bb52 by Chris Lamb at 2024-05-23T11:11:24+01:00 Triage CVE-2024-35195 in requests for buster LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2598,6 +2598,7 @@ CVE-2024-35195 (Requests is a HTTP library. Prior to 2.32.0, when making request - requests (bug #1071593) [bookworm] - requests (Minor issue) [bullseye] - requests (Minor issue) + [buster] - requests (Minor issue; can be fixed in next update) NOTE: https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56 NOTE: https://github.com/psf/requests/pull/6655 NOTE: https://github.com/psf/requests/commit/c0813a2d910ea6b4f8438b91d315b8d181302356 (v2.32.0) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b916bb527916ef784ec36e0b3382244a74238769 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b916bb527916ef784ec36e0b3382244a74238769 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: data/dla-needed.txt: Triage python-pymysql for buster LTS (CVE-2024-36039)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: b40a30bc by Chris Lamb at 2024-05-23T11:03:56+01:00 data/dla-needed.txt: Triage python-pymysql for buster LTS (CVE-2024-36039) - - - - - 4b968c93 by Chris Lamb at 2024-05-23T11:04:23+01:00 data/dla-needed.txt: Claim python-pymysql. - - - - - 675acd8c by Chris Lamb at 2024-05-23T11:05:39+01:00 Triage CVE-2024-26306 in iperf3 for buster LTS. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -6450,6 +6450,7 @@ CVE-2024-26306 (iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a ser - iperf3 [bookworm] - iperf3 (Minor issue) [bullseye] - iperf3 (Minor issue) + [buster] - iperf3 (Minor issue; can be fixed in next update) CVE-2023-5052 (vulnerability in Uniform Server Zero, version 10.2.5, consisting of an ...) NOT-FOR-US: Uniform Zero Server CVE-2024-4799 (A vulnerability, which was classified as critical, was found in Kaship ...) = data/dla-needed.txt = 
@@ -247,6 +247,9 @@ python-asyncssh NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and in Git, but one test is failing. Waiting for feedback before release. (dleidert) -- +python-pymysql (Chris Lamb) + NOTE: 20240523: Added by Front-Desk (lamby) +-- rails NOTE: 20220909: Re-added due to regression (abhijith) NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/09303ea80b963cf5690204f25b00d2ddbd7f05d5...675acd8ce8d80583be19006f08db658de2769092 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/09303ea80b963cf5690204f25b00d2ddbd7f05d5...675acd8ce8d80583be19006f08db658de2769092 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Triage CVE-2023-45733, CVE-2023-45745, CVE-2023-46103 & CVE-2023-47855 in...
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: a0cd2a32 by Chris Lamb at 2024-05-22T09:12:31+01:00 Triage CVE-2023-45733, CVE-2023-45745, CVE-2023-46103 CVE-2023-47855 in intel-microcode for buster LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -4499,24 +4499,28 @@ CVE-2023-47855 (Improper input validation in some Intel(R) TDX module software b - intel-microcode 3.20240514.1 [bookworm] - intel-microcode (Minor issue; can be fixed in point release) [bullseye] - intel-microcode (Minor issue; can be fixed in point release) + [buster] - intel-microcode (Minor issue; can be fixed in next update) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01036.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240514 CVE-2023-45745 (Improper input validation in some Intel(R) TDX module software before ...) - intel-microcode 3.20240514.1 [bookworm] - intel-microcode (Minor issue; can be fixed in point release) [bullseye] - intel-microcode (Minor issue; can be fixed in point release) + [buster] - intel-microcode (Minor issue; can be fixed in next update) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01036.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240514 CVE-2023-46103 (Sequence of processor instructions leads to unexpected behavior in Int ...) - intel-microcode 3.20240514.1 [bookworm] - intel-microcode (Minor issue; can be fixed in point release) [bullseye] - intel-microcode (Minor issue; can be fixed in point release) + [buster] - intel-microcode (Minor issue; can be fixed in next update) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01052.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240514 CVE-2023-45733 (Hardware logic contains race conditions in some Intel(R) Processors ma ...) 
- intel-microcode 3.20240514.1 [bookworm] - intel-microcode (Minor issue; can be fixed in point release) [bullseye] - intel-microcode (Minor issue; can be fixed in point release) + [buster] - intel-microcode (Minor issue; can be fixed in next update) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01051.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240514 CVE-2024-5023 (Improper Neutralization of Special Elements used in a Command ('Comman ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0cd2a32bc4f5d0de27aa95b531c8b3c237a76e9 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0cd2a32bc4f5d0de27aa95b531c8b3c237a76e9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
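Review bot: all four intel-microcode entries point at the same upstream release (microcode-20240514) and the same fixed version 3.20240514.1, so the four "can be fixed in next update" buster lines describe one buster upload, not four; the annotations are consistent across the hunks. When that update is prepared, all three Intel advisories cited in the NOTEs (intel-sa-01036, intel-sa-01051, intel-sa-01052) belong in the DLA text, not just the one for the CVE being worked on.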
[Git][security-tracker-team/security-tracker][master] Drop pymongo from dla-needed.txt: package was marked as no-dsa in bullseye &...
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 2af90a2a by Chris Lamb at 2024-05-15T16:15:59+01:00 Drop pymongo from dla-needed.txt: package was marked as no-dsa in bullseye bookworm and as yet unfixed in sid. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -224,9 +224,6 @@ putty (rouca) NOTE: 20240412: Wait for comments by maintainer NOTE: 20240430: Backport fixes for CVE-2024-31497 wait review -- -pymongo (Chris Lamb) - NOTE: 20240420: Added by Front-Desk (apo) --- pypy3 NOTE: 20240503: Added by Front-Desk (Beuc) NOTE: 20240503: Fix newly triaged (but old) issues; View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2af90a2aea68ad81cb62f2162b67e2c6153eb9f5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2af90a2aea68ad81cb62f2162b67e2c6153eb9f5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Triage CVE-2024-21506 in pymongo for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: a2443d56 by Chris Lamb at 2024-05-15T16:15:02+01:00 Triage CVE-2024-21506 in pymongo for buster LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13222,6 +13222,7 @@ CVE-2024-21506 (Versions of the package pymongo before 4.6.3 are vulnerable to O - pymongo (bug #1069581) [bookworm] - pymongo (Minor issue) [bullseye] - pymongo (Minor issue) + [buster] - pymongo (Minor issue) NOTE: https://security.snyk.io/vuln/SNYK-PYTHON-PYMONGO-6370597 NOTE: https://gist.github.com/keltecc/62a7c2bf74a997d0a7b48a0ff3853a03 CVE-2024-1994 (The Image Watermark plugin for WordPress is vulnerable to unauthorized ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2443d56e3d6b8f33e3d5321d31e0768b8264f8e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2443d56e3d6b8f33e3d5321d31e0768b8264f8e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
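Review bot: the added "[buster] - pymongo (Minor issue)" lacks the "can be fixed in next update" qualifier that the other buster triage lines in this series carry, and the entry's NOTEs (a Snyk advisory and a gist) give no upstream fix commit while unstable is still open (bug #1069581). If the buster entry is meant to say the issue is postponed, add the qualifier and link the upstream fix for pymongo 4.6.3 so the update has something to backport; if it is meant as not worth fixing in buster, it is fine as written.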
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim pymongo.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 0a9152b0 by Chris Lamb at 2024-05-14T08:15:03+01:00 data/dla-needed.txt: Claim pymongo. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -221,7 +221,7 @@ putty (rouca) NOTE: 20240412: Wait for comments by maintainer NOTE: 20240430: Backport fixes for CVE-2024-31497 wait review -- -pymongo +pymongo (Chris Lamb) NOTE: 20240420: Added by Front-Desk (apo) -- pypy3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a9152b0b17cda6ed03b9ff14dc8051b9a31da02 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a9152b0b17cda6ed03b9ff14dc8051b9a31da02 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3803-1 for astropy
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 7780abf2 by Chris Lamb at 2024-04-30T16:46:37+01:00 Reserve DLA-3803-1 for astropy - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Apr 2024] DLA-3803-1 astropy - security update + {CVE-2023-41334} + [buster] - astropy 3.1.2-2+deb10u1 [30 Apr 2024] DLA-3802-1 org-mode - security update {CVE-2024-30203 CVE-2024-30204 CVE-2024-30205} [buster] - org-mode 9.1.14+dfsg-3+deb10u2 = data/dla-needed.txt = @@ -33,9 +33,6 @@ ansible (Lee Garrett) apache2 (debian) NOTE: 20240418: Added by Front-Desk (apo) -- -astropy (Chris Lamb) - NOTE: 20240421: Added by Front-Desk (apo) --- atril NOTE: 20240121: Added by Front-Desk (apo) NOTE: 20240121: Decide whether it makes sense to disable comic feature or use libarchive instead. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7780abf242e55319ede82aa0c76154a64dcc16c1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7780abf242e55319ede82aa0c76154a64dcc16c1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Actually mark CVE-2024-1135/gunicorn as postponed for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 784afb10 by Chris Lamb at 2024-04-29T12:35:32+01:00 Actually mark CVE-2024-1135/gunicorn as postponed for buster LTS. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -3654,6 +3654,7 @@ CVE-2024-1135 (Gunicorn fails to properly validate Transfer-Encoding headers, le - gunicorn (bug #1069126) [bookworm] - gunicorn (Minor issue) [bullseye] - gunicorn (Minor issue) + [buster] - gunicorn (Minor issue) NOTE: https://huntr.com/bounties/22158e34-cfd5-41ad-97e0-a780773d96c1 NOTE: https://github.com/benoitc/gunicorn/commit/ac29c9b0a758d21f1e0fb3b3457239e523fa9f1d CVE-2024-0549 (mintplex-labs/anything-llm is vulnerable to a relative path traversal ...) = data/dla-needed.txt = @@ -104,9 +104,6 @@ freeimage glibc (Adrian Bunk) NOTE: 20240419: Added by coordinator (santiago) -- -gunicorn (Chris Lamb) - NOTE: 20240421: Added by Front-Desk (apo) --- h2o (dleidert) NOTE: 20231228: Added by Front-Desk (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/784afb10403ea7c8da0854a4d241fc5c611e3bd5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/784afb10403ea7c8da0854a4d241fc5c611e3bd5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
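Review bot: the commit message says CVE-2024-1135/gunicorn is marked as postponed for buster, but the added line reads just "[buster] - gunicorn (Minor issue)", without the "can be fixed in next update" wording the other postponed buster lines in this series use. If a state marker was dropped by the mail rendering there is nothing to do; otherwise the entry does not say what the message says and should get the qualifier. Removing gunicorn from data/dla-needed.txt in the same commit is consistent with a postponed decision.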
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim gunicorn.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e76d436 by Chris Lamb at 2024-04-29T12:21:52+01:00 data/dla-needed.txt: Claim gunicorn. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -104,7 +104,7 @@ freeimage glibc (Adrian Bunk) NOTE: 20240419: Added by coordinator (santiago) -- -gunicorn +gunicorn (Chris Lamb) NOTE: 20240421: Added by Front-Desk (apo) -- h2o (dleidert) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e76d4369a8e3136ecb730b89b37c28437bab788 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e76d4369a8e3136ecb730b89b37c28437bab788 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla-needed.txt: Update name for ansible claim (based on commit message).
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: fd6f0df9 by Chris Lamb at 2024-04-29T12:20:19+01:00 dla-needed.txt: Update name for ansible claim (based on commit message). - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -21,7 +21,7 @@ To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. -- -ansible (debian) +ansible (Lee Garrett) NOTE: 20231202: Added by Front-Desk (Beuc) NOTE: 20231202: Supported package, but there's a CVE backlog, and no updates since 2021 NOTE: 20231202: (neither in LTS nor in stable/oldstable), so this is an opportunity to View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd6f0df96038a01cf66456655b0349eee08822b2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd6f0df96038a01cf66456655b0349eee08822b2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim astropy.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 8b19ac59 by Chris Lamb at 2024-04-22T10:22:58+01:00 data/dla-needed.txt: Claim astropy. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -33,7 +33,7 @@ ansible (debian) apache2 NOTE: 20240418: Added by Front-Desk (apo) -- -astropy +astropy (Chris Lamb) NOTE: 20240421: Added by Front-Desk (apo) -- atril View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8b19ac597930d90ad3561ccd17eb313b930661e9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8b19ac597930d90ad3561ccd17eb313b930661e9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: Triage CVE-2024-22412 in clickhouse for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 5d1b9d3c by Chris Lamb at 2024-04-06T13:54:09+01:00 Triage CVE-2024-22412 in clickhouse for buster LTS. - - - - - 4d5891ed by Chris Lamb at 2024-04-06T13:54:57+01:00 Triage CVE-2024-28871 in libhtp for buster LTS. - - - - - ecd648b7 by Chris Lamb at 2024-04-06T13:56:36+01:00 data/dla-needed.txt: Triage mediawiki for buster LTS. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -331,6 +331,7 @@ CVE-2024-28871 (LibHTP is a security-aware parser for the HTTP protocol and the - libhtp 1:0.5.47-1 [bookworm] - libhtp (Vulnerable code introduced in 0.5.46) [bullseye] - libhtp (Vulnerable code introduced in 0.5.46) + [buster] - libhtp (Vulnerable code introduced in 0.5.46) NOTE: https://github.com/OISF/libhtp/security/advisories/GHSA-ffr2-45w9-7wmg NOTE: Introduced by: https://github.com/OISF/libhtp/commit/bf618ec7f243cebfb0f7e84c3cb158955cb32b4d (0.5.46) NOTE: Fixed by: https://github.com/OISF/libhtp/commit/79e713f3e527593a45f545e854cd9e6fbb3cd3ed (0.5.47) @@ -5585,6 +5586,7 @@ CVE-2024-22453 (Dell PowerEdge Server BIOS contains a heap-based buffer overflow CVE-2024-22412 (ClickHouse is an open-source column-oriented database management syste ...) - clickhouse (bug #1067178) [bullseye] - clickhouse (Minor issue) + [buster] - clickhouse (Minor issue; can be fixed in next update) NOTE: https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-45h5-f7g3-gr8r NOTE: https://github.com/ClickHouse/ClickHouse/pull/58611 CVE-2024-21504 (Versions of the package livewire/livewire from 3.3.5 and before 3.4.9 ...) = data/dla-needed.txt = 
@@ -166,6 +166,10 @@ linux-5.10 lucene-solr NOTE: 20240213: Added by Front-Desk (lamby) -- +mediawiki + NOTE: 20240406: Added by Front-Desk (lamby) + NOTE: 20240406: Added to address "TEMP-000-519C2D" at the time of writing. (lamby) +-- nodejs NOTE: 20240406: Added by Front-Desk (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4da9185a560c76db4280a3cbc39b2db5d497f753...ecd648b72ce5edde5dbfc8b06fbb6644e73b8d17 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4da9185a560c76db4280a3cbc39b2db5d497f753...ecd648b72ce5edde5dbfc8b06fbb6644e73b8d17 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
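Review bot: the buster libhtp line copies the bullseye/bookworm reason "Vulnerable code introduced in 0.5.46", and the NOTE citing the introducing commit (bf618ec7..., 0.5.46) supports that only if buster ships an older libhtp; the hunk does not show the buster version, so confirm it rather than inferring it from the newer suites. On the mediawiki hunk, "TEMP-000-519C2D" is a temporary tracker id that will be superseded once a CVE is assigned; when that happens, append a NOTE with the CVE rather than editing the existing one, as the header of this file asks.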
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage nodejs for buster LTS (CVE-2024-27982 & CVE-2024-27983)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 4da9185a by Chris Lamb at 2024-04-06T13:52:47+01:00 data/dla-needed.txt: Triage nodejs for buster LTS (CVE-2024-27982 CVE-2024-27983) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -166,6 +166,9 @@ linux-5.10 lucene-solr NOTE: 20240213: Added by Front-Desk (lamby) -- +nodejs + NOTE: 20240406: Added by Front-Desk (lamby) +-- nova NOTE: 20230302: Re-add, request by maintainer (Beuc) NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4da9185a560c76db4280a3cbc39b2db5d497f753 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4da9185a560c76db4280a3cbc39b2db5d497f753 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage util-linux for buster LTS (CVE-2024-28085)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 51644175 by Chris Lamb at 2024-04-05T17:29:37+01:00 data/dla-needed.txt: Triage util-linux for buster LTS (CVE-2024-28085) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -293,6 +293,9 @@ tomcat9 (Markus Koschany) tzdata (Emilio) NOTE: 20240327: Added by pochu -- +util-linux + NOTE: 20240405: Added by Front-Desk (lamby) +-- varnish NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5164417582c505bfa41a8d07ad428f22cb5e9f6e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5164417582c505bfa41a8d07ad428f22cb5e9f6e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage org-mode for buster LTS (CVE-2024-30205)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 7d7d0512 by Chris Lamb at 2024-04-05T17:25:13+01:00 data/dla-needed.txt: Triage org-mode for buster LTS (CVE-2024-30205) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -200,6 +200,9 @@ nvidia-graphics-drivers-legacy-390xx NOTE: 20240303: Added by Front-Desk (apo) NOTE: 20240303: See comment for nvidia-graphics-drivers. (apo/front-desk) -- +org-mode + NOTE: 20240405: Added by Front-Desk (lamby) +-- pdns-recursor (dleidert) NOTE: 20240306: Added by Front-Desk (opal) NOTE: 20240319: Upload postponed due to #1067124 (dleidert) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7d7d05124c7cb1547205aa24add78521c9b35e90 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7d7d05124c7cb1547205aa24add78521c9b35e90 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Add offending commit for CVE-2024-30202/emacs.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 50cb1e64 by Chris Lamb at 2024-04-05T17:22:09+01:00 Add offending commit for CVE-2024-30202/emacs. - - - - - 35aa10ed by Chris Lamb at 2024-04-05T17:23:19+01:00 Triage CVE-2024-30202 in emacs for buster LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -3710,11 +3710,13 @@ CVE-2024-30202 (In Emacs before 29.3, arbitrary Lisp code is evaluated as part o - emacs 1:29.3+1-1 (bug #1067630) - org-mode 9.6.23+dfsg-1 (bug #1067663) [bookworm] - org-mode (Produces only a dependency binary package) + [buster] - org-mode (Vulnerable code not present; added in tag release_9.5) NOTE: https://www.openwall.com/lists/oss-security/2024/03/24/1 NOTE: https://lists.gnu.org/archive/html/info-gnu/2024-03/msg5.html NOTE: https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29=befa9fcaae29a6c9a283ba371c3c5234c7f644eb NOTE: https://list.orgmode.org/87o7b3eczr@bzg.fr/T/#t NOTE: https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=003ddacf1c8d869b1858181c29ea21b731a8d8d9 + NOTE: Introduced by: https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=8abdbbee395f284f2262a89187d662eaf40080b1 NOTE: org-mode/9.5.2+dfsh-5 dropped all lisp files from the produced binary packages NOTE: making an empty dependency package only. CVE-2024-2865 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/448af4d061ce1f57359a5779d6418b8bdfd89606...35aa10ed36622f1dca7f6d3c54dd548111f14e7a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/448af4d061ce1f57359a5779d6418b8bdfd89606...35aa10ed36622f1dca7f6d3c54dd548111f14e7a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
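Review bot: The hunk records buster's status only for org-mode ("[buster] - org-mode (Vulnerable code not present; added in tag release_9.5)"), yet the same CVE-2024-30202 entry also lists "emacs 1:29.3+1-1 (bug #1067630)" and gets no [buster] line for emacs, so the entry is left half-triaged for buster; either add the buster emacs status or a NOTE saying it is still under review. The added "Introduced by:" NOTE would also be easier to check against the release_9.5 claim if it carried the tag in parentheses, as the curl entries on this page do with "(curl-7_44_0)".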
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage tinymce for buster LTS (CVE-2024-29881 & CVE-2024-29881)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 57dce20a by Chris Lamb at 2024-04-04T17:34:05+01:00 data/dla-needed.txt: Triage tinymce for buster LTS (CVE-2024-29881 CVE-2024-29881) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -279,6 +279,11 @@ tiff NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and NOTE: 20240314: bookworm. Uploads to spu and ospu should be coordinated. (roberto) -- +tinymce + NOTE: 20240404: Added by Front-Desk (lamby) + NOTE: 20240404: May be v. difficult to backport and/or not even vulnerable. (lamby) + NOTE: 20240404: Check Ola's commit message in 21503da906. (lamby) +-- tomcat9 (Markus Koschany) NOTE: 20240121: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/57dce20ad7b18a4519b867c5e78f449d0a2a1ca6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/57dce20ad7b18a4519b867c5e78f449d0a2a1ca6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
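Review bot: The commit message names the same id twice ("CVE-2024-29881 CVE-2024-29881") where two distinct CVEs were presumably intended, and the added tinymce NOTE lines do not list the ids at all; a NOTE naming the CVEs actually being triaged would let whoever picks this up match the "21503da906" commit message against the right issues and settle the "not even vulnerable" question with a recorded check.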
[Git][security-tracker-team/security-tracker][master] 6 commits: Triage CVE-2024-30187 in anope for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: f10bd73a by Chris Lamb at 2024-04-04T17:12:21+01:00 Triage CVE-2024-30187 in anope for buster LTS. - - - - - c85ae800 by Chris Lamb at 2024-04-04T17:13:59+01:00 Triage CVE-2024-21503 in black for buster LTS. - - - - - 5a1c1635 by Chris Lamb at 2024-04-04T17:18:24+01:00 Triage CVE-2024-2398 in curl for buster LTS. - - - - - 56b46114 by Chris Lamb at 2024-04-04T17:25:07+01:00 Triage CVE-2024-29489 in iotjs for buster LTS. - - - - - 5b5b5c3c by Chris Lamb at 2024-04-04T17:25:52+01:00 Triage CVE-2024-29041 in node-express for buster LTS. - - - - - cef45552 by Chris Lamb at 2024-04-04T17:26:19+01:00 Triage CVE-2024-2955 in wireshark for buster LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1887,6 +1887,7 @@ CVE-2024-29640 (An issue in aliyundrive-webdav v.2.3.3 and before allows a remot CVE-2024-29489 (Jerryscript 2.4.0 has SEGV at ./jerry-core/ecma/base/ecma-helpers.c:23 ...) - iotjs [bullseye] - iotjs (Minor issue) + [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/issues/5101 NOTE: https://github.com/jerryscript-project/jerryscript/pull/5129 NOTE: https://github.com/jerryscript-project/jerryscript/commit/cefd391772529c8a9531d7b3c244d78d38be47c6 @@ -2658,6 +2659,7 @@ CVE-2024-2398 (When an application tells libcurl it wants to allow HTTP/2 server - curl 8.7.1-1 [bookworm] - curl (Minor issue) [bullseye] - curl (Minor issue) + [buster] - curl (Minor issue; can be fixed in next update) NOTE: https://curl.se/docs/CVE-2024-2398.html NOTE: Introduced by: https://github.com/curl/curl/commit/ea7134ac874a66107e54ff93657ac565cf2ec4aa (curl-7_44_0) NOTE: Fixed by: https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764 (curl-8_7_0) 
@@ -2997,6 +2999,7 @@ CVE-2024-2955 (T.38 dissector crash in Wireshark 4.2.0 to 4.0.3 and 4.0.0 to 4.0 - wireshark (bug #1068111) [bookworm] - wireshark (Minor issue) [bullseye] - wireshark (Minor issue) + [buster] - wireshark (Minor issue; can be fixed in next update) NOTE: https://www.wireshark.org/security/wnpa-sec-2024-06.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19695 CVE-2024-2951 (Cross-Site Request Forgery (CSRF) vulnerability in Metagauss Registrat ...) @@ -3285,6 +3288,7 @@ CVE-2024-29041 (Express.js minimalist web framework for node. Versions of Expres - node-express (bug #1068346) [bookworm] - node-express (Minor issue) [bullseye] - node-express (Minor issue) + [buster] - node-express (Minor issue; can be fixed in next update) NOTE: https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc NOTE: https://github.com/koajs/koa/issues/1800 NOTE: https://github.com/expressjs/express/pull/5539 @@ -3724,6 +3728,7 @@ CVE-2024-30187 (Anope before 2.0.15 does not prevent resetting the password of a - anope 2.0.15-1 [bookworm] - anope (Minor issue; due to apparmor bug not affecting default configurations) [bullseye] - anope (Minor issue) + [buster] - anope (Minor issue; can be fixed in next update) NOTE: https://github.com/anope/anope/issues/351 NOTE: https://github.com/anope/anope/commit/2b7872139c40ea5b0ca96c1d6595b7d5f9fa60a5 (2.0.15) CVE-2024-2849 (A vulnerability classified as critical was found in SourceCodester Sim ...) 
@@ -4990,6 +4995,7 @@ CVE-2024-21503 (Versions of the package black before 24.3.0 are vulnerable to Re - black (bug #1067177) [bookworm] - black (Minor issue) [bullseye] - black (Minor issue) + [buster] - black (Minor issue; can be fixed in next update) NOTE: https://security.snyk.io/vuln/SNYK-PYTHON-BLACK-6256273 NOTE: https://github.com/psf/black/releases/tag/24.3.0 NOTE: https://github.com/psf/black/commit/f00093672628d212b8965a8993cee8bedf5fe9b8 (24.3.0) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5e16f1bbc9dd7898cd74dfebfd9787ec6e893646...cef45552d2d78037ec65c5a351ab5c29547e1f11 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5e16f1bbc9dd7898cd74dfebfd9787ec6e893646...cef45552d2d78037ec65c5a351ab5c29547e1f11 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
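Review bot: In the CVE-2024-2955 hunk the description names only Wireshark 4.0.x and 4.2.x as affected, but the added "[buster] - wireshark (Minor issue; can be fixed in next update)" asserts that buster is affected; the line should say whether the T.38 dissector crash is present in buster's wireshark, or use the "(Vulnerable code not present)" form used for org-mode elsewhere on this page if it is not. The curl and anope hunks are consistent with their Introduced-by and fix NOTE lines and need no change.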
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage xorg-server for buster LTS (CVE-2024-31080,...
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 5e16f1bb by Chris Lamb at 2024-04-04T17:09:13+01:00 data/dla-needed.txt: Triage xorg-server for buster LTS (CVE-2024-31080, CVE-2024-31081 CVE-2024-31083) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -298,6 +298,12 @@ wordpress NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and NOTE: 20240314: bookwork. Uploads to spu and ospu should be coordinated. (roberto) -- +xorg-server + NOTE: 20240404: Added by Front-Desk (lamby) + NOTE: 20240404: Similar to the fixes within DLA-3721-1, these did not warrant a + NOTE: 20240404: DSA to src:xwayland as it does not run as root, but they + NOTE: 20240404: (may) affect xorg-server in LTS. (lamby) +-- zabbix (utkarsh) NOTE: 20240212: Added by Front-Desk (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e16f1bbc9dd7898cd74dfebfd9787ec6e893646 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e16f1bbc9dd7898cd74dfebfd9787ec6e893646 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla-needed.txt: Reassign dnsmasq to dleidert.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 31c0ebef by Chris Lamb at 2024-04-03T12:50:41+01:00 dla-needed.txt: Reassign dnsmasq to dleidert. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -40,8 +40,11 @@ bind9 (Sean Whitton) NOTE: 20240218: Added by Front-Desk (lamby) NOTE: 20240218: CVE-2023-4408 CVE-2023-50387 CVE-2023-50868 CVE-2023-5517 CVE-2023-5679 already fixed in bullseye. (lamby) -- -dnsmasq (Chris Lamb) +dnsmasq (dleidert) NOTE: 20240303: Added by Front-Desk (apo) + NOTE: 20240325: Automatically unassigned (lamby) + NOTE: 20240327: Claimed by lamby, started thread on deblts-team. (lamby) + NOTE: 20240403: Re-assigned back to dleidert; see thread. (lamby) -- docker.io NOTE: 20230303: Added by Front-Desk (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/31c0ebef59d1b6ce89f00e89b15e988b161d7d9f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/31c0ebef59d1b6ce89f00e89b15e988b161d7d9f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
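Review bot: The added NOTE lines "started thread on deblts-team" and "Re-assigned back to dleidert; see thread" give no link to the thread; other NOTE lines on this page link their reference (for example the varnish pull request URL), so an archive URL here would let the next assignee find the context without searching the list.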
[Git][security-tracker-team/security-tracker][master] Add an emacs note.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: fcad6410 by Chris Lamb at 2024-04-03T12:12:27+01:00 Add an emacs note. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -67,6 +67,10 @@ edk2 -- emacs NOTE: 20240403: Added by Front-Desk (lamby) + NOTE: 20240403: Needs someone with a little familiarity with Lisp — by my + NOTE: 20240403: eye, the version of emacs in LTS may not be vulnerable to, + NOTE: 20240403: for example, CVE-2024-30202. But I think it is vulnerable + NOTE: 20240403: to CVE-2024-30203. (lamby) -- expat (tobi) NOTE: 20240306: Added by Front-Desk (opal) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fcad6410006df4c605343b5a411b587176653cde -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fcad6410006df4c605343b5a411b587176653cde You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
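Review bot: The added NOTE lines carry a substantive triage claim (buster's emacs likely not affected by CVE-2024-30202 but affected by CVE-2024-30203) only in dla-needed.txt; once someone familiar with Lisp confirms it, the result should be recorded as [buster] lines in data/CVE/list (for instance "(Vulnerable code not present)" for CVE-2024-30202), since dla-needed.txt NOTEs are deleted when the entry is closed and the reasoning would otherwise be lost.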
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage emacs for buster LTS (CVE-2024-30202,...
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 629d78c6 by Chris Lamb at 2024-04-03T11:50:14+01:00 data/dla-needed.txt: Triage emacs for buster LTS (CVE-2024-30202, CVE-2024-30203, CVE-2024-30204 CVE-2024-30205) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -65,6 +65,9 @@ edk2 NOTE: 20231230: CVE-2019-11098 fixed via bullseye 11.2 (lamby) NOTE: 20240312: CVE-2023-48733 fixed via DSA-5624-1 (Beuc/front-desk) -- +emacs + NOTE: 20240403: Added by Front-Desk (lamby) +-- expat (tobi) NOTE: 20240306: Added by Front-Desk (opal) NOTE: 20230324: slowly making progress, seems that I've just defeated CVE-2023-52425 :) (tobi) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/629d78c693ffb754c909e3d529b440d55a20330d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/629d78c693ffb754c909e3d529b440d55a20330d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage pillow for buster LTS (CVE-2024-28219)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: c382a956 by Chris Lamb at 2024-04-03T11:42:59+01:00 data/dla-needed.txt: Triage pillow for buster LTS (CVE-2024-28219) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -196,6 +196,9 @@ pdns-recursor (dleidert) NOTE: 20240306: Added by Front-Desk (opal) NOTE: 20240319: Upload postponed due to #1067124 (dleidert) -- +pillow + NOTE: 20240403: Added by Front-Desk (lamby) +-- putty (rouca) NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c382a9561269fe28f6ddff26925ca1905514a571 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c382a9561269fe28f6ddff26925ca1905514a571 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim dnsmasq.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 3b5e80b5 by Chris Lamb at 2024-03-27T10:52:38+00:00 data/dla-needed.txt: Claim dnsmasq. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -40,7 +40,7 @@ bind9 (Sean Whitton) NOTE: 20240218: Added by Front-Desk (lamby) NOTE: 20240218: CVE-2023-4408 CVE-2023-50387 CVE-2023-50868 CVE-2023-5517 CVE-2023-5679 already fixed in bullseye. (lamby) -- -dnsmasq +dnsmasq (Chris Lamb) NOTE: 20240303: Added by Front-Desk (apo) -- docker.io View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b5e80b544e627d92d82bd537202cbd18700940b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b5e80b544e627d92d82bd537202cbd18700940b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3773-1 for freeipa
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: f99d7b64 by Chris Lamb at 2024-03-25T11:00:34+00:00 Reserve DLA-3773-1 for freeipa - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[25 Mar 2024] DLA-3773-1 freeipa - security update + {CVE-2024-1481} + [buster] - freeipa 4.7.2-3+deb10u1 [24 Mar 2024] DLA-3772-1 python3.7 - security update {CVE-2023-6597 CVE-2024-0450} [buster] - python3.7 3.7.3-2+deb10u7 = data/dla-needed.txt = @@ -82,9 +82,6 @@ freeimage NOTE: 20240320: Added by Front-Desk (ta) NOTE: 20240320: lots of postponed issue could be fixed as well -- -freeipa (Chris Lamb) - NOTE: 20240307: Added by Front-Desk (opal) --- frr NOTE: 20231119: Added by Front-Desk (apo) NOTE: 20240206: Continuing fixing the remaining issues (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f99d7b6460c57abfcd60c4cdc552d230fcf5d3b2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f99d7b6460c57abfcd60c4cdc552d230fcf5d3b2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim freeipa.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 2e10e39a by Chris Lamb at 2024-03-08T10:37:39+00:00 data/dla-needed.txt: Claim freeipa. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -104,7 +104,7 @@ expat freeimage NOTE: 20240121: Added by Front-Desk (apo) -- -freeipa +freeipa (Chris Lamb) NOTE: 20240307: Added by Front-Desk (opal) -- frr (Abhijith PA) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e10e39a30bfea25bd6803677d1498fc764aadaf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e10e39a30bfea25bd6803677d1498fc764aadaf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3751-1 for libapache2-mod-auth-openidc
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: e97aabc0 by Chris Lamb at 2024-03-05T17:47:42+00:00 Reserve DLA-3751-1 for libapache2-mod-auth-openidc - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[05 Mar 2024] DLA-3751-1 libapache2-mod-auth-openidc - security update + {CVE-2024-24814} + [buster] - libapache2-mod-auth-openidc 2.3.10.2-1+deb10u4 [05 Mar 2024] DLA-3750-1 php-phpseclib - security update {CVE-2024-27354 CVE-2024-27355} [buster] - php-phpseclib 2.0.30-2~deb10u3 = data/dla-needed.txt = @@ -144,9 +144,6 @@ jetty9 knot-resolver NOTE: 20231029: Added by Front-Desk (gladk) -- -libapache2-mod-auth-openidc (Chris Lamb) - NOTE: 20240305: Added by Front-Desk (opal) --- libcommons-compress-java (Markus Koschany) NOTE: 20240303: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e97aabc00b6e1615609397d031bbcdc09bb57d97 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e97aabc00b6e1615609397d031bbcdc09bb57d97 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim libapache2-mod-auth-openidc.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 6ed995f0 by Chris Lamb at 2024-03-05T12:33:07+00:00 data/dla-needed.txt: Claim libapache2-mod-auth-openidc. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -144,7 +144,7 @@ jetty9 knot-resolver NOTE: 20231029: Added by Front-Desk (gladk) -- -libapache2-mod-auth-openidc +libapache2-mod-auth-openidc (Chris Lamb) NOTE: 20240305: Added by Front-Desk (opal) -- libcommons-compress-java (Markus Koschany) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ed995f0a1cbfe898045cb381541fc4a60b7e009 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ed995f0a1cbfe898045cb381541fc4a60b7e009 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3744-1 for python-django
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 9d599100 by Chris Lamb at 2024-02-29T15:17:14+00:00 Reserve DLA-3744-1 for python-django - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -194168,7 +194168,6 @@ CVE-2021-33572 (A Denial-of-Service (DoS) vulnerability was discovered in F-Secu CVE-2021-33571 (In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, ...) {DLA-2676-1} - python-django 2:2.2.24-1 (bug #989394) - [buster] - python-django (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2021/06/02/1 NOTE: https://github.com/django/django/commit/e1d787f1b36d13b95187f8f425425ae1b98da188 (main) NOTE: https://github.com/django/django/commit/f27c38ab5d90f68c9dd60cabef248a570c0be8fc (2.2.24) @@ -195118,7 +195117,6 @@ CVE-2021-33204 (In the pg_partman (aka PG Partition Manager) extension before 4. CVE-2021-33203 (Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a ...) {DLA-2676-1} - python-django 2:2.2.24-1 (bug #989394) - [buster] - python-django (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2021/06/02/1 NOTE: https://github.com/django/django/commit/46572de2e92fdeaf047f80c44d52269e54ad68db (main) NOTE: https://github.com/django/django/commit/053cc9534d174dc89daba36724ed2dcb36755b90 (2.2.24) @@ -199678,7 +199676,6 @@ CVE-2021-31543 CVE-2021-31542 (In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, M ...) {DLA-2651-1} - python-django 2:2.2.21-1 (bug #988053) - [buster] - python-django (Minor issue) NOTE: https://www.djangoproject.com/weblog/2021/may/04/security-releases/ NOTE: https://github.com/django/django/commit/0b79eb36915d178aef5c6a7bbce71b1e76d376d3 (main) NOTE: https://github.com/django/django/commit/04ac1624bdc2fa737188401757cf95ced122d26d (2.2.21) 
@@ -207407,7 +207404,6 @@ CVE-2021-28659 CVE-2021-28658 (In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, ...) {DLA-2622-1} - python-django 2:2.2.20-1 (bug #986447) - [buster] - python-django (Minor issue; can be fixed via point release) NOTE: https://www.djangoproject.com/weblog/2021/apr/06/security-releases/ NOTE: https://github.com/django/django/commit/d4d800ca1addc4141e03c5440a849bb64d1582cd (main) NOTE: https://github.com/django/django/commit/4036d62bda0e9e9f6172943794b744a454ca49c2 (2.2.20) = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Feb 2024] DLA-3744-1 python-django - security update + {CVE-2021-28658 CVE-2021-31542 CVE-2021-33203 CVE-2021-33571} + [buster] - python-django 1:1.11.29-1+deb10u11 [27 Feb 2024] DLA-3743-1 wpa - security update {CVE-2023-52160} [buster] - wpa 2:2.7+git20190128+0c1e29f-6+deb10u4 = data/dla-needed.txt = 
@@ -212,12 +212,6 @@ python-asyncssh NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and in Git, but one test is failing. Waiting for feedback before release. (dleidert) -- -python-django (Chris Lamb) - NOTE: 20231006: Added by Front-Desk (Beuc) - NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists (Beuc/front-desk) - NOTE: 20231020: ^ CVE-2021-28658, CVE-2021-31542, CVE-2021-33203 & CVE-2021-33571. (lamby) - NOTE: 20231020: Also now vulnerable to CVE-2023-43665. (lamby) --- python-glance-store NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d599100d6794a9d239120cf36caad0b97d66f5e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d599100d6794a9d239120cf36caad0b97d66f5e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
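Review bot: The dla-needed.txt hunk deletes the whole python-django entry, including "NOTE: 20231020: Also now vulnerable to CVE-2023-43665. (lamby)", but DLA-3744-1 lists only CVE-2021-28658, CVE-2021-31542, CVE-2021-33203 and CVE-2021-33571; the buster status of CVE-2023-43665 should be recorded in data/CVE/list (fixed, postponed or no-dsa) or the entry kept open for it, otherwise that open issue drops off the work list together with the note.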
[Git][security-tracker-team/security-tracker][master] Postpone for CVE-2024-24680/python-django in buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: c0c45bac by Chris Lamb at 2024-02-29T13:53:28+00:00 Postpone for CVE-2024-24680/python-django in buster LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5562,6 +5562,7 @@ CVE-2024-24680 (An issue was discovered in Django 3.2 before 3.2.24, 4.2 before - python-django 3:4.2.10-1 [bookworm] - python-django (Minor issue, fix along in future update) [bullseye] - python-django (Minor issue, fix along in future update) + [buster] - python-django (Minor issue, fix along in future update) NOTE: https://www.openwall.com/lists/oss-security/2024/02/06/2 NOTE: https://www.djangoproject.com/weblog/2024/feb/06/security-releases/ NOTE: https://github.com/django/django/commit/55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9 (main) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0c45bac3c79a54b3b81f9bd901ba45913947b67 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0c45bac3c79a54b3b81f9bd901ba45913947b67 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim python-django.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 0c7bcf87 by Chris Lamb at 2024-02-29T13:52:59+00:00 data/dla-needed.txt: Claim python-django. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -212,7 +212,7 @@ python-asyncssh NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and in Git, but one test is failing. Waiting for feedback before release. (dleidert) -- -python-django +python-django (Chris Lamb) NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists (Beuc/front-desk) NOTE: 20231020: ^ CVE-2021-28658, CVE-2021-31542, CVE-2021-33203 & CVE-2021-33571. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c7bcf871909b53a8b1fcab2221c51cbc84516fc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c7bcf871909b53a8b1fcab2221c51cbc84516fc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3743-1 for wpa
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e402626 by Chris Lamb at 2024-02-27T13:59:39+00:00 Reserve DLA-3743-1 for wpa - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[27 Feb 2024] DLA-3743-1 wpa - security update + {CVE-2023-52160} + [buster] - wpa 2:2.7+git20190128+0c1e29f-6+deb10u4 [27 Feb 2024] DLA-3742-1 libgit2 - security update {CVE-2024-24577} [buster] - libgit2 0.27.7+dfsg.1-0.2+deb10u2 = data/dla-needed.txt = @@ -309,9 +309,6 @@ wireshark (Adrian Bunk) NOTE: 20231204: DLA pending (bunk) NOTE: 20231218: Debugging a problem with the update. (bunk) -- -wpa (Chris Lamb) - NOTE: 20240222: Added by Front-Desk (santiago) --- zabbix NOTE: 20240212: Added by Front-Desk (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e4026260427fa1a1fe1dd524aa4687424a3ea5c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e4026260427fa1a1fe1dd524aa4687424a3ea5c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim wpa.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 224b857c by Chris Lamb at 2024-02-26T09:45:05+00:00 data/dla-needed.txt: Claim wpa. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -313,7 +313,7 @@ wireshark (Adrian Bunk) NOTE: 20231204: DLA pending (bunk) NOTE: 20231218: Debugging a problem with the update. (bunk) -- -wpa +wpa (Chris Lamb) NOTE: 20240222: Added by Front-Desk (santiago) -- zabbix View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/224b857cc176241c7183a3e393520b0a3b3ecc27 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/224b857cc176241c7183a3e393520b0a3b3ecc27 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3738-1 for iwd
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: efddaa4c by Chris Lamb at 2024-02-22T12:59:37+00:00 Reserve DLA-3738-1 for iwd - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[22 Feb 2024] DLA-3738-1 iwd - security update + {CVE-2023-52161} + [buster] - iwd 0.14-2+deb10u1 [22 Feb 2024] DLA-3737-1 imagemagick - security update {CVE-2023-1289 CVE-2023-5341 CVE-2023-34151} [buster] - imagemagick 8:6.9.10.23+dfsg-2.1+deb10u6 = data/dla-needed.txt = @@ -127,9 +127,6 @@ imagemagick NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) NOTE: 20231014: Some work under git branch debian/buster but unease -- -iwd (Chris Lamb) - NOTE: 20240218: Added by Front-Desk (lamby) --- jenkins-htmlunit-core-js NOTE: 20231231: Added by Front-Desk (lamby) NOTE: 20231231: Needs checking that this is definitely vulnerable: a quick glance View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/efddaa4c9c76ad52ae047356521ca5290f418a0f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/efddaa4c9c76ad52ae047356521ca5290f418a0f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim iwd.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 3eef94d6 by Chris Lamb at 2024-02-19T14:33:37+00:00 data/dla-needed.txt: Claim iwd. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -127,7 +127,7 @@ imagemagick NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) NOTE: 20231014: Some work under git branch debian/buster but unease -- -iwd +iwd (Chris Lamb) NOTE: 20240218: Added by Front-Desk (lamby) -- jenkins-htmlunit-core-js View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3eef94d60a4b05b7633bdb320f7507820486
[Git][security-tracker-team/security-tracker][master] 5 commits: Triage CVE-2022-48623 in libcpanel-json-xs-perl for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: ae4bf3c6 by Chris Lamb at 2024-02-18T18:28:49+00:00 Triage CVE-2022-48623 in libcpanel-json-xs-perl for buster LTS. - - - - - 635b6321 by Chris Lamb at 2024-02-18T18:29:28+00:00 Triage CVE-2024-25189 in libjwt for buster LTS. - - - - - 4de01d7f by Chris Lamb at 2024-02-18T18:30:10+00:00 Triage CVE-2023-6110 in python-openstackclient for buster LTS. - - - - - 76530924 by Chris Lamb at 2024-02-18T18:30:27+00:00 Triage CVE-2023-51774 in ruby-json-jwt for buster LTS. - - - - - e09c0619 by Chris Lamb at 2024-02-18T18:31:34+00:00 data/dla-needed.txt: Triage bind9 for buster LTS (re. CVE-2023-4408, CVE-2023-50387, CVE-2023-50868, CVE-2023-5517 CVE-2023-5679) - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -1206,6 +1206,7 @@ CVE-2023-41703 (User ID references at mentions in document comments were not cor CVE-2022-48623 (The Cpanel::JSON::XS package before 4.33 for Perl performs out-of-boun ...) - libcpanel-json-xs-perl 4.35-1 [bullseye] - libcpanel-json-xs-perl (Minor issue) + [buster] - libcpanel-json-xs-perl (Minor issue) NOTE: https://github.com/rurban/Cpanel-JSON-XS/issues/208 NOTE: Fixed by: https://github.com/rurban/Cpanel-JSON-XS/commit/41f32396eee9395a40f9ed80145c37622560de9b (4.33) CVE-2021-4437 (A vulnerability, which was classified as problematic, has been found i ...) @@ -1227,6 +1228,7 @@ CVE-2023-6110 [deleting a non existing access rule deletes another existing acce - python-openstackclient [bookworm] - python-openstackclient (Minor issue) [bullseye] - python-openstackclient (Minor issue) + [buster] - python-openstackclient (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2212960 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2209607 NOTE: https://review.opendev.org/888697 
@@ -1675,6 +1677,7 @@ CVE-2024-25189 (libjwt 1.15.3 uses strcmp (which is not constant time) to verify - libjwt (bug #1063534) [bookworm] - libjwt (Minor issue) [bullseye] - libjwt (Minor issue) + [buster] - libjwt (Minor issue) NOTE: https://github.com/P3ngu1nW/CVE_Request/blob/main/benmcollins%3Alibjwt.md NOTE: https://github.com/benmcollins/libjwt/commit/f73bac57c5bece16ac24f1a70022aa34355fc1bf (v1.17.0) NOTE: https://github.com/benmcollins/libjwt/commit/a5d61ef4f1b383876e0a78534383f38159471fd6 (v1.17.0) @@ -9976,6 +9979,7 @@ CVE-2023-51774 (The json-jwt (aka JSON::JWT) gem 1.16.3 for Ruby sometimes allow - ruby-json-jwt [bookworm] - ruby-json-jwt (Revisit when addressed upstream) [bullseye] - ruby-json-jwt (Revisit when addressed upstream) + [buster] - ruby-json-jwt (Revisit when addressed upstream) NOTE: https://github.com/P3ngu1nW/CVE_Request/blob/main/novjson-jwt.md NOTE: https://github.com/nov/json-jwt/issues/113 CVE-2023-51773 (BACnet Stack before 1.3.2 has a decode function APDU buffer over-read ...) = data/dla-needed.txt = 
@@ -34,6 +34,10 @@ atril NOTE: 20240121: Added by Front-Desk (apo) NOTE: 20240121: Decide whether it makes sense to disable comic feature or use libarchive instead. -- +bind9 + NOTE: 20240218: Added by Front-Desk (lamby) + NOTE: 20240218: CVE-2023-4408 CVE-2023-50387 CVE-2023-50868 CVE-2023-5517 CVE-2023-5679 already fixed in bullseye. (lamby) +-- cacti (Sylvain Beucler) NOTE: 20230906: Added by Front-Desk (lamby) NOTE: 20231205: Triaging CVEs backlog (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1ae90d779787424cfbe534a40be8ad12965c908a...e09c06199691c435c54fd6da97463ac574d4e0fb
[Git][security-tracker-team/security-tracker][master] Triage CVE-2024-24826 & CVE-2024-25112 in exiv2 for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ae90d77 by Chris Lamb at 2024-02-18T18:28:02+00:00 Triage CVE-2024-24826 CVE-2024-25112 in exiv2 for buster LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1027,6 +1027,7 @@ CVE-2024-25112 (Exiv2 is a command-line utility and C++ library for reading, wri - exiv2 [bookworm] - exiv2 (Minor issue) [bullseye] - exiv2 (Minor issue) + [buster] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-crmj-qh74-2r36 NOTE: Fixed by: https://github.com/Exiv2/exiv2/commit/355afea485550e8214ac6b449fb210a7efb71365 (v0.28.2) NOTE: GHSA mentions new in v0.28.0, but that only applies to the "main" branch, where @@ -1054,6 +1055,7 @@ CVE-2024-24826 (Exiv2 is a command-line utility and C++ library for reading, wri - exiv2 [bookworm] - exiv2 (Minor issue) [bullseye] - exiv2 (Minor issue) + [buster] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-g9xm-7538-mq8w NOTE: https://github.com/Exiv2/exiv2/pull/2337 NOTE: GHSA mentions new in v0.28.0, but that only applies to the "main" branch, where View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ae90d779787424cfbe534a40be8ad12965c908a
[Git][security-tracker-team/security-tracker][master] Triage CVE-2024-25715 in glewlwyd for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 66d9a897 by Chris Lamb at 2024-02-18T17:46:02+00:00 Triage CVE-2024-25715 in glewlwyd for buster LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1298,6 +1298,7 @@ CVE-2024-25715 (Glewlwyd SSO server 2.x through 2.7.6 allows open redirection vi - glewlwyd 2.7.6+ds-2 [bookworm] - glewlwyd (Minor issue) [bullseye] - glewlwyd (Minor issue) + [buster] - glewlwyd (Minor issue) NOTE: https://github.com/babelouest/glewlwyd/commit/59239381a88c505ab38fe64fdd92f846defa5754 NOTE: https://github.com/babelouest/glewlwyd/commit/c91c0155f2393274cc18efe77e06c6846e404c75 CVE-2024-25714 (In Rhonabwy through 1.1.13, HMAC signature verification uses a strcmp ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/66d9a89788b163c7697d3f481a5ef494fb1abb87
[Git][security-tracker-team/security-tracker][master] 8 commits: data/dla-needed.txt: Triage iwd for buster LTS (CVE-2023-52161)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 5297b690 by Chris Lamb at 2024-02-18T17:31:01+00:00 data/dla-needed.txt: Triage iwd for buster LTS (CVE-2023-52161) - - - - - 9572bb5b by Chris Lamb at 2024-02-18T17:31:25+00:00 Triage CVE-2023-29483 in dnspython for buster LTS. - - - - - ee62ef4e by Chris Lamb at 2024-02-18T17:35:17+00:00 Triage CVE-2023-25951, CVE-2023-26586, CVE-2023-28374, CVE-2023-28720, CVE-2023-32642, CVE-2023-32644, CVE-2023-32651, CVE-2023-33875, CVE-2023-34983 CVE-2023-35061 in firmware-nonfree for buster LTS. - - - - - 8d0b627f by Chris Lamb at 2024-02-18T17:35:53+00:00 Triage CVE-2024-1019 in modsecurity for buster LTS. - - - - - 707ac7bd by Chris Lamb at 2024-02-18T17:36:16+00:00 Triage CVE-2024-1454 in opensc for buster LTS. - - - - - c43fecd6 by Chris Lamb at 2024-02-18T17:37:41+00:00 Triage CVE-2024-25447, CVE-2024-25448 CVE-2024-25450 in imlib2 for buster LTS. - - - - - 59aa8e74 by Chris Lamb at 2024-02-18T17:38:13+00:00 Triage CVE-2024-23635 in libowasp-antisamy-java for buster LTS. - - - - - 8e06b533 by Chris Lamb at 2024-02-18T17:38:51+00:00 Triage CVE-2023-1932 in libhibernate-validator-java for buster LTS. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -565,6 +565,7 @@ CVE-2023-35061 (Improper initialization for some Intel(R) PROSet/Wireless and In - firmware-nonfree [bookworm] - firmware-nonfree (Non-free not supported) [bullseye] - firmware-nonfree (Non-free not supported) + [buster] - firmware-nonfree (Non-free not supported) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00947.html NOTE: Fixed upstream in linux-firmware/20231211 CVE-2023-35060 (Uncontrolled search path in some Intel(R) Battery Life Diagnostic Tool ...) 
@@ -575,6 +576,7 @@ CVE-2023-34983 (Improper input validation for some Intel(R) PROSet/Wireless and - firmware-nonfree [bookworm] - firmware-nonfree (Non-free not supported) [bullseye] - firmware-nonfree (Non-free not supported) + [buster] - firmware-nonfree (Non-free not supported) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00947.html NOTE: Fixed upstream in linux-firmware/20231211 CVE-2023-34351 (Buffer underflow in some Intel(R) PCM software before version 202307 m ...) @@ -585,6 +587,7 @@ CVE-2023-33875 (Improper access control for some Intel(R) PROSet/Wireless and In - firmware-nonfree [bookworm] - firmware-nonfree (Non-free not supported) [bullseye] - firmware-nonfree (Non-free not supported) + [buster] - firmware-nonfree (Non-free not supported) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00947.html NOTE: Fixed upstream in linux-firmware/20231211 CVE-2023-33870 (Insecure inherited permissions in some Intel(R) Ethernet tools and dri ...) @@ -593,6 +596,7 @@ CVE-2023-32651 (Improper validation of specified type of input for some Intel(R) - firmware-nonfree [bookworm] - firmware-nonfree (Non-free not supported) [bullseye] - firmware-nonfree (Non-free not supported) + [buster] - firmware-nonfree (Non-free not supported) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00947.html NOTE: Fixed upstream in linux-firmware/20231211 CVE-2023-32647 (Improper access control in some Intel(R) XTU software before version 7 ...) 
@@ -603,12 +607,14 @@ CVE-2023-32644 (Protection mechanism failure for some Intel(R) PROSet/Wireless a - firmware-nonfree [bookworm] - firmware-nonfree (Non-free not supported) [bullseye] - firmware-nonfree (Non-free not supported) + [buster] - firmware-nonfree (Non-free not supported) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00947.html NOTE: Fixed upstream in linux-firmware/20231211 CVE-2023-32642 (Insufficient adherence to expected conventions for some Intel(R) PROSe ...) - firmware-nonfree [bookworm] - firmware-nonfree (Non-free not supported) [bullseye] - firmware-nonfree (Non-free not supported) + [buster] - firmware-nonfree (Non-free not supported) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00947.html NOTE: Fixed upstream in linux-firmware/20231211 CVE-2023-32618 (Uncontrolled search path in some Intel(R) oneAPI Toolkit and component ...) @@ -627,12 +633,14 @@ CVE-2023-28720 (Improper initialization for some Intel(R) PROSet/Wireless and In - firmware-nonfree [bookworm] - firmware-nonfree (Non-free not supported) [bullseye] - firmware-nonfree (Non-free not supported) + [buster] - firmware
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage nodejs for buster LTS (CVE-2023-46809, CVE-2024-21892 & CVE-2024-22019)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 6608ae8e by Chris Lamb at 2024-02-18T17:29:09+00:00 data/dla-needed.txt: Triage nodejs for buster LTS (CVE-2023-46809, CVE-2024-21892 CVE-2024-22019) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -166,6 +166,9 @@ linux-5.10 lucene-solr NOTE: 20240213: Added by Front-Desk (lamby) -- +nodejs + NOTE: 20240218: Added by Front-Desk (lamby) +-- nova NOTE: 20230302: Re-add, request by maintainer (Beuc) NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6608ae8e8e4d17d842cd4f40112877cef78885cb
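Review bot: the new nodejs entry in data/dla-needed.txt records only "NOTE: 20240218: Added by Front-Desk (lamby)", while the CVEs that triggered it (CVE-2023-46809, CVE-2024-21892 and CVE-2024-22019) appear only in the commit message; a second NOTE line listing them, as the bind9 entry elsewhere on this page does, would let whoever claims the package see the scope of the work without consulting the git log.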
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage unbound for buster LTS (CVE-2023-50387 & CVE-2023-50868)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: e89070ae by Chris Lamb at 2024-02-14T08:35:19+00:00 data/dla-needed.txt: Triage unbound for buster LTS (CVE-2023-50387 CVE-2023-50868) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -283,6 +283,9 @@ tinymce tomcat9 (Markus Koschany) NOTE: 20240121: Added by Front-Desk (apo) -- +unbound + NOTE: 20240214: Added by Front-Desk (lamby) +-- varnish (Abhijith PA) NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e89070ae795a2a595c2e6f6c07525e2e511baca2
[Git][security-tracker-team/security-tracker][master] 4 commits: data/dla-needed.txt: Triage engrampa for buster LTS (CVE-2023-52138)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 9de3efaf by Chris Lamb at 2024-02-13T18:13:24+00:00 data/dla-needed.txt: Triage engrampa for buster LTS (CVE-2023-52138) - - - - - 61cf5b52 by Chris Lamb at 2024-02-13T18:14:31+00:00 Triage CVE-2024-24815 CVE-2024-24816 in ckeditor for buster LTS. - - - - - dc4cf461 by Chris Lamb at 2024-02-13T18:14:55+00:00 Triage CVE-2023-42282 in node-ip for buster LTS. - - - - - 72d61192 by Chris Lamb at 2024-02-13T18:15:49+00:00 data/dla-needed.txt: Triage lucene-solr for buster LTS (CVE-2023-50291, CVE-2023-50292, CVE-2023-50298 CVE-2023-50386) - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -727,6 +727,7 @@ CVE-2023-42282 (An issue in NPM IP Package v.1.1.8 and before allows an attacker - node-ip (bug #1063535) [bookworm] - node-ip (Minor issue) [bullseye] - node-ip (Minor issue) + [buster] - node-ip (Minor issue) NOTE: https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3/ NOTE: https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html NOTE: https://github.com/indutny/node-ip/issues/136 @@ -835,6 +836,7 @@ CVE-2024-24816 (CKEditor4 is an open source what-you-see-is-what-you-get HTML ed - ckeditor (bug #1063536) [bookworm] - ckeditor (Minor issue) [bullseye] - ckeditor (Minor issue) + [buster] - ckeditor (Minor issue) - ckeditor3 (bug #1063537) [bookworm] - ckeditor3 (Minor issue) [bullseye] - ckeditor3 (Minor issue) @@ -845,6 +847,7 @@ CVE-2024-24815 (CKEditor4 is an open source what-you-see-is-what-you-get HTML ed - ckeditor (bug #1063536) [bookworm] - ckeditor (Minor issue) [bullseye] - ckeditor (Minor issue) + [buster] - ckeditor (Minor issue) - ckeditor3 (bug #1063537) [bookworm] - ckeditor3 (Minor issue) [bullseye] - ckeditor3 (Minor issue) = data/dla-needed.txt = 
@@ -82,6 +82,9 @@ edk2 NOTE: 20231230: Added by Front-Desk (lamby) NOTE: 20231230: CVE-2019-11098 fixed in bullseye via DSA or point release (lamby) -- +engrampa + NOTE: 20240213: Added by Front-Desk (lamby) +-- exiftags NOTE: 20240121: Added by Front-Desk (apo) -- @@ -159,6 +162,9 @@ linux (Ben Hutchings) linux-5.10 NOTE: 20231005: perma-added for LTS package-specific delegation (bwh) -- +lucene-solr + NOTE: 20240213: Added by Front-Desk (lamby) +-- nova NOTE: 20230302: Re-add, request by maintainer (Beuc) NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/16fa3d98947451f12de6faf3332185c6bdc2be11...72d61192b726f8162b6fab51542d093fb982ff9d
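Review bot: in the data/CVE/list hunks for CVE-2024-24816 and CVE-2024-24815 a "[buster] - ckeditor (Minor issue)" line is added, but the ckeditor3 block directly beneath each, which carries the same [bookworm] and [bullseye] "Minor issue" lines, gets no [buster] line; if ckeditor3 also ships in buster it needs the same triage and would otherwise keep showing as open there, and if it does not, the omission is fine but worth confirming in the commit message.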
[Git][security-tracker-team/security-tracker][master] (Re-)triage filezilla for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 630bacc3 by Chris Lamb at 2024-02-12T09:20:25-08:00 (Re-)triage filezilla for buster LTS. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -10192,7 +10192,7 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun - filezilla 3.66.4-1 [bookworm] - filezilla 3.63.0-1+deb12u3 [bullseye] - filezilla 3.52.2-3+deb11u1 - [buster] - filezilla (Minor issue) + [buster] - filezilla (OpenSSH extension in question not implemented) - golang-go.crypto 1:0.17.0-1 (bug #1059003) [bookworm] - golang-go.crypto (Minor issue) [bullseye] - golang-go.crypto (Minor issue) = data/dla-needed.txt = @@ -85,10 +85,6 @@ edk2 exiftags NOTE: 20240121: Added by Front-Desk (apo) -- -filezilla - NOTE: 20240212: Added by Front-Desk (lamby) - NOTE: 20240212: CVE-2023-48795 fixed in bullseye via DSA or point release. (lamby) --- freeimage NOTE: 20240121: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/630bacc3fda1bdbb812e13d3f8e3fc4357280f47
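Review bot: the buster line for CVE-2023-48795 changes from "(Minor issue)" to "(OpenSSH extension in question not implemented)", which asserts that buster's filezilla is not affected at all rather than giving a reason to postpone a fix, yet it keeps the same bare parenthesised form that the golang-go.crypto lines in this hunk use for "affected, no update planned"; if the extension really is absent in buster the entry should use the tracker's not-affected marking so the package stops showing as open for buster, and if only the impact is judged low, the previous "Minor issue" wording was the accurate one. The dla-needed.txt removal is consistent with either reading.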
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage filezilla for buster LTS (CVE-2023-48795)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 82e4d059 by Chris Lamb at 2024-02-12T09:08:32-08:00 data/dla-needed.txt: Triage filezilla for buster LTS (CVE-2023-48795) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -85,6 +85,10 @@ edk2 exiftags NOTE: 20240121: Added by Front-Desk (apo) -- +filezilla + NOTE: 20240212: Added by Front-Desk (lamby) + NOTE: 20240212: CVE-2023-48795 fixed in bullseye via DSA or point release. (lamby) +-- freeimage NOTE: 20240121: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/82e4d05916353a40e7aa495fcb9747cfb7687774
[Git][security-tracker-team/security-tracker][master] 2 commits: Mark CVE-2023-43665/python-django for buster as postponed.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 16af6287 by Chris Lamb at 2024-02-12T09:05:58-08:00 Mark CVE-2023-43665/python-django for buster as postponed. - - - - - ad4521b7 by Chris Lamb at 2024-02-12T09:07:32-08:00 data/dla-needed.txt: Triage ghostscript for buster LTS (CVE-2020-36773) - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -24412,6 +24412,7 @@ CVE-2023-43665 (In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4 - python-django 3:4.2.6-1 (bug #1053475) [bookworm] - python-django (Minor issue, fix along in future update) [bullseye] - python-django (Minor issue, fix along in future update) + [buster] - python-django (Minor issue, fix along in future update) NOTE: https://www.openwall.com/lists/oss-security/2023/10/04/6 NOTE: https://www.djangoproject.com/weblog/2023/oct/04/security-releases/ NOTE: https://github.com/django/django/commit/17b51094d778b421bb2b3aae0c270894b050455d (main) = data/dla-needed.txt = 
@@ -92,6 +92,9 @@ frr (Abhijith PA) NOTE: 20231119: Added by Front-Desk (apo) NOTE: 20240206: Continuing fixing the remaining issues (abhijith) -- +ghostscript + NOTE: 20240212: Added by Front-Desk (lamby) +-- gnutls28 (guilhem) NOTE: 20240122: Added by Front-Desk (Beuc) NOTE: 20240122: Incomplete fix for CVE-2023-5981/DLA-3660-1 (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c641b6873514816ec6cbb82b3131ed10bbd608b2...ad4521b7cf6220762f9059a34a4feed9abbbe867
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim python-django.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: a0118d4d by Chris Lamb at 2024-02-05T08:35:55-08:00 data/dla-needed.txt: Claim python-django. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -177,7 +177,7 @@ python-asyncssh (dleidert) NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and in Git, but one test is failing. Waiting for feedback before release. (dleidert) -- -python-django +python-django (Chris Lamb) NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists (Beuc/front-desk) NOTE: 20231020: ^ CVE-2021-28658, CVE-2021-31542, CVE-2021-33203 & CVE-2021-33571. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0118d4d71c2be3f07f0fca7105ac7bef81da447
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3724-1 for pillow
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: d74639e6 by Chris Lamb at 2024-01-29T11:14:05-08:00 Reserve DLA-3724-1 for pillow - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Jan 2024] DLA-3724-1 pillow - security update + {CVE-2023-50447} + [buster] - pillow 5.4.1-2+deb10u4 [27 Jan 2024] DLA-3723-1 libspreadsheet-parsexlsx-perl - security update {CVE-2024-22368 CVE-2024-23525} [buster] - libspreadsheet-parsexlsx-perl 0.27-2+deb10u1 = data/dla-needed.txt = @@ -178,9 +178,6 @@ nvidia-cuda-toolkit openjdk-11 (Emilio) NOTE: 20240121: Added by Front-Desk (apo) -- -pillow (Chris Lamb) - NOTE: 20240121: Added by Front-Desk (apo) --- postfix (rouca) NOTE: 20240129: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d74639e64c3d0ce3f6d4faa695748e19f5003d04
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim pillow.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 4b58cf5e by Chris Lamb at 2024-01-24T07:08:36-08:00 data/dla-needed.txt: Claim pillow. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -189,7 +189,7 @@ php-phpseclib (guilhem) phpseclib (guilhem) NOTE: 20240114: Added by Front-Desk (apo) -- -pillow +pillow (Chris Lamb) NOTE: 20240121: Added by Front-Desk (apo) -- putty View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b58cf5e51e22fded557e28a2c0e86bc222f2a4e
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3716-1 for ruby-httparty
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: e41e5bb7 by Chris Lamb at 2024-01-23T09:02:36-08:00 Reserve DLA-3716-1 for ruby-httparty - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[23 Jan 2024] DLA-3716-1 ruby-httparty - security update + {CVE-2024-22049} + [buster] - ruby-httparty 0.16.2+dfsg1-3+deb10u1 [23 Jan 2024] DLA-3715-1 jinja2 - security update {CVE-2024-22195} [buster] - jinja2 2.10-2+deb10u1 = data/dla-needed.txt = @@ -241,9 +241,6 @@ ring NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca) -- -ruby-httparty (Chris Lamb) - NOTE: 20240121: Added by Front-Desk (apo) --- salt NOTE: 20220814: Added by Front-Desk (gladk) NOTE: 20220814: I am not sure, whether it is possible to fix issues View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e41e5bb72ab609e9e6c2767790ca9929f0f06543
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3715-1 for jinja2
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 92240195 by Chris Lamb at 2024-01-23T08:53:12-08:00 Reserve DLA-3715-1 for jinja2 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[23 Jan 2024] DLA-3715-1 jinja2 - security update + {CVE-2024-22195} + [buster] - jinja2 2.10-2+deb10u1 [22 Jan 2024] DLA-3709-2 squid - regression update [buster] - squid 4.6-1+deb10u10 [21 Jan 2024] DLA-3714-1 keystone - security update = data/dla-needed.txt = @@ -122,9 +122,6 @@ jenkins-htmlunit-core-js NOTE: 20231231: … TransformerFactory without setting the ~secure flag, so it may NOTE: 20231231: … indeed be vulnerable. (lamby) -- -jinja2 (Chris Lamb) - NOTE: 20240121: Added by Front-Desk (apo) --- knot-resolver (Markus Koschany) NOTE: 20231029: Added by Front-Desk (gladk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92240195d687f646ce55c635a62c80d87fccb30a
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim jinja2.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 1404ea69 by Chris Lamb at 2024-01-22T07:14:11-08:00 data/dla-needed.txt: Claim jinja2. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -121,7 +121,7 @@ jenkins-htmlunit-core-js NOTE: 20231231: … TransformerFactory without setting the ~secure flag, so it may NOTE: 20231231: … indeed be vulnerable. (lamby) -- -jinja2 +jinja2 (Chris Lamb) NOTE: 20240121: Added by Front-Desk (apo) -- knot-resolver (Markus Koschany) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1404ea69bcf45f73bd9068c3221f8c352a048d60
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim ruby-httparty.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: b89071f4 by Chris Lamb at 2024-01-22T07:10:12-08:00 data/dla-needed.txt: Claim ruby-httparty. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -242,7 +242,7 @@ ring NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca) -- -ruby-httparty +ruby-httparty (Chris Lamb) NOTE: 20240121: Added by Front-Desk (apo) -- salt View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b89071f46b2e70e34263fea1a1002dcbe4b618cc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b89071f46b2e70e34263fea1a1002dcbe4b618cc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Triage CVE-2024-0567 in gnutls28 for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 2a3f2eb6 by Chris Lamb at 2024-01-20T08:40:01-08:00 Triage CVE-2024-0567 in gnutls28 for buster LTS. - - - - - e234a770 by Chris Lamb at 2024-01-20T08:41:40-08:00 Triage CVE-2024-0553 in gnutls28 for buster LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -828,6 +828,7 @@ CVE-2024-0567 (A vulnerability was found in GnuTLS, where a cockpit (which uses - gnutls28 3.8.3-1 (bug #1061045) [bookworm] - gnutls28 (Minor issue) [bullseye] - gnutls28 (Minor issue) + [buster] - gnutls28 (Minor issue) NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1521 NOTE: https://gnutls.org/security-new.html#GNUTLS-SA-2024-01-09 NOTE: https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html @@ -842,6 +843,7 @@ CVE-2024-0553 (A vulnerability was found in GnuTLS. The response times to malfor - gnutls28 3.8.3-1 (bug #1061046) [bookworm] - gnutls28 (Minor issue) [bullseye] - gnutls28 (Incomplete fix for CVE-2023-5981 not published officially in any Debian bullseye release) + [buster] - gnutls28 (Vulnerable code not present) NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1522 NOTE: https://gnutls.org/security-new.html#GNUTLS-SA-2024-01-14 NOTE: https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e (3.8.3) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/01ef138081043cdc8c28d7ee6cbb31154d76aa4b...e234a770f5eb3e440d40f1995fe9db67a1df2d73 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/01ef138081043cdc8c28d7ee6cbb31154d76aa4b...e234a770f5eb3e440d40f1995fe9db67a1df2d73 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
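Review bot: the buster annotation for CVE-2024-0553 ("Vulnerable code not present") is justified on a different basis from the bullseye one ("Incomplete fix for CVE-2023-5981 not published officially in any Debian bullseye release"), and nothing in the entry records why buster is out of scope. Since CVE-2024-0553 is the follow-up to the CVE-2023-5981 fix, please add a NOTE stating whether buster's gnutls28 lacks the affected code path altogether or simply never received the CVE-2023-5981 change, so the next triager does not have to re-derive it. The CVE-2024-0567 line is consistent with the bookworm and bullseye markings.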
[Git][security-tracker-team/security-tracker][master] 5 commits: Triage CVE-2024-22365 in pam for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: e9657309 by Chris Lamb at 2024-01-19T07:14:13-08:00 Triage CVE-2024-22365 in pam for buster LTS. - - - - - 1c0a7782 by Chris Lamb at 2024-01-19T07:14:38-08:00 Triage CVE-2023-50658 in golang-github-dvsekhvalnov-jose2go for buster LTS. - - - - - eac2152c by Chris Lamb at 2024-01-19T07:15:01-08:00 Triage CVE-2024-22368 in libspreadsheet-parsexlsx-perl for buster LTS. - - - - - 304bbdbe by Chris Lamb at 2024-01-19T07:15:37-08:00 Triage CVE-2024-23659 in spip for buster LTS. - - - - - 27854d72 by Chris Lamb at 2024-01-19T07:17:24-08:00 data/dla-needed.txt: Triage qemu for buster LTS (CVE-2023-1544 CVE-2023-3354) - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -237,6 +237,7 @@ CVE-2024-22365 [pam_namespace: protect_dir(): use O_DIRECTORY to prevent local D - pam (bug #1061097) [bookworm] - pam (Minor issue) [bullseye] - pam (Minor issue) + [buster] - pam (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2024/01/18/3 NOTE: https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb (v1.6.0) CVE-2023-6596 @@ -1282,6 +1283,7 @@ CVE-2024-23659 (SPIP before 4.1.14 and 4.2.x before 4.2.8 allows XSS via the nam - spip 4.1.15+dfsg-1 [bookworm] - spip (Minor issue) [bullseye] - spip (Vulnerable code not present) + [buster] - spip (Vulnerable code not present) NOTE: https://git.spip.net/spip/bigup/commit/ada821c076d67d1147a195178223d0b4a6d8cecc NOTE: https://git.spip.net/spip/bigup/commit/0757f015717cb72b84dba0e9a375ec71caddf1c2 NOTE: https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-8-SPIP-4-1-14.html?lang=fr 
@@ -2113,6 +2115,7 @@ CVE-2024-22368 (The Spreadsheet::ParseXLSX package before 0.28 for Perl can enco - libspreadsheet-parsexlsx-perl 0.29-1 [bookworm] - libspreadsheet-parsexlsx-perl (Minor issue; DoS, can be fixed in point release) [bullseye] - libspreadsheet-parsexlsx-perl (Minor issue; DoS, can be fixed in point release) + [buster] - libspreadsheet-parsexlsx-perl (Minor issue) NOTE: https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md NOTE: Fixed by: https://github.com/MichaelDaum/spreadsheet-parsexlsx/commit/39b25b91fcb939a9c8ea807fdc80386c1ae5be0c (0.28) NOTE: Minor rewrite followup: https://github.com/MichaelDaum/spreadsheet-parsexlsx/commit/47ff82d74fbd014b8ec3cab80fa4fd25db9e8242 @@ -4389,6 +4392,7 @@ CVE-2023-50658 (The jose2go component before 1.6.0 for Go allows attackers to ca - golang-github-dvsekhvalnov-jose2go (bug #1059507) [bookworm] - golang-github-dvsekhvalnov-jose2go (Minor issue) [bullseye] - golang-github-dvsekhvalnov-jose2go (Minor issue) + [buster] - golang-github-dvsekhvalnov-jose2go (Minor issue) NOTE: https://github.com/dvsekhvalnov/jose2go/commit/a4584e9dd7128608fedbc67892eba9697f0d5317 (v1.6.0) CVE-2023-50339 (Stored cross-site scripting vulnerability exists in the User Managemen ...) NOT-FOR-US: GROWI = data/dla-needed.txt = 
@@ -193,6 +193,10 @@ python-os-brick NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- +qemu + NOTE: 20240119: Added by Front-Desk (lamby) + NOTE: 20240119: CVE-2023-1544 and CVE-2023-3354 already fixed in bullseye via DSA or point releases; to be fixed or . (lamby) +-- rails NOTE: 20220909: Re-added due to regression (abhijith) NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9e815576af40189b41a25e9e45ac3397e994de86...27854d722fae2fa0488177670a66ab6c80b8b9c6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9e815576af40189b41a25e9e45ac3397e994de86...27854d722fae2fa0488177670a66ab6c80b8b9c6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
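Review bot: the new buster line for CVE-2024-22368 in libspreadsheet-parsexlsx-perl drops the rationale the bookworm and bullseye lines carry ("Minor issue; DoS, can be fixed in point release") and reads only "Minor issue". Keep the DoS qualifier on the buster line too, adapted to LTS wording, so it is clear a later DLA can fold this in rather than needing a dedicated update.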
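Review bot: the second qemu NOTE is truncated: "... already fixed in bullseye via DSA or point releases; to be fixed or ." stops mid-sentence, so the intended alternative to fixing is lost. Please complete the sentence or drop the dangling "or ." before someone claims the package and has to guess what was meant.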
[Git][security-tracker-team/security-tracker][master] 5 commits: Triage CVE-2023-40458 in tinyxml for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 8f06dc33 by Chris Lamb at 2024-01-18T13:51:26-08:00 Triage CVE-2023-40458 in tinyxml for buster LTS. - - - - - 992a34ad by Chris Lamb at 2024-01-18T13:51:28-08:00 Triage CVE-2023-26159 in node-follow-redirects for buster LTS. - - - - - ec9618ab by Chris Lamb at 2024-01-18T13:51:29-08:00 Triage CVE-2023-44483 in libxml-security-java for buster LTS. - - - - - 38c90f2f by Chris Lamb at 2024-01-18T13:51:30-08:00 Triage CVE-2023-6395 in mock for buster LTS. - - - - - a2194454 by Chris Lamb at 2024-01-18T13:51:31-08:00 Triage CVE-2023-39326, CVE-2023-45285 CVE-2023-45287 in golang-1.11 for buster LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -688,6 +688,7 @@ CVE-2023-45229 (EDK2's Network Package is susceptible to an out-of-bounds read NOTE: https://www.openwall.com/lists/oss-security/2024/01/16/2 CVE-2023-6395 (The Mock software contains a vulnerability wherein an attacker could p ...) - mock + [buster] - mock (Vulnerable code not present) - templated-dictionary (bug #1025862) NOTE: https://www.openwall.com/lists/oss-security/2024/01/16/1 NOTE: Introduced in: https://github.com/rpm-software-management/mock/commit/426d973c2917a18303eea243bdf496ff6942bd27 (mock-1.4.14-1) @@ -8475,6 +8476,7 @@ CVE-2023-39326 (A malicious HTTP sender can use chunk extensions to cause a rece - golang-1.15 [bullseye] - golang-1.15 (Minor issue) - golang-1.11 + [buster] - golang-1.11 (Minor issue) NOTE: https://go.dev/issue/64433 NOTE: https://github.com/golang/go/commit/ec8c526e4be720e94b98ca509e6364f0efaf28f7 (go1.21.5) NOTE: https://github.com/golang/go/commit/6446af942e2e2b161c4ec1b60d9703a2b55dc4dd (go1.20.12) 
@@ -8486,6 +8488,7 @@ CVE-2023-45285 (Using go get to fetch a module with the ".git" suffix may unexpe - golang-1.15 [bullseye] - golang-1.15 (Minor issue) - golang-1.11 + [buster] - golang-1.11 (Minor issue) NOTE: https://go.dev/issue/63845 NOTE: https://github.com/golang/go/commit/23c943e5296c6fa3a6f9433bd929306c4dbf2aa3 (go1.21.5) NOTE: https://github.com/golang/go/commit/46bc33819ac86a9596b8059235842f0e0c7469bd (go1.20.12) @@ -8552,6 +8555,7 @@ CVE-2023-45287 (Before Go 1.20, the RSA based TLS key exchanges used the math/bi - golang-1.15 [bullseye] - golang-1.15 (Minor issue; intrusive backport) - golang-1.11 + [buster] - golang-1.11 (Minor issue) NOTE: https://go.dev/issue/20654 NOTE: https://go.dev/cl/326012/26 NOTE: https://groups.google.com/g/golang-announce/c/QMK8IQALDvA @@ -9783,6 +9787,7 @@ CVE-2023-40458 (Loop with Unreachable Exit Condition ('Infinite Loop') vulnerabi - tinyxml (bug #1059315) [bookworm] - tinyxml (Minor issue) [bullseye] - tinyxml (Minor issue) + [buster] - tinyxml (Minor issue) NOTE: https://www.forescout.com/resources/sierra21-vulnerabilities CVE-2023-3741 (An OS Command injection vulnerability in NEC Platforms DT900 and DT900 ...) NOT-FOR-US: NEC @@ -16114,6 +16119,7 @@ CVE-2023-44483 (All versions of Apache Santuario - XML Security for Java prior t - libxml-security-java (bug #1059313) [bookworm] - libxml-security-java (Minor issue) [bullseye] - libxml-security-java (Minor issue) + [buster] - libxml-security-java (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/10/20/5 NOTE: https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55 NOTE: https://santuario.apache.org/secadv.data/CVE-2023-44483.txt.asc 
@@ -54309,6 +54315,7 @@ CVE-2023-26159 (Versions of the package follow-redirects before 1.15.4 are vulne - node-follow-redirects (bug #1059926) [bookworm] - node-follow-redirects (Minor issue) [bullseye] - node-follow-redirects (Minor issue) + [buster] - node-follow-redirects (Minor issue) NOTE: https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137 NOTE: https://github.com/follow-redirects/follow-redirects/issues/235 NOTE: https://github.com/follow-redirects/follow-redirects/pull/236 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a65243caa1574534a2b980d8bb630278dc469449...a21944540a5d7fec171e24a47b3a1f9b9b673b09 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a65243caa1574534a2b980d8bb630278dc469449...a21944540a5d7fec171e24a47b3a1f9b9b673b09 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-comm
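Review bot: the "Vulnerable code not present" marking for mock (CVE-2023-6395) rests on the existing NOTE "Introduced in: ... (mock-1.4.14-1)", but the entry never states which mock version buster ships, so the claim cannot be checked from the tracker alone. Put the buster version, or at least "introduced in 1.4.14", in the annotation so it is self-contained.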
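Review bot: for CVE-2023-45287 the bullseye line reads "Minor issue; intrusive backport" while the new buster line for golang-1.11 is just "Minor issue". The entry's own description ("Before Go 1.20, the RSA based TLS key exchanges used the math/bi...") applies to golang-1.11 at least as much as to golang-1.15, so the same "intrusive backport" rationale belongs on the buster line; without it a later reader may assume a straightforward patch is pending.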
[Git][security-tracker-team/security-tracker][master] 6 commits: data/dla-needed.txt: Triage xorg-server for buster LTS (CVE-2023-6816,...
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: ae90db2f by Chris Lamb at 2024-01-17T10:50:46+00:00 data/dla-needed.txt: Triage xorg-server for buster LTS (CVE-2023-6816, CVE-2024-0229 CVE-2024-0408) - - - - - cc17a071 by Chris Lamb at 2024-01-17T10:51:32+00:00 Triage CVE-2023-44487 in grpc for buster LTS. - - - - - 152b362e by Chris Lamb at 2024-01-17T10:52:00+00:00 Triage CVE-2023-52339 in libebml for buster LTS. - - - - - 12e88488 by Chris Lamb at 2024-01-17T10:52:20+00:00 Triage CVE-2024-21647 in puma for buster LTS. - - - - - 8d27bcc8 by Chris Lamb at 2024-01-17T10:52:42+00:00 Triage CVE-2023-52323 in pycryptodome for buster LTS. - - - - - 55dff7d8 by Chris Lamb at 2024-01-17T10:54:05+00:00 Triage CVE-2023-48795 in trilead-ssh2 for buster LTS. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -1076,6 +1076,7 @@ CVE-2023-52339 (In libebml before 1.4.5, an integer overflow in MemIOCallback.cp - libebml 1.4.5-1 [bookworm] - libebml (Minor issue) [bullseye] - libebml (Minor issue) + [buster] - libebml (Minor issue) NOTE: https://github.com/Matroska-Org/libebml/issues/147 NOTE: https://github.com/Matroska-Org/libebml/pull/148 NOTE: https://github.com/Matroska-Org/libebml/commit/4d577f5c3e267b2988d56dafebc82dedb4c45506 (master) @@ -2107,6 +2108,7 @@ CVE-2024-21647 (Puma is a web server for Ruby/Rack applications built for parall - puma (bug #1060345) [bookworm] - puma (Minor issue) [bullseye] - puma (Minor issue) + [buster] - puma (Minor issue) NOTE: https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2 NOTE: https://github.com/puma/puma/commit/bbb880ffb6debbfdea535b4b3eb2204d49ae151d (v5.6.8) CVE-2024-21645 (pyLoad is the free and open-source Download Manager written in pure Py ...) 
@@ -2711,6 +2713,7 @@ CVE-2023-52323 (PyCryptodome and pycryptodomex before 3.19.1 allow side-channel - pycryptodome (bug #1060059) [bookworm] - pycryptodome (Minor issue) [bullseye] - pycryptodome (Minor issue) + [buster] - pycryptodome (Minor issue) NOTE: https://github.com/Legrandin/pycryptodome/commit/0deea1bfe1489e8c80d2053bbb06a1aa0b181ebd (v3.19.1) CVE-2023-52184 (Cross-Site Request Forgery (CSRF) vulnerability in WP Job Portal WP Jo ...) NOT-FOR-US: WordPress plugin @@ -5591,6 +5594,7 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun - trilead-ssh2 (bug #1059294) [bookworm] - trilead-ssh2 (Minor issue) [bullseye] - trilead-ssh2 (Minor issue) + [buster] - trilead-ssh2 (Minor issue) NOTE: https://terrapin-attack.com/ NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3 NOTE: dropbear: https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356 @@ -18134,6 +18138,7 @@ CVE-2023-44487 (The HTTP/2 protocol allows a denial of service (server resource - grpc [bookworm] - grpc (Minor issue) [bullseye] - grpc (Minor issue) + [buster] - grpc (Minor issue) - h2o 2.2.5+dfsg2-8 (bug #1054232) - haproxy 1.8.13-1 - nginx 1.24.0-2 (unimportant; bug #1053770) = data/dla-needed.txt = 
@@ -273,6 +273,9 @@ wireshark (Adrian Bunk) NOTE: 20231204: DLA pending (bunk) NOTE: 20231218: Debugging a problem with the update. (bunk) -- +xorg-server + NOTE: 20240117: Added by Front-Desk (lamby) +-- zabbix (tobi) NOTE: 20231015: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/49ed17cb5052b4f944c755ba3c50ce1e07c78780...55dff7d87dc873a7d7bed1823c687f22f5f994f1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/49ed17cb5052b4f944c755ba3c50ce1e07c78780...55dff7d87dc873a7d7bed1823c687f22f5f994f1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
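Review bot: the xorg-server entry records only "Added by Front-Desk (lamby)"; the CVE ids it is for (CVE-2023-6816, CVE-2024-0229, CVE-2024-0408) appear only in the commit message, which nobody reading dla-needed.txt sees. Other Front-Desk entries in this file (tiff, edk2, php-guzzlehttp-psr7) carry the CVEs in a second NOTE line; please do the same here.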
[Git][security-tracker-team/security-tracker][master] 4 commits: Triage CVE-2024-21633 in apktool for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 88245c67 by Chris Lamb at 2024-01-16T10:06:46+00:00 Triage CVE-2024-21633 in apktool for buster LTS. - - - - - 0ed57bad by Chris Lamb at 2024-01-16T10:07:14+00:00 Triage CVE-2023-51441 in axis for buster LTS. - - - - - 42eda358 by Chris Lamb at 2024-01-16T10:08:28+00:00 Triage CVE-2023-51074 in jayway-jsonpath for buster LTS. - - - - - bab9a888 by Chris Lamb at 2024-01-16T10:08:52+00:00 Triage CVE-2021-46900 in sympa for buster LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2349,6 +2349,7 @@ CVE-2024-21633 (Apktool is a tool for reverse engineering Android APK files. In - apktool 2.7.0+dfsg-7 (bug #1060013) [bookworm] - apktool (Minor issue) [bullseye] - apktool (Minor issue) + [buster] - apktool (Minor issue) NOTE: https://github.com/iBotPeaches/Apktool/security/advisories/GHSA-2hqv-2xv4-5h5w NOTE: https://github.com/iBotPeaches/Apktool/commit/d348c43b24a9de350ff6e5bd610545a10c1fc712 CVE-2024-21631 (Vapor is an HTTP web framework for Swift. Prior to version 4.90.0, Vap ...) @@ -2865,6 +2866,7 @@ CVE-2021-46901 (examples/6lbr/apps/6lbr-webserver/httpd.c in CETIC-6LBR (aka 6lb CVE-2021-46900 (Sympa before 6.2.62 relies on a cookie parameter for certain security ...) - sympa 6.2.66~dfsg-1 [bullseye] - sympa (Minor issue) + [buster] - sympa (Minor issue) NOTE: https://www.sympa.community/security/2021-001.html NOTE: https://github.com/sympa-community/sympa/issues/1091 CVE-2023-7192 (A memory leak problem was found in ctnetlink_create_conntrack in net/n ...) 
@@ -3335,6 +3337,7 @@ CVE-2023-51074 (json-path v2.8.0 was discovered to contain a stack overflow via - jayway-jsonpath [bookworm] - jayway-jsonpath (Minor issue) [bullseye] - jayway-jsonpath (Minor issue) + [buster] - jayway-jsonpath (Minor issue) NOTE: https://github.com/json-path/JsonPath/issues/973 CVE-2023-51010 (An issue in the export component AdSdkH5Activity of com.sdjictec.qdmet ...) NOT-FOR-US: com.sdjictec.qdmetro @@ -22731,6 +22734,7 @@ CVE-2023-51441 (** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulner - axis (bug #1060169) [bookworm] - axis (Minor issue) [bullseye] - axis (Minor issue) + [buster] - axis (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2024/01/05/2 NOTE: Fixed by: https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06 CVE-2023-40743 (** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in an ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/362cd7a860ae840c4bc575fae85aeb14d72aa585...bab9a88841dd33c4927ec40697ab3ebe25d07969 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/362cd7a860ae840c4bc575fae85aeb14d72aa585...bab9a88841dd33c4927ec40697ab3ebe25d07969 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
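Review bot: CVE-2023-51074 for jayway-jsonpath has no fixed version on the unstable line and its only reference is the upstream issue (#973), so the buster "Minor issue" is, like the bookworm and bullseye ones, a placeholder until upstream ships a fix. A NOTE saying whether a fix commit exists yet would let all three suites be re-triaged together once it does.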
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage python-asyncssh for buster LTS (CVE-2023-48795)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 362cd7a8 by Chris Lamb at 2024-01-16T10:05:58+00:00 data/dla-needed.txt: Triage python-asyncssh for buster LTS (CVE-2023-48795) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -179,6 +179,9 @@ putty NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca) -- +python-asyncssh + NOTE: 20240116: Added by Front-Desk (lamby) +-- python-django (Chris Lamb) NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/362cd7a860ae840c4bc575fae85aeb14d72aa585 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/362cd7a860ae840c4bc575fae85aeb14d72aa585 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
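Review bot: the python-asyncssh entry carries only "Added by Front-Desk (lamby)"; the CVE it was added for (CVE-2023-48795, per the commit message) should be in a NOTE line in the file itself, as the commit message is not visible to whoever claims the package.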
[Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Claim python-django.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 095b1e09 by Chris Lamb at 2024-01-16T10:03:59+00:00 data/dla-needed.txt: Claim python-django. - - - - - 953a6a26 by Chris Lamb at 2024-01-16T10:05:08+00:00 data/dla-needed.txt: Triage gtkwave for buster LTS. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -83,6 +83,10 @@ frr golang-go.crypto NOTE: 20231219: Added by Front-Desk (ta) -- +gtkwave + NOTE: 20240116: Added by Front-Desk (lamby) + NOTE: 20240116: For CVE-2023-32650 etc. (lamby) +-- h2o NOTE: 20231228: Added by Front-Desk (lamby) -- @@ -175,7 +179,7 @@ putty NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca) -- -python-django +python-django (Chris Lamb) NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists (Beuc/front-desk) NOTE: 20231020: ^ CVE-2021-28658, CVE-2021-31542, CVE-2021-33203 & CVE-2021-33571. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c32a55974121084e1feae79cdac604e311bb40bb...953a6a26eb11939f45bb4f75edeb9b2f03b69fc1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c32a55974121084e1feae79cdac604e311bb40bb...953a6a26eb11939f45bb4f75edeb9b2f03b69fc1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
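Review bot: the gtkwave NOTE "For CVE-2023-32650 etc." leaves the scope undefined; "etc." cannot be acted on by whoever claims the package. List the CVE ids the entry covers, or at least point to the tracker's per-package view for gtkwave so the set is unambiguous.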
[Git][security-tracker-team/security-tracker][master] Triage CVE-2023-50120, CVE-2024-0321 & CVE-2024-0322 in gpac for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: c32a5597 by Chris Lamb at 2024-01-16T10:03:24+00:00 Triage CVE-2023-50120, CVE-2024-0321 CVE-2024-0322 in gpac for buster LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1077,6 +1077,7 @@ CVE-2023-50172 (A recovery notification bypass vulnerability exists in the userR CVE-2023-50120 (MP4Box GPAC version 2.3-DEV-rev636-gfbd7e13aa-master was discovered to ...) - gpac (bug #1060696) [bullseye] - gpac (Vulnerable code not present) + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2698 NOTE: https://github.com/gpac/gpac/commit/b655955b840ccd7c7198bb15375aa510e76208eb CVE-2023-49864 (An information disclosure vulnerability exists in the aVideoEncoderRec ...) 
@@ -1589,10 +1590,12 @@ CVE-2024-21644 (pyLoad is the free and open-source Download Manager written in p - pyload (bug #1001980) CVE-2024-0322 (Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3-DEV.) - gpac (bug #1060409) + [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.com/bounties/87611fc9-ed7c-43e9-8e52-d83cd270bbec/ NOTE: https://github.com/gpac/gpac/commit/092904b80edbc4dce315684a59cc3184c45c1b70 CVE-2024-0321 (Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to 2. ...) - gpac (bug #1060409) + [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.com/bounties/4c027b94-8e9c-4c31-a169-893b25047769/ NOTE: https://github.com/gpac/gpac/commit/d0ced41651b279bb054eb6390751e2d4eb84819a CVE-2024-0308 (A vulnerability was found in Inis up to 2.0.1. It has been rated as cr ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c32a55974121084e1feae79cdac604e311bb40bb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c32a55974121084e1feae79cdac604e311bb40bb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
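Review bot: marking all three gpac CVEs "EOL in buster LTS" is consistent as a package-level decision, but for CVE-2023-50120 the bullseye line already says "Vulnerable code not present"; if buster's gpac also predates the affected code, as bullseye's evidently does, the more precise annotation for buster is the same "Vulnerable code not present". EOL is fine if gpac is unsupported in buster LTS as a whole, in which case a single NOTE recording that decision would save re-deriving it per CVE.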
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim python-django.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 7468fe36 by Chris Lamb at 2024-01-01T16:28:04+00:00 data/dla-needed.txt: Claim python-django. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -180,7 +180,7 @@ postfix putty NOTE: 20231224: Added by Front-Desk (ta) -- -python-django +python-django (Chris Lamb) NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists (Beuc/front-desk) NOTE: 20231020: ^ CVE-2021-28658, CVE-2021-31542, CVE-2021-33203 & CVE-2021-33571. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7468fe36b9f31eb16f28bf9c2505f6925762b3a7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7468fe36b9f31eb16f28bf9c2505f6925762b3a7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 5 commits: Triage CVE-2023-48795 in filezilla for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: d2baea94 by Chris Lamb at 2023-12-31T12:16:40+00:00 Triage CVE-2023-48795 in filezilla for buster LTS. - - - - - 36f36cc3 by Chris Lamb at 2023-12-31T12:17:05+00:00 Triage CVE-2023-51714 in qtbase-opensource-src for buster LTS. - - - - - 7d3d77b8 by Chris Lamb at 2023-12-31T12:18:19+00:00 data/dla-needed.txt: Triage tiff for buster LTS (CVE-2023-3576) - - - - - 7de46bd4 by Chris Lamb at 2023-12-31T12:22:16+00:00 Add upstream commit references for CVE-2023-49093 in htmlunit jenkins-htmlunit-core-js - - - - - 46294fe9 by Chris Lamb at 2023-12-31T12:27:45+00:00 data/dla-needed.txt: Triage jenkins-htmlunit-core-js for buster LTS (CVE-2023-49093) - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -803,6 +803,7 @@ CVE-2023-51714 (An issue was discovered in the HTTP2 implementation in Qt before - qtbase-opensource-src [bookworm] - qtbase-opensource-src (Minor issue) [bullseye] - qtbase-opensource-src (Minor issue) + [buster] - qtbase-opensource-src (Minor issue) - qtbase-opensource-src-gles [bookworm] - qtbase-opensource-src-gles (Minor issue) [bullseye] - qtbase-opensource-src-gles (Minor issue) @@ -2147,6 +2148,7 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun - filezilla 3.66.4-1 [bookworm] - filezilla (Minor issue) [bullseye] - filezilla (Minor issue) + [buster] - filezilla (Minor issue) - golang-go.crypto (bug #1059003) - jsch (ChaCha20-Poly1305 support introduced in 0.1.61; *-EtM support introduced in 0.1.58) - libssh 0.10.6-1 (bug #1059004) 
@@ -5284,6 +5286,8 @@ CVE-2023-49093 (HtmlUnit is a GUI-less browser for Java programs. HtmlUnit is vu - jenkins-htmlunit-core-js - htmlunit NOTE: https://github.com/HtmlUnit/htmlunit/security/advisories/GHSA-37vq-hr2f-g7h7 + NOTE: https://github.com/HtmlUnit/htmlunit/commit/e015082aa909fd9e1c2b5f9b26553ddc0ddbbcab + NOTE: https://github.com/HtmlUnit/htmlunit/commit/641325bbc84702dc9800ec7037aec061ce21956b CVE-2023-47701 (IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5 ...) NOT-FOR-US: IBM CVE-2023-46167 (IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 ...) = data/dla-needed.txt = @@ -98,6 +98,14 @@ imagemagick NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) NOTE: 20231014: Some work under git branch debian/buster but unease -- +jenkins-htmlunit-core-js + NOTE: 20231231: Added by Front-Desk (lamby) + NOTE: 20231231: Needs checking that this is definitely vulnerable: a quick glance + NOTE: 20231231: … suggests that the embedded copy of htmlunit is very old and may + NOTE: 20231231: … not even support XLST processing. However, it does use the + NOTE: 20231231: … TransformerFactory without setting the ~secure flag, so it may + NOTE: 20231231: … indeed be vulnerable. (lamby) +-- keystone NOTE: 20231102: Added by Front-Desk (lamby) NOTE: 20231102: Sync (eg. CVE-2021-38155) with stable etc. (lamby) 
@@ -250,6 +258,10 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- +tiff + NOTE: 20231231: Added by Front-Desk (lamby) + NOTE: 20231231: CVE-2023-3576 already fixed in bullseye via DSA or point release(s). (lamby) +-- tinymce NOTE: 20231123: Added by Front-Desk (ola) NOTE: 20231216: Someone with more XSS experience needed to assess the View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ca8ce7390e8ffa33ef93fccee9734db8047563ec...46294fe95d55a442c022843bb1b143758a1d7bca -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ca8ce7390e8ffa33ef93fccee9734db8047563ec...46294fe95d55a442c022843bb1b143758a1d7bca You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
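Review bot: in the CVE-2023-51714 hunk the buster line is added for qtbase-opensource-src only; the qtbase-opensource-src-gles lines in the same entry (bookworm and bullseye both "Minor issue") get no buster marking. If the -gles source package also exists in buster it needs the same annotation, otherwise the entry will keep showing it as open there.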
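Review bot: typo in the jenkins-htmlunit-core-js NOTE: "XLST" should be "XSLT". On the substance, the check that decides this is whether the embedded code builds its TransformerFactory without XMLConstants.FEATURE_SECURE_PROCESSING (the "~secure flag" the NOTE refers to) and then feeds it stylesheets a page can control; if the old embedded copy never exposes XSLT at all, the insecure factory is unreachable and the package can be marked not-affected. Either way, record the outcome in a NOTE once it is confirmed.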
[Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Triage edk2 for buster LTS (CVE-2019-11098)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: ae2a0002 by Chris Lamb at 2023-12-30T12:37:40+00:00 data/dla-needed.txt: Triage edk2 for buster LTS (CVE-2019-11098) - - - - - 58fd8228 by Chris Lamb at 2023-12-30T12:38:41+00:00 data/dla-needed.txt: Triage php-guzzlehttp-psr7 for buster LTS (CVE-2023-29197) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -76,6 +76,10 @@ dogecoin dropbear (guilhem) NOTE: 20231219: Added by Front-Desk (ta) -- +edk2 + NOTE: 20231230: Added by Front-Desk (lamby) + NOTE: 20231230: CVE-2019-11098 fixed in bullseye via DSA or point release (lamby) +-- exim4 (Markus Koschany) NOTE: 20231224: Added by Front-Desk (ta) -- @@ -174,6 +178,10 @@ nvidia-cuda-toolkit paramiko NOTE: 20231225: Added by Front-Desk (ta) -- +php-guzzlehttp-psr7 + NOTE: 20231230: Added by Front-Desk (lamby) + NOTE: 20231230: CVE-2023-29197 already fixed in bullseye via DSA or point release (lamby) +-- postfix NOTE: 20231224: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/bce0734072f5c5b275a47d94bafd803dd79ddc66...58fd822899037b2abf8f6fefed4f1b32515860f3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/bce0734072f5c5b275a47d94bafd803dd79ddc66...58fd822899037b2abf8f6fefed4f1b32515860f3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
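Review bot: both new NOTEs say "fixed in bullseye via DSA or point release", which leaves the LTS worker to find out which it was. Recording the DSA id or the bullseye fixed version (both recoverable from data/CVE/list for CVE-2019-11098 and CVE-2023-29197) would let them pull the exact patch instead of searching.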
[Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Triage libspreadsheet-parseexcel-perl for buster LTS (CVE-2023-7101)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 1216ea9e by Chris Lamb at 2023-12-30T12:20:56+00:00 data/dla-needed.txt: Triage libspreadsheet-parseexcel-perl for buster LTS (CVE-2023-7101) - - - - - bce07340 by Chris Lamb at 2023-12-30T12:21:49+00:00 Triage CVE-2023-47118, CVE-2023-48298 CVE-2023-48704 in clickhouse for buster LTS. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -984,6 +984,7 @@ CVE-2023-48704 (ClickHouse is an open-source column-oriented database management - clickhouse (bug #1059367) [bookworm] - clickhouse (Minor issue) [bullseye] - clickhouse (Minor issue) + [buster] - clickhouse (Minor issue) NOTE: https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-5rmf-5g48-xv63 NOTE: https://github.com/ClickHouse/ClickHouse/pull/57107 CVE-2023-48670 (Dell SupportAssist for Home PCs version 3.14.1 and prior versions cont ...) @@ -1129,6 +1130,7 @@ CVE-2023-48298 (ClickHouse\xae is an open-source column-oriented database manage - clickhouse (bug #1059261) [bookworm] - clickhouse (Minor issue) [bullseye] - clickhouse (Minor issue) + [buster] - clickhouse (Minor issue) NOTE: https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-qw9f-qv29-8938 NOTE: https://github.com/ClickHouse/ClickHouse/pull/56795 CVE-2023-46649 (A race condition in GitHub Enterprise Server was identified that could ...) @@ -1487,6 +1489,7 @@ CVE-2023-47118 (ClickHouse\xae is an open-source column-oriented database manage - clickhouse (bug #1059261) [bookworm] - clickhouse (Minor issue) [bullseye] - clickhouse (Minor issue) + [buster] - clickhouse (Minor issue) NOTE: https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-g22g-p6q2-x39v CVE-2023-46311 (Authorization Bypass Through User-Controlled Key vulnerability in gVec ...) NOT-FOR-US: WordPress plugin = data/dla-needed.txt = 
@@ -122,6 +122,9 @@ libreswan NOTE: 20230909: all due to code refactoring. I intend to package the version NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo) -- +libspreadsheet-parseexcel-perl + NOTE: 20231230: Added by Front-Desk (lamby) +-- libssh (Sean Whitton) NOTE: 20231219: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/179129dc8165f0fbce6a195c7f514630885b181e...bce0734072f5c5b275a47d94bafd803dd79ddc66
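Review bot: the libspreadsheet-parseexcel-perl entry in data/dla-needed.txt carries only the Front-Desk line; the commit message names CVE-2023-7101 as the reason, but that information is lost once the entry is read on its own. Add a second NOTE naming the CVE, in the form the netty entry uses ("NOTE: 20231104: For, at least, CVE-2023-44487. (lamby)"), so the entry is self-describing.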
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage curl for buster LTS (CVE-2023-27534)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 486bddce by Chris Lamb at 2023-12-29T10:56:44+00:00 data/dla-needed.txt: Triage curl for buster LTS (CVE-2023-27534) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -51,6 +51,10 @@ cinder cjson (Thorsten Alteholz) NOTE: 20231225: Added by Front-Desk (ta) -- +curl + NOTE: 20231229: Added by Front-Desk (lamby) + NOTE: 20231229: CVE-2023-27534 fixed in bullseye via DSA or point release. (lamby) +-- dask.distributed NOTE: 20231228: Added by Front-Desk (lamby) NOTE: 20231228: CVE-2021-42343 fixed in bullseye via DSA or point release. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/486bddce377dc7377794adcb89e375c888db969a
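Review bot: curl was already added to data/dla-needed.txt on 20231103 for CVE-2023-28322 and CVE-2023-27534 (commit 1f1ee790, further down this page), and CVE-2023-27534 is now the reason for a fresh entry. The 20231229 NOTE should state why this CVE is still open for buster, for example that the update which cleared the earlier entry did not include it; without that, the next claimant will assume the November triage was lost rather than partially done.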
[Git][security-tracker-team/security-tracker][master] 4 commits: Triage CVE-2023-51767 in openssh for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 65e9905c by Chris Lamb at 2023-12-28T17:24:38+00:00 Triage CVE-2023-51767 in openssh for buster LTS. - - - - - 8466d112 by Chris Lamb at 2023-12-28T17:25:29+00:00 Triage CVE-2023-7104 in sqlite3 for buster LTS. - - - - - 30249332 by Chris Lamb at 2023-12-28T17:27:03+00:00 data/dla-needed.txt: Triage kodi for buster LTS (CVE-2021-42917) - - - - - b99caa35 by Chris Lamb at 2023-12-28T17:27:54+00:00 data/dla-needed.txt: Triage dask.distributed for buster LTS (CVE-2021-42343) - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -214,6 +214,7 @@ CVE-2023-7104 (A vulnerability was found in SQLite SQLite3 up to 3.43.0 and clas - sqlite3 3.43.1-1 [bookworm] - sqlite3 (Minor issue) [bullseye] - sqlite3 (Minor issue) + [buster] - sqlite3 (Minor issue) NOTE: https://sqlite.org/forum/forumpost/5bcbf4571c NOTE: Fixed by: https://sqlite.org/src/info/0e4e7a05c4204b47 CVE-2023-51775 (The jose4j component before 0.9.4 for Java allows attackers to cause a ...) @@ -376,6 +377,7 @@ CVE-2023-51767 (OpenSSH through 9.6, when common types of DRAM are used, might a - openssh (bug #1059393) [bookworm] - openssh (Revisit once hardening/mitigation for Rowhammer type of attack exists) [bullseye] - openssh (Revisit once hardening/mitigation for Rowhammer type of attack exists) + [buster] - openssh (Revisit once hardening/mitigation for Rowhammer type of attack exists) NOTE: https://arxiv.org/abs/2309.02545 CVE-2023-51766 (Exim through 4.97 allows SMTP smuggling in certain configurations. Rem ...) - exim4 4.97-3 (bug #1059387) = data/dla-needed.txt = 
@@ -53,6 +53,10 @@ cinder cjson (Thorsten Alteholz) NOTE: 20231225: Added by Front-Desk (ta) -- +dask.distributed + NOTE: 20231228: Added by Front-Desk (lamby) + NOTE: 20231228: CVE-2021-42343 fixed in bullseye via DSA or point release. (lamby) +-- docker.io NOTE: 20230303: Added by Front-Desk (Beuc) NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) @@ -104,6 +108,10 @@ keystone knot-resolver NOTE: 20231029: Added by Front-Desk (gladk) -- +kodi + NOTE: 20231228: Added by Front-Desk (lamby) + NOTE: 20231228: CVE-2021-42917 was postponed in 2021; fixed in bullseye via DSA or point release. (lamby) +-- libde265 (Thorsten Alteholz) NOTE: 20231224: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c1376f504d3baf9021b2e783cd2f5dd4c26b9ea3...b99caa35b9e556c7eb34c507754e4c93f94d026c
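Review bot: the kodi NOTE says CVE-2021-42917 "was postponed in 2021", yet this push touches data/CVE/list only for sqlite3 and openssh and leaves the kodi CVE line alone. If the buster tag on CVE-2021-42917 still reads as postponed, it should be updated in the same push (or the NOTE should say it is intentionally left until the DLA is issued), otherwise data/CVE/list and data/dla-needed.txt disagree about whether the issue is being worked on. The openssh hunk is consistent with bullseye and bookworm, but the buster line copies the "Revisit once hardening/mitigation ... exists" text without any owner or date for that revisit.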
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage h2o for buster LTS (CVE-2023-41337)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: c1376f50 by Chris Lamb at 2023-12-28T17:23:50+00:00 data/dla-needed.txt: Triage h2o for buster LTS (CVE-2023-41337) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -82,6 +82,9 @@ frr golang-go.crypto NOTE: 20231219: Added by Front-Desk (ta) -- +h2o + NOTE: 20231228: Added by Front-Desk (lamby) +-- haproxy (tobi) NOTE: 20231217: Added by Front-Desk (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1376f504d3baf9021b2e783cd2f5dd4c26b9ea3
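Review bot: the h2o entry has no NOTE beyond the Front-Desk line, so the CVE it was added for (CVE-2023-41337, per the commit title) is not visible in the file itself. Add "NOTE: 20231228: For CVE-2023-41337. (lamby)" or similar; the neighbouring entries show that a bare package name tends to get re-triaged later.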
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3689-1 for bluez
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: d339178c by Chris Lamb at 2023-12-14T17:09:04+00:00 Reserve DLA-3689-1 for bluez - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[14 Dec 2023] DLA-3689-1 bluez - security update + {CVE-2023-45866} + [buster] - bluez 5.50-1.2~deb10u4 [14 Dec 2023] DLA-3688-1 haproxy - security update {CVE-2023-45539} [buster] - haproxy 1.8.19-1+deb10u5 = data/dla-needed.txt = @@ -35,9 +35,6 @@ bind9 (Thorsten Alteholz) NOTE: 20231008: backporting patches NOTE: 20231203: almost done with testing -- -bluez (Chris Lamb) - NOTE: 20231210: Added by Front-Desk (ta) --- bouncycastle (Markus Koschany) NOTE: 20231127: Added by Front-Desk (Beuc) NOTE: 20231127: Also fix pending no-dsa CVEs, in particular CVE-2020-26939 was fixed in stretch-lts (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d339178c332f89a1267c155dda27efd5f6d87a87
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3688-1 for haproxy
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 8ca1692d by Chris Lamb at 2023-12-14T14:03:36+00:00 Reserve DLA-3688-1 for haproxy - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[14 Dec 2023] DLA-3688-1 haproxy - security update + {CVE-2023-45539} + [buster] - haproxy 1.8.19-1+deb10u5 [13 Dec 2023] DLA-3687-1 rabbitmq-server - security update {CVE-2023-46118} [buster] - rabbitmq-server 3.8.2-1+deb10u2 = data/dla-needed.txt = @@ -76,9 +76,6 @@ dogecoin frr NOTE: 20231119: Added by Front-Desk (apo) -- -haproxy (Chris Lamb) - NOTE: 20231206: Added by Front-Desk (ta) --- i2p NOTE: 20230809: Added by Front-Desk (Beuc) NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8ca1692d7e1db15cbd6b03fbc2af9a2427e9f01c
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim python-django.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: f639d0b3 by Chris Lamb at 2023-12-12T12:06:09+00:00 data/dla-needed.txt: Claim python-django. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -154,7 +154,7 @@ osslsigncode NOTE: 20230925: Added by Front-Desk (apo) NOTE: 20230925: Maybe a new upstream release should just do the trick here. -- -python-django +python-django (Chris Lamb) NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists (Beuc/front-desk) NOTE: 20231020: ^ CVE-2021-28658, CVE-2021-31542, CVE-2021-33203 & CVE-2021-33571. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f639d0b33a437a74ed9044d78b88f50759c38e1d
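Review bot: this is the third time python-django is claimed by the same person on this page (20231107, 20231127 and now 20231212), which means the claim was dropped twice in between without any NOTE recording why. The entry's last status line is still the 20231020 list of the four CVEs; add a dated NOTE with the current state (what is blocking the backport of CVE-2021-28658, CVE-2021-31542, CVE-2021-33203 and CVE-2021-33571) so the history survives the next unclaim and another contributor could pick it up.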
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim bluez.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: b6ebb3dc by Chris Lamb at 2023-12-11T12:55:20+00:00 data/dla-needed.txt: Claim bluez. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -35,7 +35,7 @@ bind9 (Thorsten Alteholz) NOTE: 20231008: backporting patches NOTE: 20231203: almost done with testing -- -bluez +bluez (Chris Lamb) NOTE: 20231210: Added by Front-Desk (ta) -- bouncycastle (Markus Koschany) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6ebb3dc0cd13443d88853781b99003db66f614e
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim haproxy.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: c2c15f64 by Chris Lamb at 2023-12-07T17:26:21+00:00 data/dla-needed.txt: Claim haproxy. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -66,7 +66,7 @@ dogecoin frr NOTE: 20231119: Added by Front-Desk (apo) -- -haproxy +haproxy (Chris Lamb) NOTE: 20231206: Added by Front-Desk (ta) -- i2p View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2c15f64e66a6d32082ffcef391b200ec78b4520
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim python-django.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 27e8ac71 by Chris Lamb at 2023-11-27T10:47:18+00:00 data/dla-needed.txt: Claim python-django. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -158,7 +158,7 @@ postgresql-multicorn (rouca) NOTE: 20231108: Added by Front-Desk (santiago) NOTE: 20231108: Need to handle incompatibilities with versions in debian packages, brought up by PEP 440. See https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/70 -- -python-django +python-django (Chris Lamb) NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists (Beuc/front-desk) NOTE: 20231020: ^ CVE-2021-28658, CVE-2021-31542, CVE-2021-33203 & CVE-2021-33571. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27e8ac71e656c4164ae0274bdd5361d3051cf2dc
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3663-1 for strongswan
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: bfaa8fe4 by Chris Lamb at 2023-11-24T14:10:15+00:00 Reserve DLA-3663-1 for strongswan - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[24 Nov 2023] DLA-3663-1 strongswan - security update + {CVE-2023-41913} + [buster] - strongswan 5.7.2-1+deb10u4 [24 Nov 2023] DLA-3662-1 freeimage - security update {CVE-2020-21427 CVE-2020-21428 CVE-2020-22524} [buster] - freeimage 3.18.0+ds2-1+deb10u2 = data/dla-needed.txt = @@ -235,9 +235,6 @@ samba squid NOTE: 20231102: Added by Front-Desk (lamby) -- -strongswan (Chris Lamb) - NOTE: 20231121: Added by Front-Desk (ola) --- suricata (Adrian Bunk) NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bfaa8fe41ed75c95c63494b8a67074ec5dbe3883
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim strongswan.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: e99cd54d by Chris Lamb at 2023-11-22T08:55:38+00:00 data/dla-needed.txt: Claim strongswan. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -245,7 +245,7 @@ samba squid NOTE: 20231102: Added by Front-Desk (lamby) -- -strongswan +strongswan (Chris Lamb) NOTE: 20231121: Added by Front-Desk (ola) -- suricata (Adrian Bunk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e99cd54dbffccd962048b75b31152d01b9830b47
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3652-1 for ruby-sanitize
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: cdaa185e by Chris Lamb at 2023-11-14T10:31:00+00:00 Reserve DLA-3652-1 for ruby-sanitize - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[14 Nov 2023] DLA-3652-1 ruby-sanitize - security update + {CVE-2023-36823} + [buster] - ruby-sanitize 4.6.6-2.1~deb10u2 [14 Nov 2023] DLA-3651-1 postgresql-11 - security update {CVE-2023-5868 CVE-2023-5869 CVE-2023-5870} [buster] - postgresql-11 11.22-0+deb10u1 = data/dla-needed.txt = @@ -219,9 +219,6 @@ ring NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca) -- -ruby-sanitize (Chris Lamb) - NOTE: 20231108: Added by Front-Desk (pochu) --- salt NOTE: 20220814: Added by Front-Desk (gladk) NOTE: 20220814: I am not sure, whether it is possible to fix issues View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cdaa185e01495cf212db65d82118a3847d6509d6
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim ruby-sanitize.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 0d1a5c4a by Chris Lamb at 2023-11-10T10:14:37+00:00 data/dla-needed.txt: Claim ruby-sanitize. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -218,7 +218,7 @@ ring NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca) -- -ruby-sanitize +ruby-sanitize (Chris Lamb) NOTE: 20231108: Added by Front-Desk (pochu) -- salt View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0d1a5c4a0c3571d7f6304660fa3cf067d94ccd36
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3648-1 for tang
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 61677687 by Chris Lamb at 2023-11-07T12:04:04+00:00 Reserve DLA-3648-1 for tang - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -32164,7 +32164,6 @@ CVE-2023-1672 (A race condition exists in the Tang server functionality for key - tang 14-1 (bug #1038119) [bookworm] - tang 11-2+deb12u1 [bullseye] - tang 8-3+deb11u2 - [buster] - tang (Minor issue) NOTE: Fixed by: https://github.com/latchset/tang/commit/8dbbed10870378f1b2c3cf3df2ea7edca7617096 NOTE: https://census-labs.com/news/2023/06/15/race-tang/ CVE-2023-1671 (A pre-auth command injection vulnerability in the warn-proceed handler ...) = data/DLA/list = @@ -1,3 +1,6 @@ +[07 Nov 2023] DLA-3648-1 tang - security update + {CVE-2023-1672} + [buster] - tang 7-1+deb10u2 [07 Nov 2023] DLA-3647-1 trapperkeeper-webserver-jetty9-clojure - security update [buster] - trapperkeeper-webserver-jetty9-clojure 1.7.0-2+deb10u2 [05 Nov 2023] DLA-3646-1 open-vm-tools - security update = data/dla-needed.txt = 
@@ -244,10 +244,6 @@ suricata (Adrian Bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) -- -tang (Chris Lamb) - NOTE: 20231103: Added by Front-Desk (lamby) - NOTE: 20231103: Sync with stable. (lamby) --- vlc NOTE: 20231106: Added by Front-Desk (pochu) NOTE: 20231106: Follow bullseye and update to 3.0.20 (pochu) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6167768762e88384e00ad022546a0c126f3f716e
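Review bot: removing the "[buster] - tang (Minor issue)" line from data/CVE/list is the right companion to the new DLA-3648-1 entry, since data/DLA/list now supplies the buster fixed version 7-1+deb10u2 and a leftover no-dsa tag would contradict it. The other DLA reservations on this page (bluez, haproxy, strongswan, ruby-sanitize) touch only data/DLA/list and data/dla-needed.txt, so it is worth double-checking that none of their CVEs still carries a stale buster tag in data/CVE/list.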
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim python-django.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: a31d0b39 by Chris Lamb at 2023-11-07T07:33:45+00:00 data/dla-needed.txt: Claim python-django. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -176,7 +176,7 @@ osslsigncode NOTE: 20230925: Added by Front-Desk (apo) NOTE: 20230925: Maybe a new upstream release should just do the trick here. -- -python-django +python-django (Chris Lamb) NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists (Beuc/front-desk) NOTE: 20231020: ^ CVE-2021-28658, CVE-2021-31542, CVE-2021-33203 & CVE-2021-33571. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a31d0b39b3a3440a86cac4079d6dc4e0f8e04c3b
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage node-json5 for buster LTS (CVE-2022-46175)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: d76fa3e0 by Chris Lamb at 2023-11-05T08:17:10+00:00 data/dla-needed.txt: Triage node-json5 for buster LTS (CVE-2022-46175) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -140,6 +140,10 @@ netty (Markus Koschany) NOTE: 20231104: Added by Front-Desk (lamby) NOTE: 20231104: For, at least, CVE-2023-44487. (lamby) -- +node-json5 + NOTE: 20231105: Added by Front-Desk (lamby) + NOTE: 20231105: Sync with later releases. (lamby) +-- node-webpack NOTE: 20231005: Added by Front-Desk (Beuc) NOTE: 20231005: Follow fixes from bullseye 11.7 (1 CVE) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d76fa3e0de247c68bce99c9c40f99eab80ee43d2
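Review bot: "Sync with later releases" names neither the CVE (CVE-2022-46175 according to the commit title) nor which Debian suite or upstream version carries the fix, so the claimant has to reconstruct both. The node-webpack entry directly below is the better template ("Follow fixes from bullseye 11.7 (1 CVE)"); spell out the source of the fix and the CVE in the NOTE.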
[Git][security-tracker-team/security-tracker][master] 6 commits: Triage CVE-2023-46136 in python-werkzeug for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 4fd35094 by Chris Lamb at 2023-11-04T10:37:28+01:00 Triage CVE-2023-46136 in python-werkzeug for buster LTS. - - - - - 4731c035 by Chris Lamb at 2023-11-04T10:37:52+01:00 Triage CVE-2023-44271 in pillow for buster LTS. - - - - - b8fa93ef by Chris Lamb at 2023-11-04T10:38:31+01:00 Triage CVE-2023-42295 CVE-2023-42299 in openimageio for buster LTS. - - - - - ecd6249a by Chris Lamb at 2023-11-04T10:38:47+01:00 Triage CVE-2023-5072 in libjettison-java for buster LTS. - - - - - 41f0d13b by Chris Lamb at 2023-11-04T10:39:05+01:00 Triage CVE-2023-46303 in calibre for buster LTS. - - - - - d82092c7 by Chris Lamb at 2023-11-04T10:39:46+01:00 Triage CVE-2023-31122, CVE-2023-43622 CVE-2023-45802 in apache2 for buster LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -90,6 +90,7 @@ CVE-2023-44271 (An issue was discovered in Pillow before 10.0.0. It is a Denial - pillow 10.0.0-1 [bookworm] - pillow (Minor issue) [bullseye] - pillow (Minor issue) + [buster] - pillow (Minor issue) NOTE: https://github.com/python-pillow/Pillow/pull/7244 NOTE: https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7 (10.0.0) CVE-2023-43982 (Bon Presta boninstagramcarousel between v5.2.1 to v7.0.0 was discovere ...) @@ -102,6 +103,7 @@ CVE-2023-42299 (Buffer Overflow vulnerability in OpenImageIO oiio v.2.4.12.0 all - openimageio 2.4.13.0+dfsg-1 [bookworm] - openimageio (Minor issue) [bullseye] - openimageio (Minor issue) + [buster] - openimageio (Minor issue) NOTE: https://github.com/OpenImageIO/oiio/issues/3840 NOTE: https://github.com/AcademySoftwareFoundation/OpenImageIO/pull/3841 NOTE: https://github.com/AcademySoftwareFoundation/OpenImageIO/commit/5ff2c56dd28e96f67ed8f80d8a3d1235e51f9957 (v2.4.12.0) 
@@ -1722,6 +1724,7 @@ CVE-2023-46136 (Werkzeug is a comprehensive WSGI web application library. If an - python-werkzeug (bug #1054553) [bookworm] - python-werkzeug (Minor issue) [bullseye] - python-werkzeug (Minor issue) + [buster] - python-werkzeug (Minor issue) NOTE: https://github.com/pallets/werkzeug/security/advisories/GHSA-hrfv-mqp8-q5rw NOTE: https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 (3.0.1) CVE-2023-46135 (rs-stellar-strkey is a Rust lib for encode/decode of Stellar Strkeys. ...) @@ -2105,6 +2108,7 @@ CVE-2023-42295 (An issue in OpenImageIO oiio v.2.4.12.0 allows a remote attacker - openimageio 2.4.16.0+dfsg-1 (bug #1054873) [bookworm] - openimageio (Minor issue) [bullseye] - openimageio (Minor issue) + [buster] - openimageio (Minor issue) NOTE: https://github.com/AcademySoftwareFoundation/OpenImageIO/issues/3947 NOTE: https://github.com/AcademySoftwareFoundation/OpenImageIO/pull/3948 NOTE: Fixed by: https://github.com/AcademySoftwareFoundation/OpenImageIO/commit/15750af31a5d130ea63ac133453eb5448cefa636 (v2.5.3.0-beta1) @@ -2184,6 +2188,7 @@ CVE-2023-46303 (link_to_local_path in ebooks/conversion/plugins/html_input.py in - calibre 6.19.1-1 [bookworm] - calibre (Minor issue) [bullseye] - calibre (Minor issue) + [buster] - calibre (Minor issue) NOTE: https://github.com/0x1717/ssrf-via-img NOTE: https://github.com/kovidgoyal/calibre/commit/bbbddd2bf4ef4ddb467b0aeb0abe8765ed7f8a6b (v6.19.0) CVE-2021-46898 (views/switch.py in django-grappelli (aka Django Grappelli) before 2.15 ...) @@ -2705,6 +2710,7 @@ CVE-2023-45802 (When a HTTP/2 stream was reset (RST frame) by a client, there wa - apache2 2.4.58-1 [bookworm] - apache2 (Minor issue) [bullseye] - apache2 (Minor issue) + [buster] - apache2 (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/10/19/6 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2023-45802 NOTE: https://github.com/icing/blog/blob/main/h2-rapid-reset.md#cve-2023-45802 
@@ -2712,6 +2718,7 @@ CVE-2023-43622 (An attacker, opening a HTTP/2 connection with an initial window - apache2 2.4.58-1 [bookworm] - apache2 (Minor issue) [bullseye] - apache2 (Minor issue) + [buster] - apache2 (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/10/19/5 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2023-43622 CVE-2023-5654 (The React Developer Tools extension registers a message listener with ...) @@ -3752,6 +3759,7 @@ CVE-2023-5072 (Denial of Service in JSON-Java versions up to and including 2023 - libjettison-java (bug #1053884) [bookworm] - libjettison-java (Minor issue
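Review bot: all the buster tags added in this push copy the bullseye "Minor issue" assessment verbatim, which is reasonable where the NOTE lines already point at the fixing commit (pillow, openimageio, python-werkzeug, calibre). For the two apache2 HTTP/2 entries (CVE-2023-45802 and CVE-2023-43622) a one-line rationale would help, because the NOTE for CVE-2023-45802 links the h2-rapid-reset write-up while netty was added to data/dla-needed.txt the same morning (commit b0b39be0) precisely to handle the related HTTP/2 issue CVE-2023-44487; as written, the two decisions look inconsistent to a reader who does not know why apache2's variants are tolerable in buster. Note also that the line is cut off after "libjettison-java (Minor issue", so the CVE-2023-5072 hunk cannot be reviewed here.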
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage netty for buster LTS (CVE-2023-44487)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: b0b39be0 by Chris Lamb at 2023-11-04T10:36:58+01:00 data/dla-needed.txt: Triage netty for buster LTS (CVE-2023-44487) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -139,6 +139,10 @@ mosquitto (Markus Koschany) NOTE: 20230924: Added by Front-Desk (apo) NOTE: 20231009: Waiting for upstream clarification how to proceed with open CVE. (apo) -- +netty + NOTE: 20231104: Added by Front-Desk (lamby) + NOTE: 20231104: For, at least, CVE-2023-44487. (lamby) +-- node-webpack NOTE: 20231005: Added by Front-Desk (Beuc) NOTE: 20231005: Follow fixes from bullseye 11.7 (1 CVE) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b0b39be0a65d0e464978c90f2b02c365cf432260
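Review bot: "For, at least, CVE-2023-44487" signals that other open netty CVEs may need to ride along but does not enumerate them, so the scope of the update is left to whoever claims it. List the additional CVE ids in the NOTE (or state explicitly that only CVE-2023-44487 is in scope) before the package is claimed, so the eventual DLA text and the data/CVE/list updates do not miss one.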
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim tang.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: caa85cea by Chris Lamb at 2023-11-03T09:21:14+01:00 data/dla-needed.txt: Claim tang. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -242,7 +242,7 @@ suricata (Adrian Bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) -- -tang +tang (Chris Lamb) NOTE: 20231103: Added by Front-Desk (lamby) NOTE: 20231103: Sync with stable. (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/caa85ceaf03acd5a4d316aa7c435d015e626edaf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/caa85ceaf03acd5a4d316aa7c435d015e626edaf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage curl for buster LTS (CVE-2023-28322 & CVE-2023-27534)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 1f1ee790 by Chris Lamb at 2023-11-03T09:16:15+01:00 data/dla-needed.txt: Triage curl for buster LTS (CVE-2023-28322 CVE-2023-27534) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -44,6 +44,10 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- +curl + NOTE: 20231103: Added by Front-Desk (lamby) + NOTE: 20231103: Sync with stable. (lamby) +-- docker.io (rouca/santiago) NOTE: 20230303: Added by Front-Desk (Beuc) NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1f1ee790e3c90917c08f5c57870c03135c339586 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1f1ee790e3c90917c08f5c57870c03135c339586 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
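Review bot: the curl NOTE in this hunk says only "Sync with stable" while the commit title names CVE-2023-28322 and CVE-2023-27534; the ids survive only in git history, not in the file a claimer reads. Suggest `NOTE: 20231103: Sync with stable (CVE-2023-28322 & CVE-2023-27534). (lamby)`, matching the form used for the lwip and horizon entries elsewhere in this series.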
[Git][security-tracker-team/security-tracker][master] 2 commits: Triage CVE-2023-31794 in mupdf for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 0aa31d46 by Chris Lamb at 2023-11-03T09:12:57+01:00 Triage CVE-2023-31794 in mupdf for buster LTS. - - - - - 52a76281 by Chris Lamb at 2023-11-03T09:13:29+01:00 data/dla-needed.txt: Triage tang for buster LTS (CVE-2023-1672) - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -727,6 +727,7 @@ CVE-2023-31794 (MuPDF v1.21.1 was discovered to contain an infinite recursion in - mupdf 1.22.1+ds1-1 [bookworm] - mupdf (Minor issue) [bullseye] - mupdf (Minor issue) + [buster] - mupdf (Minor issue) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=706506 NOTE: Fixed by: https://git.ghostscript.com/?p=mupdf.git;a=commit;h=c0015401693b58e2deb5d75c39f27bc1216e47c6 (1.22.0-rc1) CVE-2019-25155 (DOMPurify before 1.0.11 allows reverse tabnabbing in demos/hooks-targe ...) = data/dla-needed.txt = @@ -238,6 +238,10 @@ suricata (Adrian Bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) -- +tang + NOTE: 20231103: Added by Front-Desk (lamby) + NOTE: 20231103: Sync with stable. (lamby) +-- trafficserver (Adrian Bunk) NOTE: 20231011: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d7d3cf931ae82787e2f716aa54466d953b54d277...52a7628150b8c9561290fa30d528144544fe9410 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d7d3cf931ae82787e2f716aa54466d953b54d277...52a7628150b8c9561290fa30d528144544fe9410 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
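Review bot: in the data/dla-needed.txt hunk the tang NOTE reads "Sync with stable" but does not name CVE-2023-1672, which appears only in the commit title; the claimer (tang was claimed in the following commit) has to reconstruct the scope from history. Suggest `NOTE: 20231103: Sync with stable (CVE-2023-1672). (lamby)`.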
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3644-1 for phppgadmin
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 1717ab24 by Chris Lamb at 2023-11-02T15:48:23+01:00 Reserve DLA-3644-1 for phppgadmin - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[02 Nov 2023] DLA-3644-1 phppgadmin - security update + {CVE-2023-40619} + [buster] - phppgadmin 5.1+ds-4+deb10u1 [31 Oct 2023] DLA-3643-1 pmix - security update {CVE-2023-41915} [buster] - pmix 3.1.2-3+deb10u1 = data/dla-needed.txt = @@ -170,9 +170,6 @@ osslsigncode NOTE: 20230925: Added by Front-Desk (apo) NOTE: 20230925: Maybe a new upstream release should just do the trick here. -- -phppgadmin (Chris Lamb) - NOTE: 20230925: Added by Front-Desk (apo) --- python-django (Chris Lamb) NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1717ab249b78fadf5e90296a38fb86d47716622e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1717ab249b78fadf5e90296a38fb86d47716622e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Triage CVE-2023-46927, CVE-2023-46928, CVE-2023-46930 & CVE-2023-46931 in gpac for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 1e9014be by Chris Lamb at 2023-11-02T15:36:02+01:00 Triage CVE-2023-46927, CVE-2023-46928, CVE-2023-46930 CVE-2023-46931 in gpac for buster LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -66,18 +66,22 @@ CVE-2023-4452 (A vulnerability has been identified in the EDR-810, EDR-G902, and NOT-FOR-US: Moxa CVE-2023-46931 (GPAC 2.3-DEV-rev605-gfc9e29089-master contains a heap-buffer-overflow ...) - gpac + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2664 NOTE: https://github.com/gpac/gpac/commit/671976fccc971b3dff8d3dcf6ebd600472ca64bf CVE-2023-46930 (GPAC 2.3-DEV-rev605-gfc9e29089-master contains a SEGV in gpac/MP4Box i ...) - gpac + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2666 NOTE: https://github.com/gpac/gpac/commit/3809955065afa3da1ad580012ec43deadbb0f2c8 CVE-2023-46928 (GPAC 2.3-DEV-rev605-gfc9e29089-master contains a SEGV in gpac/MP4Box i ...) - gpac + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2661 NOTE: https://github.com/gpac/gpac/commit/0753bf6d867343a80a044bf47a27d0b7accc8bf1 CVE-2023-46927 (GPAC 2.3-DEV-rev605-gfc9e29089-master contains a heap-buffer-overflow ...) - gpac + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2657 NOTE: https://github.com/gpac/gpac/commit/a7b467b151d9b54badbc4dd71e7a366b7c391817 CVE-2023-46911 (There is a Cross Site Scripting (XSS) vulnerability in the choose_styl ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e9014bec18058c797befc9d4c616621560cd11e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e9014bec18058c797befc9d4c616621560cd11e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
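Review bot: the four gpac entries in this hunk are tagged "[buster] - gpac (EOL in buster LTS)" but nothing in the hunk records why the package is EOL, and the visible context shows only the unfixed sid line "- gpac" with no bullseye or bookworm triage for any of the four. Suggest a single NOTE on the first entry pointing at the EOL decision so later triagers do not re-check it, and flagging the untriaged supported suites to the security team since that is outside this LTS commit's scope.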
[Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Triage keystone for buster LTS (CVE-2021-38155)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 16a9d5b3 by Chris Lamb at 2023-11-02T15:38:40+01:00 data/dla-needed.txt: Triage keystone for buster LTS (CVE-2021-38155) - - - - - d4888ee4 by Chris Lamb at 2023-11-02T15:39:17+01:00 data/dla-needed.txt: Triage squid for buster LTS (CVE-2023-46846, CVE-2023-46847 CVE-2023-5824) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -91,6 +91,10 @@ imagemagick NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) NOTE: 20231014: Some work under git branch debian/buster but unease -- +keystone + NOTE: 20231102: Added by Front-Desk (lamby) + NOTE: 20231102: Sync (eg. CVE-2021-38155) with stable etc. (lamby) +-- knot-resolver NOTE: 20231029: Added by Front-Desk (gladk) -- @@ -225,6 +229,9 @@ salt samba (Lee Garrett) NOTE: 20230918: Added by Front-Desk (apo) -- +squid + NOTE: 20231102: Added by Front-Desk (lamby) +-- suricata (Adrian Bunk) NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1e9014bec18058c797befc9d4c616621560cd11e...d4888ee494255bca33f9328a9574f701195e860d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1e9014bec18058c797befc9d4c616621560cd11e...d4888ee494255bca33f9328a9574f701195e860d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
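Review bot: the keystone NOTE in the first hunk, "Sync (eg. CVE-2021-38155) with stable etc.", is vague: "etc." does not say what further work is expected and "eg." should be "e.g.". Suggest naming the ids to sync, or simply `NOTE: 20231102: Sync with stable (CVE-2021-38155). (lamby)`.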
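Review bot: the squid entry in the second hunk carries only "Added by Front-Desk (lamby)"; the three CVEs from the commit message (CVE-2023-46846, CVE-2023-46847, CVE-2023-5824) are not recorded in the file. Suggest adding `NOTE: 20231102: Sync with stable (CVE-2023-46846, CVE-2023-46847, CVE-2023-5824). (lamby)` so the scope is visible without consulting git log.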
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage horizon for buster LTS (CVE-2022-45582)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 8b94efe1 by Chris Lamb at 2023-11-01T16:26:53+01:00 data/dla-needed.txt: Triage horizon for buster LTS (CVE-2022-45582) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -78,6 +78,10 @@ galera-3 (Adrian Bunk) NOTE: 20231028: Added by Front-Desk (gladk) NOTE: 20231028: Acc. to CVE notes the open issue is fixed in 26.4.12. Please, try to find a corresponding commit and try to backport it. Otherwise - no-dsa. (gladk) -- +horizon + NOTE: 20231101: Added by Front-Desk (lamby) + NOTE: 20231101: Sync with bullseye (CVE-2022-45582). (lamby) +-- i2p NOTE: 20230809: Added by Front-Desk (Beuc) NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8b94efe12e658f9655a6e9c589879f76199cdf27 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8b94efe12e658f9655a6e9c589879f76199cdf27 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage lwip for buster LTS (CVE-2020-22283 & CVE-2020-22284)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: c68b7606 by Chris Lamb at 2023-11-01T16:24:51+01:00 data/dla-needed.txt: Triage lwip for buster LTS (CVE-2020-22283 CVE-2020-22284) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -113,6 +113,10 @@ linux (Ben Hutchings) linux-5.10 NOTE: 20231005: perma-added for LTS package-specific delegation (bwh) -- +lwip + NOTE: 20231101: Added by Front-Desk (lamby) + NOTE: 20231101: Sync with bullseye (CVE-2020-22283 & CVE-2020-22284). (lamby) +-- mediawiki (guilhem) NOTE: 20231011: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c68b7606c6d10db9f594eab1d21ee36e9b7de093 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c68b7606c6d10db9f594eab1d21ee36e9b7de093 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 11 commits: Triage CVE-2023-31022 in nvidia-graphics-drivers for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 24d48946 by Chris Lamb at 2023-11-01T16:17:35+01:00 Triage CVE-2023-31022 in nvidia-graphics-drivers for buster LTS. - - - - - a29108c9 by Chris Lamb at 2023-11-01T16:18:55+01:00 Triage CVE-2023-31022 in nvidia-graphics-drivers-legacy-390xx for buster LTS. - - - - - 5e574f7f by Chris Lamb at 2023-11-01T16:19:20+01:00 Triage CVE-2023-40217 in pypy3 for buster LTS. - - - - - e6fb2459 by Chris Lamb at 2023-11-01T16:19:40+01:00 Triage CVE-2023-5574 in xorg-server for buster LTS. - - - - - 9e242514 by Chris Lamb at 2023-11-01T16:19:59+01:00 Triage CVE-2023-46586 in weborf for buster LTS. - - - - - 141fbf0f by Chris Lamb at 2023-11-01T16:20:20+01:00 Triage CVE-2023-46137 in twisted for buster LTS. - - - - - de0f775a by Chris Lamb at 2023-11-01T16:20:36+01:00 Triage CVE-2023-46316 in traceroute for buster LTS. - - - - - 908afea2 by Chris Lamb at 2023-11-01T16:21:01+01:00 Triage CVE-2023-5752 in python-pip for buster LTS. - - - - - 46ec7f45 by Chris Lamb at 2023-11-01T16:21:37+01:00 Triage CVE-2023-39325 in golang-1.11 for buster LTS. - - - - - 35acb928 by Chris Lamb at 2023-11-01T16:22:36+01:00 Triage CVE-2023-31022 in nvidia-graphics-drivers-legacy-340xx for buster LTS. - - - - - b66fc533 by Chris Lamb at 2023-11-01T16:23:17+01:00 Triage CVE-2023-45818 CVE-2023-45819 in tinymce for buster LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -915,6 +915,7 @@ CVE-2023-46137 (Twisted is an event-based framework for internet applications. P - twisted (bug #1054913) [bookworm] - twisted (Minor issue) [bullseye] - twisted (Minor issue) + [buster] - twisted (Minor issue) NOTE: https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm CVE-2023-46134 (D-Tale is the combination of a Flask back-end and a React front-end to ...) NOT-FOR-US: D-Tale 
@@ -1227,6 +1228,7 @@ CVE-2023-5752 (When installing a package from a Mercurial VCS URL (ie "pip inst - python-pip 23.3+dfsg-1 [bookworm] - python-pip (Minor issue) [bullseye] - python-pip (Minor issue) + [buster] - python-pip (Minor issue) NOTE: https://github.com/pypa/pip/pull/12306 NOTE: https://mail.python.org/archives/list/security-annou...@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/ CVE-2023-5311 (The WP EXtra plugin for WordPress is vulnerable to unauthorized modifi ...) @@ -1334,6 +1336,7 @@ CVE-2023-5574 (A use-after-free flaw was found in xorg-x11-server-Xvfb. This iss - xorg-server [bookworm] - xorg-server (Minor issue) [bullseye] - xorg-server (Minor issue) + [buster] - xorg-server (Minor issue) NOTE: https://lists.x.org/archives/xorg-announce/2023-October/003430.html NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1189 CVE-2023-5380 (A use-after-free flaw was found in the xorg-x11-server. An X server cr ...) @@ -1649,11 +1652,13 @@ CVE-2023-46316 (In buc Traceroute 2.0.12 through 2.1.2 before 2.1.3, the wrapper - traceroute 1:2.1.3-1 [bookworm] - traceroute (Minor issue) [bullseye] - traceroute (Minor issue) + [buster] - traceroute (Minor issue) NOTE: https://sourceforge.net/projects/traceroute/files/traceroute/traceroute-2.1.3/ CVE-2023-46586 - weborf 1.0-1 (bug #1054417) [bookworm] - weborf (Minor issue) [bullseye] - weborf (Minor issue) + [buster] - weborf (Minor issue) NOTE: https://github.com/ltworf/weborf/pull/88 NOTE: Fixed by: https://github.com/ltworf/weborf/commit/49824204add55aab0568d90a6b1e7c822d32120d (1.0) CVE-2023-5702 (A vulnerability was found in Viessmann Vitogate 300 up to 2.1.3.0 and ...) 
@@ -2132,8 +2137,10 @@ CVE-2023-45821 (Artifact Hub is a web-based application that enables finding, in NOT-FOR-US: Artifact Hub CVE-2023-45819 (TinyMCE is an open source rich text editor. A cross-site scripting (XS ...) - tinymce + [buster] - tinymce (Minor issue) CVE-2023-45818 (TinyMCE is an open source rich text editor. A mutation cross-site scri ...) - tinymce + [buster] - tinymce (Minor issue) CVE-2023-45815 (ArchiveBox is an open source self-hosted web archiving system. Any use ...) NOT-FOR-US: ArchiveBox CVE-2023-45471 (The QAD Search Server is vulnerable to Stored Cross-Site Scripting (XS ...) @@ -3608,6 +3615,7 @@ CVE-2023-39325 (A malicious HTTP/2 client which rapidly creates requests and imm - golang-1.15 [bullseye] - golang-1.15 (Minor issue) - golang-1.11 + [buster] - golang-1.11 (Minor issue) NOTE: https://github.com/golang/go/issues/63417 CVE-2023-5473 (Use after free in Cast in Google Chrome prior to 118.0.5993.70 allowed ...) {DSA
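Review bot: the two tinymce entries in the first hunk get "[buster] - tinymce (Minor issue)" but, unlike every other entry touched by this series, have no NOTE with an upstream advisory or fix reference and no bullseye or bookworm triage line in the visible context. Suggest adding the upstream reference for CVE-2023-45818 and CVE-2023-45819 so the "Minor issue" rating can be re-checked later, and flagging the untriaged supported suites to the security team.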
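Review bot: in the golang hunk, "[buster] - golang-1.11 (Minor issue)" mirrors the bullseye rating for golang-1.15 in the same context, but the entry carries only the upstream issue link and no reason. For a toolchain package the rating effectively covers everything rebuilt with it, so a short NOTE stating why a minor rating is appropriate for buster would help the next triager.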
[Git][security-tracker-team/security-tracker][master] 2 commits: Triage CVE-2023-46287 in nagvis for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: d067464a by Chris Lamb at 2023-10-31T20:36:31+01:00 Triage CVE-2023-46287 in nagvis for buster LTS. - - - - - 83673535 by Chris Lamb at 2023-10-31T20:38:24+01:00 Triage CVE-2023-5388 in nss for buster LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1474,6 +1474,7 @@ CVE-2023-5388 - nss [bookworm] - nss (Minor issue, revisit once fixed upstream) [bullseye] - nss (Minor issue, revisit once fixed upstream) + [buster] - nss (Minor issue) NOTE: https://people.redhat.com/~hkario/marvin/ CVE-2023-5551 - moodle @@ -1681,6 +1682,7 @@ CVE-2023-46287 (XSS exists in NagVis before 1.9.38 via the select function in sh - nagvis 1:1.9.38-1 [bookworm] - nagvis (Minor issue) [bullseye] - nagvis (Minor issue) + [buster] - nagvis (Minor issue) NOTE: https://github.com/NagVis/nagvis/pull/356 NOTE: https://github.com/NagVis/nagvis/commit/093c2b0b31001bb74c78452858a0a9d27fa0a9b5 (nagvis-1.9.38) CVE-2023-46117 (reconFTW is a tool designed to perform automated recon on a target dom ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1897a2471b91122c57482ef78371c102963989bc...836735355b2e7b4c44b96c7881efd8cd67c21d53 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1897a2471b91122c57482ef78371c102963989bc...836735355b2e7b4c44b96c7881efd8cd67c21d53 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
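Review bot: the buster line for CVE-2023-5388 in the nss hunk drops the "revisit once fixed upstream" qualifier that the bookworm and bullseye lines in the same hunk carry, so buster becomes the only suite that will not be re-examined when the upstream fix lands. Suggest `[buster] - nss (Minor issue, revisit once fixed upstream)` for consistency.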
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage open-vm-tools for buster LTS (CVE-2023-34058 & CVE-2023-34059)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 1897a247 by Chris Lamb at 2023-10-31T20:33:40+01:00 data/dla-needed.txt: Triage open-vm-tools for buster LTS (CVE-2023-34058 CVE-2023-34059) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -146,6 +146,10 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- +open-vm-tools + NOTE: 20230514: Added by Front-Desk (lamby) + NOTE: 20231031: Last added to dla-needed.txt. 20230907. (lamby) +-- opendkim NOTE: 20230821: Added by Front-Desk (ta) NOTE: 20231006: Unfixed upstream as of today. (spwhitton) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1897a2471b91122c57482ef78371c102963989bc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1897a2471b91122c57482ef78371c102963989bc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
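Review bot: the dates in the new open-vm-tools NOTE lines contradict each other: "NOTE: 20230514: Added by Front-Desk (lamby)" appears in a commit dated 20231031, followed by "NOTE: 20231031: Last added to dla-needed.txt. 20230907.", and the entry omits the CVEs named in the commit title (CVE-2023-34058 and CVE-2023-34059). Suggest `NOTE: 20231031: Re-added by Front-Desk (lamby); previously listed 20230514 and 20230907.` followed by `NOTE: 20231031: Sync with stable (CVE-2023-34058 & CVE-2023-34059). (lamby)`.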
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3643-1 for pmix
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: f5f7e66a by Chris Lamb at 2023-10-31T17:13:50+01:00 Reserve DLA-3643-1 for pmix - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Oct 2023] DLA-3643-1 pmix - security update + {CVE-2023-41915} + [buster] - pmix 3.1.2-3+deb10u1 [31 Oct 2023] DLA-3642-1 request-tracker4 - security update {CVE-2023-41259 CVE-2023-41260} [buster] - request-tracker4 4.4.3-2+deb10u3 = data/dla-needed.txt = @@ -157,9 +157,6 @@ osslsigncode phppgadmin (Chris Lamb) NOTE: 20230925: Added by Front-Desk (apo) -- -pmix (Chris Lamb) - NOTE: 20231024: Added by Front-Desk (gladk) --- python-django (Chris Lamb) NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f5f7e66a1de618630d6d739c7e211f8f6ad2834a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f5f7e66a1de618630d6d739c7e211f8f6ad2834a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim pmix.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 7c7b1dbf by Chris Lamb at 2023-10-25T10:35:10+01:00 data/dla-needed.txt: Claim pmix. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -162,7 +162,7 @@ osslsigncode phppgadmin (Chris Lamb) NOTE: 20230925: Added by Front-Desk (apo) -- -pmix +pmix (Chris Lamb) NOTE: 20231024: Added by Front-Desk (gladk) -- python-django (Chris Lamb) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7c7b1dbf8375391e80c95884bd1bde28f3bd0c76 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7c7b1dbf8375391e80c95884bd1bde28f3bd0c76 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits