[Git][security-tracker-team/security-tracker][master] data/CVE/list: Mark CVE-2019-14902/samba/jessie as ignored. Too difficult and risky to backport.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 537b9801 by Mike Gabriel at 2020-11-02T14:45:58+01:00 data/CVE/list: Mark CVE-2019-14902/samba/jessie as ignored. Too difficult and risky to backport. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -81240,8 +81240,9 @@ CVE-2019-14902 (There is an issue in all samba 4.11.x versions before 4.11.5, al - samba 2:4.11.5+dfsg-1 [buster] - samba (Minor issue) [stretch] - samba (Minor issue) - [jessie] - samba (Minor issue) + [jessie] - samba (difficult and risky backport to 4.2 in jessie) NOTE: https://www.samba.org/samba/security/CVE-2019-14902.html + NOTE: Workaround: Use of 'samba-tool drs replicate $DC1 $DC2 $NC --full-sync' will cause all ACLs to be syncronised from DC2 to DC1, for the given NC (naming context) CVE-2019-14901 (A heap overflow flaw was found in the Linux kernel, all versions 3.x.x ...) {DLA-2114-1 DLA-2068-1} - linux 5.4.13-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/537b9801f16be8ce5678d30020e1373f71f2a5ca You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
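Review bot: the added Workaround NOTE does not say whether the 'samba-tool drs replicate ... --full-sync' command has been checked against the 4.2 samba-tool in jessie, which is the only release this commit leaves unfixed for the stated reason. Since the new [jessie] line names 4.2 explicitly, add a word on whether the workaround is usable there, and correct "syncronised" to "synchronised" in the same NOTE.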
[Git][security-tracker-team/security-tracker][master] org/lts-frontdesk.2020.txt: Remove myself from LTS frontdesk schedule (Nov + Dec).
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: e20ecbd5 by Mike Gabriel at 2020-10-30T21:41:08+01:00 org/lts-frontdesk.2020.txt: Remove myself from LTS frontdesk schedule (Nov + Dec). - - - - - 1 changed file: - org/lts-frontdesk.2020.txt Changes: = org/lts-frontdesk.2020.txt = @@ -56,10 +56,10 @@ From 19-10 to 25-10:Thorsten Alteholz From 26-10 to 01-11:Utkarsh Gupta From 02-11 to 08-11:Chris Lamb From 09-11 to 15-11:Thorsten Alteholz -From 16-11 to 22-11:Mike Gabriel +From 16-11 to 22-11: From 23-11 to 29-11:Abhijith PA From 30-11 to 06-12:Thorsten Alteholz From 07-12 to 13-12:Chris Lamb -From 14-12 to 20-12:Mike Gabriel +From 14-12 to 20-12: From 21-12 to 27-12:Utkarsh Gupta From 28-12 to 03-01: View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e20ecbd548d2fed27960b2aa537c994b4ff1ff42
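Review bot: the two weeks given up here (16-11 to 22-11 and 14-12 to 20-12) end up with an empty name after the colon, the same form as the still-open 28-12 to 03-01 slot, so the file no longer distinguishes a slot that was handed back from one that was never assigned. The first gap starts right after the 09-11 to 15-11 week, so announce the open weeks to the team alongside this commit so that frontdesk coverage is not silently missing.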
[Git][security-tracker-team/security-tracker][master] Fix previous commit (wrong bug number, copy+paste flaw).
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: ffeb12cb by Mike Gabriel at 2020-09-29T15:54:06+02:00 Fix previous commit (wrong bug number, copy+paste flaw). - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -37,7 +37,7 @@ CVE-2020-26119 CVE-2020-26118 RESERVED CVE-2020-26117 (In rfb/CSecurityTLS.cxx and rfb/CSecurityTLS.java in TigerVNC before 1 ...) - - tigervnc 1.10.1+dfsg-9 (bug #970932) + - tigervnc 1.10.1+dfsg-9 (bug #971272) NOTE: https://bugzilla.opensuse.org/show_bug.cgi?id=1176733 NOTE: https://github.com/TigerVNC/tigervnc/commit/20dea801e747318525a5859fe4f37c52b05310cb (v1.11.0) NOTE: https://github.com/TigerVNC/tigervnc/commit/7399eab79a4365434d26494fa1628ce1eb91562b (v1.11.0) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ffeb12cb94301870f1f6436968bef2eaf19dc554
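Review bot: the commit message names neither the CVE nor the package, although the only change is the bug number on the tigervnc line under CVE-2020-26117 (#970932 replaced by #971272). Anyone searching the history for CVE-2020-26117 will find the commit that introduced the wrong number but not this correction; put "CVE-2020-26117 (tigervnc)" in the subject, as the corrected commit does.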
[Git][security-tracker-team/security-tracker][master] data/CVE/list: Add bug reference for CVE-2020-26117 (tigervnc) as requested by maintainer.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 934c18d3 by Mike Gabriel at 2020-09-29T15:45:16+02:00 data/CVE/list: Add bug reference for CVE-2020-26117 (tigervnc) as requested by maintainer. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -37,7 +37,7 @@ CVE-2020-26119 CVE-2020-26118 RESERVED CVE-2020-26117 (In rfb/CSecurityTLS.cxx and rfb/CSecurityTLS.java in TigerVNC before 1 ...) - - tigervnc 1.10.1+dfsg-9 + - tigervnc 1.10.1+dfsg-9 (bug #970932) NOTE: https://bugzilla.opensuse.org/show_bug.cgi?id=1176733 NOTE: https://github.com/TigerVNC/tigervnc/commit/20dea801e747318525a5859fe4f37c52b05310cb (v1.11.0) NOTE: https://github.com/TigerVNC/tigervnc/commit/7399eab79a4365434d26494fa1628ce1eb91562b (v1.11.0) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/934c18d3e110f7938afd76689b5d370e8c20328e
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: re-claim php-horde-trean.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 5ae93680 by Mike Gabriel at 2020-09-18T22:29:23+02:00 data/dla-needed.txt: re-claim php-horde-trean. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -127,7 +127,7 @@ openssl1.0 -- osc (Adrian Bunk) -- -php-horde-trean +php-horde-trean (Mike Gabriel) NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in https://bugs.horde.org/ticket/14926 (sunweaver) NOTE: 20200829: We may not expect too much activity regarding this by upstream. (sunweaver) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5ae936808d4db09d272d676d41823b886d4bd48d
[Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: take samba from Ola and look into Samba AD related CVEs
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: f1e11b90 by Mike Gabriel at 2020-09-03T14:40:03+02:00 data/dla-needed.txt: take samba from Ola and look into Samba AD related CVEs - - - - - 5f4994db by Mike Gabriel at 2020-09-03T14:42:49+02:00 data/dla-needed.txt: unclaim fossil instead - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -63,7 +63,10 @@ firefox-esr (Emilio) NOTE: 20200720: working on ESR 78 backport. (pochu) NOTE: 20200831: backported llvm 10 and wasi-libc, looking into rustc/cargo (pochu) -- -fossil (Mike Gabriel) +fossil + NOTE: 20200903: looked into CVE-2020-24614: the fix for this CVE partially applies, but does not apply around a + NOTE: 20200903: database query in src/add.c. In fact, the patch fixing this CVE is quite invasive. Maybe decide + NOTE: 20200903: not to fix it? -- freerdp (Mike Gabriel) -- 
@@ -154,12 +157,13 @@ ruby-rack-cors (Utkarsh Gupta) NOTE: 20200817: Was fixed in DLA-2096-1 for jessie LTS but is now re-vulnerable again in stretch LTS AFAICT. (lamby) NOTE: 20200831: got a reproducer very recently. (utkarsh) -- -samba (Ola Lundqvist) +samba (Mike Gabriel) NOTE: 20200703: Check with security team so that there's no clash for Stretch update. (utkarsh) NOTE: 20200801: Stretch update already released, so no conflict. (roberto) NOTE: 20200801: Patches for CVE-2020-14303, CVE-2020-10760, CVE-2020-10745, and CVE-2020-10740, are ready. (roberto) NOTE: 20200801: Best to wait for additional CVEs before uploading; check with Roberto for patches. (roberto) NOTE: 20200830: Will remove this entry and mark all current CVEs as postponed. But first I need to know were the patches are (ola). + NOTE: 20200903: As discussed internally, I will look into Samba AD CVEs and revisit the risk assessment, plus fix the more severe issues (sunweaver) -- shiro -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f332654ee928678ed666de2316998a0bcce57f3b...5f4994db4e0aab92666095e2b0393be5f5bbcdde
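Review bot: in the fossil hunk (@@ -63,7 +63,10 @@) the three added NOTE lines carry no author tag, while the claim on the entry is removed in the same change, so the open question "Maybe decide not to fix it?" is left with nobody to ask. The samba NOTE added in the second hunk ends with "(sunweaver)"; add the same tag to the last fossil NOTE so whoever picks the package up next can follow up on the CVE-2020-24614 assessment.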
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: re-claim guacamole-client
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: a3d8dbe6 by Mike Gabriel at 2020-08-31T10:31:18+02:00 data/dla-needed.txt: re-claim guacamole-client - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -84,7 +84,7 @@ golang-go.crypto -- golang-golang-x-net-dev -- -guacamole-client +guacamole-client (Mike Gabriel) -- imagemagick (Markus Koschany) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a3d8dbe6030a3b7fa8cba6f9e955dc9ed0daacb9
[Git][security-tracker-team/security-tracker][master] 2 commits: data/CVE/list: Mark CVE-2019-12094/php-horde as ignored for all releases of Debian.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 51f575ae by Mike Gabriel at 2020-08-31T10:00:12+02:00 data/CVE/list: Mark CVE-2019-12094/php-horde as ignored for all releases of Debian. cf. https://bugs.horde.org/ticket/14926#c4 - - - - - 33a68a1d by Mike Gabriel at 2020-08-31T10:00:13+02:00 data/CVE/list: Mark CVE-2019-12095/php-horde-trean as ignored for all releases of Debian. cf. https://bugs.horde.org/ticket/14926#c4 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -83038,9 +83038,9 @@ CVE-2019-12096 CVE-2019-12095 (Horde Trean, as used in Horde Groupware Webmail Edition through 5.2.22 ...) {DLA-2033-1} - php-horde-trean - [buster] - php-horde-trean (Minor issue) - [stretch] - php-horde-trean (Minor issue) - [jessie] - php-horde-trean (Minor issue) + [buster] - php-horde-trean (Minor issue) + [stretch] - php-horde-trean (Minor issue) + [jessie] - php-horde-trean (Minor issue) - php-horde 5.2.21+debian0-1 [buster] - php-horde 5.2.20+debian0-1+deb10u1 [stretch] - php-horde 5.2.13+debian0-1+deb9u1 
@@ -83048,9 +83048,9 @@ CVE-2019-12095 (Horde Trean, as used in Horde Groupware Webmail Edition through NOTE: https://bugs.horde.org/ticket/14926 (for the stored XSS) CVE-2019-12094 (Horde Groupware Webmail Edition through 5.2.22 allows XSS via an admin ...) - php-horde - [buster] - php-horde (Minor issue) - [stretch] - php-horde (Minor issue) - [jessie] - php-horde (Minor issue) + [buster] - php-horde (Minor issue) + [stretch] - php-horde (Minor issue) + [jessie] - php-horde (Minor issue) NOTE: https://bugs.horde.org/ticket/14926 (for the reflected XSS) CVE-2019-12093 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/232bd5ad9baa63af3422edcc4ef97c9cf6cbdb63...33a68a1d8da5bd07a06335fb4f0c4f4e4c1fa299
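Review bot: the added [buster], [stretch] and [jessie] lines for php-horde-trean and php-horde keep the reason "(Minor issue)", while both commit messages justify the ignore decision with https://bugs.horde.org/ticket/14926#c4. The reason in parentheses is what readers of the tracker see, so state it there (for example a short phrase pointing at the upstream ticket comment) or add a NOTE with the #c4 link under each CVE; the existing NOTE lines link the ticket only as the XSS reference, not as the grounds for ignoring.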
[Git][security-tracker-team/security-tracker][master] data/CVE/list: Mark freerdp/stretch as not affected by CVE-2020-15103.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 02fab9be by Mike Gabriel at 2020-08-30T01:59:19+02:00 data/CVE/list: Mark freerdp/stretch as not affected by CVE-2020-15103. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20521,6 +20521,7 @@ CVE-2020-15103 (In FreeRDP less than or equal to 2.1.2, an integer overflow exis - freerdp2 2.2.0+dfsg1-1 (bug #965979) [buster] - freerdp2 (Minor issue) - freerdp + [stretch] - freerdp (Vulnerable gfx code not present) NOTE: https://github.com/FreeRDP/FreeRDP/pull/6381 NOTE: https://github.com/FreeRDP/FreeRDP/commit/be8c8640ead04b1e4fc9176c504bf688351c8924 (stable-2.0) NOTE: https://github.com/FreeRDP/FreeRDP/commit/da684f5335c2b3b726a39f3c091ce804e55f4f8e (stable-2.0) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02fab9be66a31848cd805b222f723fd2d1339332
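Review bot: the added [stretch] line gives "Vulnerable gfx code not present" as the reason, but nothing in the entry records how that was established for the freerdp source in stretch. A not-affected marking removes the package from further triage for this CVE, so add a NOTE naming the file or function from the linked upstream commits that was looked for and found absent, which lets a later reviewer re-check the claim without repeating the analysis.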
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: re-add freerdp and claim it, more issues to look at in more depth
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 255698cf by Mike Gabriel at 2020-08-30T01:57:30+02:00 data/dla-needed.txt: re-add freerdp and claim it, more issues to look at in more depth - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -72,6 +72,8 @@ firefox-esr (Emilio) -- fossil (Mike Gabriel) -- +freerdp (Mike Gabriel) +-- gnome-shell (Mike Gabriel) NOTE: 20200829: https://salsa.debian.org/gnome-team/gnome-shell/-/merge_requests/41 (sunweaver) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/255698cfad0291b93124ba17d24c3cc20ad02cb8
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2356-1 for freerdp
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 660fddf9 by Mike Gabriel at 2020-08-30T01:38:46+02:00 Reserve DLA-2356-1 for freerdp - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -25048,19 +25048,16 @@ CVE-2020-13398 (An issue was discovered in FreeRDP before 2.1.1. An out-of-bound - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp - [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/commit/8305349a943c68b1bc8c158f431dc607655aadea CVE-2020-13397 (An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds (OOB ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp - [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/commit/d6cd14059b257318f176c0ba3ee0a348826a9ef8 CVE-2020-13396 (An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds (OOB ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp - [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/commit/48361c411e50826cb602c7aab773a8a20e1da6bc CVE-2020-13395 RESERVED @@ -31012,7 +31009,6 @@ CVE-2020-11526 (libfreerdp/core/update.c in FreeRDP versions 1.1 through 2. - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 2.0.0~git20190204.1.2693389a+dfsg1-1+deb10u2 - freerdp - [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-97jw-m5w5-xvf9 NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/192856cb59974ee4d7d3e72cbeafa676aa7565cf NOTE: https://github.com/FreeRDP/FreeRDP/issues/6012 
@@ -31020,7 +31016,6 @@ CVE-2020-11525 (libfreerdp/cache/bitmap.c in FreeRDP versions 1.0 through 2 - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 2.0.0~git20190204.1.2693389a+dfsg1-1+deb10u2 - freerdp - [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9755-fphh-gmjg NOTE: https://github.com/FreeRDP/FreeRDP/commit/0b6b92a25a77d533b8a92d6acc840a81e103684e CVE-2020-11524 (libfreerdp/codec/interleaved.c in FreeRDP versions 1.0 through 2. ...) @@ -31034,21 +31029,18 @@ CVE-2020-11523 (libfreerdp/gdi/region.c in FreeRDP versions 1.0 through 2.0 - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 2.0.0~git20190204.1.2693389a+dfsg1-1+deb10u2 - freerdp - [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4qrh-8cp8-4x42 NOTE: https://github.com/FreeRDP/FreeRDP/commit/ce21b9d7ecd967e0bc98ed31a6b3757848aa6c9e CVE-2020-11522 (libfreerdp/gdi/gdi.c in FreeRDP 1.0 through 2.0.0-rc4 has an Out- ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 2.0.0~git20190204.1.2693389a+dfsg1-1+deb10u2 - freerdp - [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-48wx-7vgj-fffh NOTE: https://github.com/FreeRDP/FreeRDP/commit/907640a924fa7a9a99c80a48ac225e9d8e41548b CVE-2020-11521 (libfreerdp/codec/planar.c in FreeRDP version 1.0 through 2.0.0-rc ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 2.0.0~git20190204.1.2693389a+dfsg1-1+deb10u2 - freerdp - [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5cwc-6wc9-255w NOTE: https://github.com/FreeRDP/FreeRDP/commit/17f547ae11835bb11baa3d045245dc1694866845 CVE-2020-11520 (The SDDisk2k.sys driver of WinMagic SecureDoc v8.5 and earlier allows ...) 
@@ -32111,7 +32103,6 @@ CVE-2020-11058 (In FreeRDP after 1.1 and before 2.0.0, a stream out-of-bounds se - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp - [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-wjg2-2f82-466g NOTE: https://github.com/FreeRDP/FreeRDP/commit/3627aaf7d289315b614a584afb388f04abfb5bbf NOTE: https://github.com/FreeRDP/FreeRDP/issues/6011 @@ -32146,7 +32137,6 @@ CVE-2020-11048 (In FreeRDP after 1.0 and before 2.0.0, there is an out-of-bounds - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp - [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hv8w-f2hx-5gcv NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/9301bfe730c66180263248b74353daa99f5a969b NOTE: https://github.com/FreeRDP/FreeRDP/issues/6007 @@ -32162,7 +32152,6 @@ CVE-2020-11046 (In FreeRDP after 1.0 and before
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Revert the idea of EOL'ing freerdp. The Ubuntu security...
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: a87a5398 by Mike Gabriel at 2020-08-30T01:25:50+02:00 data/dla-needed.txt: Revert the idea of EOLing freerdp. The Ubuntu security team did a fabulous amount of work on backporting FreeRDP v2 patches back to FreeRDP v1.1. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -74,8 +74,6 @@ fossil (Mike Gabriel) -- freerdp (Mike Gabriel) NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby) - NOTE: 20200531: Discussing if EOL'ing of freerdp (1.1) makes sense (sunweaver) - NOTE: 20200815: freerdp 1.1 will be EOL'ed this month (sunweaver) -- gnome-shell (Mike Gabriel) NOTE: 20200829: https://salsa.debian.org/gnome-team/gnome-shell/-/merge_requests/41 (sunweaver) @@ -85,10 +83,6 @@ golang-go.crypto golang-golang-x-net-dev -- guacamole-client (Mike Gabriel) - NOTE: 20200815: As part of the EOL'ing of freerdp 1.1, guacamole-client will also be EOL'ed this month. - NOTE: 20200815: This package is scarcely maintained in Debian, there is no point in providing any more support for it in LTS. - NOTE: 20200815: The bad maintenance is not because of the maintainer, but because of upstream's delay to port the software - NOTE: 20200815: over to the freerdp2 API. (sunweaver) -- jetty9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a87a53989c2d3b82525fd7b7f4516d72986c31b6
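Review bot: both hunks delete the dated EOL notes (20200531 and 20200815 under freerdp, the four 20200815 lines under guacamole-client) without adding a NOTE that the EOL plan was dropped, so the reason survives only in the commit message. Anyone who read the 20200815 announcement in dla-needed.txt will now find both entries silently claimed again; add a dated NOTE under freerdp stating that the package stays supported because backported FreeRDP v2 patches for v1.1 are available, and one under guacamole-client saying its EOL is withdrawn as well.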
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Add notes for CVE-2019-12095/php-horde-trean.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 8ac06818 by Mike Gabriel at 2020-08-29T22:52:19+02:00 data/dla-needed.txt: Add notes for CVE-2019-12095/php-horde-trean. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -133,6 +133,8 @@ opendmarc openexr (Adrian Bunk) -- php-horde-trean (Mike Gabriel) + NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in https://bugs.horde.org/ticket/14926 (sunweaver) + NOTE: 20200829: We may not expect too much activity regarding this by upstream. (sunweaver) -- puma NOTE: 20200708: Vulnerable to (at least) CVE-2020-11076. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8ac068181d7b2667c7bc1d224ffee2745baa46bd
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Add note for gnome-shell.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 560d826a by Mike Gabriel at 2020-08-29T22:41:19+02:00 data/dla-needed.txt: Add note for gnome-shell. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -82,6 +82,7 @@ freerdp (Mike Gabriel) NOTE: 20200815: freerdp 1.1 will be EOL'ed this month (sunweaver) -- gnome-shell (Mike Gabriel) + NOTE: 20200829: https://salsa.debian.org/gnome-team/gnome-shell/-/merge_requests/41 (sunweaver) -- golang-go.crypto -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/560d826a6f6a6e2ddfafaaa4290321a237569ace
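Review bot: the NOTE added under gnome-shell is a bare merge-request URL, with no indication of which CVE it addresses or whether the merge request is the proposed fix, a backport, or only a discussion. Other notes in this file state the status in words (for example "Vulnerable to at least CVE-2020-11042" under freerdp); add a short description before the link so the entry is readable without opening Salsa.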
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Typo fix in pkg name.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 72d2321b by Mike Gabriel at 2020-08-29T22:25:07+02:00 data/dla-needed.txt: Typo fix in pkg name. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -131,7 +131,7 @@ opendmarc -- openexr (Adrian Bunk) -- -php-horde-tream (Mike Gabriel) +php-horde-trean (Mike Gabriel) -- puma NOTE: 20200708: Vulnerable to (at least) CVE-2020-11076. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72d2321bd7558889413b9eaa8308397c8ee797cf
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2352-1 for php-horde-gollem
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 19180022 by Mike Gabriel at 2020-08-29T22:02:34+02:00 Reserve DLA-2352-1 for php-horde-gollem - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -177703,7 +177703,6 @@ CVE-2017-15236 (Tiandy IP cameras 5.56.17.120 do not properly restrict a certain NOT-FOR-US: Tiandy IP cameras CVE-2017-15235 (The File Manager (gollem) module 3.0.11 in Horde Groupware 5.2.21 allo ...) - php-horde-gollem 3.0.12-1 - [stretch] - php-horde-gollem (Minor issue) [jessie] - php-horde-gollem (Minor issue) NOTE: https://blogs.securiteam.com/index.php/archives/3454 NOTE: https://lists.horde.org/archives/announce/2017/001260.html = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Aug 2020] DLA-2352-1 php-horde-gollem - security update + {CVE-2017-15235} + [stretch] - php-horde-gollem 3.0.10-1+deb9u2 [29 Aug 2020] DLA-2351-1 php-horde-kronolith - security update {CVE-2017-16906} [stretch] - php-horde-kronolith 4.2.19-1+deb9u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1918002284988b41ff55fee88e867417f3cf1a1c
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2351-1 for php-horde-kronolith
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: be5460f5 by Mike Gabriel at 2020-08-29T21:49:53+02:00 Reserve DLA-2351-1 for php-horde-kronolith - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -172386,7 +172386,6 @@ CVE-2017-16907 (In Horde Groupware 5.2.19 and 5.2.21, there is XSS via the Color CVE-2017-16906 (In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL field in a ...) {DLA-1537-1} - php-horde-kronolith 4.2.24-1 (bug #909737) - [stretch] - php-horde-kronolith (Minor issue) NOTE: http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html NOTE: https://bugs.horde.org/ticket/14857 NOTE: https://github.com/horde/kronolith/commit/09d90141292f9ec516a7a2007bf828ce2bbdf60d = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Aug 2020] DLA-2351-1 php-horde-kronolith - security update + {CVE-2017-16906} + [stretch] - php-horde-kronolith 4.2.19-1+deb9u2 [29 Aug 2020] DLA-2350-1 php-horde-kronolith - security update {CVE-2017-16908} [stretch] - php-horde-kronolith 4.2.19-1+deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be5460f55d8cfa11cf2fd5e1504754683e7ca8a9
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2350-1 for php-horde-kronolith
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 92bcaa0a by Mike Gabriel at 2020-08-29T21:36:13+02:00 Reserve DLA-2350-1 for php-horde-kronolith - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -172371,7 +172371,6 @@ CVE-2017-16909 (An error related to the "LibRaw::panasonic_load_raw()" function NOTE: https://github.com/LibRaw/LibRaw/commit/2f59bac59dbcbf6bbcf01a9f3eed74307e96ca7e CVE-2017-16908 (In Horde Groupware 5.2.19, there is XSS via the Name field during crea ...) - php-horde-kronolith 4.2.24-1 (bug #909738) - [stretch] - php-horde-kronolith (Minor issue) [jessie] - php-horde-kronolith (vulnerable code not present) NOTE: http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html NOTE: https://bugs.horde.org/ticket/14857 = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Aug 2020] DLA-2350-1 php-horde-kronolith - security update + {CVE-2017-16908} + [stretch] - php-horde-kronolith 4.2.19-1+deb9u1 [29 Aug 2020] DLA-2349-1 php-horde - security update {CVE-2017-16907} [stretch] - php-horde 5.2.13+debian0-1+deb9u3 = data/dla-needed.txt = @@ -131,8 +131,6 @@ opendmarc -- openexr (Adrian Bunk) -- -php-horde-kronolith (Mike Gabriel) --- php-horde-tream (Mike Gabriel) -- puma View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92bcaa0a32a516cbaa871688da8862ef7839ddcd
[Git][security-tracker-team/security-tracker][master] data/CVE/list: Mark CVE-2020-5818 as fixed by php-horde-data 2.1.5-1 (uploaded in 07/2020).
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: be8f145c by Mike Gabriel at 2020-08-29T21:15:40+02:00 data/CVE/list: Mark CVE-2020-5818 as fixed by php-horde-data 2.1.5-1 (uploaded in 07/2020). - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -38780,7 +38780,7 @@ CVE-2020-8519 (SQL injection with the search parameter in Records.php for phpzag NOT-FOR-US: phpzag CVE-2020-8518 (Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary P ...) {DLA-2174-1} - - php-horde-data (bug #951537) + - php-horde-data 2.1.5-1 (bug #951537) [buster] - php-horde-data 2.1.4-5+deb10u1 [stretch] - php-horde-data 2.1.4-3+deb9u1 NOTE: https://lists.horde.org/archives/announce/2020/001285.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be8f145c4001f697190d9db00ef5b7ad3cdc9a45
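Review bot: the commit message says CVE-2020-5818, but the changed php-horde-data line sits under the CVE-2020-8518 entry (the hunk context runs from CVE-2020-8519 to CVE-2020-8518 and no CVE-2020-5818 line appears). The data change looks placed under the intended Horde entry, so the identifier in the message appears to have two digits transposed; since the message cannot be amended once pushed, mention the correct CVE in a follow-up commit or on the list so history searches for CVE-2020-8518 find the fixed-version change.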
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2349-1 for php-horde
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 415e3b18 by Mike Gabriel at 2020-08-29T17:38:52+02:00 Reserve DLA-2349-1 for php-horde - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -172379,7 +172379,6 @@ CVE-2017-16908 (In Horde Groupware 5.2.19, there is XSS via the Name field durin CVE-2017-16907 (In Horde Groupware 5.2.19 and 5.2.21, there is XSS via the Color field ...) {DLA-1536-1 DLA-1535-1} - php-horde 5.2.18+debian0-1 (bug #909739) - [stretch] - php-horde (Minor issue) - php-horde-core 2.31.3+debian0-1 (bug #909800) NOTE: http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html NOTE: https://bugs.horde.org/ticket/14857 = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Aug 2020] DLA-2349-1 php-horde - security update + {CVE-2017-16907} + [stretch] - php-horde 5.2.13+debian0-1+deb9u3 [29 Aug 2020] DLA-2348-1 php-horde-core - security update {CVE-2017-16907} [stretch] - php-horde-core 2.27.6+debian1-2+deb9u1 = data/dla-needed.txt = @@ -131,8 +131,6 @@ opendmarc -- openexr (Adrian Bunk) -- -php-horde (Mike Gabriel) --- php-horde-kronolith (Mike Gabriel) -- php-horde-tream (Mike Gabriel) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/415e3b1838934a68747eaa9ffb17a4ad69a31e55
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2348-1 for php-horde-core
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: c0056003 by Mike Gabriel at 2020-08-29T17:36:49+02:00 Reserve DLA-2348-1 for php-horde-core - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -172381,7 +172381,6 @@ CVE-2017-16907 (In Horde Groupware 5.2.19 and 5.2.21, there is XSS via the Color - php-horde 5.2.18+debian0-1 (bug #909739) [stretch] - php-horde (Minor issue) - php-horde-core 2.31.3+debian0-1 (bug #909800) - [stretch] - php-horde-core (Minor issue) NOTE: http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html NOTE: https://bugs.horde.org/ticket/14857 NOTE: php-horde: https://github.com/horde/base/commit/fb2113bbcd04bd4a28c46aad0889fb0a3979a230 = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Aug 2020] DLA-2348-1 php-horde-core - security update + {CVE-2017-16907} + [stretch] - php-horde-core 2.27.6+debian1-2+deb9u1 [28 Aug 2020] DLA-2347-1 libvncserver - security update {CVE-2019-20839 CVE-2020-14397 CVE-2020-14399 CVE-2020-14400 CVE-2020-14401 CVE-2020-14402 CVE-2020-14403 CVE-2020-14404 CVE-2020-14405} [stretch] - libvncserver 0.9.11+dfsg-1.3~deb9u5 = data/dla-needed.txt = @@ -133,8 +133,6 @@ openexr (Adrian Bunk) -- php-horde (Mike Gabriel) -- -php-horde-core (Mike Gabriel) --- php-horde-kronolith (Mike Gabriel) -- php-horde-tream (Mike Gabriel) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0056003e9cd45e082727bcd1fc50104ef0b4c25
[Git][security-tracker-team/security-tracker][master] 3 commits: data/dla-needed.txt: Add various php-horde-* components and claim them.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 73171607 by Mike Gabriel at 2020-08-29T12:06:32+02:00 data/dla-needed.txt: Add various php-horde-* components and claim them. - - - - - 42e89034 by Mike Gabriel at 2020-08-29T12:09:02+02:00 data/dla-needed.txt: Claim fossil. - - - - - 59087f0c by Mike Gabriel at 2020-08-29T12:11:51+02:00 data/CVE/list: Update CVE-2020-17489; Switch it back to no-dsa for buster (fix via buster-pu); for stretch lets fix it via LTS upload. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -15139,8 +15139,7 @@ CVE-2020-17490 RESERVED CVE-2020-17489 (An issue was discovered in certain configurations of GNOME gnome-shell ...) - gnome-shell 3.36.5-1 (bug #968311) - [buster] - gnome-shell (Visible passwords in GDM3/lock-screen only got introduced in GNOME 3.36) - [stretch] - gnome-shell (Visible passwords in GDM3/lock-screen only got introduced in GNOME 3.36) + [buster] - gnome-shell (Visible passwords in GDM3/lock-screen introduced in 3.36, only password length revealed in earlier versions) NOTE: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997 NOTE: https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1377 NOTE: https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/13137aad9db52223e8b62cecbd3456f4a7f66f04 = data/dla-needed.txt = @@ -74,7 +74,7 @@ firefox-esr (Emilio) NOTE: 20200720: working on ESR 78 backport. (pochu) NOTE: 20200810: backported llvm 10, looking into wasi-libc and rustc/cargo (pochu) -- -fossil +fossil (Mike Gabriel) -- freerdp (Mike Gabriel) NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby) 
@@ -131,6 +131,14 @@ opendmarc -- openexr (Adrian Bunk) -- +php-horde (Mike Gabriel) +-- +php-horde-core (Mike Gabriel) +-- +php-horde-kronolith (Mike Gabriel) +-- +php-horde-tream (Mike Gabriel) +-- puma NOTE: 20200708: Vulnerable to (at least) CVE-2020-11076. (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/89d26b8bc4c476a87257e1f35ade4b6f8ad3bea4...59087f0cdbbdc1f49b28fe17e6987e7ffbed509d
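Review bot: In the data/dla-needed.txt hunk at @@ -131,6 +131,14, the added entry "php-horde-tream (Mike Gabriel)" looks like a misspelling of the source package php-horde-trean. An entry under a name that matches no source package will not line up with the tracker's data for that package, so the spelling should be corrected before the claim is relied on.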
[Git][security-tracker-team/security-tracker][master] Revert "data/dla-needed.txt: Drop gnome-shell, nothing to be done (see prev commit)."
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 89d26b8b by Mike Gabriel at 2020-08-29T11:54:10+02:00 Revert data/dla-needed.txt: Drop gnome-shell, nothing to be done (see prev commit). This reverts commit a94c4ff91126b3ff31e2035dce97749e9614898b after having discussed the issue with Salvatore Bonaccorso from the Debian Security Team. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -81,6 +81,8 @@ freerdp (Mike Gabriel) NOTE: 20200531: Discussing if EOL'ing of freerdp (1.1) makes sense (sunweaver) NOTE: 20200815: freerdp 1.1 will be EOL'ed this month (sunweaver) -- +gnome-shell (Mike Gabriel) +-- golang-go.crypto -- golang-golang-x-net-dev View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/89d26b8bc4c476a87257e1f35ade4b6f8ad3bea4
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Drop gnome-shell, nothing to be done (see prev commit).
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: a94c4ff9 by Mike Gabriel at 2020-08-29T08:16:49+02:00 data/dla-needed.txt: Drop gnome-shell, nothing to be done (see prev commit). - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -81,8 +81,6 @@ freerdp (Mike Gabriel) NOTE: 20200531: Discussing if EOL'ing of freerdp (1.1) makes sense (sunweaver) NOTE: 20200815: freerdp 1.1 will be EOL'ed this month (sunweaver) -- -gnome-shell (Mike Gabriel) --- golang-go.crypto -- golang-golang-x-net-dev View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a94c4ff91126b3ff31e2035dce97749e9614898b
[Git][security-tracker-team/security-tracker][master] data/CVE/list: Mark gnome-shell/stretch and gnome-shell/buster as not affected by CVE-2020-17489.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 11b15e87 by Mike Gabriel at 2020-08-29T08:02:24+02:00 data/CVE/list: Mark gnome-shell/stretch and gnome-shell/buster as not affected by CVE-2020-17489. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15137,7 +15137,8 @@ CVE-2020-17490 RESERVED CVE-2020-17489 (An issue was discovered in certain configurations of GNOME gnome-shell ...) - gnome-shell 3.36.5-1 (bug #968311) - [buster] - gnome-shell (Minor issue) + [buster] - gnome-shell (Visible passwords in GDM3/lock-screen only got introduced in GNOME 3.36) + [stretch] - gnome-shell (Visible passwords in GDM3/lock-screen only got introduced in GNOME 3.36) NOTE: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997 NOTE: https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1377 NOTE: https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/13137aad9db52223e8b62cecbd3456f4a7f66f04 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/11b15e8790eef508bd40d4f2c05c2cbfb92474b9
[Git][security-tracker-team/security-tracker][master] 2 commits: data/CVE/list: Go over open CVEs for libvncserver (stretch+buster) and tag...
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 5b2699bf by Mike Gabriel at 2020-08-28T23:22:13+02:00 data/CVE/list: Go over open CVEs for libvncserver (stretch+buster) and tag some as not-affected or ignored. - - - - - 40134cf4 by Mike Gabriel at 2020-08-28T23:23:45+02:00 Reserve DLA-2347-1 for libvncserver - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -19851,6 +19851,8 @@ CVE-2019-20893 (An issue was discovered in Activision Infinity Ward Call of Duty NOT-FOR-US: Activision CVE-2017-18922 (It was discovered that websockets.c in LibVNCServer prior to 0.9.12 di ...) - libvncserver 0.9.12+dfsg-3 + [buster] - libvncserver (Required change too invasive, minor issue) + [stretch] - libvncserver (Required change too invasive, minor issue) NOTE: https://github.com/LibVNC/libvncserver/commit/aac95a9dcf4bbba87b76c72706c3221a842ca433 NOTE: https://www.openwall.com/lists/oss-security/2020/06/30/2 CVE-2020-15393 (In the Linux kernel through 5.7.6, usbtest_disconnect in drivers/usb/m ...) @@ -22361,7 +22363,9 @@ CVE-2020-14399 (** DISPUTED ** An issue was discovered in LibVNCServer before 0. NOTE: https://github.com/LibVNC/libvncserver/commit/23e5cbe6b090d7f22982aee909a6a618174d3c2d CVE-2020-14398 (An issue was discovered in LibVNCServer before 0.9.13. An improperly c ...) - libvncserver 0.9.13+dfsg-1 - [jessie] - libvncserver (Proposed patch might break ABI consumers) + [buster] - libvncserver (Proposed patch might break ABI for consumers) + [stretch] - libvncserver (Proposed patch might break ABI for consumers) + [jessie] - libvncserver (Proposed patch might break ABI for consumers) NOTE: https://github.com/LibVNC/libvncserver/commit/57433015f856cc12753378254ce4f1c78f5d9c7b CVE-2020-14397 (An issue was discovered in LibVNCServer before 0.9.13. libvncserver/rf ...) {DLA-2264-1} 
@@ -22369,6 +22373,8 @@ CVE-2020-14397 (An issue was discovered in LibVNCServer before 0.9.13. libvncser NOTE: https://github.com/LibVNC/libvncserver/commit/38e98ee61d74f5f5ab4aa4c77146faad1962d6d0 CVE-2020-14396 (An issue was discovered in LibVNCServer before 0.9.13. libvncclient/tl ...) - libvncserver 0.9.13+dfsg-1 + [buster] - libvncserver (Vulnerable code not present) + [stretch] - libvncserver (Vulnerable code not present) [jessie] - libvncserver (Vulnerable code not present) NOTE: https://github.com/LibVNC/libvncserver/commit/33441d90a506d5f3ae9388f2752901227e430553 CVE-2020-14395 @@ -22872,6 +22878,8 @@ CVE-2020-14216 RESERVED CVE-2019-20840 (An issue was discovered in LibVNCServer before 0.9.13. libvncserver/ws ...) - libvncserver 0.9.13+dfsg-1 + [buster] - libvncserver (Vulnerable code not present) + [stretch] - libvncserver (Vulnerable code not present) [jessie] - libvncserver (Vulnerable code not present) NOTE: https://github.com/LibVNC/libvncserver/commit/0cf1400c61850065de590d403f6d49e32882fd76 CVE-2019-20839 (libvncclient/sockets.c in LibVNCServer before 0.9.13 has a buffer over ...) = data/DLA/list = @@ -1,3 +1,6 @@ +[28 Aug 2020] DLA-2347-1 libvncserver - security update + {CVE-2019-20839 CVE-2020-14397 CVE-2020-14399 CVE-2020-14400 CVE-2020-14401 CVE-2020-14402 CVE-2020-14403 CVE-2020-14404 CVE-2020-14405} + [stretch] - libvncserver 0.9.11+dfsg-1.3~deb9u5 [27 Aug 2020] DLA-2346-1 firefox-esr - security update {CVE-2020-15664 CVE-2020-15669} [stretch] - firefox-esr 68.12.0esr-1~deb9u1 = data/dla-needed.txt = 
@@ -98,8 +98,6 @@ jetty9 jupyter-notebook (Mike Gabriel) NOTE: 20200711: Vulnerable to (at least) CVE-2018-19351. (lamby) -- -libvncserver (Mike Gabriel) --- libx11 (Emilio) NOTE: 20200825: regression update (pochu) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/08ea8b40f384ca8e484161b0fe3ac32c866c6e25...40134cf446c649b78b7321254dd29bb772a920d2
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: add netty and netty-3.9
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: af683634 by Mike Gabriel at 2020-08-15T15:36:38+02:00 data/dla-needed.txt: add netty and netty-3.9 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -122,6 +122,10 @@ mumble -- ndpi -- +netty +-- +netty-3.9 +-- nss (Adrian Bunk) NOTE: 20200706: from dsa-needed.txt: Roberto proposed an update including fixes for CVE-2018-12404 and CVE-2018-18508 (Beuc) NOTE: 20200810: packages are being tested (bunk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af6836342e6bce8824a64e39726dfe0a6ec80189
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: add openexr
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 07a49ad1 by Mike Gabriel at 2020-08-15T15:34:58+02:00 data/dla-needed.txt: add openexr - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -129,6 +129,8 @@ nss (Adrian Bunk) opendmarc NOTE: 20200719: no patches for remaining CVEs available, everything else is already done in Stretch (thorsten) -- +openexr +-- postgresql-9.6 (Emilio) NOTE: 20200814: coordinating announcement with maintainer (pochu) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/07a49ad1a22057c7972d7de4ea1136ab051edb4b
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: add qt4-x11 and qtbase-opensource-src.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 463c016a by Mike Gabriel at 2020-08-15T15:27:50+02:00 data/dla-needed.txt: add qt4-x11 and qtbase-opensource-src. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -140,6 +140,14 @@ python2.7 (Thorsten Alteholz) -- qemu (Abhijith PA) -- +qt4-x11 + NOTE: 20200815: Minor issue, but easy to fix (CVE-2020-17507). Low prio. + NOTE: 20200815: One could possibly look at the other issues and decide whether they are worth fixing along. (sunweaver) +-- +qtbase-opensource-src + NOTE: 20200815: Minor issue, but easy to fix (CVE-2020-17507). Low prio. + NOTE: 20200815: One could possibly look at the other issues and decide whether they are worth fixing along. (sunweaver) +-- samba NOTE: 20200703: Check with security team so that there's no clash for Stretch update. (utkarsh) NOTE: 20200801: Stretch update already released, so no conflict. (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/463c016abd66faa1c02eb675a0d6edc3a2fc3c2e
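Review bot: Both entries added in the data/dla-needed.txt hunk carry the note "One could possibly look at the other issues" without saying which issues are meant. Listing their CVE ids, as the line above does for CVE-2020-17507, would let whoever claims qt4-x11 or qtbase-opensource-src decide the scope of the upload without repeating the triage.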
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: add software-properties
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 1a4e7447 by Mike Gabriel at 2020-08-15T15:23:26+02:00 data/dla-needed.txt: add software-properties - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -153,6 +153,8 @@ sane-backends (Sylvain Beucler) slirp NOTE: 20200724: Version in stretch also requires backport of patch from CVE-2020-7039 (lamby) -- +software-properties +-- sqlite3 (Roberto C. Sánchez) NOTE: 20200712: Vulnerable to at least CVE-2020-13630. (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1a4e7447b25672af75b24f328b20189b44b8fa68
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: re-order packages
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: e8cb0db2 by Mike Gabriel at 2020-08-15T15:19:34+02:00 data/dla-needed.txt: re-order packages - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -153,13 +153,13 @@ sane-backends (Sylvain Beucler) slirp NOTE: 20200724: Version in stretch also requires backport of patch from CVE-2020-7039 (lamby) -- +sqlite3 (Roberto C. Sánchez) + NOTE: 20200712: Vulnerable to at least CVE-2020-13630. (lamby) +-- squid3 (Markus Koschany) NOTE: 20200813: CVE-2020-15049 requires more testing but backport works in NOTE: principle. -- -sqlite3 (Roberto C. Sánchez) - NOTE: 20200712: Vulnerable to at least CVE-2020-13630. (lamby) --- sympa NOTE: 20200525: Incomplete patch. Not the complete patch is made public. (utkarsh) NOTE: 20200525: But that is weird, given their announcement. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8cb0db2c2f9de8d7c80defe3d6dbc4db3dfe943
[Git][security-tracker-team/security-tracker][master] 3 commits: data/CVE/list: wireshark/stretch not affected by CVE-2020-17499
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: b686d26c by Mike Gabriel at 2020-08-15T15:00:39+02:00 data/CVE/list: wireshark/stretch not affected by CVE-2020-17499 - - - - - 8959c85e by Mike Gabriel at 2020-08-15T15:05:53+02:00 data/dla-needed.txt: add yubico-piv-tool - - - - - fa6f220f by Mike Gabriel at 2020-08-15T15:14:33+02:00 data/CVE/list: mark CVE-2020-2433{0,1,2}/trousers/stretch as ignored. Service does not get launched as root. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -54,16 +54,19 @@ CVE-2020-24333 RESERVED CVE-2020-24332 (An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon ...) - trousers + [stretch] - trousers (tss service gets started as non-root user via init script) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1164472 NOTE: https://sourceforge.net/p/trousers/mailman/message/37015817/ NOTE: http://www.openwall.com/lists/oss-security/2020/08/14/1 CVE-2020-24331 (An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon ...) - trousers + [stretch] - trousers (tss service gets started as non-root user via init script) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1164472 NOTE: https://sourceforge.net/p/trousers/mailman/message/37015817/ NOTE: http://www.openwall.com/lists/oss-security/2020/08/14/1 CVE-2020-24330 (An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon ...) - trousers + [stretch] - trousers (tss service gets started as non-root user via init script) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1164472 NOTE: https://sourceforge.net/p/trousers/mailman/message/37015817/ NOTE: http://www.openwall.com/lists/oss-security/2020/08/14/1 
@@ -13737,6 +13740,7 @@ CVE-2020-17499 RESERVED CVE-2020-17498 (In Wireshark 3.2.0 to 3.2.5, the Kafka protocol dissector could crash. ...) - wireshark 3.2.6-1 + [stretch] - wireshark (Vulnerable compose_tvb code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16672 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=76afda963de4f0b9be24f2d8e873990a5cbf221b NOTE: https://www.wireshark.org/security/wnpa-sec-2020-10.html = data/dla-needed.txt = @@ -187,3 +187,7 @@ xcftools NOTE: 20200523: Proposed fix https://github.com/j-jorge/xcftools/pull/15 (gladk) NOTE: 20200605: Patch https://salsa.debian.org/lts-team/packages/xcftools/-/blob/fix/test-CVE-2019-5087/debian/patches/CVE-2019-5087.patch (gladk) -- +yubico-piv-tool + NOTE: 20200815: About CVE-2020-13131. Blog post available, but patch URLs seemingly not provided. + NOTE: 20200815: Needs deeper research. (sunweaver) +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/54d17f9ed798f9a298678e389a2ca3834947e1b9...fa6f220f759eae6570e41004db5a9bf6851975a6
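Review bot: The subject of commit b686d26c says wireshark/stretch is not affected by CVE-2020-17499, but the hunk at @@ -13737,6 +13740,7 adds the [stretch] line under CVE-2020-17498 (the Kafka dissector crash), and CVE-2020-17499 appears in the context only as RESERVED. The subject should name CVE-2020-17498 so the history matches the entry that was actually changed.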
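Review bot: The yubico-piv-tool entry added at the end of data/dla-needed.txt says "Blog post available" for CVE-2020-13131 but gives no URL. Put the link in the NOTE so the next person does not have to locate the post again before starting the research the second NOTE asks for.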
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: add tomcat7
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: d503a896 by Mike Gabriel at 2020-08-15T14:26:17+02:00 data/dla-needed.txt: add tomcat7 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -171,6 +171,8 @@ sympa NOTE: 20200604: the non-public patch is being discussed internally. (utkarsh) NOTE: 20200604: shall process the upload once the confirmation is given. (utkarsh) -- +tomcat7 +-- wordpress NOTE: 20200710: Vulnerable to at least CVE-2020-4046. (lamby) NOTE: 20200710: During triage noticed that CVE-2020-4046 was marked as fixed View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d503a89609eee8da1c9c499bea44b9f625b8c348
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: add ndpi
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 918ae2e7 by Mike Gabriel at 2020-08-15T14:24:42+02:00 data/dla-needed.txt: add ndpi - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -120,6 +120,8 @@ mumble NOTE: 20200504: discussion going on with t...@security.debian.org and mumble maintainer (abhijith) NOTE: 20200723: https://lists.debian.org/debian-lts/2020/05/msg8.html (abhijith) -- +ndpi +-- nss (Adrian Bunk) NOTE: 20200706: from dsa-needed.txt: Roberto proposed an update including fixes for CVE-2018-12404 and CVE-2018-18508 (Beuc) NOTE: 20200810: packages are being tested (bunk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/918ae2e781183310f7dbc1c7c9b6f3b08ed40f8a
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: add libjackson-json-java (and add PR reference for CVE-2019-10172)
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: ba21a9ec by Mike Gabriel at 2020-08-15T14:22:24+02:00 data/dla-needed.txt: add libjackson-json-java (and add PR reference for CVE-2019-10172) - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -86680,6 +86680,7 @@ CVE-2019-10172 (A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9. - libjackson-json-java NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1715075 NOTE: https://stackoverflow.com/questions/38017676/small-fix-for-cve-2016-3720-with-older-versions-of-jackson-all-1-9-11-and-in-ja/38017721 + NOTE: https://github.com/FasterXML/jackson-1/pull/1 CVE-2019-10171 (It was found that the fix for CVE-2018-14648 in 389-ds-base, versions ...) - 389-ds-base (Incomplete RHEL backport) CVE-2019-10170 (A flaw was found in the Keycloak admin console, where the realm manage ...) = data/dla-needed.txt = @@ -103,6 +103,8 @@ jupyter-notebook (Mike Gabriel) -- libetpan -- +libjackson-json-java +-- libvncserver (Mike Gabriel) -- linux (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba21a9ec97ec3d470a1a83f24f08e8a7f29d97b8
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: add libetpan
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 35f5c605 by Mike Gabriel at 2020-08-15T14:18:58+02:00 data/dla-needed.txt: add libetpan - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -16946,6 +16946,7 @@ CVE-2020-15954 (KDE KMail 19.12.3 (aka 5.13.3) engages in unencrypted POP3 commu CVE-2020-15953 (LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other ...) - libetpan (bug #966647) NOTE: https://github.com/dinhvh/libetpan/issues/386 + NOTE: https://github.com/dinhvh/libetpan/pull/388 CVE-2020-15952 RESERVED CVE-2020-15951 = data/dla-needed.txt = @@ -101,6 +101,8 @@ jruby (Adrian Bunk) jupyter-notebook (Mike Gabriel) NOTE: 20200711: Vulnerable to (at least) CVE-2018-19351. (lamby) -- +libetpan +-- libvncserver (Mike Gabriel) -- linux (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/35f5c60546c3594835013e407eb4cab0f2960d61
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: add and claim libvncserver (as maintainer)
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 4dad73f9 by Mike Gabriel at 2020-08-15T14:16:03+02:00 data/dla-needed.txt: add and claim libvncserver (as maintainer) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -101,6 +101,8 @@ jruby (Adrian Bunk) jupyter-notebook (Mike Gabriel) NOTE: 20200711: Vulnerable to (at least) CVE-2018-19351. (lamby) -- +libvncserver (Mike Gabriel) +-- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4dad73f9c528f4df41282a54f1f89537f3e8b0ee
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim jupyter-notebook
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 8eb27011 by Mike Gabriel at 2020-08-15T14:15:15+02:00 data/dla-needed.txt: claim jupyter-notebook - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -98,7 +98,7 @@ jetty9 jruby (Adrian Bunk) NOTE: 20200706: all open CVEs were fixed in jessie (Beuc) -- -jupyter-notebook +jupyter-notebook (Mike Gabriel) NOTE: 20200711: Vulnerable to (at least) CVE-2018-19351. (lamby) -- linux (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8eb270116bd7ab08e864fbe282aaadfcba101e35
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: add jetty9
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: db4c04f4 by Mike Gabriel at 2020-08-15T14:01:12+02:00 data/dla-needed.txt: add jetty9 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -93,6 +93,8 @@ imagemagick (Markus Koschany) -- inetutils (Adrian Bunk) -- +jetty9 +-- jruby (Adrian Bunk) NOTE: 20200706: all open CVEs were fixed in jessie (Beuc) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db4c04f4a6aca2b42177307d2f0967d8fcb9455b
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Attribute my comments with my nickname.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: ba8b424d by Mike Gabriel at 2020-08-15T13:57:30+02:00 data/dla-needed.txt: Attribute my comments with my nickname. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -29,7 +29,7 @@ ark (Abhijith PA) NOTE: 20200801: though testing with other PoC's available over internet seems exploitable (abhijith) -- asyncpg (Utkarsh Gupta) - NOTE: 20200815: Minor issue, but easy to fix. + NOTE: 20200815: Minor issue, but easy to fix. (sunweaver) -- cacti NOTE: 20200529: A patch need to be cooked up. Upstream patch not fit for jessie version (abhijith) @@ -62,7 +62,7 @@ eclipse-wtp -- f2fs-tools NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 and 1.13.0, but it is not trivial to - NOTE: 20200815: to detect which of the patches correlates to the CVE. Contacting upstream might be necessary. + NOTE: 20200815: to detect which of the patches correlates to the CVE. Contacting upstream might be necessary. (sunweaver) -- firefox-esr (Emilio) NOTE: 20200720: working on ESR 78 backport. (pochu) @@ -73,7 +73,7 @@ firejail freerdp (Mike Gabriel) NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby) NOTE: 20200531: Discussing if EOL'ing of freerdp (1.1) makes sense (sunweaver) - NOTE: 20200815: freerdp 1.1 will be EOL'ed this month + NOTE: 20200815: freerdp 1.1 will be EOL'ed this month (sunweaver) -- ghostscript (Sylvain Beucler) -- 
@@ -83,7 +83,7 @@ guacamole-client (Mike Gabriel) NOTE: 20200815: As part of the EOL'ing of freerdp 1.1, guacamole-client will also be EOL'ed this month. NOTE: 20200815: This package is scarcely maintained in Debian, there is no point in providing any more support for it in LTS. NOTE: 20200815: The bad maintenance is not because of the maintainer, but because of upstream's delay to port the software - NOTE: 20200815: over to the freerdp2 API. + NOTE: 20200815: over to the freerdp2 API. (sunweaver) -- htmlunit -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba8b424d15ea9f6fde60203a9b5a43bb1e7d89d6
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: add htmlunit
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: ae4a7b48 by Mike Gabriel at 2020-08-15T13:51:34+02:00 data/dla-needed.txt: add htmlunit - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -91,6 +91,8 @@ imagemagick (Markus Koschany) -- inetutils (Adrian Bunk) -- +htmlunit +-- jruby (Adrian Bunk) NOTE: 20200706: all open CVEs were fixed in jessie (Beuc) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ae4a7b48574f1bdc4606b390aa1d5078f745b2d9
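Review bot: The new "htmlunit" entry is inserted after inetutils and before jruby, which breaks the alphabetical order the surrounding entries follow (imagemagick, inetutils, jruby). It belongs ahead of imagemagick. The entry also has no NOTE or claimant, so nothing in the file says which issue put the package on the list.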
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: add guacamole-client and internally announce its EOL for...
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 8e3db5f7 by Mike Gabriel at 2020-08-15T13:48:53+02:00 data/dla-needed.txt: add guacamole-client and internally announce its EOL for Debian stretch (along with freerdp 1.1). - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -70,14 +70,21 @@ firefox-esr (Emilio) -- firejail -- -freerdp +freerdp (Mike Gabriel) NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby) NOTE: 20200531: Discussing if EOL'ing of freerdp (1.1) makes sense (sunweaver) + NOTE: 20200815: freerdp 1.1 will be EOL'ed this month -- ghostscript (Sylvain Beucler) -- gnome-shell (Mike Gabriel) -- +guacamole-client (Mike Gabriel) + NOTE: 20200815: As part of the EOL'ing of freerdp 1.1, guacamole-client will also be EOL'ed this month. + NOTE: 20200815: This package is scarcely maintained in Debian, there is no point in providing any more support for it in LTS. + NOTE: 20200815: The bad maintenance is not because of the maintainer, but because of upstream's delay to port the software + NOTE: 20200815: over to the freerdp2 API. +-- imagemagick (Markus Koschany) NOTE: 20200813: Intend to split the work into two updates because of the numerous NOTE: patches. Will upload part 1 tomorrow und part 2 next week. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e3db5f70541ae61be5d815564addce9c0e812d7
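Review bot: The NOTE lines added under freerdp and guacamole-client carry no trailing nickname, while the two existing freerdp notes in the same hunk end in (lamby) and (sunweaver). Since these lines announce that two packages lose security support, they should be attributable; append the author tag. The fourth guacamole-client line also restarts with "NOTE: 20200815:" in the middle of a sentence, whereas the imagemagick entry in the context continues a note with a bare "NOTE:".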
[Git][security-tracker-team/security-tracker][master] data/CVE/list: Mark icinga2/stretch as not affected by CVE-2020-14004.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 61e36734 by Mike Gabriel at 2020-08-15T13:36:25+02:00 data/CVE/list: Mark icinga2/stretch as not affected by CVE-2020-14004. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21938,6 +21938,7 @@ CVE-2020-14005 (Solarwinds Orion (with Web Console WPM 2019.4.1, and Orion Platf NOT-FOR-US: Solarwinds CVE-2020-14004 (An issue was discovered in Icinga2 before v2.12.0-rc1. The prepare-dir ...) - icinga2 + [stretch] - icinga2 (prepare-dirs script not shipped) [jessie] - icinga2 (prepare-dirs script not shipped) NOTE: https://www.openwall.com/lists/oss-security/2020/06/12/1 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1172171 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61e36734b82af3ec64607813af71a80f8c366c69
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: add gnome-shell (and claim it).
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: af956f0b by Mike Gabriel at 2020-08-15T13:32:55+02:00 data/dla-needed.txt: add gnome-shell (and claim it). - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -76,6 +76,8 @@ freerdp -- ghostscript (Sylvain Beucler) -- +gnome-shell (Mike Gabriel) +-- imagemagick (Markus Koschany) NOTE: 20200813: Intend to split the work into two updates because of the numerous NOTE: patches. Will upload part 1 tomorrow und part 2 next week. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af956f0b49b9f458d09a4f8bb4a2f70cf6dc6b7c
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: add firefail
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 0eb8d6bb by Mike Gabriel at 2020-08-15T13:26:47+02:00 data/dla-needed.txt: add firefail - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -68,6 +68,8 @@ firefox-esr (Emilio) NOTE: 20200720: working on ESR 78 backport. (pochu) NOTE: 20200810: backported llvm 10, looking into wasi-libc and rustc/cargo (pochu) -- +firejail +-- freerdp NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby) NOTE: 20200531: Discussing if EOL'ing of freerdp (1.1) makes sense (sunweaver) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0eb8d6bb37f39c45d2e1aff537f3f65d267f8890
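Review bot: The commit subject says "add firefail" but the hunk adds the entry "firejail", so a search of the history for the package name will miss this commit. The entry itself is added bare; a short dated NOTE naming the open issue would match the firefox-esr and freerdp entries on either side of it.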
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Add f2fs-tools.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 1897e57b by Mike Gabriel at 2020-08-15T13:23:56+02:00 data/dla-needed.txt: Add f2fs-tools. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -60,6 +60,10 @@ dovecot (Roberto C. Sánchez) -- eclipse-wtp -- +f2fs-tools + NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 and 1.13.0, but it is not trivial to + NOTE: 20200815: to detect which of the patches correlates to the CVE. Contacting upstream might be necessary. +-- firefox-esr (Emilio) NOTE: 20200720: working on ESR 78 backport. (pochu) NOTE: 20200810: backported llvm 10, looking into wasi-libc and rustc/cargo (pochu) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1897e57b086ec989eca3dfe03b3efe0ebb797641
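Review bot: The two-line f2fs-tools note repeats a word across the line break: the first line ends in "it is not trivial to" and the second begins "to detect". Drop one of them. The note is also unattributed, unlike the firefox-esr notes in the context that end in (pochu), and it would help the next person to record which upstream commit range between 1.12.0 and 1.13.0 has already been looked at.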
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: add eclipse-wtp (and add upstream fix to data/CVE/list).
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 11379a06 by Mike Gabriel at 2020-08-15T13:03:13+02:00 data/dla-needed.txt: add eclipse-wtp (and add upstream fix to data/CVE/list). - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -63301,6 +63301,7 @@ CVE-2019-17638 (In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, CVE-2019-17637 (In all versions of Eclipse Web Tools Platform through release 3.18 (20 ...) - eclipse-wtp NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=458571 + NOTE: http://git.eclipse.org/c/sourceediting/webtools.sourceediting.git/commit/?id=9644d4217cd6e3be367d654a8320104d88ddfd6b CVE-2019-17636 (In Eclipse Theia versions 0.3.9 through 0.15.0, one of the default pre ...) NOT-FOR-US: Eclipse Theia CVE-2019-17635 (Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a dese ...) = data/dla-needed.txt = @@ -58,6 +58,8 @@ condor -- dovecot (Roberto C. Sánchez) -- +eclipse-wtp +-- firefox-esr (Emilio) NOTE: 20200720: working on ESR 78 backport. (pochu) NOTE: 20200810: backported llvm 10, looking into wasi-libc and rustc/cargo (pochu) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/11379a065103dd7c46caa196494055592292
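Review bot: The NOTE added under CVE-2019-17637 in data/CVE/list links the upstream fix over plain http:// while the bugs.eclipse.org NOTE directly above it uses https://. A fix reference that people will fetch and backport from should be given as an https:// URL if the host serves one.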
[Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Add asyncpg.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 042f2392 by Mike Gabriel at 2020-08-15T12:58:10+02:00 data/dla-needed.txt: Add asyncpg. - - - - - c9900a1e by Mike Gabriel at 2020-08-15T12:58:45+02:00 data/dla-needed.txt: white-space fix at EOL. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -26,7 +26,10 @@ apache2 (Utkarsh Gupta) -- ark (Abhijith PA) NOTE: 20200731: given PoC not working as intended. (abhijith) - NOTE: 20200801: though testing with other PoC's available over internet seems exploitable (abhijith) + NOTE: 20200801: though testing with other PoC's available over internet seems exploitable (abhijith) +-- +asyncpg + NOTE: 20200815: Minor issue, but easy to fix. -- cacti NOTE: 20200529: A patch need to be cooked up. Upstream patch not fit for jessie version (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/578c16aa52c7b6f81381420ade34dbe369f40983...c9900a1e6ea7409f6bd3d5eac6cf52a025f5c41b
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2268-2 for mutt
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 352c370d by Mike Gabriel at 2020-06-30T22:52:30+02:00 Reserve DLA-2268-2 for mutt - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Jun 2020] DLA-2268-2 mutt - regression update + {CVE-2020-14093 CVE-2020-14954} + [jessie] - mutt 1.5.23-3+deb8u3 [30 Jun 2020] DLA-2268-1 mutt - security update {CVE-2020-14093 CVE-2020-14954} [jessie] - mutt 1.5.23-3+deb8u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/352c370d4e8466f4888ea51c0a9753a36824ad1c
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2268-1 for mutt
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: e1ed797f by Mike Gabriel at 2020-06-30T22:35:47+02:00 Reserve DLA-2268-1 for mutt - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Jun 2020] DLA-2268-1 mutt - security update + {CVE-2020-14093 CVE-2020-14954} + [jessie] - mutt 1.5.23-3+deb8u2 [30 Jun 2020] DLA-2267-1 libmatio - security update {CVE-2019-17533} [jessie] - libmatio 1.5.2-3+deb8u1 = data/dla-needed.txt = @@ -77,8 +77,6 @@ mumble NOTE: 20200420: Upstream patch is incomplete. Version in stretch is also vulnerable (abhijith) NOTE: 20200504: discussion going on with t...@security.debian.org and mumble maintainer (abhijith) -- -mutt (Mike Gabriel) --- net-snmp NOTE: 20200628: be aware of the ABI break introduced by the patches! (thorsten) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e1ed797f8db16e16f3f0e10256cc47c4bf7477c4
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2265-1 for mailman
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 04b5918b by Mike Gabriel at 2020-06-30T11:51:12+02:00 Reserve DLA-2265-1 for mailman - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Jun 2020] DLA-2265-1 mailman - security update + {CVE-2020-15011} + [jessie] - mailman 1:2.1.18-2+deb8u7 [30 Jun 2020] DLA-2264-1 libvncserver - security update {CVE-2019-20839 CVE-2020-14397 CVE-2020-14399 CVE-2020-14400 CVE-2020-14401 CVE-2020-14402 CVE-2020-14403 CVE-2020-14404 CVE-2020-14405} [jessie] - libvncserver 0.9.9+dfsg2-6.1+deb8u8 = data/dla-needed.txt = @@ -84,8 +84,6 @@ linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) -- -mailman (Mike Gabriel) --- mumble NOTE: 20200325: Regression in last upload, forgot to follow up. NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/04b5918bf075660a1852396be881ce55b60aebd4
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Add mailman and claim it.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: d2b31308 by Mike Gabriel at 2020-06-30T11:39:32+02:00 data/dla-needed.txt: Add mailman and claim it. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -84,6 +84,8 @@ linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) -- +mailman (Mike Gabriel) +-- mumble NOTE: 20200325: Regression in last upload, forgot to follow up. NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2b31308c970a81c7b6ba2c6287bdfc80d401b6d
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2264-1 for libvncserver
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 1740ef31 by Mike Gabriel at 2020-06-30T11:23:02+02:00 Reserve DLA-2264-1 for libvncserver - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Jun 2020] DLA-2264-1 libvncserver - security update + {CVE-2019-20839 CVE-2020-14397 CVE-2020-14399 CVE-2020-14400 CVE-2020-14401 CVE-2020-14402 CVE-2020-14403 CVE-2020-14404 CVE-2020-14405} + [jessie] - libvncserver 0.9.9+dfsg2-6.1+deb8u8 [29 Jun 2020] DLA-2263-1 drupal7 - security update {CVE-2020-13663} [jessie] - drupal7 7.32-1+deb8u19 = data/dla-needed.txt = @@ -80,8 +80,6 @@ libmatio (Adrian Bunk) NOTE: 20200615: work is ongoing (bunk) NOTE: 20200629: pending release (bunk) -- -libvncserver (Mike Gabriel) --- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1740ef31f8102ce7078bd8f6a544d4de5d696301
[Git][security-tracker-team/security-tracker][master] CVE-2020-14398/libvncserver/jessie: ignore, possibly ABI breakage
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: e6049f97 by Mike Gabriel at 2020-06-29T16:50:00+02:00 CVE-2020-14398/libvncserver/jessie: ignore, possibly ABI breakage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2323,6 +2323,7 @@ CVE-2020-14399 (An issue was discovered in LibVNCServer before 0.9.13. Byte-alig NOTE: https://github.com/LibVNC/libvncserver/commit/23e5cbe6b090d7f22982aee909a6a618174d3c2d CVE-2020-14398 (An issue was discovered in LibVNCServer before 0.9.13. An improperly c ...) - libvncserver + [jessie] - libvncserver (Proposed patch might break ABI consumers) NOTE: https://github.com/LibVNC/libvncserver/commit/57433015f856cc12753378254ce4f1c78f5d9c7b CVE-2020-14397 (An issue was discovered in LibVNCServer before 0.9.13. libvncserver/rf ...) - libvncserver View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6049f9728bbaf4b94e255f43001d73ed7c51588
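Review bot: The reason given on the added [jessie] line for CVE-2020-14398, "Proposed patch might break ABI consumers", is tentative ("might") and does not say what in the upstream commit changes the ABI. Because this leaves a known issue unfixed in jessie, add a NOTE naming the struct or symbol change that raised the concern, so the decision can be rechecked later without redoing the analysis.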
[Git][security-tracker-team/security-tracker][master] CVE-2020-14396/libvncserver/jessie: not affected
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 6fc0010d by Mike Gabriel at 2020-06-29T15:51:34+02:00 CVE-2020-14396/libvncserver/jessie: not affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2329,6 +2329,7 @@ CVE-2020-14397 (An issue was discovered in LibVNCServer before 0.9.13. libvncser NOTE: https://github.com/LibVNC/libvncserver/commit/38e98ee61d74f5f5ab4aa4c77146faad1962d6d0 CVE-2020-14396 (An issue was discovered in LibVNCServer before 0.9.13. libvncclient/tl ...) - libvncserver + [jessie] - libvncserver (Vulnerable code not present) NOTE: https://github.com/LibVNC/libvncserver/commit/33441d90a506d5f3ae9388f2752901227e430553 CVE-2020-14395 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6fc0010df8ad7378eea4c2db67217dfa5c4259dd
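Review bot: The added [jessie] line for CVE-2020-14396 states "Vulnerable code not present" without saying how that was established. A NOTE recording the upstream commit or release that introduced the affected code, next to the existing fix reference, would make the not-affected status verifiable against the jessie source version.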
[Git][security-tracker-team/security-tracker][master] CVE-2019-20840/libvncserver/jessie: not affected
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: a7cd14c3 by Mike Gabriel at 2020-06-29T15:36:01+02:00 CVE-2019-20840/libvncserver/jessie: not affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2707,6 +2707,7 @@ CVE-2020-14216 RESERVED CVE-2019-20840 (An issue was discovered in LibVNCServer before 0.9.13. libvncserver/ws ...) - libvncserver + [jessie] - libvncserver (Vulnerable code not present) NOTE: https://github.com/LibVNC/libvncserver/commit/0cf1400c61850065de590d403f6d49e32882fd76 CVE-2019-20839 (libvncclient/sockets.c in LibVNCServer before 0.9.13 has a buffer over ...) - libvncserver View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7cd14c32fea5e8abe896ca1dbfdd3a9e4fe045d
[Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Add python3.4.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 5650620b by Mike Gabriel at 2020-06-20T20:52:14+02:00 data/dla-needed.txt: Add python3.4. - - - - - b58599c8 by Mike Gabriel at 2020-06-20T20:55:08+02:00 data/dla-needed.txt: Add alpine. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -9,6 +9,8 @@ To pick an issue, simply add your name behind it. To learn more about how this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues +-- +alpine -- ansible NOTE: 20200506: CVE-2020-1736: The version in jessie does not use the @@ -105,6 +107,8 @@ php5 (Thorsten Alteholz) pound NOTE: 20200619: No explicit patch mentioned. Needs deeper research. -- +python3.4 +-- qemu (Adrian Bunk) NOTE: 20200531: waiting for CVE-2020-13362 fix to be applied upstream (bunk) NOTE: 20200615: work is ongoing (bunk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e50fafdcdb2d940255bad98d9123ca11de57244d...b58599c8d34f076e2bdba091e9695ce0a0a86a40
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Add pcre3.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 49c2a626 by Mike Gabriel at 2020-06-19T16:24:27+02:00 data/dla-needed.txt: Add pcre3. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -95,6 +95,8 @@ opendmarc (Thorsten Alteholz) NOTE: 20200511: new CVEs arrived (thorsten) NOTE: 20200524: testing package -- +pcre3 +-- perl (Abhijith PA) -- php5 (Thorsten Alteholz) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/49c2a626d8374bb8c4701811eeaf40c197b8411f
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Add ngircd.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: cdba2396 by Mike Gabriel at 2020-06-19T16:15:58+02:00 data/dla-needed.txt: Add ngircd. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -86,6 +86,8 @@ mutt (Mike Gabriel) nginx NOTE: 20200505: Patch for CVE-2020-11724 appears to be fairly invasive and, alas, no tests. (lamby) -- +ngircd +-- nss (Adrian Bunk) NOTE: 20200615: work is ongoing (bunk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cdba2396047aa0851c8188e9cbb067e22ccbde87
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Add mutt and claim it.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ec5ead9 by Mike Gabriel at 2020-06-19T16:13:29+02:00 data/dla-needed.txt: Add mutt and claim it. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -81,6 +81,8 @@ mumble NOTE: 20200420: Upstream patch is incomplete. Version in stretch is also vulnerable (abhijith) NOTE: 20200504: discussion going on with t...@security.debian.org and mumble maintainer (abhijith) -- +mutt (Mike Gabriel) +-- nginx NOTE: 20200505: Patch for CVE-2020-11724 appears to be fairly invasive and, alas, no tests. (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ec5ead9eaab6dab3315bb46f80a93d46fa73831
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Add lynis.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 9743420a by Mike Gabriel at 2020-06-19T16:11:04+02:00 data/dla-needed.txt: Add lynis. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -73,6 +73,8 @@ linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) -- +lynis +-- mumble NOTE: 20200325: Regression in last upload, forgot to follow up. NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9743420a493ff929256012cd0734f0b0080f26b5
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Add libvncserver and claim it.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 72d30c73 by Mike Gabriel at 2020-06-19T16:08:14+02:00 data/dla-needed.txt: Add libvncserver and claim it. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -67,6 +67,8 @@ libmatio (Adrian Bunk) NOTE: 20190428: older changes seem to also be required for them NOTE: 20200615: work is ongoing (bunk) -- +libvncserver (Mike Gabriel) +-- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72d30c73d7713a65b91fb3daeae8be28155d48c9
[Git][security-tracker-team/security-tracker][master] data/CVE/list: Mark CVE-2020-10755/cinder as e-o-l for jessie.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 35095de6 by Mike Gabriel at 2020-06-19T16:06:04+02:00 data/CVE/list: Mark CVE-2020-10755/cinder as e-o-l for jessie. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10777,6 +10777,7 @@ CVE-2020-10756 [lirp: networking out-of-bounds read information disclosure vulne NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1835986#c11 CVE-2020-10755 (An insecure-credentials flaw was found in all openstack-cinder version ...) - cinder + [jessie] - cinder (OpenStack component, not supported in jessie LTS) NOTE: https://bugs.launchpad.net/cinder/+bug/1823200 NOTE: https://wiki.openstack.org/wiki/OSSN/OSSN-0086 TODO: check, affects as well python-os-brick or needs a respective update? View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/35095de6583844f664599ab4740d5e29bf6346e0
[Git][security-tracker-team/security-tracker][master] 2 commits: dla-needed.txt
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: d1835185 by Mike Gabriel at 2020-06-19T15:57:00+02:00 dla-needed.txt data/dla-needed.txt: Add bison (more research needed). - - - - - 11d6d3e9 by Mike Gabriel at 2020-06-19T15:57:36+02:00 data/dla-needed.txt: Fix for f2af1f39, wrong month in date string. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -29,7 +29,10 @@ apache2 NOTE: 20200604: otherwise the patch is ready for upload. (utkarsh) -- batik - NOTE: 20200519: Patch not explicitly mentioned. Needs deeper research. + NOTE: 20200619: Patch not explicitly mentioned. Needs deeper research. +-- +bison + NOTE: 20200619: Patch not explicitly mentioned. Needs deeper research. -- cacti (Abhijith PA) NOTE: 20200529: A patch need to be cooked up. Upstream patch not fit for jessie version (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f2af1f3916ed67cec25851f1f91b64106c15031f...11d6d3e93f1206b97d40a4a7ea78744938e237fc
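Review bot: the batik and bison entries now carry the same NOTE text word for word, and neither ends with an author handle in parentheses the way the apache2 and cacti notes around them do ((utkarsh), (abhijith)). Append the handle to both notes and, for bison, name the CVE whose patch could not be located, so the next person triaging can see what was already checked.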
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Add batik (more research needed).
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: f2af1f39 by Mike Gabriel at 2020-06-19T15:54:36+02:00 data/dla-needed.txt: Add batik (more research needed). - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -28,6 +28,9 @@ apache2 NOTE: 20200604: wating to hear from CVE team for their decision. (utkarsh) NOTE: 20200604: otherwise the patch is ready for upload. (utkarsh) -- +batik + NOTE: 20200519: Patch not explicitly mentioned. Needs deeper research. +-- cacti (Abhijith PA) NOTE: 20200529: A patch need to be cooked up. Upstream patch not fit for jessie version (abhijith) NOTE: 20200620: WIP (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2af1f3916ed67cec25851f1f91b64106c15031f
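Review bot: the date string in the added batik note reads 20200519, but the commit is dated 2020-06-19, so the month is wrong and the note should read 20200619. Notes in this file are read as a timeline of triage activity, so a date one month in the past makes the entry look stale from the day it is added.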
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Add note to freerdp
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: e7d3b1e5 by Mike Gabriel at 2020-05-31T23:12:00+02:00 data/dla-needed.txt: Add note to freerdp - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -45,6 +45,7 @@ drupal7 -- freerdp (Mike Gabriel) NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby) + NOTE: 20200531: Discussing if EOL'ing of freerdp (1.1) makes sense (sunweaver) -- graphicsmagick (Roberto C. Sánchez) NOTE: 20200514: no upstream patch available, yet, for CVE-2020-12672 (sunweaver) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7d3b1e5fab07b166f8d869e4f940be6f6b5feda
[Git][security-tracker-team/security-tracker][master] data/CVE/list: Mark freerdp2/CVE-2020-110{17,18} as no-dsa issues as discussed with Salvatore.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 31dd7f32 by Mike Gabriel at 2020-05-31T22:57:02+02:00 data/CVE/list: Mark freerdp2/CVE-2020-110{17,18} as no-dsa issues as discussed with Salvatore. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7523,11 +7523,17 @@ CVE-2020-11019 (In FreeRDP less than or equal to 2.0.0, when running with logger NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-wvrr-2f4r-hjvh CVE-2020-11018 (In FreeRDP less than or equal to 2.0.0, a possible resource exhaustion ...) - freerdp2 2.1.1+dfsg1-1 + [buster] - freerdp2 (Minor issue) - freerdp + [stretch] - freerdp (Minor issue) + [jessie] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8cvc-vcw7-6mfw CVE-2020-11017 (In FreeRDP less than or equal to 2.0.0, by providing manipulated input ...) - freerdp2 2.1.1+dfsg1-1 + [buster] - freerdp2 (Minor issue) - freerdp + [stretch] - freerdp (Minor issue) + [jessie] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q5c8-fm29-q57c CVE-2020-11016 (IntelMQ Manager from version 1.1.0 and before version 2.1.1 has a vuln ...) NOT-FOR-US: IntelMQ Manager View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/31dd7f3276d2efcb6eed666ca6cbbdfc38b46d89
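Review bot: the commit message names only freerdp2, but under both CVE-2020-11018 and CVE-2020-11017 the hunk also adds [stretch] and [jessie] lines for the separate freerdp source package. Mention freerdp in the message as well, and consider recording the outcome of the discussion in a NOTE: line under each CVE so the reasoning behind "Minor issue" is visible in data/CVE/list itself rather than only in the commit log.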
[Git][security-tracker-team/security-tracker][master] 2 commits: data/CVE/list: Drop [postponed] tag from CVE-2020-8035/php-horde.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 06aa7cd4 by Mike Gabriel at 2020-05-31T22:39:28+02:00 data/CVE/list: Drop [postponed] tag from CVE-2020-8035/php-horde. - - - - - 0665037a by Mike Gabriel at 2020-05-31T22:39:28+02:00 Reserve DLA-2230-1 for php-horde - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -14808,7 +14808,6 @@ CVE-2020-8036 RESERVED CVE-2020-8035 (The image view functionality in Horde Groupware Webmail Edition before ...) - php-horde - [jessie] - php-horde (Minor issue, can be fixed along with next releases) NOTE: https://github.com/horde/base/commit/64127fe3c2b9843c9760218e59dae9731cc56bdf NOTE: https://lists.horde.org/archives/announce/2020/001290.html CVE-2020-8034 (Gollem before 3.0.13, as used in Horde Groupware Webmail Edition 5.2.2 ...) = data/DLA/list = @@ -1,3 +1,6 @@ +[31 May 2020] DLA-2230-1 php-horde - security update + {CVE-2020-8035} + [jessie] - php-horde 5.2.1+debian0-2+deb8u6 [31 May 2020] DLA-2228-2 json-c - regression update {CVE-2020-12762} [jessie] - json-c 0.11-4+deb8u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/dca9ff1430dea31e162bbb8f1ebad4c1ef3ecb45...0665037ad49cb831b1cbe737679b74d043c8cfa2
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2228-2 for json-c
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 5b86eaa2 by Mike Gabriel at 2020-05-31T17:50:21+02:00 Reserve DLA-2228-2 for json-c - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 May 2020] DLA-2228-2 json-c - regression update + {CVE-2020-12762} + [jessie] - json-c 0.11-4+deb8u2 [31 May 2020] DLA-2229-1 php-horde-gollem - security update {CVE-2020-8034} [jessie] - php-horde-gollem 3.0.3-2+deb8u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b86eaa2621d4847f89811190e5cbe695d2da844
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2229-1 for php-horde-gollem
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 56f611d5 by Mike Gabriel at 2020-05-31T16:48:56+02:00 Reserve DLA-2229-1 for php-horde-gollem - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 May 2020] DLA-2229-1 php-horde-gollem - security update + {CVE-2020-8034} + [jessie] - php-horde-gollem 3.0.3-2+deb8u1 [31 May 2020] DLA-2228-1 json-c - security update {CVE-2020-12762} [jessie] - json-c 0.11-4+deb8u1 = data/dla-needed.txt = @@ -89,8 +89,6 @@ opendmarc (Thorsten Alteholz) NOTE: 20200511: new CVEs arrived (thorsten) NOTE: 20200524: testing package -- -php-horde-gollem (Mike Gabriel) --- php5 (Thorsten Alteholz) NOTE: 20200427: embedded software "file" needs fix for CVE-2019-18218 NOTE: 20200511: still trying to determine how this CVE affects php View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56f611d56826545177085504c0af15789654f13e
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2228-1 for json-c
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 021ecaae by Mike Gabriel at 2020-05-31T15:46:49+02:00 Reserve DLA-2228-1 for json-c - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 May 2020] DLA-2228-1 json-c - security update + {CVE-2020-12762} + [jessie] - json-c 0.11-4+deb8u1 [30 May 2020] DLA-2227-1 bind9 - security update {CVE-2020-8616 CVE-2020-8617} [jessie] - bind9 1:9.9.5.dfsg-9+deb8u19 = data/dla-needed.txt = @@ -51,9 +51,6 @@ graphicsmagick -- imagemagick (Markus Koschany) -- -json-c (Mike Gabriel) - NOTE: 20200514: json-c is currently orphaned, so possibly fix (old)stable, too? (sunweaver) --- libdatetime-timezone-perl NOTE: 20200514: LTS update must wait on oldstable update first to prevent newer version in LTS (roberto) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/021ecaaebd3646c42f62b1176008eda1e4987b20
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Add php-horde-gollem and claim it (with new maintainer's hat on)
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: c38c1fe7 by Mike Gabriel at 2020-05-28T16:35:11+02:00 data/dla-needed.txt: Add php-horde-gollem and claim it (with new maintainers hat on) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -89,6 +89,8 @@ opendmarc (Thorsten Alteholz) NOTE: 20200511: new CVEs arrived (thorsten) NOTE: 20200524: testing package -- +php-horde-gollem (Mike Gabriel) +-- php5 (Thorsten Alteholz) NOTE: 20200427: embedded software "file" needs fix for CVE-2019-18218 NOTE: 20200511: still trying to determine how this CVE affects php View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c38c1fe7e85a209531907e6ff2bb94f1446107bc
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim freerdp
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 6dee89ca by Mike Gabriel at 2020-05-28T16:33:02+02:00 data/dla-needed.txt: claim freerdp - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -41,7 +41,7 @@ condor cups (Anton Gladky) NOTE: 20200514: Two open issues. Added on request from Anton Gladky. (sunweaver) -- -freerdp +freerdp (Mike Gabriel) NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby) -- graphicsmagick (Roberto C. Sánchez) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6dee89cac598293835ec2b14fa33f9c4b17e4334
[Git][security-tracker-team/security-tracker][master] data/CVE/list: Drop no-dsa tags for CVE-2020-1311{2,3,4}/jessie. A fix has been uploaded.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 46eb9522 by Mike Gabriel at 2020-05-28T16:21:48+02:00 data/CVE/list: Drop no-dsa tags for CVE-2020-1311{2,3,4}/jessie. A fix has been uploaded. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1158,19 +1158,16 @@ CVE-2020-13114 (An issue was discovered in libexif before 0.6.22. An unrestricte - libexif (bug #961410) [buster] - libexif (Minor issue) [stretch] - libexif (Minor issue) - [jessie] - libexif (Minor issue) NOTE: https://github.com/libexif/libexif/commit/e6a38a1a23ba94d139b1fa2cd4519fdcfe3c9bab (0.6.22) CVE-2020-13113 (An issue was discovered in libexif before 0.6.22. Use of uninitialized ...) - libexif (bug #961409) [buster] - libexif (Minor issue) [stretch] - libexif (Minor issue) - [jessie] - libexif (Minor issue) NOTE: https://github.com/libexif/libexif/commit/ec412aa4583ad71ecabb967d3c77162760169d1f (0.6.22) CVE-2020-13112 (An issue was discovered in libexif before 0.6.22. Several buffer over- ...) - libexif (bug #961407) [buster] - libexif (Minor issue) [stretch] - libexif (Minor issue) - [jessie] - libexif (Minor issue) NOTE: https://github.com/libexif/libexif/commit/435e21f05001fb03f9f186fa7cbc69454afd00d1 (0.6.22) CVE-2020-13111 (NaviServer 4.99.4 to 4.99.19 allows denial of service due to the nsd/d ...) NOT-FOR-US: NaviServer View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46eb95228782ac5262c073dd916e0a8466f1a198
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2222-1 for libexif
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 4961eb7c by Mike Gabriel at 2020-05-28T16:18:34+02:00 Reserve DLA-2222-1 for libexif - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[28 May 2020] DLA--1 libexif - security update + {CVE-2018-20030 CVE-2020-13112 CVE-2020-13113 CVE-2020-13114} + [jessie] - libexif 0.6.21-2+deb8u3 [26 May 2020] DLA-2221-1 sqlite3 - security update {CVE-2020-13434} [jessie] - sqlite3 3.8.7.1-1+deb8u6 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4961eb7c174c176c26ec86b1b8cdf322b2a3e53c
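Review bot: CVE-2018-20030 in the added CVE set for libexif 0.6.21-2+deb8u3 is also listed in the DLA-2214-1 entry for libexif 0.6.21-2+deb8u2, reserved ten days earlier on 18 May 2020. If the earlier fix turned out to be incomplete, say so in a NOTE: under the CVE in data/CVE/list; if it was complete, drop the id from this entry so the fixed-in version for jessie is not recorded twice.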
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2214-1 for libexif
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: add1bfe7 by Mike Gabriel at 2020-05-18T06:32:47+02:00 Reserve DLA-2214-1 for libexif - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[18 May 2020] DLA-2214-1 libexif - security update + {CVE-2016-6328 CVE-2017-7544 CVE-2018-20030 CVE-2020-0093 CVE-2020-12767} + [jessie] - libexif 0.6.21-2+deb8u2 [16 May 2020] DLA-2213-1 exim4 - security update {CVE-2020-12783} [jessie] - exim4 4.84.2-2+deb8u7 = data/dla-needed.txt = @@ -55,8 +55,6 @@ json-c (Mike Gabriel) libdatetime-timezone-perl NOTE: 20200514: LTS update must wait on oldstable update first to prevent newer version in LTS (roberto) -- -libexif (Mike Gabriel) --- libmatio (Adrian Bunk) NOTE: fairly high number of open issues. Not sure why we never had a look at them. NOTE: triage work needed, help security team for fixes if needed. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/add1bfe7a00c68c6c467cb9e63d633847d82a858
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2212-1 for openconnect
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: fe3339ca by Mike Gabriel at 2020-05-16T11:25:14+02:00 Reserve DLA-2212-1 for openconnect - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[16 May 2020] DLA-2212-1 openconnect - security update + {CVE-2020-12823} + [jessie] - openconnect 6.00-2+deb8u2 [15 May 2020] DLA-2211-1 log4net - security update {CVE-2018-1285} [jessie] - log4net 1.2.10+dfsg-6+deb8u1 = data/dla-needed.txt = @@ -88,8 +88,6 @@ mumble (Abhijith PA) nginx (Mike Gabriel) NOTE: 20200505: Patch for CVE-2020-11724 appears to be fairly invasive and, alas, no tests. (lamby) -- -openconnect (Mike Gabriel) --- opendmarc (Thorsten Alteholz) NOTE: 20200420: still testing package, original patch does not seem to be enough, still ongoing (thorsten) NOTE: 20200511: new CVEs arrived (thorsten) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe3339ca09f574f50b0863ed3057eeab04ace9b6
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Add cups.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: b578ba7a by Mike Gabriel at 2020-05-14T07:57:06+02:00 data/dla-needed.txt: Add cups. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -41,6 +41,9 @@ bluez condor NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto) -- +cups + NOTE: 20200514: Two open issues. Added on request from Anton Gladky. (sunweaver) +-- exim4 (Roberto C. Sánchez) -- freerdp (Utkarsh Gupta) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b578ba7a0b10661a3fe9fcbf0fc60f3dd283f203
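Review bot: the added cups note says "Two open issues" without naming them. List the two CVE ids in the NOTE: line so that whoever claims the package can see the scope of the work without repeating the triage, and so the note stays meaningful if further cups issues are opened later.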
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Add tomcat8.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: b70664f2 by Mike Gabriel at 2020-05-14T07:52:20+02:00 data/dla-needed.txt: Add tomcat8. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -109,6 +109,8 @@ squid3 (Markus Koschany) NOTE: 20200427: Working on squid3 in Stretch which will be used for Jessie NOTE: 20200427: and Stretch. It seems more useful for the future. -- +tomcat8 +-- tzdata (Roberto C. Sánchez) -- varnish (Sylvain Beucler) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b70664f2042e0c7a783dba05403f5a338a2aeada
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Add openconnect.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 586472f5 by Mike Gabriel at 2020-05-14T07:45:56+02:00 data/dla-needed.txt: Add openconnect. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -89,6 +89,8 @@ mumble (Abhijith PA) nginx (Mike Gabriel) NOTE: 20200505: Patch for CVE-2020-11724 appears to be fairly invasive and, alas, no tests. (lamby) -- +openconnect +-- opendmarc (Thorsten Alteholz) NOTE: 20200420: still testing package, original patch does not seem to be enough, still ongoing (thorsten) NOTE: 20200511: new CVEs arrived (thorsten) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/586472f5ef7c81a6f617ad742243cfa82b53f289
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Add log4net.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ab72d21 by Mike Gabriel at 2020-05-14T07:36:12+02:00 data/dla-needed.txt: Add log4net. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -78,6 +78,8 @@ linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) -- +log4net +-- mumble (Abhijith PA) NOTE: 20200325: Regression in last upload, forgot to follow up. NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ab72d2167afc7d0b2d1c3faeed1d8e2a09dae91
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: re-claim nginx
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 8a1ed100 by Mike Gabriel at 2020-05-14T07:33:02+02:00 data/dla-needed.txt: re-claim nginx - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -84,7 +84,7 @@ mumble (Abhijith PA) NOTE: 20200420: Upstream patch is incomplete. Version in stretch is also vulnerable (abhijith) NOTE: 20200504: discussion going on with t...@security.debian.org and mumble maintainer (abhijith) -- -nginx +nginx (Mike Gabriel) NOTE: 20200505: Patch for CVE-2020-11724 appears to be fairly invasive and, alas, no tests. (lamby) -- opendmarc (Thorsten Alteholz) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a1ed1009a6d11aac9a95465ee390f6dbe36a363
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Add libexif and claim it.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: f3f10824 by Mike Gabriel at 2020-05-14T07:31:54+02:00 data/dla-needed.txt: Add libexif and claim it. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -56,6 +56,8 @@ json-c (Mike Gabriel) -- libdatetime-timezone-perl (Roberto C. Sánchez) -- +libexif (Mike Gabriel) +-- libmatio (Adrian Bunk) NOTE: fairly high number of open issues. Not sure why we never had a look at them. NOTE: triage work needed, help security team for fixes if needed. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f3f1082444ff55a124c3711ee3d70883dc41f2a5
[Git][security-tracker-team/security-tracker][master] data/CVE/list: Tag CVE-2020-12825 in libcroco/jessie as ignored.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 36e23c71 by Mike Gabriel at 2020-05-14T07:30:31+02:00 data/CVE/list: Tag CVE-2020-12825 in libcroco/jessie as ignored. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22,6 +22,7 @@ CVE-2020-12825 (libcroco through 0.6.13 has excessive recursion in cr_parser_par - libcroco (low; bug #960527) [buster] - libcroco (Minor issue) [stretch] - libcroco (Minor issue) + [jessie] - libcroco (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/libcroco/-/issues/8 CVE-2020-12824 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/36e23c711c632609bba096dbab75f0fb248a90e8
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim json-c
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 4350bb73 by Mike Gabriel at 2020-05-14T07:28:36+02:00 data/dla-needed.txt: claim json-c - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -51,7 +51,8 @@ graphicsmagick -- imagemagick (Markus Koschany) -- -json-c +json-c (Mike Gabriel) + NOTE: 20200514: json-c is currently orphaned, so possibly fix (old)stable, too? (sunweaver) -- libdatetime-timezone-perl (Roberto C. Sánchez) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4350bb733309d8e59dbc3cde4ecdf412aee70c24
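Review bot: the NOTE added under json-c ends in an open question ("so possibly fix (old)stable, too?") with no pointer to where it will be answered. Because the package is described as orphaned, no maintainer is implied as the recipient; name the list or team that was asked, or add a follow-up NOTE once the scope is decided, so the claim does not sit with an unresolved question attached.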
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Add json-c.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 90f4fcf0 by Mike Gabriel at 2020-05-14T07:21:38+02:00 data/dla-needed.txt: Add json-c. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -51,6 +51,8 @@ graphicsmagick -- imagemagick (Markus Koschany) -- +json-c +-- libdatetime-timezone-perl (Roberto C. Sánchez) -- libmatio (Adrian Bunk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90f4fcf0a39c7498d50dec8dbf3ed2e127aa8ae3
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Add graphicsmagick.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 6c713609 by Mike Gabriel at 2020-05-14T07:10:29+02:00 data/dla-needed.txt: Add graphicsmagick. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -46,6 +46,9 @@ exim4 (Roberto C. Sánchez) freerdp (Utkarsh Gupta) NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby) -- +graphicsmagick + NOTE: 20200514: no upstream patch available, yet, for CVE-2020-12672 (sunweaver) +-- imagemagick (Markus Koschany) -- libdatetime-timezone-perl (Roberto C. Sánchez) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6c71360950b18bf64f198df6b89c8e649550f531
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Add apt and ping maintainers.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 63ddc6dd by Mike Gabriel at 2020-05-14T07:03:19+02:00 data/dla-needed.txt: Add apt and ping maintainers. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -26,6 +26,9 @@ apache2 (Utkarsh Gupta) NOTE: 20200501: No CVE yet. (Ola) NOTE: 20200510: Asking upstream for CVE assignment. (utkarsh) -- +apt + NOTE: 20200514: apt is in lts-do-call-me, wait for feedback on debian-lts ML (sunweaver) +-- bluez NOTE: 20200420: Many upstream refactorings make this hard to see where the NOTE: 20200420: check for bonded connections should go. (eg. 7d9718cfc, View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63ddc6dd3c010831cf03c6e96fc50d105db787a2
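Review bot: the new apt entry names no CVE or bug number, so the NOTE "apt is in lts-do-call-me, wait for feedback on debian-lts ML" does not say what the maintainers were pinged about. Add the identifier, or a link to the list thread, so that whoever picks the entry up after the feedback arrives knows which issue is meant.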
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Add exim4, claimed by Roberto on request via IRC.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: e8accfda by Mike Gabriel at 2020-05-14T06:51:02+02:00 data/dla-needed.txt: Add exim4, claimed by Roberto on request via IRC. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -38,6 +38,8 @@ bluez condor NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto) -- +exim4 (Roberto C. Sánchez) +-- freerdp (Utkarsh Gupta) NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8accfdac9e7bbacdf040d116a30a6ef800843a2
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: add sqlite3 and claim it
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: c3799643 by Mike Gabriel at 2020-04-16T22:21:03+02:00 data/dla-needed.txt: add sqlite3 and claim it - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -77,6 +77,8 @@ shiro (Chris Lamb) NOTE: 20200411: Pinged maintainer and LTS list. (lamby) NOTE: 20200415: Further work with another ping to bug. (lamby) -- +sqlite3 (Mike Gabriel) +-- squid3 (Markus Koschany) NOTE: 20200330: There is still an issue with CVE-2019-12523 but the rest NOTE: 20200330: looks good now. (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c37996431e8a53631a73e6d7f28f4f049c103107
[Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Add libsixel.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: e47ffe0d by Mike Gabriel at 2020-04-16T22:19:36+02:00 data/dla-needed.txt: Add libsixel. - - - - - 95abc1d4 by Mike Gabriel at 2020-04-16T22:19:36+02:00 data/dla-needed.txt: Add nginx and claim it. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -40,6 +40,9 @@ libmatio (Adrian Bunk) NOTE: 20190428: older changes seem to also be required for them NOTE: 20200406: work is ongoing -- +libsixel + NOTE: 20200416 minor issue(s), not patch(es), yet. +-- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) @@ -48,6 +51,8 @@ mumble (Abhijith PA) NOTE: 20200325: Regression in last upload, forgot to follow up. NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith) -- +nginx (Mike Gabriel) +-- opendmarc (Thorsten Alteholz) NOTE: 20200406: still testing package, original patch does not seem to be enough, still ongoing -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1889740e704d446c09f615f3500a57d5d42b1ebf...95abc1d4c45a00dc5ca92c7606e0de4bb6807897
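Review bot: in the first hunk the libsixel NOTE reads "20200416 minor issue(s), not patch(es), yet.", where "not" looks like a typo for "no" and the colon after the date is missing, unlike the surrounding "NOTE: 20200406: ..." and "NOTE: 20200325: ..." lines. Suggest "NOTE: 20200416: minor issue(s), no patch(es) yet." followed by the author tag in parentheses, as the mumble notes in the second hunk have, so the line reads correctly and stays greppable by date.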
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Drop libperlspeak-perl. EOL'ed by Holger Levsen via...
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 1e2b99fe by Mike Gabriel at 2020-04-16T22:09:09+02:00 data/dla-needed.txt: Drop libperlspeak-perl. EOL'ed by Holger Levsen via debian-security-support 2020.04.16. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -40,10 +40,6 @@ libmatio (Adrian Bunk) NOTE: 20190428: older changes seem to also be required for them NOTE: 20200406: work is ongoing -- -libperlspeak-perl (Mike Gabriel) - NOTE: 20200326: No patches yet. - NOTE: 20200330: Requested EOL/jessie (sunweaver, h01ger). --- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e2b99fe09d35f21d70edc2ad16b8938afb8ff6e
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: add note to ansible, upstream patches are available now
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: fb2db3dc by Mike Gabriel at 2020-04-16T22:05:27+02:00 data/dla-needed.txt: add note to ansible, upstream patches are available now - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -12,6 +12,7 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- ansible NOTE: 20200219: no upstream fixes yet + NOTE: 20200416: 8 of 9 CVEs have upstream patches now (sunweaver) -- awl (Utkarsh Gupta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb2db3dc7ce1131716a44765a59809aa07c794da
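Review bot: the added NOTE says 8 of 9 CVEs have upstream patches but does not name the one that is still unpatched, which is the fact the next person working on ansible needs. Name that CVE in the NOTE so the remaining blocker can be tracked without re-checking all nine entries.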
[Git][security-tracker-team/security-tracker][master] data/CVE/list: Add PR with fix to CVE-2020-1740/ansible
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 9c1c0859 by Mike Gabriel at 2020-04-16T22:03:08+02:00 data/CVE/list: Add PR with fix to CVE-2020-1740/ansible - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25927,6 +25927,7 @@ CVE-2020-1740 (A flaw was found in Ansible Engine when using Ansible Vault for e - ansible NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1802193 NOTE: https://github.com/ansible/ansible/issues/67798 + NOTE: https://github.com/ansible/ansible/pull/68644 CVE-2020-1739 (A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9 ...) - ansible NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1802178 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c1c085971091729bc25841446cf10ab672c5d2c
[Git][security-tracker-team/security-tracker][master] fix PR number in prev commit
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 22a2c0fe by Mike Gabriel at 2020-04-16T21:53:48+02:00 fix PR number in prev commit - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25961,7 +25961,7 @@ CVE-2020-1734 (A flaw was found in the pipe lookup plugin of ansible. Arbitrary CVE-2020-1733 (A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2. ...) - ansible NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1801735 - NOTE: https://github.com/ansible/ansible/pull/68692 + NOTE: https://github.com/ansible/ansible/pull/68921 CVE-2020-1732 RESERVED - wildfly (bug #752018) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/22a2c0fea00bc9abea6489892ec8df53be144027
[Git][security-tracker-team/security-tracker][master] data/CVE/list: Add PR with fix to CVE-2020-1733/ansible
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 2151d428 by Mike Gabriel at 2020-04-16T21:52:12+02:00 data/CVE/list: Add PR with fix to CVE-2020-1733/ansible - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25961,6 +25961,7 @@ CVE-2020-1734 (A flaw was found in the pipe lookup plugin of ansible. Arbitrary CVE-2020-1733 (A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2. ...) - ansible NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1801735 + NOTE: https://github.com/ansible/ansible/pull/68692 CVE-2020-1732 RESERVED - wildfly (bug #752018) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2151d4282ac9ea65685d2c3f0406387665872233
[Git][security-tracker-team/security-tracker][master] data/CVE/list: Add PR with fix to CVE-2020-10685/ansible
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 860aa1e6 by Mike Gabriel at 2020-04-16T21:50:14+02:00 data/CVE/list: Add PR with fix to CVE-2020-10685/ansible - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3329,6 +3329,7 @@ CVE-2020-10685 [modules which use files encrypted with vault are not properly cl RESERVED - ansible NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1814627 + NOTE: https://github.com/ansible/ansible/pull/68433 CVE-2020-10684 (A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9. ...) - ansible NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1815519 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/860aa1e6140e655c3cc5965f01b3486af68e39a9
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2166-1 for libpam-krb5
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 08a68745 by Mike Gabriel at 2020-04-01T16:19:16+02:00 Reserve DLA-2166-1 for libpam-krb5 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[01 Apr 2020] DLA-2166-1 libpam-krb5 - security update + {CVE-2020-10595} + [jessie] - libpam-krb5 4.6-3+deb8u1 [31 Mar 2020] DLA-2165-1 apng2gif - security update {CVE-2017-6960} [jessie] - apng2gif 1.5-3+deb8u1 = data/dla-needed.txt = @@ -35,8 +35,6 @@ libmatio (Adrian Bunk) libmtp (Dylan Aïssi) NOTE: 20200323: WIP. (daissi) -- -libpam-krb5 (Mike Gabriel) --- libperlspeak-perl (Mike Gabriel) NOTE: 20200326: No patches yet. NOTE: 20200330: Requested EOL/jessie (sunweaver, h01ger). View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/08a687454e43bb68f126eef93280e94ee8ac761d
[Git][security-tracker-team/security-tracker][master] data/CVE/list: Switch CVE-2019-17177/jessie from no-dsa to ignored....
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: d9dc4813 by Mike Gabriel at 2020-03-31T15:53:09+02:00 data/CVE/list: Switch CVE-2019-17177/jessie from no-dsa to ignored. Patching this old version of FreeRDP would be very invasive, the old freerdp v1.1 is full of realloc() calls that don't check the result. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32614,7 +32614,7 @@ CVE-2019-17177 (libfreerdp/codec/region.c in FreeRDP through 1.1.x and 2.x throu [buster] - freerdp2 2.0.0~git20190204.1.2693389a+dfsg1-1+deb10u1 - freerdp (low) [stretch] - freerdp (Minor issue) - [jessie] - freerdp (Minor issue) + [jessie] - freerdp (Minor issue; Patching this old version would be very invasive; no upstream patch available) NOTE: https://github.com/FreeRDP/FreeRDP/issues/5645 NOTE: https://github.com/akallabeth/FreeRDP/commit/fc80ab45621bd966f70594c0b7393ec005a94007 CVE-2019-17176 (Genesys PureEngage Digital (eServices) 8.1.x allows XSS via HtmlChatPa ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9dc48131d1173d5d10d9d9b9fd1b0ed60dd68bd
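Review bot: the new reason on the [jessie] line ends with "no upstream patch available", yet the NOTE lines directly below it link the upstream issue and a commit under akallabeth/FreeRDP, so a reader sees a claim and what looks like its counter-example side by side. If the meaning is that no patch exists for the 1.1 code base shipped in jessie, say so in the reason. The commit message's concrete justification, that freerdp v1.1 is full of realloc() calls whose result is not checked, is also absent from the entry and would explain "very invasive" better than the phrase alone.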
[Git][security-tracker-team/security-tracker][master] data/CVE/list: Drop stretch's no-dsa line for CVE-2017-11747/tinyproxy....
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 98a0b5a0 by Mike Gabriel at 2020-03-31T13:36:08+02:00 data/CVE/list: Drop stretch's no-dsa line for CVE-2017-11747/tinyproxy. Issue will get fixed via a pu upload. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -154160,7 +154160,6 @@ CVE-2017-11748 (VIT Spider Player 2.5.3 has an untrusted search path, allowing D NOT-FOR-US: VIT Spider Player CVE-2017-11747 (main.c in Tinyproxy 1.8.4 and earlier creates a /run/tinyproxy/tinypro ...) - tinyproxy 1.10.0-1 (bug #870307) - [stretch] - tinyproxy (Minor issue) [wheezy] - tinyproxy (Minor issue) NOTE: https://github.com/tinyproxy/tinyproxy/issues/106 CVE-2017-11746 (Tenshi 0.15 creates a tenshi.pid file after dropping privileges to a n ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98a0b5a01d90fb541ea5aecbd42d0c9961de79e4
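Review bot: removing the [stretch] line leaves the CVE-2017-11747 entry with no record of stretch at all; the plan to fix it through a pu upload exists only in the commit message. Add a NOTE to the entry saying the stretch fix is pending via a point-release upload, so that until the upload lands the entry does not read as an issue nobody has triaged for stretch.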