[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2024-29415

2024-05-29 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f75fd0dd by Salvatore Bonaccorso at 2024-05-29T20:40:59+02:00
Update notes for CVE-2024-29415

The fix landed for now only in experimental, so move the fixing version
there.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -339,7 +339,8 @@ CVE-2024-34477 (configureNFS in lib/common/functions.sh in 
FOG through 1.5.10 al
 CVE-2024-32978 (Kaminari is a paginator for web app frameworks and object 
relational m ...)
- ruby-kaminari  (Doesn't affect Kaminari as shipped by 
Debian)
 CVE-2024-29415 (The ip package through 2.0.1 for Node.js might allow SSRF 
because some ...)
-   - node-ip 2.0.1+~1.1.3-2 (bug #1072121)
+   [experimental] - node-ip 2.0.1+~1.1.3-2
+   - node-ip  (bug #1072121)
[bookworm] - node-ip  (Minor issue)
[bullseye] - node-ip  (Minor issue)
NOTE: https://github.com/indutny/node-ip/issues/150
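Review bot: the unstable line keeps the bug reference but now carries no fixed version, and the only NOTE on the entry is the upstream issue thread; add a NOTE naming the upstream change that 2.0.1+~1.1.3-2 carries, so that when that revision (or a later one) migrates from experimental to unstable the `[experimental]` line can be dropped and the unstable line set to the same version without re-deriving which fix it contains. Leaving the bookworm and bullseye "Minor issue" tags untouched is consistent with the fix not yet being in unstable.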



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f75fd0dd2b46f9c4e032c67e31c50b7f91a4f31e

-- 
This project does not include diff previews in email notifications.
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f75fd0dd2b46f9c4e032c67e31c50b7f91a4f31e
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2023-50387

2024-02-23 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b2604b1f by Salvatore Bonaccorso at 2024-02-23T20:30:05+01:00
Update notes for CVE-2023-50387

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2519,13 +2519,17 @@ CVE-2023-50387 (Certain DNSSEC aspects of the DNS 
protocol (in RFC 4033, 4034, 4
- pdns-recursor 4.9.3-1 (bug #1063852)
- unbound 1.19.1-1 (bug #1063845)
NOTE: https://kb.isc.org/docs/cve-2023-50387
+   NOTE: 
https://gitlab.isc.org/isc-projects/bind9/-/commit/c12608ca934c0433d280e65fe6c631013e200cfe
 (v9.16.48)
+   NOTE: 
https://gitlab.isc.org/isc-projects/bind9/-/commit/751b7cc4750ede6d8c5232751d60aad8ad84aa67
 (v9.16.48)
+   NOTE: 
https://gitlab.isc.org/isc-projects/bind9/-/commit/6a65a425283d70da86bf732449acd6d7c8dec718
 (v9.16.48)
+   NOTE: 
https://gitlab.isc.org/isc-projects/bind9/-/commit/3d206e918b3efbc20074629ad9d99095fbd2e5fd
 (v9.16.48)
+   NOTE: 
https://gitlab.isc.org/isc-projects/bind9/-/commit/a520fbc0470a0d6b72db6aa0b8deda8798551614
 (v9.16.48)
NOTE: 
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
NOTE: https://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html
NOTE: 
https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released
NOTE: https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
NOTE: 
https://nlnetlabs.nl/downloads/unbound/CVE-2023-50387_CVE-2023-50868.txt
NOTE: Fixed by: 
https://github.com/NLnetLabs/unbound/commit/882903f2fa800c4cb6f5e225b728e2887bb7b9ae
 (release-1.19.1)
-   NOTE: 
https://gitlab.isc.org/isc-projects/bind9/-/commit/a520fbc0470a0d6b72db6aa0b8deda8798551614
 and four previous commits (bind9 9.16)
 CVE-2023-50868 (The Closest Encloser Proof aspect of the DNS protocol (in RFC 
5155 whe ...)
{DSA-5626-1 DSA-5621-1 DSA-5620-1 DLA-3736-1}
- bind9 1:9.19.21-1
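Review bot: style point on the five inserted BIND9 NOTE lines: they are plain references, while the unbound note on the same entry uses "NOTE: Fixed by: ... (release-1.19.1)"; since these five are the fix commits (the removed line called them that implicitly with "and four previous commits"), prefix them with "Fixed by:" too so readers and tooling can tell fix commits from background links. Listing each commit with its "(v9.16.48)" tag is an improvement over the removed summary line, which only made sense with the branch in front of you.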



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b2604b1f68ed20dc9784fd263dd1060bd95143a1



[Git][security-tracker-team/security-tracker][master] Update notes of squid and bouncycastle in dla-needed.txt and reclaim the

2023-12-18 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bfb04929 by Markus Koschany at 2023-12-18T15:47:48+01:00
Update notes of squid and bouncycastle in dla-needed.txt and reclaim the
packages.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -37,10 +37,11 @@ bind9 (Thorsten Alteholz)
   NOTE: 20231008: backporting patches
   NOTE: 20231217: almost done with testing
 --
-bouncycastle
+bouncycastle (Markus Koschany)
   NOTE: 20231127: Added by Front-Desk (Beuc)
   NOTE: 20231127: Also fix pending no-dsa CVEs, in particular CVE-2020-26939 
was fixed in stretch-lts (Beuc/front-desk)
   NOTE: 20231128: I can't find changes in PEMParser.java related to 
CVE-2023-33202, maybe contact upstream (Beuc/front-desk)
+  NOTE: 20231218: Decision impending. (apo)
 --
 cacti (Sylvain Beucler)
   NOTE: 20230906: Added by Front-Desk (lamby)
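Review bot: the new 20231218 note "Decision impending." does not say what is being decided; the two front-desk notes above it leave two distinct open questions (whether to also fix the pending no-dsa CVEs such as CVE-2020-26939, and whether CVE-2023-33202 is actually addressed in PEMParser.java or upstream needs to be asked), so name which one the decision concerns and what the candidate outcomes are, otherwise the next person reading the entry has to reconstruct it.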
@@ -205,8 +206,9 @@ salt
 samba
   NOTE: 20230918: Added by Front-Desk (apo)
 --
-squid
+squid (Markus Koschany)
   NOTE: 20231102: Added by Front-Desk (lamby)
+  NOTE: 20231218: Investigating new CVE. (apo)
 --
 suricata (Adrian Bunk)
   NOTE: 20230620: Added by Front-Desk (Beuc)
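Review bot: "Investigating new CVE." should name the CVE ID; dla-needed.txt notes are read without data/CVE/list next to them, and squid accumulates several issues at a time, so a bare "new CVE" is not identifiable a few weeks later.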



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bfb04929cfee7d2f42db0a4d284c88fffe92132e



[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2023-45866/bluez

2023-12-10 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fef5975a by Salvatore Bonaccorso at 2023-12-10T17:15:30+01:00
Update notes for CVE-2023-45866/bluez

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -230,6 +230,8 @@ CVE-2023-32460 (Dell PowerEdge BIOS contains an improper 
privilege management se
 CVE-2023-45866 (Bluetooth HID Hosts in BlueZ may permit an unauthenticated 
Peripheral  ...)
- bluez 
NOTE: 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=25a471a83e02e1effb15d5a488b3f0085eaeb675
+   NOTE: The fix for CVE-2020-0556 allows to set manually the 
"ClassicBondedOnly"
+   NOTE: configuration options but defaulted to false.
 CVE-2023-6588 (Offline mode is always enabled, even if permission disallows 
it, in  D ...)
NOT-FOR-US: Devolutions Server
 CVE-2023-6575 (A vulnerability was found in Beijing Baichuo S210 up to 
20231121. It h ...)
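Review bot: the added NOTE records that the CVE-2020-0556 fix introduced a "ClassicBondedOnly" option defaulting to false, but not what that means for this entry: the "- bluez" line has no fixed version and there are no per-release lines, so say whether enabling ClassicBondedOnly is considered a sufficient mitigation for bookworm/bullseye or whether the referenced upstream commit 25a471a8 is required, and whether that commit changes the default. Wording: "allows to set manually the ... configuration options" reads better as "allows the ... option to be set manually".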



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fef5975a7c1fdb10e5abf88a967865e8bb8804e3



[Git][security-tracker-team/security-tracker][master] Update notes for outstanding freeimage issues

2023-11-23 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8e1308ad by Anton Gladky at 2023-11-24T06:15:04+01:00
Update notes for outstanding freeimage issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -157555,26 +157555,31 @@ CVE-2021-40266 (FreeImage before 1.18.0, 
ReadPalette function in PluginTIFF.cpp
- freeimage  (bug #1055305)
[bookworm] - freeimage  (Minor issue)
[bullseye] - freeimage  (Minor issue)
+   [buster] - freeimage  (Minor issue)
NOTE: https://sourceforge.net/p/freeimage/bugs/334/
 CVE-2021-40265 (A heap overflow bug exists FreeImage before 1.18.0 via ofLoad 
function ...)
- freeimage  (bug #1055304)
[bookworm] - freeimage  (Minor issue)
[bullseye] - freeimage  (Minor issue)
+   [buster] - freeimage  (Minor issue)
NOTE: https://sourceforge.net/p/freeimage/bugs/337/
 CVE-2021-40264 (NULL pointer dereference vulnerability in FreeImage before 
1.18.0 via  ...)
- freeimage  (bug #1055303)
[bookworm] - freeimage  (Minor issue)
[bullseye] - freeimage  (Minor issue)
+   [buster] - freeimage  (Minor issue)
NOTE: https://sourceforge.net/p/freeimage/bugs/335/
 CVE-2021-40263 (A heap overflow vulnerability in FreeImage 1.18.0 via the 
ofLoad funct ...)
- freeimage  (bug #1055302)
[bookworm] - freeimage  (Minor issue)
[bullseye] - freeimage  (Minor issue)
+   [buster] - freeimage  (Minor issue)
NOTE: https://sourceforge.net/p/freeimage/bugs/336/
 CVE-2021-40262 (A stack exhaustion issue was discovered in FreeImage before 
1.18.0 via ...)
- freeimage  (bug #1055301)
[bookworm] - freeimage  (Minor issue)
[bullseye] - freeimage  (Minor issue)
+   [buster] - freeimage  (Minor issue)
NOTE: https://sourceforge.net/p/freeimage/bugs/338/
 CVE-2021-40261 (Multiple Cross Site Scripting (XSS) vulnerabilities exist in 
SourceCod ...)
NOT-FOR-US: SourceCodester
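Review bot: the five "[buster] - freeimage (Minor issue)" lines match the existing bookworm/bullseye tags, which is fine, but one of the five differs from its siblings: CVE-2021-40263 is described as affecting "FreeImage 1.18.0" while the other four say "before 1.18.0". If upstream 1.18.0 is itself affected that deserves a NOTE, because the same sourceforge ticket series is the only reference for all five and the Minor-issue rating is being applied uniformly.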
@@ -236524,6 +236529,7 @@ CVE-2020-21427 (Buffer Overflow vulnerability in 
function LoadPixelDataRLE8 in P
 CVE-2020-21426 (Buffer Overflow vulnerability in function C_IStream::read in 
PluginEXR ...)
- freeimage  (bug #1051736)
NOTE: https://sourceforge.net/p/freeimage/bugs/300/
+   NOTE: it looks like the issue is in openexr. No relevant patches in 
freeimage are detected
 CVE-2020-21425
RESERVED
 CVE-2020-21424
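Review bot: the NOTE that "the issue is in openexr" leaves the entry inconsistent with its status line, which still tracks an open freeimage issue ("- freeimage (bug #1051736)"). The description names C_IStream::read in PluginEXR, which is freeimage's adapter around the OpenEXR library, so record whether Debian's freeimage links the system openexr (then point at the corresponding openexr CVE or fix and mark freeimage not-affected or unimportant) or carries an embedded copy (then the freeimage bug stays valid), and update #1051736 to match.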



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e1308ad75a56bf0dd66cb4d1ec18df92aff30ab



[Git][security-tracker-team/security-tracker][master] update notes

2023-11-05 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f6897319 by Thorsten Alteholz at 2023-11-05T23:30:19+01:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -31,7 +31,7 @@ audiofile
 bind9 (Thorsten Alteholz)
   NOTE: 20230921: Added by Front-Desk (apo)
   NOTE: 20231008: backporting patches
-  NOTE: 20231023: testing package
+  NOTE: 20231105: still testing package
 --
 cacti (guilhem)
   NOTE: 20230906: Added by Front-Desk (lamby)
@@ -112,7 +112,7 @@ libreswan
 --
 libspf2 (Thorsten Alteholz)
   NOTE: 20231016: Added by Front-Desk (ta)
-  NOTE: 20231029: upstream does not know yet, whether available patch is 
enough (ta)
+  NOTE: 20231105: upstream does not know yet, whether available patch is 
enough (ta)
 --
 libstb (Adrian Bunk)
   NOTE: 20231029: Added by Front-Desk (gladk)
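Review bot: the libspf2 note is the 20231029 line re-dated with identical text; since the blocker is an open question to upstream, record where that question lives (upstream issue, mailing-list thread or bug number) so someone else can follow up if the wait continues, rather than only bumping the date.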



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f6897319f6fbce7eaa243477211f3a32c40b2531



[Git][security-tracker-team/security-tracker][master] update notes

2023-10-23 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
337a1513 by Thorsten Alteholz at 2023-10-23T16:18:11+02:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -23,7 +23,7 @@ rather than remove/replace existing ones.
 --
 amanda (Thorsten Alteholz)
   NOTE: 20230730: Added by Front-Desk (apo)
-  NOTE: 20231008: still testing package (ta)
+  NOTE: 20231023: still testing package (ta)
 --
 audiofile
   NOTE: 20230918: Added by Front-Desk (apo)
@@ -32,6 +32,7 @@ audiofile
 bind9 (Thorsten Alteholz)
   NOTE: 20230921: Added by Front-Desk (apo)
   NOTE: 20231008: backporting patches
+  NOTE: 20231023: testing package
 --
 cacti (guilhem)
   NOTE: 20230906: Added by Front-Desk (lamby)
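Review bot: the new bind9 line "NOTE: 20231023: testing package" carries no initials, unlike the amanda note in the previous hunk ("(ta)"); the notes in this file identify their author, so add "(ta)" for consistency with the claim line.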



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/337a15137d3e938077c0525ca653a1de279af71b



[Git][security-tracker-team/security-tracker][master] update notes

2023-10-08 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
64d8c820 by Thorsten Alteholz at 2023-10-08T19:51:12+02:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -23,7 +23,7 @@ rather than remove/replace existing ones.
 --
 amanda (Thorsten Alteholz)
   NOTE: 20230730: Added by Front-Desk (apo)
-  NOTE: 20230924: still testing package (ta)
+  NOTE: 20231008: still testing package (ta)
 --
 audiofile
   NOTE: 20230918: Added by Front-Desk (apo)
@@ -38,6 +38,7 @@ batik (rouca)
 --
 bind9 (Thorsten Alteholz)
   NOTE: 20230921: Added by Front-Desk (apo)
+  NOTE: 20231008: backporting patches
 --
 cacti
   NOTE: 20230906: Added by Front-Desk (lamby)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64d8c820333be8e1c0506529c8446dcaa2bce266



[Git][security-tracker-team/security-tracker][master] Update notes

2023-08-27 Thread Utkarsh Gupta (@utkarsh)


Utkarsh Gupta pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
47559126 by Utkarsh Gupta at 2023-08-28T07:45:20+05:30
Update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -184,6 +184,7 @@ rails (utkarsh)
   NOTE: 20221024: Delay upload, see above comment, users have done workaround. 
Not a good idea
   NOTE: 20221024: to break thrice in less than 2 month.
   NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the 
possible path forward. (utkarsh)
+  NOTE: 20230828: want to rollout ruby-rack first. (utkarsh)
 --
 ring (Thorsten Alteholz)
   NOTE: 20221120: Added by Front-Desk (ta)
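Review bot: "want to rollout ruby-rack first" records a sequencing decision without its reason; given the 20221024 notes about not breaking users three times in two months, say whether the rails update depends on the ruby-rack one (shared fix, versioned dependency) or this is only an ordering of uploads, and link the sec+ruby thread the 20230131 note promised, if it was started.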



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47559126daaf1b4a5373f5e9130b7804dddcdf7b



[Git][security-tracker-team/security-tracker][master] update notes

2023-08-27 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5cf84920 by Thorsten Alteholz at 2023-08-27T19:41:19+02:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -23,7 +23,7 @@ rather than remove/replace existing ones.
 --
 amanda (Thorsten Alteholz)
   NOTE: 20230730: Added by Front-Desk (apo)
-  NOTE: 20230813: testing packages (ta)
+  NOTE: 20230827: still testing package (ta)
 --
 aom (Markus Koschany)
   NOTE: 20230823: Added by Front-Desk (apo)
@@ -169,8 +169,7 @@ rails (utkarsh)
 --
 ring (Thorsten Alteholz)
   NOTE: 20221120: Added by Front-Desk (ta)
-  NOTE: 20230507: testing package
-  NOTE: 20230813: testing package, not all tests pass yet
+  NOTE: 20230827: testing package, almost done
 --
 ruby-loofah
   NOTE: 20221231: Added by Front-Desk (ola)
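Review bot: the two removed ring lines said that tests were failing; the replacement "testing package, almost done" does not say whether those failures were fixed or waived, which is exactly what a DLA reviewer will ask. Keep one sentence on the outcome of the failing tests, and consider appending the 20230827 line rather than deleting the 20230507 and 20230813 history, since the entry otherwise keeps only its 20221120 line.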



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5cf84920c5e395b3ebe4a04dae823724d0c650fb



[Git][security-tracker-team/security-tracker][master] update notes

2023-08-13 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e47056c8 by Thorsten Alteholz at 2023-08-13T20:44:44+02:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -23,6 +23,7 @@ rather than remove/replace existing ones.
 --
 amanda (Thorsten Alteholz)
   NOTE: 20230730: Added by Front-Desk (apo)
+  NOTE: 20230813: testing packages (ta)
 --
 cairosvg (gladk)
   NOTE: 20230323: Added by Front-Desk (gladk)
@@ -197,7 +198,7 @@ rar (Markus Koschany)
 ring (Thorsten Alteholz)
   NOTE: 20221120: Added by Front-Desk (ta)
   NOTE: 20230507: testing package
-  NOTE: 20230730: testing package, not all tests pass yet
+  NOTE: 20230813: testing package, not all tests pass yet
 --
 ruby-loofah
   NOTE: 20221231: Added by Front-Desk (ola)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e47056c8c5814246254f5fb5ce4fcd7713f03527



[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2023-30549

2023-08-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8671af22 by Salvatore Bonaccorso at 2023-08-01T17:10:14+02:00
Update notes for CVE-2023-30549

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -12148,8 +12148,14 @@ CVE-2023-30551 (Rekor is an open source software 
supply chain transparency log.
 CVE-2023-30550 (MeterSphere is an open source continuous testing platform, 
covering fu ...)
NOT-FOR-US: MeterSphere
 CVE-2023-30549 (Apptainer is an open source container platform for Linux. 
There is an  ...)
-   - singularity-container  (bug #1035026)
+   - singularity-container  (bug #1035026; unimportant)
NOTE: 
https://github.com/apptainer/apptainer/security/advisories/GHSA-j4rf-7357-f4cg
+   NOTE: Sylabs and Apptainer projects are in disagreement to track this 
issue and
+   NOTE: their handling with respect to unpatches filesystem 
vulnerabilities. Sylanbs
+   NOTE: will add a configuration option to disable all mounts of extfs 
file systems
+   NOTE: as well in a future singularity-container version, as similar 
done by the
+   NOTE: Apptainer project.
+   NOTE: Details in https://sylabs.io/2023/04/response-to-cve-2023-30549/
 CVE-2023-30548 (gatsby-plugin-sharp is a plugin for the gatsby framework which 
exposes ...)
NOT-FOR-US: gatsby-plugin-sharp
 CVE-2023-30547 (vm2 is a sandbox that can run untrusted code with whitelisted 
Node's b ...)
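Review bot: two typos in the inserted NOTE lines: "unpatches filesystem vulnerabilities" should be "unpatched", and "Sylanbs" should be "Sylabs". More substantively, the lines explain the disagreement between the Sylabs and Apptainer projects but not why Debian's rating moves to "unimportant": the justification should be Debian-specific (what singularity-container in Debian enables by default, and whether the configuration option Sylabs announces exists in the packaged version), because the tag decides whether a DSA/DLA is considered, and the cited sylabs.io post is the vendor's position rather than Debian's assessment.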



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8671af22eda83143c6c33508a7ead2ff3c6aebaa



[Git][security-tracker-team/security-tracker][master] update notes

2023-07-16 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d21adee2 by Thorsten Alteholz at 2023-07-16T23:46:42+02:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -56,12 +56,15 @@ grpc
 --
 gst-plugins-bad1.0 (Thorsten Alteholz)
   NOTE: 20230702: Added by Front-Desk (ta)
+  NOTE: 20230716: still backporting patches
 --
 gst-plugins-base1.0 (Thorsten Alteholz)
   NOTE: 20230702: Added by Front-Desk (ta)
+  NOTE: 20230716: still backporting patches
 --
 gst-plugins-good1.0 (Thorsten Alteholz)
   NOTE: 20230702: Added by Front-Desk (ta)
+  NOTE: 20230716: still backporting patches
 --
 hdf5
   NOTE: 20230318: Added by Front-Desk (utkarsh)
@@ -164,7 +167,7 @@ renderdoc (tobi)
 ring (Thorsten Alteholz)
   NOTE: 20221120: Added by Front-Desk (ta)
   NOTE: 20230507: testing package
-  NOTE: 20230701: testing package, not all tests pass yet
+  NOTE: 20230716: testing package, not all tests pass yet
 --
 ruby-loofah
   NOTE: 20221231: Added by Front-Desk (ola)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d21adee29f966870b4226f1f37b51b0290013e20



[Git][security-tracker-team/security-tracker][master] update notes

2023-06-18 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d0ae311f by Thorsten Alteholz at 2023-06-19T00:03:24+02:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -78,7 +78,7 @@ hdf5
 libfastjson (Thorsten Alteholz)
   NOTE: 20230507: Added by Front-Desk (ta)
   NOTE: 20230507: the CVE was fixed in json-c already
-  NOTE: 20230605: upload timing could be improved here
+  NOTE: 20230619: testing package, not all tests pass yet
 --
 libreoffice (Abhijith PA)
   NOTE: 20230530: Added by Front-Desk (pochu)
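Review bot: the libfastjson note now reads exactly like the ring note in the next hunk ("testing package, not all tests pass yet"), which looks like a copy-paste; the line above says the CVE was already fixed in json-c, so if libfastjson's own test suite is failing, name the failing tests, and if the wording was meant only for ring, revert it here.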
@@ -187,7 +187,7 @@ rails
 ring (Thorsten Alteholz)
   NOTE: 20221120: Added by Front-Desk (ta)
   NOTE: 20230507: testing package
-  NOTE: 20230605: upload timing could be improved here
+  NOTE: 20230619: testing package, not all tests pass yet
 --
 ruby-doorkeeper
   NOTE: 20230618: Added by Front-Desk (opal)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d0ae311f69c76f1ed243b5eaf0215490af46108c



[Git][security-tracker-team/security-tracker][master] Update notes for ruby2.7 and ruby-rack in dsa-needed

2023-06-08 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9073e3c4 by Salvatore Bonaccorso at 2023-06-08T22:50:00+02:00
Update notes for ruby2.7 and ruby-rack in dsa-needed

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -56,11 +56,12 @@ ring
   might make sense to rebase to current version
 --
 ruby2.7
+  Utkarsh Gupta offered help in preparing updates
 --
 ruby-nokogiri
 --
 ruby-rack
-  Utkarsh Gupta available for preparing updates
+  Utkarsh Gupta available for preparing updates, debdiff ready for review
 --
 ruby-sinatra
   Maintainer posted packaging repository link with proposed changes for review
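Review bot: "debdiff ready for review" does not say where the debdiff is; the ruby-sinatra entry just below shows the convention (the maintainer "posted packaging repository link"), so add the bug number, mail or repository URL it was sent to, otherwise a reviewer has to ask. Also "offered help in preparing updates" (ruby2.7) and "available for preparing updates" (ruby-rack) describe the same status in two wordings; pick one.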



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9073e3c481a89b65b50ddecb1bd0c43681474469



[Git][security-tracker-team/security-tracker][master] update notes

2023-06-04 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1d61c835 by Thorsten Alteholz at 2023-06-05T00:21:38+02:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -76,7 +76,7 @@ libcap2 (Abhijith PA)
 libfastjson (Thorsten Alteholz)
   NOTE: 20230507: Added by Front-Desk
   NOTE: 20230507: the CVE was fixed in json-c already
-  NOTE: 20230521: an RCE CVE of cups-filter made a mess of the timing
+  NOTE: 20230605: upload timing could be improved here
 --
 libreoffice
   NOTE: 20230530: Added by Front-Desk
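Review bot: the replacement "upload timing could be improved here" is vaguer than the 20230521 line it removes: the old text at least said what delayed the work, the new one says neither what happened nor what the next step is. If the aside is to go, replace it with the current status (still testing, ready to upload, blocked on X) rather than a remark about timing; the same edit is applied to ring in the second hunk.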
@@ -157,7 +157,7 @@ rails
 ring (Thorsten Alteholz)
   NOTE: 20221120: Added by Front-Desk
   NOTE: 20230507: testing package
-  NOTE: 20230521: an RCE CVE of cups-filter made a mess of the timing
+  NOTE: 20230605: upload timing could be improved here
 --
 ruby-loofah
   NOTE: 20221231: Added by Front-Desk



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d61c835fb9696dd147850b7cd205ec70552135e



[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2023-32307/sofia-sip

2023-05-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c938bb6c by Salvatore Bonaccorso at 2023-05-27T22:41:56+02:00
Update notes for CVE-2023-32307/sofia-sip

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -47,7 +47,8 @@ CVE-2023-32311 (CloudExplorer Lite is an open source cloud 
management platform.
 CVE-2023-32307 (Sofia-SIP is an open-source SIP User-Agent library, compliant 
with the ...)
- sofia-sip 
NOTE: 
https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-rm4c-ccvf-ff9c
-   TODO: check if affecting Debian's used fork
+   NOTE: https://github.com/freeswitch/sofia-sip/pull/214
+   NOTE: Fixed by: 
https://github.com/freeswitch/sofia-sip/commit/c3bbc50c88d168065de34ca01b9b1d98c1b0e810
 (v1.13.15)
 CVE-2023-2924 (A vulnerability, which was classified as critical, has been 
found in S ...)
TODO: check
 CVE-2023-2923 (A vulnerability classified as critical was found in Tenda AC6 
US_AC6V1 ...)
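Review bot: the removed TODO asked the key question, whether the fork Debian ships is affected, and the new lines answer only what the upstream fix is: the "- sofia-sip" line still shows no fixed version or not-affected marker, and there are no per-release lines. Record the answer (affected, with commit c3bbc50c to be backported, or not-affected because the Debian package does not contain the vulnerable code) so the entry does not read as an open question once the TODO is gone. The "Fixed by:" form with the "(v1.13.15)" tag is the right shape for the commit note.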



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c938bb6cdb8117e15b8e9d5035f088acdc9b58c9



[Git][security-tracker-team/security-tracker][master] update notes

2023-05-21 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
03b044cf by Thorsten Alteholz at 2023-05-22T02:10:53+02:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -71,6 +71,7 @@ libcap2 (Abhijith PA)
 libfastjson (Thorsten Alteholz)
   NOTE: 20230507: Programming language: C.
   NOTE: 20230507: the CVE was fixed in json-c already
+  NOTE: 20230521: an RCE CVE of cups-filter made a mess of the timing
 --
 libraw (guilhem)
   NOTE: 20230520: Programming language: C++.
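Review bot: "cups-filter" should be "cups-filters" (the Debian source package name), and the note explains why the libfastjson work slipped rather than where it stands; a reader of dla-needed.txt wants the latter ("patch backported, testing pending" or similar), with the explanation, if kept, as a separate sentence. The identical line is added to ring in the second hunk.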
@@ -181,6 +182,7 @@ ring (Thorsten Alteholz)
   NOTE: 20221120: Programming language: C.
   NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/ring.git
   NOTE: 20230507: testing package
+  NOTE: 20230521: an RCE CVE of cups-filter made a mess of the timing
 --
 ruby-loofah
   NOTE: 20221231: Programming language: Ruby.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03b044cf88afc3351833a772c596d3588e5c1c99



[Git][security-tracker-team/security-tracker][master] Update notes for sysstat CVEs

2023-05-18 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
64582bbf by Salvatore Bonaccorso at 2023-05-18T14:20:09+02:00
Update notes for sysstat CVEs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,7 +1,9 @@
 CVE-2023-33204 (sysstat through 12.7.2 allows a multiplication integer 
overflow in che ...)
- sysstat 
+   [bullseye] - sysstat  (Incomplete fix for CVE-2022-39377 
not applied)
NOTE: https://github.com/sysstat/sysstat/pull/360
NOTE: 
https://github.com/sysstat/sysstat/commit/954ff2e2673cef48f0ed44668c466eab041db387
+   NOTE: this issue exists because of an incomplete fix for CVE-2022-39377.
 CVE-2023-33203 (The Linux kernel before 6.2.9 has a race condition and 
resultant use-a ...)
- linux 6.1.25-1
[bullseye] - linux 5.10.178-1
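Review bot: the bullseye status on CVE-2023-33204, 'Incomplete fix for CVE-2022-39377 not applied', only explains why the new overflow code is absent; it does not say whether bullseye is therefore unaffected by this CVE or simply still exposed to the original CVE-2022-39377, which the second hunk still lists as unfixed in bullseye ('Minor issue'). Suggest stating both, e.g. `(Vulnerable code not present; bullseye still carries the unfixed CVE-2022-39377)`, so the two entries read consistently.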
@@ -57226,6 +57228,7 @@ CVE-2022-39377 (sysstat is a set of system performance 
tools for the Linux opera
[bullseye] - sysstat  (Minor issue)
NOTE: 
https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x
NOTE: 
https://github.com/sysstat/sysstat/commit/9c4eaf150662ad40607923389d4519bc83b93540
 (v12.7.1)
+   NOTE: The original fix is incomplete and opens up CVE-2023-33204.
 CVE-2022-39376 (GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI 
is a Fre ...)
- glpi  (unimportant)
NOTE: 
https://github.com/glpi-project/glpi/security/advisories/GHSA-6rh5-m5g7-327w
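Review bot: 'opens up CVE-2023-33204' is the only pointer from this entry to the follow-up, while the fixing commit for that follow-up (sysstat PR #360, commit 954ff2e2673cef48f0ed44668c466eab041db387) is recorded only under CVE-2023-33204; anyone backporting the v12.7.1 commit referenced here needs both, so suggest naming the follow-up in this note as well, e.g. `NOTE: The original fix is incomplete (CVE-2023-33204); backport together with https://github.com/sysstat/sysstat/pull/360`.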



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64582bbfb009a8c72a067a8738edb41846c86ae1



[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2022-23134

2023-04-09 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2931ba7d by Salvatore Bonaccorso at 2023-04-09T20:51:09+02:00
Update notes for CVE-2022-23134

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -100442,8 +100442,8 @@ CVE-2022-23135 (There is a directory traversal 
vulnerability in some home gatewa
 CVE-2022-23134 (After the initial setup process, some steps of setup.php file 
are reac ...)
{DLA-2914-1}
- zabbix 1:6.0.7+dfsg-2
-   [bullseye] - zabbix  (See NOTE below)
-   [buster] - zabbix  (See NOTE below)
+   [bullseye] - zabbix  (Vulnerable code not present; 
session data not stored in cookies)
+   [buster] - zabbix  (Vulnerable code not present)
NOTE: https://support.zabbix.com/browse/ZBX-20384
NOTE: 
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/aa0fecfbcc9794bc00206630a7424575dfc944df
 (5.0.19rc2)
NOTE: 4.0 and 5.0 are not affected: 
https://support.zabbix.com/browse/ZBX-20384?focusedCommentId=648239=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-648239
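Review bot: the two not-affected justifications differ ('Vulnerable code not present; session data not stored in cookies' for bullseye, only 'Vulnerable code not present' for buster) although the NOTE below says 4.0 and 5.0 are unaffected for one reason; using the same justification on both lines, and naming the upstream version each suite ships, would make the claim checkable against the ZBX-20384 comment. Also, the Jira link as it appears here reads `focusedCommentId=648239=com.atlassian...`, i.e. the `&page` separator seems to have been lost, so the link should be re-checked before relying on it.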



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2931ba7d83e543308104d42de4c5049e5fbd5288



[Git][security-tracker-team/security-tracker][master] update notes

2023-03-26 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fc28cbbe by Thorsten Alteholz at 2023-03-26T23:27:22+02:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -56,6 +56,7 @@ docker.io (gladk)
 duktape (Thorsten Alteholz, maintainer)
   NOTE: 20230311: Programming language: C.
   NOTE: 20230311: Maintainer notes: Maintainer prepares o-o-s updates.
+  NOTE: 20230326: testing package
 --
 emacs (Adrian Bunk)
   NOTE: 20230223: Programming language: Lisp.
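Review bot: 'testing package' next to the existing 'Maintainer prepares o-o-s updates' note leaves it unclear who is doing what; since the claim line names both the assignee and 'maintainer', say whether this is the maintainer's own update under test or a separate LTS build, so front-desk does not double-book the package.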
@@ -128,6 +129,7 @@ intel-microcode (tobi)
 --
 libmicrohttpd (Thorsten Alteholz)
   NOTE: 20230313: Programming language: C.
+  NOTE: 20230326: testing package
 --
 linux (Ben Hutchings)
   NOTE: 20230111: Programming language: C



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc28cbbea8b9ba52d5b8952a979ce95979363c38



[Git][security-tracker-team/security-tracker][master] Update notes for sofia-sip

2023-02-08 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
61ac7f22 by Salvatore Bonaccorso at 2023-02-08T15:57:35+01:00
Update notes for sofia-sip

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -58,7 +58,7 @@ salt
 samba
 --
 sofia-sip
-  Maintainer proposed debdiff for review with additional question
+  Maintainer proposed debdiff for review with additional question and sent a 
followup
 --
 sox
   patch needed for CVE-2021-40426, check with upstream
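Review bot: the updated sofia-sip status has no date stamp and no pointer to the followup (bug number or mail), so the next person cannot tell how long the review has been pending or where the open question lives; the dated `NOTE: YYYYMMDD:` convention used in the dla-needed.txt entries of this tracker would serve the same purpose here.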



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61ac7f22b348afd13e431f9fe38819637f0b3c96



[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2022-3854/ceph

2022-12-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cc28091e by Salvatore Bonaccorso at 2022-12-25T22:36:26+01:00
Update notes for CVE-2022-3854/ceph

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -11949,7 +11949,9 @@ CVE-2022-3854 [possible DoS issue in ceph URL 
processing on RGW backends]
RESERVED
- ceph 
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2139925
-   TODO: check details, none provided in RHBZ#2139925
+   NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1205025
+   NOTE: https://tracker.ceph.com/issues/55765
+   TODO: check details, none provided in RHBZ#2139925, SuSE contains 
excerpt from the closed bugzilla entry
 CVE-2022-44664
RESERVED
 CVE-2022-44663
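Review bot: the TODO still says 'check details', but now that https://tracker.ceph.com/issues/55765 is linked the actionable items can be spelled out: identify the fixing commit from that tracker issue and the ceph versions that carry it, then fill in the fixed version on the still-empty `- ceph` line. Minor: the vendor name is spelled SUSE, not SuSE.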



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc28091ed8240200c428fca6612f1d9560d200b1



[Git][security-tracker-team/security-tracker][master] update notes

2022-11-16 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3a131135 by Thorsten Alteholz at 2022-11-16T11:38:43+01:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -84,8 +84,9 @@ golang-websocket
   NOTE: 20220915: 1 CVE fixed in stretch and bullseye 
(golang-github-gorilla-websocket) (Beuc/front-desk)
   NOTE: 20220915: Special attention: limited support; requires rebuilding 
reverse dependencies
 --
-graphicsmagick
+graphicsmagick (Thorsten Alteholz)
   NOTE: 20221027: Programming language: C.
+  NOTE: 20221116: testing package
 --
 hsqldb
   NOTE: 20221031: Programming language: Java.
@@ -386,7 +387,7 @@ vim (Helmut)
   NOTE: 20221108: Programming language: C.
   NOTE: 20221108: VCS: https://salsa.debian.org/lts-team/packages/vim.git
 --
-virglrenderer
+virglrenderer (Thorsten Alteholz)
   NOTE: 20221009: Programming language: C.
 --
 zabbix
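Review bot: virglrenderer is claimed here without a dated status note, unlike graphicsmagick in the first hunk which gets 'testing package'; adding a `NOTE: 20221116:` line (even just 'claimed, not started') keeps the two claims comparable when front-desk reviews stale entries.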



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a1311355dcc2525847f3c7119b64b16c2be4d8b



[Git][security-tracker-team/security-tracker][master] Update notes for libpgjava in dsa-needed.txt.

2022-07-10 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b8787a63 by Markus Koschany at 2022-07-11T00:39:55+02:00
Update notes for libpgjava in dsa-needed.txt.

also claim curl

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -16,7 +16,7 @@ asterisk
 --
 chromium (jmm)
 --
-curl
+curl (Markus Koschany)
 --
 epiphany-browser
 --
@@ -29,6 +29,8 @@ kopanocore/oldstable
 librecad
 --
 libpgjava (apo)
+  NOTE: 20220711: libscram-java is missing in bullseye-security. I am currently
+  NOTE: 20220711: waiting for #1014409 being resolved.
 --
 linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
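Review bot: the note names the blocker (libscram-java missing from bullseye-security, #1014409) but not whether libpgjava needs it at build time or at runtime; if it is a build dependency the DSA cannot even be built until the bug is resolved, whereas a runtime dependency could be handled by uploading both packages together. Stating which avoids a later question. Style: 'waiting for #1014409 being resolved' reads better as 'waiting for #1014409 to be resolved'.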



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b8787a637da667cfa6149d87ea13469318c33fbe



[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2022-31213

2022-07-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1469aa7a by Salvatore Bonaccorso at 2022-07-01T20:16:39+02:00
Update notes for CVE-2022-31213

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -9594,9 +9594,12 @@ CVE-2022-31214 (A Privilege Context Switching issue was 
discovered in join.c in
NOTE: 
https://github.com/netblue30/firejail/files/8913178/CVE-2022-31214.zip 
(0.9.58.2 - 0.9.68 backports)
 CVE-2022-31213 [null pointer reference when supplying a malformed XML config 
file]
RESERVED
-   - dbus-broker 
+   - dbus-broker 30-1
[bullseye] - dbus-broker  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2094722
+   NOTE: "CHANGES WITH 30:" mention: Fix NULL-derefs in the XML 
configuration parser. Empty XML tags could
+   NOTE: have caused NULL-derefs before.
+   TODO: Isolate upstream commit.
 CVE-2022-31212
RESERVED
- dbus-broker 30-1 (bug #1013343)
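Review bot: the fixed version 30-1 is asserted on the strength of the 'CHANGES WITH 30' text before the upstream commit has been isolated (the TODO added in the same hunk); that is fine as a provisional status, but the TODO should stay open until the commit is confirmed to address the report in RHBZ#2094722, since a changelog line about 'NULL-derefs in the XML configuration parser' could cover a different empty-tag case. The sibling CVE-2022-31212 entry carries a Debian bug (#1013343) for the same 30-1 upload; if that bug covers both CVEs, reference it here too.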



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1469aa7ab6db651ec393e557a6ff7355193fbbca



[Git][security-tracker-team/security-tracker][master] update notes

2022-06-26 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7ffed317 by Thorsten Alteholz at 2022-06-26T23:48:42+02:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -28,7 +28,7 @@ blender (Thorsten Alteholz)
   NOTE: 20220529: Programming language: C++.
   NOTE: 20220528: 3 CVEs now fixed in unstable, but maintainer never was 
approached to fix in stable/oldstable,
   NOTE: 20220528: maybe coordinate with them (Beuc/front-desk)
-  NOTE: 20220613: testing package
+  NOTE: 20220626: testing package
 --
 cgal
   NOTE: 20220529: Programming language: C++.
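Review bot: this hunk only moves the date on an otherwise identical 'testing package' line; a refreshed date shows the entry is alive but not what happened in the intervening two weeks. A short qualifier (which release is under test, what still fails, or whether the maintainer coordination suggested in the 20220528 note happened) would carry more information than the bump.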
@@ -80,7 +80,7 @@ golang-github-hashicorp-go-getter (Thorsten Alteholz)
   NOTE: 20220529: Programming language: Go.
   NOTE: 20220528: limited golang support in stretch (cf. stretch release notes)
   NOTE: 20220528: no rdeps AFAICS so no need to rebuild other golang packages 
(Beuc/front-desk)
-  NOTE: 20220613: testing package
+  NOTE: 20220626: testing package
 --
 golang-go.crypto (Dominik George)
   NOTE: 20220529: Programming language: Go.
@@ -188,7 +188,7 @@ modsecurity-crs (Andreas Rönnquist)
 ncurses (Thorsten Alteholz)
   NOTE: 20220529: Programming language: C.
   NOTE: 20220524: Follow buster: harmonize with with Debian 10.2 (2-3 CVEs + 
some non-CVE'd issues) (Beuc/front-desk)
-  NOTE: 20220613: testing package
+  NOTE: 20220626: testing package
 --
 netatalk
   NOTE: 20220616: Programming language: C.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ffed317b7f870462b7e01f2f733668364e83103



[Git][security-tracker-team/security-tracker][master] update notes

2022-06-13 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
debb0e2a by Thorsten Alteholz at 2022-06-13T10:25:36+02:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -25,6 +25,7 @@ blender (Thorsten Alteholz)
   NOTE: 20220529: Programming language: C++.
   NOTE: 20220528: 3 CVEs now fixed in unstable, but maintainer never was 
approached to fix in stable/oldstable,
   NOTE: 20220528: maybe coordinate with them (Beuc/front-desk)
+  NOTE: 20220613: testing package
 --
 cgal
   NOTE: 20220529: Programming language: C++.
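Review bot: the 20220528 note above says the maintainer was never approached about stable/oldstable and suggests coordinating with them; the new 'testing package' note does not say whether that coordination took place, so a reader cannot tell whether an LTS upload might collide with a maintainer upload. Suggest recording the outcome (maintainer contacted, no reply, or LTS proceeds alone) in the new note.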
@@ -75,6 +76,7 @@ golang-github-hashicorp-go-getter (Thorsten Alteholz)
   NOTE: 20220529: Programming language: Go.
   NOTE: 20220528: limited golang support in stretch (cf. stretch release notes)
   NOTE: 20220528: no rdeps AFAICS so no need to rebuild other golang packages 
(Beuc/front-desk)
+  NOTE: 20220613: testing package
 --
 golang-go.crypto
   NOTE: 20220529: Programming language: Go.
@@ -175,6 +177,7 @@ modsecurity-crs
 ncurses (Thorsten Alteholz)
   NOTE: 20220529: Programming language: C.
   NOTE: 20220524: Follow buster: harmonize with with Debian 10.2 (2-3 CVEs + 
some non-CVE'd issues) (Beuc/front-desk)
+  NOTE: 20220613: testing package
 --
 ntfs-3g
   NOTE: 20220529: Programming language: C.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/debb0e2a201d08b07f97426d6b5c54f5cf42fb21



[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2021-3643/sox

2022-04-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
69665a31 by Salvatore Bonaccorso at 2022-04-28T23:01:54+02:00
Update notes for CVE-2021-3643/sox

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -52273,6 +52273,8 @@ CVE-2021-3643
RESERVED
- sox 
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1980626
+   NOTE: Triggered by same reproducer as for CVE-2021-23210
+   NOTE: https://sourceforge.net/p/sox/bugs/351/
 CVE-2021-38193 (An issue was discovered in the ammonia crate before 3.1.0 for 
Rust. XS ...)
- rust-ammonia 3.1.2-1 (bug #991497)
NOTE: 
https://github.com/rust-ammonia/ammonia/commit/4b8426b89b861d9bea20e126576b0febb9d13515
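Review bot: 'Triggered by same reproducer as for CVE-2021-23210' leaves open whether CVE-2021-3643 is a distinct bug that merely shares an input file or a duplicate of CVE-2021-23210; the entry would be clearer if it said which, and the sourceforge bug 351 link should be cross-referenced from the CVE-2021-23210 entry as well, so that whoever fixes one does not mark the other fixed by accident.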



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/69665a311841f503430982d624a43fad219664f5



[Git][security-tracker-team/security-tracker][master] update notes

2022-04-24 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5e8a88a7 by Thorsten Alteholz at 2022-04-24T23:53:19+02:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -82,7 +82,7 @@ kvmtool
   NOTE: 20220402: CVE-2021-45464 looks critical, check with upstream for 
acknowledgments/fixes (Beuc)
 --
 libarchive (Thorsten Alteholz)
-  NOTE: 20220410: still testing
+  NOTE: 20220423: still testing, some tests still fail
 --
 liblouis
   NOTE: 20220320: no patch available yet. Reproducible memory leaks with ASAN
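Review bot: 'some tests still fail' should say which tests and, more importantly, whether they also fail on the unpatched package; only failures introduced by the backport are blockers, pre-existing ones can be noted and skipped. Recording that triage here saves the next tester from repeating it.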
@@ -91,7 +91,7 @@ liblouis
 libpgjava
 --
 libvirt (Thorsten Alteholz)
-  NOTE: 20220410: wait for upload in newer releases
+  NOTE: 20220423: wait for upload in newer releases, dependency loop seems to 
be resolved now
 --
 libz-mingw-w64
   NOTE: 20220231: upcoming DSA (Beuc)
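Review bot: the libvirt note now says the dependency loop seems resolved, so 'wait for upload in newer releases' should state what the remaining wait is for (an upload of which package to which release), otherwise the entry is parked indefinitely. Unrelated but visible in the context line: `NOTE: 20220231:` under libz-mingw-w64 is not a valid date.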



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e8a88a7e2b094f331e937d2c8042af067ba2602



[Git][security-tracker-team/security-tracker][master] update notes

2022-03-27 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4f0a152c by Thorsten Alteholz at 2022-03-27T23:14:52+02:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -58,7 +58,7 @@ jackson-databind
 kicad
 --
 libarchive (Thorsten Alteholz)
-  NOTE: 20220225: fix seems to be incomplete
+  NOTE: 20220327: next round of testing
 --
 libdatetime-timezone-perl (Emilio)
 --
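Review bot: replacing 'fix seems to be incomplete' with 'next round of testing' drops the only record of a problem with the fix; keep the earlier observation (ideally with which CVE's patch was incomplete and how that was addressed) next to the new status, since dla-needed.txt is where that history has to survive until the DLA text is written.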
@@ -82,6 +82,7 @@ mariadb-10.1
 mbedtls (Utkarsh)
 --
 minidlna (Thorsten Alteholz)
+  NOTE: 20220327: update other releases first
 --
 nvidia-graphics-drivers
NOTE: 20220203: package is in non-free but also in packages-to-support 
(Beuc)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4f0a152c5f11b7c79ecf0b03de3e2651e143b21d



[Git][security-tracker-team/security-tracker][master] update notes

2022-01-02 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
45d8534d by Thorsten Alteholz at 2022-01-02T23:42:52+01:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -49,6 +49,7 @@ gpac (Roberto C. Sánchez)
   NOTE: 20211228: Returning to active work on this now that llvm/rustc update 
is complete (roberto)
 --
 libarchive (Thorsten Alteholz)
+  NOTE: 20220102: testing package
 --
 libgit2 (Utkarsh)
   NOTE: 20211029: CVE-2018-10887/CVE-2018-10888/CVE-2018-15501 were fixed
@@ -95,6 +96,7 @@ slurm-llnl (Sylvain Beucler)
   NOTE: 20211229: should also be checked. (bunk)
 --
 sphinxsearch (Thorsten Alteholz)
+  NOTE: 20220103: waiting for Buster upload
 --
 thunderbird (Emilio)
   NOTE: 20211122: blocked on toolchain backports (pochu)
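Review bot: the date stamp 20220103 is a day ahead of the commit time (2022-01-02T23:42:52+01:00), and the other note in this commit uses 20220102, so one of the two should be aligned. 'waiting for Buster upload' would also be more useful with whether that upload is expected from the maintainer or from the LTS team.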



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45d8534dcaee8406eed40565a0cafd771db55eec



[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2021-45959/fmtlib

2022-01-02 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a1b4bd0b by Salvatore Bonaccorso at 2022-01-02T15:03:27+01:00
Update notes for CVE-2021-45959/fmtlib

Pending REJECT from MITRE to clean up the CVE entry.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -64,10 +64,12 @@ CVE-2022-0079
 CVE-2022-0078
RESERVED
 CVE-2021-45959 ({fmt} 7.1.0 through 8.0.1 has a stack-based buffer overflow in 
fmt::v8 ...)
-   - fmtlib 
+   - fmtlib  (unimportant)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36110
+   NOTE: https://github.com/fmtlib/fmt/issues/2685
NOTE: Fixed by: 
https://github.com/fmtlib/fmt/commit/2038bf61831eb8faede0883965364a974d1350fe
-   TODO: check correctness, introducing commit in oss-fuzz report is 
related when fuzzing started
+   NOTE: The CVE is basically invalid, as the report was one of a series 
of false positives
+   NOTE: and the "upstream fix" is effectively a noop.
 CVE-2021-45958 (UltraJSON (aka ujson) 4.0.2 through 5.0.0 has a stack-based 
buffer ove ...)
- ujson 
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009
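Review bot: the entry now has a 'Fixed by:' line pointing at commit 2038bf61831eb8faede0883965364a974d1350fe and, two lines later, a note that this 'upstream fix' is effectively a noop; the two read as contradictory. Suggest qualifying the 'Fixed by' line (e.g. 'Referenced as fix, but see below') so nobody backports that commit as a security fix, and once the REJECT from MITRE mentioned in the commit message lands, replacing the notes with the REJECTED marker.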



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a1b4bd0b76afefa7abf5b0211385ae0a22e651ac



[Git][security-tracker-team/security-tracker][master] Update notes for nvidia-graphics-drivers in dla-needed.txt

2021-12-10 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a92991a7 by Markus Koschany at 2021-12-10T22:45:52+01:00
Update notes for nvidia-graphics-drivers in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -66,6 +66,9 @@ nvidia-graphics-drivers (Markus Koschany)
   NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in 
Stretch, no fix available for CVE-2021-1077
   NOTE: 20211108: nvidia-graphics-drivers-legacy-390xx 390.144-1 in 
buster/bullseye/bookworm
   NOTE: 20211108: now fixes all 5 CVEs (bunk)
+  NOTE: 20211210: I am currently testing the backport of
+  NOTE: nvidia-graphics-drivers-legacy-390xx but will ask for more testing on 
the lts
+  NOTE: mailing list tomorrow (apo)
 --
 pgbouncer (Thorsten Alteholz)
   NOTE: 20211128: also help with other releases
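Review bot: the added status is fine; one thing visible in the context lines is worth fixing in the same file: the identifier in 'only CVE‑2021‑1076 seems to be fixed' uses non-ASCII hyphen characters, so a grep for CVE-2021-1076 in dla-needed.txt will not find that line.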



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a92991a7cea3efcca506c2e3f8b8213715f1f6f4



[Git][security-tracker-team/security-tracker][master] Update notes on CVE-2021-41190

2021-11-20 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d56d88cc by Salvatore Bonaccorso at 2021-11-20T10:20:37+01:00
Update notes on CVE-2021-41190

This is a bit cumbersome to track. My understanding is that the CVE is
specifically for the specification issue. Several container projects
have mitigated the issue by releasing updates. Such as the mentioned
containerd and golang-github-opencontainers-image-spec.

As such keep it for now as NFU, though making a note on the mitigations
in software.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -9993,7 +9993,12 @@ CVE-2021-41192
 CVE-2021-41191 (Roblox-Purchasing-Hub is an open source Roblox product 
purchasing hub. ...)
NOT-FOR-US: Roblox-Purchasing-Hub
 CVE-2021-41190 (The OCI Distribution Spec project defines an API protocol to 
facilitat ...)
-   NOT-FOR-US: OCI Distribution Spec
+   NOT-FOR-US: OCI Distribution Specification
+   NOTE: Issue in the OCI Distribution Specification. Software mitigations 
are applied to
+   NOTE: containerd/1.5.8~ds1-1 and 
golang-github-opencontainers-image-spec/1.0.2-1
+   NOTE: https://www.openwall.com/lists/oss-security/2021/11/19/10
+   NOTE: 
https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m
+   NOTE: 
https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh
 CVE-2021-41189 (DSpace is an open source turnkey repository application. In 
version 7. ...)
NOT-FOR-US: DSpace
 CVE-2021-41188 (Shopware is open source e-commerce software. Versions prior to 
5.7.6 c ...)
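Review bot: keeping the entry NOT-FOR-US while naming mitigations in containerd/1.5.8~ds1-1 and golang-github-opencontainers-image-spec/1.0.2-1 means the tracker shows nothing for the stable suites of those two packages, even though the commit message acknowledges they shipped mitigations; if stable or oldstable did not get those versions, that gap is invisible. Suggest either per-package sub-entries with version markers or an explicit note on the stable status of both packages.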



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d56d88cc5c785d969a508f0628331a10384de55d



[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2021-42343/dask

2021-11-10 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
95e44ad5 by Salvatore Bonaccorso at 2021-11-11T07:53:12+01:00
Update notes for CVE-2021-42343/dask

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4789,8 +4789,9 @@ CVE-2021-42345
 CVE-2021-42344
RESERVED
 CVE-2021-42343 (An issue was discovered in the Dask distributed package before 
2021.10 ...)
-   - dask 
-   TODO: check details if fixed upstream in 2021.10.0
+   - dask.distributed 
+   NOTE: https://github.com/dask/distributed/pull/5427
+   NOTE: 
https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr
 CVE-2021-42342 (An issue was discovered in GoAhead 4.x and 5.x before 5.1.5. 
In the fi ...)
NOT-FOR-US: Embedthis GoAhead
 CVE-2021-42341 (checkpath in OpenRC before 0.44.7 uses the direct output of 
strlen() t ...)
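Review bot: the source package is corrected to dask.distributed and the TODO ('check details if fixed upstream in 2021.10.0') is removed, but the fixed-version field is still empty and the entry does not say whether the linked PR (dask/distributed#5427) is what the upstream fix consists of; if the removed TODO's question has been answered, record the answer (e.g. 'Fixed by:' on the PR link and the upstream fixed version), and a Debian bug reference would be the usual next step for an open issue in a packaged library.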



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/95e44ad53194e3611bc264045c330fcf8b52e92a



[Git][security-tracker-team/security-tracker][master] update notes

2021-10-10 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ec87c80f by Thorsten Alteholz at 2021-10-11T00:14:37+02:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -31,8 +31,10 @@ debian-archive-keyring (Utkarsh)
   NOTE: 20211003: failing. Or at least appears to be. :( (utkarsh)
 --
 exiv2 (Thorsten Alteholz)
+  NOTE: 20211010: WIP, also taking care of older issues
 --
 faad2 (Thorsten Alteholz)
+  NOTE: 20211010: WIP, also taking care of older issues
 --
 ffmpeg (Anton Gladky)
   NOTE: probably wait until stuff is fixed in Buster
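Review bot: 'also taking care of older issues' for exiv2 and faad2 should name the CVE ids being picked up; otherwise the tracker cannot tell which of the open issues in those packages the upcoming DLA will close, and the DLA text will have to be reconstructed from memory.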
@@ -111,7 +113,7 @@ smarty3 (Markus Koschany)
   NOTE: 20210906: prepared a build for testing. Waiting for bug submitter's 
reply (abhijith)
 --
 squashfs-tools (Thorsten Alteholz)
-  NOTE: 20210926: coordinate with upload to other releases
+  NOTE: 20211010: coordinate with upload to other releases
 --
 thunderbird (Emilio)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec87c80f36288b03c7df0c6ad1acea4f6138ba10



[Git][security-tracker-team/security-tracker][master] Update notes for two libgcrypt20 CVEs

2021-09-19 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ff7bba42 by Salvatore Bonaccorso at 2021-09-19T13:35:23+02:00
Update notes for two libgcrypt20 CVEs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1905,7 +1905,11 @@ CVE-2021-40528 (The ElGamal implementation in Libgcrypt 
before 1.9.4 allows plai
NOTE: https://eprint.iacr.org/2021/923
NOTE: 
https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1
NOTE: 
https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2
-   NOTE: Related to CVE-2021-33560, but not a duplicate
+   NOTE: 
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=e8b7f10be275bcedb5fc05ed4837a89bfd605c61
 (1.9.x)
+   NOTE: Related to CVE-2021-33560, but not a duplicate. Unfortunately 
scope of CVE-2021-33560 and
+   NOTE: CVE-2021-40528 got switched at some point, and CVE-2021-33560 
referring to the blinding
+   NOTE: hardening. We keep the original association as per 2021-09-19 
(until MITRE clarifies on
+   NOTE: a query).
 CVE-2021-40527
RESERVED
 CVE-2021-40526
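Review bot: the added NOTE is missing a verb in "and CVE-2021-33560 referring to the blinding hardening" (read: "with CVE-2021-33560 now referring to the blinding hardening"), and the sentence about the swapped scope could be read as already confirmed, whereas the last line says the original association is kept until MITRE answers; tighten the wording so the tentative status is unambiguous. Also, only a 1.9.x upstream commit is recorded here while the CVE-2021-33560 entry lists both 1.9.x and 1.8.x commits; if the 1.8 branch carries a corresponding change, record it here as well.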
@@ -18003,7 +18007,10 @@ CVE-2021-33560 (Libgcrypt before 1.8.8 and 1.9.x 
before 1.9.3 mishandles ElGamal
[buster] - libgcrypt20 1.8.4-5+deb10u1
NOTE: https://dev.gnupg.org/T5328
NOTE: https://eprint.iacr.org/2021/923.pdf
-   NOTE: 
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=3462280f2e23e16adf3ed5176e0f2413d8861320
+   NOTE: 
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=3462280f2e23e16adf3ed5176e0f2413d8861320
 (1.9.x)
+   NOTE: 
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=707c3c5c511ee70ad0e39ec613471f665305fbea
 (1.8.x)
+   NOTE: See notes on CVE-2021-40528 on the confusion about swapping of 
scope of
+   NOTE: CVE-2021-40528 and CVE-2021-33560.
 CVE-2021-33559
RESERVED
 CVE-2021-33558 (Boa 0.94.13 allows remote attackers to obtain sensitive 
information vi ...)
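Review bot: the entry already marks buster as fixed in libgcrypt20 1.8.4-5+deb10u1, and the 1.8.x upstream commit (707c3c5c511ee70ad0e39ec613471f665305fbea) is only being recorded now; confirm that the deb10u1 update actually carries that commit. Given the cross-reference about the swapped scope of the two IDs, it is also worth stating here which change (the ElGamal mishandling or the blinding hardening) the buster update contains, since the fixed-version claim rests on that.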



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff7bba427b8f21ddd1849d525f153f05aafc9abe



[Git][security-tracker-team/security-tracker][master] update notes

2021-09-12 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9760c2b8 by Thorsten Alteholz at 2021-09-12T23:30:05+02:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -38,6 +38,7 @@ gnutls28 (Sylvain Beucler)
 --
 grilo (Thorsten Alteholz)
   NOTE: 20210825: ssl-use-system-ca-file is used in libsoup2.4 since version 
2.38
+  NOTE: 20210912: maintainer ok, testing package
 --
 krb5 (Adrian Bunk)
   NOTE: 20210905: testing fixes
@@ -66,8 +67,10 @@ nvidia-graphics-drivers
   NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in 
Stretch, no fix available for CVE-2021-1077
 --
 openssl (Thorsten Alteholz)
+  NOTE: 20210912: testing package, upload probably after LE fix
 --
 openssl1.0 (Thorsten Alteholz)
+  NOTE: 20210912: testing package, upload probably after LE fix
 --
 plib
   NOTE: 20210829: no fix yet. (thorsten)
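Review bot: "upload probably after LE fix" in both the openssl and openssl1.0 notes uses an abbreviation that nobody outside the current discussion can resolve; spell it out or reference the bug or thread it refers to, so the dependency between the two uploads is clear to whoever picks these packages up next.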



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9760c2b8fb7e31f701c02800701bf70cec74f44d



[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2021-3592

2021-09-11 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
eea83f8e by Markus Koschany at 2021-09-11T23:07:30+02:00
Update notes for CVE-2021-3592

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -14440,6 +14440,7 @@ CVE-2021-3592 (An invalid pointer initialization issue 
was found in the SLiRP ne
NOTE: 
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/f13cad45b25d92760bb0ad67bec0300a4d7d5275
 (v4.6.0)
NOTE: 
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/2eca0838eee1da96204545e22cdaed860d9d7c6c
 (v4.6.0)
NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as 
fixed.
+   NOTE: The patch introduced a regression, see Debian bug #994080 for 
more information.
 CVE-2021-34558 (The crypto/tls package of Go through 1.16.5 does not properly 
assert t ...)
- golang-1.16 1.16.6-1
- golang-1.15 1.15.9-6
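Review bot: the new NOTE says "the patch" introduced a regression, but two libslirp commits are recorded above it; state which one is meant, and whether the regression affects the qemu 1:4.1-2 / system-libslirp split that the previous NOTE relies on to mark versions as fixed. As written, a reader cannot tell whether the fixed-version assessment still stands or needs a follow-up once Debian bug #994080 is resolved.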



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eea83f8e70d13b256142eaa8b904f50ed364f2d0



[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2021-20291

2021-09-09 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / security-tracker


Commits:
58fe2932 by Neil Williams at 2021-09-09T14:00:18+01:00
Update notes for CVE-2021-20291

golang-github-containers-buildah uses golang-github-containers-storage compression support.
docker.io already uses the same library as the fix for golang-github-containers-storage.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -50511,7 +50511,8 @@ CVE-2021-20291 (A deadlock vulnerability was found in 
'github.com/containers/sto
[experimental] - golang-github-containers-storage 1.29.0+ds1-1
- golang-github-containers-storage 1.34.1+ds1-1 (bug #988942)
NOTE: 
https://github.com/containers/storage/commit/306fcabc964470e4b3b87a43a8f6b7d698209ee1
-   TODO: check golang-github-containers-buildah, docker.io
+   NOTE: golang-github-containers-buildah uses 
golang-github-containers-storage compression support.
+   NOTE: docker.io already uses the same library as the fix for 
golang-github-containers-storage.
 CVE-2021-20290
RESERVED
- foreman  (bug #663101)
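Review bot: the TODO is replaced by two NOTEs, but neither turns into tracker state: the first says golang-github-containers-buildah uses the affected compression support, yet no package line for buildah is added, so the tracker will show it neither as affected nor as fixed through the dependency. Add a "- golang-github-containers-buildah ..." line, or a NOTE stating explicitly that it is covered by the golang-github-containers-storage entry, and record docker.io's status the same way rather than by implication.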



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58fe29321a5f31da48f7384e63f99829698638a2



[Git][security-tracker-team/security-tracker][master] Update notes on mosquitto and mupdf

2021-08-17 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5dcb8fff by Neil Williams at 2021-08-17T14:53:27+01:00
Update notes on mosquitto and mupdf

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -33,11 +33,12 @@ linux (Ben Hutchings)
 --
 linux-4.19 (Ben Hutchings)
 --
-mosquitto (codehelp)
+mosquitto
   NOTE: 20210805: coordinating upload to buster before DLA for Stretch 
(codehelp)
   NOTE: 20210806: CVE-2021-34432 ignored in buster and stretch. Vulnerable 
code not accessible. (codehelp)
 --
 mupdf (codehelp)
+  NOTE: 20210817: fix for CVE-2020-19609 and CVE-2021-37220 in buster are to 
be put into a point release.
 --
 nettle
   NOTE: 20210719: difficult backport, wip (Emilio)
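Review bot: the claimant "(codehelp)" is removed from the mosquitto header without a dated NOTE explaining the hand-off, while the 20210805 note still says codehelp is coordinating the buster upload; add a line with the current state (what was uploaded, what remains for Stretch) so the next person to claim the package knows where it stands.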



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5dcb8fff2e3e65326fd304c3776e7d157ad70f4d



[Git][security-tracker-team/security-tracker][master] Update notes on CVE-2020-19715 and CVE-2019-13110

2021-08-10 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
97c06621 by Salvatore Bonaccorso at 2021-08-10T22:49:22+02:00
Update notes on CVE-2020-19715 and CVE-2019-13110

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -74311,8 +74311,6 @@ CVE-2020-19716 (A buffer overflow vulnerability in the 
Databuf function in types
TODO: check, unclear if fixed or not, upstream cannot reproduce as well 
in 0.27.1 as reported
 CVE-2020-19715
REJECTED
-   - exiv2 0.27.2-6
-   NOTE: https://github.com/Exiv2/exiv2/issues/979
 CVE-2020-19714
RESERVED
 CVE-2020-19713
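Review bot: dropping the fixed-version line from a REJECTED entry is consistent with how the rest of the file treats rejected IDs, but the upstream reference https://github.com/Exiv2/exiv2/issues/979 is deleted along with it; if the rejected ID was merged into another exiv2 CVE, re-attach the issue link to that entry so the pointer is not lost.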
@@ -145419,6 +145417,7 @@ CVE-2019-13110 (A CiffDirectory::readDirectory 
integer overflow and out-of-bound
[stretch] - exiv2  (Minor issue)
[jessie] - exiv2  (Minor issue, read segfault)
NOTE: https://github.com/Exiv2/exiv2/issues/843
+   NOTE: https://github.com/Exiv2/exiv2/pull/844
NOTE: 
https://github.com/Exiv2/exiv2/commit/9628f82084ed30d494ddd4f7360d233801e22967
 CVE-2019-13109 (An integer overflow in Exiv2 through 0.27.1 allows an attacker 
to caus ...)
- exiv2 0.27.2-6 (low)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/97c0662107f18af0ff4beffc2ab3c38a947aee26



[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2021-3502

2021-08-09 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
00c78f5b by Salvatore Bonaccorso at 2021-08-09T21:15:06+02:00
Update notes for CVE-2021-3502

CVE-2021-36217 is marked (will be updated soon in the feed) as REJECTED,
it is a duplicate of CVE-2021-3502, which MITRE is going to retain.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4647,14 +4647,8 @@ CVE-2021-36219
RESERVED
 CVE-2021-36218
RESERVED
-CVE-2021-36217 (Avahi 0.8 allows a local denial of service (NULL pointer 
dereference a ...)
-   - avahi  (bug #990900)
-   [bullseye] - avahi  (Minor issue)
-   [buster] - avahi  (Vulnerable code introduced later)
-   [stretch] - avahi  (Vulnerable code introduced later)
-   NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1188083
-   NOTE: Fixed by: 
https://github.com/lathiat/avahi/commit/9d31939e55280a733d930b15ac9e4dda4497680c
-   NOTE: Introduced by: 
https://github.com/lathiat/avahi/commit/8f75a045709a780c8cf92a6a21e9d35b593bdecd
 (v0.8)
+CVE-2021-36217
+   REJECTED
 CVE-2021-36216
RESERVED
 CVE-2021-36215
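Review bot: deleting the CVE-2021-36217 entry also drops the Debian bug reference (bug #990900) and the SUSE bugzilla link; since the commit message says this ID is a duplicate of CVE-2021-3502, carry the bug reference over to that entry unless it already has one, otherwise the Debian bug loses its link to the tracker (the second hunk only moves the "Fixed by" commit).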
@@ -16176,6 +16170,7 @@ CVE-2021-3502 (A flaw was found in avahi 0.8-5. A 
reachable assertion is present
[buster] - avahi  (Vulnerable code introduced later)
[stretch] - avahi  (Vulnerable code introduced later)
NOTE: https://github.com/lathiat/avahi/issues/338
+   NOTE: Fixed by: 
https://github.com/lathiat/avahi/commit/9d31939e55280a733d930b15ac9e4dda4497680c
NOTE: Introduced by: 
https://github.com/lathiat/avahi/commit/80c98fa16782e921f5b5d5c880f1d80f5c43bd49
 (v0.8)
 CVE-2021-3500 (A flaw was found in djvulibre-3.5.28 and earlier. A Stack 
overflow in  ...)
{DLA-2667-1}
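Review bot: the "Fixed by" commit is carried over, but the two entries disagree on the introducing commit: the removed CVE-2021-36217 entry cited 8f75a045709a780c8cf92a6a21e9d35b593bdecd (v0.8), while this entry cites 80c98fa16782e921f5b5d5c880f1d80f5c43bd49 (v0.8). If both IDs describe the same bug, record which introducing commit is right (or keep both with a note), because the "[buster]/[stretch] Vulnerable code introduced later" tags depend on it.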



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/00c78f5baa695400efa184b78b220712d118532f



[Git][security-tracker-team/security-tracker][master] Update notes for mupdf

2021-08-06 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / security-tracker


Commits:
602f0b44 by Neil Williams at 2021-08-06T13:00:16+01:00
Update notes for mupdf

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1974,8 +1974,10 @@ CVE-2021-37221
RESERVED
 CVE-2021-37220 (MuPDF through 1.18.1 has an out-of-bounds write because the 
cached col ...)
- mupdf 1.17.0+ds1-2 (bug #991402)
+   [stretch] - mupdf  (Vulnerable code not present)
NOTE: 
http://git.ghostscript.com/?p=mupdf.git;h=f5712c9949d026e4b891b25837edd2edc166151f
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=703791
+   NOTE: On Stretch, an earlier version of the code exits early instead of 
crashing.
 CVE-2021-37219
RESERVED
 CVE-2021-37218
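Review bot: the new stretch tag and the new NOTE make different claims: "[stretch] - mupdf (Vulnerable code not present)" says the code is absent, while "On Stretch, an earlier version of the code exits early instead of crashing" says the code is present but takes a safe path. Pick one: if the earlier code path exists, the tag's reason should be the early exit (not-affected rather than code-not-present), so that someone later grepping stretch for the affected function is not misled.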
@@ -178181,6 +178183,8 @@ CVE-2018-19777 (In Artifex MuPDF 1.14.0, there is an 
infinite loop in the functi
- mupdf 1.15.0+ds1-1 (unimportant; bug #915137)
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700301
NOTE: No security impact, hang in GUI/CLI tool
+   NOTE: Not able to reproduce on buster or stretch
+   NOTE: upstream fix for bug #700301 may be incomplete
 CVE-2018-19776
RESERVED
 CVE-2018-19775 (Cross Site Scripting exists in InfoVista VistaPortal SE 
Version 5.1 (b ...)
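Review bot: "upstream fix for bug #700301 may be incomplete" needs the observation behind it: say on which version and input the hang was still seen with the fix applied, and whether the fixed version 1.15.0+ds1-1 recorded above should be revisited. As written, the two new lines ("Not able to reproduce on buster or stretch" and "may be incomplete") pull in opposite directions without explaining why.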
@@ -268478,14 +268482,12 @@ CVE-2016-10248 (The jpc_tsfb_synthesize function in 
jpc_tsfb.c in JasPer before
 CVE-2016-10247 (Buffer overflow in the my_getline function in jstest_main.c in 
Mujstes ...)
- mupdf 1.11+ds1-1 (unimportant)
[wheezy] - mupdf  (Vulnerable code not present)
-   [stretch] - mupdf  (Vulnerable code not packaged or compiled)
NOTE: Although jstest_main.c compiled during build and mujstest is 
created
NOTE: it is not included in the produced binary packages
NOTE: https://www.openwall.com/lists/oss-security/2016/10/16/19
 CVE-2016-10246 (Buffer overflow in the main function in jstest_main.c in 
Mujstest in A ...)
- mupdf 1.11+ds1-1 (unimportant)
[wheezy] - mupdf  (Vulnerable code not present)
-   [stretch] - mupdf  (Vulnerable code not packaged or compiled)
NOTE: Although jstest_main.c compiled during build and mujstest is 
created
NOTE: it is not included in the produced binary packages
NOTE: https://www.openwall.com/lists/oss-security/2016/10/16/20
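Review bot: removing the "[stretch] - mupdf (Vulnerable code not packaged or compiled)" line from CVE-2016-10247 and CVE-2016-10246 leaves stretch without a status, while the remaining NOTE still argues that mujstest is built but not shipped in the binary packages, which is exactly the reasoning the removed tag encoded. Either keep the stretch tags or add a NOTE saying why they no longer apply, so the entry's status and its explanation match.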



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/602f0b44ec4e6ec96ef1d26935ae9c712421918f



[Git][security-tracker-team/security-tracker][master] Update notes on CVE-2019-8396/hdf5

2021-08-05 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / security-tracker


Commits:
54bbd370 by Neil Williams at 2021-08-05T10:27:17+01:00
Update notes on CVE-2019-8396/hdf5

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -158993,6 +158993,8 @@ CVE-2019-8396 (A buffer overflow in 
H5O__layout_encode in H5Olayout.c in the HDF
- hdf5 
NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul4
NOTE: https://jira.hdfgroup.org/browse/HDFFV-10712
+   NOTE: HDFFV-10712 is marked to be closed in a future 1.10.8 upstream 
release.
+   NOTE: Upstream fix was made in May 2021 after the 1.12.0 release (Mar 
2020)
 CVE-2019-8395 (An Insecure Direct Object Reference (IDOR) vulnerability exists 
in Zoh ...)
NOT-FOR-US: Zoho ManageEngine ServiceDesk Plus
 CVE-2019-8394 (Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 
10012 allow ...)
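Review bot: the notes place the upstream fix in time (May 2021, targeted for 1.10.8) but record no commit or pull-request URL, and the package line "- hdf5" still carries no fixed version; add the upstream commit reference so the fix can be located and backported, and so the entry can be updated once a Debian version containing it exists.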



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54bbd370cbdf487de1b4453fe5c11c94f871fbe1



[Git][security-tracker-team/security-tracker][master] Update notes for condor and ceph in dla-needed.txt

2021-07-26 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
51306ebc by Markus Koschany at 2021-07-26T09:45:19+02:00
Update notes for condor and ceph in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -25,6 +25,8 @@ ceph (Markus Koschany)
   NOTE: 20200928: Packages prepared and available at 
http://apt.inguza.net/stretch-lts/ceph/
   NOTE: 20200928: If someone know how to test the packages please take this 
build and upload (after testing it).
   NOTE: 20210118: wip (Emilio)
+  NOTE: 20210726: https://people.debian.org/~apo/lts/ceph/
+  NOTE: 20210726: Patch for CVE-2018-16846 is not complete yet.
 --
 condor (Markus Koschany)
   NOTE: 20200502: Upstream has only released workarounds; complete fix is 
still embargoed (roberto)
@@ -35,6 +37,8 @@ condor (Markus Koschany)
   NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o 
(roberto)
   NOTE: 20200727: Waiting on maintainer feedback: 
https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto)
   NOTE: 20210205: Some patches seems to be available but not clear if it 
solves the whole issue or not. (ola)
+  NOTE: 20210726: https://people.debian.org/~apo/lts/condor/
+  NOTE: 20210726: Needs more testing
 --
 curl (Adrian Bunk)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/51306ebcf742138e3d37aca3266191bc9711d1ab



[Git][security-tracker-team/security-tracker][master] Update NOTES for ruby-kaminari.

2021-07-19 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0a0a199d by Markus Koschany at 2021-07-19T17:58:33+02:00
Update NOTES for ruby-kaminari.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -104,6 +104,9 @@ ruby-kaminari
   NOTE: 20200928: It should prepend_features from Kaminari::Helpers::Tag. 
(utkarsh)
   NOTE: 20201009: This (↑) is an app-level patch for a rails app. A 
library-level patch
   NOTE: 20201009: will needed to be written. Opened an issue at upstream, 
though somewhat inactive. (utkarsh)
+  NOTE: 20210719: 
https://people.debian.org/~apo/lts/ruby-kaminari/CVE-2020-11082.patch
+  NOTE: 20210719: I believe the fix is just adding and extending the blacklist 
for ruby-kaminari.
+  NOTE: 20210719: Will discuss this with Utkarsh (maintainer) shortly.
 --
 runc (Anton Gladky)
   NOTE: 20210612: Not sure if applies to this version. (lamby)
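Review bot: the 20210719 notes are written in the first person ("I believe the fix is just adding and extending the blacklist") but carry no initials, unlike the surrounding "(utkarsh)" notes, and the ruby-kaminari header has no claimant; add "(apo)" to the notes or claim the package in the header so the assessment is attributable when it is discussed with the maintainer.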



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a0a199d55f485e997c38c9131c8a7fa7fd3beaf



[Git][security-tracker-team/security-tracker][master] update notes

2021-06-20 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker


Commits:
71f14cb7 by Thorsten Alteholz at 2021-06-20T23:48:35+02:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -49,7 +49,7 @@ ffmpeg (Anton Gladky)
   NOTE: 20210607: won't just be dropped too, etc. etc. (lamby)
 --
 gpac (Thorsten Alteholz)
-  NOTE: 20210607: WIP
+  NOTE: 20210620: WIP
 --
 htmldoc (Utkarsh Gupta)
 --
@@ -121,7 +121,7 @@ shiro (Roberto C. Sánchez)
   NOTE: 20210511: Upstream provided suggestions/guidance on testing of 
backported fixes; testing/tweaking is in progress. (roberto)
 --
 slapi-nis (Thorsten Alteholz)
-  NOTE: 20210607: WIP
+  NOTE: 20210620: WIP
 --
 sogo (Anton Gladky)
   NOTE: 20210603: maybe mention in announcement the recommendation to 
invalidate user



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/71f14cb7706b10e27fa736ac083a52a01186fee7



[Git][security-tracker-team/security-tracker][master] update notes

2021-05-10 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7ee5eb5f by Thorsten Alteholz at 2021-05-10T09:43:10+02:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -60,6 +60,7 @@ golang-gogoprotobuf
   NOTE: 20210329: See discussion at 
https://lists.debian.org/debian-lts/2021/03/msg00011.html
 --
 gpac (Thorsten Alteholz)
+  NOTE: 20210510: WIP
 --
 gsoap (Abhijith PA)
   NOTE: 20210420: upstream only responded with suggestion to upgrade (abhijith)
@@ -97,6 +98,7 @@ phpseclib (Abhijith PA)
 rails (Utkarsh)
 --
 ring (Thorsten Alteholz)
+  NOTE: 20210510: WIP (need to update other releases first)
 --
 ruby-actionpack-page-caching
   NOTE: 20200819: Upstream's patch on does not apply due to subsequent



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ee5eb5f6a9c93a4430cf00ca72244f46cc131f7



[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2019-20790 (indicating revisit)

2021-04-07 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e9fa2a99 by Salvatore Bonaccorso at 2021-04-07T21:50:54+02:00
Update notes for CVE-2019-20790 (indicating revisit)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -71056,8 +71056,9 @@ CVE-2019-20790 (OpenDMARC through 1.3.2 and 1.4.x, when 
used with pypolicyd-spf
NOTE: https://sourceforge.net/p/opendmarc/tickets/235/
NOTE: 
https://www.usenix.org/system/files/sec20fall_chen-jianjun_prepub_0.pdf
NOTE: Issue is disputed upstream and considered "work as designed" 
(wontfix)
-   NOTE: 
https://github.com/trusteddomainproject/OpenDMARC/blob/develop/SECURITY/CVE-2019-20970
-   NOTE: (there ia typo in above reference)
+   NOTE: 
https://github.com/trusteddomainproject/OpenDMARC/blob/develop/SECURITY/CVE-2019-20790
+   NOTE: Upstream reconsidering position:
+   NOTE: https://github.com/trusteddomainproject/OpenDMARC/issues/158
 CVE-2020-12266 (An issue was discovered where there are multiple externally 
accessible ...)
NOT-FOR-US: WAVLINK
 CVE-2020-12265 (The decompress package before 4.2.1 for Node.js is vulnerable 
to Arbit ...)
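Review bot: the entry now carries both "Issue is disputed upstream and considered "work as designed" (wontfix)" and "Upstream reconsidering position"; date or qualify the older line so the two read as a sequence rather than a contradiction, and revisit the wontfix marking if upstream changes course in issue #158. The corrected SECURITY/CVE-2019-20790 link is good; the old note about the typo in the reference is rightly dropped with it.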



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9fa2a9934ec5d52d995bc69b0155a16c054d36a



[Git][security-tracker-team/security-tracker][master] update notes

2021-04-04 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c790f7ed by Thorsten Alteholz at 2021-04-04T19:35:19+02:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -52,7 +52,7 @@ firmware-nonfree
 golang-github-appc-cni (Thorsten Alteholz)
   NOTE: 20210221: also taking care of reverse dependencies
   NOTE: 20210221: also taking care of other suites
-  NOTE: 20210321: still WIP
+  NOTE: 20210304: still WIP, trying to automize golang updates
 --
 golang-gogoprotobuf
   NOTE: 20210218: If you have any idea why this is called the "skippy peanut 
butter" issue, I would be mildly interested. (lamby)
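Review bot: the replacement note is stamped 20210304, which is earlier than the 20210321 note it replaces and predates this 2021-04-04 commit; the date is presumably a typo for 20210404. "automize" should read "automate".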
@@ -66,8 +66,8 @@ golang-gogoprotobuf
 gsoap
 --
 libebml (Thorsten Alteholz)
-  NOTE: 20210307: testing package
   NOTE: 20210321: preparing buster debdiff as well
+  NOTE: 20210404: still WIP
 --
 linux (Ben Hutchings)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c790f7ed7c84ad9d9efbafc9803b088df9ad0bcb



[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2019-18790 and CVE-2019-18351 for asterisk

2021-03-13 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e54e9076 by Salvatore Bonaccorso at 2021-03-13T21:26:46+01:00
Update notes for CVE-2019-18790 and CVE-2019-18351 for asterisk

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -97998,6 +97998,9 @@ CVE-2019-18790 (An issue was discovered in 
channels/chan_sip.c in Sangoma Asteri
[stretch] - asterisk  (Minor issue)
NOTE: https://downloads.asterisk.org/pub/security/AST-2019-006.html
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-28589
+   NOTE: Technically CVE-2019-18790 exists because of an incomplete fix of 
CVE-2019-18351, both
+   NOTE: referring to AST-2019-006. The upstream advisory never used 
though CVE-2019-18351, but
+   NOTE: only referenced CVE-2019-18790.
 CVE-2019-18789
RESERVED
 CVE-2019-18788
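Review bot: "The upstream advisory never used though CVE-2019-18351" has the adverb in the wrong place; read "The upstream advisory, though, never used CVE-2019-18351, but only referenced CVE-2019-18790". The same three lines are repeated verbatim under CVE-2019-18351 in the second hunk; a one-line cross-reference from one entry to the other would keep the two from drifting apart.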
@@ -101477,7 +101480,11 @@ CVE-2019-18353
 CVE-2019-18352 (Improper access control exists on PHOENIX CONTACT FL NAT 2208 
devices  ...)
NOT-FOR-US: PHOENIX CONTACT FL NAT 2208 devices
 CVE-2019-18351 (An issue was discovered in channels/chan_sip.c in Sangoma 
Asterisk thr ...)
-   TODO: check
+   NOTE: https://downloads.asterisk.org/pub/security/AST-2019-006.html
+   NOTE: Technically CVE-2019-18790 exists because of an incomplete fix of 
CVE-2019-18351, both
+   NOTE: referring to AST-2019-006. The upstream advisory never used 
though CVE-2019-18351, but
+   NOTE: only referenced CVE-2019-18790. CVE-2019-18351 only got picked up 
later on.
+   TODO: check with MITRE if CVE-2019-18351 simply should be dropped
 CVE-2019-18350 (In Ant Design Pro 4.0.0, reflected XSS in the user/login 
redirect GET  ...)
NOT-FOR-US: Ant Design Pro
 CVE-2019-18349 (HotkeyP through 4.9 r96 allows privilege escalation in the 
privilege f ...)
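Review bot: the CVE-2019-18351 entry gets explanatory NOTEs and a new TODO but still no package line: unlike CVE-2019-18790, which records asterisk with a "[stretch] - asterisk (Minor issue)" tag, nothing here tells the tracker whether asterisk is affected under this ID. Until MITRE answers the query, mirror CVE-2019-18790's package and release lines here (the note itself says both IDs cover the same AST-2019-006 issue), so the ID does not remain effectively unprocessed.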



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e54e90769e80057ca5469ac296d0f38d58207011



[Git][security-tracker-team/security-tracker][master] update notes

2021-03-07 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker


Commits:
48428dda by Thorsten Alteholz at 2021-03-07T23:14:30+01:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -49,6 +49,7 @@ golang-1.8 (Sylvain Beucler)
 --
 golang-github-appc-cni (Thorsten Alteholz)
   NOTE: 20210221: also taking care of reverse dependencies
+  NOTE: 20210221: also taking care of other suites
 --
 golang-gogoprotobuf (Ola Lundqvist)
   NOTE: 20210218: If you have any idea why this is called the "skippy peanut 
butter" issue, I would be mildly interested. (lamby)
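Review bot: the new NOTE is stamped 20210221, the same date as the existing note above it, although this commit is from 2021-03-07; if the decision to cover the other suites was taken now, stamp it 20210307, otherwise it reads as if the line had been there since February.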
@@ -56,7 +57,7 @@ golang-gogoprotobuf (Ola Lundqvist)
 gsoap
 --
 libebml (Thorsten Alteholz)
-  NOTE: 20210221: testing package
+  NOTE: 20210307: testing package (not yet finished)
 --
 linux (Ben Hutchings)
 --
@@ -121,7 +122,7 @@ spotweb
   NOTE: 20210127: Upstream says "we can fix this but it may take some time", 
revisit later (Beuc)
 --
 subversion (Thorsten Alteholz)
-  NOTE: 20210221: solving build problems
+  NOTE: 20210307: solving build problems (on IPv6 only host)
 --
 tomcat7 (Utkarsh)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/48428dda6dda968cb3c67bdb2ddfdb276c181722



[Git][security-tracker-team/security-tracker][master] update notes

2021-02-21 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker


Commits:
532f3a0c by Thorsten Alteholz at 2021-02-21T15:46:19+01:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -53,6 +53,7 @@ golang-1.7 (Sylvain Beucler)
 golang-1.8 (Sylvain Beucler)
 --
 golang-github-appc-cni (Thorsten Alteholz)
+  NOTE: 20210221: also taking care of reverse dependencies
 --
 golang-gogoprotobuf
   NOTE: 20210218: If you have any idea why this is called the "skippy peanut 
butter" issue, I would be mildly interested. (lamby)
@@ -63,6 +64,7 @@ guacamole-server (Anton Gladky)
 jackson-dataformat-cbor
 --
 libebml (Thorsten Alteholz)
+  NOTE: 20210221: testing package
 --
 linux (Ben Hutchings)
 --
@@ -119,6 +121,7 @@ spotweb
   NOTE: 20210127: Upstream says "we can fix this but it may take some time", 
revisit later (Beuc)
 --
 subversion (Thorsten Alteholz)
+  NOTE: 20210221: solving build problems
 --
 xmlbeans (Roberto C. Sánchez)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/532f3a0c052db82e5fdbab7a78322d01a4a0fbf0



[Git][security-tracker-team/security-tracker][master] update notes

2021-01-17 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0abb3700 by Thorsten Alteholz at 2021-01-17T22:32:09+01:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -75,7 +75,7 @@ opendmarc (Abhijith PA)
 --
 openjpeg2 (Thorsten Alteholz)
   NOTE: 20201220: more CVEs appeared
-  NOTE: 20210104: testing package
+  NOTE: 20210117: testing package
 --
 php-horde-trean
   NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in 
https://bugs.horde.org/ticket/14926 (sunweaver)
@@ -122,7 +122,7 @@ slirp (pu-Thorsten Alteholz)
   NOTE: CVE-2020-7039 to be applied patched first, as they both patch
   NOTE: the same lines of code in tcp_subr.c (bam).
   NOTE: update has to done in sid->buster->stretch
-  NOTE: 20200401: waiting for pu
+  NOTE: 20200417: still waiting for pu, probably 30.01.2021
 --
 spotweb
   NOTE: 20201220: The affected code (PHP!) uses string concatenation to 
construct a SQL query.
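Review bot: the replacement line `NOTE: 20200417: still waiting for pu, probably 30.01.2021` is stamped 2020 in a commit made on 2021-01-17, and the openjpeg2 hunk above in the same commit uses 20210117; the date is almost certainly a typo for 20210117 and should be corrected before the old 20200401 line is gone, otherwise the slirp timeline reads as a year out of order.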



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0abb37001dc1169b329e9776e5f5d20e69617a94


[Git][security-tracker-team/security-tracker][master] Update notes on CVE-2020-28374/tcmu

2021-01-13 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
46270ab9 by Salvatore Bonaccorso at 2021-01-13T16:40:35+01:00
Update notes on CVE-2020-28374/tcmu

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -16325,8 +16325,13 @@ CVE-2020-28374 (In drivers/target/target_core_xcopy.c 
in the Linux kernel before
- tcmu  (bug #980007)
NOTE: 
https://git.kernel.org/linus/2896c93811e39d63a4d9b63ccf12a8fbc226e5e4
NOTE: https://www.openwall.com/lists/oss-security/2021/01/12/12
-   NOTE: tcmu-runner patch: 
https://bugzilla.suse.com/attachment.cgi?id=844924=diff=patch==1=raw
NOTE: https://github.com/open-iscsi/tcmu-runner/issues/645
+   NOTE: https://github.com/open-iscsi/tcmu-runner/pull/644
+   NOTE: Fixed by: 
https://github.com/open-iscsi/tcmu-runner/commit/2b16e96e6b63d0419d857f53e4cc67f0adb383fd
+   NOTE: Some followup fixes: 
https://github.com/open-iscsi/tcmu-runner/pull/646
+   NOTE: 
https://github.com/open-iscsi/tcmu-runner/commit/b202dc06ef391c6ab9a7561856238a258de04663
+   NOTE: 
https://github.com/open-iscsi/tcmu-runner/commit/170bfa63288a399b38c35eb646b2835d4ba7c08a
+   NOTE: 
https://github.com/open-iscsi/tcmu-runner/commit/01685b2ab8c430c0fb9ce397e7e76b60fe6cbde5
 CVE-2020-28373 (upnpd on certain NETGEAR devices allows remote (LAN) attackers 
to exec ...)
NOT-FOR-US: Netgear
 CVE-2020-28372
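Review bot: the four tcmu-runner commits added under "Fixed by:" and "Some followup fixes:" do not say which of them a backport must carry for CVE-2020-28374 to be fully addressed and which are optional cleanups; since the entry is still open against tcmu (bug #980007), annotate b202dc06, 170bfa63 and 01685b2a with whether they are required, so the uploader knows the minimum set to cherry-pick.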



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46270ab9f4e9faef5a3682df176dc520f3d2fa3c


[Git][security-tracker-team/security-tracker][master] update notes

2021-01-03 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5554e2df by Thorsten Alteholz at 2021-01-04T08:39:47+01:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -95,6 +95,7 @@ opendmarc (Abhijith PA)
 --
 openjpeg2 (Thorsten Alteholz)
   NOTE: 20201220: more CVEs appeared
+  NOTE: 20210104: testing package
 --
 pacemaker (Markus Koschany)
   NOTE: 20201228: See #974563 for further information.
@@ -142,11 +143,12 @@ shiro (Roberto C. Sánchez)
   NOTE: 20201004: Sent additional request to upstream dev list; stil no 
response. (roberto)
   NOTE: 20201220: Upstream has responded.  Working with them to backport 
fixes. (roberto)
 --
-slirp (Thorsten Alteholz)
+slirp (pu-Thorsten Alteholz)
   NOTE: Upstream patch for CVE-2020-8608 requires patches for
   NOTE: CVE-2020-7039 to be applied patched first, as they both patch
   NOTE: the same lines of code in tcp_subr.c (bam).
   NOTE: update has to done in sid->buster->stretch
+  NOTE: 20200401: waiting for pu
 --
 snapd (Brian May)
   NOTE: Needs rebuild for CVE-2019-11840 in golang-go.crypto.
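Review bot: the added line `NOTE: 20200401: waiting for pu` is dated 2020 in a commit made on 2021-01-04, while the openjpeg2 hunk in the same commit uses 20210104; this looks like a typo for 20210104 and should be fixed so the slirp entry does not appear to have been stalled for nine months.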



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5554e2dfa73a693ad4a74ba74c29138c6ab7d7f4


[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2020-15719/openldap

2020-07-17 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
69e0366f by Salvatore Bonaccorso at 2020-07-17T21:21:03+02:00
Update notes for CVE-2020-15719/openldap

In general it looks like we might simply consider this a Red Hat specific
problem. The issue was disputed upstream as being valid, with the
comment that the behaviour in libldap conforms with RFC4513 and it is
still authoritative for OpenLDAP as RFC6125 does not supersede the rules
for verifying service identity provided in specifications for existing
applications like LDAPs. For details see the comments from Ryan Tandy as
raised in https://bugs.debian.org/965184#10;.

It would seem reasonable to not diverge from upstream in Debian unless
this problem is considered severe enough.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -195,10 +195,13 @@ CVE-2020-15720 (In Dogtag PKI through 10.8.3, the 
pki.client.PKIConnection class
NOTE: 
https://github.com/dogtagpki/pki/commit/50c23ec146ee9abf28c9de87a5f7787d495f0b72
 CVE-2020-15719 (libldap in certain third-party OpenLDAP packages has a 
certificate-val ...)
- openldap  (bug #965184)
-   NOTE: https://bugs.openldap.org/show_bug.cgi?id=9266 (private)
+   NOTE: https://bugs.openldap.org/show_bug.cgi?id=9266
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1740070
-   NOTE: RedHat/CentOS Patch: 
https://git.centos.org/rpms/openldap/raw/67459960064be9d226d57c5f82aaba0929876813/f/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch
-   NOTE: Affected file is compiled but Debian openssl uses GnuTLS.
+   NOTE: RedHat/CentOS applied patch: 
https://git.centos.org/rpms/openldap/raw/67459960064be9d226d57c5f82aaba0929876813/f/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch
+   NOTE: OpenLDAP upstream did dispute the issue as beeing valid, as the 
current libldap
+   NOTE: behaviour does conform with RFC4513. RFC6125 does not superseed 
the rules for
+   NOTE: verifying service identity provided in specifications for 
existing application
+   NOTE: protocols published prior to RFC6125, like RFC4513 for LDAP.
 CVE-2020-15718 (RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper 
validation o ...)
NOT-FOR-US: RosarioSIS
 CVE-2020-15717 (RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper 
validation o ...)
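Review bot: the added NOTE lines carry two spelling errors that will be published on the tracker page, "beeing" (being) and "superseed" (supersede). Separately, the commit message concludes that Debian should not diverge from upstream, yet the package line `- openldap  (bug #965184)` is left without any status annotation; if the upstream dispute is accepted, record that on the package line (as "(Minor issue)" is used for buster/stretch elsewhere in this file) so the entry does not remain open indefinitely.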



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/69e0366f2ae0bdfdfc4898690141afa6410b93f1


[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2020-11989

2020-06-29 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b157e921 by Salvatore Bonaccorso at 2020-06-29T21:41:30+02:00
Update notes for CVE-2020-11989

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8170,7 +8170,9 @@ CVE-2020-11990
 CVE-2020-11989 (Apache Shiro before 1.5.3, when using Apache Shiro with Spring 
dynamic ...)
- shiro 
NOTE: https://www.openwall.com/lists/oss-security/2020/06/22/1
-   TODO: check details
+   NOTE: https://github.com/apache/shiro/pull/211
+   NOTE: https://issues.apache.org/jira/browse/SHIRO-753
+   TODO: checking with shiro security team
 CVE-2020-11988
RESERVED
 CVE-2020-11987



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b157e92149c5070726d943a694411d02875c4e27


[Git][security-tracker-team/security-tracker][master] update notes

2020-06-21 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2442ef0d by Thorsten Alteholz at 2020-06-21T23:02:53+02:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -94,14 +94,13 @@ nss (Adrian Bunk)
   NOTE: 20200615: work is ongoing (bunk)
 --
 opendmarc (Thorsten Alteholz)
-  NOTE: 20200511: new CVEs arrived (thorsten)
-  NOTE: 20200524: testing package
+  NOTE: 20200621: testing package (thorsten)
 --
 perl (Abhijith PA)
   NOTE: 20200622: Working on failing tests (abhijith)
 --
 php5 (Thorsten Alteholz)
-  NOTE: 20200524: new CVE arrived (thorsten)
+  NOTE: 20200621: testing package (thorsten)
 --
 pound
   NOTE: 20200619: No explicit patch mentioned. Needs deeper research.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2442ef0d29254d1a861eab144a18956ea16ae0e2


[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2020-12049/dbus

2020-06-04 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d5e3d90b by Salvatore Bonaccorso at 2020-06-04T13:13:02+02:00
Update notes for CVE-2020-12049/dbus

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4225,8 +4225,10 @@ CVE-2020-12049
- dbus 1.12.18-1
[buster] - dbus  (Minor issue)
[stretch] - dbus  (Minor issue)
-   NOTE: 
https://gitlab.freedesktop.org/dbus/dbus/-/commit/272d484283883fa9ff95b69d924fff6cd34842f5
-   NOTE: 
https://gitlab.freedesktop.org/dbus/dbus/-/commit/8bc1381819e5a845331650bfa28dacf6d2ac1748
+   NOTE: https://www.openwall.com/lists/oss-security/2020/06/04/3
+   NOTE: https://gitlab.freedesktop.org/dbus/dbus/-/issues/294
+   NOTE: Fixed by: 
https://gitlab.freedesktop.org/dbus/dbus/-/commit/272d484283883fa9ff95b69d924fff6cd34842f5
+   NOTE: Test: 
https://gitlab.freedesktop.org/dbus/dbus/-/commit/8bc1381819e5a845331650bfa28dacf6d2ac1748
 CVE-2020-12048
RESERVED
 CVE-2020-12047



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5e3d90b5ae0c691520565bc3cabf79813c26eb2


[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2020-12740

2020-06-01 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e6e86210 by Salvatore Bonaccorso at 2020-06-02T06:11:36+02:00
Update notes for CVE-2020-12740

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2284,6 +2284,8 @@ CVE-2020-12740 (tcprewrite in Tcpreplay through 4.3.2 has 
a heap-based buffer ov
- tcpreplay  (unimportant)
[jessie] - tcpreplay  (Vulnerable code added later)
NOTE: https://github.com/appneta/tcpreplay/issues/576
+   NOTE: https://github.com/appneta/tcpreplay/pull/590
+   NOTE: Fixed with: https://github.com/appneta/tcpreplay/issues/578
NOTE: --fuzz-seed in PoC not present until version 4.2.0
NOTE: Crash in CLI tool, no security impact
 CVE-2020-12739
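Review bot: the new line `NOTE: Fixed with: https://github.com/appneta/tcpreplay/issues/578` points at an issue rather than a commit or pull request, so it does not identify a patch anyone could backport; if the fix is the pull/590 referenced on the preceding line, say so ("Fixed by: .../pull/590") or cite the merge commit, and keep the issue link as plain context.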



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6e8621066c481aa5091bee088bc4724e749394a


[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2020-8161/ruby-rack

2020-05-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
df0654cc by Salvatore Bonaccorso at 2020-05-22T23:56:20+02:00
Update notes for CVE-2020-8161/ruby-rack

Add a needed followup commit to fix issue uncovered in the testsuite.
Reference as well the testcase for the directory traversal issue in
Rack::Directory app.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13709,7 +13709,9 @@ CVE-2020-8161 [Directory traversal in Rack::Directory]
{DLA-2216-1}
- ruby-rack 2.1.1-5
NOTE: 
https://groups.google.com/forum/#!msg/rubyonrails-security/IOO1vNZTzPA/Ylzi1UYLAAAJ
-   NOTE: 
https://github.com/rack/rack/commit/dddb7ad18ed79ca6ab06ccc417a169fde451246e
+   NOTE: Fixed by: 
https://github.com/rack/rack/commit/dddb7ad18ed79ca6ab06ccc417a169fde451246e
+   NOTE: Required followup: 
https://github.com/rack/rack/commit/e7ba1b0557d3ad97af1ef113bbeb5f27417983fa
+   NOTE: Test: 
https://github.com/rack/rack/commit/775c836bdd25b63340399fea739532d746860a94
 CVE-2020-8160
RESERVED
 CVE-2020-8159 (There is a vulnerability in actionpack_page-caching gem  
v1.2.1 th ...)
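Review bot: the hunk records a "Required followup" commit (e7ba1b0557) for a problem the first fix uncovered in the test suite, but the entry already lists ruby-rack 2.1.1-5 as the fixed version and {DLA-2216-1} as issued; confirm that both uploads include the follow-up, or add a note stating which of them still needs it, otherwise the "fixed" status silently covers an incomplete patch set.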



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df0654cceafb9bf02ef7b4342db61cb098276b20


[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2020-12762/json-c

2020-05-15 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c6fe75e8 by Salvatore Bonaccorso at 2020-05-15T22:51:32+02:00
Update notes for CVE-2020-12762/json-c

Include two additional commits to address the regression (for the master
branch) and reference the pull request including backports for 0.13.x,
0.12.x, 0.11 and 0.10.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -703,12 +703,15 @@ CVE-2020-12763 (TRENDnet ProView Wireless camera 
TV-IP512WN 1.0R 1.0.4 is vulner
 CVE-2020-12762 (json-c through 0.14 has an integer overflow and out-of-bounds 
write vi ...)
- json-c  (bug #960326)
NOTE: https://github.com/json-c/json-c/pull/592
-   NOTE: 
https://github.com/json-c/json-c/commit/77d935b7ae7871a1940cd827e850e6063044ec45
NOTE: 
https://github.com/json-c/json-c/commit/099016b7e8d70a6d5dd814e788bba08d33d48426
+   NOTE: 
https://github.com/json-c/json-c/commit/77d935b7ae7871a1940cd827e850e6063044ec45
NOTE: 
https://github.com/json-c/json-c/commit/d07b91014986900a3a75f306d302e13e005e9d67
+   NOTE: 
https://github.com/json-c/json-c/commit/519dfe1591d85432986f9762d41d1a883198c157
+   NOTE: 
https://github.com/json-c/json-c/commit/a59d5acfab4485d5133114df61785b1fc633e0c6
NOTE: d07b91014986 ("Fix integer overflows.") introduces a regression 
tracked as:
NOTE: https://github.com/json-c/json-c/issues/599
NOTE: https://github.com/json-c/json-c/pull/610
+   NOTE: Working backports for older branches: 
https://github.com/json-c/json-c/pull/608
 CVE-2020-12761 (modules/loaders/loader_ico.c in imlib2 1.6.0 has an integer 
overflow ( ...)
- imlib2 1.6.1-2 (bug #960192)
[buster] - imlib2  (Vulnerable code introduced later)
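Review bot: after this change the entry lists five json-c commits without saying which address CVE-2020-12762 itself and which repair the regression introduced by d07b91014986; the commit message identifies 519dfe1591 and a59d5acfab as the regression fixes, so label them as such in the NOTE lines (the "Fixed by:" / "Test:" convention used elsewhere in this file would do) so a backporter knows the complete set to apply alongside the pull/608 backports.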



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c6fe75e8ee2ce0cd9af1849179f01b12a45fc943


[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2020-12762/json-c

2020-05-15 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
045d8c1a by Salvatore Bonaccorso at 2020-05-15T22:21:00+02:00
Update notes for CVE-2020-12762/json-c

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -706,6 +706,9 @@ CVE-2020-12762 (json-c through 0.14 has an integer overflow 
and out-of-bounds wr
NOTE: 
https://github.com/json-c/json-c/commit/77d935b7ae7871a1940cd827e850e6063044ec45
NOTE: 
https://github.com/json-c/json-c/commit/099016b7e8d70a6d5dd814e788bba08d33d48426
NOTE: 
https://github.com/json-c/json-c/commit/d07b91014986900a3a75f306d302e13e005e9d67
+   NOTE: d07b91014986 ("Fix integer overflows.") introduces a regression 
tracked as:
+   NOTE: https://github.com/json-c/json-c/issues/599
+   NOTE: https://github.com/json-c/json-c/pull/610
 CVE-2020-12761 (modules/loaders/loader_ico.c in imlib2 1.6.0 has an integer 
overflow ( ...)
- imlib2 1.6.1-2 (bug #960192)
[buster] - imlib2  (Vulnerable code introduced later)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/045d8c1a2c2f16fa99a66bad94cfa20579168084


[Git][security-tracker-team/security-tracker][master] Update notes for ansible

2020-05-07 Thread Brian May


Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
30d7d0ff by Brian May at 2020-05-08T07:31:43+10:00
Update notes for ansible

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -11,12 +11,15 @@ 
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 
 --
 ansible
-  NOTE: 20200506: DLA-2202-1 from (20200505) covers CVE-2019-14846,
-  NOTE: 20200506: CVE-2020-1733, CVE-2020-1739 and CVE-2020-1740 but not
-  NOTE: 20200506: CVE-2020-1736. The version in jessie does not use the
-  NOTE: 20200506: `_DEFAULT_PERM` global variable but hardcodes 0777 and 0666
+  NOTE: 20200506: CVE-2020-1736: The version in jessie does not use the
+  NOTE: 20200506: `_DEFAULT_PERM` global variable but hardcodes 0666
   NOTE: 20200506: in the atomic_move code in basic.py, so is likely vulnerable.
   NOTE: 20200506: (lamby)
+  NOTE: 20200508: bam: Problem exists with new files only. Existing files
+  NOTE: 20200508: bam: code resets permissions to same value, should be fine.
+  NOTE: 20200508: bam: Upstream fix was to use 660 - 
https://github.com/ansible/ansible/pull/68970
+  NOTE: 20200508: bam: Upstream fix was reverted - 
https://github.com/ansible/ansible/pull/68983
+  NOTE: 20200508: bam: See https://github.com/ansible/ansible/issues/67794
 --
 apache-log4j2 (Abhijith PA)
 --
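Review bot: the rewrite of the 20200506 note drops the record that DLA-2202-1 covers CVE-2019-14846, CVE-2020-1733, CVE-2020-1739 and CVE-2020-1740 but not CVE-2020-1736, and it changes "hardcodes 0777 and 0666" to "hardcodes 0666" without saying why; keep the coverage record (or note where it moved) and state whether the 0777 case was a mistake. The new bam notes also end with the upstream fix having been reverted, so the entry should say what fix, if any, jessie is expected to carry before anyone picks it up.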



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/30d7d0ff2ca51867e1917a180573e6597f940118


[Git][security-tracker-team/security-tracker][master] Update notes for shiro in jessie LTS.

2020-03-29 Thread Chris Lamb


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
aaa1bfe0 by Chris Lamb at 2020-03-29T10:52:37+01:00
Update notes for shiro in jessie LTS.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -83,7 +83,8 @@ ruby-rack
   NOTE: 20200216: Discussion ongoing on -lts list. (lamby)
 --
 shiro
-  NOTE: 20200329: https://github.com/apache/shiro/pull/203
+  NOTE: 20200329: https://github.com/apache/shiro/pull/203 (lamby)
+  NOTE: 20200329: See 53dc30bf6823c98 in this repo. (lamby)
 --
 squid3 (Markus Koschany)
   NOTE: 20200309: Requires more tests. (apo)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aaa1bfe0865de13a653731e025177f0a40703a42


[Git][security-tracker-team/security-tracker][master] Update notes regarding CVE-2020-10188 in netkit-telnet and netkit-telnet-ssl.

2020-03-27 Thread Chris Lamb


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
326b5db2 by Chris Lamb at 2020-03-27T09:28:39+00:00
Update notes regarding CVE-2020-10188 in netkit-telnet and netkit-telnet-ssl.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -2001,6 +2001,7 @@ CVE-2020-10188 (utility.c in telnetd in netkit telnet 
through 0.17 allows remote
- netkit-telnet  (bug #953477)
- netkit-telnet-ssl  (bug #953478)
NOTE: 
https://appgateresearch.blogspot.com/2020/02/bravestarr-fedora-31-netkit-telnetd_28.html
+   NOTE: https://github.com/marado/netkit-telnet-ssl/issues/5
TODO: check further details
 CVE-2019-20503 (usrsctp before 2019-12-20 has out-of-bounds reads in 
sctp_load_address ...)
{DSA-4645-1 DSA-4642-1 DSA-4639-1 DLA-2150-1 DLA-2140-1}


=
data/dla-needed.txt
=
@@ -52,10 +52,12 @@ mumble (Abhijith PA)
 netkit-telnet
   NOTE: 20200310: No patch available, yet. Only PoC. (sunweaver)
   NOTE: 20200320: Upstream's dead, keep an eye on other distros and krb5-appl 
(embed). (beuc)
+  NOTE: 20200327: Pinged issue on the ~new upstream. (lamby)
 --
 netkit-telnet-ssl
   NOTE: 20200310: No patch available, yet. Only PoC. (sunweaver)
   NOTE: 20200320: Upstream's dead, keep an eye on other distros and krb5-appl 
(embed). (beuc)
+  NOTE: 20200327: Pinged issue on the ~new upstream. (lamby)
 --
 nss (Thorsten Alteholz)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/326b5db2a068cc9b1890a16c49e5dd6284e6e42d


[Git][security-tracker-team/security-tracker][master] update notes

2020-03-09 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
99a09904 by Thorsten Alteholz at 2020-03-09T09:24:19+01:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -45,6 +45,7 @@ lua-cgi
   NOTE: 20200227: may not be entirelly reliable. One possibility is to declare 
it unsupported. (Ola)
 --
 nova (Thorsten Alteholz)
+  NOTE: 20200309: work is ongoing
 --
 opendmarc (Thorsten Alteholz)
   NOTE: 20200302: still testing package, original patch does not seem to be 
enough, still ongoing
@@ -89,6 +90,7 @@ tomcat8 (Abhijith PA)
  NOTE: 20200224: Guess embedding latest branch of 8.5.x in debian package is 
the way to go (abhijith)
 --
 weechat (Thorsten Alteholz)
+  NOTE: 20200309: work is ongoing
 --
 wpa
   NOTE: 20200218: fix for CVE-2019-5061 removes IAPP functionality from 
hostapd, which is



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99a09904b9e074f5ae8e940f5314663df4d73d14


[Git][security-tracker-team/security-tracker][master] update notes on CVE-2020-9274/pure-ftpd

2020-02-27 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ef8e3564 by Roberto C. Sánchez at 2020-02-27T18:31:49-05:00
update notes on CVE-2020-9274/pure-ftpd

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -362,8 +362,10 @@ CVE-2020-9275
 CVE-2020-9274 (An issue was discovered in Pure-FTPd 1.0.49. An uninitialized 
pointer  ...)
- pure-ftpd 1.0.49-4 (bug #952666)
NOTE: 
https://github.com/jedisct1/pure-ftpd/commit/8d0d42542e2cb7a56d645fbe4d0ef436e38bcefa
-   NOTE: though the CVE description does not specifically say, the issue 
seems to be a heap out-of-bounds read
-   NOTE: probably not the end of the world, but it is made worse by use of 
the rather unsafe strcmp() instead of strncmp() in the vulnerable functions
+   NOTE: though the CVE description does not specifically say, the issue 
seems to be an
+   NOTE: out-of-bounds memory read which may result in information 
disclosure;
+   NOTE: probably not the end of the world, but it is made worse by use of 
the rather 
+   NOTE: unsafe strcmp() instead of strncmp() in the vulnerable functions
 CVE-2020-9273 (In ProFTPD 1.3.7, it is possible to corrupt the memory pool by 
interru ...)
{DSA-4635-1 DLA-2115-1}
- proftpd-dfsg 1.3.6c-1 (bug #951800)
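Review bot: the revised NOTE describes the issue as an out-of-bounds memory read leading to information disclosure, while the CVE text quoted in the context line calls it an uninitialized pointer; stating which of the two the referenced commit 8d0d42542e actually fixes would keep the tracker entry from reading as if it contradicts the CVE description, and would help whoever assesses severity for the DLA.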



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ef8e356471d8d32e15f7a590d76b91ccfd0af502


[Git][security-tracker-team/security-tracker][master] update notes on CVE-2020-9274/pure-ftpd

2020-02-27 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d691cbad by Roberto C. Sánchez at 2020-02-27T17:14:35-05:00
update notes on CVE-2020-9274/pure-ftpd

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -362,6 +362,8 @@ CVE-2020-9275
 CVE-2020-9274 (An issue was discovered in Pure-FTPd 1.0.49. An uninitialized 
pointer  ...)
- pure-ftpd 1.0.49-4 (bug #952666)
NOTE: 
https://github.com/jedisct1/pure-ftpd/commit/8d0d42542e2cb7a56d645fbe4d0ef436e38bcefa
+   NOTE: though the CVE description does not specifically say, the issue 
seems to be a heap out-of-bounds read
+   NOTE: probably not the end of the world, but it is made worse by use of 
the rather unsafe strcmp() instead of strncmp() in the vulnerable functions
 CVE-2020-9273 (In ProFTPD 1.3.7, it is possible to corrupt the memory pool by 
interru ...)
{DSA-4635-1 DLA-2115-1}
- proftpd-dfsg 1.3.6c-1 (bug #951800)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d691cbade58a84e3f21ac01363145eac315275b1


[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2020-7105 in src:hiredis.

2020-01-29 Thread Chris Lamb


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
db08594d by Chris Lamb at 2020-01-29T12:12:24+01:00
Update notes for CVE-2020-7105 in src:hiredis.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2839,7 +2839,8 @@ CVE-2020-7106 (Cacti 1.2.8 has stored XSS in 
data_sources.php, color_templates_i
NOTE: 
https://github.com/Cacti/cacti/commit/b1c70e19466a6e69284e24cde437b55ccc454bee
 CVE-2020-7105 (async.c and dict.c in libhiredis.a in hiredis through 0.14.0 
allow a N ...)
- hiredis  (bug #949995)
-   NOTE: https://github.com/redis/hiredis/issues/754
+   NOTE: https://github.com/redis/hiredis/pull/754
+   NOTE: https://github.com/redis/hiredis/pull/756
 CVE-2020-7104 (The chained-quiz plugin 1.1.8.1 for WordPress has reflected XSS 
via th ...)
NOT-FOR-US: chained-quiz plugin for WordPress
 CVE-2019-20380
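Review bot: the NOTE lines now link PR 754 and PR 756, but the `- hiredis  (bug #949995)` line still has no fixed version and nothing says which PR is the actual fix, whether both are required, or whether either is merged and in a tagged release; suggest adding one line to that effect (or a TODO) so the next person does not have to re-read both PRs to find out.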



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/db08594dadd325d674a6213fb5288a9e3145fc39


[Git][security-tracker-team/security-tracker][master] update notes

2020-01-19 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6e426d65 by Thorsten Alteholz at 2020-01-19T22:53:35+01:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -22,6 +22,7 @@ gpac (Sylvain Beucler)
   NOTE: triaging when more information are available. (apo)
 --
 graphicsmagick (Thorsten Alteholz)
+  NOTE: 20200119: WIP
 --
 hiredis (Chris Lamb)
   NOTE: 20200118: no upstream patches, yet, but should be easy to fix 
(sunweaver)
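Review bot: `NOTE: 20200119: WIP` on graphicsmagick records a date but no state; the neighbouring entries (gpac, hiredis) say what is blocking or what remains, so suggest replacing "WIP" with the concrete step, e.g. which CVEs are already patched and which are still being backported.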
@@ -69,7 +70,7 @@ linux-4.9 (Ben Hutchings)
 nss (Markus Koschany)
 --
 opendmarc (Thorsten Alteholz)
-  NOTE: 20200105: still testing package, original patch does not seem to be 
enough, still ongoing
+  NOTE: 20200119: still testing package, original patch does not seem to be 
enough, still ongoing
 --
 openjdk-7 (Emilio)
 --
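Review bot: only the date in the opendmarc note moved from 20200105 to 20200119; the content, "original patch does not seem to be enough", is now two weeks old without saying what still fails or what the additional change is. Suggest adding that detail (or a link to the upstream discussion) rather than re-dating an unchanged note.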



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/6e426d65892d1521674fb48ca662b5788a4a6793


[Git][security-tracker-team/security-tracker][master] Update notes

2020-01-10 Thread Utkarsh Gupta


Utkarsh Gupta pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ea4afc40 by Utkarsh Gupta at 2020-01-10T23:33:04+05:30
Update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -87,13 +87,13 @@ radare2
   NOTE: https://lists.debian.org/debian-lts/2019/08/msg00064.html
 --
 ruby-excon (Utkarsh Gupta)
+  NOTE: 20200110: Pinged upstream for help in debugging freezing tests.
 --
 ruby-rack
   NOTE: 20191219: The security update causes a regression and also, there's a
   NOTE: slight possibility of this patch inducing a backdoor on its own. 
(utkarsh2102)
 --
 ruby-rack-cors
-  NOTE: 20191218: Debugging test failures. (utkarsh2102)
 --
 slurm-llnl
   NOTE: 20191125: up for testing 
https://people.debian.org/~abhijith/upload/slurm-llnl_14.03.9-5+deb8u5.dsc
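Review bot: the ruby-rack-cors line `NOTE: 20191218: Debugging test failures. (utkarsh2102)` is deleted with no replacement, leaving an entry with neither claimant nor status, so it is not clear whether the test failures were resolved, the package was uploaded, or the work was dropped; suggest a note stating the outcome, or removing the whole entry if the DLA is out. The ruby-excon addition is fine as a status note.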



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ea4afc403873be3613516776e519e0fecd38cfd5


[Git][security-tracker-team/security-tracker][master] Update notes on CVE-2019-16787

2019-12-21 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
73b39fcd by Salvatore Bonaccorso at 2019-12-21T07:59:44Z
Update notes on CVE-2019-16787

CVE-2019-19905 was assigned for the same issue in netcat. CVE-2019-16787
by the Github team, CVE-2019-19905 by MITRE CNA.

Handling of both CVEs requested to MITRE.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -96,6 +96,10 @@ CVE-2019-19906 (cyrus-sasl (aka Cyrus SASL) 2.1.27 has an 
out-of-bounds write le
- cyrus-sasl2  (bug #947043)
NOTE: https://github.com/cyrusimap/cyrus-sasl/issues/587
NOTE: https://www.openldap.org/its/index.cgi/Incoming?id=9123
+CVE-2019-16787
+   NOTE: 
https://github.com/NetHack/NetHack/security/advisories/GHSA-3cm7-rgh5-9pq5
+   NOTE: Duplicate of CVE-2019-19905
+   TODO: wait for MITRE CNA on feedback
 CVE-2019-19905 (NetHack before 3.6.4 is prone to a buffer overflow 
vulnerability when  ...)
- nethack  (low; bug #947005)
[buster] - nethack  (Minor issue)
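Review bot: the new CVE-2019-16787 stanza has NOTE and TODO lines but no package line, so the tracker cannot relate this ID to src:nethack or to bug #947005 while MITRE decides which ID survives; suggest mirroring the `- nethack` and `[buster] - nethack` lines from the CVE-2019-19905 entry directly below (visible in the same hunk) so both IDs resolve consistently until one of them is rejected.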
@@ -15623,8 +15627,6 @@ CVE-2019-16789
RESERVED
 CVE-2019-16788
RESERVED
-CVE-2019-16787
-   RESERVED
 CVE-2019-16786
RESERVED
 CVE-2019-16785



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/73b39fcdf9e687edd114bbe8fe44ca2e00cbd614


[Git][security-tracker-team/security-tracker][master] Update notes for ibus

2019-12-08 Thread Brian May


Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2bde5a62 by Brian May at 2019-12-09T06:44:30Z
Update notes for ibus

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -26,7 +26,9 @@ freeimage (hle)
   NOTE: 20191123: upstream appears to have merged a modified version of my 
patch
 --
 ibus
-  NOTE: 20191020: Fix for regression in KDE apps still not available (apo)
+  NOTE: 20191210: Requires glib2.0 to be patched also.
+  NOTE: 20191210: See https://bugs.debian.org/941018
+  NOTE: 20191210: See https://gitlab.gnome.org/GNOME/glib/merge_requests/1176
 --
 intel-microcode
   NOTE: 20191113: Waiting for DSA-4565-2 first
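Review bot: the replaced line `NOTE: 20191020: Fix for regression in KDE apps still not available (apo)` was the only record of why ibus was stalled, and the three new notes do not say whether the glib2.0 change in merge request 1176 / bug #941018 is that regression fix or an additional prerequisite; suggest keeping the old note (or a one-line summary of it) above the new ones so the dependency chain stays readable. The entry also still has no claimant in parentheses.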



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2bde5a628d806700db91d89962d8b99cbca1553e


[Git][security-tracker-team/security-tracker][master] Update notes on CVE-2019-17498/libssh2

2019-10-27 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
18a22792 by Salvatore Bonaccorso at 2019-10-27T12:51:55Z
Update notes on CVE-2019-17498/libssh2

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3179,6 +3179,10 @@ CVE-2019-17498 (In libssh2 v1.9.0 and earlier versions, 
the SSH_MSG_DISCONNECT l
- libssh2  (bug #943562)
NOTE: 
https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c
NOTE: https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/
+   NOTE: Backported SUSE patch for versions <= 1.8.0 (including struct 
string_buf,
+   NOTE: and the functions _libssh2_check_length(), _libssh2_get_u32() and
+   NOTE: libssh2_get_string(), forming part of the fix):
+   NOTE: https://bugzilla.suse.com/attachment.cgi?id=822416
 CVE-2018-21028 (Boa through 0.94.14rc21 allows remote attackers to trigger a 
memory le ...)
- boa 
 CVE-2018-21027 (Boa through 0.94.14rc21 allows remote attackers to trigger an 
out-of-m ...)
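Review bot: the new note cites `https://bugzilla.suse.com/attachment.cgi?id=822416`, an opaque attachment id with no bug number, so the reference is lost if the attachment is replaced; suggest adding the SUSE bug id next to it and stating which Debian suites ship a version <= 1.8.0 so it is clear where the backport is meant to be applied. The `- libssh2  (bug #943562)` line still carries no fixed version.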



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/18a227922360dec6b17b78c2ff96d034fa8d93b0


[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2019-14368/exiv2

2019-10-26 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
abcd624d by Salvatore Bonaccorso at 2019-10-26T13:54:07Z
Update notes for CVE-2019-14368/exiv2

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -12581,8 +12581,10 @@ CVE-2019-14369 (Exiv2::PngImage::readMetadata() in 
pngimage.cpp in Exiv2 0.27.99
NOTE: fixed through CVE-2019-13504
NOTE: 
https://github.com/Exiv2/exiv2/commit/bd0afe0390439b2c424d881c8c6eb0c5624e31d9
 CVE-2019-14368 (Exiv2 0.27.99.0 has a heap-based buffer over-read in 
Exiv2::RafImage:: ...)
-   - exiv2  (Doesn't seem to affect 0.25)
+   - exiv2  (Vulnerable code introduced later)
NOTE: https://github.com/Exiv2/exiv2/issues/952
+   NOTE: Fixed by: 
https://github.com/Exiv2/exiv2/commit/bd0afe0390439b2c424d881c8c6eb0c5624e31d9
+   NOTE: Introduced by: 
https://github.com/Exiv2/exiv2/commit/c72d16f4c402a8acc2dfe06fe3d58bf6cf99069e
 CVE-2019-14367
RESERVED
 CVE-2019-14366
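Review bot: the package line now reads `(Vulnerable code introduced later)` and the "Introduced by" commit c72d16f4 backs that up, but the CVE text says 0.27.99.0 is affected and the "Fixed by" commit bd0afe03 is the same one already cited for CVE-2019-14369 a few lines above; suggest recording the first upstream release that contains c72d16f4 (or noting that no Debian upload ever carried it) so the not-affected marking can be re-checked when a newer exiv2 is packaged.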



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/abcd624d2e534bb42de9c843cb0e3d014b805363


[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2018-20839/{systemd,xorg-server}

2019-07-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
90438d65 by Salvatore Bonaccorso at 2019-07-23T04:50:32Z
Update notes for CVE-2018-20839/{systemd,xorg-server}

The status is overall not yet fully clear. What is clear is that the
original fix introduces regressions and is not the right approach.

Unclear if the tracking and fixing should happen in xorg-server or in
systemd. For now track both source packages and monitor how the
discussion evolves.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6015,12 +6015,16 @@ CVE-2018-20839 (systemd 242 changes the VT1 mode upon a 
logout, which allows att
[buster] - systemd  (Minor issue)
[stretch] - systemd  (Minor issue)
[jessie] - systemd  (Not reproducible without Ubuntu-style 
persistant VT1 greeter; too invasive to fix)
+   - xorg-server 
NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1803993
NOTE: 
https://github.com/systemd/systemd/commit/9725f1a10f80f5e0ae7d9b60547458622aeb322f
NOTE: https://github.com/systemd/systemd/pull/12378
NOTE: The fix introduced a regression, cf. 
https://bugs.debian.org/929229
NOTE: Issue was originally fixed for unstable in 241-4 but was reverted 
in 241-5
NOTE: https://gitlab.freedesktop.org/xorg/xserver/issues/857
+   NOTE: Upstream from systemd claimed originally it's not an issue in 
systemd, but
+   NOTE: might revisit. Furthermore the issue might be fixed in the xorg 
xserver.
+   NOTE: Tentative merge request: 
https://gitlab.freedesktop.org/xorg/xserver/merge_requests/241
 CVE-2019-12149 (SQL injection vulnerability in silverstripe/restfulserver 
module 1.0.x ...)
NOT-FOR-US: SilverStripe
 CVE-2019-12148
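Review bot: `+   - xorg-server ` is added without any suite annotations, whereas the systemd lines directly above carry `[buster]`, `[stretch]` and `[jessie]` tags marked "Minor issue"; as written xorg-server will show as open in every release while systemd shows no-dsa for the same bug. Suggest mirroring the suite tags, or adding a note that xorg-server is tracked provisionally pending merge request 241, so the two package views do not disagree.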



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/90438d65f866be55bb7759c5f391bc75bcb835c9


[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2018-15587 in data/CVE/list

2019-04-24 Thread Jonas Meurer


Jonas Meurer pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
32e93f1d by Jonas Meurer at 2019-04-24T14:03:50Z
Update notes for CVE-2018-15587 in data/CVE/list

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -40554,6 +40554,8 @@ CVE-2018-15587 (GNOME Evolution through 3.28.2 is prone 
to OpenPGP signatures be
NOTE: 
https://gitlab.gnome.org/GNOME/evolution-data-server/commit/93306a296c64b48d12c356804f131048643eaa0a
 (evolution-data-server)
NOTE: 
https://gitlab.gnome.org/GNOME/evolution-data-server/commit/accb0e2415681565e4dac00cf1c4303c313ad29e
 (evolution-data-server)
NOTE: 
https://gitlab.gnome.org/GNOME/evolution-data-server/commit/5cd59aee67450e8750eb3cb2d357d0947f199f61
 (evolution-data-server)
+   NOTE: The CVE is about signature spoofing and only affects evolution 
(issue #120)
+   NOTE: The other issues (encryption spoofing) are unrelated and have 
low(er) severity.
 CVE-2018-15586 (Enigmail before 2.0.6 is prone to to OpenPGP signatures being 
spoofed  ...)
- enigmail 2:2.0.6.1-2
[jessie] - enigmail  (see 
https://lists.debian.org/debian-lts-announce/2019/02/msg2.html)
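Review bot: the new note says the CVE "only affects evolution (issue #120)", but `issue #120` has no tracker prefix or URL, and the three NOTE lines above it all point at evolution-data-server commits; suggest giving the full issue URL and stating which of those commits, if any, is the signature-spoofing fix, so a reader does not take all three e-d-s commits as the fix for this CVE. "low(er)" would also read better as "lower".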



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/32e93f1d6689641dc90e8d21b7bff72aff22f46a


[Git][security-tracker-team/security-tracker][master] Update notes on evolution in data/dla-needed.txt

2019-04-23 Thread Jonas Meurer


Jonas Meurer pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ec0ae80b by Jonas Meurer at 2019-04-23T15:18:25Z
Update notes on evolution in data/dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -23,7 +23,8 @@ claws-mail
   NOTE: 20190408: patch not yet available
 --
 evolution (Jonas Meurer)
-  NOTE: 20190418: working on it, but needs more debugging
+  NOTE: 20190423: I have a fixed version ready for upload, but futher debugging
+  NOTE: 20190423: is required for evolution-data-server.
 --
 evolution-data-server (Jonas Meurer)
   NOTE: 20190418: working on it, but needs more debugging
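Review bot: "futher" should be "further" in the new note. More usefully, the note says an evolution upload is ready while the evolution-data-server entry directly below still says "needs more debugging"; suggest stating whether the evolution fix is independent of the e-d-s one or whether the two uploads need to go out together.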



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ec0ae80b441d84b19ad5120f7e95fb6d01d97d4e


[Git][security-tracker-team/security-tracker][master] Update notes and TODO item for CVE-2018-20764

2019-02-16 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
93701f8f by Salvatore Bonaccorso at 2019-02-17T07:25:50Z
Update notes and TODO item for CVE-2018-20764

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1538,7 +1538,8 @@ CVE-2019-7635 (SDL (Simple DirectMedia Layer) through 
1.2.15 and 2.x through 2.0
[stretch] - libsdl2  (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4498
 CVE-2018-20764 (A buffer overflow exists in HelpSystems tcpcrypt on Linux, 
used for ...)
-   TODO: check
+   NOTE: 
https://community.helpsystems.com/knowledge-base/fox-technologies/hotfix/515/
+   TODO: check, if it affects src:tcpcrypt, as it is about tcpcrypt as 
used in BoKS
 CVE-2019-7634
RESERVED
 CVE-2019-7633
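Review bot: the entry still has no package line, so src:tcpcrypt is not linked to CVE-2018-20764 while the `TODO: check` is open, and a TODO with no package association is easy to lose; suggest a provisional `- tcpcrypt` line carrying the TODO, or a NOT-FOR-US line with the BoKS reasoning once it is confirmed. The HelpSystems link is specific to BoKS, which supports the suspicion in the TODO that this is a different code base from src:tcpcrypt.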



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/93701f8fd973644bd7c992d634dd36d52e5c8014


[Git][security-tracker-team/security-tracker][master] Update notes on CVE-2019-3815/systemd

2019-01-19 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9e13356e by Salvatore Bonaccorso at 2019-01-19T21:50:22Z
Update notes on CVE-2019-3815/systemd

The CVE is affecting specifically our backport of the CVE-2018-16864 fix
for stretch, which was based on both upstream's and Red Hat's backport
work for v219.

Details in the regression fix at
https://lists.debian.org/debian-security-announce/2019/msg8.html .

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5783,12 +5783,14 @@ CVE-2019-3817
RESERVED
 CVE-2019-3816
RESERVED
-CVE-2019-3815
+CVE-2019-3815 [systemd: memory leak in journald-server.c introduced by fix for 
CVE-2018-16864]
RESERVED
- systemd  (This only affected backports to older suites, 
not the version in sid)
[stretch] - systemd 232-25+deb9u8
-   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3815
+   [jessie] - systemd  (Broken fix for CVE-2018-16864 not 
applied)
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=190
NOTE: For stable it affected DSA-4367-1 and was corrected in DSA-4367-2
+   NOTE: specifically the backport of the fix for CVE-2018-16864.
 CVE-2019-3814
RESERVED
 CVE-2019-3813
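Review bot: the Red Hat reference changes from `show_bug.cgi?id=CVE-2019-3815` to `show_bug.cgi?id=190`; the CVE-alias form is stable and the numeric id as shown looks truncated, so verify it resolves and consider keeping the alias URL alongside. The `[jessie]` line's `(Broken fix for CVE-2018-16864 not applied)` is the right reasoning, and the bracketed description on the CVE line is a welcome addition.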



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/9e13356ebe28dd61cf418f814688fc5960e10118


[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2018-19295/singularity-container

2018-12-13 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
03e897f5 by Salvatore Bonaccorso at 2018-12-13T15:07:03Z
Update notes for CVE-2018-19295/singularity-container

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6422,6 +6422,8 @@ CVE-2018-19296 (PHPMailer before 5.2.27 and 6.x before 
6.0.6 is vulnerable to an
 CVE-2018-19295
RESERVED
- singularity-container 2.6.1-1
+   NOTE: https://www.openwall.com/lists/oss-security/2018/12/12/2
+   NOTE: https://bugzilla.novell.com/show_bug.cgi?id=411
 CVE-2018-19294
RESERVED
 CVE-2018-19293
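Review bot: `https://bugzilla.novell.com/show_bug.cgi?id=411` looks like a truncated bug id; please verify it resolves before it gets copied into a DSA. The stanza is still a bare RESERVED entry with a fixed version; now that the oss-security post is linked, suggest adding a bracketed short description in the `CVE-YYYY-NNNN [pkg: summary]` form used elsewhere in this file so the tracker shows what 2.6.1-1 fixed.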



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/03e897f52dc932b2a5d2410a74d46adcd6363a42


[Git][security-tracker-team/security-tracker][master] update notes

2018-11-10 Thread Thorsten Alteholz
Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2c76e37a by Thorsten Alteholz at 2018-11-10T18:57:29Z
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -29,6 +29,7 @@ icu (Roberto C. Sánchez)
 imagemagick (Thorsten Alteholz)
   NOTE: 20181023: add additional Ubuntu patch to disable ghostscript handled 
formats
   NOTE: 20181023: wait with upload until this is done in unstable -> #907336
+  NOTE: 20181110: bug still open so upload without ubuntu patch
 --
 jasper (apo)
   NOTE: 20181104: consider fixing no-dsa issues too because the package is used
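Review bot: the new imagemagick note "bug still open so upload without ubuntu patch" reverses the 20181023 decision to wait for #907336 without saying what changed; suggest stating that disabling the ghostscript-handled formats is deferred to a later DLA (or dropped) so the DLA text and the next triager agree.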
@@ -59,6 +60,7 @@ mysql-connector-java
 nsis (Thorsten Alteholz)
   NOTE: 20181007: Windows installer, but issue was reported by gpg4win so
   NOTE: 20181007: likely affects UNIX systems. (Chris Lamb)
+  NOTE: 20181110: waiting for email answer
 --
 openjdk-7
 --
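Review bot: "waiting for email answer" on nsis does not say from whom or about what; the 20181007 note raised whether the issue affects UNIX systems, so suggest naming the contact (upstream, gpg4win, Chris Lamb) and the open question, otherwise the entry cannot be picked up by someone else if the claimant is unavailable.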
@@ -85,6 +87,7 @@ squid3 (Abhijith PA)
   NOTE:20181101: to mention in DLA, and others very intrusive to backport. 
Substantial change from 3.4 -> 3.5.
 --
 symfony (Thorsten Alteholz)
+  NOTE: 20181110: patches ready, struggling with test suite, waiting for email
 --
 systemd
   NOTE: 20181101: I recommend to fix all open issues including the postponed
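Review bot: the symfony note has the same gap, "waiting for email" with no recipient; and since "patches ready, struggling with test suite" is the actionable part, suggest noting which tests fail so someone else can look while the mail is pending.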



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2c76e37ab4f58708d04706438e7c2343869015ff


[Git][security-tracker-team/security-tracker][master] Update notes on CVE-2018-14648/389-ds-base

2018-10-22 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
64498864 by Salvatore Bonaccorso at 2018-10-22T17:22:05Z
Update notes on CVE-2018-14648/389-ds-base

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -9462,9 +9462,12 @@ CVE-2018-14650 (It was discovered that sos-collector 
does not properly set the d
 CVE-2018-14649 (It was found that ceph-isci-cli package as shipped by Red Hat 
Ceph ...)
NOT-FOR-US: ceph-iscsi-cli
 CVE-2018-14648 (A flaw was found in 389 Directory Server. A specially crafted 
search ...)
-   - 389-ds-base 
+   - 389-ds-base 1.4.0.18-1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1630668
-   TODO: check, not much detail provided
+   NOTE: https://pagure.io/389-ds-base/c/a49bd03d6 (1.4.0.17)
+   NOTE: 1.3.7: https://pagure.io/389-ds-base/c/c8ec6e58c
+   NOTE: 1.3.8: https://pagure.io/389-ds-base/c/5fc374b43
+   NOTE: https://pagure.io/389-ds-base/issue/49969
 CVE-2018-14647 (Python's elementtree C accelerator failed to initialise 
Expat's hash ...)
{DSA-4307-1 DSA-4306-1}
- python3.7 3.7.0-7
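Review bot: commit a49bd03d6 is annotated `(1.4.0.17)` while the fixed Debian version is set to 1.4.0.18-1; if Debian never uploaded 1.4.0.17 that is correct but worth a word, otherwise the fixed version should be the first upload that contains the commit. The 1.3.7 and 1.3.8 branch commits are exactly what a stretch backport needs, so suggest also adding a `[stretch]` line (fixed, no-dsa or postponed) rather than leaving the stable status implicit.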



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/644988643c348086cc5a760532652086bb0fc753


[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2017-7893

2018-08-06 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a2aa1c94 by Salvatore Bonaccorso at 2018-08-06T18:28:50Z
Update notes for CVE-2017-7893

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -69345,10 +69345,9 @@ CVE-2017-7893 (In SaltStack Salt before 2016.3.6, 
compromised salt-minions can .
- salt 
NOTE: https://docs.saltstack.com/en/2017.7/topics/releases/2016.3.6.html
NOTE: https://github.com/saltstack/salt/issues/48939
-   NOTE: The first version in Debian unstable containing the fix is likely
-   NOTE: 2016.11.5+ds-1 which is the first merging changes from 2016.3.6
-   NOTE: that is the "previous branch".
-   TODO: check, pinpoint fixing version, check with maintainers on issue, 
upstream asked
+   NOTE: 
https://github.com/saltstack/salt/commit/0a0f46fb1478be5eb2f90882a90390cb35ec43cb
+   NOTE: The behaviour though was back off by default in a later commit 
again
+   NOTE: cf. https://github.com/saltstack/salt/pull/40206
 CVE-2017-7892 (Sandstorm Cap'n Proto before 0.5.3.1 allows remote crashes 
related to a ...)
- capnproto 0.6.1-1 (unimportant; bug #860960)
NOTE: 
https://github.com/sandstorm-io/capnproto/blob/master/security-advisories/2017-04-17-0-apple-clang-elides-bounds-check.md
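Review bot: the replaced lines drop the `TODO: check, pinpoint fixing version` while the `- salt ` package line still has no fixed version, and the new note says the hardening from commit 0a0f46fb was turned "back off by default" in PR 40206; that leaves it undecided whether Debian's salt counts as fixed, unfixed, or fixed only with a configuration change. Suggest keeping a TODO or recording the decision, and if off-by-default is accepted, naming the option an administrator must enable.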



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a2aa1c94016addb69c0ed64d09220ec18caaec9e


[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2017-14992 and add golang-github-vbatts-tar-split

2018-05-27 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6195da8d by Salvatore Bonaccorso at 2018-05-27T08:20:40+02:00
Update notes for CVE-2017-14992 and add golang-github-vbatts-tar-split

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -38173,7 +38173,12 @@ CVE-2017-14994 (ReadDCMImage in coders/dcm.c in 
GraphicsMagick 1.3.26 allows rem
 CVE-2017-14993 (OXID eShop Community Edition before 6.0.0 RC3 (development), 
4.10.x ...)
NOT-FOR-US: OXID eShop Community Edition
 CVE-2017-14992 (Lack of content verification in Docker-CE (Also known as Moby) 
...)
-   - docker.io 
+   - docker.io 
+   - golang-github-vbatts-tar-split 0.10.2-1
+   NOTE: Issue needs to be fixed in src:golang-github-vbatts-tar-split 
first
+   NOTE: https://github.com/vbatts/tar-split/issues/41
+   NOTE: docker.io needs then a rebuild with a fixed 
golang-github-vbatts-tar-split
+   NOTE: version.
 CVE-2017-14991 (The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel 
before ...)
- linux 4.13.4-1
[stretch] - linux  (Vulnerable code introduced later)
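Review bot: the `- docker.io ` line is removed and re-added unchanged, presumably a whitespace fix; if so fine, otherwise the intended change was lost. The substantive point: because docker.io builds tar-split in statically, it stays unfixed until it is rebuilt against golang-github-vbatts-tar-split >= 0.10.2-1, as the note says; suggest recording the docker.io version that first did so (or a TODO for it) so the entry can be closed rather than staying open indefinitely.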



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/6195da8deb160449de5cc98c4d5ac1af9f484c40
