[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2024-29415
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f75fd0dd by Salvatore Bonaccorso at 2024-05-29T20:40:59+02:00 Update notes for CVE-2024-29415 The fix landed for now only in experimental, so move the fixing version there. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -339,7 +339,8 @@ CVE-2024-34477 (configureNFS in lib/common/functions.sh in FOG through 1.5.10 al CVE-2024-32978 (Kaminari is a paginator for web app frameworks and object relational m ...) - ruby-kaminari (Doesn't affect Kaminari as shipped by Debian) CVE-2024-29415 (The ip package through 2.0.1 for Node.js might allow SSRF because some ...) - - node-ip 2.0.1+~1.1.3-2 (bug #1072121) + [experimental] - node-ip 2.0.1+~1.1.3-2 + - node-ip (bug #1072121) [bookworm] - node-ip (Minor issue) [bullseye] - node-ip (Minor issue) NOTE: https://github.com/indutny/node-ip/issues/150 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f75fd0dd2b46f9c4e032c67e31c50b7f91a4f31e -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f75fd0dd2b46f9c4e032c67e31c50b7f91a4f31e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
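Review bot: the '[experimental] - node-ip 2.0.1+~1.1.3-2' line records where the fix landed, but the only reference kept under the entry is the upstream issue ('NOTE: https://github.com/indutny/node-ip/issues/150'), so a reader cannot see which upstream change 2.0.1+~1.1.3-2 actually carries; add a 'NOTE: Fixed by:' line pointing at the upstream commit or release once identified. Moving the bug reference onto the still-unfixed unstable line ('- node-ip (bug #1072121)') is the right call, since the bug stays open until the fix migrates out of experimental.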
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2023-50387
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b2604b1f by Salvatore Bonaccorso at 2024-02-23T20:30:05+01:00 Update notes for CVE-2023-50387 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -2519,13 +2519,17 @@ CVE-2023-50387 (Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4 - pdns-recursor 4.9.3-1 (bug #1063852) - unbound 1.19.1-1 (bug #1063845) NOTE: https://kb.isc.org/docs/cve-2023-50387 + NOTE: https://gitlab.isc.org/isc-projects/bind9/-/commit/c12608ca934c0433d280e65fe6c631013e200cfe (v9.16.48) + NOTE: https://gitlab.isc.org/isc-projects/bind9/-/commit/751b7cc4750ede6d8c5232751d60aad8ad84aa67 (v9.16.48) + NOTE: https://gitlab.isc.org/isc-projects/bind9/-/commit/6a65a425283d70da86bf732449acd6d7c8dec718 (v9.16.48) + NOTE: https://gitlab.isc.org/isc-projects/bind9/-/commit/3d206e918b3efbc20074629ad9d99095fbd2e5fd (v9.16.48) + NOTE: https://gitlab.isc.org/isc-projects/bind9/-/commit/a520fbc0470a0d6b72db6aa0b8deda8798551614 (v9.16.48) NOTE: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html NOTE: https://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html NOTE: https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released NOTE: https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ NOTE: https://nlnetlabs.nl/downloads/unbound/CVE-2023-50387_CVE-2023-50868.txt NOTE: Fixed by: https://github.com/NLnetLabs/unbound/commit/882903f2fa800c4cb6f5e225b728e2887bb7b9ae (release-1.19.1) - NOTE: https://gitlab.isc.org/isc-projects/bind9/-/commit/a520fbc0470a0d6b72db6aa0b8deda8798551614 and four previous commits (bind9 9.16) CVE-2023-50868 (The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 whe ...) {DSA-5626-1 DSA-5621-1 DSA-5620-1 DLA-3736-1} - bind9 1:9.19.21-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b2604b1f68ed20dc9784fd263dd1060bd95143a1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b2604b1f68ed20dc9784fd263dd1060bd95143a1 You're receiving this email because of your account on salsa.debian.org. 
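Review bot: the five added bind9 commit lines are plain 'NOTE: https://gitlab.isc.org/isc-projects/bind9/-/commit/... (v9.16.48)' entries, while the Unbound fix a few lines below is marked 'NOTE: Fixed by: https://github.com/NLnetLabs/unbound/commit/882903f2fa800c4cb6f5e225b728e2887bb7b9ae (release-1.19.1)'; prefix the bind9 commits with 'Fixed by:' as well, so that fixing commits stay distinguishable from the advisory and release-note links that surround them. Replacing the removed summary line ('... a520fbc0470a0d6b72db6aa0b8deda8798551614 and four previous commits (bind9 9.16)') with the explicit list is an improvement, and the '(v9.16.48)' tag on each resolves the vague '9.16'.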
[Git][security-tracker-team/security-tracker][master] Update notes of squid and bouncycastle in dla-needed.txt and reclaim the
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: bfb04929 by Markus Koschany at 2023-12-18T15:47:48+01:00 Update notes of squid and bouncycastle in dla-needed.txt and reclaim the packages. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -37,10 +37,11 @@ bind9 (Thorsten Alteholz) NOTE: 20231008: backporting patches NOTE: 20231217: almost done with testing -- -bouncycastle +bouncycastle (Markus Koschany) NOTE: 20231127: Added by Front-Desk (Beuc) NOTE: 20231127: Also fix pending no-dsa CVEs, in particular CVE-2020-26939 was fixed in stretch-lts (Beuc/front-desk) NOTE: 20231128: I can't find changes in PEMParser.java related to CVE-2023-33202, maybe contact upstream (Beuc/front-desk) + NOTE: 20231218: Decision impending. (apo) -- cacti (Sylvain Beucler) NOTE: 20230906: Added by Front-Desk (lamby) @@ -205,8 +206,9 @@ salt samba NOTE: 20230918: Added by Front-Desk (apo) -- -squid +squid (Markus Koschany) NOTE: 20231102: Added by Front-Desk (lamby) + NOTE: 20231218: Investigating new CVE. (apo) -- suricata (Adrian Bunk) NOTE: 20230620: Added by Front-Desk (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bfb04929cfee7d2f42db0a4d284c88fffe92132e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bfb04929cfee7d2f42db0a4d284c88fffe92132e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
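Review bot: 'NOTE: 20231218: Decision impending. (apo)' in the bouncycastle hunk does not say what decision is pending; the open question recorded on 20231128 is whether CVE-2023-33202 is actually fixed upstream (no matching change was found in PEMParser.java), so state that this is what awaits a decision and whether upstream has been contacted. The squid hunk has the same gap: 'Investigating new CVE. (apo)' should name the CVE id, so the next front-desk reader can tell it apart from whatever put squid on the list on 20231102.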
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2023-45866/bluez
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fef5975a by Salvatore Bonaccorso at 2023-12-10T17:15:30+01:00 Update notes for CVE-2023-45866/bluez - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -230,6 +230,8 @@ CVE-2023-32460 (Dell PowerEdge BIOS contains an improper privilege management se CVE-2023-45866 (Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral ...) - bluez NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=25a471a83e02e1effb15d5a488b3f0085eaeb675 + NOTE: The fix for CVE-2020-0556 allows to set manually the "ClassicBondedOnly" + NOTE: configuration options but defaulted to false. CVE-2023-6588 (Offline mode is always enabled, even if permission disallows it, in D ...) NOT-FOR-US: Devolutions Server CVE-2023-6575 (A vulnerability was found in Beijing Baichuo S210 up to 20231121. It h ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fef5975a7c1fdb10e5abf88a967865e8bb8804e3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fef5975a7c1fdb10e5abf88a967865e8bb8804e3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
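Review bot: the added note says ClassicBondedOnly 'defaulted to false' in the CVE-2020-0556 fix, but not whether the linked bluez commit 25a471a83e02e1effb15d5a488b3f0085eaeb675 changes that default; that is what decides whether the bare '- bluez' line needs a fixed version or a no-dsa tag, so state it explicitly in the note. Grammar: 'allows to set manually the "ClassicBondedOnly" configuration options but defaulted to false' reads better as 'allows the "ClassicBondedOnly" configuration option to be set manually, but it defaults to false'.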
[Git][security-tracker-team/security-tracker][master] Update notes for outstanding freeimage issues
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 8e1308ad by Anton Gladky at 2023-11-24T06:15:04+01:00 Update notes for outstanding freeimage issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -157555,26 +157555,31 @@ CVE-2021-40266 (FreeImage before 1.18.0, ReadPalette function in PluginTIFF.cpp - freeimage (bug #1055305) [bookworm] - freeimage (Minor issue) [bullseye] - freeimage (Minor issue) + [buster] - freeimage (Minor issue) NOTE: https://sourceforge.net/p/freeimage/bugs/334/ CVE-2021-40265 (A heap overflow bug exists FreeImage before 1.18.0 via ofLoad function ...) - freeimage (bug #1055304) [bookworm] - freeimage (Minor issue) [bullseye] - freeimage (Minor issue) + [buster] - freeimage (Minor issue) NOTE: https://sourceforge.net/p/freeimage/bugs/337/ CVE-2021-40264 (NULL pointer dereference vulnerability in FreeImage before 1.18.0 via ...) - freeimage (bug #1055303) [bookworm] - freeimage (Minor issue) [bullseye] - freeimage (Minor issue) + [buster] - freeimage (Minor issue) NOTE: https://sourceforge.net/p/freeimage/bugs/335/ CVE-2021-40263 (A heap overflow vulnerability in FreeImage 1.18.0 via the ofLoad funct ...) - freeimage (bug #1055302) [bookworm] - freeimage (Minor issue) [bullseye] - freeimage (Minor issue) + [buster] - freeimage (Minor issue) NOTE: https://sourceforge.net/p/freeimage/bugs/336/ CVE-2021-40262 (A stack exhaustion issue was discovered in FreeImage before 1.18.0 via ...) - freeimage (bug #1055301) [bookworm] - freeimage (Minor issue) [bullseye] - freeimage (Minor issue) + [buster] - freeimage (Minor issue) NOTE: https://sourceforge.net/p/freeimage/bugs/338/ CVE-2021-40261 (Multiple Cross Site Scripting (XSS) vulnerabilities exist in SourceCod ...) NOT-FOR-US: SourceCodester 
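Review bot: the five '+ [buster] - freeimage (Minor issue)' lines mirror the existing bookworm and bullseye treatment, which is consistent, but the CVE-2021-40263 description reads 'FreeImage 1.18.0' while the other four say 'before 1.18.0'; worth confirming that the same status really applies to all five rather than copying the tag across. A one-line NOTE giving the reason for the 'Minor issue' classification would also spare the next triager from re-deriving it from the sourceforge bug links.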
@@ -236524,6 +236529,7 @@ CVE-2020-21427 (Buffer Overflow vulnerability in function LoadPixelDataRLE8 in P CVE-2020-21426 (Buffer Overflow vulnerability in function C_IStream::read in PluginEXR ...) - freeimage (bug #1051736) NOTE: https://sourceforge.net/p/freeimage/bugs/300/ + NOTE: it looks like the issue is in openexr. No relevant patches in freeimage are detected CVE-2020-21425 RESERVED CVE-2020-21424 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e1308ad75a56bf0dd66cb4d1ec18df92aff30ab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e1308ad75a56bf0dd66cb4d1ec18df92aff30ab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
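Review bot: 'NOTE: it looks like the issue is in openexr. No relevant patches in freeimage are detected' leaves the status line '- freeimage (bug #1051736)' unchanged, so CVE-2020-21426 still counts as an open issue in freeimage. If the overflow is in OpenEXR code rather than in FreeImage's C_IStream::read wrapper, the entry should say whether Debian's freeimage uses the system openexr library, point to the corresponding openexr entry if one exists, or be retagged accordingly, instead of recording only a suspicion next to an unchanged status.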
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: f6897319 by Thorsten Alteholz at 2023-11-05T23:30:19+01:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -31,7 +31,7 @@ audiofile bind9 (Thorsten Alteholz) NOTE: 20230921: Added by Front-Desk (apo) NOTE: 20231008: backporting patches - NOTE: 20231023: testing package + NOTE: 20231105: still testing package -- cacti (guilhem) NOTE: 20230906: Added by Front-Desk (lamby) @@ -112,7 +112,7 @@ libreswan -- libspf2 (Thorsten Alteholz) NOTE: 20231016: Added by Front-Desk (ta) - NOTE: 20231029: upstream does not know yet, whether available patch is enough (ta) + NOTE: 20231105: upstream does not know yet, whether available patch is enough (ta) -- libstb (Adrian Bunk) NOTE: 20231029: Added by Front-Desk (gladk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f6897319f6fbce7eaa243477211f3a32c40b2531 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f6897319f6fbce7eaa243477211f3a32c40b2531 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
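Review bot: the libspf2 hunk replaces 'NOTE: 20231029: upstream does not know yet, whether available patch is enough (ta)' with the same text dated 20231105, so the 20231029 entry disappears and the file no longer shows how long the upstream question has been open; append a new dated line instead, as the earlier bind9 lines (20230921, 20231008) do. The comma in 'does not know yet, whether' should go.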
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 337a1513 by Thorsten Alteholz at 2023-10-23T16:18:11+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -23,7 +23,7 @@ rather than remove/replace existing ones. -- amanda (Thorsten Alteholz) NOTE: 20230730: Added by Front-Desk (apo) - NOTE: 20231008: still testing package (ta) + NOTE: 20231023: still testing package (ta) -- audiofile NOTE: 20230918: Added by Front-Desk (apo) @@ -32,6 +32,7 @@ audiofile bind9 (Thorsten Alteholz) NOTE: 20230921: Added by Front-Desk (apo) NOTE: 20231008: backporting patches + NOTE: 20231023: testing package -- cacti (guilhem) NOTE: 20230906: Added by Front-Desk (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/337a15137d3e938077c0525ca653a1de279af71b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/337a15137d3e938077c0525ca653a1de279af71b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 64d8c820 by Thorsten Alteholz at 2023-10-08T19:51:12+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -23,7 +23,7 @@ rather than remove/replace existing ones. -- amanda (Thorsten Alteholz) NOTE: 20230730: Added by Front-Desk (apo) - NOTE: 20230924: still testing package (ta) + NOTE: 20231008: still testing package (ta) -- audiofile NOTE: 20230918: Added by Front-Desk (apo) @@ -38,6 +38,7 @@ batik (rouca) -- bind9 (Thorsten Alteholz) NOTE: 20230921: Added by Front-Desk (apo) + NOTE: 20231008: backporting patches -- cacti NOTE: 20230906: Added by Front-Desk (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64d8c820333be8e1c0506529c8446dcaa2bce266 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64d8c820333be8e1c0506529c8446dcaa2bce266 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update notes
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 47559126 by Utkarsh Gupta at 2023-08-28T07:45:20+05:30 Update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -184,6 +184,7 @@ rails (utkarsh) NOTE: 20221024: Delay upload, see above comment, users have done workaround. Not a good idea NOTE: 20221024: to break thrice in less than 2 month. NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh) + NOTE: 20230828: want to rollout ruby-rack first. (utkarsh) -- ring (Thorsten Alteholz) NOTE: 20221120: Added by Front-Desk (ta) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47559126daaf1b4a5373f5e9130b7804dddcdf7b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47559126daaf1b4a5373f5e9130b7804dddcdf7b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
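Review bot: 'NOTE: 20230828: want to rollout ruby-rack first. (utkarsh)' gives the ordering but not the reason; one clause on why ruby-rack has to go before rails (a dependency of the rails fix, or the breakage risk the 20221024 lines describe) would let another LTS member pick the item up. 'rollout' as a verb is 'roll out'.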
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 5cf84920 by Thorsten Alteholz at 2023-08-27T19:41:19+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -23,7 +23,7 @@ rather than remove/replace existing ones. -- amanda (Thorsten Alteholz) NOTE: 20230730: Added by Front-Desk (apo) - NOTE: 20230813: testing packages (ta) + NOTE: 20230827: still testing package (ta) -- aom (Markus Koschany) NOTE: 20230823: Added by Front-Desk (apo) @@ -169,8 +169,7 @@ rails (utkarsh) -- ring (Thorsten Alteholz) NOTE: 20221120: Added by Front-Desk (ta) - NOTE: 20230507: testing package - NOTE: 20230813: testing package, not all tests pass yet + NOTE: 20230827: testing package, almost done -- ruby-loofah NOTE: 20221231: Added by Front-Desk (ola) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5cf84920c5e395b3ebe4a04dae823724d0c650fb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5cf84920c5e395b3ebe4a04dae823724d0c650fb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
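Review bot: the ring hunk deletes 'NOTE: 20230507: testing package' and 'NOTE: 20230813: testing package, not all tests pass yet' and replaces both with a single 'NOTE: 20230827: testing package, almost done', dropping the record that testing began on 20230507 and that tests were still failing two weeks earlier. Append the 20230827 line under the existing ones rather than collapsing them, so the timeline survives for whoever reviews the eventual upload.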
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: e47056c8 by Thorsten Alteholz at 2023-08-13T20:44:44+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -23,6 +23,7 @@ rather than remove/replace existing ones. -- amanda (Thorsten Alteholz) NOTE: 20230730: Added by Front-Desk (apo) + NOTE: 20230813: testing packages (ta) -- cairosvg (gladk) NOTE: 20230323: Added by Front-Desk (gladk) @@ -197,7 +198,7 @@ rar (Markus Koschany) ring (Thorsten Alteholz) NOTE: 20221120: Added by Front-Desk (ta) NOTE: 20230507: testing package - NOTE: 20230730: testing package, not all tests pass yet + NOTE: 20230813: testing package, not all tests pass yet -- ruby-loofah NOTE: 20221231: Added by Front-Desk (ola) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e47056c8c5814246254f5fb5ce4fcd7713f03527 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e47056c8c5814246254f5fb5ce4fcd7713f03527 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2023-30549
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8671af22 by Salvatore Bonaccorso at 2023-08-01T17:10:14+02:00 Update notes for CVE-2023-30549 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12148,8 +12148,14 @@ CVE-2023-30551 (Rekor is an open source software supply chain transparency log. CVE-2023-30550 (MeterSphere is an open source continuous testing platform, covering fu ...) NOT-FOR-US: MeterSphere CVE-2023-30549 (Apptainer is an open source container platform for Linux. There is an ...) - - singularity-container (bug #1035026) + - singularity-container (bug #1035026; unimportant) NOTE: https://github.com/apptainer/apptainer/security/advisories/GHSA-j4rf-7357-f4cg + NOTE: Sylabs and Apptainer projects are in disagreement to track this issue and + NOTE: their handling with respect to unpatches filesystem vulnerabilities. Sylanbs + NOTE: will add a configuration option to disable all mounts of extfs file systems + NOTE: as well in a future singularity-container version, as similar done by the + NOTE: Apptainer project. + NOTE: Details in https://sylabs.io/2023/04/response-to-cve-2023-30549/ CVE-2023-30548 (gatsby-plugin-sharp is a plugin for the gatsby framework which exposes ...) NOT-FOR-US: gatsby-plugin-sharp CVE-2023-30547 (vm2 is a sandbox that can run untrusted code with whitelisted Node's b ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8671af22eda83143c6c33508a7ead2ff3c6aebaa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8671af22eda83143c6c33508a7ead2ff3c6aebaa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
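Review bot: the NOTE block that justifies '(bug #1035026; unimportant)' has wording problems that obscure the reasoning: 'unpatches filesystem vulnerabilities' should be 'unpatched filesystem vulnerabilities', 'Sylanbs' should be 'Sylabs', 'are in disagreement to track this issue and their handling with respect to' reads better as 'disagree on whether this should be tracked as a vulnerability and on how to handle', and 'as similar done by the Apptainer project' as 'as the Apptainer project already did'. Since the unimportant tag rests on this explanation, it is worth getting the text right.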
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: d21adee2 by Thorsten Alteholz at 2023-07-16T23:46:42+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -56,12 +56,15 @@ grpc -- gst-plugins-bad1.0 (Thorsten Alteholz) NOTE: 20230702: Added by Front-Desk (ta) + NOTE: 20230716: still backporting patches -- gst-plugins-base1.0 (Thorsten Alteholz) NOTE: 20230702: Added by Front-Desk (ta) + NOTE: 20230716: still backporting patches -- gst-plugins-good1.0 (Thorsten Alteholz) NOTE: 20230702: Added by Front-Desk (ta) + NOTE: 20230716: still backporting patches -- hdf5 NOTE: 20230318: Added by Front-Desk (utkarsh) @@ -164,7 +167,7 @@ renderdoc (tobi) ring (Thorsten Alteholz) NOTE: 20221120: Added by Front-Desk (ta) NOTE: 20230507: testing package - NOTE: 20230701: testing package, not all tests pass yet + NOTE: 20230716: testing package, not all tests pass yet -- ruby-loofah NOTE: 20221231: Added by Front-Desk (ola) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d21adee29f966870b4226f1f37b51b0290013e20 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d21adee29f966870b4226f1f37b51b0290013e20 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
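Review bot: the three gst-plugins entries gain 'NOTE: 20230716: still backporting patches', but the only prior line under each is 'NOTE: 20230702: Added by Front-Desk (ta)', so 'still' refers to work that was never recorded; either note when backporting started or drop 'still'. Naming the CVEs being backported under at least one of the three would also show whether the packages share a fix or are independent items.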
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: d0ae311f by Thorsten Alteholz at 2023-06-19T00:03:24+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -78,7 +78,7 @@ hdf5 libfastjson (Thorsten Alteholz) NOTE: 20230507: Added by Front-Desk (ta) NOTE: 20230507: the CVE was fixed in json-c already - NOTE: 20230605: upload timing could be improved here + NOTE: 20230619: testing package, not all tests pass yet -- libreoffice (Abhijith PA) NOTE: 20230530: Added by Front-Desk (pochu) @@ -187,7 +187,7 @@ rails ring (Thorsten Alteholz) NOTE: 20221120: Added by Front-Desk (ta) NOTE: 20230507: testing package - NOTE: 20230605: upload timing could be improved here + NOTE: 20230619: testing package, not all tests pass yet -- ruby-doorkeeper NOTE: 20230618: Added by Front-Desk (opal) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d0ae311f69c76f1ed243b5eaf0215490af46108c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d0ae311f69c76f1ed243b5eaf0215490af46108c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update notes for ruby2.7 and ruby-rack in dsa-needed
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9073e3c4 by Salvatore Bonaccorso at 2023-06-08T22:50:00+02:00 Update notes for ruby2.7 and ruby-rack in dsa-needed - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -56,11 +56,12 @@ ring might make sense to rebase to current version -- ruby2.7 + Utkarsh Gupta offered help in preparing updates -- ruby-nokogiri -- ruby-rack - Utkarsh Gupta available for preparing updates + Utkarsh Gupta available for preparing updates, debdiff ready for review -- ruby-sinatra Maintainer posted packaging repository link with proposed changes for review View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9073e3c481a89b65b50ddecb1bd0c43681474469 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9073e3c481a89b65b50ddecb1bd0c43681474469 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
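Review bot: 'Utkarsh Gupta available for preparing updates, debdiff ready for review' under ruby-rack does not say where the debdiff is (bug number, list thread or URL); the ruby-sinatra entry just below shows the useful form, 'Maintainer posted packaging repository link with proposed changes for review'. Give the ruby-rack entry the same kind of pointer, so a reviewer can find the debdiff from the file alone.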
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 1d61c835 by Thorsten Alteholz at 2023-06-05T00:21:38+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -76,7 +76,7 @@ libcap2 (Abhijith PA) libfastjson (Thorsten Alteholz) NOTE: 20230507: Added by Front-Desk NOTE: 20230507: the CVE was fixed in json-c already - NOTE: 20230521: an RCE CVE of cups-filter made a mess of the timing + NOTE: 20230605: upload timing could be improved here -- libreoffice NOTE: 20230530: Added by Front-Desk @@ -157,7 +157,7 @@ rails ring (Thorsten Alteholz) NOTE: 20221120: Added by Front-Desk NOTE: 20230507: testing package - NOTE: 20230521: an RCE CVE of cups-filter made a mess of the timing + NOTE: 20230605: upload timing could be improved here -- ruby-loofah NOTE: 20221231: Added by Front-Desk View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d61c835fb9696dd147850b7cd205ec70552135e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d61c835fb9696dd147850b7cd205ec70552135e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
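Review bot: in the libfastjson hunk (and identically in the ring hunk), replacing 'NOTE: 20230521: an RCE CVE of cups-filter made a mess of the timing' with 'NOTE: 20230605: upload timing could be improved here' makes the note vaguer than the one it replaces: the old line at least said what delayed the work, the new one says neither what the timing problem is nor what 'improved' would mean for the pending upload. Keep the 20230521 line and append a 20230605 line stating the current blocker or the planned upload date.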
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2023-32307/sofia-sip
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c938bb6c by Salvatore Bonaccorso at 2023-05-27T22:41:56+02:00 Update notes for CVE-2023-32307/sofia-sip - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -47,7 +47,8 @@ CVE-2023-32311 (CloudExplorer Lite is an open source cloud management platform. CVE-2023-32307 (Sofia-SIP is an open-source SIP User-Agent library, compliant with the ...) - sofia-sip NOTE: https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-rm4c-ccvf-ff9c - TODO: check if affecting Debian's used fork + NOTE: https://github.com/freeswitch/sofia-sip/pull/214 + NOTE: Fixed by: https://github.com/freeswitch/sofia-sip/commit/c3bbc50c88d168065de34ca01b9b1d98c1b0e810 (v1.13.15) CVE-2023-2924 (A vulnerability, which was classified as critical, has been found in S ...) TODO: check CVE-2023-2923 (A vulnerability classified as critical was found in Tenda AC6 US_AC6V1 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c938bb6cdb8117e15b8e9d5035f088acdc9b58c9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c938bb6cdb8117e15b8e9d5035f088acdc9b58c9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
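Review bot: the hunk removes 'TODO: check if affecting Debian's used fork' without recording the answer. The new lines add the upstream PR and the 'Fixed by:' commit c3bbc50c88d168065de34ca01b9b1d98c1b0e810 (v1.13.15), but the package line stays '- sofia-sip' with no fixed version and no tag, so the entry now implies Debian's fork is affected while the check meant to establish that has vanished. Either keep the TODO until the fork has been compared against that commit, or add a NOTE stating the result of the check.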
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 03b044cf by Thorsten Alteholz at 2023-05-22T02:10:53+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -71,6 +71,7 @@ libcap2 (Abhijith PA) libfastjson (Thorsten Alteholz) NOTE: 20230507: Programming language: C. NOTE: 20230507: the CVE was fixed in json-c already + NOTE: 20230521: an RCE CVE of cups-filter made a mess of the timing -- libraw (guilhem) NOTE: 20230520: Programming language: C++. @@ -181,6 +182,7 @@ ring (Thorsten Alteholz) NOTE: 20221120: Programming language: C. NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/ring.git NOTE: 20230507: testing package + NOTE: 20230521: an RCE CVE of cups-filter made a mess of the timing -- ruby-loofah NOTE: 20221231: Programming language: Ruby. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03b044cf88afc3351833a772c596d3588e5c1c99 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03b044cf88afc3351833a772c596d3588e5c1c99 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
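Review bot: 'NOTE: 20230521: an RCE CVE of cups-filter made a mess of the timing' is added verbatim under both libfastjson and ring; it describes the maintainer's schedule rather than either package, and identifies the competing work only as 'an RCE CVE of cups-filter'. Give the CVE id and the exact source package name so the cross-reference is unambiguous for anyone reading the entry later.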
[Git][security-tracker-team/security-tracker][master] Update notes for sysstat CVEs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 64582bbf by Salvatore Bonaccorso at 2023-05-18T14:20:09+02:00 Update notes for sysstat CVEs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,9 @@ CVE-2023-33204 (sysstat through 12.7.2 allows a multiplication integer overflow in che ...) - sysstat + [bullseye] - sysstat (Incomplete fix for CVE-2022-39377 not applied) NOTE: https://github.com/sysstat/sysstat/pull/360 NOTE: https://github.com/sysstat/sysstat/commit/954ff2e2673cef48f0ed44668c466eab041db387 + NOTE: this issue exists because of an incomplete fix for CVE-2022-39377. CVE-2023-33203 (The Linux kernel before 6.2.9 has a race condition and resultant use-a ...) - linux 6.1.25-1 [bullseye] - linux 5.10.178-1 @@ -57226,6 +57228,7 @@ CVE-2022-39377 (sysstat is a set of system performance tools for the Linux opera [bullseye] - sysstat (Minor issue) NOTE: https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x NOTE: https://github.com/sysstat/sysstat/commit/9c4eaf150662ad40607923389d4519bc83b93540 (v12.7.1) + NOTE: The original fix is incomplete and opens up CVE-2023-33204. CVE-2022-39376 (GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Fre ...) - glpi (unimportant) NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-6rh5-m5g7-327w View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64582bbfb009a8c72a067a8738edb41846c86ae1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64582bbfb009a8c72a067a8738edb41846c86ae1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
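Review bot: in the first hunk, '[bullseye] - sysstat (Incomplete fix for CVE-2022-39377 not applied)' names a cause but not a status: a reader cannot tell whether bullseye is meant to be unaffected by CVE-2023-33204 (because the 12.7.1 fix that introduced it was never applied there) or merely deferred. The second hunk still shows '[bullseye] - sysstat (Minor issue)' for CVE-2022-39377 itself, so spell out the consequence in the tag, for example that bullseye is not affected by CVE-2023-33204 but remains affected by CVE-2022-39377, if that is what is meant. The two cross-referencing NOTEs added to each entry are good; 'this issue exists because of...' could be capitalised to match 'The original fix is incomplete...'.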
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2022-23134
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2931ba7d by Salvatore Bonaccorso at 2023-04-09T20:51:09+02:00 Update notes for CVE-2022-23134 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -100442,8 +100442,8 @@ CVE-2022-23135 (There is a directory traversal vulnerability in some home gatewa CVE-2022-23134 (After the initial setup process, some steps of setup.php file are reac ...) {DLA-2914-1} - zabbix 1:6.0.7+dfsg-2 - [bullseye] - zabbix (See NOTE below) - [buster] - zabbix (See NOTE below) + [bullseye] - zabbix (Vulnerable code not present; session data not stored in cookies) + [buster] - zabbix (Vulnerable code not present) NOTE: https://support.zabbix.com/browse/ZBX-20384 NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/aa0fecfbcc9794bc00206630a7424575dfc944df (5.0.19rc2) NOTE: 4.0 and 5.0 are not affected: https://support.zabbix.com/browse/ZBX-20384?focusedCommentId=648239=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-648239 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2931ba7d83e543308104d42de4c5049e5fbd5288 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2931ba7d83e543308104d42de4c5049e5fbd5288 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
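Review bot: the new bullseye and buster reasons replace 'See NOTE below', which is better, but they sit in tension with the NOTEs that follow: the fix is recorded as '...commits/aa0fecfbcc9794bc00206630a7424575dfc944df (5.0.19rc2)', a change shipped in the 5.0 branch, while the next line says '4.0 and 5.0 are not affected'. Add a clause explaining the relation (for instance, if the 5.0 commit is a hardening change on an unaffected branch, say so) so the 'Vulnerable code not present' tags are not contradicted by the fix reference. The two tags also differ ('session data not stored in cookies' appears only for bullseye); state whether that difference is intentional.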
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: fc28cbbe by Thorsten Alteholz at 2023-03-26T23:27:22+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -56,6 +56,7 @@ docker.io (gladk) duktape (Thorsten Alteholz, maintainer) NOTE: 20230311: Programming language: C. NOTE: 20230311: Maintainer notes: Maintainer prepares o-o-s updates. + NOTE: 20230326: testing package -- emacs (Adrian Bunk) NOTE: 20230223: Programming language: Lisp. @@ -128,6 +129,7 @@ intel-microcode (tobi) -- libmicrohttpd (Thorsten Alteholz) NOTE: 20230313: Programming language: C. + NOTE: 20230326: testing package -- linux (Ben Hutchings) NOTE: 20230111: Programming language: C View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc28cbbea8b9ba52d5b8952a979ce95979363c38 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc28cbbea8b9ba52d5b8952a979ce95979363c38 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update notes for sofia-sip
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 61ac7f22 by Salvatore Bonaccorso at 2023-02-08T15:57:35+01:00 Update notes for sofia-sip - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -58,7 +58,7 @@ salt samba -- sofia-sip - Maintainer proposed debdiff for review with additional question + Maintainer proposed debdiff for review with additional question and sent a followup -- sox patch needed for CVE-2021-40426, check with upstream View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61ac7f22b348afd13e431f9fe38819637f0b3c96 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61ac7f22b348afd13e431f9fe38819637f0b3c96 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2022-3854/ceph
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cc28091e by Salvatore Bonaccorso at 2022-12-25T22:36:26+01:00 Update notes for CVE-2022-3854/ceph - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11949,7 +11949,9 @@ CVE-2022-3854 [possible DoS issue in ceph URL processing on RGW backends] RESERVED - ceph NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2139925 - TODO: check details, none provided in RHBZ#2139925 + NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1205025 + NOTE: https://tracker.ceph.com/issues/55765 + TODO: check details, none provided in RHBZ#2139925, SuSE contains excerpt from the closed bugzilla entry CVE-2022-44664 RESERVED CVE-2022-44663 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc28091ed8240200c428fca6612f1d9560d200b1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc28091ed8240200c428fca6612f1d9560d200b1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
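Review bot: the extended TODO says "SuSE contains excerpt from the closed bugzilla entry" without saying which entry is closed; since the same line already names RHBZ#2139925 as the one with no details, state that the SUSE bug quotes the closed Red Hat entry (and spell it SUSE). The entry still lists "- ceph" with no affected or fixed version even though the ceph tracker issue is now linked; keep a TODO to derive the fixed version from tracker.ceph.com/issues/55765.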
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 3a131135 by Thorsten Alteholz at 2022-11-16T11:38:43+01:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -84,8 +84,9 @@ golang-websocket NOTE: 20220915: 1 CVE fixed in stretch and bullseye (golang-github-gorilla-websocket) (Beuc/front-desk) NOTE: 20220915: Special attention: limited support; requires rebuilding reverse dependencies -- -graphicsmagick +graphicsmagick (Thorsten Alteholz) NOTE: 20221027: Programming language: C. + NOTE: 20221116: testing package -- hsqldb NOTE: 20221031: Programming language: Java. @@ -386,7 +387,7 @@ vim (Helmut) NOTE: 20221108: Programming language: C. NOTE: 20221108: VCS: https://salsa.debian.org/lts-team/packages/vim.git -- -virglrenderer +virglrenderer (Thorsten Alteholz) NOTE: 20221009: Programming language: C. -- zabbix View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a1311355dcc2525847f3c7119b64b16c2be4d8b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a1311355dcc2525847f3c7119b64b16c2be4d8b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update notes for libpgjava in dsa-needed.txt.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: b8787a63 by Markus Koschany at 2022-07-11T00:39:55+02:00 Update notes for libpgjava in dsa-needed.txt. also claim curl - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -16,7 +16,7 @@ asterisk -- chromium (jmm) -- -curl +curl (Markus Koschany) -- epiphany-browser -- @@ -29,6 +29,8 @@ kopanocore/oldstable librecad -- libpgjava (apo) + NOTE: 20220711: libscram-java is missing in bullseye-security. I am currently + NOTE: 20220711: waiting for #1014409 being resolved. -- linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b8787a637da667cfa6149d87ea13469318c33fbe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b8787a637da667cfa6149d87ea13469318c33fbe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
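Review bot: the curl claim in the first hunk is written as "(Markus Koschany)" while the libpgjava entry touched in the second hunk uses the handle "(apo)" for the same person, and the surrounding file uses short handles ("(jmm)", "(carnil)"); pick one form so grep-based status checks find both claims. In the libpgjava NOTE, "waiting for #1014409 being resolved" reads better as "waiting for #1014409 to be resolved", and naming the package that bug is filed against would save the next reader a lookup.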
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2022-31213
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1469aa7a by Salvatore Bonaccorso at 2022-07-01T20:16:39+02:00 Update notes for CVE-2022-31213 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9594,9 +9594,12 @@ CVE-2022-31214 (A Privilege Context Switching issue was discovered in join.c in NOTE: https://github.com/netblue30/firejail/files/8913178/CVE-2022-31214.zip (0.9.58.2 - 0.9.68 backports) CVE-2022-31213 [null pointer reference when supplying a malformed XML config file] RESERVED - - dbus-broker + - dbus-broker 30-1 [bullseye] - dbus-broker (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2094722 + NOTE: "CHANGES WITH 30:" mention: Fix NULL-derefs in the XML configuration parser. Empty XML tags could + NOTE: have caused NULL-derefs before. + TODO: Isolate upstream commit. CVE-2022-31212 RESERVED - dbus-broker 30-1 (bug #1013343) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1469aa7ab6db651ec393e557a6ff7355193fbbca -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1469aa7ab6db651ec393e557a6ff7355193fbbca You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
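Review bot: the entry now records 30-1 as the fixed version on the strength of the release-notes sentence quoted in the NOTE, with the upstream commit still to be isolated; the sibling entry CVE-2022-31212 directly below is fixed in the same 30-1 and carries "(bug #1013343)". If that Debian bug covers both NULL-deref issues, add the same bug reference here; if not, say so in a NOTE so the missing reference is not read as an oversight.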
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 7ffed317 by Thorsten Alteholz at 2022-06-26T23:48:42+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -28,7 +28,7 @@ blender (Thorsten Alteholz) NOTE: 20220529: Programming language: C++. NOTE: 20220528: 3 CVEs now fixed in unstable, but maintainer never was approached to fix in stable/oldstable, NOTE: 20220528: maybe coordinate with them (Beuc/front-desk) - NOTE: 20220613: testing package + NOTE: 20220626: testing package -- cgal NOTE: 20220529: Programming language: C++. @@ -80,7 +80,7 @@ golang-github-hashicorp-go-getter (Thorsten Alteholz) NOTE: 20220529: Programming language: Go. NOTE: 20220528: limited golang support in stretch (cf. stretch release notes) NOTE: 20220528: no rdeps AFAICS so no need to rebuild other golang packages (Beuc/front-desk) - NOTE: 20220613: testing package + NOTE: 20220626: testing package -- golang-go.crypto (Dominik George) NOTE: 20220529: Programming language: Go. @@ -188,7 +188,7 @@ modsecurity-crs (Andreas Rönnquist) ncurses (Thorsten Alteholz) NOTE: 20220529: Programming language: C. NOTE: 20220524: Follow buster: harmonize with with Debian 10.2 (2-3 CVEs + some non-CVE'd issues) (Beuc/front-desk) - NOTE: 20220613: testing package + NOTE: 20220626: testing package -- netatalk NOTE: 20220616: Programming language: C. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ffed317b7f870462b7e01f2f733668364e83103 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ffed317b7f870462b7e01f2f733668364e83103 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
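Review bot: all three hunks rewrite the existing "NOTE: 20220613: testing package" lines to "NOTE: 20220626: testing package" instead of appending a new dated NOTE, which drops the record that testing started on 20220613; the rest of the file keeps history by appending dated lines (e.g. the 20220528/20220529 notes left in place above). Append the new status line rather than editing the date.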
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: debb0e2a by Thorsten Alteholz at 2022-06-13T10:25:36+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -25,6 +25,7 @@ blender (Thorsten Alteholz) NOTE: 20220529: Programming language: C++. NOTE: 20220528: 3 CVEs now fixed in unstable, but maintainer never was approached to fix in stable/oldstable, NOTE: 20220528: maybe coordinate with them (Beuc/front-desk) + NOTE: 20220613: testing package -- cgal NOTE: 20220529: Programming language: C++. @@ -75,6 +76,7 @@ golang-github-hashicorp-go-getter (Thorsten Alteholz) NOTE: 20220529: Programming language: Go. NOTE: 20220528: limited golang support in stretch (cf. stretch release notes) NOTE: 20220528: no rdeps AFAICS so no need to rebuild other golang packages (Beuc/front-desk) + NOTE: 20220613: testing package -- golang-go.crypto NOTE: 20220529: Programming language: Go. @@ -175,6 +177,7 @@ modsecurity-crs ncurses (Thorsten Alteholz) NOTE: 20220529: Programming language: C. NOTE: 20220524: Follow buster: harmonize with with Debian 10.2 (2-3 CVEs + some non-CVE'd issues) (Beuc/front-desk) + NOTE: 20220613: testing package -- ntfs-3g NOTE: 20220529: Programming language: C. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/debb0e2a201d08b07f97426d6b5c54f5cf42fb21 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/debb0e2a201d08b07f97426d6b5c54f5cf42fb21 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2021-3643/sox
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 69665a31 by Salvatore Bonaccorso at 2022-04-28T23:01:54+02:00 Update notes for CVE-2021-3643/sox - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -52273,6 +52273,8 @@ CVE-2021-3643 RESERVED - sox NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1980626 + NOTE: Triggered by same reproducer as for CVE-2021-23210 + NOTE: https://sourceforge.net/p/sox/bugs/351/ CVE-2021-38193 (An issue was discovered in the ammonia crate before 3.1.0 for Rust. XS ...) - rust-ammonia 3.1.2-1 (bug #991497) NOTE: https://github.com/rust-ammonia/ammonia/commit/4b8426b89b861d9bea20e126576b0febb9d13515 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/69665a311841f503430982d624a43fad219664f5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/69665a311841f503430982d624a43fad219664f5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
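Review bot: the NOTE "Triggered by same reproducer as for CVE-2021-23210" leaves the key triage question open: whether the patch for CVE-2021-23210 also resolves this issue (in which case the entry should carry that fixed version) or whether a separate fix is needed. Add a TODO stating which of the two it is, or record the fixed version if the shared reproducer is already silenced.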
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 5e8a88a7 by Thorsten Alteholz at 2022-04-24T23:53:19+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -82,7 +82,7 @@ kvmtool NOTE: 20220402: CVE-2021-45464 looks critical, check with upstream for acknowledgments/fixes (Beuc) -- libarchive (Thorsten Alteholz) - NOTE: 20220410: still testing + NOTE: 20220423: still testing, some tests still fail -- liblouis NOTE: 20220320: no patch available yet. Reproducible memory leaks with ASAN @@ -91,7 +91,7 @@ liblouis libpgjava -- libvirt (Thorsten Alteholz) - NOTE: 20220410: wait for upload in newer releases + NOTE: 20220423: wait for upload in newer releases, dependency loop seems to be resolved now -- libz-mingw-w64 NOTE: 20220231: upcoming DSA (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e8a88a7e2b094f331e937d2c8042af067ba2602 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e8a88a7e2b094f331e937d2c8042af067ba2602 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
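Review bot: in the second hunk, the unchanged context line under libz-mingw-w64 reads "NOTE: 20220231: upcoming DSA (Beuc)", which is not a valid date; since the file is being touched, correct the stamp. In the first hunk, "some tests still fail" would be more useful with the names of the failing tests, so that a later reader can tell regressions apart from pre-existing failures.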
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 4f0a152c by Thorsten Alteholz at 2022-03-27T23:14:52+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -58,7 +58,7 @@ jackson-databind kicad -- libarchive (Thorsten Alteholz) - NOTE: 20220225: fix seems to be incomplete + NOTE: 20220327: next round of testing -- libdatetime-timezone-perl (Emilio) -- @@ -82,6 +82,7 @@ mariadb-10.1 mbedtls (Utkarsh) -- minidlna (Thorsten Alteholz) + NOTE: 20220327: update other releases first -- nvidia-graphics-drivers NOTE: 20220203: package is in non-free but also in packages-to-support (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4f0a152c5f11b7c79ecf0b03de3e2651e143b21d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4f0a152c5f11b7c79ecf0b03de3e2651e143b21d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
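Review bot: the first hunk replaces "NOTE: 20220225: fix seems to be incomplete" with "NOTE: 20220327: next round of testing", which discards the earlier finding that the fix was incomplete without saying whether that has been resolved. Append the new dated NOTE and keep the old one, or state explicitly that the incompleteness was addressed.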
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 45d8534d by Thorsten Alteholz at 2022-01-02T23:42:52+01:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -49,6 +49,7 @@ gpac (Roberto C. Sánchez) NOTE: 20211228: Returning to active work on this now that llvm/rustc update is complete (roberto) -- libarchive (Thorsten Alteholz) + NOTE: 20220102: testing package -- libgit2 (Utkarsh) NOTE: 20211029: CVE-2018-10887/CVE-2018-10888/CVE-2018-15501 were fixed @@ -95,6 +96,7 @@ slurm-llnl (Sylvain Beucler) NOTE: 20211229: should also be checked. (bunk) -- sphinxsearch (Thorsten Alteholz) + NOTE: 20220103: waiting for Buster upload -- thunderbird (Emilio) NOTE: 20211122: blocked on toolchain backports (pochu) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45d8534dcaee8406eed40565a0cafd771db55eec -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45d8534dcaee8406eed40565a0cafd771db55eec You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
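Review bot: the second hunk adds "NOTE: 20220103: waiting for Buster upload" under sphinxsearch, but the commit is dated 2022-01-02 and the first hunk's new libarchive note uses 20220102; use the same stamp for both so the notes sort correctly by date.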
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2021-45959/fmtlib
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a1b4bd0b by Salvatore Bonaccorso at 2022-01-02T15:03:27+01:00 Update notes for CVE-2021-45959/fmtlib Pending REJECT from MITRE to clean up the CVE entry. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -64,10 +64,12 @@ CVE-2022-0079 CVE-2022-0078 RESERVED CVE-2021-45959 ({fmt} 7.1.0 through 8.0.1 has a stack-based buffer overflow in fmt::v8 ...) - - fmtlib + - fmtlib (unimportant) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36110 + NOTE: https://github.com/fmtlib/fmt/issues/2685 NOTE: Fixed by: https://github.com/fmtlib/fmt/commit/2038bf61831eb8faede0883965364a974d1350fe - TODO: check correctness, introducing commit in oss-fuzz report is related when fuzzing started + NOTE: The CVE is basically invalid, as the report was one of a series of false positives + NOTE: and the "upstream fix" is effectively a noop. CVE-2021-45958 (UltraJSON (aka ujson) 4.0.2 through 5.0.0 has a stack-based buffer ove ...) - ujson NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a1b4bd0b76afefa7abf5b0211385ae0a22e651ac -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a1b4bd0b76afefa7abf5b0211385ae0a22e651ac You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
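Review bot: the new NOTE lines state the CVE is effectively invalid and the upstream "fix" a no-op, and the commit message says a REJECT from MITRE is pending; the hunk replaces the old TODO with nothing, so there is no reminder to switch the entry to REJECTED once MITRE acts. Keep a TODO ("TODO: switch to REJECTED once MITRE processes the reject request") so the "unimportant" tag does not linger.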
[Git][security-tracker-team/security-tracker][master] Update notes for nvidia-graphics-drivers in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: a92991a7 by Markus Koschany at 2021-12-10T22:45:52+01:00 Update notes for nvidia-graphics-drivers in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -66,6 +66,9 @@ nvidia-graphics-drivers (Markus Koschany) NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077 NOTE: 20211108: nvidia-graphics-drivers-legacy-390xx 390.144-1 in buster/bullseye/bookworm NOTE: 20211108: now fixes all 5 CVEs (bunk) + NOTE: 20211210: I am currently testing the backport of + NOTE: nvidia-graphics-drivers-legacy-390xx but will ask for more testing on the lts + NOTE: mailing list tomorrow (apo) -- pgbouncer (Thorsten Alteholz) NOTE: 20211128: also help with other releases View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a92991a7cea3efcca506c2e3f8b8213715f1f6f4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a92991a7cea3efcca506c2e3f8b8213715f1f6f4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update notes on CVE-2021-41190
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d56d88cc by Salvatore Bonaccorso at 2021-11-20T10:20:37+01:00 Update notes on CVE-2021-41190 This is a bit cumbersome to track. My understanding is that the CVE is specifically for the specification issue. Several container projects have mitigated the issue by releasing updates, such as the mentioned containerd and golang-github-opencontainers-image-spec. As such keep it for now as NFU, though making a note on the mitigations in software. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -9993,7 +9993,12 @@ CVE-2021-41192 CVE-2021-41191 (Roblox-Purchasing-Hub is an open source Roblox product purchasing hub. ...) NOT-FOR-US: Roblox-Purchasing-Hub CVE-2021-41190 (The OCI Distribution Spec project defines an API protocol to facilitat ...) - NOT-FOR-US: OCI Distribution Spec + NOT-FOR-US: OCI Distribution Specification + NOTE: Issue in the OCI Distribution Specification. Software mitigations are applied to + NOTE: containerd/1.5.8~ds1-1 and golang-github-opencontainers-image-spec/1.0.2-1 + NOTE: https://www.openwall.com/lists/oss-security/2021/11/19/10 + NOTE: https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m + NOTE: https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh CVE-2021-41189 (DSpace is an open source turnkey repository application. In version 7. ...) NOT-FOR-US: DSpace CVE-2021-41188 (Shopware is open source e-commerce software. Versions prior to 5.7.6 c ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d56d88cc5c785d969a508f0628331a10384de55d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d56d88cc5c785d969a508f0628331a10384de55d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2021-42343/dask
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 95e44ad5 by Salvatore Bonaccorso at 2021-11-11T07:53:12+01:00 Update notes for CVE-2021-42343/dask - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4789,8 +4789,9 @@ CVE-2021-42345 CVE-2021-42344 RESERVED CVE-2021-42343 (An issue was discovered in the Dask distributed package before 2021.10 ...) - - dask - TODO: check details if fixed upstream in 2021.10.0 + - dask.distributed + NOTE: https://github.com/dask/distributed/pull/5427 + NOTE: https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr CVE-2021-42342 (An issue was discovered in GoAhead 4.x and 5.x before 5.1.5. In the fi ...) NOT-FOR-US: Embedthis GoAhead CVE-2021-42341 (checkpath in OpenRC before 0.44.7 uses the direct output of strlen() t ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/95e44ad53194e3611bc264045c330fcf8b52e92a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/95e44ad53194e3611bc264045c330fcf8b52e92a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
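Review bot: the hunk drops "TODO: check details if fixed upstream in 2021.10.0" and renames the package to dask.distributed, but leaves the package line unversioned and adds only the PR and advisory links; if the linked PR is the fix, record the fixed Debian version (or the upstream release it corresponds to), otherwise keep the TODO so the check is not lost.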
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: ec87c80f by Thorsten Alteholz at 2021-10-11T00:14:37+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -31,8 +31,10 @@ debian-archive-keyring (Utkarsh) NOTE: 20211003: failing. Or at least appears to be. :( (utkarsh) -- exiv2 (Thorsten Alteholz) + NOTE: 20211010: WIP, also taking care of older issues -- faad2 (Thorsten Alteholz) + NOTE: 20211010: WIP, also taking care of older issues -- ffmpeg (Anton Gladky) NOTE: probably wait until stuff is fixed in Buster @@ -111,7 +113,7 @@ smarty3 (Markus Koschany) NOTE: 20210906: prepared a build for testing. Waiting for bug submitter's reply (abhijith) -- squashfs-tools (Thorsten Alteholz) - NOTE: 20210926: coordinate with upload to other releases + NOTE: 20211010: coordinate with upload to other releases -- thunderbird (Emilio) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec87c80f36288b03c7df0c6ad1acea4f6138ba10 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec87c80f36288b03c7df0c6ad1acea4f6138ba10 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update notes for two libgcrypt20 CVEs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ff7bba42 by Salvatore Bonaccorso at 2021-09-19T13:35:23+02:00 Update notes for two libgcrypt20 CVEs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1905,7 +1905,11 @@ CVE-2021-40528 (The ElGamal implementation in Libgcrypt before 1.9.4 allows plai NOTE: https://eprint.iacr.org/2021/923 NOTE: https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1 NOTE: https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2 - NOTE: Related to CVE-2021-33560, but not a duplicate + NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=e8b7f10be275bcedb5fc05ed4837a89bfd605c61 (1.9.x) + NOTE: Related to CVE-2021-33560, but not a duplicate. Unfortunately scope of CVE-2021-33560 and + NOTE: CVE-2021-40528 got switched at some point, and CVE-2021-33560 referring to the blinding + NOTE: hardening. We keep the original association as per 2021-09-19 (until MITRE clarifies on + NOTE: a query). CVE-2021-40527 RESERVED CVE-2021-40526 
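Review bot: the new NOTE "Unfortunately scope of CVE-2021-33560 and CVE-2021-40528 got switched at some point, and CVE-2021-33560 referring to the blinding hardening" is a sentence fragment; rewrite as "... got switched at some point, with CVE-2021-33560 now referring to the blinding hardening." Also state which assignment is "the original association" being kept (which CVE maps to which of the two commits now listed), since that is exactly what a reader hitting the swapped descriptions will need.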
@@ -18003,7 +18007,10 @@ CVE-2021-33560 (Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal [buster] - libgcrypt20 1.8.4-5+deb10u1 NOTE: https://dev.gnupg.org/T5328 NOTE: https://eprint.iacr.org/2021/923.pdf - NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=3462280f2e23e16adf3ed5176e0f2413d8861320 + NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=3462280f2e23e16adf3ed5176e0f2413d8861320 (1.9.x) + NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=707c3c5c511ee70ad0e39ec613471f665305fbea (1.8.x) + NOTE: See notes on CVE-2021-40528 on the confusion about swapping of scope of + NOTE: CVE-2021-40528 and CVE-2021-33560. CVE-2021-33559 RESERVED CVE-2021-33558 (Boa 0.94.13 allows remote attackers to obtain sensitive information vi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff7bba427b8f21ddd1849d525f153f05aafc9abe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff7bba427b8f21ddd1849d525f153f05aafc9abe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 9760c2b8 by Thorsten Alteholz at 2021-09-12T23:30:05+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -38,6 +38,7 @@ gnutls28 (Sylvain Beucler) -- grilo (Thorsten Alteholz) NOTE: 20210825: ssl-use-system-ca-file is used in libsoup2.4 since version 2.38 + NOTE: 20210912: maintainer ok, testing package -- krb5 (Adrian Bunk) NOTE: 20210905: testing fixes @@ -66,8 +67,10 @@ nvidia-graphics-drivers NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077 -- openssl (Thorsten Alteholz) + NOTE: 20210912: testing package, upload probably after LE fix -- openssl1.0 (Thorsten Alteholz) + NOTE: 20210912: testing package, upload probably after LE fix -- plib NOTE: 20210829: no fix yet. (thorsten) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9760c2b8fb7e31f701c02800701bf70cec74f44d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9760c2b8fb7e31f701c02800701bf70cec74f44d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
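Review bot: the two new openssl/openssl1.0 notes say "upload probably after LE fix" without expanding "LE" or naming the issue it refers to; spell it out (and reference the bug or DLA if there is one) so the dependency between the two uploads is clear to whoever picks this up later.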
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2021-3592
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: eea83f8e by Markus Koschany at 2021-09-11T23:07:30+02:00 Update notes for CVE-2021-3592 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14440,6 +14440,7 @@ CVE-2021-3592 (An invalid pointer initialization issue was found in the SLiRP ne NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/f13cad45b25d92760bb0ad67bec0300a4d7d5275 (v4.6.0) NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/2eca0838eee1da96204545e22cdaed860d9d7c6c (v4.6.0) NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed. + NOTE: The patch introduced a regression, see Debian bug #994080 for more information. CVE-2021-34558 (The crypto/tls package of Go through 1.16.5 does not properly assert t ...) - golang-1.16 1.16.6-1 - golang-1.15 1.15.9-6 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eea83f8e70d13b256142eaa8b904f50ed364f2d0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eea83f8e70d13b256142eaa8b904f50ed364f2d0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
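Review bot: the added NOTE says "The patch introduced a regression" but the entry lists two upstream commits (f13cad45 and 2eca0838); name the commit that causes the regression tracked in #994080, and say whether the fixed versions recorded above need a follow-up upload, so the regression is not silently attributed to the wrong change.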
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2021-20291
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 58fe2932 by Neil Williams at 2021-09-09T14:00:18+01:00 Update notes for CVE-2021-20291 golang-github-containers-buildah uses golang-github-containers-storage compression support. docker.io already uses the same library as the fix for golang-github-containers-storage. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -50511,7 +50511,8 @@ CVE-2021-20291 (A deadlock vulnerability was found in 'github.com/containers/sto [experimental] - golang-github-containers-storage 1.29.0+ds1-1 - golang-github-containers-storage 1.34.1+ds1-1 (bug #988942) NOTE: https://github.com/containers/storage/commit/306fcabc964470e4b3b87a43a8f6b7d698209ee1 - TODO: check golang-github-containers-buildah, docker.io + NOTE: golang-github-containers-buildah uses golang-github-containers-storage compression support. + NOTE: docker.io already uses the same library as the fix for golang-github-containers-storage. CVE-2021-20290 RESERVED - foreman (bug #663101) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58fe29321a5f31da48f7384e63f99829698638a2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58fe29321a5f31da48f7384e63f99829698638a2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
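Review bot: the hunk resolves the TODO "check golang-github-containers-buildah, docker.io" with two NOTEs describing what those packages use, but never states the outcome: whether buildah needs its own package line for this deadlock (it "uses golang-github-containers-storage compression support", which sounds like it is exposed) and whether docker.io is therefore considered fixed or not affected. Add the conclusion explicitly, since a NOTE alone does not change the tracked state.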
[Git][security-tracker-team/security-tracker][master] Update notes on mosquitto and mupdf
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 5dcb8fff by Neil Williams at 2021-08-17T14:53:27+01:00 Update notes on mosquitto and mupdf - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -33,11 +33,12 @@ linux (Ben Hutchings) -- linux-4.19 (Ben Hutchings) -- -mosquitto (codehelp) +mosquitto NOTE: 20210805: coordinating upload to buster before DLA for Stretch (codehelp) NOTE: 20210806: CVE-2021-34432 ignored in buster and stretch. Vulnerable code not accessible. (codehelp) -- mupdf (codehelp) + NOTE: 20210817: fix for CVE-2020-19609 and CVE-2021-37220 in buster are to be put into a point release. -- nettle NOTE: 20210719: difficult backport, wip (Emilio) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5dcb8fff2e3e65326fd304c3776e7d157ad70f4d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5dcb8fff2e3e65326fd304c3776e7d157ad70f4d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
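Review bot: the hunk drops the "(codehelp)" claim from the mosquitto package line while both remaining NOTEs are signed (codehelp) and the 20210805 one still says codehelp is coordinating a buster upload; if the package is being unclaimed on purpose, add a dated NOTE saying so, otherwise keep the claim. The new mupdf NOTE only covers buster ("fix for CVE-2020-19609 and CVE-2021-37220 in buster are to be put into a point release"), but this file tracks the stretch LTS work, so record the stretch status for both CVEs (fixed, not affected, or still pending) as well.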
[Git][security-tracker-team/security-tracker][master] Update notes on CVE-2020-19715 and CVE-2019-13110
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 97c06621 by Salvatore Bonaccorso at 2021-08-10T22:49:22+02:00 Update notes on CVE-2020-19715 and CVE-2019-13110 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -74311,8 +74311,6 @@ CVE-2020-19716 (A buffer overflow vulnerability in the Databuf function in types TODO: check, unclear if fixed or not, upstream cannot reproduce as well in 0.27.1 as reported CVE-2020-19715 REJECTED - - exiv2 0.27.2-6 - NOTE: https://github.com/Exiv2/exiv2/issues/979 CVE-2020-19714 RESERVED CVE-2020-19713 @@ -145419,6 +145417,7 @@ CVE-2019-13110 (A CiffDirectory::readDirectory integer overflow and out-of-bound [stretch] - exiv2 (Minor issue) [jessie] - exiv2 (Minor issue, read segfault) NOTE: https://github.com/Exiv2/exiv2/issues/843 + NOTE: https://github.com/Exiv2/exiv2/pull/844 NOTE: https://github.com/Exiv2/exiv2/commit/9628f82084ed30d494ddd4f7360d233801e22967 CVE-2019-13109 (An integer overflow in Exiv2 through 0.27.1 allows an attacker to caus ...) - exiv2 0.27.2-6 (low) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/97c0662107f18af0ff4beffc2ab3c38a947aee26 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/97c0662107f18af0ff4beffc2ab3c38a947aee26 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
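Review bot: in the CVE-2020-19715 hunk, the REJECTED entry loses both the "- exiv2 0.27.2-6" line and the NOTE linking https://github.com/Exiv2/exiv2/issues/979; that is the usual shape for a REJECTED id, but the commit message says only "Update notes" and gives no reason for the rejection, so a reader of the log cannot tell whether the issue was withdrawn or merged into another CVE. Suggest stating the rejection reason (or the replacement id) in the commit message.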
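Review bot: in the CVE-2019-13110 hunk, the new "NOTE: https://github.com/Exiv2/exiv2/pull/844" sits beside the existing commit link without saying how they relate; elsewhere the fix is written as "NOTE: Fixed by: <url>" (the avahi and tcmu-runner entries in this log use that form), so label the PR as the fix (or as discussion) so it is not read as a second, unrelated reference.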
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2021-3502
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 00c78f5b by Salvatore Bonaccorso at 2021-08-09T21:15:06+02:00 Update notes for CVE-2021-3502 CVE-2021-36217 is marked (will be updated soon in the feed) as REJECTED, it is a duplicate of CVE-2021-3502, which MITRE is going to retain. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4647,14 +4647,8 @@ CVE-2021-36219 RESERVED CVE-2021-36218 RESERVED -CVE-2021-36217 (Avahi 0.8 allows a local denial of service (NULL pointer dereference a ...) - - avahi (bug #990900) - [bullseye] - avahi (Minor issue) - [buster] - avahi (Vulnerable code introduced later) - [stretch] - avahi (Vulnerable code introduced later) - NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1188083 - NOTE: Fixed by: https://github.com/lathiat/avahi/commit/9d31939e55280a733d930b15ac9e4dda4497680c - NOTE: Introduced by: https://github.com/lathiat/avahi/commit/8f75a045709a780c8cf92a6a21e9d35b593bdecd (v0.8) +CVE-2021-36217 + REJECTED CVE-2021-36216 RESERVED CVE-2021-36215 
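Review bot: the removed CVE-2021-36217 block records "Introduced by: ...8f75a045... (v0.8)", while the surviving CVE-2021-3502 entry (second hunk of this commit) records "Introduced by: ...80c98fa1... (v0.8)"; for what is now declared a single issue, the two introducing commits differ, and the "[buster] / [stretch] - avahi (Vulnerable code introduced later)" claims rest on that commit being right. Suggest reconciling the two before the duplicate's notes are dropped, and carrying over the bugzilla.suse.com reference if it is the only place the original report lives.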
@@ -16176,6 +16170,7 @@ CVE-2021-3502 (A flaw was found in avahi 0.8-5. A reachable assertion is present [buster] - avahi (Vulnerable code introduced later) [stretch] - avahi (Vulnerable code introduced later) NOTE: https://github.com/lathiat/avahi/issues/338 + NOTE: Fixed by: https://github.com/lathiat/avahi/commit/9d31939e55280a733d930b15ac9e4dda4497680c NOTE: Introduced by: https://github.com/lathiat/avahi/commit/80c98fa16782e921f5b5d5c880f1d80f5c43bd49 (v0.8) CVE-2021-3500 (A flaw was found in djvulibre-3.5.28 and earlier. A Stack overflow in ...) {DLA-2667-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/00c78f5baa695400efa184b78b220712d118532f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/00c78f5baa695400efa184b78b220712d118532f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
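Review bot: the CVE-2021-3502 hunk adds "Fixed by: ...9d31939e..." from the rejected duplicate, but the Debian bug reference "#990900" that was attached to CVE-2021-36217 is not carried over, and no visible line of this entry names a Debian bug; add "(bug #990900)" to the avahi package line (or retitle the bug to CVE-2021-3502) so the fix tracking does not become orphaned with the rejected id.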
[Git][security-tracker-team/security-tracker][master] Update notes for mupdf
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 602f0b44 by Neil Williams at 2021-08-06T13:00:16+01:00 Update notes for mupdf - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1974,8 +1974,10 @@ CVE-2021-37221 RESERVED CVE-2021-37220 (MuPDF through 1.18.1 has an out-of-bounds write because the cached col ...) - mupdf 1.17.0+ds1-2 (bug #991402) + [stretch] - mupdf (Vulnerable code not present) NOTE: http://git.ghostscript.com/?p=mupdf.git;h=f5712c9949d026e4b891b25837edd2edc166151f NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=703791 + NOTE: On Stretch, an earlier version of the code exits early instead of crashing. CVE-2021-37219 RESERVED CVE-2021-37218 @@ -178181,6 +178183,8 @@ CVE-2018-19777 (In Artifex MuPDF 1.14.0, there is an infinite loop in the functi - mupdf 1.15.0+ds1-1 (unimportant; bug #915137) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700301 NOTE: No security impact, hang in GUI/CLI tool + NOTE: Not able to reproduce on buster or stretch + NOTE: upstream fix for bug #700301 may be incomplete CVE-2018-19776 RESERVED CVE-2018-19775 (Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (b ...) 
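Review bot: in the CVE-2021-37220 hunk, the new tag "[stretch] - mupdf (Vulnerable code not present)" and the new NOTE "On Stretch, an earlier version of the code exits early instead of crashing" describe two different situations: the tag says the code path does not exist, the NOTE says it exists but fails safe. Keep the one that matches what was checked (for the second, a NOTE naming the early-exit check and a "Not affected"-style reason is the clearer record), so later backport decisions rest on the right reason.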
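Review bot: in the CVE-2018-19777 hunk, "NOTE: Not able to reproduce on buster or stretch" and "NOTE: upstream fix for bug #700301 may be incomplete" pull in opposite directions and neither cites a source; if the upstream fix is suspected to be incomplete, the existing "- mupdf 1.15.0+ds1-1 (unimportant; bug #915137)" fixed-version claim needs revisiting, or the NOTE needs a reference (upstream bug comment, test case) that supports the suspicion. Suggest adding the reference or rewording to "could not reproduce with the test case from #700301".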
@@ -268478,14 +268482,12 @@ CVE-2016-10248 (The jpc_tsfb_synthesize function in jpc_tsfb.c in JasPer before CVE-2016-10247 (Buffer overflow in the my_getline function in jstest_main.c in Mujstes ...) - mupdf 1.11+ds1-1 (unimportant) [wheezy] - mupdf (Vulnerable code not present) - [stretch] - mupdf (Vulnerable code not packaged or compiled) NOTE: Although jstest_main.c compiled during build and mujstest is created NOTE: it is not included in the produced binary packages NOTE: https://www.openwall.com/lists/oss-security/2016/10/16/19 CVE-2016-10246 (Buffer overflow in the main function in jstest_main.c in Mujstest in A ...) - mupdf 1.11+ds1-1 (unimportant) [wheezy] - mupdf (Vulnerable code not present) - [stretch] - mupdf (Vulnerable code not packaged or compiled) NOTE: Although jstest_main.c compiled during build and mujstest is created NOTE: it is not included in the produced binary packages NOTE: https://www.openwall.com/lists/oss-security/2016/10/16/20 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/602f0b44ec4e6ec96ef1d26935ae9c712421918f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/602f0b44ec4e6ec96ef1d26935ae9c712421918f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
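Review bot: the CVE-2016-10247 / CVE-2016-10246 hunk deletes "[stretch] - mupdf (Vulnerable code not packaged or compiled)" from both entries while leaving the NOTEs that justify exactly that tag ("Although jstest_main.c compiled during build and mujstest is created it is not included in the produced binary packages"); with the tag gone, stretch's status will be computed from the fixed version 1.11+ds1-1, and the commit message ("Update notes for mupdf") gives no reason for the change. Either restore the tags or explain in the commit message why stretch should now be listed as affected.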
[Git][security-tracker-team/security-tracker][master] Update notes on CVE-2019-8396/hdf5
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 54bbd370 by Neil Williams at 2021-08-05T10:27:17+01:00 Update notes on CVE-2019-8396/hdf5 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -158993,6 +158993,8 @@ CVE-2019-8396 (A buffer overflow in H5O__layout_encode in H5Olayout.c in the HDF - hdf5 NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul4 NOTE: https://jira.hdfgroup.org/browse/HDFFV-10712 + NOTE: HDFFV-10712 is marked to be closed in a future 1.10.8 upstream release. + NOTE: Upstream fix was made in May 2021 after the 1.12.0 release (Mar 2020) CVE-2019-8395 (An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoh ...) NOT-FOR-US: Zoho ManageEngine ServiceDesk Plus CVE-2019-8394 (Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allow ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54bbd370cbdf487de1b4453fe5c11c94f871fbe1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54bbd370cbdf487de1b4453fe5c11c94f871fbe1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
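Review bot: the two new NOTEs say when the HDFFV-10712 fix was made and which release will carry it, but give no link to the fix commit, and the package line "- hdf5" still has no fixed Debian version; add "NOTE: Fixed by: <upstream commit>" and, since the NOTE states the fix post-dates 1.12.0, make sure the entry's status reflects that the released 1.12.0 is still affected (a Debian bug number would help here too).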
[Git][security-tracker-team/security-tracker][master] Update notes for condor and ceph in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 51306ebc by Markus Koschany at 2021-07-26T09:45:19+02:00 Update notes for condor and ceph in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -25,6 +25,8 @@ ceph (Markus Koschany) NOTE: 20200928: Packages prepared and available at http://apt.inguza.net/stretch-lts/ceph/ NOTE: 20200928: If someone know how to test the packages please take this build and upload (after testing it). NOTE: 20210118: wip (Emilio) + NOTE: 20210726: https://people.debian.org/~apo/lts/ceph/ + NOTE: 20210726: Patch for CVE-2018-16846 is not complete yet. -- condor (Markus Koschany) NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto) @@ -35,6 +37,8 @@ condor (Markus Koschany) NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o (roberto) NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto) NOTE: 20210205: Some patches seems to be available but not clear if it solves the whole issue or not. (ola) + NOTE: 20210726: https://people.debian.org/~apo/lts/condor/ + NOTE: 20210726: Needs more testing -- curl (Adrian Bunk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/51306ebcf742138e3d37aca3266191bc9711d1ab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/51306ebcf742138e3d37aca3266191bc9711d1ab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
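Review bot: the ceph NOTEs "https://people.debian.org/~apo/lts/ceph/" and "Patch for CVE-2018-16846 is not complete yet" carry no signature, whereas every other NOTE in this block does ("(Emilio)", "(roberto)", "(ola)"); add "(apo)" so the status can be attributed if the claim changes hands, and say what is still missing from the CVE-2018-16846 patch so the next person can pick it up.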
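Review bot: "NOTE: 20210726: Needs more testing" in the condor hunk says nothing about what was tested or what remains (the earlier 20210205 note already flagged that it is unclear whether the available patches solve the whole issue); state which patches the packages under https://people.debian.org/~apo/lts/condor/ include and which tests are outstanding, and sign the notes like the rest of the block.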
[Git][security-tracker-team/security-tracker][master] Update NOTES for ruby-kaminari.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 0a0a199d by Markus Koschany at 2021-07-19T17:58:33+02:00 Update NOTES for ruby-kaminari. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -104,6 +104,9 @@ ruby-kaminari NOTE: 20200928: It should prepend_features from Kaminari::Helpers::Tag. (utkarsh) NOTE: 20201009: This (↑) is an app-level patch for a rails app. A library-level patch NOTE: 20201009: will needed to be written. Opened an issue at upstream, though somewhat inactive. (utkarsh) + NOTE: 20210719: https://people.debian.org/~apo/lts/ruby-kaminari/CVE-2020-11082.patch + NOTE: 20210719: I believe the fix is just adding and extending the blacklist for ruby-kaminari. + NOTE: 20210719: Will discuss this with Utkarsh (maintainer) shortly. -- runc (Anton Gladky) NOTE: 20210612: Not sure if applies to this version. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a0a199d55f485e997c38c9131c8a7fa7fd3beaf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a0a199d55f485e997c38c9131c8a7fa7fd3beaf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
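Review bot: the new NOTE "I believe the fix is just adding and extending the blacklist for ruby-kaminari" does not say whether the linked CVE-2020-11082.patch is the library-level fix that the 20201009 note says still has to be written (as opposed to the app-level prepend_features workaround); make that explicit, and for a blacklist-style fix record which upstream commit or list it was derived from, since a denylist that drifts from upstream's will silently miss entries added later.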
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 71f14cb7 by Thorsten Alteholz at 2021-06-20T23:48:35+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -49,7 +49,7 @@ ffmpeg (Anton Gladky) NOTE: 20210607: won't just be dropped too, etc. etc. (lamby) -- gpac (Thorsten Alteholz) - NOTE: 20210607: WIP + NOTE: 20210620: WIP -- htmldoc (Utkarsh Gupta) -- @@ -121,7 +121,7 @@ shiro (Roberto C. Sánchez) NOTE: 20210511: Upstream provided suggestions/guidance on testing of backported fixes; testing/tweaking is in progress. (roberto) -- slapi-nis (Thorsten Alteholz) - NOTE: 20210607: WIP + NOTE: 20210620: WIP -- sogo (Anton Gladky) NOTE: 20210603: maybe mention in announcement the recommendation to invalidate user View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/71f14cb7706b10e27fa736ac083a52a01186fee7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/71f14cb7706b10e27fa736ac083a52a01186fee7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 7ee5eb5f by Thorsten Alteholz at 2021-05-10T09:43:10+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -60,6 +60,7 @@ golang-gogoprotobuf NOTE: 20210329: See discussion at https://lists.debian.org/debian-lts/2021/03/msg00011.html -- gpac (Thorsten Alteholz) + NOTE: 20210510: WIP -- gsoap (Abhijith PA) NOTE: 20210420: upstream only responded with suggestion to upgrade (abhijith) @@ -97,6 +98,7 @@ phpseclib (Abhijith PA) rails (Utkarsh) -- ring (Thorsten Alteholz) + NOTE: 20210510: WIP (need to update other releases first) -- ruby-actionpack-page-caching NOTE: 20200819: Upstream's patch on does not apply due to subsequent View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ee5eb5f6a9c93a4430cf00ca72244f46cc131f7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ee5eb5f6a9c93a4430cf00ca72244f46cc131f7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2019-20790 (indicating revisit)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e9fa2a99 by Salvatore Bonaccorso at 2021-04-07T21:50:54+02:00 Update notes for CVE-2019-20790 (indicating revisit) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -71056,8 +71056,9 @@ CVE-2019-20790 (OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf NOTE: https://sourceforge.net/p/opendmarc/tickets/235/ NOTE: https://www.usenix.org/system/files/sec20fall_chen-jianjun_prepub_0.pdf NOTE: Issue is disputed upstream and considered "work as designed" (wontfix) - NOTE: https://github.com/trusteddomainproject/OpenDMARC/blob/develop/SECURITY/CVE-2019-20970 - NOTE: (there ia typo in above reference) + NOTE: https://github.com/trusteddomainproject/OpenDMARC/blob/develop/SECURITY/CVE-2019-20790 + NOTE: Upstream reconsidering position: + NOTE: https://github.com/trusteddomainproject/OpenDMARC/issues/158 CVE-2020-12266 (An issue was discovered where there are multiple externally accessible ...) NOT-FOR-US: WAVLINK CVE-2020-12265 (The decompress package before 4.2.1 for Node.js is vulnerable to Arbit ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9fa2a9934ec5d52d995bc69b0155a16c054d36a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9fa2a9934ec5d52d995bc69b0155a16c054d36a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
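Review bot: after this hunk the entry still carries "NOTE: Issue is disputed upstream and considered "work as designed" (wontfix)" directly above the new "NOTE: Upstream reconsidering position:"; the two contradict each other, and the "(wontfix)" verdict is what downstream readers act on. Suggest rewording the older NOTE as "was disputed ... (wontfix), but see below" or moving the verdict into the new note until https://github.com/trusteddomainproject/OpenDMARC/issues/158 is resolved.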
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: c790f7ed by Thorsten Alteholz at 2021-04-04T19:35:19+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -52,7 +52,7 @@ firmware-nonfree golang-github-appc-cni (Thorsten Alteholz) NOTE: 20210221: also taking care of reverse dependencies NOTE: 20210221: also taking care of other suites - NOTE: 20210321: still WIP + NOTE: 20210304: still WIP, trying to automize golang updates -- golang-gogoprotobuf NOTE: 20210218: If you have any idea why this is called the "skippy peanut butter" issue, I would be mildly interested. (lamby) @@ -66,8 +66,8 @@ golang-gogoprotobuf gsoap -- libebml (Thorsten Alteholz) - NOTE: 20210307: testing package NOTE: 20210321: preparing buster debdiff as well + NOTE: 20210404: still WIP -- linux (Ben Hutchings) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c790f7ed7c84ad9d9efbafc9803b088df9ad0bcb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c790f7ed7c84ad9d9efbafc9803b088df9ad0bcb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
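Review bot: the replacement golang-github-appc-cni NOTE is dated "20210304" but it replaces a "20210321" note in a commit made on 2021-04-04, so the date goes backwards; it is almost certainly meant to be 20210404 (the libebml hunk in the same commit uses 20210404). "automize" should also read "automate".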
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2019-18790 and CVE-2019-18351 for asterisk
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e54e9076 by Salvatore Bonaccorso at 2021-03-13T21:26:46+01:00 Update notes for CVE-2019-18790 and CVE-2019-18351 for asterisk - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -97998,6 +97998,9 @@ CVE-2019-18790 (An issue was discovered in channels/chan_sip.c in Sangoma Asteri [stretch] - asterisk (Minor issue) NOTE: https://downloads.asterisk.org/pub/security/AST-2019-006.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-28589 + NOTE: Technically CVE-2019-18790 exists because of an incomplete fix of CVE-2019-18351, both + NOTE: referring to AST-2019-006. The upstream advisory never used though CVE-2019-18351, but + NOTE: only referenced CVE-2019-18790. CVE-2019-18789 RESERVED CVE-2019-18788 
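Review bot: the three added NOTE lines read awkwardly ("The upstream advisory never used though CVE-2019-18351" should be "The upstream advisory, however, never used CVE-2019-18351"), and the same text is duplicated verbatim in the CVE-2019-18351 hunk of this commit. Keep the full explanation in one entry and have the other cross-reference it ("see CVE-2019-18351"), so a later correction does not have to be made twice.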
@@ -101477,7 +101480,11 @@ CVE-2019-18353 CVE-2019-18352 (Improper access control exists on PHOENIX CONTACT FL NAT 2208 devices ...) NOT-FOR-US: PHOENIX CONTACT FL NAT 2208 devices CVE-2019-18351 (An issue was discovered in channels/chan_sip.c in Sangoma Asterisk thr ...) - TODO: check + NOTE: https://downloads.asterisk.org/pub/security/AST-2019-006.html + NOTE: Technically CVE-2019-18790 exists because of an incomplete fix of CVE-2019-18351, both + NOTE: referring to AST-2019-006. The upstream advisory never used though CVE-2019-18351, but + NOTE: only referenced CVE-2019-18790. CVE-2019-18351 only got picked up later on. + TODO: check with MITRE if CVE-2019-18351 simply should be dropped CVE-2019-18350 (In Ant Design Pro 4.0.0, reflected XSS in the user/login redirect GET ...) NOT-FOR-US: Ant Design Pro CVE-2019-18349 (HotkeyP through 4.9 r96 allows privilege escalation in the privilege f ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e54e90769e80057ca5469ac296d0f38d58207011 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e54e90769e80057ca5469ac296d0f38d58207011 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
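Review bot: the CVE-2019-18351 hunk replaces "TODO: check" with NOTEs and a new TODO but adds no package line; unlike CVE-2019-18790, which has "[stretch] - asterisk (Minor issue)" and its version lines above it, this entry still lists no "- asterisk ..." status, so the tracker shows nothing for asterisk under this id while MITRE is consulted. Until it is dropped, give it the same package/version lines as CVE-2019-18790 (or mark it explicitly as a duplicate) so the two ids do not report different states for the same code.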
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 48428dda by Thorsten Alteholz at 2021-03-07T23:14:30+01:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -49,6 +49,7 @@ golang-1.8 (Sylvain Beucler) -- golang-github-appc-cni (Thorsten Alteholz) NOTE: 20210221: also taking care of reverse dependencies + NOTE: 20210221: also taking care of other suites -- golang-gogoprotobuf (Ola Lundqvist) NOTE: 20210218: If you have any idea why this is called the "skippy peanut butter" issue, I would be mildly interested. (lamby) @@ -56,7 +57,7 @@ golang-gogoprotobuf (Ola Lundqvist) gsoap -- libebml (Thorsten Alteholz) - NOTE: 20210221: testing package + NOTE: 20210307: testing package (not yet finished) -- linux (Ben Hutchings) -- @@ -121,7 +122,7 @@ spotweb NOTE: 20210127: Upstream says "we can fix this but it may take some time", revisit later (Beuc) -- subversion (Thorsten Alteholz) - NOTE: 20210221: solving build problems + NOTE: 20210307: solving build problems (on IPv6 only host) -- tomcat7 (Utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/48428dda6dda968cb3c67bdb2ddfdb276c181722 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/48428dda6dda968cb3c67bdb2ddfdb276c181722 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 532f3a0c by Thorsten Alteholz at 2021-02-21T15:46:19+01:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -53,6 +53,7 @@ golang-1.7 (Sylvain Beucler) golang-1.8 (Sylvain Beucler) -- golang-github-appc-cni (Thorsten Alteholz) + NOTE: 20210221: also taking care of reverse dependencies -- golang-gogoprotobuf NOTE: 20210218: If you have any idea why this is called the "skippy peanut butter" issue, I would be mildly interested. (lamby) @@ -63,6 +64,7 @@ guacamole-server (Anton Gladky) jackson-dataformat-cbor -- libebml (Thorsten Alteholz) + NOTE: 20210221: testing package -- linux (Ben Hutchings) -- @@ -119,6 +121,7 @@ spotweb NOTE: 20210127: Upstream says "we can fix this but it may take some time", revisit later (Beuc) -- subversion (Thorsten Alteholz) + NOTE: 20210221: solving build problems -- xmlbeans (Roberto C. Sánchez) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/532f3a0c052db82e5fdbab7a78322d01a4a0fbf0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/532f3a0c052db82e5fdbab7a78322d01a4a0fbf0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 0abb3700 by Thorsten Alteholz at 2021-01-17T22:32:09+01:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -75,7 +75,7 @@ opendmarc (Abhijith PA) -- openjpeg2 (Thorsten Alteholz) NOTE: 20201220: more CVEs appeared - NOTE: 20210104: testing package + NOTE: 20210117: testing package -- php-horde-trean NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in https://bugs.horde.org/ticket/14926 (sunweaver) @@ -122,7 +122,7 @@ slirp (pu-Thorsten Alteholz) NOTE: CVE-2020-7039 to be applied patched first, as they both patch NOTE: the same lines of code in tcp_subr.c (bam). NOTE: update has to done in sid->buster->stretch - NOTE: 20200401: waiting for pu + NOTE: 20200417: still waiting for pu, probably 30.01.2021 -- spotweb NOTE: 20201220: The affected code (PHP!) uses string concatenation to construct a SQL query. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0abb37001dc1169b329e9776e5f5d20e69617a94 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0abb37001dc1169b329e9776e5f5d20e69617a94 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
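Review bot: the new slirp NOTE is stamped "20200417" in a commit made on 2021-01-17, and the note it replaces ("20200401: waiting for pu") was itself added on 2021-01-04 (commit 5554e2df later in this log), so both stamps are a year off; use 20210117, and write the expected date in the file's YYYYMMDD form ("probably 20210130") rather than "30.01.2021".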
[Git][security-tracker-team/security-tracker][master] Update notes on CVE-2020-28374/tcmu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 46270ab9 by Salvatore Bonaccorso at 2021-01-13T16:40:35+01:00 Update notes on CVE-2020-28374/tcmu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16325,8 +16325,13 @@ CVE-2020-28374 (In drivers/target/target_core_xcopy.c in the Linux kernel before - tcmu (bug #980007) NOTE: https://git.kernel.org/linus/2896c93811e39d63a4d9b63ccf12a8fbc226e5e4 NOTE: https://www.openwall.com/lists/oss-security/2021/01/12/12 - NOTE: tcmu-runner patch: https://bugzilla.suse.com/attachment.cgi?id=844924=diff=patch==1=raw NOTE: https://github.com/open-iscsi/tcmu-runner/issues/645 + NOTE: https://github.com/open-iscsi/tcmu-runner/pull/644 + NOTE: Fixed by: https://github.com/open-iscsi/tcmu-runner/commit/2b16e96e6b63d0419d857f53e4cc67f0adb383fd + NOTE: Some followup fixes: https://github.com/open-iscsi/tcmu-runner/pull/646 + NOTE: https://github.com/open-iscsi/tcmu-runner/commit/b202dc06ef391c6ab9a7561856238a258de04663 + NOTE: https://github.com/open-iscsi/tcmu-runner/commit/170bfa63288a399b38c35eb646b2835d4ba7c08a + NOTE: https://github.com/open-iscsi/tcmu-runner/commit/01685b2ab8c430c0fb9ce397e7e76b60fe6cbde5 CVE-2020-28373 (upnpd on certain NETGEAR devices allows remote (LAN) attackers to exec ...) NOT-FOR-US: Netgear CVE-2020-28372 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46270ab9f4e9faef5a3682df176dc520f3d2fa3c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46270ab9f4e9faef5a3682df176dc520f3d2fa3c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
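Review bot: replacing the removed "NOTE: tcmu-runner patch: https://bugzilla.suse.com/attachment.cgi?id=844924=diff=patch==1=raw" (a URL that had lost its "&" separators) with the upstream PR and commit links is the right call, but the package line "- tcmu (bug #980007)" still has no fixed version, and the hunk lists one "Fixed by:" commit plus "Some followup fixes" (PR #646 and three commits) without saying whether the follow-ups are required for the fix to be complete. State which set of commits a Debian upload must carry.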
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 5554e2df by Thorsten Alteholz at 2021-01-04T08:39:47+01:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -95,6 +95,7 @@ opendmarc (Abhijith PA) -- openjpeg2 (Thorsten Alteholz) NOTE: 20201220: more CVEs appeared + NOTE: 20210104: testing package -- pacemaker (Markus Koschany) NOTE: 20201228: See #974563 for further information. @@ -142,11 +143,12 @@ shiro (Roberto C. Sánchez) NOTE: 20201004: Sent additional request to upstream dev list; stil no response. (roberto) NOTE: 20201220: Upstream has responded. Working with them to backport fixes. (roberto) -- -slirp (Thorsten Alteholz) +slirp (pu-Thorsten Alteholz) NOTE: Upstream patch for CVE-2020-8608 requires patches for NOTE: CVE-2020-7039 to be applied patched first, as they both patch NOTE: the same lines of code in tcp_subr.c (bam). NOTE: update has to done in sid->buster->stretch + NOTE: 20200401: waiting for pu -- snapd (Brian May) NOTE: Needs rebuild for CVE-2019-11840 in golang-go.crypto. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5554e2dfa73a693ad4a74ba74c29138c6ab7d7f4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5554e2dfa73a693ad4a74ba74c29138c6ab7d7f4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
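Review bot: the new NOTE "20200401: waiting for pu" is stamped a year too early for a commit made on 2021-01-04 (the openjpeg2 NOTE in the same commit correctly uses 20210104); use 20210104. The "(pu-Thorsten Alteholz)" claimant form does not appear anywhere else in the lines visible here, so a NOTE saying that the stretch update is blocked on the buster point update would be clearer than encoding it in the claimant field.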
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2020-15719/openldap
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 69e0366f by Salvatore Bonaccorso at 2020-07-17T21:21:03+02:00 Update notes for CVE-2020-15719/openldap In general it looks as if we might simply consider this a Red Hat specific problem. The issue was disputed upstream as being valid, with the comment that the behaviour in libldap conforms with RFC4513 and it is still authoritative for OpenLDAP as RFC6125 does not supersede the rules for verifying service identity provided in specifications for existing applications like LDAPs. For details see the comments from Ryan Tandy as raised in https://bugs.debian.org/965184#10. It would seem reasonable to not diverge from upstream in Debian unless this problem is considered severe enough. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -195,10 +195,13 @@ CVE-2020-15720 (In Dogtag PKI through 10.8.3, the pki.client.PKIConnection class NOTE: https://github.com/dogtagpki/pki/commit/50c23ec146ee9abf28c9de87a5f7787d495f0b72 CVE-2020-15719 (libldap in certain third-party OpenLDAP packages has a certificate-val ...) - openldap (bug #965184) - NOTE: https://bugs.openldap.org/show_bug.cgi?id=9266 (private) + NOTE: https://bugs.openldap.org/show_bug.cgi?id=9266 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1740070 - NOTE: RedHat/CentOS Patch: https://git.centos.org/rpms/openldap/raw/67459960064be9d226d57c5f82aaba0929876813/f/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch - NOTE: Affected file is compiled but Debian openssl uses GnuTLS. + NOTE: RedHat/CentOS applied patch: https://git.centos.org/rpms/openldap/raw/67459960064be9d226d57c5f82aaba0929876813/f/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch + NOTE: OpenLDAP upstream did dispute the issue as beeing valid, as the current libldap + NOTE: behaviour does conform with RFC4513. RFC6125 does not superseed the rules for + NOTE: verifying service identity provided in specifications for existing application + NOTE: protocols published prior to RFC6125, like RFC4513 for LDAP. CVE-2020-15718 (RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation o ...) NOT-FOR-US: RosarioSIS CVE-2020-15717 (RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation o ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/69e0366f2ae0bdfdfc4898690141afa6410b93f1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/69e0366f2ae0bdfdfc4898690141afa6410b93f1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
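Review bot: the four new NOTE lines carry spelling errors ("beeing", "superseed") that will be copied into the public tracker page, and the hunk deletes "NOTE: Affected file is compiled but Debian openssl uses GnuTLS", which (misworded as it is; it presumably meant that Debian's openldap is built against GnuTLS rather than the OpenSSL tlso backend the RedHat/CentOS patch touches) was the one Debian-specific reason for not treating the issue as affecting the package. The upstream dispute alone does not establish that, so keep a corrected version of that NOTE alongside the RFC4513/RFC6125 explanation, and fix the typos.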
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2020-11989
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b157e921 by Salvatore Bonaccorso at 2020-06-29T21:41:30+02:00 Update notes for CVE-2020-11989 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8170,7 +8170,9 @@ CVE-2020-11990 CVE-2020-11989 (Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic ...) - shiro NOTE: https://www.openwall.com/lists/oss-security/2020/06/22/1 - TODO: check details + NOTE: https://github.com/apache/shiro/pull/211 + NOTE: https://issues.apache.org/jira/browse/SHIRO-753 + TODO: checking with shiro security team CVE-2020-11988 RESERVED CVE-2020-11987 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b157e92149c5070726d943a694411d02875c4e27 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b157e92149c5070726d943a694411d02875c4e27 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
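Review bot: the two added references in the CVE-2020-11989 hunk (apache/shiro/pull/211 and SHIRO-753) are not labelled, so a reader cannot tell whether pull/211 is the upstream fix or only discussion; other entries in this file use "Fixed by:" for that. Since the replacement TODO says the shiro security team is being consulted, suggest adding the label once the fix is confirmed, and keeping the bare "- shiro" line unchanged until then.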
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 2442ef0d by Thorsten Alteholz at 2020-06-21T23:02:53+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -94,14 +94,13 @@ nss (Adrian Bunk) NOTE: 20200615: work is ongoing (bunk) -- opendmarc (Thorsten Alteholz) - NOTE: 20200511: new CVEs arrived (thorsten) - NOTE: 20200524: testing package + NOTE: 20200621: testing package (thorsten) -- perl (Abhijith PA) NOTE: 20200622: Working on failing tests (abhijith) -- php5 (Thorsten Alteholz) - NOTE: 20200524: new CVE arrived (thorsten) + NOTE: 20200621: testing package (thorsten) -- pound NOTE: 20200619: No explicit patch mentioned. Needs deeper research. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2442ef0d29254d1a861eab144a18956ea16ae0e2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2442ef0d29254d1a861eab144a18956ea16ae0e2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
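Review bot: both replaced lines in this dla-needed.txt hunk drop history rather than append to it. For opendmarc, "20200511: new CVEs arrived" and "20200524: testing package" are collapsed into a single "20200621: testing package" line, and for php5 "20200524: new CVE arrived" is replaced the same way, so the record of which CVEs triggered the work is gone. Elsewhere in this file dated NOTE lines are appended (for example the netkit-telnet entries carry 20200310, 20200320 and 20200327 lines in order); suggest appending the 20200621 line and naming the CVE IDs in it instead of rewriting earlier entries.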
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2020-12049/dbus
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d5e3d90b by Salvatore Bonaccorso at 2020-06-04T13:13:02+02:00 Update notes for CVE-2020-12049/dbus - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4225,8 +4225,10 @@ CVE-2020-12049 - dbus 1.12.18-1 [buster] - dbus (Minor issue) [stretch] - dbus (Minor issue) - NOTE: https://gitlab.freedesktop.org/dbus/dbus/-/commit/272d484283883fa9ff95b69d924fff6cd34842f5 - NOTE: https://gitlab.freedesktop.org/dbus/dbus/-/commit/8bc1381819e5a845331650bfa28dacf6d2ac1748 + NOTE: https://www.openwall.com/lists/oss-security/2020/06/04/3 + NOTE: https://gitlab.freedesktop.org/dbus/dbus/-/issues/294 + NOTE: Fixed by: https://gitlab.freedesktop.org/dbus/dbus/-/commit/272d484283883fa9ff95b69d924fff6cd34842f5 + NOTE: Test: https://gitlab.freedesktop.org/dbus/dbus/-/commit/8bc1381819e5a845331650bfa28dacf6d2ac1748 CVE-2020-12048 RESERVED CVE-2020-12047 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5e3d90b5ae0c691520565bc3cabf79813c26eb2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5e3d90b5ae0c691520565bc3cabf79813c26eb2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
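Review bot: the "Fixed by:" / "Test:" labelling on the two dbus commits is the right shape and is clearer than the unlabelled URLs it replaces. One check on the hunk: the "[buster] - dbus (Minor issue)" and "[stretch] - dbus (Minor issue)" lines sit just above the newly added oss-security post (2020/06/04/3) and issue 294, and were not touched; if those references change the assessment, the suite tags should be updated in the same commit so the notes and the status do not disagree.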
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2020-12740
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e6e86210 by Salvatore Bonaccorso at 2020-06-02T06:11:36+02:00 Update notes for CVE-2020-12740 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2284,6 +2284,8 @@ CVE-2020-12740 (tcprewrite in Tcpreplay through 4.3.2 has a heap-based buffer ov - tcpreplay (unimportant) [jessie] - tcpreplay (Vulnerable code added later) NOTE: https://github.com/appneta/tcpreplay/issues/576 + NOTE: https://github.com/appneta/tcpreplay/pull/590 + NOTE: Fixed with: https://github.com/appneta/tcpreplay/issues/578 NOTE: --fuzz-seed in PoC not present until version 4.2.0 NOTE: Crash in CLI tool, no security impact CVE-2020-12739 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6e8621066c481aa5091bee088bc4724e749394a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6e8621066c481aa5091bee088bc4724e749394a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
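Review bot: the added line "NOTE: Fixed with: https://github.com/appneta/tcpreplay/issues/578" points a fix marker at an issue rather than at a commit or pull request, while "pull/590" is added one line above without any label, so it is ambiguous which of the two is the actual fix. Suggest pointing "Fixed with:" at the merged change and listing issue 578 as a plain reference, so the "(unimportant)" assessment and the "Vulnerable code added later" note for jessie can be checked against a concrete diff.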
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2020-8161/ruby-rack
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: df0654cc by Salvatore Bonaccorso at 2020-05-22T23:56:20+02:00 Update notes for CVE-2020-8161/ruby-rack Add a needed followup commit to fix issue uncovered in the testsuite. Reference as well the testcase for the directory traversal issue in Rack::Directory app. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13709,7 +13709,9 @@ CVE-2020-8161 [Directory traversal in Rack::Directory] {DLA-2216-1} - ruby-rack 2.1.1-5 NOTE: https://groups.google.com/forum/#!msg/rubyonrails-security/IOO1vNZTzPA/Ylzi1UYLAAAJ - NOTE: https://github.com/rack/rack/commit/dddb7ad18ed79ca6ab06ccc417a169fde451246e + NOTE: Fixed by: https://github.com/rack/rack/commit/dddb7ad18ed79ca6ab06ccc417a169fde451246e + NOTE: Required followup: https://github.com/rack/rack/commit/e7ba1b0557d3ad97af1ef113bbeb5f27417983fa + NOTE: Test: https://github.com/rack/rack/commit/775c836bdd25b63340399fea739532d746860a94 CVE-2020-8160 RESERVED CVE-2020-8159 (There is a vulnerability in actionpack_page-caching gem v1.2.1 th ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df0654cceafb9bf02ef7b4342db61cb098276b20 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df0654cceafb9bf02ef7b4342db61cb098276b20 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
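Review bot: the hunk adds "Required followup: .../e7ba1b0557d3ad97af1ef113bbeb5f27417983fa" but leaves the fixed version "ruby-rack 2.1.1-5" and the "{DLA-2216-1}" reference unchanged; if the followup is needed for the fix to be correct, as the commit message states, the entry should confirm that both 2.1.1-5 and the DLA carry it, otherwise the fixed-version claim is stronger than the notes support. The "Fixed by:" and "Test:" labels on the other two commits are a clear improvement over the bare URL they replace.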
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2020-12762/json-c
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c6fe75e8 by Salvatore Bonaccorso at 2020-05-15T22:51:32+02:00 Update notes for CVE-2020-12762/json-c Include two additional commits to address the regression (for the master branch) and reference the pull request including backports for 0.13.x, 0.12.x, 0.11 and 0.10. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -703,12 +703,15 @@ CVE-2020-12763 (TRENDnet ProView Wireless camera TV-IP512WN 1.0R 1.0.4 is vulner CVE-2020-12762 (json-c through 0.14 has an integer overflow and out-of-bounds write vi ...) - json-c (bug #960326) NOTE: https://github.com/json-c/json-c/pull/592 - NOTE: https://github.com/json-c/json-c/commit/77d935b7ae7871a1940cd827e850e6063044ec45 NOTE: https://github.com/json-c/json-c/commit/099016b7e8d70a6d5dd814e788bba08d33d48426 + NOTE: https://github.com/json-c/json-c/commit/77d935b7ae7871a1940cd827e850e6063044ec45 NOTE: https://github.com/json-c/json-c/commit/d07b91014986900a3a75f306d302e13e005e9d67 + NOTE: https://github.com/json-c/json-c/commit/519dfe1591d85432986f9762d41d1a883198c157 + NOTE: https://github.com/json-c/json-c/commit/a59d5acfab4485d5133114df61785b1fc633e0c6 NOTE: d07b91014986 ("Fix integer overflows.") introduces a regression tracked as: NOTE: https://github.com/json-c/json-c/issues/599 NOTE: https://github.com/json-c/json-c/pull/610 + NOTE: Working backports for older branches: https://github.com/json-c/json-c/pull/608 CVE-2020-12761 (modules/loaders/loader_ico.c in imlib2 1.6.0 has an integer overflow ( ...) - imlib2 1.6.1-2 (bug #960192) [buster] - imlib2 (Vulnerable code introduced later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c6fe75e8ee2ce0cd9af1849179f01b12a45fc943 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c6fe75e8ee2ce0cd9af1849179f01b12a45fc943 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
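Review bot: the two newly added commits (519dfe1591d85432986f9762d41d1a883198c157 and a59d5acfab4485d5133114df61785b1fc633e0c6) are inserted above the existing line "NOTE: d07b91014986 (\"Fix integer overflows.\") introduces a regression tracked as:", so they read as additional fix commits, whereas the commit message says they address the regression on the master branch. Suggest moving them below the regression note and labelling them (for example "Regression fix:"), and labelling the three original commits "Fixed by:", so the entry distinguishes the fix from the follow-up. The "Working backports for older branches: .../pull/608" line is useful for the bug #960326 work and is well placed at the end.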
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2020-12762/json-c
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 045d8c1a by Salvatore Bonaccorso at 2020-05-15T22:21:00+02:00 Update notes for CVE-2020-12762/json-c - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -706,6 +706,9 @@ CVE-2020-12762 (json-c through 0.14 has an integer overflow and out-of-bounds wr NOTE: https://github.com/json-c/json-c/commit/77d935b7ae7871a1940cd827e850e6063044ec45 NOTE: https://github.com/json-c/json-c/commit/099016b7e8d70a6d5dd814e788bba08d33d48426 NOTE: https://github.com/json-c/json-c/commit/d07b91014986900a3a75f306d302e13e005e9d67 + NOTE: d07b91014986 ("Fix integer overflows.") introduces a regression tracked as: + NOTE: https://github.com/json-c/json-c/issues/599 + NOTE: https://github.com/json-c/json-c/pull/610 CVE-2020-12761 (modules/loaders/loader_ico.c in imlib2 1.6.0 has an integer overflow ( ...) - imlib2 1.6.1-2 (bug #960192) [buster] - imlib2 (Vulnerable code introduced later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/045d8c1a2c2f16fa99a66bad94cfa20579168084 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/045d8c1a2c2f16fa99a66bad94cfa20579168084 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
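Review bot: the three added lines correctly record that d07b91014986 ("Fix integer overflows.") introduced a regression (issue 599, pull 610), but the three commit URLs above them remain unlabelled, so the entry does not say which commits constitute the fix for CVE-2020-12762 and which one is the problematic one; adding "Fixed by:" to those lines, as other entries in this file do, would make the regression note unambiguous. Also, "- json-c (bug #960326)" still has no fixed version, which is expected while pull 610 is pending.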
[Git][security-tracker-team/security-tracker][master] Update notes for ansible
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 30d7d0ff by Brian May at 2020-05-08T07:31:43+10:00 Update notes for ansible - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -11,12 +11,15 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- ansible - NOTE: 20200506: DLA-2202-1 from (20200505) covers CVE-2019-14846, - NOTE: 20200506: CVE-2020-1733, CVE-2020-1739 and CVE-2020-1740 but not - NOTE: 20200506: CVE-2020-1736. The version in jessie does not use the - NOTE: 20200506: `_DEFAULT_PERM` global variable but hardcodes 0777 and 0666 + NOTE: 20200506: CVE-2020-1736: The version in jessie does not use the + NOTE: 20200506: `_DEFAULT_PERM` global variable but hardcodes 0666 NOTE: 20200506: in the atomic_move code in basic.py, so is likely vulnerable. NOTE: 20200506: (lamby) + NOTE: 20200508: bam: Problem exists with new files only. Existing files + NOTE: 20200508: bam: code resets permissions to same value, should be fine. + NOTE: 20200508: bam: Upstream fix was to use 660 - https://github.com/ansible/ansible/pull/68970 + NOTE: 20200508: bam: Upstream fix was reverted - https://github.com/ansible/ansible/pull/68983 + NOTE: 20200508: bam: See https://github.com/ansible/ansible/issues/67794 -- apache-log4j2 (Abhijith PA) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/30d7d0ff2ca51867e1917a180573e6597f940118 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/30d7d0ff2ca51867e1917a180573e6597f940118 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
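Review bot: the replaced 20200506 lines previously recorded that DLA-2202-1 covers CVE-2019-14846, CVE-2020-1733, CVE-2020-1739 and CVE-2020-1740 but not CVE-2020-1736; the new text keeps only the CVE-2020-1736 analysis, so that coverage mapping is lost from the file. The same rewrite also changes "hardcodes 0777 and 0666" to "hardcodes 0666" without saying why. Suggest keeping the original lamby lines and appending the 20200508 bam notes after them, which is also what the file does elsewhere. For the bam analysis itself ("Problem exists with new files only"), a pointer to the relevant atomic_move lines in basic.py would let the next person verify the claim quickly.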
[Git][security-tracker-team/security-tracker][master] Update notes for shiro in jessie LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: aaa1bfe0 by Chris Lamb at 2020-03-29T10:52:37+01:00 Update notes for shiro in jessie LTS. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -83,7 +83,8 @@ ruby-rack NOTE: 20200216: Discussion ongoing on -lts list. (lamby) -- shiro - NOTE: 20200329: https://github.com/apache/shiro/pull/203 + NOTE: 20200329: https://github.com/apache/shiro/pull/203 (lamby) + NOTE: 20200329: See 53dc30bf6823c98 in this repo. (lamby) -- squid3 (Markus Koschany) NOTE: 20200309: Requires more tests. (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aaa1bfe0865de13a653731e025177f0a40703a42 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aaa1bfe0865de13a653731e025177f0a40703a42 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
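Review bot: the added line "See 53dc30bf6823c98 in this repo." gives a short hash with no summary of what that commit changed, so a reader of dla-needed.txt has to dig through the tracker history to understand the shiro status; suggest stating the commit's subject (for example what it recorded for CVE-2020-1957) next to the hash. Appending "(lamby)" to the earlier pull/203 line matches the file's convention of tagging each note with its author.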
[Git][security-tracker-team/security-tracker][master] Update notes regarding CVE-2020-10188 in netkit-telnet and netkit-telnet-ssl.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 326b5db2 by Chris Lamb at 2020-03-27T09:28:39+00:00 Update notes regarding CVE-2020-10188 in netkit-telnet and netkit-telnet-ssl. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -2001,6 +2001,7 @@ CVE-2020-10188 (utility.c in telnetd in netkit telnet through 0.17 allows remote - netkit-telnet (bug #953477) - netkit-telnet-ssl (bug #953478) NOTE: https://appgateresearch.blogspot.com/2020/02/bravestarr-fedora-31-netkit-telnetd_28.html + NOTE: https://github.com/marado/netkit-telnet-ssl/issues/5 TODO: check further details CVE-2019-20503 (usrsctp before 2019-12-20 has out-of-bounds reads in sctp_load_address ...) {DSA-4645-1 DSA-4642-1 DSA-4639-1 DLA-2150-1 DLA-2140-1} = data/dla-needed.txt = @@ -52,10 +52,12 @@ mumble (Abhijith PA) netkit-telnet NOTE: 20200310: No patch available, yet. Only PoC. (sunweaver) NOTE: 20200320: Upstream's dead, keep an eye on other distros and krb5-appl (embed). (beuc) + NOTE: 20200327: Pinged issue on the ~new upstream. (lamby) -- netkit-telnet-ssl NOTE: 20200310: No patch available, yet. Only PoC. (sunweaver) NOTE: 20200320: Upstream's dead, keep an eye on other distros and krb5-appl (embed). (beuc) + NOTE: 20200327: Pinged issue on the ~new upstream. (lamby) -- nss (Thorsten Alteholz) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/326b5db2a068cc9b1890a16c49e5dd6284e6e42d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/326b5db2a068cc9b1890a16c49e5dd6284e6e42d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
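Review bot: the first hunk adds https://github.com/marado/netkit-telnet-ssl/issues/5 to the CVE-2020-10188 entry, but the second hunk's two dla-needed.txt notes ("20200327: Pinged issue on the ~new upstream.") do not link to it, so anyone reading dla-needed.txt has to cross-reference data/CVE/list to find the issue; suggest repeating the URL in the note. The "TODO: check further details" line and the bug #953477 / #953478 references remain, so the entry still reads as unfixed, which matches the "No patch available, yet" notes.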
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 99a09904 by Thorsten Alteholz at 2020-03-09T09:24:19+01:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -45,6 +45,7 @@ lua-cgi NOTE: 20200227: may not be entirelly reliable. One possibility is to declare it unsupported. (Ola) -- nova (Thorsten Alteholz) + NOTE: 20200309: work is ongoing -- opendmarc (Thorsten Alteholz) NOTE: 20200302: still testing package, original patch does not seem to be enough, still ongoing @@ -89,6 +90,7 @@ tomcat8 (Abhijith PA) NOTE: 20200224: Guess embedding latest branch of 8.5.x in debian package is the way to go (abhijith) -- weechat (Thorsten Alteholz) + NOTE: 20200309: work is ongoing -- wpa NOTE: 20200218: fix for CVE-2019-5061 removes IAPP functionality from hostapd, which is View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99a09904b9e074f5ae8e940f5314663df4d73d14 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99a09904b9e074f5ae8e940f5314663df4d73d14 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
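Review bot: the two added lines "NOTE: 20200309: work is ongoing" for nova and weechat have no author tag, whereas the surrounding notes in this hunk are signed ("(Ola)", "(abhijith)"); suggest appending "(thorsten)" for consistency. "work is ongoing" also gives no detail; naming the CVE or the step in progress, as the opendmarc note in the same hunk does, would make the entry useful to the next triager.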
[Git][security-tracker-team/security-tracker][master] update notes on CVE-2020-9274/pure-ftpd
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: ef8e3564 by Roberto C. Sánchez at 2020-02-27T18:31:49-05:00 update notes on CVE-2020-9274/pure-ftpd - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -362,8 +362,10 @@ CVE-2020-9275 CVE-2020-9274 (An issue was discovered in Pure-FTPd 1.0.49. An uninitialized pointer ...) - pure-ftpd 1.0.49-4 (bug #952666) NOTE: https://github.com/jedisct1/pure-ftpd/commit/8d0d42542e2cb7a56d645fbe4d0ef436e38bcefa - NOTE: though the CVE description does not specifically say, the issue seems to be a heap out-of-bounds read - NOTE: probably not the end of the world, but it is made worse by use of the rather unsafe strcmp() instead of strncmp() in the vulnerable functions + NOTE: though the CVE description does not specifically say, the issue seems to be an + NOTE: out-of-bounds memory read which may result in information disclosure; + NOTE: probably not the end of the world, but it is made worse by use of the rather + NOTE: unsafe strcmp() instead of strncmp() in the vulnerable functions CVE-2020-9273 (In ProFTPD 1.3.7, it is possible to corrupt the memory pool by interru ...) {DSA-4635-1 DLA-2115-1} - proftpd-dfsg 1.3.6c-1 (bug #951800) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ef8e356471d8d32e15f7a590d76b91ccfd0af502 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ef8e356471d8d32e15f7a590d76b91ccfd0af502 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
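Review bot: the reworded note now says "out-of-bounds memory read which may result in information disclosure" where the previous text said "heap out-of-bounds read"; since the CVE description speaks of an "uninitialized pointer", it would help to say that this characterisation is taken from the referenced fix commit 8d0d42542e2cb7a56d645fbe4d0ef436e38bcefa, so the severity reasoning is traceable. On the "rather unsafe strcmp() instead of strncmp()" remark, strncmp() only bounds the comparison if the length passed reflects the real buffer size, so pointing at where the fix changes the comparison would strengthen the note. Wrapping the long lines at the file's usual width is a good cleanup.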
[Git][security-tracker-team/security-tracker][master] update notes on CVE-2020-9274/pure-ftpd
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: d691cbad by Roberto C. Sánchez at 2020-02-27T17:14:35-05:00 update notes on CVE-2020-9274/pure-ftpd - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -362,6 +362,8 @@ CVE-2020-9275 CVE-2020-9274 (An issue was discovered in Pure-FTPd 1.0.49. An uninitialized pointer ...) - pure-ftpd 1.0.49-4 (bug #952666) NOTE: https://github.com/jedisct1/pure-ftpd/commit/8d0d42542e2cb7a56d645fbe4d0ef436e38bcefa + NOTE: though the CVE description does not specifically say, the issue seems to be a heap out-of-bounds read + NOTE: probably not the end of the world, but it is made worse by use of the rather unsafe strcmp() instead of strncmp() in the vulnerable functions CVE-2020-9273 (In ProFTPD 1.3.7, it is possible to corrupt the memory pool by interru ...) {DSA-4635-1 DLA-2115-1} - proftpd-dfsg 1.3.6c-1 (bug #951800) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d691cbade58a84e3f21ac01363145eac315275b1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d691cbade58a84e3f21ac01363145eac315275b1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
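Review bot: the two added NOTE lines are far longer than the other notes in this file, which wrap at roughly 80 columns with a leading "NOTE:" on each continuation line; suggest wrapping them the same way. Content-wise, "the issue seems to be a heap out-of-bounds read" is an assessment rather than something from the CVE text, so naming its basis (the fix commit referenced on the line above) would let a later reader confirm it.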
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2020-7105 in src:hiredis.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: db08594d by Chris Lamb at 2020-01-29T12:12:24+01:00 Update notes for CVE-2020-7105 in src:hiredis. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2839,7 +2839,8 @@ CVE-2020-7106 (Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_i NOTE: https://github.com/Cacti/cacti/commit/b1c70e19466a6e69284e24cde437b55ccc454bee CVE-2020-7105 (async.c and dict.c in libhiredis.a in hiredis through 0.14.0 allow a N ...) - hiredis (bug #949995) - NOTE: https://github.com/redis/hiredis/issues/754 + NOTE: https://github.com/redis/hiredis/pull/754 + NOTE: https://github.com/redis/hiredis/pull/756 CVE-2020-7104 (The chained-quiz plugin 1.1.8.1 for WordPress has reflected XSS via th ...) NOT-FOR-US: chained-quiz plugin for WordPress CVE-2019-20380 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/db08594dadd325d674a6213fb5288a9e3145fc39 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/db08594dadd325d674a6213fb5288a9e3145fc39 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
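Review bot: the hunk replaces issues/754 with pull/754 and adds pull/756, but neither is labelled, so it is unclear which pull request (or both) is the fix for CVE-2020-7105; the file uses "Fixed by:" for that elsewhere, and "- hiredis (bug #949995)" still carries no fixed version. Note also that data/dla-needed.txt says for hiredis "20200118: no upstream patches, yet, but should be easy to fix (sunweaver)"; with these pull requests now referenced, that note should be updated in the same change.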
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 6e426d65 by Thorsten Alteholz at 2020-01-19T22:53:35+01:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -22,6 +22,7 @@ gpac (Sylvain Beucler) NOTE: triaging when more information are available. (apo) -- graphicsmagick (Thorsten Alteholz) + NOTE: 20200119: WIP -- hiredis (Chris Lamb) NOTE: 20200118: no upstream patches, yet, but should be easy to fix (sunweaver) @@ -69,7 +70,7 @@ linux-4.9 (Ben Hutchings) nss (Markus Koschany) -- opendmarc (Thorsten Alteholz) - NOTE: 20200105: still testing package, original patch does not seem to be enough, still ongoing + NOTE: 20200119: still testing package, original patch does not seem to be enough, still ongoing -- openjdk-7 (Emilio) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6e426d65892d1521674fb48ca662b5788a4a6793 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6e426d65892d1521674fb48ca662b5788a4a6793 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
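Review bot: the added "NOTE: 20200119: WIP" for graphicsmagick carries no author tag and no detail, unlike the neighbouring hiredis note which is signed "(sunweaver)" and states what is known. In the second hunk the opendmarc line only has its date bumped from 20200105 to 20200119 while the text ("original patch does not seem to be enough, still ongoing") is unchanged; appending a dated line saying what was tried since would preserve the history rather than overwrite it.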
[Git][security-tracker-team/security-tracker][master] Update notes
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: ea4afc40 by Utkarsh Gupta at 2020-01-10T23:33:04+05:30 Update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -87,13 +87,13 @@ radare2 NOTE: https://lists.debian.org/debian-lts/2019/08/msg00064.html -- ruby-excon (Utkarsh Gupta) + NOTE: 20200110: Pinged upstream for help in debugging freezing tests. -- ruby-rack NOTE: 20191219: The security update causes a regression and also, there's a NOTE: slight possibility of this patch inducing a backdoor on its own. (utkarsh2102) -- ruby-rack-cors - NOTE: 20191218: Debugging test failures. (utkarsh2102) -- slurm-llnl NOTE: 20191125: up for testing https://people.debian.org/~abhijith/upload/slurm-llnl_14.03.9-5+deb8u5.dsc View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ea4afc403873be3613516776e519e0fecd38cfd5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ea4afc403873be3613516776e519e0fecd38cfd5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
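Review bot: the hunk deletes the only note under ruby-rack-cors ("20191218: Debugging test failures. (utkarsh2102)") without recording an outcome, so the entry now has no status at all; if the test failures were resolved, say so, otherwise keep the line. The new ruby-excon note ("Pinged upstream for help in debugging freezing tests.") lacks the "(utkarsh2102)" author tag used on the ruby-rack note just below it.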
[Git][security-tracker-team/security-tracker][master] Update notes on CVE-2019-16787
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 73b39fcd by Salvatore Bonaccorso at 2019-12-21T07:59:44Z Update notes on CVE-2019-16787 CVE-2019-19905 was assigned by the same issue in netcat. CVE-2019-16787 by the Github team, CVE-2019-19905, by MITRE CNA. Handling of both CVEs requested to MITRE. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -96,6 +96,10 @@ CVE-2019-19906 (cyrus-sasl (aka Cyrus SASL) 2.1.27 has an out-of-bounds write le - cyrus-sasl2 (bug #947043) NOTE: https://github.com/cyrusimap/cyrus-sasl/issues/587 NOTE: https://www.openldap.org/its/index.cgi/Incoming?id=9123 +CVE-2019-16787 + NOTE: https://github.com/NetHack/NetHack/security/advisories/GHSA-3cm7-rgh5-9pq5 + NOTE: Duplicate of CVE-2019-19905 + TODO: wait for MITRE CNA on feedback CVE-2019-19905 (NetHack before 3.6.4 is prone to a buffer overflow vulnerability when ...) - nethack (low; bug #947005) [buster] - nethack (Minor issue) @@ -15623,8 +15627,6 @@ CVE-2019-16789 RESERVED CVE-2019-16788 RESERVED -CVE-2019-16787 - RESERVED CVE-2019-16786 RESERVED CVE-2019-16785 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/73b39fcdf9e687edd114bbe8fe44ca2e00cbd614 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/73b39fcdf9e687edd114bbe8fe44ca2e00cbd614 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
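Review bot: the new CVE-2019-16787 entry records "Duplicate of CVE-2019-19905", but the CVE-2019-19905 entry directly below it is not changed, so the duplicate relationship is only visible from one side; adding a reciprocal note there would help when either ID is looked up. The commit message also explains that CVE-2019-16787 was assigned by the GitHub team and CVE-2019-19905 by the MITRE CNA; putting that provenance into the NOTE next to "TODO: wait for MITRE CNA on feedback" would make the pending action understandable from the data file alone. Removing "CVE-2019-16787 RESERVED" in the second hunk is the right counterpart to the new entry.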
[Git][security-tracker-team/security-tracker][master] Update notes for ibus
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 2bde5a62 by Brian May at 2019-12-09T06:44:30Z Update notes for ibus - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -26,7 +26,9 @@ freeimage (hle) NOTE: 20191123: upstream appears to have merged a modified version of my patch -- ibus - NOTE: 20191020: Fix for regression in KDE apps still not available (apo) + NOTE: 20191210: Requires glib2.0 to be patched also. + NOTE: 20191210: See https://bugs.debian.org/941018 + NOTE: 20191210: See https://gitlab.gnome.org/GNOME/glib/merge_requests/1176 -- intel-microcode NOTE: 20191113: Waiting for DSA-4565-2 first View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2bde5a628d806700db91d89962d8b99cbca1553e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2bde5a628d806700db91d89962d8b99cbca1553e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
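Review bot: the hunk removes "20191020: Fix for regression in KDE apps still not available (apo)" rather than appending to it, so the file no longer says whether that KDE regression was resolved or is superseded by the glib2.0 dependency; suggest keeping the old line and adding the three 20191210 notes after it. The new lines also lack an author tag, unlike the removed one, and their date (20191210) does not match the commit timestamp (2019-12-09T06:44:30Z), which is worth a quick check.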
[Git][security-tracker-team/security-tracker][master] Update notes on CVE-2019-17498/libssh2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 18a22792 by Salvatore Bonaccorso at 2019-10-27T12:51:55Z Update notes on CVE-2019-17498/libssh2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3179,6 +3179,10 @@ CVE-2019-17498 (In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT l - libssh2 (bug #943562) NOTE: https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c NOTE: https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/ + NOTE: Backported SUSE patch for versions <= 1.8.0 (including struct string_buf, + NOTE: and the functions _libssh2_check_length(), _libssh2_get_u32() and + NOTE: libssh2_get_string(), forming part of the fix): + NOTE: https://bugzilla.suse.com/attachment.cgi?id=822416 CVE-2018-21028 (Boa through 0.94.14rc21 allows remote attackers to trigger a memory le ...) - boa CVE-2018-21027 (Boa through 0.94.14rc21 allows remote attackers to trigger an out-of-m ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/18a227922360dec6b17b78c2ff96d034fa8d93b0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/18a227922360dec6b17b78c2ff96d034fa8d93b0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
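Review bot: the added note says the SUSE patch forms "part of the fix" for versions <= 1.8.0, but does not say whether it is a complete backport of the upstream commit dedcbd106f8e52d5586b0205bc7677e4c9868f9c referenced two lines above or covers only the listed helpers (struct string_buf, _libssh2_check_length(), _libssh2_get_u32(), libssh2_get_string()); stating that would tell whoever works on bug #943562 whether more is needed. Recording the bugzilla.suse.com bug number alongside the attachment URL would also make the reference easier to locate if the attachment link changes.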
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2019-14368/exiv2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: abcd624d by Salvatore Bonaccorso at 2019-10-26T13:54:07Z Update notes for CVE-2019-14368/exiv2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12581,8 +12581,10 @@ CVE-2019-14369 (Exiv2::PngImage::readMetadata() in pngimage.cpp in Exiv2 0.27.99 NOTE: fixed through CVE-2019-13504 NOTE: https://github.com/Exiv2/exiv2/commit/bd0afe0390439b2c424d881c8c6eb0c5624e31d9 CVE-2019-14368 (Exiv2 0.27.99.0 has a heap-based buffer over-read in Exiv2::RafImage:: ...) - - exiv2 (Doesn't seem to affect 0.25) + - exiv2 (Vulnerable code introduced later) NOTE: https://github.com/Exiv2/exiv2/issues/952 + NOTE: Fixed by: https://github.com/Exiv2/exiv2/commit/bd0afe0390439b2c424d881c8c6eb0c5624e31d9 + NOTE: Introduced by: https://github.com/Exiv2/exiv2/commit/c72d16f4c402a8acc2dfe06fe3d58bf6cf99069e CVE-2019-14367 RESERVED CVE-2019-14366 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/abcd624d2e534bb42de9c843cb0e3d014b805363 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/abcd624d2e534bb42de9c843cb0e3d014b805363 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
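Review bot: the "Fixed by:" commit added for CVE-2019-14368 (bd0afe0390439b2c424d881c8c6eb0c5624e31d9) is the same commit the CVE-2019-14369 entry just above attributes to CVE-2019-13504 ("NOTE: fixed through CVE-2019-13504"); adding the same cross-reference here would make the relationship between the three IDs explicit. Changing the tag to "Vulnerable code introduced later" together with the "Introduced by:" commit is clearer than the previous "Doesn't seem to affect 0.25" and gives a verifiable basis for the not-affected status.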
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2018-20839/{systemd,xorg-server}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 90438d65 by Salvatore Bonaccorso at 2019-07-23T04:50:32Z Update notes for CVE-2018-20839/{systemd,xorg-server} The status is overall not yet fully clear. What is clear is that the original fix introduces regressions and is not the right approach. Unclear if the tracking and fixing should happen in xorg-server or in systemd. For now track both source packages and monitor how the discussion evolves. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list =
@@ -6015,12 +6015,16 @@ CVE-2018-20839 (systemd 242 changes the VT1 mode upon a logout, which allows att [buster] - systemd (Minor issue) [stretch] - systemd (Minor issue) [jessie] - systemd (Not reproducible without Ubuntu-style persistant VT1 greeter; too invasive to fix) + - xorg-server NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1803993 NOTE: https://github.com/systemd/systemd/commit/9725f1a10f80f5e0ae7d9b60547458622aeb322f NOTE: https://github.com/systemd/systemd/pull/12378 NOTE: The fix introduced a regression, cf. https://bugs.debian.org/929229 NOTE: Issue was originally fixed for unstable in 241-4 but was reverted in 241-5 NOTE: https://gitlab.freedesktop.org/xorg/xserver/issues/857 + NOTE: Upstream from systemd claimed originally it's not an issue in systemd, but + NOTE: might revisit. Furthermore the issue might be fixed in the xorg xserver. + NOTE: Tentative merge request: https://gitlab.freedesktop.org/xorg/xserver/merge_requests/241 CVE-2019-12149 (SQL injection vulnerability in silverstripe/restfulserver module 1.0.x ...) NOT-FOR-US: SilverStripe CVE-2019-12148 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/90438d65f866be55bb7759c5f391bc75bcb835c9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/90438d65f866be55bb7759c5f391bc75bcb835c9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
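Review bot: "- xorg-server" is added as a second source package with no per-suite lines and no TODO, while the systemd entry right above it carries [buster], [stretch] and [jessie] states; since the commit message says the status is unclear and the merge request is tentative, record the open question on the xorg-server side (a TODO line, or the same per-suite markers) so it does not read as a silently unfixed package in every suite. Minor: "Upstream from systemd claimed originally it's not an issue in systemd" reads better as "systemd upstream originally claimed this is not a systemd issue", and "persistant" in the [jessie] context line should be "persistent".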
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2018-15587 in data/CVE/list
Jonas Meurer pushed to branch master at Debian Security Tracker / security-tracker Commits: 32e93f1d by Jonas Meurer at 2019-04-24T14:03:50Z Update notes for CVE-2018-15587 in data/CVE/list - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -40554,6 +40554,8 @@ CVE-2018-15587 (GNOME Evolution through 3.28.2 is prone to OpenPGP signatures be NOTE: https://gitlab.gnome.org/GNOME/evolution-data-server/commit/93306a296c64b48d12c356804f131048643eaa0a (evolution-data-server) NOTE: https://gitlab.gnome.org/GNOME/evolution-data-server/commit/accb0e2415681565e4dac00cf1c4303c313ad29e (evolution-data-server) NOTE: https://gitlab.gnome.org/GNOME/evolution-data-server/commit/5cd59aee67450e8750eb3cb2d357d0947f199f61 (evolution-data-server) + NOTE: The CVE is about signature spoofing and only affects evolution (issue #120) + NOTE: The other issues (encryption spoofing) are unrelated and have low(er) severity. CVE-2018-15586 (Enigmail before 2.0.6 is prone to to OpenPGP signatures being spoofed ...) - enigmail 2:2.0.6.1-2 [jessie] - enigmail (see https://lists.debian.org/debian-lts-announce/2019/02/msg2.html) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/32e93f1d6689641dc90e8d21b7bff72aff22f46a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/32e93f1d6689641dc90e8d21b7bff72aff22f46a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
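Review bot: the new NOTE says the CVE only affects evolution, but the three commit URLs directly above it are all tagged (evolution-data-server); state whether those commits are part of the CVE-2018-15587 fix or belong to the unrelated "encryption spoofing" issues the second NOTE mentions, otherwise the entry contradicts itself. Also "issue #120" names no tracker and has no URL while every other reference in the entry is a full gitlab.gnome.org link; write it as a resolvable link.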
[Git][security-tracker-team/security-tracker][master] Update notes on evolution in data/dla-needed.txt
Jonas Meurer pushed to branch master at Debian Security Tracker / security-tracker Commits: ec0ae80b by Jonas Meurer at 2019-04-23T15:18:25Z Update notes on evolution in data/dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -23,7 +23,8 @@ claws-mail NOTE: 20190408: patch not yet available -- evolution (Jonas Meurer) - NOTE: 20190418: working on it, but needs more debugging + NOTE: 20190423: I have a fixed version ready for upload, but futher debugging + NOTE: 20190423: is required for evolution-data-server. -- evolution-data-server (Jonas Meurer) NOTE: 20190418: working on it, but needs more debugging View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ec0ae80b441d84b19ad5120f7e95fb6d01d97d4e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ec0ae80b441d84b19ad5120f7e95fb6d01d97d4e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
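Review bot: typo in the added line: "futher debugging" should read "further debugging". Also, the evolution-data-server entry just below still carries the stale "NOTE: 20190418: working on it, but needs more debugging" while the new evolution note now states that the remaining debugging is on evolution-data-server; update that entry in the same change so the two stay consistent.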
[Git][security-tracker-team/security-tracker][master] Update notes and TODO item for CVE-2018-20764
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 93701f8f by Salvatore Bonaccorso at 2019-02-17T07:25:50Z Update notes and TODO item for CVE-2018-20764 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1538,7 +1538,8 @@ CVE-2019-7635 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0 [stretch] - libsdl2 (Minor issue) NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4498 CVE-2018-20764 (A buffer overflow exists in HelpSystems tcpcrypt on Linux, used for ...) - TODO: check + NOTE: https://community.helpsystems.com/knowledge-base/fox-technologies/hotfix/515/ + TODO: check, if it affects src:tcpcrypt, as it is about tcpcrypt as used in BoKS CVE-2019-7634 RESERVED CVE-2019-7633 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/93701f8fd973644bd7c992d634dd36d52e5c8014 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/93701f8fd973644bd7c992d634dd36d52e5c8014 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
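Review bot: the new TODO "check, if it affects src:tcpcrypt, as it is about tcpcrypt as used in BoKS" has a stray comma after "check" and should name the actual uncertainty: whether the HelpSystems tcpcrypt from the knowledge-base article shares a code base with Debian's src:tcpcrypt at all. Stating that question makes the TODO actionable for whoever picks it up.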
[Git][security-tracker-team/security-tracker][master] Update notes on CVE-2019-3815/systemd
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e13356e by Salvatore Bonaccorso at 2019-01-19T21:50:22Z Update notes on CVE-2019-3815/systemd The CVE is affecting specifically our backport of the CVE-2018-16864 fix for stretch which was based on both upstreams and Red Hats backport work for v219. Details in the regression fix at https://lists.debian.org/debian-security-announce/2019/msg8.html . - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5783,12 +5783,14 @@ CVE-2019-3817 RESERVED CVE-2019-3816 RESERVED -CVE-2019-3815 +CVE-2019-3815 [systemd: memory leak in journald-server.c introduced by fix for CVE-2018-16864] RESERVED - systemd (This only affected backports to older suites, not the version in sid) [stretch] - systemd 232-25+deb9u8 - NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3815 + [jessie] - systemd (Broken fix for CVE-2018-16864 not applied) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=190 NOTE: For stable it affected DSA-4367-1 and was corrected in DSA-4367-2 + NOTE: specifically the backport of the fix for CVE-2018-16864. CVE-2019-3814 RESERVED CVE-2019-3813 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9e13356ebe28dd61cf418f814688fc5960e10118 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9e13356ebe28dd61cf418f814688fc5960e10118 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
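Review bot: the replaced Red Hat Bugzilla URL "https://bugzilla.redhat.com/show_bug.cgi?id=190" looks truncated: the previous form "?id=CVE-2019-3815" resolved through the CVE alias, so verify the numeric bug id before dropping the alias. Minor: the two NOTE lines "For stable it affected DSA-4367-1 and was corrected in DSA-4367-2" and "specifically the backport of the fix for CVE-2018-16864." read as one sentence split without a connective; join them as "... corrected in DSA-4367-2, specifically in the backport of the fix for CVE-2018-16864" or merge into one NOTE.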
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2018-19295/singularity-container
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 03e897f5 by Salvatore Bonaccorso at 2018-12-13T15:07:03Z Update notes for CVE-2018-19295/singularity-container - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6422,6 +6422,8 @@ CVE-2018-19296 (PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an CVE-2018-19295 RESERVED - singularity-container 2.6.1-1 + NOTE: https://www.openwall.com/lists/oss-security/2018/12/12/2 + NOTE: https://bugzilla.novell.com/show_bug.cgi?id=411 CVE-2018-19294 RESERVED CVE-2018-19293 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/03e897f52dc932b2a5d2410a74d46adcd6363a42 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/03e897f52dc932b2a5d2410a74d46adcd6363a42 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
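Review bot: the added "https://bugzilla.novell.com/show_bug.cgi?id=411" looks truncated as a bug id; verify the number against the oss-security post cited in the line above. Also the entry stays "RESERVED" with the fixed version 2.6.1-1 but no description; the "[systemd: ...]" bracketed description used for the RESERVED CVE-2019-3815 entry in this list is the form to follow here, so that the entry says what 2.6.1-1 fixed.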
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c76e37a by Thorsten Alteholz at 2018-11-10T18:57:29Z update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -29,6 +29,7 @@ icu (Roberto C. Sánchez) imagemagick (Thorsten Alteholz) NOTE: 20181023: add additional Ubuntu patch to disable ghostscript handled formats NOTE: 20181023: wait with upload until this is done in unstable -> #907336 + NOTE: 20181110: bug still open so upload without ubuntu patch -- jasper (apo) NOTE: 20181104: consider fixing no-dsa issues too because the package is used @@ -59,6 +60,7 @@ mysql-connector-java nsis (Thorsten Alteholz) NOTE: 20181007: Windows installer, but issue was reported by gpg4win so NOTE: 20181007: likely affects UNIX systems. (Chris Lamb) + NOTE: 20181110: waiting for email answer -- openjdk-7 -- @@ -85,6 +87,7 @@ squid3 (Abhijith PA) NOTE:20181101: to mention in DLA, and others very intrusive to backport. Substantial change from 3.4 -> 3.5. -- symfony (Thorsten Alteholz) + NOTE: 20181110: patches ready, struggling with test suite, waiting for email -- systemd NOTE: 20181101: I recommend to fix all open issues including the postponed View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2c76e37ab4f58708d04706438e7c2343869015ff -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2c76e37ab4f58708d04706438e7c2343869015ff You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
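Review bot: in the imagemagick hunk, the new line "bug still open so upload without ubuntu patch" reverses the 20181023 decision to wait for #907336 but names neither the bug nor the patch; write it as "20181110: #907336 still open, uploading without the Ubuntu patch disabling ghostscript-handled formats" so the reversal and its cause are explicit.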
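Review bot: in the nsis hunk, "waiting for email answer" says neither from whom nor about what; the preceding note attributes the report to gpg4win and lists Chris Lamb, so name the addressee and the open question, otherwise the note is not actionable when someone else picks up the package.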
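Review bot: in the symfony hunk, "patches ready, struggling with test suite, waiting for email" bundles three states; say what the email is waiting on (and from whom) and whether the test-suite failures are pre-existing or caused by the patches, since that decides whether the upload can proceed. Minor: the nearby context line "NOTE:20181101:" lacks the space after "NOTE:" used everywhere else in the file.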
[Git][security-tracker-team/security-tracker][master] Update notes on CVE-2018-14648/389-ds-base
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 64498864 by Salvatore Bonaccorso at 2018-10-22T17:22:05Z Update notes on CVE-2018-14648/389-ds-base - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9462,9 +9462,12 @@ CVE-2018-14650 (It was discovered that sos-collector does not properly set the d CVE-2018-14649 (It was found that ceph-isci-cli package as shipped by Red Hat Ceph ...) NOT-FOR-US: ceph-iscsi-cli CVE-2018-14648 (A flaw was found in 389 Directory Server. A specially crafted search ...) - - 389-ds-base + - 389-ds-base 1.4.0.18-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1630668 - TODO: check, not much detail provided + NOTE: https://pagure.io/389-ds-base/c/a49bd03d6 (1.4.0.17) + NOTE: 1.3.7: https://pagure.io/389-ds-base/c/c8ec6e58c + NOTE: 1.3.8: https://pagure.io/389-ds-base/c/5fc374b43 + NOTE: https://pagure.io/389-ds-base/issue/49969 CVE-2018-14647 (Python's elementtree C accelerator failed to initialise Expat's hash ...) {DSA-4307-1 DSA-4306-1} - python3.7 3.7.0-7 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/644988643c348086cc5a760532652086bb0fc753 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/644988643c348086cc5a760532652086bb0fc753 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
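Review bot: the NOTE lines cite 1.3.7 and 1.3.8 branch commits (c8ec6e58c and 5fc374b43) but the entry gains no per-suite line, so nothing records whether stretch's 389-ds-base needs one of those backports or is no-dsa; add the [stretch] state alongside the new 1.4.0.18-1 unstable version. Also the first commit NOTE says "(1.4.0.17)" while the fixed Debian version is 1.4.0.18-1; if 1.4.0.17 never reached the archive, say so, otherwise the mismatch invites re-checking.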
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2017-7893
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a2aa1c94 by Salvatore Bonaccorso at 2018-08-06T18:28:50Z Update notes for CVE-2017-7893 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -69345,10 +69345,9 @@ CVE-2017-7893 (In SaltStack Salt before 2016.3.6, compromised salt-minions can . - salt NOTE: https://docs.saltstack.com/en/2017.7/topics/releases/2016.3.6.html NOTE: https://github.com/saltstack/salt/issues/48939 - NOTE: The first version in Debian unstable containing the fix is likely - NOTE: 2016.11.5+ds-1 which is the first merging changes from 2016.3.6 - NOTE: that is the "previous branch". - TODO: check, pinpoint fixing version, check with maintainers on issue, upstream asked + NOTE: https://github.com/saltstack/salt/commit/0a0f46fb1478be5eb2f90882a90390cb35ec43cb + NOTE: The behaviour though was back off by default in a later commit again + NOTE: cf. https://github.com/saltstack/salt/pull/40206 CVE-2017-7892 (Sandstorm Cap'n Proto before 0.5.3.1 allows remote crashes related to a ...) - capnproto 0.6.1-1 (unimportant; bug #860960) NOTE: https://github.com/sandstorm-io/capnproto/blob/master/security-advisories/2017-04-17-0-apple-clang-elides-bounds-check.md View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a2aa1c94016addb69c0ed64d09220ec18caaec9e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a2aa1c94016addb69c0ed64d09220ec18caaec9e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
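Review bot: the hunk drops the TODO about pinpointing the fixing version but leaves "- salt" without a version, and the new NOTE "The behaviour though was back off by default in a later commit again" (read: backed off) says the fix was later disabled by default without drawing the conclusion for Debian: is salt still considered vulnerable, fixed in the version carrying 0a0f46fb1478be5eb2f90882a90390cb35ec43cb, or mitigated only by configuration? State that outcome in the NOTE or keep the TODO until it is settled.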
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2017-14992 and add golang-github-vbatts-tar-split
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6195da8d by Salvatore Bonaccorso at 2018-05-27T08:20:40+02:00 Update notes for CVE-2017-14992 and add golang-github-vbatts-tar-split - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -38173,7 +38173,12 @@ CVE-2017-14994 (ReadDCMImage in coders/dcm.c in GraphicsMagick 1.3.26 allows rem CVE-2017-14993 (OXID eShop Community Edition before 6.0.0 RC3 (development), 4.10.x ...) NOT-FOR-US: OXID eShop Community Edition CVE-2017-14992 (Lack of content verification in Docker-CE (Also known as Moby) ...) - - docker.io + - docker.io + - golang-github-vbatts-tar-split 0.10.2-1 + NOTE: Issue needs to be fixed in src:golang-github-vbatts-tar-split first + NOTE: https://github.com/vbatts/tar-split/issues/41 + NOTE: docker.io needs then a rebuild with a fixed golang-github-vbatts-tar-split + NOTE: version. CVE-2017-14991 (The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel before ...) - linux 4.13.4-1 [stretch] - linux (Vulnerable code introduced later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6195da8deb160449de5cc98c4d5ac1af9f484c40 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6195da8deb160449de5cc98c4d5ac1af9f484c40 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
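Review bot: the new lines are inconsistent about tar-split's state: "- golang-github-vbatts-tar-split 0.10.2-1" records a fixed version, while the NOTE right below says the issue "needs to be fixed in src:golang-github-vbatts-tar-split first"; say whether 0.10.2-1 already contains the fix for issue #41 or is the pending upload. Also, since docker.io must be rebuilt against the fixed library, "- docker.io" should carry a TODO or the rebuild version once it is uploaded, and "docker.io needs then a rebuild" reads better as "docker.io then needs a rebuild".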