Bug#995590: RM: peframe -- RoQA; Depends on Python 2

2021-10-02 Thread Moritz Muehlenhoff
Package: ftp.debian.org Severity: normal Please remove peframe, it depends on Python 2 and current versions are blocked by licence and dependency issues. Acked by the maintainer in #937269. Cheers, Moritz

Bug#993369: RM: vizigrep -- RoQA; Depends on Python 2, unmaintained

2021-08-31 Thread Moritz Muehlenhoff
Package: ftp.debian.org Severity: normal Please remove vizigrep. It depends on Python 2 and is unmaintained (last upload in 2018, no reaction at #938789). Cheers, Moritz

Bug#993368: RM: scap-security-guide -- RoQA; Depends on python 2, unmaintained

2021-08-31 Thread Moritz Muehlenhoff
Package: ftp.debian.org Severity: normal Please remove scap-security-guide. It depends on Python 2 and is unmaintained (last upload in 2018, no reaction on #938438). Cheers, Moritz

Bug#993367: RM: peframe -- RoQA; Depends on Python 2

2021-08-31 Thread Moritz Muehlenhoff
Package: ftp.debian.org Severity: normal X-Debbugs-Cc: sas...@steinbiss.name Please remove peframe. It depends on Python 2 and packaging the current releases is blocked by license and dependency issues. Acked by maintainer (Cced) in #937269. Cheers, Moritz

Bug#993046: libssh: CVE-2021-3634 - bullseye update prepared

2021-08-29 Thread Moritz Muehlenhoff
Hi Martin, On Sat, Aug 28, 2021 at 01:54:50PM +0200, Martin Pitt wrote: > Hello Salvatore and Laurent, > Is that ok with you, in particular the not-quite-CVE patches? Should I upload > directly or put the dsc somewhere? Ack, that looks good. Please build with -sa (security.d.o and ftp.d.o don't

Bug#992115: Stop using the NVD severity

2021-08-11 Thread Moritz Muehlenhoff
Package: security-tracker Severity: normal We should stop using/displaying the NVD severity in the Security Tracker. Anyone is free to look up whatever external data source they want, but we should not give NVD legitimacy by showing in the Security Tracker.

Bug#992045: CVE-2021-38185

2021-08-09 Thread Moritz Muehlenhoff
Package: cpio Version: 2.13+dfsg-4 Severity: grave Tags: security X-Debbugs-Cc: Debian Security Team https://github.com/fangqyi/cpiopwn https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dd96882877721703e19272fe25034560b794061b https://lists.gnu.org/archive/html/bug-cpio/2021-08/msg0.html

Bug#991593: fixed in otrs2 6.0.32-6

2021-08-06 Thread Moritz Muehlenhoff
On Fri, Aug 06, 2021 at 08:08:45AM +0200, Salvatore Bonaccorso wrote: > Hi, > > On Thu, Aug 05, 2021 at 11:49:41AM +0200, Moritz Mühlenhoff wrote: > > On Thu, Aug 05, 2021 at 09:19:14AM +, Debian FTP Masters wrote: > > > Source: otrs2 > > > Source-Version: 6.0.32-6 > > > Done: Patrick

Bug#991827: RM: libgrokj2k/7.6.6-3

2021-08-02 Thread Moritz Muehlenhoff
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm X-Debbugs-Cc: boxe...@gmail.com Please remove libgrokj2k/7.6.6-3 from testing (as discussed with the maintainer, also CCed). libgrokj2k is still in rapid development (upstream is already at

Bug#991716: unblock: neomutt/20201127+dfsg.1-1.2

2021-07-30 Thread Moritz Muehlenhoff
) unstable; urgency=medium + + * Non-maintainer upload. + * Fix CVE-2021-32055 (Closes: #988107) + + -- Moritz Muehlenhoff Thu, 29 Jul 2021 23:13:20 +0200 + neomutt (20201127+dfsg.1-1.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru neomutt-20201127+dfsg.1/debian/patches/series

Bug#991497: RUSTSEC-2021-0074

2021-07-25 Thread Moritz Muehlenhoff
Source: rust-ammonia Severity: grave Tags: security X-Debbugs-Cc: Debian Security Team https://rustsec.org/advisories/RUSTSEC-2021-0074.html Patch: https://github.com/rust-ammonia/ammonia/commit/4b8426b89b861d9bea20e126576b0febb9d13515 Cheers, Moritz

Bug#991160: rapl collector broken with Bullseye kernel, spams syslog

2021-07-16 Thread Moritz Muehlenhoff
Package: prometheus-node-exporter Severity: important Tags: patch The rapl collector is broken with the 5.10 kernel in Bullseye and thus spams syslog every minute with a message like this: --- Jul 16 07:03:39 thanos-fe2001 prometheus-node-exporter[593]: level=error

Bug#991040: Varnish VSV00007

2021-07-13 Thread Moritz Muehlenhoff
Package: varnish Severity: grave Tags: security X-Debbugs-Cc: Debian Security Team https://varnish-cache.org/security/VSV7.html Patches: https://github.com/varnishcache/varnish-cache/commit/9be22198e258d0e7a5c41f4291792214a29405cf (6.0)

Bug#990798: Switch to fork?

2021-07-07 Thread Moritz Muehlenhoff
Source: libsixel Severity: wishlist https://github.com/saitoha/libsixel/issues/154 states that the original author is inactive and there's now a fork, maybe Debian should also switch to it? Cheers, Moritz

Bug#990793: kubernetes: CVE-2020-8554 CVE-2020-8562 CVE-2021-25735 CVE-2021-25737

2021-07-07 Thread Moritz Muehlenhoff
On Thu, Jul 08, 2021 at 12:27:08AM +0800, Shengjing Zhu wrote: > On Wed, Jul 7, 2021 at 11:48 PM Moritz Mühlenhoff wrote: > > > > Source: kubernetes > > X-Debbugs-CC: t...@security.debian.org > > Severity: important > > Tags: security > > > > Hi, > > > > The following vulnerabilities were

Bug#990754: unblock: wpewebkit/2.32.1-1

2021-07-07 Thread Moritz Muehlenhoff
On Tue, Jul 06, 2021 at 10:11:36PM +0200, Sebastian Ramacher wrote: > Control: tags -1 moreinfo > > On 2021-07-06 11:20:10 +0200, Alberto Garcia wrote: > > Package: release.debian.org > > Severity: normal > > User: release.debian@packages.debian.org > > Usertags: unblock > > > > Please

Bug#990419: CVE-2021-27021

2021-06-28 Thread Moritz Muehlenhoff
Package: puppetdb Version: 6.2.0-5 Severity: grave Tags: security X-Debbugs-Cc: Debian Security Team See https://puppet.com/security/cve/cve-2021-27021/ Fixed by https://github.com/puppetlabs/puppetdb/commit/c146e624d230f7410fb648d58ae28c0e3cd457a2

Bug#990303: trafficserver: Apache Traffic Server is vulnerable to various HTTP/1.x and HTTP/2 attacks

2021-06-25 Thread Moritz Muehlenhoff
On Fri, Jun 25, 2021 at 08:59:25AM +0200, Lorenzo Maurizi wrote: > Package: trafficserver > Version: 8.0.2+ds-1+deb10u4 > Severity: grave > Tags: security > Justification: user security hole > > CVE: > CVE-2021-27577 Incorrect handling of url fragment leads to cache poisoning > CVE-2021-32565

Bug#990204: Failing autopkgtest with pillow 8.1.2+dfsg-0.2/ pillow 8.2

2021-06-22 Thread Moritz Muehlenhoff
Source: skimage Severity: serious pillow 8.1.2+dfsg-0.2 backported a few security fixes from pillow 8.2. One of the changes breaks the autopkgtest/testsuite of skimage: https://ci.debian.net/data/autopkgtest/testing/amd64/s/skimage/13102974/log.gz I dug around in skimage git and this appears to

Bug#990059: Bug#989839: Thunderbird 1:78.11.0-1 in testing lacks full functionality

2021-06-20 Thread Moritz Muehlenhoff
On Sat, Jun 19, 2021 at 09:33:37PM +0200, Sebastian Ramacher wrote: > Hallo Carsten > > On 2021-06-19 09:00:13 +0200, Carsten Schoenert wrote: > > Hello Kevin, hello Sebastian, > > > > thanks for working on this issue in between times, I wasn't able to do > > anything practically the last days.

Bug#990000: tor: CVE-2021-34548 CVE-2021-34549 CVE-2021-34550

2021-06-18 Thread Moritz Muehlenhoff
On Fri, Jun 18, 2021 at 09:01:39AM +, Peter Palfrader wrote: > On Thu, 17 Jun 2021, Salvatore Bonaccorso wrote: > > CVE-2021-34548[1], CVE-2021-34549[2] and CVE-2021-34550[3]. > > Uploaded a 0.3.5.15-1 source package to security master with >

Bug#989992: CVE-2021-21439 CVE-2021-21441

2021-06-17 Thread Moritz Muehlenhoff
Package: otrs2 Severity: important Tags: security X-Debbugs-Cc: Debian Security Team Since these affect OTRS 6, they should also affect Znuny, right? CVE-2021-21441: https://otrs.com/release-notes/otrs-security-advisory-2021-11/ CVE-2021-21439:

Bug#989991: Multiple jerryscript security issues

2021-06-17 Thread Moritz Muehlenhoff
Package: iotjs Severity: important Tags: security X-Debbugs-Cc: Debian Security Team There's multiple security issues in jerryscript, which is included in iotjs: CVE-2021-26199: https://github.com/jerryscript-project/jerryscript/issues/4056 CVE-2021-26198:

Bug#989989: CVE-2021-34363

2021-06-17 Thread Moritz Muehlenhoff
Package: thefuck Severity: important Tags: security X-Debbugs-Cc: Debian Security Team This was assigned CVE-2021-34363 https://github.com/nvbn/thefuck/pull/1206 Patch: https://github.com/nvbn/thefuck/commit/e343c577cd7da4d304b837d4a07ab4df1e023092 (3.31) Cheers, Moritz

Bug#989988: CVE-2021-28213

2021-06-17 Thread Moritz Muehlenhoff
Source: edk2 Severity: important Tags: security X-Debbugs-Cc: Debian Security Team This was assigned CVE-2021-28213: https://bugzilla.tianocore.org/show_bug.cgi?id=1866 Cheers, Moritz

Bug#989847: CVE-2021-22212

2021-06-14 Thread Moritz Muehlenhoff
Package: ntpsec Severity: important Tags: security X-Debbugs-Cc: Debian Security Team This was assigned CVE-2021-22212: https://gitlab.com/NTPsec/ntpsec/-/issues/699 Patch: https://gitlab.com/NTPsec/ntpsec/-/commit/b09be47d650280cc7ebdcd45dfa07eca4b9a52f8 Can you please upload a targeted fix

Bug#989846: CVE-2021-22895

2021-06-14 Thread Moritz Muehlenhoff
Package: nextcloud-desktop Severity: important Tags: security X-Debbugs-Cc: Debian Security Team See https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qpgp-vf4p-wcw5 Patch: https://github.com/nextcloud/desktop/commit/b1ddd0e491b2af0ed040e658d8bcde2a7a61c9fc Can you

Bug#989618: unblock: libwebp/0.6.1-2.1

2021-06-08 Thread Moritz Muehlenhoff
: CVE-2018-25009, CVE-2018-25010, CVE-2018-25011 +CVE-2020-36328, CVE-2018-25013, CVE-2018-25014, CVE-2020-36329, CVE-2020-36330 +CVE-2020-36331, CVE-2020-36332 + + -- Moritz Muehlenhoff Sat, 05 Jun 2021 19:35:57 +0200 + libwebp (0.6.1-2) unstable; urgency=medium * Fix lintian warning

Bug#985391: gnome-autoar: CVE-2021-28650

2021-06-07 Thread Moritz Muehlenhoff
On Wed, Mar 17, 2021 at 09:36:44AM +0100, Salvatore Bonaccorso wrote: > Source: gnome-autoar > Version: 0.2.4-3 > Severity: important > Tags: security upstream > Forwarded: https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/12 > X-Debbugs-Cc: car...@debian.org, Debian Security Team >

Bug#969926: glibc: Parsing of /etc/gshadow can return bad pointers causing segfaults in applications

2021-06-04 Thread Moritz Muehlenhoff
On Fri, Jun 04, 2021 at 08:34:50PM +0200, Florian Weimer wrote: > * Moritz Mühlenhoff: > > > On Wed, Sep 09, 2020 at 12:30:44PM +0200, Aurelien Jarno wrote: > >> control: forcemerge 967938 969926 > >> > >> Hi, > >> > >> On 2020-09-09 02:58, Bernd Zeimetz wrote: > >> > Source: glibc > >> >

Bug#989439: CVE-2020-22033 CVE-2020-22021 CVE-2020-22019 CVE-2020-22015 CVE-2020-21041

2021-06-03 Thread Moritz Muehlenhoff
Package: ffmpeg Version: 7:4.3.2-0+deb11u1 Severity: important Tags: security X-Debbugs-Cc: Debian Security Team A few security issues: CVE-2020-22033: https://trac.ffmpeg.org/ticket/8246 https://trac.ffmpeg.org/ticket/8241

Bug#989438: CVE-2021-31855

2021-06-03 Thread Moritz Muehlenhoff
Source: kf5-messagelib Severity: grave Tags: security X-Debbugs-Cc: Debian Security Team https://kde.org/info/security/advisory-20210429-1.txt Patch: https://commits.kde.org/messagelib/3b5b171e91ce78b966c98b1292a1bcbc8d984799 Cheers, Moritz

Bug#989437: CVE-2021-23165 CVE-2021-26948 CVE-2021-26259 CVE-2021-26252 CVE-2021-23206 CVE-2021-23191 CVE-2021-23180 CVE-2021-23158

2021-06-03 Thread Moritz Muehlenhoff
Package: htmldoc Severity: important Tags: security X-Debbugs-Cc: Debian Security Team CVE-2021-26948: https://github.com/michaelrsweet/htmldoc/issues/410 https://github.com/michaelrsweet/htmldoc/commit/008861d8339c6ec777e487770b70b95b1ed0c1d2 CVE-2021-26259:

Bug#989362: closed by Gilles Filippini (Re: Bug#989362: navit: Multiple security issues in ezxml)

2021-06-02 Thread Moritz Muehlenhoff
On Tue, Jun 01, 2021 at 09:51:05PM +, Debian Bug Tracking System wrote: > The ezxml support module is not built for any of our architectures. Here is > the related build log excerpt: Ack, I've updated the meta data on the embedded code copy in the Debian Security Tracker. Cheers,

Bug#989364: scilab: Multiple security issues in ezxml

2021-06-01 Thread Moritz Muehlenhoff
Package: scilab Severity: important Tags: security X-Debbugs-Cc: Debian Security Team Multiple security issues were found in ezxml, which scilab bundles: CVE-2021-31598: https://sourceforge.net/p/ezxml/bugs/28/ CVE-2021-31348 / CVE-2021-31347: https://sourceforge.net/p/ezxml/bugs/27/

Bug#989363: mapcache: Multiple security issues in ezxml

2021-06-01 Thread Moritz Muehlenhoff
Source: mapcache Severity: important Tags: security X-Debbugs-Cc: Debian Security Team Multiple security issues were found in ezxml, which mapcache bundles: CVE-2021-31598: https://sourceforge.net/p/ezxml/bugs/28/ CVE-2021-31348 / CVE-2021-31347: https://sourceforge.net/p/ezxml/bugs/27/

Bug#989362: navit: Multiple security issues in ezxml

2021-06-01 Thread Moritz Muehlenhoff
Package: navit Severity: important Tags: security X-Debbugs-Cc: Debian Security Team Multiple security issues were found in ezxml, which navit bundles (not sure if it really gets built, though, as the changelog contains references to an older remove-ezxml patch?) CVE-2021-31598:

Bug#989360: netcdf: Multiple security issues in ezxml

2021-06-01 Thread Moritz Muehlenhoff
Source: netcdf Severity: important Tags: security X-Debbugs-Cc: Debian Security Team Multiple security issues were found in ezxml, which netcdf bundles: CVE-2021-31598: https://sourceforge.net/p/ezxml/bugs/28/ CVE-2021-31348 / CVE-2021-31347: https://sourceforge.net/p/ezxml/bugs/27/

Bug#989361: netcdf-parallel: Multiple security issues in ezxml

2021-06-01 Thread Moritz Muehlenhoff
Source: netcdf-parallel Severity: important Tags: security X-Debbugs-Cc: Debian Security Team Multiple security issues were found in ezxml, which netcdf-parallel bundles: CVE-2021-31598: https://sourceforge.net/p/ezxml/bugs/28/ CVE-2021-31348 / CVE-2021-31347:

Bug#989288: CVE-2021-29629

2021-05-31 Thread Moritz Muehlenhoff
Package: dacs Severity: important Tags: security X-Debbugs-Cc: Debian Security Team dacs bundles a copy in src/libradius/src/radlib.c: https://www.freebsd.org/security/advisories/FreeBSD-SA-21:12.libradius.asc Cheers, Moritz

Bug#989264: CVE-2021-33587

2021-05-30 Thread Moritz Muehlenhoff
Package: node-css-what Severity: important Tags: security X-Debbugs-Cc: Debian Security Team This was assigned CVE-2021-33587: https://github.com/fb55/css-what/releases/tag/v5.0.1 Patch: https://github.com/fb55/css-what/commit/4cdaacfd0d4b6fd00614be030da0dea6c2994655 Cheers, Moritz

Bug#989258: CVE-2021-33502

2021-05-30 Thread Moritz Muehlenhoff
Package: node-got Severity: important Tags: security X-Debbugs-Cc: Debian Security Team node-got bundles a copy of normalize-url, which is affected by CVE-2021-33502: https://github.com/sindresorhus/normalize-url/releases/tag/v6.0.1 Patch:

Bug#989259: CVE-2021-28170

2021-05-30 Thread Moritz Muehlenhoff
Source: jakarta-el-api Severity: important Tags: security X-Debbugs-Cc: Debian Security Team This was assigned CVE-2021-28170: https://github.com/eclipse-ee4j/el-ri/issues/155 https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/ Cheers, Moritz

Bug#977767: opendmarc: CVE-2020-12272

2021-05-29 Thread Moritz Muehlenhoff
On Sat, May 29, 2021 at 10:43:21AM +0200, David Bürgin wrote: > > This appears to have been fixed in > > https://github.com/trusteddomainproject/OpenDMARC/commit/f3a9a9d4edfaa05102292727d021683f58aa4b6e, > > could we get that in Bullseye? > > This isn’t the only commit for CVE-2020-12272.

Bug#989183: CVE-2021-33038

2021-05-28 Thread Moritz Muehlenhoff
On Fri, May 28, 2021 at 02:14:34PM +0200, Jonas Meurer wrote: > Hey Moritz, > > Moritz Muehlenhoff wrote: > > On Fri, May 28, 2021 at 11:06:31AM +0200, Jonas Meurer wrote: > > > Moritz Muehlenhoff wrote: > > > > This was assigned CVE-2021-33038: > >

Bug#989183: CVE-2021-33038

2021-05-28 Thread Moritz Muehlenhoff
On Fri, May 28, 2021 at 11:06:31AM +0200, Jonas Meurer wrote: > Hey Moritz, > > Moritz Muehlenhoff wrote: > > This was assigned CVE-2021-33038: > > https://gitlab.com/mailman/hyperkitty/-/issues/380 > > > > Patch is here: > > https:/

Bug#989195: CVE-2021-29921

2021-05-28 Thread Moritz Muehlenhoff
Package: python3.9 Version: 3.9.2-1 Severity: important Tags: security X-Debbugs-Cc: Debian Security Team CVE-2021-29921: https://bugs.python.org/issue36384#msg392423 Patch for 3.9: (fixed in experimental) https://github.com/python/cpython/commit/5374fbc31446364bf5f12e5ab88c5493c35eaf04
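CVE-2021-29921 is the ipaddress module accepting leading zeros in IPv4 octets (parsing "010.8.8.8" as 10.8.8.8) while C-library parsers such as inet_aton read a leading 0 as octal (8.8.8.8), which lets an address-based allow/deny check be bypassed. The following is an added example, not code from this bug report or from CPython: a strict dotted-quad parser that rejects leading-zero octets the way the fixed ipaddress does, an inet_aton-style lenient parser, and a helper that flags strings the two interpretations disagree on. All function names are my own; the sample addresses are constructed.

```python
"""
Added example (not from the bug report or from CPython): strict IPv4
parsing that rejects the leading-zero octets behind CVE-2021-29921, next
to an inet_aton-style parser that shows why such strings are ambiguous.
"""
import re
from typing import Tuple

# Exactly "0" or a 1-3 digit number with no leading zero.
_OCTET = re.compile(r"^(?:0|[1-9][0-9]{0,2})$")


def parse_ipv4_strict(text: str) -> Tuple[int, int, int, int]:
    """Parse a dotted quad, accepting only four decimal octets 0-255
    without leading zeros. '010.8.8.8' raises ValueError."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets: {text!r}")
    octets = []
    for p in parts:
        if not _OCTET.match(p):
            raise ValueError(f"invalid octet (leading zero or non-digit): {p!r}")
        value = int(p, 10)
        if value > 255:
            raise ValueError(f"octet out of range: {p!r}")
        octets.append(value)
    return octets[0], octets[1], octets[2], octets[3]


def inet_aton_style(text: str) -> Tuple[int, int, int, int]:
    """Mimic the lenient C-library rule: '0x' prefix is hex, a leading '0'
    is octal, anything else is decimal. Only the four-part form is handled,
    which is enough to show the disagreement with a decimal-only parser."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets: {text!r}")
    octets = []
    for p in parts:
        if p.lower().startswith("0x"):
            value = int(p[2:], 16)
        elif len(p) > 1 and p.startswith("0"):
            value = int(p, 8)  # leading zero => octal, so "010" -> 8
        else:
            value = int(p, 10)
        if not 0 <= value <= 255:
            raise ValueError(f"octet out of range: {p!r}")
        octets.append(value)
    return octets[0], octets[1], octets[2], octets[3]


def lenient_decimal(text: str) -> Tuple[int, int, int, int]:
    """What the unfixed ipaddress module effectively did: read every octet
    as decimal, leading zeros included ("010" -> 10)."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets: {text!r}")
    octets = [int(p, 10) for p in parts]
    if any(not 0 <= v <= 255 for v in octets):
        raise ValueError(f"octet out of range: {text!r}")
    return octets[0], octets[1], octets[2], octets[3]


def is_ambiguous(text: str) -> bool:
    """True when a decimal parse and an inet_aton-style parse disagree or
    either rejects the string: such input must not reach an ACL check."""
    try:
        return lenient_decimal(text) != inet_aton_style(text)
    except ValueError:
        return True


def rejects(text: str) -> bool:
    """True if the strict parser refuses the string."""
    try:
        parse_ipv4_strict(text)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for sample in ("10.8.8.8", "010.8.8.8", "08.1.1.1", "0x0a.8.8.8"):
        print(f"{sample:12} strict-rejects={rejects(sample)} ambiguous={is_ambiguous(sample)}")
```

The practical check is the combination: a string that the strict parser rejects or that is_ambiguous() flags should be treated as invalid input before any allow-list or deny-list comparison, rather than normalised by whichever parser the application happens to use.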

Bug#989183: CVE-2021-33038

2021-05-27 Thread Moritz Muehlenhoff
Source: hyperkitty Severity: grave Tags: security X-Debbugs-Cc: Debian Security Team This was assigned CVE-2021-33038: https://gitlab.com/mailman/hyperkitty/-/issues/380 Patch is here: https://gitlab.com/mailman/hyperkitty/-/commit/9025324597d60b2dff740e49b70b15589d6804fa Cheers,

Bug#989067: CVE-2021-32613

2021-05-24 Thread Moritz Muehlenhoff
Package: radare2 Severity: important Tags: security X-Debbugs-Cc: Debian Security Team CVE-2021-32613 https://github.com/radareorg/radare2/issues/18679 https://github.com/radareorg/radare2/commit/049de62730f4954ef9a642f2eeebbca30a8eccdc Cheers, Moritz

Bug#989065: Show packages from next-point-release.txt in source package overview

2021-05-24 Thread Moritz Muehlenhoff
Package: security-tracker Severity: wishlist https://security-tracker.debian.org/tracker/source-package/foo shows CVEs tagged as "vulnerable (no DSA)". If there's an update pending (i.e. if a CVE is listed in data/next-point-release.txt) it could instead be presented as "pending for next point

Bug#989062: CVE-2021-25287 CVE-2021-25288 CVE-2021-28675 CVE-2021-28676 CVE-2021-28677 CVE-2021-28678

2021-05-24 Thread Moritz Muehlenhoff
Source: pillow Version: 8.1.2+dfsg-0.1 Severity: important Tags: security X-Debbugs-Cc: Debian Security Team Fixed in experimental, but open for bullseye/sid: https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos

Bug#989060: CVE-2021-28902 CVE-2021-28903 CVE-2021-28904 CVE-2021-28905 CVE-2021-28906

2021-05-24 Thread Moritz Muehlenhoff
Source: libyang Severity: important Tags: security X-Debbugs-Cc: Debian Security Team CVE-2021-28906 https://github.com/CESNET/libyang/issues/1455 CVE-2021-28905 https://github.com/CESNET/libyang/issues/1452 CVE-2021-28904 https://github.com/CESNET/libyang/issues/1451 CVE-2021-28903

Bug#989042: CVE-2021-3544 CVE-2021-3545 CVE-2021-3546

2021-05-24 Thread Moritz Muehlenhoff
Package: qemu Severity: important Tags: security X-Debbugs-Cc: Debian Security Team Multiple low severity vhost-user-gpu issues, none merged yet: CVE-2021-3544: multiple memory leaks CVE-2021-3545: information disclosure due to uninitialized memory reads CVE-2021-3546: out-of-bounds write in

Bug#989008: CVE-2021-32614

2021-05-23 Thread Moritz Muehlenhoff
Package: dmg2img Severity: normal Tags: security X-Debbugs-Cc: Debian Security Team This was assigned CVE-2021-32614: https://github.com/Lekensteyn/dmg2img/issues/11 Cheers, Moritz

Bug#988985: CVE-2020-23856

2021-05-22 Thread Moritz Muehlenhoff
Package: cflow Severity: normal Tags: security X-Debbugs-Cc: Debian Security Team This was assigned CVE-2020-23856: https://lists.gnu.org/archive/html/bug-cflow/2020-07/msg0.html Cheers, Moritz

Bug#988950: CVE-2020-26892 CVE-2020-26521

2021-05-21 Thread Moritz Muehlenhoff
Source: golang-github-nats-io-jwt Severity: grave Tags: security X-Debbugs-Cc: Debian Security Team https://advisories.nats.io/CVE/CVE-2020-26892.txt https://advisories.nats.io/CVE/CVE-2020-26521.txt Cheers, Moritz

Bug#988949: CVE-2020-13949

2021-05-21 Thread Moritz Muehlenhoff
Source: thrift Severity: important Tags: security X-Debbugs-Cc: Debian Security Team CVE-2020-13949: https://seclists.org/oss-sec/2021/q1/140 There's no real information on what fixed this and it seems invasive, so probably safest to only pull this after the end of the freeze? Cheers,

Bug#988948: CVE-2019-11939

2021-05-21 Thread Moritz Muehlenhoff
Source: thrift Severity: important Tags: security X-Debbugs-Cc: Debian Security Team CVE-2019-11939: https://github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757 Cheers, Moritz

Bug#988946: CVE-2020-10693

2021-05-21 Thread Moritz Muehlenhoff
Package: libhibernate-validator-java Severity: important Tags: security X-Debbugs-Cc: Debian Security Team CVE-2020-10693: https://bugzilla.redhat.com/show_bug.cgi?id=1805501 Cheers, Moritz

Bug#988945: CVE-2019-25009

2021-05-21 Thread Moritz Muehlenhoff
Source: rust-http Severity: grave Tags: security X-Debbugs-Cc: Debian Security Team CVE-2019-25009: https://rustsec.org/advisories/RUSTSEC-2019-0034.html https://github.com/hyperium/http/commit/82d53dbdfdb1ffbeb0323200a0bbd30b5f895fa7

Bug#988944: CVE-2020-7692

2021-05-21 Thread Moritz Muehlenhoff
Source: google-oauth-client-java Severity: grave Tags: security X-Debbugs-Cc: Debian Security Team CVE-2020-7692: https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEOAUTHCLIENT-575276 https://github.com/googleapis/google-oauth-java-client/issues/469

Bug#988943: CVE-2020-28483

2021-05-21 Thread Moritz Muehlenhoff
Source: golang-github-gin-gonic-gin Severity: important Tags: security X-Debbugs-Cc: Debian Security Team CVE-2020-28483: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGINGONICGIN-1041736 https://github.com/gin-gonic/gin/pull/2474 Cheers, Moritz

Bug#988942: CVE-2021-20291

2021-05-21 Thread Moritz Muehlenhoff
Package: golang-github-containers-image Severity: important Tags: security X-Debbugs-Cc: Debian Security Team This was assigned CVE-2021-20291: https://github.com/containers/storage/commit/306fcabc964470e4b3b87a43a8f6b7d698209ee1 Cheers, Moritz

Bug#988885: CVE-2021-31323 CVE-2021-31322 CVE-2021-31321 CVE-2021-31320 CVE-2021-31319 CVE-2021-31318 CVE-2021-31317 CVE-2021-31315

2021-05-20 Thread Moritz Muehlenhoff
Source: rlottie Severity: grave Tags: security X-Debbugs-Cc: Debian Security Team CVE-2021-31323: https://www.shielder.it/advisories/telegram-rlottie-lottieparserimpl-parsedashproperty-heap-buffer-overflow/ CVE-2021-31322:

Bug#988746: RM: jodd/3.8.6-1.1

2021-05-18 Thread Moritz Muehlenhoff
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm X-Debbugs-Cc: ebo...@apache.org Please remove jodd from bullseye, it has open security issues and there are currently no rdeps (it was uploaded for jmeter 3, which didn't enter the archive yet).

Bug#988734: CVE-2020-24370

2021-05-18 Thread Moritz Muehlenhoff
Package: lua5.3 Severity: important Tags: security X-Debbugs-Cc: Debian Security Team CVE-2020-24370: http://lua-users.org/lists/lua-l/2020-07/msg00324.html Patch: https://github.com/lua/lua/commit/b5bc89846721375fe30772eb8c5ab2786f362bf9 Cheers, Moritz

Bug#988733: CVE-2020-24392

2021-05-18 Thread Moritz Muehlenhoff
Package: ruby-twitter-stream Severity: important Tags: security X-Debbugs-Cc: Debian Security Team CVE-2020-24392: https://securitylab.github.com/advisories/GHSL-2020-097-voloko-twitter-stream Cheers, Moritz

Bug#988732: CVE-2020-36326

2021-05-18 Thread Moritz Muehlenhoff
Package: libphp-phpmailer Severity: grave Tags: security X-Debbugs-Cc: Debian Security Team Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36326 Patches: https://github.com/PHPMailer/PHPMailer/commit/26f2848d3bbb57add5f34a467a1e3b2f9ce5cd2a (v6.4.1)

Bug#988730: CVE-2017-18641

2021-05-18 Thread Moritz Muehlenhoff
Package: lxc-templates Severity: important Tags: security X-Debbugs-Cc: Debian Security Team https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1661447 This was originally for LXC, but with 3.0.2 the templates are now in lxc-templates. Cheers, Moritz

Bug#988729: CVE-2021-21299

2021-05-18 Thread Moritz Muehlenhoff
Source: rust-hyper Severity: grave Tags: security X-Debbugs-Cc: Debian Security Team CVE-2021-21299: https://github.com/hyperium/hyper/security/advisories/GHSA-6hfq-h8hq-87mf https://rustsec.org/advisories/RUSTSEC-2021-0020.html Cheers, Moritz

Bug#988728: CVE-2020-17523 CVE-2020-17510 CVE-2020-11989

2021-05-18 Thread Moritz Muehlenhoff
Source: shiro Severity: important Tags: security X-Debbugs-Cc: Debian Security Team CVE-2020-17523: https://www.openwall.com/lists/oss-security/2021/02/01/3 https://issues.apache.org/jira/browse/SHIRO-797 CVE-2020-17510: https://www.openwall.com/lists/oss-security/2020/11/04/7

Bug#988727: CVE-2021-3514 CVE-2021-3480

2021-05-18 Thread Moritz Muehlenhoff
Package: 389-ds-base Severity: grave Tags: security X-Debbugs-Cc: Debian Security Team CVE-2021-3514: https://github.com/389ds/389-ds-base/issues/4711 CVE-2021-3480: https://bugzilla.redhat.com/show_bug.cgi?id=1944640

Bug#988726: CVE-2020-28496

2021-05-18 Thread Moritz Muehlenhoff
Source: three.js Severity: important Tags: security X-Debbugs-Cc: Debian Security Team This was assigned CVE-2020-28496: https://github.com/mrdoob/three.js/issues/21132 https://github.com/mrdoob/three.js/pull/21143/commits/4a582355216b620176a291ff319d740e619d583e Cheers, Moritz

Bug#988215: CVE-2021-3500

2021-05-07 Thread Moritz Muehlenhoff
Source: djvulibre Severity: important Tags: security X-Debbugs-Cc: Debian Security Team Not many details yet, but this was assigned CVE-2021-3500: https://bugzilla.redhat.com/show_bug.cgi?id=1943685 Cheers, Moritz

Bug#988214: CVE-2021-22885 CVE-2021-22902 CVE-2021-22904

2021-05-07 Thread Moritz Muehlenhoff
Package: rails Severity: grave Tags: security X-Debbugs-Cc: Debian Security Team CVE-2021-22904: https://github.com/rails/rails/commit/d861fa8ade353390c4419b53a6c6b41f3005b1f2 (v6.0.3.7) CVE-2021-22902: Fixed by: https://github.com/rails/rails/commit/446afbd15360a347c923ca775b21a286dcb5297a

Bug#988213: CVE-2020-24344

2021-05-07 Thread Moritz Muehlenhoff
Package: iotjs Severity: important Tags: security X-Debbugs-Cc: Debian Security Team This was assigned CVE-2020-24344: https://github.com/jerryscript-project/jerryscript/issues/3976 https://github.com/jerryscript-project/jerryscript/commit/841d536fce1ce29267cdf0ea12be4026e1c35d3a Cheers,

Bug#988211: CVE-2021-30473

2021-05-07 Thread Moritz Muehlenhoff
Source: aom Severity: important Tags: security X-Debbugs-Cc: Debian Security Team CVE-2021-30473: | aom_image.c in libaom in AOMedia before 2021-04-07 frees memory that is not located on the heap. Unfortunately https://bugs.chromium.org/p/aomedia/issues/detail?id=2998 is private, but the fix

Bug#988209: CVE-2021-31879

2021-05-07 Thread Moritz Muehlenhoff
Package: wget Version: 1.21-1+b1 Severity: important Tags: security X-Debbugs-Cc: Debian Security Team This was assigned CVE-2021-31879: https://mail.gnu.org/archive/html/bug-wget/2021-02/msg2.html Cheers, Moritz

Bug#988208: CVE-2021-32062

2021-05-07 Thread Moritz Muehlenhoff
Source: mapserver Severity: grave Tags: security X-Debbugs-Cc: Debian Security Team CVE-2021-32062: https://github.com/mapserver/mapserver/issues/6313 https://github.com/MapServer/MapServer/pull/6314 Patch for branch-7-6:

Bug#970253: CVE-2020-15469

2021-05-07 Thread Moritz Muehlenhoff
On Fri, May 07, 2021 at 11:59:33AM +0300, Michael Tokarev wrote: > 06.05.2021 20:51, Moritz Mühlenhoff wrote: > > On Sun, Sep 13, 2020 at 10:42:36PM +0200, Moritz Muehlenhoff wrote: > > > Package: qemu > > > Severity: important > > > Tags: security >

Bug#988159: CVE-2020-36120

2021-05-06 Thread Moritz Muehlenhoff
Source: libsixel Severity: important Tags: security X-Debbugs-Cc: Debian Security Team This was assigned CVE-2020-36120 https://github.com/saitoha/libsixel/issues/143 Cheers, Moritz

Bug#988157: CVE-2021-3527

2021-05-06 Thread Moritz Muehlenhoff
Package: qemu Severity: important Tags: security X-Debbugs-Cc: Debian Security Team This was assigned CVE-2021-3527: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg00564.html Cheers, Moritz

Bug#988155: CVE-2021-26291

2021-05-06 Thread Moritz Muehlenhoff
Package: maven Version: 3.6.3-3 Severity: important Tags: security X-Debbugs-Cc: Debian Security Team CVE-2021-26291 https://www.openwall.com/lists/oss-security/2021/04/23/5 https://issues.apache.org/jira/browse/MNG-7118 Patch:

Bug#988153: CVE-2020-25715

2021-05-06 Thread Moritz Muehlenhoff
Package: dogtag-pki Severity: important Tags: security X-Debbugs-Cc: Debian Security Team This was assigned CVE-2020-25715: https://bugzilla.redhat.com/show_bug.cgi?id=1891016 Patch: https://github.com/dogtagpki/pki/commit/13f4c7fe7d71d42b46b25f3e8472ef7f35da5dd6 Cheers, Moritz

Bug#988152: CVE-2017-9271

2021-05-06 Thread Moritz Muehlenhoff
Package: zypper Severity: important Tags: security X-Debbugs-Cc: Debian Security Team CVE-2017-9271: https://bugzilla.suse.com/show_bug.cgi?id=1050625 Cheers, Moritz

Bug#988151: CVE-2020-23922

2021-05-06 Thread Moritz Muehlenhoff
Source: giflib Severity: important Tags: security X-Debbugs-Cc: Debian Security Team CVE-2020-23922: https://sourceforge.net/p/giflib/bugs/151/

Bug#985947: CVE-2021-28543

2021-04-25 Thread Moritz Muehlenhoff
On Sun, Apr 25, 2021 at 08:14:02AM +0200, Salvatore Bonaccorso wrote: > Hi Tobi, > > On Sat, Apr 24, 2021 at 10:33:36PM +0200, Tobias Frost wrote: > > Package: varnish-modules > > Followup-For: Bug #985947 > > Control: tags -1 unreproducible > > Control: close -1 > > > > According to

Bug#987355: CVE-2020-35132

2021-04-22 Thread Moritz Muehlenhoff
Package: phpldapadmin Severity: important Tags: security X-Debbugs-Cc: Debian Security Team CVE-2020-35132: https://bugs.launchpad.net/ubuntu/+source/phpldapadmin/+bug/1906474 https://github.com/leenooks/phpLDAPadmin/issues/130 Original fix was

Bug#987354: CVE-2021-30151

2021-04-22 Thread Moritz Muehlenhoff
Package: ruby-sidekiq Severity: important Tags: security X-Debbugs-Cc: Debian Security Team CVE-2021-30151: https://github.com/mperham/sidekiq/issues/4852 https://github.com/mperham/sidekiq/commit/64f70339d1dcf50a55c00d36bfdb61d97ec63ed8 Cheers, Moritz

Bug#987353: CVE-2020-8903 CVE-2020-8907 CVE-2020-8933

2021-04-22 Thread Moritz Muehlenhoff
Source: google-compute-image-packages Severity: grave Tags: security X-Debbugs-Cc: Debian Security Team https://cloud.google.com/compute/docs/security-bulletins#2020619 seems unfixed in unstable/bullseye still. Patches: https://github.com/GoogleCloudPlatform/guest-oslogin/pull/29 Cheers,

Bug#987351: CVE-2020-25864

2021-04-22 Thread Moritz Muehlenhoff
Package: consul Severity: grave Tags: security X-Debbugs-Cc: Debian Security Team CVE-2020-25864: https://bugzilla.redhat.com/show_bug.cgi?id=1950275 Patches: https://github.com/hashicorp/consul/pull/10023 Cheers, Moritz

Bug#987284: CVE-2021-29428 CVE-2021-29429

2021-04-20 Thread Moritz Muehlenhoff
Package: gradle Severity: important Tags: security X-Debbugs-Cc: Debian Security Team CVE-2021-29429 https://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8 CVE-2021-29428 https://github.com/gradle/gradle/security/advisories/GHSA-89qm-pxvm-p336 Cheers, Moritz

Bug#987283: Filter list for "unreported" view

2021-04-20 Thread Moritz Muehlenhoff
Package: security-tracker Severity: wishlist https://security-tracker.debian.org/tracker/status/unreported should gain a filter list, since there are some packages for which filing bugs makes no sense (e.g. the linux kernel, which is tracked without filed bugs in the BTS or various legacy Nvidia

Bug#987282: CVE-2021-30146

2021-04-20 Thread Moritz Muehlenhoff
Source: seafile-client Severity: important Tags: security X-Debbugs-Cc: Debian Security Team This was assigned CVE-2021-30146: https://github.com/Security-AVS/CVE-2021-30146 It's not really clear whether that was reported upstream, could you check with them? Cheers, Moritz

Bug#987280: CVE-2021-31254 CVE-2021-31255 CVE-2021-31256 CVE-2021-31257 CVE-2021-31258 CVE-2021-31259 CVE-2021-31260 CVE-2021-31261 CVE-2021-31262

2021-04-20 Thread Moritz Muehlenhoff
Package: gpac Version: 1.0.1+dfsg1-3 Severity: grave Tags: security X-Debbugs-Cc: Debian Security Team CVE-2021-31262 https://github.com/gpac/gpac/commit/b2eab95e07cb5819375a50358d4806a8813b6e50 https://github.com/gpac/gpac/issues/1738 CVE-2021-31261

Bug#987278: CVE-2021-30498 CVE-2021-30499

2021-04-20 Thread Moritz Muehlenhoff
Source: libcaca Severity: important Tags: security X-Debbugs-Cc: Debian Security Team CVE-2021-30499: https://github.com/cacalabs/libcaca/issues/54 CVE-2021-30498: https://github.com/cacalabs/libcaca/issues/53 Cheers, Moritz

Bug#987277: CVE-2021-29457 CVE-2021-29458

2021-04-20 Thread Moritz Muehlenhoff
Package: exiv2 Version: 0.27.3-3 Severity: important Tags: security X-Debbugs-Cc: Debian Security Team CVE-2021-29458: https://github.com/Exiv2/exiv2/security/advisories/GHSA-57jj-75fm-9rq5 https://github.com/Exiv2/exiv2/issues/1530 https://github.com/Exiv2/exiv2/pull/1536 CVE-2021-29457:

Bug#987276: CVE-2021-29338

2021-04-20 Thread Moritz Muehlenhoff
Source: openjpeg2 Severity: important Tags: security X-Debbugs-Cc: Debian Security Team This was assigned CVE-2021-29338: https://github.com/uclouvain/openjpeg/issues/1338 Cheers, Moritz

Bug#987275: CVE-2021-28305

2021-04-20 Thread Moritz Muehlenhoff
Source: rust-diesel Severity: grave Tags: security X-Debbugs-Cc: Debian Security Team This was assigned CVE-2021-28305: https://rustsec.org/advisories/RUSTSEC-2021-0037.html Cheers, Moritz

Bug#987274: CVE-2021-22879

2021-04-20 Thread Moritz Muehlenhoff
Package: nextcloud-desktop Severity: important Tags: security X-Debbugs-Cc: Debian Security Team https://nextcloud.com/security/advisory/?id=NC-SA-2021-008 Bumping to 3.1.3 is not in line with the current freeze, but the patches from https://github.com/nextcloud/desktop/pull/2906 can be applied
