2.10.2-3.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * clone: fix directory traversal (CVE-2018-14912) (Closes: #905382)
+
+ -- Salvatore Bonaccorso Sat, 04 Aug 2018 12:27:48 +0200
+
cgit (1.1+git2.10.2-3) unstable; urgency=medium
* Build-depend on asciidoc-base | asciidoc.
Control: severity -1 important
Control: tags -1 + moreinfo
Hi Loreno,
On Sun, Aug 05, 2018 at 01:23:30PM +0200, Loreno Heer wrote:
> Package: src:linux
> Version: 4.17.8-1
> Severity: critical
> Justification: breaks the whole system
>
> Dear Maintainer,
>
> *** Reporter, please consider answer
Source: lxc
Version: 1:2.0.9-1
Severity: grave
Tags: patch security upstream
Forwarded: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1783591
Hi,
The following vulnerability was published for lxc.
CVE-2018-6556[0]:
lxc-user-nic allows unprivileged users to open arbitrary files
If you fix t
Hi Antonio,
On Tue, Aug 07, 2018 at 09:55:59AM +0100, Antonio Radici wrote:
> Package: mutt
> Version: 1.7.2-1
> Severity: grave
> Tags: security upstream
> Justification: security update
>
> Tracking bug for security updates for mutt in stretch.
>
> Details on https://security-tracker.debian.or
Source: mariadb-10.3
Version: 10.3.0-0+exp1
Severity: grave
Tags: security upstream fixed-upstream
Hi
As per http://www.openwall.com/lists/oss-security/2018/04/08/2,
MariaDB is similarly affected by CVE-2018-2767. Upstream confirmed
that for MariaDB this means that if one connects to the remote s
close 905751 4.9.110-3+deb9u1
thanks
Source: libykneomgr
Version: 0.1.8-1
Severity: grave
Tags: security upstream
Hi
See https://www.x41-dsec.de/lab/advisories/x41-2018-004-libykneomgr/
for details. Upstream will not issue a patch for it as vendor does
not support the library anymore.
Should we consider removing libykneomgr from D
Hi Nicolas,
On Tue, Aug 14, 2018 at 08:36:10PM +0200, Nicolas Braud-Santoni wrote:
> Hi,
>
> Gunnar Wolf sponsored the upload to sid (thanks!) and I just prepared an
> upload for stretch-security. It is available in the branch debian/stretch on:
>
> https://salsa.debian.org/auth-team/yubico-p
Hi Simon,
On Tue, Aug 14, 2018 at 10:35:26PM +0200, Simon Josefsson wrote:
> Yes, removing the package from testing seems reasonable to me.
Can you file a separate bug to ftp.debian.org to request a removal from
unstable (and so buster/testing)? Having this RC bug will at least
though ensure it w
Source: spice
Version: 0.14.0-1
Severity: grave
Tags: patch security upstream
Control: clone -1 -2
Control: reassign -2 src:spice-gtk 0.34-1.1
Control: retitle -2 spice-gtk: CVE-2018-10873: Missing check in
demarshal.py:write_validate_array_item() allows for buffer overflow and denial
of service
Hi,
On Fri, Aug 17, 2018 at 04:54:05AM +0200, Salvatore Bonaccorso wrote:
> CVE-2018-10873[0]:
> |Missing check in demarshal.py:write_validate_array_item() allows for
> |buffer overflow and denial of service
>
> If you fix the vulnerability please also make sure to include th
Hi,
On Fri, Aug 17, 2018 at 10:20:13AM +0200, Simon Josefsson wrote:
> Done, see:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906319
Perfect, thank you!
Regards,
Salvatore
Hi
I have put in
https://people.debian.org/~carnil/tmp/linux/arm64/
https://people.debian.org/~carnil/tmp/linux/armel/
[https://people.debian.org/~carnil/tmp/linux/all/]
built packages available for testing. armhf builds are at the time of
writing not yet done, but I can put those there as well.
Source: dropbear
Version: 2016.74-1
Severity: grave
Tags: security
Forwarded: http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2018q3/002108.html
Hi,
The following vulnerability was published for dropbear.
CVE-2018-15599[0]:
| The recv_msg_userauth_request function in svr-auth.c in Dropbear
| t
Hi,
On Tue, Aug 21, 2018 at 10:07:42PM +0200, Salvatore Bonaccorso wrote:
> I have put in
>
> https://people.debian.org/~carnil/tmp/linux/arm64/
> https://people.debian.org/~carnil/tmp/linux/armel/
> [https://people.debian.org/~carnil/tmp/linux/all/]
armhf packages:
https://pe
Source: fscrypt
Version: 0.2.3-2
Severity: grave
Tags: security upstream fixed-upstream
Forwarded: https://github.com/google/fscrypt/issues/77
Hi,
The following vulnerability was published for fscrypt.
CVE-2018-6558[0]:
privilege escalation
If you fix the vulnerability please also make sure to
Hi,
On Sun, Aug 26, 2018 at 06:08:58PM +0100, Nicolas Braud-Santoni wrote:
> Tavis Ormandy disclosed a new ghoscript security issue, leading directly to
> code
> execution: http://openwall.com/lists/oss-security/2018/08/21/2
There are actually several issues, see the whole thread. For now since
Hi,
On Mon, Aug 27, 2018 at 08:34:25PM +0200, Jonas Smedegaard wrote:
> Quoting Salvatore Bonaccorso (2018-08-26 21:55:14)
> > Hi,
> >
> > On Sun, Aug 26, 2018 at 06:08:58PM +0100, Nicolas Braud-Santoni wrote:
> > > Tavis Ormandy disclosed a new ghoscript se
Source: grafana
Version: 2.6.0+dfsg-3
Severity: grave
Tags: security upstream
Hi,
The following vulnerability was published for grafana.
CVE-2018-15727[0]:
| Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows
| authentication bypass because an attacker can generate a valid
| "rem
9-6.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * utils: add LXC_PROC_PID_FD_LEN
+ * CVE 2018-6556: verify netns fd in lxc-user-nic (Closes: #905586)
+
+ -- Salvatore Bonaccorso Wed, 29 Aug 2018 15:22:46 +0200
+
lxc (1:2.0.9-6) unstable; urgency=medium
* 0004-debian-Use-ipr
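Review bot: the changelog line `* CVE 2018-6556: verify netns fd in lxc-user-nic (Closes: #905586)` writes the identifier with a space; use the canonical hyphenated form `CVE-2018-6556`, as the other changelog entries in this series do (e.g. `(CVE-2018-14912)`), so that searches and tooling matching the `CVE-YYYY-NNNN` pattern find it.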
Hi Antonio,
On Fri, Aug 31, 2018 at 08:14:57AM -0300, Antonio Terceiro wrote:
> On Thu, Aug 30, 2018 at 10:06:15PM +0200, Salvatore Bonaccorso wrote:
> > Control: tags 905586 + pending
> >
> >
> > Dear maintainer,
> >
> > I've prepared an NMU for lxc
Source: ghostscript
Version: 9.22~dfsg-3
Severity: grave
Tags: patch security upstream
Control: found -1 9.20~dfsg-1
There is one more followup fix needed:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=79cccf641486
https://bugs.ghostscript.com/show_bug.cgi?id=699654
Decoupling this f
Hi Antonio,
On Fri, Aug 31, 2018 at 04:07:56PM -0300, Antonio Terceiro wrote:
> On Fri, Aug 31, 2018 at 02:42:15PM +0200, Salvatore Bonaccorso wrote:
> > Hi Antonio,
> >
> > On Fri, Aug 31, 2018 at 08:14:57AM -0300, Antonio Terceiro wrote:
> > > On Thu, Au
Source: lcms2
Version: 2.8-4
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/mm2/Little-CMS/issues/171
Control: fixed -1 2.8-4+deb9u1
Hi,
The following vulnerability was published for lcms2.
CVE-2018-16435[0]:
| Little CMS (aka Little Color Management System) 2.9 has
Hi
I have been working on an update for libvncserver for unstable
(buster) as NMU. I will post a proposed debdiff when I'm relatively
confident on the result.
Regards,
Salvatore
-2018-15126 removes CloseUndoneFileTransfer and
+introduces new CloseUndoneFileDownload and CloseUndoneFileUpload.
+
+ -- Salvatore Bonaccorso Wed, 02 Jan 2019 16:26:53 +0100
+
libvncserver (0.9.11+dfsg-1.1) unstable; urgency=high
* Non-maintainer upload.
diff -Nru libvncserver-0.9.11
Source: gitlab
Version: 11.5.5+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 11.6.0+dfsg-1
Hi,
The following vulnerabilities were published for gitlab, fixed in the
11.6.1, 11.5.6, and 11.4.13 versions, cf [15].
CVE-2018-20488[0]:
Secret CI va
Source: yaml-cpp
Version: 0.5.3-0.2
Severity: grave
Tags: security
Forwarded: https://github.com/jbeder/yaml-cpp/issues/654
Control: clone -1 -2
Control: reassign -2 src:yaml-cpp0.3 0.3.0-1.2
Control: retitle -2 yaml-cpp0.3: CVE-2018-20574: Stack Overflow in
SingleDocParser::HandleFlowMap()
Hi,
Control: tags -1 + confirmed help
Hi Santiago,
On Thu, Jan 03, 2019 at 09:06:05PM +, Santiago Vila wrote:
> Package: src:lnav
> Version: 0.8.4-4
> Severity: serious
> Tags: ftbfs
>
> Hello Salvatore.
>
> I tried to build this package in buster but it failed:
>
> ---
Source: linux
Version: 4.9.144-1
Severity: serious
Justification: FTBFS
For tracking the issue:
4.9.144-1 FTBFS on arm64:
> LD vmlinux.o
> MODPOST vmlinux.o
> GEN .version
> CHK include/generated/compile.h
> UPD include/generated/compile.h
> CC init/version.o
>
Control: tag -1 pending
Hello,
Bug #918153 in lnav reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/carnil/lnav/commit/b69adf9adbbc760b66a72da3791277e90e5c5455
Source: python-django
Version: 1:1.11.17-2
Severity: grave
Tags: patch security upstream
Justification: user security hole
Control: found -1 2:2.1.4-2
Hi,
The following vulnerability was published for python-django.
CVE-2019-3498[0]:
Content spoofing possibility in the default 404 page
If you f
07)
+ * Update symbols file for libvncserver1.
+The fix for CVE-2018-15126 removes CloseUndoneFileTransfer and
+introduces new CloseUndoneFileDownload and CloseUndoneFileUpload.
+
+ -- Salvatore Bonaccorso Wed, 02 Jan 2019 16:26:53 +0100
+
libvncserver (0.9.11+dfsg-1.1) unstable; urgency=
Source: linux
Version: 4.9.144-1
Severity: serious
Justification: FTBFS
Control: tags -1 + ftbfs
Control: affects -1 + release.debian.org
For tracking: linux/4.9.144-1 FTBFS on mips, mips64el and mipsel due
to ABI changes:
https://buildd.debian.org/status/fetch.php?pkg=linux&arch=mips&ver=4.9.144
Hi Chris,
Thanks for working on the update.
[disclaimer: not a full review, but something jumped out at me while I was
reading the debdiff]
On Sat, Jan 05, 2019 at 09:39:38PM +0100, Chris Lamb wrote:
> Hi Moritz,
>
> > > This also affects stable from my reading of the code. Shall I
> > > prepare an up
Hi Chris,
On Sun, Jan 06, 2019 at 09:39:30AM +0100, Chris Lamb wrote:
> Hi Salvatore,
>
> > With the 0017-CVE-2019-3498.patch patch there is something strange.
> > While it touches correctly the files django/views/defaults.py and the
> > tests, it touches and modifies files in debian/*, other pat
Source: systemd
Version: 204-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 232-25+deb9u6
Control: found -1 240-2
Hi,
The following vulnerability was published for systemd.
CVE-2018-16864[0]:
memory corruption
If you fix the vulnerability please al
Source: systemd
Version: 43-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 232-25+deb9u6
Control: found -1 240-2
Hi,
The following vulnerability was published for systemd, opening
tracking bug.
CVE-2018-16865[0]:
memory corruption
If you fix the vu
Hi,
On Wed, Jan 09, 2019 at 10:50:32PM +0100, Michael Biebl wrote:
> On 09.01.19 at 22:45, Michael Biebl wrote:
> > Should CVE-2018-16864, CVE-2018-16865 and CVE-2018-16866 be handled
> > separately, i.e. do you plan to file separate bug reports?
>
> Hm, for some reason I only received #918848 j
Hi Michael,
On Thu, Jan 10, 2019 at 01:41:17AM +0100, Michael Biebl wrote:
> On Wed, 09 Jan 2019 21:08:51 +0100 Salvatore Bonaccorso
> wrote:
> > Source: systemd
> > Version: 204-1
> > Severity: grave
> > Tags: security upstream
> > Justification: user securi
Source: wolfssl
Version: 3.15.3+dfsg-2
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/wolfSSL/wolfssl/pull/1950
Hi,
The following vulnerability was published for wolfssl.
CVE-2018-16870[0]:
| It was found that wolfssl before 3.15.7 is vulnerable to a new variant
| of
Source: tmpreaper
Version: 1.6.13+nmu1
Severity: grave
Tags: security
Control: fixed -1 1.6.13+nmu1+deb9u1
Hi,
The following vulnerability was published for tmpreaper, as per DSA
4365-1.
CVE-2019-3461[0]:
Stephen Roettger discovered a race condition in tmpreaper, a program that
cleans up files i
Source: mupdf
Version: 1.14.0+ds1-2
Severity: grave
Tags: security
Forwarded: https://bugs.ghostscript.com/show_bug.cgi?id=700442
Hi,
The following vulnerability was published for mupdf.
CVE-2019-6131[0]:
| svg-run.c in Artifex MuPDF 1.14.0 has infinite recursion with stack
| consumption in svg_
Source: linux
Version: 4.19.13-1
Severity: serious
Tags: upstream patch
Justification: Regression / Causes FTBFS on glibc (testfailures)
Control: affects -1 src:glibc
Control: found -1 4.20-1~exp1
Control: forwarded -1 https://lkml.org/lkml/2018/12/30/169
Upstream fix 0e334db6bb4b ("posix-timers:
Hi Magnus,
On Fri, Dec 28, 2018 at 10:22:53AM +0100, Moritz Mühlenhoff wrote:
> On Wed, Dec 26, 2018 at 05:20:40PM +0100, Magnus Holmgren wrote:
> > > CVE-2018-19518[0]:
> > > | University of Washington IMAP Toolkit 2007f on UNIX, as used in
> > > | imap_open() in PHP and other products, launches
Source: php-pear
Version: 1:1.10.6+submodules+notgz-1
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://pear.php.net/bugs/bug.php?id=23782
Control: found -1 1:1.10.1+submodules+notgz-9
Hi,
The following vulnerability was published for php-pear.
CV
table; urgency=medium
+
+ * Non-maintainer upload.
+ * Don't allow filenames to start with phar:// (CVE-2018-1000888)
+(Closes: #919147)
+
+ -- Salvatore Bonaccorso Sun, 13 Jan 2019 11:49:26 +0100
+
php-pear (1:1.10.6+submodules+notgz-1) unstable; urgency=medium
* Update PEAR to 1
Hi Mathieu,
On Mon, Jan 14, 2019 at 09:21:10AM +0100, Mathieu Parent wrote:
> Hi Salvatore,
>
> Please go ahead and reduce the delay !
Thank you, rescheduled!
Regards,
Salvatore
Source: mysql-5.7
Version: 5.7.24-3
Severity: grave
Tags: security upstream
Justification: user security hole
Hi
Details at
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html#AppendixMSQL
Regards,
Salvatore
Hey!
On Thu, Jan 17, 2019 at 12:00:13AM +0100, Sebastian Ramacher wrote:
> Control: found -1 2016.11.28-1
>
> On 2019-01-16 23:19:45, Moritz Muehlenhoff wrote:
> > Source: liblivemedia
> > Severity: grave
> > Tags: security
> >
> > Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-201
Source: mysql-connector-python
Version: 8.0.11-1
Severity: grave
Tags: security upstream
Control: found -1 2.1.6-1
Hi,
The following vulnerability was published for mysql-connector-python.
CVE-2019-2435[0]:
| Vulnerability in the MySQL Connectors component of Oracle MySQL
| (subcomponent: Connec
Source: gitlab
Version: 11.5.6+dfsg-1
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole
Hi,
The following vulnerability was published for gitlab, and fixed in
11.6.4, 11.5.7, and 11.4.14.
CVE-2019-6240[0]:
RESERVED
If you fix the vulnerability please also
Hi,
On Sun, Jan 20, 2019 at 03:22:31PM +0100, Sebastian Ramacher wrote:
> On 2019-01-19 22:36:05, Salvatore Bonaccorso wrote:
> > Hey!
> >
> > On Thu, Jan 17, 2019 at 12:00:13AM +0100, Sebastian Ramacher wrote:
> > > Control: found -1 2016.11.28-1
> > >
Source: apache2
Version: 2.4.37-1
Severity: grave
Tags: patch security upstream
Hi (Stefan),
I agree the severity is not the best chosen one for this issue; it is
more to ensure we could release buster with an appropriate fix already
before the release. If you disagree, please do downgrade.
The
Control: tags -1 + fixed-upstream
Control: tags -1 - patch
Hi Xavier,
On Wed, Jan 23, 2019 at 09:18:36AM +0100, Xavier wrote:
> Hello,
>
> Debian bug is tagged as "patch", but I didn't find any patch in the
> related documents. Can you give me the link to patch ?
Well you are right, not a patch
Hi Xavier,
On Wed, Jan 23, 2019 at 09:46:44PM +0100, Xavier wrote:
> On 23/01/2019 at 20:57, Salvatore Bonaccorso wrote:
> > Control: tags -1 + fixed-upstream
> > Control: tags -1 - patch
> >
> > Hi Xavier,
> >
> > On Wed, Jan 23, 2019 at 09:
Hi Xavier,
On Wed, Jan 23, 2019 at 09:54:29PM +0100, Xavier wrote:
> On 23/01/2019 at 21:50, Salvatore Bonaccorso wrote:
> > Hi Xavier,
> >
> > On Wed, Jan 23, 2019 at 09:46:44PM +0100, Xavier wrote:
> >> On 23/01/2019 at 20:57, Salvatore Bonaccorso wrote:
Hi,
On Mon, Jan 14, 2019 at 04:53:14AM +, Chris Knadle wrote:
> Package: mumble
> Version: 1.2.19-3
> Severity: important
> Tags: security fixed-upstream fixed-in-experimental
>
>
> It is currently possible to cause mumble-server to freeze and/or crash by
> sending specifically it crafted co
Source: golang-1.12
Version: 1.12~beta2-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/golang/go/issues/29903
Hi,
The following vulnerability was published for golang-1.12, which was
already fixed for the released version 1.11.5 and 1.10.8 upstream.
CVE-2019-6486[0]:
| G
Hi Cinnamon Team,
Can you address this issue via an upcoming point release?
Regards,
Salvatore
Source: libgd2
Version: 2.2.5-5
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 2.2.4-2+deb9u3
Control: found -1 2.2.4-2
Hi,
The following vulnerability was published for libgd2.
CVE-2019-6977[0]:
| gdImageColorMatch in gd_color_match.c in the GD Graph
Source: libgd2
Version: 2.2.5-5
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/libgd/libgd/issues/492
Hi,
The following vulnerability was published for libgd2.
CVE-2019-6978[0]:
| The GD Graphics Library (aka LibGD) 2.2.5 has a double free
Source: spice
Version: 0.14.0-1.2
Severity: grave
Tags: security upstream
Control: found -1 0.12.8-2.1+deb9u2
Control: found -1 0.12.8-2.1
Control: fixed -1 0.12.8-2.1+deb9u3
Hi,
The following vulnerability was published for spice.
CVE-2019-3813[0]:
Off-by-one error in array access in spice/serv
/slot boundary check (CVE-2019-3813)
+(Closes: #920762)
+
+ -- Salvatore Bonaccorso Mon, 28 Jan 2019 13:04:44 +0100
+
spice (0.14.0-1.2) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru spice-0.14.0/debian/patches/memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch spice-0
Source: phpmyadmin
Version: 4:4.6.6-5
Severity: grave
Tags: security upstream
Control: found -1 4:4.6.6-4
Hi,
The following vulnerability was published for phpmyadmin.
CVE-2019-6798[0]:
| An issue was discovered in phpMyAdmin before 4.8.5. A vulnerability was
| reported where a specially crafted
Source: phpmyadmin
Version: 4:4.6.6-5
Severity: grave
Tags: security upstream
Control: found -1 4:4.6.6-4
Hi,
The following vulnerability was published for phpmyadmin.
CVE-2019-6799[0]:
| An issue was discovered in phpMyAdmin before 4.8.5. When the
| AllowArbitraryServer configuration setting is
Hi,
Thanks for the ping.
On Wed, Jan 30, 2019 at 02:45:35PM +0200, UAB "Bona Mens" paslaugos wrote:
> Hi,
>
> You reported critical bug 4 years ago, when latest criu release was 1.6
> Since 2015 lots of criu versions with lots bugfixes were released.
> Latest criu version is 3.11
>
> Maybe now
close 920882 3.1.2-2
thanks
Source: mariadb-10.3
Version: 1:10.3.12-2
Severity: grave
Tags: security upstream
Hi,
The following vulnerabilities were published for mariadb-10.3, they
are listed as to be fixed in 10.3.13[2].
CVE-2019-2510[0]:
| Vulnerability in the MySQL Server component of Oracle MySQL
| (subcomponent: Inno
Source: libvncserver
Version: 0.9.11+dfsg-1.2
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
The following vulnerabilities were published for libvncserver; stretch
is not affected by those CVEs, as no incomplete fix was ever applied
there yet in a released version.
e now-useless cast (CVE-2018-20748) (Closes: #920941)
+ * Error out in rfbProcessFileTransferReadBuffer if length can not be
+allocated (CVE-2018-20749) (Closes: #920941)
+ * Limit lenght to INT_MAX bytes in rfbProcessFileTransferReadBuffer()
+(CVE-2018-20750) (Closes: #920941)
+
+ -- Salv
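Review bot: typo in the changelog line `* Limit lenght to INT_MAX bytes in rfbProcessFileTransferReadBuffer()`: `lenght` should read `length`.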
Source: slurm-llnl
Version: 18.08.3-1
Severity: grave
Tags: security upstream
Control: found -1 16.05.9-1+deb9u2
Control: found -1 16.05.9-1
Hi,
The following vulnerability was published for slurm-llnl.
CVE-2019-6438[0]:
| SchedMD Slurm before 17.11.13 and 18.x before 18.08.5 mishandles 32-bit
|
Source: zoneminder
Version: 1.32.3-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/ZoneMinder/zoneminder/issues/2445
Hi,
The following vulnerability was published for zoneminder.
CVE-2019-6992[0]:
| A stored-self XSS exists in web/skins/classic/views/controlcaps.php of
|
Source: zoneminder
Version: 1.32.3-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/ZoneMinder/zoneminder/pull/2482
Hi,
The following vulnerability was published for zoneminder.
CVE-2019-6991[0]:
| A classic Stack-based buffer overflow exi
Source: zoneminder
Version: 1.32.3-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/ZoneMinder/zoneminder/issues/2444
Hi,
The following vulnerability was published for zoneminder.
CVE-2019-6990[0]:
| A stored-self XSS exists in web/skins/classic/views/zones.php of
| ZoneMi
Source: gitlab
Version: 11.5.7+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
Hi
See
https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/
for details on the announcement and the fixes in 11.7.3, 11.6.8, and 11.5.10.
Regards,
Salvatore
Control: reopen -1
Control: found -1 2.7.15-6
Hi
On Fri, Feb 01, 2019 at 08:51:07AM +, Debian Bug Tracking System wrote:
> - CVE-2018-14647: _elementtree.c doesn't call XML_SetHashSalt().
>Closes: #921039.
The change
https://github.com/python/cpython/commit/18b20bad75b4ff0486940f
Source: etcd
Version: 3.2.18+dfsg-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/coreos/etcd/issues/9353
Hi,
The following vulnerabilities were published for etcd. I am not sure
exactly about the severity, but prefer to be safe rather than sorry
afterwards.
CVE-2018-1098[0]:
| A
Source: gnutls28
Version: 3.6.6-2
Severity: serious
Justification: FTBFS
Hi
gnutls28/3.6.6-2 FTBFS on mipsel:
https://buildd.debian.org/status/fetch.php?pkg=gnutls28&arch=mipsel&ver=3.6.6-2&stamp=1549113962&raw=0
apparently a failing test; not sure if it was already known, so
filing the bug for
Control: tags -1 + patch
On Mon, Jan 28, 2019 at 04:50:27PM +0100, Salvatore Bonaccorso wrote:
> Source: libgd2
> Version: 2.2.5-5
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Forwarded: https://github.com/libgd/libgd/issues/492
>
>
Control: tags -1 + patch
On Sun, Jan 27, 2019 at 09:11:16PM +0100, Salvatore Bonaccorso wrote:
> Source: libgd2
> Version: 2.2.5-5
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Control: found -1 2.2.4-2+deb9u3
> Control: found -1 2.2.
Source: buildbot
Version: 1.8.0-1
Severity: grave
Tags: security upstream
Hi,
The following vulnerability was published for buildbot.
CVE-2019-7313[0]:
| www/resource.py in Buildbot before 1.8.1 allows CRLF injection in the
| Location header of /auth/login and /auth/logout via the redirect
| par
Source: libpng1.6
Version: 1.6.36-3
Severity: grave
Tags: security upstream
Forwarded: https://github.com/glennrp/libpng/issues/275
Control: found -1 1.6.28-1
Control: found -1 1.6.36-2
Hi,
The following vulnerability was published for libpng1.6.
CVE-2019-7317[0]:
| png_image_free in png.c in li
uffer overflow in gdImageColorMatch (CVE-2019-6977)
+(Closes: #920645)
+ * Potential double-free in gdImage*Ptr() (CVE-2019-6978) (Closes: #920728)
+
+ -- Salvatore Bonaccorso Sat, 02 Feb 2019 10:55:00 +0100
+
libgd2 (2.2.5-5) unstable; urgency=medium
* Update Vcs-* links to salsa.d.o
Source: prometheus
Version: 2.6.0+ds-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/prometheus/prometheus/pull/5163
Hi,
The following vulnerability was published for prometheus.
CVE-2019-3826[0]:
Stored DOM cross-site scripting (XSS) attack via crafted URL
If you fix th
Source: libu2f-host
Version: 1.1.2-2
Severity: grave
Tags: security upstream
Control: found -1 1.1.6-1
Hi,
The following vulnerability was published for libu2f-host.
CVE-2018-20340[0]:
buffer overflow
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities
Hi Emmanuel,
On Wed, Jul 22, 2015 at 03:24:45PM +0200, Emmanuel Bourg wrote:
> The fix has been confirmed by an upstream developer:
>
> http://mail-archives.apache.org/mod_mbox/activemq-dev/201507.mbox/%3CCAKChZ-TruL3Sm3GW9B3Nr1L3fsxDH_X95rGhm85rfXh9_zVJfg%40mail.gmail.com%3E
Any news on an upda
Hi Emmanuel,
On Fri, Aug 14, 2015 at 11:50:18AM +0200, Emmanuel Bourg wrote:
> On 14/08/2015 at 11:42, Salvatore Bonaccorso wrote:
>
> > Any news on an update for sid->stretch as well?
>
> I can't do it before the end of the month. I'll combine the fix with an
Hi,
On Sat, Aug 15, 2015 at 04:53:19PM +0200, gregor herrmann wrote:
> Control: tag -1 + unreproducible
>
> On Sat, 15 Aug 2015 14:34:29 +0100, Chris Lamb wrote:
>
> > Source: libmath-planepath-perl
> > Version: 119-1
> > Severity: serious
> > Justification: fails to build from source
> >
> > D
Hi Chris,
Thanks for the report. Like Gregor, I can confirm the FTBFS, and I know
it built fine at upload time. Looking at the different versions in
Build-Depends there was an update from subversion 1.8.x to 1.9.x which
might be a candidate.
Will look at it closer.
Regards,
Salvatore
Hi,
On Mon, Aug 17, 2015 at 06:27:13PM +0200, Salvatore Bonaccorso wrote:
> Hi Chris,
>
> Thanks for the report. Like Gregor, I can confirm the FTBFS, and I know
> it built fine at upload time. Looking at the different versions in
> Build-Depends there was an update from subversion
Source: vlc
Version: 2.2.0~rc2-2
Severity: grave
Tags: security upstream patch fixed-upstream
Justification: user security hole
Control: fixed -1 2.2.0~rc2-2+deb8u1
Hi,
the following vulnerability was published for vlc.
CVE-2015-5949[0]:
No description was found (try on a search engine)
If you
Source: qemu
Version: 1:2.1+dfsg-1
Severity: grave
Tags: security upstream patch
Hi,
the following vulnerability was published for qemu.
CVE-2015-5225[0]:
ui: vnc: heap memory corruption in vnc_refresh_server_surface
If you fix the vulnerability please also make sure to include the
CVE (Common
Source: criu
Version: 1.6-2
Severity: serious
I'm filing this bug as a blocking bug for criu for testing. Criu is by
now still a fast moving project and at this point it is not yet ready
to be effectively used in a stable release.
Hi Chris,
Upstream for SVN-Hooks looked into it so it seems to be triggered by a
subversion bug in 1.9:
On Sat, Aug 22, 2015 at 01:09:32PM -0700, Gustavo Chaves wrote:
> It seems that this is a bug on Subversion 1.9. I've just sent a
> message to the us...@subversion.apache.org list with the subj
Source: zendframework
Version: 1.12.9+dfsg-1
Severity: grave
Tags: upstream security
Justification: user security hole
Hi,
the following vulnerability was published for zendframework.
CVE-2016-10034[0]:
| The setFrom function in the Sendmail adapter in the zend-mail
| component before 2.4.11, 2.
Source: mysql-5.6
Version: 5.6.30-1
Severity: grave
Tags: security
Justification: user security hole
Hi
When installing mysql-server-5.6 in stretch and sid, mysqld is
started and does not bind to localhost only, but listens on *:
tcp LISTEN 0 80 :::mysql
close 850007 0.9.11+dfsg-1
close 850008 0.9.11+dfsg-1
thanks
Hi Reiner,
On Wed, Jan 04, 2017 at 11:21:05PM +, Debian Bug Tracking System wrote:
>* Add upstream fix for CVE-2017-5180 (Closes: #850160).
Thanks. The fix had a followup which does not seem to be applied, cf.
https://github.com/netblue30/firejail/issues/1020#issuecomment-270514760
Regar
Hi David,
On Sun, Mar 27, 2016 at 01:33:01PM +0200, Moritz Mühlenhoff wrote:
> On Sun, Feb 07, 2016 at 02:28:04PM -0400, David Prévot wrote:
> > Package: php-tcpdf
> > Version: 6.0.093+dfsg-1
> > Severity: serious
> > Tags: security upstream
> >
> > According to their changelog [1], upstream fixe