[Git][security-tracker-team/security-tracker][master] Claim graphicsmagick in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 9355996f by Markus Koschany at 2019-04-09T05:53:54Z Claim graphicsmagick in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -37,6 +37,8 @@ ghostscript NOTE: 20190327: need to backport 9.26b/9.27 when it comes out, like stable-security NOTE: 20190327: https://lists.debian.org/debian-lts/2019/03/msg00122.html -- +graphicsmagick (Markus Koschany) +-- hdf5 (Hugo Lefeuvre) NOTE: requires some prior triage, almost all cves undetermined. NOTE: upstream's bug tracker requires special permissions to open issues. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9355996f8042252f4e39961b790f9942677eb89d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
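Review bot: the new "graphicsmagick (Markus Koschany)" entry in the @@ -37,6 +37,8 @@ hunk has no NOTE line, while the neighbouring ghostscript and hdf5 entries each record their status. A dated NOTE naming the CVEs this claim is meant to cover would let other contributors see the scope without opening data/CVE/list.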
[Git][security-tracker-team/security-tracker][master] Mark open proftpd-issues as fixed in 1.3.5e-0+deb8u1
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: a8f4cc1e by Markus Koschany at 2019-04-08T23:51:22Z Mark open proftpd-issues as fixed in 1.3.5e-0+deb8u1 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4035,6 +4035,7 @@ CVE-2019-9625 (JBMC DirectAdmin 1.55 allows CSRF via the /CMD_ACCOUNT_ADMIN URI CVE-2019- [high memory usage with some long running sessions] - proftpd-dfsg 1.3.5d-1 (bug #923926) [stretch] - proftpd-dfsg (Minor issue) + [jessie] - proftpd-dfsg 1.3.5e-0+deb8u1 NOTE: https://github.com/proftpd/proftpd/issues/330#issuecomment-276891713 NOTE: https://forum.armbian.com/topic/9692-nanopi-neo-2-memory-leak-in-proftpd-even-worse-if-ssl-encrypted/?do=findComment=73069 CVE-2019-9624 (Webmin 1.900 allows remote attackers to execute arbitrary code by leve ...) @@ -165553,7 +165554,7 @@ CVE-2015-8377 (SQL injection vulnerability in the host_new_graphs_save function NOTE: http://seclists.org/fulldisclosure/2015/Dec/att-57/cacti_sqli%281%29.txt CVE-2015- [Avoid unbounded SFTP extended attribute key/values] - proftpd-dfsg 1.3.5b-1 - [jessie] - proftpd-dfsg (Minor issue; can be fixed in point release) + [jessie] - proftpd-dfsg 1.3.5e-0+deb8u1 [wheezy] - proftpd-dfsg (Minor issue; can be fixed in point release) [squeeze] - proftpd-dfsg (Vulnerable code not present) NOTE: http://bugs.proftpd.org/show_bug.cgi?id=4210 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a8f4cc1eb14efa3f0ec48e3f6bdbc75c6ac408ca
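Review bot: in the @@ -4035,6 +4035,7 @@ hunk the added jessie line gives 1.3.5e-0+deb8u1 as the fixed version, which is a later upstream letter release than the 1.3.5d-1 recorded for unstable in the same entry, while stretch stays at "Minor issue". A NOTE stating that jessie moved to the 1.3.5e upstream release would make clear the version is intended. The commit also touches only data/CVE/list, so a matching data/DLA/list entry is not part of it; worth confirming the upload exists before the tracker shows jessie as fixed.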
[Git][security-tracker-team/security-tracker][master] data/CVE/list: Drop jessie/no-dsa tags for all currently open samba issues....
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 1aabe8d7 by Mike Gabriel at 2019-04-08T23:12:50Z data/CVE/list: Drop jessie/no-dsa tags for all currently open samba issues. Patches ported over from Ubuntu, upload in-prep. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -80131,7 +80131,6 @@ CVE-2018-1058 (A flaw was found in the way Postgresql allowed a user to modify t CVE-2018-1057 (On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 ...) {DSA-4135-1} - samba 2:4.7.4+dfsg-2 - [jessie] - samba (Too intrusive to backport) [wheezy] - samba (Vulnerable code introduced later in 4.0.0alpha13) NOTE: https://www.samba.org/samba/security/CVE-2018-1057.html NOTE: https://wiki.samba.org/index.php/CVE-2018-1057 @@ -80172,7 +80171,6 @@ CVE-2018-1051 (It was found that the fix for CVE-2016-9606 in versions 3.0.22 an CVE-2018-1050 (All versions of Samba from 4.0.0 onwards are vulnerable to a denial of ...) {DSA-4135-1 DLA-1320-1} - samba 2:4.7.4+dfsg-2 - [jessie] - samba (Minor issue) NOTE: https://www.samba.org/samba/security/CVE-2018-1050.html CVE-2018-1049 (In systemd prior to 234 a race condition exists between .mount and .au ...) {DLA-1580-1} 
@@ -106261,7 +106259,6 @@ CVE-2017-9462 (In Mercurial before 4.1.3, "hg serve --stdio" allows remote authe NOTE: https://www.mercurial-scm.org/repo/hg/rev/77eaf9539499 CVE-2017-9461 (smbd in Samba before 4.4.10 and 4.5.x before 4.5.6 has a denial of ser ...) - samba 2:4.5.6+dfsg-1 (bug #864291) - [jessie] - samba (Minor issue) [wheezy] - samba (Minor, non reproducible issue) NOTE: https://git.samba.org/?p=samba.git;a=commitdiff;h=10c3e3923022485c720f322ca4f0aca5d7501310 NOTE: https://bugzilla.samba.org/show_bug.cgi?id=12572 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1aabe8d79843ac45abbe4d14d3fd126ffab82afd
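Review bot: the first hunk (@@ -80131,7 +80131,6 @@, CVE-2018-1057) deletes "[jessie] - samba (Too intrusive to backport)", which is a different rationale from the "Minor issue" lines dropped for CVE-2018-1050 and CVE-2017-9461. The commit message says patches were ported over from Ubuntu; a NOTE on CVE-2018-1057 pointing at that backport would record why the earlier assessment no longer applies.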
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Re-add poppler.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: a2b9c138 by Mike Gabriel at 2019-04-08T21:23:07Z data/dla-needed.txt: Re-add poppler. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -78,6 +78,9 @@ linux-4.9 (Ben Hutchings) polarssl NOTE: 20181207: Not 100% sure if vulnerable. Upstream would prefer us to move to latest version, etc. (!). (lamby) -- +poppler + NOTE: 20190408: No known upstream patches available for remaining open CVEs (sunweaver) +-- proftpd-dfsg (Markus Koschany) NOTE: 20190405: Waiting for maintainer feedback. Package is ready for upload. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a2b9c1380a4fc208720ad0498f0f99cca3c79df0
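Review bot: the NOTE added in the @@ -78,6 +78,9 @@ hunk refers to "remaining open CVEs" without naming them. Listing the CVE ids in the NOTE would let whoever picks up the unclaimed poppler entry check for upstream patches without re-deriving the list.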
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1752-1 for poppler
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: ac2ae680 by Mike Gabriel at 2019-04-08T21:20:51Z Reserve DLA-1752-1 for poppler - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[08 Apr 2019] DLA-1752-1 poppler - security update + {CVE-2019-9631} + [jessie] - poppler 0.26.5-2+deb8u9 [08 Apr 2019] DLA-1751-1 suricata - security update {CVE-2018-10242 CVE-2018-10243} [jessie] - suricata 2.0.7-2+deb8u4 = data/dla-needed.txt = @@ -78,11 +78,6 @@ linux-4.9 (Ben Hutchings) polarssl NOTE: 20181207: Not 100% sure if vulnerable. Upstream would prefer us to move to latest version, etc. (!). (lamby) -- -poppler (Mike Gabriel) - NOTE: 20190325: fix in-progress for CVE-2019-9631 - NOTE: 20190325: no fix yet for CVE-2019-9543 nor CVE-2019-9545 - NOTE: 20190325: fix available for CVE-2019-9903 --- proftpd-dfsg (Markus Koschany) NOTE: 20190405: Waiting for maintainer feedback. Package is ready for upload. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ac2ae6800f8c481c260ac53c622c7808ba5c25bb
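Review bot: the data/dla-needed.txt hunk removes the whole poppler entry, but the DLA-1752-1 entry added in data/DLA/list covers only CVE-2019-9631, while the removed NOTEs record CVE-2019-9543 and CVE-2019-9545 as having no fix yet and CVE-2019-9903 as having a fix available. Either include CVE-2019-9903 in DLA-1752-1 or keep a poppler entry in dla-needed.txt in the same commit so those three stay tracked.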
[Git][security-tracker-team/security-tracker][master] claim samba
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 44f9e527 by Mike Gabriel at 2019-04-08T21:18:44Z claim samba - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -103,7 +103,7 @@ python3.4 (Roberto C. Sánchez) qemu (Emilio) NOTE: CVE-2018-19665: wait for final patch -- -samba +samba (Mike Gabriel) NOTE: https://lists.debian.org/debian-lts/2019/04/msg00063.html -- sox View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/44f9e527d545575868d7280dd52b426dab563d61
[Git][security-tracker-team/security-tracker][master] Setting CVE-2019-10018 (poppler) to ignored for jessie (agreeing with security team's evaluation).
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: fda9575f by Mike Gabriel at 2019-04-08T21:02:38Z Setting CVE-2019-10018 (poppler) to ignored for jessie (agreeing with security teams evaluation). - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2248,6 +2248,7 @@ CVE-2019-10019 (An issue was discovered in Xpdf 4.01.01. There is an FPE in the CVE-2019-10018 (An issue was discovered in Xpdf 4.01.01. There is an FPE in the functi ...) - poppler (bug #926133) [stretch] - poppler (Minor issue) + [jessie] - poppler (Minor issue) NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3=41276 (PostScriptFunction::e...@function.cc:1374-42___FPE PoC) CVE-2019-10017 (CMS Made Simple 2.2.10 has XSS via the moduleinterface.php Name field, ...) NOT-FOR-US: CMS Made Simple View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fda9575f2af755d4f53918f16d66cdf6a438bd6e
[Git][security-tracker-team/security-tracker][master] 2 commits: Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9773102f by Salvatore Bonaccorso at 2019-04-08T20:50:34Z Process NFUs - - - - - 31a14077 by Salvatore Bonaccorso at 2019-04-08T20:50:35Z Add CVE-2019-10914/matrixssl - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32,7 +32,7 @@ CVE-2019-11003 (In Materialize through 1.0.0, XSS is possible via the Autocomple CVE-2019-11002 (In Materialize through 1.0.0, XSS is possible via the Tooltip feature. ...) TODO: check CVE-2019-11001 (On Reolink RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W devices th ...) - TODO: check + NOT-FOR-US: Reolink devices CVE-2019-11000 RESERVED CVE-2019-10999 @@ -206,7 +206,9 @@ CVE-2019-10916 CVE-2019-10915 RESERVED CVE-2019-10914 (pubRsaDecryptSignedElementExt in MatrixSSL, as used in Inside Secure T ...) - TODO: check + - matrixssl + NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1785 + NOTE: https://github.com/matrixssl/matrixssl/issues/26 CVE-2019-10913 RESERVED CVE-2019-10912 @@ -375,7 +377,7 @@ CVE-2019-10847 CVE-2019-10846 RESERVED CVE-2019-10845 (An issue was discovered in Uniqkey Password Manager 1.14. When enterin ...) - TODO: check + NOT-FOR-US: Uniqkey Password Manager CVE-2019-10844 (nbla/logger.cpp in libnnabla.a in Sony Neural Network Libraries (aka n ...) NOT-FOR-US: Sony CVE-2019-10843 @@ -826,7 +828,7 @@ CVE-2019-10678 (Domoticz before 4.10579 neglects to categorize \n and \r as inse CVE-2019-10677 RESERVED CVE-2019-10676 (An issue was discovered in Uniqkey Password Manager 1.14. Upon enterin ...) - TODO: check + NOT-FOR-US: Uniqkey Password Manager CVE-2019-10675 REJECTED CVE-2019-10674 @@ -16725,7 +16727,7 @@ CVE-2019-4212 CVE-2019-4211 RESERVED CVE-2019-4210 (IBM QRadar SIEM 7.3.2 could allow a user to bypass authentication expo ...) - TODO: check + NOT-FOR-US: IBM CVE-2019-4209 RESERVED CVE-2019-4208 
@@ -16835,7 +16837,7 @@ CVE-2019-4157 CVE-2019-4156 RESERVED CVE-2019-4155 (IBM API Connect's Developer Portal 2018.1 and 2018.4.1.3 is impacted b ...) - TODO: check + NOT-FOR-US: IBM CVE-2019-4154 RESERVED CVE-2019-4153 @@ -16859,7 +16861,7 @@ CVE-2019-4145 CVE-2019-4144 RESERVED CVE-2019-4143 (The IBM Cloud Private Key Management Service (IBM Cloud Private 3.1.1 ...) - TODO: check + NOT-FOR-US: IBM CVE-2019-4142 RESERVED CVE-2019-4141 @@ -17043,7 +17045,7 @@ CVE-2019-4053 CVE-2019-4052 (IBM API Connect 2018.1 and 2018.4.1.2 apis can be leveraged by unauthe ...) NOT-FOR-US: IBM CVE-2019-4051 (Some URIs in IBM API Connect 2018.1 and 2018.4.1.3 disclose system spe ...) - TODO: check + NOT-FOR-US: IBM CVE-2019-4050 RESERVED CVE-2019-4049 @@ -17055,7 +17057,7 @@ CVE-2019-4047 CVE-2019-4046 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable ...) NOT-FOR-US: IBM CVE-2019-4045 (IBM Business Automation Workflow and IBM Business Process Manager 18.0 ...) - TODO: check + NOT-FOR-US: IBM CVE-2019-4044 RESERVED CVE-2019-4043 (IBM Sterling B2B Integrator Standard Edition 5.2.0 snf 6.0.0.0 is vuln ...) @@ -19541,7 +19543,7 @@ CVE-2018-20343 CVE-2018-20342 (The Floureon IP Camera SP012 provides a root terminal on a UART serial ...) NOT-FOR-US: Floureon IP Camera SP012 CVE-2018-20341 (WINMAGIC SecureDoc Disk Encryption before 8.3 has an Unquoted Search P ...) - TODO: check + NOT-FOR-US: WINMAGIC SecureDoc Disk Encryption CVE-2018-20340 (Yubico libu2f-host 1.1.6 contains unchecked buffers in devs.c, which c ...) {DSA-4389-1} - libu2f-host 1.1.7-1 (bug #921726) 
@@ -110880,7 +110882,7 @@ CVE-2017-7914 (A Missing Authorization issue was discovered in Rockwell Automati CVE-2017-7913 (A Plaintext Storage of a Password issue was discovered in Moxa OnCell ...) NOT-FOR-US: Moxa CVE-2017-7912 (Hanwha Techwin SRN-4000, SRN-4000 firmware versions prior to SRN4000_v ...) - TODO: check + NOT-FOR-US: Hanwha Techwin firmware CVE-2017-7911 (A Code Injection issue was discovered in CyberVision Kaa IoT Platform, ...) NOT-FOR-US: CyberVision Kaa IoT Platform CVE-2017-7910 (A Stack-Based Buffer Overflow issue was discovered in Digital Canal St ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/0de708c7add105a8b6c7494113d1bfad170d2673...31a1407736f4f3a6e9c01248915f5cc36b79de39
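Review bot: in the @@ -206,7 +206,9 @@ hunk the CVE-2019-10914 entry gets NOTEs for the Project Zero report and the upstream matrixssl issue, but none for a fixing commit or release. If upstream has not fixed it yet, a NOTE saying so would save the next triager from searching for one.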
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for systemd update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0de708c7 by Salvatore Bonaccorso at 2019-04-08T20:33:29Z Reserve DSA number for systemd update - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[08 Apr 2019] DSA-4428-1 systemd - security update + {CVE-2019-3842} + [stretch] - systemd 232-25+deb9u11 [08 Apr 2019] DSA-4427-1 samba - security update {CVE-2019-3880} [stretch] - samba 2:4.5.16+dfsg-1+deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0de708c7add105a8b6c7494113d1bfad170d2673
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-11005/graphicsmagick
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 48168793 by Salvatore Bonaccorso at 2019-04-08T20:27:35Z Add CVE-2019-11005/graphicsmagick - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22,7 +22,9 @@ CVE-2019-11006 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-base NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/f7610c1281c1 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/598/ CVE-2019-11005 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a stack-based buf ...) - TODO: check + - graphicsmagick + NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/b6fb77d7d54d + NOTE: https://sourceforge.net/p/graphicsmagick/bugs/600/ CVE-2019-11004 (In Materialize through 1.0.0, XSS is possible via the Toast feature. ...) TODO: check CVE-2019-11003 (In Materialize through 1.0.0, XSS is possible via the Autocomplete fea ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/481687936fbba8bd1f46af2a880e41cb10e5e0e6
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-11006/graphicsmagick
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 57f34c9b by Salvatore Bonaccorso at 2019-04-08T20:24:21Z Add CVE-2019-11006/graphicsmagick - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18,7 +18,9 @@ CVE-2019-11007 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-base NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/86a9295e7c83 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/596/ CVE-2019-11006 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buff ...) - TODO: check + - graphicsmagick + NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/f7610c1281c1 + NOTE: https://sourceforge.net/p/graphicsmagick/bugs/598/ CVE-2019-11005 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a stack-based buf ...) TODO: check CVE-2019-11004 (In Materialize through 1.0.0, XSS is possible via the Toast feature. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/57f34c9b8ba9be7b06ea49072b7c6463b02db357
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-11007/graphicsmagick
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0f5dc6e1 by Salvatore Bonaccorso at 2019-04-08T20:23:22Z Add CVE-2019-11007/graphicsmagick - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13,7 +13,10 @@ CVE-2019-11008 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-base NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/d823d23a474b NOTE: https://sourceforge.net/p/graphicsmagick/bugs/599/ CVE-2019-11007 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buff ...) - TODO: check + - graphicsmagick + NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/40fc71472b98 + NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/86a9295e7c83 + NOTE: https://sourceforge.net/p/graphicsmagick/bugs/596/ CVE-2019-11006 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buff ...) TODO: check CVE-2019-11005 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a stack-based buf ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0f5dc6e1f1b914882e57b6a287bd33602e8e1085
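Review bot: the CVE-2019-11007 entry in the @@ -13,7 +13,10 @@ hunk lists two upstream revisions (40fc71472b98 and 86a9295e7c83) with no indication of how they relate. A short annotation on each NOTE, for example which one is the initial fix and which a follow-up, would help anyone backporting to pick up both.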
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-11008/graphicsmagick
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 509848a1 by Salvatore Bonaccorso at 2019-04-08T20:18:03Z Add CVE-2019-11008/graphicsmagick - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9,7 +9,9 @@ CVE-2019-11009 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-base NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/7cff2b1792de NOTE: https://sourceforge.net/p/graphicsmagick/bugs/597/ CVE-2019-11008 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buff ...) - TODO: check + - graphicsmagick + NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/d823d23a474b + NOTE: https://sourceforge.net/p/graphicsmagick/bugs/599/ CVE-2019-11007 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buff ...) TODO: check CVE-2019-11006 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buff ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/509848a14f1bbaaa5bf127a6d6200921cdaa0d9a
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-11009/graphicsmagick
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eee61377 by Salvatore Bonaccorso at 2019-04-08T20:16:51Z Add CVE-2019-11009/graphicsmagick - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,7 +5,9 @@ CVE-2019-11010 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a memory le NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/a348d9661019 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/601/ CVE-2019-11009 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buff ...) - TODO: check + - graphicsmagick + NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/7cff2b1792de + NOTE: https://sourceforge.net/p/graphicsmagick/bugs/597/ CVE-2019-11008 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buff ...) TODO: check CVE-2019-11007 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buff ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/eee613778383727150fbc51686bdb32253e6ab8a
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-11010/graphicsmagick
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3ab0202d by Salvatore Bonaccorso at 2019-04-08T20:15:12Z Add CVE-2019-11010/graphicsmagick - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,9 @@ CVE-2019-11011 RESERVED CVE-2019-11010 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a memory leak in ...) - TODO: check + - graphicsmagick + NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/a348d9661019 + NOTE: https://sourceforge.net/p/graphicsmagick/bugs/601/ CVE-2019-11009 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buff ...) TODO: check CVE-2019-11008 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buff ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3ab0202d81d5b7b1123c17ac348f3adaaef79458
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1751-1 for suricata
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 703a234f by Hugo Lefeuvre at 2019-04-08T20:11:10Z Reserve DLA-1751-1 for suricata - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[08 Apr 2019] DLA-1751-1 suricata - security update + {CVE-2018-10242 CVE-2018-10243} + [jessie] - suricata 2.0.7-2+deb8u4 [07 Apr 2019] DLA-1750-1 roundup - security update {CVE-2019-10904} [jessie] - roundup 1.4.20-1.1+deb8u2 = data/dla-needed.txt = @@ -110,9 +110,6 @@ sox NOTE: 20190305: CVE-2019-835{4,5,6,7} no upstream patch yet, might take some time. NOTE: Check again later. - hle -- -suricata (Hugo Lefeuvre) - NOTE: three CVEs remaining, we should either release a dla or triage no-dsa. --- wget (Thorsten Alteholz) -- wordpress View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/703a234f9212c96a13052337d180b0f72a11f246
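Review bot: the data/dla-needed.txt hunk drops the suricata entry whose NOTE says "three CVEs remaining", but the DLA-1751-1 entry added in data/DLA/list names only CVE-2018-10242 and CVE-2018-10243. The third CVE should either be added to the DLA or be given an explicit jessie status in data/CVE/list, so that removing the entry does not leave it untracked.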
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7829451a by security tracker role at 2019-04-08T20:10:19Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,199 @@ +CVE-2019-11011 + RESERVED +CVE-2019-11010 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a memory leak in ...) + TODO: check +CVE-2019-11009 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buff ...) + TODO: check +CVE-2019-11008 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buff ...) + TODO: check +CVE-2019-11007 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buff ...) + TODO: check +CVE-2019-11006 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buff ...) + TODO: check +CVE-2019-11005 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a stack-based buf ...) + TODO: check +CVE-2019-11004 (In Materialize through 1.0.0, XSS is possible via the Toast feature. ...) + TODO: check +CVE-2019-11003 (In Materialize through 1.0.0, XSS is possible via the Autocomplete fea ...) + TODO: check +CVE-2019-11002 (In Materialize through 1.0.0, XSS is possible via the Tooltip feature. ...) + TODO: check +CVE-2019-11001 (On Reolink RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W devices th ...) 
+ TODO: check +CVE-2019-11000 + RESERVED +CVE-2019-10999 + RESERVED +CVE-2019-10998 + RESERVED +CVE-2019-10997 + RESERVED +CVE-2019-10996 + RESERVED +CVE-2019-10995 + RESERVED +CVE-2019-10994 + RESERVED +CVE-2019-10993 + RESERVED +CVE-2019-10992 + RESERVED +CVE-2019-10991 + RESERVED +CVE-2019-10990 + RESERVED +CVE-2019-10989 + RESERVED +CVE-2019-10988 + RESERVED +CVE-2019-10987 + RESERVED +CVE-2019-10986 + RESERVED +CVE-2019-10985 + RESERVED +CVE-2019-10984 + RESERVED +CVE-2019-10983 + RESERVED +CVE-2019-10982 + RESERVED +CVE-2019-10981 + RESERVED +CVE-2019-10980 + RESERVED +CVE-2019-10979 + RESERVED +CVE-2019-10978 + RESERVED +CVE-2019-10977 + RESERVED +CVE-2019-10976 + RESERVED +CVE-2019-10975 + RESERVED +CVE-2019-10974 + RESERVED +CVE-2019-10973 + RESERVED +CVE-2019-10972 + RESERVED +CVE-2019-10971 + RESERVED +CVE-2019-10970 + RESERVED +CVE-2019-10969 + RESERVED +CVE-2019-10968 + RESERVED +CVE-2019-10967 + RESERVED +CVE-2019-10966 + RESERVED +CVE-2019-10965 + RESERVED +CVE-2019-10964 + RESERVED +CVE-2019-10963 + RESERVED +CVE-2019-10962 + RESERVED +CVE-2019-10961 + RESERVED +CVE-2019-10960 + RESERVED +CVE-2019-10959 + RESERVED +CVE-2019-10958 + RESERVED +CVE-2019-10957 + RESERVED +CVE-2019-10956 + RESERVED +CVE-2019-10955 + RESERVED +CVE-2019-10954 + RESERVED +CVE-2019-10953 + RESERVED +CVE-2019-10952 + RESERVED +CVE-2019-10951 + RESERVED +CVE-2019-10950 + RESERVED +CVE-2019-10949 + RESERVED +CVE-2019-10948 + RESERVED +CVE-2019-10947 + RESERVED +CVE-2019-10946 + RESERVED +CVE-2019-10945 + RESERVED +CVE-2019-10944 + RESERVED +CVE-2019-10943 + RESERVED +CVE-2019-10942 + RESERVED +CVE-2019-10941 + RESERVED +CVE-2019-10940 + RESERVED +CVE-2019-10939 + RESERVED +CVE-2019-10938 + RESERVED +CVE-2019-10937 + RESERVED +CVE-2019-10936 + RESERVED +CVE-2019-10935 + RESERVED +CVE-2019-10934 + RESERVED +CVE-2019-10933 + RESERVED +CVE-2019-10932 + RESERVED +CVE-2019-10931 + RESERVED +CVE-2019-10930 + RESERVED +CVE-2019-10929 + RESERVED +CVE-2019-10928 + RESERVED 
+CVE-2019-10927 + RESERVED +CVE-2019-10926 + RESERVED +CVE-2019-10925 + RESERVED +CVE-2019-10924 + RESERVED +CVE-2019-10923 + RESERVED +CVE-2019-10922 + RESERVED +CVE-2019-10921 + RESERVED +CVE-2019-10920 + RESERVED +CVE-2019-10919 + RESERVED +CVE-2019-10918 + RESERVED +CVE-2019-10917 + RESERVED +CVE-2019-10916 + RESERVED +CVE-2019-10915 + RESERVED +CVE-2019-10914 (pubRsaDecryptSignedElementExt in MatrixSSL, as used in Inside Secure T ...) + TODO: check CVE-2019-10913 RESERVED CVE-2019-10912 @@ -12,7 +208,7 @@ CVE-2019-10908 (In Airsonic 10.2.1, RecoverController.java generates passwords v NOT-FOR-US: Airsonic CVE-2019-10907 (Airsonic 10.2.1 uses Spring's default remember-me mechanism based on M ...) NOT-FOR-US: Airsonic -CVE-2016-10745 [issue related to CVE-2019-10906, str.format vulnerability] +CVE-2016-10745 (In Pallets Jinja before 2.8.1, str.format allows a sandbox escape. ...) - jinja2 2.9.4-1 NOTE: Fixed by:
[Git][security-tracker-team/security-tracker][master] update fixed status for a number of older nodejs and node-foo packages
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c9d96e49 by Moritz Muehlenhoff at 2019-04-08T19:19:58Z update fixed status for a number of older nodejs and node-foo packages - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -47982,17 +47982,17 @@ CVE-2018-12125 CVE-2018-12124 RESERVED CVE-2018-12123 (Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11. ...) - - nodejs (unimportant) + - nodejs 10.15.0~dfsg-6 (unimportant) NOTE: https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ NOTE: Nodejs not covered by security support NOTE: Patch (v8): https://github.com/nodejs/node/commit/53a6e4eb2002efc66eb9aefe24529fb63715094e CVE-2018-12122 (Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11. ...) - - nodejs (unimportant) + - nodejs 10.15.0~dfsg-6 (unimportant) NOTE: https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ NOTE: Nodejs not covered by security support NOTE: Patch (v8): https://github.com/nodejs/node/commit/696f063c5e9157fd10859515da00fd8bd190d76d CVE-2018-12121 (Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11. ...) - - nodejs (unimportant) + - nodejs 10.15.0~dfsg-6 (unimportant) NOTE: https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ NOTE: Nodejs not covered by security support NOTE: Patch (v8): https://github.com/nodejs/node/commit/93dba83fb0fb46ee2ea87163f435392490b4d59b 
@@ -48009,12 +48009,13 @@ CVE-2018-12118 CVE-2018-12117 RESERVED CVE-2018-12116 (Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request ...) - - nodejs (unimportant) + - nodejs 10.15.0~dfsg-6 (unimportant) NOTE: https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ NOTE: Nodejs not covered by security support NOTE: Patch (v8): https://github.com/nodejs/node/commit/513e9747a22386bc9c93a12f9698561827a1e631 + NOTE: Only affects 6.x and 8.x, marking first 10.x release as fixed CVE-2018-12115 (In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when use ...) - - nodejs (unimportant) + - nodejs 10.15.0~dfsg-6 (unimportant) NOTE: https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/ NOTE: Nodejs not covered by security support NOTE: https://github.com/nodejs/node/commit/fc14d812b7 
@@ -61711,17 +61712,17 @@ CVE-2018-7169 (An issue was discovered in shadow 4.5. newgidmap (in shadow-utils CVE-2018-7168 RESERVED CVE-2018-7167 (Calling Buffer.fill() or Buffer.alloc() with some parameters can lead ...) - - nodejs (unimportant) + - nodejs 10.15.0~dfsg-6 (unimportant) NOTE: https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/#calls-to-buffer-fill-and-or-buffer-alloc-may-hang-cve-2018-7167 + NOTE: Doesn't affect 10.x, marking first 10.x upload to sid as fixed CVE-2018-7166 (In all versions of Node.js 10 prior to 10.9.0, an argument processing ...) - [experimental] - nodejs - nodejs (Only affects 10.x and later) NOTE: https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/ NOTE: https://github.com/nodejs/node/commit/40a7beeddac9b9ec9ef5b49157daaf8470648b08 CVE-2018-7165 RESERVED CVE-2018-7164 (Node.js versions 9.7.0 and later and 10.x are vulnerable and the sever ...) - - nodejs (unimportant) + - nodejs 10.15.0~dfsg-6 (unimportant) [stretch] - nodejs (Only affects >= 9.x) [jessie] - nodejs (Only affects >= 9.x) NOTE: https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/#memory-exhaustion-dos-on-v9-x-cve-2018-7164 
@@ -61729,24 +61730,24 @@ CVE-2018-7164 (Node.js versions 9.7.0 and later and 10.x are vulnerable and the CVE-2018-7163 RESERVED CVE-2018-7162 (All versions of Node.js 9.x and 10.x are vulnerable and the severity i ...) - - nodejs (unimportant) + - nodejs 10.15.0~dfsg-6 (unimportant) [stretch] - nodejs (Only affects >= 8.x) [jessie] - nodejs (Only affects >= 8.x) NOTE: https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/#denial-of-service-vulnerability-in-tls-cve-2018-7162 NOTE: https://github.com/nodejs/node/commit/0cb3325f1 CVE-2018-7161 (All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the seve ...) - - nodejs (unimportant) + - nodejs 10.15.0~dfsg-6 (unimportant) [stretch] - nodejs (Only affects >= 8.x) [jessie] - nodejs (Only affects >= 8.x) NOTE: https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/#denial-of-service-vulnerability-in-http-2-cve-2018-7161
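Review bot: the two added NOTE lines record the same decision in different words, "marking first 10.x release as fixed" under CVE-2018-12116 and "marking first 10.x upload to sid as fixed" under CVE-2018-7167, while both entries receive the same version 10.15.0~dfsg-6. Use one wording for both; the "upload to sid" form states what that version is and avoids reading "first 10.x release" as an upstream release number.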
[Git][security-tracker-team/security-tracker][master] 2 commits: Remove TODO item for CVE-2019-9631/poppler
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e10df915 by Salvatore Bonaccorso at 2019-04-08T19:11:41Z Remove TODO item for CVE-2019-9631/poppler - - - - - ba4ae95a by Salvatore Bonaccorso at 2019-04-08T19:15:56Z Add Debian bug reference for CVE-2019-9631/poppler - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3800,10 +3800,9 @@ CVE-2019-9633 (gio/gsocketclient.c in GNOME GLib 2.59.2 does not ensure that a p CVE-2019-9632 (ESAFENET CDG V3 and V5 has an arbitrary file download vulnerability vi ...) NOT-FOR-US: ESAFENET CDG CVE-2019-9631 (Poppler 0.74.0 has a heap-based buffer over-read in the CairoRescaleBo ...) - - poppler + - poppler (bug #926673) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/736 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/8122f6d6d409b53151a20c5578fc525ee97315e8 - TODO: check details CVE-2019-9630 RESERVED CVE-2019-9629 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/3c5219d6f6f32823a1521ee9c2e510838c61fd2c...ba4ae95aae8e3549c778a5e289a4d8d082abe7d9
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-0542/node-xterm
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c5219d6 by Salvatore Bonaccorso at 2019-04-08T19:08:45Z Add Debian bug reference for CVE-2019-0542/node-xterm - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27415,7 +27415,7 @@ CVE-2019-0544 CVE-2019-0543 (An elevation of privilege vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2019-0542 (A remote code execution vulnerability exists in Xterm.js when the comp ...) - - node-xterm (unimportant) + - node-xterm (unimportant; bug #926670) NOTE: nodejs not covered by security support CVE-2019-0541 (A remote code execution vulnerability exists in the way that the MSHTM ...) NOT-FOR-US: Microsoft View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3c5219d6f6f32823a1521ee9c2e510838c61fd2c
[Git][security-tracker-team/security-tracker][master] ffmpeg, podofo bugs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9ed79f37 by Moritz Muehlenhoff at 2019-04-08T18:50:08Z ffmpeg, podofo bugs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -413,7 +413,7 @@ CVE-2019-10725 CVE-2019-10724 RESERVED CVE-2019-10723 (An issue was discovered in PoDoFo 0.9.6. The PdfPagesTreeCache class i ...) - - libpodofo + - libpodofo (bug #926667) [jessie] - libpodofo (DoS, not used by any sponsor) NOTE: https://sourceforge.net/p/podofo/tickets/46/ CVE-2019-1003099 (A missing permission check in Jenkins openid Plugin in the OpenIdSsoSe ...) @@ -3527,7 +3527,7 @@ CVE-2019-9723 CVE-2019-9722 RESERVED CVE-2019-9721 (A denial of service in the subtitle decoder in FFmpeg 4.1 allows attac ...) - - ffmpeg + - ffmpeg (bug #92) [stretch] - ffmpeg (Vulnerable code not present) NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/894995c41e0795c7a44f81adc4838dedc3932e65 CVE-2019-9720 @@ -3535,7 +3535,7 @@ CVE-2019-9720 CVE-2019-9719 RESERVED CVE-2019-9718 (In FFmpeg 4.1, a denial of service in the subtitle decoder allows atta ...) - - ffmpeg (low) + - ffmpeg (low; bug #92) [stretch] - ffmpeg (Wait until fixed in 3.2.x release) NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/1f00c97bc3475c477f3c468cf2d924d5761d0982 CVE-2019-9717 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9ed79f375e586e14a67ef57fd1a704940b4c9a82
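Review bot: the bug reference added to both ffmpeg entries, `(bug #92)` on CVE-2019-9721 and `(low; bug #92)` on CVE-2019-9718, is two digits long while the libpodofo reference added in the same commit is #926667, so it reads as cut short. Confirm the intended bug number, and whether the two CVEs really share one bug, before the entries are used for cross-referencing.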
[Git][security-tracker-team/security-tracker][master] Mark poppler in jessie as not affected by CVE-2019-9903.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 579869f3 by Mike Gabriel at 2019-04-08T18:24:51Z Mark poppler in jessie as not affected by CVE-2019-9903. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2310,6 +2310,7 @@ CVE-2019-9904 (An issue was discovered in lib\cdt\dttree.c in libcdt.a in graphv NOTE: https://gitlab.com/graphviz/graphviz/issues/1512 CVE-2019-9903 (PDFDoc::markObject in PDFDoc.cc in Poppler 0.74.0 mishandles dict mark ...) - poppler (bug #925264) + [jessie] - poppler (Vulnerable code not present) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/741 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/fada09a2ccc11a3a1d308e810f1336d8df6011fd CVE-2019-9902 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/579869f33bf3331b77c7838c62607ca878f7e753
[Git][security-tracker-team/security-tracker][master] 2 commits: poppler in jessie: not affected by CVE-2019-10873
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 6953ca4e by Mike Gabriel at 2019-04-08T18:17:21Z poppler in jessie: not affected by CVE-2019-10873 - - - - - e8d48c61 by Mike Gabriel at 2019-04-08T18:20:58Z CVE-2019-9631 (poppler): Add note with patch URL. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -106,6 +106,7 @@ CVE-2019-10874 (Cross Site Request Forgery (CSRF) in the bolt/upload File Upload NOT-FOR-US: Bolt CMS CVE-2019-10873 (An issue was discovered in Poppler 0.74.0. There is a NULL pointer der ...) - poppler (bug #926532) + [jessie] - poppler (vulnerable code is not present) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/748 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/8dbe2e6c480405dab9347075cf4be626f90f1d05 CVE-2019-10872 (An issue was discovered in Poppler 0.74.0. There is a heap-based buffe ...) @@ -3800,6 +3801,7 @@ CVE-2019-9632 (ESAFENET CDG V3 and V5 has an arbitrary file download vulnerabili CVE-2019-9631 (Poppler 0.74.0 has a heap-based buffer over-read in the CairoRescaleBo ...) - poppler NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/736 + NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/8122f6d6d409b53151a20c5578fc525ee97315e8 TODO: check details CVE-2019-9630 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/8dc79a3fbfda82f058d135e60d46749f0e659626...e8d48c614e7cba2217a080d0cf2905e72fb9da14
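Review bot: the reason string on the added CVE-2019-10873 line, `(vulnerable code is not present)`, differs from the `(Vulnerable code not present)` form used for the same verdict on the CVE-2019-9903 poppler entry. Use the one spelling throughout so a plain text search over data/CVE/list finds every not-affected entry for jessie.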
[Git][security-tracker-team/security-tracker][master] 2 commits: dla: libpodofo/CVE-2019-10723: ignored
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 704eca22 by Sylvain Beucler at 2019-04-08T17:51:43Z dla: libpodofo/CVE-2019-10723: ignored - - - - - 8dc79a3f by Sylvain Beucler at 2019-04-08T17:52:05Z dla: add claws-mail - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -413,6 +413,7 @@ CVE-2019-10724 RESERVED CVE-2019-10723 (An issue was discovered in PoDoFo 0.9.6. The PdfPagesTreeCache class i ...) - libpodofo + [jessie] - libpodofo (DoS, not used by any sponsor) NOTE: https://sourceforge.net/p/podofo/tickets/46/ CVE-2019-1003099 (A missing permission check in Jenkins openid Plugin in the OpenIdSsoSe ...) NOT-FOR-US: Jenkins openid Plugin = data/dla-needed.txt = @@ -19,6 +19,9 @@ checkstyle (Adrian Bunk) -- clamav (Ola Lundqvist) -- +claws-mail + NOTE: 20190408: patch not yet available +-- evolution -- evolution-data-server View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/f6a44b487909d655ebd29f358ff797b69f4e2fc9...8dc79a3fbfda82f058d135e60d46749f0e659626
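Review bot: the new claws-mail entry in data/dla-needed.txt says only `NOTE: 20190408: patch not yet available`, without naming the CVE or an upstream reference, so whoever picks the package up cannot tell which issue to watch. Add the CVE id or the upstream bug URL to the NOTE.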
[Git][security-tracker-team/security-tracker][master] LTS/python2.7, python3.4, python-urllib3 status update
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: b92b976a by Roberto C. Sánchez at 2019-04-08T16:41:46Z LTS/python2.7, python3.4, python-urllib3 status update - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -39,12 +39,12 @@ hdf5 (Hugo Lefeuvre) NOTE: upstream's bug tracker requires special permissions to open issues. NOTE: unclear how upstream handles security backlog, contacted them. -- -imagemagick +imagemagick (Roberto C. Sánchez) NOTE: 20181227: We should address the many open issues in imagemagick either NOTE: by patching them separetely as we did in Wheezy or by updating to a NOTE: new upstream version like the security team did with Graphicsmagick in NOTE: Stretch. (apo) - NOTE: 20190321: Still waiting on security team response to inquiries from (apo) and (roberto) + NOTE: 20190408: Still waiting on security team response to inquiries from (apo) and (roberto) -- jinja2 (Hugo Lefeuvre) NOTE: patch available for CVE-2019-10906. 
@@ -86,16 +86,16 @@ proftpd-dfsg (Markus Koschany) putty (Thorsten Alteholz) NOTE: 20190407: stick to Stretch patches -- -python-urllib3 - NOTE: 20190321: Waiting on upstream action for CVE-2019-9740 (roberto) +python-urllib3 (Roberto C. Sánchez) + NOTE: 20190408: Waiting on upstream action for CVE-2019-9740 (roberto) -- -python2.7 +python2.7 (Roberto C. Sánchez) NOTE: 20190321: Patches integrated for CVE-2018-14647, CVE-2019-5010, and CVE-2019-9636 - NOTE: 20190321: Waiting on upstream action for CVE-2019-9740 (roberto) + NOTE: 20190408: Waiting on upstream action for CVE-2019-9740 (roberto) -- -python3.4 +python3.4 (Roberto C. Sánchez) NOTE: 20190321: Patches integrated for CVE-2018-14647 and CVE-2019-9636 - NOTE: 20190321: Waiting on upstream action for CVE-2019-9740 (roberto) + NOTE: 20190408: Waiting on upstream action for CVE-2019-9740 (roberto) -- qemu (Emilio) NOTE: CVE-2018-19665: wait for final patch View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b92b976a751f36dacb5d54d7cc60aef1def09efc
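Review bot: the "Waiting on ..." NOTE lines for imagemagick, python-urllib3, python2.7 and python3.4 are re-dated in place from 20190321 to 20190408 with unchanged text, which drops the record of when the wait on the security team and on upstream for CVE-2019-9740 began. Keep the 20190321 lines and append a 20190408 line stating that the status is unchanged, the way the "Patches integrated" notes keep their original date.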
[Git][security-tracker-team/security-tracker][master] bwa spu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8d1302bb by Moritz Muehlenhoff at 2019-04-08T16:01:19Z bwa spu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -139,4 +139,6 @@ CVE-2019-6778 [stretch] - qemu 1:2.8+dfsg-6+deb9u6 CVE-2019-9824 [stretch] - qemu 1:2.8+dfsg-6+deb9u6 +CVE-2019-10269 + [stretch] - bwa 0.7.15-2+deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8d1302bbc184eeb12e0615f69960bcd50964ef02
[Git][security-tracker-team/security-tracker][master] Adjust source package name from jinja to jinja2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 36111694 by Salvatore Bonaccorso at 2019-04-08T15:00:58Z Adjust source package name from jinja to jinja2 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -46,7 +46,7 @@ imagemagick NOTE: Stretch. (apo) NOTE: 20190321: Still waiting on security team response to inquiries from (apo) and (roberto) -- -jinja (Hugo Lefeuvre) +jinja2 (Hugo Lefeuvre) NOTE: patch available for CVE-2019-10906. -- jruby (Abhijith PA) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/36111694307113508d591d51185805a79e9d149a
[Git][security-tracker-team/security-tracker][master] Add CVE-2016-10745/jinja2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 803a1855 by Salvatore Bonaccorso at 2019-04-08T13:08:05Z Add CVE-2016-10745/jinja2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -12,15 +12,13 @@ CVE-2019-10908 (In Airsonic 10.2.1, RecoverController.java generates passwords v NOT-FOR-US: Airsonic CVE-2019-10907 (Airsonic 10.2.1 uses Spring's default remember-me mechanism based on M ...) NOT-FOR-US: Airsonic +CVE-2016-10745 [issue related to CVE-2019-10906, str.format vulnerability] + - jinja2 2.9.4-1 + NOTE: Fixed by: https://github.com/pallets/jinja/commit/9b53045c34e61013dc8f09b7e52a555fa16bed16 + NOTE: Followup bugfix: https://github.com/pallets/jinja/commit/74bd64e56387f5b2931040dc7235a3509cde1611 CVE-2019-10906 (In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape ...) - jinja2 (bug #926602) NOTE: https://palletsprojects.com/blog/jinja-2-10-1-released/ - NOTE: same issue as str.format vulnerability (did not receive CVE number, still affecting - NOTE: jessie and stretch, fixed in 2.8.1). Both issues should be fixed together. - NOTE: str.format fix: - NOTE: https://github.com/pallets/jinja/commit/9b53045c34e61013dc8f09b7e52a555fa16bed16 - NOTE: https://github.com/pallets/jinja/commit/74bd64e56387f5b2931040dc7235a3509cde1611 - NOTE: str.format_map fix: NOTE: https://github.com/pallets/jinja/commit/a2a6c930bcca591a25d2b316fcfd2d6793897b26 CVE-2019-10905 (Parsedown before 1.7.2, when safe mode is used and HTML markup is disa ...) NOT-FOR-US: Parsedown View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/803a1855713384f4a9734d48d0c232db250b49d9
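Review bot: moving the str.format issue into its own CVE-2016-10745 entry drops two statements that the removed NOTE lines under CVE-2019-10906 carried: that the issue is "still affecting jessie and stretch" and that "Both issues should be fixed together". The new entry has only `- jinja2 2.9.4-1` and no [stretch] or [jessie] line, so carry that status over, either as per-suite lines or as a NOTE on one of the two entries.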
[Git][security-tracker-team/security-tracker][master] Merge information for systemd/232-25+deb9u10 into CVE list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 48795aab by Salvatore Bonaccorso at 2019-04-08T12:54:14Z Merge information for systemd/232-25+deb9u10 into CVE list The version for the DSA will be built upon the 232-25+deb9u10 packages so superseding the point release. Track the released version correctly as the archive has seen this via stretch-proposed-updates. - - - - - 2 changed files: - data/CVE/list - data/next-point-update.txt Changes: = data/CVE/list = @@ -38671,7 +38671,7 @@ CVE-2018-15687 (A race condition in chown_one() of systemd allows an attacker to CVE-2018-15686 (A vulnerability in unit_deserialize of systemd allows an attacker to s ...) {DLA-1580-1} - systemd 239-12 (bug #912005) - [stretch] - systemd (Minor issue) + [stretch] - systemd 232-25+deb9u10 NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1687 NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1796402 NOTE: https://github.com/systemd/systemd/pull/10519 @@ -79961,7 +79961,7 @@ CVE-2018-1050 (All versions of Samba from 4.0.0 onwards are vulnerable to a deni CVE-2018-1049 (In systemd prior to 234 a race condition exists between .mount and .au ...) {DLA-1580-1} - systemd 234-1 - [stretch] - systemd (Minor issue, can either be included in future DSA or point release) + [stretch] - systemd 232-25+deb9u10 [wheezy] - systemd (Minor issue, can be fixed along in next DLA) NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1709649 NOTE: https://github.com/systemd/systemd/pull/5916 = data/next-point-update.txt = 
@@ -66,10 +66,6 @@ CVE-2018-7998 [stretch] - vips 8.4.5-1+deb9u1 CVE-2019-6976 [stretch] - vips 8.4.5-1+deb9u1 -CVE-2018-1049 - [stretch] - systemd 232-25+deb9u10 -CVE-2018-15686 - [stretch] - systemd 232-25+deb9u10 CVE-2019-5736 [stretch] - runc 0.1.1+dfsg1-2+deb9u1 CVE-2018-12181 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/48795aab8015bcec9182b69a1c34688ac8117897
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-9619/systemd
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d5024644 by Salvatore Bonaccorso at 2019-04-08T12:52:20Z Add CVE-2019-9619/systemd - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3832,8 +3832,12 @@ CVE-2019-9621 RESERVED CVE-2019-9620 RESERVED -CVE-2019-9619 +CVE-2019-9619 [not enabled pam_systemd for non-interactive sessions] RESERVED + - systemd + [buster] - systemd (Too intrusive change for a stable release) + [stretch] - systemd (Too intrusive change for a stable release) + NOTE: https://bugs.launchpad.net/bugs/1812316 CVE-2019-9618 RESERVED CVE-2019-9617 (An issue was discovered in OFCMS before 1.1.3. Remote attackers can ex ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d502464403702caadf0a663f0425bd71f56074d4
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-3842/systemd
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 87e72bed by Salvatore Bonaccorso at 2019-04-08T12:51:12Z Add CVE-2019-3842/systemd - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17331,8 +17331,11 @@ CVE-2019-3844 RESERVED CVE-2019-3843 RESERVED -CVE-2019-3842 +CVE-2019-3842 [unsafe environment usage in pam_systemd] RESERVED + - systemd 241-3 + NOTE: https://bugs.launchpad.net/bugs/1812316 + NOTE: https://github.com/systemd/systemd/commit/83d4ab55336ff8a0643c6aa627b31e351a24040a CVE-2019-3841 (Kubevirt/virt-cdi-importer, versions 1.4.0 to 1.5.3 inclusive, were re ...) NOT-FOR-US: KubeVirt CVE-2019-3840 (A NULL pointer dereference flaw was discovered in libvirt before versi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/87e72bede6ec5d142d2a4708f7401e8a3be3b3e4
[Git][security-tracker-team/security-tracker][master] 2 commits: clamav: link recent lts discussion
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 7bf02944 by Sylvain Beucler at 2019-04-08T12:36:37Z clamav: link recent lts discussion - - - - - e14fbbea by Sylvain Beucler at 2019-04-08T12:36:37Z dla: add evolution-ews - - - - - 3 changed files: - data/CVE/list - data/dla-needed.txt - packages/clamav Changes: = data/CVE/list = @@ -17166,6 +17166,7 @@ CVE-2019-3890 - evolution-ews NOTE: https://gitlab.gnome.org/GNOME/evolution-ews/issues/36 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1678313 + NOTE: depends on evolution-data-server patch (unrelated to CVE-2018-15587) CVE-2019-3889 RESERVED CVE-2019-3888 = data/dla-needed.txt = @@ -23,6 +23,8 @@ evolution -- evolution-data-server -- +evolution-ews +-- faad2 (Hugo Lefeuvre) NOTE: 20190407: CVE-2018-20362: wrote a patch, currently testing it. This might fix many other NOTE: issues at the same time. This is a complex issue which requires a lot of digging in = packages/clamav = @@ -5,6 +5,7 @@ signatures. The security team updates clamav via {old,}stable-updates. https://lists.debian.org/debian-lts/2018/03/msg00033.html +https://lists.debian.org/debian-lts/2019/03/msg00161.html LTS updates need to wait until a respective SUA has been issued to avoid breaking upgrades. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/a8825ccde3dc7f576824cfb59e6216096f943630...e14fbbea96f867bde1d16a92a8be2983d4455d7d
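Review bot: the dependency on an evolution-data-server patch is recorded only under CVE-2019-3890 in data/CVE/list, while the new evolution-ews entry in data/dla-needed.txt is added bare. Repeat the dependency as a NOTE under evolution-ews in dla-needed.txt, and name the patch (commit or bug URL) in the CVE/list NOTE, so whoever claims the package sees that evolution-data-server has to be handled first.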
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Holger Levsen pushed to branch master at Debian Security Tracker / security-tracker Commits: a8825ccd by Holger Levsen at 2019-04-08T12:24:27Z semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Holger Levsen hol...@layer-acht.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -37,7 +37,7 @@ hdf5 (Hugo Lefeuvre) NOTE: upstream's bug tracker requires special permissions to open issues. NOTE: unclear how upstream handles security backlog, contacted them. -- -imagemagick (Roberto C. Sánchez) +imagemagick NOTE: 20181227: We should address the many open issues in imagemagick either NOTE: by patching them separetely as we did in Wheezy or by updating to a NOTE: new upstream version like the security team did with Graphicsmagick in @@ -84,14 +84,14 @@ proftpd-dfsg (Markus Koschany) putty (Thorsten Alteholz) NOTE: 20190407: stick to Stretch patches -- -python-urllib3 (Roberto C. Sánchez) +python-urllib3 NOTE: 20190321: Waiting on upstream action for CVE-2019-9740 (roberto) -- -python2.7 (Roberto C. Sánchez) +python2.7 NOTE: 20190321: Patches integrated for CVE-2018-14647, CVE-2019-5010, and CVE-2019-9636 NOTE: 20190321: Waiting on upstream action for CVE-2019-9740 (roberto) -- -python3.4 (Roberto C. Sánchez) +python3.4 NOTE: 20190321: Patches integrated for CVE-2018-14647 and CVE-2019-9636 NOTE: 20190321: Waiting on upstream action for CVE-2019-9740 (roberto) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a8825ccde3dc7f576824cfb59e6216096f943630
[Git][security-tracker-team/security-tracker][master] CVE-2018-10244: mark jessie not-affected
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: a10d0567 by Hugo Lefeuvre at 2019-04-08T11:52:16Z CVE-2018-10244: mark jessie not-affected EtherNet/IP and CIP support introduced in 3.2beta1, see https://github.com/OISF/suricata/blob/master/ChangeLog - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -53230,6 +53230,7 @@ CVE-2018-10245 (A Full Path Disclosure vulnerability in AWStats through 7.6 allo NOTE: Path disclosure for awstats negligible within Debian CVE-2018-10244 (Suricata version 4.0.4 incorrectly handles the parsing of an EtherNet/ ...) - suricata 1:4.0.5-1 + [jessie] - suricata (EtherNet/IP and CIP support introduced in 3.2beta1) NOTE: https://redmine.openinfosecfoundation.org/issues/2545 NOTE: https://redmine.openinfosecfoundation.org/issues/2543 NOTE: https://github.com/OISF/suricata/commit/f68bf3301ad4d25f0a5ecb13405f4e26316cdf8d View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a10d0567365c8445bec7d85f4453d29d251a81b5
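Review bot: the evidence for the jessie verdict on CVE-2018-10244, the ChangeLog URL, appears only in the commit message and not in data/CVE/list, where the added `[jessie]` line gives the reason without a source. Add the ChangeLog link as a NOTE under the entry so the basis for "introduced in 3.2beta1" can be checked from the list itself.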
[Git][security-tracker-team/security-tracker][master] dla: add samba
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c2cf3d1 by Sylvain Beucler at 2019-04-08T11:18:19Z dla: add samba - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -98,6 +98,9 @@ python3.4 (Roberto C. Sánchez) qemu (Emilio) NOTE: CVE-2018-19665: wait for final patch -- +samba + NOTE: https://lists.debian.org/debian-lts/2019/04/msg00063.html +-- sox NOTE: 20190305: CVE-2019-835{4,5,6,7} no upstream patch yet, might take some time. NOTE: Check again later. - hle View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3c2cf3d17d7f788d0800c4e17d3c198d3c8ff543
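Review bot: The new samba entry carries only a link to a debian-lts thread and names no CVE, unlike the neighbouring qemu and sox entries in the context lines. Add the CVE identifiers that motivated the entry to the NOTE so triage does not depend on following the list archive link.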
[Git][security-tracker-team/security-tracker][master] Add jessie version for CVE-2018-0496/freedink-dfarc
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 82dbc2ca by Sylvain Beucler at 2019-04-08T11:05:55Z Add jessie version for CVE-2018-0496/freedink-dfarc - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -81984,6 +81984,7 @@ CVE-2018-0496 (Directory traversal issues in the D-Mod extractor in DFArc and DF {DLA-1686-1} - freedink-dfarc 3.14-1 [stretch] - freedink-dfarc 3.12-1+deb9u1 + [jessie] - freedink-dfarc 3.12-1+deb8u1 NOTE: https://savannah.gnu.org/forum/forum.php?forum_id=9169 NOTE: https://git.savannah.gnu.org/cgit/freedink/dfarc.git/commit/?id=40cc957f52e772f45125126439ba9333cf2d2998 CVE-2018-0495 (Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache s ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/82dbc2ca53e89967ead1ee8d6b5fbdee3a7256c8
[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-3886 as not affecting (old)stable
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: c96b4bd0 by Guido Günther at 2019-04-08T09:35:25Z Mark CVE-2019-3886 as not affecting (old)stable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17177,10 +17177,12 @@ CVE-2019-3887 [KVM: x86: nVMX: close leak of L0's x2APIC MSR] NOTE: Fixed by: https://git.kernel.org/linus/c73f4c998e1fd4249b9edfa39e23f4fda2b9b041 CVE-2019-3886 (An incorrect permissions check was discovered in libvirt 4.8.0 and abo ...) - libvirt 5.0.0-2 (low; bug #926418) - [stretch] - libvirt (Minor issue) + [stretch] - libvirt (Vulnerable code not present) + [jessie] - libvirt (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1694880 NOTE: https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html NOTE: https://bugzilla.novell.com/show_bug.cgi?id=1131595#c3 + NOTE: Introduced in https://libvirt.org/git/?p=libvirt.git;a=commit;h=25736a4c7ed50c101b4f87935f350f1a39a89f6e CVE-2019-3885 RESERVED CVE-2019-3884 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c96b4bd0082181c9a844fcb66d7c4bcdcd655503
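Review bot: Marking [jessie] as (Vulnerable code not present) for CVE-2019-3886 makes the libvirt entry in data/dla-needed.txt look stale: its NOTE reads "check CVE-2019-3886, might deserve a dla" (claimed in 1375e199), and this commit changes only data/CVE/list. Drop or update that entry in the same change or a follow-up. The new "Introduced in" NOTE would also be easier to compare against package versions if it named the first upstream release that contains the commit.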
[Git][security-tracker-team/security-tracker][master] 3 commits: Mark jessie as not affected by CVE-2019-3870 (samba)
Sebastien Delafond pushed to branch master at Debian Security Tracker / security-tracker Commits: 54de2672 by Sébastien Delafond at 2019-04-08T09:08:22Z Mark jessie as not affected by CVE-2019-3870 (samba) - - - - - cd4c5e23 by Sébastien Delafond at 2019-04-08T09:09:21Z Mark CVE-2019-3824 (samba) as fixed by 2:4.9.5+dfsg-1 - - - - - 6bb0dd85 by Sébastien Delafond at 2019-04-08T09:12:22Z Mark CVE-2019-3870 and CVE-2019-3880 (samba) as fixed by 2:4.9.5+dfsg-3 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17199,7 +17199,7 @@ CVE-2019-3881 RESERVED CVE-2019-3880 [Save registry file outside share as unprivileged user] {DSA-4427-1} - - samba + - samba 2:4.9.5+dfsg-3 NOTE: https://www.samba.org/samba/security/CVE-2019-3880.html CVE-2019-3879 (It was discovered that in the ovirt's REST API before version 4.3.2.1, ...) NOT-FOR-US: ovirt-engine @@ -17233,8 +17233,9 @@ CVE-2019-3871 (A vulnerability was found in PowerDNS Authoritative Server before NOTE: https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html NOTE: Patches: https://downloads.powerdns.com/patches/2019-03/ CVE-2019-3870 [During the provision of a new Active Directory DC, some files in the ...] - - samba + - samba 2:4.9.5+dfsg-3 [stretch] - samba (Vulnerable code not present) + [jessie] - samba (Vulnerable code not present) NOTE: https://www.samba.org/samba/security/CVE-2019-3870.html CVE-2019-3869 (When running Tower before 3.4.3 on OpenShift or Kubernetes, applicatio ...) NOT-FOR-US: Ansible Tower 
@@ -17417,7 +17418,7 @@ CVE-2019-3825 (A vulnerability was discovered in gdm before 3.31.4. When timed l CVE-2019-3824 (A flaw was found in the way an LDAP search expression could crash the ...) {DSA-4397-1 DLA-1699-1} - ldb 2:1.5.1+really1.4.3-2 - - samba (unimportant) + - samba 2:4.9.5+dfsg-1 (unimportant) NOTE: https://bugzilla.samba.org/show_bug.cgi?id=13773 NOTE: Samba uses the System ldb library CVE-2019-3823 (libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/11c067424206aaed50d61af7c3d652cfdba33fed...6bb0dd8535efbdc7911de6c80e8a29bf31d5d0fb
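Review bot: In the hunk at -17233, CVE-2019-3870 now has (Vulnerable code not present) for both [stretch] and [jessie], but the entry has no NOTE saying which upstream commit or release introduced the vulnerable code, so neither claim can be verified from the file. Add an "Introduced in" NOTE next to the samba.org advisory link, as the libvirt entry for CVE-2019-3886 does.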
[Git][security-tracker-team/security-tracker][master] 2 commits: Put temporary description in [] brackets
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c5b5911 by Salvatore Bonaccorso at 2019-04-08T08:40:08Z Put temporary description in [] brackets - - - - - 11c06742 by Salvatore Bonaccorso at 2019-04-08T08:40:27Z Remove trailing whitespaces - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -101,7 +101,7 @@ CVE-2019-10876 (An issue was discovered in OpenStack Neutron 11.x before 11.0.7, [stretch] - neutron (Vulnerable code introduced later; Around Pike Openstack release) [jessie] - neutron (Vulnerable code introduced later; Around Pike Openstack release) NOTE: https://bugs.launchpad.net/ossa/+bug/1813007 - NOTE: https://review.openstack.org/#/q/topic:bug/1813007 + NOTE: https://review.openstack.org/#/q/topic:bug/1813007 CVE-2019-10875 (A URL spoofing vulnerability was found in all international versions o ...) TODO: check CVE-2019-10874 (Cross Site Request Forgery (CSRF) in the bolt/upload File Upload featu ...) @@ -17197,10 +17197,10 @@ CVE-2019-3882 [DoS through vfio/type1 DMA mappings] NOTE: Fixed by: https://git.kernel.org/linus/492855939bdb59c6f947b0b5b44af9ad82b7e38c CVE-2019-3881 RESERVED -CVE-2019-3880 (Save registry file outside share as unprivileged user) +CVE-2019-3880 [Save registry file outside share as unprivileged user] {DSA-4427-1} -- samba -NOTE: https://www.samba.org/samba/security/CVE-2019-3880.html + - samba + NOTE: https://www.samba.org/samba/security/CVE-2019-3880.html CVE-2019-3879 (It was discovered that in the ovirt's REST API before version 4.3.2.1, ...) NOT-FOR-US: ovirt-engine CVE-2019-3878 (A vulnerability was found in mod_auth_mellon before v0.14.2. If Apache ...) 
@@ -17232,10 +17232,10 @@ CVE-2019-3871 (A vulnerability was found in PowerDNS Authoritative Server before NOTE: https://github.com/PowerDNS/pdns/issues/7573 NOTE: https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html NOTE: Patches: https://downloads.powerdns.com/patches/2019-03/ -CVE-2019-3870 (During the provision of a new Active Directory DC, some files in the ...) +CVE-2019-3870 [During the provision of a new Active Directory DC, some files in the ...] - samba [stretch] - samba (Vulnerable code not present) -NOTE: https://www.samba.org/samba/security/CVE-2019-3870.html + NOTE: https://www.samba.org/samba/security/CVE-2019-3870.html CVE-2019-3869 (When running Tower before 3.4.3 on OpenShift or Kubernetes, applicatio ...) NOT-FOR-US: Ansible Tower CVE-2019-3868 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/52c62481cdec2b24711122ab32f97940b1ef1822...11c067424206aaed50d61af7c3d652cfdba33fed
[Git][security-tracker-team/security-tracker][master] 2 commits: Reserve DSA-4427-1 for samba (CVE-2019-3880)
Sebastien Delafond pushed to branch master at Debian Security Tracker / security-tracker Commits: 3803387f by Sébastien Delafond at 2019-04-08T08:24:40Z Reserve DSA-4427-1 for samba (CVE-2019-3880) - - - - - 52c62481 by Sébastien Delafond at 2019-04-08T08:24:41Z Add recent samba issues (CVE-2019-3870, CVE-2019-3880) - - - - - 2 changed files: - data/CVE/list - data/DSA/list Changes: = data/CVE/list = @@ -17197,8 +17197,10 @@ CVE-2019-3882 [DoS through vfio/type1 DMA mappings] NOTE: Fixed by: https://git.kernel.org/linus/492855939bdb59c6f947b0b5b44af9ad82b7e38c CVE-2019-3881 RESERVED -CVE-2019-3880 - RESERVED +CVE-2019-3880 (Save registry file outside share as unprivileged user) + {DSA-4427-1} +- samba +NOTE: https://www.samba.org/samba/security/CVE-2019-3880.html CVE-2019-3879 (It was discovered that in the ovirt's REST API before version 4.3.2.1, ...) NOT-FOR-US: ovirt-engine CVE-2019-3878 (A vulnerability was found in mod_auth_mellon before v0.14.2. If Apache ...) @@ -17230,8 +17232,10 @@ CVE-2019-3871 (A vulnerability was found in PowerDNS Authoritative Server before NOTE: https://github.com/PowerDNS/pdns/issues/7573 NOTE: https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html NOTE: Patches: https://downloads.powerdns.com/patches/2019-03/ -CVE-2019-3870 - RESERVED +CVE-2019-3870 (During the provision of a new Active Directory DC, some files in the ...) + - samba + [stretch] - samba (Vulnerable code not present) +NOTE: https://www.samba.org/samba/security/CVE-2019-3870.html CVE-2019-3869 (When running Tower before 3.4.3 on OpenShift or Kubernetes, applicatio ...) NOT-FOR-US: Ansible Tower CVE-2019-3868 = data/DSA/list = 
@@ -1,3 +1,6 @@ +[08 Apr 2019] DSA-4427-1 samba - security update + {CVE-2019-3880} + [stretch] - samba 2:4.5.16+dfsg-1+deb9u1 [07 Apr 2019] DSA-4426-1 tryton-server - security update {CVE-2019-10868} [stretch] - tryton-server 4.2.1-2+deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/2fbda38d41060ffa23305d54346659eb64ff197e...52c62481cdec2b24711122ab32f97940b1ef1822
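Review bot: In the data/CVE/list hunks, the new CVE-2019-3880 entry puts "- samba" and "NOTE:" at column 0, and the CVE-2019-3870 entry does the same for its "NOTE:" line, while the surrounding entries indent these lines. Both descriptions are also written in ( ) although they replace RESERVED entries; temporary descriptions go in [ ]. Indent the lines and switch to brackets before pushing; as it stands this needed the follow-up commits 2c5b5911 ("Put temporary description in [] brackets") and 11c06742.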
[Git][security-tracker-team/security-tracker][master] CVE-2019-10906: add links to str.format fixes
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 2fbda38d by Hugo Lefeuvre at 2019-04-08T08:19:41Z CVE-2019-10906: add links to str.format fixes - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17,6 +17,10 @@ CVE-2019-10906 (In Pallets Jinja before 2.10.1, str.format_map allows a sandbox NOTE: https://palletsprojects.com/blog/jinja-2-10-1-released/ NOTE: same issue as str.format vulnerability (did not receive CVE number, still affecting NOTE: jessie and stretch, fixed in 2.8.1). Both issues should be fixed together. + NOTE: str.format fix: + NOTE: https://github.com/pallets/jinja/commit/9b53045c34e61013dc8f09b7e52a555fa16bed16 + NOTE: https://github.com/pallets/jinja/commit/74bd64e56387f5b2931040dc7235a3509cde1611 + NOTE: str.format_map fix: NOTE: https://github.com/pallets/jinja/commit/a2a6c930bcca591a25d2b316fcfd2d6793897b26 CVE-2019-10905 (Parsedown before 1.7.2, when safe mode is used and HTML markup is disa ...) NOT-FOR-US: Parsedown View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2fbda38d41060ffa23305d54346659eb64ff197e
[Git][security-tracker-team/security-tracker][master] add notes to CVE-2019-10906/jinja2 entry
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: bac3735a by Hugo Lefeuvre at 2019-04-08T07:54:13Z add notes to CVE-2019-10906/jinja2 entry This issue is the exact same issue as the one addressed in jinja 2.8.1, except it is affecting str.format_map instead of str.format. The previous issue did not receive a CVE number which explains why it is still affecting jessie and stretch. Both issues should be addressed together or not at all. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15,6 +15,8 @@ CVE-2019-10907 (Airsonic 10.2.1 uses Spring's default remember-me mechanism base CVE-2019-10906 (In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape ...) - jinja2 (bug #926602) NOTE: https://palletsprojects.com/blog/jinja-2-10-1-released/ + NOTE: same issue as str.format vulnerability (did not receive CVE number, still affecting + NOTE: jessie and stretch, fixed in 2.8.1). Both issues should be fixed together. NOTE: https://github.com/pallets/jinja/commit/a2a6c930bcca591a25d2b316fcfd2d6793897b26 CVE-2019-10905 (Parsedown before 1.7.2, when safe mode is used and HTML markup is disa ...) NOT-FOR-US: Parsedown View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bac3735ad213936b84b0bcc0380d260a1731fb2e
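Review bot: The added NOTE says the str.format issue was "fixed in 2.8.1" but gives no reference to the fixing commits, so a reader cannot tell from the entry what has to be backported alongside the str.format_map fix. Add the upstream commit links for the str.format fix next to the existing a2a6c930 link, and label which link fixes which issue.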
[Git][security-tracker-team/security-tracker][master] Reference Debian bug for CVE-2018-3750/node-deep-extend
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 01cd16ed by Salvatore Bonaccorso at 2019-04-08T07:34:44Z Reference Debian bug for CVE-2018-3750/node-deep-extend - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -71637,7 +71637,7 @@ CVE-2018-3752 (The utilities function in all versions = 1.0.0 of the merge-o CVE-2018-3751 (The utilities function in all versions = 0.3.0 of the merge-recurs ...) NOT-FOR-US: merge-recursive CVE-2018-3750 (The utilities function in all versions = 0.5.0 of the deep-extend ...) - - node-deep-extend (unimportant) + - node-deep-extend (unimportant; bug #926616) NOTE: https://nodesecurity.io/advisories/612 NOTE: nodejs not covered by security support CVE-2018-3749 (The utilities function in all versions 1.0.1 of the deap node mod ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/01cd16ed2c0d60083503b6dec71e7952399f8409
[Git][security-tracker-team/security-tracker][master] Claim libvirt
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 1375e199 by Brian May at 2019-04-08T07:32:52Z Claim libvirt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -63,7 +63,7 @@ libmatio (Adrian Bunk) NOTE: triage work needed, help security team for fixes if needed. NOTE: 20190331: work ongoing -- -libvirt +libvirt (Brian May) NOTE: check CVE-2019-3886, might deserve a dla -- linux (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1375e199eef0372351574ae2ac8d1ecf50b2f891
[Git][security-tracker-team/security-tracker][master] dla-needed: add jinja entry and claim it
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 7b9ddf7f by Hugo Lefeuvre at 2019-04-08T06:56:06Z dla-needed: add jinja entry and claim it - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -44,6 +44,9 @@ imagemagick (Roberto C. Sánchez) NOTE: Stretch. (apo) NOTE: 20190321: Still waiting on security team response to inquiries from (apo) and (roberto) -- +jinja (Hugo Lefeuvre) + NOTE: patch available for CVE-2019-10906. +-- jruby (Abhijith PA) -- libav View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7b9ddf7f70f676955f2f9c745ebfa66a490eb04c
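Review bot: The new entry is named "jinja", but data/CVE/list tracks CVE-2019-10906 against the source package jinja2 ("- jinja2 (bug #926602)"). Entries in dla-needed.txt are keyed by source package name, so rename this one to jinja2 to keep the claim matchable to the CVE entry. The NOTE could also mention the str.format issue that has no CVE number, since the CVE notes say both should be fixed together.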