[Git][security-tracker-team/security-tracker][master] Claim graphicsmagick in dla-needed.txt

2019-04-08 Thread Markus Koschany


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9355996f by Markus Koschany at 2019-04-09T05:53:54Z
Claim graphicsmagick in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -37,6 +37,8 @@ ghostscript
   NOTE: 20190327: need to backport 9.26b/9.27 when it comes out, like 
stable-security
   NOTE: 20190327: https://lists.debian.org/debian-lts/2019/03/msg00122.html
 --
+graphicsmagick (Markus Koschany)
+--
 hdf5 (Hugo Lefeuvre)
   NOTE: requires some prior triage, almost all cves undetermined.
   NOTE: upstream's bug tracker requires special permissions to open issues.
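Review bot: the added claim line "graphicsmagick (Markus Koschany)" carries no NOTE saying which issues are in scope, unlike the neighbouring ghostscript and hdf5 entries, which each record a dated note. Six GraphicsMagick issues (CVE-2019-11005 through CVE-2019-11010) were entered in data/CVE/list in the same evening's commits, all without a fixed version; a line in the file's own form, such as "NOTE: 20190409: CVE-2019-11005..11010, upstream hg fixes linked in CVE/list", would tell the next LTS member what the claim covers and whether any of the six has already been ruled out for jessie.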



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/9355996f8042252f4e39961b790f9942677eb89d

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/9355996f8042252f4e39961b790f9942677eb89d
You're receiving this email because of your account on salsa.debian.org.

___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] Mark open proftpd-issues as fixed in 1.3.5e-0+deb8u1

2019-04-08 Thread Markus Koschany


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a8f4cc1e by Markus Koschany at 2019-04-08T23:51:22Z
Mark open proftpd-issues as fixed in 1.3.5e-0+deb8u1

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4035,6 +4035,7 @@ CVE-2019-9625 (JBMC DirectAdmin 1.55 allows CSRF via the 
/CMD_ACCOUNT_ADMIN URI
 CVE-2019- [high memory usage with some long running sessions]
- proftpd-dfsg 1.3.5d-1 (bug #923926)
[stretch] - proftpd-dfsg  (Minor issue)
+   [jessie] - proftpd-dfsg 1.3.5e-0+deb8u1
NOTE: 
https://github.com/proftpd/proftpd/issues/330#issuecomment-276891713
NOTE: 
https://forum.armbian.com/topic/9692-nanopi-neo-2-memory-leak-in-proftpd-even-worse-if-ssl-encrypted/?do=findComment=73069
 CVE-2019-9624 (Webmin 1.900 allows remote attackers to execute arbitrary code 
by leve ...)
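Review bot: the added "[jessie] - proftpd-dfsg 1.3.5e-0+deb8u1" line records a jessie fixed version, but no DLA entry for proftpd-dfsg is reserved in data/DLA/list in this push, and the dla-needed.txt entry for the package elsewhere on this page still reads "Package is ready for upload". If the upload has not been accepted, the tracker will show this issue as fixed in jessie before the fix is installable; reserve the DLA and add the version in the same commit, or hold this line until the upload lands. The entry also still has a placeholder "CVE-2019-" id, so the advisory will have to reference upstream issue #330 and bug #923926 rather than a CVE.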
@@ -165553,7 +165554,7 @@ CVE-2015-8377 (SQL injection vulnerability in the 
host_new_graphs_save function
NOTE: 
http://seclists.org/fulldisclosure/2015/Dec/att-57/cacti_sqli%281%29.txt
 CVE-2015- [Avoid unbounded SFTP extended attribute key/values]
- proftpd-dfsg 1.3.5b-1
-   [jessie] - proftpd-dfsg  (Minor issue; can be fixed in point 
release)
+   [jessie] - proftpd-dfsg 1.3.5e-0+deb8u1
[wheezy] - proftpd-dfsg  (Minor issue; can be fixed in point 
release)
[squeeze] - proftpd-dfsg  (Vulnerable code not present)
NOTE: http://bugs.proftpd.org/show_bug.cgi?id=4210
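Review bot: this hunk replaces a no-dsa rationale with the fixed version "1.3.5e-0+deb8u1", which is a new upstream point release (the unstable fix is 1.3.5b-1), not a targeted backport. That is acceptable for jessie, but the DLA text should then enumerate every issue the version bump closes, and this entry still carries a placeholder "CVE-2015-" id; cite http://bugs.proftpd.org/show_bug.cgi?id=4210 in the advisory so the fix is traceable without a CVE.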



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a8f4cc1eb14efa3f0ec48e3f6bdbc75c6ac408ca


[Git][security-tracker-team/security-tracker][master] data/CVE/list: Drop jessie/no-dsa tags for all currently open samba issues....

2019-04-08 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1aabe8d7 by Mike Gabriel at 2019-04-08T23:12:50Z
data/CVE/list: Drop jessie/no-dsa tags for all currently open samba issues. 
Patches ported over from Ubuntu, upload in-prep.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -80131,7 +80131,6 @@ CVE-2018-1058 (A flaw was found in the way Postgresql 
allowed a user to modify t
 CVE-2018-1057 (On a Samba 4 AD DC the LDAP server in all versions of Samba 
from 4.0.0 ...)
{DSA-4135-1}
- samba 2:4.7.4+dfsg-2
-   [jessie] - samba  (Too intrusive to backport)
[wheezy] - samba  (Vulnerable code introduced later in 
4.0.0alpha13)
NOTE: https://www.samba.org/samba/security/CVE-2018-1057.html
NOTE: https://wiki.samba.org/index.php/CVE-2018-1057
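Review bot: dropping "[jessie] - samba  (Too intrusive to backport)" reopens CVE-2018-1057 for jessie with no replacement line, which matches the commit message (patches ported from Ubuntu, upload in prep), but the earlier rationale was that the fix is too intrusive. Add a NOTE pointing at the Ubuntu patch that was ported so the DLA reviewer can compare it against the upstream advisory already linked; until the upload lands the issue now shows as open and unhandled in the LTS views, so the samba claim in dla-needed.txt should carry the same pointer.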
@@ -80172,7 +80171,6 @@ CVE-2018-1051 (It was found that the fix for 
CVE-2016-9606 in versions 3.0.22 an
 CVE-2018-1050 (All versions of Samba from 4.0.0 onwards are vulnerable to a 
denial of ...)
{DSA-4135-1 DLA-1320-1}
- samba 2:4.7.4+dfsg-2
-   [jessie] - samba  (Minor issue)
NOTE: https://www.samba.org/samba/security/CVE-2018-1050.html
 CVE-2018-1049 (In systemd prior to 234 a race condition exists between .mount 
and .au ...)
{DLA-1580-1}
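Review bot: CVE-2018-1050 already references DLA-1320-1 in its "{DSA-4135-1 DLA-1320-1}" header, so the "[jessie] - samba  (Minor issue)" line removed here conflicted with a DLA that should have recorded a jessie fixed version. After this change the jessie status comes from data/DLA/list; check that DLA-1320-1 there lists CVE-2018-1050 with a jessie version, otherwise the entry now renders as open for jessie and the in-prep upload should include it.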
@@ -106261,7 +106259,6 @@ CVE-2017-9462 (In Mercurial before 4.1.3, "hg serve 
--stdio" allows remote authe
NOTE: https://www.mercurial-scm.org/repo/hg/rev/77eaf9539499
 CVE-2017-9461 (smbd in Samba before 4.4.10 and 4.5.x before 4.5.6 has a denial 
of ser ...)
- samba 2:4.5.6+dfsg-1 (bug #864291)
-   [jessie] - samba  (Minor issue)
[wheezy] - samba  (Minor, non reproducible issue)
NOTE: 
https://git.samba.org/?p=samba.git;a=commitdiff;h=10c3e3923022485c720f322ca4f0aca5d7501310
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=12572
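Review bot: the "[jessie] - samba  (Minor issue)" line for CVE-2017-9461 is dropped while the wheezy entry records the issue as "Minor, non reproducible issue". Before folding the Ubuntu patch into the jessie upload, confirm the crash from https://bugzilla.samba.org/show_bug.cgi?id=12572 actually reproduces on jessie's samba; the upstream commit 10c3e3923022485c720f322ca4f0aca5d7501310 is already linked, so cite it in the changelog if the ported patch matches it.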



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/1aabe8d79843ac45abbe4d14d3fd126ffab82afd


[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Re-add poppler.

2019-04-08 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a2b9c138 by Mike Gabriel at 2019-04-08T21:23:07Z
data/dla-needed.txt: Re-add poppler.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -78,6 +78,9 @@ linux-4.9 (Ben Hutchings)
 polarssl
   NOTE: 20181207: Not 100% sure if vulnerable. Upstream would prefer us to 
move to latest version, etc. (!). (lamby)
 --
+poppler
+  NOTE: 20190408: No known upstream patches available for remaining open CVEs 
(sunweaver)
+--
 proftpd-dfsg (Markus Koschany)
   NOTE: 20190405: Waiting for maintainer feedback. Package is ready for upload.
 --
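Review bot: the re-added "poppler" entry is unclaimed and its NOTE says only that no upstream patches exist for the remaining open CVEs, without naming them. The entry removed a few minutes earlier in commit ac2ae680 listed them (CVE-2019-9543 and CVE-2019-9545 with no fix, CVE-2019-9903 with a fix available); keep those ids in the note so the next claimant does not have to re-triage, and state whether CVE-2019-9903 went into DLA-1752-1.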



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a2b9c1380a4fc208720ad0498f0f99cca3c79df0


[Git][security-tracker-team/security-tracker][master] Reserve DLA-1752-1 for poppler

2019-04-08 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ac2ae680 by Mike Gabriel at 2019-04-08T21:20:51Z
Reserve DLA-1752-1 for poppler

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[08 Apr 2019] DLA-1752-1 poppler - security update
+   {CVE-2019-9631}
+   [jessie] - poppler 0.26.5-2+deb8u9
 [08 Apr 2019] DLA-1751-1 suricata - security update
{CVE-2018-10242 CVE-2018-10243}
[jessie] - suricata 2.0.7-2+deb8u4
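Review bot: DLA-1752-1 is reserved for CVE-2019-9631 only, but the dla-needed.txt notes removed in the second hunk of this commit recorded "fix available for CVE-2019-9903". If that fix is in poppler 0.26.5-2+deb8u9, add CVE-2019-9903 to the CVE set here and give it the same jessie fixed version in data/CVE/list; if not, it should stay listed as open work for poppler rather than disappear with the entry.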


=
data/dla-needed.txt
=
@@ -78,11 +78,6 @@ linux-4.9 (Ben Hutchings)
 polarssl
   NOTE: 20181207: Not 100% sure if vulnerable. Upstream would prefer us to 
move to latest version, etc. (!). (lamby)
 --
-poppler (Mike Gabriel)
-  NOTE: 20190325: fix in-progress for CVE-2019-9631
-  NOTE: 20190325: no fix yet for CVE-2019-9543 nor CVE-2019-9545
-  NOTE: 20190325: fix available for CVE-2019-9903
---
 proftpd-dfsg (Markus Koschany)
   NOTE: 20190405: Waiting for maintainer feedback. Package is ready for upload.
 --
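Review bot: removing the whole poppler block drops the record that CVE-2019-9543 and CVE-2019-9545 still have no fix; the follow-up commit a2b9c138 re-adds poppler with a generic note, so it would have been cleaner to keep the entry here and replace the three dated NOTE lines with the current status (DLA-1752-1 reserved, remaining CVEs listed by id) in this commit.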



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ac2ae6800f8c481c260ac53c622c7808ba5c25bb


[Git][security-tracker-team/security-tracker][master] claim samba

2019-04-08 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
44f9e527 by Mike Gabriel at 2019-04-08T21:18:44Z
claim samba

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -103,7 +103,7 @@ python3.4 (Roberto C. Sánchez)
 qemu (Emilio)
   NOTE: CVE-2018-19665: wait for final patch
 --
-samba
+samba (Mike Gabriel)
   NOTE: https://lists.debian.org/debian-lts/2019/04/msg00063.html
 --
 sox
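Review bot: the claim "samba (Mike Gabriel)" keeps an undated NOTE; the convention in the surrounding entries of this file is "NOTE: YYYYMMDD: ...", and with the same-day commit 1aabe8d7 stating that patches were ported from Ubuntu with an upload in prep, a dated status line here would let other LTS members see that the claim is active and what it covers.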



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/44f9e527d545575868d7280dd52b426dab563d61


[Git][security-tracker-team/security-tracker][master] Setting CVE-2019-10018 (poppler) to ignored for jessie (agreeing with security team's evaluation).

2019-04-08 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fda9575f by Mike Gabriel at 2019-04-08T21:02:38Z
Setting CVE-2019-10018 (poppler) to ignored for jessie (agreeing with security 
team's evaluation).

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2248,6 +2248,7 @@ CVE-2019-10019 (An issue was discovered in Xpdf 4.01.01. 
There is an FPE in the
 CVE-2019-10018 (An issue was discovered in Xpdf 4.01.01. There is an FPE in 
the functi ...)
- poppler  (bug #926133)
[stretch] - poppler  (Minor issue)
+   [jessie] - poppler  (Minor issue)
NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3=41276 
(PostScriptFunction::e...@function.cc:1374-42___FPE PoC)
 CVE-2019-10017 (CMS Made Simple 2.2.10 has XSS via the moduleinterface.php 
Name field, ...)
NOT-FOR-US: CMS Made Simple
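Review bot: the commit message says CVE-2019-10018 is set to ignored for jessie, but the added line's rationale "(Minor issue)" is copied from the stretch no-dsa entry; the tag itself is not visible in this rendering, so check that it is the ignored tag and not no-dsa, since the tracker treats them differently (no-dsa leaves the issue eligible for a later DLA, ignored does not). An ignored entry should also carry a reason specific to that decision, i.e. why the FPE in PostScriptFunction noted below is not worth a jessie update, rather than the generic "Minor issue".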



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/fda9575f2af755d4f53918f16d66cdf6a438bd6e


[Git][security-tracker-team/security-tracker][master] 2 commits: Process NFUs

2019-04-08 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9773102f by Salvatore Bonaccorso at 2019-04-08T20:50:34Z
Process NFUs

- - - - -
31a14077 by Salvatore Bonaccorso at 2019-04-08T20:50:35Z
Add CVE-2019-10914/matrixssl

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -32,7 +32,7 @@ CVE-2019-11003 (In Materialize through 1.0.0, XSS is possible 
via the Autocomple
 CVE-2019-11002 (In Materialize through 1.0.0, XSS is possible via the Tooltip 
feature. ...)
TODO: check
 CVE-2019-11001 (On Reolink RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W 
devices th ...)
-   TODO: check
+   NOT-FOR-US: Reolink devices
 CVE-2019-11000
RESERVED
 CVE-2019-10999
@@ -206,7 +206,9 @@ CVE-2019-10916
 CVE-2019-10915
RESERVED
 CVE-2019-10914 (pubRsaDecryptSignedElementExt in MatrixSSL, as used in Inside 
Secure T ...)
-   TODO: check
+   - matrixssl 
+   NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1785
+   NOTE: https://github.com/matrixssl/matrixssl/issues/26
 CVE-2019-10913
RESERVED
 CVE-2019-10912
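Review bot: "- matrixssl " is entered with no fixed version and no "(bug #NNN)" reference, so CVE-2019-10914 now shows as open in unstable with nothing tracking it; the other unfixed entries on this page carry a bug number, e.g. "libu2f-host 1.1.7-1 (bug #921726)". File the bug against matrixssl and record it here; the Project Zero issue 1785 and upstream issue 26 are linked, but neither a fixed upstream version nor a fix commit is noted, so add one once upstream lands it.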
@@ -375,7 +377,7 @@ CVE-2019-10847
 CVE-2019-10846
RESERVED
 CVE-2019-10845 (An issue was discovered in Uniqkey Password Manager 1.14. When 
enterin ...)
-   TODO: check
+   NOT-FOR-US: Uniqkey Password Manager
 CVE-2019-10844 (nbla/logger.cpp in libnnabla.a in Sony Neural Network 
Libraries (aka n ...)
NOT-FOR-US: Sony
 CVE-2019-10843
@@ -826,7 +828,7 @@ CVE-2019-10678 (Domoticz before 4.10579 neglects to 
categorize \n and \r as inse
 CVE-2019-10677
RESERVED
 CVE-2019-10676 (An issue was discovered in Uniqkey Password Manager 1.14. Upon 
enterin ...)
-   TODO: check
+   NOT-FOR-US: Uniqkey Password Manager
 CVE-2019-10675
REJECTED
 CVE-2019-10674
@@ -16725,7 +16727,7 @@ CVE-2019-4212
 CVE-2019-4211
RESERVED
 CVE-2019-4210 (IBM QRadar SIEM 7.3.2 could allow a user to bypass 
authentication expo ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2019-4209
RESERVED
 CVE-2019-4208
@@ -16835,7 +16837,7 @@ CVE-2019-4157
 CVE-2019-4156
RESERVED
 CVE-2019-4155 (IBM API Connect's Developer Portal 2018.1 and 2018.4.1.3 is 
impacted b ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2019-4154
RESERVED
 CVE-2019-4153
@@ -16859,7 +16861,7 @@ CVE-2019-4145
 CVE-2019-4144
RESERVED
 CVE-2019-4143 (The IBM Cloud Private Key Management Service (IBM Cloud Private 
3.1.1  ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2019-4142
RESERVED
 CVE-2019-4141
@@ -17043,7 +17045,7 @@ CVE-2019-4053
 CVE-2019-4052 (IBM API Connect 2018.1 and 2018.4.1.2 apis can be leveraged by 
unauthe ...)
NOT-FOR-US: IBM
 CVE-2019-4051 (Some URIs in IBM API Connect 2018.1 and 2018.4.1.3 disclose 
system spe ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2019-4050
RESERVED
 CVE-2019-4049
@@ -17055,7 +17057,7 @@ CVE-2019-4047
 CVE-2019-4046 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is 
vulnerable  ...)
NOT-FOR-US: IBM
 CVE-2019-4045 (IBM Business Automation Workflow and IBM Business Process 
Manager 18.0 ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2019-4044
RESERVED
 CVE-2019-4043 (IBM Sterling B2B Integrator Standard Edition 5.2.0 snf 6.0.0.0 
is vuln ...)
@@ -19541,7 +19543,7 @@ CVE-2018-20343
 CVE-2018-20342 (The Floureon IP Camera SP012 provides a root terminal on a 
UART serial ...)
NOT-FOR-US: Floureon IP Camera SP012
 CVE-2018-20341 (WINMAGIC SecureDoc Disk Encryption before 8.3 has an Unquoted 
Search P ...)
-   TODO: check
+   NOT-FOR-US: WINMAGIC SecureDoc Disk Encryption
 CVE-2018-20340 (Yubico libu2f-host 1.1.6 contains unchecked buffers in devs.c, 
which c ...)
{DSA-4389-1}
- libu2f-host 1.1.7-1 (bug #921726)
@@ -110880,7 +110882,7 @@ CVE-2017-7914 (A Missing Authorization issue was 
discovered in Rockwell Automati
 CVE-2017-7913 (A Plaintext Storage of a Password issue was discovered in Moxa 
OnCell  ...)
NOT-FOR-US: Moxa
 CVE-2017-7912 (Hanwha Techwin SRN-4000, SRN-4000 firmware versions prior to 
SRN4000_v ...)
-   TODO: check
+   NOT-FOR-US: Hanwha Techwin firmware
 CVE-2017-7911 (A Code Injection issue was discovered in CyberVision Kaa IoT 
Platform, ...)
NOT-FOR-US: CyberVision Kaa IoT Platform
 CVE-2017-7910 (A Stack-Based Buffer Overflow issue was discovered in Digital 
Canal St ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/0de708c7add105a8b6c7494113d1bfad170d2673...31a1407736f4f3a6e9c01248915f5cc36b79de39


[Git][security-tracker-team/security-tracker][master] Reserve DSA number for systemd update

2019-04-08 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0de708c7 by Salvatore Bonaccorso at 2019-04-08T20:33:29Z
Reserve DSA number for systemd update

- - - - -


1 changed file:

- data/DSA/list


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[08 Apr 2019] DSA-4428-1 systemd - security update
+   {CVE-2019-3842}
+   [stretch] - systemd 232-25+deb9u11
 [08 Apr 2019] DSA-4427-1 samba - security update
{CVE-2019-3880}
[stretch] - samba 2:4.5.16+dfsg-1+deb9u1
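Review bot: the reservation records only the stretch fixed version 232-25+deb9u11 for CVE-2019-3842; the matching data/CVE/list entry should carry the unstable fixed version so the DSA does not list a version the tracker does not otherwise know about, and jessie is not mentioned at all. Add a "[jessie]" triage line or a dla-needed.txt entry so the LTS team knows whether CVE-2019-3842 applies to jessie's systemd.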



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/0de708c7add105a8b6c7494113d1bfad170d2673


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-11005/graphicsmagick

2019-04-08 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
48168793 by Salvatore Bonaccorso at 2019-04-08T20:27:35Z
Add CVE-2019-11005/graphicsmagick

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -22,7 +22,9 @@ CVE-2019-11006 (In GraphicsMagick 1.4 snapshot-20190322 Q8, 
there is a heap-base
NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/f7610c1281c1
NOTE: https://sourceforge.net/p/graphicsmagick/bugs/598/
 CVE-2019-11005 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a 
stack-based buf ...)
-   TODO: check
+   - graphicsmagick 
+   NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/b6fb77d7d54d
+   NOTE: https://sourceforge.net/p/graphicsmagick/bugs/600/
 CVE-2019-11004 (In Materialize through 1.0.0, XSS is possible via the Toast 
feature. ...)
TODO: check
 CVE-2019-11003 (In Materialize through 1.0.0, XSS is possible via the 
Autocomplete fea ...)
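Review bot: "- graphicsmagick " is recorded with no fixed version or bug number for a stack-based buffer overflow, the most serious of the six GraphicsMagick issues added this evening; the upstream fix revision b6fb77d7d54d is linked, so add "(bug #NNN)" once the maintainer is notified and the fixed version once it is uploaded. Since the CVE text describes a 1.4 development snapshot, also note which packaged versions contain the affected code before severity is decided for stretch and jessie.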



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/481687936fbba8bd1f46af2a880e41cb10e5e0e6


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-11006/graphicsmagick

2019-04-08 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
57f34c9b by Salvatore Bonaccorso at 2019-04-08T20:24:21Z
Add CVE-2019-11006/graphicsmagick

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -18,7 +18,9 @@ CVE-2019-11007 (In GraphicsMagick 1.4 snapshot-20190322 Q8, 
there is a heap-base
NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/86a9295e7c83
NOTE: https://sourceforge.net/p/graphicsmagick/bugs/596/
 CVE-2019-11006 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a 
heap-based buff ...)
-   TODO: check
+   - graphicsmagick 
+   NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/f7610c1281c1
+   NOTE: https://sourceforge.net/p/graphicsmagick/bugs/598/
 CVE-2019-11005 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a 
stack-based buf ...)
TODO: check
 CVE-2019-11004 (In Materialize through 1.0.0, XSS is possible via the Toast 
feature. ...)
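Review bot: same shape as the sibling entries: "- graphicsmagick " with no bug reference and no suite triage. One bug report against graphicsmagick covering CVE-2019-11005 through CVE-2019-11010, listing the six upstream hg revisions, would keep the six entries consistent; and since graphicsmagick was claimed in dla-needed.txt the same evening, a "[jessie]" line (fixed version or no-dsa) is still missing here.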



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/57f34c9b8ba9be7b06ea49072b7c6463b02db357


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-11007/graphicsmagick

2019-04-08 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0f5dc6e1 by Salvatore Bonaccorso at 2019-04-08T20:23:22Z
Add CVE-2019-11007/graphicsmagick

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13,7 +13,10 @@ CVE-2019-11008 (In GraphicsMagick 1.4 snapshot-20190322 Q8, 
there is a heap-base
NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/d823d23a474b
NOTE: https://sourceforge.net/p/graphicsmagick/bugs/599/
 CVE-2019-11007 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a 
heap-based buff ...)
-   TODO: check
+   - graphicsmagick 
+   NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/40fc71472b98
+   NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/86a9295e7c83
+   NOTE: https://sourceforge.net/p/graphicsmagick/bugs/596/
 CVE-2019-11006 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a 
heap-based buff ...)
TODO: check
 CVE-2019-11005 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a 
stack-based buf ...)
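Review bot: two upstream revisions (40fc71472b98 and 86a9295e7c83) are linked for CVE-2019-11007 without saying which one is the fix and which a follow-up; mark them in the file's own style ("NOTE: Fixed by: ...") so a backporter knows both must be applied. Like the sibling entries, "- graphicsmagick " has no fixed version or bug reference.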



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/0f5dc6e1f1b914882e57b6a287bd33602e8e1085


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-11008/graphicsmagick

2019-04-08 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
509848a1 by Salvatore Bonaccorso at 2019-04-08T20:18:03Z
Add CVE-2019-11008/graphicsmagick

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -9,7 +9,9 @@ CVE-2019-11009 (In GraphicsMagick 1.4 snapshot-20190322 Q8, 
there is a heap-base
NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/7cff2b1792de
NOTE: https://sourceforge.net/p/graphicsmagick/bugs/597/
 CVE-2019-11008 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a 
heap-based buff ...)
-   TODO: check
+   - graphicsmagick 
+   NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/d823d23a474b
+   NOTE: https://sourceforge.net/p/graphicsmagick/bugs/599/
 CVE-2019-11007 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a 
heap-based buff ...)
TODO: check
 CVE-2019-11006 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a 
heap-based buff ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/509848a14f1bbaaa5bf127a6d6200921cdaa0d9a


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-11009/graphicsmagick

2019-04-08 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
eee61377 by Salvatore Bonaccorso at 2019-04-08T20:16:51Z
Add CVE-2019-11009/graphicsmagick

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5,7 +5,9 @@ CVE-2019-11010 (In GraphicsMagick 1.4 snapshot-20190322 Q8, 
there is a memory le
NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/a348d9661019
NOTE: https://sourceforge.net/p/graphicsmagick/bugs/601/
 CVE-2019-11009 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a 
heap-based buff ...)
-   TODO: check
+   - graphicsmagick 
+   NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/7cff2b1792de
+   NOTE: https://sourceforge.net/p/graphicsmagick/bugs/597/
 CVE-2019-11008 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a 
heap-based buff ...)
TODO: check
 CVE-2019-11007 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a 
heap-based buff ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/eee613778383727150fbc51686bdb32253e6ab8a


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-11010/graphicsmagick

2019-04-08 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3ab0202d by Salvatore Bonaccorso at 2019-04-08T20:15:12Z
Add CVE-2019-11010/graphicsmagick

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,7 +1,9 @@
 CVE-2019-11011
RESERVED
 CVE-2019-11010 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a memory 
leak in  ...)
-   TODO: check
+   - graphicsmagick 
+   NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/a348d9661019
+   NOTE: https://sourceforge.net/p/graphicsmagick/bugs/601/
 CVE-2019-11009 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a 
heap-based buff ...)
TODO: check
 CVE-2019-11008 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a 
heap-based buff ...)
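Review bot: CVE-2019-11010 is a memory leak, so it should carry a severity or no-dsa rationale for stretch and jessie rather than sitting as an untriaged "- graphicsmagick " line alongside the five buffer overflows; a leak in an image decoder is typically at most a denial of service for a long-running consumer. Add the bug number and the suite triage when the sibling entries get theirs.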



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/3ab0202d81d5b7b1123c17ac348f3adaaef79458


[Git][security-tracker-team/security-tracker][master] Reserve DLA-1751-1 for suricata

2019-04-08 Thread Hugo Lefeuvre


Hugo Lefeuvre pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
703a234f by Hugo Lefeuvre at 2019-04-08T20:11:10Z
Reserve DLA-1751-1 for suricata

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[08 Apr 2019] DLA-1751-1 suricata - security update
+   {CVE-2018-10242 CVE-2018-10243}
+   [jessie] - suricata 2.0.7-2+deb8u4
 [07 Apr 2019] DLA-1750-1 roundup - security update
{CVE-2019-10904}
[jessie] - roundup 1.4.20-1.1+deb8u2


=
data/dla-needed.txt
=
@@ -110,9 +110,6 @@ sox
   NOTE: 20190305: CVE-2019-835{4,5,6,7} no upstream patch yet, might take some 
time.
   NOTE: Check again later. - hle
 --
-suricata (Hugo Lefeuvre)
-  NOTE: three CVEs remaining, we should either release a dla or triage no-dsa.
---
 wget (Thorsten Alteholz)
 --
 wordpress
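Review bot: the removed note said three CVEs remained for suricata and that each should either go into a DLA or be triaged no-dsa, but DLA-1751-1 reserved in the first hunk covers only CVE-2018-10242 and CVE-2018-10243. The third issue therefore needs either adding to the DLA's CVE set with the jessie version 2.0.7-2+deb8u4, or a "[jessie]" no-dsa line in data/CVE/list; otherwise it falls off the LTS work list when this entry is dropped.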



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/703a234f9212c96a13052337d180b0f72a11f246


[Git][security-tracker-team/security-tracker][master] automatic update

2019-04-08 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7829451a by security tracker role at 2019-04-08T20:10:19Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,199 @@
+CVE-2019-11011
+   RESERVED
+CVE-2019-11010 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a memory 
leak in  ...)
+   TODO: check
+CVE-2019-11009 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a 
heap-based buff ...)
+   TODO: check
+CVE-2019-11008 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a 
heap-based buff ...)
+   TODO: check
+CVE-2019-11007 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a 
heap-based buff ...)
+   TODO: check
+CVE-2019-11006 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a 
heap-based buff ...)
+   TODO: check
+CVE-2019-11005 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a 
stack-based buf ...)
+   TODO: check
+CVE-2019-11004 (In Materialize through 1.0.0, XSS is possible via the Toast 
feature. ...)
+   TODO: check
+CVE-2019-11003 (In Materialize through 1.0.0, XSS is possible via the 
Autocomplete fea ...)
+   TODO: check
+CVE-2019-11002 (In Materialize through 1.0.0, XSS is possible via the Tooltip 
feature. ...)
+   TODO: check
+CVE-2019-11001 (On Reolink RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W 
devices th ...)
+   TODO: check
+CVE-2019-11000
+   RESERVED
+CVE-2019-10999
+   RESERVED
+CVE-2019-10998
+   RESERVED
+CVE-2019-10997
+   RESERVED
+CVE-2019-10996
+   RESERVED
+CVE-2019-10995
+   RESERVED
+CVE-2019-10994
+   RESERVED
+CVE-2019-10993
+   RESERVED
+CVE-2019-10992
+   RESERVED
+CVE-2019-10991
+   RESERVED
+CVE-2019-10990
+   RESERVED
+CVE-2019-10989
+   RESERVED
+CVE-2019-10988
+   RESERVED
+CVE-2019-10987
+   RESERVED
+CVE-2019-10986
+   RESERVED
+CVE-2019-10985
+   RESERVED
+CVE-2019-10984
+   RESERVED
+CVE-2019-10983
+   RESERVED
+CVE-2019-10982
+   RESERVED
+CVE-2019-10981
+   RESERVED
+CVE-2019-10980
+   RESERVED
+CVE-2019-10979
+   RESERVED
+CVE-2019-10978
+   RESERVED
+CVE-2019-10977
+   RESERVED
+CVE-2019-10976
+   RESERVED
+CVE-2019-10975
+   RESERVED
+CVE-2019-10974
+   RESERVED
+CVE-2019-10973
+   RESERVED
+CVE-2019-10972
+   RESERVED
+CVE-2019-10971
+   RESERVED
+CVE-2019-10970
+   RESERVED
+CVE-2019-10969
+   RESERVED
+CVE-2019-10968
+   RESERVED
+CVE-2019-10967
+   RESERVED
+CVE-2019-10966
+   RESERVED
+CVE-2019-10965
+   RESERVED
+CVE-2019-10964
+   RESERVED
+CVE-2019-10963
+   RESERVED
+CVE-2019-10962
+   RESERVED
+CVE-2019-10961
+   RESERVED
+CVE-2019-10960
+   RESERVED
+CVE-2019-10959
+   RESERVED
+CVE-2019-10958
+   RESERVED
+CVE-2019-10957
+   RESERVED
+CVE-2019-10956
+   RESERVED
+CVE-2019-10955
+   RESERVED
+CVE-2019-10954
+   RESERVED
+CVE-2019-10953
+   RESERVED
+CVE-2019-10952
+   RESERVED
+CVE-2019-10951
+   RESERVED
+CVE-2019-10950
+   RESERVED
+CVE-2019-10949
+   RESERVED
+CVE-2019-10948
+   RESERVED
+CVE-2019-10947
+   RESERVED
+CVE-2019-10946
+   RESERVED
+CVE-2019-10945
+   RESERVED
+CVE-2019-10944
+   RESERVED
+CVE-2019-10943
+   RESERVED
+CVE-2019-10942
+   RESERVED
+CVE-2019-10941
+   RESERVED
+CVE-2019-10940
+   RESERVED
+CVE-2019-10939
+   RESERVED
+CVE-2019-10938
+   RESERVED
+CVE-2019-10937
+   RESERVED
+CVE-2019-10936
+   RESERVED
+CVE-2019-10935
+   RESERVED
+CVE-2019-10934
+   RESERVED
+CVE-2019-10933
+   RESERVED
+CVE-2019-10932
+   RESERVED
+CVE-2019-10931
+   RESERVED
+CVE-2019-10930
+   RESERVED
+CVE-2019-10929
+   RESERVED
+CVE-2019-10928
+   RESERVED
+CVE-2019-10927
+   RESERVED
+CVE-2019-10926
+   RESERVED
+CVE-2019-10925
+   RESERVED
+CVE-2019-10924
+   RESERVED
+CVE-2019-10923
+   RESERVED
+CVE-2019-10922
+   RESERVED
+CVE-2019-10921
+   RESERVED
+CVE-2019-10920
+   RESERVED
+CVE-2019-10919
+   RESERVED
+CVE-2019-10918
+   RESERVED
+CVE-2019-10917
+   RESERVED
+CVE-2019-10916
+   RESERVED
+CVE-2019-10915
+   RESERVED
+CVE-2019-10914 (pubRsaDecryptSignedElementExt in MatrixSSL, as used in Inside 
Secure T ...)
+   TODO: check
 CVE-2019-10913
RESERVED
 CVE-2019-10912
@@ -12,7 +208,7 @@ CVE-2019-10908 (In Airsonic 10.2.1, RecoverController.java 
generates passwords v
NOT-FOR-US: Airsonic
 CVE-2019-10907 (Airsonic 10.2.1 uses Spring's default remember-me mechanism 
based on M ...)
NOT-FOR-US: Airsonic
-CVE-2016-10745 [issue related to CVE-2019-10906, str.format vulnerability]
+CVE-2016-10745 (In Pallets Jinja before 2.8.1, str.format allows a sandbox 
escape. ...)
- jinja2 2.9.4-1
NOTE: Fixed by: 
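Review bot: the explicit cross-reference to CVE-2019-10906 is lost once the bracketed placeholder '[issue related to CVE-2019-10906, str.format vulnerability]' is swapped for the MITRE description; since the str.format and str.format_map issues are tracked as a pair, add a NOTE under the CVE-2016-10745 entry pointing at CVE-2019-10906 so the link survives the description refresh.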

[Git][security-tracker-team/security-tracker][master] update fixed status for a number of older nodejs and node-foo packages

2019-04-08 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c9d96e49 by Moritz Muehlenhoff at 2019-04-08T19:19:58Z
update fixed status for a number of older nodejs and node-foo packages

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -47982,17 +47982,17 @@ CVE-2018-12125
 CVE-2018-12124
RESERVED
 CVE-2018-12123 (Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 
and 11. ...)
-   - nodejs  (unimportant)
+   - nodejs 10.15.0~dfsg-6 (unimportant)
NOTE: 
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
NOTE: Nodejs not covered by security support
NOTE: Patch (v8): 
https://github.com/nodejs/node/commit/53a6e4eb2002efc66eb9aefe24529fb63715094e
 CVE-2018-12122 (Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 
and 11. ...)
-   - nodejs  (unimportant)
+   - nodejs 10.15.0~dfsg-6 (unimportant)
NOTE: 
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
NOTE: Nodejs not covered by security support
NOTE: Patch (v8): 
https://github.com/nodejs/node/commit/696f063c5e9157fd10859515da00fd8bd190d76d
 CVE-2018-12121 (Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 
and 11. ...)
-   - nodejs  (unimportant)
+   - nodejs 10.15.0~dfsg-6 (unimportant)
NOTE: 
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
NOTE: Nodejs not covered by security support
NOTE: Patch (v8): 
https://github.com/nodejs/node/commit/93dba83fb0fb46ee2ea87163f435392490b4d59b
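Review bot: the three entries get 10.15.0~dfsg-6 as fixed version without a NOTE saying why that upload was chosen; the descriptions ('All versions prior to ... 10.14.0') make the choice plausible, but the later hunks in this commit record the reasoning ('marking first 10.x upload to sid as fixed'), so add the same one-line NOTE here to keep the entries self-explanatory.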
@@ -48009,12 +48009,13 @@ CVE-2018-12118
 CVE-2018-12117
RESERVED
 CVE-2018-12116 (Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP 
request ...)
-   - nodejs  (unimportant)
+   - nodejs 10.15.0~dfsg-6 (unimportant)
NOTE: 
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
NOTE: Nodejs not covered by security support
NOTE: Patch (v8): 
https://github.com/nodejs/node/commit/513e9747a22386bc9c93a12f9698561827a1e631
+   NOTE: Only affects 6.x and 8.x, marking first 10.x release as fixed
 CVE-2018-12115 (In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 
when use ...)
-   - nodejs  (unimportant)
+   - nodejs 10.15.0~dfsg-6 (unimportant)
NOTE: 
https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/
NOTE: Nodejs not covered by security support
NOTE: https://github.com/nodejs/node/commit/fc14d812b7
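Review bot: CVE-2018-12115 gets the same 10.15.0~dfsg-6 fixed version as CVE-2018-12116 but without the accompanying NOTE; its description ('prior to 6.14.4, 8.11.4 and 10.9.0') means 10.x was affected until 10.9.0, so a NOTE stating that 10.15.0 already contains the upstream fix would document why the first 10.x upload counts as fixed.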
@@ -61711,17 +61712,17 @@ CVE-2018-7169 (An issue was discovered in shadow 4.5. 
newgidmap (in shadow-utils
 CVE-2018-7168
RESERVED
 CVE-2018-7167 (Calling Buffer.fill() or Buffer.alloc() with some parameters 
can lead  ...)
-   - nodejs  (unimportant)
+   - nodejs 10.15.0~dfsg-6 (unimportant)
NOTE: 
https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/#calls-to-buffer-fill-and-or-buffer-alloc-may-hang-cve-2018-7167
+   NOTE: Doesn't affect 10.x, marking first 10.x upload to sid as fixed
 CVE-2018-7166 (In all versions of Node.js 10 prior to 10.9.0, an argument 
processing  ...)
-   [experimental] - nodejs 
- nodejs  (Only affects 10.x and later)
NOTE: 
https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/
NOTE: 
https://github.com/nodejs/node/commit/40a7beeddac9b9ec9ef5b49157daaf8470648b08
 CVE-2018-7165
RESERVED
 CVE-2018-7164 (Node.js versions 9.7.0 and later and 10.x are vulnerable and 
the sever ...)
-   - nodejs  (unimportant)
+   - nodejs 10.15.0~dfsg-6 (unimportant)
[stretch] - nodejs  (Only affects >= 9.x)
[jessie] - nodejs  (Only affects >= 9.x)
NOTE: 
https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/#memory-exhaustion-dos-on-v9-x-cve-2018-7164
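Review bot: for CVE-2018-7164 the description says 10.x is vulnerable, so unlike CVE-2018-7167 (whose new NOTE says 'Doesn't affect 10.x') the fixed version 10.15.0~dfsg-6 depends on the June 2018 upstream fix being part of 10.15.0; add a NOTE naming the upstream fixed release so the version is traceable rather than inferred.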
@@ -61729,24 +61730,24 @@ CVE-2018-7164 (Node.js versions 9.7.0 and later and 
10.x are vulnerable and the
 CVE-2018-7163
RESERVED
 CVE-2018-7162 (All versions of Node.js 9.x and 10.x are vulnerable and the 
severity i ...)
-   - nodejs  (unimportant)
+   - nodejs 10.15.0~dfsg-6 (unimportant)
[stretch] - nodejs  (Only affects >= 8.x)
[jessie] - nodejs  (Only affects >= 8.x)
NOTE: 
https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/#denial-of-service-vulnerability-in-tls-cve-2018-7162
NOTE: https://github.com/nodejs/node/commit/0cb3325f1
 CVE-2018-7161 (All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and 
the seve ...)
-   - nodejs  (unimportant)
+   - nodejs 10.15.0~dfsg-6 (unimportant)
[stretch] - nodejs  (Only affects >= 8.x)
[jessie] - nodejs  (Only affects >= 8.x)
NOTE: 
https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/#denial-of-service-vulnerability-in-http-2-cve-2018-7161
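Review bot: the unchanged stretch/jessie lines under CVE-2018-7162 read '(Only affects >= 8.x)' while the description says 'All versions of Node.js 9.x and 10.x are vulnerable'; since the entry is being touched anyway, align the release notes with the description (or cite the source for 8.x being affected) to avoid a contradictory record.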

[Git][security-tracker-team/security-tracker][master] 2 commits: Remove TODO item for CVE-2019-9631/poppler

2019-04-08 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e10df915 by Salvatore Bonaccorso at 2019-04-08T19:11:41Z
Remove TODO item for CVE-2019-9631/poppler

- - - - -
ba4ae95a by Salvatore Bonaccorso at 2019-04-08T19:15:56Z
Add Debian bug reference for CVE-2019-9631/poppler

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3800,10 +3800,9 @@ CVE-2019-9633 (gio/gsocketclient.c in GNOME GLib 2.59.2 
does not ensure that a p
 CVE-2019-9632 (ESAFENET CDG V3 and V5 has an arbitrary file download 
vulnerability vi ...)
NOT-FOR-US: ESAFENET CDG
 CVE-2019-9631 (Poppler 0.74.0 has a heap-based buffer over-read in the 
CairoRescaleBo ...)
-   - poppler 
+   - poppler  (bug #926673)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/736
NOTE: 
https://gitlab.freedesktop.org/poppler/poppler/commit/8122f6d6d409b53151a20c5578fc525ee97315e8
-   TODO: check details
 CVE-2019-9630
RESERVED
 CVE-2019-9629



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/3c5219d6f6f32823a1521ee9c2e510838c61fd2c...ba4ae95aae8e3549c778a5e289a4d8d082abe7d9


[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-0542/node-xterm

2019-04-08 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3c5219d6 by Salvatore Bonaccorso at 2019-04-08T19:08:45Z
Add Debian bug reference for CVE-2019-0542/node-xterm

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -27415,7 +27415,7 @@ CVE-2019-0544
 CVE-2019-0543 (An elevation of privilege vulnerability exists when Windows 
improperly ...)
NOT-FOR-US: Microsoft
 CVE-2019-0542 (A remote code execution vulnerability exists in Xterm.js when 
the comp ...)
-   - node-xterm  (unimportant)
+   - node-xterm  (unimportant; bug #926670)
NOTE: nodejs not covered by security support
 CVE-2019-0541 (A remote code execution vulnerability exists in the way that 
the MSHTM ...)
NOT-FOR-US: Microsoft



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/3c5219d6f6f32823a1521ee9c2e510838c61fd2c


[Git][security-tracker-team/security-tracker][master] ffmpeg, podofo bugs

2019-04-08 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9ed79f37 by Moritz Muehlenhoff at 2019-04-08T18:50:08Z
ffmpeg, podofo bugs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -413,7 +413,7 @@ CVE-2019-10725
 CVE-2019-10724
RESERVED
 CVE-2019-10723 (An issue was discovered in PoDoFo 0.9.6. The PdfPagesTreeCache 
class i ...)
-   - libpodofo 
+   - libpodofo  (bug #926667)
[jessie] - libpodofo  (DoS, not used by any sponsor)
NOTE: https://sourceforge.net/p/podofo/tickets/46/
 CVE-2019-1003099 (A missing permission check in Jenkins openid Plugin in the 
OpenIdSsoSe ...)
@@ -3527,7 +3527,7 @@ CVE-2019-9723
 CVE-2019-9722
RESERVED
 CVE-2019-9721 (A denial of service in the subtitle decoder in FFmpeg 4.1 
allows attac ...)
-   - ffmpeg 
+   - ffmpeg  (bug #92)
[stretch] - ffmpeg  (Vulnerable code not present)
NOTE: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/894995c41e0795c7a44f81adc4838dedc3932e65
 CVE-2019-9720
@@ -3535,7 +3535,7 @@ CVE-2019-9720
 CVE-2019-9719
RESERVED
 CVE-2019-9718 (In FFmpeg 4.1, a denial of service in the subtitle decoder 
allows atta ...)
-   - ffmpeg  (low)
+   - ffmpeg  (low; bug #92)
[stretch] - ffmpeg  (Wait until fixed in 3.2.x release)
NOTE: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/1f00c97bc3475c477f3c468cf2d924d5761d0982
 CVE-2019-9717
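Review bot: the new bug references on the two ffmpeg lines read '#92', which is far shorter than the six-digit Debian BTS number used for libpodofo in the same commit (#926667); check whether the number was truncated before this lands.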



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/9ed79f375e586e14a67ef57fd1a704940b4c9a82


[Git][security-tracker-team/security-tracker][master] Mark poppler in jessie as not affected by CVE-2019-9903.

2019-04-08 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
579869f3 by Mike Gabriel at 2019-04-08T18:24:51Z
Mark poppler in jessie as not affected by CVE-2019-9903.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2310,6 +2310,7 @@ CVE-2019-9904 (An issue was discovered in 
lib\cdt\dttree.c in libcdt.a in graphv
NOTE: https://gitlab.com/graphviz/graphviz/issues/1512
 CVE-2019-9903 (PDFDoc::markObject in PDFDoc.cc in Poppler 0.74.0 mishandles 
dict mark ...)
- poppler  (bug #925264)
+   [jessie] - poppler  (Vulnerable code not present)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/741
NOTE: 
https://gitlab.freedesktop.org/poppler/poppler/commit/fada09a2ccc11a3a1d308e810f1336d8df6011fd
 CVE-2019-9902



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/579869f33bf3331b77c7838c62607ca878f7e753


[Git][security-tracker-team/security-tracker][master] 2 commits: poppler in jessie: not affected by CVE-2019-10873

2019-04-08 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6953ca4e by Mike Gabriel at 2019-04-08T18:17:21Z
poppler in jessie: not affected by CVE-2019-10873

- - - - -
e8d48c61 by Mike Gabriel at 2019-04-08T18:20:58Z
CVE-2019-9631 (poppler): Add note with patch URL.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -106,6 +106,7 @@ CVE-2019-10874 (Cross Site Request Forgery (CSRF) in the 
bolt/upload File Upload
NOT-FOR-US: Bolt CMS
 CVE-2019-10873 (An issue was discovered in Poppler 0.74.0. There is a NULL 
pointer der ...)
- poppler  (bug #926532)
+   [jessie] - poppler  (vulnerable code is not present)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/748
NOTE: 
https://gitlab.freedesktop.org/poppler/poppler/commit/8dbe2e6c480405dab9347075cf4be626f90f1d05
 CVE-2019-10872 (An issue was discovered in Poppler 0.74.0. There is a 
heap-based buffe ...)
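Review bot: the reason string on the new jessie line, '(vulnerable code is not present)', differs from the form used for CVE-2019-9903 in the neighbouring commit on this page, '(Vulnerable code not present)'; use the usual capitalised phrasing so the entries stay consistent and greppable.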
@@ -3800,6 +3801,7 @@ CVE-2019-9632 (ESAFENET CDG V3 and V5 has an arbitrary 
file download vulnerabili
 CVE-2019-9631 (Poppler 0.74.0 has a heap-based buffer over-read in the 
CairoRescaleBo ...)
- poppler 
NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/736
+   NOTE: 
https://gitlab.freedesktop.org/poppler/poppler/commit/8122f6d6d409b53151a20c5578fc525ee97315e8
TODO: check details
 CVE-2019-9630
RESERVED
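Review bot: with the upstream fix commit now linked for CVE-2019-9631, the 'TODO: check details' line right below it looks resolved; drop it in the same change rather than leaving a stale TODO behind.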



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/8dc79a3fbfda82f058d135e60d46749f0e659626...e8d48c614e7cba2217a080d0cf2905e72fb9da14


[Git][security-tracker-team/security-tracker][master] 2 commits: dla: libpodofo/CVE-2019-10723: ignored

2019-04-08 Thread Sylvain Beucler


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
704eca22 by Sylvain Beucler at 2019-04-08T17:51:43Z
dla: libpodofo/CVE-2019-10723: ignored

- - - - -
8dc79a3f by Sylvain Beucler at 2019-04-08T17:52:05Z
dla: add claws-mail

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -413,6 +413,7 @@ CVE-2019-10724
RESERVED
 CVE-2019-10723 (An issue was discovered in PoDoFo 0.9.6. The PdfPagesTreeCache 
class i ...)
- libpodofo 
+   [jessie] - libpodofo  (DoS, not used by any sponsor)
NOTE: https://sourceforge.net/p/podofo/tickets/46/
 CVE-2019-1003099 (A missing permission check in Jenkins openid Plugin in the 
OpenIdSsoSe ...)
NOT-FOR-US: Jenkins openid Plugin


=
data/dla-needed.txt
=
@@ -19,6 +19,9 @@ checkstyle (Adrian Bunk)
 --
 clamav (Ola Lundqvist)
 --
+claws-mail
+  NOTE: 20190408: patch not yet available
+--
 evolution
 --
 evolution-data-server



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/f6a44b487909d655ebd29f358ff797b69f4e2fc9...8dc79a3fbfda82f058d135e60d46749f0e659626


[Git][security-tracker-team/security-tracker][master] LTS/python2.7, python3.4, python-urllib3 status update

2019-04-08 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b92b976a by Roberto C. Sánchez at 2019-04-08T16:41:46Z
LTS/python2.7, python3.4, python-urllib3 status update

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -39,12 +39,12 @@ hdf5 (Hugo Lefeuvre)
   NOTE: upstream's bug tracker requires special permissions to open issues.
   NOTE: unclear how upstream handles security backlog, contacted them.
 --
-imagemagick
+imagemagick (Roberto C. Sánchez)
   NOTE: 20181227: We should address the many open issues in imagemagick either
   NOTE: by patching them separetely as we did in Wheezy or by updating to a
   NOTE: new upstream version like the security team did with Graphicsmagick in
   NOTE: Stretch. (apo)
-  NOTE: 20190321: Still waiting on security team response to inquiries from 
(apo) and (roberto)
+  NOTE: 20190408: Still waiting on security team response to inquiries from 
(apo) and (roberto)
 --
 jinja2 (Hugo Lefeuvre)
   NOTE: patch available for CVE-2019-10906.
@@ -86,16 +86,16 @@ proftpd-dfsg (Markus Koschany)
 putty (Thorsten Alteholz)
   NOTE: 20190407: stick to Stretch patches
 --
-python-urllib3
-  NOTE: 20190321: Waiting on upstream action for CVE-2019-9740 (roberto)
+python-urllib3 (Roberto C. Sánchez)
+  NOTE: 20190408: Waiting on upstream action for CVE-2019-9740 (roberto)
 --
-python2.7
+python2.7 (Roberto C. Sánchez)
   NOTE: 20190321: Patches integrated for CVE-2018-14647, CVE-2019-5010, and 
CVE-2019-9636
-  NOTE: 20190321: Waiting on upstream action for CVE-2019-9740 (roberto)
+  NOTE: 20190408: Waiting on upstream action for CVE-2019-9740 (roberto)
 --
-python3.4
+python3.4 (Roberto C. Sánchez)
   NOTE: 20190321: Patches integrated for CVE-2018-14647 and CVE-2019-9636
-  NOTE: 20190321: Waiting on upstream action for CVE-2019-9740 (roberto)
+  NOTE: 20190408: Waiting on upstream action for CVE-2019-9740 (roberto)
 --
 qemu (Emilio)
   NOTE: CVE-2018-19665: wait for final patch



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/b92b976a751f36dacb5d54d7cc60aef1def09efc


[Git][security-tracker-team/security-tracker][master] bwa spu

2019-04-08 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8d1302bb by Moritz Muehlenhoff at 2019-04-08T16:01:19Z
bwa spu

- - - - -


1 changed file:

- data/next-point-update.txt


Changes:

=
data/next-point-update.txt
=
@@ -139,4 +139,6 @@ CVE-2019-6778
[stretch] - qemu 1:2.8+dfsg-6+deb9u6
 CVE-2019-9824
[stretch] - qemu 1:2.8+dfsg-6+deb9u6
+CVE-2019-10269
+   [stretch] - bwa 0.7.15-2+deb9u1
 



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/8d1302bbc184eeb12e0615f69960bcd50964ef02


[Git][security-tracker-team/security-tracker][master] Adjust source package name from jinja to jinja2

2019-04-08 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
36111694 by Salvatore Bonaccorso at 2019-04-08T15:00:58Z
Adjust source package name from jinja to jinja2

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -46,7 +46,7 @@ imagemagick
   NOTE: Stretch. (apo)
   NOTE: 20190321: Still waiting on security team response to inquiries from 
(apo) and (roberto)
 --
-jinja (Hugo Lefeuvre)
+jinja2 (Hugo Lefeuvre)
   NOTE: patch available for CVE-2019-10906.
 --
 jruby (Abhijith PA)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/36111694307113508d591d51185805a79e9d149a


[Git][security-tracker-team/security-tracker][master] Add CVE-2016-10745/jinja2

2019-04-08 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
803a1855 by Salvatore Bonaccorso at 2019-04-08T13:08:05Z
Add CVE-2016-10745/jinja2

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -12,15 +12,13 @@ CVE-2019-10908 (In Airsonic 10.2.1, RecoverController.java 
generates passwords v
NOT-FOR-US: Airsonic
 CVE-2019-10907 (Airsonic 10.2.1 uses Spring's default remember-me mechanism 
based on M ...)
NOT-FOR-US: Airsonic
+CVE-2016-10745 [issue related to CVE-2019-10906, str.format vulnerability]
+   - jinja2 2.9.4-1
+   NOTE: Fixed by: 
https://github.com/pallets/jinja/commit/9b53045c34e61013dc8f09b7e52a555fa16bed16
+   NOTE: Followup bugfix: 
https://github.com/pallets/jinja/commit/74bd64e56387f5b2931040dc7235a3509cde1611
 CVE-2019-10906 (In Pallets Jinja before 2.10.1, str.format_map allows a 
sandbox escape ...)
- jinja2  (bug #926602)
NOTE: https://palletsprojects.com/blog/jinja-2-10-1-released/
-   NOTE: same issue as str.format vulnerability (did not receive CVE 
number, still affecting
-   NOTE: jessie and stretch, fixed in 2.8.1). Both issues should be fixed 
together.
-   NOTE: str.format fix:
-   NOTE: 
https://github.com/pallets/jinja/commit/9b53045c34e61013dc8f09b7e52a555fa16bed16
-   NOTE: 
https://github.com/pallets/jinja/commit/74bd64e56387f5b2931040dc7235a3509cde1611
-   NOTE: str.format_map fix:
NOTE: 
https://github.com/pallets/jinja/commit/a2a6c930bcca591a25d2b316fcfd2d6793897b26
 CVE-2019-10905 (Parsedown before 1.7.2, when safe mode is used and HTML markup 
is disa ...)
NOT-FOR-US: Parsedown
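Review bot: the NOTE that the str.format issue is 'still affecting jessie and stretch' and that 'Both issues should be fixed together' disappears with this change and has no counterpart under the new CVE-2016-10745 entry, which only records jinja2 2.9.4-1 as fixed; add [jessie]/[stretch] lines or a NOTE there so the status for the stable and LTS suites is preserved.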



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/803a1855713384f4a9734d48d0c232db250b49d9


[Git][security-tracker-team/security-tracker][master] Merge information for systemd/232-25+deb9u10 into CVE list

2019-04-08 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
48795aab by Salvatore Bonaccorso at 2019-04-08T12:54:14Z
Merge information for systemd/232-25+deb9u10 into CVE list

The version for the DSA will be built upon the 232-25+deb9u10 packages,
so superseding the point release. Track the released version
correctly as the archive has seen this via stretch-proposed-updates.

- - - - -


2 changed files:

- data/CVE/list
- data/next-point-update.txt


Changes:

=
data/CVE/list
=
@@ -38671,7 +38671,7 @@ CVE-2018-15687 (A race condition in chown_one() of 
systemd allows an attacker to
 CVE-2018-15686 (A vulnerability in unit_deserialize of systemd allows an 
attacker to s ...)
{DLA-1580-1}
- systemd 239-12 (bug #912005)
-   [stretch] - systemd  (Minor issue)
+   [stretch] - systemd 232-25+deb9u10
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1687
NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1796402
NOTE: https://github.com/systemd/systemd/pull/10519
@@ -79961,7 +79961,7 @@ CVE-2018-1050 (All versions of Samba from 4.0.0 onwards 
are vulnerable to a deni
 CVE-2018-1049 (In systemd prior to 234 a race condition exists between .mount 
and .au ...)
{DLA-1580-1}
- systemd 234-1
-   [stretch] - systemd  (Minor issue, can either be included in 
future DSA or point release)
+   [stretch] - systemd 232-25+deb9u10
[wheezy] - systemd   (Minor issue, can be fixed along in 
next DLA)
NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1709649
NOTE: https://github.com/systemd/systemd/pull/5916


=
data/next-point-update.txt
=
@@ -66,10 +66,6 @@ CVE-2018-7998
[stretch] - vips 8.4.5-1+deb9u1
 CVE-2019-6976
[stretch] - vips 8.4.5-1+deb9u1
-CVE-2018-1049
-   [stretch] - systemd 232-25+deb9u10
-CVE-2018-15686
-   [stretch] - systemd 232-25+deb9u10
 CVE-2019-5736
[stretch] - runc 0.1.1+dfsg1-2+deb9u1
 CVE-2018-12181



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/48795aab8015bcec9182b69a1c34688ac8117897


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-9619/systemd

2019-04-08 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d5024644 by Salvatore Bonaccorso at 2019-04-08T12:52:20Z
Add CVE-2019-9619/systemd

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3832,8 +3832,12 @@ CVE-2019-9621
RESERVED
 CVE-2019-9620
RESERVED
-CVE-2019-9619
+CVE-2019-9619 [not enabled pam_systemd for non-interactive sessions]
RESERVED
+   - systemd 
+   [buster] - systemd  (Too intrusive change for a stable release)
+   [stretch] - systemd  (Too intrusive change for a stable 
release)
+   NOTE: https://bugs.launchpad.net/bugs/1812316
 CVE-2019-9618
RESERVED
 CVE-2019-9617 (An issue was discovered in OFCMS before 1.1.3. Remote attackers 
can ex ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/d502464403702caadf0a663f0425bd71f56074d4


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-3842/systemd

2019-04-08 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
87e72bed by Salvatore Bonaccorso at 2019-04-08T12:51:12Z
Add CVE-2019-3842/systemd

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17331,8 +17331,11 @@ CVE-2019-3844
RESERVED
 CVE-2019-3843
RESERVED
-CVE-2019-3842
+CVE-2019-3842 [unsafe environment usage in pam_systemd]
RESERVED
+   - systemd 241-3
+   NOTE: https://bugs.launchpad.net/bugs/1812316
+   NOTE: 
https://github.com/systemd/systemd/commit/83d4ab55336ff8a0643c6aa627b31e351a24040a
 CVE-2019-3841 (Kubevirt/virt-cdi-importer, versions 1.4.0 to 1.5.3 inclusive, 
were re ...)
NOT-FOR-US: KubeVirt
 CVE-2019-3840 (A NULL pointer dereference flaw was discovered in libvirt 
before versi ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/87e72bede6ec5d142d2a4708f7401e8a3be3b3e4


[Git][security-tracker-team/security-tracker][master] 2 commits: clamav: link recent lts discussion

2019-04-08 Thread Sylvain Beucler


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7bf02944 by Sylvain Beucler at 2019-04-08T12:36:37Z
clamav: link recent lts discussion

- - - - -
e14fbbea by Sylvain Beucler at 2019-04-08T12:36:37Z
dla: add evolution-ews

- - - - -


3 changed files:

- data/CVE/list
- data/dla-needed.txt
- packages/clamav


Changes:

=
data/CVE/list
=
@@ -17166,6 +17166,7 @@ CVE-2019-3890
- evolution-ews 
NOTE: https://gitlab.gnome.org/GNOME/evolution-ews/issues/36
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1678313
+   NOTE: depends on evolution-data-server patch (unrelated to 
CVE-2018-15587)
 CVE-2019-3889
RESERVED
 CVE-2019-3888


=
data/dla-needed.txt
=
@@ -23,6 +23,8 @@ evolution
 --
 evolution-data-server
 --
+evolution-ews
+--
 faad2 (Hugo Lefeuvre)
   NOTE: 20190407: CVE-2018-20362: wrote a patch, currently testing it. This 
might fix many other
   NOTE: issues at the same time. This is a complex issue which requires a lot 
of digging in


=
packages/clamav
=
@@ -5,6 +5,7 @@ signatures.
 The security team updates clamav via {old,}stable-updates.
 
 https://lists.debian.org/debian-lts/2018/03/msg00033.html
+https://lists.debian.org/debian-lts/2019/03/msg00161.html
 
 LTS updates need to wait until a respective SUA has been issued to avoid
 breaking upgrades.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/a8825ccde3dc7f576824cfb59e6216096f943630...e14fbbea96f867bde1d16a92a8be2983d4455d7d


[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2019-04-08 Thread Holger Levsen


Holger Levsen pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a8825ccd by Holger Levsen at 2019-04-08T12:24:27Z
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Holger Levsen hol...@layer-acht.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -37,7 +37,7 @@ hdf5 (Hugo Lefeuvre)
   NOTE: upstream's bug tracker requires special permissions to open issues.
   NOTE: unclear how upstream handles security backlog, contacted them.
 --
-imagemagick (Roberto C. Sánchez)
+imagemagick
   NOTE: 20181227: We should address the many open issues in imagemagick either
   NOTE: by patching them separetely as we did in Wheezy or by updating to a
   NOTE: new upstream version like the security team did with Graphicsmagick in
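Review bot: the unclaim of imagemagick drops the name from the header line but leaves no dated NOTE recording that the entry was unclaimed for inactivity; following the existing `NOTE: 20181227:` convention, add a `NOTE: 20190408: unclaimed after 2 weeks of inactivity` line so the next claimant knows the open issues listed below were not being worked on. The `separetely` typo in the context line is pre-existing and out of scope for this change.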
@@ -84,14 +84,14 @@ proftpd-dfsg (Markus Koschany)
 putty (Thorsten Alteholz)
   NOTE: 20190407: stick to Stretch patches
 --
-python-urllib3 (Roberto C. Sánchez)
+python-urllib3
   NOTE: 20190321: Waiting on upstream action for CVE-2019-9740 (roberto)
 --
-python2.7 (Roberto C. Sánchez)
+python2.7
   NOTE: 20190321: Patches integrated for CVE-2018-14647, CVE-2019-5010, and 
CVE-2019-9636
   NOTE: 20190321: Waiting on upstream action for CVE-2019-9740 (roberto)
 --
-python3.4 (Roberto C. Sánchez)
+python3.4
   NOTE: 20190321: Patches integrated for CVE-2018-14647 and CVE-2019-9636
   NOTE: 20190321: Waiting on upstream action for CVE-2019-9740 (roberto)
 --
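Review bot: the python-urllib3, python2.7 and python3.4 entries are unclaimed, but their NOTE lines still read as roberto's in-progress status (patches integrated for CVE-2018-14647, CVE-2019-5010 and CVE-2019-9636; waiting on upstream for CVE-2019-9740). Add a dated NOTE stating that the integrated patches are available to whoever claims next and where they can be found; otherwise the finished work is invisible from this file and risks being redone.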



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a8825ccde3dc7f576824cfb59e6216096f943630


[Git][security-tracker-team/security-tracker][master] CVE-2018-10244: mark jessie not-affected

2019-04-08 Thread Hugo Lefeuvre


Hugo Lefeuvre pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a10d0567 by Hugo Lefeuvre at 2019-04-08T11:52:16Z
CVE-2018-10244: mark jessie not-affected

EtherNet/IP and CIP support introduced in 3.2beta1, see
https://github.com/OISF/suricata/blob/master/ChangeLog

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -53230,6 +53230,7 @@ CVE-2018-10245 (A Full Path Disclosure vulnerability in 
AWStats through 7.6 allo
NOTE: Path disclosure for awstats negligible within Debian
 CVE-2018-10244 (Suricata version 4.0.4 incorrectly handles the parsing of an 
EtherNet/ ...)
- suricata 1:4.0.5-1
+   [jessie] - suricata  (EtherNet/IP and CIP support 
introduced in 3.2beta1)
NOTE: https://redmine.openinfosecfoundation.org/issues/2545
NOTE: https://redmine.openinfosecfoundation.org/issues/2543
NOTE: 
https://github.com/OISF/suricata/commit/f68bf3301ad4d25f0a5ecb13405f4e26316cdf8d
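Review bot: the jessie not-affected reason in the new line cites 3.2beta1, but the justification (the upstream ChangeLog URL) lives only in the commit message; add it as a NOTE line and state the jessie suricata version alongside it, so the reasoning is checkable from data/CVE/list alone rather than from git history.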



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a10d0567365c8445bec7d85f4453d29d251a81b5


[Git][security-tracker-team/security-tracker][master] dla: add samba

2019-04-08 Thread Sylvain Beucler


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3c2cf3d1 by Sylvain Beucler at 2019-04-08T11:18:19Z
dla: add samba

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -98,6 +98,9 @@ python3.4 (Roberto C. Sánchez)
 qemu (Emilio)
   NOTE: CVE-2018-19665: wait for final patch
 --
+samba
+  NOTE: https://lists.debian.org/debian-lts/2019/04/msg00063.html
+--
 sox
   NOTE: 20190305: CVE-2019-835{4,5,6,7} no upstream patch yet, might take some 
time.
   NOTE: Check again later. - hle
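Review bot: the new samba entry points only at a list thread; other entries in this file name the CVE ids they cover, so add them to the NOTE (this thread records CVE-2019-3870 and CVE-2019-3880 for samba, with jessie marked not affected for CVE-2019-3870 in commit 54de2672), so the claimant knows the scope without following the link.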



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/3c2cf3d17d7f788d0800c4e17d3c198d3c8ff543


[Git][security-tracker-team/security-tracker][master] Add jessie version for CVE-2018-0496/freedink-dfarc

2019-04-08 Thread Sylvain Beucler


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
82dbc2ca by Sylvain Beucler at 2019-04-08T11:05:55Z
Add jessie version for CVE-2018-0496/freedink-dfarc

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -81984,6 +81984,7 @@ CVE-2018-0496 (Directory traversal issues in the D-Mod 
extractor in DFArc and DF
{DLA-1686-1}
- freedink-dfarc 3.14-1
[stretch] - freedink-dfarc 3.12-1+deb9u1
+   [jessie] - freedink-dfarc 3.12-1+deb8u1
NOTE: https://savannah.gnu.org/forum/forum.php?forum_id=9169
NOTE: 
https://git.savannah.gnu.org/cgit/freedink/dfarc.git/commit/?id=40cc957f52e772f45125126439ba9333cf2d2998
 CVE-2018-0495 (Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a 
memory-cache s ...)
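Review bot: the new `[jessie] - freedink-dfarc 3.12-1+deb8u1` line sits under `{DLA-1686-1}`, so the version must agree with what data/DLA/list records for DLA-1686-1; worth double-checking, since the jessie and stretch fixed versions share the 3.12-1 base and differ only in the +deb8u1 / +deb9u1 suffix, which is easy to transpose.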



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/82dbc2ca53e89967ead1ee8d6b5fbdee3a7256c8


[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-3886 as not affecting (old)stable

2019-04-08 Thread Guido Günther


Guido Günther pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c96b4bd0 by Guido Günther at 2019-04-08T09:35:25Z
Mark CVE-2019-3886 as not affecting (old)stable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17177,10 +17177,12 @@ CVE-2019-3887 [KVM: x86: nVMX: close leak of L0's 
x2APIC MSR]
NOTE: Fixed by: 
https://git.kernel.org/linus/c73f4c998e1fd4249b9edfa39e23f4fda2b9b041
 CVE-2019-3886 (An incorrect permissions check was discovered in libvirt 4.8.0 
and abo ...)
- libvirt 5.0.0-2 (low; bug #926418)
-   [stretch] - libvirt  (Minor issue)
+   [stretch] - libvirt  (Vulnerable code not present)
+   [jessie] - libvirt  (Vulnerable code not present)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1694880
NOTE: 
https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html
NOTE: https://bugzilla.novell.com/show_bug.cgi?id=1131595#c3
+   NOTE: Introduced in 
https://libvirt.org/git/?p=libvirt.git;a=commit;h=25736a4c7ed50c101b4f87935f350f1a39a89f6e
 CVE-2019-3885
RESERVED
 CVE-2019-3884
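Review bot: replacing the stretch `(Minor issue)` marker with `(Vulnerable code not present)` and adding jessie is justified by the new `Introduced in` NOTE, but the reason text should name the upstream release that first contains commit 25736a4c (the description says 4.8.0 and above) so the not-affected status can be verified against the stretch and jessie package versions without checking out the libvirt tree. The dla-needed.txt libvirt entry (`NOTE: check CVE-2019-3886, might deserve a dla`, claimed by Brian May in commit 1375e199) is superseded by this change and should be closed out in the same push.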



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/c96b4bd0082181c9a844fcb66d7c4bcdcd655503


[Git][security-tracker-team/security-tracker][master] 3 commits: Mark jessie as not affected by CVE-2019-3870 (samba)

2019-04-08 Thread Sebastien Delafond


Sebastien Delafond pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
54de2672 by Sébastien Delafond at 2019-04-08T09:08:22Z
Mark jessie as not affected by CVE-2019-3870 (samba)

- - - - -
cd4c5e23 by Sébastien Delafond at 2019-04-08T09:09:21Z
Mark CVE-2019-3824 (samba) as fixed by 2:4.9.5+dfsg-1

- - - - -
6bb0dd85 by Sébastien Delafond at 2019-04-08T09:12:22Z
Mark CVE-2019-3870 and CVE-2019-3880 (samba) as fixed by 2:4.9.5+dfsg-3

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17199,7 +17199,7 @@ CVE-2019-3881
RESERVED
 CVE-2019-3880 [Save registry file outside share as unprivileged user]
{DSA-4427-1}
-   - samba 
+   - samba 2:4.9.5+dfsg-3
NOTE: https://www.samba.org/samba/security/CVE-2019-3880.html
 CVE-2019-3879 (It was discovered that in the ovirt's REST API before version 
4.3.2.1, ...)
NOT-FOR-US: ovirt-engine
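Review bot: CVE-2019-3880 now records 2:4.9.5+dfsg-3 as the unstable fix, and the DSA-4427-1 entry added in commit 3803387f covers stretch, but there is still no jessie line; either mark jessie with its status here or state that the samba dla-needed entry is expected to resolve it, so the entry does not read as if jessie were simply overlooked.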
@@ -17233,8 +17233,9 @@ CVE-2019-3871 (A vulnerability was found in PowerDNS 
Authoritative Server before
NOTE: 
https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html
NOTE: Patches: https://downloads.powerdns.com/patches/2019-03/
 CVE-2019-3870 [During the provision of a new Active Directory DC, some files 
in the ...]
-   - samba 
+   - samba 2:4.9.5+dfsg-3
[stretch] - samba  (Vulnerable code not present)
+   [jessie] - samba  (Vulnerable code not present)
NOTE: https://www.samba.org/samba/security/CVE-2019-3870.html
 CVE-2019-3869 (When running Tower before 3.4.3 on OpenShift or Kubernetes, 
applicatio ...)
NOT-FOR-US: Ansible Tower
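Review bot: the new `[jessie] - samba (Vulnerable code not present)` line for CVE-2019-3870 gives no NOTE explaining why the AD DC provisioning code is absent in jessie's samba; add a NOTE with the upstream commit or version that introduced the affected path, as was done with the `Introduced in` NOTE for CVE-2019-3886 (libvirt) elsewhere in this thread, so the not-affected claim is auditable for both stretch and jessie.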
@@ -17417,7 +17418,7 @@ CVE-2019-3825 (A vulnerability was discovered in gdm 
before 3.31.4. When timed l
 CVE-2019-3824 (A flaw was found in the way an LDAP search expression could 
crash the  ...)
{DSA-4397-1 DLA-1699-1}
- ldb 2:1.5.1+really1.4.3-2
-   - samba  (unimportant)
+   - samba 2:4.9.5+dfsg-1 (unimportant)
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=13773
NOTE: Samba uses the System ldb library
 CVE-2019-3823 (libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to 
a heap ...)
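Review bot: CVE-2019-3824 now carries a samba fixed version 2:4.9.5+dfsg-1 while keeping `(unimportant)`; since the NOTE below says Samba uses the system ldb library and the real fix is in ldb 2:1.5.1+really1.4.3-2, extend that NOTE with what changed in 2:4.9.5+dfsg-1 for this CVE, so readers do not assume samba needs its own DSA/DLA.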



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/11c067424206aaed50d61af7c3d652cfdba33fed...6bb0dd8535efbdc7911de6c80e8a29bf31d5d0fb


[Git][security-tracker-team/security-tracker][master] 2 commits: Put temporary description in [] brackets

2019-04-08 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2c5b5911 by Salvatore Bonaccorso at 2019-04-08T08:40:08Z
Put temporary description in [] brackets

- - - - -
11c06742 by Salvatore Bonaccorso at 2019-04-08T08:40:27Z
Remove trailing whitespaces

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -101,7 +101,7 @@ CVE-2019-10876 (An issue was discovered in OpenStack 
Neutron 11.x before 11.0.7,
[stretch] - neutron  (Vulnerable code introduced later; 
Around Pike Openstack release)
[jessie] - neutron  (Vulnerable code introduced later; 
Around Pike Openstack release)
NOTE: https://bugs.launchpad.net/ossa/+bug/1813007
-   NOTE: https://review.openstack.org/#/q/topic:bug/1813007 
+   NOTE: https://review.openstack.org/#/q/topic:bug/1813007
 CVE-2019-10875 (A URL spoofing vulnerability was found in all international 
versions o ...)
TODO: check
 CVE-2019-10874 (Cross Site Request Forgery (CSRF) in the bolt/upload File 
Upload featu ...)
@@ -17197,10 +17197,10 @@ CVE-2019-3882 [DoS through vfio/type1 DMA mappings]
NOTE: Fixed by: 
https://git.kernel.org/linus/492855939bdb59c6f947b0b5b44af9ad82b7e38c
 CVE-2019-3881
RESERVED
-CVE-2019-3880 (Save registry file outside share as unprivileged user)
+CVE-2019-3880 [Save registry file outside share as unprivileged user]
{DSA-4427-1}
-- samba 
-NOTE: https://www.samba.org/samba/security/CVE-2019-3880.html
+   - samba 
+   NOTE: https://www.samba.org/samba/security/CVE-2019-3880.html
 CVE-2019-3879 (It was discovered that in the ovirt's REST API before version 
4.3.2.1, ...)
NOT-FOR-US: ovirt-engine
 CVE-2019-3878 (A vulnerability was found in mod_auth_mellon before v0.14.2. If 
Apache ...)
@@ -17232,10 +17232,10 @@ CVE-2019-3871 (A vulnerability was found in PowerDNS 
Authoritative Server before
NOTE: https://github.com/PowerDNS/pdns/issues/7573
NOTE: 
https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html
NOTE: Patches: https://downloads.powerdns.com/patches/2019-03/
-CVE-2019-3870 (During the provision of a new Active Directory DC, some files 
in the ...)
+CVE-2019-3870 [During the provision of a new Active Directory DC, some files 
in the ...]
- samba 
[stretch] - samba  (Vulnerable code not present)
-NOTE: https://www.samba.org/samba/security/CVE-2019-3870.html
+   NOTE: https://www.samba.org/samba/security/CVE-2019-3870.html
 CVE-2019-3869 (When running Tower before 3.4.3 on OpenShift or Kubernetes, 
applicatio ...)
NOT-FOR-US: Ansible Tower
 CVE-2019-3868



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/52c62481cdec2b24711122ab32f97940b1ef1822...11c067424206aaed50d61af7c3d652cfdba33fed


[Git][security-tracker-team/security-tracker][master] 2 commits: Reserve DSA-4427-1 for samba (CVE-2019-3880)

2019-04-08 Thread Sebastien Delafond


Sebastien Delafond pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3803387f by Sébastien Delafond at 2019-04-08T08:24:40Z
Reserve DSA-4427-1 for samba (CVE-2019-3880)

- - - - -
52c62481 by Sébastien Delafond at 2019-04-08T08:24:41Z
Add recent samba issues (CVE-2019-3870, CVE-2019-3880)

- - - - -


2 changed files:

- data/CVE/list
- data/DSA/list


Changes:

=
data/CVE/list
=
@@ -17197,8 +17197,10 @@ CVE-2019-3882 [DoS through vfio/type1 DMA mappings]
NOTE: Fixed by: 
https://git.kernel.org/linus/492855939bdb59c6f947b0b5b44af9ad82b7e38c
 CVE-2019-3881
RESERVED
-CVE-2019-3880
-   RESERVED
+CVE-2019-3880 (Save registry file outside share as unprivileged user)
+   {DSA-4427-1}
+- samba 
+NOTE: https://www.samba.org/samba/security/CVE-2019-3880.html
 CVE-2019-3879 (It was discovered that in the ovirt's REST API before version 
4.3.2.1, ...)
NOT-FOR-US: ovirt-engine
 CVE-2019-3878 (A vulnerability was found in mod_auth_mellon before v0.14.2. If 
Apache ...)
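Review bot: the added `- samba` and `NOTE:` lines are not indented like the neighbouring entries (compare `NOT-FOR-US: ovirt-engine` under CVE-2019-3879), and the description is in `( )` although it is a temporary placeholder rather than the CVE text, which this file marks with `[ ]`; both are corrected in the follow-up commits 2c5b5911 and 11c06742 later in this thread, so folding that fix into this commit would have kept the history clean.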
@@ -17230,8 +17232,10 @@ CVE-2019-3871 (A vulnerability was found in PowerDNS 
Authoritative Server before
NOTE: https://github.com/PowerDNS/pdns/issues/7573
NOTE: 
https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html
NOTE: Patches: https://downloads.powerdns.com/patches/2019-03/
-CVE-2019-3870
-   RESERVED
+CVE-2019-3870 (During the provision of a new Active Directory DC, some files 
in the ...)
+   - samba 
+   [stretch] - samba  (Vulnerable code not present)
+NOTE: https://www.samba.org/samba/security/CVE-2019-3870.html
 CVE-2019-3869 (When running Tower before 3.4.3 on OpenShift or Kubernetes, 
applicatio ...)
NOT-FOR-US: Ansible Tower
 CVE-2019-3868
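Review bot: same two points as for the CVE-2019-3880 hunk above: the temporary description should be in `[ ]`, and the `NOTE:` line needs the entry indentation. In addition, the stretch line is marked not affected but there is no jessie line; the jessie status was only added later in commit 54de2672, so adding it here, or a TODO, would keep the entry complete at reservation time.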


=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[08 Apr 2019] DSA-4427-1 samba - security update
+   {CVE-2019-3880}
+   [stretch] - samba 2:4.5.16+dfsg-1+deb9u1
 [07 Apr 2019] DSA-4426-1 tryton-server - security update
{CVE-2019-10868}
[stretch] - tryton-server 4.2.1-2+deb9u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/2fbda38d41060ffa23305d54346659eb64ff197e...52c62481cdec2b24711122ab32f97940b1ef1822


[Git][security-tracker-team/security-tracker][master] CVE-2019-10906: add links to str.format fixes

2019-04-08 Thread Hugo Lefeuvre


Hugo Lefeuvre pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2fbda38d by Hugo Lefeuvre at 2019-04-08T08:19:41Z
CVE-2019-10906: add links to str.format fixes

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17,6 +17,10 @@ CVE-2019-10906 (In Pallets Jinja before 2.10.1, 
str.format_map allows a sandbox
NOTE: https://palletsprojects.com/blog/jinja-2-10-1-released/
NOTE: same issue as str.format vulnerability (did not receive CVE 
number, still affecting
NOTE: jessie and stretch, fixed in 2.8.1). Both issues should be fixed 
together.
+   NOTE: str.format fix:
+   NOTE: 
https://github.com/pallets/jinja/commit/9b53045c34e61013dc8f09b7e52a555fa16bed16
+   NOTE: 
https://github.com/pallets/jinja/commit/74bd64e56387f5b2931040dc7235a3509cde1611
+   NOTE: str.format_map fix:
NOTE: 
https://github.com/pallets/jinja/commit/a2a6c930bcca591a25d2b316fcfd2d6793897b26
 CVE-2019-10905 (Parsedown before 1.7.2, when safe mode is used and HTML markup 
is disa ...)
NOT-FOR-US: Parsedown
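Review bot: the four new NOTE lines give the str.format and str.format_map fix commits, but the preceding NOTE says str.format was fixed in 2.8.1 while jessie and stretch are still affected; record the jinja2 versions shipped in jessie and stretch beside those links, so the backport scope (both commit pairs for both suites, or only one) is explicit for whoever prepares the DLA.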



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2fbda38d41060ffa23305d54346659eb64ff197e


[Git][security-tracker-team/security-tracker][master] add notes to CVE-2019-10906/jinja2 entry

2019-04-08 Thread Hugo Lefeuvre


Hugo Lefeuvre pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bac3735a by Hugo Lefeuvre at 2019-04-08T07:54:13Z
add notes to CVE-2019-10906/jinja2 entry

This issue is the exact same issue as the one addressed in jinja 2.8.1,
except it is affecting str.format_map instead of str.format. The previous
issue did not receive a CVE number which explains why it is still affecting
jessie and stretch.

Both issues should be addressed together or not at all.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -15,6 +15,8 @@ CVE-2019-10907 (Airsonic 10.2.1 uses Spring's default 
remember-me mechanism base
 CVE-2019-10906 (In Pallets Jinja before 2.10.1, str.format_map allows a 
sandbox escape ...)
- jinja2  (bug #926602)
NOTE: https://palletsprojects.com/blog/jinja-2-10-1-released/
+   NOTE: same issue as str.format vulnerability (did not receive CVE 
number, still affecting
+   NOTE: jessie and stretch, fixed in 2.8.1). Both issues should be fixed 
together.
NOTE: 
https://github.com/pallets/jinja/commit/a2a6c930bcca591a25d2b316fcfd2d6793897b26
 CVE-2019-10905 (Parsedown before 1.7.2, when safe mode is used and HTML markup 
is disa ...)
NOT-FOR-US: Parsedown



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/bac3735ad213936b84b0bcc0380d260a1731fb2e


[Git][security-tracker-team/security-tracker][master] Reference Debian bug for CVE-2018-3750/node-deep-extend

2019-04-08 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
01cd16ed by Salvatore Bonaccorso at 2019-04-08T07:34:44Z
Reference Debian bug for CVE-2018-3750/node-deep-extend

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -71637,7 +71637,7 @@ CVE-2018-3752 (The utilities function in all versions 
= 1.0.0 of the merge-o
 CVE-2018-3751 (The utilities function in all versions = 0.3.0 of the 
merge-recurs ...)
NOT-FOR-US: merge-recursive
 CVE-2018-3750 (The utilities function in all versions = 0.5.0 of the 
deep-extend  ...)
-   - node-deep-extend  (unimportant)
+   - node-deep-extend  (unimportant; bug #926616)
NOTE: https://nodesecurity.io/advisories/612
NOTE: nodejs not covered by security support
 CVE-2018-3749 (The utilities function in all versions  1.0.1 of the deap 
node mod ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/01cd16ed2c0d60083503b6dec71e7952399f8409


[Git][security-tracker-team/security-tracker][master] Claim libvirt

2019-04-08 Thread Brian May


Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1375e199 by Brian May at 2019-04-08T07:32:52Z
Claim libvirt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -63,7 +63,7 @@ libmatio (Adrian Bunk)
   NOTE: triage work needed, help security team for fixes if needed.
   NOTE: 20190331: work ongoing
 --
-libvirt
+libvirt (Brian May)
   NOTE: check CVE-2019-3886, might deserve a dla
 --
 linux (Ben Hutchings)
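Review bot: the NOTE `check CVE-2019-3886, might deserve a dla` is answered by commit c96b4bd0 in this thread, which marks jessie as `Vulnerable code not present` for that CVE; if nothing else is open for libvirt in jessie, this dla-needed entry should be removed rather than claimed, or its NOTE updated to say what remains to be checked.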



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/1375e199eef0372351574ae2ac8d1ecf50b2f891


[Git][security-tracker-team/security-tracker][master] dla-needed: add jinja entry and claim it

2019-04-08 Thread Hugo Lefeuvre


Hugo Lefeuvre pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7b9ddf7f by Hugo Lefeuvre at 2019-04-08T06:56:06Z
dla-needed: add jinja entry and claim it

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -44,6 +44,9 @@ imagemagick (Roberto C. Sánchez)
   NOTE: Stretch. (apo)
   NOTE: 20190321: Still waiting on security team response to inquiries from 
(apo) and (roberto)
 --
+jinja (Hugo Lefeuvre)
+  NOTE: patch available for CVE-2019-10906.
+--
 jruby (Abhijith PA)
 --
 libav
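Review bot: the new entry is named `jinja`, but the source package tracked in data/CVE/list for CVE-2019-10906 is `jinja2` (`- jinja2 (bug #926602)` in commit bac3735a); dla-needed.txt is keyed by source package name, so rename the entry to `jinja2`. The NOTE should also mention that the uncatalogued str.format issue (fixed upstream in 2.8.1) is to be addressed in the same update, as the CVE entry's notes require.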



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/7b9ddf7f70f676955f2f9c745ebfa66a490eb04c
