[Git][security-tracker-team/security-tracker][master] reclaim packages
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 21ae6d51 by Thorsten Alteholz at 2019-11-11T07:31:57Z reclaim packages - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -80,8 +80,8 @@ linux-4.9 (Ben Hutchings) -- mesa (Sylvain Beucler) -- -opendmarc - NOTE: 20191027: still testing package +opendmarc (Thorsten Alteholz) + NOTE: 2019: still testing package -- openjdk-7 (Markus Koschany) NOTE: 20191103: According to upstream there is ongoing work on a new IcedTea release. @@ -123,7 +123,7 @@ slurm-llnl thunderbird (Emilio) NOTE: 20191105: toolchain almost ready (waiting for NEW) -- -tiff +tiff (Thorsten Alteholz) NOTE: 20191020: Time to fix the postponed CVE as well? (apo) -- tightvnc (Mike Gabriel) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/21ae6d51736262525256a9ccb5a84f0284a2a56a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/21ae6d51736262525256a9ccb5a84f0284a2a56a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Unclaim ansible
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 906b03ba by Brian May at 2019-11-11T06:36:02Z Unclaim ansible CVE-2019-14846: Easy to fix CVE-2019-14858: Cant find required code to patch CVE-2019-14864: Cant find required code to patch Leaving for hopefully somebody who has a better idea how ansible internals work. - - - - - 12de6011 by Brian May at 2019-11-11T06:36:43Z Claiming angular.js - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -18,9 +18,9 @@ ampache (Roberto C. Sánchez) NOTE: 20191103: Upstream has provided a patch which does not apply to the version in jessie. NOTE: 20191109: Adapted upstream-provided patch to apply to Debian version. Waiting on feedback from upstream. (roberto) -- -angular.js +angular.js (Brian May) -- -ansible (Brian May) +ansible NOTE: 20191011: Code appears to be in lib/ansible/callbacks.py in jessie's version. (lamby) NOTE: CVE-2019-14846 should be an easy fix. NOTE: CVE-2019-14858's upstream patch is too big; fails to work properly. (utkarsh2102) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/d1d837e9eb5e56cf8ab6ec403910ed262ac85f0d...12de60117c2672412210e33c2c386a20eadcc91c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/d1d837e9eb5e56cf8ab6ec403910ed262ac85f0d...12de60117c2672412210e33c2c386a20eadcc91c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Holger Levsen pushed to branch master at Debian Security Tracker / security-tracker Commits: d1d837e9 by Holger Levsen at 2019-11-11T02:36:31Z semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Holger Levsen hol...@layer-acht.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -18,7 +18,7 @@ ampache (Roberto C. Sánchez) NOTE: 20191103: Upstream has provided a patch which does not apply to the version in jessie. NOTE: 20191109: Adapted upstream-provided patch to apply to Debian version. Waiting on feedback from upstream. (roberto) -- -angular.js (Thorsten Alteholz) +angular.js -- ansible (Brian May) NOTE: 20191011: Code appears to be in lib/ansible/callbacks.py in jessie's version. (lamby) @@ -80,7 +80,7 @@ linux-4.9 (Ben Hutchings) -- mesa (Sylvain Beucler) -- -opendmarc (Thorsten Alteholz) +opendmarc NOTE: 20191027: still testing package -- openjdk-7 (Markus Koschany) @@ -123,7 +123,7 @@ slurm-llnl thunderbird (Emilio) NOTE: 20191105: toolchain almost ready (waiting for NEW) -- -tiff (Thorsten Alteholz) +tiff NOTE: 20191020: Time to fix the postponed CVE as well? (apo) -- tightvnc (Mike Gabriel) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d1d837e9eb5e56cf8ab6ec403910ed262ac85f0d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d1d837e9eb5e56cf8ab6ec403910ed262ac85f0d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla-needed: This is still ongoing
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: c26804d0 by Adrian Bunk at 2019-11-10T22:00:46Z dla-needed: This is still ongoing - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -63,7 +63,7 @@ libmatio (Adrian Bunk) NOTE: 20190428: is likely vulnerable NOTE: 20190428: some CVE testcases still fail after applying the fix, NOTE: 20190428: older changes seem to also be required for them - NOTE: 20191027: work is ongoing + NOTE: 2019: work is ongoing -- libqb (Roberto C. Sánchez) NOTE: 20190616: Upstream patch does not apply at all, but it appears that View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c26804d04320b39f2cd1ed8b9cfbff9846e5cb5f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c26804d04320b39f2cd1ed8b9cfbff9846e5cb5f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] squid fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c161a8de by Moritz Muehlenhoff at 2019-11-10T21:29:25Z squid fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2536,26 +2536,26 @@ CVE-2019-18680 (An issue was discovered in the Linux kernel 4.4.x before 4.4.195 NOTE: https://lkml.org/lkml/2019/9/18/337 CVE-2019-18679 [Information Disclosure issue in HTTP Digest Authentication] RESERVED - - squid + - squid 4.9-1 - squid3 NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch NOTE: http://www.squid-cache.org/Advisories/SQUID-2019_11.txt CVE-2019-18678 [HTTP Request Splitting issue in HTTP message processing] RESERVED - - squid + - squid 4.9-1 - squid3 NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch NOTE: http://www.squid-cache.org/Advisories/SQUID-2019_10.txt CVE-2019-18677 [Cross-Site Request Forgery issue in HTTP Request processing] RESERVED - - squid + - squid 4.9-1 - squid3 NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-36492033ea4097821a4f7ff3ddcb971fbd1e8ba0.patch NOTE: Squid 3.5: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-e5f1813a674848dde570f7920873e1071f96e0b4.patch NOTE: http://www.squid-cache.org/Advisories/SQUID-2019_9.txt CVE-2019-18676 [Multiple issues in URI processing] RESERVED - - squid + - squid 4.9-1 - squid3 NOTE: http://www.squid-cache.org/Advisories/SQUID-2019_8.txt NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-fbbdf75efd7a5cc244b4886a9d42ea458c5a3a73.patch @@ -21740,7 +21740,7 @@ CVE-2019-12527 (An issue was discovered in Squid 4.0.23 through 4.7. When checki NOTE: without regard for the size of the target buffer. CVE-2019-12526 [Heap Overflow issue in URN processing] RESERVED - - squid + - squid 4.9-1 - squid3 NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-7aa0184a720fd216191474e079f4fe87de7c4f5a.patch NOTE: http://www.squid-cache.org/Advisories/SQUID-2019_7.txt @@ -21755,7 +21755,7 @@ CVE-2019-12524 RESERVED CVE-2019-12523 [Multiple issues in URI processing] RESERVED - - squid + - squid 4.9-1 - squid3 NOTE: http://www.squid-cache.org/Advisories/SQUID-2019_8.txt NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-fbbdf75efd7a5cc244b4886a9d42ea458c5a3a73.patch View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c161a8de1303a3dbdf606dfc90beda60d51c6cac -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c161a8de1303a3dbdf606dfc90beda60d51c6cac You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
c7f5c226 by security tracker role at 2019-11-10T20:10:28Z
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=
data/CVE/list
=
@@ -10665,7 +10665,7 @@ CVE-2019-15905
CVE-2019-15904
RESERVED
CVE-2019-15903 (In libexpat before 2.2.8, crafted XML input could fool the
parser into ...)
- {DSA-4549-1 DSA-4530-1 DLA-1912-1}
+ {DSA-4549-1 DSA-4530-1 DLA-1987-1 DLA-1912-1}
- expat 2.2.7-2 (bug #939394)
- firefox 70.0-1
- firefox-esr 68.2.0esr-1
@@ -23736,7 +23736,7 @@ CVE-2019-11765
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-34/#CVE-2019-11765
CVE-2019-11764
RESERVED
- {DSA-4549-1}
+ {DSA-4549-1 DLA-1987-1}
- firefox 70.0-1
- firefox-esr 68.2.0esr-1
- thunderbird 1:68.2.1-1
@@ -23745,7 +23745,7 @@ CVE-2019-11764
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-35/#CVE-2019-11764
CVE-2019-11763
RESERVED
- {DSA-4549-1}
+ {DSA-4549-1 DLA-1987-1}
- firefox 70.0-1
- firefox-esr 68.2.0esr-1
- thunderbird 1:68.2.1-1
@@ -23754,7 +23754,7 @@ CVE-2019-11763
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-35/#CVE-2019-11763
CVE-2019-11762
RESERVED
- {DSA-4549-1}
+ {DSA-4549-1 DLA-1987-1}
- firefox 70.0-1
- firefox-esr 68.2.0esr-1
- thunderbird 1:68.2.1-1
@@ -23763,7 +23763,7 @@ CVE-2019-11762
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-35/#CVE-2019-11762
CVE-2019-11761
RESERVED
- {DSA-4549-1}
+ {DSA-4549-1 DLA-1987-1}
- firefox 70.0-1
- firefox-esr 68.2.0esr-1
- thunderbird 1:68.2.1-1
@@ -23772,7 +23772,7 @@ CVE-2019-11761
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-35/#CVE-2019-11761
CVE-2019-11760
RESERVED
- {DSA-4549-1}
+ {DSA-4549-1 DLA-1987-1}
- firefox 70.0-1
- firefox-esr 68.2.0esr-1
- thunderbird 1:68.2.1-1
@@ -23781,7 +23781,7 @@ CVE-2019-11760
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-35/#CVE-2019-11760
CVE-2019-11759
RESERVED
- {DSA-4549-1}
+ {DSA-4549-1 DLA-1987-1}
- firefox 70.0-1
- firefox-esr 68.2.0esr-1
- thunderbird 1:68.2.1-1
@@ -23796,7 +23796,7 @@ CVE-2019-11758
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-35/#CVE-2019-11758
CVE-2019-11757
RESERVED
- {DSA-4549-1}
+ {DSA-4549-1 DLA-1987-1}
- firefox 70.0-1
- firefox-esr 68.2.0esr-1
- thunderbird 1:68.2.1-1
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/c7f5c226c1bc7b482ca9e56e99284dd23ad88a7d
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/c7f5c226c1bc7b482ca9e56e99284dd23ad88a7d
You're receiving this email because of your account on salsa.debian.org.
___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2019-12922/phpmyadmin
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 54ace7d6 by Salvatore Bonaccorso at 2019-11-10T19:48:52Z Track fixed version for CVE-2019-12922/phpmyadmin - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20765,7 +20765,7 @@ CVE-2019-12924 (MailEnable Enterprise Premium 10.23 was vulnerable to XML Extern CVE-2019-12923 (In MailEnable Enterprise Premium 10.23, the potential cross-site reque ...) NOT-FOR-US: MailEnable Enterprise Premium CVE-2019-12922 (A CSRF issue in phpMyAdmin 4.9.0.1 allows deletion of any server in th ...) - - phpmyadmin + - phpmyadmin 4:4.9.1+dfsg1-2 [jessie] - phpmyadmin (Minor issue, target only accessible is setup is enabled and htpasswd.setup populated) NOTE: https://seclists.org/fulldisclosure/2019/Sep/23 NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/427fbed55d3154d96ecfc1c7784d49eaa3c04161 (4.9.1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/54ace7d65dfdab9158b86cc557576aad0861bc7f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/54ace7d65dfdab9158b86cc557576aad0861bc7f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2019-18840/wolfssl fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d7910e2f by Salvatore Bonaccorso at 2019-11-10T19:43:31Z CVE-2019-18840/wolfssl fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9,7 +9,7 @@ CVE-2019-18842 CVE-2019-18841 RESERVED CVE-2019-18840 (In wolfSSL 4.1.0 through 4.2.0c, there are missing sanity checks of me ...) - - wolfssl + - wolfssl 4.2.0+dfsg-3 NOTE: https://github.com/wolfSSL/wolfssl/issues/2555 NOTE: https://github.com/wolfSSL/wolfssl/commit/52f28bd5149360f8e3bf8ca13d3fb9a77283df7c CVE-2019-18839 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d7910e2f798a2a4dd54c700e619276d1d054df46 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d7910e2f798a2a4dd54c700e619276d1d054df46 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed versions for phpmyadmin via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
853565d1 by Salvatore Bonaccorso at 2019-11-10T19:36:01Z
Track fixed versions for phpmyadmin via unstable
- - - - -
1 changed file:
- data/CVE/list
Changes:
=
data/CVE/list
=
@@ -21536,7 +21536,7 @@ CVE-2019-12617 (In SilverStripe through 4.3.3, there is
access escalation for CM
NOT-FOR-US: SilverStripe
CVE-2019-12616 (An issue was discovered in phpMyAdmin before 4.9.0. A
vulnerability wa ...)
{DLA-1821-1}
- - phpmyadmin (bug #930017)
+ - phpmyadmin 4:4.9.1+dfsg1-2 (bug #930017)
[stretch] - phpmyadmin (Minor issue; can be fixed via point
release)
NOTE: https://www.phpmyadmin.net/security/PMASA-2019-4/
NOTE:
https://github.com/phpmyadmin/phpmyadmin/commit/015c404038c44279d95b6430ee5a0dddc97691ec
@@ -23714,7 +23714,7 @@ CVE-2019-11770 (In Eclipse Buildship versions prior to
3.1.1, the build files in
CVE-2019-11769 (An issue was discovered in TeamViewer 14.2.2558. Updating the
product ...)
NOT-FOR-US: TeamViewer
CVE-2019-11768 (An issue was discovered in phpMyAdmin before 4.9.0.1. A
vulnerability ...)
- - phpmyadmin (bug #930048)
+ - phpmyadmin 4:4.9.1+dfsg1-2 (bug #930048)
[stretch] - phpmyadmin (Minor issue; can be fixed via point
release)
[jessie] - phpmyadmin (vulnerable code is not present)
NOTE: https://www.phpmyadmin.net/security/PMASA-2019-3/
@@ -38181,13 +38181,13 @@ CVE-2019-6800 (In TitanHQ SpamTitan through 7.03, a
vulnerability exists in the
NOT-FOR-US: TitanHQ SpamTitan
CVE-2019-6799 (An issue was discovered in phpMyAdmin before 4.8.5. When the
AllowArbi ...)
{DLA-1692-1}
- - phpmyadmin (bug #920823)
+ - phpmyadmin 4:4.9.1+dfsg1-2 (bug #920823)
[stretch] - phpmyadmin (Minor issue; can be fixed via point
release)
NOTE: https://www.phpmyadmin.net/security/PMASA-2019-1/
NOTE:
https://github.com/phpmyadmin/phpmyadmin/commit/aeac90623e525057a7672ab3d98154b5c57c15ec
NOTE:
https://github.com/phpmyadmin/phpmyadmin/commit/c5e01f84ad48c5c626001cb92d7a95500920a900
CVE-2019-6798 (An issue was discovered in phpMyAdmin before 4.8.5. A
vulnerability wa ...)
- - phpmyadmin (bug #920822)
+ - phpmyadmin 4:4.9.1+dfsg1-2 (bug #920822)
[stretch] - phpmyadmin (Minor issue; can be fixed via point
release)
[jessie] - phpmyadmin (Vulnerable code introduced later
>= 4.5.0)
NOTE: https://www.phpmyadmin.net/security/PMASA-2019-2/
@@ -51745,19 +51745,19 @@ CVE-2018-19971 (JFrog Artifactory Pro 6.5.9 has
Incorrect Access Control. ...)
NOT-FOR-US: JFrog Artifactory Pro
CVE-2018-19970 (In phpMyAdmin before 4.8.4, an XSS vulnerability was found in
the navi ...)
{DLA-1658-1}
- - phpmyadmin
+ - phpmyadmin 4:4.9.1+dfsg1-2
[stretch] - phpmyadmin (Minor issue; can be fixed via point
release)
NOTE: https://www.phpmyadmin.net/security/PMASA-2018-8/
NOTE:
https://github.com/phpmyadmin/phpmyadmin/commit/b293ff5f234ef493336ed8638f623a12164d359e
CVE-2018-19969 (phpMyAdmin 4.7.x and 4.8.x versions prior to 4.8.4 are
affected by a s ...)
- - phpmyadmin
+ - phpmyadmin 4:4.9.1+dfsg1-2
[jessie] - phpmyadmin (invasive with 49 patches to backport,
only mitigate with _REQUEST->_POST instead of adding CSRF tokens)
NOTE: https://www.phpmyadmin.net/security/PMASA-2018-7/
NOTE: Upstream explicitly fixed only the 4.7/4.8 branch but the problem
exists in
NOTE: earlier versions as well. At least parts of the listed commits
are needed.
CVE-2018-19968 (An attacker can exploit phpMyAdmin before 4.8.4 to leak the
contents o ...)
{DLA-1658-1}
- - phpmyadmin
+ - phpmyadmin 4:4.9.1+dfsg1-2
[stretch] - phpmyadmin (Minor issue; can be fixed via point
release)
NOTE: https://www.phpmyadmin.net/security/PMASA-2018-6/
NOTE:
https://github.com/phpmyadmin/phpmyadmin/commit/6a1ba61e29002f0305a9322a8af4eaaeb11c0732
@@ -75044,7 +75044,7 @@ CVE-2018-12583 (An issue was discovered in AKCMS 6.1.
CSRF can delete an article
CVE-2018-12582 (An issue was discovered in AKCMS 6.1. CSRF can add an admin
account vi ...)
NOT-FOR-US: AKCMS
CVE-2018-12581 (An issue was discovered in js/designer/move.js in phpMyAdmin
before 4. ...)
- - phpmyadmin (low)
+ - phpmyadmin 4:4.9.1+dfsg1-2 (low)
[stretch] - phpmyadmin (Vulnerable code not present)
[jessie] - phpmyadmin (vulnerable code not present)
NOTE: https://www.phpmyadmin.net/security/PMASA-2018-3/
@@ -81934,7 +81934,7 @@ CVE-2018-10190 (A vulnerability in London Trust Media
Private Internet Access (P
CVE-2018-10189 (An issue was discovered in Mautic 1.x and 2.x before 2.13.0.
It is pos ...)
NOT-FOR-US: Mautic
[Git][security-tracker-team/security-tracker][master] 2 commits: Triage CVE for libgig. Mark as no-dsa for Jessie.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: b8a54735 by Markus Koschany at 2019-11-10T17:32:17Z Triage CVE for libgig. Mark as no-dsa for Jessie. Minor security risk. See #931309 for more information. - - - - - 8589d5e5 by Markus Koschany at 2019-11-10T17:33:40Z Remove libgig from dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -60594,21 +60594,27 @@ CVE-2018-18198 (The $opener_input_field variable in addons/mediapool/pages/index NOT-FOR-US: REDAXO CVE-2018-18197 (An issue was discovered in libgig 4.1.0. There is an operator new[] fa ...) - libgig (bug #931309) + [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README-1008.md CVE-2018-18196 (An issue was discovered in libgig 4.1.0. There is a heap-based buffer ...) - libgig (bug #931309) + [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README-1008.md CVE-2018-18195 (An issue was discovered in libgig 4.1.0. There is an FPE (divide-by-ze ...) - libgig (bug #931309) + [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README-1008.md CVE-2018-18194 (An issue was discovered in libgig 4.1.0. There is a heap-based buffer ...) - libgig (bug #931309) + [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README-1008.md CVE-2018-18193 (An issue was discovered in libgig 4.1.0. There is operator new[] failu ...) - libgig (bug #931309) + [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README-1008.md CVE-2018-18192 (An issue was discovered in libgig 4.1.0. There is a NULL pointer deref ...) - libgig (bug #931309) + [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README-1008.md CVE-2018-18191 (Cross-site request forgery (CSRF) vulnerability in /admin.php?c=member ...) NOT-FOR-US: FineCms @@ -70348,36 +70354,47 @@ CVE-2018-14460 (An issue was discovered in the HDF HDF5 1.8.20 library. There is NOTE: https://github.com/TeamSeri0us/pocs/blob/master/hdf5/README3.md CVE-2018-14459 (An issue was discovered in libgig 4.1.0. There is an out-of-bounds wri ...) - libgig (bug #931309) + [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14458 (An issue was discovered in libgig 4.1.0. There is a heap-based buffer ...) - libgig (bug #931309) + [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14457 (An issue was discovered in libgig 4.1.0. There is an out-of-bounds wri ...) - libgig (bug #931309) + [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14456 (An issue was discovered in libgig 4.1.0. There is an out-of-bounds wri ...) - libgig (bug #931309) + [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14455 (An issue was discovered in libgig 4.1.0. There is an out-of-bounds wri ...) - libgig (bug #931309) + [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14454 (An issue was discovered in libgig 4.1.0. There is an out-of-bounds rea ...) - libgig (bug #931309) + [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14453 (An issue was discovered in libgig 4.1.0. There is a heap-based buffer ...) - libgig (bug #931309) + [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14452 (An issue was discovered in libgig 4.1.0. There is an out-of-bounds rea ...) - libgig (bug #931309) + [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14451 (An issue was discovered in libgig 4.1.0. There is a heap-based buffer ...) - libgig (bug #931309) + [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14450 (An issue was discovered in libgig 4.1.0. There is an out-of-bounds rea ...) - libgig (bug #931309) + [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14449 (An issue was discovered in libgig 4.1.0.
[Git][security-tracker-team/security-tracker][master] CVE-2019-17666/linux fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 504c464f by Salvatore Bonaccorso at 2019-11-10T11:43:21Z CVE-2019-17666/linux fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5892,7 +5892,7 @@ CVE-2019-17668 (Samsung Galaxy S10 and Note10 devices allow unlock operations vi CVE-2019-17667 (Comtech H8 Heights Remote Gateway 2.5.1 devices allow XSS and HTML inj ...) NOT-FOR-US: Comtech H8 Heights Remote Gateway devices CVE-2019-17666 (rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Lin ...) - - linux + - linux 5.3.9-1 NOTE: https://lkml.org/lkml/2019/10/16/1226 CVE-2019-17665 (NSA Ghidra before 9.0.2 is vulnerable to DLL hijacking because it load ...) - ghidra (bug #923851) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/504c464f2c496292844fb4db1bcac1e7ad689c9c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/504c464f2c496292844fb4db1bcac1e7ad689c9c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2019-18397/fribidi via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
2cb18882 by Salvatore Bonaccorso at 2019-11-10T10:02:57Z
Add fixed version for CVE-2019-18397/fribidi via unstable
- - - - -
1 changed file:
- data/CVE/list
Changes:
=
data/CVE/list
=
@@ -3402,7 +3402,7 @@ CVE-2019-18398
CVE-2019-18397
RESERVED
{DSA-4561-1}
- - fribidi (bug #944327)
+ - fribidi 1.0.7-1.1 (bug #944327)
[stretch] - fribidi (Vulnerable code not present)
[jessie] - fribidi (Vulnerable code not present)
NOTE: Fixed by:
https://github.com/fribidi/fribidi/commit/034c6e9a1d296286305f4cfd1e0072b879f52568
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2cb18882cbd136d427bc1ce89ff3e8e455e9ee42
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2cb18882cbd136d427bc1ce89ff3e8e455e9ee42
You're receiving this email because of your account on salsa.debian.org.
___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1987-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
8b2ee5e9 by Emilio Pozuelo Monfort at 2019-11-10T09:47:35Z
Reserve DLA-1987-1 for firefox-esr
- - - - -
2 changed files:
- data/DLA/list
- data/dla-needed.txt
Changes:
=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[10 Nov 2019] DLA-1987-1 firefox-esr - security update
+ {CVE-2019-11757 CVE-2019-11759 CVE-2019-11760 CVE-2019-11761
CVE-2019-11762 CVE-2019-11763 CVE-2019-11764 CVE-2019-15903}
+ [jessie] - firefox-esr 68.2.0esr-1~deb8u1
[09 Nov 2019] DLA-1986-1 ruby-haml - security update
{CVE-2017-1002201}
[jessie] - ruby-haml 4.0.5-2+deb8u1
=
data/dla-needed.txt
=
@@ -25,9 +25,6 @@ ansible (Brian May)
NOTE: CVE-2019-14846 should be an easy fix.
NOTE: CVE-2019-14858's upstream patch is too big; fails to work properly.
(utkarsh2102)
--
-firefox-esr (Emilio)
- NOTE: 20191105: toolchain almost ready (waiting for NEW)
---
freeimage (Hugo Lefeuvre)
NOTE: Maintainer will take care of the update.
NOTE: https://lists.debian.org/debian-lts/2019/05/msg00079.html
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/8b2ee5e9f8d0d492678ebd043bbe35e590340d5c
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/8b2ee5e9f8d0d492678ebd043bbe35e590340d5c
You're receiving this email because of your account on salsa.debian.org.
___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-15903 as unimportant for chromium
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
2876c2c0 by Salvatore Bonaccorso at 2019-11-10T08:15:50Z
Mark CVE-2019-15903 as unimportant for chromium
- - - - -
1 changed file:
- data/CVE/list
Changes:
=
data/CVE/list
=
@@ -10669,7 +10669,7 @@ CVE-2019-15903 (In libexpat before 2.2.8, crafted XML
input could fool the parse
- expat 2.2.7-2 (bug #939394)
- firefox 70.0-1
- firefox-esr 68.2.0esr-1
- - chromium (uses system expat library)
+ - chromium (unimportant)
- thunderbird 1:68.2.1-1
NOTE:
https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43
NOTE: https://github.com/libexpat/libexpat/issues/317
@@ -10677,6 +10677,7 @@ CVE-2019-15903 (In libexpat before 2.2.8, crafted XML
input could fool the parse
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-34/#CVE-2019-15903
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-33/#CVE-2019-15903
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-35/#CVE-2019-15903
+ NOTE: src:hromium uses the system expat library.
CVE-2019-15902 (A backporting error was discovered in the Linux
stable/longterm kernel ...)
{DSA-4531-1 DLA-1940-1}
- linux
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2876c2c0db1bb513fa59e1d5914bd020f086728e
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2876c2c0db1bb513fa59e1d5914bd020f086728e
You're receiving this email because of your account on salsa.debian.org.
___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
e4011de0 by security tracker role at 2019-11-10T08:10:34Z
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=
data/CVE/list
=
@@ -17460,94 +17460,123 @@ CVE-2019-13722
RESERVED
CVE-2019-13721
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13720
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13719
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13718
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13717
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13716
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13715
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13714
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13713
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13712
RESERVED
CVE-2019-13711
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13710
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13709
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13708
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13707
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13706
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13705
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13704
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13703
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13702
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13701
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13700
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13699
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13698
RESERVED
CVE-2019-13697
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13696
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13695
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13694
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13693
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13692
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13691
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13690
RESERVED
@@ -17555,91 +17584,119 @@ CVE-2019-13689
RESERVED
CVE-2019-13688
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13687
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13686
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13685
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13684
RESERVED
CVE-2019-13683
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13682
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13681
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13680
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13679
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13678
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13677
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13676
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13675
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13674
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13673
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13672
RESERVED
CVE-2019-13671
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13670
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13669
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13668
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13667
RESERVED
+ {DSA-4562-1}
- chromium 78.0.3904.87-1
CVE-2019-13666
RESERVED
+ {DSA-4562-1}
- chromium
[Git][security-tracker-team/security-tracker][master] chromium dsa
Michael Gilbert pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
e9a0a53e by Michael Gilbert at 2019-11-10T08:14:31Z
chromium dsa
- - - - -
3 changed files:
- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt
Changes:
=
data/CVE/list
=
@@ -10669,7 +10669,7 @@ CVE-2019-15903 (In libexpat before 2.2.8, crafted XML
input could fool the parse
- expat 2.2.7-2 (bug #939394)
- firefox 70.0-1
- firefox-esr 68.2.0esr-1
- - chromium
+ - chromium (uses system expat library)
- thunderbird 1:68.2.1-1
NOTE:
https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43
NOTE: https://github.com/libexpat/libexpat/issues/317
=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[10 Nov 2019] DSA-4562-1 chromium - security update
+ {CVE-2019-5869 CVE-2019-5870 CVE-2019-5871 CVE-2019-5872 CVE-2019-5874
CVE-2019-5875 CVE-2019-5876 CVE-2019-5877 CVE-2019-5878 CVE-2019-5879
CVE-2019-5880 CVE-2019-13659 CVE-2019-13660 CVE-2019-13661 CVE-2019-13662
CVE-2019-13663 CVE-2019-13664 CVE-2019-13665 CVE-2019-13666 CVE-2019-13667
CVE-2019-13668 CVE-2019-13669 CVE-2019-13670 CVE-2019-13671 CVE-2019-13673
CVE-2019-13674 CVE-2019-13675 CVE-2019-13676 CVE-2019-13677 CVE-2019-13678
CVE-2019-13679 CVE-2019-13680 CVE-2019-13681 CVE-2019-13682 CVE-2019-13683
CVE-2019-13685 CVE-2019-13686 CVE-2019-13687 CVE-2019-13688 CVE-2019-13691
CVE-2019-13692 CVE-2019-13693 CVE-2019-13694 CVE-2019-13695 CVE-2019-13696
CVE-2019-13697 CVE-2019-13699 CVE-2019-13700 CVE-2019-13701 CVE-2019-13702
CVE-2019-13703 CVE-2019-13704 CVE-2019-13705 CVE-2019-13706 CVE-2019-13707
CVE-2019-13708 CVE-2019-13709 CVE-2019-13710 CVE-2019-13711 CVE-2019-13713
CVE-2019-13714 CVE-2019-13715 CVE-2019-13716 CVE-2019-13717 CVE-2019-13718
CVE-2019-13719 CVE-2019-13720 CVE-2019-13721}
+ [buster] - chromium 78.0.3904.97-1~deb10u1
[08 Nov 2019] DSA-4561-1 fribidi - security update
{CVE-2019-18397}
[buster] - fribidi 1.0.5-3.1+deb10u1
=
data/dsa-needed.txt
=
@@ -17,8 +17,6 @@ If needed, specify the release by adding a slash after the
name of the source pa
--
cacti (hle)
--
-chromium
---
curl (ghedo)
--
evince/oldstable
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/e9a0a53e86880149c35576e38fb1be24ce3cb6fc
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/e9a0a53e86880149c35576e38fb1be24ce3cb6fc
You're receiving this email because of your account on salsa.debian.org.
___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
