[Git][security-tracker-team/security-tracker][master] Add CVE-2020-0093 (possibly affecting libexif upstream)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d0706e02 by Salvatore Bonaccorso at 2020-05-15T06:16:27+02:00 Add CVE-2020-0093 (possibly affecting libexif upstream) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -36008,6 +36008,9 @@ CVE-2020-0094 RESERVED CVE-2020-0093 RESERVED + - libexif + NOTE: https://android.googlesource.com/platform/external/libexif/+/0335ffc17f9b9a4831c242bb08ea92f605fde7a6 + NOTE: https://github.com/libexif/libexif/issues/42 CVE-2020-0092 RESERVED NOT-FOR-US: Android View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d0706e02c17300673ce7d43fa56d553b18d4 debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
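Review bot: In the CVE-2020-0093 hunk the commit subject says libexif is only "possibly" affected, but the added entry records that nowhere. A NOTE line stating that upstream confirmation is still open in https://github.com/libexif/libexif/issues/42 would keep the uncertainty visible to anyone reading data/CVE/list without the commit log.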
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-1945/ant
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8954b7ea by Salvatore Bonaccorso at 2020-05-14T22:57:49+02:00 Add Debian bug reference for CVE-2020-1945/ant - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28585,7 +28585,7 @@ CVE-2020-1947 (In Apache ShardingSphere(incubator) 4.0.0-RC3 and 4.0.0, the Shar CVE-2020-1946 RESERVED CVE-2020-1945 (Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default tempora ...) - - ant (low) + - ant (low; bug #960630) [buster] - ant (Minor issue) [stretch] - ant (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2020/05/13/1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8954b7eac8bf25ef3d55c589c1ef5c10143389bb
[Git][security-tracker-team/security-tracker][master] new libspring-security-2.0-java, glpi issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 27e598cb by Moritz Muehlenhoff at 2020-05-14T22:41:24+02:00 new libspring-security-2.0-java, glpi issues NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18537,13 +18537,13 @@ CVE-2020-5579 CVE-2020-5578 RESERVED CVE-2020-5577 (Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movabl ...) - TODO: check + - movabletype-opensource CVE-2020-5576 (Cross-site request forgery (CSRF) vulnerability in Movable Type series ...) - TODO: check + - movabletype-opensource CVE-2020-5575 (Cross-site scripting vulnerability in Movable Type series (Movable Typ ...) - TODO: check + - movabletype-opensource CVE-2020-5574 (HTML attribute value injection vulnerability in Movable Type series (M ...) - TODO: check + - movabletype-opensource CVE-2020-5573 RESERVED CVE-2020-5572 @@ -18934,9 +18934,9 @@ CVE-2020-5410 CVE-2020-5409 (Pivotal Concourse, most versions prior to 6.0.0, allows redirects to u ...) NOT-FOR-US: Pivotal CVE-2020-5408 (Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5 ...) - TODO: check + - libspring-security-2.0-java CVE-2020-5407 (Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 ...) - TODO: check + - libspring-security-2.0-java CVE-2020-5406 (VMware Tanzu Application Service for VMs, 2.6.x versions prior to 2.6. ...) NOT-FOR-US: VMware CVE-2020-5405 (Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 2.1.x pri ...) 
@@ -19351,7 +19351,10 @@ CVE-2020-5249 (In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application usin NOTE: https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58 NOTE: https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3 CVE-2020-5248 (GLPI before before version 9.4.6 has a vulnerability involving a defau ...) - TODO: check + - glpi (unimportant) + NOTE: Only supported behind an authenticated HTTP zone + NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-j222-j9mf-h6j9 + NOTE: https://github.com/glpi-project/glpi/commit/efd14468c92c4da4aa9735e65fd20cbc7c6c CVE-2020-5247 (In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application us ...) - puma 3.12.4-1 (bug #952766) NOTE: https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v @@ -22173,7 +22176,7 @@ CVE-2020-4094 CVE-2020-4093 RESERVED CVE-2020-4092 ("If port encryption is not enabled on the Domino Server, HCL Nomad on ...) - TODO: check + NOT-FOR-US: HCL Nomad CVE-2020-4091 RESERVED CVE-2020-4090 
@@ -28169,35 +28172,35 @@ CVE-2020-2009 (An external control of filename vulnerability in the SD WAN compo CVE-2020-2008 (An OS command injection and external control of filename vulnerability ...) NOT-FOR-US: PAN-OS CVE-2020-2007 (An OS command injection vulnerability in the management server compone ...) - TODO: check + NOT-FOR-US: PAN-OS CVE-2020-2006 (A stack-based buffer overflow vulnerability in the management server c ...) - TODO: check + NOT-FOR-US: PAN-OS CVE-2020-2005 (A cross-site scripting (XSS) vulnerability exists when visiting malici ...) - TODO: check + NOT-FOR-US: PAN-OS CVE-2020-2004 (Under certain circumstances a user's password may be logged in clearte ...) - TODO: check + NOT-FOR-US: PAN-OS CVE-2020-2003 (An external control of filename vulnerability in the command processin ...) - TODO: check + NOT-FOR-US: PAN-OS CVE-2020-2002 (An authentication bypass by spoofing vulnerability exists in the authe ...) - TODO: check + NOT-FOR-US: PAN-OS CVE-2020-2001 (An external control of path and data vulnerability in the Palo Alto Ne ...) - TODO: check + NOT-FOR-US: PAN-OS CVE-2020-2000 RESERVED CVE-2020-1999 RESERVED CVE-2020-1998 (An improper authorization vulnerability in PAN-OS that mistakenly uses ...) - TODO: check + NOT-FOR-US: PAN-OS CVE-2020-1997 (An open redirection vulnerability in the GlobalProtect component of Pa ...) - TODO: check + NOT-FOR-US: PAN-OS CVE-2020-1996 (A missing authorization vulnerability in the management server compone ...) - TODO: check + NOT-FOR-US: PAN-OS CVE-2020-1995 (A NULL pointer dereference vulnerability in Palo Alto Networks PAN-OS ...) - TODO: check + NOT-FOR-US: PAN-OS CVE-2020-1994 (A predictable temporary file vulnerability in PAN-OS allows a local au ...) - TODO: check + NOT-FOR-US: PAN-OS CVE-2020-1993 (The GlobalProtect Portal feature in PAN-OS does not set a new session ...) - TODO: check +
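Review bot: In the @@ -18934 hunk, CVE-2020-5408 and CVE-2020-5407 are filed against libspring-security-2.0-java while both descriptions name Spring Security 5.2.x and 5.3.x. The package name points at a 2.0 series, so a NOTE recording whether the packaged code contains the affected functionality would let the next triager verify the entry without re-reading the advisories.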
[Git][security-tracker-team/security-tracker][master] Handover openconnect to Mika as requested over IRC
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 35d07218 by Utkarsh Gupta at 2020-05-15T02:02:50+05:30 Handover openconnect to Mika as requested over IRC - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -90,7 +90,7 @@ mumble (Abhijith PA) nginx (Mike Gabriel) NOTE: 20200505: Patch for CVE-2020-11724 appears to be fairly invasive and, alas, no tests. (lamby) -- -openconnect (Utkarsh Gupta) +openconnect (Mike Gabriel) -- opendmarc (Thorsten Alteholz) NOTE: 20200420: still testing package, original patch does not seem to be enough, still ongoing (thorsten) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/35d072185b39845a7e99c050481eb81ab5b08b9f
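Review bot: The subject says the package is handed to "Mika", but the line added in data/dla-needed.txt is "openconnect (Mike Gabriel)"; please confirm the claimant and make the two agree. The neighbouring entries carry dated NOTE lines, so a NOTE recording the handover and the IRC request would also keep the reason in the file itself.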
[Git][security-tracker-team/security-tracker][master] Revert "Reserve DLA-2211-1 for openconnect"
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 46cf1b47 by Utkarsh Gupta at 2020-05-15T02:00:27+05:30 Revert Reserve DLA-2211-1 for openconnect This reverts commit a9b3d90aa0cd14d2045ca89aa00917d9adc6d61c. - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,6 +1,3 @@ -[15 May 2020] DLA-2211-1 openconnect - security update - {CVE-2020-12823} - [jessie] - openconnect 6.00-2+deb8u2 [15 May 2020] DLA-2210-1 apt - security update {CVE-2020-3810} [jessie] - apt 1.0.9.8.6 = data/dla-needed.txt = @@ -90,6 +90,8 @@ mumble (Abhijith PA) nginx (Mike Gabriel) NOTE: 20200505: Patch for CVE-2020-11724 appears to be fairly invasive and, alas, no tests. (lamby) -- +openconnect (Utkarsh Gupta) +-- opendmarc (Thorsten Alteholz) NOTE: 20200420: still testing package, original patch does not seem to be enough, still ongoing (thorsten) NOTE: 20200511: new CVEs arrived (thorsten) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46cf1b477596a8a72350763120fdb5cfaa15f467
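Review bot: The revert message gives only the reverted commit id and no reason for withdrawing the DLA-2211-1 reservation from data/DLA/list. One sentence of rationale in the commit message would help, since the same commit puts "openconnect (Utkarsh Gupta)" back into data/dla-needed.txt and a reader cannot tell whether the upload was abandoned or only postponed.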
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2211-1 for openconnect
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: a9b3d90a by Utkarsh Gupta at 2020-05-15T01:57:31+05:30 Reserve DLA-2211-1 for openconnect - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[15 May 2020] DLA-2211-1 openconnect - security update + {CVE-2020-12823} + [jessie] - openconnect 6.00-2+deb8u2 [15 May 2020] DLA-2210-1 apt - security update {CVE-2020-3810} [jessie] - apt 1.0.9.8.6 = data/dla-needed.txt = @@ -90,8 +90,6 @@ mumble (Abhijith PA) nginx (Mike Gabriel) NOTE: 20200505: Patch for CVE-2020-11724 appears to be fairly invasive and, alas, no tests. (lamby) -- -openconnect (Utkarsh Gupta) --- opendmarc (Thorsten Alteholz) NOTE: 20200420: still testing package, original patch does not seem to be enough, still ongoing (thorsten) NOTE: 20200511: new CVEs arrived (thorsten) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a9b3d90aa0cd14d2045ca89aa00917d9adc6d61c
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2210-1 for apt
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 865532cc by Utkarsh Gupta at 2020-05-15T01:56:29+05:30 Reserve DLA-2210-1 for apt - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[15 May 2020] DLA-2210-1 apt - security update + {CVE-2020-3810} + [jessie] - apt 1.0.9.8.6 [11 May 2020] DLA-2209-1 tomcat8 - security update {CVE-2019-17563 CVE-2020-1935 CVE-2020-1938} [jessie] - tomcat8 8.0.14-1+deb8u17 = data/dla-needed.txt = @@ -26,9 +26,6 @@ apache2 (Utkarsh Gupta) NOTE: 20200501: No CVE yet. (Ola) NOTE: 20200510: Asking upstream for CVE assignment. (utkarsh) -- -apt (Utkarsh Gupta) - NOTE: 20200514: apt is in lts-do-call-me, wait for feedback on debian-lts ML (sunweaver) --- bluez NOTE: 20200420: Many upstream refactorings make this hard to see where the NOTE: 20200420: check for bonded connections should go. (eg. 7d9718cfc, View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/865532cc2ccbce66c88828899b07d6c6821599ce
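Review bot: The data/dla-needed.txt hunk deletes the apt entry whose NOTE of 20200514 says to "wait for feedback on debian-lts ML", while the DLA-2210-1 reservation added to data/DLA/list is dated 15 May 2020. Nothing in the change records that the feedback arrived, so the commit message should say so.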
[Git][security-tracker-team/security-tracker][master] Proces some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 493889bd by Salvatore Bonaccorso at 2020-05-14T22:14:20+02:00 Proces some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21421,9 +21421,9 @@ CVE-2020-4470 CVE-2020-4469 RESERVED CVE-2020-4468 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a remote attacke ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4467 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a remote attacke ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4466 RESERVED CVE-2020-4465 @@ -21513,7 +21513,7 @@ CVE-2020-4424 CVE-2020-4423 RESERVED CVE-2020-4422 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a remote attacke ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4421 (IBM WebSphere Application Liberty 19.0.0.5 through 20.0.0.4 could allo ...) NOT-FOR-US: IBM CVE-2020-4420 @@ -21627,7 +21627,7 @@ CVE-2020-4367 CVE-2020-4366 RESERVED CVE-2020-4365 (IBM WebSphere Application Server 8.5 is vulnerable to server-side requ ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4364 RESERVED CVE-2020-4363 @@ -21671,7 +21671,7 @@ CVE-2020-4345 CVE-2020-4344 RESERVED CVE-2020-4343 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a remote attacke ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4342 RESERVED CVE-2020-4341 @@ -21759,7 +21759,7 @@ CVE-2020-4301 CVE-2020-4300 RESERVED CVE-2020-4299 (IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.0.3.1 c ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4298 RESERVED CVE-2020-4297 
@@ -21781,13 +21781,13 @@ CVE-2020-4290 (IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, CVE-2020-4289 (IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0. ...) NOT-FOR-US: IBM CVE-2020-4288 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a remote attacke ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4287 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a remote attacke ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4286 RESERVED CVE-2020-4285 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a remote attacke ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4284 (IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0. ...) NOT-FOR-US: IBM CVE-2020-4283 (IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, and ...) 
@@ -21825,25 +21825,25 @@ CVE-2020-4268 (IBM QRadar 7.3.0 to 7.3.3 Patch 2 is vulnerable to cross-site scr CVE-2020-4267 (IBM MQ and MQ Appliance 8.0, 9.1 LTS, and 9.1 CD could allow an authen ...) NOT-FOR-US: IBM CVE-2020-4266 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a local attacker ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4265 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a local attacker ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4264 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a local attacker ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4263 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a local attacker ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4262 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a local attacker ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4261 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a local attacker ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4260 (IBM UrbanCode Deploy (UCD) 7.0.5 could allow a user with special permi ...) NOT-FOR-US: IBM CVE-2020-4259 (IBM Sterling File Gateway 2.2.0.0 through 6.0.3.1 could allow an authe ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4258 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a local attacker ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4257 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a local attacker ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4256 RESERVED CVE-2020-4255 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/493889bd64f8075d153ac106cbb73727fb982064
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1e48c8dc by security tracker role at 2020-05-14T20:10:36+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,69 @@ +CVE-2020-12877 (Veritas APTARE versions prior to 10.4 allowed sensitive information to ...) + TODO: check +CVE-2020-12876 (Veritas APTARE versions prior to 10.4 allowed remote users to access s ...) + TODO: check +CVE-2020-12875 (Veritas APTARE versions prior to 10.4 did not perform adequate authori ...) + TODO: check +CVE-2020-12874 (Veritas APTARE versions prior to 10.4 included code that bypassed the ...) + TODO: check +CVE-2020-12873 + RESERVED +CVE-2020-12872 + RESERVED +CVE-2020-12871 + RESERVED +CVE-2020-12870 + RESERVED +CVE-2020-12869 + RESERVED +CVE-2020-12868 + RESERVED +CVE-2020-12867 + RESERVED +CVE-2020-12866 + RESERVED +CVE-2020-12865 + RESERVED +CVE-2020-12864 + RESERVED +CVE-2020-12863 + RESERVED +CVE-2020-12862 + RESERVED +CVE-2020-12861 + RESERVED +CVE-2020-12860 + RESERVED +CVE-2020-12859 + RESERVED +CVE-2020-12858 + RESERVED +CVE-2020-12857 + RESERVED +CVE-2020-12856 + RESERVED +CVE-2020-12855 + RESERVED +CVE-2020-12854 + RESERVED +CVE-2020-12853 + RESERVED +CVE-2020-12852 + RESERVED +CVE-2020-12851 + RESERVED +CVE-2020-12850 + RESERVED +CVE-2020-12849 + RESERVED +CVE-2020-12848 + RESERVED +CVE-2020-12847 + RESERVED +CVE-2020-12846 + RESERVED +CVE-2020-12845 + RESERVED CVE-2020-12844 RESERVED CVE-2020-12843 @@ -375,8 +441,8 @@ CVE-2020-12679 (A reflected cross-site scripting (XSS) vulnerability in the Mite NOT-FOR-US: Mitel CVE-2020-12678 REJECTED -CVE-2020-12677 - RESERVED +CVE-2020-12677 (An issue was discovered in Progress MOVEit Automation Web Admin. A Web ...) + TODO: check CVE-2020-12676 RESERVED CVE-2020-12675 
@@ -2030,14 +2096,11 @@ CVE-2020-11975 RESERVED CVE-2020-11974 RESERVED -CVE-2020-11973 - RESERVED +CVE-2020-11973 (Apache Camel Netty enables Java deserialization by default. Apache Cam ...) NOT-FOR-US: Apache Camel -CVE-2020-11972 - RESERVED +CVE-2020-11972 (Apache Camel RabbitMQ enables Java deserialization by default. Apache ...) NOT-FOR-US: Apache Camel -CVE-2020-11971 - RESERVED +CVE-2020-11971 (Apache Camel's JMX is vulnerable to Rebind Flaw. Apache Camel 2.22.x, ...) NOT-FOR-US: Apache Camel CVE-2020-11970 RESERVED @@ -6812,8 +6875,8 @@ CVE-2020-10628 RESERVED CVE-2020-10627 RESERVED -CVE-2020-10626 - RESERVED +CVE-2020-10626 (In Fazecast jSerialComm, Version 2.2.2 and prior, an uncontrolled sear ...) + TODO: check CVE-2020-10625 (WebAccess/NMS (versions prior to 3.0.2) allows an unauthenticated remo ...) NOT-FOR-US: WebAccess/NMS CVE-2020-10624 @@ -18870,8 +18933,8 @@ CVE-2020-5410 RESERVED CVE-2020-5409 (Pivotal Concourse, most versions prior to 6.0.0, allows redirects to u ...) NOT-FOR-US: Pivotal -CVE-2020-5408 - RESERVED +CVE-2020-5408 (Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5 ...) + TODO: check CVE-2020-5407 (Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 ...) TODO: check CVE-2020-5406 (VMware Tanzu Application Service for VMs, 2.6.x versions prior to 2.6. ...) @@ -21357,10 +21420,10 @@ CVE-2020-4470 RESERVED CVE-2020-4469 RESERVED -CVE-2020-4468 - RESERVED -CVE-2020-4467 - RESERVED +CVE-2020-4468 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a remote attacke ...) + TODO: check +CVE-2020-4467 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a remote attacke ...) + TODO: check CVE-2020-4466 RESERVED CVE-2020-4465 
@@ -21449,8 +21512,8 @@ CVE-2020-4424 RESERVED CVE-2020-4423 RESERVED -CVE-2020-4422 - RESERVED +CVE-2020-4422 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a remote attacke ...) + TODO: check CVE-2020-4421 (IBM WebSphere Application Liberty 19.0.0.5 through 20.0.0.4 could allo ...) NOT-FOR-US: IBM CVE-2020-4420 @@ -21563,8 +21626,8 @@ CVE-2020-4367 RESERVED CVE-2020-4366 RESERVED -CVE-2020-4365 - RESERVED +CVE-2020-4365 (IBM WebSphere Application Server 8.5 is vulnerable to server-side requ ...) + TODO: check CVE-2020-4364 RESERVED CVE-2020-4363 @@ -21607,8 +21670,8 @@ CVE-2020-4345 RESERVED CVE-2020-4344 RESERVED -CVE-2020-4343 - RESERVED +CVE-2020-4343 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a remote attacke ...) + TODO: check CVE-2020-4342
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-12823/openconnect
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7fb20b1b by Salvatore Bonaccorso at 2020-05-14T21:23:19+02:00 Add Debian bug reference for CVE-2020-12823/openconnect - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -51,7 +51,7 @@ CVE-2020-12825 (libcroco through 0.6.13 has excessive recursion in cr_parser_par CVE-2020-12824 RESERVED CVE-2020-12823 (OpenConnect 8.09 has a buffer overflow, causing a denial of service (a ...) - - openconnect + - openconnect (bug #960620) NOTE: https://gitlab.com/openconnect/openconnect/-/merge_requests/108 CVE-2020-12822 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7fb20b1b496cd893c18497f3053802f3db2e61fe
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b69d360a by Moritz Muehlenhoff at 2020-05-14T20:47:15+02:00 NFUs ant no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2032,10 +2032,13 @@ CVE-2020-11974 RESERVED CVE-2020-11973 RESERVED + NOT-FOR-US: Apache Camel CVE-2020-11972 RESERVED + NOT-FOR-US: Apache Camel CVE-2020-11971 RESERVED + NOT-FOR-US: Apache Camel CVE-2020-11970 RESERVED CVE-2020-11969 @@ -28476,6 +28479,7 @@ CVE-2020-1961 (Vulnerability to Server-Side Template Injection on Mail templates NOT-FOR-US: Apache Syncope CVE-2020-1960 RESERVED + NOT-FOR-US: Apache Flink CVE-2020-1959 (A Server-Side Template Injection was identified in Apache Syncope prio ...) NOT-FOR-US: Apache Syncope CVE-2020-1958 (When LDAP authentication is enabled in Apache Druid 0.17.0, callers of ...) @@ -28517,7 +28521,9 @@ CVE-2020-1946 RESERVED CVE-2020-1945 [insecure temporary file vulnerability] RESERVED - - ant + - ant (low) + [buster] - ant (Minor issue) + [stretch] - ant (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2020/05/13/1 NOTE: https://github.com/apache/ant/commit/9c1f4d905da59bf446570ac28df5b68a37281f35 (1.9.15) NOTE: https://github.com/apache/ant/commit/926f339ea30362bec8e53bf5924ce803938163b7 (1.9.15) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b69d360a9bd61e5f4e9b212a1964bdae17297e35
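Review bot: CVE-2020-11973, CVE-2020-11972, CVE-2020-11971 and CVE-2020-1960 are marked NOT-FOR-US while still RESERVED and without a description, so nothing in the entries shows how the product (Apache Camel, Apache Flink) was identified. A NOTE with the advisory URL, as the CVE-2020-1945 entry in the last hunk has, would make the classification checkable.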
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: cbd1181f by Moritz Muehlenhoff at 2020-05-14T17:44:10+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -338,13 +338,13 @@ CVE-2020-12702 CVE-2020-12701 RESERVED CVE-2020-12700 (The direct_mail extension through 5.2.3 for TYPO3 allows Information D ...) - TODO: check + NOT-FOR-US: Typo3 extension CVE-2020-12699 (The direct_mail extension through 5.2.3 for TYPO3 has an Open Redirect ...) - TODO: check + NOT-FOR-US: Typo3 extension CVE-2020-12698 (The direct_mail extension through 5.2.3 for TYPO3 has Broken Access Co ...) - TODO: check + NOT-FOR-US: Typo3 extension CVE-2020-12697 (The direct_mail extension through 5.2.3 for TYPO3 allows Denial of Ser ...) - TODO: check + NOT-FOR-US: Typo3 extension CVE-2020-12696 (The iframe plugin before 4.5 for WordPress does not sanitize a URL. ...) NOT-FOR-US: iframe plugin for WordPress CVE-2020-12695 @@ -962,7 +962,7 @@ CVE-2020-12429 (Online Course Registration 2.0 has multiple SQL injections that CVE-2020-12428 RESERVED CVE-2020-12427 (The Western Digital WD Discovery application before 3.8.229 for MyClou ...) - TODO: check + NOT-FOR-US: Western Digital CVE-2020-12426 RESERVED CVE-2020-12425 @@ -2135,7 +2135,7 @@ CVE-2020-11934 CVE-2020-11933 RESERVED CVE-2020-11932 (It was discovered that the Subiquity installer for Ubuntu Server logge ...) - TODO: check + NOT-FOR-US: Subiquity installer for Ubuntu CVE-2020-11931 RESERVED NOT-FOR-US: Ubuntu snap packaging of Pulseaudio 
@@ -5298,21 +5298,21 @@ CVE-2020-11072 (In SLP Validate (npm package slp-validate) before version 1.2.1, CVE-2020-11071 (SLPJS (npm package slpjs) before version 0.27.2, has a vulnerability w ...) TODO: check CVE-2020-11070 (The SVG Sanitizer extension for TYPO3 has a cross-site scripting vulne ...) - TODO: check + NOT-FOR-US: TYPO3 CVE-2020-11069 (In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has be ...) - TODO: check + NOT-FOR-US: TYPO3 CVE-2020-11068 RESERVED CVE-2020-11067 (In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has be ...) - TODO: check + NOT-FOR-US: TYPO3 CVE-2020-11066 (In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and g ...) - TODO: check + NOT-FOR-US: TYPO3 CVE-2020-11065 (In TYPO3 CMS greater than or equal to 9.5.12 and less than 9.5.17, and ...) - TODO: check + NOT-FOR-US: TYPO3 CVE-2020-11064 (In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and g ...) - TODO: check + NOT-FOR-US: TYPO3 CVE-2020-11063 (In TYPO3 CMS versions 10.4.0 and 10.4.1, it has been discovered that t ...) - TODO: check + NOT-FOR-US: TYPO3 CVE-2020-11062 (In GLPI after 0.68.1 and before 9.4.6, multiple reflexive XSS occur in ...) - glpi (unimportant) NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-3xxh-f5p2-jg3h @@ -5334,7 +5334,7 @@ CVE-2020-11058 (In FreeRDP after 1.1 and before 2.0.0, a stream out-of-bounds se NOTE: https://github.com/FreeRDP/FreeRDP/commit/3627aaf7d289315b614a584afb388f04abfb5bbf NOTE: https://github.com/FreeRDP/FreeRDP/issues/6011 CVE-2020-11057 (In XWiki Platform 7.2 through 11.10.2, registered users without script ...) - TODO: check + NOT-FOR-US: XWiki CVE-2020-11056 (In Sprout Forms before 3.9.0, there is a potential Server-Side Templat ...) NOT-FOR-US: Sprout Forms CVE-2020-11055 (In BookStack greater than or equal to 0.18.0 and less than 0.29.2, the ...) 
@@ -6746,7 +6746,7 @@ CVE-2020-10656 CVE-2020-10655 RESERVED CVE-2020-10654 (Ping Identity PingID SSH before 4.0.14 contains a heap buffer overflow ...) - TODO: check + NOT-FOR-US: Ping Identity PingID CVE-2020-10653 RESERVED CVE-2020-10652 @@ -8639,25 +8639,25 @@ CVE-2020-9768 (A use after free issue was addressed with improved memory managem CVE-2020-9767 RESERVED CVE-2020-10028 (Multiple syscalls with insufficient argument validation See NCC-ZEP-00 ...) - TODO: check + NOT-FOR-US: Zephyr, different from src:zephyr CVE-2020-10027 (An attacker who has obtained code execution within a user thread is ab ...) - TODO: check + NOT-FOR-US: Zephyr, different from src:zephyr CVE-2020-10026 REJECTED CVE-2020-10025 REJECTED CVE-2020-10024 (The arm platform-specific code uses a signed integer comparison when v ...) - TODO: check + NOT-FOR-US: Zephyr, different from src:zephyr CVE-2020-10023 (The shell subsystem contains a buffer overflow, whereby an adversary w ...) - TODO: check + NOT-FOR-US: Zephyr,
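Review bot: The same product is spelled two ways in this commit: "NOT-FOR-US: Typo3 extension" in the @@ -338 hunk and "NOT-FOR-US: TYPO3" in the @@ -5298 hunk, where CVE-2020-11070 is also an extension. Using "TYPO3" throughout keeps a search over data/CVE/list from missing entries.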
[Git][security-tracker-team/security-tracker][master] new clamav issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5b430f84 by Moritz Muehlenhoff at 2020-05-14T17:34:46+02:00 new clamav issues freeradius no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24774,7 +24774,10 @@ CVE-2020-3343 CVE-2020-3342 RESERVED CVE-2020-3341 (A vulnerability in the PDF archive parsing module in Clam AntiVirus (C ...) - TODO: check + - clamav + [buster] - clamav (ClamAV is updated via -updates) + [stretch] - clamav (ClamAV is updated via -updates) + NOTE: https://blog.clamav.net/2020/05/clamav-01023-security-patch-released.html CVE-2020-3340 RESERVED CVE-2020-3339 @@ -24802,7 +24805,10 @@ CVE-2020-3329 (A vulnerability in role-based access control of Cisco Integrated CVE-2020-3328 RESERVED CVE-2020-3327 (A vulnerability in the ARJ archive parsing module in Clam AntiVirus (C ...) - TODO: check + - clamav + [buster] - clamav (ClamAV is updated via -updates) + [stretch] - clamav (ClamAV is updated via -updates) + NOTE: https://blog.clamav.net/2020/05/clamav-01023-security-patch-released.html CVE-2020-3326 RESERVED CVE-2020-3325 @@ -38616,6 +38622,8 @@ CVE-2019-17186 (/var/WEB-GUI/cgi-bin/telnet.cgi on FiberHome HG2201T 1.00.M5007_ NOT-FOR-US: FiberHome HG2201T devices CVE-2019-17185 (In FreeRADIUS 3.0.x before 3.0.20, the EAP-pwd module used a global Op ...) - freeradius 3.0.20+dfsg-1 + [buster] - freeradius (Minor issue) + [stretch] - freeradius (Minor issue) [jessie] - freeradius (Vulnerable code not present; EAP-pwd module introduced in later version) NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/6b522f8780813726799e6b8cf0f1f8e0ce2c8ebf CVE-2019-17184 (Xerox AtlaLink B8045/B8055/B8065/B8075/B8090 C8030/C8035/C8045/C8055/C ...) 
@@ -51371,6 +51379,8 @@ CVE-2019-13457 (An issue was discovered in Open Ticket Request System (OTRS) 7.0 NOTE: https://otrs.com/release-notes/otrs-security-advisory-2019-11/ CVE-2019-13456 (In FreeRADIUS 3.0 through 3.0.19, on average 1 in every 2048 EAP-pwd h ...) - freeradius 3.0.20+dfsg-1 + [buster] - freeradius (Minor issue) + [stretch] - freeradius (Minor issue) [jessie] - freeradius (Vulnerable code introduced later in version 3.0.0) NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa (release_3_0_20) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1737663 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b430f840556ae30a8ca72ac70dcdb0401bce6be
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2018-8006/activemq
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 246a1f52 by Salvatore Bonaccorso at 2020-05-14T16:56:17+02:00 Update status for CVE-2018-8006/activemq - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -120069,12 +120069,12 @@ CVE-2018-8007 (Apache CouchDB administrative users can configure the database se - couchdb NOTE: https://blog.couchdb.org/2018/07/10/cve-2018-8007/ CVE-2018-8006 (An instance of a cross-site scripting vulnerability was identified to ...) - - activemq (unimportant) + - activemq 5.15.6-1 (unimportant) NOTE: https://issues.apache.org/jira/browse/AMQ-6954 NOTE: https://git-wip-us.apache.org/repos/asf?p=activemq.git;h=d25de5d NOTE: https://git-wip-us.apache.org/repos/asf?p=activemq.git;h=d8c80a9 NOTE: Admin console not enabled in the Debian package, see #702670) - NOTE: Fixed in 5.15.5, 5.16.0 + NOTE: Fixed in 5.15.6, 5.16.0 CVE-2018-8005 (When there are multiple ranges in a range request, Apache Traffic Serv ...) {DSA-4282-1} - trafficserver 7.1.4+ds-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/246a1f52f57f8d29c720ccb42b378280090d73ff
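Review bot: The fixed version moves from 5.15.5 to 5.15.6 in both the package line and the "Fixed in" NOTE of CVE-2018-8006, but neither the commit message nor the entry says what the correction is based on. Add a NOTE naming the source for 5.15.6 so the change can be verified later. The unchanged NOTE "see #702670)" in the same entry also ends with a closing parenthesis that has no opening one, which could be tidied while the entry is being touched.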
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-1941/activemq
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7a53b1e0 by Salvatore Bonaccorso at 2020-05-14T16:54:31+02:00 Add CVE-2020-1941/activemq - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28531,6 +28531,9 @@ CVE-2020-1942 (In Apache NiFi 0.0.1 to 1.11.0, the flow fingerprint factory gene NOT-FOR-US: Apache NiFi CVE-2020-1941 RESERVED + - activemq (unimportant) + NOTE: Admin console not enabled in the Debian package, see #702670) + NOTE: Fixed in 5.15.12 CVE-2020-1940 (The optional initial password change and password expiration features ...) NOT-FOR-US: Apache Jackrabbit Oak CVE-2020-1939 (The Apache NuttX (Incubating) project provides an optional separate "a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7a53b1e0a2a846efe9ec17e2a63d5b179a3d0fac
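Review bot: The added line "NOTE: Admin console not enabled in the Debian package, see #702670)" ends with a closing parenthesis that has no opening one; drop the ")" or write "(see #702670)". The added "NOTE: Fixed in 5.15.12" also has no accompanying reference, so a NOTE with the upstream advisory or commit URL would make the version verifiable from the entry itself.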
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-1945/ant
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8c1549b6 by Salvatore Bonaccorso at 2020-05-14T16:27:36+02:00 Add CVE-2020-1945/ant - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28509,8 +28509,17 @@ CVE-2020-1947 (In Apache ShardingSphere(incubator) 4.0.0-RC3 and 4.0.0, the Shar NOT-FOR-US: Apache ShardingSphere CVE-2020-1946 RESERVED -CVE-2020-1945 - RESERVED +CVE-2020-1945 [insecure temporary file vulnerability] + RESERVED + - ant + NOTE: https://www.openwall.com/lists/oss-security/2020/05/13/1 + NOTE: https://github.com/apache/ant/commit/9c1f4d905da59bf446570ac28df5b68a37281f35 (1.9.15) + NOTE: https://github.com/apache/ant/commit/926f339ea30362bec8e53bf5924ce803938163b7 (1.9.15) + NOTE: https://github.com/apache/ant/commit/d591851ae3921172bb825b5a5344afa3de0e28ca (10.8) + NOTE: https://github.com/apache/ant/commit/9c1f4d905da59bf446570ac28df5b68a37281f35 (10.8) + NOTE: https://github.com/apache/ant/commit/041b058c7bf10a94d56db3ca9dba38cf90ab9943 (10.8) + NOTE: https://github.com/apache/ant/commit/a8645a151bc706259fb1789ef587d05482d98612 (10.8) + NOTE: https://github.com/apache/ant/commit/926f339ea30362bec8e53bf5924ce803938163b7 (10.8) CVE-2020-1944 (There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0. ...) {DSA-4672-1} - trafficserver 8.0.6+ds-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8c1549b648cc8016d92f086a63a2378550d3334a
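Review bot: In the CVE-2020-1945 entry, the last five NOTE lines tag their commits "(10.8)", which does not match the three-part form of the "(1.9.15)" tag on the two lines above them; if the 1.10 branch is meant, the tag should read "(1.10.8)". Commits 9c1f4d905da59bf446570ac28df5b68a37281f35 and 926f339ea30362bec8e53bf5924ce803938163b7 are also listed under both tags, so it is worth confirming that the same hash applies to both releases or replacing the repeats with the branch-specific commits.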
[Git][security-tracker-team/security-tracker][master] LTS: unclaim and update notes on libdatetime-timezone-perl tzdata
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 960a4aa8 by Roberto C. Sánchez at 2020-05-14T08:26:29-04:00 LTS: unclaim and update notes on libdatetime-timezone-perl tzdata - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -57,7 +57,8 @@ imagemagick (Markus Koschany) json-c (Mike Gabriel) NOTE: 20200514: json-c is currently orphaned, so possibly fix (old)stable, too? (sunweaver) -- -libdatetime-timezone-perl (Roberto C. Sánchez) +libdatetime-timezone-perl + NOTE: 20200514: LTS update must wait on oldstable update first to prevent newer version in LTS (roberto) -- libexif (Mike Gabriel) -- @@ -114,7 +115,8 @@ squid3 (Markus Koschany) -- tomcat8 -- -tzdata (Roberto C. Sánchez) +tzdata + NOTE: 20200514: LTS update must wait on oldstable update first to prevent newer version in LTS (roberto) -- varnish (Sylvain Beucler) NOTE: 20200410: There was a reworking of the functions in cache_req_fsm.c View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/960a4aa82b62fb56eb9a64f86bb19cda71426703
[Git][security-tracker-team/security-tracker][master] LTS: claim graphicsmagick in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 253f44ac by Roberto C. Sánchez at 2020-05-14T07:57:41-04:00 LTS: claim graphicsmagick in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -49,7 +49,7 @@ exim4 (Roberto C. Sánchez) freerdp (Utkarsh Gupta) NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby) -- -graphicsmagick +graphicsmagick (Roberto C. Sánchez) NOTE: 20200514: no upstream patch available, yet, for CVE-2020-12672 (sunweaver) -- imagemagick (Markus Koschany) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/253f44acad96984000dd7d942573cb1420c49c21
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8a95e1da by Moritz Muehlenhoff at 2020-05-14T13:19:28+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14082,9 +14082,9 @@ CVE-2020-7457 CVE-2020-7456 RESERVED CVE-2020-7455 (In FreeBSD 12.1-STABLE before r360973, 12.1-RELEASE before p5, 11.4-ST ...) - TODO: check + NOT-FOR-US: FreeBSD CVE-2020-7454 (In FreeBSD 12.1-STABLE before r360971, 12.1-RELEASE before p5, 11.4-ST ...) - TODO: check + NOT-FOR-US: FreeBSD CVE-2020-7453 (In FreeBSD 12.1-STABLE before r359021, 12.1-RELEASE before 12.1-RELEAS ...) - kfreebsd-10 (unimportant) NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-20:08.jail.asc @@ -30168,9 +30168,9 @@ CVE-2019-19171 CVE-2019-19170 RESERVED CVE-2019-19169 (Dext5.ocx ActiveX 5.0.0.116 and eariler versions contain a vulnerabili ...) - TODO: check + NOT-FOR-US: Dext5.ocx ActiveX CVE-2019-19168 (Dext5.ocx ActiveX 5.0.0.116 and eariler versions contain a vulnerabili ...) - TODO: check + NOT-FOR-US: Dext5.ocx ActiveX CVE-2019-19167 (Tobesoft Nexacro v2019.9.25.1 and earlier version have an arbitrary co ...) NOT-FOR-US: Tobesoft Nexacro CVE-2019-19166 (Tobesoft XPlatform v9.1, 9.2.0, 9.2.1 and 9.2.2 have a vulnerability t ...) @@ -30178,11 +30178,11 @@ CVE-2019-19166 (Tobesoft XPlatform v9.1, 9.2.0, 9.2.1 and 9.2.2 have a vulnerabi CVE-2019-19165 (AxECM.cab(ActiveX Control) in Inogard Ebiz4u contains a vulnerability ...) NOT-FOR-US: Inogard Ebiz4u CVE-2019-19164 (dext5.ocx ActiveX Control in Dext5 Upload 5.0.0.112 and earlier versio ...) - TODO: check + NOT-FOR-US: Dext5.ocx ActiveX CVE-2019-19163 RESERVED CVE-2019-19162 (A use-after-free vulnerability in the TOBESOFT XPLATFORM versions 9.1 ...) - TODO: check + NOT-FOR-US: TOBESOFT XPLATFORM CVE-2019-19161 RESERVED CVE-2019-19160 
@@ -41716,7 +41716,7 @@ CVE-2019-16114 (In ATutor 2.2.4, an unauthenticated attacker can change the appl CVE-2019-16113 (Bludit 3.9.2 allows remote code execution via bl-kernel/ajax/upload-im ...) NOT-FOR-US: Bludit CVE-2019-16112 (TylerTech Eagle 2018.3.11 deserializes untrusted user input, resulting ...) - TODO: check + NOT-FOR-US: TylerTech Eagle CVE-2019-16111 RESERVED CVE-2019-16110 (The network protocol of Blade Shadow though 2.13.3 allows remote attac ...) 
@@ -42329,20 +42329,22 @@ CVE-2019-15882 CVE-2019-15881 RESERVED CVE-2019-15880 (In FreeBSD 12.1-STABLE before r356911, and 12.1-RELEASE before p5, ins ...) - TODO: check + NOT-FOR-US: FreeBSD CVE-2019-15879 (In FreeBSD 12.1-STABLE before r356908, 12.1-RELEASE before p5, 11.3-ST ...) - TODO: check + NOT-FOR-US: FreeBSD CVE-2019-15878 (In FreeBSD 12.1-STABLE before r352509, 11.3-STABLE before r352509, and ...) - TODO: check + - kfreebsd-10 (unimportant) + NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-20:14.sctp.asc CVE-2019-15877 (In FreeBSD 12.1-STABLE before r356606 and 12.1-RELEASE before 12.1-REL ...) - TODO: check + NOT-FOR-US: FreeBSD CVE-2019-15876 (In FreeBSD 12.1-STABLE before r356089, 12.1-RELEASE before 12.1-RELEAS ...) - TODO: check + NOT-FOR-US: FreeBSD CVE-2019-15875 (In FreeBSD 12.1-STABLE before r354734, 12.1-RELEASE before 12.1-RELEAS ...) - kfreebsd-10 (unimportant) NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-20:03.thrmisc.asc CVE-2019-15874 (In FreeBSD 12.1-STABLE before r356035, 12.1-RELEASE before 12.1-RELEAS ...) - TODO: check + - kfreebsd-10 (unimportant) + NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-20:10.ipfw.asc CVE-2019-15873 (The profilegrid-user-profiles-groups-and-communities plugin before 2.8 ...) NOT-FOR-US: profilegrid-user-profiles-groups-and-communities plugin for WordPress CVE-2019-15872 (The LoginPress plugin before 1.1.4 for WordPress has SQL injection via ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a95e1da66bb2870cd6629a0f867c26701e7de8d
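Review bot: In the @@ -30178 hunk, the new tag "NOT-FOR-US: TOBESOFT XPLATFORM" on CVE-2019-19162 is spelled differently from the vendor naming already used nearby ("NOT-FOR-US: Tobesoft Nexacro", and "Tobesoft XPlatform" in the CVE-2019-19166 description). Use "Tobesoft XPlatform" so a search on the product name matches every entry.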
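Review bot: In the @@ -42329 hunk, CVE-2019-15878 and CVE-2019-15874 are not marked NOT-FOR-US but tracked against kfreebsd-10 as unimportant with FreeBSD advisory links, which the commit subject "NFUs" does not cover. Mention the kfreebsd-10 entries in the commit message, or move them to their own commit, so this triage decision can be found from the log.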
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim log4net.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 7b987f99 by Chris Lamb at 2020-05-14T10:12:36+01:00 data/dla-needed.txt: Claim log4net. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -81,7 +81,7 @@ linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) -- -log4net +log4net (Chris Lamb) -- mumble (Abhijith PA) NOTE: 20200325: Regression in last upload, forgot to follow up. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7b987f99a7abf32b08187bc3d6a38a4062f95b64
[Git][security-tracker-team/security-tracker][master] Claim apt
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 988dd2f2 by Utkarsh Gupta at 2020-05-14T14:36:15+05:30 Claim apt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -26,7 +26,7 @@ apache2 (Utkarsh Gupta) NOTE: 20200501: No CVE yet. (Ola) NOTE: 20200510: Asking upstream for CVE assignment. (utkarsh) -- -apt +apt (Utkarsh Gupta) NOTE: 20200514: apt is in lts-do-call-me, wait for feedback on debian-lts ML (sunweaver) -- bluez View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/988dd2f2a334f16a87074a7cd4faf6ece8b414be
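Review bot: The claim on "apt" sits directly above the unchanged NOTE "20200514: apt is in lts-do-call-me, wait for feedback on debian-lts ML (sunweaver)", and nothing in the change records that the feedback arrived. Add a dated NOTE under the entry stating the outcome of that discussion so the claim and the existing note do not contradict each other.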
[Git][security-tracker-team/security-tracker][master] Claim openconnect
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c895652 by Utkarsh Gupta at 2020-05-14T14:35:00+05:30 Claim openconnect - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -92,7 +92,7 @@ mumble (Abhijith PA) nginx (Mike Gabriel) NOTE: 20200505: Patch for CVE-2020-11724 appears to be fairly invasive and, alas, no tests. (lamby) -- -openconnect +openconnect (Utkarsh Gupta) -- opendmarc (Thorsten Alteholz) NOTE: 20200420: still testing package, original patch does not seem to be enough, still ongoing (thorsten) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c895652d18d79b0e73f01113ae7f309c339093b
[Git][security-tracker-team/security-tracker][master] Track fix for CVE-2020-12430/libvirt
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6bd5d2e7 by Salvatore Bonaccorso at 2020-05-14T10:44:32+02:00 Track fix for CVE-2020-12430/libvirt - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -944,6 +944,7 @@ CVE-2020-12432 CVE-2020-12431 RESERVED CVE-2020-12430 (An issue was discovered in qemuDomainGetStatsIOThread in qemu/qemu_dri ...) + [experimental] - libvirt 6.2.0-1 - libvirt (bug #959447) [stretch] - libvirt (Vulnerable code introduced later) [jessie] - libvirt (Vulnerable code introduced later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6bd5d2e7a92a21f7b9e3ece745ccf005601e6d38
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cd6248d6 by Salvatore Bonaccorso at 2020-05-14T10:22:27+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23,7 +23,7 @@ CVE-2020-12834 CVE-2020-12833 RESERVED CVE-2020-12832 (The simple-file-list plugin before 4.2.8 for WordPress mishandles a .. ...) - TODO: check + NOT-FOR-US: simple-file-list plugin for WordPress CVE-2020-12831 (** DISPUTED ** An issue was discovered in FRRouting FRR (aka Free Rang ...) - frr (unimportant) NOTE: https://github.com/FRRouting/frr/pull/6383 @@ -251,7 +251,7 @@ CVE-2020-12744 CVE-2020-12743 (An issue was discovered in Gazie 7.32. A successful installation does ...) NOT-FOR-US: Gazie CVE-2020-12742 (The iubenda-cookie-law-solution plugin before 2.3.5 for WordPress does ...) - TODO: check + NOT-FOR-US: iubenda-cookie-law-solution plugin for WordPress CVE-2020-12741 RESERVED CVE-2020-12740 (tcprewrite in Tcpreplay through 4.3.2 has a heap-based buffer over-rea ...) @@ -21666,7 +21666,7 @@ CVE-2020-4314 CVE-2020-4313 RESERVED CVE-2020-4312 (IBM Sterling B2B Integrator Standard Edition 5.2.0.0 trough 6.0.3.1 co ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4311 (IBM Tivoli Monitoring 6.3.0 could allow a local attacker to execute ar ...) NOT-FOR-US: IBM CVE-2020-4310 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd6248d6a324621d4b77a8715f600b0f05b99b11
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e22c95f7 by security tracker role at 2020-05-14T08:10:20+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,25 @@ +CVE-2020-12844 + RESERVED +CVE-2020-12843 + RESERVED +CVE-2020-12842 + RESERVED +CVE-2020-12841 + RESERVED +CVE-2020-12840 + RESERVED +CVE-2020-12839 + RESERVED +CVE-2020-12838 + RESERVED +CVE-2020-12837 + RESERVED +CVE-2020-12836 + RESERVED +CVE-2020-12835 + RESERVED +CVE-2020-12834 + RESERVED CVE-2020-12833 RESERVED CVE-2020-12832 (The simple-file-list plugin before 4.2.8 for WordPress mishandles a .. ...) @@ -281,8 +303,8 @@ CVE-2020-12719 (XXE during an EventPublisher update can occur in Management Cons NOT-FOR-US: WSO2 CVE-2020-12718 (In administration/comments.php in PHP-Fusion 9.03.50, an authenticated ...) NOT-FOR-US: PHP-Fusion -CVE-2020-12717 - RESERVED +CVE-2020-12717 (The COVIDSafe (Australia) app 1.0 and 1.1 for iOS allows a remote atta ...) + TODO: check CVE-2020-12716 RESERVED CVE-2020-12715 
@@ -5276,20 +5298,20 @@ CVE-2020-11071 (SLPJS (npm package slpjs) before version 0.27.2, has a vulnerabi TODO: check CVE-2020-11070 (The SVG Sanitizer extension for TYPO3 has a cross-site scripting vulne ...) TODO: check -CVE-2020-11069 - RESERVED +CVE-2020-11069 (In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has be ...) + TODO: check CVE-2020-11068 RESERVED -CVE-2020-11067 - RESERVED -CVE-2020-11066 - RESERVED -CVE-2020-11065 - RESERVED -CVE-2020-11064 - RESERVED -CVE-2020-11063 - RESERVED +CVE-2020-11067 (In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has be ...) + TODO: check +CVE-2020-11066 (In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and g ...) + TODO: check +CVE-2020-11065 (In TYPO3 CMS greater than or equal to 9.5.12 and less than 9.5.17, and ...) + TODO: check +CVE-2020-11064 (In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and g ...) + TODO: check +CVE-2020-11063 (In TYPO3 CMS versions 10.4.0 and 10.4.1, it has been discovered that t ...) + TODO: check CVE-2020-11062 (In GLPI after 0.68.1 and before 9.4.6, multiple reflexive XSS occur in ...) - glpi (unimportant) NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-3xxh-f5p2-jg3h @@ -18447,14 +18469,14 @@ CVE-2020-5579 RESERVED CVE-2020-5578 RESERVED -CVE-2020-5577 - RESERVED -CVE-2020-5576 - RESERVED -CVE-2020-5575 - RESERVED -CVE-2020-5574 - RESERVED +CVE-2020-5577 (Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movabl ...) + TODO: check +CVE-2020-5576 (Cross-site request forgery (CSRF) vulnerability in Movable Type series ...) + TODO: check +CVE-2020-5575 (Cross-site scripting vulnerability in Movable Type series (Movable Typ ...) + TODO: check +CVE-2020-5574 (HTML attribute value injection vulnerability in Movable Type series (M ...) + TODO: check CVE-2020-5573 RESERVED CVE-2020-5572 
@@ -18842,8 +18864,8 @@ CVE-2020-5411 RESERVED CVE-2020-5410 RESERVED -CVE-2020-5409 - RESERVED +CVE-2020-5409 (Pivotal Concourse, most versions prior to 6.0.0, allows redirects to u ...) + TODO: check CVE-2020-5408 RESERVED CVE-2020-5407 (Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 ...) @@ -23519,6 +23541,7 @@ CVE-2020-3811 RESERVED CVE-2020-3810 [apt out-of-bounds read in .ar/.tar implemations] RESERVED + {DSA-4685-1} - apt 2.1.2 NOTE: https://github.com/Debian/apt/issues/111 NOTE: https://bugs.launchpad.net/bugs/1878177 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e22c95f7a442d1e7f7929a61943a67d5e166026f
[Git][security-tracker-team/security-tracker][master] libvirt fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2a59f3ce by Moritz Muehlenhoff at 2020-05-14T09:55:33+02:00 libvirt fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6514,7 +6514,7 @@ CVE-2020-10702 [weak signature generation in Pointer Authentication support for NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=de0b1bae6461f67243282555475f88b2384a1eb9 (v5.0.0-rc0) CVE-2020-10701 [guest agent timeout can be set under read-only mode leading to DoS] RESERVED - - libvirt (bug #955841) + - libvirt 6.0.0-7 (bug #955841) [buster] - libvirt (Vulnerable code introduced later) [stretch] - libvirt (Vulnerable code introduced later) [jessie] - libvirt (Vulnerable code introduced later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a59f3ceabb6a6a36b5074e92e42115a9df8ddc8
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-10742/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 067dc187 by Salvatore Bonaccorso at 2020-05-14T08:53:56+02:00 Add CVE-2020-10742/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6374,6 +6374,8 @@ CVE-2020-10743 RESERVED CVE-2020-10742 RESERVED + - linux + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1835127 CVE-2020-10741 REJECTED CVE-2020-10740 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/067dc187f84d533b26d08ae14b92dee401ec5b81
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-12831
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 699f03a0 by Salvatore Bonaccorso at 2020-05-14T08:46:21+02:00 Add CVE-2020-12831 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,7 +3,9 @@ CVE-2020-12833 CVE-2020-12832 (The simple-file-list plugin before 4.2.8 for WordPress mishandles a .. ...) TODO: check CVE-2020-12831 (** DISPUTED ** An issue was discovered in FRRouting FRR (aka Free Rang ...) - TODO: check + - frr (unimportant) + NOTE: https://github.com/FRRouting/frr/pull/6383 + NOTE: https://github.com/FRRouting/frr/commit/7734484a378052a513c9e21165c13bf85f78ad48 CVE-2020-12830 RESERVED CVE-2020-12829 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/699f03a0b3afd48bd26f093cc2003c3adc4a5d59
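Review bot: The new "- frr (unimportant)" line for CVE-2020-12831 gives no reason for the severity, and the two added NOTE lines are bare links. Since the description is marked "** DISPUTED **", add a one-line NOTE stating why the issue is treated as unimportant, so the triage decision can be read without opening the pull request.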
[Git][security-tracker-team/security-tracker][master] LTS: claim cups
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: c69a42f2 by Anton Gladky at 2020-05-14T08:01:07+02:00 LTS: claim cups - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -41,7 +41,7 @@ bluez condor NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto) -- -cups +cups (Anton Gladky) NOTE: 20200514: Two open issues. Added on request from Anton Gladky. (sunweaver) -- exim4 (Roberto C. Sánchez) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c69a42f2ca22dc17cba1463a14e2d8657e249065