[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: triage tomcat7 CVEs in stretch; none affect libservlet3.0-java, which is...

2020-08-22 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
227dec84 by Roberto C. Sánchez at 2020-08-22T20:18:30-04:00
LTS: triage tomcat7 CVEs in stretch; none affect libservlet3.0-java, which is 
the only binary package built from the tomcat7 source package in stretch

- - - - -
09345bb5 by Roberto C. Sánchez at 2020-08-22T20:19:12-04:00
LTS: remove tomcat7 from dla-needed.txt, no open issues remain

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -35398,6 +35398,7 @@ CVE-2020-9484 (When using Apache Tomcat versions 
10.0.0-M1 to 10.0.0-M4, 9.0.0.M
- tomcat9 9.0.35-1 (bug #961209)
- tomcat8 
- tomcat7 
+   [stretch] - tomcat7  (No components in libservlet3.0-java 
binary package are affected)
NOTE: 
https://github.com/apache/tomcat/commit/bb33048e3f9b4f2b70e4da2e6c4e34ca89023b1b
 (10.0.0-M5)
NOTE: 
https://github.com/apache/tomcat/commit/3aa8f28db7efb311cdd1b6fe15a9cd3b167a
 (9.0.35)
NOTE: 
https://github.com/apache/tomcat/commit/ec08af18d0f9ddca3f2d800ef66fe7fd20afef2f
 (8.5.55)
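Review bot: the reason on the added `[stretch] - tomcat7` line omits the fact that actually justifies it, namely that libservlet3.0-java is the only binary package built from the tomcat7 source in stretch (that is stated in the commit message only); fold it into the parenthesised reason, for example `(Only libservlet3.0-java is built from tomcat7 in stretch and it contains no affected component)`, since someone reading data/CVE/list alone otherwise has to ask why a statement about one binary settles the whole source package. Separately, no status keyword is visible between `tomcat7` and the reason on the added line (nor on the context `- tomcat7` lines), so confirm that the committed line carries the tag matching this reason; the same applies to the other five stretch lines in this commit.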
@@ -55160,6 +55161,7 @@ CVE-2020-1938 (When using the Apache JServ Protocol 
(AJP), care must be taken wh
- tomcat9 9.0.31-1 (bug #952437)
- tomcat8  (bug #952438)
- tomcat7  (bug #952436)
+   [stretch] - tomcat7  (No components in libservlet3.0-java 
binary package are affected)
NOTE: AJP disabled in Debian in default configuration since 2008
NOTE: fixed in upstream versions 9.0.31, 8.5.51, 7.0.100
NOTE: 
https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487
@@ -55186,6 +55188,7 @@ CVE-2020-1935 (In Apache Tomcat 9.0.0.M1 to 9.0.30, 
8.5.0 to 8.5.50 and 7.0.0 to
- tomcat9 9.0.31-1
- tomcat8 
- tomcat7 
+   [stretch] - tomcat7  (No components in libservlet3.0-java 
binary package are affected)
NOTE: 
https://github.com/apache/tomcat/commit/8bfb0ff7f25fe7555a5eb2f7984f73546c11aa26
 (9.0.31)
NOTE: 
https://github.com/apache/tomcat/commit/8fbe2e962f0ea138d92361921643fe5abe0c4f56
 (8.5.51)
NOTE: 
https://github.com/apache/tomcat/commit/702bf15bea292915684d931526d95d4990b2e73d
 (7.0.100)
@@ -64175,6 +64178,7 @@ CVE-2019-17569 (The refactoring present in Apache 
Tomcat 9.0.28 to 9.0.30, 8.5.4
- tomcat8 
[jessie] - tomcat8  (vulnerable code introduced in later 
version)
- tomcat7 
+   [stretch] - tomcat7  (No components in libservlet3.0-java 
binary package are affected)
NOTE: 
https://github.com/apache/tomcat/commit/060ecc5eb839208687b7fcc9e35287ac8eb46998
 (9.0.31)
NOTE: 
https://github.com/apache/tomcat/commit/959f1dfd767bf3cb64776b44f7395d1d8d8f7ab3
 (8.5.51)
NOTE: 
https://github.com/apache/tomcat/commit/b191a0d9cf06f4e04257c221bfe41d2b108a9cc8
 (7.0.100)
@@ -64202,6 +64206,7 @@ CVE-2019-17563 (When using FORM authentication with 
Apache Tomcat 9.0.0.M1 to 9.
- tomcat9 9.0.31-1
- tomcat8 
- tomcat7 
+   [stretch] - tomcat7  (No components in libservlet3.0-java 
binary package are affected)
NOTE: 
https://github.com/apache/tomcat/commit/1ecba14e690cf5f3f143eef6ae7037a6d3c16652
 (9.0.30)
NOTE: 
https://github.com/apache/tomcat/commit/e19a202ee43b6e2a538be5515ae0ab32d8ef112c
 (8.5.50)
NOTE: 
https://github.com/apache/tomcat/commit/ab72a106fe5d992abddda954e30849d7cf8cc583
 (7.0.99)
@@ -81001,6 +81006,7 @@ CVE-2019-12418 (When Apache Tomcat 9.0.0.M1 to 9.0.28, 
8.5.0 to 8.5.47, 7.0.0 an
- tomcat9 9.0.31-1
- tomcat8 
- tomcat7 
+   [stretch] - tomcat7  (No components in libservlet3.0-java 
binary package are affected)
NOTE: 
https://github.com/apache/tomcat/commit/1fc9f589dbdd8295cf313b2667ab041c425f99c3
 (9.0.29)
NOTE: 
https://github.com/apache/tomcat/commit/a91d7db4047d372b2f12999d3cf2bc3254c20d00
 (8.5.48)
NOTE: 
https://github.com/apache/tomcat/commit/bef3f40400243348d12f4abfe9b413f43897c02b
 (7.0.98)
@@ -116675,6 +116681,7 @@ CVE-2019-0221 (The SSI printenv command in Apache 
Tomcat 9.0.0.M1 to 9.0.0.17, 8
- tomcat9 9.0.16-4 (bug #929895)
- tomcat8 
- tomcat7 
+   [stretch] - tomcat7  (No components in libservlet3.0-java 
binary package are affected)
NOTE: affects debug channel, unlikely to be present in production 
websites:
NOTE: 
https://mail-archives.apache.org/mod_mbox/www-announce/201905.mbox/%3cb1905aa6-f340-8d0b-58c4-8ac3ebcbf...@apache.org%3E
NOTE: https://github.com/apache/tomcat/commit/15fcd16 (9.0.19)


=
data/dla-needed.txt
=
@@ -197,8 +197,6 @@ sympa
   NOTE: 20200604: the non-public patch is being discussed internally. (utkarsh)
   NOTE: 20200604: shall 

[Git][security-tracker-team/security-tracker][master] LTS: claim tomcat7

2020-08-22 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ccdff3a4 by Roberto C. Sánchez at 2020-08-22T19:00:03-04:00
LTS: claim tomcat7

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -197,7 +197,7 @@ sympa
   NOTE: 20200604: the non-public patch is being discussed internally. (utkarsh)
   NOTE: 20200604: shall process the upload once the confirmation is given. 
(utkarsh)
 --
-tomcat7
+tomcat7 (Roberto C. Sánchez)
 --
 wordpress
   NOTE: 20200710: Vulnerable to at least CVE-2020-4046. (lamby)
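Review bot: the claim records the claimant but no dated progress NOTE, although the neighbouring entries in this file carry one (`NOTE: 20200604: ... (utkarsh)`, `NOTE: 20200710: Vulnerable to at least CVE-2020-4046. (lamby)`); add a line in that form, for instance `NOTE: 20200822: triaging the open tomcat7 CVEs for stretch. (roberto)` (wording is a suggestion), so the age and state of the claim are visible to the next person looking at the list.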



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ccdff3a4b7042f419304f947f419d8b634f75ed7



___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] Reserve DLA-2340-1 for sqlite3

2020-08-22 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b9ad057d by Roberto C. Sánchez at 2020-08-22T18:32:46-04:00
Reserve DLA-2340-1 for sqlite3

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[22 Aug 2020] DLA-2340-1 sqlite3 - security update
+   {CVE-2018-8740 CVE-2018-20346 CVE-2018-20506 CVE-2019-5827 
CVE-2019-9936 CVE-2019-9937 CVE-2019-16168 CVE-2019-20218 CVE-2020-11655 
CVE-2020-13434 CVE-2020-13630 CVE-2020-13632 CVE-2020-13871}
+   [stretch] - sqlite3 3.16.2-5+deb9u2
 [22 Aug 2020] DLA-2339-1 software-properties - security update
{CVE-2020-15709}
[stretch] - software-properties 0.96.20.2-1+deb9u1
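Review bot: the new entry names thirteen CVEs, but this push touches only data/DLA/list and data/dla-needed.txt, so the matching `{DLA-2340-1}` cross-references in data/CVE/list are not in it; the `automatic update` commit on this page (5aded3a4) shows the tracker filling such references in for DLA-2339-1 and DLA-2337-1, so check after the next automatic run that all thirteen entries picked the reference up, in particular CVE-2020-13630, CVE-2020-13632 and CVE-2020-13871, which have no stretch line change in the companion commit 1796ddef.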


=
data/dla-needed.txt
=
@@ -182,10 +182,6 @@ shiro
 slirp
   NOTE: 20200724: Version in stretch also requires backport of patch from 
CVE-2020-7039 (lamby)
 --
-sqlite3 (Roberto C. Sánchez)
-  NOTE: 20200712: Vulnerable to at least CVE-2020-13630. (lamby)
-  NOTE: 20200817: New CVEs have appeared.  Working on those now. (roberto)
---
 squid3 (Markus Koschany)
   NOTE: 20200813: CVE-2020-15049 requires more testing but backport works in
   NOTE: principle.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b9ad057dc4a54749a5cd37f0326e9b7ede071ac9


[Git][security-tracker-team/security-tracker][master] LTS: update issues which are to be fixed in stretch

2020-08-22 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1796ddef by Roberto C. Sánchez at 2020-08-22T18:30:05-04:00
LTS: update issues which are to be fixed in stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -23962,7 +23962,6 @@ CVE-2020-13434 (SQLite through 3.32.0 has an integer 
overflow in sqlite3_str_vap
{DLA-2221-1}
- sqlite3 3.32.1-1
[buster] - sqlite3  (Minor issue)
-   [stretch] - sqlite3  (Minor issue)
NOTE: https://www.sqlite.org/src/info/23439ea582241138
NOTE: https://www.sqlite.org/src/info/d08d3405878d394e
 CVE-2020-13433 (Jason2605 AdminPanel 4.0 allows SQL Injection via the 
editPlayer.php h ...)
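Review bot: dropping `[stretch] - sqlite3 (Minor issue)` here and in the following hunks leaves these entries with no explicit stretch status, which is what the commit message intends for issues that are about to be fixed; between this commit and the reservation of DLA-2340-1 in b9ad057d (pushed a couple of minutes later, per the timestamps on this page) the entries therefore read as open in stretch with no advisory attached. Combining the status change with the reservation in one push would avoid that window; not a blocker.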
@@ -29365,7 +29364,6 @@ CVE-2020-11655 (SQLite through 3.31.1 allows attackers 
to cause a denial of serv
{DLA-2203-1}
- sqlite3 3.31.1-5
[buster] - sqlite3  (Minor issue)
-   [stretch] - sqlite3  (Minor issue)
NOTE: https://www.sqlite.org/cgi/src/tktview?name=af4556bb5c
NOTE: Issue covered before: 
https://www.sqlite.org/cgi/src/info/712e47714863a8ed
NOTE: Fixed by: https://www.sqlite.org/cgi/src/info/4a302b42c7bf5e11
@@ -46274,7 +46272,6 @@ CVE-2019-20219 (ngiflib 0.4 has a heap-based buffer 
over-read in GifIndexToTrueC
 CVE-2019-20218 (selectExpander in select.c in SQLite 3.30.1 proceeds with WITH 
stack u ...)
- sqlite3 3.30.1+fossil191229-1
[buster] - sqlite3  (Minor issue)
-   [stretch] - sqlite3  (Minor issue)
[jessie] - sqlite3  (Minor issue)
NOTE: Fixed by: 
https://github.com/sqlite/sqlite/commit/a6c1a71cde082e09750465d5675699062922e387
 CVE-2019-20217 (D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote 
attackers  ...)
@@ -68344,7 +68341,6 @@ CVE-2019-16149
 CVE-2019-16168 (In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c 
can cras ...)
- sqlite3 3.29.0-2
[buster] - sqlite3  (Minor issue)
-   [stretch] - sqlite3  (Minor issue)
[jessie] - sqlite3  (Minor issue)
NOTE: 
https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg116312.html
NOTE: 
https://www.sqlite.org/src/info/e4598ecbdd18bd82945f6029013296690e719a62
@@ -88059,12 +88055,10 @@ CVE-2019-9938 (The SHAREit application before 4.0.42 
for Android allows a remote
NOT-FOR-US: SHAREit
 CVE-2019-9937 (In SQLite 3.27.2, interleaving reads and writes in a single 
transactio ...)
- sqlite3 3.27.2-2 (low; bug #925290)
-   [stretch] - sqlite3  (Minor issue)
[jessie] - sqlite3  (fts5 introducded later, function not 
available for fts3)
NOTE: https://sqlite.org/src/info/45c73deb440496e8
 CVE-2019-9936 (In SQLite 3.27.2, running fts5 prefix queries inside a 
transaction cou ...)
- sqlite3 3.27.2-2 (low; bug #925289)
-   [stretch] - sqlite3  (Minor issue)
[jessie] - sqlite3  (fts5 introducded later, function not 
available for fts3)
NOTE: https://sqlite.org/src/info/b3fa58dd7403dbd4
 CVE-2019-9935 (Various Lexmark products have Incorrect Access Control (issue 2 
of 2). ...)
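Review bot: the unchanged jessie lines in this hunk carry the typo `introducded` (twice), and the CVE-2019-5827 hunk below has `inpact` on both of its release lines; since these entries are being edited anyway, fix the spelling in the same commit rather than leaving it for a later cosmetic change.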
@@ -99895,7 +99889,6 @@ CVE-2019-5827 (Integer overflow in SQLite via WebSQL in 
Google Chrome prior to 7
- chromium 75.0.3770.80-1
[stretch] - chromium  (see DSA 4562)
- sqlite3 3.27.2-3
-   [stretch] - sqlite3  (Minor issue; mainly with inpact in 
chromium)
[jessie] - sqlite3  (Minor issue; mainly with inpact in 
chromium)
NOTE: https://www.sqlite.org/src/info/07ee06fd390bfebe
NOTE: https://www.sqlite.org/src/info/0b6ae032c28e7fe3
@@ -106133,7 +106126,6 @@ CVE-2018-20507 (An issue was discovered in GitLab 
Enterprise Edition 11.2.x thro
 CVE-2018-20506 (SQLite before 3.25.3, when the FTS3 extension is enabled, 
encounters a ...)
{DLA-1613-1}
- sqlite3 3.25.3-1
-   [stretch] - sqlite3  (Minor issue)
NOTE: https://sqlite.org/src/info/940f2adc8541a838
 CVE-2018-20505 (SQLite 3.25.2, when queries are run on a table with a 
malformed PRIMAR ...)
- sqlite3 3.25.3-1
@@ -107287,7 +107279,6 @@ CVE-2018-20173 (Zoho ManageEngine OpManager 12.3 
before 123238 allows SQL inject
 CVE-2018-20346 (SQLite before 3.25.3, when the FTS3 extension is enabled, 
encounters a ...)
{DSA-4352-1 DLA-1613-1}
- sqlite3 3.25.3-1
-   [stretch] - sqlite3  (Minor issue)
- chromium 71.0.3578.80-1
NOTE: https://blade.tencent.com/magellan/index_en.html
NOTE: RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1659379
@@ -145240,7 +145231,6 @@ CVE-2018-8741 (A directory traversal flaw in 
SquirrelMail 1.4.22 allows an authe
 CVE-2018-8740 (In SQLite through 3.22.0, databases whose schema is corrupted 
using a  ...)
{DLA-1633-1}
- sqlite3 3.22.0-2 (bug #893195)
-   [stretch] - sqlite3  (Minor issue)
[wheezy] - sqlite3  (Minor 

[Git][security-tracker-team/security-tracker][master] Update information including minimal backport for CVE-2020-14367/chrony

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
79abc738 by Salvatore Bonaccorso at 2020-08-22T22:29:37+02:00
Update information including minimal backport for CVE-2020-14367/chrony

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21500,8 +21500,10 @@ CVE-2020-14368
 CVE-2020-14367 [Insecure writing to PID file]
RESERVED
- chrony 3.5.1-1
-   NOTE: 
https://git.tuxfamily.org/chrony/chrony.git/commit/util.c?id=7a4c396bba8f92a3ee8018620983529152050c74
-   NOTE: 
https://git.tuxfamily.org/chrony/chrony.git/commit/main.c?id=e18903a6b56341481a2e08469c0602010bf7bfe3
+   NOTE: https://www.openwall.com/lists/oss-security/2020/08/21/1
+   NOTE: Fixed by: 
https://git.tuxfamily.org/chrony/chrony.git/commit/util.c?id=7a4c396bba8f92a3ee8018620983529152050c74
 (4.0-pre1)
+   NOTE: Fixed by: 
https://git.tuxfamily.org/chrony/chrony.git/commit/main.c?id=e18903a6b56341481a2e08469c0602010bf7bfe3
 (4.0-pre1)
+   NOTE: Minimal backport: 
https://git.tuxfamily.org/chrony/chrony.git/commit/?id=f00fed20092b6a42283f29c6ee1f58244d74b545
 (3.5.1)
 CVE-2020-14366
RESERVED
 CVE-2020-14365



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/79abc73841bbaeb10fa0423397162f1ea81938c3


[Git][security-tracker-team/security-tracker][master] automatic update

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5aded3a4 by security tracker role at 2020-08-22T20:10:25+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -14521,11 +14521,11 @@ CVE-2020-17370
 CVE-2020-17369
RESERVED
 CVE-2020-17368 (Firejail through 0.9.62 mishandles shell metacharacters during 
use of  ...)
-   {DSA-4742-1}
+   {DSA-4742-1 DLA-2336-1}
- firejail 0.9.62-4
NOTE: 
https://github.com/netblue30/firejail/commit/34193604fed04cad2b7b6b0f1a3a0428afd9ed5b
 CVE-2020-17367 (Firejail through 0.9.62 does not honor the -- end-of-options 
indicator ...)
-   {DSA-4742-1}
+   {DSA-4742-1 DLA-2336-1}
- firejail 0.9.62-4
NOTE: 
https://github.com/netblue30/firejail/commit/2c734d6350ad321fccbefc5ef0382199ac331b37
 CVE-2020-17366 (An issue was discovered in NLnet Labs Routinator 0.1.0 through 
0.7.1.  ...)
@@ -18088,6 +18088,7 @@ CVE-2020-15710
RESERVED
 CVE-2020-15709
RESERVED
+   {DLA-2339-1}
- software-properties  (bug #968850)
[buster] - software-properties  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2020/08/03/1
@@ -18165,6 +18166,7 @@ CVE-2019-20908 (An issue was discovered in 
drivers/firmware/efi/efi.c in the Lin
NOTE: https://www.openwall.com/lists/oss-security/2020/06/14/1
NOTE: Fixed by: 
https://git.kernel.org/linus/1957a85b0032a81e6482ca4aab883643b8dae06e
 CVE-2019-20907 (In Lib/tarfile.py in Python through 3.8.3, an attacker is able 
to craf ...)
+   {DLA-2337-1}
- python3.9 3.9.0~b5-1 (low)
- python3.8 3.8.5-1 (low)
- python3.7  (low)
@@ -68565,7 +68567,7 @@ CVE-2019-16058 (An issue was discovered in the pam_p11 
component 0.2.0 and 0.3.0
 CVE-2019-16057 (The login_mgr.cgi script in D-Link DNS-320 through 2.05.B10 is 
vulnera ...)
NOT-FOR-US: D-Link
 CVE-2019-16056 (An issue was discovered in Python through 2.7.16, 3.x through 
3.5.7, 3 ...)
-   {DLA-2280-1 DLA-1925-1 DLA-1924-1}
+   {DLA-2337-1 DLA-2280-1 DLA-1925-1 DLA-1924-1}
- python3.8 3.8.0~b4-1
- python3.7 3.7.4-4
[buster] - python3.7 3.7.3-2+deb10u1
@@ -1,7 +3,7 @@ CVE-2019-13578 (A SQL injection vulnerability exists in 
the Impress GiveWP Give
 CVE-2019-13577 (SnmpAdm.exe in MAPLE WBT SNMP Administrator v2.0.195.15 has an 
Unauthe ...)
NOT-FOR-US: SnmpAdm.exe in MAPLE WBT SNMP Administrator
 CVE-2018-20852 (http.cookiejar.DefaultPolicy.domain_return_ok in 
Lib/http/cookiejar.py ...)
-   {DLA-2280-1 DLA-1906-1 DLA-1889-1}
+   {DLA-2337-1 DLA-2280-1 DLA-1906-1 DLA-1889-1}
- python3.7 3.7.3~rc1-1
- python3.5 
- python3.4 
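Review bot: the header `@@ -1,7 +3,7 @@` cannot be right for a hunk that sits between the ones at 68565 and 87995 of data/CVE/list; the content (adding `DLA-2337-1` to CVE-2018-20852 in the same way as the surrounding hunks) looks fine, so this is most likely damage in the mail rendering, but anyone reviewing this entry from the archive should check the commit on salsa rather than this message.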
@@ -87995,7 +87997,7 @@ CVE-2019-9950 (Western Digital My Cloud, My Cloud 
Mirror Gen2, My Cloud EX2 Ultr
 CVE-2019-9949 (Western Digital My Cloud Cloud, Mirror Gen2, EX2 Ultra, EX2100, 
EX4100 ...)
NOT-FOR-US: Western Digital
 CVE-2019-9948 (urllib in Python 2.x through 2.7.16 supports the local_file: 
scheme, w ...)
-   {DLA-2280-1 DLA-1852-1 DLA-1834-1}
+   {DLA-2337-1 DLA-2280-1 DLA-1852-1 DLA-1834-1}
- python3.7 3.7.4~rc2-2
[buster] - python3.7 3.7.3-2+deb10u1
- python3.6 
@@ -88009,7 +88011,7 @@ CVE-2019-9948 (urllib in Python 2.x through 2.7.16 
supports the local_file: sche
NOTE: 
https://github.com/python/cpython/commit/b15bde8058e821b383d81fcae68b335a752083ca
 (2.7)
NOTE: 
https://github.com/python/cpython/commit/942c31dffbe886ff02e25a319cc3891220b8c641
 (2.7)
 CVE-2019-9947 (An issue was discovered in urllib2 in Python 2.x through 2.7.16 
and ur ...)
-   {DLA-2280-1 DLA-1835-1 DLA-1834-1}
+   {DLA-2337-1 DLA-2280-1 DLA-1835-1 DLA-1834-1}
- python3.7 3.7.4~rc2-2
[buster] - python3.7 3.7.3-2+deb10u1
- python3.6 
@@ -89559,7 +89561,7 @@ CVE-2019-9741 (An issue was discovered in net/http in 
Go 1.11.5. CRLF injection
NOTE: 
https://github.com/golang/go/commit/829c5df58694b3345cb5ea41206783c8ccf5c3ca#diff-b97af51863ce82bf2a13003b52034aa9
NOTE: 
https://github.com/golang/go/commit/f1d662f34788f4a5f087581d0951cdf4e0f6e708#diff-b97af51863ce82bf2a13003b52034aa9
 CVE-2019-9740 (An issue was discovered in urllib2 in Python 2.x through 2.7.16 
and ur ...)
-   {DLA-2280-1 DLA-1835-1 DLA-1834-1}
+   {DLA-2337-1 DLA-2280-1 DLA-1835-1 DLA-1834-1}
- python3.7 3.7.4~rc2-2
[buster] - python3.7 3.7.3-2+deb10u1
- python3.6 
@@ -89837,7 +89839,7 @@ CVE-2019-9643
 CVE-2019-9642 (An issue was discovered in proxy.php in pydio-core in Pydio 
through 8. ...)
- extplorer 
 CVE-2019-9636 (Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected 
by: Impr ...)
-   {DLA-2280-1 DLA-1835-1 DLA-1834-1}
+   {DLA-2337-1 DLA-2280-1 DLA-1835-1 DLA-1834-1}
- 

[Git][security-tracker-team/security-tracker][master] Add CVE-2020-7068/php for tracking

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
00e2b543 by Salvatore Bonaccorso at 2020-08-22T21:51:25+02:00
Add CVE-2020-7068/php for tracking

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -41193,6 +41193,12 @@ CVE-2020-7069
RESERVED
 CVE-2020-7068
RESERVED
+   - php7.4 7.4.9-1
+   - php7.3 
+   - php7.0 
+   NOTE: Fixed in PHP 7.4.9, 7.3.21, 7.2.33
+   NOTE: PHP Bug: https://bugs.php.net/79797
+   NOTE: 
https://git.php.net/?p=php-src.git;a=commit;h=7355ab81763a3d6a04ac11660e6a16d58838d187
 CVE-2020-7067 (In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17 and 
7.4.x below ...)
{DSA-4719-1 DSA-4717-1 DLA-2188-1}
- php7.4 7.4.5-1 (unimportant)
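Review bot: the new entry has no bracketed one-line description, which the other RESERVED entries on this page carry (`CVE-2020-14367 [Insecure writing to PID file]`); add one taken from PHP bug 79797 so the entry is readable without following the link. Also, the `Fixed in PHP 7.4.9, 7.3.21, 7.2.33` NOTE lists no 7.0 release while `php7.0` is tracked as open, matching the neighbouring CVE-2020-7067 entry; a short remark that the 7.0 package needs a backport of the referenced php-src commit would save the LTS team the lookup.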



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/00e2b543c118fd4ee540326edee67e1d99ef3666


[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-11048/php7.4 as fixed with last unstable upload

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
994c9c4c by Salvatore Bonaccorso at 2020-08-22T21:50:08+02:00
Mark CVE-2019-11048/php7.4 as fixed with last unstable upload

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -84861,7 +84861,7 @@ CVE-2019-11049 (In PHP versions 7.3.x below 7.3.13 and 
7.4.0 on Windows, when su
NOTE: PHP Bug: http://bugs.php.net/78943
 CVE-2019-11048 (In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18 and 
7.4.x below ...)
{DSA-4719-1 DSA-4717-1 DLA-2261-1}
-   - php7.4 
+   - php7.4 7.4.9-1
- php7.3 
- php7.0 
- php5 



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/994c9c4ca28f6e57bf4face8289d02e6e46a8c3f


[Git][security-tracker-team/security-tracker][master] Update status for CVE-2020-24352/qemu

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0cc72d87 by Salvatore Bonaccorso at 2020-08-22T21:36:08+02:00
Update status for CVE-2020-24352/qemu

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -514,7 +514,7 @@ CVE-2020-24353
 CVE-2020-24352
RESERVED
- qemu  (bug #968820)
-   [buster] - qemu  (Can be fixed along in later DSA)
+   [buster] - qemu  (Vulnerable code introduced in ATI VGA 
device emulation added later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1847584
 CVE-2020-24351
RESERVED
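Review bot: the new reason, `Vulnerable code introduced in ATI VGA device emulation added later`, describes a release that is not affected at all, whereas the old one, `Can be fixed along in later DSA`, described a deferred fix; those are different tracker states, and the keyword is not visible in the hunk as rendered, so confirm the buster line was switched to the not-affected form together with the reason rather than only the text being replaced.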



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0cc72d87dfa5ff221548af4124f6a663457e281d


[Git][security-tracker-team/security-tracker][master] CVE-2020-13776/systemd fixed in unstable via 246-2 upload

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d6aee4c1 by Salvatore Bonaccorso at 2020-08-22T21:29:41+02:00
CVE-2020-13776/systemd fixed in unstable via 246-2 upload

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -23154,7 +23154,7 @@ CVE-2020-13777 (GnuTLS 3.6.x before 3.6.14 uses 
incorrect cryptography for encry
NOTE: 
https://gitlab.com/gnutls/gnutls/-/commit/c2646aeee94e71cb15c90a3147cf3b5b0ca158ca
NOTE: 
https://gitlab.com/gnutls/gnutls/-/commit/3d7fae761e65e9d0f16d7247ee8a464d4fe002da
 CVE-2020-13776 (systemd through v245 mishandles numerical usernames such as 
ones compo ...)
-   - systemd  (unimportant)
+   - systemd 246-2 (unimportant)
NOTE: https://github.com/systemd/systemd/issues/15985
NOTE: 
https://github.com/systemd/systemd/commit/156a5fd297b61bce31630d7a52c15614bf784843
 (v246-rc1)
NOTE: 
https://github.com/systemd/systemd/commit/6495ceddf38aed2c9efdcf9d3440140190800b55
 (v246-rc1)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6aee4c1d7e9ab0823fca8c13afd01795dc07077


[Git][security-tracker-team/security-tracker][master] Reference second commit for CVE-2020-13776/systemd

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
85c344bd by Salvatore Bonaccorso at 2020-08-22T21:28:38+02:00
Reference second commit for CVE-2020-13776/systemd

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -23157,6 +23157,7 @@ CVE-2020-13776 (systemd through v245 mishandles 
numerical usernames such as ones
- systemd  (unimportant)
NOTE: https://github.com/systemd/systemd/issues/15985
NOTE: 
https://github.com/systemd/systemd/commit/156a5fd297b61bce31630d7a52c15614bf784843
 (v246-rc1)
+   NOTE: 
https://github.com/systemd/systemd/commit/6495ceddf38aed2c9efdcf9d3440140190800b55
 (v246-rc1)
NOTE: Issue exists due to an incomplete fix for CVE-2017-182.
 CVE-2020-13775 (ZNC 1.8.0 up to 1.8.1-rc1 allows authenticated users to 
trigger an app ...)
- znc 1.8.1-1 (bug #962105)
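Review bot: the context line `NOTE: Issue exists due to an incomplete fix for CVE-2017-182.` references an identifier that is not well-formed (CVE sequence numbers have at least four digits), so it is either truncated or mistyped; since a second fix commit is being referenced here precisely because the earlier fix was incomplete, correct the identifier so the link to the original issue is usable.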



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/85c344bd59c5ae6fe8511b1bec405b4fc55faef6


[Git][security-tracker-team/security-tracker][master] Reference upstream commit for CVE-2020-13776

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5916cce4 by Salvatore Bonaccorso at 2020-08-22T21:24:49+02:00
Reference upstream commit for CVE-2020-13776

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -23156,6 +23156,7 @@ CVE-2020-13777 (GnuTLS 3.6.x before 3.6.14 uses 
incorrect cryptography for encry
 CVE-2020-13776 (systemd through v245 mishandles numerical usernames such as 
ones compo ...)
- systemd  (unimportant)
NOTE: https://github.com/systemd/systemd/issues/15985
+   NOTE: 
https://github.com/systemd/systemd/commit/156a5fd297b61bce31630d7a52c15614bf784843
 (v246-rc1)
NOTE: Issue exists due to an incomplete fix for CVE-2017-182.
 CVE-2020-13775 (ZNC 1.8.0 up to 1.8.1-rc1 allows authenticated users to 
trigger an app ...)
- znc 1.8.1-1 (bug #962105)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5916cce4f1a5e141e8bda1849662baa7c9bd397e


[Git][security-tracker-team/security-tracker][master] CVE-2020-15954/kdepim-runtime fixed in unstable upload

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
99bfbae8 by Salvatore Bonaccorso at 2020-08-22T21:15:04+02:00
CVE-2020-15954/kdepim-runtime fixed in unstable upload

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17479,7 +17479,7 @@ CVE-2020-15955
RESERVED
 CVE-2020-15954 (KDE KMail 19.12.3 (aka 5.13.3) engages in unencrypted POP3 
communicati ...)
{DLA-2300-1}
-   - kdepim-runtime  (bug #96)
+   - kdepim-runtime 4:20.04.1-2 (bug #96)
[buster] - kdepim-runtime  (Minor issue)
- kmail-account-wizard 4:20.04.1-2 (bug #97)
[buster] - kmail-account-wizard  (Minor issue)
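Review bot: both bug references in this entry, `(bug #96)` on the changed kdepim-runtime line and `(bug #97)` on the kmail-account-wizard context line, look truncated (bugs filed in 2020 have six-digit numbers, compare `bug #968820` in the qemu entry on this page); check them against the BTS and fill in the full numbers while the entry is being updated.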



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99bfbae86f379a892dbee8a476aba9c90ff8e890


[Git][security-tracker-team/security-tracker][master] proftpd-dfsg, memory leaks fixed in 1.3.5e+r1.3.5b-4+deb9u1

2020-08-22 Thread Markus Koschany


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a5829ecb by Markus Koschany at 2020-08-22T18:34:45+02:00
proftpd-dfsg, memory leaks fixed in 1.3.5e+r1.3.5b-4+deb9u1

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -89935,6 +89935,7 @@ CVE-2019-9625 (JBMC DirectAdmin 1.55 allows CSRF via 
the /CMD_ACCOUNT_ADMIN URI
NOT-FOR-US: JBMC DirectAdmin
 CVE-2019- [high memory usage with some long running sessions]
- proftpd-dfsg 1.3.5d-1 (bug #923926)
+   [stretch] - proftpd-dfsg 1.3.5e+r1.3.5b-4+deb9u1
[jessie] - proftpd-dfsg 1.3.5e-0+deb8u1
NOTE: 
https://github.com/proftpd/proftpd/issues/330#issuecomment-276891713
NOTE: 
https://forum.armbian.com/topic/9692-nanopi-neo-2-memory-leak-in-proftpd-even-worse-if-ssl-encrypted/?do=findComment=73069
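Review bot: the stretch version `1.3.5e+r1.3.5b-4+deb9u1` matches the DLA-2338-1 entry reserved in e5a2965a, but because the issue has no CVE id (`CVE-2019- [high memory usage with some long running sessions]`) the advisory entry carries no `{CVE-...}` line and nothing in either file ties the two together except the package name; add a NOTE naming DLA-2338-1 to this entry so the link is recorded.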



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5829ecb98eaef8b1f6f933da58af5696e9455ae


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2339-1 for software-properties

2020-08-22 Thread Sylvain Beucler


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
54212a58 by Sylvain Beucler at 2020-08-22T18:29:33+02:00
Reserve DLA-2339-1 for software-properties

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[22 Aug 2020] DLA-2339-1 software-properties - security update
+   {CVE-2020-15709}
+   [stretch] - software-properties 0.96.20.2-1+deb9u1
 [22 Aug 2020] DLA-2338-1 proftpd-dfsg - security update
[stretch] - proftpd-dfsg 1.3.5e+r1.3.5b-4+deb9u1
 [22 Aug 2020] DLA-2337-1 python2.7 - security update
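Review bot: the stretch fix ships as DLA-2339-1, while the automatic-update hunk for CVE-2020-15709 on this page still shows `[buster] - software-properties (Minor issue)`; if the issue warranted an LTS advisory, the buster entry deserves either a reason that says why it is minor there or a note on the planned point-release update, since `Minor issue` alone reads as contradicting this advisory.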


=
data/dla-needed.txt
=
@@ -182,8 +182,6 @@ shiro
 slirp
   NOTE: 20200724: Version in stretch also requires backport of patch from 
CVE-2020-7039 (lamby)
 --
-software-properties (Sylvain Beucler)
---
 sqlite3 (Roberto C. Sánchez)
   NOTE: 20200712: Vulnerable to at least CVE-2020-13630. (lamby)
   NOTE: 20200817: New CVEs have appeared.  Working on those now. (roberto)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54212a589e03bfe800d11c8f1ac35e735aa81237


[Git][security-tracker-team/security-tracker][master] 2 commits: Remove no-dsa, proftpd-dfsg memory leak issue from 2019. Upload is pending.

2020-08-22 Thread Markus Koschany


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b276b174 by Markus Koschany at 2020-08-22T18:09:01+02:00
Remove no-dsa, proftpd-dfsg memory leak issue from 2019. Upload is pending.

- - - - -
e5a2965a by Markus Koschany at 2020-08-22T18:10:26+02:00
Reserve DLA-2338-1 for proftpd-dfsg

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=
data/CVE/list
=
@@ -89935,7 +89935,6 @@ CVE-2019-9625 (JBMC DirectAdmin 1.55 allows CSRF via 
the /CMD_ACCOUNT_ADMIN URI
NOT-FOR-US: JBMC DirectAdmin
 CVE-2019- [high memory usage with some long running sessions]
- proftpd-dfsg 1.3.5d-1 (bug #923926)
-   [stretch] - proftpd-dfsg  (Minor issue)
[jessie] - proftpd-dfsg 1.3.5e-0+deb8u1
NOTE: 
https://github.com/proftpd/proftpd/issues/330#issuecomment-276891713
NOTE: 
https://forum.armbian.com/topic/9692-nanopi-neo-2-memory-leak-in-proftpd-even-worse-if-ssl-encrypted/?do=findComment=73069


=
data/DLA/list
=
@@ -1,3 +1,5 @@
+[22 Aug 2020] DLA-2338-1 proftpd-dfsg - security update
+   [stretch] - proftpd-dfsg 1.3.5e+r1.3.5b-4+deb9u1
 [22 Aug 2020] DLA-2337-1 python2.7 - security update
{CVE-2018-20852 CVE-2019-5010 CVE-2019-9636 CVE-2019-9740 CVE-2019-9947 
CVE-2019-9948 CVE-2019-16056 CVE-2019-20907}
[stretch] - python2.7 2.7.13-2+deb9u4



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f16f1f789acda233b8a9b6b679d82f01115079d0...e5a2965a738b0c0990ccbc8891462e2f8efbd9a8


[Git][security-tracker-team/security-tracker][master] Mark golang-x-text as removed from unstable

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f16f1f78 by Salvatore Bonaccorso at 2020-08-22T17:43:51+02:00
Mark golang-x-text as removed from unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -22375,7 +22375,7 @@ CVE-2020-14041
RESERVED
 CVE-2020-14040 (The x/text package before 0.3.3 for Go has a vulnerability in 
encoding ...)
- golang-golang-x-text 0.3.3-1 (bug #964272)
-   - golang-x-text  (bug #964271)
+   - golang-x-text  (bug #964271)
[buster] - golang-x-text  (Minor issue)
[stretch] - golang-x-text  (Minor issue)
NOTE: https://github.com/golang/go/issues/39491



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f16f1f789acda233b8a9b6b679d82f01115079d0


[Git][security-tracker-team/security-tracker][master] Remove CVE-2019-10160 from listing for DLA-2337-1

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
66ea04a5 by Salvatore Bonaccorso at 2020-08-22T17:41:26+02:00
Remove CVE-2019-10160 from listing for DLA-2337-1

CVE-2019-10160 was specifically for an incomplete fix from
CVE-2019-9636. As stretch did not apply the incomplete fix in a released
version, it is not affected by CVE-2019-10160. Thus restore the previous
status partially.

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=
data/CVE/list
=
@@ -87332,6 +87332,7 @@ CVE-2019-10160 (A security regression of CVE-2019-9636 
was discovered in python
- python3.4  (Vulnerable fix to regression introduced by 
fix for CVE-2019-9636 not applied)
- python2.7 2.7.16-3
[buster] - python2.7 2.7.16-2+deb10u1
+   [stretch] - python2.7  (Incomplete fix for CVE-2019-9636 
not applied)
[jessie] - python2.7  (Incomplete fix for CVE-2019-9636 
not applied)
NOTE: Introduced by: 
https://github.com/python/cpython/commit/d537ab0ff9767ef024f26246899728f0116b1ec3
 (v3.8.0a4)
NOTE: Fixed by: 
https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e
 (v3.8.0b1)


=
data/DLA/list
=
@@ -1,5 +1,5 @@
 [22 Aug 2020] DLA-2337-1 python2.7 - security update
-   {CVE-2018-20852 CVE-2019-5010 CVE-2019-9636 CVE-2019-9740 CVE-2019-9947 
CVE-2019-9948 CVE-2019-10160 CVE-2019-16056 CVE-2019-20907}
+   {CVE-2018-20852 CVE-2019-5010 CVE-2019-9636 CVE-2019-9740 CVE-2019-9947 
CVE-2019-9948 CVE-2019-16056 CVE-2019-20907}
[stretch] - python2.7 2.7.13-2+deb9u4
 [22 Aug 2020] DLA-2336-1 firejail - security update
{CVE-2020-17367 CVE-2020-17368}



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/66ea04a549f3f7ae95720eb6d530135d918aad25


[Git][security-tracker-team/security-tracker][master] 2 commits: remove no-dsa and postponed tags that are fixed in latest python2.7 upload

2020-08-22 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6c48e35e by Thorsten Alteholz at 2020-08-22T16:42:13+02:00
remove no-dsa and postponed tags that are fixed in latest python2.7 upload

- - - - -
57b80af5 by Thorsten Alteholz at 2020-08-22T16:43:10+02:00
Reserve DLA-2337-1 for python2.7

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -68565,7 +68565,6 @@ CVE-2019-16056 (An issue was discovered in Python 
through 2.7.16, 3.x through 3.
- python3.4 
- python2.7 2.7.17~rc1-1 (bug #940901)
[buster] - python2.7 2.7.16-2+deb10u1
-   [stretch] - python2.7  (Minor issue)
NOTE: https://bugs.python.org/issue34155
NOTE: 
https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9
 (master)
NOTE: 
https://github.com/python/cpython/commit/217077440a6938a0b428f67cfef6e053c4f8673c
 (v3.8.0b4)
@@ -0,7 +77769,6 @@ CVE-2018-20852 
(http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookie
- python3.4 
- python2.7 2.7.16-3
[buster] - python2.7 2.7.16-2+deb10u1
-   [stretch] - python2.7  (Minor issue)
NOTE: https://bugs.python.org/issue35121
NOTE: 
https://python-security.readthedocs.io/vuln/cookie-domain-check.html
NOTE: 
https://github.com/python/cpython/commit/979daae300916adb399ab5b51410b6ebd0888f13
 (2.7.x branch)
@@ -87334,7 +87332,6 @@ CVE-2019-10160 (A security regression of CVE-2019-9636 
was discovered in python
- python3.4  (Vulnerable fix to regression introduced by 
fix for CVE-2019-9636 not applied)
- python2.7 2.7.16-3
[buster] - python2.7 2.7.16-2+deb10u1
-   [stretch] - python2.7  (Incomplete fix for CVE-2019-9636 
not applied)
[jessie] - python2.7  (Incomplete fix for CVE-2019-9636 
not applied)
NOTE: Introduced by: 
https://github.com/python/cpython/commit/d537ab0ff9767ef024f26246899728f0116b1ec3
 (v3.8.0a4)
NOTE: Fixed by: 
https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e
 (v3.8.0b1)
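Review bot: the `-` line in this hunk that drops the stretch entry for CVE-2019-10160 removes a not-affected marker, not a no-dsa tag like the "(Minor issue)" lines removed in the other hunks of this commit. Its reason text, "Incomplete fix for CVE-2019-9636 not applied", records that the released stretch python2.7 never carried the incomplete fix this regression applies to, so stretch is not affected and the line should stay; the jessie entry directly below keeps the identical marker for the identical reason. Removing it makes the tracker fall back to the unstable fixed version and report stretch as vulnerable to a regression it never shipped.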
@@ -87996,7 +87993,6 @@ CVE-2019-9948 (urllib in Python 2.x through 2.7.16 
supports the local_file: sche
- python3.5 
- python3.4 
- python2.7 2.7.16-2
-   [stretch] - python2.7  (Minor issue)
NOTE: https://bugs.python.org/issue35907
NOTE: https://github.com/python/cpython/pull/11842
NOTE: 
https://github.com/python/cpython/commit/34bab215596671d0dec2066ae7d7450cd73f638b
 (3.7)
@@ -88012,7 +88008,6 @@ CVE-2019-9947 (An issue was discovered in urllib2 in 
Python 2.x through 2.7.16 a
- python3.4 
- python2.7 2.7.16-3
[buster] - python2.7 2.7.16-2+deb10u1
-   [stretch] - python2.7  (Minor issue)
NOTE: https://bugs.python.org/issue35906
NOTE: Introduced by: 
https://github.com/python/cpython/commit/cc54c1c0d2d05fe7404ba64c53df4b1352ed2262
NOTE: CVE-2019-9947 issue fixed with same fix as for CVE-2019-9740
@@ -89563,7 +89558,6 @@ CVE-2019-9740 (An issue was discovered in urllib2 in 
Python 2.x through 2.7.16 a
- python3.4 
- python2.7 2.7.16-3
[buster] - python2.7 2.7.16-2+deb10u1
-   [stretch] - python2.7  (Minor issue)
NOTE: https://bugs.python.org/issue30458
NOTE: https://bugs.python.org/issue36276 (duplicate)
NOTE: https://bugs.python.org/issue36274 (common regression fix)
@@ -89840,7 +89834,6 @@ CVE-2019-9636 (Python 2.7.x through 2.7.16 and 3.x 
through 3.7.2 is affected by:
- python3.5 
- python3.4 
- python2.7 2.7.16-2 (bug #924073)
-   [stretch] - python2.7  (Minor issue)
NOTE: https://bugs.python.org/issue36216
NOTE: https://github.com/python/cpython/pull/12201
NOTE: 
https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html
@@ -102035,7 +102028,6 @@ CVE-2019-5010 (An exploitable denial-of-service 
vulnerability exists in the X509
- python3.5 
- python3.4 
- python2.7 2.7.15-6 (bug #921040)
-   [stretch] - python2.7  (Minor issue, can be fixed along in a 
future DSA)
NOTE: https://bugs.python.org/issue35746
NOTE: https://github.com/python/cpython/pull/11569
NOTE: 
https://github.com/python/cpython/commit/be5de958e9052e322b0087c6dba81cdad0c3e031
 (3.7.x)


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[22 Aug 2020] DLA-2337-1 python2.7 - security update
+   {CVE-2018-20852 CVE-2019-5010 CVE-2019-9636 CVE-2019-9740 CVE-2019-9947 
CVE-2019-9948 CVE-2019-10160 CVE-2019-16056 CVE-2019-20907}
+   [stretch] - python2.7 2.7.13-2+deb9u4
 [22 Aug 2020] DLA-2336-1 firejail - security update
{CVE-2020-17367 CVE-2020-17368}
[stretch] - firejail 0.9.44.8-2+deb9u1
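Review bot: CVE-2019-10160 is listed in the DLA-2337-1 braces in this hunk, but the data/CVE/list hunk for CVE-2019-10160 in this same commit removed the stretch entry stating that the incomplete CVE-2019-9636 fix was never applied there. A DLA should not claim to fix a CVE that did not affect the release; drop CVE-2019-10160 from the braces and keep the remaining eight CVEs.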



[Git][security-tracker-team/security-tracker][master] Reserve DLA-2336-1 for firejail

2020-08-22 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6aaece3c by Thorsten Alteholz at 2020-08-22T16:35:58+02:00
Reserve DLA-2336-1 for firejail

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[22 Aug 2020] DLA-2336-1 firejail - security update
+   {CVE-2020-17367 CVE-2020-17368}
+   [stretch] - firejail 0.9.44.8-2+deb9u1
 [20 Aug 2020] DLA-2335-1 ghostscript - security update
{CVE-2020-16287 CVE-2020-16288 CVE-2020-16289 CVE-2020-16290 
CVE-2020-16291 CVE-2020-16292 CVE-2020-16293 CVE-2020-16294 CVE-2020-16295 
CVE-2020-16296 CVE-2020-16297 CVE-2020-16298 CVE-2020-16299 CVE-2020-16300 
CVE-2020-16301 CVE-2020-16302 CVE-2020-16303 CVE-2020-16304 CVE-2020-16305 
CVE-2020-16306 CVE-2020-16307 CVE-2020-16308 CVE-2020-16309 CVE-2020-16310 
CVE-2020-17538}
[stretch] - ghostscript 9.26a~dfsg-0+deb9u7


=
data/dla-needed.txt
=
@@ -73,8 +73,6 @@ firefox-esr (Emilio)
   NOTE: 20200720: working on ESR 78 backport. (pochu)
   NOTE: 20200810: backported llvm 10, looking into wasi-libc and rustc/cargo 
(pochu)
 --
-firejail (Thorsten Alteholz)
---
 freerdp (Mike Gabriel)
   NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby)
   NOTE: 20200531: Discussing if EOL'ing of freerdp (1.1) makes sense 
(sunweaver)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6aaece3cce56ede9ece2ea1d7c8d5926f6752159


[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage chrony for stretch LTS (CVE-2020-14367).

2020-08-22 Thread Chris Lamb


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
fa460f73 by Chris Lamb at 2020-08-22T12:59:15+01:00
data/dla-needed.txt: Triage chrony for stretch LTS (CVE-2020-14367).

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -45,6 +45,8 @@ ceph
   NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby)
   NOTE: 20200707: Some discussion regarding removal 
 (lamby)
 --
+chrony
+--
 cimg
   NOTE: 20200709: Upstream patch is against a newer "load_network_external"
   NOTE: 20200709: method (vs "load_network") but is still missing the argument
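Review bot: the new `chrony` entry carries no NOTE line, so the reason for adding it lives only in the commit message. The neighbouring entries in this hunk (ceph above, cimg below) record the triggering CVE in a dated NOTE; add one in the same style, e.g. `  NOTE: 20200822: Vulnerable to at least CVE-2020-14367. (lamby)`, so whoever claims the package sees the scope without consulting the git log.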



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa460f73803dbb8a8ee389218a857585080a15c9


[Git][security-tracker-team/security-tracker][master] 3 commits: data/dla-needed.txt: Triage ros-actionlib for stretch LTS (CVE-2020-10289).

2020-08-22 Thread Chris Lamb


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
94d5dc4d by Chris Lamb at 2020-08-22T12:54:44+01:00
data/dla-needed.txt: Triage ros-actionlib for stretch LTS (CVE-2020-10289).

- - - - -
5c2cedbc by Chris Lamb at 2020-08-22T12:55:17+01:00
Triage CVE-2019-14562 in edk2 for stretch LTS.

- - - - -
e86ee1cb by Chris Lamb at 2020-08-22T12:57:53+01:00
data/dla-needed.txt: Triage icingaweb2 for stretch LTS (CVE-2020-24368).

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -73403,6 +73403,7 @@ CVE-2019-14562
RESERVED
- edk2  (bug #968819)
[buster] - edk2  (Minor issue)
+   [stretch] - edk2  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1869245
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
 CVE-2019-14561


=
data/dla-needed.txt
=
@@ -90,6 +90,8 @@ guacamole-client (Mike Gabriel)
   NOTE: 20200815: The bad maintenance is not because of the maintainer, but 
because of upstream's delay to port the software
   NOTE: 20200815: over to the freerdp2 API. (sunweaver)
 --
+icingaweb2
+--
 inetutils (Adrian Bunk)
 --
 jetty9
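Review bot: the new `icingaweb2` entry has no NOTE line, while the commit message names CVE-2020-24368 as the reason for the triage. The guacamole-client entry at the top of this hunk shows the file's convention of dated NOTE lines; add `  NOTE: 20200822: Vulnerable to at least CVE-2020-24368. (lamby)` so the entry is self-describing.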
@@ -145,6 +147,10 @@ qtbase-opensource-src (Adrian Bunk)
   NOTE: 20200815: Minor issue, but easy to fix (CVE-2020-17507). Low prio.
   NOTE: 20200815: One could possibly look at the other  issues and 
decide whether they are worth fixing along. (sunweaver)
 --
+ros-actionlib
+  NOTE: 20200822: Marked as no-dsa in buster, but appears to be used in remote
+  NOTE: 20200822: IPC (?) so severity should be confirmed. (lamby)
+--
 ruby-actionpack-page-caching
   NOTE: 20200819: Upstream's patch on does not apply due to subsequent
   NOTE: 20200819: refactoring. However, a quick look at the private



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7a39a48a718acbb8644be6c07974270372bbaa1a...e86ee1cbc8695525dcee1fe4ff98b90537278bf5


[Git][security-tracker-team/security-tracker][master] Track upstream commits for CVE-2020-8624

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7a39a48a by Salvatore Bonaccorso at 2020-08-22T13:37:03+02:00
Track upstream commits for CVE-2020-8624

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -37488,6 +37488,9 @@ CVE-2020-8625
 CVE-2020-8624 (In BIND 9.9.12 - 9.9.13, 9.10.7 - 9.10.8, 9.11.3 - 
9.11.21 ...)
- bind9 1:9.16.6-1 (bug #966497)
NOTE: https://kb.isc.org/docs/cve-2020-8624
+   NOTE: 
https://gitlab.isc.org/isc-projects/bind9/commit/7630a64141a997b5247d9ad4a7dfff6ac6d9a485
 (v9_16_6)
+   NOTE: 
https://gitlab.isc.org/isc-projects/bind9/commit/5bf457e89a3fdc355aad74140f5e010b42d1df82
 (v9_16_6)
+   NOTE: 
https://gitlab.isc.org/isc-projects/bind9/commit/14aa0c5df65d28cf6aaf437151c6a008afb66fb1
 (v9_16_6)
 CVE-2020-8623 (In BIND 9.10.0 - 9.11.21, 9.12.0 - 9.16.5, 9.17.0 - 
9.17.3 ...)
- bind9 1:9.16.6-1
NOTE: https://kb.isc.org/docs/cve-2020-8623



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7a39a48a718acbb8644be6c07974270372bbaa1a


[Git][security-tracker-team/security-tracker][master] Track upstream commit for CVE-2020-8623

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f19d1925 by Salvatore Bonaccorso at 2020-08-22T13:36:37+02:00
Track upstream commit for CVE-2020-8623

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -37491,6 +37491,7 @@ CVE-2020-8624 (In BIND 9.9.12 - 9.9.13, 9.10.7 
- 9.10.8, 9.11.3 - 9.
 CVE-2020-8623 (In BIND 9.10.0 - 9.11.21, 9.12.0 - 9.16.5, 9.17.0 - 
9.17.3 ...)
- bind9 1:9.16.6-1
NOTE: https://kb.isc.org/docs/cve-2020-8623
+   NOTE: 
https://gitlab.isc.org/isc-projects/bind9/commit/ac3862a5da95bb07b6cf748b0958175687a9de1d
 (v9_16_6)
 CVE-2020-8622 (In BIND 9.0.0 - 9.11.21, 9.12.0 - 9.16.5, 9.17.0 - 
9.17.3, ...)
- bind9 1:9.16.6-1
NOTE: https://kb.isc.org/docs/cve-2020-8622



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f19d1925f6fd490a11a203e3b3adfb5561484e57


[Git][security-tracker-team/security-tracker][master] Track upstream commit for CVE-2020-8622

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
870b6cc3 by Salvatore Bonaccorso at 2020-08-22T13:35:56+02:00
Track upstream commit for CVE-2020-8622

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -37494,6 +37494,7 @@ CVE-2020-8623 (In BIND 9.10.0 - 9.11.21, 9.12.0 
- 9.16.5, 9.17.0 - 9
 CVE-2020-8622 (In BIND 9.0.0 - 9.11.21, 9.12.0 - 9.16.5, 9.17.0 - 
9.17.3, ...)
- bind9 1:9.16.6-1
NOTE: https://kb.isc.org/docs/cve-2020-8622
+   NOTE: 
https://gitlab.isc.org/isc-projects/bind9/commit/0eec632d6a5a474280017ec949d8a8014612f3b3
 (v9_16_6)
 CVE-2020-8621 (In BIND 9.14.0 - 9.16.5, 9.17.0 - 9.17.3, If a server 
is confi ...)
- bind9 1:9.16.6-1
[buster] - bind9  (Vulnerable code introduced in 9.14.x)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/870b6cc327e6dc8a03ffde864bf40328eb463ab4


[Git][security-tracker-team/security-tracker][master] Track upstream commit for CVE-2020-8621

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f3e65a23 by Salvatore Bonaccorso at 2020-08-22T13:33:02+02:00
Track upstream commit for CVE-2020-8621

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -37499,6 +37499,7 @@ CVE-2020-8621 (In BIND 9.14.0 - 9.16.5, 9.17.0 
- 9.17.3, If a server is
[buster] - bind9  (Vulnerable code introduced in 9.14.x)
[stretch] - bind9  (Vulnerable code introduced in 9.14.x)
NOTE: https://kb.isc.org/docs/cve-2020-8621
+   NOTE: 
https://gitlab.isc.org/isc-projects/bind9/commit/81514ff925dfc6e0c293745e0fc8320a8af95586
 (v9_16_6)
 CVE-2020-8620 (In BIND 9.15.6 - 9.16.5, 9.17.0 - 9.17.3, An attacker 
who can  ...)
- bind9 1:9.16.6-1
[buster] - bind9  (Vulnerable code introduced later)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f3e65a2340cc2214b3c58620d836b2aefca0a0ec


[Git][security-tracker-team/security-tracker][master] Track upstream commit for CVE-2020-8620

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9f99fb86 by Salvatore Bonaccorso at 2020-08-22T13:31:57+02:00
Track upstream commit for CVE-2020-8620

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -37504,6 +37504,7 @@ CVE-2020-8620 (In BIND 9.15.6 - 9.16.5, 9.17.0 
- 9.17.3, An attacker who
[buster] - bind9  (Vulnerable code introduced later)
[stretch] - bind9  (Vulnerable code introduced later)
NOTE: https://kb.isc.org/docs/cve-2020-8620
+   NOTE: 
https://gitlab.isc.org/isc-projects/bind9/commit/9a372f2bce642545164d2b4408eb6c4e301acc5e
 (v9_16_6)
 CVE-2020-8619 (In ISC BIND9 versions BIND 9.11.14 - 9.11.19, BIND 9.14.9 
- 9. ...)
- bind9 1:9.16.4-1
[buster] - bind9  (Vulnerable code introduced later)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f99fb868a3e3464eefc66b669564530994a9028


[Git][security-tracker-team/security-tracker][master] Update status for CVE-2020-8620/bind9

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b5511724 by Salvatore Bonaccorso at 2020-08-22T13:27:58+02:00
Update status for CVE-2020-8620/bind9

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -37501,6 +37501,8 @@ CVE-2020-8621 (In BIND 9.14.0 - 9.16.5, 9.17.0 
- 9.17.3, If a server is
NOTE: https://kb.isc.org/docs/cve-2020-8621
 CVE-2020-8620 (In BIND 9.15.6 - 9.16.5, 9.17.0 - 9.17.3, An attacker 
who can  ...)
- bind9 1:9.16.6-1
+   [buster] - bind9  (Vulnerable code introduced later)
+   [stretch] - bind9  (Vulnerable code introduced later)
NOTE: https://kb.isc.org/docs/cve-2020-8620
 CVE-2020-8619 (In ISC BIND9 versions BIND 9.11.14 - 9.11.19, BIND 9.14.9 
- 9. ...)
- bind9 1:9.16.4-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5511724ab22f39b74eb6e56bec5ae344dfca453


[Git][security-tracker-team/security-tracker][master] Update status for CVE-2020-8621

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5c83f929 by Salvatore Bonaccorso at 2020-08-22T13:26:51+02:00
Update status for CVE-2020-8621

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -37496,6 +37496,8 @@ CVE-2020-8622 (In BIND 9.0.0 - 9.11.21, 9.12.0 
- 9.16.5, 9.17.0 - 9.
NOTE: https://kb.isc.org/docs/cve-2020-8622
 CVE-2020-8621 (In BIND 9.14.0 - 9.16.5, 9.17.0 - 9.17.3, If a server 
is confi ...)
- bind9 1:9.16.6-1
+   [buster] - bind9  (Vulnerable code introduced in 9.14.x)
+   [stretch] - bind9  (Vulnerable code introduced in 9.14.x)
NOTE: https://kb.isc.org/docs/cve-2020-8621
 CVE-2020-8620 (In BIND 9.15.6 - 9.16.5, 9.17.0 - 9.17.3, An attacker 
who can  ...)
- bind9 1:9.16.6-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5c83f929ea24e7c832f189575d41aacd327bb2e8


[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-15709/software-properties

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cec8e410 by Salvatore Bonaccorso at 2020-08-22T13:15:55+02:00
Add Debian bug reference for CVE-2020-15709/software-properties

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -18088,7 +18088,7 @@ CVE-2020-15710
RESERVED
 CVE-2020-15709
RESERVED
-   - software-properties 
+   - software-properties  (bug #968850)
[buster] - software-properties  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2020/08/03/1
NOTE: 
https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/1890286



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cec8e410423f17ffba1e93fac351399de8119b94


[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-15709/software-properties as no-dsa for buster

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
48414111 by Salvatore Bonaccorso at 2020-08-22T13:14:55+02:00
Mark CVE-2020-15709/software-properties as no-dsa for buster

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -18089,6 +18089,7 @@ CVE-2020-15710
 CVE-2020-15709
RESERVED
- software-properties 
+   [buster] - software-properties  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2020/08/03/1
NOTE: 
https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/1890286
 CVE-2020-15708 [incorrect permissions on the UNIX domain socket allows local 
attacker to escalate privileges]



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/48414111bdf2dfc8dbeccfc4832892435f883952


[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2020-15954/kmail-account-wizard

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d0b1bfe0 by Salvatore Bonaccorso at 2020-08-22T13:01:19+02:00
Add fixed version for CVE-2020-15954/kmail-account-wizard

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17481,7 +17481,7 @@ CVE-2020-15954 (KDE KMail 19.12.3 (aka 5.13.3) engages 
in unencrypted POP3 commu
{DLA-2300-1}
- kdepim-runtime  (bug #96)
[buster] - kdepim-runtime  (Minor issue)
-   - kmail-account-wizard  (bug #97)
+   - kmail-account-wizard 4:20.04.1-2 (bug #97)
[buster] - kmail-account-wizard  (Minor issue)
NOTE: https://bugs.kde.org/show_bug.cgi?id=423426
NOTE: kdepim-runtime: 
https://invent.kde.org/pim/kdepim-runtime/commit/bd64ab29116aa7318fdee7f95878ff97580162f2



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d0b1bfe02b06f00e88fada796441c753d3ed98b9


[Git][security-tracker-team/security-tracker][master] 5 commits: Process some NFUs

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8c8c4488 by Salvatore Bonaccorso at 2020-08-22T12:45:55+02:00
Process some NFUs

- - - - -
790660d5 by Salvatore Bonaccorso at 2020-08-22T12:46:18+02:00
Add CVE-2020-{8189,8227}/nextcloud-desktop

- - - - -
843f9dcb by Salvatore Bonaccorso at 2020-08-22T12:46:45+02:00
Add CVE-2020-7923/mongodb

- - - - -
728cd5b5 by Salvatore Bonaccorso at 2020-08-22T12:47:03+02:00
Add CVE-2020-7019/elasticsearch

- - - - -
e42d42e9 by Salvatore Bonaccorso at 2020-08-22T12:50:35+02:00
Merge remote-tracking branch origin/master into master

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -809,7 +809,7 @@ CVE-2020-24214
 CVE-2020-24213
RESERVED
 CVE-2020-24212 (**REJECTED**Kaldin 4.0 is affected by: Insecure Permissions. 
The impac ...)
-   TODO: check
+   NOT-FOR-US: Kaldin
 CVE-2020-24211
RESERVED
 CVE-2020-24210
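Review bot: CVE-2020-24212's description begins with **REJECTED**, so the reason to drop it is the rejection, not that Kaldin is not packaged in Debian; record it the way other rejected IDs are recorded in this file rather than as "NOT-FOR-US: Kaldin", otherwise the entry reads as a triage decision that could be revisited.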
@@ -1357,7 +1357,7 @@ CVE-2020-23940
 CVE-2020-23939
RESERVED
 CVE-2020-23938 (***REJECTED***Out of bounds read (CWE-125) in AnnLab V3 Lite 
4.0.8.3 c ...)
-   TODO: check
+   NOT-FOR-US: AnnLab V3 Lite
 CVE-2020-23937
RESERVED
 CVE-2020-23936 (PHPGurukul Vehicle Parking Management System 1.0 is vulnerable 
to Auth ...)
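Review bot: CVE-2020-23938 is marked ***REJECTED*** in its description; "NOT-FOR-US: AnnLab V3 Lite" hides that the ID itself is withdrawn. Record it as a rejected ID instead, as is done for other rejected entries in the list.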
@@ -17734,7 +17734,7 @@ CVE-2020-15859 (QEMU 4.2.0 has a use-after-free in 
hw/net/e1000e_core.c because
NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2020-07/msg05895.html
NOTE: https://bugs.launchpad.net/qemu/+bug/1886362
 CVE-2020-15858 (Some devices of Thales DIS (formerly Gemalto, formerly 
Cinterion) allo ...)
-   TODO: check
+   NOT-FOR-US: Thales DIS
 CVE-2020-15857
RESERVED
 CVE-2020-15856
@@ -33896,13 +33896,13 @@ CVE-2020-10128
 CVE-2020-10127
RESERVED
 CVE-2020-10126 (NCR SelfServ ATMs running APTRA XFS 05.01.00 do not properly 
validate  ...)
-   TODO: check
+   NOT-FOR-US: NCR SelfServ ATMs
 CVE-2020-10125 (NCR SelfServ ATMs running APTRA XFS 04.02.01 and 05.01.00 
implement 51 ...)
-   TODO: check
+   NOT-FOR-US: NCR SelfServ ATMs
 CVE-2020-10124 (NCR SelfServ ATMs running APTRA XFS 05.01.00 do not encrypt, 
authentic ...)
-   TODO: check
+   NOT-FOR-US: NCR SelfServ ATMs
 CVE-2020-10123 (The currency dispenser of NCR SelfSev ATMs running APTRA XFS 
05.01.00  ...)
-   TODO: check
+   NOT-FOR-US: NCR SelfServ ATMs
 CVE-2019-20501 (D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated 
OS comm ...)
NOT-FOR-US: D-Link
 CVE-2019-20500 (D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated 
OS comm ...)
@@ -36409,9 +36409,9 @@ CVE-2020-9065 (Huawei smart phone Taurus-AL00B with 
versions earlier than 10.0.0
 CVE-2020-9064 (Huawei smartphone Honor V30 with versions earlier than 
OxfordS-AN00A 1 ...)
NOT-FOR-US: Huawei
 CVE-2020-9063 (NCR SelfServ ATMs running APTRA XFS 05.01.00 or earlier do not 
authent ...)
-   TODO: check
+   NOT-FOR-US: NCR SelfServ ATMs
 CVE-2020-9062 (Diebold Nixdorf ProCash 2100xe USB ATMs running Wincor Probase 
version ...)
-   TODO: check
+   NOT-FOR-US: Diebold Nixdorf ProCash 2100xe USB ATMs
 CVE-2020-9061
RESERVED
 CVE-2020-9060
@@ -38384,7 +38384,7 @@ CVE-2020-8236
 CVE-2020-8235
RESERVED
 CVE-2020-8234 (A vulnerability exists in The EdgeMax EdgeSwitch firmware 
v1.9.1 w ...)
-   TODO: check
+   NOT-FOR-US: EdgeMax EdgeSwitch firmware
 CVE-2020-8233 (A command injection vulnerability exists in EdgeSwitch firmware 
v1 ...)
NOT-FOR-US: Edgeswitch
 CVE-2020-8232 (An information disclosure vulnerability exists in EdgeMax 
EdgeSwitch f ...)
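Review bot: "NOT-FOR-US: EdgeMax EdgeSwitch firmware" on the new CVE-2020-8234 line names the product differently from the neighbouring CVE-2020-8233 line ("NOT-FOR-US: Edgeswitch"); pick one spelling for all three EdgeSwitch entries in this block so that grepping the list by product finds them together.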
@@ -38403,7 +38403,8 @@ CVE-2020-8229 (A memory leak in the OCUtil.dll library 
used by Nextcloud Desktop
 CVE-2020-8228
RESERVED
 CVE-2020-8227 (Missing sanitization of a server response in Nextcloud Desktop 
Client  ...)
-   TODO: check
+   - nextcloud-desktop 
+   NOTE: https://nextcloud.com/security/advisory/?id=NC-SA-2020-032
 CVE-2020-8226 (A vulnerability exists in phpBB v3.2.10 and v3.3.1 
which allow ...)
NOT-FOR-US: phpBB
 CVE-2020-8225
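Review bot: the new nextcloud-desktop line for CVE-2020-8227 records the upstream advisory NC-SA-2020-032 but no Debian bug reference, unlike other unfixed entries in this digest (curl's "(bug #968831)", for instance); open a bug against nextcloud-desktop and add the bug number to the line so the maintainer is notified, and state the first fixed upstream version in the NOTE.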
@@ -38483,7 +38484,8 @@ CVE-2020-8191 (Improper input validation in Citrix ADC 
and Citrix Gateway versio
 CVE-2020-8190 (Incorrect file permissions in Citrix ADC and Citrix Gateway 
before ver ...)
NOT-FOR-US: Citrix
 CVE-2020-8189 (A cross-site scripting error in Nextcloud Desktop client 2.6.4 
allowed ...)
-   TODO: check
+   - nextcloud-desktop 
+   NOTE: https://nextcloud.com/security/advisory/?id=NC-SA-2020-027
 CVE-2020-8188 (We have recently released new version of UniFi Protect firmware 
v1.13. ...)
NOT-FOR-US: UniFi Protect
 CVE-2020-8187 (Improper input validation in Citrix ADC and Citrix Gateway 
versions be ...)
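Review bot: the CVE-2020-8189 nextcloud-desktop line carries neither a Debian bug reference nor a fixed upstream version, only the NC-SA-2020-027 advisory link; since the description names client 2.6.4 as affected, add the first fixed upstream version to the NOTE and a bug reference to the package line. One bug covering both CVE-2020-8189 and CVE-2020-8227 would do.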
@@ -39214,7 +39216,8 @@ CVE-2020-7925
 CVE-2020-7924
RESERVED
 CVE-2020-7923 (A user 

[Git][security-tracker-team/security-tracker][master] mark CVE-2019-12499 and CVE-2019-12589 as not-affected for Stretch

2020-08-22 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b377e48a by Thorsten Alteholz at 2020-08-22T12:41:18+02:00
mark CVE-2019-12499 and CVE-2019-12589 as not-affected for Stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -80830,12 +80830,12 @@ CVE-2018-20840 (An unhandled exception vulnerability 
exists during Google Sign-I
NOT-FOR-US: Google Sign-In
 CVE-2019-12499 (Firejail before 0.9.60 allows truncation (resizing to length 
0) of the ...)
- firejail 0.9.58.2-2 (bug #929733)
-   [stretch] - firejail  (Minor issue)
+   [stretch] - firejail  (Vulnerable code introduced later)
NOTE: https://github.com/netblue30/firejail/issues/2401
NOTE: 
https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134
 CVE-2019-12589 (In Firejail before 0.9.60, seccomp filters are writable inside 
the jai ...)
- firejail 0.9.58.2-2 (bug #929732)
-   [stretch] - firejail  (Minor issue)
+   [stretch] - firejail  (Vulnerable code introduced later)
NOTE: https://github.com/netblue30/firejail/issues/2718
NOTE: 
https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134
 CVE-2019-12456 (** DISPUTED ** An issue was discovered in the MPT3COMMAND case 
in _ctl ...)
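Review bot: both firejail entries cite the same upstream commit eecf35c2f8249489a1d3e512bb07f0d427183134 as the fix although they track two distinct issues (#2401, truncation of files, and #2718, writable seccomp filters); check that the CVE-2019-12589 line really points at the right commit and not at a copy of the one above. The new "(Vulnerable code introduced later)" verdict for stretch would also be easier to audit with a NOTE naming the commit or upstream version that introduced the code, since that reasoning currently lives only in the commit message.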



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b377e48a4b0cc7d8507f865e084ab1a9dae34285


[Git][security-tracker-team/security-tracker][master] Track proposed fix for CVE-2020-10289/ros-actionlib via buster-pu

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d8d28f48 by Salvatore Bonaccorso at 2020-08-22T12:27:41+02:00
Track proposed fix for CVE-2020-10289/ros-actionlib via buster-pu

- - - - -


1 changed file:

- data/next-point-update.txt


Changes:

=
data/next-point-update.txt
=
@@ -22,3 +22,5 @@ CVE-2020-14349
[buster] - postgresql-11 11.9-0+deb10u1
 CVE-2020-14350
[buster] - postgresql-11 11.9-0+deb10u1
+CVE-2020-10289
+   [buster] - ros-actionlib 1.11.15-1+deb10u1
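Review bot: tracking 1.11.15-1+deb10u1 here is fine, but the matching data/CVE/list entry still reads "[buster] - ros-actionlib  (Minor issue)"; once the buster-pu is accepted that line needs the deb10u1 version, otherwise the tracker keeps showing buster as unfixed. A NOTE pointing at the p-u bug or debdiff would also help, since 1.11.15 is a different upstream branch from the 1.13.1-4 fix in unstable and the fix is a backport of upstream PR #171.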



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8d28f48133754c508f845a7ee8243cb69cd4819


[Git][security-tracker-team/security-tracker][master] 2 commits: mark CVE-2020-15473 as not affected for stretch

2020-08-22 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a265fde4 by Thorsten Alteholz at 2020-08-22T12:12:12+02:00
mark CVE-2020-15473 as not affected for stretch

- - - - -
197ae415 by Thorsten Alteholz at 2020-08-22T12:20:09+02:00
claim bind9 and curl

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -18731,6 +18731,7 @@ CVE-2020-15474 (In nDPI through 3.2, there is a stack 
overflow in extractRDNSequ
NOTE: 
https://github.com/ntop/nDPI/commit/23594f036536468072198a57c59b6e9d63caf6ce
 CVE-2020-15473 (In nDPI through 3.2, the OpenVPN dissector is vulnerable to a 
heap-bas ...)
- ndpi 
+   [stretch] - ndpi  (Vulnerable code introduced later)
NOTE: 
https://github.com/ntop/nDPI/commit/8e7b1ea7a136cc4e4aa9880072ec2d69900a825e
 CVE-2020-15472 (In nDPI through 3.2, the H.323 dissector is vulnerable to a 
heap-based ...)
- ndpi 
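Review bot: "[stretch] - ndpi  (Vulnerable code introduced later)" is added only for CVE-2020-15473 (OpenVPN dissector), while the neighbouring CVE-2020-15472 (H.323 dissector) and CVE-2020-15474 (extractRDNSequence) entries keep no stretch annotation at all; say whether those were checked as well, and record the introducing upstream commit in a NOTE so the verdict can be re-verified without redoing the bisection.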


=
data/dla-needed.txt
=
@@ -32,6 +32,8 @@ ark (Abhijith PA)
 asyncpg (Utkarsh Gupta)
   NOTE: 20200815: Minor issue, but easy to fix. (sunweaver)
 --
+bind9 (Thorsten Alteholz)
+--
 cacti
   NOTE: 20200529: A patch need to be cooked up. Upstream patch not fit for 
jessie version (abhijith)
   NOTE: 20200620: WIP (abhijith)
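Review bot: the new "bind9 (Thorsten Alteholz)" claim has no dated NOTE line, unlike the entries around it (asyncpg, cacti); add a "NOTE: 20200822: ..." line stating which CVEs are in scope, given that five BIND issues (CVE-2020-8620 to CVE-2020-8624) entered the list the same morning and their descriptions give different affected version ranges.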
@@ -57,6 +59,8 @@ condor
   NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o 
(roberto)
   NOTE: 20200727: Waiting on maintainer feedback: 
https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto)
 --
+curl (Thorsten Alteholz)
+--
 eclipse-wtp
 --
 f2fs-tools
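Review bot: "curl (Thorsten Alteholz)" likewise lacks a dated NOTE; record the target (CVE-2020-8231, bug #968831, is the open curl issue in this digest) so a second LTS contributor does not duplicate the triage.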



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9e6019f4b02ecf5e10488f1d01b4c37122dfc6b3...197ae4159e9512e0ca8f1e0c8da90469a833d0da


[Git][security-tracker-team/security-tracker][master] Track fixed version of CVE-2018-6353/electrum

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9e6019f4 by Salvatore Bonaccorso at 2020-08-22T10:43:17+02:00
Track fixed version of CVE-2018-6353/electrum

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -152249,7 +152249,7 @@ CVE-2018-6355 (/goform/setLang on iBall 300M devices 
with "iB-WRB302N_1.0.1-Sep
 CVE-2018-6354 (templates/forms/thanks.html in Formspree before 2018-01-23 
allows XSS  ...)
NOT-FOR-US: Formspree
 CVE-2018-6353 (The Python console in Electrum through 2.9.4 and 3.x through 
3.0.5 sup ...)
-   - electrum  (bug #890003; unimportant)
+   - electrum 3.2.3-1 (bug #890003; unimportant)
NOTE: https://github.com/spesmilo/electrum/issues/3678
NOTE: https://github.com/spesmilo/electrum/pull/3700
 CVE-2018-6352 (In PoDoFo 0.9.5, there is an Excessive Iteration in the 
PdfParser::Rea ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e6019f4b02ecf5e10488f1d01b4c37122dfc6b3


[Git][security-tracker-team/security-tracker][master] Reference commit for CVE-2020-15890/luajit

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bd36f5d1 by Salvatore Bonaccorso at 2020-08-22T10:27:06+02:00
Reference commit for CVE-2020-15890/luajit

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17638,6 +17638,7 @@ CVE-2020-15890 (LuaJit through 2.1.0-beta3 has an 
out-of-bounds read because __g
{DLA-2296-1}
- luajit  (unimportant; bug #966148)
NOTE: https://github.com/LuaJIT/LuaJIT/issues/601
+   NOTE: 
https://github.com/LuaJIT/LuaJIT/commit/53f82e6e2e858a0a62fd1a2ff47e9866693382e6
NOTE: No security impact, only "exploitable" with untrusted Lua code
 CVE-2020-15889 (Lua through 5.4.0 has a getobjname heap-based buffer over-read 
because ...)
- lua5.4 5.4.0-2
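Review bot: the entry is tagged unimportant and its last NOTE says there is no security impact, yet the header records {DLA-2296-1}, i.e. an LTS advisory was released for it; the two are compatible if the DLA bundled this with other fixes, but a short NOTE saying so would save the next reader from wondering whether the severity is wrong. The new commit reference 53f82e6e... should also carry the upstream version it landed in, as the wolfssl and tomcat entries in this file do with their "(vX.Y.Z)" suffix.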



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bd36f5d1c833ba153ab3152bd1be470c8ebff058


[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2018-8043

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
24a7c813 by Salvatore Bonaccorso at 2020-08-22T10:19:29+02:00
Track fixed version for CVE-2018-8043

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -146796,7 +146796,7 @@ CVE-2018-8044
 CVE-2017-18223 (BMC Remedy AR System before 9.1 SP3, when Remedy AR 
Authentication is  ...)
NOT-FOR-US: BMC Remedy AR System
 CVE-2018-8043 (The unimac_mdio_probe function in 
drivers/net/phy/mdio-bcm-unimac.c in ...)
-   - linux  (unimportant)
+   - linux 4.16.5-1 (unimportant)
[jessie] - linux  (Vulnerable code not present)
[wheezy] - linux  (Vulnerable code not present)
NOTE: Fixed by: 
https://git.kernel.org/linus/297a6961ffb8ff4dc66c9fbf53b924bd1dda05d5
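Review bot: the fixed version 4.16.5-1 is paired with "(Vulnerable code not present)" for jessie and wheezy only; stretch has no line. Buster's kernel is newer than 4.16.5 and needs none, but given the two explicit not-present verdicts it is worth stating the stretch result explicitly, so nobody has to re-check whether unimac_mdio_probe in drivers/net/phy/mdio-bcm-unimac.c exists in stretch's kernel.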



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/24a7c8137c90200037dc152bb776f734be73682f


[Git][security-tracker-team/security-tracker][master] automatic update

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b2489633 by security tracker role at 2020-08-22T08:10:39+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,13 @@
+CVE-2020-24596
+   RESERVED
+CVE-2020-24595
+   RESERVED
+CVE-2020-24594
+   RESERVED
+CVE-2020-24593
+   RESERVED
+CVE-2020-24592
+   RESERVED
 CVE-2020-24591 (The Management Console in certain WSO2 products allows XXE 
attacks dur ...)
NOT-FOR-US: WSO2
 CVE-2020-24590 (The Management Console in WSO2 API Manager through 3.1.0 and 
API Micro ...)
@@ -17722,8 +17732,8 @@ CVE-2020-15859 (QEMU 4.2.0 has a use-after-free in 
hw/net/e1000e_core.c because
[buster] - qemu  (Minor issue, can be fixed along in next 
DSA)
NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2020-07/msg05895.html
NOTE: https://bugs.launchpad.net/qemu/+bug/1886362
-CVE-2020-15858
-   RESERVED
+CVE-2020-15858 (Some devices of Thales DIS (formerly Gemalto, formerly 
Cinterion) allo ...)
+   TODO: check
 CVE-2020-15857
RESERVED
 CVE-2020-15856
@@ -33883,14 +33893,14 @@ CVE-2020-10128
RESERVED
 CVE-2020-10127
RESERVED
-CVE-2020-10126
-   RESERVED
-CVE-2020-10125
-   RESERVED
-CVE-2020-10124
-   RESERVED
-CVE-2020-10123
-   RESERVED
+CVE-2020-10126 (NCR SelfServ ATMs running APTRA XFS 05.01.00 do not properly 
validate  ...)
+   TODO: check
+CVE-2020-10125 (NCR SelfServ ATMs running APTRA XFS 04.02.01 and 05.01.00 
implement 51 ...)
+   TODO: check
+CVE-2020-10124 (NCR SelfServ ATMs running APTRA XFS 05.01.00 do not encrypt, 
authentic ...)
+   TODO: check
+CVE-2020-10123 (The currency dispenser of NCR SelfSev ATMs running APTRA XFS 
05.01.00  ...)
+   TODO: check
 CVE-2019-20501 (D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated 
OS comm ...)
NOT-FOR-US: D-Link
 CVE-2019-20500 (D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated 
OS comm ...)
@@ -36396,10 +36406,10 @@ CVE-2020-9065 (Huawei smart phone Taurus-AL00B with 
versions earlier than 10.0.0
NOT-FOR-US: Huawei
 CVE-2020-9064 (Huawei smartphone Honor V30 with versions earlier than 
OxfordS-AN00A 1 ...)
NOT-FOR-US: Huawei
-CVE-2020-9063
-   RESERVED
-CVE-2020-9062
-   RESERVED
+CVE-2020-9063 (NCR SelfServ ATMs running APTRA XFS 05.01.00 or earlier do not 
authent ...)
+   TODO: check
+CVE-2020-9062 (Diebold Nixdorf ProCash 2100xe USB ATMs running Wincor Probase 
version ...)
+   TODO: check
 CVE-2020-9061
RESERVED
 CVE-2020-9060
@@ -37472,24 +37482,19 @@ CVE-2020-8626
RESERVED
 CVE-2020-8625
RESERVED
-CVE-2020-8624
-   RESERVED
+CVE-2020-8624 (In BIND 9.9.12 - 9.9.13, 9.10.7 - 9.10.8, 9.11.3 - 
9.11.21 ...)
- bind9 1:9.16.6-1 (bug #966497)
NOTE: https://kb.isc.org/docs/cve-2020-8624
-CVE-2020-8623
-   RESERVED
+CVE-2020-8623 (In BIND 9.10.0 - 9.11.21, 9.12.0 - 9.16.5, 9.17.0 - 
9.17.3 ...)
- bind9 1:9.16.6-1
NOTE: https://kb.isc.org/docs/cve-2020-8623
-CVE-2020-8622
-   RESERVED
+CVE-2020-8622 (In BIND 9.0.0 - 9.11.21, 9.12.0 - 9.16.5, 9.17.0 - 
9.17.3, ...)
- bind9 1:9.16.6-1
NOTE: https://kb.isc.org/docs/cve-2020-8622
-CVE-2020-8621
-   RESERVED
+CVE-2020-8621 (In BIND 9.14.0 - 9.16.5, 9.17.0 - 9.17.3, If a server 
is confi ...)
- bind9 1:9.16.6-1
NOTE: https://kb.isc.org/docs/cve-2020-8621
-CVE-2020-8620
-   RESERVED
+CVE-2020-8620 (In BIND 9.15.6 - 9.16.5, 9.17.0 - 9.17.3, An attacker 
who can  ...)
- bind9 1:9.16.6-1
NOTE: https://kb.isc.org/docs/cve-2020-8620
 CVE-2020-8619 (In ISC BIND9 versions BIND 9.11.14 - 9.11.19, BIND 9.14.9 
- 9. ...)
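Review bot: all five BIND entries (CVE-2020-8620 to CVE-2020-8624) get the same fixed version 1:9.16.6-1, but only CVE-2020-8624 carries a bug reference (bug #966497) and none has a stable or oldstable annotation yet. The description ranges differ per CVE: CVE-2020-8620 starts at 9.15.6 and CVE-2020-8621 at 9.14.0, so neither can affect a release shipping an older 9.x branch and both can be marked not-present there, whereas CVE-2020-8622 and CVE-2020-8623 reach back to 9.0.0 and 9.10.0 and CVE-2020-8624 to 9.9.12, and those need a real assessment.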
@@ -38376,8 +38381,8 @@ CVE-2020-8236
RESERVED
 CVE-2020-8235
RESERVED
-CVE-2020-8234
-   RESERVED
+CVE-2020-8234 (A vulnerability exists in The EdgeMax EdgeSwitch firmware 
v1.9.1 w ...)
+   TODO: check
 CVE-2020-8233 (A command injection vulnerability exists in EdgeSwitch firmware 
v1 ...)
NOT-FOR-US: Edgeswitch
 CVE-2020-8232 (An information disclosure vulnerability exists in EdgeMax 
EdgeSwitch f ...)
@@ -38395,8 +38400,8 @@ CVE-2020-8229 (A memory leak in the OCUtil.dll library 
used by Nextcloud Desktop
NOTE: https://nextcloud.com/security/advisory/?id=NC-SA-2020-034
 CVE-2020-8228
RESERVED
-CVE-2020-8227
-   RESERVED
+CVE-2020-8227 (Missing sanitization of a server response in Nextcloud Desktop 
Client  ...)
+   TODO: check
 CVE-2020-8226 (A vulnerability exists in phpBB v3.2.10 and v3.3.1 
which allow ...)
NOT-FOR-US: phpBB
 CVE-2020-8225
@@ -38475,8 +38480,8 @@ CVE-2020-8191 (Improper input validation in Citrix ADC 
and Citrix Gateway versio
NOT-FOR-US: Citrix
 CVE-2020-8190 (Incorrect file permissions in Citrix ADC 

[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2020-15138/node-prosmjs via unstable

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ff1bfb19 by Salvatore Bonaccorso at 2020-08-22T09:41:44+02:00
Add fixed version for CVE-2020-15138/node-prosmjs via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -19454,7 +19454,7 @@ CVE-2020-15140 (In Red Discord Bot before version 
3.3.11, a RCE exploit has been
 CVE-2020-15139 (In MyBB before version 1.8.24, the custom MyCode (BBCode) for 
the visu ...)
NOT-FOR-US: MyBB
 CVE-2020-15138 (Prism is vulnerable to Cross-Site Scripting. The easing 
preview of the ...)
-   - node-prismjs  (bug #968094)
+   - node-prismjs 1.11.0+dfsg-4 (bug #968094)
NOTE: 
https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9
NOTE: 
https://github.com/PrismJS/prism/commit/8bba4880202ef6bd7a1e379fe9aebe69dd75f7be
 CVE-2020-15137 (All versions of HoRNDIS are affected by an integer overflow in 
the RND ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff1bfb196dee3395d9201f8ebbd916c75398f46f


[Git][security-tracker-team/security-tracker][master] Track fixed versions fixed in unstable for openexr

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f1ea57ff by Salvatore Bonaccorso at 2020-08-22T09:40:33+02:00
Track fixed versions fixed in unstable for openexr

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -19107,17 +19107,17 @@ CVE-2020-15307 (Nozomi Guardian before 19.0.4 allows 
attackers to achieve stored
NOT-FOR-US: Nozomi Guardian
 CVE-2020-15306 (An issue was discovered in OpenEXR before v2.5.2. Invalid 
chunkCount a ...)
[experimental] - openexr 2.5.2-1
-   - openexr 
+   - openexr 2.5.3-2
[jessie] - openexr  (Minor issue)
NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/738
 CVE-2020-15305 (An issue was discovered in OpenEXR before 2.5.2. Invalid input 
could c ...)
[experimental] - openexr 2.5.2-1
-   - openexr 
+   - openexr 2.5.3-2
[jessie] - openexr  (Minor issue)
NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/730
 CVE-2020-15304 (An issue was discovered in OpenEXR before 2.5.2. An invalid 
tiled inpu ...)
[experimental] - openexr 2.5.2-1
-   - openexr 
+   - openexr 2.5.3-2
[buster] - openexr  (Vulnerable code not present)
[stretch] - openexr  (Vulnerable code not present)
[jessie] - openexr  (Minor issue)
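Review bot: CVE-2020-15304 carries "(Vulnerable code not present)" for buster and stretch, but CVE-2020-15305 and CVE-2020-15306, fixed in the same 2.5.3-2 upload, have only a jessie "(Minor issue)" line; either buster and stretch are affected and need a postponed or no-dsa annotation, or the not-present verdict applies to them too and should be recorded. The two PR links (#730, #738) do not say which.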
@@ -29023,53 +29023,53 @@ CVE-2020-11766 (sendfax.php in iFAX AvantFAX before 
3.3.6 and HylaFAX Enterprise
NOT-FOR-US: iFAX AvantFAX
 CVE-2020-11765 (An issue was discovered in OpenEXR before 2.4.1. There is an 
off-by-on ...)
[experimental] - openexr 2.5.0-1
-   - openexr  (bug #959444)
+   - openexr 2.5.3-2 (bug #959444)
[jessie] - openexr  (Minor issue)
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987
NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/3eda5d70aba127bae9bd6bae9956fcf024b64031
NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/2ae5f8376b0a6c3e2bb100042f5de79503ba837a
 CVE-2020-11764 (An issue was discovered in OpenEXR before 2.4.1. There is an 
out-of-bo ...)
[experimental] - openexr 2.5.0-1
-   - openexr  (bug #959444)
+   - openexr 2.5.3-2 (bug #959444)
[jessie] - openexr  (Minor issue)
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987
NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/e7c26f6ef5bf7ae8ea21ecf19963186cd1391720
NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/a6408c90339bdf19f89476578d7f936b741be9b2
 CVE-2020-11763 (An issue was discovered in OpenEXR before 2.4.1. There is an 
std::vect ...)
[experimental] - openexr 2.5.0-1
-   - openexr  (bug #959444)
+   - openexr 2.5.3-2 (bug #959444)
[jessie] - openexr  (Minor issue)
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987
NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/pull/643/commits/d0303d1785d2a8cb994efee9efa81f8ee4be4c17
 CVE-2020-11762 (An issue was discovered in OpenEXR before 2.4.1. There is an 
out-of-bo ...)
[experimental] - openexr 2.5.0-1
-   - openexr  (bug #959444)
+   - openexr 2.5.3-2 (bug #959444)
[jessie] - openexr  (Minor issue)
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987
NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/3eda5d70aba127bae9bd6bae9956fcf024b64031
NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/2ae5f8376b0a6c3e2bb100042f5de79503ba837a
 CVE-2020-11761 (An issue was discovered in OpenEXR before 2.4.1. There is an 
out-of-bo ...)
[experimental] - openexr 2.5.0-1
-   - openexr  (bug #959444)
+   - openexr 2.5.3-2 (bug #959444)
[jessie] - openexr  (Minor issue)
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987
NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/b1c34c496b62117115b1089b18a44e0031800a09
 CVE-2020-11760 (An issue was discovered in OpenEXR before 2.4.1. There is an 
out-of-bo ...)
[experimental] - openexr 2.5.0-1
-   - openexr  (bug #959444)
+   - openexr 2.5.3-2 (bug #959444)
[jessie] - openexr  (Minor issue)
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987
NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/37750013830def57f19f3c3b7faaa9fc1dae81b3
 CVE-2020-11759 (An issue was discovered in OpenEXR before 2.4.1. Because of 
integer ov ...)
[experimental] - openexr 2.5.0-1
-   - openexr  (bug #959444)
+   - openexr 2.5.3-2 (bug #959444)
[jessie] - openexr  (Minor issue)
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987
NOTE: 
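Review bot: the seven visible CVE-2020-11759 to CVE-2020-11765 entries all move from unfixed to 2.5.3-2 against the single bug #959444, with "[jessie] - openexr  (Minor issue)" as the only stable annotation; buster and stretch are left implicit. Since all seven are "before 2.4.1" issues, state the buster/stretch status on each entry rather than leaving the reader to infer it from the fixed version.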

[Git][security-tracker-team/security-tracker][master] Add fixed version via unstable for CVE-2020-10289/ros-actionlib

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9da95368 by Salvatore Bonaccorso at 2020-08-22T09:36:40+02:00
Add fixed version via unstable for CVE-2020-10289/ros-actionlib

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -33484,7 +33484,7 @@ CVE-2020-10291
 CVE-2020-10290 (Universal Robots controller execute URCaps (zip files 
containing Java- ...)
NOT-FOR-US: Universal Robots controller 
 CVE-2020-10289 (Use of unsafe yaml load. Allows instantiation of arbitrary 
objects. Th ...)
-   - ros-actionlib  (bug #968830)
+   - ros-actionlib 1.13.1-4 (bug #968830)
[buster] - ros-actionlib  (Minor issue)
NOTE: https://github.com/ros/actionlib/pull/171
 CVE-2020-10288 (IRC5 exposes an ftp server (port 21). Upon attempting to gain 
access y ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9da95368937ce485045df8f01da0b998f4a8d5be


[Git][security-tracker-team/security-tracker][master] Add pull request reference for CVE-2020-8231

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
52a54ed9 by Salvatore Bonaccorso at 2020-08-22T09:11:23+02:00
Add pull request reference for CVE-2020-8231

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -38386,6 +38386,7 @@ CVE-2020-8231
RESERVED
- curl  (bug #968831)
NOTE: https://curl.haxx.se/docs/CVE-2020-8231.html
+   NOTE: https://github.com/curl/curl/pull/5824
NOTE: 
https://github.com/curl/curl/commit/3c9e021f86872baae412a427e807fbfa2f3e8
 CVE-2020-8230 (A memory corruption vulnerability exists in NextCloud Desktop 
Client v ...)
- nextcloud-desktop  (Windows-specific)
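Review bot: the commit reference on the line after the new PR link reads 3c9e021f86872baae412a427e807fbfa2f3e8, which is 37 hex digits rather than a full 40-digit SHA-1; verify that URL while touching the entry (GitHub resolves abbreviated hashes, but the other references in this file use the full hash). The ID is still RESERVED here although curl has published its advisory; the description will arrive with the next automatic update, so nothing to do for that yet.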



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52a54ed9db913d570fe229f2e82e250166af553b


[Git][security-tracker-team/security-tracker][master] Add upstream commit reference for CVE-2020-12457/wolfssl

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
012b4f7d by Salvatore Bonaccorso at 2020-08-22T09:07:28+02:00
Add upstream commit reference for CVE-2020-12457/wolfssl

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -26346,7 +26346,7 @@ CVE-2020-12458 (An information-disclosure flaw was 
found in Grafana through 6.7.
NOTE: https://github.com/grafana/grafana/issues/8283
 CVE-2020-12457 (An issue was discovered in wolfSSL before 4.5.0. It mishandles 
the cha ...)
- wolfssl 
-   NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v4.5.0-stable
+   NOTE: 
https://github.com/wolfSSL/wolfssl/commit/df1b7f34f173cfc2968ce12e8fcd2fd8bcc61a59
 (v4.5.0-stable)
NOTE: https://github.com/wolfSSL/wolfssl/pull/2927
 CVE-2020-12456
RESERVED
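Review bot: replacing the release-tag URL with the commit plus "(v4.5.0-stable)" keeps the version information, which is good, but the "- wolfssl " line still has no fixed Debian version and no bug reference, so nothing pings the maintainer that 4.5.0 needs packaging. File a bug and add the bug number to the line, as is done for the other unfixed entries in the list.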



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/012b4f7dee605e67cdb836d3f7572f9b76ef4c73


[Git][security-tracker-team/security-tracker][master] Reference upstream commit for CVE-2020-24585/wolfssl

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a69e8ddd by Salvatore Bonaccorso at 2020-08-22T09:04:28+02:00
Reference upstream commit for CVE-2020-24585/wolfssl

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13,7 +13,7 @@ CVE-2020-24586
 CVE-2020-24585 (An issue was discovered in the DTLS handshake implementation 
in wolfSS ...)
- wolfssl 
NOTE: https://github.com/wolfSSL/wolfssl/pull/3219
-   NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v4.5.0-stable
+   NOTE: 
https://github.com/wolfSSL/wolfssl/commit/3be7f3ea3a56d178acf0f7f84ee4ae8cbfee8915
 (v4.5.0-stable)
 CVE-2020-24584
RESERVED
 CVE-2020-24583
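Review bot: same shape as the CVE-2020-12457 wolfssl entry: upstream commit 3be7f3ea... and PR #3219 are referenced, but the "- wolfssl " line carries neither a fixed version nor a Debian bug number. Since both issues are fixed by the same upstream release (v4.5.0-stable), one bug listing both CVE IDs would cover them.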



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a69e8dddc9c46c72c8db260a851817f9278cc18b


[Git][security-tracker-team/security-tracker][master] Add upstream pull reference for CVE-2020-10289/ros-actionlib

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5a5921e5 by Salvatore Bonaccorso at 2020-08-22T09:00:40+02:00
Add upstream pull reference for CVE-2020-10289/ros-actionlib

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -33486,6 +33486,7 @@ CVE-2020-10290 (Universal Robots controller execute 
URCaps (zip files containing
 CVE-2020-10289 (Use of unsafe yaml load. Allows instantiation of arbitrary 
objects. Th ...)
- ros-actionlib  (bug #968830)
[buster] - ros-actionlib  (Minor issue)
+   NOTE: https://github.com/ros/actionlib/pull/171
 CVE-2020-10288 (IRC5 exposes an ftp server (port 21). Upon attempting to gain 
access y ...)
NOT-FOR-US: ABB IRC5
 CVE-2020-10287 (The IRC5 family with UAS service enabled comes by default with 
credent ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a5921e5c06b59a0ad334a7e1670ed108187415a


[Git][security-tracker-team/security-tracker][master] Add upstream commits for CVE-2020-24368/icingaweb2

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a2de494e by Salvatore Bonaccorso at 2020-08-22T08:50:48+02:00
Add upstream commits for CVE-2020-24368/icingaweb2

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -467,6 +467,8 @@ CVE-2020-24368 (Icinga Icinga Web2 2.0.0 through 2.6.4, 
2.7.4 and 2.8.2 has a Di
- icingaweb2 2.8.2-1 (bug #968833)
NOTE: 
https://icinga.com/2020/08/19/icinga-web-security-release-v2-6-4-v2-7-4-and-v2-8-2/
NOTE: https://github.com/Icinga/icingaweb2/issues/4226
+   NOTE: 
https://github.com/Icinga/icingaweb2/commit/5700caf5f2ebd8a20ce2bd9ca30cb471f8b7487e
 (support/2.6)
+   NOTE: 
https://github.com/Icinga/icingaweb2/commit/3035efac65ca2f7977916bd117056aa411776dfd
 (master)
 CVE-2020-24367
RESERVED
 CVE-2020-24366
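Review bot: the two added NOTE lines cover the support/2.6 branch and master, while the release announcement linked just above names three fixed releases (2.6.4, 2.7.4 and 2.8.2); if the 2.7 line carries its own backport commit, add it as a third NOTE with a (support/2.7) annotation so each upstream series can be matched to its fix when backporting. The branch name in parentheses after each URL is the right form to keep.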



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2de494e7baa522875202e4f8d862918410a9f38


[Git][security-tracker-team/security-tracker][master] CVE-2020-24368/icingaweb2 fixed via unstable upload

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
714f3fff by Salvatore Bonaccorso at 2020-08-22T08:48:38+02:00
CVE-2020-24368/icingaweb2 fixed via unstable upload

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -464,7 +464,7 @@ CVE-2020-24369 (ldebug.c in Lua 5.4.0 attempts to access 
debug information via t
NOTE: 
https://github.com/lua/lua/commit/ae5b5ba529753c7a653901ffc29b5ea24c3fdf3a
NOTE: https://www.lua.org/bugs.html#5.4.0-12
 CVE-2020-24368 (Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a 
Director ...)
-   - icingaweb2  (bug #968833)
+   - icingaweb2 2.8.2-1 (bug #968833)
NOTE: 
https://icinga.com/2020/08/19/icinga-web-security-release-v2-6-4-v2-7-4-and-v2-8-2/
NOTE: https://github.com/Icinga/icingaweb2/issues/4226
 CVE-2020-24367



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/714f3fff3f9ecdf2fd15c599abb7c8d8003c582e


[Git][security-tracker-team/security-tracker][master] Add additional forum reference for fossil issue

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8cd2aa7d by Salvatore Bonaccorso at 2020-08-22T08:44:20+02:00
Add additional forum reference for fossil issue

Upstream change is not yet in the timeline though.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -75,6 +75,7 @@ CVE-2020-24556
 CVE-2020- [fossil RCE]
- fossil 1:2.12.1-1
NOTE: https://www.openwall.com/lists/oss-security/2020/08/20/1
+   NOTE: https://fossil-scm.org/forum/info/a05ae3ce7760daf6
 CVE-2020-24555
RESERVED
 CVE-2020-24554
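Review bot: the CVE-2020- [fossil RCE] entry still has no upstream commit reference, only the oss-security post and the forum thread added here; since the commit message explains that the upstream change is not yet visible in the timeline, a short NOTE recording that (for example "NOTE: upstream fix not yet in the public timeline") would make the missing commit link read as pending rather than overlooked, and the entry should be revisited to add the commit once it is published. The placeholder CVE id also needs replacing when one is assigned.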



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8cd2aa7df42c64208b6d95fd7a8d0769a3d8b5f8


[Git][security-tracker-team/security-tracker][master] CVE-2020-12403/nss fixed in unstable with 3.55 upstream version

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f2f8db25 by Salvatore Bonaccorso at 2020-08-22T08:32:50+02:00
CVE-2020-12403/nss fixed in unstable with 3.55 upstream version

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -26531,7 +26531,7 @@ CVE-2020-12404 (For native-to-JS bridging the app 
requires a unique token to be
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-19/#CVE-2020-12404
 CVE-2020-12403
RESERVED
-   - nss 
+   - nss 2:3.55-1
NOTE: 
https://hg.mozilla.org/projects/nss/rev/f282556e6cc7715f5754aeaadda6f902590e7e38
NOTE: 
https://hg.mozilla.org/projects/nss/rev/c25adfdfab34ddb08d3262aac3242e3399de1095
NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1636771
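Review bot: CVE-2020-12403 is now marked fixed in nss 2:3.55-1, but the entry still carries only RESERVED with no description, which leaves the fixed-version line and the two hg revisions without a stated subject; consider a bracketed summary after the CVE id, in the form used for CVE-2020-14367 [Insecure writing to PID file] elsewhere in this batch, so a reader can tell what the listed revisions fix without opening the bugzilla link.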



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2f8db25c8cec14d9c728f1dcfd3cdb9ceb55f26


[Git][security-tracker-team/security-tracker][master] Add information for CVE-2020-14367

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4d545535 by Salvatore Bonaccorso at 2020-08-22T08:29:53+02:00
Add information for CVE-2020-14367

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21479,9 +21479,11 @@ CVE-2020-14369
RESERVED
 CVE-2020-14368
RESERVED
-CVE-2020-14367
+CVE-2020-14367 [Insecure writing to PID file]
RESERVED
- chrony 3.5.1-1
+   NOTE: 
https://git.tuxfamily.org/chrony/chrony.git/commit/util.c?id=7a4c396bba8f92a3ee8018620983529152050c74
+   NOTE: 
https://git.tuxfamily.org/chrony/chrony.git/commit/main.c?id=e18903a6b56341481a2e08469c0602010bf7bfe3
 CVE-2020-14366
RESERVED
 CVE-2020-14365
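Review bot: both added NOTE URLs are cgit per-file commit views (commit/util.c?id=... and commit/main.c?id=...), which show only the named file's part of each commit; if either commit also touches other files, those changes are not visible from the link. Prefer the plain commit view (commit/?id=<hash>) so a backporter sees the whole change, and use the per-path form only when the intent is to point at exactly one file.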



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4d54553502a12640ef793f4463e83d0fe024a2ba


[Git][security-tracker-team/security-tracker][master] Add upstream tag reference for CVE-2020-15900

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4e7f6fdf by Salvatore Bonaccorso at 2020-08-22T08:27:42+02:00
Add upstream tag reference for CVE-2020-15900

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17602,7 +17602,7 @@ CVE-2020-15900 (A memory corruption issue was found in 
Artifex Ghostscript 9.50
[stretch] - ghostscript  (Vulnerable code introduced 
later)
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=702582
NOTE: Introduced by: 
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=7ecbfda92b4c8dbf6f6c2bf8fc82020a29219eff
 (9.28rc1)
-   NOTE: Fixed by: 
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b
+   NOTE: Fixed by: 
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b
 (9.53.0rc1)
 CVE-2020-15899 (Grin 3.0.0 before 4.0.0 has insufficient validation of data 
related to ...)
NOT-FOR-US: Grin
 CVE-2020-15898



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e7f6fdff09f29ea828d611e3e7430e3a52b1438


[Git][security-tracker-team/security-tracker][master] Fix typo in source package name: nextcloud-desktop

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f0494749 by Salvatore Bonaccorso at 2020-08-22T08:18:09+02:00
Fix typo in source package name: nextcloud-desktop

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -38382,9 +38382,9 @@ CVE-2020-8231
NOTE: https://curl.haxx.se/docs/CVE-2020-8231.html
NOTE: 
https://github.com/curl/curl/commit/3c9e021f86872baae412a427e807fbfa2f3e8
 CVE-2020-8230 (A memory corruption vulnerability exists in NextCloud Desktop 
Client v ...)
-   - netxcloud-desktop  (Windows-specific)
+   - nextcloud-desktop  (Windows-specific)
 CVE-2020-8229 (A memory leak in the OCUtil.dll library used by Nextcloud 
Desktop Clie ...)
-   - netxcloud-desktop  (bug #968822)
+   - nextcloud-desktop  (bug #968822)
NOTE: https://nextcloud.com/security/advisory/?id=NC-SA-2020-034
 CVE-2020-8228
RESERVED
@@ -38395,7 +38395,7 @@ CVE-2020-8226 (A vulnerability exists in phpBB 
v3.2.10 and v3.3.1 which
 CVE-2020-8225
RESERVED
 CVE-2020-8224 (A code injection in Nextcloud Desktop Client 2.6.4 allowed to 
load arb ...)
-   - netxcloud-desktop  (bug #968822)
+   - nextcloud-desktop  (bug #968822)
NOTE: https://nextcloud.com/security/advisory/?id=NC-SA-2020-030
 CVE-2020-8223
RESERVED
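Review bot: the correction from netxcloud-desktop to nextcloud-desktop is applied to three entries (CVE-2020-8230, CVE-2020-8229 and CVE-2020-8224) across the two hunks; since all three came from the same batch, grep data/CVE/list for the misspelling before merging to confirm no further occurrence was missed. A misspelled source package name cannot be matched to the real package, so the affected entries stay detached from nextcloud-desktop until every occurrence is corrected.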



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0494749031d385e456e8b2871b60218d5bf04cb


[Git][security-tracker-team/security-tracker][master] Move tracking from CVE-2019-13305 to DSA

2020-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7ad84d6b by Salvatore Bonaccorso at 2020-08-22T08:04:12+02:00
Move tracking from CVE-2019-13305 to DSA

- - - - -


2 changed files:

- data/CVE/list
- data/DSA/list


Changes:

=
data/CVE/list
=
@@ -78460,7 +78460,6 @@ CVE-2019-13306 (ImageMagick 7.0.8-50 Q16 has a 
stack-based buffer overflow at co
 CVE-2019-13305 (ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at 
coders/p ...)
{DSA-4712-1 DLA-1888-1}
- imagemagick 8:6.9.11.24+dfsg-1 (bug #931452)
-   [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u8
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1613
NOTE: 
https://github.com/ImageMagick/ImageMagick6/commit/5c7fbf9a14fb83c9685ad69d48899f490a37609d
 CVE-2019-13304 (ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at 
coders/p ...)
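Review bot: the removed [stretch] line (imagemagick 8:6.9.7.4+dfsg-11+deb9u8) matches the stretch version already recorded under DSA-4715-1 in data/DSA/list, so no fix information is lost; however the advisory line on the CVE-2019-13305 entry still reads {DSA-4712-1 DLA-1888-1} and does not mention DSA-4715-1, the advisory the second hunk now attaches the CVE to. Check that this cross-reference line is brought in line with the DSA list (by hand or by whatever tooling regenerates it), otherwise the CVE page will point at the wrong DSA for stretch.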


=
data/DSA/list
=
@@ -99,7 +99,7 @@
{CVE-2020-13401}
[buster] - docker.io 18.09.1+dfsg1-7.1+deb10u2
 [02 Jul 2020] DSA-4715-1 imagemagick - security update
-   {CVE-2019-13300 CVE-2019-13304 CVE-2019-13306 CVE-2019-13307 
CVE-2019-15140 CVE-2019-19948}
+   {CVE-2019-13300 CVE-2019-13304 CVE-2019-13305 CVE-2019-13306 
CVE-2019-13307 CVE-2019-15140 CVE-2019-19948}
[stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u8
 [01 Jul 2020] DSA-4714-1 chromium - security update
{CVE-2020-6423 CVE-2020-6430 CVE-2020-6431 CVE-2020-6432 CVE-2020-6433 
CVE-2020-6434 CVE-2020-6435 CVE-2020-6436 CVE-2020-6437 CVE-2020-6438 
CVE-2020-6439 CVE-2020-6440 CVE-2020-6441 CVE-2020-6442 CVE-2020-6443 
CVE-2020-6444 CVE-2020-6445 CVE-2020-6446 CVE-2020-6447 CVE-2020-6448 
CVE-2020-6454 CVE-2020-6455 CVE-2020-6456 CVE-2020-6457 CVE-2020-6458 
CVE-2020-6459 CVE-2020-6460 CVE-2020-6461 CVE-2020-6462 CVE-2020-6463 
CVE-2020-6464 CVE-2020-6465 CVE-2020-6466 CVE-2020-6467 CVE-2020-6468 
CVE-2020-6469 CVE-2020-6470 CVE-2020-6471 CVE-2020-6472 CVE-2020-6473 
CVE-2020-6474 CVE-2020-6475 CVE-2020-6476 CVE-2020-6478 CVE-2020-6479 
CVE-2020-6480 CVE-2020-6481 CVE-2020-6482 CVE-2020-6483 CVE-2020-6484 
CVE-2020-6485 CVE-2020-6486 CVE-2020-6487 CVE-2020-6488 CVE-2020-6489 
CVE-2020-6490 CVE-2020-6491 CVE-2020-6493 CVE-2020-6494 CVE-2020-6495 
CVE-2020-6496 CVE-2020-6497 CVE-2020-6498 CVE-2020-6505 CVE-2020-6506 
CVE-2020-6507 CVE-2020-6509 CVE-2020-6831}



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ad84d6b86bedcf9ddf1ed9db8add2f700390ada
