[Git][security-tracker-team/security-tracker][master] Process more NFUs

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3ba98c8b by Salvatore Bonaccorso at 2020-08-25T06:51:44+02:00
Process more NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -509,7 +509,7 @@ CVE-2020-24366
 CVE-2020-24365
RESERVED
 CVE-2020-24364 (MineTime through 1.8.5 allows XSS via the notes field in a 
meeting inv ...)
-   TODO: check
+   NOT-FOR-US: MineTime
 CVE-2020-24363
RESERVED
 CVE-2016-11085 (php/qmn_options_questions_tab.php in the quiz-master-next 
plugin befor ...)
@@ -9477,35 +9477,35 @@ CVE-2020-19893
 CVE-2020-19892
RESERVED
 CVE-2020-19891 (DBHcms v1.2.0 has an Arbitrary file write vulnerability in 
dbhcms\mod\ ...)
-   TODO: check
+   NOT-FOR-US: DBHcms
 CVE-2020-19890 (DBHcms v1.2.0 has an Arbitrary file read vulnerability in 
dbhcms\mod\m ...)
-   TODO: check
+   NOT-FOR-US: DBHcms
 CVE-2020-19889 (DBHcms v1.2.0 has no CSRF protection mechanism,as demonstrated 
by CSRF ...)
-   TODO: check
+   NOT-FOR-US: DBHcms
 CVE-2020-19888 (DBHcms v1.2.0 has an unauthorized operation vulnerability 
because ther ...)
-   TODO: check
+   NOT-FOR-US: DBHcms
 CVE-2020-19887 (DBHcms v1.2.0 has a stored XSS vulnerability as there is no 
htmlspecia ...)
-   TODO: check
+   NOT-FOR-US: DBHcms
 CVE-2020-19886 (DBHcms v1.2.0 has no CSRF protection mechanism,as demonstrated 
by CSRF ...)
-   TODO: check
+   NOT-FOR-US: DBHcms
 CVE-2020-19885 (DBHcms v1.2.0 has a stored xss vulnerability as there is no 
htmlspecia ...)
-   TODO: check
+   NOT-FOR-US: DBHcms
 CVE-2020-19884 (DBHcms v1.2.0 has a stored xss vulnerability as there is no 
htmlspecia ...)
-   TODO: check
+   NOT-FOR-US: DBHcms
 CVE-2020-19883 (DBHcms v1.2.0 has a stored xss vulnerability as there is no 
security f ...)
-   TODO: check
+   NOT-FOR-US: DBHcms
 CVE-2020-19882 (DBHcms v1.2.0 has a stored xss vulnerability as there is no 
htmlspecia ...)
-   TODO: check
+   NOT-FOR-US: DBHcms
 CVE-2020-19881 (DBHcms v1.2.0 has a reflected xss vulnerability as there is no 
securit ...)
-   TODO: check
+   NOT-FOR-US: DBHcms
 CVE-2020-19880 (DBHcms v1.2.0 has a stored xss vulnerability as there is no 
htmlspecia ...)
-   TODO: check
+   NOT-FOR-US: DBHcms
 CVE-2020-19879 (DBHcms v1.2.0 has a stored xss vulnerability as there is no 
security f ...)
-   TODO: check
+   NOT-FOR-US: DBHcms
 CVE-2020-19878 (DBHcms v1.2.0 has a sensitive information leaks vulnerability 
as there ...)
-   TODO: check
+   NOT-FOR-US: DBHcms
 CVE-2020-19877 (DBHcms v1.2.0 has a directory traversal vulnerability as there 
is no d ...)
-   TODO: check
+   NOT-FOR-US: DBHcms
 CVE-2020-19876
RESERVED
 CVE-2020-19875
@@ -22426,9 +22426,9 @@ CVE-2020-14046
 CVE-2020-14045
RESERVED
 CVE-2020-14044 (** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** A Server-Side 
Request Forger ...)
-   TODO: check
+   NOT-FOR-US: Codiad
 CVE-2020-14043 (** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** A Cross Side Request 
Forgery ...)
-   TODO: check
+   NOT-FOR-US: Codiad
 CVE-2020-14042
RESERVED
 CVE-2020-14041
@@ -24849,7 +24849,7 @@ CVE-2020-13103
 CVE-2020-13102
RESERVED
 CVE-2020-13101 (In OASIS Digital Signature Services (DSS) 1.0, an attacker can 
control ...)
-   TODO: check
+   NOT-FOR-US: OASIS Digital Signature Services (DSS)
 CVE-2020-13100
RESERVED
 CVE-2020-13099



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3ba98c8b5c54407da6f1af6ba39cea007d153294

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3ba98c8b5c54407da6f1af6ba39cea007d153294
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] Process NFUs

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6f141ea5 by Salvatore Bonaccorso at 2020-08-25T06:40:48+02:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -887,7 +887,7 @@ CVE-2020-24188
 CVE-2020-24187
RESERVED
 CVE-2020-24186 (A Remote Code Execution vulnerability exists in the gVectors 
wpDiscuz  ...)
-   TODO: check
+   NOT-FOR-US: gVectors wpDiscuz plugin for WordPress
 CVE-2020-24185
RESERVED
 CVE-2020-24184
@@ -47720,7 +47720,7 @@ CVE-2020-4600
 CVE-2020-4599
RESERVED
 CVE-2020-4598 (IBM Security Guardium Insights 2.0.1 could allow a remote 
attacker to  ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4597
RESERVED
 CVE-2020-4596
@@ -47730,7 +47730,7 @@ CVE-2020-4595
 CVE-2020-4594
RESERVED
 CVE-2020-4593 (IBM Security Guardium Insights 2.0.1 stores user credentials in 
plain  ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4592
RESERVED
 CVE-2020-4591
@@ -47742,7 +47742,7 @@ CVE-2020-4589 (IBM WebSphere Application Server 7.0, 
8.0, 8.5, and 9.0 could all
 CVE-2020-4588
RESERVED
 CVE-2020-4587 (IBM Sterling Connect:Direct for UNIX 4.2.0, 4.3.0, 6.0.0, and 
6.1.0 is ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4586
RESERVED
 CVE-2020-4585
@@ -48150,9 +48150,9 @@ CVE-2020-4385 (IBM Verify Gateway (IVG) 1.0.0 and 1.0.1 
contains hard-coded cred
 CVE-2020-4384 (IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is 
vulnerable t ...)
NOT-FOR-US: IBM
 CVE-2020-4383 (IBM Spectrum Scale for IBM Elastic Storage Server 5.3.0 through 
5.3.5  ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4382 (IBM Spectrum Scale for IBM Elastic Storage Server 5.3.0 through 
5.3.5  ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4381 (IBM Spectrum Scale for IBM Elastic Storage Server 5.3.0 through 
5.3.6  ...)
NOT-FOR-US: IBM
 CVE-2020-4380 (IBM Workload Scheduler 9.3.0.4 is vulnerable to cross-site 
scripting.  ...)
@@ -48576,7 +48576,7 @@ CVE-2020-4172
 CVE-2020-4171
RESERVED
 CVE-2020-4170 (IBM Security Guardium Insights 2.0.1 is vulnerable to 
cross-site reque ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4169
RESERVED
 CVE-2020-4168
@@ -48586,7 +48586,7 @@ CVE-2020-4167
 CVE-2020-4166
RESERVED
 CVE-2020-4165 (IBM Security Guardium Insights 2.0.1 could allow a remote 
attacker to  ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4164 (IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 
1.0.3, 1.0. ...)
NOT-FOR-US: IBM
 CVE-2020-4163 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0, under 
special ...)
@@ -164880,7 +164880,7 @@ CVE-2018-1987 (IBM Spectrum Protect for Enterprise 
Resource Planning 7.1 and 8.1
 CVE-2018-1986
RESERVED
 CVE-2018-1985 (IBM Trusteer Rapport/Apex 3.6.1908.22 contains an unused legacy 
driver ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2018-1984 (IBM Rational Team Concert 5.0 through 6.0.6 is vulnerable to 
cross-sit ...)
NOT-FOR-US: IBM
 CVE-2018-1983 (IBM Rational Team Concert 5.0 through 6.0.6 is vulnerable to 
cross-sit ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6f141ea5bf2d6cf6f272164ff76028e0a497ed88


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2344-1 for mongodb

2020-08-24 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1036b602 by Roberto C. Sánchez at 2020-08-24T18:54:48-04:00
Reserve DLA-2344-1 for mongodb

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[24 Aug 2020] DLA-2344-1 mongodb - security update
+   {CVE-2020-7923}
+   [stretch] - mongodb 1:3.2.11-2+deb9u2
 [24 Aug 2020] DLA-2343-1 icingaweb2 - security update
{CVE-2020-24368}
[stretch] - icingaweb2 2.4.1-1+deb9u1


=
data/dla-needed.txt
=
@@ -102,8 +102,6 @@ linux-4.9 (Ben Hutchings)
 --
 lua5.3
 --
-mongodb (Roberto C. Sánchez)
---
 mumble
   NOTE: 20200325: Regression in last upload, forgot to follow up.
   NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1036b602b31f2725971acb7c3bbba4da82676bff


[Git][security-tracker-team/security-tracker][master] LTS: update issues which are to be fixed in stretch

2020-08-24 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
469d4967 by Roberto C. Sánchez at 2020-08-24T18:31:57-04:00
LTS: update issues which are to be fixed in stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -40888,7 +40888,6 @@ CVE-2020-7238 (Netty 4.1.43.Final allows HTTP Request 
Smuggling because it misha
{DLA-2110-1 DLA-2109-1}
- netty 1:4.1.45-1 (bug #950967)
- netty-3.9 
-   [stretch] - netty-3.9  (CVE-2019-16869 not fixed for 
stretch)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1796225
NOTE: https://github.com/jdordonezn/CVE-2020-72381/issues/1
NOTE: Issue exists because of incomplete fix for CVE-2019-16869.
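Review bot: dropping the `[stretch] - netty-3.9  (CVE-2019-16869 not fixed for stretch)` line turns CVE-2020-7238 into an open stretch issue for netty-3.9, but the entry's own NOTE says the issue exists because of an incomplete fix for CVE-2019-16869, so a stretch update for netty-3.9 has to address CVE-2019-16869 first; the stretch status of the CVE-2019-16869 entry should be updated in the same commit, or the commit message should say that it is being handled separately, so the two entries do not contradict each other.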



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/469d496742e20fdfda0c6f83e6c0fb71cc406c8a


[Git][security-tracker-team/security-tracker][master] 2 commits: mark nim CVEs as no-dsa

2020-08-24 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c471acdf by Thorsten Alteholz at 2020-08-24T23:21:06+02:00
mark nim CVEs as no-dsa

- - - - -
f7d26275 by Thorsten Alteholz at 2020-08-24T23:23:04+02:00
ignore CVE-2020-13124 of sabnzbdplus as it is in contrib

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -18192,12 +18192,15 @@ CVE-2020-15695 (An issue was discovered in Joomla! 
through 3.9.19. A missing tok
 CVE-2020-15694 (In Nim 1.2.4, the standard library httpClient fails to 
properly valida ...)
- nim 1.2.6-1
[buster] - nim  (Minor issue)
+   [stretch] - nim  (Minor issue)
 CVE-2020-15693 (In Nim 1.2.4, the standard library httpClient is vulnerable to 
a CR-LF ...)
- nim 1.2.6-1
[buster] - nim  (Minor issue)
+   [stretch] - nim  (Minor issue)
 CVE-2020-15692 (In Nim 1.2.4, the standard library browsers mishandles the URL 
argumen ...)
- nim 1.2.6-1
[buster] - nim  (Minor issue)
+   [stretch] - nim  (Minor issue)
 CVE-2020-15691
RESERVED
 CVE-2020-15690
@@ -24785,6 +24788,7 @@ CVE-2020-13125 (An issue was discovered in the 
"Ultimate Addons for Elementor" p
 CVE-2020-13124 (SABnzbd 2.3.9 and 3.0.0Alpha2 has a command injection 
vulnerability in ...)
- sabnzbdplus 
[buster] - sabnzbdplus  (Minor update, can be fixed via point 
release, contrib not supported)
+   [stretch] - sabnzbdplus  (contrib not supported)
NOTE: 
https://github.com/sabnzbd/sabnzbd/security/advisories/GHSA-9x87-96gg-33w2
NOTE: 
https://github.com/sabnzbd/sabnzbd/commit/dfcba6e2fb37f58fea06b453b1ba258c7f110429
NOTE: 
https://github.com/sabnzbd/sabnzbd/commit/73d3f7b5c248fc369de3454fe53e3e93924ebfe3



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/93edc9ba7c7de6c174204560b5f853994f9db9d9...f7d2627520fd6a36d05e856788054cbe0ab4c0dd


[Git][security-tracker-team/security-tracker][master] automatic update

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
93edc9ba by security tracker role at 2020-08-24T20:10:19+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,25 @@
+CVE-2020-24608
+   RESERVED
+CVE-2020-24607
+   RESERVED
+CVE-2020-24605
+   RESERVED
+CVE-2020-24604
+   RESERVED
+CVE-2020-24603
+   RESERVED
+CVE-2020-24602
+   RESERVED
+CVE-2020-24601
+   RESERVED
+CVE-2020-24600
+   RESERVED
+CVE-2020-24599
+   RESERVED
+CVE-2020-24598
+   RESERVED
+CVE-2020-24597
+   RESERVED
 CVE-2020-24596
RESERVED
 CVE-2020-24595
@@ -474,7 +496,7 @@ CVE-2020-24369 (ldebug.c in Lua 5.4.0 attempts to access 
debug information via t
NOTE: 
https://github.com/lua/lua/commit/ae5b5ba529753c7a653901ffc29b5ea24c3fdf3a
NOTE: https://www.lua.org/bugs.html#5.4.0-12
 CVE-2020-24368 (Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a 
Director ...)
-   {DSA-4747-1}
+   {DSA-4747-1 DLA-2343-1}
- icingaweb2 2.8.2-1 (bug #968833)
NOTE: 
https://icinga.com/2020/08/19/icinga-web-security-release-v2-6-4-v2-7-4-and-v2-8-2/
NOTE: https://github.com/Icinga/icingaweb2/issues/4226
@@ -486,8 +508,8 @@ CVE-2020-24366
RESERVED
 CVE-2020-24365
RESERVED
-CVE-2020-24364
-   RESERVED
+CVE-2020-24364 (MineTime through 1.8.5 allows XSS via the notes field in a 
meeting inv ...)
+   TODO: check
 CVE-2020-24363
RESERVED
 CVE-2016-11085 (php/qmn_options_questions_tab.php in the quiz-master-next 
plugin befor ...)
@@ -864,8 +886,8 @@ CVE-2020-24188
RESERVED
 CVE-2020-24187
RESERVED
-CVE-2020-24186
-   RESERVED
+CVE-2020-24186 (A Remote Code Execution vulnerability exists in the gVectors 
wpDiscuz  ...)
+   TODO: check
 CVE-2020-24185
RESERVED
 CVE-2020-24184
@@ -9454,36 +9476,36 @@ CVE-2020-19893
RESERVED
 CVE-2020-19892
RESERVED
-CVE-2020-19891
-   RESERVED
-CVE-2020-19890
-   RESERVED
-CVE-2020-19889
-   RESERVED
-CVE-2020-19888
-   RESERVED
-CVE-2020-19887
-   RESERVED
-CVE-2020-19886
-   RESERVED
-CVE-2020-19885
-   RESERVED
-CVE-2020-19884
-   RESERVED
-CVE-2020-19883
-   RESERVED
-CVE-2020-19882
-   RESERVED
-CVE-2020-19881
-   RESERVED
-CVE-2020-19880
-   RESERVED
-CVE-2020-19879
-   RESERVED
-CVE-2020-19878
-   RESERVED
-CVE-2020-19877
-   RESERVED
+CVE-2020-19891 (DBHcms v1.2.0 has an Arbitrary file write vulnerability in 
dbhcms\mod\ ...)
+   TODO: check
+CVE-2020-19890 (DBHcms v1.2.0 has an Arbitrary file read vulnerability in 
dbhcms\mod\m ...)
+   TODO: check
+CVE-2020-19889 (DBHcms v1.2.0 has no CSRF protection mechanism,as demonstrated 
by CSRF ...)
+   TODO: check
+CVE-2020-19888 (DBHcms v1.2.0 has an unauthorized operation vulnerability 
because ther ...)
+   TODO: check
+CVE-2020-19887 (DBHcms v1.2.0 has a stored XSS vulnerability as there is no 
htmlspecia ...)
+   TODO: check
+CVE-2020-19886 (DBHcms v1.2.0 has no CSRF protection mechanism,as demonstrated 
by CSRF ...)
+   TODO: check
+CVE-2020-19885 (DBHcms v1.2.0 has a stored xss vulnerability as there is no 
htmlspecia ...)
+   TODO: check
+CVE-2020-19884 (DBHcms v1.2.0 has a stored xss vulnerability as there is no 
htmlspecia ...)
+   TODO: check
+CVE-2020-19883 (DBHcms v1.2.0 has a stored xss vulnerability as there is no 
security f ...)
+   TODO: check
+CVE-2020-19882 (DBHcms v1.2.0 has a stored xss vulnerability as there is no 
htmlspecia ...)
+   TODO: check
+CVE-2020-19881 (DBHcms v1.2.0 has a reflected xss vulnerability as there is no 
securit ...)
+   TODO: check
+CVE-2020-19880 (DBHcms v1.2.0 has a stored xss vulnerability as there is no 
htmlspecia ...)
+   TODO: check
+CVE-2020-19879 (DBHcms v1.2.0 has a stored xss vulnerability as there is no 
security f ...)
+   TODO: check
+CVE-2020-19878 (DBHcms v1.2.0 has a sensitive information leaks vulnerability 
as there ...)
+   TODO: check
+CVE-2020-19877 (DBHcms v1.2.0 has a directory traversal vulnerability as there 
is no d ...)
+   TODO: check
 CVE-2020-19876
RESERVED
 CVE-2020-19875
@@ -17857,7 +17879,7 @@ CVE-2020-15811
- squid3 
NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-c7p8-xqhm-49wv
NOTE: Squid 4: 
http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_8.patch
-CVE-2020-24606 [SQUID-2020:9 Denial of Service processing Cache Digest 
Response]
+CVE-2020-24606 (Squid before 4.13 and 5.x before 5.0.4 allows a trusted peer 
to perfor ...)
- squid 4.13-1 (bug #968933)
- squid3 
NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-vvj7-xjgq-g2jg
@@ -21524,8 +21546,7 @@ CVE-2020-14369
RESERVED
 CVE-2020-14368
RESERVED

[Git][security-tracker-team/security-tracker][master] LTS: claim netty, netty-3.9

2020-08-24 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
78083c57 by Roberto C. Sánchez at 2020-08-24T16:04:34-04:00
LTS: claim netty, netty-3.9

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -113,9 +113,9 @@ mumble
 --
 ndpi (Thorsten Alteholz)
 --
-netty
+netty (Roberto C. Sánchez)
 --
-netty-3.9
+netty-3.9 (Roberto C. Sánchez)
 --
 nss
   NOTE: 20200706: from dsa-needed.txt: Roberto proposed an update including 
fixes for CVE-2018-12404 and CVE-2018-18508 (Beuc)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/78083c5785ff0834d6f32a7e061b3a0071db6364


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2343-1 for icingaweb2

2020-08-24 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
457c4691 by Roberto C. Sánchez at 2020-08-24T15:42:28-04:00
Reserve DLA-2343-1 for icingaweb2

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[24 Aug 2020] DLA-2343-1 icingaweb2 - security update
+   {CVE-2020-24368}
+   [stretch] - icingaweb2 2.4.1-1+deb9u1
 [24 Aug 2020] DLA-2342-1 libjackson-json-java - security update
{CVE-2017-7525 CVE-2017-15095 CVE-2019-10172}
[stretch] - libjackson-json-java 1.9.2-8+deb9u1


=
data/dla-needed.txt
=
@@ -89,8 +89,6 @@ guacamole-client (Mike Gabriel)
   NOTE: 20200815: The bad maintenance is not because of the maintainer, but 
because of upstream's delay to port the software
   NOTE: 20200815: over to the freerdp2 API. (sunweaver)
 --
-icingaweb2 (Roberto C. Sánchez)
---
 jetty9
 --
 jupyter-notebook (Mike Gabriel)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/457c4691ebc85c6f574e395225a67b2fc23593e1


[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-16117/evolution-data-server

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7f6535e4 by Salvatore Bonaccorso at 2020-08-24T20:42:40+02:00
Mark CVE-2020-16117/evolution-data-server

To exploit the issue a malicious server is required and it just causes
a crash of the client. The fix can thus be included in an upcoming point
release.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17150,6 +17150,7 @@ CVE-2020-16118 (In GNOME Balsa before 2.6.0, a 
malicious server operator or man
 CVE-2020-16117 (In GNOME evolution-data-server before 3.35.91, a malicious 
server can  ...)
{DLA-2309-1}
- evolution-data-server 3.36.0-1
+   [buster] - evolution-data-server  (Minor issue)
NOTE: 
https://gitlab.gnome.org/GNOME/evolution-data-server/-/commit/2cc39592b532cf0dc994fd3694b8e6bf924c9ab5
NOTE: 
https://gitlab.gnome.org/GNOME/evolution-data-server/-/commit/627c3cdbfd077e59aa288c85ff8272950577f1d7
NOTE: https://gitlab.gnome.org/GNOME/evolution-data-server/-/issues/189



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f6535e4ece0c94f420625731288d587ca36fb75


[Git][security-tracker-team/security-tracker][master] LTS: claim icingaweb2

2020-08-24 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
74a51ec9 by Roberto C. Sánchez at 2020-08-24T14:39:17-04:00
LTS: claim icingaweb2

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -89,7 +89,7 @@ guacamole-client (Mike Gabriel)
   NOTE: 20200815: The bad maintenance is not because of the maintainer, but 
because of upstream's delay to port the software
   NOTE: 20200815: over to the freerdp2 API. (sunweaver)
 --
-icingaweb2
+icingaweb2 (Roberto C. Sánchez)
 --
 jetty9
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/74a51ec950d8dfa4525c9b79a9c82a266b68fc79


[Git][security-tracker-team/security-tracker][master] LTS: remove chrony from dla-needed.txt, no remaining open issues

2020-08-24 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
48d502e5 by Roberto C. Sánchez at 2020-08-24T14:36:25-04:00
LTS: remove chrony from dla-needed.txt, no remaining open issues

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -46,8 +46,6 @@ ceph
   NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby)
   NOTE: 20200707: Some discussion regarding removal 
 (lamby)
 --
-chrony (Roberto C. Sánchez)
---
 cimg
   NOTE: 20200709: Upstream patch is against a newer "load_network_external"
   NOTE: 20200709: method (vs "load_network") but is still missing the argument



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/48d502e5bd2b6b77b31ffa4340c65196439e7c6e


[Git][security-tracker-team/security-tracker][master] CVE-2020-24606/squid assigned for SQUID-2020:9 issue

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3cb68ff7 by Salvatore Bonaccorso at 2020-08-24T20:32:36+02:00
CVE-2020-24606/squid assigned for SQUID-2020:9 issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17856,7 +17856,7 @@ CVE-2020-15811
- squid3 
NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-c7p8-xqhm-49wv
NOTE: Squid 4: 
http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_8.patch
-CVE-2020- [SQUID-2020:9 Denial of Service processing Cache Digest Response]
+CVE-2020-24606 [SQUID-2020:9 Denial of Service processing Cache Digest 
Response]
- squid 4.13-1 (bug #968933)
- squid3 
NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-vvj7-xjgq-g2jg



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cb68ff7b65e36d715e9ffb8f28440feb00acf45


[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-14367/chrony as non-issue

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8f2aa9a5 by Salvatore Bonaccorso at 2020-08-24T20:20:15+02:00
Mark CVE-2020-14367/chrony as non-issue

While problematic sourcewise up to the fixed version in Debian the issue
is mitigated by not using /run/chrony/chronyd.pid for the pidfile as the
pidfile location in stretch used the default /var/run/chronyd.pid and
later versions override the setting to /run/chronyd.pid.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21525,11 +21525,13 @@ CVE-2020-14368
RESERVED
 CVE-2020-14367 [Insecure writing to PID file]
RESERVED
-   - chrony 3.5.1-1
+   - chrony 3.5.1-1 (unimportant)
NOTE: https://www.openwall.com/lists/oss-security/2020/08/21/1
NOTE: Fixed by: 
https://git.tuxfamily.org/chrony/chrony.git/commit/util.c?id=7a4c396bba8f92a3ee8018620983529152050c74
 (4.0-pre1)
NOTE: Fixed by: 
https://git.tuxfamily.org/chrony/chrony.git/commit/main.c?id=e18903a6b56341481a2e08469c0602010bf7bfe3
 (4.0-pre1)
NOTE: Minimal backport: 
https://git.tuxfamily.org/chrony/chrony.git/commit/?id=f00fed20092b6a42283f29c6ee1f58244d74b545
 (3.5.1)
+   NOTE: Debian packaging relocates chronyd.pid as well to /run since 3.1-3
+   NOTE: additionally mitigating the issue. Earlier versions used 
/var/run/chronyd.pid.
 CVE-2020-14366
RESERVED
 CVE-2020-14365
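Review bot: the two added NOTE lines record where Debian places chronyd.pid but not why that matters, so a reader of data/CVE/list cannot see from the entry alone why the `(unimportant)` marking on `chrony 3.5.1-1` is justified; suggest carrying the reasoning from the commit message into the NOTE, e.g. `NOTE: Not exploitable in Debian: pidfile is /run/chronyd.pid (default /var/run/chronyd.pid before 3.1-3), not /run/chrony/chronyd.pid`. It would also help to name the stretch version explicitly, since the argument rests on it being older than 3.1-3.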



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f2aa9a554520cba7b12432d233745e24d91f616


[Git][security-tracker-team/security-tracker][master] Add ghostscript to dsa-needed list

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
eab0fbd2 by Salvatore Bonaccorso at 2020-08-24T18:22:43+02:00
Add ghostscript to dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -18,6 +18,8 @@ chromium
 --
 curl (ghedo)
 --
+ghostscript (jmm)
+--
 knot-resolver
   Santiago Ruano Rincón proposed a debdiff for review
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eab0fbd210023e4baea263d5987dbb196ab8b8cb


[Git][security-tracker-team/security-tracker][master] Add bind9 to dsa-needed list

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
641c148c by Salvatore Bonaccorso at 2020-08-24T18:23:15+02:00
Add bind9 to dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -14,6 +14,8 @@ If needed, specify the release by adding a slash after the 
name of the source pa
 --
 apache2
 --
+bind9
+--
 chromium
 --
 curl (ghedo)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/641c148c8e40e717ff50361fdf74708c0cd4aa22


[Git][security-tracker-team/security-tracker][master] Sync CVE-2020-11061/bacula status with bareos

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
67375315 by Salvatore Bonaccorso at 2020-08-24T18:21:10+02:00
Sync CVE-2020-11061/bacula status with bareos

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -31107,6 +31107,7 @@ CVE-2020-11062 (In GLPI after 0.68.1 and before 9.4.6, 
multiple reflexive XSS oc
NOTE: Only supported behind an authenticated HTTP zone
 CVE-2020-11061 (In Bareos Director less than or equal to 16.2.10, 17.2.9, 
18.2.8, and  ...)
- bacula 9.6.5-1
+   [buster] - bacula  (Minor issue; can be fixed via point release)
- bareos  (bug #968957)
[buster] - bareos  (Minor issue; can be fixed via point release)
[stretch] - bareos  (minor issue, low priority)
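Review bot: the sync looks incomplete: the bareos entry carries both a buster and a stretch line (`[stretch] - bareos  (minor issue, low priority)`), while this hunk adds only the buster line for bacula and leaves the stretch status of bacula, which is not visible in the hunk, untouched; either add a matching `[stretch] - bacula` line with the same rationale or state in the commit message why stretch is handled differently for bacula.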



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/67375315977516e8ea2b27ede131bb8a5d3b4dd4


[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-11061/bareos as no-dsa

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
549b7025 by Salvatore Bonaccorso at 2020-08-24T18:19:06+02:00
Mark CVE-2020-11061/bareos as no-dsa

To some extent file daemons must be trusted from the directory anyway.
So it should be safe enough to defer a fix into a point release.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -31108,6 +31108,7 @@ CVE-2020-11062 (In GLPI after 0.68.1 and before 9.4.6, 
multiple reflexive XSS oc
 CVE-2020-11061 (In Bareos Director less than or equal to 16.2.10, 17.2.9, 
18.2.8, and  ...)
- bacula 9.6.5-1
- bareos  (bug #968957)
+   [buster] - bareos  (Minor issue; can be fixed via point release)
[stretch] - bareos  (minor issue, low priority)
NOTE: 
https://github.com/bareos/bareos/security/advisories/GHSA-mm45-cg35-54j4
NOTE: https://bugs.bareos.org/view.php?id=1210
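Review bot: the rationale given in the commit message (file daemons have to be trusted by the director anyway, so the fix can wait for a point release) is not recorded in the entry itself; add it as a NOTE line next to the two references so the reasoning survives in data/CVE/list, the way the CVE-2020-4042 entry carries its workaround in NOTE lines. The new buster reason says "Minor issue" while the stretch line says "minor issue, low priority"; align the wording so the two suites read consistently.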



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/549b7025b4745ce821a1098c9cf00ef6b0a349d7


[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-4042/bareos rather as ignored than no-dsa

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c82b88bb by Salvatore Bonaccorso at 2020-08-24T18:02:12+02:00
Mark CVE-2020-4042/bareos rather as ignored than no-dsa

It is intrusive to backport as such, and unlikely we want to take the
risk to do so in buster. So ignore it for an update.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -48810,7 +48810,7 @@ CVE-2020-4043 (phpMussel from versions 1.0.0 and less 
than 1.6.0 has an unserial
NOT-FOR-US: phpMussel
 CVE-2020-4042 (Bareos before version 19.2.8 and earlier allows a malicious 
client to  ...)
- bareos  (bug #965985)
-   [buster] - bareos  (Minor issue; workaround exists; intrusive 
to backport to older versions)
+   [buster] - bareos  (Minor issue; workaround exists; intrusive 
to backport to older versions)
[stretch] - bareos  (minor issue, low priority)
NOTE: 
https://github.com/bareos/bareos/security/advisories/GHSA-vqpj-2vhj-h752
NOTE: https://bugs.bareos.org/view.php?id=1250
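Review bot: the `-` and `+` lines of this hunk read identically here, so the only change is the status keyword (no-dsa to ignored, per the commit title), which the mail rendering has dropped; the reason text "workaround exists; intrusive to backport to older versions" is kept unchanged, which is fine. The `[stretch] - bareos (minor issue, low priority)` line still carries the older rationale: if the backport is too intrusive for buster it is presumably also too intrusive for stretch, so consider giving stretch the same keyword and reason.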



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c82b88bb58fade348ea47b0178d8cf87e553b88e


[Git][security-tracker-team/security-tracker][master] Replace Debian bug reference for CVE-2020-11061/bareos

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d958f86f by Salvatore Bonaccorso at 2020-08-24T17:52:57+02:00
Replace Debian bug reference for CVE-2020-11061/bareos

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -31107,7 +31107,7 @@ CVE-2020-11062 (In GLPI after 0.68.1 and before 9.4.6, 
multiple reflexive XSS oc
NOTE: Only supported behind an authenticated HTTP zone
 CVE-2020-11061 (In Bareos Director less than or equal to 16.2.10, 17.2.9, 
18.2.8, and  ...)
- bacula 9.6.5-1
-   - bareos  (bug #965985)
+   - bareos  (bug #968957)
[stretch] - bareos  (minor issue, low priority)
NOTE: 
https://github.com/bareos/bareos/security/advisories/GHSA-mm45-cg35-54j4
NOTE: https://bugs.bareos.org/view.php?id=1210
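Review bot: #965985 is the bug referenced on the CVE-2020-4042 bareos entry elsewhere in this file, so the old line was a copy-and-paste from that entry; verify that #968957 is filed against bareos for CVE-2020-11061 specifically and that #965985 stays on the CVE-2020-4042 entry only.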



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d958f86f4f8b2465f55d71ed8137f99cfb733bb4


[Git][security-tracker-team/security-tracker][master] Three squid issues fixed in unstable upload

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
26e1d953 by Salvatore Bonaccorso at 2020-08-24T17:51:23+02:00
Three squid issues fixed in unstable upload

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17852,18 +17852,18 @@ CVE-2020-15812
RESERVED
 CVE-2020-15811
RESERVED
-   - squid  (bug #968932)
+   - squid 4.13-1 (bug #968932)
- squid3 
NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-c7p8-xqhm-49wv
NOTE: Squid 4: 
http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_8.patch
 CVE-2020- [SQUID-2020:9 Denial of Service processing Cache Digest Response]
-   - squid  (bug #968933)
+   - squid 4.13-1 (bug #968933)
- squid3 
NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-vvj7-xjgq-g2jg
NOTE: Squid 4: 
http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_9.patch
 CVE-2020-15810
RESERVED
-   - squid  (bug #968934)
+   - squid 4.13-1 (bug #968934)
- squid3 
NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-3365-q9qx-f98m
NOTE: Squid 4: 
http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_10.patch
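Review bot: all three entries now record `squid 4.13-1` as the fixing upload, but the three `squid3` lines remain without a fixed version or suite annotation, so the older source package shows as open for each issue; add the appropriate `[suite]` annotations or a NOTE saying who is handling squid3. The middle entry is still the placeholder `CVE-2020- [SQUID-2020:9 Denial of Service processing Cache Digest Response]`; once the CVE ID is assigned, the placeholder must be renamed so the `4.13-1` fixed version and the `(bug #968933)` reference are not lost.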



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/26e1d9533197ab4e7ef91d8e48b969bb79d25cfc


[Git][security-tracker-team/security-tracker][master] Track CVE-2020-11061 as well for bacula

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5d8c007c by Salvatore Bonaccorso at 2020-08-24T17:29:10+02:00
Track CVE-2020-11061 as well for bacula

Following the upstream report https://bugs.bareos.org/view.php?id=1210;
for bareos it looks like Bareos upstream agreed that the same issue is
affecting Bacula, though the code diverged.

For now track both source packages affected by the issue with the same
CVE, but clarification is pending with MITRE to assess if a secondary CVE
is needed.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -31106,11 +31106,13 @@ CVE-2020-11062 (In GLPI after 0.68.1 and before 
9.4.6, multiple reflexive XSS oc
NOTE: 
https://github.com/glpi-project/glpi/commit/5e1c52c5e8a30ceb4e9572964da7ed89ddfb1aaf
NOTE: Only supported behind an authenticated HTTP zone
 CVE-2020-11061 (In Bareos Director less than or equal to 16.2.10, 17.2.9, 
18.2.8, and  ...)
+   - bacula 9.6.5-1
- bareos  (bug #965985)
[stretch] - bareos  (minor issue, low priority)
NOTE: 
https://github.com/bareos/bareos/security/advisories/GHSA-mm45-cg35-54j4
NOTE: https://bugs.bareos.org/view.php?id=1210
NOTE: 
https://github.com/bareos/bareos/commit/86c6fa479a21a1464366babb74e6cf33770ed7ae
 (master)
+   NOTE: 
https://www.bacula.org/git/cgit.cgi/bacula/commit/?id=f9472227317b8e1d26a781d042e0efdf432a633f
 (Release-9.6.4)
 CVE-2020-11060 (In GLPI before 9.4.6, an attacker can execute system commands 
by abusi ...)
- glpi  (unimportant)
NOTE: 
https://github.com/glpi-project/glpi/security/advisories/GHSA-cvvq-3fww-5v6f
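Review bot: the new `bacula 9.6.5-1` line and the bacula commit annotated `(Release-9.6.4)` do not state which upstream bacula release first contains the fix; add the upstream fixed version to the NOTE so the mapping to the Debian 9.6.5-1 upload can be checked. Since the commit message says the CVE assignment for bacula is still being clarified with MITRE, also add a NOTE that tracking bacula under CVE-2020-11061 is provisional, so the entry is revisited if a separate CVE is issued. The bareos line has a `[stretch]` annotation but the new bacula line has none, leaving stretch's bacula status undetermined.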



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d8c007c3dca610b98b9e9f7519d7f78dce3e644


[Git][security-tracker-team/security-tracker][master] Update status for CVE-2020-4042/bareos

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
92ae9434 by Salvatore Bonaccorso at 2020-08-24T17:17:48+02:00
Update status for CVE-2020-4042/bareos

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -48808,10 +48808,14 @@ CVE-2020-4043 (phpMussel from versions 1.0.0 and less 
than 1.6.0 has an unserial
NOT-FOR-US: phpMussel
 CVE-2020-4042 (Bareos before version 19.2.8 and earlier allows a malicious 
client to  ...)
- bareos  (bug #965985)
+   [buster] - bareos  (Minor issue; workaround exists; intrusive 
to backport to older versions)
[stretch] - bareos  (minor issue, low priority)
NOTE: 
https://github.com/bareos/bareos/security/advisories/GHSA-vqpj-2vhj-h752
NOTE: https://bugs.bareos.org/view.php?id=1250
NOTE: 
https://github.com/bareos/bareos/commit/93f2db6451a684fbb224a7d24cdd85e77b2b51fc
 (master)
+   NOTE: Workaround: Make sure the director will not connect to a client 
that can
+   NOTE: initiate connections. As a rule: every client with "Connection 
From Client
+   NOTE: To Director = yes" must also set "Connection From Director To 
Client = no".
 CVE-2020-4041 (In Bolt CMS before version 3.7.1, the filename of uploaded 
files was v ...)
NOT-FOR-US: Bolt CMS
 CVE-2020-4040 (Bolt CMS before version 3.7.1 lacked CSRF protection in the 
preview ge ...)
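Review bot: the buster reason "workaround exists" is backed by the three new NOTE lines describing the director configuration workaround, good. The stretch line keeps the older reason "minor issue, low priority", so the two suites now give different rationales for the same unfixed state; use the same reason text (workaround exists; intrusive to backport) for stretch, or say why stretch differs. The upstream fix is referenced only as a `(master)` commit; note the release tag that carries it, since the description says versions before 19.2.8 are affected and a master-only reference does not identify which upstream release is safe.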



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92ae94344e1b2a014fc7fc1579d22a62be842fae


[Git][security-tracker-team/security-tracker][master] 2 commits: Reference upstream commit for CVE-2020-11061/bareos

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d02146dc by Salvatore Bonaccorso at 2020-08-24T16:51:15+02:00
Reference upstream commit for CVE-2020-11061/bareos

- - - - -
413d37a2 by Salvatore Bonaccorso at 2020-08-24T16:52:37+02:00
Reference upstream commit for CVE-2020-4042/bareos

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -31110,6 +31110,7 @@ CVE-2020-11061 (In Bareos Director less than or equal 
to 16.2.10, 17.2.9, 18.2.8
[stretch] - bareos  (minor issue, low priority)
NOTE: 
https://github.com/bareos/bareos/security/advisories/GHSA-mm45-cg35-54j4
NOTE: https://bugs.bareos.org/view.php?id=1210
+   NOTE: 
https://github.com/bareos/bareos/commit/86c6fa479a21a1464366babb74e6cf33770ed7ae
 (master)
 CVE-2020-11060 (In GLPI before 9.4.6, an attacker can execute system commands 
by abusi ...)
- glpi  (unimportant)
NOTE: 
https://github.com/glpi-project/glpi/security/advisories/GHSA-cvvq-3fww-5v6f
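Review bot: the added reference is annotated `(master)` only; the CVE description says releases up to 16.2.10, 17.2.9 and 18.2.8 are affected, so the fix must also exist on those release branches. Record the release tag or branch commit that contains the fix alongside the master commit, since a master-only reference does not tell which upstream version is safe and makes it harder to pick the right patch for a stretch or buster backport.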
@@ -48810,6 +48811,7 @@ CVE-2020-4042 (Bareos before version 19.2.8 and earlier 
allows a malicious clien
[stretch] - bareos  (minor issue, low priority)
NOTE: 
https://github.com/bareos/bareos/security/advisories/GHSA-vqpj-2vhj-h752
NOTE: https://bugs.bareos.org/view.php?id=1250
+   NOTE: 
https://github.com/bareos/bareos/commit/93f2db6451a684fbb224a7d24cdd85e77b2b51fc
 (master)
 CVE-2020-4041 (In Bolt CMS before version 3.7.1, the filename of uploaded 
files was v ...)
NOT-FOR-US: Bolt CMS
 CVE-2020-4040 (Bolt CMS before version 3.7.1 lacked CSRF protection in the 
preview ge ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ded2c43cce3649797f540dcf19b7099d956b9258...413d37a20342a1eff91fd01e72cb6d0469fd9e84


[Git][security-tracker-team/security-tracker][master] Reference upstream issue for CVE-2020-4042

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ded2c43c by Salvatore Bonaccorso at 2020-08-24T16:33:45+02:00
Reference upstream issue for CVE-2020-4042

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -48809,6 +48809,7 @@ CVE-2020-4042 (Bareos before version 19.2.8 and earlier 
allows a malicious clien
- bareos  (bug #965985)
[stretch] - bareos  (minor issue, low priority)
NOTE: 
https://github.com/bareos/bareos/security/advisories/GHSA-vqpj-2vhj-h752
+   NOTE: https://bugs.bareos.org/view.php?id=1250
 CVE-2020-4041 (In Bolt CMS before version 3.7.1, the filename of uploaded 
files was v ...)
NOT-FOR-US: Bolt CMS
 CVE-2020-4040 (Bolt CMS before version 3.7.1 lacked CSRF protection in the 
preview ge ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ded2c43cce3649797f540dcf19b7099d956b9258


[Git][security-tracker-team/security-tracker][master] Reference upstream issue for CVE-2020-11061/bareos

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
867e8632 by Salvatore Bonaccorso at 2020-08-24T16:32:19+02:00
Reference upstream issue for CVE-2020-11061/bareos

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -31109,6 +31109,7 @@ CVE-2020-11061 (In Bareos Director less than or equal 
to 16.2.10, 17.2.9, 18.2.8
- bareos  (bug #965985)
[stretch] - bareos  (minor issue, low priority)
NOTE: 
https://github.com/bareos/bareos/security/advisories/GHSA-mm45-cg35-54j4
+   NOTE: https://bugs.bareos.org/view.php?id=1210
 CVE-2020-11060 (In GLPI before 9.4.6, an attacker can execute system commands 
by abusi ...)
- glpi  (unimportant)
NOTE: 
https://github.com/glpi-project/glpi/security/advisories/GHSA-cvvq-3fww-5v6f



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/867e8632d1d3bc542ec3fe7f7c094cdafe4862ac


[Git][security-tracker-team/security-tracker][master] tracker_service.py: Source: more: Link to vendor information via HTTPS

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3e548183 by Salvatore Bonaccorso at 2020-08-24T16:23:24+02:00
tracker_service.py: Source: more: Link to vendor information via HTTPS

- - - - -


1 changed file:

- bin/tracker_service.py


Changes:

=
bin/tracker_service.py
=
@@ -408,7 +408,7 @@ data source.""")],
   ", ",
   self.make_web_search_bug_ref(url, 
bug.name, 'web search'),
   ", ",
-  
A(url.absolute('http://oss-security.openwall.org/wiki/vendors'), 'more'),
+  
A(url.absolute('https://oss-security.openwall.org/wiki/vendors'), 'more'),
   ")")
 elif source == 'DSA':
 source_xref = self.make_dsa_ref(url, bug.name, 'Debian')



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e548183bbaac42458a2bcdc3a93e98e5d1756ea


[Git][security-tracker-team/security-tracker][master] 2 commits: Drop some trailing whitespaces

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4d9e74c7 by Salvatore Bonaccorso at 2020-08-24T16:15:34+02:00
Drop some trailing whitespaces

- - - - -
9a79bfa8 by Salvatore Bonaccorso at 2020-08-24T16:17:56+02:00
Use HTTPS transport for www.openwall.com/lists/oss-security URLs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
The diff for this file was not included because it is too large.


View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/879501354b84093198db99881759da4eb7bf...9a79bfa8fec4f6e2cf11cca9fc9cd8de5a9cd68b


[Git][security-tracker-team/security-tracker][master] mark CVE-2020-24352 as unimportant

2020-08-24 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
87950135 by Moritz Muehlenhoff at 2020-08-24T15:53:03+02:00
mark CVE-2020-24352 as unimportant

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -515,10 +515,11 @@ CVE-2020-24353
RESERVED
 CVE-2020-24352
RESERVED
-   - qemu  (bug #968820)
+   - qemu  (unimportant; bug #968820)
[buster] - qemu  (Vulnerable code introduced in ATI VGA 
device emulation added later)
[stretch] - qemu  (Vulnerable code introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1847584
+   NOTE: Feature isn't production-ready/experimental: 
https://lists.gnu.org/archive/html/qemu-devel/2020-08/msg05528.html
 CVE-2020-24351
RESERVED
 CVE-2020-24350



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/879501354b84093198db99881759da4eb7bf


[Git][security-tracker-team/security-tracker][master] Add additional reference for CVE-2020-14364

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6df8bd69 by Salvatore Bonaccorso at 2020-08-24T15:21:31+02:00
Add additional reference for CVE-2020-14364

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21537,6 +21537,7 @@ CVE-2020-14364 [usb: out-of-bounds r/w access issue]
RESERVED
- qemu  (bug #968947)
NOTE: https://xenbits.xen.org/xsa/advisory-335.html
+   NOTE: https://www.openwall.com/lists/oss-security/2020/08/24/3
 CVE-2020-14363
RESERVED
 CVE-2020-14362



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6df8bd6941c87c3475f7270ed35329e7f580a998


[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-14364/qemu

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
48a14fbb by Salvatore Bonaccorso at 2020-08-24T14:55:00+02:00
Add Debian bug reference for CVE-2020-14364/qemu

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21535,7 +21535,7 @@ CVE-2020-14365
RESERVED
 CVE-2020-14364 [usb: out-of-bounds r/w access issue]
RESERVED
-   - qemu 
+   - qemu  (bug #968947)
NOTE: https://xenbits.xen.org/xsa/advisory-335.html
 CVE-2020-14363
RESERVED



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/48a14fbb903941d0b3a6688c591c6eff9c7dd5eb


[Git][security-tracker-team/security-tracker][master] LTS: claim chrony, mongodb

2020-08-24 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
91624166 by Roberto C. Sánchez at 2020-08-24T08:49:41-04:00
LTS: claim chrony, mongodb

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -46,7 +46,7 @@ ceph
   NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby)
   NOTE: 20200707: Some discussion regarding removal 
 (lamby)
 --
-chrony
+chrony (Roberto C. Sánchez)
 --
 cimg
   NOTE: 20200709: Upstream patch is against a newer "load_network_external"
@@ -106,7 +106,7 @@ linux-4.9 (Ben Hutchings)
 --
 lua5.3
 --
-mongodb
+mongodb (Roberto C. Sánchez)
 --
 mumble
   NOTE: 20200325: Regression in last upload, forgot to follow up.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9162416630498e359aa7535a3f8d8e0689a29e53


[Git][security-tracker-team/security-tracker][master] Remove one spurious whitespace in temporary description

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0273a8f4 by Salvatore Bonaccorso at 2020-08-24T14:24:16+02:00
Remove one spurious whitespace in temporary description

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21533,7 +21533,7 @@ CVE-2020-14366
RESERVED
 CVE-2020-14365
RESERVED
-CVE-2020-14364 [usb:  out-of-bounds r/w access issue]
+CVE-2020-14364 [usb: out-of-bounds r/w access issue]
RESERVED
- qemu 
NOTE: https://xenbits.xen.org/xsa/advisory-335.html



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0273a8f408ae1188c81dc2ffbdf4ce12b3177ecd


[Git][security-tracker-team/security-tracker][master] Add CVE-2020-14364/qemu

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
64383fec by Salvatore Bonaccorso at 2020-08-24T14:23:33+02:00
Add CVE-2020-14364/qemu

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21533,8 +21533,10 @@ CVE-2020-14366
RESERVED
 CVE-2020-14365
RESERVED
-CVE-2020-14364
+CVE-2020-14364 [usb:  out-of-bounds r/w access issue]
RESERVED
+   - qemu 
+   NOTE: https://xenbits.xen.org/xsa/advisory-335.html
 CVE-2020-14363
RESERVED
 CVE-2020-14362
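Review bot: the description placeholder has a doubled space in `[usb:  out-of-bounds r/w access issue]`, and the `- qemu` line is added with neither a Debian bug reference nor a severity, the only reference being XSA-335. Add the bug number and an oss-security or upstream reference once available, and consider a NOTE naming the affected USB device emulation so suite annotations can be checked against the packaged qemu versions.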



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64383fec2a4bb9bc621bfb2f9cbb2c70ce359953


[Git][security-tracker-team/security-tracker][master] 2 commits: dla: drop notes about CVE-2020-4046

2020-08-24 Thread Sylvain Beucler


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3dc92515 by Sylvain Beucler at 2020-08-24T12:33:21+02:00
dla: drop notes about CVE-2020-4046
fixed by 59fccc83dfbef0f75cfe3787ca660c878b89aa7e later that day

- - - - -
88919eff by Sylvain Beucler at 2020-08-24T12:35:51+02:00
dla: claim wordpress

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -199,11 +199,7 @@ sympa
   NOTE: 20200604: the non-public patch is being discussed internally. (utkarsh)
   NOTE: 20200604: shall process the upload once the confirmation is given. 
(utkarsh)
 --
-wordpress
-  NOTE: 20200710: Vulnerable to at least CVE-2020-4046. (lamby)
-  NOTE: 20200710: During triage noticed that CVE-2020-4046 was marked as fixed
-  NOTE: 20200710: in 4.1.31+dfsg-0+deb8u1 in jessie LTS, yet does not seem that
-  NOTE: 20200710: it was vulnerable to begin with. (lamby)
+wordpress (Sylvain Beucler)
 --
 xcftools
   NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for 
upstream review (hle)
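Review bot: the four dropped NOTE lines recorded that CVE-2020-4046 had been marked fixed in 4.1.31+dfsg-0+deb8u1 although wordpress did not appear vulnerable to begin with; the commit message says this was resolved by 59fccc83dfbef0f75cfe3787ca660c878b89aa7e, but the hunk leaves no trace of that in dla-needed.txt. Keep a one-line dated NOTE pointing at that resolution under the new `wordpress (Sylvain Beucler)` line, so the claimant does not re-triage CVE-2020-4046.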



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/dfa153e8d171e9c44dce5c3562cafd952f8198c6...88919eff42fd705f1c35982a9756d37dfa994b49


[Git][security-tracker-team/security-tracker][master] curl fixed in sid

2020-08-24 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dfa153e8 by Moritz Muehlenhoff at 2020-08-24T12:04:16+02:00
curl fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21609,8 +21609,8 @@ CVE-2020-14344 (An integer overflow leading to a 
heap-buffer overflow was found
NOTE: 
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/2fcfcc49f3b1be854bb9085993a01d17c62acf60
NOTE: 
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1a566c9e00e5f35c1f9e7f3d741a02e5170852b2
NOTE: 
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1703b9f3435079d3c6021e1ee2ec34fd4978103d
-   NOTE: Original patchset introduces regression: 
https://bugs.debian.org/966691
-   NOTE: Follow-up for regression: 
https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/116
+   NOTE: Original patchset introduces regression: 
https://bugs.debian.org/966691 and 
https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/116
+   NOTE: Follow-up for regression: 
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/93fce3f4e79cbc737d6468a4f68ba3de1b83953b
 CVE-2020-14343 [.load() and FullLoader still vulnerable to fairly trivial RCE]
RESERVED
- pyyaml  (bug #966233)
@@ -38445,7 +38445,7 @@ CVE-2020-8232 (An information disclosure vulnerability 
exists in EdgeMax EdgeSwi
NOT-FOR-US: Edgeswitch
 CVE-2020-8231
RESERVED
-   - curl  (bug #968831)
+   - curl 7.72.0-1 (bug #968831)
NOTE: https://curl.haxx.se/docs/CVE-2020-8231.html
NOTE: https://github.com/curl/curl/pull/5824
NOTE: 
https://github.com/curl/curl/commit/3c9e021f86872baae412a427e807fbfa2f3e8
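Review bot: the commit reference `https://github.com/curl/curl/commit/3c9e021f86872baae412a427e807fbfa2f3e8` is 37 hex characters rather than a full 40-character SHA-1; GitHub resolves an abbreviated prefix, but the tracker normally stores the full hash, so check whether characters were lost (here or in the mail rendering) and store the complete id. The other curl entries annotate the upstream fixed version after the commit, e.g. `(7.71.0)` on CVE-2020-8177; do the same here for 7.72.0.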
@@ -38571,7 +38571,7 @@ CVE-2020-8178 (Insufficient input validation in npm 
package `jison` = 0.4.18
 CVE-2020-8177
RESERVED
{DLA-2295-1}
-   - curl  (bug #965281)
+   - curl 7.72.0-1 (bug #965281)
NOTE: https://curl.haxx.se/docs/CVE-2020-8177.html
NOTE: 
https://github.com/curl/curl/commit/8236aba58542c5f89f1d41ca09d84579efb05e22 
(7.71.0)
 CVE-2020-8176 (A cross-site scripting vulnerability exists in koa-shopify-auth 
v3.1.6 ...)
@@ -38595,7 +38595,7 @@ CVE-2020-8170 (We have recently released new version of 
AirMax AirOS firmware v6
NOT-FOR-US: AirMax AirOS
 CVE-2020-8169
RESERVED
-   - curl  (bug #965280)
+   - curl 7.72.0-1 (bug #965280)
[stretch] - curl  (Vulnerable code introduced later)
[jessie] - curl  (Vulnerable code introduced later)
NOTE: https://curl.haxx.se/docs/CVE-2020-8169.html



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dfa153e8d171e9c44dce5c3562cafd952f8198c6


[Git][security-tracker-team/security-tracker][master] Add reference for CVE-2020-24361/snmptt

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0f2f38b6 by Salvatore Bonaccorso at 2020-08-24T11:46:07+02:00
Add reference for CVE-2020-24361/snmptt

Unfortunately upstream does not seem to properly split the commits into
single changes. Might be worth stripping the unnecessary bits on an
update.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -496,6 +496,7 @@ CVE-2020-24362
RESERVED
 CVE-2020-24361 (SNMPTT before 1.4.2 allows attackers to execute shell code via 
EXEC, P ...)
- snmptt 1.4.2-1
+   NOTE: 
https://sourceforge.net/p/snmptt/git/ci/f6aef5223bc9ed8126268a273ac9f5c341af835a
 CVE-2020-24360
RESERVED
 CVE-2020-24359 (HashiCorp vault-ssh-helper up to and including version 0.1.6 
incorrect ...)
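Review bot: the warning that the upstream snmptt commit bundles unrelated changes, and that the unnecessary bits should be stripped on an update, lives only in the commit message; add it as a second NOTE line under CVE-2020-24361 next to the sourceforge reference so whoever prepares a backport for a stable suite sees it in the tracker itself.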



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0f2f38b6be2b4a44ad27aa461ae4f69ff98b10ce


[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2020-08-24 Thread Holger Levsen


Holger Levsen pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0185f305 by Holger Levsen at 2020-08-24T10:48:47+02:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Holger Levsen hol...@layer-acht.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -121,7 +121,7 @@ netty
 --
 netty-3.9
 --
-nss (Adrian Bunk)
+nss
   NOTE: 20200706: from dsa-needed.txt: Roberto proposed an update including 
fixes for CVE-2018-12404 and CVE-2018-18508 (Beuc)
   NOTE: 20200810: packages are being tested (bunk)
 --
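Review bot: the unclaim removes `(Adrian Bunk)` from nss while the most recent NOTE, dated 20200810, says the packages are being tested by bunk; that date is exactly two weeks before this commit, so the inactivity rule fires on a package with work apparently in progress. Before the next semi-automatic run, consider recording the unclaim in the file with a dated NOTE (for example `NOTE: 20200824: unclaimed after 2 weeks of inactivity (holger)`) so the history stays visible, and ping the previous claimant in case the tested packages are ready to upload.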



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0185f3056d2a6152fe333e1bd03dc6b05b53ff58


[Git][security-tracker-team/security-tracker][master] Correct data/DLA/list due to syntax error in the changelog

2020-08-24 Thread Adrian Bunk


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f19d2a03 by Adrian Bunk at 2020-08-24T11:39:53+03:00
Correct data/DLA/list due to syntax error in the changelog

CVE 2017-15095 was wrong (space instead of hyphen).

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
@@ -1,5 +1,5 @@
 [24 Aug 2020] DLA-2342-1 libjackson-json-java - security update
-   {CVE-2017-7525 CVE-2019-10172}
+   {CVE-2017-7525 CVE-2017-15095 CVE-2019-10172}
[stretch] - libjackson-json-java 1.9.2-8+deb9u1
 [24 Aug 2020] DLA-2341-1 inetutils - security update
{CVE-2020-10188}
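Review bot: the fix adds CVE-2017-15095 to DLA-2342-1 after the changelog wrote `CVE 2017-15095` with a space; the same typo will have kept any changelog-driven tooling from associating the CVE with the upload, so check that the CVE-2017-15095 entry in data/CVE/list now carries {DLA-2342-1} and the stretch fixed version, and consider correcting the changelog in a follow-up upload so parsers of debian/changelog do not miss the reference again.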



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f19d2a03e7d90e187285484fc74c852938864146


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2342-1 for libjackson-json-java

2020-08-24 Thread Adrian Bunk


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c932b484 by Adrian Bunk at 2020-08-24T11:38:34+03:00
Reserve DLA-2342-1 for libjackson-json-java

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[24 Aug 2020] DLA-2342-1 libjackson-json-java - security update
+   {CVE-2017-7525 CVE-2019-10172}
+   [stretch] - libjackson-json-java 1.9.2-8+deb9u1
 [24 Aug 2020] DLA-2341-1 inetutils - security update
{CVE-2020-10188}
[stretch] - inetutils 2:1.9.4-2+deb9u1
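Review bot: the reserved DLA-2342-1 lists only CVE-2017-7525 and CVE-2019-10172; the follow-up commit f19d2a03 on this page adds CVE-2017-15095, which was missed because the changelog spelled it with a space instead of a hyphen. When reserving a DLA from a changelog, cross-check the CVE set against the dla-needed.txt notes or the package's CVE list entries so that a formatting slip in the changelog does not silently drop an issue from the advisory.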


=
data/dla-needed.txt
=
@@ -98,8 +98,6 @@ jetty9
 jupyter-notebook (Mike Gabriel)
   NOTE: 20200711: Vulnerable to (at least) CVE-2018-19351. (lamby)
 --
-libjackson-json-java (Adrian Bunk)
---
 libvncserver (Mike Gabriel)
 --
 linux (Ben Hutchings)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c932b4848efef451c24e6962f055dd33c5c73fb0


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2341-1 for inetutils

2020-08-24 Thread Adrian Bunk


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
04688030 by Adrian Bunk at 2020-08-24T11:11:00+03:00
Reserve DLA-2341-1 for inetutils

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[24 Aug 2020] DLA-2341-1 inetutils - security update
+   {CVE-2020-10188}
+   [stretch] - inetutils 2:1.9.4-2+deb9u1
 [22 Aug 2020] DLA-2340-1 sqlite3 - security update
{CVE-2018-8740 CVE-2018-20346 CVE-2018-20506 CVE-2019-5827 
CVE-2019-9936 CVE-2019-9937 CVE-2019-16168 CVE-2019-20218 CVE-2020-11655 
CVE-2020-13434 CVE-2020-13630 CVE-2020-13632 CVE-2020-13871}
[stretch] - sqlite3 3.16.2-5+deb9u2


=
data/dla-needed.txt
=
@@ -93,8 +93,6 @@ guacamole-client (Mike Gabriel)
 --
 icingaweb2
 --
-inetutils (Adrian Bunk)
---
 jetty9
 --
 jupyter-notebook (Mike Gabriel)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/04688030ad1acd17b792a0c4783e297a00045705


[Git][security-tracker-team/security-tracker][master] automatic update

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
36a11349 by security tracker role at 2020-08-24T08:10:28+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -474,6 +474,7 @@ CVE-2020-24369 (ldebug.c in Lua 5.4.0 attempts to access 
debug information via t
NOTE: 
https://github.com/lua/lua/commit/ae5b5ba529753c7a653901ffc29b5ea24c3fdf3a
NOTE: https://www.lua.org/bugs.html#5.4.0-12
 CVE-2020-24368 (Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a 
Director ...)
+   {DSA-4747-1}
- icingaweb2 2.8.2-1 (bug #968833)
NOTE: 
https://icinga.com/2020/08/19/icinga-web-security-release-v2-6-4-v2-7-4-and-v2-8-2/
NOTE: https://github.com/Icinga/icingaweb2/issues/4226
@@ -24816,8 +24817,8 @@ CVE-2020-13103
RESERVED
 CVE-2020-13102
RESERVED
-CVE-2020-13101
-   RESERVED
+CVE-2020-13101 (In OASIS Digital Signature Services (DSS) 1.0, an attacker can 
control ...)
+   TODO: check
 CVE-2020-13100
RESERVED
 CVE-2020-13099
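Review bot: the automatic update turns CVE-2020-13101 from RESERVED into a described entry that still carries `TODO: check`; the description names OASIS Digital Signature Services (DSS) 1.0, which is a specification rather than a piece of software, so triage will need to identify which implementation (if any) is packaged in Debian before the entry can be resolved to a source package or marked NOT-FOR-US.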



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/36a11349a74b42aba2e70a6ed565e648db68661c


[Git][security-tracker-team/security-tracker][master] Fix for CVE-2020-15503/libraw moved to unstable

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
13017a37 by Salvatore Bonaccorso at 2020-08-24T09:42:16+02:00
Fix for CVE-2020-15503/libraw moved to unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -18683,7 +18683,7 @@ CVE-2020-15504 (A SQL injection vulnerability in the 
user and admin web interfac
NOT-FOR-US: Sophos
 CVE-2020-15503 (LibRaw before 0.20-RC1 lacks a thumbnail size range check. 
This affect ...)
[experimental] - libraw 0.20.0-1
-   - libraw  (bug #964747)
+   - libraw 0.20.0-4 (bug #964747)
[buster] - libraw  (Minor issue)
[stretch] - libraw  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1853477
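Review bot: with the unstable fix recorded as libraw 0.20.0-4, the [experimental] line for 0.20.0-1 is now superseded and could be dropped; buster and stretch remain `(Minor issue)`, so no DSA is planned, but if a point update for libraw is prepared for another reason this thumbnail size range check fix is a candidate to fold in, and a NOTE saying so would keep that option visible.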



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13017a377990e2f46562c82c3b7fa94cbaa724b3


[Git][security-tracker-team/security-tracker][master] Track proposed fix for CVE-2019-0193 via buster-pu

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0b6c9524 by Salvatore Bonaccorso at 2020-08-24T09:39:45+02:00
Track proposed fix for CVE-2019-0193 via buster-pu

- - - - -


1 changed file:

- data/next-point-update.txt


Changes:

=
data/next-point-update.txt
=
@@ -24,3 +24,5 @@ CVE-2020-14350
[buster] - postgresql-11 11.9-0+deb10u1
 CVE-2020-10289
[buster] - ros-actionlib 1.11.15-1+deb10u1
+CVE-2019-0193
+   [buster] - lucene-solr 3.6.2+dfsg-20+deb10u2



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0b6c952461c4e996ad0da582f179915dfb526f12


[Git][security-tracker-team/security-tracker][master] Add apache2 to dsa-needed list

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
147dd34e by Salvatore Bonaccorso at 2020-08-24T09:37:03+02:00
Add apache2 to dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -11,6 +11,8 @@ To pick an issue, simply add your uid behind it.
 
 If needed, specify the release by adding a slash after the name of the source 
package.
 
+--
+apache2
 --
 chromium
 --
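Review bot: the new apache2 entry carries no NOTE about which CVE(s) triggered it; the file header visible in this hunk tells people to pick an issue by adding their uid behind it, and a NOTE listing the CVE ids lets a picker scope the update before claiming it, as the rails entry elsewhere in this file does with its remaining-CVEs remark.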



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/147dd34e1096fa769826f0b4dd4e35ca16a61200


[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-15810/squid

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c5d9d94b by Salvatore Bonaccorso at 2020-08-24T09:35:27+02:00
Add Debian bug reference for CVE-2020-15810/squid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17860,7 +17860,7 @@ CVE-2020- [SQUID-2020:9 Denial of Service 
processing Cache Digest Response]
NOTE: Squid 4: 
http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_9.patch
 CVE-2020-15810
RESERVED
-   - squid 
+   - squid  (bug #968934)
- squid3 
NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-3365-q9qx-f98m
NOTE: Squid 4: 
http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_10.patch



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5d9d94be81f6a6bc4ca8b700cf76dbff141e16d


[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for SQUID-2020:9/squid

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c644fecc by Salvatore Bonaccorso at 2020-08-24T09:35:01+02:00
Add Debian bug reference for SQUID-2020:9/squid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17854,7 +17854,7 @@ CVE-2020-15811
NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-c7p8-xqhm-49wv
NOTE: Squid 4: 
http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_8.patch
 CVE-2020- [SQUID-2020:9 Denial of Service processing Cache Digest Response]
-   - squid 
+   - squid  (bug #968933)
- squid3 
NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-vvj7-xjgq-g2jg
NOTE: Squid 4: 
http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_9.patch



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c644fecc4044fa480a7b4dc630908b139c41a783


[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-15811/squid

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
86ce40af by Salvatore Bonaccorso at 2020-08-24T09:34:16+02:00
Add Debian bug reference for CVE-2020-15811/squid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17849,7 +17849,7 @@ CVE-2020-15812
RESERVED
 CVE-2020-15811
RESERVED
-   - squid 
+   - squid  (bug #968932)
- squid3 
NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-c7p8-xqhm-49wv
NOTE: Squid 4: 
http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_8.patch



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86ce40afc6b9619d01ca469f35e020e08ffb8a36


[Git][security-tracker-team/security-tracker][master] Add squid to dsa-needed list

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6b7e5e8d by Salvatore Bonaccorso at 2020-08-24T09:27:16+02:00
Add squid to dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -29,6 +29,8 @@ nginx
 rails (jmm)
   Sylvain Beucler proposed to help for the update, remaining CVEs to be done
 --
+squid
+--
 teeworlds (jmm)
 --
 xcftools



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b7e5e8da066036f77144717eed8708712a3d891


[Git][security-tracker-team/security-tracker][master] Add another squid issue (SQUID-2020:9)

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1878e43f by Salvatore Bonaccorso at 2020-08-24T09:24:49+02:00
Add another squid issue (SQUID-2020:9)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17853,6 +17853,11 @@ CVE-2020-15811
- squid3 
NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-c7p8-xqhm-49wv
NOTE: Squid 4: 
http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_8.patch
+CVE-2020- [SQUID-2020:9 Denial of Service processing Cache Digest Response]
+   - squid 
+   - squid3 
+   NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-vvj7-xjgq-g2jg
+   NOTE: Squid 4: 
http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_9.patch
 CVE-2020-15810
RESERVED
- squid 
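Review bot: the new entry uses the placeholder id `CVE-2020-` with the upstream identifier SQUID-2020:9 in brackets because no CVE has been assigned yet; that follows the tracker's convention, but CVE-based tooling will not match it, so when an id is assigned the entry needs renaming and the Debian bug reference that commit c644fecc on this page attaches to it (bug #968933) should move with it. The GHSA-vvj7-xjgq-g2jg advisory link and the Squid 4 changeset are already present for tracking.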



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1878e43fe8242cfcba14d28cbbf864d306435d21


[Git][security-tracker-team/security-tracker][master] 2 commits: ATI VGA emulation introduced in...

2020-08-24 Thread Abhijith PA


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7fdf456c by Abhijith PA at 2020-08-24T12:40:02+05:30
ATI VGA emulation introduced in 
https://github.com/qemu/qemu/commit/862b4a291dcf143fdb227e97feb7fd45e6466aca

- - - - -
9e8b9b4d by Abhijith PA at 2020-08-24T12:41:11+05:30
Update note in dla-needed.txt

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -515,6 +515,7 @@ CVE-2020-24352
RESERVED
- qemu  (bug #968820)
[buster] - qemu  (Vulnerable code introduced in ATI VGA 
device emulation added later)
+   [stretch] - qemu  (Vulnerable code introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1847584
 CVE-2020-24351
RESERVED
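Review bot: the new [stretch] line gives the shorter reason `(Vulnerable code introduced later)` while the [buster] line spells out that the ATI VGA device emulation was added later; the commit message identifies the introducing upstream commit 862b4a291dcf143fdb227e97feb7fd45e6466aca, so add it as a NOTE under CVE-2020-24352 so the not-affected claim for buster and stretch can be verified from the tracker without consulting git history.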


=
data/dla-needed.txt
=
@@ -28,6 +28,7 @@ apache2
 ark (Abhijith PA)
   NOTE: 20200731: given PoC not working as intended. (abhijith)
   NOTE: 20200801: though testing with other PoC's available over internet 
seems exploitable (abhijith)
+  NOTE: 20200820: pinged upstream for help (abhijith)
 --
 asyncpg (Utkarsh Gupta)
   NOTE: 20200815: Minor issue, but easy to fix. (sunweaver)
@@ -139,6 +140,7 @@ puma
   NOTE: 20200708: Vulnerable to (at least) CVE-2020-11076. (lamby)
 --
 qemu (Abhijith PA)
+  NOTE: 20200824: currently all are minor issues. Reduce frequent upload 
(abhijith)
 --
 qt4-x11 (Adrian Bunk)
   NOTE: 20200815: Minor issue, but easy to fix (CVE-2020-17507). Low prio.
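Review bot: `Reduce frequent upload` in the new qemu NOTE is ambiguous; if the intent is to batch the currently open minor issues into a single later DLA rather than uploading for each one, say so and list the CVE ids being deferred, so another LTS contributor reading dla-needed.txt does not take the package as stalled.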



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0d4e1a3fd84a5ed7bcbd5583ef50425d971ff84a...9e8b9b4d0b910a6995a6997f731492e98359134c


[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-7711

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0d4e1a3f by Salvatore Bonaccorso at 2020-08-24T08:55:05+02:00
Add Debian bug reference for CVE-2020-7711

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -39802,7 +39802,7 @@ CVE-2020-7713
 CVE-2020-7712
RESERVED
 CVE-2020-7711 (This affects all versions of package 
github.com/russellhaering/goxmlds ...)
-   - golang-github-russellhaering-goxmldsig 
+   - golang-github-russellhaering-goxmldsig  (bug #968928)
NOTE: https://github.com/russellhaering/goxmldsig/issues/48
 CVE-2020-7710 (This affects all versions of package safe-eval. It is possible 
for an  ...)
NOT-FOR-US: Node safe-eval



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0d4e1a3fd84a5ed7bcbd5583ef50425d971ff84a


[Git][security-tracker-team/security-tracker][master] Add CVE-2020-13941/lucene-solr

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
86f84ff9 by Salvatore Bonaccorso at 2020-08-24T08:51:39+02:00
Add CVE-2020-13941/lucene-solr

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -22672,7 +22672,10 @@ CVE-2020-13943
 CVE-2020-13942
RESERVED
 CVE-2020-13941 (Reported in SOLR-14515 (private) and fixed in SOLR-14561 
(public), rel ...)
-   TODO: check
+   - lucene-solr 
+   NOTE: https://www.openwall.com/lists/oss-security/2020/08/15/1
+   NOTE: https://issues.apache.org/jira/browse/SOLR-14561
+   NOTE: 
https://github.com/apache/lucene-solr/commit/936b9d770e769c9018a9f408d576f52e7c4e8be2
 CVE-2020-13940
RESERVED
 CVE-2020-13939
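Review bot: the CVE-2020-13941 entry now points at the oss-security post, SOLR-14561 and the fixing commit, but has no suite annotations; since commit 0b6c9524 on this page already tracks a buster point update for lucene-solr (CVE-2019-0193, 3.6.2+dfsg-20+deb10u2), decide whether this issue affects the 3.6.2 code in buster and, if so, whether it can be folded into that same update or needs its own [buster] no-dsa or postponed line.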



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86f84ff92ce41af9c9c7ba5531347f664c543836


[Git][security-tracker-team/security-tracker][master] Add CVE-2020-15810/squid

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d40106f7 by Salvatore Bonaccorso at 2020-08-24T08:48:33+02:00
Add CVE-2020-15810/squid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17854,6 +17854,10 @@ CVE-2020-15811
NOTE: Squid 4: 
http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_8.patch
 CVE-2020-15810
RESERVED
+   - squid 
+   - squid3 
+   NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-3365-q9qx-f98m
+   NOTE: Squid 4: 
http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_10.patch
 CVE-2020-15809
RESERVED
 CVE-2020-15808



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d40106f78862ae7415f88a652af056de0a23e1ee


[Git][security-tracker-team/security-tracker][master] Add CVE-2020-15811/squid

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
491549be by Salvatore Bonaccorso at 2020-08-24T08:47:15+02:00
Add CVE-2020-15811/squid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17848,6 +17848,10 @@ CVE-2020-15812
RESERVED
 CVE-2020-15811
RESERVED
+   - squid 
+   - squid3 
+   NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-c7p8-xqhm-49wv
+   NOTE: Squid 4: 
http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_8.patch
 CVE-2020-15810
RESERVED
 CVE-2020-15809



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/491549bea46e3d8da44a2cfeb699ff2e624c8a2e


[Git][security-tracker-team/security-tracker][master] Add CVE-2020-7711/golang-github-russellhaering-goxmldsig

2020-08-24 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e61840e6 by Salvatore Bonaccorso at 2020-08-24T08:43:15+02:00
Add CVE-2020-7711/golang-github-russellhaering-goxmldsig

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -39791,7 +39791,8 @@ CVE-2020-7713
 CVE-2020-7712
RESERVED
 CVE-2020-7711 (This affects all versions of package 
github.com/russellhaering/goxmlds ...)
-   TODO: check
+   - golang-github-russellhaering-goxmldsig 
+   NOTE: https://github.com/russellhaering/goxmldsig/issues/48
 CVE-2020-7710 (This affects all versions of package safe-eval. It is possible 
for an  ...)
NOT-FOR-US: Node safe-eval
 CVE-2020-7709
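Review bot: the CVE-2020-7711 entry names the library source package golang-github-russellhaering-goxmldsig, but since Go programs are statically linked a fixed library version alone does not fix binaries already built against it; once the fix is identified (the linked issue #48 is the only reference so far), the reverse dependencies in the archive need rebuilding, so a NOTE listing them would help whoever makes the DSA/DLA decision. The description says all versions are affected, so no `introduced later` exemption is available for the stable suites.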



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e61840e6f7947579d3902f772c49442a8927602e
