[Git][security-tracker-team/security-tracker][master] Add CVE-2020-25643/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 340eadb8 by Salvatore Bonaccorso at 2020-10-02T06:42:36+02:00 Add CVE-2020-25643/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1856,8 +1856,10 @@ CVE-2020-25645 RESERVED CVE-2020-25644 RESERVED -CVE-2020-25643 +CVE-2020-25643 [hdlc_ppp: add range checks in ppp_cp_parse_cr()] RESERVED + - linux + NOTE: https://git.kernel.org/linus/66d42ed8b25b64eb63111a2b8582c5afc8bf1105 CVE-2020-25642 RESERVED CVE-2020-25641 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/340eadb8b4127100bf5eb437e1e0a5d166cb7721 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
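Review bot: the new `- linux` line for CVE-2020-25643 carries no fixed version and the hunk adds only the fix commit (`NOTE: https://git.kernel.org/linus/66d42ed8...`) with no `Introduced by:` counterpart, so the entry still says nothing about which suites actually ship the unchecked `ppp_cp_parse_cr()` code; once the range-check commit is mapped to the kernel versions it landed in, record the fixed version on the `- linux` line and add an introducing-commit NOTE so the stable/LTS triage can be checked rather than re-derived.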
[Git][security-tracker-team/security-tracker][master] LTS: claim tigervnc
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c02be61 by Roberto C. Sánchez at 2020-10-01T19:27:02-04:00 LTS: claim tigervnc - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -188,7 +188,7 @@ sympa -- thunderbird (Emilio) -- -tigervnc +tigervnc (Roberto C. Sánchez) -- tinymce (Abhijith PA) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c02be616ddc256a3a5cae12660b08a4055da512
[Git][security-tracker-team/security-tracker][master] one sqlite3 issue n/a for buster
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 75f51891 by Moritz Muehlenhoff at 2020-10-01T23:18:17+02:00 one sqlite3 issue n/a for buster add more git mirror commit refs for sqlite3 in addition to the crude fossil links - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -33946,6 +33946,9 @@ CVE-2020-11655 (SQLite through 3.31.1 allows attackers to cause a denial of serv NOTE: https://www.sqlite.org/cgi/src/tktview?name=af4556bb5c NOTE: Issue covered before: https://www.sqlite.org/cgi/src/info/712e47714863a8ed NOTE: Fixed by: https://www.sqlite.org/cgi/src/info/4a302b42c7bf5e11 + NOTE: https://github.com/sqlite/sqlite/commit/3251a2031bfd29f338a5fda1a08c18878296d354 + NOTE: https://github.com/sqlite/sqlite/commit/c415d91007e1680e4eb17def583b202c3c83c718 + NOTE: https://github.com/sqlite/sqlite/commit/4db7ab53f9c30e2e22731ace93ab6b18eef6c4ae CVE-2020-11654 RESERVED CVE-2020-11653 (An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6 ...) @@ -39232,9 +39235,8 @@ CVE-2020-9796 CVE-2020-9795 (A use after free issue was addressed with improved memory management. ...) NOT-FOR-US: Apple CVE-2020-9794 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) - - sqlite3 - NOTE: https://vuldb.com/?id.155768 - NOTE: As usual Apple advisories are too unspecific + NOT-FOR-US: sqlite3 as used by Apple + NOTE: No details available due to typical Apple intransparency CVE-2020-9793 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2020-9792 (A validation issue was addressed with improved input sanitization. Thi ...) 
@@ -40418,6 +40420,8 @@ CVE-2020-9327 (In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to tri NOTE: https://www.sqlite.org/cgi/src/info/4374860b29383380 NOTE: https://www.sqlite.org/cgi/src/info/9d0d4ab95dc0c56e NOTE: https://www.sqlite.org/cgi/src/info/abc473fb8fb99900 + NOTE: https://github.com/sqlite/sqlite/commit/bf48ce49f7c25e5d4524de9fdc5c0d505218d06d + NOTE: https://github.com/sqlite/sqlite/commit/78d1d225d87af40f5bdca57fa72f00b6ffaffa21 CVE-2020-9326 (BeyondTrust Privilege Management for Windows and Mac (aka PMWM; former ...) NOT-FOR-US: BeyondTrust Privilege Management for Windows and Mac CVE-2020-9325 (Aquaforest TIFF Server 4.0 allows Unauthenticated Arbitrary File Downl ...) @@ -61303,7 +61307,7 @@ CVE-2019-19243 RESERVED CVE-2019-19242 (SQLite 3.30.1 mishandles pExpr-y.pTab, as demonstrated by the TK_C ...) - sqlite3 3.30.1+fossil191229-1 - [buster] - sqlite3 (Minor issue) + [buster] - sqlite3 (Vulnerable code not present) [stretch] - sqlite3 (Vulnerable code introduced later) [jessie] - sqlite3 (Vulnerable code not present) NOTE: https://github.com/sqlite/sqlite/commit/57f7ece78410a8aae86aa4625fb7556897db384c 
@@ -73073,6 +73077,7 @@ CVE-2019-16168 (In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c ca NOTE: https://www.sqlite.org/src/info/e4598ecbdd18bd82945f6029013296690e719a62 NOTE: Fixed by: https://www.sqlite.org/src/info/d93508fc9913cfe6 NOTE: Introduced by: https://www.sqlite.org/src/info/90e36676476e8db0 + NOTE: https://github.com/sqlite/sqlite/commit/725dd72400872da94dcfb6af48128905b93d57fe CVE-2019-16148 (Sakai through 12.6 allows XSS via a chat user name. ...) NOT-FOR-US: Sakai CVE-2019-16147 (Liferay Portal through 7.2.0 GA1 allows XSS via a journal article titl ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/75f51891dccb4590375a8b964baacb863788c204
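Review bot: in the CVE-2020-9794 hunk, replacing `- sqlite3` with `NOT-FOR-US: sqlite3 as used by Apple` also deletes `NOTE: https://vuldb.com/?id.155768`, which was the only external pointer the entry had; keep that line as a NOTE next to the new `NOTE: No details available ...` so the issue can be reopened against the Debian sqlite3 package if Apple or upstream later identifies the corresponding sqlite3 change.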
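Review bot: the CVE-2019-19242 hunk changes the buster annotation from `(Minor issue)` to `(Vulnerable code not present)` while stretch keeps `(Vulnerable code introduced later)` and jessie `(Vulnerable code not present)`; the commit message only says the issue is "n/a for buster", and the entry has no `Introduced by:` NOTE, so add the introducing SQLite commit (the other sqlite3 hunks in this change record `Introduced by:` and `Fixed by:` URLs) so the three suite annotations can be verified against it and phrased consistently.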
[Git][security-tracker-team/security-tracker][master] Process more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 12f9b490 by Salvatore Bonaccorso at 2020-10-01T22:55:50+02:00 Process more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1088,7 +1088,7 @@ CVE-2020-25992 CVE-2020-25991 RESERVED CVE-2020-25990 (WebsiteBaker 2.12.2 allows SQL Injection via parameter 'display_name' ...) - TODO: check + NOT-FOR-US: WebsiteBaker CVE-2020-25989 RESERVED CVE-2020-25988 @@ -2877,7 +2877,7 @@ CVE-2020-25202 CVE-2020-25201 RESERVED CVE-2020-25200 (Pritunl 1.29.2145.25 allows attackers to enumerate valid VPN usernames ...) - TODO: check + NOT-FOR-US: Pritunl CVE-2019-20916 (The pip package before 19.2 for Python allows Directory Traversal when ...) {DLA-2370-1} - python-pip 20.0.2-1 @@ -3616,9 +3616,9 @@ CVE-2020-25016 (A safety violation was discovered in the rgb crate before 0.8.20 NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0029.html NOTE: https://github.com/kornelski/rust-rgb/issues/35 CVE-2020-24861 (GetSimple CMS 3.3.16 allows in parameter 'permalink' on the Settings p ...) - TODO: check + NOT-FOR-US: GetSimple CMS CVE-2020-24860 (CMS Made Simple 2.2.14 allows an authenticated user with access to the ...) - TODO: check + NOT-FOR-US: CMS Made Simple CVE-2020-24859 RESERVED CVE-2020-24858 @@ -4126,7 +4126,7 @@ CVE-2020-24622 (In Sonatype Nexus Repository 3.26.1, an S3 secret key can be exp CVE-2020-24621 (A remote code execution (RCE) vulnerability was discovered in the html ...) NOT-FOR-US: OpenMRS CVE-2020-24620 (Unisys Stealth(core) before 4.0.132 stores Passwords in a Recoverable ...) - TODO: check + NOT-FOR-US: Unisys CVE-2020-24619 (In mainwindow.cpp in Shotcut before 20.09.13, the upgrade check misuse ...) NOT-FOR-US: Shotcut CVE-2020-24618 (In JetBrains YouTrack versions before 2020.3.4313, 2020.2.11008, 2020. ...) 
@@ -22938,7 +22938,7 @@ CVE-2020-15535 (An issue was discovered in the bestsoftinc Car Rental System plu CVE-2020-15534 RESERVED CVE-2020-15533 (In Zoho ManageEngine Application Manager 14.7 Build 14730 (before 1468 ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine Application Manager CVE-2019-20895 RESERVED CVE-2020-15532 (Silicon Labs Bluetooth Low Energy SDK before 2.13.3 has a buffer overf ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/12f9b49041f72e3a2e7a12552e6d35caa0d8675d
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim puma
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 324fc7bf by Abhijith PA at 2020-10-02T02:23:02+05:30 data/dla-needed.txt: claim puma - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -118,7 +118,7 @@ php-horde-trean (Mike Gabriel) NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in https://bugs.horde.org/ticket/14926 (sunweaver) NOTE: 20200829: We may not expect too much activity regarding this by upstream. (sunweaver) -- -puma +puma (Abhijith PA) NOTE: 20200708: Vulnerable to (at least) CVE-2020-11076. (lamby) -- python3.5 (Thorsten Alteholz) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/324fc7bfbcc962e9e99f391d03d9735169150e42
[Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dbac1667 by Salvatore Bonaccorso at 2020-10-01T22:45:03+02:00 Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -52349,7 +52349,7 @@ CVE-2020-4578 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulner CVE-2020-4577 RESERVED CVE-2020-4576 (IBM WebSphere Application Server 7.5, 8.0, 8.5, and 9.0 traditional co ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4575 (IBM WebSphere Application Server ND 8.5 and 9.0, and IBM WebSphere Vir ...) NOT-FOR-US: IBM CVE-2020-4574 (IBM Tivoli Key Lifecycle Manager does not require that users should ha ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dbac1667f57483e74fdda7889d914169439e5418
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bea31b07 by security tracker role at 2020-10-01T20:10:28+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,615 @@ +CVE-2020-26510 + RESERVED +CVE-2020-26509 + RESERVED +CVE-2020-26508 + RESERVED +CVE-2020-26507 + RESERVED +CVE-2020-26506 + RESERVED +CVE-2020-26505 + RESERVED +CVE-2020-26504 + RESERVED +CVE-2020-26503 + RESERVED +CVE-2020-26502 + RESERVED +CVE-2020-26501 + RESERVED +CVE-2020-26500 + RESERVED +CVE-2020-26499 + RESERVED +CVE-2020-26498 + RESERVED +CVE-2020-26497 + RESERVED +CVE-2020-26496 + RESERVED +CVE-2020-26495 + RESERVED +CVE-2020-26494 + RESERVED +CVE-2020-26493 + RESERVED +CVE-2020-26492 + RESERVED +CVE-2020-26491 + RESERVED +CVE-2020-26490 + RESERVED +CVE-2020-26489 + RESERVED +CVE-2020-26488 + RESERVED +CVE-2020-26487 + RESERVED +CVE-2020-26486 + RESERVED +CVE-2020-26485 + RESERVED +CVE-2020-26484 + RESERVED +CVE-2020-26483 + RESERVED +CVE-2020-26482 + RESERVED +CVE-2020-26481 + RESERVED +CVE-2020-26480 + RESERVED +CVE-2020-26479 + RESERVED +CVE-2020-26478 + RESERVED +CVE-2020-26477 + RESERVED +CVE-2020-26476 + RESERVED +CVE-2020-26475 + RESERVED +CVE-2020-26474 + RESERVED +CVE-2020-26473 + RESERVED +CVE-2020-26472 + RESERVED +CVE-2020-26471 + RESERVED +CVE-2020-26470 + RESERVED +CVE-2020-26469 + RESERVED +CVE-2020-26468 + RESERVED +CVE-2020-26467 + RESERVED +CVE-2020-26466 + RESERVED +CVE-2020-26465 + RESERVED +CVE-2020-26464 + RESERVED +CVE-2020-26463 + RESERVED +CVE-2020-26462 + RESERVED +CVE-2020-26461 + RESERVED +CVE-2020-26460 + RESERVED +CVE-2020-26459 + RESERVED +CVE-2020-26458 + RESERVED +CVE-2020-26457 + RESERVED +CVE-2020-26456 + RESERVED +CVE-2020-26455 + RESERVED +CVE-2020-26454 + RESERVED +CVE-2020-26453 + RESERVED +CVE-2020-26452 + RESERVED +CVE-2020-26451 + RESERVED +CVE-2020-26450 + RESERVED +CVE-2020-26449 + RESERVED +CVE-2020-26448 + RESERVED +CVE-2020-26447 + RESERVED +CVE-2020-26446 + RESERVED +CVE-2020-26445 + RESERVED +CVE-2020-26444 + RESERVED +CVE-2020-26443 + RESERVED +CVE-2020-26442 + RESERVED +CVE-2020-26441 + RESERVED +CVE-2020-26440 + RESERVED +CVE-2020-26439 + RESERVED +CVE-2020-26438 + RESERVED 
+CVE-2020-26437 + RESERVED +CVE-2020-26436 + RESERVED +CVE-2020-26435 + RESERVED +CVE-2020-26434 + RESERVED +CVE-2020-26433 + RESERVED +CVE-2020-26432 + RESERVED +CVE-2020-26431 + RESERVED +CVE-2020-26430 + RESERVED +CVE-2020-26429 + RESERVED +CVE-2020-26428 + RESERVED +CVE-2020-26427 + RESERVED +CVE-2020-26426 + RESERVED +CVE-2020-26425 + RESERVED +CVE-2020-26424 + RESERVED +CVE-2020-26423 + RESERVED +CVE-2020-26422 + RESERVED +CVE-2020-26421 + RESERVED +CVE-2020-26420 + RESERVED +CVE-2020-26419 + RESERVED +CVE-2020-26418 + RESERVED +CVE-2020-26417 + RESERVED +CVE-2020-26416 + RESERVED +CVE-2020-26415 + RESERVED +CVE-2020-26414 + RESERVED +CVE-2020-26413 + RESERVED +CVE-2020-26412 + RESERVED +CVE-2020-26411 + RESERVED +CVE-2020-26410 + RESERVED +CVE-2020-26409 + RESERVED +CVE-2020-26408 + RESERVED +CVE-2020-26407 + RESERVED +CVE-2020-26406 + RESERVED +CVE-2020-26405 + RESERVED +CVE-2020-26404 + RESERVED +CVE-2020-26403 + RESERVED +CVE-2020-26402 + RESERVED +CVE-2020-26401 + RESERVED +CVE-2020-26400 + RESERVED +CVE-2020-26399 + RESERVED +CVE-2020-26398 + RESERVED +CVE-2020-26397 + RESERVED +CVE-2020-26396 + RESERVED +CVE-2020-26395 + RESERVED +CVE-2020-26394 + RESERVED +CVE-2020-26393 + RESERVED +CVE-2020-26392 + RESERVED +CVE-2020-26391 + RESERVED +CVE-2020-26390 + RESERVED +CVE-2020-26389 + RESERVED +CVE-2020-26388 + RESERVED +CVE-2020-26387 + RESERVED +CVE-2020-26386 + RESERVED +CVE-2020-26385 + RESERVED +CVE-2020-26384 + RESERVED +CVE-2020-26383 + RESERVED +CVE-2020-26382 + RESERVED +CVE-2020-26381 + RESERVED +CVE-2020-26380 + RESERVED +CVE-2020-26379 + RESERVED +CVE-2020-26378 + RESERVED +CVE-2020-26377 + RESERVED +CVE-2020-26376 + RESERVED +CVE-2020-26375 + RESERVED +CVE-2020-26374 + RESERVED +CVE-2020-26373 + RESERVED +CVE-2020-26372 + RESERVED +CVE-2020-26371 + RESERVED +CVE-2020-26370 +
[Git][security-tracker-team/security-tracker][master] CVE-2020-8021: Add reference to upstream commit
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7672642c by Salvatore Bonaccorso at 2020-10-01T21:15:38+02:00 CVE-2020-8021: Add reference to upstream commit - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -42989,6 +42989,7 @@ CVE-2020-8022 (A Incorrect Default Permissions vulnerability in the packaging of CVE-2020-8021 (a Improper Access Control vulnerability in of Open Build Service allow ...) - open-build-service NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1171649 + NOTE: https://github.com/openSUSE/open-build-service/commit/7323c904f86ba9e04065c23422d06c03647589fb CVE-2020-8020 (A Improper Neutralization of Input During Web Page Generation vulnerab ...) - open-build-service NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1171439 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7672642cdb1458ef281000ae5a80288ff7ec2672
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-26160
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ae85851 by Salvatore Bonaccorso at 2020-10-01T21:11:35+02:00 Add Debian bug reference for CVE-2020-26160 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -87,7 +87,7 @@ CVE-2020-26162 CVE-2020-26161 RESERVED CVE-2020-26160 (jwt-go before 4.0.0-preview1 allows attackers to bypass intended acces ...) - - golang-github-dgrijalva-jwt-go + - golang-github-dgrijalva-jwt-go (bug #971556) NOTE: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515 NOTE: https://github.com/dgrijalva/jwt-go/issues/422 NOTE: https://github.com/dgrijalva/jwt-go/pull/426 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ae85851e77833fb31afb3457cf8da91de4db9c9
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-25637/libvirt
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 46cd637f by Salvatore Bonaccorso at 2020-10-01T20:56:07+02:00 Add Debian bug reference for CVE-2020-25637/libvirt - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1267,7 +1267,7 @@ CVE-2020-25638 RESERVED CVE-2020-25637 [double free in qemuAgentGetInterfaces() in qemu_agent.c] RESERVED - - libvirt + - libvirt (bug #971555) NOTE: Introduced by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=0977b8aa071de550e1a013d35e2c72615e65d520 (v1.2.14-rc1) NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=955029bd0ad7ef96000f529ac38204a8f4a96401 (v6.8.0) NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=50864dcda191eb35732dbd80fb6ca251a6bba923 (v6.8.0) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46cd637f26b414f35fbb51812a8e210580732be5
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-25626/djangorestframework
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0778703a by Salvatore Bonaccorso at 2020-10-01T20:46:54+02:00 Add Debian bug reference for CVE-2020-25626/djangorestframework - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1301,7 +1301,7 @@ CVE-2020-25628 CVE-2020-25627 RESERVED CVE-2020-25626 (A flaw was found in Django REST Framework versions before 3.12.0 and b ...) - - djangorestframework + - djangorestframework (bug #971554) NOTE: https://github.com/encode/django-rest-framework/commit/4121b01b912668c049b26194a9a107c27a332429 NOTE: Fixed upstream in 3.12.0 and 3.11.2 CVE-2020-25625 (hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list ha ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0778703ac9e1ce41e2b7f1e0a19a8eb30ae4b5e9
[Git][security-tracker-team/security-tracker][master] Add tag information for CVE-2020-25637/libvirt
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 117783d3 by Salvatore Bonaccorso at 2020-10-01T20:45:44+02:00 Add tag information for CVE-2020-25637/libvirt - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1268,11 +1268,11 @@ CVE-2020-25638 CVE-2020-25637 [double free in qemuAgentGetInterfaces() in qemu_agent.c] RESERVED - libvirt - NOTE: Introduced by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=0977b8aa071de550e1a013d35e2c72615e65d520 - NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=955029bd0ad7ef96000f529ac38204a8f4a96401 - NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=50864dcda191eb35732dbd80fb6ca251a6bba923 - NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=e4116eaa44cb366b59f7fe98f4b88d04c04970ad - NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=a63b48c5ecef077bf0f909a85f453a605600cf05 + NOTE: Introduced by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=0977b8aa071de550e1a013d35e2c72615e65d520 (v1.2.14-rc1) + NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=955029bd0ad7ef96000f529ac38204a8f4a96401 (v6.8.0) + NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=50864dcda191eb35732dbd80fb6ca251a6bba923 (v6.8.0) + NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=e4116eaa44cb366b59f7fe98f4b88d04c04970ad (v6.8.0) + NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=a63b48c5ecef077bf0f909a85f453a605600cf05 (v6.8.0) CVE-2020-25636 RESERVED - ansible (Vulnerable connection/aws_ssm plugin not included) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/117783d3f32aa783026ed4a532746903e40e3341
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2393-1 for snmptt
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 892e31b2 by Abhijith PA at 2020-10-01T21:31:37+05:30 Reserve DLA-2393-1 for snmptt - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[01 Oct 2020] DLA-2393-1 snmptt - security update + {CVE-2020-24361} + [stretch] - snmptt 1.4-1+deb8u1 [01 Oct 2020] DLA-2392-1 jruby - security update {CVE-2020-25613} [stretch] - jruby 1.7.26-1+deb9u3 = data/dla-needed.txt = @@ -170,8 +170,6 @@ slirp NOTE: CVE-2020-7039 to be applied patched first, as they both patch NOTE: the same lines of code in tcp_subr.c (bam). -- -snmptt (Abhijith PA) --- squid3 NOTE: 20200831: I have backported the HttpHeader parsing code now and NOTE: incorporated the fixes for the latest CVE. I will send a RFT to View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/892e31b2364df27692805cf17265411c34f56ae7
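Review bot: the new DLA-2393-1 entry reads `[stretch] - snmptt 1.4-1+deb8u1`, a `+deb8u1` suffix under a stretch tag, while the adjacent stretch entry in the same hunk uses the `+deb9uN` form (`[stretch] - jruby 1.7.26-1+deb9u3`); since the tracker matches this string against the version actually uploaded to stretch, confirm the uploaded version and correct the suffix before the DLA is published, otherwise the issue will keep showing as unfixed in stretch.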
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2392-1 for jruby
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 1b01bd4c by Utkarsh Gupta at 2020-10-01T21:13:58+05:30 Reserve DLA-2392-1 for jruby - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[01 Oct 2020] DLA-2392-1 jruby - security update + {CVE-2020-25613} + [stretch] - jruby 1.7.26-1+deb9u3 [01 Oct 2020] DLA-2391-1 ruby2.3 - security update {CVE-2020-25613} [stretch] - ruby2.3 2.3.3-1+deb9u9 = data/dla-needed.txt = @@ -83,8 +83,6 @@ golang-golang-x-net-dev -- guacamole-client -- -jruby (Utkarsh) --- jupyter-notebook NOTE: 20200711: Vulnerable to (at least) CVE-2018-19351. (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1b01bd4c0b1e2b98426241f0d8d14b017785b787
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2391-1 for ruby2.3
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: eec320ef by Utkarsh Gupta at 2020-10-01T21:13:27+05:30 Reserve DLA-2391-1 for ruby2.3 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[01 Oct 2020] DLA-2391-1 ruby2.3 - security update + {CVE-2020-25613} + [stretch] - ruby2.3 2.3.3-1+deb9u9 [01 Oct 2020] DLA-2390-1 ruby-json-jwt - security update {CVE-2019-18848} [stretch] - ruby-json-jwt 1.6.2-1+deb9u2 = data/dla-needed.txt = @@ -132,8 +132,6 @@ rails (Markus Koschany) reel NOTE: 20200909: it is now unmaintained. last commit was in Aug 2018. (utkarsh) -- -ruby2.3 (Utkarsh) --- ruby-actionpack-page-caching NOTE: 20200819: Upstream's patch on does not apply due to subsequent NOTE: 20200819: refactoring. However, a quick look at the private View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eec320efc1ccbe477cdf26aa16d9d9f716917e71
[Git][security-tracker-team/security-tracker][master] Add fixed version of ruby2.7 for CVE-2020-25613
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: d12c8d4b by Utkarsh Gupta at 2020-10-01T20:36:08+05:30 Add fixed version of ruby2.7 for CVE-2020-25613 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1344,7 +1344,7 @@ CVE-2014-10402 (An issue was discovered in the DBI module through 1.643 for Perl NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=99508#txn-1911590 CVE-2020-25613 [Potential HTTP Request Smuggling Vulnerability in WEBrick] RESERVED - - ruby2.7 + - ruby2.7 2.7.1-4 - ruby2.5 - ruby2.3 - jruby View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d12c8d4b3368728a61072daf00c830fa761a08ed
[Git][security-tracker-team/security-tracker][master] dla: claim qtsvg-opensource-src
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: bfaba58b by Adrian Bunk at 2020-10-01T15:45:32+03:00 dla: claim qtsvg-opensource-src - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -125,7 +125,7 @@ puma -- python3.5 (Thorsten Alteholz) -- -qtsvg-opensource-src +qtsvg-opensource-src (Adrian Bunk) -- rails (Markus Koschany) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bfaba58b0d9e5e00e891356e84b7713a0dff3731
[Git][security-tracker-team/security-tracker][master] 2 commits: Take ruby2.3 & jruby as both are affected by same CVE
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: beb8e0ca by Utkarsh Gupta at 2020-10-01T17:54:30+05:30 Take ruby2.3 & jruby as both are affected by same CVE - - - - - 11511ce5 by Utkarsh Gupta at 2020-10-01T17:55:41+05:30 Triage qtsvg-opensource-src for stretch - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -83,6 +83,8 @@ golang-golang-x-net-dev -- guacamole-client -- +jruby (Utkarsh) +-- jupyter-notebook NOTE: 20200711: Vulnerable to (at least) CVE-2018-19351. (lamby) -- @@ -123,11 +125,15 @@ puma -- python3.5 (Thorsten Alteholz) -- +qtsvg-opensource-src +-- rails (Markus Koschany) -- reel NOTE: 20200909: it is now unmaintained. last commit was in Aug 2018. (utkarsh) -- +ruby2.3 (Utkarsh) +-- ruby-actionpack-page-caching NOTE: 20200819: Upstream's patch on does not apply due to subsequent NOTE: 20200819: refactoring. However, a quick look at the private View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d3b6b120b352372ee4ad24e98595e04a6711e14a...11511ce56c4031987ac4e1a2f44e224b3da713d9
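Review bot: the second hunk adds `+qtsvg-opensource-src` to dla-needed.txt with no claimant and no NOTE line, although the commit message says it was triaged for stretch; the neighbouring entries in the same hunk record their reason in the file (`NOTE: 20200711: Vulnerable to (at least) CVE-2018-19351. (lamby)`, `NOTE: 20200909: it is now unmaintained. ... (utkarsh)`), so add a dated NOTE naming the CVE(s) behind the triage so whoever claims the package does not have to repeat it.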
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2390-1 for ruby-json-jwt
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: d3b6b120 by Utkarsh Gupta at 2020-10-01T17:42:16+05:30 Reserve DLA-2390-1 for ruby-json-jwt - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[01 Oct 2020] DLA-2390-1 ruby-json-jwt - security update + {CVE-2019-18848} + [stretch] - ruby-json-jwt 1.6.2-1+deb9u2 [01 Oct 2020] DLA-2389-1 ruby-rack-cors - security update {CVE-2019-18978} [stretch] - ruby-rack-cors 0.4.0-1+deb9u2 = data/dla-needed.txt = @@ -140,11 +140,6 @@ ruby-doorkeeper NOTE: 20200831: in case it's really DLA worthy, I'd be very careful with this update. (utkarsh) NOTE: 20200831: more investigation needed. (utkarsh) -- -ruby-json-jwt (Utkarsh) - NOTE: 20200928: when explicitly specifying the number of elements when splitting - NOTE: 20200928: JWE string, three are chances of regression. the demonstration doesn't - NOTE: 20200928: work as advertised. (utkarsh) --- ruby-kaminari (Utkarsh) NOTE: 20200819: The source in Debian (at least in LTS) appears to have a different lineage to NOTE: 20200819: the one upstream or in its many forks. For example, both dthe View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d3b6b120b352372ee4ad24e98595e04a6711e14a
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2389-1 for ruby-rack-cors
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 9d4582be by Utkarsh Gupta at 2020-10-01T17:40:49+05:30 Reserve DLA-2389-1 for ruby-rack-cors - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[01 Oct 2020] DLA-2389-1 ruby-rack-cors - security update + {CVE-2019-18978} + [stretch] - ruby-rack-cors 0.4.0-1+deb9u2 [29 Sep 2020] DLA-2387-2 firefox-esr - regression update [stretch] - firefox-esr 78.3.0esr-1~deb9u2 [29 Sep 2020] DLA-2388-1 nss - security update = data/dla-needed.txt = @@ -156,10 +156,6 @@ ruby-kaminari (Utkarsh) -- ruby-oauth -- -ruby-rack-cors (Utkarsh) - NOTE: 20200817: Was fixed in DLA-2096-1 for jessie LTS but is now re-vulnerable again in stretch LTS AFAICT. (lamby) - NOTE: 20200928: last bits of testing + smoke test remains. (utkarsh) --- samba NOTE: 20200703: Check with security team so that there's no clash for Stretch update. (utkarsh) NOTE: 20200801: Stretch update already released, so no conflict. (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d4582be9271b8a7b9ca46d7c4a036a9e692fe88
[Git][security-tracker-team/security-tracker][master] LTS: claim libvirt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 0beb1f52 by Roberto C. Sánchez at 2020-10-01T08:11:29-04:00 LTS: claim libvirt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -91,7 +91,7 @@ lemonldap-ng -- libproxy (Emilio) -- -libvirt +libvirt (Roberto C. Sánchez) NOTE: 20201001: More investigation needed. (utkarsh) -- linux (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0beb1f5299a07ee362e1896f1ea2bba004af2820
[Git][security-tracker-team/security-tracker][master] Add notes for open-build-service
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 7a3de57d by Utkarsh Gupta at 2020-10-01T16:51:07+05:30 Add notes for open-build-service - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -105,8 +105,9 @@ mumble NOTE: 20200504: discussion going on with t...@security.debian.org and mumble maintainer (abhijith) NOTE: 20200723: https://lists.debian.org/debian-lts/2020/05/msg8.html (abhijith) -- -open-build-service (Utkarsh Gupta) - NOTE: 20200928: in touch with upstream - still figuring out the best way to backport. (utkarsh) +open-build-service + NOTE: 20201001: upstream is yet to work on CVE-2020-8021. Pinged them. + NOTE: 20201001: cf: https://bugzilla.suse.com/show_bug.cgi?id=1171649 (utkarsh) -- opendmarc NOTE: 20200719: no patches for remaining CVEs available, everything else is already done in Stretch (thorsten) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7a3de57d20ca578291f302b8dfee450a81b374d2
[Git][security-tracker-team/security-tracker][master] Drop notes for CVE-2020-25726 (withdrawn by assigning CNA)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a879d557 by Salvatore Bonaccorso at 2020-10-01T10:43:15+02:00 Drop notes for CVE-2020-25726 (withdrawn by assigning CNA) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1080,7 +1080,6 @@ CVE-2020-25727 (The Reset Password add-on before 1.2.0 for Alfresco suffers from NOT-FOR-US: Reset Password add-on for Alfresco CVE-2020-25726 REJECTED - NOT-FOR-US: Hak5 WiFi Pineapple Mark VII devices CVE-2020-25725 RESERVED CVE-2020-25724 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a879d5575485792d86c5d53d22467b81406eb4db
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d75b9ddf by Moritz Muehlenhoff at 2020-10-01T10:38:04+02:00 NFUs glibc commit refs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -102,7 +102,7 @@ CVE-2019-20922 (Handlebars before 4.4.5 allows Regular Expression Denial of Serv NOTE: https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388 NOTE: https://www.npmjs.com/advisories/1300 CVE-2019-20921 (bootstrap-select before 1.13.6 allows Cross-Site Scripting (XSS). It d ...) - TODO: check + NOT-FOR-US: bootstrap-select CVE-2019-20920 (Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrar ...) - node-handlebars 3:4.5.3-1 - libjs-handlebars @@ -126,7 +126,7 @@ CVE-2020-26151 CVE-2020-26150 (info.php in Logaritmo Aware CallManager 2012 allows remote attackers t ...) NOT-FOR-US: Logaritmo Aware CallManager 2012 CVE-2020-26149 (NATS nats.js before 2.0.0-209, nats.ws before 1.0.0-111, and nats.deno ...) - TODO: check + NOT-FOR-US: nats.js CVE-2020-26154 (url.cpp in libproxy through 0.4.15 is prone to a buffer overflow when ...) - libproxy (bug #968366) NOTE: https://github.com/libproxy/libproxy/pull/126 @@ -813,7 +813,7 @@ CVE-2020-25832 CVE-2020-25831 RESERVED CVE-2020-25830 (An issue was discovered in MantisBT before 2.24.3. Improper escaping o ...) - TODO: check + - mantis CVE-2020-25829 RESERVED CVE-2020-25828 (An issue was discovered in MediaWiki before 1.31.10 and 1.32.x through ...) @@ -847,7 +847,7 @@ CVE-2020-25818 CVE-2020-25817 RESERVED CVE-2020-25816 (HashiCorp Vault and Vault Enterprise 1.0 before 1.5.4 have Incorrect A ...) - TODO: check + NOT-FOR-US: HashiCorp Vault CVE-2020-25815 (An issue was discovered in MediaWiki 1.32.x through 1.34.x before 1.34 ...) - mediawiki 1:1.35.0-1 [buster] - mediawiki (Vulnerable code introduced in 1.32) 
@@ -925,7 +925,7 @@ CVE-2020-25783 CVE-2020-25782 RESERVED CVE-2020-25781 (An issue was discovered in file_download.php in MantisBT before 2.24.3 ...) - TODO: check + - mantis CVE-2020-25796 (An issue was discovered in the sized-chunks crate through 0.6.2 for Ru ...) - rust-sized-chunks (bug #970586) NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0041.html @@ -2018,7 +2018,7 @@ CVE-2020-25290 CVE-2020-25289 (The VPN service in AVAST SecureLine before 5.6.4982.470 allows local u ...) NOT-FOR-US: VPN service in AVAST SecureLine CVE-2020-25288 (An issue was discovered in MantisBT before 2.24.3. When editing an Iss ...) - TODO: check + - mantis CVE-2020-25287 (Pligg 2.0.3 allows remote authenticated users to execute arbitrary com ...) NOT-FOR-US: Pligg CMS CVE-2020-25285 (A race condition between hugetlb sysctl handlers in mm/hugetlb.c in th ...) @@ -7887,7 +7887,7 @@ CVE-2020-22483 CVE-2020-22482 RESERVED CVE-2020-22481 (An issue was discovered in HFish 0.5.1. When a payload is inserted whe ...) - TODO: check + NOT-FOR-US: HFish CVE-2020-22480 RESERVED CVE-2020-22479 @@ -13497,7 +13497,7 @@ CVE-2020-19678 CVE-2020-19677 RESERVED CVE-2020-19676 (Nacos 1.1.4 is affected by: Incorrect Access Control. An environment c ...) - TODO: check + NOT-FOR-US: Nacos CVE-2020-19675 RESERVED CVE-2020-19674 @@ -20528,7 +20528,7 @@ CVE-2020-16236 CVE-2020-16235 RESERVED CVE-2020-16234 (In PLC WinProladder Version 3.28 and prior, a stack-based buffer overf ...) - TODO: check + NOT-FOR-US: PLC WinProladder CVE-2020-16233 (An attacker could send a specially crafted packet that could have Code ...) NOT-FOR-US: CodeMeter CVE-2020-16232 
@@ -47938,6 +47938,8 @@ CVE-2020-6096 (An exploitable signed comparison vulnerability exists in the ARMv [jessie] - glibc (Vulnerable code not present) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25620 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1019 + NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=beea361050728138b82c57dda0c4810402d342b9 + NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=79a4fa341b8a89cb03f84564fd72abaa1a2db394 CVE-2020-6095 (An exploitable denial of service vulnerability exists in the GstRTSPAu ...) - gst-rtsp-server1.0 1.16.2-3 (low) [buster] - gst-rtsp-server1.0 (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d75b9ddf033666c61534840a80d5712a7500d615
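Review bot: in the three MantisBT hunks (CVE-2020-25830, CVE-2020-25781 and CVE-2020-25288) `TODO: check` becomes a bare `- mantis` line with no bug reference or NOTE, while the neighbouring libproxy and rust-sized-chunks entries carry `(bug #968366)` and a NOTE pointing at the upstream advisory; since all three descriptions name the same MantisBT 2.24.3 fix, a NOTE with the upstream reference on each would save whoever picks them up from re-triaging the same release three times.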
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e09046c1 by security tracker role at 2020-10-01T08:10:25+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,77 @@ +CVE-2020-26204 + RESERVED +CVE-2020-26203 + RESERVED +CVE-2020-26202 + RESERVED +CVE-2020-26201 + RESERVED +CVE-2020-26200 + RESERVED +CVE-2020-26199 + RESERVED +CVE-2020-26198 + RESERVED +CVE-2020-26197 + RESERVED +CVE-2020-26196 + RESERVED +CVE-2020-26195 + RESERVED +CVE-2020-26194 + RESERVED +CVE-2020-26193 + RESERVED +CVE-2020-26192 + RESERVED +CVE-2020-26191 + RESERVED +CVE-2020-26190 + RESERVED +CVE-2020-26189 + RESERVED +CVE-2020-26188 + RESERVED +CVE-2020-26187 + RESERVED +CVE-2020-26186 + RESERVED +CVE-2020-26185 + RESERVED +CVE-2020-26184 + RESERVED +CVE-2020-26183 + RESERVED +CVE-2020-26182 + RESERVED +CVE-2020-26181 + RESERVED +CVE-2020-26180 + RESERVED +CVE-2020-26179 + RESERVED +CVE-2020-26178 + RESERVED +CVE-2020-26177 + RESERVED +CVE-2020-26176 + RESERVED +CVE-2020-26175 + RESERVED +CVE-2020-26174 + RESERVED +CVE-2020-26173 + RESERVED +CVE-2020-26172 + RESERVED +CVE-2020-26171 + RESERVED +CVE-2020-26170 + RESERVED +CVE-2020-26169 + RESERVED +CVE-2020-26168 + RESERVED CVE-2020-26167 RESERVED CVE-2020-26166 @@ -738,8 +812,8 @@ CVE-2020-25832 RESERVED CVE-2020-25831 RESERVED -CVE-2020-25830 - RESERVED +CVE-2020-25830 (An issue was discovered in MantisBT before 2.24.3. Improper escaping o ...) + TODO: check CVE-2020-25829 RESERVED CVE-2020-25828 (An issue was discovered in MediaWiki before 1.31.10 and 1.32.x through ...) @@ -772,8 +846,8 @@ CVE-2020-25818 RESERVED CVE-2020-25817 RESERVED -CVE-2020-25816 - RESERVED +CVE-2020-25816 (HashiCorp Vault and Vault Enterprise 1.0 before 1.5.4 have Incorrect A ...) + TODO: check CVE-2020-25815 (An issue was discovered in MediaWiki 1.32.x through 1.34.x before 1.34 ...) - mediawiki 1:1.35.0-1 [buster] - mediawiki (Vulnerable code introduced in 1.32) 
@@ -850,8 +924,8 @@ CVE-2020-25783 RESERVED CVE-2020-25782 RESERVED -CVE-2020-25781 - RESERVED +CVE-2020-25781 (An issue was discovered in file_download.php in MantisBT before 2.24.3 ...) + TODO: check CVE-2020-25796 (An issue was discovered in the sized-chunks crate through 0.6.2 for Ru ...) - rust-sized-chunks (bug #970586) NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0041.html @@ -1004,7 +1078,8 @@ CVE-2020-25728 (The Reset Password add-on before 1.2.0 for Alfresco has a broken NOT-FOR-US: Reset Password add-on for Alfresco CVE-2020-25727 (The Reset Password add-on before 1.2.0 for Alfresco suffers from CMIS- ...) NOT-FOR-US: Reset Password add-on for Alfresco -CVE-2020-25726 (A Directory Traversal issue was discovered on Hak5 WiFi Pineapple Mark ...) +CVE-2020-25726 + REJECTED NOT-FOR-US: Hak5 WiFi Pineapple Mark VII devices CVE-2020-25725 RESERVED @@ -1226,8 +1301,7 @@ CVE-2020-25628 RESERVED CVE-2020-25627 RESERVED -CVE-2020-25626 [XSS Vulnerability in API viewer] - RESERVED +CVE-2020-25626 (A flaw was found in Django REST Framework versions before 3.12.0 and b ...) - djangorestframework NOTE: https://github.com/encode/django-rest-framework/commit/4121b01b912668c049b26194a9a107c27a332429 NOTE: Fixed upstream in 3.12.0 and 3.11.2 @@ -1943,8 +2017,8 @@ CVE-2020-25290 RESERVED CVE-2020-25289 (The VPN service in AVAST SecureLine before 5.6.4982.470 allows local u ...) NOT-FOR-US: VPN service in AVAST SecureLine -CVE-2020-25288 - RESERVED +CVE-2020-25288 (An issue was discovered in MantisBT before 2.24.3. When editing an Iss ...) + TODO: check CVE-2020-25287 (Pligg 2.0.3 allows remote authenticated users to execute arbitrary com ...) NOT-FOR-US: Pligg CMS CVE-2020-25285 (A race condition between hugetlb sysctl handlers in mm/hugetlb.c in th ...) 
@@ -20453,8 +20527,8 @@ CVE-2020-16236 RESERVED CVE-2020-16235 RESERVED -CVE-2020-16234 - RESERVED +CVE-2020-16234 (In PLC WinProladder Version 3.28 and prior, a stack-based buffer overf ...) + TODO: check CVE-2020-16233 (An attacker could send a specially crafted packet that could have Code ...) NOT-FOR-US: CodeMeter CVE-2020-16232 @@ -22088,10 +22162,10 @@ CVE-2019-20905 RESERVED CVE-2019-20904 RESERVED -CVE-2019-20903 - RESERVED -CVE-2019-20902 - RESERVED +CVE-2019-20903 (The hyperlinks functionality in atlaskit/editor-core in before version ...) +
[Git][security-tracker-team/security-tracker][master] Triage libvirt for stretch
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: e7a76f23 by Utkarsh Gupta at 2020-10-01T12:49:27+05:30 Triage libvirt for stretch - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -91,6 +91,9 @@ lemonldap-ng -- libproxy (Emilio) -- +libvirt + NOTE: 20201001: More investigation needed. (utkarsh) +-- linux (Ben Hutchings) -- linux-4.19 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7a76f23c474326ab8406b35b19484faadec7521
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-10763/heketi
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 41cc3de4 by Salvatore Bonaccorso at 2020-10-01T08:42:40+02:00 Add CVE-2020-10763/heketi - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -36148,6 +36148,7 @@ CVE-2020-10764 RESERVED CVE-2020-10763 RESERVED + - heketi (bug #903384) CVE-2020-10762 RESERVED CVE-2020-10761 (An assertion failure issue was found in the Network Block Device(NBD) ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41cc3de4ac7c967fe2cdb3ef8f81e957acc6d967
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-25018 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 660eb9dd by Salvatore Bonaccorso at 2020-10-01T08:41:57+02:00 Add CVE-2020-25018 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2585,6 +2585,7 @@ CVE-2020-25019 (jitsi-meet-electron (aka Jitsi Meet Electron) before 2.3.0 calls NOT-FOR-US: jitsi-meet-electron CVE-2020-25018 RESERVED + NOT-FOR-US: envoy proxy (not the same as itp'ed envoy, #758651) CVE-2020-25017 RESERVED NOT-FOR-US: envoy proxy (not the same as itp'ed envoy, #758651) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/660eb9dd555ff1d98edcd939295329499918658f
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-25626/djangorestframework
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6bcc8bcf by Salvatore Bonaccorso at 2020-10-01T08:35:19+02:00 Add CVE-2020-25626/djangorestframework - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1226,8 +1226,11 @@ CVE-2020-25628 RESERVED CVE-2020-25627 RESERVED -CVE-2020-25626 +CVE-2020-25626 [XSS Vulnerability in API viewer] RESERVED + - djangorestframework + NOTE: https://github.com/encode/django-rest-framework/commit/4121b01b912668c049b26194a9a107c27a332429 + NOTE: Fixed upstream in 3.12.0 and 3.11.2 CVE-2020-25625 (hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list ha ...) - qemu (bug #970542) [buster] - qemu (Can be fixed along in next qemu DSA) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6bcc8bcf1229fc09a6b99a847d29c041920d760e
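Review bot: the new djangorestframework entry records the upstream fix commit and the fixed upstream versions 3.12.0 and 3.11.2 but no Debian bug number, while the qemu entry in the same hunk carries `(bug #970542)`; if a bug has been or will be filed against the package, adding it in the same `(bug #NNNNNN)` form keeps the entry consistent and lets the tracker link the report.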