[Git][security-tracker-team/security-tracker][master] Add CVE-2020-4788/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e2f646be by Salvatore Bonaccorso at 2020-11-20T08:55:21+01:00 Add CVE-2020-4788/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -61106,8 +61106,9 @@ CVE-2020-4790 RESERVED CVE-2020-4789 RESERVED -CVE-2020-4788 +CVE-2020-4788 [Speculation on incompletely validated data on IBM Power9] RESERVED + - linux CVE-2020-4787 RESERVED CVE-2020-4786 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e2f646be3bba5a3b5c8a560d2ea76ec5fdca2422 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e2f646be3bba5a3b5c8a560d2ea76ec5fdca2422 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
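Review bot: the new `- linux` line for CVE-2020-4788 carries neither a fixed version nor a NOTE with an upstream reference, so the entry marks every suite as unfixed with nothing for a triager to follow up. A NOTE pointing at the upstream fix, or a `(bug #...)` reference once one is filed, next to the `[Speculation on incompletely validated data on IBM Power9]` title would make the entry actionable in the same way as the neighbouring linux entries that carry a git.kernel.org NOTE.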
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-8569 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8ab843df by Salvatore Bonaccorso at 2020-11-20T08:10:11+01:00 Add CVE-2020-8569 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -51351,6 +51351,8 @@ CVE-2020-8570 RESERVED CVE-2020-8569 RESERVED + NOT-FOR-US: Kubernetes CSI Snapshotter + NOTE: https://github.com/kubernetes-csi/external-snapshotter/issues/421 CVE-2020-8568 RESERVED CVE-2020-8567 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8ab843df6bd478df6b5a759bbb8baf0bd6074c53 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8ab843df6bd478df6b5a759bbb8baf0bd6074c53 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-28912/MariaDB
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0d13e634 by Salvatore Bonaccorso at 2020-11-20T08:06:58+01:00 Add CVE-2020-28912/MariaDB - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -90,6 +90,11 @@ CVE-2020-28913 RESERVED CVE-2020-28912 RESERVED + - mariadb-10.5 (Only affects MariaDB on Windows) + - mariadb-10.3 (Only affects MariaDB on Windows) + - mariadb-10.1 (Only affects MariaDB on Windows) + NOTE: https://jira.mariadb.org/browse/MDEV-24040 + NOTE: https://github.com/MariaDB/server/commit/3829b408d6 CVE-2020-28911 RESERVED CVE-2020-28910 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0d13e634c849c4aa4987bb85bc8c991ef4957dc2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0d13e634c849c4aa4987bb85bc8c991ef4957dc2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
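Review bot: the three `- mariadb-10.x (Only affects MariaDB on Windows)` lines give no fixed version and no `<not-affected>` marker, so the tracker will report every suite as unfixed for an issue the parenthetical itself says does not affect Debian builds. If the Windows-only assessment holds, `- mariadb-10.5 <not-affected> (Only affects MariaDB on Windows)` (and likewise for 10.3 and 10.1) is the form that records it, with the MDEV-24040 and upstream-commit NOTEs kept as the justification.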
[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for CVE-2016-6175/php-gettext
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 27a76a9d by Salvatore Bonaccorso at 2020-11-20T07:28:23+01:00 Track fixed version via unstable for CVE-2016-6175/php-gettext - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -246608,7 +246608,7 @@ CVE-2016-6185 (The XSLoader::load method in XSLoader in Perl does not properly l {DSA-3628-1 DLA-565-1} - perl 5.22.2-2 (bug #829578) CVE-2016-6175 (Eval injection vulnerability in php-gettext 1.0.12 and earlier allows ...) - - php-gettext (bug #851771) + - php-gettext 1.0.12-1 (bug #851771) [buster] - php-gettext (Minor issue) [stretch] - php-gettext (Minor issue) [jessie] - php-gettext (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27a76a9d76777645624076e299173a4af40db8fa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27a76a9d76777645624076e299173a4af40db8fa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
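Review bot: the new fixed version `- php-gettext 1.0.12-1 (bug #851771)` sits under a description that says `php-gettext 1.0.12 and earlier` is vulnerable, so a reader has to know that 1.0.12-1 carries a Debian-specific patch to make sense of it. A NOTE naming that patch or the changelog entry would make the fixed-version claim self-explanatory, and the three `(Minor issue)` suite lines would then read consistently with it.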
[Git][security-tracker-team/security-tracker][master] update note in dla-needed.txt
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 6c09a1cc by Abhijith PA at 2020-11-20T11:10:23+05:30 update note in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -71,6 +71,7 @@ intel-microcode (Utkarsh) NOTE: 20201117: each round of updates had caused regressions. Thanks Moritz! (utkarsh) -- jupyter-notebook + NOTE: 20201120: Defer upload for a week or so. Last DLA release was less than a month (abhijith) -- lemonldap-ng (Utkarsh) NOTE: 20200910: Released a DLA for CVE-2020-24660 a few days ago, so could defer. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6c09a1ccd1bb79418697201522dde70cf3e2c993 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6c09a1ccd1bb79418697201522dde70cf3e2c993 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
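Review bot: the added NOTE reads `Last DLA release was less than a month` and is missing `ago`; it also does not say which issue the deferred upload would address, which the neighbouring entries do (the lemonldap-ng note names CVE-2020-24660). Completing the sentence and naming the CVE keeps the entry useful to the next person picking up jupyter-notebook.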
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-26682
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bc372431 by Salvatore Bonaccorso at 2020-11-20T06:28:04+01:00 Add Debian bug reference for CVE-2020-26682 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8128,7 +8128,7 @@ CVE-2020-26684 CVE-2020-26683 RESERVED CVE-2020-26682 (In libass 0.14.0, the `ass_outline_construct`'s call to `outline_strok ...) - - libass 1:0.15.0-1 + - libass 1:0.15.0-1 (bug #975108) [buster] - libass (Minor issue) [stretch] - libass (Vulnerable code not present) NOTE: https://github.com/libass/libass/issues/431 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc372431995e81c228eddd9d34fd658cbc44b025 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc372431995e81c228eddd9d34fd658cbc44b025 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: LTS: add influxdb to dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 9c40b39b by Roberto C. Sánchez at 2020-11-19T21:41:19-05:00 LTS: add influxdb to dla-needed.txt - - - - - 22b8bb16 by Roberto C. Sánchez at 2020-11-19T21:51:14-05:00 LTS: add jupyter-notebook to dla-needed.txt - - - - - 2721aad3 by Roberto C. Sánchez at 2020-11-19T21:53:26-05:00 LTS: add php-pear to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -64,10 +64,14 @@ golang-github-dgrijalva-jwt-go -- golang-golang-x-net-dev -- +influxdb +-- intel-microcode (Utkarsh) NOTE: 20201117: hold off the update until it's settled in unstable, at least. NOTE: 20201117: each round of updates had caused regressions. Thanks Moritz! (utkarsh) -- +jupyter-notebook +-- lemonldap-ng (Utkarsh) NOTE: 20200910: Released a DLA for CVE-2020-24660 a few days ago, so could defer. (lamby) -- @@ -109,6 +113,8 @@ php-horde-trean NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in https://bugs.horde.org/ticket/14926 (sunweaver) NOTE: 20200829: We may not expect too much activity regarding this by upstream. (sunweaver) -- +php-pear +-- pluxml NOTE: 20201011: issue is still open upstream. Also low priority for us (abhijith) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b25005428b88407679100b8d4fc5a65b3829d5a8...2721aad34b88d8f254e0a229d4e8a5d66dfd6f05 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b25005428b88407679100b8d4fc5a65b3829d5a8...2721aad34b88d8f254e0a229d4e8a5d66dfd6f05 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
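Review bot: the three new entries `+influxdb`, `+jupyter-notebook` and `+php-pear` are added without a dated NOTE, whereas the surrounding entries record the date and the motivating issue. A `NOTE: 20201119: ...` naming the CVEs behind each addition (CVE-2020-26215 for jupyter-notebook and the Archive_Tar issues CVE-2020-28948/28949 for php-pear appear in commits from the same evening) would tell the claimant what is expected; influxdb has no such reference on this list and needs one most.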
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-25723/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b2500542 by Salvatore Bonaccorso at 2020-11-19T22:36:27+01:00 Add Debian bug reference for CVE-2020-25723/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10261,7 +10261,7 @@ CVE-2020-25724 RESERVED CVE-2020-25723 [assertion failure through usb_packet_unmap() in hw/usb/hcd-ehci.c] RESERVED - - qemu + - qemu (bug #975276) [buster] - qemu (Fix along in future DSA) NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=2fdb42d840400d58f2e706ecca82c142b97bcbd6 CVE-2020-25722 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b25005428b88407679100b8d4fc5a65b3829d5a8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b25005428b88407679100b8d4fc5a65b3829d5a8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-25660/ceph
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: edab4872 by Salvatore Bonaccorso at 2020-11-19T22:24:51+01:00 Add Debian bug reference for CVE-2020-25660/ceph - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10448,7 +10448,7 @@ CVE-2020-25661 (A Red Hat only CVE-2020-12351 regression issue was found in the - linux (Red Hat-specific regression) CVE-2020-25660 [cephx authentication protocol does not verify ceph clients correctly] RESERVED - - ceph + - ceph (bug #975275) [buster] - ceph (Vulnerable code introduced later) [stretch] - ceph (Vulnerable code introduced later) NOTE: https://www.openwall.com/lists/oss-security/2020/11/17/4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/edab487274a3f727ed28ee8ad35c1c64d243a71d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/edab487274a3f727ed28ee8ad35c1c64d243a71d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2020-25660: Add complete list of upstream commits
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 008697ba by Salvatore Bonaccorso at 2020-11-19T22:16:28+01:00 CVE-2020-25660: Add complete list of upstream commits - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -10454,8 +10454,12 @@ CVE-2020-25660 [cephx authentication protocol does not verify ceph clients corre NOTE: https://www.openwall.com/lists/oss-security/2020/11/17/4 NOTE: Proposed patches: https://www.openwall.com/lists/oss-security/2020/11/17/3 NOTE: Introduced by: https://github.com/ceph/ceph/commit/321548010578d6ff7bbf2e5ce8a550008b131423 (v15.1.0, backported to v14.2.5) - NOTE: Fixed by: https://github.com/ceph/ceph/commit/4a82c72e3bdddcb625933e83af8b50a444b961f1 (15.1.x) - NOTE: Fixed by: https://github.com/ceph/ceph/commit/2927fd91d41e505237cc73f9700e5c6a63e5cb4f (14.2.x) + NOTE: Fixed by: https://github.com/ceph/ceph/commit/6c14c2fb5650426285428dfe6ca1597e5ea1d07d (15.2.6) + NOTE: Fixed by: https://github.com/ceph/ceph/commit/1316c82aae8c51b3fe10d8a8f0a87b60db54ee16 (15.2.6) + NOTE: Fixed by: https://github.com/ceph/ceph/commit/bafdfec8f974f1a3f7d404bcfd0a4cfad784937d (15.2.6) + NOTE: Fixed by: https://github.com/ceph/ceph/commit/2927fd91d41e505237cc73f9700e5c6a63e5cb4f (14.2.14) + NOTE: Fixed by: https://github.com/ceph/ceph/commit/4c11203122d729c832a645c9e3f5092db4963840 (14.2.14) + NOTE: Fixed by: https://github.com/ceph/ceph/commit/bb5d3d58bfcae96d2e5f796eaa74fc0987f79e77 (14.2.14) CVE-2020-25659 [bleichenbacher timing oracle attack against RSA decryption] RESERVED - python-cryptography 3.2.1-1 (bug #973247) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/008697ba9717f9a0e45554a46c7adf61c856120a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/008697ba9717f9a0e45554a46c7adf61c856120a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
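Review bot: the removed `NOTE: Fixed by: .../4a82c72e3bdddcb625933e83af8b50a444b961f1 (15.1.x)` line is not carried over, while the other original reference (2927fd91) is kept with its version narrowed from 14.2.x to 14.2.14. If 4a82c72e was the master commit that the three 15.2.6 commits backport, keeping it as the upstream reference would help whoever has to port the fix to the Debian package; if it was simply wrong, a short NOTE saying so avoids the question coming up again.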
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2020-25660/cepth
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 02d5c4ad by Salvatore Bonaccorso at 2020-11-19T22:08:33+01:00 Update information on CVE-2020-25660/cepth - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10453,7 +10453,9 @@ CVE-2020-25660 [cephx authentication protocol does not verify ceph clients corre [stretch] - ceph (Vulnerable code introduced later) NOTE: https://www.openwall.com/lists/oss-security/2020/11/17/4 NOTE: Proposed patches: https://www.openwall.com/lists/oss-security/2020/11/17/3 - NOTE: Introduced by: https://github.com/ceph/ceph/commit/321548010578d6ff7bbf2e5ce8a550008b131423 (v15.1.0, backported to 14.2.5) + NOTE: Introduced by: https://github.com/ceph/ceph/commit/321548010578d6ff7bbf2e5ce8a550008b131423 (v15.1.0, backported to v14.2.5) + NOTE: Fixed by: https://github.com/ceph/ceph/commit/4a82c72e3bdddcb625933e83af8b50a444b961f1 (15.1.x) + NOTE: Fixed by: https://github.com/ceph/ceph/commit/2927fd91d41e505237cc73f9700e5c6a63e5cb4f (14.2.x) CVE-2020-25659 [bleichenbacher timing oracle attack against RSA decryption] RESERVED - python-cryptography 3.2.1-1 (bug #973247) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02d5c4adeb49df7e9ab12cbb93358a73c0b5c7dc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02d5c4adeb49df7e9ab12cbb93358a73c0b5c7dc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
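Review bot: the commit message spells the package `cepth`; `ceph` is meant. In the hunk, the two new `Fixed by` lines give version ranges (`15.1.x`, `14.2.x`) rather than the release that first shipped the fix, which is what a backporter needs to pick the right tag; naming the exact releases, as the `Introduced by` line already does with v15.1.0 and v14.2.5, would make the entry precise.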
[Git][security-tracker-team/security-tracker][master] CVE-2020-28196/krb5 fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 15288957 by Salvatore Bonaccorso at 2020-11-19T22:00:24+01:00 CVE-2020-28196/krb5 fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4239,7 +4239,7 @@ CVE-2020-28197 CVE-2020-28196 (MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3 allow ...) {DLA-2437-1} [experimental] - krb5 1.18.2-1 - - krb5 (bug #973880) + - krb5 1.18.3-1 (bug #973880) NOTE: https://github.com/krb5/krb5/commit/57415dda6cf04e73ffc3723be518eddfae599bfd CVE-2020-28195 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/15288957493ee947cc97021ea96f65b4d7270fec -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/15288957493ee947cc97021ea96f65b4d7270fec You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
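Review bot: with unstable now at `- krb5 1.18.3-1 (bug #973880)`, the `[experimental] - krb5 1.18.2-1` line above it looks stale: the description says `1.18.x before 1.18.3` is affected, so 1.18.2-1 reads as fixed only if that upload carried the patch, which nothing in the entry states. Either drop the experimental line now that the unstable version supersedes it, or add a NOTE explaining why 1.18.2-1 counts as fixed.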
[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for CVE-2020-5991/nvidia-cuda-toolkit
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 03647e0b by Salvatore Bonaccorso at 2020-11-19T21:58:32+01:00 Track fixed version via unstable for CVE-2020-5991/nvidia-cuda-toolkit - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -57955,7 +57955,7 @@ CVE-2020-5992 (NVIDIA GeForce NOW application software on Windows, all versions NOT-FOR-US: NVIDIA GeForce NOW application software CVE-2020-5991 (NVIDIA CUDA Toolkit, all versions prior to 11.1.1, contains a vulnerab ...) [experimental] - nvidia-cuda-toolkit 11.1.1-1 - - nvidia-cuda-toolkit (bug #973543) + - nvidia-cuda-toolkit 11.1.1-2 (bug #973543) [buster] - nvidia-cuda-toolkit (Non-free not supported) [stretch] - nvidia-cuda-toolkit (Non-free not supported) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5094 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03647e0b417246ecc373c06e1cf474c9d56f5ca4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03647e0b417246ecc373c06e1cf474c9d56f5ca4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-26215/jupyter-notebook
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5a9fb886 by Salvatore Bonaccorso at 2020-11-19T21:53:49+01:00 Add CVE-2020-26215/jupyter-notebook - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9126,7 +9126,9 @@ CVE-2020-26217 (XStream before version 1.4.14 is vulnerable to Remote Code Execu CVE-2020-26216 (TYPO3 Fluid before versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 ...) TODO: check CVE-2020-26215 (Jupyter Notebook before version 6.1.5 has an Open redirect vulnerabili ...) - TODO: check + - jupyter-notebook + NOTE: https://github.com/jupyter/notebook/security/advisories/GHSA-c7vm-f5p4-8fqh + NOTE: https://github.com/jupyter/notebook/commit/2e1c56b0c4a903606d4a2eb13e32409296b9799d CVE-2020-26214 (In Alerta before version 8.1.0, users may be able to bypass LDAP authe ...) NOT-FOR-US: Alerta CVE-2020-26213 (In teler before version 0.0.1, if you run teler inside a Docker contai ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a9fb8865185bbefd57bdf0997f250f116c482b7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a9fb8865185bbefd57bdf0997f250f116c482b7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
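Review bot: `- jupyter-notebook` replaces the TODO without a fixed version or bug reference, although the description says the open redirect is fixed in 6.1.5 and the GHSA and upstream commit are linked. Recording the fixed Debian version, or `(bug #...)` once a bug is filed, would close the loop; the same package was added to dla-needed.txt on this list the same evening, so a cross-reference there would help the LTS claimant too.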
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-2894{8,9}/php-pear
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: caf7d7ee by Salvatore Bonaccorso at 2020-11-19T21:33:29+01:00 Add CVE-2020-2894{8,9}/php-pear - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,9 +3,13 @@ CVE-2020-28951 (libuci in OpenWrt before 18.06.9 and 19.x before 19.07.5 may enc CVE-2020-28950 RESERVED CVE-2020-28949 (Archive_Tar through 1.4.10 has :// filename sanitization only to addre ...) - TODO: check + - php-pear + NOTE: https://github.com/pear/Archive_Tar/issues/33 + NOTE: https://github.com/pear/Archive_Tar/commit/0670a05fdab997036a3fc3ef113b8f5922e574da CVE-2020-28948 (Archive_Tar through 1.4.10 allows an unserialization attack because ph ...) - TODO: check + - php-pear + NOTE: https://github.com/pear/Archive_Tar/issues/33 + NOTE: https://github.com/pear/Archive_Tar/commit/0670a05fdab997036a3fc3ef113b8f5922e574da CVE-2020-28947 (In MISP 2.4.134, XSS exists in the template element index view because ...) NOT-FOR-US: MISP CVE-2020-28946 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/caf7d7eec73be7acba9b83def498e0d3e4ec9f58 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/caf7d7eec73be7acba9b83def498e0d3e4ec9f58 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
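Review bot: both `- php-pear` lines for CVE-2020-28948 and CVE-2020-28949 lack a fixed version and a bug reference, and nothing in the entries says that Archive_Tar is shipped inside the php-pear source package, which is the reason the CVEs land there. A NOTE along the lines of `Archive_Tar is bundled in php-pear` plus the fixed version once uploaded would make the entries self-explanatory; since both point at the same issue #33 and commit 0670a05f, a `NOTE: Same fix as CVE-2020-28948` on the second entry would also avoid treating them as two independent fixes.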
[Git][security-tracker-team/security-tracker][master] c-ares fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: fd87a94a by Moritz Muehlenhoff at 2020-11-19T21:20:23+01:00 c-ares fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -52015,7 +52015,7 @@ CVE-2020-8279 (Missing validation of server certificates for out-going connectio CVE-2020-8278 (Improper access control in Nextcloud Social app version 0.3.1 allowed ...) TODO: check CVE-2020-8277 (A Node.js application that allows an attacker to trigger a DNS request ...) - - c-ares + - c-ares 1.17.1-1 [buster] - c-ares (Introduced in 1.16) [stretch] - c-ares (Introduced in 1.16) NOTE: Originally reported for nodes, which bundles c-ares: https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/#denial-of-service-through-dns-request-cve-2020-8277 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd87a94a567280ca52d125d997aab1b8cd5d7b04 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd87a94a567280ca52d125d997aab1b8cd5d7b04 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
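Review bot: the added NOTE says `Originally reported for nodes, which bundles c-ares`; `nodes` should read `nodejs`. The same NOTE raises a follow-up the entry does not answer: if the Debian nodejs package links the system libc-ares, the `c-ares 1.17.1-1` fix covers it, but if it builds its embedded copy, nodejs needs its own entry for CVE-2020-8277; recording which applies would save the next triager checking.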
[Git][security-tracker-team/security-tracker][master] Add new issues in moodle
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 993c784e by Salvatore Bonaccorso at 2020-11-19T21:18:02+01:00 Add new issues in moodle - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10315,17 +10315,17 @@ CVE-2020-25704 - linux 5.9.6-1 NOTE: https://git.kernel.org/linus/7bdb157cdebbf95a1cd94ed2e01b338714075d00 CVE-2020-25703 (The participants table download in Moodle always included user emails, ...) - TODO: check + - moodle CVE-2020-25702 (In Moodle, it was possible to include JavaScript when re-naming conten ...) - TODO: check + - moodle CVE-2020-25701 (If the upload course tool in Moodle was used to delete an enrollment m ...) - TODO: check + - moodle CVE-2020-25700 (In moodle, some database module web services allowed students to add e ...) - TODO: check + - moodle CVE-2020-25699 (In moodle, insufficient capability checks could lead to users with the ...) - TODO: check + - moodle CVE-2020-25698 (Users' enrollment capabilities were not being sufficiently checked in ...) - TODO: check + - moodle CVE-2020-25697 RESERVED NOTE: Long-standing design limitation in X11, unlikely to get fixed until the world moves to Wayland View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/993c784e6eecbb72957f6b7e49d6e5c9d1007d82 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/993c784e6eecbb72957f6b7e49d6e5c9d1007d82 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
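Review bot: the six `- moodle` lines replace the TODOs without a fixed version or any NOTE, and the truncated descriptions do not say which Moodle releases fix each issue. Adding the upstream advisory or fix reference per CVE, as other entries on this list do with NOTE lines, and the fixed Debian version would let the [buster]/[stretch] status be worked out rather than left implicit.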
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ff027155 by Salvatore Bonaccorso at 2020-11-19T21:16:47+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2020-28951 (libuci in OpenWrt before 18.06.9 and 19.x before 19.07.5 may encounter ...) - TODO: check + NOT-FOR-US: libuci in OpenWrt CVE-2020-28950 RESERVED CVE-2020-28949 (Archive_Tar through 1.4.10 has :// filename sanitization only to addre ...) @@ -7,7 +7,7 @@ CVE-2020-28949 (Archive_Tar through 1.4.10 has :// filename sanitization only to CVE-2020-28948 (Archive_Tar through 1.4.10 allows an unserialization attack because ph ...) TODO: check CVE-2020-28947 (In MISP 2.4.134, XSS exists in the template element index view because ...) - TODO: check + NOT-FOR-US: MISP CVE-2020-28946 RESERVED CVE-2020-28945 @@ -17,7 +17,7 @@ CVE-2020-28944 CVE-2020-28943 RESERVED CVE-2020-28942 (An issue exists in PrimeKey EJBCA before 7.4.3 when enrolling with EST ...) - TODO: check + NOT-FOR-US: PrimeKey EJBCA CVE-2020-28941 (An issue was discovered in drivers/accessibility/speakup/spk_ttyio.c i ...) - linux NOTE: https://www.openwall.com/lists/oss-security/2020/11/19/3 @@ -4522,7 +4522,7 @@ CVE-2020-28056 CVE-2020-28055 (A vulnerability in the TCL Android Smart TV series V8-R851T02-LF1 V295 ...) NOT-FOR-US: TCL Android Smart TV series CVE-2020-28054 (JamoDat TSMManager Collector version up to 6.5.0.21 is vulnerable to a ...) - TODO: check + NOT-FOR-US: JamoDat TSMManager Collector CVE-2020-28053 RESERVED CVE-2020-28052 @@ -17382,7 +17382,7 @@ CVE-2020-22396 CVE-2020-22395 RESERVED CVE-2020-22394 (In YzmCMS v5.5 the member contribution function in the editor contains ...) - TODO: check + NOT-FOR-US: YzmCMS CVE-2020-22393 RESERVED CVE-2020-22392 
@@ -61228,7 +61228,7 @@ CVE-2020-4720 CVE-2020-4719 RESERVED CVE-2020-4718 (IBM Jazz Reporting Service 6.0.6, 6.0.6.1, 7.0, and 7.0.1 is vulnerabl ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4717 RESERVED CVE-2020-4716 @@ -61262,7 +61262,7 @@ CVE-2020-4703 (IBM Spectrum Protect Plus 10.1.0 through 10.1.6 Administrative Co CVE-2020-4702 (IBM InfoSphere Information Server 11.7 is vulnerable to stored cross-s ...) NOT-FOR-US: IBM CVE-2020-4701 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 10.5 ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4700 (IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.2 a ...) NOT-FOR-US: IBM CVE-2020-4699 (IBM Security Access Manager 9.0.7 and IBM Security Verify Access 10.0. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff02715567b1ea0dc2082b05ad50639ac5e12699 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff02715567b1ea0dc2082b05ad50639ac5e12699 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8d5e0a4a by security tracker role at 2020-11-19T20:10:28+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,4 +1,24 @@ -CVE-2020-28941 +CVE-2020-28951 (libuci in OpenWrt before 18.06.9 and 19.x before 19.07.5 may encounter ...) + TODO: check +CVE-2020-28950 + RESERVED +CVE-2020-28949 (Archive_Tar through 1.4.10 has :// filename sanitization only to addre ...) + TODO: check +CVE-2020-28948 (Archive_Tar through 1.4.10 allows an unserialization attack because ph ...) + TODO: check +CVE-2020-28947 (In MISP 2.4.134, XSS exists in the template element index view because ...) + TODO: check +CVE-2020-28946 + RESERVED +CVE-2020-28945 + RESERVED +CVE-2020-28944 + RESERVED +CVE-2020-28943 + RESERVED +CVE-2020-28942 (An issue exists in PrimeKey EJBCA before 7.4.3 when enrolling with EST ...) + TODO: check +CVE-2020-28941 (An issue was discovered in drivers/accessibility/speakup/spk_ttyio.c i ...) - linux NOTE: https://www.openwall.com/lists/oss-security/2020/11/19/3 CVE-2020-28940 @@ -4501,8 +4521,8 @@ CVE-2020-28056 RESERVED CVE-2020-28055 (A vulnerability in the TCL Android Smart TV series V8-R851T02-LF1 V295 ...) NOT-FOR-US: TCL Android Smart TV series -CVE-2020-28054 - RESERVED +CVE-2020-28054 (JamoDat TSMManager Collector version up to 6.5.0.21 is vulnerable to a ...) + TODO: check CVE-2020-28053 RESERVED CVE-2020-28052 @@ -7425,7 +7445,7 @@ CVE-2020-26969 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26969 CVE-2020-26968 RESERVED - {DSA-4793-1} + {DSA-4793-1 DLA-2457-1} - firefox 83.0-1 - firefox-esr 78.5.0esr-1 - thunderbird 1:78.5.0-1 @@ -7446,7 +7466,7 @@ CVE-2020-26966 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-52/#CVE-2020-26966 CVE-2020-26965 RESERVED - {DSA-4793-1} + {DSA-4793-1 DLA-2457-1} - firefox 83.0-1 - firefox-esr 78.5.0esr-1 - thunderbird 1:78.5.0-1 
@@ -7467,7 +7487,7 @@ CVE-2020-26962 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26962 CVE-2020-26961 RESERVED - {DSA-4793-1} + {DSA-4793-1 DLA-2457-1} - firefox 83.0-1 - firefox-esr 78.5.0esr-1 - thunderbird 1:78.5.0-1 @@ -7476,7 +7496,7 @@ CVE-2020-26961 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-52/#CVE-2020-26961 CVE-2020-26960 RESERVED - {DSA-4793-1} + {DSA-4793-1 DLA-2457-1} - firefox 83.0-1 - firefox-esr 78.5.0esr-1 - thunderbird 1:78.5.0-1 @@ -7485,7 +7505,7 @@ CVE-2020-26960 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-52/#CVE-2020-26960 CVE-2020-26959 RESERVED - {DSA-4793-1} + {DSA-4793-1 DLA-2457-1} - firefox 83.0-1 - firefox-esr 78.5.0esr-1 - thunderbird 1:78.5.0-1 @@ -7494,7 +7514,7 @@ CVE-2020-26959 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-52/#CVE-2020-26959 CVE-2020-26958 RESERVED - {DSA-4793-1} + {DSA-4793-1 DLA-2457-1} - firefox 83.0-1 - firefox-esr 78.5.0esr-1 - thunderbird 1:78.5.0-1 @@ -7507,7 +7527,7 @@ CVE-2020-26957 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26957 CVE-2020-26956 RESERVED - {DSA-4793-1} + {DSA-4793-1 DLA-2457-1} - firefox 83.0-1 - firefox-esr 78.5.0esr-1 - thunderbird 1:78.5.0-1 @@ -7524,7 +7544,7 @@ CVE-2020-26954 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26954 CVE-2020-26953 RESERVED - {DSA-4793-1} + {DSA-4793-1 DLA-2457-1} - firefox 83.0-1 - firefox-esr 78.5.0esr-1 - thunderbird 1:78.5.0-1 @@ -7537,7 +7557,7 @@ CVE-2020-26952 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26952 CVE-2020-26951 RESERVED - {DSA-4793-1} + {DSA-4793-1 DLA-2457-1} - firefox 83.0-1 - firefox-esr 78.5.0esr-1 - thunderbird 1:78.5.0-1 
@@ -10294,18 +10314,18 @@ CVE-2020-25704 RESERVED - linux 5.9.6-1 NOTE: https://git.kernel.org/linus/7bdb157cdebbf95a1cd94ed2e01b338714075d00 -CVE-2020-25703 - RESERVED -CVE-2020-25702 - RESERVED -CVE-2020-25701 - RESERVED -CVE-2020-25700 - RESERVED -CVE-2020-25699 - RESERVED -CVE-2020-25698 - RESERVED +CVE-2020-25703 (The participants table download in Moodle always included user emails, ...) + TODO: check +CVE-2020-25702 (In Moodle, it was possible to include
[Git][security-tracker-team/security-tracker][master] CVE-2020-26271,libxstream-java: Fixed in unstable.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: ceeb1f37 by Markus Koschany at 2020-11-19T20:53:22+01:00 CVE-2020-26271,libxstream-java: Fixed in unstable. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9094,7 +9094,7 @@ CVE-2020-26219 (touchbase.ai before version 2.0 is vulnerable to Open Redirect. CVE-2020-26218 (touchbase.ai before version 2.0 is vulnerable to Cross-Site Scripting. ...) NOT-FOR-US: touchbase.ai CVE-2020-26217 (XStream before version 1.4.14 is vulnerable to Remote Code Execution.T ...) - - libxstream-java + - libxstream-java 1.4.14-1 [stretch] - libxstream-java (Minor issue) NOTE: https://x-stream.github.io/CVE-2020-26217.html NOTE: https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ceeb1f37fdd9c8497fb6a7f06a70b9d13cd75227
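Review bot: the commit title names CVE-2020-26271, but the only entry this hunk touches is CVE-2020-26217 (XStream before version 1.4.14), where `- libxstream-java` becomes `- libxstream-java 1.4.14-1`; either the title carries the wrong CVE id or the entry that was meant to be updated was not edited, so the intended id should be confirmed before this is taken as the fix record for 1.4.14-1.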
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-27616
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8f58f558 by Salvatore Bonaccorso at 2020-11-19T20:37:12+01:00 Add Debian bug reference for CVE-2020-27616 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6067,7 +6067,7 @@ CVE-2020-27617 (eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS user [stretch] - qemu (Minor issue, fix along in future DLA) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-10/msg06023.html CVE-2020-27616 (ati_2d_blt in hw/display/ati_2d.c in QEMU 4.2.1 can encounter an outsi ...) - - qemu + - qemu (bug #975265) [buster] - qemu (Vulnerable code introduced in ATI VGA device emulation added later) [stretch] - qemu (Vulnerable code introduced in ATI VGA device emulation added later) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-10/msg06080.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f58f55838d4dae97e8fc6acfc34243d9d034a6e
[Git][security-tracker-team/security-tracker][master] qemu postponed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 23d96d0c by Moritz Mühlenhoff at 2020-11-19T19:55:00+01:00 qemu postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10236,6 +10236,7 @@ CVE-2020-25724 CVE-2020-25723 [assertion failure through usb_packet_unmap() in hw/usb/hcd-ehci.c] RESERVED - qemu + [buster] - qemu (Fix along in future DSA) NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=2fdb42d840400d58f2e706ecca82c142b97bcbd6 CVE-2020-25722 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/23d96d0cf38ffbbb6f6b24a226a10c28aac3b2b9
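Review bot: the added line `[buster] - qemu (Fix along in future DSA)` carries only a parenthesised comment, while the commit title says "qemu postponed"; a `[buster] - qemu` line without a version or a state marker still records buster as unfixed, so confirm that the `<postponed>` state is present on that line and not just implied by the comment, otherwise the tracker will keep listing CVE-2020-25723 as an open buster issue.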
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-28941/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e9c4503b by Salvatore Bonaccorso at 2020-11-19T17:58:40+01:00 Add CVE-2020-28941/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,6 @@ +CVE-2020-28941 + - linux + NOTE: https://www.openwall.com/lists/oss-security/2020/11/19/3 CVE-2020-28940 RESERVED CVE-2020-28939 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9c4503b81c31dbf9e604a1c094551c08619f900
[Git][security-tracker-team/security-tracker][master] Add libxstream-java to dla-needed.txt and claim it.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 9848545f by Markus Koschany at 2020-11-19T17:43:25+01:00 Add libxstream-java to dla-needed.txt and claim it. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -74,6 +74,8 @@ lemonldap-ng (Utkarsh) libhibernate3-java NOTE: 20201115: No patch yet; unsure if version in LTS is vulnerable. (lamby) -- +libxstream-java (Markus Koschany) +-- linux (Ben Hutchings) -- linux-4.19 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9848545f4c21b5be1921b73d3bf5d0e9789b07c4
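Review bot: claiming libxstream-java here for a DLA conflicts with the stretch line the tracker still carries for CVE-2020-26217, `[stretch] - libxstream-java (Minor issue)`, which is the annotation used when no update is planned; if a DLA is now intended, that line in data/CVE/list should be revisited in the same change so dla-needed.txt and data/CVE/list do not disagree about stretch.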
[Git][security-tracker-team/security-tracker][master] Claim zsh in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 888e24b1 by Markus Koschany at 2020-11-19T17:29:17+01:00 Claim zsh in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -192,3 +192,5 @@ xcftools -- zabbix (Sylvain Beucler) -- +zsh (Markus Koschany) +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/888e24b19d747c14e09c042081927a34ba5a6e56
[Git][security-tracker-team/security-tracker][master] Track fixes for three CVEs for libmatio's unstable upload
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 922e8faa by Salvatore Bonaccorso at 2020-11-19T16:49:06+01:00 Track fixes for three CVEs for libmatios unstable upload - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -63133,7 +63133,7 @@ CVE-2019-20021 (A heap-based buffer over-read was discovered in canUnpack in p_m NOTE: https://github.com/upx/upx/commit/819c33fee2b2c33b96bef27a13cb20f2589819aa CVE-2019-20020 (A stack-based buffer over-read was discovered in ReadNextStructField i ...) [experimental] - libmatio 1.5.18-1 - - libmatio + - libmatio 1.5.19-2 [buster] - libmatio (Minor issue) [stretch] - libmatio (Minor issue) [jessie] - libmatio (Minor issue) 
@@ -63146,14 +63146,14 @@ CVE-2019-20019 (An attempted excessive memory allocation was discovered in Mat_V NOTE: https://github.com/tbeu/matio/issues/130 CVE-2019-20018 (A stack-based buffer over-read was discovered in ReadNextCell in mat5. ...) [experimental] - libmatio 1.5.18-1 - - libmatio + - libmatio 1.5.19-2 [buster] - libmatio (Minor issue) [stretch] - libmatio (Minor issue) [jessie] - libmatio (Minor issue) NOTE: https://github.com/tbeu/matio/issues/129 CVE-2019-20017 (A stack-based buffer over-read was discovered in Mat_VarReadNextInfo5 ...) [experimental] - libmatio 1.5.18-1 - - libmatio + - libmatio 1.5.19-2 [buster] - libmatio (Minor issue) [stretch] - libmatio (Minor issue) [jessie] - libmatio (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/922e8faad1703348a0aa9973d492f6572ce08de1
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2458-1 for drupal7
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 72d53148 by Emilio Pozuelo Monfort at 2020-11-19T12:31:39+01:00 Reserve DLA-2458-1 for drupal7 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[19 Nov 2020] DLA-2458-1 drupal7 - security update + {CVE-2020-13666 CVE-2020-13671} + [stretch] - drupal7 7.52-2+deb9u12 [19 Nov 2020] DLA-2457-1 firefox-esr - security update {CVE-2020-16012 CVE-2020-26951 CVE-2020-26953 CVE-2020-26956 CVE-2020-26958 CVE-2020-26959 CVE-2020-26960 CVE-2020-26961 CVE-2020-26965 CVE-2020-26968} [stretch] - firefox-esr 78.5.0esr-1~deb9u1 = data/dla-needed.txt = 
@@ -46,10 +46,6 @@ condor NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o (roberto) NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto) -- -drupal7 - NOTE: 20201119: Upstream advisory for CVE-2020-13666 mentions potential for jQuery regression; may need to include a related note in the DLA. (roberto) - NOTE: 20201119: The maintainer has already uploaded the package: https://lists.debian.org/debian-lts-changes/2020/11/msg00032.html --- f2fs-tools NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 and 1.13.0, but it is not trivial to NOTE: 20200815: to detect which of the patches correlates to the CVE. Contacting upstream might be necessary. (sunweaver) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72d53148d3c20f98588b8ee42eca65f07a23bfc2
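Review bot: removing the drupal7 block from dla-needed.txt also discards the 20201119 NOTE that the upstream advisory for CVE-2020-13666 mentions a potential jQuery regression and that the DLA may need a related note; since this reservation is the point at which that reminder leaves the tracker, the DLA-2458-1 text for drupal7 7.52-2+deb9u12 should carry the jQuery regression caveat so it is not lost.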
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2457-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: e11bb2ac by Emilio Pozuelo Monfort at 2020-11-19T11:05:50+01:00 Reserve DLA-2457-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[19 Nov 2020] DLA-2457-1 firefox-esr - security update + {CVE-2020-16012 CVE-2020-26951 CVE-2020-26953 CVE-2020-26956 CVE-2020-26958 CVE-2020-26959 CVE-2020-26960 CVE-2020-26961 CVE-2020-26965 CVE-2020-26968} + [stretch] - firefox-esr 78.5.0esr-1~deb9u1 [18 Nov 2020] DLA-2456-1 python3.5 - security update {CVE-2019-20907 CVE-2020-26116} [stretch] - python3.5 3.5.3-1+deb9u3 = data/dla-needed.txt = @@ -54,8 +54,6 @@ f2fs-tools NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 and 1.13.0, but it is not trivial to NOTE: 20200815: to detect which of the patches correlates to the CVE. Contacting upstream might be necessary. (sunweaver) -- -firefox-esr (Emilio) --- firmware-nonfree (Emilio) -- freerdp (Abhijith PA) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e11bb2acb78a759a3e0e9692adf67028c022d80d
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-20933/influxdb
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 83a68584 by Salvatore Bonaccorso at 2020-11-19T09:29:09+01:00 Add CVE-2019-20933/influxdb - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11,7 +11,9 @@ CVE-2020-28936 CVE-2020-28935 RESERVED CVE-2019-20933 (InfluxDB before 1.7.6 has an authentication bypass vulnerability in th ...) - TODO: check + - influxdb + NOTE: https://github.com/influxdata/influxdb/commit/761b557315ff9c1642cf3b0e5797cd3d983a24c0 + NOTE: https://github.com/influxdata/influxdb/issues/12927 CVE-2020-28934 RESERVED CVE-2020-28933 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/83a68584a4fe29ee2f40932c61c94f68fe089341
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dacba148 by Salvatore Bonaccorso at 2020-11-19T09:28:30+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4423,7 +4423,7 @@ CVE-2020-28093 CVE-2020-28092 (PESCMS Team 2.3.2 has multiple reflected XSS via the id parameter:?g=T ...) NOT-FOR-US: PESCMS Team CVE-2020-28091 (cxuucms v3 has a SQL injection vulnerability, which can lead to the le ...) - TODO: check + NOT-FOR-US: cxuucms CVE-2020-28090 RESERVED CVE-2020-28089 @@ -32315,9 +32315,9 @@ CVE-2020-15303 CVE-2020-15302 (In Argent RecoveryManager before 0xdc350d09f71c48c5D22fBE2741e4d6A0397 ...) NOT-FOR-US: Argent RecoveryManager CVE-2020-15301 (SuiteCRM through 7.11.13 allows CSV Injection via registration fields ...) - TODO: check + NOT-FOR-US: SuiteCRM CVE-2020-15300 (SuiteCRM through 7.11.13 has an Open Redirect in the Documents module ...) - TODO: check + NOT-FOR-US: SuiteCRM CVE-2020-15299 (A reflected Cross-Site Scripting (XSS) Vulnerability in the KingCompos ...) NOT-FOR-US: KingComposer plugin for WordPress CVE-2020-15298 @@ -35373,7 +35373,7 @@ CVE-2020-14210 (MONITORAPP AIWAF-VE and AIWAF-4000 through 2020-06-16 allow refl CVE-2020-14209 (Dolibarr before 11.0.5 allows low-privilege users to upload files of d ...) - dolibarr CVE-2020-14208 (SuiteCRM 7.11.13 is affected by stored Cross-Site Scripting (XSS) in t ...) - TODO: check + NOT-FOR-US: SuiteCRM CVE-2020-14207 RESERVED CVE-2020-14206 
@@ -36470,7 +36470,7 @@ CVE-2020-13802 (Rebar3 versions 3.0.0-beta.3 to 3.13.2 are vulnerable to OS comm CVE-2020-13801 RESERVED CVE-2020-13799 (Western Digital iNAND devices through 2020-06-03 allow Authentication ...) - TODO: check + NOT-FOR-US: Western Digital iNAND devices CVE-2020-13798 (An issue was discovered in Navigate CMS through 2.8.7. It allows XSS b ...) NOT-FOR-US: Navigate CMS CVE-2020-13797 (An issue was discovered in Navigate CMS through 2.8.7. It allows XSS b ...) @@ -39599,7 +39599,7 @@ CVE-2020-12595 CVE-2020-12594 RESERVED CVE-2020-12593 (Symantec Endpoint Detection Response, prior to 4.5, may be susce ...) - TODO: check + NOT-FOR-US: Symantec CVE-2020-12592 RESERVED CVE-2020-12591 @@ -58044,7 +58044,7 @@ CVE-2020-5949 CVE-2020-5948 RESERVED CVE-2020-5947 (In versions 16.0.0-16.0.0.1 and 15.1.0-15.1.1, on specific BIG-IP plat ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2020-5946 (In BIG-IP Advanced WAF and FPS versions 16.0.0-16.0.0.1, 15.1.0-15.1.0 ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5945 (In BIG-IP versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, and 14.1.0-14.1.2 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dacba148845b246441bb3b91359050f13edfdeab
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b0372c1d by security tracker role at 2020-11-19T08:10:21+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,17 @@ +CVE-2020-28940 + RESERVED +CVE-2020-28939 + RESERVED +CVE-2020-28938 + RESERVED +CVE-2020-28937 + RESERVED +CVE-2020-28936 + RESERVED +CVE-2020-28935 + RESERVED +CVE-2019-20933 (InfluxDB before 1.7.6 has an authentication bypass vulnerability in th ...) + TODO: check CVE-2020-28934 RESERVED CVE-2020-28933 @@ -9056,8 +9070,8 @@ CVE-2020-26228 RESERVED CVE-2020-26227 RESERVED -CVE-2020-26226 - RESERVED +CVE-2020-26226 (In the npm package semantic-release before version 17.2.3, secrets tha ...) + TODO: check CVE-2020-26225 (In PrestaShop Product Comments before version 4.2.0, an attacker could ...) NOT-FOR-US: PrestaShop CVE-2020-26224 (In PrestaShop before version 1.7.6.9 an attacker is able to list all t ...) @@ -9082,8 +9096,8 @@ CVE-2020-26217 (XStream before version 1.4.14 is vulnerable to Remote Code Execu NOTE: https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a CVE-2020-26216 (TYPO3 Fluid before versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 ...) TODO: check -CVE-2020-26215 - RESERVED +CVE-2020-26215 (Jupyter Notebook before version 6.1.5 has an Open redirect vulnerabili ...) + TODO: check CVE-2020-26214 (In Alerta before version 8.1.0, users may be able to bypass LDAP authe ...) NOT-FOR-US: Alerta CVE-2020-26213 (In teler before version 0.0.1, if you run teler inside a Docker contai ...) 
@@ -9336,6 +9350,7 @@ CVE-2020-26117 (In rfb/CSecurityTLS.cxx and rfb/CSecurityTLS.java in TigerVNC be NOTE: https://github.com/TigerVNC/tigervnc/commit/b30f10c681ec87720cff85d490f67098568a9cba (master) NOTE: https://github.com/TigerVNC/tigervnc/commit/f029745f63ac7d22fb91639b2cb5b3ab56134d6e (master) CVE-2020-26116 (http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x be ...) + {DLA-2456-1} - python3.9 3.9.0~b5-1 - python3.8 3.8.5-1 - python3.7 @@ -10944,8 +10959,8 @@ CVE-2020-25456 RESERVED CVE-2020-25455 RESERVED -CVE-2020-25454 - RESERVED +CVE-2020-25454 (Cross-site Scripting (XSS) vulnerability in grocy 2.7.1 via the add re ...) + TODO: check CVE-2020-25453 (An issue was discovered in BlackCat CMS v.1.3.6. There is a CSRF vulne ...) NOT-FOR-US: BlackCat CMS CVE-2020-25452 @@ -16682,8 +16697,8 @@ CVE-2020-22725 RESERVED CVE-2020-22724 RESERVED -CVE-2020-22723 - RESERVED +CVE-2020-22723 (A cross-site scripting (XSS) vulnerability in Beijing Liangjing Zhiche ...) + TODO: check CVE-2020-22722 (Rapid Software LLC Rapid SCADA 5.8.0 is affected by a local privilege ...) NOT-FOR-US: Rapid Software LLC Rapid SCADA CVE-2020-22721 (A File Upload Vulnerability in PNotes - Andrey Gruber PNotes.NET v3.8. ...) @@ -31163,8 +31178,7 @@ CVE-2020-15712 (rConfig 3.9.5 could allow a remote authenticated attacker to tra NOT-FOR-US: rConfig CVE-2020-15711 (In MISP before 2.4.129, setting a favourite homepage was not CSRF prot ...) NOT-FOR-US: MISP -CVE-2020-15710 - RESERVED +CVE-2020-15710 (Potential double free in Bluez 5 module of PulseAudio could allow a lo ...) - pulseaudio (Issue in Ubuntu-specific patch) NOTE: https://bugs.launchpad.net/ubuntu/%2Bsource/pulseaudio/%2Bbug/1884738 CVE-2020-15709 (Versions of add-apt-repository before 0.98.9.2, 0.96.24.32.14, 0.96.20 ...) 
@@ -31252,7 +31266,7 @@ CVE-2019-20908 (An issue was discovered in drivers/firmware/efi/efi.c in the Lin NOTE: https://www.openwall.com/lists/oss-security/2020/06/14/1 NOTE: Fixed by: https://git.kernel.org/linus/1957a85b0032a81e6482ca4aab883643b8dae06e CVE-2019-20907 (In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craf ...) - {DLA-2337-1} + {DLA-2456-1 DLA-2337-1} - python3.9 3.9.0~b5-1 (low) - python3.8 3.8.5-1 (low) - python3.7 (low) @@ -32300,10 +32314,10 @@ CVE-2020-15303 RESERVED CVE-2020-15302 (In Argent RecoveryManager before 0xdc350d09f71c48c5D22fBE2741e4d6A0397 ...) NOT-FOR-US: Argent RecoveryManager -CVE-2020-15301 - RESERVED -CVE-2020-15300 - RESERVED +CVE-2020-15301 (SuiteCRM through 7.11.13 allows CSV Injection via registration fields ...) + TODO: check +CVE-2020-15300 (SuiteCRM through 7.11.13 has an Open Redirect in the Documents module ...) + TODO: check CVE-2020-15299 (A reflected Cross-Site Scripting (XSS) Vulnerability in the KingCompos ...) NOT-FOR-US: KingComposer plugin for WordPress