Processing 7e2e12cdb8607190114c1fe276aee94901332723 failed
The error message was:
data/CVE/list:185512: ITPed package xrootd is in the archive
make: *** [Makefile:19: all] Error 1
___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] gpac: Seveal CVEs previously fixed in experimental fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e1908dba by Salvatore Bonaccorso at 2020-11-22T08:48:25+01:00 gpac: Seveal CVEs previously fixed in experimental fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -43639,8 +43639,7 @@ CVE-2020-11560 (NCH Express Invoice 7.25 allows local users to discover the clea CVE-2020-11559 RESERVED CVE-2020-11558 (An issue was discovered in libgpac.a in GPAC 0.8.0, as demonstrated by ...) - [experimental] - gpac 1.0.1+dfsg1-1 - - gpac (bug #972053) + - gpac 1.0.1+dfsg1-2 (bug #972053) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) [jessie] - gpac (Vulnerable code not present and not reproducible) 
@@ -45446,40 +45445,35 @@ CVE-2020-10882 (This vulnerability allows network-adjacent attackers to execute CVE-2020-10881 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: TP-Link CVE-2019-20632 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...) - [experimental] - gpac 1.0.1+dfsg1-1 - - gpac (bug #972053) + - gpac 1.0.1+dfsg1-2 (bug #972053) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) [jessie] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/commit/1ab4860609f2e7a35634930571e7d0531297e090 NOTE: https://github.com/gpac/gpac/issues/1271 CVE-2019-20631 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...) - [experimental] - gpac 1.0.1+dfsg1-1 - - gpac (bug #972053) + - gpac 1.0.1+dfsg1-2 (bug #972053) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) [jessie] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/commit/1ab4860609f2e7a35634930571e7d0531297e090 NOTE: https://github.com/gpac/gpac/issues/1270 CVE-2019-20630 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...) - [experimental] - gpac 1.0.1+dfsg1-1 - - gpac (bug #972053) + - gpac 1.0.1+dfsg1-2 (bug #972053) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) [jessie] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/commit/1ab4860609f2e7a35634930571e7d0531297e090 NOTE: https://github.com/gpac/gpac/issues/1268 CVE-2019-20629 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...) - [experimental] - gpac 1.0.1+dfsg1-1 - - gpac (bug #972053) + - gpac 1.0.1+dfsg1-2 (bug #972053) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) [jessie] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/commit/2320eb73afba753b39b7147be91f7be7afc0eeb7 NOTE: https://github.com/gpac/gpac/issues/1264 CVE-2019-20628 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...) 
- [experimental] - gpac 1.0.1+dfsg1-1 - - gpac (bug #972053) + - gpac 1.0.1+dfsg1-2 (bug #972053) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) [jessie] - gpac (Minor issue) @@ -56267,8 +56261,7 @@ CVE-2020-6633 CVE-2020-6632 (In PrestaShop 1.7.6.2, XSS can occur during addition or removal of a Q ...) NOT-FOR-US: PrestaShop CVE-2020-6631 (An issue was discovered in GPAC version 0.8.0. There is a NULL pointer ...) - [experimental] - gpac 1.0.1+dfsg1-1 - - gpac (bug #972053) + - gpac 1.0.1+dfsg1-2 (bug #972053) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) [jessie] - gpac (Minor issue, clean crash, MP42TS not shipped, incomplete patch) @@ -56276,8 +56269,7 @@ CVE-2020-6631 (An issue was discovered in GPAC version 0.8.0. There is a NULL po NOTE: https://github.com/gpac/gpac/commit/c7e46e948ebe2d4a532539c7e714cdf655b84521 NOTE: fix considered "ugly" by upstream and introduces abort(3)-based DoS CVE-2020-6630 (An issue was discovered in GPAC version 0.8.0. There is a NULL pointer ...) - [experimental] - gpac 1.0.1+dfsg1-1 - - gpac (bug #972053) + - gpac 1.0.1+dfsg1-2 (bug #972053) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) [jessie] - gpac (Minor issue, clean crash, MP42TS not shipped, incomplete patch) @@ -60227,8 +60219,7 @@ CVE-2019-20209 (The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and E NOT-FOR-US: themes for WordPress CVE-2019-20208 (dimC_Read in isomedia/box_code_3gpp.c in GPAC 0.8.0 has a stack-based ...) {DLA-2072-1} - [experimental] - gpac 1.0.1+dfsg1-1 - - gpac (bug #972053) + - gpac 1.0.1+dfsg1-2 (bug #972053) [buster] - gpac (Minor issue) [stretch] - gpac
[Git][security-tracker-team/security-tracker][master] Process three NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7e2e12cd by Salvatore Bonaccorso at 2020-11-21T21:18:12+01:00 Process three NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -35378,7 +35378,7 @@ CVE-2020-14260 CVE-2020-14259 RESERVED CVE-2020-14258 (HCL Notes is susceptible to a Denial of Service vulnerability caused b ...) - TODO: check + NOT-FOR-US: HCL CVE-2020-14257 RESERVED CVE-2020-14256 @@ -35426,7 +35426,7 @@ CVE-2020-14236 CVE-2020-14235 RESERVED CVE-2020-14234 (HCL Domino is susceptible to a Denial of Service vulnerability due to ...) - TODO: check + NOT-FOR-US: HCL CVE-2020-14233 RESERVED CVE-2020-14232 @@ -35434,7 +35434,7 @@ CVE-2020-14232 CVE-2020-14231 RESERVED CVE-2020-14230 (HCL Domino is susceptible to a Denial of Service vulnerability caused ...) - TODO: check + NOT-FOR-US: HCL CVE-2020-14229 RESERVED CVE-2020-14228 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e2e12cdb8607190114c1fe276aee94901332723 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e2e12cdb8607190114c1fe276aee94901332723 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c90b4af6 by security tracker role at 2020-11-21T20:10:23+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2424,6 +2424,7 @@ CVE-2020-28368 (Xen through 4.14.x allows guest OS administrators to obtain sens [stretch] - xen (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-351.html CVE-2020-28367 (Go before 1.14.12 and 1.15.x before 1.15.5 allows Argument Injection. ...) + {DLA-2460-1} - golang-1.15 1.15.5-1 - golang-1.11 - golang-1.8 @@ -4309,7 +4310,7 @@ CVE-2020-28198 CVE-2020-28197 RESERVED CVE-2020-28196 (MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3 allow ...) - {DLA-2437-1} + {DSA-4795-1 DLA-2437-1} [experimental] - krb5 1.18.2-1 - krb5 1.18.3-1 (bug #973880) NOTE: https://github.com/krb5/krb5/commit/57415dda6cf04e73ffc3723be518eddfae599bfd @@ -7527,7 +7528,7 @@ CVE-2020-26969 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26969 CVE-2020-26968 RESERVED - {DSA-4793-1 DLA-2457-1} + {DSA-4796-1 DSA-4793-1 DLA-2457-1} - firefox 83.0-1 - firefox-esr 78.5.0esr-1 - thunderbird 1:78.5.0-1 @@ -7548,7 +7549,7 @@ CVE-2020-26966 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-52/#CVE-2020-26966 CVE-2020-26965 RESERVED - {DSA-4793-1 DLA-2457-1} + {DSA-4796-1 DSA-4793-1 DLA-2457-1} - firefox 83.0-1 - firefox-esr 78.5.0esr-1 - thunderbird 1:78.5.0-1 @@ -7569,7 +7570,7 @@ CVE-2020-26962 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26962 CVE-2020-26961 RESERVED - {DSA-4793-1 DLA-2457-1} + {DSA-4796-1 DSA-4793-1 DLA-2457-1} - firefox 83.0-1 - firefox-esr 78.5.0esr-1 - thunderbird 1:78.5.0-1 
@@ -7578,7 +7579,7 @@ CVE-2020-26961 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-52/#CVE-2020-26961 CVE-2020-26960 RESERVED - {DSA-4793-1 DLA-2457-1} + {DSA-4796-1 DSA-4793-1 DLA-2457-1} - firefox 83.0-1 - firefox-esr 78.5.0esr-1 - thunderbird 1:78.5.0-1 @@ -7587,7 +7588,7 @@ CVE-2020-26960 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-52/#CVE-2020-26960 CVE-2020-26959 RESERVED - {DSA-4793-1 DLA-2457-1} + {DSA-4796-1 DSA-4793-1 DLA-2457-1} - firefox 83.0-1 - firefox-esr 78.5.0esr-1 - thunderbird 1:78.5.0-1 @@ -7596,7 +7597,7 @@ CVE-2020-26959 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-52/#CVE-2020-26959 CVE-2020-26958 RESERVED - {DSA-4793-1 DLA-2457-1} + {DSA-4796-1 DSA-4793-1 DLA-2457-1} - firefox 83.0-1 - firefox-esr 78.5.0esr-1 - thunderbird 1:78.5.0-1 @@ -7609,7 +7610,7 @@ CVE-2020-26957 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26957 CVE-2020-26956 RESERVED - {DSA-4793-1 DLA-2457-1} + {DSA-4796-1 DSA-4793-1 DLA-2457-1} - firefox 83.0-1 - firefox-esr 78.5.0esr-1 - thunderbird 1:78.5.0-1 @@ -7626,7 +7627,7 @@ CVE-2020-26954 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26954 CVE-2020-26953 RESERVED - {DSA-4793-1 DLA-2457-1} + {DSA-4796-1 DSA-4793-1 DLA-2457-1} - firefox 83.0-1 - firefox-esr 78.5.0esr-1 - thunderbird 1:78.5.0-1 @@ -7639,7 +7640,7 @@ CVE-2020-26952 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26952 CVE-2020-26951 RESERVED - {DSA-4793-1 DLA-2457-1} + {DSA-4796-1 DSA-4793-1 DLA-2457-1} - firefox 83.0-1 - firefox-esr 78.5.0esr-1 - thunderbird 1:78.5.0-1 
@@ -8588,6 +8589,7 @@ CVE-2020-26521 (The JWT library in NATS nats-server before 2.1.9 allows a denial CVE-2020-26520 RESERVED CVE-2020-26519 (Artifex MuPDF before 1.18.0 has a heap based buffer over-write when pa ...) + {DSA-4794-1} - mupdf 1.17.0+ds1-1.1 (bug #971595) [stretch] - mupdf (Minor issue, can be fixed along in next DLA) NOTE: http://git.ghostscript.com/?p=mupdf.git;a=commit;h=af1e390a2c7abceb32676ec684cd1dbb92907ce8 @@ -11692,8 +11694,8 @@ CVE-2020-25191 RESERVED CVE-2020-25190 RESERVED -CVE-2020-25189 - RESERVED +CVE-2020-25189 (The affected product is vulnerable to three stack-based buffer overflo ...) + TODO: check CVE-2020-25188 (An attacker who convinces a valid user to open a specially crafted pro ...) NOT-FOR-US: LAquis SCADA CVE-2020-25187 @@ -28643,6 +28645,7 @@ CVE-2020-16846 (An issue was
[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-20739/vips as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8411d43a by Salvatore Bonaccorso at 2020-11-21T20:46:28+01:00 Mark CVE-2020-20739/vips as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20793,6 +20793,7 @@ CVE-2020-20740 (PDFResurrect before 0.20 lack of header validation checks causes NOTE: https://github.com/enferex/pdfresurrect/issues/14 CVE-2020-20739 (im_vips2dz in /libvips/libvips/deprecated/im_vips2dz.c in libvips befo ...) - vips 8.9.0-1 + [buster] - vips (Minor issue) NOTE: https://github.com/libvips/libvips/commit/2ab5aa7bf515135c2b02d42e9a72e4c98e17031a (v8.9.0-alpha1) NOTE: https://github.com/libvips/libvips/issues/1419 CVE-2020-20738 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8411d43a78b4fa6435348699a623e96d5acd023f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8411d43a78b4fa6435348699a623e96d5acd023f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove no-dsa tagged entry which got an update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 77d8d477 by Salvatore Bonaccorso at 2020-11-21T20:31:18+01:00 Remove no-dsa tagged entry which got an update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -107414,7 +107414,6 @@ CVE-2018-20782 (The GloBee plugin before 1.1.2 for WooCommerce mishandles IPN me CVE-2016-10742 (Zabbix before 2.2.21rc1, 3.x before 3.0.13rc1, 3.1.x and 3.2.x before ...) {DLA-1708-1} - zabbix 1:3.0.17+dfsg-1 (low) - [stretch] - zabbix (Minor issue) NOTE: https://support.zabbix.com/browse/ZBX-10272 NOTE: https://support.zabbix.com/browse/ZBX-13133 NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/2b340b8128af6c00469ef4066de16d4b1e81c841 (3.0.13rc1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/77d8d477d36a0c94393d7fe34862651ed5050cbf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/77d8d477d36a0c94393d7fe34862651ed5050cbf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] thunderbird DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ac625642 by Moritz Mühlenhoff at 2020-11-21T19:24:53+01:00 thunderbird DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[21 Nov 2020] DSA-4796-1 thunderbird - security update + {CVE-2020-16012 CVE-2020-26951 CVE-2020-26953 CVE-2020-26956 CVE-2020-26958 CVE-2020-26959 CVE-2020-26960 CVE-2020-26961 CVE-2020-26965 CVE-2020-26968} + [buster] - thunderbird 1:78.5.0-1~deb10u1 [21 Nov 2020] DSA-4795-1 krb5 - security update {CVE-2020-28196} [buster] - krb5 1.17-3+deb10u1 = data/dsa-needed.txt = @@ -31,8 +31,6 @@ pdns-recursor -- salt -- -thunderbird (jmm) --- xcftools Hugo proposed to work on this update -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac625642d68d2fe32a83cf15e81a666f284b5ea3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac625642d68d2fe32a83cf15e81a666f284b5ea3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] krb5 DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6a7ef0ea by Moritz Mühlenhoff at 2020-11-21T19:16:57+01:00 krb5 DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[21 Nov 2020] DSA-4795-1 krb5 - security update + {CVE-2020-28196} + [buster] - krb5 1.17-3+deb10u1 [21 Nov 2020] DSA-4794-1 mupdf - security update {CVE-2020-26519} [buster] - mupdf 1.14.0+ds1-4+deb10u2 = data/dsa-needed.txt = @@ -19,8 +19,6 @@ chromium knot-resolver Santiago Ruano Rincón proposed a debdiff for review -- -krb5 (jmm) --- libproxy -- linux (carnil) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6a7ef0eafb7f873983c0b534359da91d36dacff3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6a7ef0eafb7f873983c0b534359da91d36dacff3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add note for xdg-utils
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 2ead72b8 by Utkarsh Gupta at 2020-11-21T22:26:53+05:30 Add note for xdg-utils - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -197,6 +197,7 @@ xcftools NOTE: 20200605: Patch https://salsa.debian.org/lts-team/packages/xcftools/-/blob/fix/test-CVE-2019-5087/debian/patches/CVE-2019-5087.patch (gladk) -- xdg-utils + NOTE: 20201122: wait for a while to get the fix exposed in other suites. (utkarsh) -- zsh (Markus Koschany) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ead72b8f7a7a6b5b627633656d769666f95cf80 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ead72b8f7a7a6b5b627633656d769666f95cf80 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
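Review bot: The NOTE added under xdg-utils in data/dla-needed.txt is stamped `20201122`, one day ahead of the commit timestamp 2020-11-21T22:26:53+05:30. If the prefix is meant to record when the note was written, `20201121` would match the commit; otherwise it is worth confirming that the later date is intended.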
[Git][security-tracker-team/security-tracker][master] lua5.4 fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: acf2ae4f by Moritz Muehlenhoff at 2020-11-21T17:49:22+01:00 lua5.4 fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13464,20 +13464,20 @@ CVE-2020-24372 (LuaJIT through 2.1.0-beta3 has an out-of-bounds read in lj_err_r NOTE: https://github.com/LuaJIT/LuaJIT/issues/603 NOTE: No security impact, only "exploitable" with untrusted Lua code CVE-2020-24371 (lgc.c in Lua 5.4.0 mishandles the interaction between barriers and the ...) - - lua5.4 (bug #971010) + - lua5.4 5.4.1-1 (bug #971010) - lua5.3 (Vulnerable code introduced in 5.4.0) NOTE: https://github.com/lua/lua/commit/a6da1472c0c5e05ff249325f979531ad51533110 NOTE: https://www.lua.org/bugs.html#5.4.0-10 CVE-2020-24370 (ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation faul ...) {DLA-2381-1} - - lua5.4 (bug #971613) + - lua5.4 5.4.1-1 (bug #971613) - lua5.3 [buster] - lua5.3 (Minor issue) NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00324.html NOTE: (lua5.4) https://github.com/lua/lua/commit/a585eae6e7ada1ca9271607a4f48dfb17868ab7b NOTE: (lua5.3) https://github.com/lua/lua/commit/b5bc89846721375fe30772eb8c5ab2786f362bf9 CVE-2020-24369 (ldebug.c in Lua 5.4.0 attempts to access debug information via the lin ...) - - lua5.4 (bug #971013) + - lua5.4 5.4.1-1 (bug #971013) NOTE: https://github.com/lua/lua/commit/ae5b5ba529753c7a653901ffc29b5ea24c3fdf3a NOTE: https://www.lua.org/bugs.html#5.4.0-12 CVE-2020-24368 (Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a Director ...) 
@@ -13546,7 +13546,7 @@ CVE-2020-24344 (JerryScript through 2.3.0 has a (function({a=arguments}){const a CVE-2020-24343 (Artifex MuJS through 1.0.7 has a use-after-free in jsrun.c because of ...) NOT-FOR-US: MuJS CVE-2020-24342 (Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring be ...) - - lua5.4 (bug #971012) + - lua5.4 5.4.1-1 (bug #971012) NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00052.html NOTE: https://github.com/lua/lua/commit/34affe7a63fc5d842580a9f23616d057e17dfe27 CVE-2020-24341 @@ -30855,7 +30855,7 @@ CVE-2020-15889 (Lua through 5.4.0 has a getobjname heap-based buffer over-read b NOTE: https://github.com/lua/lua/commit/127e7a6c8942b362aa3c6627f44d660a4fb75312 NOTE: Introduced in 5.4 CVE-2020-15888 (Lua through 5.4.0 mishandles the interaction between stack resizes and ...) - - lua5.4 (bug #972101) + - lua5.4 5.4.1-1 (bug #972101) NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00053.html NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00054.html NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00071.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/acf2ae4f457009d5df943d5fac07b513f6401b04 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/acf2ae4f457009d5df943d5fac07b513f6401b04 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2461-1 for zabbix
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 5724dd02 by Sylvain Beucler at 2020-11-21T17:42:57+01:00 Reserve DLA-2461-1 for zabbix - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[21 Nov 2020] DLA-2461-1 zabbix - security update + {CVE-2016-10742 CVE-2020-11800} + [stretch] - zabbix 1:3.0.31+dfsg-0+deb9u1 [21 Nov 2020] DLA-2460-1 golang-1.8 - security update {CVE-2020-15586 CVE-2020-16845 CVE-2020-28367} [stretch] - golang-1.8 1.8.1-1+deb9u2 = data/dla-needed.txt = @@ -198,7 +198,5 @@ xcftools -- xdg-utils -- -zabbix (Sylvain Beucler) --- zsh (Markus Koschany) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5724dd02e375cd03e742c6998475e131dee5ba0e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5724dd02e375cd03e742c6998475e131dee5ba0e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2460-1 for golang-1.8
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 2631a0b5 by Thorsten Alteholz at 2020-11-21T17:39:26+01:00 Reserve DLA-2460-1 for golang-1.8 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[21 Nov 2020] DLA-2460-1 golang-1.8 - security update + {CVE-2020-15586 CVE-2020-16845 CVE-2020-28367} + [stretch] - golang-1.8 1.8.1-1+deb9u2 [21 Nov 2020] DLA-2459-1 golang-1.7 - security update {CVE-2020-15586 CVE-2020-16845} [stretch] - golang-1.7 1.7.4-2+deb9u2 = data/dla-needed.txt = @@ -54,9 +54,6 @@ firmware-nonfree (Emilio) -- freerdp (Abhijith PA) -- -golang-1.8 (Thorsten Alteholz) - NOTE: 20201115: also taking care of old no-dsa --- golang-github-dgrijalva-jwt-go -- golang-golang-x-net-dev View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2631a0b54a749eb2dc39603f761faf7a0153982b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2631a0b54a749eb2dc39603f761faf7a0153982b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] remove postponed-tag due to recent upload
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 2301 by Thorsten Alteholz at 2020-11-21T17:14:13+01:00 remove postponed-tag due to recent upload - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28647,9 +28647,7 @@ CVE-2020-16845 (Go before 1.13.15 and 14.x before 1.14.7 can have an infinite re - golang-1.11 [buster] - golang-1.11 (Minor issue) - golang-1.8 - [stretch] - golang-1.8 (Minor issue) - golang-1.7 - [stretch] - golang-1.7 (Minor issue) NOTE: https://groups.google.com/forum/#!topic/golang-announce/NyPIaucMgXo NOTE: https://github.com/golang/go/issues/40618 NOTE: Fixed in 1.15~rc2, 1.14.7, 1.13.15 @@ -31744,9 +31742,7 @@ CVE-2020-15586 (Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in so - golang-1.11 [buster] - golang-1.11 (Minor issue, can be fixed along in next DSA) - golang-1.8 - [stretch] - golang-1.8 (Minor issue) - golang-1.7 - [stretch] - golang-1.7 (Minor issue) - golang NOTE: https://github.com/golang/go/issues/34902 NOTE: https://groups.google.com/g/golang-announce/c/XZNfaiwgt2w/m/E6gHDs32AQAJ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2301858d7009ea32ad48605c206a1093b921 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2301858d7009ea32ad48605c206a1093b921 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2459-1 for golang-1.7
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 6e423f9d by Thorsten Alteholz at 2020-11-21T17:11:48+01:00 Reserve DLA-2459-1 for golang-1.7 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[21 Nov 2020] DLA-2459-1 golang-1.7 - security update + {CVE-2020-15586 CVE-2020-16845} + [stretch] - golang-1.7 1.7.4-2+deb9u2 [21 Nov 2020] DLA-2379-3 mediawiki - regression update [stretch] - mediawiki 1:1.27.7-1~deb9u6 [19 Nov 2020] DLA-2458-1 drupal7 - security update = data/dla-needed.txt = @@ -54,9 +54,6 @@ firmware-nonfree (Emilio) -- freerdp (Abhijith PA) -- -golang-1.7 (Thorsten Alteholz) - NOTE: 20201115: also taking care of old no-dsa --- golang-1.8 (Thorsten Alteholz) NOTE: 20201115: also taking care of old no-dsa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e423f9dca9858963ba53656af4e4fa16d04f675 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e423f9dca9858963ba53656af4e4fa16d04f675 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] tracker_data.py: Use explicitly octal mode on mkdir call
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4108d88d by Salvatore Bonaccorso at 2020-11-21T16:45:47+01:00 tracker_data.py: Use explicitly octal mode on mkdir call Although this is probably subject to personal preference, switch to octal representation directly instead of specifying the mode in decimal variant. Reading 0o700 makes it immediately clear what is meant. - - - - - 1 changed file: - bin/tracker_data.py Changes: = bin/tracker_data.py = @@ -76,9 +76,9 @@ class TrackerData(object): self.DATA_URL)) response = requests.get(self.DATA_URL, allow_redirects=True) response.raise_for_status() -# if ~/.cache does not exist, then open() will fail; dec 448 -> octal 0700 +# if ~/.cache does not exist, then open() will fail if not os.path.exists(self.cached_data_dir): -os.mkdir(self.cached_data_dir, mode=448) +os.mkdir(self.cached_data_dir, mode=0o700) with open(self.cached_data_path, 'w') as cache_file: cache_file.write(response.text) with open(self.cached_revision_path, 'w') as rev_file: View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4108d88d2aa8b95c08f346f8c27e0aed8e0d3b14 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4108d88d2aa8b95c08f346f8c27e0aed8e0d3b14 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
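Review bot: In the `update_cache` hunk of bin/tracker_data.py, the `os.path.exists()` test followed by `os.mkdir()` remains a check-then-create sequence, so another process creating the directory between the two calls makes `os.mkdir()` raise FileExistsError. On Python 3, `os.makedirs(self.cached_data_dir, mode=0o700, exist_ok=True)` handles that case in a single call and makes the `if` unnecessary. The octal literal is the clearer spelling; the shortened comment could still mention that the resulting permissions are `0o700` masked by the process umask, since that is what decides whether the cache directory ends up private.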
[Git][security-tracker-team/security-tracker][master] 3 commits: distributions.json: Add trixie
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f9c533af by Salvatore Bonaccorso at 2020-11-21T15:15:37+01:00 distributions.json: Add trixie - - - - - 17caa617 by Salvatore Bonaccorso at 2020-11-21T15:18:04+01:00 data/config.json: Add codename entries for trixie - - - - - d0a10b7d by Salvatore Bonaccorso at 2020-11-21T15:45:06+01:00 Merge branch initial-trixie-support - - - - - 2 changed files: - data/config.json - static/distributions.json Changes: = data/config.json = @@ -110,6 +110,17 @@ ] } }, +"trixie": { + "members": { +"supported": [ + "trixie", + "trixie-security" +], +"optional": [ + "trixie-proposed-updates" +] + } +}, "sid": { "members": { "supported": [ = static/distributions.json = @@ -28,5 +28,10 @@ "major-version": "12", "support": "none", "contact": "" + }, + "trixie": { +"major-version": "13", +"support": "none", +"contact": "" } } View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/991d422320baca990ed6aa912b6b8e104ab71687...d0a10b7d551d7699b3627baf3d01446fc150831c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/991d422320baca990ed6aa912b6b8e104ab71687...d0a10b7d551d7699b3627baf3d01446fc150831c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: Ensure ~/.cache exists before writing out tracker data cache
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 04703997 by Roberto C. Sánchez at 2020-11-21T09:10:24-05:00 LTS: Ensure ~/.cache exists before writing out tracker data cache If ~/.cache does not already exist, then this happens: $ ./bin/lts-cve-triage.py Updating ~/.cache/debian_security_tracker.json from https://security-tracker.debian.org/tracker/data/json ... Traceback (most recent call last): File ./bin/lts-cve-triage.py, line 94, in module tracker = TrackerData(update_cache=not args.skip_cache_update) File /home/roberto/src/freexian/security-tracker.git/bin/tracker_data.py, line 40, in __init__ self.update_cache() File /home/roberto/src/freexian/security-tracker.git/bin/tracker_data.py, line 77, in update_cache with open(self.cached_data_path, w) as cache_file: FileNotFoundError: [Errno 2] No such file or directory: /home/roberto/.cache/debian_security_tracker.json - - - - - 991d4223 by Roberto C. Sánchez at 2020-11-21T09:14:02-05:00 LTS: triage, add xdg-utils and imagemagick to dla-needed.txt - - - - - 2 changed files: - bin/tracker_data.py - data/dla-needed.txt Changes: = bin/tracker_data.py = @@ -25,6 +25,7 @@ import six class TrackerData(object): DATA_URL = "https://security-tracker.debian.org/tracker/data/json; GIT_URL = "https://salsa.debian.org/security-tracker-team/security-tracker.git; +CACHED_DATA_DIR = "~/.cache" CACHED_DATA_PATH = "~/.cache/debian_security_tracker.json" CACHED_REVISION_PATH = "~/.cache/debian_security_tracker.rev" GET_REVISION_COMMAND = \ @@ -33,6 +34,7 @@ class TrackerData(object): def __init__(self, update_cache=True): self._latest_revision = None +self.cached_data_dir = os.path.expanduser(self.CACHED_DATA_DIR) self.cached_data_path = os.path.expanduser(self.CACHED_DATA_PATH) self.cached_revision_path = os.path.expanduser( self.CACHED_REVISION_PATH) 
@@ -74,6 +76,9 @@ class TrackerData(object): self.DATA_URL)) response = requests.get(self.DATA_URL, allow_redirects=True) response.raise_for_status() +# if ~/.cache does not exist, then open() will fail; dec 448 -> octal 0700 +if not os.path.exists(self.cached_data_dir): +os.mkdir(self.cached_data_dir, mode=448) with open(self.cached_data_path, 'w') as cache_file: cache_file.write(response.text) with open(self.cached_revision_path, 'w') as rev_file: = data/dla-needed.txt = @@ -64,6 +64,8 @@ golang-github-dgrijalva-jwt-go -- golang-golang-x-net-dev -- +imagemagick (Roberto C. Sánchez) +-- influxdb -- intel-microcode (Utkarsh) @@ -200,6 +202,8 @@ xcftools NOTE: 20200523: Proposed fix https://github.com/j-jorge/xcftools/pull/15 (gladk) NOTE: 20200605: Patch https://salsa.debian.org/lts-team/packages/xcftools/-/blob/fix/test-CVE-2019-5087/debian/patches/CVE-2019-5087.patch (gladk) -- +xdg-utils +-- zabbix (Sylvain Beucler) -- zsh (Markus Koschany) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d8ea8764ff0293c041e40f71bd430094582dc6b3...991d422320baca990ed6aa912b6b8e104ab71687
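Review bot: in the bin/tracker_data.py hunk at @@ -74,6 +76,9 (update_cache), the os.path.exists() test followed by os.mkdir() is a check-then-create sequence: if another process creates ~/.cache between the two calls, mkdir raises instead of continuing, and if the path exists but is not a directory the open() below still fails with an unhelpful error. On Python 3, os.makedirs(self.cached_data_dir, mode=0o700, exist_ok=True) covers creation in one call; since the module imports six, a Python 2 code path would instead need the mkdir wrapped in a try/except that ignores an already-existing directory. Writing the mode as 0o700 rather than 448 would also make the "dec 448 -> octal 0700" comment unnecessary.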
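Review bot: in the bin/tracker_data.py hunk at @@ -25,6 +25,7, the new CACHED_DATA_DIR repeats the "~/.cache" prefix that CACHED_DATA_PATH and CACHED_REVISION_PATH hard-code on the two lines below it, so the directory that gets created and the directory the files are written to can drift apart if only one of them is edited later. Deriving both file paths from CACHED_DATA_DIR with os.path.join would keep the three values in step.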
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for mupdf update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d8ea8764 by Salvatore Bonaccorso at 2020-11-21T14:33:29+01:00 Reserve DSA number for mupdf update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[21 Nov 2020] DSA-4794-1 mupdf - security update + {CVE-2020-26519} + [buster] - mupdf 1.14.0+ds1-4+deb10u2 [18 Nov 2020] DSA-4793-1 firefox-esr - security update {CVE-2020-16012 CVE-2020-26951 CVE-2020-26953 CVE-2020-26956 CVE-2020-26958 CVE-2020-26959 CVE-2020-26960 CVE-2020-26961 CVE-2020-26965 CVE-2020-26968} [buster] - firefox-esr 78.5.0esr-1~deb10u1 = data/dsa-needed.txt = @@ -27,8 +27,6 @@ linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v4.19.y versions. -- -mupdf (carnil) --- netty -- pdns-recursor View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8ea8764ff0293c041e40f71bd430094582dc6b3
[Git][security-tracker-team/security-tracker][master] Track fixes via experimental for various gpac affecting CVEs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b6022c7d by Salvatore Bonaccorso at 2020-11-21T11:51:27+01:00 Track fixes via experimental for various gpac affecting CVEs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -43637,6 +43637,7 @@ CVE-2020-11560 (NCH Express Invoice 7.25 allows local users to discover the clea CVE-2020-11559 RESERVED CVE-2020-11558 (An issue was discovered in libgpac.a in GPAC 0.8.0, as demonstrated by ...) + [experimental] - gpac 1.0.1+dfsg1-1 - gpac (bug #972053) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) @@ -45443,6 +45444,7 @@ CVE-2020-10882 (This vulnerability allows network-adjacent attackers to execute CVE-2020-10881 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: TP-Link CVE-2019-20632 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...) + [experimental] - gpac 1.0.1+dfsg1-1 - gpac (bug #972053) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) @@ -45450,6 +45452,7 @@ CVE-2019-20632 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as de NOTE: https://github.com/gpac/gpac/commit/1ab4860609f2e7a35634930571e7d0531297e090 NOTE: https://github.com/gpac/gpac/issues/1271 CVE-2019-20631 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...) + [experimental] - gpac 1.0.1+dfsg1-1 - gpac (bug #972053) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) @@ -45457,6 +45460,7 @@ CVE-2019-20631 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as de NOTE: https://github.com/gpac/gpac/commit/1ab4860609f2e7a35634930571e7d0531297e090 NOTE: https://github.com/gpac/gpac/issues/1270 CVE-2019-20630 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...) + [experimental] - gpac 1.0.1+dfsg1-1 - gpac (bug #972053) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) 
@@ -45464,6 +45468,7 @@ CVE-2019-20630 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as de NOTE: https://github.com/gpac/gpac/commit/1ab4860609f2e7a35634930571e7d0531297e090 NOTE: https://github.com/gpac/gpac/issues/1268 CVE-2019-20629 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...) + [experimental] - gpac 1.0.1+dfsg1-1 - gpac (bug #972053) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) @@ -45471,6 +45476,7 @@ CVE-2019-20629 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as de NOTE: https://github.com/gpac/gpac/commit/2320eb73afba753b39b7147be91f7be7afc0eeb7 NOTE: https://github.com/gpac/gpac/issues/1264 CVE-2019-20628 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...) + [experimental] - gpac 1.0.1+dfsg1-1 - gpac (bug #972053) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) @@ -56259,6 +56265,7 @@ CVE-2020-6633 CVE-2020-6632 (In PrestaShop 1.7.6.2, XSS can occur during addition or removal of a Q ...) NOT-FOR-US: PrestaShop CVE-2020-6631 (An issue was discovered in GPAC version 0.8.0. There is a NULL pointer ...) + [experimental] - gpac 1.0.1+dfsg1-1 - gpac (bug #972053) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) @@ -56267,6 +56274,7 @@ CVE-2020-6631 (An issue was discovered in GPAC version 0.8.0. There is a NULL po NOTE: https://github.com/gpac/gpac/commit/c7e46e948ebe2d4a532539c7e714cdf655b84521 NOTE: fix considered "ugly" by upstream and introduces abort(3)-based DoS CVE-2020-6630 (An issue was discovered in GPAC version 0.8.0. There is a NULL pointer ...) + [experimental] - gpac 1.0.1+dfsg1-1 - gpac (bug #972053) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) 
@@ -60217,6 +60225,7 @@ CVE-2019-20209 (The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and E NOT-FOR-US: themes for WordPress CVE-2019-20208 (dimC_Read in isomedia/box_code_3gpp.c in GPAC 0.8.0 has a stack-based ...) {DLA-2072-1} + [experimental] - gpac 1.0.1+dfsg1-1 - gpac (bug #972053) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) @@ -60423,6 +60432,7 @@ CVE-2019-20171 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-developm NOTE: https://github.com/gpac/gpac/commit/2bcca3f1d4605100bb27d3ed7be25b53cddbc75c CVE-2019-20170 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...) {DLA-2072-1} + [experimental] - gpac 1.0.1+dfsg1-1 - gpac (bug #972053) [buster] - gpac
[Git][security-tracker-team/security-tracker][master] Track fixed version for two fontforge issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fe537f23 by Salvatore Bonaccorso at 2020-11-21T11:48:29+01:00 Track fixed version for two fontforge issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -59130,7 +59130,7 @@ CVE-2020-5498 CVE-2020-5497 (The OpenID Connect reference implementation for MITREid Connect throug ...) NOT-FOR-US: MITREid Connect CVE-2020-5496 (FontForge 20190801 has a heap-based buffer overflow in the Type2NotDef ...) - - fontforge (bug #948231) + - fontforge 1:20201107~dfsg-1 (bug #948231) [buster] - fontforge (Minor issue) [stretch] - fontforge (Minor issue) [jessie] - fontforge (Minor issue) @@ -59348,7 +59348,7 @@ CVE-2020-5397 (Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CVE-2020-5396 (VMware GemFire versions prior to 9.10.0, 9.9.2, 9.8.7, and 9.7.6, and ...) NOT-FOR-US: VMware CVE-2020-5395 (FontForge 20190801 has a use-after-free in SFD_GetFontMetaData in sfd. ...) - - fontforge (bug #948231) + - fontforge 1:20201107~dfsg-1 (bug #948231) [buster] - fontforge (Minor issue) [stretch] - fontforge (Minor issue) [jessie] - fontforge (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe537f23a4bca8895159cded9f21811ad9bdc177
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-27748/xdg-utils
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5d37d186 by Salvatore Bonaccorso at 2020-11-21T10:31:01+01:00 Add Debian bug reference for CVE-2020-27748/xdg-utils - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5461,7 +5461,7 @@ CVE-2020-27749 RESERVED CVE-2020-27748 [local file inclusion vulnerability] RESERVED - - xdg-utils + - xdg-utils (bug #975370) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1899769 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1613425 NOTE: https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d37d1865de8a73dd9c364ec68de79bcc347e6c0
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 002d7587 by security tracker role at 2020-11-21T08:10:24+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2455,7 +2455,7 @@ CVE-2020-28362 (Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Serv [stretch] - golang-1.7 (Vulnerable code introduced later) NOTE: https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM/m/fLguyiM2CAAJ NOTE: https://github.com/golang/go/issues/42552 -CVE-2020-28974 [slab-out-of-bounds Read in fbcon] +CVE-2020-28974 (A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 co ...) - linux 5.9.9-1 NOTE: https://git.kernel.org/linus/3c4e0dff2095c579b142d5a0693257f1c58b4804 NOTE: https://www.openwall.com/lists/oss-security/2020/11/09/2 @@ -10330,8 +10330,7 @@ CVE-2020-25727 (The Reset Password add-on before 1.2.0 for Alfresco suffers from NOT-FOR-US: Reset Password add-on for Alfresco CVE-2020-25726 REJECTED -CVE-2020-25725 - RESERVED +CVE-2020-25725 (In Xpdf 4.02, SplashOutputDev::endType3Char(GfxState *state) SplashOut ...) - xpdf (Debian uses poppler, which is not affected) NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3=41915 CVE-2020-25724 @@ -11701,8 +11700,8 @@ CVE-2020-25187 RESERVED CVE-2020-25186 (An XXE vulnerability exists within LeviStudioU Release Build 2019-09-2 ...) NOT-FOR-US: LeviStudioU Release -CVE-2020-25185 - RESERVED +CVE-2020-25185 (The affected product is vulnerable to five post-authentication buffer ...) + TODO: check CVE-2020-25184 RESERVED CVE-2020-25183 
@@ -50792,7 +50791,7 @@ CVE-2020-8825 (index.php?p=/dashboard/settings/branding in Vanilla 2.6.3 allows NOT-FOR-US: Vanilla Forums CVE-2020-8824 (Hitron CODA-4582U 7.1.1.30 devices allow XSS via a Managed Device name ...) NOT-FOR-US: Hitron devices -CVE-2020-8823 (htmlfile in lib/transport/htmlfile.js in SockJS before 3.0 is vulnerab ...) +CVE-2020-8823 (htmlfile in lib/transport/htmlfile.js in SockJS before 0.3.0 is vulner ...) NOT-FOR-US: SockJS CVE-2020-8822 (Digi TransPort WR21 5.2.2.3, WR44 5.1.6.4, and WR44v2 5.1.6.9 devices ...) NOT-FOR-US: Digi TransPort @@ -58472,8 +58471,8 @@ CVE-2020-5799 RESERVED CVE-2020-5798 RESERVED -CVE-2020-5797 - RESERVED +CVE-2020-5797 (UNIX Symbolic Link (Symlink) Following in TP-Link Archer C9(US)_V1_180 ...) + TODO: check CVE-2020-5796 (Improper preservation of permissions in Nagios XI 5.7.4 allows a local ...) NOT-FOR-US: Nagios XI CVE-2020-5795 (UNIX Symbolic Link (Symlink) Following in TP-Link Archer A7(US)_V5_200 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/002d7587967b8b8c888ec4da9422b581e7bd64f6