Processing 7e2e12cdb8607190114c1fe276aee94901332723 failed

2020-11-21 Thread security tracker role
The error message was:

data/CVE/list:185512: ITPed package xrootd is in the archive
make: *** [Makefile:19: all] Error 1

___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] gpac: Several CVEs previously fixed in experimental fixed in unstable

2020-11-21 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e1908dba by Salvatore Bonaccorso at 2020-11-22T08:48:25+01:00
gpac: Several CVEs previously fixed in experimental fixed in unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -43639,8 +43639,7 @@ CVE-2020-11560 (NCH Express Invoice 7.25 allows local 
users to discover the clea
 CVE-2020-11559
RESERVED
 CVE-2020-11558 (An issue was discovered in libgpac.a in GPAC 0.8.0, as 
demonstrated by ...)
-   [experimental] - gpac 1.0.1+dfsg1-1
-   - gpac  (bug #972053)
+   - gpac 1.0.1+dfsg1-2 (bug #972053)
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
[jessie] - gpac  (Vulnerable code not present and not 
reproducible)
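Review bot: dropping `[experimental] - gpac 1.0.1+dfsg1-1` together with the unfixed unstable line is right only because the new unstable version 1.0.1+dfsg1-2 is higher than the experimental one, so a single `- gpac 1.0.1+dfsg1-2 (bug #972053)` now covers both; that ordering check is the thing to repeat whenever an experimental line is collapsed. The double space in `[buster] - gpac  (Minor issue)` is where the mail rendering stripped the angle-bracketed state token (`<no-dsa>` in the tracker's syntax), so the visible lines show less than the file does; the buster/stretch/jessie lines are otherwise untouched, which matches a fix that reached unstable only.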
@@ -45446,40 +45445,35 @@ CVE-2020-10882 (This vulnerability allows 
network-adjacent attackers to execute
 CVE-2020-10881 (This vulnerability allows remote attackers to execute 
arbitrary code o ...)
NOT-FOR-US: TP-Link
 CVE-2019-20632 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as 
demonstr ...)
-   [experimental] - gpac 1.0.1+dfsg1-1
-   - gpac  (bug #972053)
+   - gpac 1.0.1+dfsg1-2 (bug #972053)
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
[jessie] - gpac  (Minor issue)
NOTE: 
https://github.com/gpac/gpac/commit/1ab4860609f2e7a35634930571e7d0531297e090
NOTE: https://github.com/gpac/gpac/issues/1271
 CVE-2019-20631 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as 
demonstr ...)
-   [experimental] - gpac 1.0.1+dfsg1-1
-   - gpac  (bug #972053)
+   - gpac 1.0.1+dfsg1-2 (bug #972053)
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
[jessie] - gpac  (Minor issue)
NOTE: 
https://github.com/gpac/gpac/commit/1ab4860609f2e7a35634930571e7d0531297e090
NOTE: https://github.com/gpac/gpac/issues/1270
 CVE-2019-20630 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as 
demonstr ...)
-   [experimental] - gpac 1.0.1+dfsg1-1
-   - gpac  (bug #972053)
+   - gpac 1.0.1+dfsg1-2 (bug #972053)
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
[jessie] - gpac  (Minor issue)
NOTE: 
https://github.com/gpac/gpac/commit/1ab4860609f2e7a35634930571e7d0531297e090
NOTE: https://github.com/gpac/gpac/issues/1268
 CVE-2019-20629 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as 
demonstr ...)
-   [experimental] - gpac 1.0.1+dfsg1-1
-   - gpac  (bug #972053)
+   - gpac 1.0.1+dfsg1-2 (bug #972053)
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
[jessie] - gpac  (Minor issue)
NOTE: 
https://github.com/gpac/gpac/commit/2320eb73afba753b39b7147be91f7be7afc0eeb7
NOTE: https://github.com/gpac/gpac/issues/1264
 CVE-2019-20628 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as 
demonstr ...)
-   [experimental] - gpac 1.0.1+dfsg1-1
-   - gpac  (bug #972053)
+   - gpac 1.0.1+dfsg1-2 (bug #972053)
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
[jessie] - gpac  (Minor issue)
@@ -56267,8 +56261,7 @@ CVE-2020-6633
 CVE-2020-6632 (In PrestaShop 1.7.6.2, XSS can occur during addition or removal 
of a Q ...)
NOT-FOR-US: PrestaShop
 CVE-2020-6631 (An issue was discovered in GPAC version 0.8.0. There is a NULL 
pointer ...)
-   [experimental] - gpac 1.0.1+dfsg1-1
-   - gpac  (bug #972053)
+   - gpac 1.0.1+dfsg1-2 (bug #972053)
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
[jessie] - gpac  (Minor issue, clean crash, MP42TS not 
shipped, incomplete patch)
@@ -56276,8 +56269,7 @@ CVE-2020-6631 (An issue was discovered in GPAC version 
0.8.0. There is a NULL po
NOTE: 
https://github.com/gpac/gpac/commit/c7e46e948ebe2d4a532539c7e714cdf655b84521
NOTE: fix considered "ugly" by upstream and introduces abort(3)-based 
DoS
 CVE-2020-6630 (An issue was discovered in GPAC version 0.8.0. There is a NULL 
pointer ...)
-   [experimental] - gpac 1.0.1+dfsg1-1
-   - gpac  (bug #972053)
+   - gpac 1.0.1+dfsg1-2 (bug #972053)
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
[jessie] - gpac  (Minor issue, clean crash, MP42TS not 
shipped, incomplete patch)
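Review bot: the context lines at the top of this hunk belong to the CVE-2020-6631 entry just above, and `NOTE: fix considered "ugly" by upstream and introduces abort(3)-based DoS` qualifies what `- gpac 1.0.1+dfsg1-2 (bug #972053)` means there: the NULL pointer dereference is gone, but malformed input can still terminate a process that links libgpac, so downstream consumers should not read the unstable fix as making untrusted input safe. The jessie `(Minor issue, clean crash, MP42TS not shipped, incomplete patch)` annotation is consistent with that and is correctly left alone for both CVE-2020-6631 and CVE-2020-6630.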
@@ -60227,8 +60219,7 @@ CVE-2019-20209 (The CTHthemes CityBook before 2.3.4, 
TownHub before 1.0.6, and E
NOT-FOR-US: themes for WordPress
 CVE-2019-20208 (dimC_Read in isomedia/box_code_3gpp.c in GPAC 0.8.0 has a 
stack-based  ...)
{DLA-2072-1}
-   [experimental] - gpac 1.0.1+dfsg1-1
-   - gpac  (bug #972053)
+   - gpac 1.0.1+dfsg1-2 (bug #972053)
[buster] - gpac  (Minor issue)
[stretch] - gpac  


[Git][security-tracker-team/security-tracker][master] Process three NFUs

2020-11-21 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7e2e12cd by Salvatore Bonaccorso at 2020-11-21T21:18:12+01:00
Process three NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -35378,7 +35378,7 @@ CVE-2020-14260
 CVE-2020-14259
RESERVED
 CVE-2020-14258 (HCL Notes is susceptible to a Denial of Service vulnerability 
caused b ...)
-   TODO: check
+   NOT-FOR-US: HCL
 CVE-2020-14257
RESERVED
 CVE-2020-14256
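Review bot: replacing `TODO: check` with `NOT-FOR-US: HCL` is the right resolution only if no HCL Notes or Domino package exists in the archive; since the same tag is applied to the two HCL Domino entries in the next two hunks, one such check settles all three, and the commit title "Process three NFUs" says that is what was done.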
@@ -35426,7 +35426,7 @@ CVE-2020-14236
 CVE-2020-14235
RESERVED
 CVE-2020-14234 (HCL Domino is susceptible to a Denial of Service vulnerability 
due to  ...)
-   TODO: check
+   NOT-FOR-US: HCL
 CVE-2020-14233
RESERVED
 CVE-2020-14232
@@ -35434,7 +35434,7 @@ CVE-2020-14232
 CVE-2020-14231
RESERVED
 CVE-2020-14230 (HCL Domino is susceptible to a Denial of Service vulnerability 
caused  ...)
-   TODO: check
+   NOT-FOR-US: HCL
 CVE-2020-14229
RESERVED
 CVE-2020-14228



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e2e12cdb8607190114c1fe276aee94901332723


[Git][security-tracker-team/security-tracker][master] automatic update

2020-11-21 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c90b4af6 by security tracker role at 2020-11-21T20:10:23+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2424,6 +2424,7 @@ CVE-2020-28368 (Xen through 4.14.x allows guest OS 
administrators to obtain sens
[stretch] - xen  (DSA 4602-1)
NOTE: https://xenbits.xen.org/xsa/advisory-351.html
 CVE-2020-28367 (Go before 1.14.12 and 1.15.x before 1.15.5 allows Argument 
Injection. ...)
+   {DLA-2460-1}
- golang-1.15 1.15.5-1
- golang-1.11 
- golang-1.8 
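Review bot: the added `{DLA-2460-1}` agrees with the DLA-2460-1 golang-1.8 entry reserved later in this digest, whose CVE set is {CVE-2020-15586 CVE-2020-16845 CVE-2020-28367}; the `- golang-1.11 ` and `- golang-1.8 ` context lines still show no version after the package name, so this change records the stretch fix only and leaves the status of those two packages elsewhere as it was.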
@@ -4309,7 +4310,7 @@ CVE-2020-28198
 CVE-2020-28197
RESERVED
 CVE-2020-28196 (MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 
1.18.3 allow ...)
-   {DLA-2437-1}
+   {DSA-4795-1 DLA-2437-1}
[experimental] - krb5 1.18.2-1
- krb5 1.18.3-1 (bug #973880)
NOTE: 
https://github.com/krb5/krb5/commit/57415dda6cf04e73ffc3723be518eddfae599bfd
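Review bot: `{DSA-4795-1 DLA-2437-1}` matches the DSA-4795-1 krb5 entry in data/DSA/list in this digest ({CVE-2020-28196}, buster 1.17-3+deb10u1). The context line `[experimental] - krb5 1.18.2-1` now sits beneath `- krb5 1.18.3-1 (bug #973880)`, i.e. experimental is older than the fixed unstable version; it is stale and could be dropped in a follow-up, as the gpac commit in this digest did for its experimental lines.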
@@ -7527,7 +7528,7 @@ CVE-2020-26969
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26969
 CVE-2020-26968
RESERVED
-   {DSA-4793-1 DLA-2457-1}
+   {DSA-4796-1 DSA-4793-1 DLA-2457-1}
- firefox 83.0-1
- firefox-esr 78.5.0esr-1
- thunderbird 1:78.5.0-1
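Review bot: DSA-4796-1 is the thunderbird advisory added to data/DSA/list in this digest, and its CVE set (CVE-2020-16012, 26951, 26953, 26956, 26958, 26959, 26960, 26961, 26965, 26968) contains every entry this update prefixes with `DSA-4796-1` in this and the following hunks; the `- thunderbird 1:78.5.0-1` context line is the unstable fix, while the buster version 1:78.5.0-1~deb10u1 is recorded only in the DSA entry, which is where the tracker takes the buster status from.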
@@ -7548,7 +7549,7 @@ CVE-2020-26966
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-52/#CVE-2020-26966
 CVE-2020-26965
RESERVED
-   {DSA-4793-1 DLA-2457-1}
+   {DSA-4796-1 DSA-4793-1 DLA-2457-1}
- firefox 83.0-1
- firefox-esr 78.5.0esr-1
- thunderbird 1:78.5.0-1
@@ -7569,7 +7570,7 @@ CVE-2020-26962
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26962
 CVE-2020-26961
RESERVED
-   {DSA-4793-1 DLA-2457-1}
+   {DSA-4796-1 DSA-4793-1 DLA-2457-1}
- firefox 83.0-1
- firefox-esr 78.5.0esr-1
- thunderbird 1:78.5.0-1
@@ -7578,7 +7579,7 @@ CVE-2020-26961
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-52/#CVE-2020-26961
 CVE-2020-26960
RESERVED
-   {DSA-4793-1 DLA-2457-1}
+   {DSA-4796-1 DSA-4793-1 DLA-2457-1}
- firefox 83.0-1
- firefox-esr 78.5.0esr-1
- thunderbird 1:78.5.0-1
@@ -7587,7 +7588,7 @@ CVE-2020-26960
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-52/#CVE-2020-26960
 CVE-2020-26959
RESERVED
-   {DSA-4793-1 DLA-2457-1}
+   {DSA-4796-1 DSA-4793-1 DLA-2457-1}
- firefox 83.0-1
- firefox-esr 78.5.0esr-1
- thunderbird 1:78.5.0-1
@@ -7596,7 +7597,7 @@ CVE-2020-26959
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-52/#CVE-2020-26959
 CVE-2020-26958
RESERVED
-   {DSA-4793-1 DLA-2457-1}
+   {DSA-4796-1 DSA-4793-1 DLA-2457-1}
- firefox 83.0-1
- firefox-esr 78.5.0esr-1
- thunderbird 1:78.5.0-1
@@ -7609,7 +7610,7 @@ CVE-2020-26957
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26957
 CVE-2020-26956
RESERVED
-   {DSA-4793-1 DLA-2457-1}
+   {DSA-4796-1 DSA-4793-1 DLA-2457-1}
- firefox 83.0-1
- firefox-esr 78.5.0esr-1
- thunderbird 1:78.5.0-1
@@ -7626,7 +7627,7 @@ CVE-2020-26954
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26954
 CVE-2020-26953
RESERVED
-   {DSA-4793-1 DLA-2457-1}
+   {DSA-4796-1 DSA-4793-1 DLA-2457-1}
- firefox 83.0-1
- firefox-esr 78.5.0esr-1
- thunderbird 1:78.5.0-1
@@ -7639,7 +7640,7 @@ CVE-2020-26952
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26952
 CVE-2020-26951
RESERVED
-   {DSA-4793-1 DLA-2457-1}
+   {DSA-4796-1 DSA-4793-1 DLA-2457-1}
- firefox 83.0-1
- firefox-esr 78.5.0esr-1
- thunderbird 1:78.5.0-1
@@ -8588,6 +8589,7 @@ CVE-2020-26521 (The JWT library in NATS nats-server 
before 2.1.9 allows a denial
 CVE-2020-26520
RESERVED
 CVE-2020-26519 (Artifex MuPDF before 1.18.0 has a heap based buffer over-write 
when pa ...)
+   {DSA-4794-1}
- mupdf 1.17.0+ds1-1.1 (bug #971595)
[stretch] - mupdf  (Minor issue, can be fixed along in next 
DLA)
NOTE: 
http://git.ghostscript.com/?p=mupdf.git;a=commit;h=af1e390a2c7abceb32676ec684cd1dbb92907ce8
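Review bot: `{DSA-4794-1}` corresponds to the DSA-4794-1 mupdf entry ({CVE-2020-26519}, buster 1.14.0+ds1-4+deb10u2) in data/DSA/list in this digest; the unchanged `[stretch] - mupdf  (Minor issue, can be fixed along in next DLA)` line means stretch stays postponed, so this CVE should be picked up whenever the next mupdf DLA is prepared.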
@@ -11692,8 +11694,8 @@ CVE-2020-25191
RESERVED
 CVE-2020-25190
RESERVED
-CVE-2020-25189
-   RESERVED
+CVE-2020-25189 (The affected product is vulnerable to three stack-based buffer 
overflo ...)
+   TODO: check
 CVE-2020-25188 (An attacker who convinces a valid user to open a specially 
crafted pro ...)
NOT-FOR-US: LAquis SCADA
 CVE-2020-25187
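Review bot: CVE-2020-25189 goes from RESERVED to a description that names no product (`The affected product is vulnerable to three stack-based buffer overflo ...`), so `TODO: check` is the correct placeholder rather than a guess; the neighbouring CVE-2020-25188 being `NOT-FOR-US: LAquis SCADA` is suggestive but not evidence, and the triager should resolve the TODO from the advisory itself.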
@@ -28643,6 +28645,7 @@ CVE-2020-16846 (An issue was 

[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-20739/vips as no-dsa

2020-11-21 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8411d43a by Salvatore Bonaccorso at 2020-11-21T20:46:28+01:00
Mark CVE-2020-20739/vips as no-dsa

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -20793,6 +20793,7 @@ CVE-2020-20740 (PDFResurrect before 0.20 lack of header 
validation checks causes
NOTE: https://github.com/enferex/pdfresurrect/issues/14
 CVE-2020-20739 (im_vips2dz in /libvips/libvips/deprecated/im_vips2dz.c in 
libvips befo ...)
- vips 8.9.0-1
+   [buster] - vips  (Minor issue)
NOTE: 
https://github.com/libvips/libvips/commit/2ab5aa7bf515135c2b02d42e9a72e4c98e17031a
 (v8.9.0-alpha1)
NOTE: https://github.com/libvips/libvips/issues/1419
 CVE-2020-20738
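Review bot: the new `[buster] - vips  (Minor issue)` line (the state token between the package name and the parenthesis is stripped in this rendering) records a no-dsa decision for buster, while the unchanged `- vips 8.9.0-1` line and the NOTE pointing at the upstream commit tagged (v8.9.0-alpha1) agree that 8.9.0 is the version boundary; with the affected code living under `/libvips/libvips/deprecated/im_vips2dz.c` as the description says, a minor-issue rating is a defensible call.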



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8411d43a78b4fa6435348699a623e96d5acd023f


[Git][security-tracker-team/security-tracker][master] Remove no-dsa tagged entry which got an update

2020-11-21 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
77d8d477 by Salvatore Bonaccorso at 2020-11-21T20:31:18+01:00
Remove no-dsa tagged entry which got an update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -107414,7 +107414,6 @@ CVE-2018-20782 (The GloBee plugin before 1.1.2 for 
WooCommerce mishandles IPN me
 CVE-2016-10742 (Zabbix before 2.2.21rc1, 3.x before 3.0.13rc1, 3.1.x and 3.2.x 
before  ...)
{DLA-1708-1}
- zabbix 1:3.0.17+dfsg-1 (low)
-   [stretch] - zabbix  (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-10272
NOTE: https://support.zabbix.com/browse/ZBX-13133
NOTE: 
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/2b340b8128af6c00469ef4066de16d4b1e81c841
 (3.0.13rc1)
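Review bot: removing `[stretch] - zabbix  (Minor issue)` is consistent with DLA-2461-1 for zabbix being reserved in this digest with CVE-2016-10742 in its CVE set; until the automatic update adds DLA-2461-1 next to `{DLA-1708-1}`, the entry shows stretch as unfixed rather than postponed, which is the expected intermediate state, not a regression.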



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/77d8d477d36a0c94393d7fe34862651ed5050cbf


[Git][security-tracker-team/security-tracker][master] thunderbird DSA

2020-11-21 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ac625642 by Moritz Mühlenhoff at 2020-11-21T19:24:53+01:00
thunderbird DSA

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[21 Nov 2020] DSA-4796-1 thunderbird - security update
+   {CVE-2020-16012 CVE-2020-26951 CVE-2020-26953 CVE-2020-26956 
CVE-2020-26958 CVE-2020-26959 CVE-2020-26960 CVE-2020-26961 CVE-2020-26965 
CVE-2020-26968}
+   [buster] - thunderbird 1:78.5.0-1~deb10u1
 [21 Nov 2020] DSA-4795-1 krb5 - security update
{CVE-2020-28196}
[buster] - krb5 1.17-3+deb10u1
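Review bot: the `{CVE-2020-16012 ... CVE-2020-26968}` line is a single line in data/DSA/list and is only wrapped here by the mail; its set is exactly what the automatic update earlier in this digest tagged with DSA-4796-1, so the two files agree. The buster version 1:78.5.0-1~deb10u1 matches the unstable 1:78.5.0-1 seen in those CVE entries, as expected for a rebuild of the same upstream release.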


=
data/dsa-needed.txt
=
@@ -31,8 +31,6 @@ pdns-recursor
 --
 salt
 --
-thunderbird (jmm)
---
 xcftools
   Hugo proposed to work on this update
 --
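Review bot: the removed `---` is the file's `--` separator line carrying its `-` diff prefix, not a three-dash marker, so `thunderbird (jmm)` and its separator go away together and the list stays correctly delimited; the same reading applies to the other dsa-needed.txt and dla-needed.txt hunks in this digest.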



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac625642d68d2fe32a83cf15e81a666f284b5ea3


[Git][security-tracker-team/security-tracker][master] krb5 DSA

2020-11-21 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6a7ef0ea by Moritz Mühlenhoff at 2020-11-21T19:16:57+01:00
krb5 DSA

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[21 Nov 2020] DSA-4795-1 krb5 - security update
+   {CVE-2020-28196}
+   [buster] - krb5 1.17-3+deb10u1
 [21 Nov 2020] DSA-4794-1 mupdf - security update
{CVE-2020-26519}
[buster] - mupdf 1.14.0+ds1-4+deb10u2


=
data/dsa-needed.txt
=
@@ -19,8 +19,6 @@ chromium
 knot-resolver
   Santiago Ruano Rincón proposed a debdiff for review
 --
-krb5 (jmm)
---
 libproxy
 --
 linux (carnil)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6a7ef0eafb7f873983c0b534359da91d36dacff3


[Git][security-tracker-team/security-tracker][master] Add note for xdg-utils

2020-11-21 Thread Utkarsh Gupta


Utkarsh Gupta pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2ead72b8 by Utkarsh Gupta at 2020-11-21T22:26:53+05:30
Add note for xdg-utils

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -197,6 +197,7 @@ xcftools
   NOTE: 20200605: Patch 
https://salsa.debian.org/lts-team/packages/xcftools/-/blob/fix/test-CVE-2019-5087/debian/patches/CVE-2019-5087.patch
 (gladk)
 --
 xdg-utils
+  NOTE: 20201122: wait for a while to get the fix exposed in other suites. 
(utkarsh)
 --
 zsh (Markus Koschany)
 --
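Review bot: the note is stamped `20201122` while the commit is dated 2020-11-21T22:26:53+05:30 (16:56 UTC on the 21st); the other dated notes in this file use the commit day (`20200605` and `20201115` in the hunks shown in this digest), so this stamp is a day ahead and should read `20201121` unless the intent was to date the decision rather than the edit.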



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ead72b8f7a7a6b5b627633656d769666f95cf80


[Git][security-tracker-team/security-tracker][master] lua5.4 fixed in sid

2020-11-21 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
acf2ae4f by Moritz Muehlenhoff at 2020-11-21T17:49:22+01:00
lua5.4 fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13464,20 +13464,20 @@ CVE-2020-24372 (LuaJIT through 2.1.0-beta3 has an 
out-of-bounds read in lj_err_r
NOTE: https://github.com/LuaJIT/LuaJIT/issues/603
NOTE: No security impact, only "exploitable" with untrusted Lua code
 CVE-2020-24371 (lgc.c in Lua 5.4.0 mishandles the interaction between barriers 
and the ...)
-   - lua5.4  (bug #971010)
+   - lua5.4 5.4.1-1 (bug #971010)
- lua5.3  (Vulnerable code introduced in 5.4.0)
NOTE: 
https://github.com/lua/lua/commit/a6da1472c0c5e05ff249325f979531ad51533110
NOTE: https://www.lua.org/bugs.html#5.4.0-10
 CVE-2020-24370 (ldebug.c in Lua 5.4.0 allows a negation overflow and 
segmentation faul ...)
{DLA-2381-1}
-   - lua5.4  (bug #971613)
+   - lua5.4 5.4.1-1 (bug #971613)
- lua5.3 
[buster] - lua5.3  (Minor issue)
NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00324.html
NOTE: (lua5.4) 
https://github.com/lua/lua/commit/a585eae6e7ada1ca9271607a4f48dfb17868ab7b
NOTE: (lua5.3) 
https://github.com/lua/lua/commit/b5bc89846721375fe30772eb8c5ab2786f362bf9
 CVE-2020-24369 (ldebug.c in Lua 5.4.0 attempts to access debug information via 
the lin ...)
-   - lua5.4  (bug #971013)
+   - lua5.4 5.4.1-1 (bug #971013)
NOTE: 
https://github.com/lua/lua/commit/ae5b5ba529753c7a653901ffc29b5ea24c3fdf3a
NOTE: https://www.lua.org/bugs.html#5.4.0-12
 CVE-2020-24368 (Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a 
Director ...)
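Review bot: the three lua5.4 lines now carry 5.4.1-1 and the commit title scopes the change to sid correctly; note that `- lua5.3 ` with `[buster] - lua5.3  (Minor issue)` for CVE-2020-24370 is untouched, so lua5.3 remains the open package for that CVE, whereas `- lua5.3  (Vulnerable code introduced in 5.4.0)` for CVE-2020-24371 records lua5.3 as not carrying the vulnerable code. The `(lua5.4)` and `(lua5.3)` upstream commits listed for CVE-2020-24370 are different, so the 5.3 fix cannot be assumed from the 5.4 upload.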
@@ -13546,7 +13546,7 @@ CVE-2020-24344 (JerryScript through 2.3.0 has a 
(function({a=arguments}){const a
 CVE-2020-24343 (Artifex MuJS through 1.0.7 has a use-after-free in jsrun.c 
because of  ...)
NOT-FOR-US: MuJS
 CVE-2020-24342 (Lua through 5.4.0 allows a stack redzone cross in 
luaO_pushvfstring be ...)
-   - lua5.4  (bug #971012)
+   - lua5.4 5.4.1-1 (bug #971012)
NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00052.html
NOTE: 
https://github.com/lua/lua/commit/34affe7a63fc5d842580a9f23616d057e17dfe27
 CVE-2020-24341
@@ -30855,7 +30855,7 @@ CVE-2020-15889 (Lua through 5.4.0 has a getobjname 
heap-based buffer over-read b
NOTE: 
https://github.com/lua/lua/commit/127e7a6c8942b362aa3c6627f44d660a4fb75312
NOTE: Introduced in 5.4
 CVE-2020-15888 (Lua through 5.4.0 mishandles the interaction between stack 
resizes and ...)
-   - lua5.4  (bug #972101)
+   - lua5.4 5.4.1-1 (bug #972101)
NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00053.html
NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00054.html
NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00071.html



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/acf2ae4f457009d5df943d5fac07b513f6401b04


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2461-1 for zabbix

2020-11-21 Thread Sylvain Beucler


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5724dd02 by Sylvain Beucler at 2020-11-21T17:42:57+01:00
Reserve DLA-2461-1 for zabbix

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[21 Nov 2020] DLA-2461-1 zabbix - security update
+   {CVE-2016-10742 CVE-2020-11800}
+   [stretch] - zabbix 1:3.0.31+dfsg-0+deb9u1
 [21 Nov 2020] DLA-2460-1 golang-1.8 - security update
{CVE-2020-15586 CVE-2020-16845 CVE-2020-28367}
[stretch] - golang-1.8 1.8.1-1+deb9u2


=
data/dla-needed.txt
=
@@ -198,7 +198,5 @@ xcftools
 --
 xdg-utils
 --
-zabbix (Sylvain Beucler)
---
 zsh (Markus Koschany)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5724dd02e375cd03e742c6998475e131dee5ba0e


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2460-1 for golang-1.8

2020-11-21 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2631a0b5 by Thorsten Alteholz at 2020-11-21T17:39:26+01:00
Reserve DLA-2460-1 for golang-1.8

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[21 Nov 2020] DLA-2460-1 golang-1.8 - security update
+   {CVE-2020-15586 CVE-2020-16845 CVE-2020-28367}
+   [stretch] - golang-1.8 1.8.1-1+deb9u2
 [21 Nov 2020] DLA-2459-1 golang-1.7 - security update
{CVE-2020-15586 CVE-2020-16845}
[stretch] - golang-1.7 1.7.4-2+deb9u2


=
data/dla-needed.txt
=
@@ -54,9 +54,6 @@ firmware-nonfree (Emilio)
 --
 freerdp (Abhijith PA)
 --
-golang-1.8 (Thorsten Alteholz)
-  NOTE: 20201115: also taking care of old no-dsa
---
 golang-github-dgrijalva-jwt-go
 --
 golang-golang-x-net-dev



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2631a0b54a749eb2dc39603f761faf7a0153982b


[Git][security-tracker-team/security-tracker][master] remove postponed-tag due to recent upload

2020-11-21 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2301 by Thorsten Alteholz at 2020-11-21T17:14:13+01:00
remove postponed-tag due to recent upload

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -28647,9 +28647,7 @@ CVE-2020-16845 (Go before 1.13.15 and 14.x before 
1.14.7 can have an infinite re
- golang-1.11 
[buster] - golang-1.11  (Minor issue)
- golang-1.8 
-   [stretch] - golang-1.8  (Minor issue)
- golang-1.7 
-   [stretch] - golang-1.7  (Minor issue)
NOTE: 
https://groups.google.com/forum/#!topic/golang-announce/NyPIaucMgXo
NOTE: https://github.com/golang/go/issues/40618
NOTE: Fixed in 1.15~rc2, 1.14.7, 1.13.15
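Review bot: deleting the two `[stretch] ... (Minor issue)` lines for golang-1.8 and golang-1.7 is justified by the commit title's "recent upload" only once the matching DLAs exist; DLA-2459-1 (golang-1.7) and DLA-2460-1 (golang-1.8) are reserved later in this digest and both list CVE-2020-16845, and the automatic update will add them to this entry. The `- golang-1.8 ` and `- golang-1.7 ` context lines still show no version, so nothing about unstable changes here.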
@@ -31744,9 +31742,7 @@ CVE-2020-15586 (Go before 1.13.13 and 1.14.x before 
1.14.5 has a data race in so
- golang-1.11 
[buster] - golang-1.11  (Minor issue, can be fixed along in 
next DSA)
- golang-1.8 
-   [stretch] - golang-1.8  (Minor issue)
- golang-1.7 
-   [stretch] - golang-1.7  (Minor issue)
- golang 
NOTE: https://github.com/golang/go/issues/34902
NOTE: 
https://groups.google.com/g/golang-announce/c/XZNfaiwgt2w/m/E6gHDs32AQAJ



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2301858d7009ea32ad48605c206a1093b921


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2459-1 for golang-1.7

2020-11-21 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6e423f9d by Thorsten Alteholz at 2020-11-21T17:11:48+01:00
Reserve DLA-2459-1 for golang-1.7

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[21 Nov 2020] DLA-2459-1 golang-1.7 - security update
+   {CVE-2020-15586 CVE-2020-16845}
+   [stretch] - golang-1.7 1.7.4-2+deb9u2
 [21 Nov 2020] DLA-2379-3 mediawiki - regression update
[stretch] - mediawiki 1:1.27.7-1~deb9u6
 [19 Nov 2020] DLA-2458-1 drupal7 - security update


=
data/dla-needed.txt
=
@@ -54,9 +54,6 @@ firmware-nonfree (Emilio)
 --
 freerdp (Abhijith PA)
 --
-golang-1.7 (Thorsten Alteholz)
-  NOTE: 20201115: also taking care of old no-dsa
---
 golang-1.8 (Thorsten Alteholz)
   NOTE: 20201115: also taking care of old no-dsa
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e423f9dca9858963ba53656af4e4fa16d04f675


[Git][security-tracker-team/security-tracker][master] tracker_data.py: Use explicitly octal mode on mkdir call

2020-11-21 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4108d88d by Salvatore Bonaccorso at 2020-11-21T16:45:47+01:00
tracker_data.py: Use explicitly octal mode on mkdir call

Although this is probably subject to personal preference, switch to
octal representation directly instead of specifying the mode in decimal
variant. Reading 0o700 makes it immediately clear what is meant.

- - - - -


1 changed file:

- bin/tracker_data.py


Changes:

=
bin/tracker_data.py
=
@@ -76,9 +76,9 @@ class TrackerData(object):
self.DATA_URL))
 response = requests.get(self.DATA_URL, allow_redirects=True)
 response.raise_for_status()
-# if ~/.cache does not exist, then open() will fail; dec 448 -> octal 
0700
+# if ~/.cache does not exist, then open() will fail
 if not os.path.exists(self.cached_data_dir):
-os.mkdir(self.cached_data_dir, mode=448)
+os.mkdir(self.cached_data_dir, mode=0o700)
 with open(self.cached_data_path, 'w') as cache_file:
 cache_file.write(response.text)
 with open(self.cached_revision_path, 'w') as rev_file:
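Review bot: `mode=0o700` is the same value as 448 and the clearer spelling, but the surrounding `if not os.path.exists(self.cached_data_dir): os.mkdir(...)` remains a check-then-act pair: anything created at that path between the two calls makes `os.mkdir` raise, and a symlink placed there makes the later `open(self.cached_data_path, 'w')` follow it. `os.makedirs(self.cached_data_dir, mode=0o700, exist_ok=True)` removes the window and creates missing parents in one call; the mode is still subject to the umask, so a caller that relies on 0o700 should check or chmod afterwards. Dropping the `dec 448 -> octal 0700` comment is right now that the literal says it.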



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4108d88d2aa8b95c08f346f8c27e0aed8e0d3b14


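The mkdir change in the commit above, and the missing-`~/.cache` traceback quoted in Roberto C. Sánchez's commit message later in this digest, both concern creating the tracker's cache directory. The following is an added example and not code from the security-tracker repository: a hypothetical `ensure_private_dir` helper that replaces the exists-then-mkdir pair with `os.makedirs(..., mode=0o700, exist_ok=True)`, tightens the mode of a directory that already existed, and refuses a symlink at the cache path; `demo()` exercises it on constructed directories under a temporary root.

```python
import os
import shutil
import stat
import tempfile


def dir_mode(path: str) -> int:
    """Permission bits (user/group/other rwx) of `path` itself; symlink not followed."""
    return stat.S_IMODE(os.lstat(path).st_mode) & 0o777


def ensure_private_dir(path: str) -> str:
    """Create `path` (parents included) as a directory private to the caller.

    Hypothetical helper written for this example. Compared with
    ``if not os.path.exists(p): os.mkdir(p, mode=0o700)``:
      * exist_ok=True removes the check-then-create window;
      * a directory that already existed with a wider mode is tightened to
        0o700, since makedirs never changes the mode of an existing directory
        and the umask may have narrowed the mode of a new one;
      * a symlink or non-directory at `path` is rejected, so cache files are
        never written through a link placed there by someone else.
    """
    os.makedirs(path, mode=0o700, exist_ok=True)
    st = os.lstat(path)  # lstat: inspect the path itself, not a link target
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"{path} exists but is not a plain directory")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise RuntimeError(f"{path} is owned by uid {st.st_uid}, not the caller")
    if dir_mode(path) != 0o700:
        os.chmod(path, 0o700)
    return path


def demo() -> dict:
    """Run the helper against constructed directories under a temp root."""
    root = tempfile.mkdtemp(prefix="tracker-cache-demo-")
    try:
        # 1. Fresh path with a missing parent: created outright, mode 0o700.
        fresh = os.path.join(root, ".cache", "security-tracker")
        ensure_private_dir(fresh)
        fresh_mode = dir_mode(fresh)

        # 2. Pre-existing world-readable directory: makedirs(exist_ok=True)
        #    alone would leave 0o755 in place; the helper tightens it.
        lax = os.path.join(root, "lax")
        os.mkdir(lax, mode=0o755)
        os.chmod(lax, 0o755)  # explicit, so the setup is independent of the umask
        lax_before = dir_mode(lax)
        ensure_private_dir(lax)
        lax_after = dir_mode(lax)

        # 3. Symlink planted where the cache directory should be: refused.
        elsewhere = os.path.join(root, "elsewhere")
        os.mkdir(elsewhere)
        link = os.path.join(root, "link")
        os.symlink(elsewhere, link)
        try:
            ensure_private_dir(link)
            symlink_refused = False
        except RuntimeError:
            symlink_refused = True
    finally:
        shutil.rmtree(root)
    return {
        "fresh_mode": fresh_mode,
        "lax_before": lax_before,
        "lax_after": lax_after,
        "symlink_refused": symlink_refused,
    }


if __name__ == "__main__":
    r = demo()
    print("fresh:", oct(r["fresh_mode"]),
          "lax:", oct(r["lax_before"]), "->", oct(r["lax_after"]),
          "symlink refused:", r["symlink_refused"])
```

The ownership check matters on shared machines where a cache directory under a predictable name could have been pre-created by another account; the lstat-based symlink check is what prevents the later `open(..., 'w')` from writing wherever a link points.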
[Git][security-tracker-team/security-tracker][master] 3 commits: distributions.json: Add trixie

2020-11-21 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f9c533af by Salvatore Bonaccorso at 2020-11-21T15:15:37+01:00
distributions.json: Add trixie

- - - - -
17caa617 by Salvatore Bonaccorso at 2020-11-21T15:18:04+01:00
data/config.json: Add codename entries for trixie

- - - - -
d0a10b7d by Salvatore Bonaccorso at 2020-11-21T15:45:06+01:00
Merge branch initial-trixie-support

- - - - -


2 changed files:

- data/config.json
- static/distributions.json


Changes:

=
data/config.json
=
@@ -110,6 +110,17 @@
 ]
   }
 },
+"trixie": {
+  "members": {
+"supported": [
+  "trixie",
+  "trixie-security"
+],
+"optional": [
+  "trixie-proposed-updates"
+]
+  }
+},
 "sid": {
   "members": {
 "supported": [
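Review bot: the trixie block copies the shape of the block above it (supported: `trixie` and `trixie-security`; optional: `trixie-proposed-updates`) and is inserted before `"sid"` with a trailing comma, so the JSON stays well formed; the static/distributions.json entry in the same push names the codename identically, which is the cross-check worth repeating whenever a new suite is added.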


=
static/distributions.json
=
@@ -28,5 +28,10 @@
 "major-version": "12",
 "support": "none",
 "contact": ""
+  },
+  "trixie": {
+"major-version": "13",
+"support": "none",
+"contact": ""
   }
 }
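Review bot: the object is spliced in by changing the previous closing `  }` into `  },` and re-adding the final `  }`, so the file stays valid JSON; `"major-version": "13"` follows the `"12"` of the entry above, and `"support": "none"` with an empty `"contact"` is the placeholder state that will need updating when trixie starts receiving security support.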



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/991d422320baca990ed6aa912b6b8e104ab71687...d0a10b7d551d7699b3627baf3d01446fc150831c


[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: Ensure ~/.cache exists before writing out tracker data cache

2020-11-21 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
04703997 by Roberto C. Sánchez at 2020-11-21T09:10:24-05:00
LTS: Ensure ~/.cache exists before writing out tracker data cache

If ~/.cache does not already exist, then this happens:

$ ./bin/lts-cve-triage.py
Updating ~/.cache/debian_security_tracker.json from https://security-tracker.debian.org/tracker/data/json ...
Traceback (most recent call last):
  File "./bin/lts-cve-triage.py", line 94, in <module>
    tracker = TrackerData(update_cache=not args.skip_cache_update)
  File "/home/roberto/src/freexian/security-tracker.git/bin/tracker_data.py", line 40, in __init__
    self.update_cache()
  File "/home/roberto/src/freexian/security-tracker.git/bin/tracker_data.py", line 77, in update_cache
    with open(self.cached_data_path, 'w') as cache_file:
FileNotFoundError: [Errno 2] No such file or directory: '/home/roberto/.cache/debian_security_tracker.json'

- - - - -
991d4223 by Roberto C. Sánchez at 2020-11-21T09:14:02-05:00
LTS: triage, add xdg-utils and imagemagick to dla-needed.txt

- - - - -


2 changed files:

- bin/tracker_data.py
- data/dla-needed.txt


Changes:

=
bin/tracker_data.py
=
@@ -25,6 +25,7 @@ import six
 class TrackerData(object):
 DATA_URL = "https://security-tracker.debian.org/tracker/data/json;
 GIT_URL = 
"https://salsa.debian.org/security-tracker-team/security-tracker.git;
+CACHED_DATA_DIR = "~/.cache"
 CACHED_DATA_PATH = "~/.cache/debian_security_tracker.json"
 CACHED_REVISION_PATH = "~/.cache/debian_security_tracker.rev"
 GET_REVISION_COMMAND = \
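Review bot: CACHED_DATA_DIR = "~/.cache" repeats the directory that CACHED_DATA_PATH and CACHED_REVISION_PATH already spell out, so the three constants can now drift apart if someone later moves the cache files. Deriving the directory from the path in __init__ (self.cached_data_dir = os.path.dirname(self.cached_data_path)) keeps a single source of truth; honouring $XDG_CACHE_HOME instead of a hardcoded ~/.cache would be a further, separate improvement.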
@@ -33,6 +34,7 @@ class TrackerData(object):
 
 def __init__(self, update_cache=True):
 self._latest_revision = None
+self.cached_data_dir = os.path.expanduser(self.CACHED_DATA_DIR)
 self.cached_data_path = os.path.expanduser(self.CACHED_DATA_PATH)
 self.cached_revision_path = os.path.expanduser(
 self.CACHED_REVISION_PATH)
@@ -74,6 +76,9 @@ class TrackerData(object):
self.DATA_URL))
 response = requests.get(self.DATA_URL, allow_redirects=True)
 response.raise_for_status()
+# if ~/.cache does not exist, then open() will fail; dec 448 -> octal 
0700
+if not os.path.exists(self.cached_data_dir):
+os.mkdir(self.cached_data_dir, mode=448)
 with open(self.cached_data_path, 'w') as cache_file:
 cache_file.write(response.text)
 with open(self.cached_revision_path, 'w') as rev_file:
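Review bot: mode=448 is 0o700 written in decimal, which is the only reason the comment above it has to explain "dec 448 -> octal 0700"; the octal literal os.mkdir(self.cached_data_dir, mode=0o700) says the same thing without the translation (the diff fragment at the top of this page, from commit 4108d88d, shows exactly that rewrite landing later). The os.path.exists() / os.mkdir() pair is also a check-then-act race and still raises if the parent of ~/.cache is missing; os.makedirs(self.cached_data_dir, mode=0o700, exist_ok=True) covers both cases in one call. Note that exist_ok=True does not change the mode of a directory that already exists, so a pre-existing world-readable ~/.cache stays as it is, which is acceptable here since the cached tracker JSON is public data anyway.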


=
data/dla-needed.txt
=
@@ -64,6 +64,8 @@ golang-github-dgrijalva-jwt-go
 --
 golang-golang-x-net-dev
 --
+imagemagick (Roberto C. Sánchez)
+--
 influxdb
 --
 intel-microcode (Utkarsh)
@@ -200,6 +202,8 @@ xcftools
   NOTE: 20200523: Proposed fix https://github.com/j-jorge/xcftools/pull/15 
(gladk)
   NOTE: 20200605: Patch 
https://salsa.debian.org/lts-team/packages/xcftools/-/blob/fix/test-CVE-2019-5087/debian/patches/CVE-2019-5087.patch
 (gladk)
 --
+xdg-utils
+--
 zabbix (Sylvain Beucler)
 --
 zsh (Markus Koschany)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d8ea8764ff0293c041e40f71bd430094582dc6b3...991d422320baca990ed6aa912b6b8e104ab71687


[Git][security-tracker-team/security-tracker][master] Reserve DSA number for mupdf update

2020-11-21 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d8ea8764 by Salvatore Bonaccorso at 2020-11-21T14:33:29+01:00
Reserve DSA number for mupdf update

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[21 Nov 2020] DSA-4794-1 mupdf - security update
+   {CVE-2020-26519}
+   [buster] - mupdf 1.14.0+ds1-4+deb10u2
 [18 Nov 2020] DSA-4793-1 firefox-esr - security update
{CVE-2020-16012 CVE-2020-26951 CVE-2020-26953 CVE-2020-26956 
CVE-2020-26958 CVE-2020-26959 CVE-2020-26960 CVE-2020-26961 CVE-2020-26965 
CVE-2020-26968}
[buster] - firefox-esr 78.5.0esr-1~deb10u1


=
data/dsa-needed.txt
=
@@ -27,8 +27,6 @@ linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v4.19.y versions.
 --
-mupdf (carnil)
---
 netty
 --
 pdns-recursor



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8ea8764ff0293c041e40f71bd430094582dc6b3


[Git][security-tracker-team/security-tracker][master] Track fixes via experimental for various gpac affecting CVEs

2020-11-21 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b6022c7d by Salvatore Bonaccorso at 2020-11-21T11:51:27+01:00
Track fixes via experimental for various gpac affecting CVEs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -43637,6 +43637,7 @@ CVE-2020-11560 (NCH Express Invoice 7.25 allows local 
users to discover the clea
 CVE-2020-11559
RESERVED
 CVE-2020-11558 (An issue was discovered in libgpac.a in GPAC 0.8.0, as 
demonstrated by ...)
+   [experimental] - gpac 1.0.1+dfsg1-1
- gpac  (bug #972053)
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
@@ -45443,6 +45444,7 @@ CVE-2020-10882 (This vulnerability allows 
network-adjacent attackers to execute
 CVE-2020-10881 (This vulnerability allows remote attackers to execute 
arbitrary code o ...)
NOT-FOR-US: TP-Link
 CVE-2019-20632 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as 
demonstr ...)
+   [experimental] - gpac 1.0.1+dfsg1-1
- gpac  (bug #972053)
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
@@ -45450,6 +45452,7 @@ CVE-2019-20632 (An issue was discovered in libgpac.a in 
GPAC before 0.8.0, as de
NOTE: 
https://github.com/gpac/gpac/commit/1ab4860609f2e7a35634930571e7d0531297e090
NOTE: https://github.com/gpac/gpac/issues/1271
 CVE-2019-20631 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as 
demonstr ...)
+   [experimental] - gpac 1.0.1+dfsg1-1
- gpac  (bug #972053)
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
@@ -45457,6 +45460,7 @@ CVE-2019-20631 (An issue was discovered in libgpac.a in 
GPAC before 0.8.0, as de
NOTE: 
https://github.com/gpac/gpac/commit/1ab4860609f2e7a35634930571e7d0531297e090
NOTE: https://github.com/gpac/gpac/issues/1270
 CVE-2019-20630 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as 
demonstr ...)
+   [experimental] - gpac 1.0.1+dfsg1-1
- gpac  (bug #972053)
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
@@ -45464,6 +45468,7 @@ CVE-2019-20630 (An issue was discovered in libgpac.a in 
GPAC before 0.8.0, as de
NOTE: 
https://github.com/gpac/gpac/commit/1ab4860609f2e7a35634930571e7d0531297e090
NOTE: https://github.com/gpac/gpac/issues/1268
 CVE-2019-20629 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as 
demonstr ...)
+   [experimental] - gpac 1.0.1+dfsg1-1
- gpac  (bug #972053)
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
@@ -45471,6 +45476,7 @@ CVE-2019-20629 (An issue was discovered in libgpac.a in 
GPAC before 0.8.0, as de
NOTE: 
https://github.com/gpac/gpac/commit/2320eb73afba753b39b7147be91f7be7afc0eeb7
NOTE: https://github.com/gpac/gpac/issues/1264
 CVE-2019-20628 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as 
demonstr ...)
+   [experimental] - gpac 1.0.1+dfsg1-1
- gpac  (bug #972053)
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
@@ -56259,6 +56265,7 @@ CVE-2020-6633
 CVE-2020-6632 (In PrestaShop 1.7.6.2, XSS can occur during addition or removal 
of a Q ...)
NOT-FOR-US: PrestaShop
 CVE-2020-6631 (An issue was discovered in GPAC version 0.8.0. There is a NULL 
pointer ...)
+   [experimental] - gpac 1.0.1+dfsg1-1
- gpac  (bug #972053)
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
@@ -56267,6 +56274,7 @@ CVE-2020-6631 (An issue was discovered in GPAC version 
0.8.0. There is a NULL po
NOTE: 
https://github.com/gpac/gpac/commit/c7e46e948ebe2d4a532539c7e714cdf655b84521
NOTE: fix considered "ugly" by upstream and introduces abort(3)-based 
DoS
 CVE-2020-6630 (An issue was discovered in GPAC version 0.8.0. There is a NULL 
pointer ...)
+   [experimental] - gpac 1.0.1+dfsg1-1
- gpac  (bug #972053)
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
@@ -60217,6 +60225,7 @@ CVE-2019-20209 (The CTHthemes CityBook before 2.3.4, 
TownHub before 1.0.6, and E
NOT-FOR-US: themes for WordPress
 CVE-2019-20208 (dimC_Read in isomedia/box_code_3gpp.c in GPAC 0.8.0 has a 
stack-based  ...)
{DLA-2072-1}
+   [experimental] - gpac 1.0.1+dfsg1-1
- gpac  (bug #972053)
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
@@ -60423,6 +60432,7 @@ CVE-2019-20171 (An issue was discovered in GPAC version 
0.8.0 and 0.9.0-developm
NOTE: 
https://github.com/gpac/gpac/commit/2bcca3f1d4605100bb27d3ed7be25b53cddbc75c
 CVE-2019-20170 (An issue was discovered in GPAC version 0.8.0 and 
0.9.0-development-20 ...)
{DLA-2072-1}
+   [experimental] - gpac 1.0.1+dfsg1-1
- gpac  (bug #972053)
[buster] - gpac  

[Git][security-tracker-team/security-tracker][master] Track fixed version for two fontforge issues

2020-11-21 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fe537f23 by Salvatore Bonaccorso at 2020-11-21T11:48:29+01:00
Track fixed version for two fontforge issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -59130,7 +59130,7 @@ CVE-2020-5498
 CVE-2020-5497 (The OpenID Connect reference implementation for MITREid Connect 
throug ...)
NOT-FOR-US: MITREid Connect
 CVE-2020-5496 (FontForge 20190801 has a heap-based buffer overflow in the 
Type2NotDef ...)
-   - fontforge  (bug #948231)
+   - fontforge 1:20201107~dfsg-1 (bug #948231)
[buster] - fontforge  (Minor issue)
[stretch] - fontforge  (Minor issue)
[jessie] - fontforge  (Minor issue)
@@ -59348,7 +59348,7 @@ CVE-2020-5397 (Spring Framework, versions 5.2.x prior 
to 5.2.3 are vulnerable to
 CVE-2020-5396 (VMware GemFire versions prior to 9.10.0, 9.9.2, 9.8.7, and 
9.7.6, and  ...)
NOT-FOR-US: VMware
 CVE-2020-5395 (FontForge 20190801 has a use-after-free in SFD_GetFontMetaData 
in sfd. ...)
-   - fontforge  (bug #948231)
+   - fontforge 1:20201107~dfsg-1 (bug #948231)
[buster] - fontforge  (Minor issue)
[stretch] - fontforge  (Minor issue)
[jessie] - fontforge  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe537f23a4bca8895159cded9f21811ad9bdc177


[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-27748/xdg-utils

2020-11-21 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5d37d186 by Salvatore Bonaccorso at 2020-11-21T10:31:01+01:00
Add Debian bug reference for CVE-2020-27748/xdg-utils

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5461,7 +5461,7 @@ CVE-2020-27749
RESERVED
 CVE-2020-27748 [local file inclusion vulnerability]
RESERVED
-   - xdg-utils 
+   - xdg-utils  (bug #975370)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1899769
NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1613425
NOTE: https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d37d1865de8a73dd9c364ec68de79bcc347e6c0


[Git][security-tracker-team/security-tracker][master] automatic update

2020-11-21 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
002d7587 by security tracker role at 2020-11-21T08:10:24+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2455,7 +2455,7 @@ CVE-2020-28362 (Go before 1.14.12 and 1.15.x before 
1.15.4 allows Denial of Serv
[stretch] - golang-1.7  (Vulnerable code introduced later)
NOTE: 
https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM/m/fLguyiM2CAAJ
NOTE: https://github.com/golang/go/issues/42552
-CVE-2020-28974 [slab-out-of-bounds Read in fbcon]
+CVE-2020-28974 (A slab-out-of-bounds read in fbcon in the Linux kernel before 
5.9.7 co ...)
- linux 5.9.9-1
NOTE: 
https://git.kernel.org/linus/3c4e0dff2095c579b142d5a0693257f1c58b4804
NOTE: https://www.openwall.com/lists/oss-security/2020/11/09/2
@@ -10330,8 +10330,7 @@ CVE-2020-25727 (The Reset Password add-on before 1.2.0 
for Alfresco suffers from
NOT-FOR-US: Reset Password add-on for Alfresco
 CVE-2020-25726
REJECTED
-CVE-2020-25725
-   RESERVED
+CVE-2020-25725 (In Xpdf 4.02, SplashOutputDev::endType3Char(GfxState *state) 
SplashOut ...)
- xpdf  (Debian uses poppler, which is not affected)
NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3=41915
 CVE-2020-25724
@@ -11701,8 +11700,8 @@ CVE-2020-25187
RESERVED
 CVE-2020-25186 (An XXE vulnerability exists within LeviStudioU Release Build 
2019-09-2 ...)
NOT-FOR-US: LeviStudioU Release
-CVE-2020-25185
-   RESERVED
+CVE-2020-25185 (The affected product is vulnerable to five post-authentication 
buffer  ...)
+   TODO: check
 CVE-2020-25184
RESERVED
 CVE-2020-25183
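Review bot: the new description for CVE-2020-25185 ("The affected product is vulnerable to five post-authentication buffer ...") never names the product, so the TODO: check placed here cannot be resolved from the truncated text alone; the triager will have to read the full CVE record or the vendor advisory before deciding between NOT-FOR-US and a Debian package.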
@@ -50792,7 +50791,7 @@ CVE-2020-8825 (index.php?p=/dashboard/settings/branding 
in Vanilla 2.6.3 allows
NOT-FOR-US: Vanilla Forums
 CVE-2020-8824 (Hitron CODA-4582U 7.1.1.30 devices allow XSS via a Managed 
Device name ...)
NOT-FOR-US: Hitron devices
-CVE-2020-8823 (htmlfile in lib/transport/htmlfile.js in SockJS before 3.0 is 
vulnerab ...)
+CVE-2020-8823 (htmlfile in lib/transport/htmlfile.js in SockJS before 0.3.0 is 
vulner ...)
NOT-FOR-US: SockJS
 CVE-2020-8822 (Digi TransPort WR21 5.2.2.3, WR44 5.1.6.4, and WR44v2 5.1.6.9 
devices  ...)
NOT-FOR-US: Digi TransPort
@@ -58472,8 +58471,8 @@ CVE-2020-5799
RESERVED
 CVE-2020-5798
RESERVED
-CVE-2020-5797
-   RESERVED
+CVE-2020-5797 (UNIX Symbolic Link (Symlink) Following in TP-Link Archer 
C9(US)_V1_180 ...)
+   TODO: check
 CVE-2020-5796 (Improper preservation of permissions in Nagios XI 5.7.4 allows 
a local ...)
NOT-FOR-US: Nagios XI
 CVE-2020-5795 (UNIX Symbolic Link (Symlink) Following in TP-Link Archer 
A7(US)_V5_200 ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/002d7587967b8b8c888ec4da9422b581e7bd64f6
