[Git][security-tracker-team/security-tracker][master] Add libxstream-java as DSA candidate
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1254955f by Salvatore Bonaccorso at 2020-12-03T07:45:38+01:00 Add libxstream-java as DSA candidate - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -19,6 +19,9 @@ chromium knot-resolver Santiago Ruano Rincón proposed a debdiff for review -- +libxstream-java + Markus Koschany proposed an update to be reviewed +-- linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v4.19.y versions. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1254955f37df537ad3d937258c9fdd7efedaf946 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1254955f37df537ad3d937258c9fdd7efedaf946 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
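Review bot: the new dsa-needed.txt entry for libxstream-java (the `+libxstream-java` / `+ Markus Koschany proposed an update to be reviewed` lines) records neither the CVE id(s) the proposed update addresses nor a reviewer in parentheses, so the next person reading the file cannot tell what is being reviewed or who has taken it; the neighbouring `linux (carnil)` entry shows the claimant convention, and a CVE id or Debian bug number on the note line would make the entry self-contained. Separately, the unchanged context line `try to regulary rebase` has a typo (`regularly`) that could be fixed in a follow-up.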
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-27786/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0002a008 by Salvatore Bonaccorso at 2020-12-03T07:42:26+01:00 Add CVE-2020-27786/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6513,6 +6513,10 @@ CVE-2020-27787 RESERVED CVE-2020-27786 RESERVED + - linux 5.6.14-1 + [buster] - linux 4.19.131-1 + [stretch] - linux 4.9.228-1 + NOTE: https://git.kernel.org/linus/c1f6e3c818dd734c30f6a7eeebf232ba2cf3181d CVE-2020-27785 RESERVED CVE-2020-27784 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0002a008d30665434b6c5a5d1c37c13fd99937a6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0002a008d30665434b6c5a5d1c37c13fd99937a6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
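Review bot: the CVE-2020-27786 entry keeps the bare `RESERVED` line and gains only the kernel commit URL, so it carries no human-readable summary; other reserved entries in this file put one in brackets (compare `CVE-2020-27819 [NULL pointer dereference via crafted xls file]`), and the subject of commit c1f6e3c818dd would serve. It would also help to say in the NOTE that 4.19.131 and 4.9.228 are the stable releases carrying the fix, since the buster and stretch versions `4.19.131-1` and `4.9.228-1` are otherwise asserted without a reference.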
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-27818/pngcheck
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 09415fa5 by Salvatore Bonaccorso at 2020-12-03T07:35:51+01:00 Add CVE-2020-27818/pngcheck - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6439,6 +6439,9 @@ CVE-2020-27819 [NULL pointer dereference via crafted xls file] NOTE: https://github.com/libxls/libxls/issues/84 CVE-2020-27818 RESERVED + - pngcheck + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1902011 + NOTE: Patch applied in Fedora: https://src.fedoraproject.org/rpms/pngcheck/blob/cc48791e34201caf7b686084b735d06cef66c974/f/pngcheck-2.4.0-overflow-bz1897485.patch CVE-2020-27817 RESERVED CVE-2020-27816 (The elasticsearch-operator does not validate the namespace where kiban ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/09415fa5d540dac9c9bda2547fc0270e2849031f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/09415fa5d540dac9c9bda2547fc0270e2849031f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
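Review bot: the `- pngcheck` line for CVE-2020-27818 gives no fixed Debian version and no Debian bug number, so the issue is tracked as open with nothing pointing at a fix or a pending upload. The patch NOTE also deserves a second look: the Fedora file is named `pngcheck-2.4.0-overflow-bz1897485.patch` while the linked Red Hat bug is 1902011, two different bug ids, so the NOTE should confirm that this patch is the fix for this CVE rather than for a sibling issue, and record which code path the overflow is in once that is known.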
[Git][security-tracker-team/security-tracker][master] dla: take thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: cdb2b86c by Emilio Pozuelo Monfort at 2020-12-03T00:16:39+01:00 dla: take thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -163,7 +163,7 @@ spice-vdagent (Abhijith PA) spip NOTE: Low priority for us. sec team did DSA-4798-1 (abhijith) -- -thunderbird +thunderbird (Emilio) -- webcit (Markus Koschany) NOTE: 20201130: Requested more information from upstream. Currently patches View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cdb2b86cffae6ff37e758635e9f10bab595f7edc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cdb2b86cffae6ff37e758635e9f10bab595f7edc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: add openjpeg2
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 4171fe1b by Thorsten Alteholz at 2020-12-02T22:26:44+01:00 add openjpeg2 - - - - - 68eb309e by Thorsten Alteholz at 2020-12-02T22:26:45+01:00 mark CVE-2020-27218 as no-dsa for Stretch - - - - - 6a5ed616 by Thorsten Alteholz at 2020-12-02T22:26:46+01:00 add minidlna - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -8294,6 +8294,7 @@ CVE-2020-27219 RESERVED CVE-2020-27218 (In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 ...) - jetty9 (bug #976211) + [stretch] - jetty9 (Minor issue) NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=568892 NOTE: https://github.com/eclipse/jetty.project/security/advisories/GHSA-86wm-rrjm-8wh8 CVE-2020-27217 (In Eclipse Hono version 1.3.0 and 1.4.0 the AMQP protocol adapter does ...) = data/dla-needed.txt = @@ -76,6 +76,8 @@ linux-4.19 (Ben Hutchings) -- mariadb-10.1 (Adrian Bunk) -- +minidlna (Thorsten Alteholz) +-- mumble NOTE: 20200325: Regression in last upload, forgot to follow up. NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith) 
@@ -91,6 +93,8 @@ open-build-service opendmarc NOTE: 20200719: no patches for remaining CVEs available, everything else is already done in Stretch (thorsten) -- +openjpeg2 (Thorsten Alteholz) +-- openldap (Utkarsh) NOTE: 2020: re-add openldap. two new slapd issues, CVEs are yet to be assigned. (utkarsh) NOTE: 20201130: couldn't complete the update, will process the upload after getting an ack from maintainer (if needed). (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/99ff2359e59683f3dcd7a6260ebd0cd64d41ba7f...6a5ed61662b3dcd3bc5acbc2a13be3d80ac22f3b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/99ff2359e59683f3dcd7a6260ebd0cd64d41ba7f...6a5ed61662b3dcd3bc5acbc2a13be3d80ac22f3b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
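Review bot: the new `[stretch] - jetty9 (Minor issue)` line for CVE-2020-27218 (commit `mark CVE-2020-27218 as no-dsa for Stretch`) gives `Minor issue` as the whole rationale; the stretch lines added elsewhere in this digest say why (for example `UBSAN outside range warning`, `DoS/div0 while package is mainly CLI`), and a few words on why the Jetty issue is considered minor for a server package would spare a later triager re-reading Eclipse bug 568892. The two dla-needed.txt additions (`minidlna (Thorsten Alteholz)`, `openjpeg2 (Thorsten Alteholz)`) are fine as claims, though a NOTE naming the CVEs being worked on would match the surrounding entries such as mumble and openldap.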
[Git][security-tracker-team/security-tracker][master] Mark golang-github-dgrijalva-jwt-go not-affected in buster and stretch
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 99ff2359 by Brian May at 2020-12-03T08:22:40+11:00 Mark golang-github-dgrijalva-jwt-go not-affected in buster and stretch - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -10654,6 +10654,8 @@ CVE-2020-26161 (In Octopus Deploy through 2020.4.2, an attacker could redirect u NOT-FOR-US: Octopus Deploy CVE-2020-26160 (jwt-go before 4.0.0-preview1 allows attackers to bypass intended acces ...) - golang-github-dgrijalva-jwt-go 3.2.0-3 (bug #971556) + [buster] - golang-github-dgrijalva-jwt-go (vulnerable code not present until version 3.0.0) + [stretch] - golang-github-dgrijalva-jwt-go (vulnerable code not present until version 3.0.0) NOTE: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515 NOTE: https://github.com/dgrijalva/jwt-go/issues/422 NOTE: https://github.com/dgrijalva/jwt-go/pull/286 = data/dla-needed.txt = @@ -49,8 +49,6 @@ f2fs-tools -- firmware-nonfree (Emilio) -- -golang-github-dgrijalva-jwt-go (Brian May) --- golang-golang-x-net-dev -- influxdb View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99ff2359e59683f3dcd7a6260ebd0cd64d41ba7f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99ff2359e59683f3dcd7a6260ebd0cd64d41ba7f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
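Review bot: the commit message says the package is marked not-affected in buster and stretch, but the rationale `(vulnerable code not present until version 3.0.0)` does not state which upstream version buster or stretch actually ship, so the claim cannot be checked from the entry itself; adding the shipped versions to the parenthetical (or a NOTE) would make the marking auditable, especially since the unstable line records the fix as `3.2.0-3` and the issue text says `jwt-go before 4.0.0-preview1`. Dropping `golang-github-dgrijalva-jwt-go (Brian May)` from dla-needed.txt is consistent with that decision.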
[Git][security-tracker-team/security-tracker][master] 3 commits: add thunderbird
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 2e2da3f3 by Thorsten Alteholz at 2020-12-02T22:15:46+01:00 add thunderbird - - - - - 02cf139f by Thorsten Alteholz at 2020-12-02T22:16:30+01:00 mark CVE-2020-28916 as postponed for Stretch - - - - - e42d36b1 by Thorsten Alteholz at 2020-12-02T22:18:33+01:00 mark CVE-2020-25665 as ignored for Stretch - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -1245,6 +1245,7 @@ CVE-2020-28916 [e1000e: infinite loop scenario in case of null packet descriptor RESERVED - qemu [buster] - qemu (Fix along in future DSA) + [stretch] - qemu (Fix along in future DLA) NOTE: https://www.openwall.com/lists/oss-security/2020/12/01/2 NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-11/msg03185.html CVE-2020-28915 (A buffer over-read (at the framebuffer layer) in the fbcon code in the ...) @@ -11874,6 +11875,7 @@ CVE-2020-25665 RESERVED - imagemagick 8:6.9.11.24+dfsg-1 [buster] - imagemagick (Minor issue) + [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1714 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/cfd829bd3581b092e0a267b3deba46fa90b9bc88 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/ca80e93cc887fb8971ceba2eead2c74e2b927df4 = data/dla-needed.txt = 
@@ -161,6 +161,8 @@ spice-vdagent (Abhijith PA) spip NOTE: Low priority for us. sec team did DSA-4798-1 (abhijith) -- +thunderbird +-- webcit (Markus Koschany) NOTE: 20201130: Requested more information from upstream. Currently patches NOTE: or workarounds are not available. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9ea502232b2e4fb12e1936c262739e1bb50406c8...e42d36b179794bf5c01cd12c60d592ea618951f5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9ea502232b2e4fb12e1936c262739e1bb50406c8...e42d36b179794bf5c01cd12c60d592ea618951f5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
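Review bot: for CVE-2020-25665 the commit message says stretch is marked ignored, yet the new `[stretch] - imagemagick (Minor issue)` line carries exactly the same reason text as the existing `[buster] - imagemagick (Minor issue)` line, which the buster triage elsewhere in this digest uses for a no-dsa decision; an ignored status normally needs its own reason (no usable patch, fix too intrusive, or similar), so the parenthetical should say why stretch is treated differently from buster. The `[stretch] - qemu (Fix along in future DLA)` line for CVE-2020-28916 mirrors the buster `Fix along in future DSA` line and reads fine.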
[Git][security-tracker-team/security-tracker][master] Add CVE-2017-2910/r-cran-readxl
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9ea50223 by Salvatore Bonaccorso at 2020-12-02T21:27:09+01:00 Add CVE-2017-2910/r-cran-readxl - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -230253,6 +230253,8 @@ CVE-2017-2912 (An exploitable vulnerability exists in the remote control functio CVE-2017-2911 (An exploitable vulnerability exists in the remote control functionalit ...) NOT-FOR-US: Circle with Disney CVE-2017-2910 (An exploitable Out-of-bounds Write vulnerability exists in the xls_add ...) + - r-cran-readxl + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2017-0417 TODO: check CVE-2017-2909 (An infinite loop programming error exists in the DNS server functional ...) - smplayer 18.5.0~ds1-1 (bug #898943) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9ea502232b2e4fb12e1936c262739e1bb50406c8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9ea502232b2e4fb12e1936c262739e1bb50406c8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
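Review bot: the CVE-2017-2910 entry now lists `- r-cran-readxl` with the Talos report, but the existing `TODO: check` line is left in place directly under the new NOTE, so the entry is simultaneously assigned and unprocessed; either drop the TODO or replace it with a NOTE saying what still has to be verified (for instance whether the readxl version in the archive still carries the `xls_add...` code named in the description, and which upstream version fixed it), and add a Debian bug number or fixed version once known.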
[Git][security-tracker-team/security-tracker][master] Track (ancient) software-properties issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ade96364 by Salvatore Bonaccorso at 2020-12-02T21:26:16+01:00 Track (ancient) software-properties issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -352574,7 +352574,8 @@ CVE-2012-0957 (The override_release function in kernel/sys.c in the Linux kernel CVE-2012-0956 (ubiquity-slideshow-ubuntu before 58.2, during installation, allows rem ...) NOT-FOR-US: ubiquity-slideshow-ubuntu CVE-2012-0955 (software-properties was vulnerable to a person-in-the-middle attack du ...) - TODO: check + - software-properties 0.92.25debian1 + NOTE: https://launchpad.net/bugs/1036839 CVE-2012-0954 (APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-ke ...) - apt 0.7.25 (unimportant) NOTE: net-update is not enabled by default in Debian View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ade963647e3243b2fe46f299743607a2fd905b8f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ade963647e3243b2fe46f299743607a2fd905b8f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
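Review bot: the CVE-2012-0955 entry replaces `TODO: check` with the fixed version `0.92.25debian1` and the Launchpad bug, but nothing records how that version was established; a NOTE pointing at the changelog entry or the commit that closed LP: #1036839 would let the fixed-version claim be verified, which matters for an eight-year-old issue where the history is no longer fresh.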
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e32b1e30 by Salvatore Bonaccorso at 2020-12-02T21:25:48+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -57,11 +57,11 @@ CVE-2020-29460 CVE-2020-29459 RESERVED CVE-2020-29458 (Textpattern CMS 4.6.2 allows CSRF via the prefs subsystem. ...) - TODO: check + NOT-FOR-US: Textpattern CMS CVE-2020-29457 RESERVED CVE-2020-29456 (Multiple cross-site scripting (XSS) vulnerabilities in Papermerge befo ...) - TODO: check + NOT-FOR-US: Papermerge CVE-2020-29455 RESERVED CVE-2020-29454 (Editors/LogViewerController.cs in Umbraco through 8.9.1 allows a user ...) @@ -199,7 +199,7 @@ CVE-2020-29391 CVE-2020-29390 (Zeroshell 3.9.3 contains a command injection vulnerability in the /cgi ...) NOT-FOR-US: Zeroshell CVE-2020-29389 (The official Crux Linux Docker images 3.0 through 3.4 contain a blank ...) - TODO: check + NOT-FOR-US: Crux Linux Docker images CVE-2020-29388 RESERVED CVE-2020-29387 @@ -529,9 +529,9 @@ CVE-2020-29242 CVE-2020-29241 RESERVED CVE-2020-29240 (Lepton-CMS 4.7.0 is affected by cross-site scripting (XSS). An attacke ...) - TODO: check + NOT-FOR-US: Lepton-CMS CVE-2020-29239 (Online Birth Certificate System Project V 1.0 is affected by cross-sit ...) - TODO: check + NOT-FOR-US: Online Birth Certificate System Project CVE-2020-29238 RESERVED CVE-2020-29237 
@@ -38840,17 +38840,17 @@ CVE-2020-13500 (SQL injection vulnerability exists in the CHaD.asmx web service CVE-2020-13499 (An SQL injection vulnerability exists in the CHaD.asmx web service fun ...) NOT-FOR-US: CHaD.asmx CVE-2020-13498 (An exploitable vulnerability exists in the way Pixar OpenUSD 20.05 han ...) - TODO: check + NOT-FOR-US: Pixar OpenUSD CVE-2020-13497 (An exploitable vulnerability exists in the way Pixar OpenUSD 20.05 han ...) - TODO: check + NOT-FOR-US: Pixar OpenUSD CVE-2020-13496 (An exploitable vulnerability exists in the way Pixar OpenUSD 20.05 han ...) - TODO: check + NOT-FOR-US: Pixar OpenUSD CVE-2020-13495 RESERVED CVE-2020-13494 (A heap overflow vulnerability exists in the Pixar OpenUSD 20.05 parsin ...) - TODO: check + NOT-FOR-US: Pixar OpenUSD CVE-2020-13493 (A heap overflow vulnerability exists in Pixar OpenUSD 20.05 when the s ...) - TODO: check + NOT-FOR-US: Pixar OpenUSD CVE-2020-13492 RESERVED CVE-2020-13491 @@ -41274,7 +41274,7 @@ CVE-2020-12526 CVE-2020-12525 RESERVED CVE-2020-12524 (Uncontrolled Resource Consumption can be exploited to cause the Phoeni ...) - TODO: check + NOT-FOR-US: Phoenix Contact HMIs BTP CVE-2020-12523 RESERVED CVE-2020-12522 
@@ -55492,7 +55492,7 @@ CVE-2020-7535 CVE-2020-7534 RESERVED CVE-2020-7533 (A CWE-255: Credentials Management vulnerability exists in Web Server o ...) - TODO: check + NOT-FOR-US: Modicon CVE-2020-7532 (A CWE-502 Deserialization of Untrusted Data vulnerability exists in SC ...) NOT-FOR-US: SCADAPack x70 Security Administrator CVE-2020-7531 (A CWE-284 Improper Access Control vulnerability exists in SCADAPack 7x ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e32b1e30b057458dc1c366e56b84e2e5f3b5075a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e32b1e30b057458dc1c366e56b84e2e5f3b5075a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
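Review bot: in the CVE-2020-7533 hunk the new marking `NOT-FOR-US: Modicon` names a product family, whereas the neighbouring entries name the exact product (`SCADAPack x70 Security Administrator`, `SCADAPack 7x...`) and the issue text itself locates the flaw in the `Web Server o...` component; naming the specific Modicon product from the advisory would keep the NFU list searchable. The other NOT-FOR-US conversions in this commit (Textpattern CMS, Papermerge, Crux Linux Docker images, Lepton-CMS, Online Birth Certificate System Project, Pixar OpenUSD, Phoenix Contact HMIs BTP) name the product and look right.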
[Git][security-tracker-team/security-tracker][master] Track information for CVE-2020-27752 according to discussion in upstream issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a2fad8f9 by Salvatore Bonaccorso at 2020-12-02T21:18:11+01:00 Track information for CVE-2020-27752 according to discussion in upstream issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6729,9 +6729,10 @@ CVE-2020-27753 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/6f5d3d2cd94eb8361e07546c4bf72cb60681b984 CVE-2020-27752 RESERVED - - imagemagick + - imagemagick 8:6.9.11.24+dfsg-1 NOTE: https://github.com/ImageMagick/ImageMagick/issues/1752 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/a9d563d3d73874312080d30dc4ba07cecad56192 + NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/27d3ddedb73f63fa984ff5b4d66e07eef654070f CVE-2020-27751 RESERVED - imagemagick 8:6.9.11.24+dfsg-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2fad8f9e16c0c7c974d8482df44fb34515055be -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2fad8f9e16c0c7c974d8482df44fb34515055be You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
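Review bot: CVE-2020-27752 now has the fixed version `8:6.9.11.24+dfsg-1` and the ImageMagick6 commit, but unlike the sibling CVE-2020-277xx ImageMagick entries it gets no `[buster]` or `[stretch]` triage line and keeps a bare `RESERVED` with no bracketed summary; since the commit message says the information comes from the upstream issue, a one-line summary from issue 1752 plus the buster/stretch decision would bring the entry in line with the rest of the batch.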
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5f06acab by security tracker role at 2020-12-02T20:10:20+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,67 @@ +CVE-2021-1635 + RESERVED +CVE-2021-1634 + RESERVED +CVE-2021-1633 + RESERVED +CVE-2021-1632 + RESERVED +CVE-2021-1631 + RESERVED +CVE-2021-1630 + RESERVED +CVE-2021-1629 + RESERVED +CVE-2021-1628 + RESERVED +CVE-2021-1627 + RESERVED +CVE-2021-1626 + RESERVED +CVE-2020-29477 + RESERVED +CVE-2020-29476 + RESERVED +CVE-2020-29475 + RESERVED +CVE-2020-29474 + RESERVED +CVE-2020-29473 + RESERVED +CVE-2020-29472 + RESERVED +CVE-2020-29471 + RESERVED +CVE-2020-29470 + RESERVED +CVE-2020-29469 + RESERVED +CVE-2020-29468 + RESERVED +CVE-2020-29467 + RESERVED +CVE-2020-29466 + RESERVED +CVE-2020-29465 + RESERVED +CVE-2020-29464 + RESERVED +CVE-2020-29463 + RESERVED +CVE-2020-29462 + RESERVED +CVE-2020-29461 + RESERVED +CVE-2020-29460 + RESERVED +CVE-2020-29459 + RESERVED +CVE-2020-29458 (Textpattern CMS 4.6.2 allows CSRF via the prefs subsystem. ...) + TODO: check +CVE-2020-29457 + RESERVED +CVE-2020-29456 (Multiple cross-site scripting (XSS) vulnerabilities in Papermerge befo ...) + TODO: check CVE-2020-29455 RESERVED CVE-2020-29454 (Editors/LogViewerController.cs in Umbraco through 8.9.1 allows a user ...) @@ -134,8 +198,8 @@ CVE-2020-29391 RESERVED CVE-2020-29390 (Zeroshell 3.9.3 contains a command injection vulnerability in the /cgi ...) NOT-FOR-US: Zeroshell -CVE-2020-29389 - RESERVED +CVE-2020-29389 (The official Crux Linux Docker images 3.0 through 3.4 contain a blank ...) + TODO: check CVE-2020-29388 RESERVED CVE-2020-29387 
@@ -464,10 +528,10 @@ CVE-2020-29242 RESERVED CVE-2020-29241 RESERVED -CVE-2020-29240 - RESERVED -CVE-2020-29239 - RESERVED +CVE-2020-29240 (Lepton-CMS 4.7.0 is affected by cross-site scripting (XSS). An attacke ...) + TODO: check +CVE-2020-29239 (Online Birth Certificate System Project V 1.0 is affected by cross-sit ...) + TODO: check CVE-2020-29238 RESERVED CVE-2020-29237 @@ -5188,10 +5252,10 @@ CVE-2020-28275 RESERVED CVE-2020-28274 RESERVED -CVE-2020-28273 - RESERVED -CVE-2020-28272 - RESERVED +CVE-2020-28273 (Prototype pollution vulnerability in 'set-in' versions 1.0.0 through 2 ...) + TODO: check +CVE-2020-28272 (Prototype pollution vulnerability in 'keyget' versions 1.0.0 through 2 ...) + TODO: check CVE-2020-28271 (Prototype pollution vulnerability in 'deephas' versions 1.0.0 through ...) NOT-FOR-US: Node deephas CVE-2020-28270 (Overview:Prototype pollution vulnerability in object-hierarchy- ...) @@ -10460,6 +10524,7 @@ CVE-2020-26217 (XStream before version 1.4.14 is vulnerable to Remote Code Execu CVE-2020-26216 (TYPO3 Fluid before versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 ...) NOT-FOR-US: TYPO3 Fluid CVE-2020-26215 (Jupyter Notebook before version 6.1.5 has an Open redirect vulnerabili ...) + {DLA-2477-1} - jupyter-notebook 6.1.5-1 NOTE: https://github.com/jupyter/notebook/security/advisories/GHSA-c7vm-f5p4-8fqh NOTE: https://github.com/jupyter/notebook/commit/2e1c56b0c4a903606d4a2eb13e32409296b9799d @@ -11678,6 +11743,7 @@ CVE-2020-25697 NOTE: Long-standing design limitation in X11, unlikely to get fixed until the world moves to Wayland NOTE: https://www.openwall.com/lists/oss-security/2020/11/09/3 CVE-2020-25696 (A flaw was found in the psql interactive terminal of PostgreSQL in ver ...) + {DLA-2478-1} - postgresql-13 13.1-1 - postgresql-12 - postgresql-11 
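Review bot: the two newly described entries CVE-2020-28273 (`set-in`) and CVE-2020-28272 (`keyget`) are left at `TODO: check`, while the adjacent CVE-2020-28271 (`deephas`) in the same hunk is already `NOT-FOR-US: Node deephas`; these are the same kind of npm prototype-pollution report, so the check is whether either module is packaged in Debian, and if not they should get the same NOT-FOR-US treatment in the next triage pass. The `{DLA-2477-1}` and `{DLA-2478-1}` references added for jupyter-notebook and the three PostgreSQL CVEs are the automatic import of published DLAs and need no action.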
@@ -11685,6 +11751,7 @@ CVE-2020-25696 (A flaw was found in the psql interactive terminal of PostgreSQL - postgresql-9.6 NOTE: https://www.postgresql.org/about/news/postgresql-131-125-1110-1015-9620-and-9524-released-2111/ CVE-2020-25695 (A flaw was found in PostgreSQL versions before 13.1, before 12.5, befo ...) + {DLA-2478-1} - postgresql-13 13.1-1 - postgresql-12 - postgresql-11 @@ -11692,6 +11759,7 @@ CVE-2020-25695 (A flaw was found in PostgreSQL versions before 13.1, before 12.5 - postgresql-9.6 NOTE: https://www.postgresql.org/about/news/postgresql-131-125-1110-1015-9620-and-9524-released-2111/ CVE-2020-25694 (A flaw was found in PostgreSQL versions before 13.1, before 12.5, befo ...) + {DLA-2478-1} - postgresql-13 13.1-1 - postgresql-12 - postgresql-11 @@ -11934,8 +12002,7 @@ CVE-2020-25639 [NULL pointer
[Git][security-tracker-team/security-tracker][master] Reference partial mitigation for CVE-2020-14145
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d2ced27a by Salvatore Bonaccorso at 2020-12-02T21:09:00+01:00 Reference partial mitigation for CVE-2020-14145 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -37004,6 +37004,7 @@ CVE-2020-14145 (The client side in OpenSSH 5.7 through 8.3 has an Observable Dis NOTE: https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf NOTE: The OpenSSH project is not planning to change the behaviour of OpenSSH regarding NOTE: the issue, details in "3.1 OpenSSH" in the publication. + NOTE: Partial mitigation: https://anongit.mindrot.org/openssh.git/commit/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d (V_8_4_P1) CVE-2020-14144 (** DISPUTED ** The git hook feature in Gitea 1.1.0 through 1.12.5 migh ...) - gitea CVE-2020-14143 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2ced27a29e7d0670f361c1d0b28b0c04b78d742 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2ced27a29e7d0670f361c1d0b28b0c04b78d742 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
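Review bot: the new NOTE for CVE-2020-14145 records commit b3855ff0 (V_8_4_P1) as a partial mitigation, but the hunk does not show whether the openssh package line was adjusted to match, so it stays unclear whether versions based on 8.4p1 are to be treated as fixed, as still affected, or as unimportant given the preceding NOTE that upstream will not change the behaviour; stating that decision next to the mitigation reference would stop a reader from taking the commit link as a fix. A few words on what the commit actually changes (it is only labelled `partial`) would also help.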
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2020-27766
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 70215985 by Salvatore Bonaccorso at 2020-12-02T20:57:30+01:00 Update information for CVE-2020-27766 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6557,9 +6557,12 @@ CVE-2020-27767 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/c2f66e7fc9189a652f77a021bd047c4146d634d1 CVE-2020-27766 RESERVED - - imagemagick + - imagemagick 8:6.9.11.24+dfsg-1 + [buster] - imagemagick (Minor issue) [stretch] - imagemagick (Minor issue, UBSAN outside range warning) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1734 + NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/29cee9152d1b5487cfd19443ca48935eea0cabe2 + NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/052175e4b190598141fbcc64641cd5ee4db3602d NOTE: Same fix as CVE-2020-27774 CVE-2020-27765 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/702159851bedfe47b84282ee11e52b1ec31ce470 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/702159851bedfe47b84282ee11e52b1ec31ce470 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
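Review bot: the stretch reason for CVE-2020-27766 reads `UBSAN outside range warning` while the entry says `Same fix as CVE-2020-27774`, whose own stretch line added in the earlier Sylvain Beucler commit reads `UBSAN shift exponent warning`; the two commits 29cee9152d1b and 052175e4b190 are identical in both entries, so the two descriptions of the same defect should be reconciled (or the difference explained), otherwise the Minor-issue rationale looks inconsistent between the two CVEs.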
[Git][security-tracker-team/security-tracker][master] buster triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: cbb05856 by Moritz Muehlenhoff at 2020-12-02T19:37:20+01:00 buster triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -122,6 +122,7 @@ CVE-2020-29395 (The EventON plugin through 3.0.5 for WordPress allows addons/?q= NOT-FOR-US: EventON plugin for WordPress CVE-2020-29394 (A buffer overflow in the dlt_filter_load function in dlt_common.c in d ...) - dlt-daemon 2.18.5-0.3 (bug #976228) + [buster] - dlt-daemon (Minor issue) NOTE: https://github.com/GENIVI/dlt-daemon/issues/274 NOTE: https://github.com/GENIVI/dlt-daemon/pull/275 NOTE: https://github.com/GENIVI/dlt-daemon/commit/ff4f44c159df6f44b48bd38c9d2f104eb360be11 @@ -686,12 +687,14 @@ CVE-2020-29131 CVE-2020-29130 (slirp.c in libslirp through 4.3.1 has a buffer over-read because it tr ...) - libslirp - qemu 1:4.1-2 + [buster] - qemu (Fix along in future DSA) [stretch] - qemu (Fix along in future DLA, when fixed upstream) NOTE: https://lists.freedesktop.org/archives/slirp/2020-November/000115.html NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed. CVE-2020-29129 (ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tri ...) - libslirp - qemu 1:4.1-2 + [buster] - qemu (Fix along in future DSA) [stretch] - qemu (Fix along in future DLA, when fixed upstream) NOTE: https://lists.freedesktop.org/archives/slirp/2020-November/000115.html NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed. @@ -1117,6 +1120,7 @@ CVE-2020-28936 CVE-2020-28935 RESERVED - unbound + [buster] - unbound (Minor issue) [stretch] - unbound (DSA 4694-1) NOTE: https://github.com/NLnetLabs/unbound/issues/303 NOTE: Fixed by: https://github.com/NLnetLabs/unbound/commit/ad387832979b6ce4c93f64fe706301cd7d034e87 (release-1.13.0rc1) 
@@ -1176,6 +1180,7 @@ CVE-2020-28917 (An issue was discovered in the view_statistics (aka View fronten CVE-2020-28916 [e1000e: infinite loop scenario in case of null packet descriptor] RESERVED - qemu + [buster] - qemu (Fix along in future DSA) NOTE: https://www.openwall.com/lists/oss-security/2020/12/01/2 NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-11/msg03185.html CVE-2020-28915 (A buffer over-read (at the framebuffer layer) in the fbcon code in the ...) @@ -11317,6 +11322,7 @@ CVE-2020-25830 (An issue was discovered in MantisBT before 2.24.3. Improper esca - mantis CVE-2020-25829 (An issue has been found in PowerDNS Recursor before 4.1.18, 4.2.x befo ...) - pdns-recursor 4.3.5-1 (bug #972159) + [buster] - pdns-recursor (Minor issue) NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html CVE-2020-25828 (An issue was discovered in MediaWiki before 1.31.10 and 1.32.x through ...) {DSA-4767-1 DLA-2379-1} = data/dsa-needed.txt = @@ -25,11 +25,9 @@ linux (carnil) -- netty -- -pdns-recursor --- salt -- -thunderbird +thunderbird (jmm) -- xcftools Hugo proposed to work on this update View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cbb058566811673796cb5ddf0164309bede0c82b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cbb058566811673796cb5ddf0164309bede0c82b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
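Review bot: for CVE-2020-29130 and CVE-2020-29129 the new `[buster] - qemu (Fix along in future DSA)` lines only cover qemu; the `- libslirp` line has no version and no release triage even though the description says libslirp through 4.3.1 is affected and the NOTE explains that qemu 1:4.1-2 counts as fixed only because it switched to the system libslirp, so the fix status for buster and stretch ultimately depends on libslirp and should be recorded there too (or a NOTE should say those releases do not ship it). The rest of the commit is consistent: pdns-recursor is dropped from dsa-needed.txt in the same change that marks CVE-2020-25829 `Minor issue` for buster, and thunderbird is now claimed by jmm.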
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2020-27766/imagemagick: reference fix, stretch triage
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 5af268f0 by Sylvain Beucler at 2020-12-02T18:02:22+01:00 CVE-2020-27766/imagemagick: reference fix, stretch triage - - - - - 4df4e396 by Sylvain Beucler at 2020-12-02T18:03:26+01:00 imagemagick: stretch triage CVE-2020-27774 CVE-2020-27770 CVE-2020-27751 clarifications marked div0 issues as postponed rather than ignored - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6481,7 +6481,7 @@ CVE-2020-27775 RESERVED - imagemagick 8:6.9.11.24+dfsg-1 [buster] - imagemagick (Minor issue) - [stretch] - imagemagick (Minor issue, UBSAN outside range) + [stretch] - imagemagick (Minor issue, UBSAN outside range warning) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1737 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/a2166bfb1049bac4c0f7b8b5d3ef86a1f48470b2 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/78d9987ae80a95865c9f139afde0dcf3fd832ddc @@ -6489,6 +6489,7 @@ CVE-2020-27774 RESERVED - imagemagick 8:6.9.11.24+dfsg-1 [buster] - imagemagick (Minor issue) + [stretch] - imagemagick (Minor issue, UBSAN shift exponent warning) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1743 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/29cee9152d1b5487cfd19443ca48935eea0cabe2 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/052175e4b190598141fbcc64641cd5ee4db3602d 
@@ -6496,7 +6497,7 @@ CVE-2020-27773 RESERVED - imagemagick 8:6.9.11.24+dfsg-1 [buster] - imagemagick (Minor issue) - [stretch] - imagemagick (Minor issue, DoS/div0 while package is mainly CLI) + [stretch] - imagemagick (Minor issue, DoS/div0 while package is mainly CLI) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1739 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/3d71aa8265ffaaf686021a6fbd54c037f71ee3a2 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/be6ffd9f283c2681d74469db8b000701665cf034 @@ -6504,7 +6505,7 @@ CVE-2020-27772 RESERVED - imagemagick 8:6.9.11.24+dfsg-1 [buster] - imagemagick (Minor issue) - [stretch] - imagemagick (Minor issue, UBSAN outside range) + [stretch] - imagemagick (Minor issue, UBSAN outside range warning) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1749 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/a1142af44f61c038ad3eccc099c5b9548b507846 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/7f819ef8855608d9cb1ded5e4f30cdfff1da7c11 @@ -6512,7 +6513,7 @@ CVE-2020-27771 RESERVED - imagemagick 8:6.9.11.24+dfsg-1 [buster] - imagemagick (Minor issue) - [stretch] - imagemagick (Minor issue, UBSAN outside range) + [stretch] - imagemagick (Minor issue, UBSAN outside range warning) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1753 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/872ffe6d0131beec8b47568a4874ffaca91a872e NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/9dd1c7e1f8f6c137bfd3293be2554f59456c7b62 
@@ -6521,6 +6522,7 @@ CVE-2020-27770 RESERVED - imagemagick 8:6.9.11.24+dfsg-1 [buster] - imagemagick (Minor issue) + [stretch] - imagemagick (Minor issue, UBSAN offset overflowed warning) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1721 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/be90a5395695f0d19479a5d46b06c678be7f7927 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/c01495f91ac71c5205f52713430b68e80d851149 @@ -6528,7 +6530,7 @@ CVE-2020-27769 RESERVED - imagemagick 8:6.9.11.24+dfsg-1 [buster] - imagemagick (Minor issue) - [stretch] - imagemagick (Minor issue, UBSAN outside range) + [stretch] - imagemagick (Minor issue, UBSAN outside range warning) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1740 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/7b058696133c6d36e0b48a454e357482db71982e NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/7661113a654c9c822c23a8fb8aa1b021fc7fbe9d @@ -6536,7 +6538,7 @@ CVE-2020-27768 RESERVED - imagemagick 8:6.9.11.24+dfsg-1 [buster] - imagemagick (Minor issue) - [stretch] - imagemagick (Minor issue, UBSAN outside range) + [stretch] - imagemagick (Minor issue, UBSAN outside range warning) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1751 NOTE:
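Review bot: in the CVE-2020-27773 hunk the removed and the added `[stretch]` line read identically, so the real change (per the second commit message, div0 issues moved from ignored to postponed, i.e. the state tag) does not show in this rendering; the same applies to the `(Minor issue)` buster lines, whose no-dsa marker is presumably an angle-bracket tag stripped as markup. The second commit message also lists CVE-2020-27751, but the diff shown is cut off before that entry, so that part cannot be reviewed here.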
[Git][security-tracker-team/security-tracker][master] Move note down in listing
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 95905150 by Salvatore Bonaccorso at 2020-12-02T17:09:15+01:00 Move note down in listing - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6365,8 +6365,8 @@ CVE-2020-27820 RESERVED CVE-2020-27819 [NULL pointer dereference via crafted xls file] RESERVED - NOTE: https://github.com/libxls/libxls/issues/84 - r-cran-readxl (Embeds libxls, but not affected) + NOTE: https://github.com/libxls/libxls/issues/84 CVE-2020-27818 RESERVED CVE-2020-27817 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/95905150fe261a0fe539453640cc81a04cc7d931 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/95905150fe261a0fe539453640cc81a04cc7d931 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] mongodb: stretch triage
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 420483ee by Sylvain Beucler at 2020-12-02T16:46:08+01:00 mongodb: stretch triage CVE-2018-20803 CVE-2019-2392 CVE-2019-2393 CVE-2020-7926 CVE-2020-7928 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9679,7 +9679,7 @@ CVE-2019-20925 (An unauthenticated client can trigger denial of service by issui [stretch] - mongodb (Vulnerable code introduced later) NOTE: https://jira.mongodb.org/browse/SERVER-43751 NOTE: https://github.com/mongodb/mongo/commit/c1a956e084d39e6da75cd347e63d0064ed9151a8 (3.4.24, AGPL) - NOTE: Introduced by: 91800fc61913358350b658406065c5d893d2ba2c (v3.3.11) + NOTE: Introduced by: https://github.com/mongodb/mongo/commit/91800fc61913358350b658406065c5d893d2ba2c (v3.3.11) CVE-2019-20924 (A user authorized to perform database queries may trigger denial of se ...) - mongodb [stretch] - mongodb (Vulnerable code introduced later) 
@@ -54423,12 +54423,17 @@ CVE-2020-7929 RESERVED CVE-2020-7928 (A user authorized to perform database queries may trigger a read overr ...) - mongodb + [stretch] - mongodb (Vulnerable code introduced later) NOTE: https://jira.mongodb.org/browse/SERVER-49404 + NOTE: https://github.com/mongodb/mongo/commit/e10ce2e779cd17c9ba217c49740cffd2bef72694 (v3.6.20, SSPL) + NOTE: Introduced by: https://github.com/mongodb/mongo/commit/5b8b1ca6364342d5a1bf21ec6c707edfae0f3555 (v3.5.5) CVE-2020-7927 (Specially crafted API calls may allow an authenticated user who holds ...) NOT-FOR-US: MongoDB Ops Manager CVE-2020-7926 (A user authorized to perform database queries may cause denial of serv ...) - mongodb + [stretch] - mongodb (Minor issue, authenticated DoS) NOTE: https://jira.mongodb.org/browse/SERVER-50170 + NOTE: https://github.com/mongodb/mongo/commit/859ec65c84f201e7aa687865633a2fa34e318174 (v4.4.1, SSPL) CVE-2020-7925 (Incorrect validation of user input in the role name parser may lead to ...) - mongodb [stretch] - mongodb (Vulnerable code introduced later) @@ -104536,6 +104541,7 @@ CVE-2018-20804 (A user authorized to perform database queries may trigger denial NOTE: Introduced by: https://github.com/mongodb/mongo/commit/a69ae445303fc4821c6745866b3902623a385c1c (v3.5.10) CVE-2018-20803 (A user authorized to perform database queries may trigger denial of se ...) - mongodb + [stretch] - mongodb (Minor issue, authenticated DoS) NOTE: https://jira.mongodb.org/browse/SERVER-38070 NOTE: https://github.com/mongodb/mongo/commit/a2d97db8fe449d15eb8e275bbf318491781472bf (v3.4.19, AGPL) NOTE: Introduced by: https://github.com/mongodb/mongo/commit/a8176cf1da9fdbcc48334bfb3c71fedf37e77879 (v3.1.7) 
@@ -125311,10 +125317,14 @@ CVE-2019-2394 RESERVED CVE-2019-2393 (A user authorized to perform database queries may trigger denial of se ...) - mongodb + [stretch] - mongodb (Minor issue, authenticated DoS) NOTE: https://jira.mongodb.org/browse/SERVER-43350 + NOTE: https://github.com/mongodb/mongo/commit/785b41740a216429573a89a5df82f96064965559 (v3.6.15, SSPL) CVE-2019-2392 (A user authorized to perform database queries may trigger denial of se ...) - mongodb + [stretch] - mongodb (Minor issue, authenticated DoS) NOTE: https://jira.mongodb.org/browse/SERVER-43699 + NOTE: https://github.com/mongodb/mongo/commit/b5ff43f92c0e562121477e8253a56b2d83825571 (v3.4.24, AGPL) CVE-2019-2391 (Incorrect parsing of certain JSON input may result in js-bson not corr ...) [experimental] - node-mongodb 3.5.5+~cs11.12.19-1 - node-mongodb 3.5.6+~cs11.12.19-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/420483eef4cbaeaf6fad6a9a92960c93b4aeb383 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/420483eef4cbaeaf6fad6a9a92960c93b4aeb383 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
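Review bot: for CVE-2020-7926 only a v4.4.1 (SSPL) fix commit is recorded, whereas the sibling entries CVE-2019-2392, CVE-2019-2393 and CVE-2018-20803 cite 3.4.x/3.6.x commits; if no older-branch backport exists, a NOTE saying so would save the next person a search. The first hunk's change of a bare hash to a full commit URL for CVE-2019-20925 matches the `Introduced by:` URLs added in the other hunks, and the (AGPL)/(SSPL) annotations next to each fix reference are worth keeping on every new entry.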
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5e6e3183 by Moritz Muehlenhoff at 2020-12-02T14:37:02+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,7 @@ CVE-2020-29455 RESERVED CVE-2020-29454 (Editors/LogViewerController.cs in Umbraco through 8.9.1 allows a user ...) - TODO: check + NOT-FOR-US: Umbraco CMS CVE-2020-29453 RESERVED CVE-2020-29452 @@ -6366,7 +6366,7 @@ CVE-2020-27820 CVE-2020-27819 [NULL pointer dereference via crafted xls file] RESERVED NOTE: https://github.com/libxls/libxls/issues/84 - TODO: check, while r-cran-readxl, this particular issue seems not to affect the embedded copy and their usage + - r-cran-readxl (Embeds libxls, but not affected) CVE-2020-27818 RESERVED CVE-2020-27817 @@ -10376,7 +10376,7 @@ CVE-2020-26247 CVE-2020-26246 RESERVED CVE-2020-26245 (npm package systeminformation before version 4.30.5 is vulnerable to P ...) - TODO: check + NOT-FOR-US: Node systeminformation CVE-2020-26244 RESERVED CVE-2020-26243 (Nanopb is a small code-size Protocol Buffers implementation. In Nanopb ...) 
@@ -36854,7 +36854,7 @@ CVE-2020-14195 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the in CVE-2020-14194 (Zulip Server before 2.1.5 allows reverse tabnapping via a topic header ...) - zulip-server (bug #800052) CVE-2020-14193 (Affected versions of Automation for Jira - Server allowed remote attac ...) - TODO: check + NOT-FOR-US: Atlassian CVE-2020-14192 RESERVED CVE-2020-14191 (Affected versions of Atlassian Fisheye/Crucible allow remote attackers ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e6e3183749cc2c95c3467e4d796e1ae953d52f7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e6e3183749cc2c95c3467e4d796e1ae953d52f7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
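Review bot: the CVE-2020-27819 hunk replaces a TODO that said the issue "seems not to affect the embedded copy" with a definite `- r-cran-readxl (Embeds libxls, but not affected)`; since the not-affected state now stands without its reasoning, a NOTE pointing at what was checked in the embedded libxls copy would keep this reviewable later. The three NOT-FOR-US conversions (Umbraco CMS, Node systeminformation, Atlassian) are straightforward.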
[Git][security-tracker-team/security-tracker][master] Track proposed update for postgresql-11 via buster-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eb6793ea by Salvatore Bonaccorso at 2020-12-02T14:19:12+01:00 Track proposed update for postgresql-11 via buster-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -139,6 +139,12 @@ CVE-2020-26575 [buster] - wireshark 2.6.20-0+deb10u1 CVE-2020-28030 [buster] - wireshark 2.6.20-0+deb10u1 +CVE-2020-25694 + [buster] - postgresql-11 11.10-0+deb10u1 +CVE-2020-25695 + [buster] - postgresql-11 11.10-0+deb10u1 +CVE-2020-25696 + [buster] - postgresql-11 11.10-0+deb10u1 CVE-2019-19039 [buster] - linux 4.19.160-1 CVE-2019-19377 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb6793eadbd2bd2dc8024914950adcf46b64d492 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb6793eadbd2bd2dc8024914950adcf46b64d492 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
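Review bot: the three buster-pu entries correctly share the single target version 11.10-0+deb10u1, but the matching data/CVE/list entries in this thread still carry `[buster] - postgresql-11 (Minor issue)` (see the b8d230a5 hunks below); once the point update is accepted, those lines will need the fixed version so that buster is no longer shown as handled by the no-dsa tag alone.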
[Git][security-tracker-team/security-tracker][master] Mark older php entry as removed
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 66fa54eb by Salvatore Bonaccorso at 2020-12-02T14:14:12+01:00 Mark older php entry als removed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -388765,7 +388765,7 @@ CVE-2009-2779 (SQL injection vulnerability in index.php in AJ Matrix DNA allows CVE-2008-7003 (Multiple SQL injection vulnerabilities in login.php in The Rat CMS Alp ...) NOT-FOR-US: The Rat CMS CVE-2008-7002 (PHP 5.2.5 does not enforce (a) open_basedir and (b) safe_mode_exec_dir ...) - - php5 (unimportant) + - php5 (unimportant) NOTE: safe-mode and basedir violations not treated as security issues CVE-2008-7001 (Unrestricted file upload vulnerability in the file manager in Creative ...) NOT-FOR-US: Creative Mind Creator CMS View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/66fa54eb1fe223c0868719a56c608c874c3a8da4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/66fa54eb1fe223c0868719a56c608c874c3a8da4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
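Review bot: the removed and the added `- php5 (unimportant)` lines are identical in this rendering, so the "removed" marker the commit message refers to is not visible here (presumably an angle-bracket state tag stripped as markup); nothing to object to in the change itself, though "als" in the commit message should read "as".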
[Git][security-tracker-team/security-tracker][master] Add patch refs for CVE-2020-16846 CVE-2020-17490 CVE-2020-25592
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e0a6d03 by Abhijith PA at 2020-12-02T18:29:47+05:30 Add patch refs for CVE-2020-16846 CVE-2020-17490 CVE-2020-25592 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12087,6 +12087,8 @@ CVE-2020-25593 CVE-2020-25592 (In SaltStack Salt through 3002, salt-netapi improperly validates eauth ...) - salt 3002.1+dfsg1-1 NOTE: https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/ + NOTE: https://gitlab.com/saltstack/open/salt-patches/-/blob/master/patches/2020/09/25/2018.3.5.patch (2018.3.5) + NOTE: https://gitlab.com/saltstack/open/salt-patches/-/raw/master/patches/2020/09/25/2016.11.3.patch (2016.11.3) CVE-2020-25591 RESERVED CVE-2020-25590 @@ -28608,6 +28610,8 @@ CVE-2020-17491 CVE-2020-17490 (The TLS module within SaltStack Salt through 3002 creates certificates ...) - salt 3002.1+dfsg1-1 NOTE: https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/ + NOTE: https://gitlab.com/saltstack/open/salt-patches/-/raw/master/patches/2020/09/02/2018.3.x.patch (2018.3.x) + NOTE: https://gitlab.com/saltstack/open/salt-patches/-/raw/master/patches/2020/09/02/2016.11.x.patch (2016.11.x) CVE-2020-17489 (An issue was discovered in certain configurations of GNOME gnome-shell ...) {DLA-2374-1} - gnome-shell 3.36.5-1 (bug #968311) 
@@ -29928,6 +29932,8 @@ CVE-2020-16847 (Extreme Analytics in Extreme Management Center before 8.5.0.169 CVE-2020-16846 (An issue was discovered in SaltStack Salt through 3002. Sending crafte ...) - salt 3002.1+dfsg1-1 NOTE: https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/ + NOTE: https://gitlab.com/saltstack/open/salt-patches/-/raw/master/patches/2020/09/02/2018.3.x.patch (2018.3.x) + NOTE: https://gitlab.com/saltstack/open/salt-patches/-/raw/master/patches/2020/09/02/2016.11.x.patch (2016.11.x) CVE-2020-16845 (Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loo ...) {DLA-2460-1 DLA-2459-1} - golang-1.15 1.15~rc2-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e0a6d03245c9860f739d0b97f522b3dfb7a09b0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e0a6d03245c9860f739d0b97f522b3dfb7a09b0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
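Review bot: the two CVE-2020-25592 references are inconsistent, one using `/-/blob/master/...` (a rendered page) and the other `/-/raw/master/...`; the later hunks use `/-/raw/` throughout, so the 2018.3.5 link should probably be `/-/raw/` as well. Also, CVE-2020-17490 and CVE-2020-16846 point at the very same files (patches/2020/09/02/2018.3.x.patch and 2016.11.x.patch), so a NOTE stating that one patch covers both CVEs would spare a backporter from trying to apply it twice.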
[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for CVE-2020-14360 and CVE-2020-25712
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0c108943 by Salvatore Bonaccorso at 2020-12-02T12:24:15+01:00 Track fixed version via unstable for CVE-2020-14360 and CVE-2020-25712 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11617,7 +11617,7 @@ CVE-2020-25713 [Out of bounds read leads to segfault in raptor_xml_writer_start_ NOTE: https://bugs.librdf.org/mantis/view.php?id=650 CVE-2020-25712 [Fix XkbSetDeviceInfo() and SetDeviceIndicators() heap overflows] RESERVED - - xorg-server (bug #976216) + - xorg-server 2:1.20.10-1 (bug #976216) NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/87c64fc5b0db9f62f4e361444f4b60501ebf67b9 CVE-2020-25711 RESERVED @@ -36336,7 +36336,7 @@ CVE-2020-14361 (A flaw was found in X.Org Server before xorg-x11-server 1.20.9. NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/144849ea27230962227e62a943b399e2ab304787 CVE-2020-14360 [Check SetMap request length carefully] RESERVED - - xorg-server (bug #976216) + - xorg-server 2:1.20.10-1 (bug #976216) NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/446ff2d3177087b8173fa779fa5b77a2a128988b CVE-2020-14359 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c10894366ddc3049ce18ee1b64cbb29683edaa3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c10894366ddc3049ce18ee1b64cbb29683edaa3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] lts: take xorg-server
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 1d53ed20 by Emilio Pozuelo Monfort at 2020-12-02T12:12:54+01:00 lts: take xorg-server - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -187,3 +187,5 @@ xcftools xdg-utils (Emilio) NOTE: 20201122: wait for a while to get the fix exposed in other suites. (utkarsh) -- +xorg-server (Emilio) +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d53ed2002ebb3421d4b4aadb782dabde1dcc563 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d53ed2002ebb3421d4b4aadb782dabde1dcc563 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove no-dsa tags for issues fixed in DLA-2478-1
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: b8d230a5 by Emilio Pozuelo Monfort at 2020-12-02T11:41:15+01:00 Remove no-dsa tags for issues fixed in DLA-2478-1 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11669,7 +11669,6 @@ CVE-2020-25696 (A flaw was found in the psql interactive terminal of PostgreSQL - postgresql-11 [buster] - postgresql-11 (Minor issue) - postgresql-9.6 - [stretch] - postgresql-9.6 (Minor issue) NOTE: https://www.postgresql.org/about/news/postgresql-131-125-1110-1015-9620-and-9524-released-2111/ CVE-2020-25695 (A flaw was found in PostgreSQL versions before 13.1, before 12.5, befo ...) - postgresql-13 13.1-1 @@ -11677,7 +11676,6 @@ CVE-2020-25695 (A flaw was found in PostgreSQL versions before 13.1, before 12.5 - postgresql-11 [buster] - postgresql-11 (Minor issue) - postgresql-9.6 - [stretch] - postgresql-9.6 (Minor issue) NOTE: https://www.postgresql.org/about/news/postgresql-131-125-1110-1015-9620-and-9524-released-2111/ CVE-2020-25694 (A flaw was found in PostgreSQL versions before 13.1, before 12.5, befo ...) - postgresql-13 13.1-1 
@@ -11685,7 +11683,6 @@ CVE-2020-25694 (A flaw was found in PostgreSQL versions before 13.1, before 12.5 - postgresql-11 [buster] - postgresql-11 (Minor issue) - postgresql-9.6 - [stretch] - postgresql-9.6 (Minor issue) NOTE: https://www.postgresql.org/about/news/postgresql-131-125-1110-1015-9620-and-9524-released-2111/ CVE-2020-25693 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b8d230a577ac78af88aee3f60d799c8cc144b8c3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b8d230a577ac78af88aee3f60d799c8cc144b8c3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
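Review bot: dropping the `[stretch] - postgresql-9.6 (Minor issue)` lines for CVE-2020-25694, CVE-2020-25695 and CVE-2020-25696 is right once DLA-2478-1 lists them in data/DLA/list, but note that the DLA entry was reserved with the misspelled package name (dc3a5ab6) and only corrected in 5c03509e, so the stretch fixed version resolves against these entries only after that correction.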
[Git][security-tracker-team/security-tracker][master] Fix package name
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 5c03509e by Emilio Pozuelo Monfort at 2020-12-02T11:38:40+01:00 Fix package name - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,6 +1,6 @@ -[02 Dec 2020] DLA-2478-1 posgresql-9.6 - security update +[02 Dec 2020] DLA-2478-1 postgresql-9.6 - security update {CVE-2020-25694 CVE-2020-25695 CVE-2020-25696} - [stretch] - posgresql-9.6 9.6.20-0+deb9u1 + [stretch] - postgresql-9.6 9.6.20-0+deb9u1 [02 Dec 2020] DLA-2477-1 jupyter-notebook - security update {CVE-2020-26215} [stretch] - jupyter-notebook 4.2.3-4+deb9u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5c03509e48bcf1668ddae555400444ce51f1e58b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5c03509e48bcf1668ddae555400444ce51f1e58b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2478-1 for posgresql-9.6
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: dc3a5ab6 by Emilio Pozuelo Monfort at 2020-12-02T11:37:13+01:00 Reserve DLA-2478-1 for posgresql-9.6 - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[02 Dec 2020] DLA-2478-1 posgresql-9.6 - security update + {CVE-2020-25694 CVE-2020-25695 CVE-2020-25696} + [stretch] - posgresql-9.6 9.6.20-0+deb9u1 [02 Dec 2020] DLA-2477-1 jupyter-notebook - security update {CVE-2020-26215} [stretch] - jupyter-notebook 4.2.3-4+deb9u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc3a5ab6176ebbb6dc47a60f389592c6a8d440ee -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc3a5ab6176ebbb6dc47a60f389592c6a8d440ee You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
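Review bot: the package name is misspelled as `posgresql-9.6` in both the DLA title line and the `[stretch]` line, so this entry would not match the real source package; the follow-up 5c03509e corrects it to postgresql-9.6. Checking the name against the neighbouring DLA-2477-1 entry's format before reserving would have avoided the extra commit.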
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2477-1 for jupyter-notebook
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: fbb98826 by Chris Lamb at 2020-12-02T10:18:45+00:00 Reserve DLA-2477-1 for jupyter-notebook - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[02 Dec 2020] DLA-2477-1 jupyter-notebook - security update + {CVE-2020-26215} + [stretch] - jupyter-notebook 4.2.3-4+deb9u2 [01 Dec 2020] DLA-2476-1 brotli - security update {CVE-2020-8927} [stretch] - brotli 0.5.2+dfsg-2+deb9u1 = data/dla-needed.txt = @@ -63,9 +63,6 @@ intel-microcode NOTE: 20201122: Utkarsh will upload once its confirmed that there is no regression NOTE: 20201122: and is actively tracking it. (utkarsh) -- -jupyter-notebook (Chris Lamb) - NOTE: 20201120: Defer upload for a week or so. Last DLA release was less than a month (abhijith) --- lemonldap-ng (Utkarsh) NOTE: 20200910: Released a DLA for CVE-2020-24660 a few days ago, so could defer. (lamby) NOTE: 20201122: still waiting to hear from upstream. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fbb98826c8db60577239a079a09143b3654f92f4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fbb98826c8db60577239a079a09143b3654f92f4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7285aed3 by Salvatore Bonaccorso at 2020-12-02T09:18:40+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -36686,7 +36686,7 @@ CVE-2020-14262 CVE-2020-14261 RESERVED CVE-2020-14260 (HCL Domino is susceptible to a Buffer Overflow vulnerability in DXL du ...) - TODO: check + NOT-FOR-US: HCL Domino CVE-2020-14259 RESERVED CVE-2020-14258 (HCL Notes is susceptible to a Denial of Service vulnerability caused b ...) @@ -42630,7 +42630,7 @@ CVE-2020-11992 CVE-2020-11991 (When using the StreamGenerator, the code parse a user-provided XML. A ...) - cocoon CVE-2020-11990 (We have resolved a security issue in the camera plugin that could have ...) - TODO: check + NOT-FOR-US: Apache Cordova CVE-2020-11989 (Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic ...) {DLA-2273-1} - shiro @@ -56157,7 +56157,7 @@ CVE-2020-7201 CVE-2020-7200 RESERVED CVE-2020-7199 (A security vulnerability has been identified in the HPE Edgeline Infra ...) - TODO: check + NOT-FOR-US: HPE CVE-2020-7198 (There is a remote escalation of privilege possible for a malicious use ...) NOT-FOR-US: HPE CVE-2020-7197 (SSMC3.7.0.0 is vulnerable to remote authentication bypass. HPE StoreSe ...) 
@@ -63915,7 +63915,7 @@ CVE-2020-4104 (HCL BigFix WebUI is vulnerable to stored cross-site scripting (XS CVE-2020-4103 RESERVED CVE-2020-4102 (HCL Notes is susceptible to a Buffer Overflow vulnerability in DXL due ...) - TODO: check + NOT-FOR-US: HCL Notes CVE-2020-4101 ("HCL Digital Experience is susceptible to Server Side Request Forgery. ...) NOT-FOR-US: HCL Digital Experience CVE-2020-4100 ("HCL Verse for Android was found to employ dynamic code loading. This ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7285aed331e86f5ab54ca34d83d40dac1946913e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7285aed331e86f5ab54ca34d83d40dac1946913e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6eab4821 by security tracker role at 2020-12-02T08:10:20+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2020-29455 + RESERVED +CVE-2020-29454 (Editors/LogViewerController.cs in Umbraco through 8.9.1 allows a user ...) + TODO: check CVE-2020-29453 RESERVED CVE-2020-29452 @@ -6367,8 +6371,7 @@ CVE-2020-27818 RESERVED CVE-2020-27817 RESERVED -CVE-2020-27816 - RESERVED +CVE-2020-27816 (The elasticsearch-operator does not validate the namespace where kiban ...) NOT-FOR-US: OpenShift Elasticsearch operator CVE-2020-27815 RESERVED @@ -6378,8 +6381,7 @@ CVE-2020-27814 RESERVED - openjpeg2 NOTE: https://github.com/uclouvain/openjpeg/issues/1283 -CVE-2020-27813 - RESERVED +CVE-2020-27813 (An integer overflow vulnerability exists with the length of websocket ...) - golang-github-gorilla-websocket (Fixed with first upload to Debian with renamed source package) - golang-websocket NOTE: https://github.com/gorilla/websocket/security/advisories/GHSA-jf24-p9p9-4rjh @@ -10363,8 +10365,8 @@ CVE-2020-26252 RESERVED CVE-2020-26251 RESERVED -CVE-2020-26250 - RESERVED +CVE-2020-26250 (OAuthenticator is an OAuth login mechanism for JupyterHub. In oauthent ...) + TODO: check CVE-2020-26249 RESERVED CVE-2020-26248 @@ -11582,8 +11584,7 @@ CVE-2020-25724 - resteasy - resteasy3.0 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1899354 (lacks details ATM) -CVE-2020-25723 [assertion failure through usb_packet_unmap() in hw/usb/hcd-ehci.c] - RESERVED +CVE-2020-25723 (A reachable assertion issue was found in the USB EHCI emulation code o ...) {DLA-2469-1} - qemu (bug #975276) [buster] - qemu (Fix along in future DSA) 
@@ -11643,8 +11644,7 @@ CVE-2020-25705 (A flaw in the way reply ICMP packets are limited in the Linux ke - linux 5.9.6-1 NOTE: https://git.kernel.org/linus/b38e7819cae946e2edf869e604af1e65a5d241c5 NOTE: https://www.saddns.net/ -CVE-2020-25704 - RESERVED +CVE-2020-25704 (A flaw memory leak in the Linux kernel performance monitoring subsyste ...) - linux 5.9.6-1 NOTE: https://git.kernel.org/linus/7bdb157cdebbf95a1cd94ed2e01b338714075d00 CVE-2020-25703 (The participants table download in Moodle always included user emails, ...) @@ -11848,13 +11848,12 @@ CVE-2020-25657 [stretch] - m2crypto (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1889823 NOTE: https://gitlab.com/m2crypto/m2crypto/-/issues/285 -CVE-2020-25656 - RESERVED +CVE-2020-25656 (A flaw was found in the Linux kernel. A use-after-free was found in th ...) - linux 5.9.6-1 NOTE: https://www.openwall.com/lists/oss-security/2020/10/16/1 CVE-2020-25655 (An issue was discovered in ManagedClusterView API, that could allow se ...) NOT-FOR-US: Red Hat open-cluster-management -CVE-2020-25654 (An ACL bypass flaw was found in pacemaker before 1.1.24-rc1 and 2.0.5- ...) +CVE-2020-25654 (An ACL bypass flaw was found in pacemaker. An attacker having a local ...) {DSA-4791-1} - pacemaker 2.0.5~rc2-1 (bug #973254) NOTE: https://www.openwall.com/lists/oss-security/2020/10/27/1 @@ -36229,8 +36228,7 @@ CVE-2020-14385 (A flaw was found in the Linux kernel before 5.9-rc4. A failure o NOTE: https://git.kernel.org/linus/f4020438fab05364018c91f7e02ebdd192085933 CVE-2020-14384 (A flaw was found in JBossWeb in versions before 7.5.31.Final-redhat-3. ...) NOT-FOR-US: JBossWeb -CVE-2020-14383 [An authenticated user can crash the DCE/RPC DNS with easily crafted records] - RESERVED +CVE-2020-14383 (A flaw was found in samba's DNS server. An authenticated user could us ...) {DLA-2463-1} [experimental] - samba 2:4.13.2+dfsg-1 - samba 2:4.13.2+dfsg-2 (bug #973398) 
@@ -36581,8 +36579,7 @@ CVE-2020-14307 (A vulnerability was found in Wildfly's Enterprise Java Beans (EJ - wildfly (bug #752018) CVE-2020-14306 (An incorrect access control flaw was found in the operator, openshift- ...) NOT-FOR-US: OpenShift -CVE-2020-14305 [memory corruption in Voice over IP nf_conntrack_h323 module] - RESERVED +CVE-2020-14305 (An out-of-bounds memory write flaw was found in how the Linux