[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 5554e2df by Thorsten Alteholz at 2021-01-04T08:39:47+01:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -95,6 +95,7 @@ opendmarc (Abhijith PA) -- openjpeg2 (Thorsten Alteholz) NOTE: 20201220: more CVEs appeared + NOTE: 20210104: testing package -- pacemaker (Markus Koschany) NOTE: 20201228: See #974563 for further information. @@ -142,11 +143,12 @@ shiro (Roberto C. Sánchez) NOTE: 20201004: Sent additional request to upstream dev list; stil no response. (roberto) NOTE: 20201220: Upstream has responded. Working with them to backport fixes. (roberto) -- -slirp (Thorsten Alteholz) +slirp (pu-Thorsten Alteholz) NOTE: Upstream patch for CVE-2020-8608 requires patches for NOTE: CVE-2020-7039 to be applied patched first, as they both patch NOTE: the same lines of code in tcp_subr.c (bam). NOTE: update has to done in sid->buster->stretch + NOTE: 20200401: waiting for pu -- snapd (Brian May) NOTE: Needs rebuild for CVE-2019-11840 in golang-go.crypto. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5554e2dfa73a693ad4a74ba74c29138c6ab7d7f4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5554e2dfa73a693ad4a74ba74c29138c6ab7d7f4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
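Review bot: the date in the new slirp note reads 20200401, which does not match the commit timestamp (2021-01-04) or the 20210104 date used in the openjpeg2 note added by the same commit; it should presumably read `NOTE: 20210104: waiting for pu`. The neighbouring context line `NOTE: update has to done in sid->buster->stretch` is also missing a word (`has to be done`) and could be fixed while this entry is being edited.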
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2020-28052/bouncycastle
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d0259612 by Salvatore Bonaccorso at 2021-01-04T06:43:05+01:00 Track fixed version for CVE-2020-28052/bouncycastle - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12949,7 +12949,7 @@ CVE-2020-28053 (HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed NOTE: https://github.com/hashicorp/consul/issues/9240 NOTE: https://github.com/hashicorp/consul/blob/master/CHANGELOG.md#186-november-19-2020 CVE-2020-28052 (An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 an ...) - - bouncycastle (bug #977683) + - bouncycastle 1.65-2 (bug #977683) [buster] - bouncycastle (Vulnerability introduced later) [stretch] - bouncycastle (Vulnerability introduced later) NOTE: https://github.com/bcgit/bc-java/wiki/CVE-2020-28052 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d025961284b8261727227666aadb4b988117b15f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d025961284b8261727227666aadb4b988117b15f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add note in dla-needed.txt
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: b6619e38 by Abhijith PA at 2021-01-04T10:07:36+05:30 Add note in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -91,6 +91,7 @@ open-build-service opendmarc (Abhijith PA) NOTE: 20200719: no patches for remaining CVEs available, everything else is already done in Stretch (thorsten) NOTE: 20201217: patch for CVE-2020-12460 has become available (roberto) + NOTE: 20210104: wait for other CVEs (abhijith) -- openjpeg2 (Thorsten Alteholz) NOTE: 20201220: more CVEs appeared @@ -154,6 +155,7 @@ snapd (Brian May) spice-vdagent (Abhijith PA) NOTE: code base seems largely changed. Pinged upstream for help (abhijith) NOTE: 20201215: Yet to hear from current maintainer and old maintainer after initial mail (abhijith) + NOTE: 20210104: Pinged old maintainer again (abhijith) -- spotweb NOTE: 20201220: The affected code (PHP!) uses string concatenation to construct a SQL query. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6619e3893a3410180138bee4c50dc7ffe2bee0f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6619e3893a3410180138bee4c50dc7ffe2bee0f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2017-6888: Remove no-dsa for stretch
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 49e74afc by Adrian Bunk at 2021-01-04T02:30:57+02:00 CVE-2017-6888: Remove no-dsa for stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -225802,7 +225802,6 @@ CVE-2017-6889 (An integer overflow error within the "foveon_load_camf()" functio NOT-FOR-US: libraw demosaic extension (not packaged in Debian) CVE-2017-6888 (An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC ...) - flac 1.3.2-2 (low; bug #897015) - [stretch] - flac (Minor issue) [jessie] - flac (Minor issue) [wheezy] - flac (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2017-7/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/49e74afcbefd5654641905ec6454409a2731b46a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/49e74afcbefd5654641905ec6454409a2731b46a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2514-1 for flac
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ee759138 by Adrian Bunk at 2021-01-04T02:29:19+02:00 Reserve DLA-2514-1 for flac - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[04 Jan 2021] DLA-2514-1 flac - security update + {CVE-2017-6888 CVE-2020-0499} + [stretch] - flac 1.3.2-2+deb9u1 [04 Jan 2021] DLA-2513-1 p11-kit - security update {CVE-2020-29361 CVE-2020-29362} [stretch] - p11-kit 0.23.3-2+deb9u1 = data/dla-needed.txt = @@ -48,10 +48,6 @@ f2fs-tools firmware-nonfree NOTE: 20201207: wait for the update in buster and backport that (Emilio) -- -flac (Adrian Bunk) - NOTE: 20201215: when preparing fix/advisory note that the same code change fixes both CVE-2020-0487 and CVE-2017-6888 (roberto) - NOTE: 20201215: stretch and buster versions are very close; perhaps consider coordinating with security team and helping them by preparing an update for buster (roberto) --- golang-1.7 NOTE: 20201219: new CVEs may not be getting fixed, might need to ignore (roberto) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ee7591388275c537447796d8cf86e51c202c919b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ee7591388275c537447796d8cf86e51c202c919b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
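Review bot: the CVE ids in the new DLA-2514-1 entry and in the removed dla-needed.txt note disagree: data/DLA/list lists `{CVE-2017-6888 CVE-2020-0499}`, while the removed note says the same code change fixes CVE-2020-0487 and CVE-2017-6888. One of the two ids is a typo; it should be verified before the advisory text is published, since the DLA/list entry is what the tracker cross-references.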
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2513-1 for p11-kit
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 9383c85b by Adrian Bunk at 2021-01-04T01:04:04+02:00 Reserve DLA-2513-1 for p11-kit - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[04 Jan 2021] DLA-2513-1 p11-kit - security update + {CVE-2020-29361 CVE-2020-29362} + [stretch] - p11-kit 0.23.3-2+deb9u1 [03 Jan 2021] DLA-2512-1 libhibernate3-java - security update {CVE-2020-25638} [stretch] - libhibernate3-java 3.6.10.Final-6+deb9u1 = data/dla-needed.txt = @@ -99,8 +99,6 @@ opendmarc (Abhijith PA) openjpeg2 (Thorsten Alteholz) NOTE: 20201220: more CVEs appeared -- -p11-kit (Adrian Bunk) --- pacemaker (Markus Koschany) NOTE: 20201228: See #974563 for further information. NOTE: 20201228: https://people.debian.org/~apo/lts/pacemaker/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9383c85b9d931e7cae04b71b28a53d18140e81ec -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9383c85b9d931e7cae04b71b28a53d18140e81ec You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: dla: update note
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 52cfafb4 by Adrian Bunk at 2021-01-04T00:11:36+02:00 dla: update note - - - - - 46cd3a18 by Adrian Bunk at 2021-01-04T00:13:12+02:00 CVE-2020-29363 was introduced after the version in stretch - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -7462,6 +7462,7 @@ CVE-2020-29364 (In NetArt News Lister 1.0.0, the news headlines vulnerable to st CVE-2020-29363 (An issue was discovered in p11-kit 0.23.6 through 0.23.21. A heap-base ...) {DSA-4822-1} - p11-kit 0.23.22-1 + [stretch] - p11-kit (Vulnerable code introduced later) NOTE: https://lists.freedesktop.org/archives/p11-glue/2020-December/000712.html NOTE: https://github.com/p11-glue/p11-kit/security/advisories/GHSA-5j67-fw89-fp6x NOTE: https://github.com/p11-glue/p11-kit/commit/2617f3ef888e103324a28811886b99ed0a56346d (0.23.22) = data/dla-needed.txt = @@ -78,8 +78,7 @@ linux (Ben Hutchings) linux-4.19 (Ben Hutchings) -- mariadb-10.1 (Adrian Bunk) - NOTE: 20201207: still ongoing (bunk) - NOTE: 20201220: debugging test failure in local build (bunk) + NOTE: 20210104: testing fixed package (bunk) -- mumble NOTE: 20200325: Regression in last upload, forgot to follow up. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/20b622662cd737dc7771837a833cb869f3a0f909...46cd3a18497d2f1fb05c6e89f6233c6efb688209 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/20b622662cd737dc7771837a833cb869f3a0f909...46cd3a18497d2f1fb05c6e89f6233c6efb688209 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
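Review bot: the new `[stretch] - p11-kit (Vulnerable code introduced later)` line for CVE-2020-29363 is not backed by a NOTE saying how that was established, while the fix side of the same entry is referenced down to the upstream commit for 0.23.22. The CVE description's affected range (0.23.6 through 0.23.21) together with the stretch version 0.23.3-2 shown in the DLA-2513-1 entry already supports the claim, so a one-line NOTE citing that range would let the next person verify the assessment instead of re-deriving it.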
[Git][security-tracker-team/security-tracker][master] Claim snapd
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 20b62266 by Brian May at 2021-01-04T09:04:03+11:00 Claim snapd - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -154,7 +154,7 @@ slirp (Thorsten Alteholz) NOTE: the same lines of code in tcp_subr.c (bam). NOTE: update has to done in sid->buster->stretch -- -snapd +snapd (Brian May) NOTE: Needs rebuild for CVE-2019-11840 in golang-go.crypto. NOTE: Problems with upload. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20b622662cd737dc7771837a833cb869f3a0f909 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20b622662cd737dc7771837a833cb869f3a0f909 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2020-25638,libhibernate3-java: Fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: f05056ed by Markus Koschany at 2021-01-03T21:45:43+01:00 CVE-2020-25638,libhibernate3-java: Fixed in unstable - - - - - 025649c3 by Markus Koschany at 2021-01-03T21:46:43+01:00 Reserve DLA-2512-1 for libhibernate3-java - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -19380,7 +19380,7 @@ CVE-2020-25639 [NULL pointer dereference via nouveau ioctl can lead to DoS] [stretch] - linux (Vulnerable code introduced later) NOTE: https://lists.freedesktop.org/archives/nouveau/2020-August/036682.html CVE-2020-25638 (A flaw was found in hibernate-core in versions prior to and including ...) - - libhibernate3-java + - libhibernate3-java 3.6.10.Final-11 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1881353 NOTE: Fixed by https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78 CVE-2020-25637 (A double free memory issue was found to occur in the libvirt API, in v ...) = data/DLA/list = @@ -1,3 +1,6 @@ +[03 Jan 2021] DLA-2512-1 libhibernate3-java - security update + {CVE-2020-25638} + [stretch] - libhibernate3-java 3.6.10.Final-6+deb9u1 [30 Dec 2020] DLA-2511-1 highlight.js - security update {CVE-2020-26237} [stretch] - highlight.js 8.2+ds-5+deb9u1 = data/dla-needed.txt = 
@@ -73,9 +73,6 @@ intel-microcode NOTE: 20201122: Utkarsh will upload once its confirmed that there is no regression NOTE: 20201122: and is actively tracking it. (utkarsh) -- -libhibernate3-java (Markus Koschany) - NOTE: 20201115: No patch yet; unsure if version in LTS is vulnerable. (lamby) --- linux (Ben Hutchings) -- linux-4.19 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/aefa9b1ddc628526f19e14870474d9863e29c915...025649c3b08ee912161a0297a7002ba1676fb94a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/aefa9b1ddc628526f19e14870474d9863e29c915...025649c3b08ee912161a0297a7002ba1676fb94a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
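Review bot: the removed dla-needed.txt note recorded that it was unsure whether the version in LTS was vulnerable to CVE-2020-25638, but neither hunk in data/CVE/list adds a NOTE recording that stretch's 3.6.10.Final-6 was confirmed affected or that the referenced hibernate-orm commit is what was backported for DLA-2512-1. A short NOTE on the CVE entry would preserve that conclusion now that the dla-needed entry is gone.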
[Git][security-tracker-team/security-tracker][master] Add libxstream-java for review
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: aefa9b1d by Salvatore Bonaccorso at 2021-01-03T21:31:26+01:00 Add libxstream-java for review - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -17,6 +17,9 @@ ansible knot-resolver Santiago Ruano Rincón proposed a debdiff for review -- +libxstream-java + Check for DSA; Markus Koschany proposed an update for review +-- linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v4.19.y versions. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aefa9b1ddc628526f19e14870474d9863e29c915 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aefa9b1ddc628526f19e14870474d9863e29c915 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-26939/bouncycastle as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 61c6339f by Salvatore Bonaccorso at 2021-01-03T21:28:32+01:00 Mark CVE-2020-26939/bouncycastle as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16297,6 +16297,7 @@ CVE-2020-26940 CVE-2020-26939 (In Legion of the Bouncy Castle BC before 1.61 and BC-FJA before 1.0.1. ...) {DLA-2433-1} - bouncycastle 1.61-1 + [buster] - bouncycastle (Minor issue) NOTE: https://github.com/bcgit/bc-java/wiki/CVE-2020-26939 NOTE: https://github.com/bcgit/bc-java/commit/930f8b274c4f1f3a46e68b5441f1e7fadb57e8c1 (r1rv61) CVE-2020-26938 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61c6339fbff8c2d59f87d21e4b4e68d10f4fa9cd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61c6339fbff8c2d59f87d21e4b4e68d10f4fa9cd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
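Review bot: `[buster] - bouncycastle (Minor issue)` is added to an entry that already carries `{DLA-2433-1}`, so stretch received an advisory for the same issue while buster is now rated no-dsa; a NOTE giving the reason for treating the two suites differently would make the entry understandable to later readers without consulting the commit history.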
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-35964/ffmpeg
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4a925c36 by Salvatore Bonaccorso at 2021-01-03T21:21:09+01:00 Add CVE-2020-35964/ffmpeg - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,7 @@ CVE-2020-35964 (track_header in libavformat/vividas.c in FFmpeg 4.3.1 has an out-of-bo ...) - TODO: check + - ffmpeg + NOTE: https://github.com/FFmpeg/FFmpeg/commit/27a99e2c7d450fef15594671eef4465c8a166bd7 + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26622 CVE-2020-35963 (flb_gzip_compress in flb_gzip.c in Fluent Bit before 1.6.4 has an out- ...) TODO: check CVE-2021-3006 (The breed function in the smart contract implementation for Farm in Se ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a925c36a172b6d87c941ba83ed7025f258c2346 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a925c36a172b6d87c941ba83ed7025f258c2346 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
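Review bot: the new `- ffmpeg` line has no fixed version even though the same hunk cites the upstream fix commit, and no [buster]/[stretch] assessment is recorded for an out-of-bounds issue in libavformat/vividas.c. Either record the unstable version that contains the fix or add a NOTE that the fix is not yet in a released version, so the entry does not sit as unfixed without explanation.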
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 828bbb7f by security tracker role at 2021-01-03T20:10:22+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2020-35964 (track_header in libavformat/vividas.c in FFmpeg 4.3.1 has an out-of-bo ...) + TODO: check +CVE-2020-35963 (flb_gzip_compress in flb_gzip.c in Fluent Bit before 1.6.4 has an out- ...) + TODO: check CVE-2021-3006 (The breed function in the smart contract implementation for Farm in Se ...) NOT-FOR-US: Farm in Seal Finance (Seal) Ethereum token CVE-2021-3005 (MK-AUTH through 19.01 K4.9 allows remote attackers to obtain sensitive ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/828bbb7f631e9f1c40b39e671025aefa53aa78fd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/828bbb7f631e9f1c40b39e671025aefa53aa78fd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9b9bb351 by Moritz Muehlenhoff at 2021-01-03T19:55:33+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -224,7 +224,7 @@ CVE-2020-35867 (An issue was discovered in the rusqlite crate before 0.23.0 for CVE-2020-35866 (An issue was discovered in the rusqlite crate before 0.23.0 for Rust. ...) NOT-FOR-US: rusqlite rust crate CVE-2020-35865 (An issue was discovered in the os_str_bytes crate before 2.0.0 for Rus ...) - TODO: check + NOT-FOR-US: Rust os_str_bytes CVE-2020-35864 (An issue was discovered in the flatbuffers crate through 2020-04-11 fo ...) NOT-FOR-US: flatbuffers rust crate CVE-2020-35863 (An issue was discovered in the hyper crate before 0.12.34 for Rust. HT ...) @@ -240,7 +240,7 @@ CVE-2020-35859 (An issue was discovered in the lucet-runtime-internals crate bef CVE-2020-35858 (An issue was discovered in the prost crate before 0.6.1 for Rust. Ther ...) NOT-FOR-US: prost rust crate CVE-2020-35857 (An issue was discovered in the trust-dns-server crate before 0.18.1 fo ...) - TODO: check + NOT-FOR-US: Rust trust-dns-server CVE-2019-25011 (NetBox through 2.6.2 allows an Authenticated User to conduct an XSS at ...) NOT-FOR-US: NetBox CVE-2019-25010 (An issue was discovered in the failure crate through 2019-11-13 for Ru ...) @@ -257,7 +257,7 @@ CVE-2019-25007 (An issue was discovered in the streebog crate before 0.8.0 for R CVE-2019-25006 (An issue was discovered in the streebog crate before 0.8.0 for Rust. T ...) NOT-FOR-US: streebog rust crate CVE-2019-25005 (An issue was discovered in the chacha20 crate before 0.2.3 for Rust. A ...) - TODO: check + NOT-FOR-US: Rust chacha20 CVE-2019-25004 (An issue was discovered in the flatbuffers crate before 0.6.1 for Rust ...) NOT-FOR-US: flatbuffers rust crate CVE-2019-25003 (An issue was discovered in the libsecp256k1 crate before 0.3.1 for Rus ...) 
@@ -4350,7 +4350,8 @@ CVE-2020-35378 (SQL Injection in the login page in Online Bus Ticket Reservation CVE-2020-35377 RESERVED CVE-2020-35376 (Xpdf 4.02 allows stack consumption because of an incorrect subroutine ...) - TODO: check + - xpdf (Debian uses poppler, which is not affected) + NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3=42066 CVE-2020-35375 RESERVED CVE-2020-35374 @@ -7788,7 +7789,7 @@ CVE-2020-29205 CVE-2020-29204 (XXL-JOB 2.2.0 allows Stored XSS (in Add User) to bypass the 20-charact ...) NOT-FOR-US: XXL-JOB CVE-2020-29203 (struct2json before 2020-11-18 is affected by a Buffer Overflow because ...) - TODO: check + NOT-FOR-US: struct2json CVE-2020-29202 RESERVED CVE-2020-29201 @@ -12454,21 +12455,21 @@ CVE-2020-28285 CVE-2020-28284 RESERVED CVE-2020-28283 (Prototype pollution vulnerability in 'libnested' versions 0.0.0 throug ...) - TODO: check + NOT-FOR-US: libnested CVE-2020-28282 (Prototype pollution vulnerability in 'getobject' version 0.1.0 allows ...) - TODO: check + NOT-FOR-US: Node getobject CVE-2020-28281 (Prototype pollution vulnerability in 'set-object-value' versions 0.0.0 ...) - TODO: check + NOT-FOR-US: react-atomic-organism CVE-2020-28280 (Prototype pollution vulnerability in 'predefine' versions 0.0.0 throug ...) - TODO: check + NOT-FOR-US: Node predefine CVE-2020-28279 (Prototype pollution vulnerability in 'flattenizer' versions 0.0.5 thro ...) - TODO: check + NOT-FOR-US: flattenizer CVE-2020-28278 (Prototype pollution vulnerability in 'shvl' versions 1.0.0 through 2.0 ...) - TODO: check + NOT-FOR-US: Node shvl CVE-2020-28277 (Prototype pollution vulnerability in 'dset' versions 1.0.0 through 2.0 ...) - TODO: check + NOT-FOR-US: Node dset CVE-2020-28276 (Prototype pollution vulnerability in 'deep-set' versions 1.0.0 through ...) - TODO: check + NOT-FOR-US: Node deep-set CVE-2020-28275 REJECTED CVE-2020-28274 (Prototype pollution vulnerability in 'deepref' versions 1.1.1 through ...) 
@@ -13662,7 +13663,7 @@ CVE-2020-27834 [attacker can send the same request over and over again without c - zabbix NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1907497 NOTE: http://almorabea.net/cves/zabbix.txt - TODO: check for details, very scarce/incomplete CVE request from http://almorabea.net/cves/zabbix.txt + NOTE: very scarce/incomplete CVE request from http://almorabea.net/cves/zabbix.txt CVE-2020-27833 RESERVED NOT-FOR-US: OpenShift @@ -17697,7 +17698,7 @@ CVE-2020-26298 CVE-2020-26297 RESERVED CVE-2020-26296 (Vega is a visualization grammar, a declarative format for creating, sa ...) -
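Review bot: in the CVE-2020-35376 hunk, `- xpdf (Debian uses poppler, which is not affected)` carries neither a version nor a status keyword, so it has the same shape as the unfixed `- bouncycastle (bug #977683)` entry elsewhere in this digest and will be read as xpdf still vulnerable, contradicting the parenthetical; an explicit not-affected marker is needed if xpdf is not affected. The NOTE URL `https://forum.xpdfreader.com/viewtopic.php?f=3=42066` also looks mangled (`f=3=42066` is not a valid query string) and should be re-checked.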
[Git][security-tracker-team/security-tracker][master] Mark f2fs-tools issues as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9295662d by Salvatore Bonaccorso at 2021-01-03T18:01:48+01:00 Mark f2fs-tools issues as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -66867,18 +66867,23 @@ CVE-2020-6109 (An exploitable path traversal vulnerability exists in the Zoom cl NOT-FOR-US: Zoom CVE-2020-6108 (An exploitable code execution vulnerability exists in the fsck_chk_orp ...) - f2fs-tools 1.14.0-1 (bug #973380) + [buster] - f2fs-tools (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1050 CVE-2020-6107 (An exploitable information disclosure vulnerability exists in the dev_ ...) - f2fs-tools 1.14.0-1 (bug #973380) + [buster] - f2fs-tools (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1049 CVE-2020-6106 (An exploitable information disclosure vulnerability exists in the init ...) - f2fs-tools 1.14.0-1 (bug #973380) + [buster] - f2fs-tools (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1048 CVE-2020-6105 (An exploitable code execution vulnerability exists in the multiple dev ...) - f2fs-tools 1.14.0-1 (bug #973380) + [buster] - f2fs-tools (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1047 CVE-2020-6104 (An exploitable information disclosure vulnerability exists in the get_ ...) - f2fs-tools 1.14.0-1 (bug #973380) + [buster] - f2fs-tools (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1046 CVE-2020-6103 (An exploitable code execution vulnerability exists in the Shader funct ...) NOT-FOR-US: AMD Radeon DirectX 11 Driver atidxx64.dll View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9295662dd1061d4379986e694f4e25198cdd6ac2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9295662dd1061d4379986e694f4e25198cdd6ac2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed versions for f2fs-tools issues via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1d8092b0 by Salvatore Bonaccorso at 2021-01-03T17:58:31+01:00 Track fixed versions for f2fs-tools issues via unstable Unfortuantely queries to upstream were not successful to identify the fixes. So for now track just the unstable version fixing all those trusting the maintainer. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -66866,19 +66866,19 @@ CVE-2020-6110 (An exploitable partial path traversal vulnerability exists in the CVE-2020-6109 (An exploitable path traversal vulnerability exists in the Zoom client, ...) NOT-FOR-US: Zoom CVE-2020-6108 (An exploitable code execution vulnerability exists in the fsck_chk_orp ...) - - f2fs-tools (bug #973380) + - f2fs-tools 1.14.0-1 (bug #973380) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1050 CVE-2020-6107 (An exploitable information disclosure vulnerability exists in the dev_ ...) - - f2fs-tools (bug #973380) + - f2fs-tools 1.14.0-1 (bug #973380) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1049 CVE-2020-6106 (An exploitable information disclosure vulnerability exists in the init ...) - - f2fs-tools (bug #973380) + - f2fs-tools 1.14.0-1 (bug #973380) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1048 CVE-2020-6105 (An exploitable code execution vulnerability exists in the multiple dev ...) - - f2fs-tools (bug #973380) + - f2fs-tools 1.14.0-1 (bug #973380) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1047 CVE-2020-6104 (An exploitable information disclosure vulnerability exists in the get_ ...) - - f2fs-tools (bug #973380) + - f2fs-tools 1.14.0-1 (bug #973380) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1046 CVE-2020-6103 (An exploitable code execution vulnerability exists in the Shader funct ...) NOT-FOR-US: AMD Radeon DirectX 11 Driver atidxx64.dll 
@@ -66999,7 +66999,7 @@ CVE-2020-6071 (An exploitable denial-of-service vulnerability exists in the reso NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-0994 NOTE: These were addressed on the source level in 3.0.9, but 3.0.8-4 disables the plugin CVE-2020-6070 (An exploitable code execution vulnerability exists in the file system ...) - - f2fs-tools (bug #970941) + - f2fs-tools 1.14.0-1 (bug #970941) [buster] - f2fs-tools (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-0988 CVE-2020-6069 (An exploitable out-of-bounds write vulnerability exists in the igcore1 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d8092b0f9b0c71e23f472f20003c712a234ffb6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d8092b0f9b0c71e23f472f20003c712a234ffb6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
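Review bot: the commit message says the specific upstream fixes could not be identified and that 1.14.0-1 is tracked on the maintainer's word, but none of the six f2fs-tools entries gains a NOTE saying so, so the basis for the fixed version lives only in git history. Adding a NOTE such as `NOTE: upstream fix commits not identified; 1.14.0-1 fixes all per maintainer` to each entry keeps that caveat next to the data.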
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f6d4380 by Moritz Muehlenhoff at 2021-01-03T17:33:21+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30193,7 +30193,7 @@ CVE-2020-20414 CVE-2020-20413 RESERVED CVE-2020-20412 (lib/codebook.c in libvorbis before 1.3.6, as used in StepMania 5.0.12 ...) - TODO: check + NOT-FOR-US: StepMania integration of libvorbis CVE-2020-20411 RESERVED CVE-2020-20410 @@ -61109,9 +61109,9 @@ CVE-2020-8292 CVE-2020-8291 RESERVED CVE-2020-8290 (Backblaze for Windows and Backblaze for macOS before 7.0.0.439 suffer ...) - TODO: check + NOT-FOR-US: Backblaze CVE-2020-8289 (Backblaze for Windows before 7.0.1.433 and Backblaze for macOS before ...) - TODO: check + NOT-FOR-US: Backblaze CVE-2020-8288 RESERVED CVE-2020-8287 @@ -67571,7 +67571,7 @@ CVE-2020-5809 (A stored XSS vulnerability exists in Umbraco CMS = 8.9.1 or c CVE-2020-5808 (In certain scenarios in Tenable.sc prior to 5.17.0, a scanner could po ...) NOT-FOR-US: Tenable CVE-2020-5807 (An unauthenticated remote attacker can send data to RsvcHost.exe liste ...) - TODO: check + NOT-FOR-US: FactoryTalk Diagnostics CVE-2020-5806 (An attacker-controlled memory allocation size can be passed to the C++ ...) TODO: check CVE-2020-5805 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f6d4380ad97232158e52d8226a72982fed57adc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f6d4380ad97232158e52d8226a72982fed57adc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
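Review bot: `NOT-FOR-US: StepMania integration of libvorbis` for CVE-2020-20412 may be wrong: the CVE text places the bug in `lib/codebook.c in libvorbis before 1.3.6`, and libvorbis itself is packaged in Debian, so the issue should be checked against the libvorbis package (and, if it is the upstream 1.3.6 fix, tracked with that fixed version) rather than dismissed because the reporter encountered it via StepMania.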
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2020-29562/glibc via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ed9bd3a0 by Salvatore Bonaccorso at 2021-01-03T17:25:29+01:00 Track fixed version for CVE-2020-29562/glibc via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6740,7 +6740,7 @@ CVE-2020-29564 (The official Consul Docker images 0.7.1 through 1.4.2 contain a CVE-2020-29563 (An issue was discovered on Western Digital My Cloud OS 5 devices befor ...) NOT-FOR-US: Western Digital My Cloud OS CVE-2020-29562 (The iconv function in the GNU C Library (aka glibc or libc6) 2.30 to 2 ...) - - glibc (bug #976391) + - glibc 2.31-7 (bug #976391) [buster] - glibc (Vulnerability introduced later in 2.30) [stretch] - glibc (Vulnerability introduced later in 2.30) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=26923 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ed9bd3a0923a57af7174eb6088497f1205bc9eb0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ed9bd3a0923a57af7174eb6088497f1205bc9eb0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
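Review bot: in the CVE-2020-29562 hunk the glibc fixed version 2.31-7 is recorded with the sourceware bug as the only reference; since the commit message says the fix is tracked via unstable, a `NOTE:` naming the upstream commit or the 2.31-7 changelog entry that addresses the iconv issue would make the version claim verifiable. The buster and stretch `(Vulnerability introduced later in 2.30)` annotations are consistent with the `2.30 to 2...` range in the description.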
[Git][security-tracker-team/security-tracker][master] Process some new NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 54d238dd by Salvatore Bonaccorso at 2021-01-03T09:24:15+01:00 Process some new NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,11 +1,11 @@ CVE-2021-3006 (The breed function in the smart contract implementation for Farm in Se ...) - TODO: check + NOT-FOR-US: Farm in Seal Finance (Seal) Ethereum token CVE-2021-3005 (MK-AUTH through 19.01 K4.9 allows remote attackers to obtain sensitive ...) - TODO: check + NOT-FOR-US: MK-AUTH CVE-2021-3004 (The _deposit function in the smart contract implementation for Stable ...) - TODO: check + NOT-FOR-US: Stable Yield Credit (yCREDIT) Ethereum token CVE-2020-35962 (The sellTokenForLRC function in the vault protocol in the smart contra ...) - TODO: check + NOT-FOR-US: Loopring (LRC) Ethereum token CVE-2020-35961 RESERVED CVE-2020-35960 @@ -25,7 +25,7 @@ CVE-2020-35954 CVE-2020-35953 RESERVED CVE-2020-35952 (login.php in PHPFusion (aka PHP-Fusion) Andromeda 9.x before 2020-12-3 ...) - TODO: check + NOT-FOR-US: PHP-Fusion CVE-2021-3003 RESERVED CVE-2021-3002 (Seo Panel 4.8.0 allows reflected XSS via the seo/seopanel/login.php?se ...) @@ -8623,7 +8623,7 @@ CVE-2020-28843 CVE-2020-28842 RESERVED CVE-2020-28841 (MyDrivers64.sys in DriverGenius 9.61.3708.3054 allows attackers to cau ...) - TODO: check + NOT-FOR-US: DriverGenius CVE-2020-28840 RESERVED CVE-2020-28839 
@@ -94796,11 +94796,11 @@ CVE-2019-15082 (The 360-product-rotation plugin before 1.4.8 for WordPress has r CVE-2019-15081 (OpenCart 3.x, when the attacker has login access to the admin panel, a ...) NOT-FOR-US: OpenCart CVE-2019-15080 (An issue was discovered in a smart contract implementation for MORPH T ...) - TODO: check + NOT-FOR-US: MORPH Token Ethereum token CVE-2019-15079 (A typo exists in the constructor of a smart contract implementation fo ...) - TODO: check + NOT-FOR-US: EAI Ethereum token CVE-2019-15078 (An issue was discovered in a smart contract implementation for AIRDROP ...) - TODO: check + NOT-FOR-US: AIRDROPX BORN Ethereum token CVE-2019-15077 RESERVED CVE-2019-15076 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54d238dd842a0b1d0a18142fde72ef504e285baf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54d238dd842a0b1d0a18142fde72ef504e285baf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
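Review bot: the Ethereum-token NOT-FOR-US labels across the two hunks are inconsistent in form: `Farm in Seal Finance (Seal) Ethereum token`, `Stable Yield Credit (yCREDIT) Ethereum token` and `Loopring (LRC) Ethereum token` carry the token symbol, while `MORPH Token Ethereum token` (which also reads doubled), `EAI Ethereum token` and `AIRDROPX BORN Ethereum token` do not; use one `Name (SYMBOL) Ethereum token` form where the symbol is known so the entries can be searched uniformly. The remaining NFUs (MK-AUTH, PHP-Fusion, DriverGenius) are fine as written.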
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 727074b5 by security tracker role at 2021-01-03T08:10:14+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,31 @@ +CVE-2021-3006 (The breed function in the smart contract implementation for Farm in Se ...) + TODO: check +CVE-2021-3005 (MK-AUTH through 19.01 K4.9 allows remote attackers to obtain sensitive ...) + TODO: check +CVE-2021-3004 (The _deposit function in the smart contract implementation for Stable ...) + TODO: check +CVE-2020-35962 (The sellTokenForLRC function in the vault protocol in the smart contra ...) + TODO: check +CVE-2020-35961 + RESERVED +CVE-2020-35960 + RESERVED +CVE-2020-35959 + RESERVED +CVE-2020-35958 + RESERVED +CVE-2020-35957 + RESERVED +CVE-2020-35956 + RESERVED +CVE-2020-35955 + RESERVED +CVE-2020-35954 + RESERVED +CVE-2020-35953 + RESERVED +CVE-2020-35952 (login.php in PHPFusion (aka PHP-Fusion) Andromeda 9.x before 2020-12-3 ...) + TODO: check CVE-2021-3003 RESERVED CVE-2021-3002 (Seo Panel 4.8.0 allows reflected XSS via the seo/seopanel/login.php?se ...) @@ -8594,8 +8622,8 @@ CVE-2020-28843 RESERVED CVE-2020-28842 RESERVED -CVE-2020-28841 - RESERVED +CVE-2020-28841 (MyDrivers64.sys in DriverGenius 9.61.3708.3054 allows attackers to cau ...) + TODO: check CVE-2020-28840 RESERVED CVE-2020-28839 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/727074b5fee9a5334bf80d4b750433815ce95b07 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/727074b5fee9a5334bf80d4b750433815ce95b07 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits