[Git][security-tracker-team/security-tracker][master] stable triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9ace03d7 by Moritz Muehlenhoff at 2021-01-07T08:11:52+01:00 stable triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -2673,10 +2673,12 @@ CVE-2020-36068 RESERVED CVE-2020-36067 (GJSON =v1.6.5 allows attackers to cause a denial of service (panic ...) - golang-github-tidwall-gjson + [buster] - golang-github-tidwall-gjson (Minor issue) NOTE: https://github.com/tidwall/gjson/issues/196 NOTE: https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b CVE-2020-36066 (GJSON 1.6.5 allows attackers to cause a denial of service (remote) ...) - golang-github-tidwall-gjson + [buster] - golang-github-tidwall-gjson (Minor issue) NOTE: https://github.com/tidwall/gjson/issues/195 NOTE: https://github.com/tidwall/match/commit/c2f534168b739a7ec1821a33839fb2f029f26bbc CVE-2020-36065 @@ -6719,6 +6721,7 @@ CVE-2020-35546 RESERVED CVE-2020-35545 (Time-based SQL injection exists in Spotweb 1.4.9 via the query string. ...) - spotweb (bug #977719) + [buster] - spotweb (Minor issue) NOTE: https://github.com/spotweb/spotweb/issues/629 NOTE: https://github.com/spotweb/spotweb/commit/fefb39ad143caad021ad496427617db79c42aff2 CVE-2020-35544 @@ -6876,6 +6879,7 @@ CVE-2020-35492 [cairo: libreoffice slideshow aborts with stack smashing in cairo RESERVED {DLA-2518-1} - cairo 1.16.0-5 (bug #978658) + [buster] - cairo (Minor issue) NOTE: https://gitlab.freedesktop.org/cairo/cairo/-/issues/437 NOTE: Introduced by: https://gitlab.freedesktop.org/cairo/cairo/-/commit/c986a7310bb06582b7d8a566d5f007ba4e5e75bf (1.12.12) NOTE: Fixed by: https://gitlab.freedesktop.org/cairo/cairo/-/commit/03a820b173ed1fdef6ff14b4468f5dbc02ff59be 
@@ -8919,6 +8923,7 @@ CVE-2020-29658 RESERVED CVE-2020-29657 (In JerryScript 2.3.0, there is an out-of-bounds read in main_print_unh ...) - iotjs (bug #977736) + [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/issues/4244 CVE-2020-29656 (An information disclosure vulnerability exists in RT-AC88U Download Ma ...) NOT-FOR-US: RT-AC88U Download Master @@ -20724,7 +20729,8 @@ CVE-2020-26265 (Go Ethereum, or "Geth", is the official Golang implementation of CVE-2020-26264 (Go Ethereum, or "Geth", is the official Golang implementation of the E ...) - golang-github-go-ethereum (bug #890541) CVE-2020-26263 (tlslite-ng is an open source python library that implements SSL and TL ...) - - tlslite-ng + - tlslite-ng + [buster] - tlslite-ng (Minor issue) NOTE: https://github.com/tlsfuzzer/tlslite-ng/security/advisories/GHSA-wvcv-832q-fjg7 NOTE: https://github.com/tlsfuzzer/tlslite-ng/commit/c28d6d387bba59d8bd5cb3ba15edc42edf54b368 NOTE: https://github.com/tlsfuzzer/tlslite-ng/pull/438 @@ -25253,6 +25259,7 @@ CVE-2020-24345 (** DISPUTED ** JerryScript through 2.3.0 allows stack consumptio NOTE: Disputed JerryScript issue CVE-2020-24344 (JerryScript through 2.3.0 has a (function({a=arguments}){const argumen ...) - iotjs + [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/issues/3976 NOTE: https://github.com/jerryscript-project/jerryscript/commit/841d536fce1ce29267cdf0ea12be4026e1c35d3a CVE-2020-24343 (Artifex MuJS through 1.0.7 has a use-after-free in jsrun.c because of ...) 
@@ -49002,6 +49009,7 @@ CVE-2020-13650 (An issue was discovered in DigDash 2018R2 before p20200210 and 2 NOT-FOR-US: DigDash CVE-2020-13649 (parser/js/js-scanner.c in JerryScript 2.2.0 mishandles errors during c ...) - iotjs 1.0+715-1 + [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/commit/69f8e78c2f8d562bd6d8002b5488f1662ac30d24 NOTE: https://github.com/jerryscript-project/jerryscript/issues/3786 NOTE: https://github.com/jerryscript-project/jerryscript/issues/3788 @@ -114779,6 +114787,7 @@ CVE-2019-1010177 (Jsish 2.4.70 2.047 is affected by: Use After Free. The impact NOT-FOR-US: Jsish CVE-2019-1010176 (JerryScript commit 4e58ccf68070671e1fff5cd6673f0c1d5b80b166 is affecte ...) - iotjs 1.0+715-1 + [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/issues/2476 NOTE: https://github.com/jerryscript-project/jerryscript/commit/505dace719aebb3308a3af223cfaa985159efae0 CVE-2019-1010175 @@ -153144,6 +153153,7 @@ CVE-2018-1000638 (MiniCMS version 1.1 contains a Cross Site Scripting (XSS) vuln NOT-FOR-US: MiniCMS CVE-2018-1000636 (JerryScript
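Review bot: in the CVE-2020-26263 (tlslite-ng) hunk the existing line `- tlslite-ng` is removed and re-added unchanged ahead of the new `[buster] - tlslite-ng (Minor issue)` line, which looks like a whitespace-only edit of a line that did not need touching; confirm it was intentional so the diff stays minimal. The cairo hunk tags CVE-2020-35492 as `[buster] - cairo (Minor issue)` although the same entry already carries `{DLA-2518-1}` for stretch and a fix in unstable `1.16.0-5`; a short NOTE recording the intended route for buster (point release versus DSA) would make the triage decision easier to follow later.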
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-35512/dbus
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3fc480d1 by Salvatore Bonaccorso at 2021-01-07T07:42:22+01:00 Add CVE-2020-35512/dbus - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6787,6 +6787,14 @@ CVE-2020-35513 RESERVED CVE-2020-35512 RESERVED + - dbus 1.12.20-1 + [buster] - dbus 1.12.20-0+deb10u1 + [stretch] - dbus 1.10.32-0+deb9u1 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1909101 + NOTE: https://gitlab.freedesktop.org/dbus/dbus/-/issues/305 + NOTE: https://gitlab.freedesktop.org/dbus/dbus/-/commit/2b7948ef907669e844b52c4fa2268d6e3162a70c (dbus-1.13.18) + NOTE: https://gitlab.freedesktop.org/dbus/dbus/-/commit/f3b2574f0c9faa32a59efec905921f7ef4438a60 (dbus-1.12.20) + NOTE: https://gitlab.freedesktop.org/dbus/dbus/-/commit/dc94fe3d31adf72259adc31f343537151a6c0bdd (dbus-1.10.32) CVE-2020-35511 RESERVED CVE-2020-35510 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3fc480d1ea286ac77d64d3fdb3bb5ffb656fbc06 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3fc480d1ea286ac77d64d3fdb3bb5ffb656fbc06 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
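Review bot: the CVE-2020-35512 entry keeps its RESERVED description line while fixed versions for unstable (`1.12.20-1`), buster (`1.12.20-0+deb10u1`) and stretch (`1.10.32-0+deb9u1`) are added, so the only description of the issue is in the five NOTE links; a one-line NOTE summarising what the referenced dbus commits fix would help anyone reading the tracker entry before the CVE text is published. The three upstream commit links are annotated with the release each landed in (dbus-1.13.18, 1.12.20, 1.10.32), which matches the per-suite versions recorded above them.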
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-35509, NFU (Keycloak)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4fd68fce by Salvatore Bonaccorso at 2021-01-07T07:27:24+01:00 Add CVE-2020-35509, NFU (Keycloak) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6794,6 +6794,7 @@ CVE-2020-35510 - libjboss-remoting-java CVE-2020-35509 RESERVED + NOT-FOR-US: Keycloak CVE-2020-35508 RESERVED - linux View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4fd68fcec8ba6c16eea67a8f0d64051b1242b07a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4fd68fcec8ba6c16eea67a8f0d64051b1242b07a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fix for CVE-2019-18900/libzypp via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fa4573a0 by Salvatore Bonaccorso at 2021-01-07T06:44:48+01:00 Track fix for CVE-2019-18900/libzypp via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -83648,7 +83648,7 @@ CVE-2019-18901 (A UNIX Symbolic Link (Symlink) Following vulnerability in the my CVE-2019-18900 (: Incorrect Default Permissions vulnerability in libzypp of SUSE CaaS ...) {DLA-2132-1} [experimental] - libzypp 17.25.5-1 - - libzypp (bug #953362) + - libzypp 17.25.5-2 (bug #953362) [buster] - libzypp (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1158763 NOTE: https://github.com/openSUSE/libzypp/pull/196 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa4573a03bd6201ecd720833519e72f903570e9b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa4573a03bd6201ecd720833519e72f903570e9b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
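Review bot: the CVE-2019-18900 entry now records the fix in unstable as `- libzypp 17.25.5-2 (bug #953362)` while still carrying `[experimental] - libzypp 17.25.5-1` directly above it; check whether the experimental pseudo-release line is still wanted now that a later version in unstable is tracked, since it no longer adds information. The `[buster] - libzypp (Minor issue)` tag and the `{DLA-2132-1}` reference for stretch are left as they were, which is consistent with the commit message's scope of tracking the fix via unstable only.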
[Git][security-tracker-team/security-tracker][master] Add new chromium CVEs from January 6, 2021 advisory (fixed in 87.0.4280.141)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 516225d1 by Salvatore Bonaccorso at 2021-01-07T06:41:16+01:00 Add new chromium CVEs from January 6, 2021 advisory (fixed in 87.0.4280.141) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4427,26 +4427,48 @@ CVE-2021-21117 RESERVED CVE-2021-21116 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-21115 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-21114 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-21113 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-21112 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-2 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-21110 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-21109 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-21108 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-21107 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-21106 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2020-35626 (An issue was discovered in the PushToWatch extension for MediaWiki thr ...) NOT-FOR-US: PushToWatch MediaWiki extension CVE-2020-35625 (An issue was discovered in the Widgets extension for MediaWiki through ...) @@ -42154,6 +42176,8 @@ CVE-2020-16044 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-01/#CVE-2020-16044 CVE-2020-16043 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2020-16042 RESERVED {DSA-4824-1 DSA-4815-1 DSA-4813-1 DLA-2497-1 DLA-2496-1} 
@@ -42380,7 +42404,8 @@ CVE-2020-15997 (Use after free in Mojo in Google Chrome prior to 86.0.4240.99 al CVE-2020-15996 (Use after free in passwords in Google Chrome prior to 86.0.4240.99 all ...) - chromium (Chrome on Android) CVE-2020-15995 (Out of bounds write in V8 in Google Chrome prior to 86.0.4240.99 allow ...) - - chromium (Chrome on Android) + - chromium + [stretch] - chromium (see DSA 4562) CVE-2020-15994 (Use after free in V8 in Google Chrome prior to 86.0.4240.99 allowed a ...) - chromium (Chrome on Android) CVE-2020-15993 (Use after free in printing in Google Chrome prior to 86.0.4240.99 allo ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/516225d14bbfdd6769f300368233094d89c2a360 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/516225d14bbfdd6769f300368233094d89c2a360 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
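Review bot: the first hunk adds an entry `CVE-2021-2` between CVE-2021-21112 and CVE-2021-21110, which looks like a truncated identifier; confirm the committed file carries the full id, since the tracker keys entries on it. The commit message says the issues are fixed in 87.0.4280.141, but none of the new `- chromium` lines records a Debian fixed version or a NOTE pointing at the Chrome release advisory; the fixed version should follow once the upload lands, and the advisory link would document the source of the list. In the last hunk CVE-2020-15995 changes from `chromium (Chrome on Android)` to an open issue for Debian's chromium plus `[stretch] - chromium (see DSA 4562)`; a NOTE explaining why it is no longer treated as Android-only would record that reassessment.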
[Git][security-tracker-team/security-tracker][master] Add fixed version via unstable for CVE-2020-16044/firefox-esr
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1c7f1d24 by Salvatore Bonaccorso at 2021-01-07T06:36:16+01:00 Add fixed version via unstable for CVE-2020-16044/firefox-esr - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -42150,7 +42150,7 @@ CVE-2020-16045 CVE-2020-16044 RESERVED - firefox 84.0.2-1 - - firefox-esr + - firefox-esr 78.6.1esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-01/#CVE-2020-16044 CVE-2020-16043 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c7f1d24eab25bcd1885ff2c95010654495e0994 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c7f1d24eab25bcd1885ff2c95010654495e0994 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2020-16044/firefox via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8d1a9672 by Salvatore Bonaccorso at 2021-01-07T06:35:11+01:00 Track fixed version for CVE-2020-16044/firefox via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -42149,7 +42149,7 @@ CVE-2020-16045 RESERVED CVE-2020-16044 RESERVED - - firefox + - firefox 84.0.2-1 - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-01/#CVE-2020-16044 CVE-2020-16043 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8d1a9672685f8cb7d4426e878fed8ff8bb07797b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8d1a9672685f8cb7d4426e878fed8ff8bb07797b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2520-1 for golang-websocket
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: d8b7b1f0 by Brian May at 2021-01-07T10:03:08+11:00 Reserve DLA-2520-1 for golang-websocket - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[07 Jan 2021] DLA-2520-1 golang-websocket - security update + {CVE-2020-27813} + [stretch] - golang-websocket 1.1.0-1+deb9u1 [06 Jan 2021] DLA-2519-1 pacemaker - security update {CVE-2018-16877 CVE-2018-16878 CVE-2020-25654} [stretch] - pacemaker 1.1.24-0+deb9u1 = data/dla-needed.txt = @@ -58,8 +58,6 @@ golang-1.8 NOTE: 20210103: Clarification CVE-2020-29509, ...10 and ...11 is definitely not going to be fixed in 1.8. NOTE: 20210103: golang at all. Follow up a little more before it is ignored (ola) -- -golang-websocket (Brian May) --- imagemagick (Sylvain Beucler) NOTE: 20201207: requested CVE-2020-29599 (Beuc) NOTE: 20201212: batch of vulnerabilities triaged, the only important vulnerability is not reproducible, ongoing (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8b7b1f02560055b765c47a80e7deb51f5b21b7e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8b7b1f02560055b765c47a80e7deb51f5b21b7e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim golang-websocket
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: ac8a67f5 by Brian May at 2021-01-07T09:07:19+11:00 Claim golang-websocket - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -58,7 +58,7 @@ golang-1.8 NOTE: 20210103: Clarification CVE-2020-29509, ...10 and ...11 is definitely not going to be fixed in 1.8. NOTE: 20210103: golang at all. Follow up a little more before it is ignored (ola) -- -golang-websocket +golang-websocket (Brian May) -- imagemagick (Sylvain Beucler) NOTE: 20201207: requested CVE-2020-29599 (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac8a67f5d40e20e2949129b8b342e5913a649ac9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac8a67f5d40e20e2949129b8b342e5913a649ac9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] nodejs security update
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b9c67685 by Moritz Mühlenhoff at 2021-01-06T22:54:22+01:00 nodejs security update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[06 Jan 2021] DSA-4826-1 nodejs - security update + {CVE-2020-8265 CVE-2020-8287} + [buster] - nodejs 10.23.1~dfsg-1~deb10u1 [05 Jan 2021] DSA-4806-2 minidlna - regression update [buster] - minidlna 1.2.1+dfsg-2+deb10u2 [04 Jan 2021] DSA-4825-1 dovecot - security update = data/dsa-needed.txt = @@ -28,8 +28,6 @@ linux (carnil) -- netty -- -nodejs --- salt (carnil) -- slurm-llnl (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b9c67685ca8b5a334c36572965a51bbc8b97ccf9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b9c67685ca8b5a334c36572965a51bbc8b97ccf9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process several NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a83eb9cc by Salvatore Bonaccorso at 2021-01-06T21:23:16+01:00 Process several NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18375,11 +18375,11 @@ CVE-2020-27287 CVE-2020-27286 RESERVED CVE-2020-27285 (The default configuration of Crimson 3.1 (Build versions prior to 3119 ...) - TODO: check + NOT-FOR-US: Crimson CVE-2020-27284 RESERVED CVE-2020-27283 (An attacker could send a specially crafted message to Crimson 3.1 (Bui ...) - TODO: check + NOT-FOR-US: Crimson CVE-2020-27282 RESERVED CVE-2020-27281 @@ -18387,7 +18387,7 @@ CVE-2020-27281 CVE-2020-27280 RESERVED CVE-2020-27279 (A NULL pointer deference vulnerability has been identified in the prot ...) - TODO: check + NOT-FOR-US: Crimson CVE-2020-27278 RESERVED CVE-2020-27277 @@ -58420,13 +58420,13 @@ CVE-2019-20511 (ERPNext 11.1.47 allows blog?blog_category= Frame Injection. ...) CVE-2020-10659 (Entrust Entelligence Security Provider (ESP) before 10.0.60 on Windows ...) NOT-FOR-US: Entrust Entelligence Security Provider (ESP) CVE-2020-10658 (The Proofpoint Insider Threat Management Server (formerly ObserveIT Se ...) - TODO: check + NOT-FOR-US: Proofpoint Insider Threat Management Server CVE-2020-10657 (The Proofpoint Insider Threat Management Server (formerly ObserveIT Se ...) - TODO: check + NOT-FOR-US: Proofpoint Insider Threat Management Server CVE-2020-10656 (The Proofpoint Insider Threat Management Server (formerly ObserveIT Se ...) - TODO: check + NOT-FOR-US: Proofpoint Insider Threat Management Server CVE-2020-10655 (The Proofpoint Insider Threat Management Server (formerly ObserveIT Se ...) - TODO: check + NOT-FOR-US: Proofpoint Insider Threat Management Server CVE-2020-10654 (Ping Identity PingID SSH before 4.0.14 contains a heap buffer overflow ...) NOT-FOR-US: Ping Identity PingID CVE-2020-10653 
@@ -62603,7 +62603,7 @@ CVE-2012-6721 (Multiple cross-site request forgery (CSRF) vulnerabilities in the CVE-2012-6720 (Multiple cross-site scripting (XSS) vulnerabilities in SocialEngine be ...) NOT-FOR-US: SocialEngine CVE-2020-8884 (rcdsvc in the Proofpoint Insider Threat Management Windows Agent (form ...) - TODO: check + NOT-FOR-US: Proofpoint Insider Threat Management Windows Agent CVE-2020-8883 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Studio Photo CVE-2020-8882 (This vulnerability allows remote attackers to execute arbitrary code o ...) @@ -64462,7 +64462,7 @@ CVE-2020-8161 (A directory traversal vulnerability exists in rack 2.2.0 tha NOTE: Required followup: https://github.com/rack/rack/commit/e7ba1b0557d3ad97af1ef113bbeb5f27417983fa NOTE: Test: https://github.com/rack/rack/commit/775c836bdd25b63340399fea739532d746860a94 CVE-2020-8160 (MendixSSO = 2.1.1 contains endpoints that make use of the openid h ...) - TODO: check + NOT-FOR-US: MendixSSO CVE-2020-8159 (There is a vulnerability in actionpack_page-caching gem v1.2.1 th ...) - ruby-actionpack-page-caching 1.2.2-1 (bug #960680) [buster] - ruby-actionpack-page-caching (Minor issue) @@ -92079,7 +92079,7 @@ CVE-2019-16964 (app/call_centers/cmd.php in the Call Center Queue Module in Fusi CVE-2019-16963 RESERVED CVE-2019-16962 (Zoho ManageEngine Desktop Central 10.0.430 allows HTML injection via a ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine Desktop Central CVE-2019-16961 RESERVED CVE-2019-16960 (SolarWinds Web Help Desk 12.7.0 allows XSS via a CSV template file wit ...) 
@@ -92095,7 +92095,7 @@ CVE-2019-16956 (SolarWinds Web Help Desk 12.7.0 allows XSS via the Request Type CVE-2019-16955 (SolarWinds Web Help Desk 12.7.0 allows XSS via an uploaded SVG documen ...) NOT-FOR-US: SolarWinds CVE-2019-16954 (SolarWinds Web Help Desk 12.7.0 allows HTML injection via a Comment in ...) - TODO: check + NOT-FOR-US: SolarWinds CVE-2019-16953 RESERVED CVE-2019-16952 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a83eb9cc47d9df55c60856a1bdfa1a30509ef4c3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a83eb9cc47d9df55c60856a1bdfa1a30509ef4c3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-36177/wolfssl
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3fd17a5c by Salvatore Bonaccorso at 2021-01-06T21:20:20+01:00 Add CVE-2020-36177/wolfssl - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,7 +5,11 @@ CVE-2021-3028 CVE-2021-22696 RESERVED CVE-2020-36177 (RsaPad_PSS in wolfcrypt/src/rsa.c in wolfSSL before 4.6.0 has an out-o ...) - TODO: check + - wolfssl + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26567 + NOTE: https://github.com/wolfSSL/wolfssl/commit/63bf5dc56ccbfc12a73b06327361687091a4c6f7 + NOTE: https://github.com/wolfSSL/wolfssl/commit/fb2288c46dd4c864b78f00a47a364b96a09a5c0f + NOTE: https://github.com/wolfSSL/wolfssl/pull/3426 CVE-2020-36176 (The iThemes Security (formerly Better WP Security) plugin before 7.7.0 ...) NOT-FOR-US: iThemes Security (formerly Better WP Security) plugin for WordPress CVE-2020-36175 (The Ninja Forms plugin before 3.4.27.1 for WordPress allows attackers ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3fd17a5ca572517b1e3712756312b588ef660d12 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3fd17a5ca572517b1e3712756312b588ef660d12 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
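Review bot: the new `- wolfssl` line for CVE-2020-36177 has no fixed version and no bug reference, although the description states the issue is fixed upstream in 4.6.0 and the NOTEs already link the two fixing commits and PR #3426; recording the Debian fixed version (or a bug number) when the upload happens keeps the entry from remaining open indefinitely, as was done for other entries in this file (for example `(bug #953362)` on libzypp).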
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 97a25c68 by Salvatore Bonaccorso at 2021-01-06T21:18:01+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7,21 +7,21 @@ CVE-2021-22696 CVE-2020-36177 (RsaPad_PSS in wolfcrypt/src/rsa.c in wolfSSL before 4.6.0 has an out-o ...) TODO: check CVE-2020-36176 (The iThemes Security (formerly Better WP Security) plugin before 7.7.0 ...) - TODO: check + NOT-FOR-US: iThemes Security (formerly Better WP Security) plugin for WordPress CVE-2020-36175 (The Ninja Forms plugin before 3.4.27.1 for WordPress allows attackers ...) - TODO: check + NOT-FOR-US: Ninja Forms plugin for WordPress CVE-2020-36174 (The Ninja Forms plugin before 3.4.27.1 for WordPress allows CSRF via s ...) - TODO: check + NOT-FOR-US: Ninja Forms plugin for WordPress CVE-2020-36173 (The Ninja Forms plugin before 3.4.28 for WordPress lacks escaping for ...) - TODO: check + NOT-FOR-US: Ninja Forms plugin for WordPress CVE-2020-36172 (The Advanced Custom Fields plugin before 5.8.12 for WordPress mishandl ...) - TODO: check + NOT-FOR-US: Advanced Custom Fields plugin for WordPress CVE-2020-36171 (The Elementor Website Builder plugin before 3.0.14 for WordPress does ...) - TODO: check + NOT-FOR-US: Elementor Website Builder plugin for WordPress CVE-2020-36170 (The Ultimate Member plugin before 2.1.13 for WordPress mishandles hidd ...) - TODO: check + NOT-FOR-US: Ultimate Member plugin for WordPress CVE-2012-10001 (The Limit Login Attempts plugin before 1.7.1 for WordPress does not cl ...) - TODO: check + NOT-FOR-US: Limit Login Attempts plugin for WordPress CVE-2021-3027 RESERVED CVE-2021-3026 (Invision Community IPS Community Suite before 4.5.4.2 allows XSS durin ...) 
@@ -74188,7 +74188,7 @@ CVE-2020-4338 (IBM MQ 9.1.4 could allow a local attacker to obtain sensitive inf CVE-2020-4337 (IBM API Connect 2018.4.1.0 through 2018.4.1.12 could allow an attacker ...) NOT-FOR-US: IBM CVE-2020-4336 (IBM WebSphere eXtreme Scale 8.6.1 stores sensitive information in URL ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4335 RESERVED CVE-2020-4334 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/97a25c68b944a96917c0eba438fb90bb1341385c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/97a25c68b944a96917c0eba438fb90bb1341385c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e1da3684 by security tracker role at 2021-01-06T20:17:10+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,27 @@ +CVE-2021-3029 + RESERVED +CVE-2021-3028 + RESERVED +CVE-2021-22696 + RESERVED +CVE-2020-36177 (RsaPad_PSS in wolfcrypt/src/rsa.c in wolfSSL before 4.6.0 has an out-o ...) + TODO: check +CVE-2020-36176 (The iThemes Security (formerly Better WP Security) plugin before 7.7.0 ...) + TODO: check +CVE-2020-36175 (The Ninja Forms plugin before 3.4.27.1 for WordPress allows attackers ...) + TODO: check +CVE-2020-36174 (The Ninja Forms plugin before 3.4.27.1 for WordPress allows CSRF via s ...) + TODO: check +CVE-2020-36173 (The Ninja Forms plugin before 3.4.28 for WordPress lacks escaping for ...) + TODO: check +CVE-2020-36172 (The Advanced Custom Fields plugin before 5.8.12 for WordPress mishandl ...) + TODO: check +CVE-2020-36171 (The Elementor Website Builder plugin before 3.0.14 for WordPress does ...) + TODO: check +CVE-2020-36170 (The Ultimate Member plugin before 2.1.13 for WordPress mishandles hidd ...) + TODO: check +CVE-2012-10001 (The Limit Login Attempts plugin before 1.7.1 for WordPress does not cl ...) + TODO: check CVE-2021-3027 RESERVED CVE-2021-3026 (Invision Community IPS Community Suite before 4.5.4.2 allows XSS durin ...) @@ -3557,7 +3581,7 @@ CVE-2020-35719 RESERVED CVE-2020-35718 RESERVED -CVE-2020-35717 (zonote =0.4.0 allows XSS via crafted note, with resultant Remote C ...) +CVE-2020-35717 (zonote through 0.4.0 allows XSS via a crafted note, with resultant Rem ...) NOT-FOR-US: zonote CVE-2020-35716 (Belkin LINKSYS RE6500 devices before 1.0.012.001 allow remote attacker ...) NOT-FOR-US: Belkin LINKSYS RE6500 devices 
@@ -4154,8 +4178,8 @@ CVE-2021-21238 RESERVED CVE-2021-21237 RESERVED -CVE-2021-21236 - RESERVED +CVE-2021-21236 (CairoSVG is a Python (pypi) package. CairoSVG is an SVG converter base ...) + TODO: check CVE-2021-21235 (kamadak-exif is an exif parsing library written in pure Rust. In kamad ...) - rust-kamadak-exif NOTE: https://github.com/kamadak/exif-rs/security/advisories/GHSA-px9g-8hgv-jvg2 @@ -18346,20 +18370,20 @@ CVE-2020-27287 RESERVED CVE-2020-27286 RESERVED -CVE-2020-27285 - RESERVED +CVE-2020-27285 (The default configuration of Crimson 3.1 (Build versions prior to 3119 ...) + TODO: check CVE-2020-27284 RESERVED -CVE-2020-27283 - RESERVED +CVE-2020-27283 (An attacker could send a specially crafted message to Crimson 3.1 (Bui ...) + TODO: check CVE-2020-27282 RESERVED CVE-2020-27281 RESERVED CVE-2020-27280 RESERVED -CVE-2020-27279 - RESERVED +CVE-2020-27279 (A NULL pointer deference vulnerability has been identified in the prot ...) + TODO: check CVE-2020-27278 RESERVED CVE-2020-27277 @@ -19569,8 +19593,8 @@ CVE-2020-26761 RESERVED CVE-2020-26760 RESERVED -CVE-2020-26759 - RESERVED +CVE-2020-26759 (clickhouse-driver before 0.1.5 allows a malicious clickhouse server to ...) + TODO: check CVE-2020-26758 RESERVED CVE-2020-26757 @@ -22204,7 +8,7 @@ CVE-2020-25656 (A flaw was found in the Linux kernel. A use-after-free was found CVE-2020-25655 (An issue was discovered in ManagedClusterView API, that could allow se ...) NOT-FOR-US: Red Hat open-cluster-management CVE-2020-25654 (An ACL bypass flaw was found in pacemaker. An attacker having a local ...) - {DSA-4791-1} + {DSA-4791-1 DLA-2519-1} - pacemaker 2.0.5~rc2-1 (bug #973254) NOTE: https://www.openwall.com/lists/oss-security/2020/10/27/1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1888191 
@@ -49211,10 +49235,10 @@ CVE-2020-13547 (A type confusion vulnerability exists in the JavaScript engine o NOT-FOR-US: Foxit CVE-2020-13546 RESERVED -CVE-2020-13545 - RESERVED -CVE-2020-13544 - RESERVED +CVE-2020-13545 (An exploitable signed conversion vulnerability exists in the TextMaker ...) + TODO: check +CVE-2020-13544 (An exploitable sign extension vulnerability exists in the TextMaker do ...) + TODO: check CVE-2020-13543 (A code execution vulnerability exists in the WebSocket functionality o ...) {DSA-4797-1} - webkit2gtk 2.30.3-1 @@ -58391,14 +58415,14 @@ CVE-2019-20511 (ERPNext 11.1.47 allows blog?blog_category= Frame Injection. ...) NOT-FOR-US: ERPNext CVE-2020-10659 (Entrust Entelligence Security Provider (ESP) before 10.0.60 on Windows ...) NOT-FOR-US: Entrust Entelligence Security Provider (ESP) -CVE-2020-10658 -
[Git][security-tracker-team/security-tracker][master] 2 commits: Remove no-dsa tags from pacemaker/stretch.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c51dc6c by Markus Koschany at 2021-01-06T21:08:18+01:00 Remove no-dsa tags from pacemaker/stretch. - - - - - 723cd446 by Markus Koschany at 2021-01-06T21:09:59+01:00 Reserve DLA-2519-1 for pacemaker - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -149495,14 +149495,12 @@ CVE-2018-16879 (Ansible Tower before version 3.3.3 does not set a secure channel NOT-FOR-US: Ansible Tower CVE-2018-16878 (A flaw was found in pacemaker up to and including version 2.0.1. An in ...) - pacemaker 2.0.1-3 (bug #927714) - [stretch] - pacemaker (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2019/04/17/1 NOTE: https://github.com/ClusterLabs/pacemaker/pull/1749 (master) NOTE: https://github.com/ClusterLabs/pacemaker/pull/1750 (1.1) NOTE: https://lists.clusterlabs.org/pipermail/users/2019-May/025822.html CVE-2018-16877 (A flaw was found in the way pacemaker's client-server authentication w ...) - pacemaker 2.0.1-3 (bug #927714) - [stretch] - pacemaker (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2019/04/17/1 NOTE: https://github.com/ClusterLabs/pacemaker/pull/1749 (master) NOTE: https://github.com/ClusterLabs/pacemaker/pull/1750 (1.1) = data/DLA/list = @@ -1,3 +1,6 @@ +[06 Jan 2021] DLA-2519-1 pacemaker - security update + {CVE-2018-16877 CVE-2018-16878 CVE-2020-25654} + [stretch] - pacemaker 1.1.24-0+deb9u1 [06 Jan 2021] DLA-2518-1 cairo - security update {CVE-2020-35492} [stretch] - cairo 1.14.8-1+deb9u1 = data/dla-needed.txt = 
@@ -102,12 +102,6 @@ openjpeg2 (Thorsten Alteholz) NOTE: 20201220: more CVEs appeared NOTE: 20210104: testing package -- -pacemaker (Markus Koschany) - NOTE: 20201228: See #974563 for further information. - NOTE: 20201228: https://people.debian.org/~apo/lts/pacemaker/ - NOTE: 20201228: The new upstream version works as intended. One user - NOTE: 20201228: reported no regressions. Will release on 06.01.2021. --- php-horde-trean NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in https://bugs.horde.org/ticket/14926 (sunweaver) NOTE: 20200829: We may not expect too much activity regarding this by upstream. (sunweaver) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/bf635dec5420522f0b82b9b91bc3305fb1f8542c...723cd4466c9c580c43d195f05a095b63a3061d6e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/bf635dec5420522f0b82b9b91bc3305fb1f8542c...723cd4466c9c580c43d195f05a095b63a3061d6e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
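Review bot: the new DLA-2519-1 entry in data/DLA/list lists three CVEs (CVE-2018-16877, CVE-2018-16878 and CVE-2020-25654), but the data/CVE/list hunk only drops the `[stretch] - pacemaker (Minor issue)` lines for the first two; check that the CVE-2020-25654 entry does not still carry a stretch-specific tag, otherwise a stale tag stays on an issue the DLA now fixes. The dla-needed.txt removal matches the note it deletes ("Will release on 06.01.2021") and the DLA date.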
[Git][security-tracker-team/security-tracker][master] 2 commits: Remove "check" item for libxstream-java, acked
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a90abcd0 by Salvatore Bonaccorso at 2021-01-06T20:57:18+01:00 Remove check item for libxstream-java, acked - - - - - bf635dec by Salvatore Bonaccorso at 2021-01-06T20:57:46+01:00 Add firefox-esr to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -14,11 +14,13 @@ If needed, specify the release by adding a slash after the name of the source pa -- ansible -- +firefox-esr +-- knot-resolver Santiago Ruano Rincón proposed a debdiff for review -- libxstream-java - Check for DSA; Markus Koschany proposed an update for review + Markus Koschany proposed an update for review -- linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6b2eb7b504bb2e571ba8429d41921f7847d8d9fa...bf635dec5420522f0b82b9b91bc3305fb1f8542c
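Review bot: the new `firefox-esr` entry in data/dsa-needed.txt has no status line, while the neighbouring `knot-resolver` and `libxstream-java` entries each say what they are waiting on; a one-line note naming the advisory or CVE the update is for would let another team member pick it up without re-deriving the context. The libxstream-java change itself is fine: dropping "Check for DSA;" is consistent with the first commit's "acked".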
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-16044/firefox{,-esr}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6b2eb7b5 by Salvatore Bonaccorso at 2021-01-06T20:56:19+01:00 Add CVE-2020-16044/firefox{,-esr} - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -42121,6 +42121,9 @@ CVE-2020-16045 RESERVED CVE-2020-16044 RESERVED + - firefox + - firefox-esr + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-01/#CVE-2020-16044 CVE-2020-16043 RESERVED CVE-2020-16042 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b2eb7b504bb2e571ba8429d41921f7847d8d9fa
[Git][security-tracker-team/security-tracker][master] Track fix via experimental for CVE-2019-18900/libzypp
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4ae56b7a by Salvatore Bonaccorso at 2021-01-06T14:39:38+01:00 Track fix via experimental for CVE-2019-18900/libzypp - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -83591,6 +83591,7 @@ CVE-2019-18901 (A UNIX Symbolic Link (Symlink) Following vulnerability in the my NOT-FOR-US: SuSE-specific mysqld-systemd-helper CVE-2019-18900 (: Incorrect Default Permissions vulnerability in libzypp of SUSE CaaS ...) {DLA-2132-1} + [experimental] - libzypp 17.25.5-1 - libzypp (bug #953362) [buster] - libzypp (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1158763 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ae56b7a63a47a084b58f03a2aed108636985e32
[Git][security-tracker-team/security-tracker][master] new rust-kamadak-exif (might not affect stale Debian versions)
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 28f804c1 by Moritz Muehlenhoff at 2021-01-06T11:49:58+01:00 new rust-kamadak-exif (might not affect stale Debian versions) new golang-github-tidwall-gjson issues NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1109,7 +1109,7 @@ CVE-2021-22160 CVE-2020-36159 (Veritas Desktop and Laptop Option (DLO) before 9.5 disclosed operation ...) NOT-FOR-US: Veritas CVE-2021-3019 (ffay lanproxy 0.1 allows Directory Traversal to read /../conf/config.p ...) - TODO: check + NOT-FOR-US: ffay lanproxy CVE-2021-3018 (ipeak Infosystems ibexwebCMS (aka IPeakCMS) 3.5 is vulnerable to an un ...) NOT-FOR-US: ipeak Infosystems ibexwebCMS (aka IPeakCMS) CVE-2021-3017 @@ -2644,9 +2644,13 @@ CVE-2020-36069 CVE-2020-36068 RESERVED CVE-2020-36067 (GJSON =v1.6.5 allows attackers to cause a denial of service (panic ...) - TODO: check + - golang-github-tidwall-gjson + NOTE: https://github.com/tidwall/gjson/issues/196 + NOTE: https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b CVE-2020-36066 (GJSON 1.6.5 allows attackers to cause a denial of service (remote) ...) - TODO: check + - golang-github-tidwall-gjson + NOTE: https://github.com/tidwall/gjson/issues/195 + NOTE: https://github.com/tidwall/match/commit/c2f534168b739a7ec1821a33839fb2f029f26bbc CVE-2020-36065 RESERVED CVE-2020-36064 @@ -2674,9 +2678,9 @@ CVE-2020-36054 CVE-2020-36053 RESERVED CVE-2020-36052 (Directory traversal vulnerability in post-edit.php in MiniCMS V1.10 al ...) - TODO: check + NOT-FOR-US: MiniCMS CVE-2020-36051 (Directory traversal vulnerability in page_edit.php in MiniCMS V1.10 al ...) - TODO: check + NOT-FOR-US: MiniCMS CVE-2020-36050 RESERVED CVE-2020-36049 
@@ -2848,7 +2852,7 @@ CVE-2020-35967 CVE-2020-35966 RESERVED CVE-2021-3007 (** DISPUTED ** Laminas Project laminas-http before 2.14.2, and Zend Fr ...) - TODO: check + NOT-FOR-US: laminas-http CVE-2021-21495 (MK-AUTH through 19.01 K4.9 allows CSRF for password changes via the ce ...) NOT-FOR-US: MK-AUTH CVE-2021-21494 (MK-AUTH through 19.01 K4.9 allows XSS via the admin/logs_ajax.php tipo ...) @@ -2863,7 +2867,7 @@ CVE-2020-35964 (track_header in libavformat/vividas.c in FFmpeg 4.3.1 has an out NOTE: https://github.com/FFmpeg/FFmpeg/commit/27a99e2c7d450fef15594671eef4465c8a166bd7 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26622 CVE-2020-35963 (flb_gzip_compress in flb_gzip.c in Fluent Bit before 1.6.4 has an out- ...) - TODO: check + NOT-FOR-US: Fluent Bit CVE-2021-3006 (The breed function in the smart contract implementation for Farm in Se ...) NOT-FOR-US: Farm in Seal Finance (Seal) Ethereum token CVE-2021-3005 (MK-AUTH through 19.01 K4.9 allows remote attackers to obtain sensitive ...) @@ -4153,9 +4157,10 @@ CVE-2021-21237 CVE-2021-21236 RESERVED CVE-2021-21235 (kamadak-exif is an exif parsing library written in pure Rust. In kamad ...) - TODO: check + - rust-kamadak-exif + NOTE: https://github.com/kamadak/exif-rs/security/advisories/GHSA-px9g-8hgv-jvg2 CVE-2021-21234 (spring-boot-actuator-logview in a library that adds a simple logfile v ...) - TODO: check + NOT-FOR-US: Spring actuator logview CVE-2020-35627 (Ultimate WooCommerce Gift Cards 3.0.2 is affected by a file upload vul ...) NOT-FOR-US: Ultimate WooCommerce Gift Cards CVE-2021-21233 @@ -6965,7 +6970,7 @@ CVE-2021-20002 CVE-2021-20001 RESERVED CVE-2020-35488 (The fileop module of the NXLog service in NXLog Community Edition 2.10 ...) - TODO: check + NOT-FOR-US: NXLog CVE-2020-35487 RESERVED CVE-2020-35486 
@@ -10142,7 +10147,7 @@ CVE-2020-29439 (Tesla Model X vehicles before 2020-11-23 have key fobs that rely CVE-2020-29438 (Tesla Model X vehicles before 2020-11-23 have key fobs that accept fir ...) NOT-FOR-US: Tesla Model X vehicles CVE-2020-29437 (SQL injection in the Buzz module of OrangeHRM through 4.6 allows remot ...) - TODO: check + NOT-FOR-US: OrangeHRM CVE-2020-29436 (Sonatype Nexus Repository Manager 3.x before 3.29.0 allows a user with ...) NOT-FOR-US: Sonatype Nexus Repository Manager CVE-2020-29435 @@ -13420,7 +13425,7 @@ CVE-2020-28466 CVE-2020-28465 RESERVED CVE-2020-28464 (This affects the package djv before 2.1.4. By controlling the schema f ...) - TODO: check + NOT-FOR-US: Node djv CVE-2020-28463 RESERVED CVE-2020-28462 @@ -20590,17 +20595,17 @@ CVE-2020-26299 CVE-2020-26298 RESERVED CVE-2020-26297 (mdBook is a utility to create modern online books from Markdown files ...) -
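Review bot: the CVE-2021-21235 hunk adds `- rust-kamadak-exif` with no fixed version and no affected-range note, yet the commit message says the issue "might not affect stale Debian versions"; that uncertainty belongs in the entry itself, as a NOTE line giving the affected versions from the linked GHSA advisory and, if the packaged version predates them, a `<not-affected>` tag for the releases concerned, because the package line as written marks every release as vulnerable. The remaining TODO to NOT-FOR-US conversions are consistent with the product names quoted on each CVE line.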
[Git][security-tracker-team/security-tracker][master] Triage CVE-2020-35680 in opensmtpd for stretch LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 1758dfd3 by Chris Lamb at 2021-01-06T10:04:57+00:00 Triage CVE-2020-35680 in opensmtpd for stretch LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3637,6 +3637,7 @@ CVE-2020-35681 [Potential leakage of session identifiers using legacy AsgiHandle NOTE: https://github.com/django/channels/commit/e85874d9630474986a6937430eac52db79a2a022 (3.0.3) CVE-2020-35680 (smtpd/lka_filter.c in OpenSMTPD before 6.8.0p1, in certain configurati ...) - opensmtpd 6.8.0p2-1 (bug #978039) + [stretch] - opensmtpd (new filter grammar support added in ec69ed85b6c) NOTE: https://github.com/openbsd/src/commit/6c3220444ed06b5796dedfd53a0f4becd903c0d1 NOTE: https://www.mail-archive.com/misc@opensmtpd.org/msg05188.html CVE-2020-35679 (smtpd/table.c in OpenSMTPD before 6.8.0p1 lacks a certain regfree, whi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1758dfd37b2ff14f70909f144af5575a95b95a51
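Review bot: the new stretch line justifies the triage with a bare short hash (`ec69ed85b6c`) and names no repository, while the NOTE lines on the same entry use full URLs; say which tree the hash comes from (or link the commit) so the "filter grammar added later" reasoning can be re-verified when the stretch package is next looked at.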
[Git][security-tracker-team/security-tracker][master] Triage CVE-2020-35679 in opensmtpd for stretch LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: feffeaba by Chris Lamb at 2021-01-06T09:51:27+00:00 Triage CVE-2020-35679 in opensmtpd for stretch LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3641,6 +3641,7 @@ CVE-2020-35680 (smtpd/lka_filter.c in OpenSMTPD before 6.8.0p1, in certain confi NOTE: https://www.mail-archive.com/misc@opensmtpd.org/msg05188.html CVE-2020-35679 (smtpd/table.c in OpenSMTPD before 6.8.0p1 lacks a certain regfree, whi ...) - opensmtpd 6.8.0p2-1 (bug #978038) + [stretch] - opensmtpd (regex table supported added > 6.4.0 according to CHANGES.md) NOTE: https://github.com/openbsd/src/commit/79a034b4aed29e965f45a13409268290c9910043 NOTE: https://www.mail-archive.com/misc@opensmtpd.org/msg05188.html CVE-2020-35678 (Autobahn|Python before 20.12.3 allows redirect header injection. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/feffeaba6246867cd5be4df082449aa55943407e
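Review bot: the stretch line reads "regex table supported added > 6.4.0", which has a typo ("support added") and leaves the version comparison ambiguous; state the exact upstream release that introduced regex table support and the version stretch ships, so a reader can see at a glance that the stretch package predates the vulnerable code, and prefer a link to the relevant CHANGES.md entry over "according to CHANGES.md".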
[Git][security-tracker-team/security-tracker][master] new libjboss-remoting-java (removed), concludes external check
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 897e0cc2 by Moritz Muehlenhoff at 2021-01-06T10:29:50+01:00 new libjboss-remoting-java (removed), concludes external check - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6734,6 +6734,7 @@ CVE-2020-35511 RESERVED CVE-2020-35510 RESERVED + - libjboss-remoting-java CVE-2020-35509 RESERVED CVE-2020-35508 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/897e0cc20412ab87d6a7852563c185995d58d5a2
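Review bot: the hunk attaches `- libjboss-remoting-java` to CVE-2020-35510 while the entry is still RESERVED and carries no NOTE line; since the commit message says the mapping comes from an "external check" of a removed package, add a NOTE with the reference that ties this reserved ID to jboss-remoting, otherwise the assignment cannot be audited once the public description lands and the automatic update rewrites the entry.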
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ead70c40 by Salvatore Bonaccorso at 2021-01-06T09:38:47+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,7 @@ CVE-2021-3027 RESERVED CVE-2021-3026 (Invision Community IPS Community Suite before 4.5.4.2 allows XSS durin ...) - TODO: check + NOT-FOR-US: Invision Community IPS Community Suite CVE-2021-3025 RESERVED CVE-2021-22695 @@ -25,25 +25,25 @@ CVE-2021-22687 CVE-2021-22686 RESERVED CVE-2020-36169 (An issue was discovered in Veritas NetBackup through 8.3.0.1 and OpsCe ...) - TODO: check + NOT-FOR-US: Veritas CVE-2020-36168 (An issue was discovered in Veritas Resiliency Platform 3.4 and 3.5. It ...) - TODO: check + NOT-FOR-US: Veritas CVE-2020-36167 (An issue was discovered in the server in Veritas Backup Exec through 1 ...) - TODO: check + NOT-FOR-US: Veritas CVE-2020-36166 (An issue was discovered in Veritas InfoScale 7.x through 7.4.2 on Wind ...) - TODO: check + NOT-FOR-US: Veritas CVE-2020-36165 (An issue was discovered in Veritas Desktop and Laptop Option (DLO) bef ...) - TODO: check + NOT-FOR-US: Veritas CVE-2020-36164 (An issue was discovered in Veritas Enterprise Vault through 14.0. On s ...) - TODO: check + NOT-FOR-US: Veritas CVE-2020-36163 (An issue was discovered in Veritas NetBackup and OpsCenter through 8.3 ...) - TODO: check + NOT-FOR-US: Veritas CVE-2020-36162 (An issue was discovered in Veritas CloudPoint before 8.3.0.1+hotfix. T ...) - TODO: check + NOT-FOR-US: Veritas CVE-2020-36161 (An issue was discovered in Veritas APTARE 10.4 before 10.4P9 and 10.5 ...) - TODO: check + NOT-FOR-US: Veritas CVE-2020-36160 (An issue was discovered in Veritas System Recovery before 21.2. On sta ...) - TODO: check + NOT-FOR-US: Veritas CVE-2021-3024 RESERVED CVE-2021-3023 
@@ -7641,7 +7641,7 @@ CVE-2020-35172 CVE-2020-35171 RESERVED CVE-2020-35170 (Dell EMC Unisphere for PowerMax versions prior to 9.1.0.9, Dell EMC Un ...) - TODO: check + NOT-FOR-US: Dell EMC Unisphere for PowerMax CVE-2020-35169 RESERVED CVE-2020-35168 @@ -9765,11 +9765,11 @@ CVE-2020-29504 CVE-2020-29503 RESERVED CVE-2020-29502 (Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a Plain-Te ...) - TODO: check + NOT-FOR-US: EMC PowerStore CVE-2020-29501 (Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a Plain-Te ...) - TODO: check + NOT-FOR-US: EMC PowerStore CVE-2020-29500 (Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a Plain-Te ...) - TODO: check + NOT-FOR-US: EMC PowerStore CVE-2020-29499 RESERVED CVE-2020-29498 (Dell Wyse Management Suite versions prior to 3.1 contain an open redir ...) @@ -9789,9 +9789,9 @@ CVE-2020-29492 (Dell Wyse ThinOS 8.6 and prior versions contain an insecure defa CVE-2020-29491 (Dell Wyse ThinOS 8.6 and prior versions contain an insecure default co ...) NOT-FOR-US: Dell Wyse ThinOS CVE-2020-29490 (Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.0.4.0.5.012 ...) - TODO: check + NOT-FOR-US: EMC CVE-2020-29489 (Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.0.4.0.5.012 ...) - TODO: check + NOT-FOR-US: EMC CVE-2021-1735 RESERVED CVE-2021-1734 @@ -20816,7 +20816,7 @@ CVE-2020-26201 (Askey AP5100W_Dual_SIG_1.01.097 and all prior versions use a wea CVE-2020-26200 RESERVED CVE-2020-26199 (Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.0.4.0.5.012 ...) - TODO: check + NOT-FOR-US: EMC CVE-2020-26198 (Dell EMC iDRAC9 versions prior to 4.32.10.00 and 4.40.00.00 contain a ...) NOT-FOR-US: EMC CVE-2020-26197 
@@ -20852,7 +20852,7 @@ CVE-2020-26183 (Dell EMC NetWorker versions prior to 19.3.0.2 contain an imprope CVE-2020-26182 (Dell EMC NetWorker versions prior to 19.3.0.2 contain an incorrect pri ...) NOT-FOR-US: EMC CVE-2020-26181 (Dell EMC Isilon OneFS versions 8.1 and later and Dell EMC PowerScale O ...) - TODO: check + NOT-FOR-US: EMC CVE-2020-26180 RESERVED CVE-2020-26179 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ead70c40a9898bec55ed9989d2b5fc5ef2265514
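Review bot: the NOT-FOR-US labels in the Dell hunks are inconsistent: CVE-2020-35170 gets the full product name ("Dell EMC Unisphere for PowerMax"), the CVE-2020-29502 to CVE-2020-29500 block gets "EMC PowerStore", and CVE-2020-29490, CVE-2020-29489, CVE-2020-26199 and CVE-2020-26181 get a bare "EMC" even though their descriptions name Unity/UnityVSA and Isilon OneFS; using the product name consistently makes later grep-based re-triage of these entries easier.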
[Git][security-tracker-team/security-tracker][master] Remove note from CVE-2020-1674
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4fddff61 by Salvatore Bonaccorso at 2021-01-06T09:14:31+01:00 Remove note from CVE-2020-1674 Apparently further investigation showed that it was not a security issue and the Juniper CNA withdrew the CVE. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -84000,7 +84000,6 @@ CVE-2020-1675 (When Security Assertion Markup Language (SAML) authentication is NOT-FOR-US: Juniper CVE-2020-1674 REJECTED - NOT-FOR-US: Juniper CVE-2020-1673 (Insufficient Cross-Site Scripting (XSS) protection in Juniper Networks ...) NOT-FOR-US: Juniper CVE-2020-1672 (On Juniper Networks Junos OS devices configured with DHCPv6 relay enab ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4fddff616d6ae75b6763c82b0021b0cc7ea8fc13
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d2aa1522 by security tracker role at 2021-01-06T08:10:17+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,49 @@ +CVE-2021-3027 + RESERVED +CVE-2021-3026 (Invision Community IPS Community Suite before 4.5.4.2 allows XSS durin ...) + TODO: check +CVE-2021-3025 + RESERVED +CVE-2021-22695 + RESERVED +CVE-2021-22694 + RESERVED +CVE-2021-22693 + RESERVED +CVE-2021-22692 + RESERVED +CVE-2021-22691 + RESERVED +CVE-2021-22690 + RESERVED +CVE-2021-22689 + RESERVED +CVE-2021-22688 + RESERVED +CVE-2021-22687 + RESERVED +CVE-2021-22686 + RESERVED +CVE-2020-36169 (An issue was discovered in Veritas NetBackup through 8.3.0.1 and OpsCe ...) + TODO: check +CVE-2020-36168 (An issue was discovered in Veritas Resiliency Platform 3.4 and 3.5. It ...) + TODO: check +CVE-2020-36167 (An issue was discovered in the server in Veritas Backup Exec through 1 ...) + TODO: check +CVE-2020-36166 (An issue was discovered in Veritas InfoScale 7.x through 7.4.2 on Wind ...) + TODO: check +CVE-2020-36165 (An issue was discovered in Veritas Desktop and Laptop Option (DLO) bef ...) + TODO: check +CVE-2020-36164 (An issue was discovered in Veritas Enterprise Vault through 14.0. On s ...) + TODO: check +CVE-2020-36163 (An issue was discovered in Veritas NetBackup and OpsCenter through 8.3 ...) + TODO: check +CVE-2020-36162 (An issue was discovered in Veritas CloudPoint before 8.3.0.1+hotfix. T ...) + TODO: check +CVE-2020-36161 (An issue was discovered in Veritas APTARE 10.4 before 10.4P9 and 10.5 ...) + TODO: check +CVE-2020-36160 (An issue was discovered in Veritas System Recovery before 21.2. On sta ...) + TODO: check CVE-2021-3024 RESERVED CVE-2021-3023 
@@ -2597,10 +2643,10 @@ CVE-2020-36069 RESERVED CVE-2020-36068 RESERVED -CVE-2020-36067 - RESERVED -CVE-2020-36066 - RESERVED +CVE-2020-36067 (GJSON =v1.6.5 allows attackers to cause a denial of service (panic ...) + TODO: check +CVE-2020-36066 (GJSON 1.6.5 allows attackers to cause a denial of service (remote) ...) + TODO: check CVE-2020-36065 RESERVED CVE-2020-36064 @@ -2627,10 +2673,10 @@ CVE-2020-36054 RESERVED CVE-2020-36053 RESERVED -CVE-2020-36052 - RESERVED -CVE-2020-36051 - RESERVED +CVE-2020-36052 (Directory traversal vulnerability in post-edit.php in MiniCMS V1.10 al ...) + TODO: check +CVE-2020-36051 (Directory traversal vulnerability in page_edit.php in MiniCMS V1.10 al ...) + TODO: check CVE-2020-36050 RESERVED CVE-2020-36049 @@ -4104,8 +4150,8 @@ CVE-2021-21237 RESERVED CVE-2021-21236 RESERVED -CVE-2021-21235 - RESERVED +CVE-2021-21235 (kamadak-exif is an exif parsing library written in pure Rust. In kamad ...) + TODO: check CVE-2021-21234 (spring-boot-actuator-logview in a library that adds a simple logfile v ...) TODO: check CVE-2020-35627 (Ultimate WooCommerce Gift Cards 3.0.2 is affected by a file upload vul ...) @@ -7392,7 +7438,7 @@ CVE-2020-35271 RESERVED CVE-2020-35270 RESERVED -CVE-2020-35269 (There is a Cross Site Request Forgery (CSRF) vulnerability in Nagios C ...) +CVE-2020-35269 (Nagios Core application version 4.2.4 is vulnerable to Site-Wide Cross ...) - nagios4 NOTE: https://gist.github.com/MoSalah20/d1d40b43eafba0bd22ee4cddecad3cbc NOTE: https://github.com/NagiosEnterprises/nagioscore/issues/809 @@ -7594,8 +7640,8 @@ CVE-2020-35172 RESERVED CVE-2020-35171 RESERVED -CVE-2020-35170 - RESERVED +CVE-2020-35170 (Dell EMC Unisphere for PowerMax versions prior to 9.1.0.9, Dell EMC Un ...) + TODO: check CVE-2020-35169 RESERVED CVE-2020-35168 
@@ -9718,12 +9764,12 @@ CVE-2020-29504 RESERVED CVE-2020-29503 RESERVED -CVE-2020-29502 - RESERVED -CVE-2020-29501 - RESERVED -CVE-2020-29500 - RESERVED +CVE-2020-29502 (Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a Plain-Te ...) + TODO: check +CVE-2020-29501 (Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a Plain-Te ...) + TODO: check +CVE-2020-29500 (Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a Plain-Te ...) + TODO: check CVE-2020-29499 RESERVED CVE-2020-29498 (Dell Wyse Management Suite versions prior to 3.1 contain an open redir ...) @@ -9742,10 +9788,10 @@ CVE-2020-29492 (Dell Wyse ThinOS 8.6 and prior versions contain an insecure defa NOT-FOR-US: Dell Wyse ThinOS CVE-2020-29491 (Dell Wyse ThinOS 8.6 and prior versions contain an insecure default co ...) NOT-FOR-US: Dell Wyse
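Review bot: the CVE-2020-35269 hunk replaces the MITRE description (from a CSRF issue to "Nagios Core application version 4.2.4 is vulnerable to Site-Wide Cross ...") on an entry that already carries a `- nagios4` package line and two NOTE references; that assignment was made against the old wording, so it is worth re-checking that the triage and the linked references still describe the reworded issue. The other hunks only turn RESERVED placeholders into "TODO: check" items, which is the expected output of the automatic update.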