[Git][security-tracker-team/security-tracker][master] mark CVE-2021-38185 as no-dsa for Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 24858374 by Thorsten Alteholz at 2021-08-23T16:15:40+02:00 mark CVE-2021-38185 as no-dsa for Stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3089,6 +3089,7 @@ CVE-2021-38186 (An issue was discovered in the comrak crate before 0.10.1 for Ru NOT-FOR-US: Rust crate comrak CVE-2021-38185 (GNU cpio through 2.13 allows attackers to execute arbitrary code via a ...) - cpio 2.13+dfsg-5 (bug #992045) + [stretch] - cpio (Minor issue) NOTE: https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dd96882877721703e19272fe25034560b794061b NOTE: https://github.com/fangqyi/cpiopwn NOTE: https://lists.gnu.org/archive/html/bug-cpio/2021-08/msg0.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/24858374e7e52a669106e42646b8069e395e2fde -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/24858374e7e52a669106e42646b8069e395e2fde You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
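Review bot: the added line `+ [stretch] - cpio (Minor issue)` shows nothing between the package name and the comment although the commit message marks the CVE no-dsa; in the data/CVE/list syntax the status is carried by a `<no-dsa>` token in that position and the parenthesised text is only a comment. The token was most likely eaten as an HTML tag when this mail was rendered, so just confirm the committed line reads `[stretch] - cpio <no-dsa> (Minor issue)`. Separately, the CVE text says the bug allows arbitrary code execution and the NOTEs link a public proof of concept (cpiopwn), so the comment should say why this is only minor for stretch rather than the bare "Minor issue", as the unstable line with bug #992045 gives no hint either.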
[Git][security-tracker-team/security-tracker][master] CVE-2019-18849 will be fixed by next upload
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 2351712f by Thorsten Alteholz at 2021-08-23T16:39:17+02:00 CVE-2019-18849 will be fixed by next upload - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -126924,7 +126924,6 @@ CVE-2019-18849 (In tnef before 1.4.18, an attacker may be able to write to the v {DLA-2005-1} - tnef 1.4.18-1 (bug #944851) [buster] - tnef 1.4.12-1.2+deb10u1 - [stretch] - tnef (Minor issue; can be fixed via point release) NOTE: https://github.com/verdammelt/tnef/pull/40 CVE-2019-18848 (The json-jwt gem before 1.11.0 for Ruby lacks an element count during ...) {DLA-2390-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2351712f86041b18fbb73c332b3b3bc8857819ac -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2351712f86041b18fbb73c332b3b3bc8857819ac You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
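Review bot: the hunk only drops the stretch line `[stretch] - tnef (Minor issue; can be fixed via point release)`, so from this commit on the CVE shows as open for stretch with no fixed version until DLA-2748-1 is recorded; harmless here because the reservation follows nine minutes later in this log, but doing the removal and the DLA entry in one commit avoids that window and keeps the stretch version next to the change it justifies.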
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2748-1 for tnef
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 9f58c5e8 by Thorsten Alteholz at 2021-08-23T16:48:05+02:00 Reserve DLA-2748-1 for tnef - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[23 Aug 2021] DLA-2748-1 tnef - security update + {CVE-2019-18849} + [stretch] - tnef 1.4.12-1.2+deb9u1 [22 Aug 2021] DLA-2742-2 ffmpeg - regression update [stretch] - ffmpeg 7:3.2.15-0+deb9u4 [22 Aug 2021] DLA-2747-1 ircii - security update View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f58c5e83d26a26174081ce7310f4c1c43ba5a65 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f58c5e83d26a26174081ce7310f4c1c43ba5a65 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 6 commits: take openssl
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 0f9d0529 by Thorsten Alteholz at 2021-08-25T12:42:28+02:00 take openssl - - - - - a4eb23c0 by Thorsten Alteholz at 2021-08-25T12:53:01+02:00 mark CVE-2021-28216 as no-dsa for Stretch - - - - - ad38966b by Thorsten Alteholz at 2021-08-25T12:59:06+02:00 mark CVE-2021-39361 as postponed for Stretch - - - - - cf40aa42 by Thorsten Alteholz at 2021-08-25T13:06:24+02:00 mark CVE-2021-39358 as postponed for Stretch - - - - - eb335917 by Thorsten Alteholz at 2021-08-25T13:16:37+02:00 take grilo - - - - - 15230978 by Thorsten Alteholz at 2021-08-25T13:18:35+02:00 mark CVE-2021-39359 as postponed for Stretch - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -1523,6 +1523,7 @@ CVE-2021-39362 (An XSS issue was discovered in ReCaptcha Solver 5.7. A response TODO: check CVE-2021-39361 (In GNOME evolution-rss through 0.3.96, network-soup.c does not enable ...) - evolution-rss + [stretch] - evolution-rss (Minor issue, revisit when/if fixed upstream) NOTE: https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-soupsessionsync-and-soupsessionasync-default-to-no-tls-certificate-verification/ NOTE: https://gitlab.gnome.org/GNOME/evolution-rss/-/issues/11 CVE-2021-39360 (In GNOME libzapojit through 0.0.3, zpj-skydrive.c does not enable TLS ...) 
@@ -1531,10 +1532,12 @@ CVE-2021-39360 (In GNOME libzapojit through 0.0.3, zpj-skydrive.c does not enabl NOTE: https://gitlab.gnome.org/GNOME/libzapojit/-/issues/4 CVE-2021-39359 (In GNOME libgda through 6.0.0, gda-web-provider.c does not enable TLS ...) - libgda5 + [stretch] - libgda5 (Minor issue, revisit when/if fixed upstream) NOTE: https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-soupsessionsync-and-soupsessionasync-default-to-no-tls-certificate-verification/ NOTE: https://gitlab.gnome.org/GNOME/libgda/-/issues/249 CVE-2021-39358 (In GNOME libgfbgraph through 0.2.4, gfbgraph-photo.c does not enable T ...) - gfbgraph + [stretch] - gfbgraph (Minor issue, revisit when/if fixed upstream) NOTE: https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-soupsessionsync-and-soupsessionasync-default-to-no-tls-certificate-verification/ NOTE: https://gitlab.gnome.org/GNOME/libgfbgraph/-/issues/17 CVE-2021-3731 (LedgerSMB does not sufficiently guard against being wrapped by other s ...) @@ -28195,6 +28198,7 @@ CVE-2021-3436 RESERVED CVE-2021-28216 (BootPerformanceTable pointer is read from an NVRAM variable in PEI. Re ...) - edk2 + [stretch] - edk2 (Minor issue) NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2957 CVE-2021-28215 RESERVED = data/dla-needed.txt = @@ -32,6 +32,9 @@ firmware-nonfree (Anton Gladky) gpac (Thorsten Alteholz) NOTE: 20210815: WIP, almost done, still testing package -- +grilo (Thorsten Alteholz) + NOTE: 20210825: ssl-use-system-ca-file is used in libsoup2.4 since version 2.38 +-- krb5 (Adrian Bunk) -- linux (Ben Hutchings) 
@@ -52,6 +55,8 @@ nvidia-graphics-drivers NOTE: package is in non-free but also in packages-to-support NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077 -- +openssl (Thorsten Alteholz) +-- pjproject (Abhijith PA) NOTE: 20210804: Check notes on CVE (especially re. src:ring). (lamby) NOTE: 20210821: Fix backported (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6f0fde7b25c0f0daf90f44fc725b840fd952e3b5...15230978221afae36e4eb0fee9055b4533eeea96 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6f0fde7b25c0f0daf90f44fc725b840fd952e3b5...15230978221afae36e4eb0fee9055b4533eeea96 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
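Review bot: the three lines added for evolution-rss, libgda5 and gfbgraph all carry the comment "Minor issue, revisit when/if fixed upstream" but no concrete trigger, while the grilo entry added to dla-needed.txt in the same push records the finding that matters for this class of bug (libsoup2.4 honours ssl-use-system-ca-file since 2.38); all three CVEs are the same libsoup certificate-verification issue from the linked blog post, so put that finding, and whether stretch's libsoup2.4 meets it, into a NOTE on each CVE so the "revisit" has something to check against. The edk2 line `+ [stretch] - edk2 (Minor issue)` gives no reason either and the package line has no fixed version anywhere; one sentence on what makes it minor would help. As with the other status changes in this push, the `<postponed>` token is not visible between package and comment; confirm it is present in the committed file.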
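Review bot: the nvidia-graphics-drivers context line just above the new openssl entry spells "CVE‑2021‑1076" with non-ASCII hyphen characters while the neighbouring "CVE-2021-1077" uses ASCII ones, so a grep for CVE-2021-1076 in dla-needed.txt misses it; worth fixing while this file is being touched. The new openssl claim has no NOTE at all; a dated line naming the CVEs in scope, as the grilo entry below it has, would let others see what the upload covers.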
[Git][security-tracker-team/security-tracker][master] mark CVE-2021-36690 as not-affected for Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: fd2f77cf by Thorsten Alteholz at 2021-08-25T16:28:11+02:00 mark CVE-2021-36690 as not-affected for Stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7623,6 +7623,7 @@ CVE-2021-36690 (Segmentation fault vulnerability in SQLite sqlite3 3.36.0 via th - sqlite3 [bullseye] - sqlite3 (Minor issue) [buster] - sqlite3 (Minor issue) + [stretch] - sqlite3 (vulnerable code is not present) NOTE: https://www.sqlite.org/forum/forumpost/718c0a8d17 CVE-2021-36689 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd2f77cf0cb4bcd1f6e8d64d412a1c0bbeb9e46a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd2f77cf0cb4bcd1f6e8d64d412a1c0bbeb9e46a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
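Review bot: the comment on the new line `+ [stretch] - sqlite3 (vulnerable code is not present)` is the only evidence for the not-affected call, and the sole NOTE is the sqlite forum thread; add the upstream check-in that introduced the affected code, or the version it first appeared in, so the claim can be rechecked against the sqlite3 source in stretch the next time this entry is revisited. The `<not-affected>` token itself is not visible between package and comment in this mail; confirm it survived in the committed line.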
[Git][security-tracker-team/security-tracker][master] 3 commits: add cacti
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: b2138f25 by Thorsten Alteholz at 2021-08-29T18:29:03+02:00 add cacti - - - - - a9ae26f9 by Thorsten Alteholz at 2021-08-29T18:32:11+02:00 follow sec team with no-dsa for CVEs of ckeditor - - - - - e2274a2d by Thorsten Alteholz at 2021-08-29T18:34:17+02:00 mark CVE-2021-38084 as postponed for Stretch - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -4680,6 +4680,7 @@ CVE-2021-38084 (An issue was discovered in the POP3 component of Courier Mail Se - courier (bug #989375) [bullseye] - courier (Minor issue) [buster] - courier (Minor issue) + [stretch] - courier (Minor issue, include in next update) NOTE: https://sourceforge.net/p/courier/mailman/courier-imap/thread/cone.1382574216.483027.8082.1000%40monster.email-scan.com/#msg3183 NOTE: https://sourceforge.net/p/courier/mailman/message/37329216/ NOTE: https://sourceforge.net/p/courier/courier-libs.git/ci/97ed62b17a2616c758d09105b5a14dd1038cff6f/ (1.1.5) @@ -5527,6 +5528,7 @@ CVE-2021-37695 (ckeditor is an open source WYSIWYG HTML editor with rich content - ckeditor 4.16.2+dfsg-1 (bug #992290) [bullseye] - ckeditor (Minor issue) [buster] - ckeditor (Minor issue) + [stretch] - ckeditor (Minor issue) NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc NOTE: https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58 CVE-2021-37694 (@asyncapi/java-spring-cloud-stream-template generates a Spring Cloud S ...) 
@@ -16744,6 +16746,7 @@ CVE-2021-32809 (ckeditor is an open source WYSIWYG HTML editor with rich content - ckeditor 4.16.2+dfsg-1 (bug #992291) [bullseye] - ckeditor (Minor issue) [buster] - ckeditor (Minor issue) + [stretch] - ckeditor (Minor issue) NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpgg NOTE: https://github.com/ckeditor/ckeditor4/commit/f6856decd5992b2b07945292416bb113d5f7ff82 (v4.16.2) NOTE: Introduced by https://github.com/ckeditor/ckeditor4/commit/ca0851c7a14f616a0c4cda905816aa87ca399efb (v4.5.2) = data/dla-needed.txt = @@ -18,6 +18,9 @@ ansible NOTE: 20210411: after that LTS. (apo) NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/ -- +cacti + NOTE: 20210829: not really sure whether affected, please recheck +-- exiv2 (Utkarsh Gupta) NOTE: 20210801: check further; some no-dsa issues have piled up, too. (utkarsh) NOTE: 20210816: wip, new CVEs added, too. comparing w/ buster. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/33bcbeed823d6e6d0bd9411a6e5ac70239931609...e2274a2d4fe4942c41af7269f32fedd8e31bf021 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/33bcbeed823d6e6d0bd9411a6e5ac70239931609...e2274a2d4fe4942c41af7269f32fedd8e31bf021 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
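Review bot: the new cacti entry in dla-needed.txt says "not really sure whether affected, please recheck" but names neither the CVE that prompted it nor who looked; put the CVE id in the NOTE and sign it with the "(name)" suffix the exiv2 notes below it use, so the next person can pick it up without re-triaging from scratch.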
[Git][security-tracker-team/security-tracker][master] 5 commits: mark CVE-2021-32740 as no-dsa for Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: acfa7990 by Thorsten Alteholz at 2021-08-30T00:22:24+02:00 mark CVE-2021-32740 as no-dsa for Stretch - - - - - 5671cdcf by Thorsten Alteholz at 2021-08-30T00:23:55+02:00 add qtbase-opensource-src - - - - - d8af21e9 by Thorsten Alteholz at 2021-08-30T00:27:38+02:00 add pywps - - - - - 385bd4ef by Thorsten Alteholz at 2021-08-30T00:29:53+02:00 add plib - - - - - f7cc032b by Thorsten Alteholz at 2021-08-30T00:31:15+02:00 mark two CVEs of pluxml as no-dsa for Stretch - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -3403,8 +3403,10 @@ CVE-2021-38604 (In librt in the GNU C Library (aka glibc) through 2.34, sysdeps/ NOTE: https://sourceware.org/git/?p=glibc.git;a=commit;h=b805aebd42364fe696e417808a700fdb9800c9e8 CVE-2021-38603 (PluXML 5.8.7 allows core/admin/profil.php stored XSS via the Informati ...) - pluxml + [stretch] - pluxml (Minor issue) CVE-2021-38602 (PluXML 5.8.7 allows Article Editing stored XSS via Headline or Content ...) - pluxml + [stretch] - pluxml (Minor issue) CVE-2021-38601 RESERVED CVE-2021-38600 @@ -16974,6 +16976,7 @@ CVE-2021-32741 (Nextcloud Server is a Nextcloud package that handles data storag - nextcloud-server (bug #941708) CVE-2021-32740 (Addressable is an alternative implementation to the URI implementation ...) - ruby-addressable 2.7.0-2 (bug #990791) + [stretch] - ruby-addressable (Minor issue) NOTE: https://github.com/sporkmonger/addressable/security/advisories/GHSA-jxhc-q857-3j6g NOTE: https://github.com/sporkmonger/addressable/commit/b48ff03347a6d46e8dc674e242ce74c6381962a5#diff-fb36d3dc67e6565ffde17e666a98697f48e76dac38fabf1bb9e97cdf3b583d76 CVE-2021-32739 (Icinga is a monitoring system which checks the availability of network ...) = data/dla-needed.txt = 
@@ -59,13 +59,20 @@ openssl (Thorsten Alteholz) -- openssl1.0 (Thorsten Alteholz) -- +plib + NOTE: 20210829: no fix yet +-- python-babel NOTE: 20210617: CVE-2021-20095 withdrawn, cf. 251b6e33 and #987824 (abhijith) NOTE: 20210620: http://people.debian.org/~abhijith/backport_of_3a700b5.patch (abhijith) NOTE: 20210620: Revisit when it has an assigned CVE ID (abhijith) -- +pywps +-- qemu (Markus Koschany) -- +qtbase-opensource-src +-- ruby-kaminari NOTE: 20200819: The source in Debian (at least in LTS) appears to have a different lineage to NOTE: 20200819: the one upstream or in its many forks. For example, both dthe View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b40db75908ece32c8416ada8e6d09f3d0e4fba96...f7cc032b557afe07ca941d021729127f99174a24 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b40db75908ece32c8416ada8e6d09f3d0e4fba96...f7cc032b557afe07ca941d021729127f99174a24 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
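Review bot: the new plib NOTE ("20210829: no fix yet") lacks the "(name)" suffix that the neighbouring python-babel notes carry, so it is not clear who checked; the pywps and qtbase-opensource-src entries are added with no claimant and no NOTE at all, so a one-line NOTE with the CVE id for each would help whoever takes them. In the CVE/list hunk, neither CVE-2021-38603 nor CVE-2021-38602 gets a NOTE with an upstream reference although both are unfixed in unstable too; a link to the upstream report would save the next triager a search.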
[Git][security-tracker-team/security-tracker][master] 5 commits: mark CVE-2020-18976 as unfixed and unimportant for Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: b9c68257 by Thorsten Alteholz at 2021-08-30T00:08:03+02:00 mark CVE-2020-18976 as unfixed and unimportant for Stretch - - - - - 0d127be8 by Thorsten Alteholz at 2021-08-30T00:11:44+02:00 add sssd - - - - - cf34b1a0 by Thorsten Alteholz at 2021-08-30T00:12:48+02:00 add btrbk - - - - - 4af4a5c3 by Thorsten Alteholz at 2021-08-30T00:15:03+02:00 mark some CVEs of liblivemedia as no-dsa - - - - - b40db759 by Thorsten Alteholz at 2021-08-30T00:17:14+02:00 mark two CVEs of libpodofo as postponed for Stretch - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -3893,14 +3893,17 @@ CVE-2021-38383 (OwnTone (aka owntone-server) through 28.1 has a use-after-free i NOT-FOR-US: OwnTone CVE-2021-38382 (Live555 through 1.08 does not handle Matroska and Ogg files properly. ...) - liblivemedia + [stretch] - liblivemedia (Minor issue) NOTE: http://lists.live555.com/pipermail/live-devel/2021-August/021959.html NOTE: http://www.live555.com/liveMedia/public/changelog.txt#[2021.08.06] CVE-2021-38381 (Live555 through 1.08 does not handle MPEG-1 or 2 files properly. Sendi ...) - liblivemedia + [stretch] - liblivemedia (Minor issue) NOTE: http://lists.live555.com/pipermail/live-devel/2021-August/021961.html NOTE: http://www.live555.com/liveMedia/public/changelog.txt#[2021.08.09] CVE-2021-38380 (Live555 through 1.08 mishandles huge requests for the same MP3 stream, ...) - liblivemedia + [stretch] - liblivemedia (Minor issue) NOTE: http://lists.live555.com/pipermail/live-devel/2021-August/021954.html NOTE: http://www.live555.com/liveMedia/public/changelog.txt#[2021.08.04] CVE-2021-38379 
@@ -80163,7 +80166,9 @@ CVE-2020-18977 RESERVED CVE-2020-18976 (Buffer Overflow in Tcpreplay v4.3.2 allows attackers to cause a Denial ...) - tcpreplay 4.3.3-1 + [stretch] - tcpreplay (unimportant) NOTE: https://github.com/appneta/tcpreplay/issues/556 + NOTE: Crash in CLI tool, no security impact CVE-2020-18975 RESERVED CVE-2020-18974 (Buffer Overflow in Netwide Assembler (NASM) v2.15.xx allows attackers ...) @@ -80174,9 +80179,11 @@ CVE-2020-18973 RESERVED CVE-2020-18972 (Exposure of Sensitive Information to an Unauthorized Actor in PoDoFo v ...) - libpodofo + [stretch] - libpodofo (Minor issue; can be fixed in next update) NOTE: https://sourceforge.net/p/podofo/tickets/49/ CVE-2020-18971 (Stack-based Buffer Overflow in PoDoFo v0.9.6 allows attackers to cause ...) - libpodofo + [stretch] - libpodofo (Minor issue; can be fixed in next update) NOTE: https://sourceforge.net/p/podofo/tickets/48/ CVE-2020-18970 RESERVED = data/dla-needed.txt = @@ -18,6 +18,8 @@ ansible NOTE: 20210411: after that LTS. (apo) NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/ -- +btrbk (Thorsten Alteholz) +-- cacti (Roberto C. Sánchez) NOTE: 20210829: not really sure whether affected, please recheck -- @@ -99,5 +101,7 @@ smarty3 (Abhijith PA) -- squashfs-tools (Thorsten Alteholz) -- +sssd +-- wireshark (Adrian Bunk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8f581df5eb6b841801b57aa2d50c0d092117ca51...b40db75908ece32c8416ada8e6d09f3d0e4fba96 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8f581df5eb6b841801b57aa2d50c0d092117ca51...b40db75908ece32c8416ada8e6d09f3d0e4fba96 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
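Review bot: the rationale added under the tcpreplay entry, "Crash in CLI tool, no security impact", is not stretch-specific, yet only a stretch line `+ [stretch] - tcpreplay (unimportant)` is added; if the issue has no security impact at all, the usual way is to put "(unimportant)" on the package line itself (`- tcpreplay 4.3.3-1 (unimportant)`) so every suite inherits it, and the stretch-only line becomes unnecessary. If the intent really is stretch-only, say why in the NOTE. Also confirm the status token, which this mail does not show between package and comment, is present in the committed line.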
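Review bot: the sssd entry added to dla-needed.txt has no claimant and no NOTE; a dated line with the CVE id would help, as the neighbouring squashfs-tools and wireshark lines at least carry a name. The btrbk claim is fine.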
[Git][security-tracker-team/security-tracker][master] 8 commits: mark CVE-2021-39272 as no-dsa for Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: e4218a6c by Thorsten Alteholz at 2021-08-29T23:30:50+02:00 mark CVE-2021-39272 as no-dsa for Stretch - - - - - e419aedf by Thorsten Alteholz at 2021-08-29T23:32:12+02:00 mark CVE-2021-38559 as no-dsa for Stretch - - - - - f2e56ad1 by Thorsten Alteholz at 2021-08-29T23:38:25+02:00 mark CVE-2021-32798 as no-dsa for Stretch - - - - - 90290d61 by Thorsten Alteholz at 2021-08-29T23:40:42+02:00 follow sec team and mark several CVEs of libelfin as no-dsa - - - - - 15d1e501 by Thorsten Alteholz at 2021-08-29T23:43:11+02:00 follow sec team and mark several CVEs of liblivemedia as ignored - - - - - 6e9fb5d5 by Thorsten Alteholz at 2021-08-29T23:46:32+02:00 mark CVE-2020-21677 as no-dsa for Stretch - - - - - db1b1cf5 by Thorsten Alteholz at 2021-08-29T23:57:16+02:00 mark CVE-2021-32804 and CVE-2021-32803 as not-affected for Stretch - - - - - 8f581df5 by Thorsten Alteholz at 2021-08-29T23:59:08+02:00 mark CVE-2021-3654 as no-dsa for Stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1916,10 +1916,12 @@ CVE-2021-39284 CVE-2021-39283 (liveMedia/FramedSource.cpp in Live555 through 1.08 allows an assertion ...) - liblivemedia [buster] - liblivemedia (Minor issue) + [stretch] - liblivemedia (Minor issue) NOTE: http://lists.live555.com/pipermail/live-devel/2021-August/021969.html CVE-2021-39282 (Live555 through 1.08 has a memory leak in AC3AudioStreamParser for AC3 ...) - liblivemedia [buster] - liblivemedia (Minor issue) + [stretch] - liblivemedia (Minor issue) NOTE: http://lists.live555.com/pipermail/live-devel/2021-August/021970.html CVE-2021-39281 RESERVED 
@@ -1947,6 +1949,7 @@ CVE-2021-39272 [TLS bypass vulnerabilities ("NO STARTTLS")] - fetchmail (bug #993163) [bullseye] - fetchmail (Minor issue; safe recommendations exists, implicit TLS, "ssl" mode exist) [buster] - fetchmail (Minor issue; safe recommendations exists, implicit TLS, "ssl" mode exist) + [stretch] - fetchmail (Minor issue; safe recommendations exists, implicit TLS, "ssl" mode exist) NOTE: https://www.fetchmail.info/fetchmail-SA-2021-02.txt CVE-2021-39271 RESERVED @@ -3516,6 +3519,7 @@ CVE-2021-38559 (DigitalDruid HotelDruid 3.0.2 has an XSS vulnerability in prenot - hoteldruid [bullseye] - hoteldruid (Minor issue) [buster] - hoteldruid (Minor issue) + [stretch] - hoteldruid (Minor issue) CVE-2021-38558 RESERVED CVE-2021-38557 (raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as ...) @@ -7065,6 +7069,7 @@ CVE-2021-3654 [novnc allows open redirection] - nova 2:23.0.2-3 (bug #991441) [bullseye] - nova (Minor issue) [buster] - nova (Minor issue) + [stretch] - nova (Minor issue) NOTE: https://bugs.launchpad.net/nova/+bug/1927677 CVE-2021-26263 RESERVED @@ -16772,12 +16777,14 @@ CVE-2021-32804 (The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0. - node-tar 6.1.7+~cs11.3.10-1 (bug #992111) [bullseye] - node-tar (Minor issue) [buster] - node-tar (Minor issue) + [stretch] - node-tar (Vulnerable code introduced later) NOTE: https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9 NOTE: https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4 CVE-2021-32803 (The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4 ...) - node-tar 6.1.7+~cs11.3.10-1 (bug #992110) [bullseye] - node-tar (Minor issue) [buster] - node-tar (Minor issue) + [stretch] - node-tar (Vulnerable code introduced later) NOTE: https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw NOTE: https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20 CVE-2021-32802 
@@ -16792,6 +16799,7 @@ CVE-2021-32798 (The Jupyter notebook is a web-based notebook environment for int - jupyter-notebook (bug #992704) [bullseye] - jupyter-notebook (Minor issue) [buster] - jupyter-notebook (Minor issue) + [stretch] - jupyter-notebook (Minor issue) NOTE: https://github.com/jupyter/notebook/security/advisories/GHSA-hwvq-6gjx-j797 NOTE: https://github.com/jupyter/notebook/commit/79fc76e890a8ec42f73a3d009e44ef84c14ef0d5 CVE-2021-32797 (JupyterLab is a user interface for Project Jupyter which will eventual ...) @@ -67833,42 +67841,49 @@ CVE-2020-24827 (A vulnerability in the dwarf::cursor::skip_form function of Libe - libelfin [bullseye] - libelfin (Minor issue) [buster] - libelfin (Minor issue) + [stretch
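Review bot: the two node-tar lines `+ [stretch] - node-tar (Vulnerable code introduced later)` give no reference for when that code arrived; the NOTEs link only the advisories and the fixing commits, so add an "Introduced by <commit> (vX.Y)" NOTE in the style the ckeditor CVE-2021-32809 entry already uses, otherwise the not-affected claim cannot be rechecked when the next node-tar issue lands.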
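Review bot: the diff in this mail breaks off at `+ [stretch` inside the libelfin hunk, so the libelfin no-dsa lines and the liblivemedia "ignored" lines named in the commit messages are not reviewable here; the ignored status in particular deserves a comment giving the reason, since the hunks that are visible for liblivemedia say only "Minor issue".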
[Git][security-tracker-team/security-tracker][master] 2 commits: fix for CVE-2021-29376 postponed until now
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 6729fea1 by Thorsten Alteholz at 2021-08-21T01:25:08+02:00 fix for CVE-2021-29376 postponed until now - - - - - 80c869ef by Thorsten Alteholz at 2021-08-21T01:25:52+02:00 Reserve DLA-2746-1 for scrollz - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -23888,7 +23888,6 @@ CVE-2021-29376 (ircII before 20210314 allows remote attackers to cause a denial [stretch] - ircii (Minor issue; can be fixed in next update) - scrollz 2.2.3-2 (bug #986215) [buster] - scrollz 2.2.3-1+deb10u1 - [stretch] - scrollz (Minor issue; can be fixed in next update) NOTE: https://www.openwall.com/lists/oss-security/2021/03/24/2 NOTE: https://github.com/ScrollZ/ScrollZ/issues/25 CVE-2021-29375 = data/DLA/list = @@ -1,3 +1,6 @@ +[21 Aug 2021] DLA-2746-1 scrollz - security update + {CVE-2021-29376} + [stretch] - scrollz 2.2.3-1+deb9u1 [16 Aug 2021] DLA-2745-1 thunderbird - security update {CVE-2021-29980 CVE-2021-29984 CVE-2021-29985 CVE-2021-29986 CVE-2021-29988 CVE-2021-29989} [stretch] - thunderbird 1:78.13.0-1~deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/467d219bc58adfbc80f926fac5eb21b25b7699bf...80c869ef0709025a0071eb5982b7493de100b59a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/467d219bc58adfbc80f926fac5eb21b25b7699bf...80c869ef0709025a0071eb5982b7493de100b59a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
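Review bot: the hunk drops the scrollz stretch line and reserves DLA-2746-1 for scrollz, while the ircii line in the same CVE-2021-29376 entry keeps "Minor issue; can be fixed in next update"; both packages carry the same CVE and the same reasoning, so either schedule ircii alongside or record in the NOTE why it waits, so the entry does not read as half-handled. The DLA entry itself is consistent with the buster fix: same upstream 2.2.3-1 base, stretch version 2.2.3-1+deb9u1.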
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2755-1 for btrbk
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: d89acc85 by Thorsten Alteholz at 2021-09-05T23:43:36+02:00 Reserve DLA-2755-1 for btrbk - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[05 Sep 2021] DLA-2755-1 btrbk - security update + {CVE-2021-38173} + [stretch] - btrbk 0.24.0-1+deb9u1 [04 Sep 2021] DLA-2754-1 pywps - security update {CVE-2021-39371} [stretch] - pywps 4.0.0-3+deb9u1 = data/dla-needed.txt = @@ -23,8 +23,6 @@ ansible NOTE: 20210411: after that LTS. (apo) NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/ -- -btrbk (Thorsten Alteholz) --- cacti (Roberto C. Sánchez) NOTE: 20210829: not really sure whether affected, please recheck -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d89acc85f59ee22026fe430f3de26f5c09826ff1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d89acc85f59ee22026fe430f3de26f5c09826ff1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 9760c2b8 by Thorsten Alteholz at 2021-09-12T23:30:05+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -38,6 +38,7 @@ gnutls28 (Sylvain Beucler) -- grilo (Thorsten Alteholz) NOTE: 20210825: ssl-use-system-ca-file is used in libsoup2.4 since version 2.38 + NOTE: 20210912: maintainer ok, testing package -- krb5 (Adrian Bunk) NOTE: 20210905: testing fixes @@ -66,8 +67,10 @@ nvidia-graphics-drivers NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077 -- openssl (Thorsten Alteholz) + NOTE: 20210912: testing package, upload probably after LE fix -- openssl1.0 (Thorsten Alteholz) + NOTE: 20210912: testing package, upload probably after LE fix -- plib NOTE: 20210829: no fix yet. (thorsten) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9760c2b8fb7e31f701c02800701bf70cec74f44d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9760c2b8fb7e31f701c02800701bf70cec74f44d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
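Review bot: the two identical NOTEs added for openssl and openssl1.0, "testing package, upload probably after LE fix", do not say what "LE" is or which fix is meant; spell it out and name the bug or CVE it depends on, since dla-needed.txt is read by other LTS team members long after the context is gone. The grilo NOTE "maintainer ok, testing package" is fine; consider adding the "(name)" suffix that the plib note below it now carries.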
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2723-1 for linuxptp
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: a254e6f8 by Thorsten Alteholz at 2021-07-31T02:05:08+02:00 Reserve DLA-2723-1 for linuxptp - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Jul 2021] DLA-2723-1 linuxptp - security update + {CVE-2021-3570} + [stretch] - linuxptp 1.8-1+deb9u1 [30 Jul 2021] DLA-2722-1 libsndfile - security update {CVE-2021-3246} [stretch] - libsndfile 1.0.27-3+deb9u2 = data/dla-needed.txt = @@ -65,8 +65,6 @@ linux (Ben Hutchings) -- linux-4.19 (Ben Hutchings) -- -linuxptp (Thorsten Alteholz --- nettle (Emilio) NOTE: 20210719: difficult backport, wip (Emilio) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a254e6f8563d66837f6a30c44edd47ad1fde6e2c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a254e6f8563d66837f6a30c44edd47ad1fde6e2c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] latest aspell upload to Buster also fixes CVE-2019-17544
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 62137669 by Thorsten Alteholz at 2021-07-31T01:11:31+02:00 latest aspell upload to Buster also fixes CVE-2019-17544 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -128912,7 +128912,6 @@ CVE-2019-17545 (GDAL through 3.0.1 has a poolDestroy double free in OGRExpatReal CVE-2019-17544 (libaspell.a in GNU Aspell before 0.60.8 has a stack-based buffer over- ...) {DLA-2720-1 DLA-1966-1} - aspell 0.60.8-1 (low) - [buster] - aspell (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16109 NOTE: https://github.com/GNUAspell/aspell/commit/80fa26c74279fced8d778351cff19d1d8f44fe4e CVE-2019-17543 (LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (rela ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62137669d531a0096c8a39390a01c4b99407c845 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62137669d531a0096c8a39390a01c4b99407c845 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
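Review bot: the hunk removes the buster "Minor issue" line but adds no `[buster] - aspell <version>` line recording the upload the commit message refers to; with neither a tag nor a suite-specific version, the tracker judges buster by the unstable fixed version 0.60.8-1 alone, which a buster update of an older upstream does not reach, so the CVE will still show as open for buster. Add the buster fixed version in the same change, and the advisory id in the braces if it went out as one.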
[Git][security-tracker-team/security-tracker][master] claim embargoed c-ares
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 21ca63ed by Thorsten Alteholz at 2021-08-10T08:31:13+02:00 claim embargoed c-ares - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -24,6 +24,8 @@ ansible asterisk (Chris Lamb) NOTE: 20210807: Double-check it applies; upstream's patch is actually a patch to an embedded code copy. (lamby) -- +c-ares (Thosten Alteholz) +-- commons-io (Markus Koschany) -- exiv2 (Utkarsh Gupta) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21ca63ed5069f3490f1aae51c1beb02d1212054e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21ca63ed5069f3490f1aae51c1beb02d1212054e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
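Review bot: the claimant name on the new line `+c-ares (Thosten Alteholz)` is misspelled (Thorsten); fix it so the entry matches the other claims in the file. Having no NOTE is fine for an embargoed claim, since the CVE id cannot be listed yet.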
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2738-1 for c-ares
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 1446a71e by Thorsten Alteholz at 2021-08-10T09:14:26+02:00 Reserve DLA-2738-1 for c-ares - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[10 Aug 2021] DLA-2738-1 c-ares - security update + {CVE-2021-3672} + [stretch] - c-ares 1.12.0-1+deb9u2 [09 Aug 2021] DLA-2737-1 openjdk-8 - security update {CVE-2021-2341 CVE-2021-2369 CVE-2021-2388} [stretch] - openjdk-8 8u302-b08-1~deb9u1 = data/dla-needed.txt = @@ -24,8 +24,6 @@ ansible asterisk (Chris Lamb) NOTE: 20210807: Double-check it applies; upstream's patch is actually a patch to an embedded code copy. (lamby) -- -c-ares (Thosten Alteholz) --- commons-io (Markus Koschany) -- exiv2 (Utkarsh Gupta) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1446a71ecdd062625913fe1949ab1591c9a9deba
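Review bot: the DLA/list hunk records DLA-2738-1 for CVE-2021-3672 with `c-ares 1.12.0-1+deb9u2`, while the changed-files list shows data/CVE/list untouched in this commit; check that the CVE-2021-3672 entry there does not still carry a stretch marker (postponed or no-dsa) that contradicts the issued DLA.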
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2722-1 for libsndfile
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 3a9e658f by Thorsten Alteholz at 2021-07-30T00:31:29+02:00 Reserve DLA-2722-1 for libsndfile - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Jul 2021] DLA-2722-1 libsndfile - security update + {CVE-2021-3246} + [stretch] - libsndfile 1.0.27-3+deb9u2 [26 Jul 2021] DLA-2721-1 drupal7 - security update {CVE-2021-32610} [stretch] - drupal7 7.52-2+deb9u16 = data/dla-needed.txt = @@ -59,8 +59,6 @@ firmware-nonfree (Anton Gladky) gpac (Thorsten Alteholz) NOTE: 20210719: WIP -- -libsndfile (Thorsten Alteholz) --- linux (Ben Hutchings) -- linux-4.19 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a9e658fefca0f58caec3030790aa99d4929097d
[Git][security-tracker-team/security-tracker][master] update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 37e914d2 by Thorsten Alteholz at 2021-08-02T00:19:17+02:00 update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -49,7 +49,7 @@ firmware-nonfree (Anton Gladky) NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree -- gpac (Thorsten Alteholz) - NOTE: 20210719: WIP + NOTE: 20210801: WIP, almost done, testing package -- linux (Ben Hutchings) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/37e914d2a3332b22c063bb4fde4ef0dce809cebf
[Git][security-tracker-team/security-tracker][master] 3 commits: mark CVE-2021-41054 as postponed for Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 60357035 by Thorsten Alteholz at 2021-09-21T23:55:22+02:00 mark CVE-2021-41054 as postponed for Stretch - - - - - 2a282ba5 by Thorsten Alteholz at 2021-09-22T00:02:00+02:00 mark CVE-2021-21897 as no-dsa for Stretch - - - - - 34355851 by Thorsten Alteholz at 2021-09-22T00:03:28+02:00 Reserve DLA-2762-1 for grilo - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -1439,6 +1439,7 @@ CVE-2021-41054 (tftpd_file.c in atftp through 0.7.4 has a buffer overflow becaus - atftp 0.7.git20210915-1 [bullseye] - atftp (Minor issue; can be fixed via point release) [buster] - atftp (Minor issue; can be fixed via point release) + [stretch] - atftp (Minor issue) NOTE: https://sourceforge.net/p/atftp/code/ci/d255bf90834fb45be52decf9bc0b4fb46c90f205/ CVE-2021-3798 [Soft token does not check if an EC key is valid] RESERVED @@ -47079,6 +47080,7 @@ CVE-2021-21897 (A code execution vulnerability exists in the DL_Dxf::handleLWPol - dxflib 3.26.4-1 [bullseye] - dxflib (Minor issue) [buster] - dxflib (Minor issue) + [stretch] - dxflib (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1346 NOTE: https://github.com/qcad/qcad/commit/1eeffc5daf5a06cf6213ffc19e95923cdebb2eb8 TODO: check, horizon-eda, cloudcompare, kicad embedds it, but needs to check if actually used and issue affects those = data/DLA/list = @@ -1,3 +1,6 @@ +[22 Sep 2021] DLA-2762-1 grilo - security update + {CVE-2021-39365} + [stretch] - grilo 0.3.2-2+deb9u1 [18 Sep 2021] DLA-2761-1 openssl1.0 - security update [stretch] - openssl1.0 1.0.2u-1~deb9u5 [18 Sep 2021] DLA-2760-1 nettle - security update = data/dla-needed.txt = 
@@ -35,10 +35,6 @@ firmware-nonfree NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag -- -grilo (Thorsten Alteholz) - NOTE: 20210825: ssl-use-system-ca-file is used in libsoup2.4 since version 2.38 - NOTE: 20210912: maintainer ok, testing package --- jsoup (Markus Koschany) -- krb5 (Adrian Bunk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e5674efb404a858ede15524c4b47d1d42eb8c86c...34355851496275fe6611f3d0134f99e758ed6735
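Review bot: in the CVE-2021-21897 hunk the new `[stretch] - dxflib (Minor issue)` line settles only the dxflib source package, while the context line directly below it, `TODO: check, horizon-eda, cloudcompare, kicad embedds it, but needs to check if actually used and issue affects those`, is left open; the stretch assessment for those embedding packages is therefore still pending. Either resolve the TODO in the same change or state in the reason string that the embedded copies were not assessed.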
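Review bot: the dla-needed.txt hunk deletes the grilo block together with its note `20210825: ssl-use-system-ca-file is used in libsoup2.4 since version 2.38`, recorded while preparing the update now issued as DLA-2762-1 for CVE-2021-39365 (`grilo 0.3.2-2+deb9u1` in the DLA/list hunk). That rationale disappears with the block, so carry it over as a `NOTE:` line on the CVE-2021-39365 entry in data/CVE/list before dropping it here.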
[Git][security-tracker-team/security-tracker][master] add apache2
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: f1c6f9bb by Thorsten Alteholz at 2021-09-23T12:21:43+02:00 add apache2 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -23,6 +23,8 @@ ansible (Lee Garrett) NOTE: 20210411: after that LTS. (apo) NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/ -- +apache2 +-- cacti (Roberto C. Sánchez) NOTE: 20210829: not really sure whether affected, please recheck NOTE: 20210914: still assessing whether or not affected (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f1c6f9bb7dd11f11d438f7904f9f11b8b480014a
[Git][security-tracker-team/security-tracker][master] 10 commits: mark CVE-2021-3711 as not-affected for Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: d20ab257 by Thorsten Alteholz at 2021-09-23T11:05:48+02:00 mark CVE-2021-3711 as not-affected for Stretch - - - - - ed422429 by Thorsten Alteholz at 2021-09-23T11:39:38+02:00 mark CVE-2021-38575 as no-dsa for Stretch - - - - - ef8b13bb by Thorsten Alteholz at 2021-09-23T11:40:55+02:00 mark CVE-2021-32280 as no-dsa for Stretch - - - - - e4dba6cd by Thorsten Alteholz at 2021-09-23T11:42:16+02:00 mark CVE-2021-40812 as no-dsa for Stretch - - - - - 47cc2611 by Thorsten Alteholz at 2021-09-23T11:44:44+02:00 mark CVE-2021-3805 as no-dsa for Stretch - - - - - 6aa32b6a by Thorsten Alteholz at 2021-09-23T11:45:29+02:00 mark CVE-2021-23440 as no-dsa for Stretch - - - - - 7f31d374 by Thorsten Alteholz at 2021-09-23T11:50:12+02:00 mark CVE-2021-3807 as not-affected for Stretch - - - - - 6e88e4b7 by Thorsten Alteholz at 2021-09-23T11:51:42+02:00 mark CVE-2021-40839 as no-dsa for Stretch - - - - - 84036693 by Thorsten Alteholz at 2021-09-23T11:53:35+02:00 mark CVE-2021-39214 as no-dsa for Stretch - - - - - f6bebaed by Thorsten Alteholz at 2021-09-23T11:55:10+02:00 mark CVE-2021-32294 as postponed for Stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -575,6 +575,7 @@ CVE-2021-3807 (ansi-regex is vulnerable to Inefficient Regular Expression Comple - node-ansi-regex 5.0.1-1 (bug #994568) [bullseye] - node-ansi-regex (Minor issue) [buster] - node-ansi-regex (Minor issue) + [stretch] - node-ansi-regex (Vulnerable code introduced later) NOTE: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994 NOTE: https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9 (v6.0.1) CVE-2021-3806 (A path traversal vulnerability on Pardus Software Center's "extractArc ...) 
@@ -583,6 +584,7 @@ CVE-2021-3805 (object-path is vulnerable to Improperly Controlled Modification o - node-object-path 0.11.8-1 [bullseye] - node-object-path (Minor issue) [buster] - node-object-path (Minor issue) + [stretch] - node-object-path (Minor issue) NOTE: https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053 NOTE: https://github.com/mariocasciaro/object-path/commit/e6bb638ffdd431176701b3e9024f80050d0ef0a6 CVE-2021-41303 (Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a ...) @@ -1572,6 +1574,7 @@ CVE-2021-40839 (The rencode package through 1.0.6 for Python allows an infinite - python-rencode 1.0.6-2 [bullseye] - python-rencode (Minor issue) [buster] - python-rencode (Minor issue) + [stretch] - python-rencode (Minor issue) NOTE: https://github.com/aresch/rencode/commit/572ff74586d9b1daab904c6f7f7009ce0143bb75 NOTE: https://github.com/aresch/rencode/pull/29 CVE-2021-40838 @@ -1665,6 +1668,7 @@ CVE-2021-40812 (The GD Graphics Library (aka LibGD) through 2.3.2 has an out-of- - libgd2 [bullseye] - libgd2 (Minor issue) [buster] - libgd2 (Minor issue) + [stretch] - libgd2 (Minor issue) NOTE: https://github.com/libgd/libgd/issues/750#issuecomment-914872385 NOTE: https://github.com/libgd/libgd/commit/6f5136821be86e7068fcdf651ae9420b5d42e9a9 CVE-2021-40811 @@ -5410,6 +5414,7 @@ CVE-2021-39214 (mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. - mitmproxy (bug #994570) [bullseye] - mitmproxy (Minor issue) [buster] - mitmproxy (Minor issue) + [stretch] - mitmproxy (Minor issue) NOTE: https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-22gh-3r9q-xf38 CVE-2021-39213 (GLPI is a free Asset and IT management software package. Starting in v ...) - glpi (unimportant) 
@@ -6199,6 +6204,7 @@ CVE-2021-3712 (ASN.1 strings are represented internally within OpenSSL as an ASN CVE-2021-3711 (In order to decrypt SM2 encrypted data an application is expected to c ...) {DSA-4963-1} - openssl 1.1.1l-1 + [stretch] - openssl (supprt for SM2 decryption added in 1.1.1-pre3) - openssl1.0 (Vulnerability does not affect 1.0.2 series) NOTE: https://www.openssl.org/news/secadv/20210824.txt NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=59f5e75f3bced8fc0e130d72a3f582cf7b480b46 (OpenSSL_1_1_1l) @@ -6820,6 +6826,7 @@ CVE-2021-38575 [edk2: remote buffer overflow in IScsiHexToBin function in Networ - edk2 2021.08-1 [bullseye] - edk2 (Minor issue) [buster] - edk2 (Minor issue) + [stretch] - edk2 (Minor issue) NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 NOTE: https://edk2.groups.io/g/devel/message/76198 NOTE: https://github.com/tianocore/edk2/pull/1698 @@ -21645,6 +21652,7 @@ CVE-2021-
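Review bot: the stretch line added in the CVE-2021-3711 hunk reads `(supprt for SM2 decryption added in 1.1.1-pre3)`; fix the typo to `support`. That reason string is the only place the stretch not-affected decision is explained (the neighbouring `openssl1.0 (Vulnerability does not affect 1.0.2 series)` line covers its own series separately), so it should read cleanly for whoever re-checks the entry later.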
[Git][security-tracker-team/security-tracker][master] 4 commits: add wordpress
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 0f3c34a2 by Thorsten Alteholz at 2021-09-23T11:57:30+02:00 add wordpress - - - - - c1c66ce6 by Thorsten Alteholz at 2021-09-23T11:59:20+02:00 add squashfs-tools - - - - - 864f0882 by Thorsten Alteholz at 2021-09-23T12:02:03+02:00 follow security team and mark some CVEs from gpac as ignored - - - - - d845a7c9 by Thorsten Alteholz at 2021-09-23T12:04:10+02:00 mark several CVEs from libde265 as postponed until fixed upstream - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -22000,6 +22000,7 @@ CVE-2021-32139 (The gf_isom_vp_config_get function in GPAC 1.0.1 allows attacker - gpac [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) + [stretch] - gpac (Minor issue) - ccextractor 0.93+ds2-1 (bug #994746) [bullseye] - ccextractor (Vulnerable code introduced later) [buster] - ccextractor (Vulnerable code introduced later) @@ -22009,12 +22010,14 @@ CVE-2021-32138 (The DumpTrackInfo function in GPAC 1.0.1 allows attackers to cau - gpac [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) + [stretch] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/commit/289ffce3e0d224d314f5f92a744d5fe35999f20b NOTE: https://github.com/gpac/gpac/issues/1767 CVE-2021-32137 (Heap buffer overflow in the URL_GetProtocolType function in MP4Box in ...) - gpac [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) + [stretch] - gpac (Minor issue) - ccextractor 0.93+ds2-1 (bug #994746) [bullseye] - ccextractor (Minor issue) [buster] - ccextractor (Minor issue) 
@@ -22024,6 +22027,7 @@ CVE-2021-32136 (Heap buffer overflow in the print_udta function in MP4Box in GPA - gpac [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) + [stretch] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/commit/eb71812fcc10e9c5348a5d1c61bd25b6fa06eaed NOTE: https://github.com/gpac/gpac/issues/1765 CVE-2021-32135 (The trak_box_size function in GPAC 1.0.1 allows attackers to cause a d ...) @@ -22037,6 +22041,7 @@ CVE-2021-32134 (The gf_odf_desc_copy function in GPAC 1.0.1 allows attackers to - gpac [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) + [stretch] - gpac (Minor issue) - ccextractor 0.93+ds2-1 (bug #994746) [bullseye] - ccextractor (Vulnerable code introduced later) [buster] - ccextractor (Vulnerable code introduced later) 
@@ -78663,66 +78668,79 @@ CVE-2020-21606 (libde265 v1.0.4 contains a heap buffer overflow fault in the put - libde265 [bullseye] - libde265 (Minor issue, revisit when fixed upstream) [buster] - libde265 (Minor issue, revisit when fixed upstream) + [stretch] - libde265 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/232 CVE-2020-21605 (libde265 v1.0.4 contains a segmentation fault in the apply_sao_interna ...) - libde265 [bullseye] - libde265 (Minor issue, revisit when fixed upstream) [buster] - libde265 (Minor issue, revisit when fixed upstream) + [stretch] - libde265 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/234 CVE-2020-21604 (libde265 v1.0.4 contains a heap buffer overflow fault in the _mm_loadl ...) - libde265 [bullseye] - libde265 (Minor issue, revisit when fixed upstream) [buster] - libde265 (Minor issue, revisit when fixed upstream) + [stretch] - libde265 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/231 CVE-2020-21603 (libde265 v1.0.4 contains a heap buffer overflow in the put_qpel_0_0_fa ...) - libde265 [bullseye] - libde265 (Minor issue, revisit when fixed upstream) [buster] - libde265 (Minor issue, revisit when fixed upstream) + [stretch] - libde265 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/240 CVE-2020-21602 (libde265 v1.0.4 contains a heap buffer overflow in the put_weighted_bi ...) - libde265 [bullseye] - libde265 (Minor issue, revisit when fixed upstream) [buster] - libde265 (Minor issue, revisit when fixed upstream) + [stretch] - libde265 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/242 CVE-2020-21601 (libde265 v1.0.4 contains a stack buffer overflow in the put_qpel_fallb ...) - libde265 [bullseye] - libde265 (Minor issue, revisit when fixed
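Review bot: in the CVE-2021-32139, CVE-2021-32137 and CVE-2021-32134 hunks a `[stretch] - gpac (Minor issue)` line is added, but the `ccextractor 0.93+ds2-1 (bug #994746)` sub-entries directly below keep only their bullseye and buster lines (`Vulnerable code introduced later` for 32139 and 32134, `Minor issue` for 32137) and receive no stretch line. If stretch's ccextractor likewise predates the vulnerable code, add the matching `[stretch] - ccextractor` line in the same change so the stretch state is recorded for both source packages rather than only for gpac.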
[Git][security-tracker-team/security-tracker][master] 3 commits: add fig2dev
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: f1305d96 by Thorsten Alteholz at 2021-09-23T17:26:59+02:00 add fig2dev - - - - - e48462ca by Thorsten Alteholz at 2021-09-23T17:27:00+02:00 follow security team and mark CVEs of libsolv as no-dsa - - - - - 30e5ff86 by Thorsten Alteholz at 2021-09-23T17:27:02+02:00 follow security team and mark CVEs of vim as no-dsa - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -1514,6 +1514,7 @@ CVE-2021-3796 (vim is vulnerable to Use After Free ...) - vim (bug #994497) [bullseye] - vim (Minor issue) [buster] - vim (Minor issue) + [stretch] - vim (Minor issue) NOTE: https://huntr.dev/bounties/ab60b7f3-6fb1-4ac2-a4fa-4d592e08008d/ NOTE: https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3 (v8.2.3428) CVE-2021-3795 (semver-regex is vulnerable to Inefficient Regular Expression Complexit ...) @@ -1957,6 +1958,7 @@ CVE-2021-3778 (vim is vulnerable to Heap-based Buffer Overflow ...) - vim (bug #994498) [bullseye] - vim (Minor issue) [buster] - vim (Minor issue) + [stretch] - vim (Minor issue) NOTE: https://huntr.dev/bounties/d9c17308-2c99-4f9f-a706-f7f72c24c273 NOTE: https://github.com/vim/vim/commit/65b605665997fad54ef39a93199e305af2fe4d7f (v8.2.3409) CVE-2021-3777 (nodejs-tmpl is vulnerable to Inefficient Regular Expression Complexity ...) @@ -2347,6 +2349,7 @@ CVE-2021-3770 (vim is vulnerable to Heap-based Buffer Overflow ...) - vim (bug #994076) [bullseye] - vim (Minor issue) [buster] - vim (Minor issue) + [stretch] - vim (Minor issue) NOTE: https://huntr.dev/bounties/016ad2f2-07c1-4d14-a8ce-6eed10729365/ NOTE: Fixed by: https://github.com/vim/vim/commit/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9 (v8.2.3402) NOTE: Followup fix for introduced memory leak: https://github.com/vim/vim/commit/2ddb89f8a94425cda1e5491efc80c1b6e08e (v8.2.3403) 
@@ -17534,6 +17537,7 @@ CVE-2021-33939 CVE-2021-33938 (Buffer overflow vulnerability in function prune_to_recommended in src/ ...) - libsolv 0.7.17-1 [buster] - libsolv (Minor issue) + [stretch] - libsolv (Minor issue) NOTE: https://github.com/openSUSE/libsolv/issues/420 NOTE: https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec (0.7.17) CVE-2021-33937 @@ -17553,16 +17557,19 @@ CVE-2021-33931 CVE-2021-33930 (Buffer overflow vulnerability in function pool_installable_whatprovide ...) - libsolv 0.7.17-1 [buster] - libsolv (Minor issue) + [stretch] - libsolv (Minor issue) NOTE: https://github.com/openSUSE/libsolv/issues/417 NOTE: https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec (0.7.17) CVE-2021-33929 (Buffer overflow vulnerability in function pool_disabled_solvable in sr ...) - libsolv 0.7.17-1 [buster] - libsolv (Minor issue) + [stretch] - libsolv (Minor issue) NOTE: https://github.com/openSUSE/libsolv/issues/417 NOTE: https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec (0.7.17) CVE-2021-33928 (Buffer overflow vulnerability in function pool_installable in src/repo ...) - libsolv 0.7.17-1 [buster] - libsolv (Minor issue) + [stretch] - libsolv (Minor issue) NOTE: https://github.com/openSUSE/libsolv/issues/417 NOTE: https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec (0.7.17) CVE-2021-33927 = data/dla-needed.txt = 
@@ -33,6 +33,8 @@ debian-archive-keyring (Utkarsh) NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html NOTE: 20210920: Raphael answered. will backport today. (utkarsh) -- +fig2dev +-- firmware-nonfree NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ef0fe6e5ab9c57627cfbf720a19fa07b76401bff...30e5ff86074d0b1d1a9624c46f4336d6c2d2f43c
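Review bot: in the CVE-2021-3770 hunk the context line `NOTE: Followup fix for introduced memory leak: https://github.com/vim/vim/commit/2ddb89f8a94425cda1e5491efc80c1b6e08e (v8.2.3403)` carries a 36-hex-digit commit id rather than a full 40-digit SHA. The stretch line added here will be revisited when a backport is prepared, and that backport needs both the fix (`b7081e135a16091c93f6f5f7525a5c58fb7ca9f9`, v8.2.3402) and the leak follow-up, so confirm the link resolves and replace the id with the full hash while the entry is being touched.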
[Git][security-tracker-team/security-tracker][master] 2 commits: add curl
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c7872af by Thorsten Alteholz at 2021-09-23T17:30:38+02:00 add curl - - - - - f50af7b6 by Thorsten Alteholz at 2021-09-23T17:37:01+02:00 add redis - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -29,6 +29,8 @@ cacti (Roberto C. Sánchez) NOTE: 20210829: not really sure whether affected, please recheck NOTE: 20210914: still assessing whether or not affected (roberto) -- +curl (Thorsten Alteholz) +-- debian-archive-keyring (Utkarsh) NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html NOTE: 20210920: Raphael answered. will backport today. (utkarsh) @@ -82,6 +84,8 @@ python-babel qtbase-opensource-src (Utkarsh) NOTE: 20210914: needs further checking for vulnerability. (utkarsh) -- +redis (Chris Lamb) +-- ruby2.3 NOTE: 20210802: Utkarsh already uploaded a fix for sid/bullseye. (utkarsh) NOTE: 20210816: wip, backporting patches; a bit hard. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/30e5ff86074d0b1d1a9624c46f4336d6c2d2f43c...f50af7b6fb69137433480780eb7983eb9d5e2000
[Git][security-tracker-team/security-tracker][master] 2 commits: add ffmpeg
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 49bfc022 by Thorsten Alteholz at 2021-09-23T17:48:55+02:00 add ffmpeg - - - - - 22a2ee73 by Thorsten Alteholz at 2021-09-23T17:50:01+02:00 follow security team and mark CVE-2021-33362 as ignored for Stretch - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -19017,6 +19017,7 @@ CVE-2021-33362 (Stack buffer overflow in the hevc_parse_vps_extension function i - gpac [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) + [stretch] - gpac (Minor issue) - ccextractor 0.93+ds2-1 (bug #994746) [bullseye] - ccextractor (Minor issue) [buster] - ccextractor (Minor issue) = data/dla-needed.txt = @@ -35,6 +35,9 @@ debian-archive-keyring (Utkarsh) NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html NOTE: 20210920: Raphael answered. will backport today. (utkarsh) -- +ffmpeg + NOTE: probably wait until stuff is fixed in Buster +-- fig2dev -- firmware-nonfree View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f50af7b6fb69137433480780eb7983eb9d5e2000...22a2ee73cccfaf48613c6d161e6f48ce45b19294
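Review bot: the new `+ NOTE: probably wait until stuff is fixed in Buster` line under `ffmpeg` in the dla-needed.txt hunk has no date prefix, unlike the surrounding notes (`NOTE: 20210920: Raphael answered. will backport today. (utkarsh)`); add the `YYYYMMDD:` prefix so it is clear when the wait-for-buster decision was taken and when it should be re-checked.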
[Git][security-tracker-team/security-tracker][master] follow security team and maintainer and mark two CVEs of gtkpod as ignored for Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 8911d82e by Thorsten Alteholz at 2021-09-23T18:35:39+02:00 follow security team and maintainer and mark two CVEs of gtkpod as ignored for Stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9985,6 +9985,7 @@ CVE-2021-37232 (A stack overflow vulnerability occurs in Atomicparsley 20210124. - gtkpod (bug #993376) [bullseye] - gtkpod (Minor issue) [buster] - gtkpod (Minor issue) + [stretch] - gtkpod (Minor issue) NOTE: https://github.com/wez/atomicparsley/commit/d72ccf06c98259d7261e0f3ac4fd8717778782c1 NOTE: https://github.com/wez/atomicparsley/issues/32 CVE-2021-37231 (A stack-buffer-overflow occurs in Atomicparsley 20210124.204813.840499 ...) @@ -9992,6 +9993,7 @@ CVE-2021-37231 (A stack-buffer-overflow occurs in Atomicparsley 20210124.204813. - gtkpod (bug #993375) [bullseye] - gtkpod (Minor issue) [buster] - gtkpod (Minor issue) + [stretch] - gtkpod (Minor issue) NOTE: https://github.com/wez/atomicparsley/issues/30 NOTE: https://github.com/wez/atomicparsley/pull/31#issue-687280335 CVE-2021-37230 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8911d82e11af24b2cab38dcc3dd8ebdff29831da
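Review bot: both hunks (CVE-2021-37232 and CVE-2021-37231) mark only the `gtkpod` copy for stretch, yet the CVE descriptions name Atomicparsley itself and every NOTE link points at the wez/atomicparsley repository; the entry lines for the atomicparsley source package are not part of this change. Check whether atomicparsley in stretch needs its own status line so the embedded copy in gtkpod is not the only one recorded.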
[Git][security-tracker-team/security-tracker][master] add my hours
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: e3f4ccba by Thorsten Alteholz at 2021-10-11T15:50:16+02:00 add my hours - - - - - 1 changed file: - org/lts-frontdesk.2022.txt Changes: = org/lts-frontdesk.2022.txt = 
@@ -13,53 +13,53 @@ Who is in charge ? From 03-01 to 09-01:Chris Lamb From 10-01 to 16-01: -From 17-01 to 23-01: +From 17-01 to 23-01:Thorsten Alteholz From 24-01 to 30-01: From 31-01 to 06-02: From 07-02 to 13-02:Chris Lamb From 14-02 to 20-02: -From 21-02 to 27-02: +From 21-02 to 27-02:Thorsten Alteholz From 28-02 to 06-03: From 07-03 to 13-03:Chris Lamb From 14-03 to 20-03: -From 21-03 to 27-03: +From 21-03 to 27-03:Thorsten Alteholz From 28-03 to 03-04: From 04-04 to 10-04:Chris Lamb From 11-04 to 17-04: -From 18-04 to 24-04: +From 18-04 to 24-04:Thorsten Alteholz From 25-04 to 01-05: From 02-05 to 08-05: From 09-05 to 15-05:Chris Lamb From 16-05 to 22-05: -From 23-05 to 29-05: +From 23-05 to 29-05:Thorsten Alteholz From 30-05 to 05-06: From 06-06 to 12-06:Chris Lamb From 13-06 to 19-06: -From 20-06 to 26-06: +From 20-06 to 26-06:Thorsten Alteholz From 27-06 to 03-07: From 04-07 to 10-07: From 11-07 to 17-07:Chris Lamb -From 18-07 to 24-07: +From 18-07 to 24-07:Thorsten Alteholz From 25-07 to 31-07: From 01-08 to 07-08: From 08-08 to 14-08: From 15-08 to 21-08:Chris Lamb -From 22-08 to 28-08: +From 22-08 to 28-08:Thorsten Alteholz From 29-08 to 04-09: From 05-09 to 11-09:Chris Lamb From 12-09 to 18-09: -From 19-09 to 25-09: +From 19-09 to 25-09:Thorsten Alteholz From 26-09 to 02-10: From 03-10 to 09-10: From 10-10 to 16-10: From 17-10 to 23-10:Chris Lamb -From 24-10 to 30-10: +From 24-10 to 30-10:Thorsten Alteholz From 31-10 to 06-11: From 07-11 to 13-11: From 14-11 to 20-11: -From 21-11 to 27-11: +From 21-11 to 27-11:Thorsten Alteholz From 28-11 to 04-12: From 05-12 to 11-12:Chris Lamb -From 12-12 to 18-12: +From 12-12 to 18-12:Thorsten Alteholz From 19-12 to 25-12: From 26-12 to 01-01: View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e3f4ccbabeb6074ca7ec74bf4ab977930fd9488c
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: ec87c80f by Thorsten Alteholz at 2021-10-11T00:14:37+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -31,8 +31,10 @@ debian-archive-keyring (Utkarsh) NOTE: 20211003: failing. Or at least appears to be. :( (utkarsh) -- exiv2 (Thorsten Alteholz) + NOTE: 20211010: WIP, also taking care of older issues -- faad2 (Thorsten Alteholz) + NOTE: 20211010: WIP, also taking care of older issues -- ffmpeg (Anton Gladky) NOTE: probably wait until stuff is fixed in Buster @@ -111,7 +113,7 @@ smarty3 (Markus Koschany) NOTE: 20210906: prepared a build for testing. Waiting for bug submitter's reply (abhijith) -- squashfs-tools (Thorsten Alteholz) - NOTE: 20210926: coordinate with upload to other releases + NOTE: 20211010: coordinate with upload to other releases -- thunderbird (Emilio) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec87c80f36288b03c7df0c6ad1acea4f6138ba10
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2789-1 for squashfs-tools
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 67cce6ac by Thorsten Alteholz at 2021-10-20T23:47:04+02:00 Reserve DLA-2789-1 for squashfs-tools - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[20 Oct 2021] DLA-2789-1 squashfs-tools - security update + {CVE-2021-41072} + [stretch] - squashfs-tools 1:4.3-3+deb9u3 [20 Oct 2021] DLA-2768-2 uwsgi - regression update [stretch] - uwsgi 2.0.14+20161117-3+deb9u5 [20 Oct 2021] DLA-2618-3 smarty3 - regression update = data/dla-needed.txt = @@ -95,8 +95,5 @@ salt (Markus Koschany) NOTE: 20210607: new CVE patch proposed by damien; donfede to provide a debdiff. (utkarsh) NOTE: 20210816: will test the provided debdiff; needs testing as regression spotted. (utkarsh) -- -squashfs-tools (Thorsten Alteholz) - NOTE: 20211010: coordinate with upload to other releases --- thunderbird (Emilio) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/67cce6ac5517e713b450b33d0f3c205989592ff5
[Git][security-tracker-team/security-tracker][master] 3 commits: add gpac
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 3f0cae72 by Thorsten Alteholz at 2021-10-21T15:00:26+02:00 add gpac - - - - - 267a2047 by Thorsten Alteholz at 2021-10-21T15:02:33+02:00 mark two CVEs of vim as no-dsa for Stretch - - - - - 99dd3f50 by Thorsten Alteholz at 2021-10-21T15:05:04+02:00 mark two CVEs of atomicparsley as no-dsa for Stretch - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -2618,6 +2618,7 @@ CVE-2021-3875 (vim is vulnerable to Heap-based Buffer Overflow ...) - vim (bug #996593) [bullseye] - vim (Minor issue) [buster] - vim (Minor issue) + [stretch] - vim (Minor issue) NOTE: https://huntr.dev/bounties/5cdbc168-6ba1-4bc2-ba6c-28be12166a53/ NOTE: https://github.com/vim/vim/commit/35a319b77f897744eec1155b736e9372c9c5575f (v8.2.3489) CVE-2021-42133 @@ -2692,6 +2693,7 @@ CVE-2021-42101 RESERVED CVE-2021-3872 (vim is vulnerable to Heap-based Buffer Overflow ...) - vim + [stretch] - vim (Minor issue) NOTE: https://huntr.dev/bounties/c958013b-1c09-4939-92ca-92f50aa169e8 NOTE: https://github.com/vim/vim/commit/826bfe4bbd7594188e3d74d2539d9707b1c6a14b CVE-2021-3871 @@ -14202,6 +14204,7 @@ CVE-2021-37233 RESERVED CVE-2021-37232 (A stack overflow vulnerability occurs in Atomicparsley 20210124.204813 ...) - atomicparsley 20210715.151551.e7ad03a-1 (bug #993366) + [stretch] - atomicparsley (Minor issue) - gtkpod (bug #993376) [bullseye] - gtkpod (Minor issue) [buster] - gtkpod (Minor issue) @@ -14210,6 +14213,7 @@ CVE-2021-37232 (A stack overflow vulnerability occurs in Atomicparsley 20210124. NOTE: https://github.com/wez/atomicparsley/issues/32 CVE-2021-37231 (A stack-buffer-overflow occurs in Atomicparsley 20210124.204813.840499 ...) - atomicparsley 20210715.151551.e7ad03a-1 (bug #993372) + [stretch] - atomicparsley (Minor issue) - gtkpod (bug #993375) [bullseye] - gtkpod (Minor issue) [buster] - gtkpod (Minor issue) = data/dla-needed.txt = 
@@ -44,6 +44,8 @@ firmware-nonfree NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag -- +gpac +-- linux (Ben Hutchings) -- linux-4.19 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/839cb5b9da7d79aa389d8ccd47f751b93d4a47f7...99dd3f50eebe4cbc2ce32fe41c293b56c13fbc26 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/839cb5b9da7d79aa389d8ccd47f751b93d4a47f7...99dd3f50eebe4cbc2ce32fe41c293b56c13fbc26 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
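Review bot: the new gpac entry in data/dla-needed.txt carries neither a claimer nor a NOTE, unlike the neighbouring firmware-nonfree and linux entries in the same hunk; add a NOTE listing the open CVE ids that motivate the entry, so whoever picks it up knows the scope without re-triaging.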
[Git][security-tracker-team/security-tracker][master] 2 commits: mark CVE-2021-41990 as not-affected for Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 5fb95468 by Thorsten Alteholz at 2021-10-19T23:35:37+02:00 mark CVE-2021-41990 as not-affected for Stretch - - - - - 0bfe9879 by Thorsten Alteholz at 2021-10-20T00:32:36+02:00 Reserve DLA-2788-1 for strongswan - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -2840,6 +2840,7 @@ CVE-2021-41991 (The in-memory certificate cache in strongSwan before 5.9.4 has a CVE-2021-41990 (The gmp plugin in strongSwan before 5.9.4 has a remote integer overflo ...) {DSA-4989-1} - strongswan + [stretch] - strongswan (The vulnerable code was introduced later in version 5.6.1) NOTE: https://www.strongswan.org/blog/2021/10/18/strongswan-vulnerability-(cve-2021-41990).html CVE-2021-41989 RESERVED = data/DLA/list = @@ -1,3 +1,6 @@ +[20 Oct 2021] DLA-2788-1 strongswan - security update + {CVE-2021-41991} + [stretch] - strongswan 5.5.1-4+deb9u5 [18 Oct 2021] DLA-2787-1 redmine - security update {CVE-2021-42326} [stretch] - redmine 3.3.1-4+deb9u5 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/caa311ef3e719a8aede9469feab18f461b26b4f2...0bfe9879fb9c9808e78cf69a54eb1b8f3eff17fa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/caa311ef3e719a8aede9469feab18f461b26b4f2...0bfe9879fb9c9808e78cf69a54eb1b8f3eff17fa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
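Review bot: the stretch reason for CVE-2021-41990 states that the vulnerable code arrived in 5.6.1, but the only NOTE is the upstream blog post; add a NOTE with the upstream commit that introduced the code so the not-affected assessment can be re-checked later. The stretch version in the DLA-2788-1 hunk (strongswan 5.5.1-4+deb9u5) is consistent with the claim, and the DLA covering only CVE-2021-41991 matches it.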
[Git][security-tracker-team/security-tracker][master] 3 commits: add exiv2
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: a86b965a by Thorsten Alteholz at 2021-09-26T19:18:32+02:00 add exiv2 - - - - - 9eacc86f by Thorsten Alteholz at 2021-09-26T19:18:59+02:00 add faad2 - - - - - 604a63bf by Thorsten Alteholz at 2021-09-26T19:20:56+02:00 mark some CVEs of libsixel as no-dsa - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -78985,11 +78985,13 @@ CVE-2020-21549 CVE-2020-21548 (Libsixel 1.8.3 contains a heap-based buffer overflow in the sixel_enco ...) - libsixel 1.8.6-1 [buster] - libsixel (Minor issue) + [stretch] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/116 NOTE: https://github.com/saitoha/libsixel/commit/9d0a7ff417b66d80a4bff714de1f27b24742f55a (v1.8.4) CVE-2020-21547 (Libsixel 1.8.2 contains a heap-based buffer overflow in the dither_fun ...) - libsixel 1.8.6-1 [buster] - libsixel (Minor issue) + [stretch] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/114 NOTE: https://github.com/saitoha/libsixel/commit/9d0a7ff417b66d80a4bff714de1f27b24742f55a (v1.8.4) CVE-2020-21546 
@@ -80016,16 +80018,19 @@ CVE-2020-21051 CVE-2020-21050 (Libsixel prior to v1.8.3 contains a stack buffer overflow in the funct ...) - libsixel 1.8.6-1 [buster] - libsixel (Minor issue) + [stretch] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/commit/7808a06b88c11dbc502318cdd51fa374f8cd47ee (v1.8.3) NOTE: https://github.com/saitoha/libsixel/issues/75 CVE-2020-21049 (An invalid read in the stb_image.h component of libsixel prior to v1.8 ...) - libsixel 1.8.6-1 [buster] - libsixel (Minor issue) + [stretch] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/74 NOTE: https://github.com/saitoha/libsixel/commit/0b1e0b3f7b44233f84e5c9f512f8c90d6bbbe33d (v1.8.5) CVE-2020-21048 (An issue in the dither.c component of libsixel prior to v1.8.4 allows ...) - libsixel 1.8.6-1 [buster] - libsixel (Minor issue) + [stretch] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/73 NOTE: https://github.com/saitoha/libsixel/commit/cb373ab6614c910407c5e5a93ab935144e62b037 (v1.8.4) NOTE: https://github.com/saitoha/libsixel/commit/26ac06f3623279348f0dce2d191a9b6ca0c80226 (v1.8.4) = data/dla-needed.txt = 
@@ -35,6 +35,10 @@ debian-archive-keyring (Utkarsh) NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html NOTE: 20210920: Raphael answered. will backport today. (utkarsh) -- +exiv2 (Thorsten Alteholz) +-- +faad2 (Thorsten Alteholz) +-- ffmpeg (Anton Gladky) NOTE: probably wait until stuff is fixed in Buster -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/053ec9792b45cd6331467748878b08c81babe006...604a63bf6b31f49a9207aff66df2d0e32dc09e59 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/053ec9792b45cd6331467748878b08c81babe006...604a63bf6b31f49a9207aff66df2d0e32dc09e59 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: d1d8566b by Thorsten Alteholz at 2021-09-27T00:00:29+02:00 update notes - - - - - 0efbab31 by Thorsten Alteholz at 2021-09-27T00:01:23+02:00 Reserve DLA-2766-1 for openssl - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[27 Sep 2021] DLA-2766-1 openssl - security update + {CVE-2021-3712} + [stretch] - openssl 1.1.0l-1~deb9u4 [23 Sep 2021] DLA-2765-1 mupdf - security update {CVE-2016-10246 CVE-2016-10247 CVE-2017-6060 CVE-2018-10289 CVE-2018-136 CVE-2020-19609} [stretch] - mupdf 1.14.0+ds1-4+deb9u1 = data/dla-needed.txt = @@ -30,6 +30,7 @@ cacti (Roberto C. Sánchez) NOTE: 20210914: still assessing whether or not affected (roberto) -- curl (Thorsten Alteholz) + NOTE: 20210926: coordinate with upload to other releases -- debian-archive-keyring (Utkarsh) NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html @@ -72,11 +73,8 @@ nvidia-graphics-drivers NOTE: package is in non-free but also in packages-to-support NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077 -- -openssl (Thorsten Alteholz) - NOTE: 20210912: testing package, upload probably after LE fix --- openssl1.0 (Thorsten Alteholz) - NOTE: 20210912: testing package, upload probably after LE fix + NOTE: 20210926: testing package, tests still don't pass -- plib (Anton Gladky) NOTE: 20210829: no fix yet. (thorsten) 
@@ -115,6 +113,7 @@ smarty3 NOTE: 20210906: prepared a build for testing. Waiting for bug submitter's reply (abhijith) -- squashfs-tools (Thorsten Alteholz) + NOTE: 20210926: coordinate with upload to other releases -- tiff (Utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a8d4c051da9afa49e73ad00b643db2e8079f4f78...0efbab31830c24000a9da20f3d898a91b410ebaf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a8d4c051da9afa49e73ad00b643db2e8079f4f78...0efbab31830c24000a9da20f3d898a91b410ebaf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
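Review bot: the updated openssl1.0 NOTE ("tests still don't pass") does not name the failing tests or say whether they also fail on the unpatched 1.0.2 package in stretch; record that, since it decides whether the failures block the upload or are pre-existing and unrelated to the CVE-2021-3712 backport.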
[Git][security-tracker-team/security-tracker][master] 3 commits: mark CVE-2021-39212 as no-dsa for Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: b2719494 by Thorsten Alteholz at 2021-09-26T19:01:19+02:00 mark CVE-2021-39212 as no-dsa for Stretch - - - - - 1f7229af by Thorsten Alteholz at 2021-09-26T19:08:03+02:00 add nghttp2 - - - - - 053ec979 by Thorsten Alteholz at 2021-09-26T19:15:55+02:00 add weechat - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -5540,6 +5540,7 @@ CVE-2021-39213 (GLPI is a free Asset and IT management software package. Startin NOTE: Only supported behind an authenticated HTTP zone CVE-2021-39212 (ImageMagick is free software delivered as a ready-to-run binary distri ...) - imagemagick + [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qvhr-jj4p-j2qr NOTE: https://github.com/ImageMagick/ImageMagick/commit/01faddbe2711a4156180c4a92837e2f23683cc68 NOTE: https://github.com/ImageMagick/ImageMagick/commit/35893e7cad78ce461fcaffa56076c11700ba5e4e = data/dla-needed.txt = @@ -60,6 +60,8 @@ mosquitto NOTE: 20210805: coordinating upload to buster before DLA for Stretch (codehelp) NOTE: 20210806: CVE-2021-34432 ignored in buster and stretch. Vulnerable code not accessible. (codehelp) -- +nghttp2 +-- ntfs-3g (Abhijith PA) -- nvidia-graphics-drivers 
@@ -114,3 +116,5 @@ tiff (Utkarsh) -- uwsgi (Sylvain Beucler) -- +weechat +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/100a486da6492bacc8122f4e8950290bb9946b87...053ec9792b45cd6331467748878b08c81babe006 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/100a486da6492bacc8122f4e8950290bb9946b87...053ec9792b45cd6331467748878b08c81babe006 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
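Review bot: nghttp2 and weechat are added to data/dla-needed.txt without a claimer or a NOTE, so nothing records which CVEs they are listed for; add a NOTE with the open CVE ids, as the other entries in these hunks (mosquitto, for example) carry dated NOTEs describing their state.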
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2774-1 for openssl1.0
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: a8633aba by Thorsten Alteholz at 2021-10-01T00:00:06+02:00 Reserve DLA-2774-1 for openssl1.0 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Sep 2021] DLA-2774-1 openssl1.0 - security update + {CVE-2021-3712} + [stretch] - openssl1.0 1.0.2u-1~deb9u6 [30 Sep 2021] DLA-2773-1 curl - security update {CVE-2021-22946 CVE-2021-22947} [stretch] - curl 7.52.1-5+deb9u16 = data/dla-needed.txt = @@ -64,9 +64,6 @@ nvidia-graphics-drivers NOTE: package is in non-free but also in packages-to-support NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077 -- -openssl1.0 (Thorsten Alteholz) - NOTE: 20210926: testing package, tests still don't pass --- plib (Anton Gladky) NOTE: 20210829: no fix yet. (thorsten) NOTE: 20210829: upstream bug mentions that it might never get fixed. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a8633aba50e683ab90d66cdc6632f9e472498f0b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a8633aba50e683ab90d66cdc6632f9e472498f0b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2773-1 for curl
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 627ed4d8 by Thorsten Alteholz at 2021-09-30T23:55:23+02:00 Reserve DLA-2773-1 for curl - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Sep 2021] DLA-2773-1 curl - security update + {CVE-2021-22946 CVE-2021-22947} + [stretch] - curl 7.52.1-5+deb9u16 [30 Sep 2021] DLA-2772-1 taglib - security update {CVE-2017-12678 CVE-2018-11439} [stretch] - taglib 1.11.1+dfsg.1-0.3+deb9u1 = data/dla-needed.txt = @@ -29,9 +29,6 @@ cacti (Roberto C. Sánchez) NOTE: 20210829: not really sure whether affected, please recheck NOTE: 20210914: still assessing whether or not affected (roberto) -- -curl (Thorsten Alteholz) - NOTE: 20210926: coordinate with upload to other releases --- debian-archive-keyring (Utkarsh) NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html NOTE: 20210920: Raphael answered. will backport today. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/627ed4d8e6101c93485d056047b9e9655d6c8cf5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/627ed4d8e6101c93485d056047b9e9655d6c8cf5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] mark CVEs from swftools as no-dsa
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 1544e604 by Thorsten Alteholz at 2021-09-22T16:32:38+02:00 mark CVEs from swftools as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -4335,53 +4335,69 @@ CVE-2021-39599 (Multiple Cross Site Scripting (XSS) vulnerabilities exists in CX NOT-FOR-US: CXUUCMS CVE-2021-39598 (An issue was discovered in swftools through 20200710. A NULL pointer d ...) - swftools + [stretch] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/145 CVE-2021-39597 (An issue was discovered in swftools through 20200710. A NULL pointer d ...) - swftools + [stretch] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/143 CVE-2021-39596 (An issue was discovered in swftools through 20200710. A NULL pointer d ...) - swftools + [stretch] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/146 CVE-2021-39595 (An issue was discovered in swftools through 20200710. A stack-buffer-o ...) - swftools + [stretch] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/141 CVE-2021-39594 (Other An issue was discovered in swftools through 20200710. A NULL poi ...) - swftools + [stretch] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/142 CVE-2021-39593 (An issue was discovered in swftools through 20200710. A NULL pointer d ...) - swftools + [stretch] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/139 CVE-2021-39592 (An issue was discovered in swftools through 20200710. A NULL pointer d ...) - swftools + [stretch] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/138 CVE-2021-39591 (An issue was discovered in swftools through 20200710. A NULL pointer d ...) - swftools + [stretch] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/135 CVE-2021-39590 (An issue was discovered in swftools through 20200710. A NULL pointer d ...) - swftools + [stretch] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/137 CVE-2021-39589 (An issue was discovered in swftools through 20200710. 
A NULL pointer d ...) - swftools + [stretch] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/132 CVE-2021-39588 (An issue was discovered in swftools through 20200710. A NULL pointer d ...) - swftools + [stretch] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/131 CVE-2021-39587 (An issue was discovered in swftools through 20200710. A NULL pointer d ...) - swftools + [stretch] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/129 CVE-2021-39586 RESERVED CVE-2021-39585 (An issue was discovered in swftools through 20200710. A NULL pointer d ...) - swftools + [stretch] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/133 CVE-2021-39584 (An issue was discovered in swftools through 20200710. A NULL pointer d ...) - swftools + [stretch] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/130 CVE-2021-39583 (An issue was discovered in swftools through 20200710. A NULL pointer d ...) - swftools + [stretch] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/136 CVE-2021-39582 (An issue was discovered in swftools through 20200710. A heap-buffer-ov ...) - swftools + [stretch] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/122 CVE-2021-39581 RESERVED 
@@ -4389,19 +4405,23 @@ CVE-2021-39580 RESERVED CVE-2021-39579 (An issue was discovered in swftools through 20200710. A heap-buffer-ov ...) - swftools + [stretch] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/125 CVE-2021-39578 RESERVED CVE-2021-39577 (An issue was discovered in swftools through 20200710. A heap-buffer-ov ...) - swftools + [stretch] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/121 CVE-2021-39576 RESERVED CVE-2021-39575 (An issue was discovered in swftools through 20200710. A NULL pointer d ...) - swftools + [stretch] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/128 CVE-2021-39574 (An issue was discovered in swftools
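Review bot: every swftools entry in these hunks gets the same stretch reason "Minor issue", while each NOTE points at a GitHub issue report rather than a fix commit; state in the reason whether an upstream fix exists (for instance "Minor issue, no upstream fix yet"), because a bare "Minor issue" implies a fix could be cherry-picked into a later update.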
[Git][security-tracker-team/security-tracker][master] 3 commits: also take openssl1.0
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: c1e48bd3 by Thorsten Alteholz at 2021-08-28T13:46:37+02:00 also take openssl1.0 - - - - - 88e008c5 by Thorsten Alteholz at 2021-08-28T13:50:16+02:00 take squashfs-tools - - - - - d4f5ecbb by Thorsten Alteholz at 2021-08-28T13:58:22+02:00 mark several CVEs for gpac as not-affected and follow sec team with some no-dsa - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -17728,6 +17728,7 @@ CVE-2021-32440 (The Media_RewriteODFrame function in GPAC 1.0.1 allows attackers - gpac [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) + [stretch] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/commit/f0ba83717b6e4d7a15a1676d1fe06152e199b011 NOTE: https://github.com/gpac/gpac/issues/1772 CVE-2021-32439 (Buffer overflow in the stbl_AppendSize function in MP4Box in GPAC 1.0. ...) @@ -17738,12 +17739,14 @@ CVE-2021-32438 (The gf_media_export_filters function in GPAC 1.0.1 allows attack - gpac [bullseye] - gpac (Minor issue) [buster] - gpac (Vulnerable code not present) + [stretch] - gpac (Vulnerable code not present) NOTE: https://github.com/gpac/gpac/commit/00194f5fe462123f70b0bae7987317b52898b868 NOTE: https://github.com/gpac/gpac/issues/1769 CVE-2021-32437 (The gf_hinter_finalize function in GPAC 1.0.1 allows attackers to caus ...) - gpac [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) + [stretch] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/commit/1653f31cf874eb6df964bea88d58d8e9b98b485e NOTE: https://github.com/gpac/gpac/issues/1770 CVE-2021-32436 
@@ -20772,6 +20775,7 @@ CVE-2021-31261 (The gf_hinter_track_new function in GPAC 1.0.1 allows attackers CVE-2021-31260 (The MergeTrack function in GPAC 1.0.1 allows attackers to cause a deni ...) - gpac 1.0.1+dfsg1-4 (bug #987280) [buster] - gpac (Minor issue) + [stretch] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/commit/df8fffd839fe5ae9acd82d26fd48280a397411d9 NOTE: https://github.com/gpac/gpac/issues/1736 CVE-2021-31259 (The gf_isom_cenc_get_default_info_internal function in GPAC 1.0.1 allo ...) @@ -20782,11 +20786,13 @@ CVE-2021-31259 (The gf_isom_cenc_get_default_info_internal function in GPAC 1.0. CVE-2021-31258 (The gf_isom_set_extraction_slc function in GPAC 1.0.1 allows attackers ...) - gpac 1.0.1+dfsg1-4 (bug #987280) [buster] - gpac (Minor issue) + [stretch] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/commit/ebfa346eff05049718f7b80041093b4c5581c24e NOTE: https://github.com/gpac/gpac/issues/1706 CVE-2021-31257 (The HintFile function in GPAC 1.0.1 allows attackers to cause a denial ...) - gpac 1.0.1+dfsg1-4 (bug #987280) [buster] - gpac (Minor issue) + [stretch] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/commit/87afe070cd6866df7fe80f11b26ef75161de85e0 NOTE: https://github.com/gpac/gpac/issues/1734 CVE-2021-31256 (Memory leak in the stbl_GetSampleInfos function in MP4Box in GPAC 1.0. ...) @@ -23976,6 +23982,7 @@ CVE-2021-30015 (There is a Null Pointer Dereference in function filter_core/filt CVE-2021-30014 (There is a integer overflow in media_tools/av_parsers.c in the hevc_pa ...) - gpac 1.0.1+dfsg1-4 (bug #987323) [buster] - gpac (Minor issue) + [stretch] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/commit/51cdb67ff7c5f1242ac58c5aa603ceaf1793b788 NOTE: https://github.com/gpac/gpac/issues/1721 CVE-2021-30013 
@@ -43473,30 +43480,35 @@ CVE-2021-21862 (Multiple exploitable integer truncation vulnerabilities exist wi CVE-2021-21861 (An exploitable integer truncation vulnerability exists within the MPEG ...) - gpac [buster] - gpac (Vulnerable code not present) + [stretch] - gpac (Vulnerable code not present) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1298 NOTE: https://github.com/gpac/gpac/commit/8cd33e8977fd5f4215e4b67c309fd403762bfeb7 NOTE: https://github.com/gpac/gpac/issues/1814 CVE-2021-21860 (An exploitable integer truncation vulnerability exists within the MPEG ...) - gpac [buster] - gpac (Vulnerable code not present) + [stretch] - gpac (Vulnerable code not present) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1298 NOTE: https://github.com/gpac/gpac/commit/8cd33e8977fd5f4215e4b67c309fd403762bfeb7 NOTE: https://github.com/gpac/gpac/issues/1814 CVE-2021-21859 (An exploitable integer truncation vulnerability exists within the MPEG ...) - gpac
[Git][security-tracker-team/security-tracker][master] mark CVE-2021-38614 as ignored for Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 4885b4e9 by Thorsten Alteholz at 2021-08-28T14:00:00+02:00 mark CVE-2021-38614 as ignored for Stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3369,6 +3369,7 @@ CVE-2021-3704 CVE-2021-38614 (** UNSUPPORTED WHEN ASSIGNED ** Polipo through 1.1.1, when NDEBUG is u ...) - polipo [buster] - polipo (Minor issue) + [stretch] - polipo (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2021/07/28/2 CVE-2021-38613 (The assets/index.php Image Upload feature of the NASCENT RemKon Device ...) NOT-FOR-US: NASCENT RemKon Device Manager View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4885b4e9ad6a19fce8056c4199c30ad018dafd42 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4885b4e9ad6a19fce8056c4199c30ad018dafd42 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
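Review bot: the commit message marks CVE-2021-38614 as ignored for stretch, yet the reason added is the same "Minor issue" text used for buster; for an ignored entry the reason should say why no fix will come, and the CVE text in the hunk already supplies it ("** UNSUPPORTED WHEN ASSIGNED **", i.e. polipo is unmaintained upstream).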
[Git][security-tracker-team/security-tracker][master] 4 commits: mark CVE-2021-38370 as postponed for Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 7367d11b by Thorsten Alteholz at 2021-08-26T19:31:38+02:00 mark CVE-2021-38370 as postponed for Stretch - - - - - ecfa33e8 by Thorsten Alteholz at 2021-08-26T19:31:39+02:00 mark CVE-2021-37845 and CVE-2020-29547 as postponed for Stretch - - - - - 4d03af80 by Thorsten Alteholz at 2021-08-26T19:31:41+02:00 mark CVE-2021-38371 as postponed for Stretch - - - - - 7fc9d58d by Thorsten Alteholz at 2021-08-26T19:31:42+02:00 mark CVE-2021-39360 as postponed for Stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1607,6 +1607,7 @@ CVE-2021-39361 (In GNOME evolution-rss through 0.3.96, network-soup.c does not e NOTE: https://gitlab.gnome.org/GNOME/evolution-rss/-/issues/11 CVE-2021-39360 (In GNOME libzapojit through 0.0.3, zpj-skydrive.c does not enable TLS ...) - libzapojit + [stretch] - libzapojit (Minor issue, revisit when/if fixed upstream) NOTE: https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-soupsessionsync-and-soupsessionasync-default-to-no-tls-certificate-verification/ NOTE: https://gitlab.gnome.org/GNOME/libzapojit/-/issues/4 CVE-2021-39359 (In GNOME libgda through 6.0.0, gda-web-provider.c does not enable TLS ...) @@ -3805,10 +3806,12 @@ CVE-2021-38372 (In KDE Trojita 0.7, man-in-the-middle attackers can create new f - trojita (bug #795701) CVE-2021-38371 (The STARTTLS feature in Exim through 4.94.2 allows response injection ...) - exim4 (bug #992172) + [stretch] - exim4 (Minor issue, revisit when fixed upstream) NOTE: https://nostarttls.secvuln.info NOTE: https://www.exim.org/static/doc/security/CVE-2021-38371.txt CVE-2021-38370 (In Alpine through 2.24, untagged responses from an IMAP server are acc ...) - alpine (bug #992171) + [stretch] - alpine (Minor issue, revisit when/if fixed upstream) NOTE: https://nostarttls.secvuln.info CVE-2021-38369 RESERVED 
@@ -5061,6 +5064,7 @@ CVE-2021-37846 CVE-2021-37845 RESERVED - citadel + [stretch] - citadel (Minor issue, revisit when fixed upstream) NOTE: https://uncensored.citadel.org/readfwd?go=Citadel Security?view=0?start_reading_at=2099264259#2099264259 NOTE: https://nostarttls.secvuln.info/ CVE-2021-37844 @@ -52691,6 +52695,7 @@ CVE-2020-29548 (An issue was discovered in SmarterTools SmarterMail through 100. CVE-2020-29547 RESERVED - citadel + [stretch] - citadel (Minor issue, revisit when fixed upstream) NOTE: https://uncensored.citadel.org/readfwd?go=Citadel Security?view=0?start_reading_at=2099264259#2099264259 NOTE: https://nostarttls.secvuln.info/ CVE-2020-29546 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/32e80a4f2e26e407a97fdad47b12317fd2d27e94...7fc9d58d7e3ecc49f1c134a4211c1458b79c3d0e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/32e80a4f2e26e407a97fdad47b12317fd2d27e94...7fc9d58d7e3ecc49f1c134a4211c1458b79c3d0e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: mark CVE-2021-42340 as not-affected for Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: da73cc04 by Thorsten Alteholz at 2021-10-24T17:58:34+02:00 mark CVE-2021-42340 as not-affected for Stretch - - - - - 2819b8f6 by Thorsten Alteholz at 2021-10-24T17:59:27+02:00 update note - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -2135,6 +2135,7 @@ CVE-2021-3885 CVE-2021-42340 (The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, ...) - tomcat9 9.0.54-1 - tomcat8 + [stretch] - tomcat8 (Vulnerable code introduced later) NOTE: https://www.openwall.com/lists/oss-security/2021/10/14/1 NOTE: https://github.com/apache/tomcat/commit/80f1438ec45e77a07b96419808971838d259eb47 (9.0.54) NOTE: https://github.com/apache/tomcat/commit/d27535bdee95d252418201eb21e9d29476aa6b6a (8.5.72) = data/dla-needed.txt = @@ -30,7 +30,7 @@ debian-archive-keyring NOTE: 20211018: with him and upload and publish the DLA. (utkarsh) -- exiv2 (Thorsten Alteholz) - NOTE: 20211010: WIP, also taking care of older issues + NOTE: 20211024: WIP, not yet finished -- ffmpeg (Anton Gladky) NOTE: probably wait until stuff is fixed in Buster View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f2693817d87b649c9a6e492ca0cb181c3e71de5c...2819b8f61b0ba9ab0e67e287e4f92737b8f98d31 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f2693817d87b649c9a6e492ca0cb181c3e71de5c...2819b8f61b0ba9ab0e67e287e4f92737b8f98d31 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
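Review bot: the stretch reason for CVE-2021-42340, "Vulnerable code introduced later", does not say which tomcat8 version introduced it, while the NOTEs list a fix commit for 8.5.72, so the 8.5 branch is affected from some point on; add the introducing version (the description ties the bug to the fix for bug 63362) to the reason or a NOTE so the not-affected claim for stretch's tomcat8 can be verified.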
[Git][security-tracker-team/security-tracker][master] 2 commits: faad2 issues fixed in recent upload
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 2cd6585b by Thorsten Alteholz at 2021-10-24T17:31:59+02:00 faad2 issues fixed in recent upload - - - - - f2693817 by Thorsten Alteholz at 2021-10-24T17:33:05+02:00 Reserve DLA-2792-1 for faad2 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -176633,7 +176633,6 @@ CVE-2019-6956 (An issue was discovered in Freeware Advanced Audio Decoder 2 (FAA {DLA-1899-1} - faad2 2.8.8-3.1 (bug #914641) [buster] - faad2 (Minor issue) - [stretch] - faad2 (Minor issue) NOTE: https://sourceforge.net/p/faac/bugs/240/ NOTE: https://github.com/knik0/faad2/issues/39 NOTE: https://github.com/knik0/faad2/commit/6823e6610c9af1b0080cb22b9da03efb208d7d57 @@ -186134,7 +186133,6 @@ CVE-2018-20360 (An invalid memory address dereference was discovered in the sbr_ {DLA-1899-1} - faad2 2.8.8-3.1 (low) [buster] - faad2 (Minor issue) - [stretch] - faad2 (Minor issue) NOTE: https://github.com/knik0/faad2/issues/32 NOTE: https://github.com/knik0/faad2/commit/3b80a57483a6bc822d3ce3cc640fa81737a87c54 CVE-2018-20359 (An invalid memory address dereference was discovered in the sbrDecodeS ...) @@ -186742,7 +186740,6 @@ CVE-2018-20199 (A NULL pointer dereference was discovered in ifilter_bank of lib {DLA-1899-1} - faad2 2.8.8-3.1 (low) [buster] - faad2 (Minor issue) - [stretch] - faad2 (Minor issue) NOTE: https://github.com/knik0/faad2/issues/24 NOTE: https://github.com/knik0/faad2/commit/3b80a57483a6bc822d3ce3cc640fa81737a87c54 CVE-2018-20198 (A NULL pointer dereference was discovered in ifilter_bank of libfaad/f ...) = data/DLA/list = 
@@ -1,3 +1,6 @@ +[24 Oct 2021] DLA-2792-1 faad2 - security update + {CVE-2018-20199 CVE-2018-20360 CVE-2019-6956 CVE-2021-32274 CVE-2021-32276 CVE-2021-32277 CVE-2021-32278} + [stretch] - faad2 2.8.0~cvs20161113-1+deb9u3 [23 Oct 2021] DLA-2791-1 mailman - security update {CVE-2021-42096 CVE-2021-42097} [stretch] - mailman 1:2.1.23-1+deb9u7 = data/dla-needed.txt = @@ -32,9 +32,6 @@ debian-archive-keyring exiv2 (Thorsten Alteholz) NOTE: 20211010: WIP, also taking care of older issues -- -faad2 (Thorsten Alteholz) - NOTE: 20211010: WIP, also taking care of older issues --- ffmpeg (Anton Gladky) NOTE: probably wait until stuff is fixed in Buster NOTE: 20211010: WIP https://salsa.debian.org/lts-team/packages/ffmpeg View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/686fd0989e8e6fb615d2d6e2cbb677562777235c...f2693817d87b649c9a6e492ca0cb181c3e71de5c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/686fd0989e8e6fb615d2d6e2cbb677562777235c...f2693817d87b649c9a6e492ca0cb181c3e71de5c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
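Review bot: the new DLA-2792-1 entry in data/DLA/list lists seven CVEs (CVE-2018-20199 CVE-2018-20360 CVE-2019-6956 CVE-2021-32274 CVE-2021-32276 CVE-2021-32277 CVE-2021-32278), but the data/CVE/list hunks in this push only remove the `[stretch] - faad2 (Minor issue)` lines for CVE-2019-6956, CVE-2018-20360 and CVE-2018-20199; please confirm that the stretch state of the four CVE-2021-3227x entries already matches the fixed version 2.8.0~cvs20161113-1+deb9u3, otherwise the tracker will keep showing them as open for stretch after the DLA is published.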
[Git][security-tracker-team/security-tracker][master] 4 commits: add ruby2.3
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 2410d43a by Thorsten Alteholz at 2021-12-19T18:05:56+01:00 add ruby2.3 - - - - - b2e6c5cc by Thorsten Alteholz at 2021-12-19T18:10:39+01:00 add lxml - - - - - 961523b2 by Thorsten Alteholz at 2021-12-19T18:11:05+01:00 add libarchive - - - - - bd85ecff by Thorsten Alteholz at 2021-12-19T18:13:13+01:00 add spip - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -45,6 +45,8 @@ gpac (Roberto C. Sánchez) NOTE: 20211101: coordinating with secteam for s-p-u since stretch/buster versions match (roberto) NOTE: 20211120: received OK from secteam for buster update, working on stretch/buster in parallel (roberto) -- +libarchive (Thorsten Alteholz) +-- libgit2 (Utkarsh) NOTE: 20211029: CVE-2018-10887/CVE-2018-10888/CVE-2018-15501 were fixed NOTE: 20211029: for jessie in DLA-1477-1 and should also be fixed in stretch @@ -59,6 +61,8 @@ linux (Ben Hutchings) -- linux-4.19 (Ben Hutchings) -- +lxml +-- nvidia-graphics-drivers (Markus Koschany) NOTE: package is in non-free but also in packages-to-support NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077 
@@ -71,12 +75,17 @@ nvidia-graphics-drivers (Markus Koschany) pgbouncer (Thorsten Alteholz) NOTE: 20211212: sync with maintainer -- +ruby2.3 (Utkarsh) +-- samba (Anton) NOTE: 20211128: WIP https://salsa.debian.org/lts-team/packages/samba/ NOTE: 20211212: Fix is too large, coordination with ELTS-upload -- sphinxsearch (Thorsten Alteholz) -- +spip + NOTE: probably someone who understands French better can have a look whether Stretch is affected +-- thunderbird (Emilio) NOTE: 20211122: blocked on toolchain backports (pochu) NOTE: 20211206: progressing on the toolchain front (pochu) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f6a79abd78e0f38ef0d120ff9fd67dc5f1c17e5b...bd85ecff6e16d3fd698544a86024b149cd277264 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f6a79abd78e0f38ef0d120ff9fd67dc5f1c17e5b...bd85ecff6e16d3fd698544a86024b149cd277264 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
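Review bot: the spip entry's note `NOTE: probably someone who understands French better can have a look whether Stretch is affected` carries no date stamp, unlike the other NOTE lines in this file (`NOTE: 20211212: sync with maintainer`, `NOTE: 20211122: blocked on toolchain backports (pochu)`); prefix it with the date and the initials of who added it so a later reader can tell how old the open question is and whom to ask.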
[Git][security-tracker-team/security-tracker][master] update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 00649565 by Thorsten Alteholz at 2021-12-20T00:04:38+01:00 update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -72,8 +72,8 @@ nvidia-graphics-drivers (Markus Koschany) NOTE: nvidia-graphics-drivers-legacy-390xx but will ask for more testing on the lts NOTE: mailing list tomorrow (apo) -- -pgbouncer (Thorsten Alteholz) - NOTE: 20211212: sync with maintainer +pgbouncer (Christoph Berg) + NOTE: 20211220: maintainer might want to upload fixed version -- ruby2.3 (Utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/00649565985083bf6ce6523f0e1318a292f440c7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/00649565985083bf6ce6523f0e1318a292f440c7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 5 commits: mark CVE-2021-42550 as no-dsa for Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 981723ad by Thorsten Alteholz at 2021-12-18T00:38:19+01:00 mark CVE-2021-42550 as no-dsa for Stretch - - - - - d47e3069 by Thorsten Alteholz at 2021-12-18T00:46:37+01:00 mark CVE-2021-44856 as postponed for Stretch - - - - - 2c3fdfe9 by Thorsten Alteholz at 2021-12-18T00:47:52+01:00 mark CVE-2021-42574 as no-dsa for Stretch - - - - - 1e9253c3 by Thorsten Alteholz at 2021-12-18T00:51:57+01:00 mark CVE-2021-45098 as no-dsa for Stretch - - - - - 0d0c7c6d by Thorsten Alteholz at 2021-12-18T00:59:58+01:00 mark CVE-2021-4110 as postponed for Stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -67,6 +67,7 @@ CVE-2021-45098 (An issue was discovered in Suricata before 6.0.4. It is possible - suricata 1:6.0.4-1 [bullseye] - suricata (Minor issue) [buster] - suricata (Minor issue) + [stretch] - suricata (Minor issue) NOTE: https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942 NOTE: https://github.com/OISF/suricata/commit/50e2b973eeec7172991bf8f544ab06fb782b97df NOTE: https://redmine.openinfosecfoundation.org/issues/4710 @@ -119,6 +120,7 @@ CVE-2021-42550 [JNDI vunerability] - logback 1:1.2.8-1 [bullseye] - logback (Minor issue) [buster] - logback (Minor issue) + [stretch] - logback (Minor issue) NOTE: https://jira.qos.ch/browse/LOGBACK-1591 NOTE: https://github.com/qos-ch/logback/commit/21d772f2bc2ed780b01b4fe108df7e29707763f1 (v_1.2.8) CVE-2021-44771 @@ -449,6 +451,7 @@ CVE-2021-45041 RESERVED CVE-2021-4110 (mruby is vulnerable to NULL Pointer Dereference ...) - mruby (bug #1001768) + [stretch] - mruby (revisit when/if fix is complete) NOTE: https://huntr.dev/bounties/4ce5dc47-2512-4c87-8609-453adc8cad20 NOTE: https://github.com/mruby/mruby/commit/f5e10c5a79a17939af763b1dcf5232ce47e24a34 CVE-2021-4109 
@@ -847,6 +850,7 @@ CVE-2021-44856 [Title blocked in AbuseFilter can be created via Special:ChangeCo - mediawiki 1:1.35.5-1 [bullseye] - mediawiki (Minor issue) [buster] - mediawiki (Minor issue) + [stretch] - mediawiki (Minor issue) NOTE: https://phabricator.wikimedia.org/T271037 NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitec...@lists.wikimedia.org/thread/QEN3EK4JXAVJMJ5GF3GYOAKNJPEKFQYA/ CVE-2021-44855 [Blind Stored XSS in VisualEditor media dialog] @@ -8801,6 +8805,7 @@ CVE-2021-42574 (An issue was discovered in the Bidirectional Algorithm in the Un - rustc [bullseye] - rustc (Minor issue) [buster] - rustc (Minor issue) + [stretch] - rustc (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2021/11/01/1 NOTE: https://github.com/rust-lang/rust/commit/dd61274930ec0cd17711fab52d2bc9ad3e9053de (1.56.1) CVE-2021-42573 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6fe0ae1ad63b6660f6ce65cc888e58a1a29bb35c...0d0c7c6df117f9f2e56ee8e0da146ad36460f68f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6fe0ae1ad63b6660f6ce65cc888e58a1a29bb35c...0d0c7c6df117f9f2e56ee8e0da146ad36460f68f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: fix for CVE-2020-18442 postponed until now
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: d71330d3 by Thorsten Alteholz at 2021-12-28T00:47:49+01:00 fix for CVE-2020-18442 postponed until now - - - - - 8c446b4c by Thorsten Alteholz at 2021-12-28T00:48:42+01:00 Reserve DLA-2859-1 for zziplib - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -101632,7 +101632,6 @@ CVE-2020-18442 (Infinite Loop in zziplib v0.13.69 allows remote attackers to cau - zziplib 0.13.72+dfsg.1-1 [bullseye] - zziplib (Minor issue) [buster] - zziplib (Minor issue) - [stretch] - zziplib (Minor issue, fix along with next DLA) NOTE: https://github.com/gdraheim/zziplib/issues/68 NOTE: https://github.com/gdraheim/zziplib/commit/ac9ae39ef419e9f0f83da1e583314d8c7cda34a6 NOTE: https://github.com/gdraheim/zziplib/commit/7e786544084548da7fcfcd9090d3c4e7f5777f7e = data/DLA/list = @@ -1,3 +1,6 @@ +[28 Dec 2021] DLA-2859-1 zziplib - security update + {CVE-2020-18442} + [stretch] - zziplib 0.13.62-3.2~deb9u2 [28 Dec 2021] DLA-2858-1 libzip - security update {CVE-2017-14107} [stretch] - libzip 1.1.2-1.1+deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f6ec7c5b3be2042fd824d3148cd407bec0def63d...8c446b4cce56b39d20f524265614454e9427708b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f6ec7c5b3be2042fd824d3148cd407bec0def63d...8c446b4cce56b39d20f524265614454e9427708b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2017-14107 has been fixed with recent upload
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: f432120d by Thorsten Alteholz at 2021-12-27T23:48:58+01:00 CVE-2017-14107 has been fixed with recent upload - - - - - f6ec7c5b by Thorsten Alteholz at 2021-12-28T00:40:28+01:00 Reserve DLA-2858-1 for libzip - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -271509,7 +271509,6 @@ CVE-2017-14108 (libgedit.a in GNOME gedit through 3.22.1 allows remote attackers CVE-2017-14107 (The _zip_read_eocd64 function in zip_open.c in libzip before 1.3.0 mis ...) [experimental] - libzip 1.3.0+dfsg.1-1 - libzip 1.5.1-3 (low; bug #874010) - [stretch] - libzip (Minor issue) [jessie] - libzip (Minor issue) [wheezy] - libzip (Minor issue) - php5 (unimportant) = data/DLA/list = @@ -1,3 +1,6 @@ +[28 Dec 2021] DLA-2858-1 libzip - security update + {CVE-2017-14107} + [stretch] - libzip 1.1.2-1.1+deb9u1 [28 Dec 2021] DLA-2857-1 postgis - security update {CVE-2017-18359} [stretch] - postgis 2.3.1+dfsg-2+deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c53e3aa14b05e9a6d0d0de313e8080d55d95da08...f6ec7c5b3be2042fd824d3148cd407bec0def63d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c53e3aa14b05e9a6d0d0de313e8080d55d95da08...f6ec7c5b3be2042fd824d3148cd407bec0def63d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 45d8534d by Thorsten Alteholz at 2022-01-02T23:42:52+01:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -49,6 +49,7 @@ gpac (Roberto C. Sánchez) NOTE: 20211228: Returning to active work on this now that llvm/rustc update is complete (roberto) -- libarchive (Thorsten Alteholz) + NOTE: 20220102: testing package -- libgit2 (Utkarsh) NOTE: 20211029: CVE-2018-10887/CVE-2018-10888/CVE-2018-15501 were fixed @@ -95,6 +96,7 @@ slurm-llnl (Sylvain Beucler) NOTE: 20211229: should also be checked. (bunk) -- sphinxsearch (Thorsten Alteholz) + NOTE: 20220103: waiting for Buster upload -- thunderbird (Emilio) NOTE: 20211122: blocked on toolchain backports (pochu) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45d8534dcaee8406eed40565a0cafd771db55eec -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45d8534dcaee8406eed40565a0cafd771db55eec You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
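Review bot: the sphinxsearch note is stamped `20220103` while the commit itself is dated 2022-01-02T23:42:52+01:00 and the libarchive note added in the same commit uses `20220102`; use one date for both (20220102, matching the commit timestamp) so the dated notes in data/dla-needed.txt stay in chronological order.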
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2869-1 for xorg-server
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: da6d88ca by Thorsten Alteholz at 2021-12-29T23:05:27+01:00 Reserve DLA-2869-1 for xorg-server - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Dec 2021] DLA-2869-1 xorg-server - security update + {CVE-2021-4008 CVE-2021-4009 CVE-2021-4011} + [stretch] - xorg-server 2:1.19.2-1+deb9u9 [29 Dec 2021] DLA-2868-1 advancecomp - security update {CVE-2018-1056 CVE-2019-8379 CVE-2019-8383 CVE-2019-9210} [stretch] - advancecomp 1.20-1+deb9u1 = data/dla-needed.txt = @@ -110,5 +110,3 @@ vim (Anton) NOTE: 20211203: Emilio since he's working on it for jessie. (utkarsh) NOTE: 20211220: WIP (Anton) -- -xorg-server (Thorsten Alteholz) --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da6d88ca44a50ca8a02a2ec111a7b052779346d8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da6d88ca44a50ca8a02a2ec111a7b052779346d8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 199f9402 by Thorsten Alteholz at 2022-01-04T11:52:20+01:00 update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -81,8 +81,8 @@ nvidia-graphics-drivers (Markus Koschany) NOTE: 20211108: now fixes all 5 CVEs (bunk) NOTE: 20211229: https://people.debian.org/~apo/lts/nvidia-graphics-drivers/ -- -pgbouncer - NOTE: 20211220: maintainer might want to upload fixed version +pgbouncer (Christoph Berg) + NOTE: 20220104: maintainer might want to upload fixed version -- php-nette (Utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/199f94023b070e623fb5e56086510908b00ff52c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/199f94023b070e623fb5e56086510908b00ff52c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
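Review bot: the pgbouncer hunk only bumps the note's date from `20211220` to `20220104` while keeping the text `maintainer might want to upload fixed version` unchanged, which hides how long this item has been waiting; either add a second dated NOTE line saying what actually happened on 20220104 (for example that the maintainer was pinged again) or leave the original date in place.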
[Git][security-tracker-team/security-tracker][master] 4 commits: mark CVE-2021-44038 as postponed for Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: e4a7cb6a by Thorsten Alteholz at 2021-12-19T00:49:49+01:00 mark CVE-2021-44038 as postponed for Stretch - - - - - 77704332 by Thorsten Alteholz at 2021-12-19T00:51:24+01:00 mark CVE-2021-3929 as postponed for Stretch - - - - - f7854d9b by Thorsten Alteholz at 2021-12-19T01:06:26+01:00 mark CVE-2021-41055 as not-affected - - - - - e5f1f5ca by Thorsten Alteholz at 2021-12-19T02:18:28+01:00 add sphinxsearch - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -3251,6 +3251,7 @@ CVE-2021-44039 RESERVED CVE-2021-44038 (An issue was discovered in Quagga through 1.2.4. Unsafe chown/chmod op ...) - quagga + [stretch] - quagga (revisit when/if fixed upstream) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1191890 NOTE: Debian installed systemd unit files install the problematic redhat/*.service NOTE: files with the unsafe chmod/chown calls in the Debian packaging. @@ -5899,6 +5900,7 @@ CVE-2021-3930 [off-by-one error in mode_sense_page() in hw/scsi/scsi-disk.c] CVE-2021-3929 [nvme: DMA reentrancy issue leads to use-after-free] RESERVED - qemu + [stretch] - qemu (Fix along with a future DLA) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2020298 NOTE: https://gitlab.com/qemu-project/qemu/-/issues/556 NOTE: Proposed patchset: https://lists.nongnu.org/archive/html/qemu-devel/2021-08/msg03692.html @@ -13750,6 +13752,7 @@ CVE-2021-41056 RESERVED CVE-2021-41055 (Gajim 1.2.x and 1.3.x before 1.3.3 allows remote attackers to cause a ...) - python-nbxmpp 2.0.4-1 + [stretch] - python-nbxmpp (Vulnerable code introduced later (modules added in v1.0.0)) NOTE: https://dev.gajim.org/gajim/gajim/-/issues/10638 NOTE: https://dev.gajim.org/gajim/python-nbxmpp/-/commit/8a626829d7c4b14077f764e61b1d1e867d21413f NOTE: Fix in python-nbxmpp, and gajim 1.3.3 bumps depends on required nbxmpp version. = data/dla-needed.txt = 
@@ -75,6 +75,8 @@ samba (Anton) NOTE: 20211128: WIP https://salsa.debian.org/lts-team/packages/samba/ NOTE: 20211212: Fix is too large, coordination with ELTS-upload -- +sphinxsearch (Thorsten Alteholz) +-- thunderbird (Emilio) NOTE: 20211122: blocked on toolchain backports (pochu) NOTE: 20211206: progressing on the toolchain front (pochu) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/96bf6e32089e1e3a247493fd0d8189f40162c347...e5f1f5ca67c035e3d3629c91d897faabbc19dd55 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/96bf6e32089e1e3a247493fd0d8189f40162c347...e5f1f5ca67c035e3d3629c91d897faabbc19dd55 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] add bluez
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 2e4db735 by Thorsten Alteholz at 2021-11-22T23:50:13+01:00 add bluez - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -18,6 +18,8 @@ ansible NOTE: 20210411: after that LTS. (apo) NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/ -- +bluez +-- debian-archive-keyring NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html NOTE: 20210920: Raphael answered. will backport today. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e4db73596db8761b95eb8d21115cf89f312935c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e4db73596db8761b95eb8d21115cf89f312935c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: follow security team and mark CVE-2021-37620 as ignored
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: fd58dbe7 by Thorsten Alteholz at 2021-11-21T23:35:07+01:00 follow security team and mark CVE-2021-37620 as ignored - - - - - 0c88fae0 by Thorsten Alteholz at 2021-11-21T23:37:26+01:00 mark CVE-2021-34334 as no-dsa for Stretch - - - - - df8498d3 by Thorsten Alteholz at 2021-11-21T23:41:24+01:00 nothing todo - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -18742,6 +18742,7 @@ CVE-2021-37620 (Exiv2 is a command-line utility and C++ library for reading, wri - exiv2 [bullseye] - exiv2 (Minor issue) [buster] - exiv2 (Minor issue) + [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-v5g7-46xf-h728 NOTE: https://github.com/Exiv2/exiv2/pull/1769 CVE-2021-37619 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) @@ -26457,6 +26458,7 @@ CVE-2021-34335 (Exiv2 is a command-line utility and C++ library for reading, wri NOTE: https://github.com/Exiv2/exiv2/pull/1750 CVE-2021-34334 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - exiv2 (bug #992706) + [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-hqjh-hpv8-8r9p NOTE: https://github.com/Exiv2/exiv2/pull/1766 CVE-2021-34333 (A vulnerability has been identified in JT2Go (All versions V13.2) ...) = data/dla-needed.txt = 
@@ -27,9 +27,6 @@ debian-archive-keyring NOTE: 20211018: Jonathan is prepping the branch; will work NOTE: 20211018: with him and upload and publish the DLA. (utkarsh) -- -exiv2 (Thorsten Alteholz) - NOTE: 20211109: testing package --- firefox-esr (Emilio) NOTE: 2026: blocked on toolchain backports (pochu) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6a5905630de347de72873c2070b8c532e89d5b3d...df8498d3771f53dc94bf2998b2d04fe333d227d3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6a5905630de347de72873c2070b8c532e89d5b3d...df8498d3771f53dc94bf2998b2d04fe333d227d3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: fixed in recent upload
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: f7ddc48d by Thorsten Alteholz at 2021-11-17T11:02:01+01:00 fixed in recent upload - - - - - 2f3a435b by Thorsten Alteholz at 2021-11-17T12:33:49+01:00 Reserve DLA-2821-1 for axis - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -231535,7 +231535,6 @@ CVE-2018-8033 (In Apache OFBiz 16.11.01 to 16.11.04, the OFBiz HTTP engine (org. NOT-FOR-US: Apache OFBiz CVE-2018-8032 (Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site ...) - axis 1.4-28 (bug #905328) - [stretch] - axis (Minor issue) [jessie] - axis (Minor issue) NOTE: https://issues.apache.org/jira/browse/AXIS-2924 NOTE: https://svn.apache.org/r1831943 = data/DLA/list = @@ -1,3 +1,6 @@ +[17 Nov 2021] DLA-2821-1 axis - security update + {CVE-2018-8032} + [stretch] - axis 1.4-25+deb9u1 [17 Nov 2021] DLA-2820-1 atftp - security update {CVE-2020-6097 CVE-2021-41054} [stretch] - atftp 0.7.git20120829-3.1~deb9u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e89bca100bfde236fd885ca9b93b1e6ff9d31fc0...2f3a435b6b7ac1c7fa7b458ff598ece9e837f727 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e89bca100bfde236fd885ca9b93b1e6ff9d31fc0...2f3a435b6b7ac1c7fa7b458ff598ece9e837f727 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: two netkit-rsh CVEs fixed in recent upload
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: b5feb937 by Thorsten Alteholz at 2021-11-18T23:41:27+01:00 two netkit-rsh CVEs fixed in recent upload - - - - - 8480d0cf by Thorsten Alteholz at 2021-11-19T00:04:55+01:00 Reserve DLA-2822-1 for netkit-rsh - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -181079,11 +181079,9 @@ CVE-2019-7249 (In Keybase before 2.12.6 on macOS, the move RPC to the Helper was NOT-FOR-US: Keybase on MacOS CVE-2019-7283 (An issue was discovered in rcp in NetKit through 0.17. For an rcp oper ...) - netkit-rsh 0.17-20 (bug #920486) - [stretch] - netkit-rsh (Minor issue) [jessie] - netkit-rsh (Minor issue) CVE-2019-7282 (In NetKit through 0.17, rcp.c in the rcp client allows remote rsh serv ...) - netkit-rsh 0.17-20 (bug #920486) - [stretch] - netkit-rsh (Minor issue) [jessie] - netkit-rsh (Minor issue) CVE-2019-7248 RESERVED = data/DLA/list = @@ -1,3 +1,6 @@ +[19 Nov 2021] DLA-2822-1 netkit-rsh - security update + {CVE-2019-7282 CVE-2019-7283} + [stretch] - netkit-rsh 0.17-17+deb9u1 [17 Nov 2021] DLA-2821-1 axis - security update {CVE-2018-8032} [stretch] - axis 1.4-25+deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/96ee3793c59e434c68a54f3cfd946aebcc4fc03a...8480d0cfd3ebe44c60db173cfa20c79d9ccd4e0f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/96ee3793c59e434c68a54f3cfd946aebcc4fc03a...8480d0cfd3ebe44c60db173cfa20c79d9ccd4e0f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 8 commits: mark CVE-2021-44225 as no-dsa for Jessie
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: f6889515 by Thorsten Alteholz at 2021-11-28T23:35:52+01:00 mark CVE-2021-44225 as no-dsa for Jessie - - - - - 4e9c0229 by Thorsten Alteholz at 2021-11-28T23:37:36+01:00 add pgbouncer - - - - - 4e41a00c by Thorsten Alteholz at 2021-11-28T23:38:55+01:00 mark CVE-2020-23904 and CVE-2020-23903 as no-dsa for Stretch - - - - - f4ddcd4e by Thorsten Alteholz at 2021-11-28T23:46:29+01:00 mark CVE-2021-41165 and CVE-2021-41164 as no-dsa for Stretch - - - - - 13384b5b by Thorsten Alteholz at 2021-11-28T23:55:05+01:00 mark CVE-2021-3968 as not-affected for Stretch - - - - - 0d1f4a42 by Thorsten Alteholz at 2021-11-28T23:58:13+01:00 mark CVE-2021-3928 as no-dsa for Stretch - - - - - acd30c5f by Thorsten Alteholz at 2021-11-29T00:00:13+01:00 mark CVE-2021-3927 as no-dsa for Stretch - - - - - dd7c1e17 by Thorsten Alteholz at 2021-11-29T00:03:15+01:00 mark CVE-2021-3903 as no-dsa for Stretch - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -133,6 +133,7 @@ CVE-2021-44225 (In Keepalived through 2.2.4, the D-Bus policy does not sufficien - keepalived 1:2.2.4-0.2 [bullseye] - keepalived (Minor issue) [buster] - keepalived (Minor issue) + [stretch] - keepalived (Minor issue) NOTE: https://github.com/acassen/keepalived/pull/2063 NOTE: https://github.com/acassen/keepalived/commit/7977fec0be89ae6fe87405b3f8da2f0b5e415e3d CVE-2021-44224 @@ -833,6 +834,7 @@ CVE-2021-3969 RESERVED CVE-2021-3968 (vim is vulnerable to Heap-based Buffer Overflow ...) - vim + [stretch] - vim (Vulnerable code not present) NOTE: https://huntr.dev/bounties/00d62924-a7b4-4a61-ba29-acab2eaa1528/ NOTE: https://github.com/vim/vim/commit/a062006b9de0b2947ab5fb376c6e67ef92a8cd69 (v8.2.3610) CVE-2022-21741 
@@ -3253,10 +3255,12 @@ CVE-2021-43358 RESERVED CVE-2021-3928 (vim is vulnerable to Stack-based Buffer Overflow ...) - vim + [stretch] - vim (Minor issue) NOTE: https://huntr.dev/bounties/29c3ebd2-d601-481c-bf96-76975369d0cd NOTE: Fixed by: https://github.com/vim/vim/commit/15d9890eee53afc61eb0a03b878a19cb5672f732 (v8.2.3582) CVE-2021-3927 (vim is vulnerable to Heap-based Buffer Overflow ...) - vim + [stretch] - vim (Minor issue) NOTE: https://huntr.dev/bounties/9c2b2c82-48bb-4be9-ab8f-a48ea252d1b0 NOTE: Fixed by: https://github.com/vim/vim/commit/0b5b06cb4777d1401fdf83e7d48d287662236e7e (v8.2.3581) CVE-2021-43357 @@ -5099,6 +5103,7 @@ CVE-2021-3904 (grav is vulnerable to Improper Neutralization of Input During Web NOT-FOR-US: Grav CMS CVE-2021-3903 (vim is vulnerable to Heap-based Buffer Overflow ...) - vim 2:8.2.3565-1 + [stretch] - vim (Minor issue) NOTE: https://huntr.dev/bounties/35738a4f-55ce-446c-b836-2fb0b39625f8 NOTE: https://github.com/vim/vim/commit/777e7c21b7627be80961848ac560cb0a9978ff43 NOTE: PoC crashes starting with https://github.com/vim/vim/commit/8a7d6542b33e5d2b352262305c3bfdb2d14e1cf8 (v8.2.0149) @@ -10627,9 +10632,11 @@ CVE-2021-41166 RESERVED CVE-2021-41165 (CKEditor4 is an open source WYSIWYG HTML editor. In affected version a ...) - ckeditor (bug #09) + [stretch] - ckeditor (Minor issue) NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2 (v4.17.0) CVE-2021-41164 (CKEditor4 is an open source WYSIWYG HTML editor. In affected versions ...) - ckeditor (bug #09) + [stretch] - ckeditor (Minor issue) NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-pvmx-g8h5-cprj (v4.17.0) CVE-2021-41163 (Discourse is an open source platform for community discussion. In affe ...) NOT-FOR-US: Discourse 
@@ -84469,11 +84476,13 @@ CVE-2020-23904 (A stack buffer overflow in speexenc.c of Speex v1.2 allows attac - speex [bullseye] - speex (Minor issue) [buster] - speex (Minor issue) + [stretch] - speex (Minor issue) NOTE: https://github.com/xiph/speex/issues/14 CVE-2020-23903 (A Divide by Zero vulnerability in the function static int read_samples ...) - speex [bullseye] - speex (Minor issue) [buster] - speex (Minor issue) + [stretch] - speex (Minor issue) NOTE: https://github.com/xiph/speex/issues/13 CVE-2020-23902 (A buffer overflow in WildBit Viewer v6.6 allows attackers to cause a d ...) NOT-FOR-US: WildBit Viewer = data/dla-needed.txt = @@ -76,6 +76,9 @@ nvidia-graphics-drivers -- opensc (Adrian Bunk) -- +pgbouncer (Thorsten Alteholz) + NOTE: 20211128: also help with other releases +-- roundcube
[Git][security-tracker-team/security-tracker][master] 3 commits: mark CVE-2021-44143 as postponed
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 38eb942b by Thorsten Alteholz at 2021-11-29T00:09:49+01:00 mark CVE-2021-44143 as postponed - - - - - b62b2bc3 by Thorsten Alteholz at 2021-11-29T00:12:16+01:00 mark CVE-2021-42717 as postponed - - - - - 5e2cbecd by Thorsten Alteholz at 2021-11-29T00:17:18+01:00 add puppet - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -363,6 +363,7 @@ CVE-2021-4002 [hugetlbfs: flush TLBs correctly after huge_pmd_unshare] NOTE: https://git.kernel.org/linus/a4a118f2eead1d6c49e00765de89878288d4b890 CVE-2021-44143 (A flaw was found in mbsync in isync 1.4.0 through 1.4.3. Due to an unc ...) - isync (bug #999804) + [stretch] - isync (revisit when/if fixed upstream) CVE-2021-44142 RESERVED CVE-2021-44141 @@ -5773,6 +5774,7 @@ CVE-2021-42717 [ModSecurity DoS Vulnerability in JSON Parsing] RESERVED - modsecurity 3.0.6-1 - modsecurity-apache 2.9.5-1 + [stretch] - modsecurity-apache (revisit when/if fixed upstream) NOTE: https://github.com/SpiderLabs/ModSecurity/issues/2647 NOTE: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-dos-vulnerability-in-json-parsing-cve-2021-42717/ CVE-2021-42716 (An issue was discovered in stb stb_image.h 2.27. The PNM loader incorr ...) = data/dla-needed.txt = 
@@ -79,6 +79,9 @@ opensc (Adrian Bunk) pgbouncer (Thorsten Alteholz) NOTE: 20211128: also help with other releases -- +puppet + NOTE: please recheck whether really affected +-- roundcube (Markus Koschany) -- rustc (Roberto C. Sánchez) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/dd7c1e17bc9aa175d39c2ff155b00640c714deb8...5e2cbecd61f7cad36bc7292a0ff71891bca392e8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/dd7c1e17bc9aa175d39c2ff155b00640c714deb8...5e2cbecd61f7cad36bc7292a0ff71891bca392e8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
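Review bot: the new stretch line for CVE-2021-44143 postpones isync with "revisit when/if fixed upstream", yet the visible CVE description bounds the issue to isync 1.4.0 through 1.4.3; if the stretch package predates 1.4.0 the accurate state is not-affected with a "Vulnerable code not present" reason (the form used for the faad2 entries elsewhere in this digest), so please check the stretch version before settling on postponed.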
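Review bot: the reason "revisit when/if fixed upstream" on the new stretch line for CVE-2021-42717 contradicts the two lines directly above it, which already record modsecurity 3.0.6-1 and modsecurity-apache 2.9.5-1 as the fixing versions and link the upstream issue; if what is actually awaited is a backport of that fix to the 2.9 branch shipped in stretch, say so ("revisit once a backportable fix for 2.9.x is available"), and if the JSON-parsing code is absent from the stretch version, mark it not-affected instead.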
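Review bot: the new dla-needed entry for puppet says "please recheck whether really affected" without naming which CVE is in doubt, so whoever picks it up has nothing to recheck against; add the CVE id and the reason for the doubt to the NOTE, and date it with the YYYYMMDD prefix the neighbouring entries use (e.g. the "NOTE: 20211128:" line under pgbouncer).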
[Git][security-tracker-team/security-tracker][master] 7 commits: mark CVE-2021-23445 as no-dsa for Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 9bd1ee77 by Thorsten Alteholz at 2021-11-27T00:17:04+01:00 mark CVE-2021-23445 as no-dsa for Stretch - - - - - fc9c7d9e by Thorsten Alteholz at 2021-11-27T00:20:14+01:00 mark several CVEs of jqueryui as no-dsa - - - - - 9744b5ee by Thorsten Alteholz at 2021-11-27T00:25:55+01:00 add librecad - - - - - 11ec39dc by Thorsten Alteholz at 2021-11-27T00:29:09+01:00 mark CVE-2020-23884 as no-dsa for Stretch - - - - - 64f392e1 by Thorsten Alteholz at 2021-11-27T00:30:49+01:00 mark CVE-2020-27511 as no-dsa for Stretch - - - - - f0dc9732 by Thorsten Alteholz at 2021-11-27T00:33:10+01:00 mark CVE-2021-41136 as no-dsa for Stretch - - - - - 56a7f2ee by Thorsten Alteholz at 2021-11-27T00:38:55+01:00 mark CVE-2021-3941 as no-dsa - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -2755,6 +2755,7 @@ CVE-2021-43557 (The uri-block plugin in Apache APISIX before 2.10.2 uses $reques CVE-2021-3941 RESERVED - openexr + [stretch] - openexr (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2019789 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39084 NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1153 
@@ -10552,15 +10553,18 @@ CVE-2021-41185 (Mycodo is an environmental monitoring and regulation system. An NOT-FOR-US: Mycodo CVE-2021-41184 (jQuery-UI is the official jQuery user interface library. Prior to vers ...) - jqueryui 1.13.0+dfsg-1 + [stretch] - jqueryui (Minor issue) NOTE: https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327 NOTE: https://github.com/jquery/jquery-ui/commit/effa323f1505f2ce7a324e4f429fa9032c72f280 CVE-2021-41183 (jQuery-UI is the official jQuery user interface library. Prior to vers ...) - jqueryui 1.13.0+dfsg-1 + [stretch] - jqueryui (Minor issue) NOTE: https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4 NOTE: https://bugs.jqueryui.com/ticket/15284 NOTE: https://github.com/jquery/jquery-ui/pull/1953 CVE-2021-41182 (jQuery-UI is the official jQuery user interface library. Prior to vers ...) - jqueryui 1.13.0+dfsg-1 + [stretch] - jqueryui (Minor issue) NOTE: https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc NOTE: https://github.com/jquery/jquery-ui/commit/32850869d308d5e7c9bf3e3b4d483ea886d373ce CVE-2021-41181 @@ -10674,6 +10678,7 @@ CVE-2021-41137 (Minio is a Kubernetes native application for cloud storage. All NOT-FOR-US: Minio CVE-2021-41136 (Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to version ...) - puma 5.5.2-1 + [stretch] - puma (Minor issue) NOTE: https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx NOTE: https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f CVE-2021-41135 (The Cosmos-SDK is a framework for building blockchain applications in ...) 
@@ -54081,6 +54086,7 @@ CVE-2021-23446 (The package handsontable before 10.0.0; the package handsontable NOT-FOR-US: Node handsontable CVE-2021-23445 (This affects the package datatables.net before 1.11.3. If an array is ...) - datatables.js 1.10.21+dfsg-3 (bug #995229) + [stretch] - datatables.js (Minor issue) NOTE: https://github.com/DataTables/Dist-DataTables/commit/59a8d3f8a3c1138ab08704e783bc52bfe88d7c9b (v1.11.3) CVE-2021-23444 (This affects the package jointjs before 3.4.2. A type confusion vulner ...) NOT-FOR-US: Node jointjs @@ -75776,6 +75782,7 @@ CVE-2020-27512 CVE-2020-27511 (An issue was discovered in the stripTags and unescapeHTML components i ...) - prototypejs (bug #991898) [bullseye] - prototypejs (Minor issue) + [stretch] - prototypejs (Minor issue) NOTE: https://github.com/prototypejs/prototype/blame/dee2f7d8611248abce81287e1be4156011953c90/src/prototype/lang/string.js#L283 NOTE: https://github.com/yetingli/PoCs/blob/main/CVE-2020-27511/Prototype.md NOTE: CVE mentions newer version but vulnerable code exists in older versions too @@ -84471,6 +84478,7 @@ CVE-2020-23885 RESERVED CVE-2020-23884 (A buffer overflow in Nomacs v3.15.0 allows attackers to cause a denial ...) - nomacs + [stretch] - nomacs (Minor issue) NOTE: https://github.com/nomacs/nomacs/issues/516 CVE-2020-23883 RESERVED = data/dla-needed.txt = @@ -56,6 +56,9 @@ libgit2 (Utkarsh) NOTE: 20211029: and TAL later next week. (utkarsh) NOTE: 2026: backports prepped; checking build and smoke-testing package. (utkarsh) -- +librecad + NOTE
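Review bot: the three jqueryui entries (CVE-2021-41184, -41183, -41182) and the puma entry (CVE-2021-41136) each gain a "[stretch] - ... (Minor issue)" line, but the surrounding context shows no [bullseye] or [buster] line for any of them even though the fixing versions (jqueryui 1.13.0+dfsg-1, puma 5.5.2-1) are recorded only for unstable; as committed, stretch is triaged while the two newer releases stay open with no stated decision, so either add matching no-dsa lines or note why stretch alone is treated as minor.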
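Review bot: the same gap appears in the next hunks for CVE-2021-23445 (datatables.js) and CVE-2020-23884 (nomacs), where stretch gets a "Minor issue" line while buster and bullseye have none; for CVE-2020-27511 (prototypejs) only bullseye is marked, and the NOTE just below it states that the vulnerable code exists in older versions too, so buster needs a line as well.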
[Git][security-tracker-team/security-tracker][master] 2 commits: libmodbus issues fixed in recent upload
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: a435329c by Thorsten Alteholz at 2021-11-22T17:05:26+01:00 libmodbus issues fixed in recent upload - - - - - f228ef77 by Thorsten Alteholz at 2021-11-22T17:06:10+01:00 Reserve DLA-2825-1 for libmodbus - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -158650,7 +158650,6 @@ CVE-2019-14464 (XMFile::read in XMFile.cpp in milkyplay in MilkyTracker 1.02.00 CVE-2019-14463 (An issue was discovered in libmodbus before 3.0.7 and 3.1.x before 3.1 ...) - libmodbus 3.1.6-1 (bug #933805) [buster] - libmodbus (Minor issue) - [stretch] - libmodbus (Minor issue) [jessie] - libmodbus (Minor issue) NOTE: https://github.com/stephane/libmodbus/commit/5ccdf5ef79d742640355d1132fa9e2abc7fbaefc (3.1.5) NOTE: https://github.com/stephane/libmodbus/commit/6f915d4215c06be3c719761423d9b5e8aa3cb820 (3.1.5) @@ -158659,7 +158658,6 @@ CVE-2019-14463 (An issue was discovered in libmodbus before 3.0.7 and 3.1.x befo CVE-2019-14462 (An issue was discovered in libmodbus before 3.0.7 and 3.1.x before 3.1 ...) - libmodbus 3.1.6-1 (bug #933805) [buster] - libmodbus (Minor issue) - [stretch] - libmodbus (Minor issue) [jessie] - libmodbus (Minor issue) NOTE: https://github.com/stephane/libmodbus/commit/5ccdf5ef79d742640355d1132fa9e2abc7fbaefc (3.1.5) NOTE: https://github.com/stephane/libmodbus/commit/6f915d4215c06be3c719761423d9b5e8aa3cb820 (3.1.5) = data/DLA/list = 
@@ -1,3 +1,6 @@ +[22 Nov 2021] DLA-2825-1 libmodbus - security update + {CVE-2019-14462 CVE-2019-14463} + [stretch] - libmodbus 3.0.6-2+deb9u1 [21 Nov 2021] DLA-2823-2 salt - regression update [stretch] - salt 2016.11.2+ds-1+deb9u9 [20 Nov 2021] DLA-2824-1 firebird3.0 - security update View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1137946c9185dc40ecb36cfdecef5bca238bfe7e...f228ef77c64510c7aed68faa1c66b1ebf694ec7f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1137946c9185dc40ecb36cfdecef5bca238bfe7e...f228ef77c64510c7aed68faa1c66b1ebf694ec7f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: CVEs of atftp postponed until now
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 20a7383c by Thorsten Alteholz at 2021-11-17T01:25:05+01:00 CVEs of atftp postponed until now - - - - - f130652d by Thorsten Alteholz at 2021-11-17T01:25:46+01:00 Reserve DLA-2820-1 for atftp - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -8031,7 +8031,7 @@ CVE-2021-41655 CVE-2021-41654 RESERVED CVE-2021-41653 (The PING function on the TP-Link TL-WR840N EU v5 router with firmware ...) - NOT-FOR-US: TP-Link + NOT-FOR-US: TP-Link CVE-2021-41652 RESERVED CVE-2021-41651 (A blind SQL injection vulnerability exists in the Raymart DG / Ahmed H ...) @@ -9844,7 +9844,6 @@ CVE-2021-41054 (tftpd_file.c in atftp through 0.7.4 has a buffer overflow becaus - atftp 0.7.git20210915-1 (bug #994895) [bullseye] - atftp 0.7.git20120829-3.3+deb11u1 [buster] - atftp 0.7.git20120829-3.2~deb10u2 - [stretch] - atftp (Minor issue) NOTE: https://sourceforge.net/p/atftp/code/ci/d255bf90834fb45be52decf9bc0b4fb46c90f205/ CVE-2021-3798 [Soft token does not check if an EC key is valid] RESERVED @@ -127472,7 +127471,6 @@ CVE-2020-6098 (An exploitable denial of service vulnerability exists in the free CVE-2020-6097 (An exploitable denial of service vulnerability exists in the atftpd da ...) - atftp 0.7.git20120829-3.2 (bug #970066) [buster] - atftp 0.7.git20120829-3.2~deb10u1 - [stretch] - atftp (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1029 NOTE: https://sourceforge.net/u/peterkaestle/atftp/ci/96409ef3b9ca061f9527cfaafa778105cf15d994/ CVE-2020-6096 (An exploitable signed comparison vulnerability exists in the ARMv7 mem ...) = data/DLA/list = 
@@ -1,3 +1,6 @@ +[17 Nov 2021] DLA-2820-1 atftp - security update + {CVE-2020-6097 CVE-2021-41054} + [stretch] - atftp 0.7.git20120829-3.1~deb9u2 [16 Nov 2021] DLA-2819-1 ntfs-3g - security update {CVE-2021-33285 CVE-2021-33286 CVE-2021-33287 CVE-2021-33289 CVE-2021-35266 CVE-2021-35267 CVE-2021-35268 CVE-2021-35269 CVE-2021-39251 CVE-2021-39252 CVE-2021-39253 CVE-2021-39254 CVE-2021-39255 CVE-2021-39256 CVE-2021-39257 CVE-2021-39258 CVE-2021-39259 CVE-2021-39260 CVE-2021-39261 CVE-2021-39262 CVE-2021-39263} [stretch] - ntfs-3g 1:2016.2.22AR.1+dfsg-1+deb9u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e3ed57c00486c8b681e0765b423c617030b10636...f130652dae0d98b9c640725afa90f47f57a9fab9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e3ed57c00486c8b681e0765b423c617030b10636...f130652dae0d98b9c640725afa90f47f57a9fab9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
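Review bot: the first hunk, at CVE-2021-41653, removes and re-adds the "NOT-FOR-US: TP-Link" line with identical visible text, i.e. a whitespace-only change unrelated to atftp; it looks like an editor re-indenting the line and is better dropped, or at least kept out of a commit whose message is about atftp, so that per-package history stays greppable.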
[Git][security-tracker-team/security-tracker][master] 6 commits: mark CVE-2020-16154 as no-dsa for Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 3efbfb89 by Thorsten Alteholz at 2021-11-25T23:23:50+01:00 mark CVE-2020-16154 as no-dsa for Stretch - - - - - 2722ec12 by Thorsten Alteholz at 2021-11-25T23:25:10+01:00 mark CVE-2020-16154 as no-dsa for Stretch - - - - - fd44970d by Thorsten Alteholz at 2021-11-25T23:25:43+01:00 mark CVE-2020-16156 as no-dsa for Stretch - - - - - 4dde7d42 by Thorsten Alteholz at 2021-11-25T23:31:12+01:00 mark CVE-2021-43398 as no-dsa for Stretch - - - - - e8404b05 by Thorsten Alteholz at 2021-11-25T23:32:26+01:00 mark CVE-2021-37592 as no-dsa for Stretch - - - - - f0583f19 by Thorsten Alteholz at 2021-11-25T23:34:21+01:00 mark CVE-2021-44223 as no-dsa for Stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4,6 +4,7 @@ CVE-2021-44223 (WordPress before 5.8 lacks support for the Update URI plugin hea - wordpress 5.8.1+dfsg1-1 [bullseye] - wordpress (Minor issue; workarounds/mitigation for older versions can be implemented) [buster] - wordpress (Minor issue; workarounds/mitigation for older versions can be implemented) + [stretch] - wordpress (Minor issue; workarounds/mitigation for older versions can be implemented) NOTE: WordPress 5.8 introduces a new "Update URI" plugin header. Further mitigation NOTE: options documented in: NOTE: https://vavkamil.cz/2021/11/25/wordpress-plugin-confusion-update-can-get-you-pwned/ @@ -3012,6 +3013,7 @@ CVE-2021-43398 (Crypto++ (aka Cryptopp) 8.6.0 and earlier contains a timing leak - libcrypto++ (bug #1000227) [bullseye] - libcrypto++ (Minor issue) [buster] - libcrypto++ (Minor issue) + [stretch] - libcrypto++ (Minor issue) NOTE: https://github.com/weidai11/cryptopp/issues/1080 CVE-2021-43397 (LiquidFiles before 3.6.3 allows remote attackers to elevate their priv ...) NOT-FOR-US: LiquidFiles 
@@ -19222,6 +19224,7 @@ CVE-2021-37592 (Suricata before 5.0.8 and 6.x before 6.0.4 allows TCP evasion vi - suricata 1:6.0.4-1 [bullseye] - suricata (Minor issue) [buster] - suricata (Minor issue) + [stretch] - suricata (Minor issue) NOTE: https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942 NOTE: https://redmine.openinfosecfoundation.org/issues/4569 (not public) CVE-2021-37591 @@ -100677,6 +100680,7 @@ CVE-2020-16156 [Signature Verification Bypass] - perl [bullseye] - perl (Minor issue) [buster] - perl (Minor issue) + [stretch] - perl (Minor issue) NOTE: https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/ NOTE: http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html CVE-2020-16155 [does not uniquely define signed data] @@ -100684,6 +100688,7 @@ CVE-2020-16155 [does not uniquely define signed data] - libcpan-checksums-perl [bullseye] - libcpan-checksums-perl (Minor issue) [buster] - libcpan-checksums-perl (Minor issue) + [stretch] - libcpan-checksums-perl (Minor issue) NOTE: https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/ NOTE: http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html CVE-2020-16154 [Signature Verification Bypass] 
@@ -100691,6 +100696,7 @@ CVE-2020-16154 [Signature Verification Bypass] - cpanminus [bullseye] - cpanminus (Minor issue) [buster] - cpanminus (Minor issue) + [stretch] - cpanminus (Minor issue) NOTE: https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/ NOTE: http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html CVE-2020-16153 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1fe330570bc100033f56bceadbde43e54b0c50d0...f0583f1979575e6e253c07fed80f920611d8574a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1fe330570bc100033f56bceadbde43e54b0c50d0...f0583f1979575e6e253c07fed80f920611d8574a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
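Review bot: the commit list carries two commits with the identical message "mark CVE-2020-16154 as no-dsa for Stretch" (3efbfb89 and 2722ec12), while the diff adds stretch lines for three CVEs, CVE-2020-16154 (cpanminus), CVE-2020-16155 (libcpan-checksums-perl) and CVE-2020-16156 (perl); one of the duplicated messages evidently covers CVE-2020-16155, which a per-CVE search of the history will now miss.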
[Git][security-tracker-team/security-tracker][master] 3 commits: mark CVE-2021-32272 as not-affected for Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 1458892d by Thorsten Alteholz at 2021-10-22T23:48:42+02:00 mark CVE-2021-32272 as not-affected for Stretch - - - - - b7b3e59f by Thorsten Alteholz at 2021-10-22T23:48:43+02:00 mark CVE-2021-32273 as not-affected for Stretch - - - - - 98289123 by Thorsten Alteholz at 2021-10-23T00:13:12+02:00 add mailman - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -26243,10 +26243,12 @@ CVE-2021-32274 (An issue was discovered in faad2 through 2.10.0. A heap-buffer-o NOTE: https://github.com/knik0/faad2/commit/c78251b2b5d41ea840fd61ab9502b3d3036bd747 (2_10_0) CVE-2021-32273 (An issue was discovered in faad2 through 2.10.0. A stack-buffer-overfl ...) - faad2 2.10.0-1 + [stretch] - faad2 (Vulnerable code not present, introduced in 2.8.2) NOTE: https://github.com/knik0/faad2/issues/56 NOTE: https://github.com/knik0/faad2/commit/1073aeef823cafd844704389e9a497c257768e2f (2_10_0) CVE-2021-32272 (An issue was discovered in faad2 before 2.10.0. A heap-buffer-overflow ...) - faad2 2.10.0-1 + [stretch] - faad2 (Vulnerable code not present, introduced in 2.8.2) NOTE: https://github.com/knik0/faad2/issues/57 NOTE: https://github.com/knik0/faad2/commit/1b71a6ba963d131375f5e489b3b25e36f19f3f24 (2_10_0) CVE-2021-32271 (An issue was discovered in gpac through 20200801. A stack-buffer-overf ...) = data/dla-needed.txt = 
@@ -50,6 +50,8 @@ linux (Ben Hutchings) -- linux-4.19 (Ben Hutchings) -- +mailman +-- mosquitto (Anton Gladky) NOTE: 20210805: coordinating upload to buster before DLA for Stretch (codehelp) NOTE: 20210806: CVE-2021-34432 ignored in buster and stretch. Vulnerable code not accessible. (codehelp) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/beb2ab04d6ef3be0c69446e9e2c552433dfd9369...9828912313f9b8c7fd5822e24bad83edc33574f2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/beb2ab04d6ef3be0c69446e9e2c552433dfd9369...9828912313f9b8c7fd5822e24bad83edc33574f2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
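Review bot: the two new not-affected lines for CVE-2021-32273 and CVE-2021-32272 give "introduced in 2.8.2" as the reason, which is the right kind of justification, but the NOTE lines only link the fixing commits; adding the commit or file where the code first appears in 2.8.2 would let the next triager verify the claim against the stretch source without re-bisecting.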
[Git][security-tracker-team/security-tracker][master] 2 commits: mark two CVEs for freerdp as no-dsa in Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 3e13f8a3 by Thorsten Alteholz at 2021-10-23T00:29:24+02:00 mark two CVEs for freerdp as no-dsa in Stretch - - - - - 4d45f454 by Thorsten Alteholz at 2021-10-23T00:33:06+02:00 add opnejdk8 - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -5029,10 +5029,12 @@ CVE-2021-41161 CVE-2021-41160 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 - freerdp + [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7c9r-6r2q-93qg CVE-2021-41159 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 - freerdp + [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vh34-m9h7-95xq CVE-2021-41158 RESERVED = data/dla-needed.txt = @@ -62,6 +62,8 @@ nvidia-graphics-drivers NOTE: package is in non-free but also in packages-to-support NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077 -- +openjdk-8 +-- openssh (Utkarsh) NOTE: 20211003: a backporting error for CVE-2018-15473 was reported in NOTE: 20211003: Ubuntu (and can see the same code differences here); View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9828912313f9b8c7fd5822e24bad83edc33574f2...4d45f4544c469ffc0ea3b4b1bf8c9888397683e8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9828912313f9b8c7fd5822e24bad83edc33574f2...4d45f4544c469ffc0ea3b4b1bf8c9888397683e8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
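Review bot: the commit message for 4d45f454 says "add opnejdk8" while the dla-needed hunk adds "openjdk-8"; the entry is correct and the typo is only in the message, but since it is already pushed it is worth knowing that a log search by package name will not find this commit.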
[Git][security-tracker-team/security-tracker][master] add botan1.10
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 8c522242 by Thorsten Alteholz at 2021-10-23T09:38:25+02:00 add botan1.10 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -18,6 +18,8 @@ ansible NOTE: 20210411: after that LTS. (apo) NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/ -- +botan1.10 +-- debian-archive-keyring NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html NOTE: 20210920: Raphael answered. will backport today. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8c522242c337d4bcf5f1211c3ae8652eaad40dc4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8c522242c337d4bcf5f1211c3ae8652eaad40dc4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 438c6b4a by Thorsten Alteholz at 2021-11-08T23:52:06+00:00 update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -29,8 +29,8 @@ debian-archive-keyring NOTE: 20211018: Jonathan is prepping the branch; will work NOTE: 20211018: with him and upload and publish the DLA. (utkarsh) -- -exiv2 - NOTE: 20211024: WIP, not yet finished +exiv2 (Thorsten Alteholz) + NOTE: 20211109: testing package -- ffmpeg (Anton Gladky) NOTE: probably wait until stuff is fixed in Buster View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/438c6b4a0c21bb4001ea3b517530bb13aef456e9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/438c6b4a0c21bb4001ea3b517530bb13aef456e9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
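Review bot: the exiv2 hunk replaces the dated line "NOTE: 20211024: WIP, not yet finished" with "NOTE: 20211109: testing package" rather than appending a second dated line; the neighbouring entries keep their earlier notes and accumulate (see the two 20211018 lines under debian-archive-keyring), which preserves the timeline, so appending the new note and leaving the old one is the more consistent edit.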
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE has been fixed in recent upload
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 35e2546c by Thorsten Alteholz at 2021-10-30T00:51:25+02:00 CVE has been fixed in recent upload - - - - - 418b1389 by Thorsten Alteholz at 2021-10-30T01:14:17+02:00 Reserve DLA-2800-1 for cups - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -114197,7 +114197,6 @@ CVE-2020-10002 (A logic issue was addressed with improved state management. This CVE-2020-10001 (An input validation issue was addressed with improved memory handling. ...) - cups 2.3.3op2-1 [buster] - cups (Minor issue) - [stretch] - cups (Minor issue) NOTE: https://github.com/OpenPrinting/cups/commit/efbea1742bd30f842fbbfb87a473e5c84f4162f9 (v2.3.3op2) CVE-2020-1 RESERVED = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Oct 2021] DLA-2800-1 cups - security update + {CVE-2020-10001} + [stretch] - cups 2.2.1-8+deb9u7 [29 Oct 2021] DLA-2799-1 opencv - security update {CVE-2016-1516 CVE-2017-12597 CVE-2017-12598 CVE-2017-12599 CVE-2017-12601 CVE-2017-12603 CVE-2017-12604 CVE-2017-12605 CVE-2017-12606 CVE-2017-12862 CVE-2017-12863 CVE-2017-12864 CVE-2017-17760 CVE-2017-1000450 CVE-2018-5268 CVE-2018-5269 CVE-2019-14493 CVE-2019-15939} [stretch] - opencv 2.4.9.1+dfsg1-2+deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/75cd1307eae47c4d93954a3884287cd2f602e08c...418b1389d77a38e2e239984009201cc93c15a264 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/75cd1307eae47c4d93954a3884287cd2f602e08c...418b1389d77a38e2e239984009201cc93c15a264 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
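Review bot: with DLA-2800-1 shipping cups 2.2.1-8+deb9u7 for CVE-2020-10001, the "[buster] - cups (Minor issue)" line directly above the removed stretch line is now the odd one out: a fix was backportable to the older 2.2.1 in stretch, so a buster point-release update looks feasible and the buster reason is worth revisiting.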
[Git][security-tracker-team/security-tracker][master] 9 commits: mark CVE-2021-32815 as no-dsa for Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: e03e4fe1 by Thorsten Alteholz at 2021-10-24T00:38:35+02:00 mark CVE-2021-32815 as no-dsa for Stretch - - - - - 2a2011cc by Thorsten Alteholz at 2021-10-24T00:39:40+02:00 mark CVE-2021-34335 as no-dsa for Stretch - - - - - 3270071f by Thorsten Alteholz at 2021-10-24T00:51:28+02:00 mark CVE-2021-37616 as no-dsa for Stretch - - - - - 8f715389 by Thorsten Alteholz at 2021-10-24T00:51:52+02:00 mark CVE-2021-37615 as no-dsa for Stretch - - - - - 51721ac5 by Thorsten Alteholz at 2021-10-24T00:54:14+02:00 mark CVE-2021-37618 as no-dsa for Stretch - - - - - e7296955 by Thorsten Alteholz at 2021-10-24T00:55:56+02:00 mark CVE-2021-37619 as no-dsa for Stretch - - - - - fbcf6902 by Thorsten Alteholz at 2021-10-24T00:56:31+02:00 mark CVE-2021-37621 as no-dsa for Stretch - - - - - 80cbb58f by Thorsten Alteholz at 2021-10-24T00:58:25+02:00 mark CVE-2021-37622 as no-dsa for Stretch - - - - - a0099de8 by Thorsten Alteholz at 2021-10-24T00:58:47+02:00 mark CVE-2021-37623 as no-dsa for Stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -13560,14 +13560,17 @@ CVE-2021-37624 RESERVED CVE-2021-37623 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - exiv2 + [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-mvc4-g5pv-4qqq NOTE: https://github.com/Exiv2/exiv2/pull/1790 CVE-2021-37622 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - exiv2 + [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-9jh3-fcc3-g6hv NOTE: https://github.com/Exiv2/exiv2/pull/1788 CVE-2021-37621 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - exiv2 + [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-m479-7frc-gqqg NOTE: https://github.com/Exiv2/exiv2/pull/1778 CVE-2021-37620 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) @@ -13576,12 +13579,14 @@ CVE-2021-37620 (Exiv2 is a command-line utility and C++ library for reading, wri NOTE: https://github.com/Exiv2/exiv2/pull/1769 CVE-2021-37619 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - exiv2 + [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v NOTE: https://github.com/Exiv2/exiv2/pull/1752 CVE-2021-37618 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - exiv2 [bullseye] - exiv2 (Minor issue) [buster] - exiv2 (Minor issue) + [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-583f-w9pm-99r2 NOTE: https://github.com/Exiv2/exiv2/pull/1759 CVE-2021-37617 (The Nextcloud Desktop Client is a tool to synchronize files from Nextc ...) 
@@ -13591,12 +13596,14 @@ CVE-2021-37616 (Exiv2 is a command-line utility and C++ library for reading, wri - exiv2 [bullseye] - exiv2 (Minor issue) [buster] - exiv2 (Minor issue) + [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-54f7-vvj7-545w NOTE: https://github.com/Exiv2/exiv2/pull/1758 CVE-2021-37615 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - exiv2 [bullseye] - exiv2 (Minor issue) [buster] - exiv2 (Minor issue) + [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-h9x9-4f77-336w NOTE: https://github.com/Exiv2/exiv2/pull/1758 CVE-2021-37614 (In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0 ...) @@ -21241,6 +21248,7 @@ CVE-2021-34336 RESERVED CVE-2021-34335 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - exiv2 (bug #992707) + [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-pvjp-m4f6-q984 NOTE: https://github.com/Exiv2/exiv2/pull/1750 CVE-2021-34334 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) @@ -24864,6 +24872,7 @@ CVE-2021-32816 (ProtonMail Web Client is the official AngularJS web client for t NOT-FOR-US: ProtonMail Web Client CVE-2021-32815 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - exiv2 (bug #992705) + [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-mv9g-fxh2-m49m NOTE: https://github.com/Exiv2/exiv2/pull/1739 CVE-2021-32814 (Skytable
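Review bot: CVE-2021-37616 and CVE-2021-37615 both cite https://github.com/Exiv2/exiv2/pull/1758 as the fix, so one backport covers both new stretch lines; a NOTE saying they are to be handled together would keep them from being revisited separately when the no-dsa decision is reviewed.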
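Review bot: within the same package and patch, CVE-2021-37618, -37616 and -37615 carry [bullseye] and [buster] "Minor issue" lines while CVE-2021-37623, -37622, -37621, -37619, -34335 and -32815 have only the new stretch line beneath an unfixed "- exiv2"; unless bullseye and buster were triaged differently for those six, add the matching lines so the whole exiv2 batch reads the same.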
[Git][security-tracker-team/security-tracker][master] 2 commits: two CVEs of jbig2dec fixed in recent upload
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 43fb0cc1 by Thorsten Alteholz at 2021-10-29T01:01:49+02:00 two CVEs of jbig2dec fixed in recent upload - - - - - 1224608d by Thorsten Alteholz at 2021-10-29T01:01:50+02:00 Reserve DLA-2796-1 for jbig2dec - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -106202,7 +106202,6 @@ CVE-2020-12269 CVE-2020-12268 (jbig2_image_compose in jbig2_image.c in Artifex jbig2dec before 0.18 h ...) - jbig2dec 0.18-1 [buster] - jbig2dec (Minor issue) - [stretch] - jbig2dec (Minor issue) [jessie] - jbig2dec (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20332 NOTE: https://github.com/ArtifexSoftware/jbig2dec/commit/0726320a4b55078e9d8deb590e477d598b3da66e @@ -275170,7 +275169,6 @@ CVE-2017-9217 (systemd-resolved through 233 allows remote attackers to cause a d NOTE: https://github.com/systemd/systemd/pull/5998 CVE-2017-9216 (libjbig2dec.a in Artifex jbig2dec 0.13, as used in MuPDF and Ghostscri ...) - jbig2dec 0.13-5 (bug #863279) - [stretch] - jbig2dec (Minor issue) [jessie] - jbig2dec (Minor issue) [wheezy] - jbig2dec (Minor issue, can be fixed in a future update) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697934 = data/DLA/list = 
@@ -1,3 +1,6 @@ +[29 Oct 2021] DLA-2796-1 jbig2dec - security update + {CVE-2017-9216 CVE-2020-12268} + [stretch] - jbig2dec 0.13-4.1+deb9u1 [29 Oct 2021] DLA-2795-1 gpsd - security update {CVE-2018-17937} [stretch] - gpsd 3.16-4+deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3db6c83bc58c675be66d669e000975a07d2211f5...1224608d9fe80774ebf2560832a490dcae1c2178 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3db6c83bc58c675be66d669e000975a07d2211f5...1224608d9fe80774ebf2560832a490dcae1c2178 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f6a07c3 by Thorsten Alteholz at 2021-12-12T23:42:04+01:00 update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -69,7 +69,7 @@ nvidia-graphics-drivers (Markus Koschany) NOTE: mailing list tomorrow (apo) -- pgbouncer (Thorsten Alteholz) - NOTE: 20211128: also help with other releases + NOTE: 20211212: sync with maintainer -- rustc (Roberto C. Sánchez) NOTE: rust-doc in stretch-lts (and jessie-lts) is not installable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f6a07c3377fabfa5f99c2aaceea0175023ac2ab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f6a07c3377fabfa5f99c2aaceea0175023ac2ab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: add condor
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: f0444ee8 by Thorsten Alteholz at 2021-12-17T00:27:37+01:00 add condor - - - - - 7ff67ad8 by Thorsten Alteholz at 2021-12-17T00:27:37+01:00 mark CVE-2021-4010 as not-affected for Stretch - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -2887,6 +2887,7 @@ CVE-2021-4011 [SProcXFixesCreatePointerBarrier out-of-bounds access] CVE-2021-4010 [SProcScreenSaverSuspend out-of-bounds access] RESERVED - xorg-server 2:1.20.13-3 + [stretch] - xorg-server (Vulnerable code introduced later) - xwayland 2:21.1.4-1 NOTE: https://lists.x.org/archives/xorg-announce/2021-December/003122.html NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/6c4c53010772e3cb4cb8acd54950c8eec9c00d21 = data/dla-needed.txt = @@ -18,6 +18,9 @@ ansible NOTE: 20210411: after that LTS. (apo) NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/ -- +condor + NOTE: 20211216: full details embargoed +-- debian-archive-keyring NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html NOTE: 20210920: Raphael answered. will backport today. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/015176076b7b0a445acc309cac23bd0cd7b9fd5d...7ff67ad86ef88fe8f4f06c63a711259c1fcd1dd1
[Git][security-tracker-team/security-tracker][master] 4 commits: mark CVE-2021-4104 as no-dsa
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 10ac00f8 by Thorsten Alteholz at 2021-12-15T00:20:13+01:00 mark CVE-2021-4104 as no-dsa - - - - - a55eb8ba by Thorsten Alteholz at 2021-12-15T00:23:06+01:00 add xorg-server - - - - - fd7d100b by Thorsten Alteholz at 2021-12-15T00:23:49+01:00 mark CVE-2021-33178 as no-dsa - - - - - 197f3608 by Thorsten Alteholz at 2021-12-15T00:24:42+01:00 mark CVE-2021-43797 as no-dsa - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -700,6 +700,7 @@ CVE-2021-4104 (JMSAppender in Log4j 1.2 is vulnerable to deserialization of untr - apache-log4j1.2 [bullseye] - apache-log4j1.2 (Minor issue; JMSAppender not configured to be used by default) [buster] - apache-log4j1.2 (Minor issue; JMSAppender not configured to be used by default) + [stretch] - apache-log4j1.2 (Minor issue; JMSAppender not configured to be used by default) NOTE: https://www.openwall.com/lists/oss-security/2021/12/13/1 NOTE: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126 NOTE: Issue for Log4j 1.2 when specifically configured to use JMSAppender (not the default) @@ -3747,6 +3748,7 @@ CVE-2021-43797 (Netty is an asynchronous event-driven network application framew - netty (bug #1001437) [bullseye] - netty (Minor issue) [buster] - netty (Minor issue) + [stretch] - netty (Minor issue) NOTE: https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq NOTE: https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323 (netty-4.1.71.Final) CVE-2021-43796 
@@ -32409,6 +32411,7 @@ CVE-2021-33178 (The Manage Backgrounds functionality within Nagvis versions prio - nagvis 1:1.9.29-1 [bullseye] - nagvis (Minor issue) [buster] - nagvis (Minor issue) + [stretch] - nagvis (Minor issue) TODO: check, affects nagvis plugin used in Nagios XI and should be fixed in 2.0.9, https://www.synopsys.com/blogs/software-security/cyrc-advisory-nagios-xi/ CVE-2021-33177 (The Bulk Modifications functionality in Nagios XI versions prior to 5. ...) NOT-FOR-US: Nagios XI = data/dla-needed.txt = @@ -88,3 +88,5 @@ wireshark (Adrian Bunk) NOTE: 2029: Check https://salsa.debian.org/security-tracker-team/security-tracker/commit/d55b7eff90db8487e20106c2c09e61293a477e89 (lamby) NOTE: 20211206: DLA coming soon (bunk) -- +xorg-server (Thorsten Alteholz) +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3891c020dc0d9fae8d2dcd6ffb6d455724119206...197f3608557e24549839b676cc07591a06dae546
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2017-7697 has been fixed in recent upload
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: d3d2a511 by Thorsten Alteholz at 2021-12-13T23:53:20+01:00 CVE-2017-7697 has been fixed in recent upload - - - - - 723a4f8b by Thorsten Alteholz at 2021-12-14T00:12:22+01:00 Reserve DLA-2845-1 for libsamplerate - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -287811,7 +287811,6 @@ CVE-2017-7698 (A Use After Free in the pdf2swf part of swftools 0.9.2 and earlie NOTE: Vulnerable code removed with the 0.9.2+dfs1-2 upload CVE-2017-7697 (In libsamplerate before 0.1.9, a buffer over-read occurs in the calc_o ...) - libsamplerate 0.1.9-1 (bug #860159) - [stretch] - libsamplerate (Minor issue) [jessie] - libsamplerate (Minor issue) [wheezy] - libsamplerate (Minor issue) NOTE: https://github.com/erikd/libsamplerate/issues/11 = data/DLA/list = @@ -1,3 +1,6 @@ +[14 Dec 2021] DLA-2845-1 libsamplerate - security update + {CVE-2017-7697} + [stretch] - libsamplerate 0.1.8-8+deb9u1 [13 Dec 2021] DLA-2844-1 privoxy - security update {CVE-2021-44540 CVE-2021-44543} [stretch] - privoxy 3.0.26-3+deb9u3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0f479661bdbbd3ce198d58c17e8bebfdbb4b9dc7...723a4f8bf129943888a97389c5140eae25800fb1
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2020-25713 has been postponed until now
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 48650812 by Thorsten Alteholz at 2021-12-14T00:25:16+01:00 CVE-2020-25713 has been postponed until now - - - - - e5334a8a by Thorsten Alteholz at 2021-12-14T00:25:58+01:00 Reserve DLA-2846-1 for raptor2 - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -82527,7 +82527,6 @@ CVE-2020-25713 (A malformed input file can lead to a segfault due to an out of b - raptor - raptor2 2.0.14-1.2 (bug #974664) [buster] - raptor2 (Minor issue) - [stretch] - raptor2 (Minor issue; reconsider when fixed upstream.) NOTE: https://bugs.librdf.org/mantis/view.php?id=650 CVE-2020-25712 (A flaw was found in xorg-x11-server before 1.20.10. A heap-buffer over ...) {DSA-4803-1 DLA-2486-1} = data/DLA/list = @@ -1,3 +1,6 @@ +[14 Dec 2021] DLA-2846-1 raptor2 - security update + {CVE-2020-25713} + [stretch] - raptor2 2.0.14-1+deb9u2 [14 Dec 2021] DLA-2845-1 libsamplerate - security update {CVE-2017-7697} [stretch] - libsamplerate 0.1.8-8+deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/723a4f8bf129943888a97389c5140eae25800fb1...e5334a8afcd3b65d236d5f7496aa0d32572352c0
[Git][security-tracker-team/security-tracker][master] still WIP
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: fe19d23f by Thorsten Alteholz at 2021-07-19T00:15:02+02:00 still WIP - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -53,7 +53,7 @@ golang-1.7 (Sylvain Beucler) NOTE: 20210624: Need further checks whether any issues are important to solve or not. -- gpac (Thorsten Alteholz) - NOTE: 20210704: WIP + NOTE: 20210719: WIP -- icu (Utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe19d23f2f214e8e51fb1bb0b40da54118a9c43b
[Git][security-tracker-team/security-tracker][master] 4 commits: mark CVE-2021-36377 as no-dsa for Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: eefb3132 by Thorsten Alteholz at 2021-07-23T11:58:41+02:00 mark CVE-2021-36377 as no-dsa for Stretch - - - - - ba3b7722 by Thorsten Alteholz at 2021-07-23T11:58:43+02:00 mark CVE-2021-32746 as no-dsa for Stretch - - - - - 74d74e4f by Thorsten Alteholz at 2021-07-23T11:58:44+02:00 mark CVE-2021-32747 as no-dsa for Stretch - - - - - f24658bd by Thorsten Alteholz at 2021-07-23T11:58:45+02:00 mark CVE-2021-3618 as no-dsa for Stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2200,6 +2200,7 @@ CVE-2021-36378 CVE-2021-36377 (Fossil before 2.14.2 and 2.15.x before 2.15.2 often skips the hostname ...) - fossil 1:2.15.2-1 [buster] - fossil (Minor issue) + [stretch] - fossil (Minor issue) NOTE: https://fossil-scm.org/forum/forumpost/8d367e16f53d93c789d70bd3bf2c9587227bbd5c6a7b8e512cccd79007536036 CVE-2021-36376 (dandavison delta before 0.8.3 on Windows resolves an executable's path ...) NOT-FOR-US: dandavison delta @@ -4269,13 +4270,16 @@ CVE-2021-3618 - nginx (bug #991328) [bullseye] - nginx (Minor issue) [buster] - nginx (Minor issue) + [stretch] - nginx (Minor issue) - vsftpd (bug #991329) [bullseye] - vsftpd (Minor issue) [buster] - vsftpd (Minor issue) + [stretch] - vsftpd (Minor issue) [experimental] - sendmail 8.16.1-1 - sendmail (bug #991331) [bullseye] - sendmail (Minor issue) [buster] - sendmail (Minor issue) + [stretch] - sendmail (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1975623 NOTE: https://alpaca-attack.com/ NOTE: Generic TLS protocol issue, some applications have released mitigations: 
@@ -10510,12 +10514,14 @@ CVE-2021-32747 (Icinga Web 2 is an open source monitoring web interface, framewo [experimental] - icingaweb2 2.8.3-1~exp1 - icingaweb2 (bug #991116) [buster] - icingaweb2 (Minor issue) + [stretch] - icingaweb2 (Minor issue) NOTE: https://github.com/Icinga/icingaweb2/security/advisories/GHSA-2xv9-886q-p7xx NOTE: https://github.com/Icinga/icingaweb2/commit/ffe8741c66af6ea085514a35ec878093b991875c (v2.8.3) CVE-2021-32746 (Icinga Web 2 is an open source monitoring web interface, framework and ...) [experimental] - icingaweb2 2.8.3-1~exp1 - icingaweb2 (bug #991116) [buster] - icingaweb2 (Minor issue) + [stretch] - icingaweb2 (Minor issue) NOTE: https://github.com/Icinga/icingaweb2/security/advisories/GHSA-cmgc-h4cx-3v43 NOTE: https://github.com/Icinga/icingaweb2/commit/80875d91bbfa52553fe7bb2c1a32a9814880d9c1 (v2.8.3) CVE-2021-32745 (Collabora Online is a collaborative online office suite. A reflected X ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/85f266758683d334c98eec762039363b55d77a68...f24658bd6554e7408df3464078c7dfbdd4ce2053
[Git][security-tracker-team/security-tracker][master] 3 commits: mark CVEs for nvidia-graphics-drivers-legacy-340xx as no-dsa
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 48d5d04a by Thorsten Alteholz at 2021-07-23T12:04:50+02:00 mark CVEs for nvidia-graphics-drivers-legacy-340xx as no-dsa - - - - - d992f1a2 by Thorsten Alteholz at 2021-07-23T12:07:14+02:00 mark CVE-2021-32773 as no-dsa for Stretch - - - - - f0d31aa8 by Thorsten Alteholz at 2021-07-23T12:09:50+02:00 mark CVE-2021-35063 as no-dsa for Stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5161,6 +5161,7 @@ CVE-2021-35063 (Suricata before 5.0.7 and 6.x before 6.0.3 has a "critical evasi [experimental] - suricata 1:6.0.3-1~exp1 - suricata 1:6.0.1-3 (bug #990835) [buster] - suricata (Minor issue) + [stretch] - suricata (Minor issue) NOTE: https://forum.suricata.io/t/suricata-6-0-3-and-5-0-7-released/1489 CVE-2021-35062 RESERVED @@ -10451,6 +10452,7 @@ CVE-2021-32773 (Racket is a general-purpose programming language and an ecosyste [experimental] - racket 8.2+dfsg1-1 - racket (bug #991327) [buster] - racket (Minor issue) + [stretch] - racket (Minor issue) NOTE: https://github.com/racket/racket/security/advisories/GHSA-cgrw-p7p7-937c CVE-2021-32772 RESERVED @@ -49428,6 +49430,7 @@ CVE-2021-1095 (NVIDIA GPU Display Driver for Windows and Linux contains a vulner [buster] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx (bug #991352) [buster] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported) + [stretch] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported) - nvidia-graphics-drivers-tesla-460 (bug #991357) - nvidia-graphics-drivers-tesla-450 (bug #991356) - nvidia-graphics-drivers-tesla-440 (bug #991355) 
@@ -49440,6 +49443,7 @@ CVE-2021-1094 (NVIDIA GPU Display Driver for Windows and Linux contains a vulner [buster] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx (bug #991352) [buster] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported) + [stretch] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported) - nvidia-graphics-drivers-tesla-460 (bug #991357) - nvidia-graphics-drivers-tesla-450 (bug #991356) - nvidia-graphics-drivers-tesla-440 (bug #991355) @@ -49452,6 +49456,7 @@ CVE-2021-1093 (NVIDIA GPU Display Driver for Windows and Linux contains a vulner [buster] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx (bug #991352) [buster] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported) + [stretch] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported) - nvidia-graphics-drivers-tesla-460 (bug #991357) - nvidia-graphics-drivers-tesla-450 (bug #991356) - nvidia-graphics-drivers-tesla-440 (bug #991355) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f24658bd6554e7408df3464078c7dfbdd4ce2053...f0d31aa8039e18c254cb2e9506d3138c7633d8b1
[Git][security-tracker-team/security-tracker][master] mark CVE-2021-36222 as not-affected for Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 6b838a45 by Thorsten Alteholz at 2021-07-23T16:08:25+02:00 mark CVE-2021-36222 as not-affected for Stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2540,6 +2540,7 @@ CVE-2021-36223 RESERVED CVE-2021-36222 (ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) ...) - krb5 1.18.3-6 (bug #991365) + [stretch] - krb5 (Vulnerable code (k5memdup0()) introduced later) NOTE: https://github.com/krb5/krb5/commit/fc98f520caefff2e5ee9a0026fdf5109944b3562 CVE-2021-36221 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b838a458bb3cd9cc366a2b8ac9fb8a516d34e26
[Git][security-tracker-team/security-tracker][master] 4 commits: add aspell
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: dc86c99f by Thorsten Alteholz at 2021-07-25T00:35:18+02:00 add aspell - - - - - c9eba0cf by Thorsten Alteholz at 2021-07-25T00:35:18+02:00 add linuxptp - - - - - f5d0516c by Thorsten Alteholz at 2021-07-25T00:57:06+02:00 mark CVE-2019-11098 as no-dsa for Stretch - - - - - f3f98255 by Thorsten Alteholz at 2021-07-25T00:58:48+02:00 mark CVE-2021-32749 as no-dsa for Stretch - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -10578,6 +10578,7 @@ CVE-2021-32750 (MuWire is a file publishing and networking tool that protects th CVE-2021-32749 (fail2ban is a daemon to ban hosts that cause multiple authentication e ...) - fail2ban 0.11.2-2 [buster] - fail2ban (Minor issue, can be fixed in point release) + [stretch] - fail2ban (Minor issue, can be fixed after fix of regression) NOTE: https://github.com/fail2ban/fail2ban/security/advisories/GHSA-m985-3f3v-cwmm NOTE: https://github.com/fail2ban/fail2ban/commit/2ed414ed09b3bb4c478abc9366a1ff22024a33c9 (0.9) NOTE: https://github.com/fail2ban/fail2ban/commit/410a6ce5c80dd981c22752da034f2529b5eee844 (0.10, 0.11, 1.0) @@ -148326,6 +148327,7 @@ CVE-2019-11099 CVE-2019-11098 (Insufficient input validation in MdeModulePkg in EDKII may allow an un ...) - edk2 [buster] - edk2 (Minor issue) + [stretch] - edk2 (Minor issue) NOTE: https://edk2-docs.gitbook.io/security-advisory/bootguard-toctou-vulnerability NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1614 NOTE: https://bugzilla.tianocore.org/attachment.cgi?id=316 = data/dla-needed.txt = @@ -18,6 +18,8 @@ ansible NOTE: 20210411: after that LTS. (apo) NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/ -- +aspell (Thorsten Alteholz) +-- ceph (Markus Koschany) NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby) NOTE: 20200707: Some discussion regarding removal <https://lists.debian.org/debian-lts/2020/04/msg00019.html> (lamby) 
@@ -59,6 +61,8 @@ linux (Ben Hutchings) -- linux-4.19 (Ben Hutchings) -- +linuxptp (Thorsten Alteholz +-- nettle (Emilio) NOTE: 20210719: difficult backport, wip (Emilio) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f864a8e87ef2d10efb06b36036c4421aa6504ecf...f3f98255fafed3e4fc41269c2a19d39fe7b01733
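Review bot: the added dla-needed.txt entry `+linuxptp (Thorsten Alteholz` is missing its closing parenthesis; the neighbouring entries in the same hunk (`linux (Ben Hutchings)`, `nettle (Emilio)`) close the claimant name, so this line should read `+linuxptp (Thorsten Alteholz)` to match the file's entry format.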
[Git][security-tracker-team/security-tracker][master] 5 commits: mark several CVEs for libpdfbox-java as no-dsa in Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 389f368e by Thorsten Alteholz at 2021-07-25T19:47:12+02:00 mark several CVEs for libpdfbox-java as no-dsa in Stretch - - - - - 17ac81a6 by Thorsten Alteholz at 2021-07-25T19:50:09+02:00 mark CVE-2021-36978 as no-dsa in Stretch - - - - - 80ef366c by Thorsten Alteholz at 2021-07-25T19:51:49+02:00 mark CVE-2021-27847 as no-dsa in Stretch - - - - - c20dfd14 by Thorsten Alteholz at 2021-07-25T19:52:53+02:00 mark CVE-2021-22235 as postponed for Stretch - - - - - b33dee63 by Thorsten Alteholz at 2021-07-25T19:54:20+02:00 mark CVE-2021-36773 as no-dsa for Stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -959,6 +959,7 @@ CVE-2021-36979 (Unicorn Engine 1.0.2 has an out-of-bounds write in tb_flush_arme CVE-2021-36978 (QPDF 9.x through 9.1.1 and 10.x through 10.0.4 has a heap-based buffer ...) - qpdf 10.1.0-1 [buster] - qpdf (Minor issue) + [stretch] - qpdf (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28262 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/qpdf/OSV-2020-2245.yaml NOTE: Fixed by: https://github.com/qpdf/qpdf/commit/dc92574c10f3e2516ec6445b88c5d584f40df4e5 (release-qpdf-10.1.0) @@ -1428,6 +1429,7 @@ CVE-2021-36774 CVE-2021-36773 (uBlock Origin before 1.36.2 and nMatrix before 4.4.9 support an arbitr ...) - ublock-origin (bug #991386) [buster] - ublock-origin (Minor issue) + [stretch] - ublock-origin (Minor issue) - umatrix (bug #991344) [buster] - umatrix (Minor issue) NOTE: https://github.com/vtriolet/writings/blob/main/posts/2021/ublock_origin_and_umatrix_denial_of_service.adoc
@@ -13042,6 +13044,7 @@ CVE-2021-31812 (In Apache PDFBox, a carefully crafted PDF file can trigger an in - libpdfbox-java [bullseye] - libpdfbox-java (Minor issue) [buster] - libpdfbox-java (Minor issue) + [stretch] - libpdfbox-java (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2021/06/12/1 NOTE: https://github.com/apache/pdfbox/commit/cd17a19e9ab1028dc662e972dd8dbb3fa68b4a33 CVE-2021-31811 (In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMem ...) @@ -13051,6 +13054,7 @@ CVE-2021-31811 (In Apache PDFBox, a carefully crafted PDF file can trigger an Ou - libpdfbox-java [bullseye] - libpdfbox-java (Minor issue) [buster] - libpdfbox-java (Minor issue) + [stretch] - libpdfbox-java (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2021/06/12/2 NOTE: https://github.com/apache/pdfbox/commit/cd17a19e9ab1028dc662e972dd8dbb3fa68b4a33 CVE-2021-31810 (An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, an ...) @@ -22912,6 +22916,7 @@ CVE-2021-27848 CVE-2021-27847 (Division-By-Zero vulnerability in Libvips 8.10.5 in the function vips_ ...) - vips 8.8.3-1 [buster] - vips (Minor issue) + [stretch] - vips (Minor issue) NOTE: https://github.com/libvips/libvips/issues/1236 NOTE: https://github.com/libvips/libvips/commit/2fb81b8ed6a4a6b2385f3efbb0412f24f80163c4 (v8.8.0-rc1) NOTE: https://github.com/libvips/libvips/commit/65a259a0258b2036b168cdeff6e9db434471225a (v8.8.0-rc1) 
@@ -36059,6 +36064,7 @@ CVE-2021-22235 (Crash in DNP dissector in Wireshark 3.4.0 to 3.4.6 and 3.2.0 to - wireshark [bullseye] - wireshark (Minor issue, can be fixed along in future update) [buster] - wireshark (Minor issue, can be fixed along in future update) + [stretch] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2021-06.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17462 CVE-2021-22234 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8eab5399cc80d013f3579569826c7e72055f25b3...b33dee6305f7059b7022c39251a738f95f71b6bd
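Review bot: the commit message for c20dfd14 says CVE-2021-22235 is marked as postponed for Stretch, but the added line `+ [stretch] - wireshark (Minor issue)` carries only the bare "Minor issue" rationale, whereas the bullseye and buster lines in the same hunk read `(Minor issue, can be fixed along in future update)`; if the stretch decision is a postponement rather than a plain no-dsa, the entry should say so in the same terms as the other suites, otherwise the commit message should be aligned with the entry.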
[Git][security-tracker-team/security-tracker][master] 2 commits: add libsndfile
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 27c91445 by Thorsten Alteholz at 2021-07-26T00:10:14+02:00 add libsndfile - - - - - 542f69e6 by Thorsten Alteholz at 2021-07-26T00:13:00+02:00 add curl - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -36,6 +36,8 @@ condor (Markus Koschany) NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto) NOTE: 20210205: Some patches seems to be available but not clear if it solves the whole issue or not. (ola) -- +curl +-- ffmpeg (Anton Gladky) NOTE: 20210607: stretch was following the 3.2.x release line, but 3.2.15 NOTE: 20210607: (released 2020-07-02) was the last on this branch. There are @@ -53,6 +55,8 @@ firmware-nonfree (Anton Gladky) gpac (Thorsten Alteholz) NOTE: 20210719: WIP -- +libsndfile (Thorsten Alteholz) +-- linux (Ben Hutchings) -- linux-4.19 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d1faa52d5f900eb5dad55c990212e9c4dbad8bd0...542f69e6d363713bef5bd363684c90875e00a55a
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2019-17544 fixed in recent upload to Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 06de4ba4 by Thorsten Alteholz at 2021-07-26T00:00:25+02:00 CVE-2019-17544 fixed in recent upload to Stretch - - - - - d1faa52d by Thorsten Alteholz at 2021-07-26T00:00:46+02:00 Reserve DLA-2720-1 for aspell - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -127978,7 +127978,6 @@ CVE-2019-17544 (libaspell.a in GNU Aspell before 0.60.8 has a stack-based buffer {DLA-1966-1} - aspell 0.60.8-1 (low) [buster] - aspell (Minor issue) - [stretch] - aspell (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16109 NOTE: https://github.com/GNUAspell/aspell/commit/80fa26c74279fced8d778351cff19d1d8f44fe4e CVE-2019-17543 (LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (rela ...) = data/DLA/list = @@ -1,3 +1,6 @@ +[26 Jul 2021] DLA-2720-1 aspell - security update + {CVE-2019-17544 CVE-2019-25051} + [stretch] - aspell 0.60.7~20110707-3+deb9u1 [25 Jul 2021] DLA-2710-2 rabbitmq-server - regression update [stretch] - rabbitmq-server 3.6.6-1+deb9u2 [23 Jul 2021] DLA-2719-1 ruby-actionpack-page-caching - security update = data/dla-needed.txt = 
@@ -18,8 +18,6 @@ ansible NOTE: 20210411: after that LTS. (apo) NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/ -- -aspell (Thorsten Alteholz) --- ceph (Markus Koschany) NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby) NOTE: 20200707: Some discussion regarding removal <https://lists.debian.org/debian-lts/2020/04/msg00019.html> (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7baa47c5b2affe01e38cb219703e4e3dd6a61f73...d1faa52d5f900eb5dad55c990212e9c4dbad8bd0
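Review bot: the new DLA-2720-1 entry in data/DLA/list covers both CVE-2019-17544 and CVE-2019-25051, but the data/CVE/list hunk only removes the `[stretch] - aspell (Minor issue)` line under CVE-2019-17544; please check that the CVE-2019-25051 entry does not still carry a stretch no-dsa line of its own, since the DLA now records it as fixed in aspell 0.60.7~20110707-3+deb9u1.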
[Git][security-tracker-team/security-tracker][master] add openexr
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 857a5a5f by Thorsten Alteholz at 2021-07-26T00:23:03+02:00 add openexr - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -70,6 +70,8 @@ nvidia-graphics-drivers NOTE: package is in non-free but also in packages-to-support NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077 -- +openexr +-- openjdk-8 (Emilio) -- pillow (codehelp) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/857a5a5fb12da63f7740603a835617cb40a6e49d
[Git][security-tracker-team/security-tracker][master] 3 commits: mark CVE-2021-36976 as not-affected for Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: b427d65e by Thorsten Alteholz at 2021-07-25T19:03:14+02:00 mark CVE-2021-36976 as not-affected for Stretch - - - - - f2f8a18e by Thorsten Alteholz at 2021-07-25T19:39:09+02:00 mark CVE-2020-36430 as not-affected - - - - - 8eab5399 by Thorsten Alteholz at 2021-07-25T19:42:43+02:00 mark several CVEs for libcommons-compress-java as no-dsa in Stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -969,6 +969,7 @@ CVE-2021-36976 (libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_stri - libarchive (bug #991442) [bullseye] - libarchive (Minor issue) [buster] - libarchive (Minor issue) + [stretch] - libarchive (Vulnerable code introduced by 47bb818 in version 3.4.1) NOTE: https://github.com/libarchive/libarchive/issues/1554 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32375 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libarchive/OSV-2021-557.yaml @@ -1316,6 +1317,7 @@ CVE-2020-36431 (Unicorn Engine 1.0.2 has an out-of-bounds write in helper_wfe_ar NOT-FOR-US: Unicorn Engine CVE-2020-36430 (libass 0.15.x before 0.15.1 has a heap-based buffer overflow in decode ...) - libass 1:0.15.0-2 + [stretch] - libass (Vulnerable code not present) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26674 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libass/OSV-2020-2099.yaml NOTE: Introduced by: https://github.com/libass/libass/commit/910211f1c0078e37546f73e95306724358b89be2 (0.15.0) 
@@ -2907,6 +2909,7 @@ CVE-2021-36090 (When reading a specially crafted ZIP archive, Compress can be ma - libcommons-compress-java (bug #991041) [bullseye] - libcommons-compress-java (Minor issue) [buster] - libcommons-compress-java (Minor issue) + [stretch] - libcommons-compress-java (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2021/07/13/4 CVE-2020-36416 (A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 ...) NOT-FOR-US: CMS Made Simple 
@@ -4244,16 +4247,19 @@ CVE-2021-35517 (When reading a specially crafted TAR archive, Compress can be ma - libcommons-compress-java (bug #991041) [bullseye] - libcommons-compress-java (Minor issue) [buster] - libcommons-compress-java (Minor issue) + [stretch] - libcommons-compress-java (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2021/07/13/3 CVE-2021-35516 (When reading a specially crafted 7Z archive, Compress can be made to a ...) - libcommons-compress-java (bug #991041) [bullseye] - libcommons-compress-java (Minor issue) [buster] - libcommons-compress-java (Minor issue) + [stretch] - libcommons-compress-java (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2021/07/13/2 CVE-2021-35515 (When reading a specially crafted 7Z archive, the construction of the l ...) - libcommons-compress-java (bug #991041) [bullseye] - libcommons-compress-java (Minor issue) [buster] - libcommons-compress-java (Minor issue) + [stretch] - libcommons-compress-java (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2021/07/13/1 CVE-2021-35514 (Narou (aka Narou.rb) before 3.8.0 allows Ruby Code Injection via the t ...) NOT-FOR-US: Narou View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/da17668693c6435bfe809d112efd79f7f3daa851...8eab5399cc80d013f3579569826c7e72055f25b3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/da17668693c6435bfe809d112efd79f7f3daa851...8eab5399cc80d013f3579569826c7e72055f25b3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
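Review bot: the three stretch lines added on this hunk group (CVE-2021-35517, CVE-2021-35516, CVE-2021-35515) copy the bullseye/buster text `(Minor issue)` verbatim, but the descriptions, truncated as they are here, all concern reading a specially crafted 7Z or TAR archive, i.e. a problem reachable from attacker-supplied input. All four entries in this change share bug #991041, so a one-line rationale on one of them (DoS only, no code execution, or no reverse dependency in stretch that parses untrusted archives) would record why no DLA is planned; as written the stretch annotation simply inherits a judgement made for the newer releases without saying on what basis.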
[Git][security-tracker-team/security-tracker][master] mark several CVEs from gpac as not-affected
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: f2528f1b by Thorsten Alteholz at 2021-07-28T16:50:25+02:00 mark several CVEs from gpac as not-affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14791,6 +14791,7 @@ CVE-2021-31263 CVE-2021-31262 (The AV1_DuplicateConfig function in GPAC 1.0.1 allows attackers to cau ...) - gpac 1.0.1+dfsg1-4 (bug #987280) [buster] - gpac (Vulnerable code not present) + [stretch] - gpac (Vulnerable code not present) NOTE: https://github.com/gpac/gpac/commit/b2eab95e07cb5819375a50358d4806a8813b6e50 NOTE: https://github.com/gpac/gpac/issues/1738 CVE-2021-31261 (The gf_hinter_track_new function in GPAC 1.0.1 allows attackers to rea ...) @@ -14826,6 +14827,7 @@ CVE-2021-31256 (Memory leak in the stbl_GetSampleInfos function in MP4Box in GPA CVE-2021-31255 (Buffer overflow in the abst_box_read function in MP4Box in GPAC 1.0.1 ...) - gpac 1.0.1+dfsg1-4 (bug #987280) [buster] - gpac (Vulnerable code not present) + [stretch] - gpac (Vulnerable code not present) NOTE: https://github.com/gpac/gpac/commit/758135e91e623d7dfe7f6aaad7aeb3f791b7a4e5 NOTE: https://github.com/gpac/gpac/issues/1733 CVE-2021-31254 (Buffer overflow in the tenc_box_read function in MP4Box in GPAC 1.0.1 ...) @@ -17444,6 +17446,7 @@ CVE-2021-30200 CVE-2021-30199 (In filters/reframe_latm.c in GPAC 1.0.1 there is a Null Pointer Derefe ...) - gpac 1.0.1+dfsg1-4 (bug #987323) [buster] - gpac (Vulnerable code not present) + [stretch] - gpac (Vulnerable code not present) NOTE: https://github.com/gpac/gpac/commit/b2db2f99b4c30f96e17b9a14537c776da6cb5dca NOTE: https://github.com/gpac/gpac/issues/1728 CVE-2021-30198 
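Review bot: for each of the three gpac entries on this line the stretch comment is the buster comment copied unchanged, `(Vulnerable code not present)`, with nothing recording what was checked for stretch. Each entry already names the affected function or file (AV1_DuplicateConfig, abst_box_read, filters/reframe_latm.c) and the upstream fix commit, so the cheap and durable justification is to state which gpac version introduced that code, in the style the comment in the libarchive entry uses ("introduced by ... in version ..."); otherwise a later triager cannot tell whether the stretch line was verified or assumed from buster.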
@@ -17969,6 +17972,7 @@ CVE-2021-30023 CVE-2021-30022 (There is a integer overflow in media_tools/av_parsers.c in the gf_avc_ ...) - gpac 1.0.1+dfsg1-4 (bug #987323) [buster] - gpac (Vulnerable code not present) + [stretch] - gpac (Vulnerable code not present) NOTE: https://github.com/gpac/gpac/commit/51cdb67ff7c5f1242ac58c5aa603ceaf1793b788 NOTE: https://github.com/gpac/gpac/issues/1720 CVE-2021-30021 @@ -17976,11 +17980,13 @@ CVE-2021-30021 CVE-2021-30020 (In the function gf_hevc_read_pps_bs_internal function in media_tools/a ...) - gpac 1.0.1+dfsg1-4 (bug #987323) [buster] - gpac (Vulnerable code not present) + [stretch] - gpac (Vulnerable code not present) NOTE: https://github.com/gpac/gpac/commit/51cdb67ff7c5f1242ac58c5aa603ceaf1793b788 NOTE: https://github.com/gpac/gpac/issues/1722 CVE-2021-30019 (In the adts_dmx_process function in filters/reframe_adts.c in GPAC 1.0 ...) - gpac 1.0.1+dfsg1-4 (bug #987323) [buster] - gpac (Vulnerable code not present) + [stretch] - gpac (Vulnerable code not present) NOTE: https://github.com/gpac/gpac/commit/22774aa9e62f586319c8f107f5bae950fed900bc NOTE: https://github.com/gpac/gpac/issues/1723 CVE-2021-30018 
@@ -17992,6 +17998,7 @@ CVE-2021-30016 CVE-2021-30015 (There is a Null Pointer Dereference in function filter_core/filter_pck ...) - gpac 1.0.1+dfsg1-4 (bug #987323) [buster] - gpac (Vulnerable code not present) + [stretch] - gpac (Vulnerable code not present) NOTE: https://github.com/gpac/gpac/commit/13dad7d5ef74ca2e6fe4010f5b03eb12e9bbe0ec NOTE: https://github.com/gpac/gpac/issues/1719 CVE-2021-30014 (There is a integer overflow in media_tools/av_parsers.c in the hevc_pa ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2528f1b590723491575bc936c14c913fcb2ba67 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2528f1b590723491575bc936c14c913fcb2ba67 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
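Review bot: CVE-2021-30014 appears as trailing context of the last hunk ("integer overflow in media_tools/av_parsers.c in the hevc_pa ...") and is the same file and parser family as CVE-2021-30022 and CVE-2021-30020, which this commit marks not-affected for stretch, but it receives no stretch line here. Either it is also not present in stretch and belongs in this pass, or it differs and the reason should be noted; leaving it untouched makes the set of gpac not-affected annotations look incomplete rather than deliberate. The same question applies to the bare CVE-2021-30021, CVE-2021-30018, CVE-2021-30016 and CVE-2021-30023 headers visible in the context lines.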
[Git][security-tracker-team/security-tracker][master] 9 commits: add zsh
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 851b7685 by Thorsten Alteholz at 2022-02-14T01:58:33+01:00 add zsh - - - - - 3b5d32ea by Thorsten Alteholz at 2022-02-14T01:58:33+01:00 mark CVE-2022-24976 as postponed for Stretch - - - - - e3d03ba5 by Thorsten Alteholz at 2022-02-14T01:58:34+01:00 update note - - - - - 28778f86 by Thorsten Alteholz at 2022-02-14T01:58:34+01:00 add intel-microcode - - - - - e810200b by Thorsten Alteholz at 2022-02-14T01:58:34+01:00 mark CVE-2022-0497 and CVE-2022-0496 as no-dsa for Stretch - - - - - ffc9aa43 by Thorsten Alteholz at 2022-02-14T01:58:34+01:00 add h2database - - - - - c9703061 by Thorsten Alteholz at 2022-02-14T01:58:34+01:00 add libxstream-java - - - - - 81199839 by Thorsten Alteholz at 2022-02-14T01:58:34+01:00 mark CVE-2022-23437 as postponed for Stretch - - - - - 23ffd3fb by Thorsten Alteholz at 2022-02-14T01:58:34+01:00 add htmldoc - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -14,6 +14,7 @@ CVE-2022-24976 (Atheme IRC Services before 7.2.12, when used in conjunction with - atheme-services [bullseye] - atheme-services (Minor issue; can be fixed via point release) [buster] - atheme-services (Minor issue; can be fixed via point release) + [stretch] - atheme-services (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/01/30/4 NOTE: https://github.com/atheme/atheme/commit/4e664c75d0b280a052eb8b5e81aa41944e593c52 CVE-2022-0577 @@ -1374,10 +1375,12 @@ CVE-2022-0498 CVE-2022-0497 RESERVED - openscad 2021.01-4 (bug #1005641) + [stretch] - openscad (Minor issue) NOTE: https://github.com/openscad/openscad/issues/4043 CVE-2022-0496 RESERVED - openscad 2021.01-4 (bug #1005641) + [stretch] - openscad (Minor issue) NOTE: https://github.com/openscad/openscad/issues/4037 CVE-2022-0495 RESERVED 
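Review bot: the commit list distinguishes CVE-2022-24976 (marked postponed for stretch) from CVE-2022-0497 and CVE-2022-0496 (marked no-dsa), but the three added lines are indistinguishable in this view: each is `[stretch] - <package> (Minor issue)` with no status tag visible. Postponed and no-dsa mean different things for later work (one is revisited, one is final), so confirm the committed lines carry their respective tags and that the rendering, not the commit, dropped them. For atheme-services the bullseye/buster text "Minor issue; can be fixed via point release" was shortened to "Minor issue" for stretch, which is reasonable if stretch gets no further point releases, but a postponed entry should say what it is waiting for.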
@@ -4725,6 +4728,7 @@ CVE-2022-23438 RESERVED CVE-2022-23437 (There's a vulnerability within the Apache Xerces Java (XercesJ) XML pa ...) - libxerces2-java + [stretch] - libxerces2-java (revisit when/if fix is complete) NOTE: https://www.openwall.com/lists/oss-security/2022/01/24/3 CVE-2022-0311 (Heap buffer overflow in Task Manager in Google Chrome prior to 97.0.46 ...) {DSA-5054-1} = data/dla-needed.txt = @@ -41,13 +41,21 @@ gpac NOTE: 20211120: received OK from secteam for buster update, working on stretch/buster in parallel (roberto) NOTE: 20211228: Returning to active work on this now that llvm/rustc update is complete (roberto) -- +h2database +-- +htmldoc (Thorsten Alteholz) +-- +intel-microcode + NOTE: 20220213: please recheck +-- libarchive (Thorsten Alteholz) - NOTE: 20220116: waiting for upload in higher releases - NOTE: 20220130: new CVEs arrived + NOTE: 20220213: testing package -- libgit2 (Utkarsh) NOTE: 20220208: got clearance. will upload this week. (utkarsh) -- +libxstream-java +-- linux (Ben Hutchings) -- linux-4.19 (Ben Hutchings) @@ -82,3 +90,5 @@ ujson (Anton) -- vim (Markus Koschany) -- +zsh +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1d295402a5226ae389b85be31d1c63bd77561ec1...23ffd3fb79b62d32e02be0446610c24b673fa274 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1d295402a5226ae389b85be31d1c63bd77561ec1...23ffd3fb79b62d32e02be0446610c24b673fa274 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
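Review bot: the libxerces2-java stretch line `(revisit when/if fix is complete)` has nothing to revisit from: the entry records no fixed version for any release and its only NOTE is the oss-security post. Add a NOTE pointing at where the incomplete upstream fix is being tracked, so that "complete" can be judged later without re-deriving it from the mailing list.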
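Review bot: in the dla-needed.txt hunk the two dated libarchive notes (20220116 "waiting for upload in higher releases" and 20220130 "new CVEs arrived") are deleted and replaced by a single 20220213 note, whereas the gpac entry in the same hunk shows the file's usual pattern of appending dated notes and keeping the trail. Dropping "new CVEs arrived" loses the only hint of which CVEs widened the scope of the update; appending the 20220213 line instead of replacing would keep that. Also, the new intel-microcode note "please recheck" does not say what to recheck (the CVE list, the upstream release, or the non-free status), so the next person picking it up has to guess.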
[Git][security-tracker-team/security-tracker][master] reclaim libarchive
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 7a3540d9 by Thorsten Alteholz at 2022-03-15T13:08:56+01:00 reclaim libarchive - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -41,7 +41,7 @@ intel-microcode -- kicad -- -libarchive +libarchive (Thorsten Alteholz) NOTE: 20220225: fix seems to be incomplete -- libreoffice (Anton) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7a3540d9d20702d8b4f4effbaad30fe224baeda3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7a3540d9d20702d8b4f4effbaad30fe224baeda3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2931-1 for cyrus-sasl2
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 9cbf6547 by Thorsten Alteholz at 2022-03-06T18:13:49+01:00 Reserve DLA-2931-1 for cyrus-sasl2 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[06 Mar 2022] DLA-2931-1 cyrus-sasl2 - security update + {CVE-2022-24407} + [stretch] - cyrus-sasl2 2.1.27~101-g0780600+dfsg-3+deb9u2 [01 Mar 2022] DLA-2930-1 thunderbird - security update {CVE-2022-0566} [stretch] - thunderbird 1:91.6.1-1~deb9u1 = data/dla-needed.txt = @@ -20,9 +20,6 @@ ansible -- asterisk (Abhijith PA) -- -cyrus-sasl2 (Thorsten Alteholz) - NOTE: 20220225: Please wait for DSA and take if C-knowledge are sufficient. (Anton) --- debian-archive-keyring (Anton) NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html NOTE: 20210920: Raphael answered. will backport today. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9cbf654737380b69a32d866012b885f7cb50abca -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9cbf654737380b69a32d866012b885f7cb50abca You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2932-1 for tiff
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: d8a50b9f by Thorsten Alteholz at 2022-03-06T18:16:56+01:00 Reserve DLA-2932-1 for tiff - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -11348,7 +11348,6 @@ CVE-2022-22844 (LibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_un - tiff 4.3.0-3 [bullseye] - tiff (Minor issue) [buster] - tiff (Minor issue) - [stretch] - tiff (Minor issue; read overflow in CLI utility) NOTE: https://gitlab.com/libtiff/libtiff/-/issues/355 NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/287 NOTE: Fixed by: https://gitlab.com/libtiff/libtiff/-/commit/03047a26952a82daaa0792957ce211e0aa51bc64 = data/DLA/list = @@ -1,3 +1,6 @@ +[06 Mar 2022] DLA-2932-1 tiff - security update + {CVE-2022-0561 CVE-2022-0562 CVE-2022-22844} + [stretch] - tiff 4.0.8-2+deb9u8 [06 Mar 2022] DLA-2931-1 cyrus-sasl2 - security update {CVE-2022-24407} [stretch] - cyrus-sasl2 2.1.27~101-g0780600+dfsg-3+deb9u2 = data/dla-needed.txt = @@ -90,9 +90,6 @@ samba NOTE: 20220110: fix applied, but will need a second opinion. (utkarsh) NOTE: 20220125: ftbfs, wip. (utkarsh) -- -tiff (Thorsten Alteholz) - NOTE: 20220302: package ready, salsa was broken --- vim (Markus) -- wireshark (Markus Koschany) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8a50b9f1c1fe674889a158b2fafdf6bb999df7e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8a50b9f1c1fe674889a158b2fafdf6bb999df7e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
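Review bot: the CVE/list hunk only removes the stretch annotation of CVE-2022-22844, while DLA-2932-1 lists CVE-2022-0561 and CVE-2022-0562 as well, and no `{DLA-2932-1}` cross-reference line is added to any of the three entries in this diff. If the tracker tooling derives the stretch fixed status and the cross-reference from data/DLA/list on its own this is fine, but if that line is expected in data/CVE/list (the `{DLA-...}` form used on other fixed entries) it is missing for all three CVEs. Worth a check that the tracker page for each CVE now shows stretch as fixed in 4.0.8-2+deb9u8 rather than still open.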
[Git][security-tracker-team/security-tracker][master] update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 86386d76 by Thorsten Alteholz at 2022-02-25T16:37:38+01:00 update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -54,12 +54,13 @@ gpac (Roberto C. Sánchez) NOTE: 20211228: Returning to active work on this now that llvm/rustc update is complete (roberto) -- htmldoc (Thorsten Alteholz) + NOTE: 20220225: testing package -- intel-microcode NOTE: 20220213: please recheck -- libarchive (Thorsten Alteholz) - NOTE: 20220213: testing package + NOTE: 20220225: fix seems to be incomplete -- libgit2 (Utkarsh) NOTE: 20220208: got clearance. will upload this week. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86386d764c50fedb3ba1989744dd74d3a79d1ed2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86386d764c50fedb3ba1989744dd74d3a79d1ed2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
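Review bot: the libarchive note is overwritten rather than extended, so "20220213: testing package" disappears and the entry now reads only "20220225: fix seems to be incomplete"; the gpac entry in the same hunk keeps its earlier dated notes, which is the pattern the file follows elsewhere. More importantly the new note does not say which fix, for which CVE, looks incomplete, or what behaviour showed it; without that the note cannot be acted on by anyone else and will not help when the package is reclaimed. Suggest appending a line naming the CVE and the upstream commit under test.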
[Git][security-tracker-team/security-tracker][master] take cyrus-sasl2
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: a280cc86 by Thorsten Alteholz at 2022-02-26T17:10:20+01:00 take cyrus-sasl2 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -20,7 +20,7 @@ ansible -- asterisk (Abhijith PA) -- -cyrus-sasl2 +cyrus-sasl2 (Thorsten Alteholz) NOTE: 20220225: Please wait for DSA and take if C-knowledge are sufficient. (Anton) -- debian-archive-keyring (Anton) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a280cc869023e18a8506258531f96a7dff4ca74e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a280cc869023e18a8506258531f96a7dff4ca74e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2928-1 for htmldoc
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: a1d5955b by Thorsten Alteholz at 2022-02-26T12:19:00+01:00 Reserve DLA-2928-1 for htmldoc - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[26 Feb 2022] DLA-2928-1 htmldoc - security update + {CVE-2021-40985 CVE-2021-43579 CVE-2022-0534} + [stretch] - htmldoc 1.8.27-8+deb9u2 [19 Feb 2022] DLA-2927-1 twisted - security update {CVE-2020-10108 CVE-2020-10109 CVE-2022-21712} [stretch] - twisted 16.6.0-2+deb9u1 = data/dla-needed.txt = @@ -53,9 +53,6 @@ gpac (Roberto C. Sánchez) NOTE: 20211120: received OK from secteam for buster update, working on stretch/buster in parallel (roberto) NOTE: 20211228: Returning to active work on this now that llvm/rustc update is complete (roberto) -- -htmldoc (Thorsten Alteholz) - NOTE: 20220225: testing package --- intel-microcode NOTE: 20220213: please recheck -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a1d5955bad9f2461e0a613fa39ca1dd626a7218c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a1d5955bad9f2461e0a613fa39ca1dd626a7218c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] reclaim tiff
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: f7da83c9 by Thorsten Alteholz at 2022-03-02T09:14:25+01:00 reclaim tiff - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -92,7 +92,8 @@ samba NOTE: 20220110: fix applied, but will need a second opinion. (utkarsh) NOTE: 20220125: ftbfs, wip. (utkarsh) -- -tiff +tiff (Thorsten Alteholz) + NOTE: 20220302: package ready, salsa was broken -- vim (Markus) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7da83c9f3f26a071864d62d9fdc6d3bfd013ea7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7da83c9f3f26a071864d62d9fdc6d3bfd013ea7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: mark CVE-2021-45387 and CVE-2021-45386 as no-dsa for Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: a262ca76 by Thorsten Alteholz at 2022-02-12T01:42:08+01:00 mark CVE-2021-45387 and CVE-2021-45386 as no-dsa for Stretch - - - - - 99fdff73 by Thorsten Alteholz at 2022-02-12T01:43:59+01:00 add tiff - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -11361,10 +11361,12 @@ CVE-2021-45388 REJECTED CVE-2021-45387 (tcpreplay 4.3.4 has a Reachable Assertion in add_tree_ipv4() at tree.c ...) - tcpreplay 4.4.0-1 + [stretch] - tcpreplay (Minor issue) NOTE: https://github.com/appneta/tcpreplay/issues/687 NOTE: Fixed by: https://github.com/appneta/tcpreplay/commit/46cf964a7db636da76abeebf10482acf6f682a87 (v4.4.0) CVE-2021-45386 (tcpreplay 4.3.4 has a Reachable Assertion in add_tree_ipv6() at tree.c ...) - tcpreplay 4.4.0-1 + [stretch] - tcpreplay (Minor issue) NOTE: https://github.com/appneta/tcpreplay/issues/687 NOTE: Fixed by: https://github.com/appneta/tcpreplay/commit/46cf964a7db636da76abeebf10482acf6f682a87 (v4.4.0) CVE-2021-45385 (A Null Pointer Dereference vulnerability exits in ffjpeg d5cfd49 (2021 ...) = data/dla-needed.txt = @@ -76,6 +76,8 @@ samba -- thunderbird (Emilio) -- +tiff (Thorsten Alteholz) +-- twisted (Sylvain Beucler) -- ujson (Anton) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/817094ac83f2b3c61bf5a2cabfb624bdce0dbb02...99fdff73d678358feba77127eaf3c7cde789a55f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/817094ac83f2b3c61bf5a2cabfb624bdce0dbb02...99fdff73d678358feba77127eaf3c7cde789a55f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
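Review bot: both tcpreplay entries (CVE-2021-45387, CVE-2021-45386) gain a stretch `(Minor issue)` line, but neither entry has a bullseye or buster line at all, so those releases are still displayed as unfixed with no triage comment for the very same reachable-assertion bugs. If the crash-on-crafted-pcap is minor for stretch it is minor for buster and bullseye too, and the same annotation should land there in this change; if the intent is that buster/bullseye get fixed via point release, say so. Both CVEs share one upstream fix commit (46cf964a, tagged v4.4.0), so a single backport covers both if a DLA is ever wanted.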
[Git][security-tracker-team/security-tracker][master] add zlib
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: cc4e421a by Thorsten Alteholz at 2022-03-26T00:40:03+01:00 add zlib - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -129,3 +129,5 @@ wireshark (Markus Koschany) -- zabbix -- +zlib +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc4e421a27b125c3f8d3e70ca40bcbe3a4ffdb6b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc4e421a27b125c3f8d3e70ca40bcbe3a4ffdb6b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] add sox
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c3dc986 by Thorsten Alteholz at 2022-03-26T00:42:33+01:00 add sox - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -108,6 +108,8 @@ snapd NOTE: 20220308: seems vulnerable at least to setup_private_mount, NOTE: 20220308: but double check (pochu) -- +sox +-- tiff (Utkarsh) -- tzdata (Emilio) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c3dc986786be1f6dd24da273e8f22d68e48e9ab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c3dc986786be1f6dd24da273e8f22d68e48e9ab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 4f0a152c by Thorsten Alteholz at 2022-03-27T23:14:52+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -58,7 +58,7 @@ jackson-databind kicad -- libarchive (Thorsten Alteholz) - NOTE: 20220225: fix seems to be incomplete + NOTE: 20220327: next round of testing -- libdatetime-timezone-perl (Emilio) -- @@ -82,6 +82,7 @@ mariadb-10.1 mbedtls (Utkarsh) -- minidlna (Thorsten Alteholz) + NOTE: 20220327: update other releases first -- nvidia-graphics-drivers NOTE: 20220203: package is in non-free but also in packages-to-support (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4f0a152c5f11b7c79ecf0b03de3e2651e143b21d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4f0a152c5f11b7c79ecf0b03de3e2651e143b21d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
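Review bot: the minidlna note "update other releases first" does not name which releases or which bug tracks those uploads, so the dependency cannot be checked from the file; a bug number or the target suite would make the blocker concrete. For libarchive the note is again replaced rather than appended (the 20220225 "fix seems to be incomplete" line is dropped), which loses the fact that an earlier fix attempt was found incomplete; keeping both dated lines would preserve that history for whoever tests the next round.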
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE has been fixed in recent upload to Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 7f63df30 by Thorsten Alteholz at 2022-03-30T23:17:44+02:00 CVE has been fixed in recent upload to Stretch - - - - - fa0f946a by Thorsten Alteholz at 2022-03-30T23:17:44+02:00 Reserve DLA-2966-1 for libgc - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -334054,7 +334054,6 @@ CVE-2016-9427 (Integer overflow vulnerability in bdwgc before 2016-09-27 allows {DLA-721-1} [experimental] - libgc 1:7.4.4-1 - libgc 1:7.6.4-0.3 (bug #844771) - [stretch] - libgc (Minor issue) [jessie] - libgc (Minor issue) NOTE: https://github.com/ivmai/bdwgc/issues/135 NOTE: Fixed by https://github.com/ivmai/bdwgc/commit/4e1a6f9d8f2a49403bbd00b8c8e5324048fb84d4 = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Mar 2022] DLA-2966-1 libgc - security update + {CVE-2016-9427} + [stretch] - libgc 1:7.4.2-8+deb9u1 [29 Mar 2022] DLA-2965-1 cacti - security update {CVE-2018-10060 CVE-2018-10061 CVE-2019-11025 CVE-2020-7106 CVE-2020-13230 CVE-2020-23226 CVE-2021-23225 CVE-2022-0730} [stretch] - cacti 0.8.8h+ds1-10+deb9u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/85746825e66c7e4d734d8061588d665cdb2d87c5...fa0f946aab99aac4b0788cb2be931f2e730b8d68 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/85746825e66c7e4d734d8061588d665cdb2d87c5...fa0f946aab99aac4b0788cb2be931f2e730b8d68 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
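Review bot: the CVE-2016-9427 entry keeps its `{DLA-721-1}` reference and its `[jessie] - libgc (Minor issue)` line, but the new DLA-2966-1 that fixes stretch in 1:7.4.2-8+deb9u1 is not added to the entry's `{...}` reference line in this diff; only the stretch "Minor issue" annotation is removed. Unless the tracker tooling inserts the cross-reference automatically, the entry will show stretch as fixed (from data/DLA/list) without pointing at the advisory. Also confirm the jessie line is still wanted: jessie is shown as "Minor issue" while stretch now has a DLA for the same upstream fix commit.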
[Git][security-tracker-team/security-tracker][master] claim minidlna
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 285a5ba5 by Thorsten Alteholz at 2022-03-21T01:30:38+01:00 claim minidlna - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -79,7 +79,7 @@ mariadb-10.1 -- mbedtls (Utkarsh) -- -minidlna +minidlna (Thorsten Alteholz) -- nvidia-graphics-drivers NOTE: 20220203: package is in non-free but also in packages-to-support (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/285a5ba5754b32002499b0a10b319146a0a959fe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/285a5ba5754b32002499b0a10b319146a0a959fe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] mark temporary weechat CVE as not-affected for Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 5ec91425 by Thorsten Alteholz at 2022-03-27T11:36:12+02:00 mark temporary weechat CVE as not-affected for Stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -728,6 +728,7 @@ CVE-2022-1056 RESERVED CVE-2022- [Possible man-in-the-middle attack in TLS connection to servers] - weechat 3.4.1-1 + [stretch] - weechat (Vulnerable code introduced later) NOTE: https://weechat.org/doc/security/WSA-2022-1/ NOTE: https://github.com/weechat/weechat/issues/1763 NOTE: Fixed by: https://github.com/weechat/weechat/commit/710247891cdfd4e66ee6d1715e93626def6871f1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5ec914250f01f12bca260fe3ad4776a37504071e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5ec914250f01f12bca260fe3ad4776a37504071e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
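Review bot: the stretch line is attached to a placeholder entry (`CVE-2022- [Possible man-in-the-middle attack in TLS connection to servers]`), so when the real identifier is assigned the `[stretch] - weechat (Vulnerable code introduced later)` annotation has to move with it; note that in the commit so it is not lost during the rename. The reason itself would be stronger with the introducing commit or version, as other not-affected entries on this page do (the libass entry cites the commit and release that introduced the bug); the entry currently cites only the fix commit 710247891cdf and WSA-2022-1, which does not by itself establish that stretch's weechat predates the affected TLS code.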
[Git][security-tracker-team/security-tracker][master] claim libvirt
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 3ac2ec3b by Thorsten Alteholz at 2022-03-27T11:52:40+02:00 claim libvirt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -68,6 +68,8 @@ liblouis -- libpgjava -- +libvirt (Thorsten Alteholz) +-- libxml2 (Anton) -- linux (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3ac2ec3b43b1c8480818845b487264111ad5e3d0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3ac2ec3b43b1c8480818845b487264111ad5e3d0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits