[Git][security-tracker-team/security-tracker][master] 5 commits: update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: f6324da2 by Thorsten Alteholz at 2024-04-28T23:17:41+02:00 update notes - - - - - 3b1c9517 by Thorsten Alteholz at 2024-04-28T23:23:19+02:00 mark CVE-2024-32879 as postponed for buster - - - - - 953f4cab by Thorsten Alteholz at 2024-04-28T23:25:03+02:00 mark two CVEs of sngrep as postponed - - - - - 4d4b408d by Thorsten Alteholz at 2024-04-28T23:29:59+02:00 mark CVE-2024-29156 as ignored for Buster - - - - - 5b7a5ec7 by Thorsten Alteholz at 2024-04-28T23:33:36+02:00 add dcmtk - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -847,6 +847,7 @@ CVE-2024-32879 (Python Social Auth is a social authentication/registration mecha - social-auth-app-django [bookworm] - social-auth-app-django (Minor issue) [bullseye] - social-auth-app-django (Minor issue) + [buster] - social-auth-app-django (Minor issue) - python-social-auth NOTE: https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-2gr8-3wc7-xhj3 NOTE: https://github.com/python-social-auth/social-app-django/commit/31c3e0c7edb187004d8abbde7e9c4f7ef9098138 (5.4.1) @@ -5081,11 +5082,13 @@ CVE-2024-3120 (A stack-buffer overflow vulnerability exists in all versions of s - sngrep 1.8.1-1 (bug #1068818) [bookworm] - sngrep (Minor issue) [bullseye] - sngrep (Minor issue) + [buster] - sngrep (Minor issue) NOTE: https://github.com/irontec/sngrep/commit/f3f8ed8ef38748e6d61044b39b0dabd7e37c6809 (v1.8.1) CVE-2024-3119 (A buffer overflow vulnerability exists in all versions of sngrep since ...) - sngrep 1.8.1-1 (bug #1068818) [bookworm] - sngrep (Minor issue) [bullseye] - sngrep (Minor issue) + [buster] - sngrep (Minor issue) NOTE: https://github.com/irontec/sngrep/commit/dd5fec92730562af6f96891291cd4e102b80bfcc (v1.8.1) CVE-2024-3020 (The plugin is vulnerable to PHP Object Injection in versions up to and ...) NOT-FOR-US: WordPress plugin 
@@ -12723,6 +12726,7 @@ CVE-2024-29156 (In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is us - murano (bug #1068459) [bookworm] - murano (To be removed in point release) [bullseye] - murano (To be removed in point release) + [buster] - murano (unmaintained upstream) NOTE: https://bugs.launchpad.net/murano/+bug/2048114 NOTE: https://wiki.openstack.org/wiki/OSSN/OSSN-0093 NOTE: No fix in Murano, but a change in src:yaql renders this unexploitable: = data/dla-needed.txt = @@ -49,6 +49,9 @@ bind9 (Santiago) NOTE: 20240418: https://salsa.debian.org/lts-team/packages/bind9/-/commit/135e46d2e43b6e499454385c2228338c6a72ba96 NOTE: 20240418: All testing activities remains. -- +dcmtk + NOTE: 20240428: Added by Front-Desk (ta) +-- dnsmasq NOTE: 20240303: Added by Front-Desk (apo) NOTE: 20240325: Automatically unassigned (lamby) @@ -298,6 +301,7 @@ tiff (Thorsten Alteholz) NOTE: 20240314: Added by coordinator (roberto) NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and NOTE: 20240314: bookworm. Uploads to spu and ospu should be coordinated. (roberto) + NOTE: 20240428: testing package -- tinymce NOTE: 20231123: Added by Front-Desk (ola) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/dca4d5635318336e67b292f148f00abb54dc4c87...5b7a5ec724b1aa7c97eb298e08184c9c85dca0c4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/dca4d5635318336e67b292f148f00abb54dc4c87...5b7a5ec724b1aa7c97eb298e08184c9c85dca0c4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
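Review bot: in the murano hunk the new buster reason "(unmaintained upstream)" gives a different rationale from the NOTE directly below it, which says a change in src:yaql renders the issue unexploitable. If buster's yaql carries that change, stating so in the buster reason (or in a buster-specific NOTE) would tell readers why no update is planned; if it does not, the NOTE should say that the yaql mitigation applies only to the newer suites, otherwise the two lines read as contradicting each other.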
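Review bot: the new tiff line "NOTE: 20240428: testing package" lacks the trailing author tag that the other dated NOTE lines in data/dla-needed.txt carry ("(roberto)", "(bunk)", "(ta)" in the surrounding context); append "(ta)" so the entry records who is doing the testing.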
[Git][security-tracker-team/security-tracker][master] 7 commits: mark CVE-2023-51792 as postponed for Buster
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 8808bbf1 by Thorsten Alteholz at 2024-04-28T19:01:26+02:00 mark CVE-2023-51792 as postponed for Buster - - - - - 6f4f2a9d by Thorsten Alteholz at 2024-04-28T19:05:01+02:00 mark CVE-2024-30171 as postponed for Buster - - - - - 38f7045f by Thorsten Alteholz at 2024-04-28T19:06:22+02:00 mark CVE-2022-48682 as postponed for Buster - - - - - b83b555a by Thorsten Alteholz at 2024-04-28T19:17:25+02:00 mark several CVEs of ffmpeg as postponed for Buster - - - - - 7dda4acc by Thorsten Alteholz at 2024-04-28T19:18:01+02:00 fix typo - - - - - 62b23395 by Thorsten Alteholz at 2024-04-28T19:18:56+02:00 mark CVE-2023-36308 as postponed for Buster - - - - - f0d578a9 by Thorsten Alteholz at 2024-04-28T19:21:15+02:00 mark some CVEs of iotjs as ignored for Buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -335,18 +335,22 @@ CVE-2024-33263 (QuickJS commit 3b45d15 was discovered to contain an Assertion Fa CVE-2024-33260 (Jerryscript commit cefd391 was discovered to contain a segmentation vi ...) - iotjs [bullseye] - iotjs (Minor issue) + [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/issues/5133 CVE-2024-33259 (Jerryscript commit cefd391 was discovered to contain a segmentation vi ...) - iotjs [bullseye] - iotjs (Minor issue) + [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/issues/5132 CVE-2024-33258 (Jerryscript commit ff9ff8f was discovered to contain a segmentation vi ...) - iotjs [bullseye] - iotjs (Minor issue) + [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/issues/5114 CVE-2024-33255 (Jerryscript commit cefd391 was discovered to contain an Assertion Fail ...) - iotjs [bullseye] - iotjs (Minor issue) + [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/issues/5135 CVE-2024-32957 (Missing Authorization vulnerability in Live Composer Team Page Builder ...) NOT-FOR-US: WordPress plugin @@ -541,6 +545,7 @@ CVE-2023-47252 (An issue was discovered in PnpSmm in Insyde InsydeH2O with kerne CVE-2022-48682 (In deletefiles in FDUPES before 2.2.0, a TOCTOU race condition allows ...) - fdupes 1:2.2.1-1 [bullseye] - fdupes (Minor issue) + [buster] - fdupes (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1200381 NOTE: https://github.com/adrianlopezroche/fdupes/commit/85680897148f1ac33b55418e00334116e419717f (v2.2.0) CVE-2024-27282 [Arbitrary memory address read vulnerability with Regex search] 
@@ -1033,6 +1038,7 @@ CVE-2024-30171 - bouncycastle [bookworm] - bouncycastle (Minor issue) [bullseye] - bouncycastle (Minor issue) + [buster] - bouncycastle (Minor issue) NOTE: https://github.com/bcgit/bc-java/issues/1528 CVE-2024-4065 (A vulnerability was found in Tenda AC8 16.03.34.09. It has been rated ...) NOT-FOR-US: Tenda @@ -1588,6 +1594,7 @@ CVE-2023-51798 (Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 al - ffmpeg [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) + [buster] - ffmpeg (Pick up when fixed in most related branch) NOTE: https://trac.ffmpeg.org/ticket/10758 NOTE: Fixed in https://github.com/ffmpeg/FFmpeg/commit/68146f06f852078866b3ef1564556e3a272920c7 (n7.0) CVE-2023-51797 (Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a ...) @@ -1595,6 +1602,7 @@ CVE-2023-51797 (Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 al - ffmpeg [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) + [buster] - ffmpeg (Pick up when fixed in most related branch) NOTE: https://trac.ffmpeg.org/ticket/10756 NOTE: Fixed in https://github.com/ffmpeg/FFmpeg/commit/08bd2cbfeb34717d60ec62bcbaeb7996206df906 (n7.0) CVE-2023-51796 (Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a ...) @@ -1620,12 +1628,14 @@ CVE-2023-51793 (Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 al - ffmpeg [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) + [buster] - ffmpeg (Pick up when fixed in most related branch) NOTE: Fixed in https://github.com/FFmpeg/FFmpeg/commit/0ecc1f0e48930723d7a467761b66850811c23e62 (n7.0) NOTE: https://trac.ffmpeg.org/ticket/10743 CVE-2023-51792 (Buffer Overflow vulnerability in libde265 v1.0.12 allows a local attac
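Review bot: in the three ffmpeg hunks the buster reason "(Pick up when fixed in most related branch)" is vaguer than the bullseye and bookworm entries beside it, which name the exact upstream release branch ("4.3.x", "5.1.x"); name the branch that buster's ffmpeg tracks so the entry can be acted on when upstream releases, and "most related" reads better as "the closest related".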
[Git][security-tracker-team/security-tracker][master] 3 commits: mark CVE-2023-3758 as postponed for Buster
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 81d2b97f by Thorsten Alteholz at 2024-04-24T23:21:44+02:00 mark CVE-2023-3758 as postponed for Buster - - - - - b4103553 by Thorsten Alteholz at 2024-04-24T23:27:02+02:00 mark CVE-2024-3019 as not-affected for Buster - - - - - d4e5c70a by Thorsten Alteholz at 2024-04-24T23:34:30+02:00 mark CVE-2024-31031 as not-affected for Buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1148,6 +1148,7 @@ CVE-2023-3758 (A race condition flaw was found in sssd where the GPO policy is n - sssd [bookworm] - sssd (Minor issue) [bullseye] - sssd (Minor issue) + [buster] - sssd (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2223762 NOTE: https://github.com/SSSD/sssd/pull/7302 NOTE: https://github.com/SSSD/sssd/commit/d7db7971682da2dbf7642ac94940d6b0577ec35a (master) @@ -1429,6 +1430,7 @@ CVE-2024-31031 (An issue in `coap_pdu.c` in libcoap 4.3.4 allows attackers to ca - libcoap - libcoap2 [bullseye] - libcoap2 (Minor issue) + [buster] - libcoap2 (Vulnerable code not present) - libcoap3 [bookworm] - libcoap3 (Minor issue) NOTE: https://github.com/obgm/libcoap/issues/1351 
@@ -8407,6 +8409,7 @@ CVE-2024-3019 (A flaw was found in PCP. The default pmproxy configuration expose - pcp (bug #1068112) [bookworm] - pcp (Minor issue) [bullseye] - pcp (Minor issue) + [buster] - pcp (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2271898 NOTE: Fixed by: https://github.com/performancecopilot/pcp/commit/3bde240a2acc85e63e2f7813330713dd9b59386e CVE-2024-31140 (In JetBrains TeamCity before 2024.03 server administrators could remov ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/89dea12856acad42ac395f682dff06d416afb1fd...d4e5c70a07e0da92059f960aca1dd7a864238167 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/89dea12856acad42ac395f682dff06d416afb1fd...d4e5c70a07e0da92059f960aca1dd7a864238167 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] claim tiff
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 86186d77 by Thorsten Alteholz at 2024-04-10T23:14:50+02:00 claim tiff - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -264,7 +264,7 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -tiff +tiff (Thorsten Alteholz) NOTE: 20240314: Added by coordinator (roberto) NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and NOTE: 20240314: bookworm. Uploads to spu and ospu should be coordinated. (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86186d77c378aa6782dd4a42248b59d1293291eb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86186d77c378aa6782dd4a42248b59d1293291eb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3784-1 for libcaca
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 55b52a6c by Thorsten Alteholz at 2024-04-07T10:40:39+02:00 Reserve DLA-3784-1 for libcaca - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -213284,14 +213284,12 @@ CVE-2021-30500 (Null pointer dereference was found in upx PackLinuxElf::canUnpac CVE-2021-30499 (A flaw was found in libcaca. A buffer overflow of export.c in function ...) - libcaca 0.99.beta19-3 (bug #987278) [bullseye] - libcaca (Minor issue) - [buster] - libcaca (Minor issue) [stretch] - libcaca (Minor issue; can be fixed in next update) NOTE: https://github.com/cacalabs/libcaca/issues/54 NOTE: Fixed by: https://github.com/cacalabs/libcaca/commit/ab04483ee1a846d6b74b2e6248e980152baec3f6 (v0.99.beta20) CVE-2021-30498 (A flaw was found in libcaca. A heap buffer overflow in export.c in fun ...) - libcaca 0.99.beta19-3 (bug #987278) [bullseye] - libcaca (Minor issue) - [buster] - libcaca (Minor issue) [stretch] - libcaca (Minor issue; can be fixed in next update) NOTE: https://github.com/cacalabs/libcaca/issues/53 NOTE: Fixed by: https://github.com/cacalabs/libcaca/commit/ab04483ee1a846d6b74b2e6248e980152baec3f6 (v0.99.beta20) = data/DLA/list = 
@@ -1,3 +1,6 @@ +[07 Apr 2024] DLA-3784-1 libcaca - security update + {CVE-2021-30498 CVE-2021-30499} + [buster] - libcaca 0.99.beta19-2.1+deb10u1 [07 Apr 2024] DLA-3783-1 expat - security update {CVE-2023-52425} [buster] - expat 2.2.6-2+deb10u7 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/55b52a6ca2ba0f482ef73a93f5faf9733d393953 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/55b52a6ca2ba0f482ef73a93f5faf9733d393953 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3781-1 for libgd2
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 76d4a8c9 by Thorsten Alteholz at 2024-04-07T01:22:01+02:00 Reserve DLA-3781-1 for libgd2 - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -186661,7 +186661,6 @@ CVE-2021-40813 (A cross-site scripting (XSS) vulnerability in the "Zip content" CVE-2021-40812 (The GD Graphics Library (aka LibGD) through 2.3.2 has an out-of-bounds ...) - libgd2 2.3.3-1 [bullseye] - libgd2 (Minor issue) - [buster] - libgd2 (Minor issue) [stretch] - libgd2 (Minor issue) NOTE: https://github.com/libgd/libgd/issues/750#issuecomment-914872385 NOTE: https://github.com/libgd/libgd/commit/6f5136821be86e7068fcdf651ae9420b5d42e9a9 @@ -193578,7 +193577,6 @@ CVE-2021-38116 CVE-2021-38115 (read_header_tga in gd_tga.c in the GD Graphics Library (aka LibGD) thr ...) - libgd2 2.3.3-1 (bug #991912) [bullseye] - libgd2 (Minor issue) - [buster] - libgd2 (Minor issue) [stretch] - libgd2 (Minor issue) NOTE: https://github.com/libgd/libgd/issues/697 NOTE: https://github.com/libgd/libgd/commit/8b111b2b4a4842179be66db68d84dda91a246032 (gd-2.3.3~1) @@ -392700,7 +392698,6 @@ CVE-2018-14554 CVE-2018-14553 (gdImageClone in gd.c in libgd 2.1.0-rc2 through 2.2.5 has a NULL point ...) {DLA-2106-1} - libgd2 2.3.0-1 (low; bug #951287) - [buster] - libgd2 (Minor issue) [stretch] - libgd2 (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1599032 NOTE: https://github.com/libgd/libgd/commit/a93eac0e843148dc2d631c3ba80af17e9c8c860f = data/DLA/list = 
@@ -1,3 +1,6 @@ +[07 Apr 2024] DLA-3781-1 libgd2 - security update + {CVE-2018-14553 CVE-2021-38115 CVE-2021-40812} + [buster] - libgd2 2.2.5-5.2+deb10u1 [06 Apr 2024] DLA-3780-1 jetty9 - security update {CVE-2024-22201} [buster] - jetty9 9.4.50-4+deb10u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/76d4a8c99d0fc8ac68e6445b1ecea5a7573d43e7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/76d4a8c99d0fc8ac68e6445b1ecea5a7573d43e7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
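Review bot: CVE-2018-14553 in data/CVE/list already carries the {DLA-2106-1} reference, and the new DLA-3781-1 entry lists it a second time; a NOTE on the CVE saying why another buster update was needed (an incomplete earlier fix or a regression) would keep the double reference from being read as a bookkeeping error. Dropping the buster "(Minor issue)" line itself is consistent with the new DLA covering the issue.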
[Git][security-tracker-team/security-tracker][master] 2 commits: add commits to fix CVE-2024-23944
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: cde2e16d by Thorsten Alteholz at 2024-03-24T18:40:46+01:00 add commits to fix CVE-2024-23944 - - - - - f8ad0fa1 by Thorsten Alteholz at 2024-03-24T18:41:35+01:00 add zookeeper - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -2198,6 +2198,8 @@ CVE-2024-28752 (A SSRF vulnerability using the Aegis DataBinding in versions of CVE-2024-23944 (Information disclosure in persistent watchers handling in Apache ZooKe ...) - zookeeper (bug #1066947) NOTE: https://www.openwall.com/lists/oss-security/2024/03/14/2 + NOTE: fixed by: https://github.com/apache/zookeeper/commit/65b91d2d9a56157285c2a86b106e67c26520b01d (v3.8.x) + NOTE: fixed by: https://github.com/apache/zookeeper/commit/daf7cfd04005cff1a4f7cab5ab13d41db88d0cd8 (v3.9.x) CVE-2024-1930 NOT-FOR-US: dnf5daemon-server CVE-2024-1929 = data/dla-needed.txt = @@ -313,3 +313,6 @@ wordpress zabbix (utkarsh) NOTE: 20240212: Added by Front-Desk (utkarsh) -- +zookeeper + NOTE: 20240324: Added by Front-Desk (ta) +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4734816754d286e8198e442b3e182bdfd2047a14...f8ad0fa1faaeb144ce9d02cf39543698cddf73f3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4734816754d286e8198e442b3e182bdfd2047a14...f8ad0fa1faaeb144ce9d02cf39543698cddf73f3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
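Review bot: the two new NOTE lines on CVE-2024-23944 write "fixed by:" in lower case, while the other entries visible in this feed use "Fixed by:" (the pcp, libcaca and commons-configuration entries); use the capitalised form so the notes stay consistent with the rest of data/CVE/list.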
[Git][security-tracker-team/security-tracker][master] add clamav
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: c11ddb43 by Thorsten Alteholz at 2024-03-24T18:19:02+01:00 add clamav - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -40,6 +40,10 @@ bind9 (Sean Whitton) NOTE: 20240218: Added by Front-Desk (lamby) NOTE: 20240218: CVE-2023-4408 CVE-2023-50387 CVE-2023-50868 CVE-2023-5517 CVE-2023-5679 already fixed in bullseye. (lamby) -- +clamav + NOTE: 20240324: Added by Front-Desk (ta) + NOTE: 20240324: there is no CVE for clamav but CVE-2023-40477 affects the embedded version of unrar +-- composer (rouca) NOTE: 20240209: Added by Front-Desk (utkarsh) NOTE: 20240304: Need to backport bullseye (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c11ddb43e3fc927379e0f6ef08fced0c5fba05e3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c11ddb43e3fc927379e0f6ef08fced0c5fba05e3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
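Review bot: the second clamav NOTE ("there is no CVE for clamav but CVE-2023-40477 affects the embedded version of unrar") is the useful part of this entry but lacks the trailing author tag that the other dated NOTEs in data/dla-needed.txt carry; append "(ta)" to match the surrounding entries, since the first NOTE on the same package already has it.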
[Git][security-tracker-team/security-tracker][master] mark CVE-2021-47155 as postponed for Buster
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: b4942ee5 by Thorsten Alteholz at 2024-03-23T18:51:14+01:00 mark CVE-2021-47155 as postponed for Buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1628,6 +1628,7 @@ CVE-2021-47155 (The Net::IPV4Addr module 0.10 for Perl does not properly conside - libnetwork-ipv4addr-perl [bookworm] - libnetwork-ipv4addr-perl (Minor issue) [bullseye] - libnetwork-ipv4addr-perl (Minor issue) + [buster] - libnetwork-ipv4addr-perl (Minor issue, revisit when fix is available) NOTE: https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/#net-ipv4addrhttpsmetacpanorgreleasenet-ipv4addr CVE-2021-47154 (The Net::CIDR::Lite module before 0.22 for Perl does not properly cons ...) - libnet-cidr-lite-perl 0.22-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b4942ee56d237278e8cf524c72d326e461a02c26 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b4942ee56d237278e8cf524c72d326e461a02c26 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3770-1 for libnet-cidr-lite-perl
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: c7935d36 by Thorsten Alteholz at 2024-03-23T17:20:20+01:00 Reserve DLA-3770-1 for libnet-cidr-lite-perl - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[23 Mar 2024] DLA-3770-1 libnet-cidr-lite-perl - security update + {CVE-2021-47154} + [buster] - libnet-cidr-lite-perl 0.21-2+debu10u1 [23 Mar 2024] DLA-3769-1 thunderbird - security update {CVE-2023-5388 CVE-2024-0743 CVE-2024-1936 CVE-2024-2607 CVE-2024-2608 CVE-2024-2610 CVE-2024-2611 CVE-2024-2612 CVE-2024-2614 CVE-2024-2616} [buster] - thunderbird 1:115.9.0-1~deb10u1 = data/dla-needed.txt = @@ -124,9 +124,6 @@ knot-resolver NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs has been fixed in bullseye. (ola) -- -libnet-cidr-lite-perl (Thorsten Alteholz) - NOTE: 20240323: Added by Front-Desk (ta) --- libpgjava NOTE: 20240308: Added by Front-Desk (opal) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c7935d36aac4b10d3420bae890394cf844c6dc2f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c7935d36aac4b10d3420bae890394cf844c6dc2f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
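Review bot: in the DLA-3770-1 hunk the buster version "0.21-2+debu10u1" looks like a typo for "0.21-2+deb10u1"; every other buster version in data/DLA/list on this page uses the "+deb10uN" suffix (for example expat "2.2.6-2+deb10u7" and libgd2 "2.2.5-5.2+deb10u1"), and the recorded version should match the package actually uploaded to buster.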
[Git][security-tracker-team/security-tracker][master] 2 commits: add libnet-cidr-lite-perl
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 51771390 by Thorsten Alteholz at 2024-03-23T13:16:33+01:00 add libnet-cidr-lite-perl - - - - - dab1d994 by Thorsten Alteholz at 2024-03-23T13:16:35+01:00 mark CVE-2023-7250 as no-dsa for Buster - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -45377,6 +45377,7 @@ CVE-2023-7250 (A flaw was found in iperf, a utility for testing network performa - iperf3 3.15-1 [bookworm] - iperf3 (Minor issue) [bullseye] - iperf3 (Minor issue) + [buster] - iperf3 (Minor issue) NOTE: https://downloads.es.net/pub/iperf/esnet-secadv-2023-0002.txt.asc NOTE: https://github.com/esnet/iperf/commit/5e3704dd850a5df2fb2b3eafd117963d017d07b4 (3.15) CVE-2023-38403 (iperf3 before 3.14 allows peers to cause an integer overflow and heap ...) = data/dla-needed.txt = @@ -124,6 +124,9 @@ knot-resolver NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs has been fixed in bullseye. (ola) -- +libnet-cidr-lite-perl (Thorsten Alteholz) + NOTE: 20240323: Added by Front-Desk (ta) +-- libpgjava NOTE: 20240308: Added by Front-Desk (opal) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/062ad09de1adc5a5ed07a49e266678be5aa6ff09...dab1d9944261ef4dd12ee4e63f0700112c0fb8d7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/062ad09de1adc5a5ed07a49e266678be5aa6ff09...dab1d9944261ef4dd12ee4e63f0700112c0fb8d7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: add gnutls28
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: bfca9784 by Thorsten Alteholz at 2024-03-23T00:52:59+01:00 add gnutls28 - - - - - dd9b7770 by Thorsten Alteholz at 2024-03-23T00:56:08+01:00 add python3.7 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -90,6 +90,9 @@ frr NOTE: 20240206: Continuing fixing the remaining issues (abhijith) NOTE: 20240301: continue work (abhijith) -- +gnutls28 + NOTE: 20240323: Added by Front-Desk (ta) +-- gross (Adrian Bunk) NOTE: 20240320: Added by Front-Desk (ta) -- @@ -222,6 +225,9 @@ python-asyncssh python2.7 NOTE: 20240323: Added by Front-Desk (ta) -- +python3.7 + NOTE: 20240323: Added by Front-Desk (ta) +-- rails NOTE: 20220909: Re-added due to regression (abhijith) NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f31ee091fe491891fc1bf5e06bc67cfc16ddb941...dd9b7770363fc93dea122a8bfb4b0066b2c88a7c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f31ee091fe491891fc1bf5e06bc67cfc16ddb941...dd9b7770363fc93dea122a8bfb4b0066b2c88a7c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: mark CVE-2024-29131 as no-dsa for Buster
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 1c94ce76 by Thorsten Alteholz at 2024-03-23T00:15:36+01:00 mark CVE-2024-29131 as no-dsa for Buster - - - - - e8340133 by Thorsten Alteholz at 2024-03-23T00:27:46+01:00 mark CVE-2024-29133 as no-dsa for Buster - - - - - f31ee091 by Thorsten Alteholz at 2024-03-23T00:45:54+01:00 add python2.7 - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -360,6 +360,7 @@ CVE-2024-29131 (Out-of-bounds Write vulnerability in Apache Commons Configuratio - commons-configuration2 (bug #1067513) [bookworm] - commons-configuration2 (Minor issue) [bullseye] - commons-configuration2 (Minor issue) + [buster] - commons-configuration2 (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2024/03/20/4 NOTE: https://issues.apache.org/jira/browse/CONFIGURATION-840 NOTE: Fixed by: https://github.com/apache/commons-configuration/commit/56b5c4dcdffbde27870df5a3105d6a5f9b22f554 (commons-configuration-2.10.1-RC1) @@ -369,6 +370,7 @@ CVE-2024-29133 (Out-of-bounds Write vulnerability in Apache Commons Configuratio - commons-configuration2 (bug #1067514) [bookworm] - commons-configuration2 (Minor issue) [bullseye] - commons-configuration2 (Minor issue) + [buster] - commons-configuration2 (Minor issue) NOTE: https://issues.apache.org/jira/browse/CONFIGURATION-841 NOTE: https://github.com/apache/commons-configuration/commit/43f4dab021e9acb8db390db2ae80aa0cee4f9ee4 (commons-configuration-2.10.1-RC1) NOTE: https://www.openwall.com/lists/oss-security/2024/03/20/3 = data/dla-needed.txt = 
@@ -219,6 +219,9 @@ python-asyncssh NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and in Git, but one test is failing. Waiting for feedback before release. (dleidert) -- +python2.7 + NOTE: 20240323: Added by Front-Desk (ta) +-- rails NOTE: 20220909: Re-added due to regression (abhijith) NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ece81fa880c88927b8646486f0a3f1fc3113732a...f31ee091fe491891fc1bf5e06bc67cfc16ddb941 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ece81fa880c88927b8646486f0a3f1fc3113732a...f31ee091fe491891fc1bf5e06bc67cfc16ddb941 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] add pillow
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: dde4dc9d by Thorsten Alteholz at 2024-03-21T09:55:30+01:00 add pillow - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -211,6 +211,10 @@ pdns-recursor (dleidert) NOTE: 20240306: Added by Front-Desk (opal) NOTE: 20240319: Upload postponed due to #1067124 (dleidert) -- +pillow (Sean) + NOTE: 20240321: Added by Front-Desk (ta) + NOTE: 20240321: follow-up fix to CVE-2022-22817 discussed in ELA-1059-1 +-- putty NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dde4dc9d02e796c5ac09fcd7af00b3e2e65cf05b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dde4dc9d02e796c5ac09fcd7af00b3e2e65cf05b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: add firefox-esr
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: c2f1556b by Thorsten Alteholz at 2024-03-20T23:21:47+01:00 add firefox-esr - - - - - 8f1996c9 by Thorsten Alteholz at 2024-03-20T23:26:46+01:00 add gross - - - - - b5211001 by Thorsten Alteholz at 2024-03-20T23:29:16+01:00 add freeimage - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -75,6 +75,13 @@ edk2 expat (tobi) NOTE: 20240306: Added by Front-Desk (opal) -- +firefox-esr + NOTE: 20240320: Added by Front-Desk (ta) +-- +freeimage + NOTE: 20240320: Added by Front-Desk (ta) + NOTE: 20240320: lots of postponed issue could be fixed as well +-- freeipa (Chris Lamb) NOTE: 20240307: Added by Front-Desk (opal) -- @@ -83,6 +90,9 @@ frr NOTE: 20240206: Continuing fixing the remaining issues (abhijith) NOTE: 20240301: continue work (abhijith) -- +gross + NOTE: 20240320: Added by Front-Desk (ta) +-- gtkwave (Adrian Bunk) NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240116: For CVE-2023-32650 etc. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/18da47a24aa96784fc540377d827928981a80121...b521100130154d77583ed4c80c8aadfb1aa095af -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/18da47a24aa96784fc540377d827928981a80121...b521100130154d77583ed4c80c8aadfb1aa095af You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
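Review bot: the second freeimage NOTE reads "lots of postponed issue could be fixed as well"; "issue" should be plural, and the line lacks the author tag carried by the other dated NOTEs in this file, so "lots of postponed issues could be fixed as well (ta)" would match the surrounding entries. Naming the postponed CVEs that are meant would also help whoever claims the package.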
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3741-1 for engrampa
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 584dd09f by Thorsten Alteholz at 2024-02-26T18:55:03+01:00 Reserve DLA-3741-1 for engrampa - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[26 Feb 2024] DLA-3741-1 engrampa - security update + {CVE-2023-52138} + [buster] - engrampa 1.20.2-1+deb10u1 [26 Feb 2024] DLA-3740-1 gnutls28 - security update {CVE-2024-0553} [buster] - gnutls28 3.6.7-4+deb10u12 = data/dla-needed.txt = @@ -90,9 +90,6 @@ edk2 NOTE: 20231230: Added by Front-Desk (lamby) NOTE: 20231230: CVE-2019-11098 fixed in bullseye via DSA or point release (lamby) -- -engrampa (Thorsten Alteholz) - NOTE: 20240213: Added by Front-Desk (lamby) --- exiftags NOTE: 20240121: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/584dd09ff36c94cddffe32a76335f4049660a427 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/584dd09ff36c94cddffe32a76335f4049660a427 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
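Review bot: only data/DLA/list and data/dla-needed.txt change here; check data/CVE/list for a leftover "[buster] - engrampa (...)" no-dsa or postponed line on CVE-2023-52138, which would now be stale next to a DLA/list entry that claims the fix in 1.20.2-1+deb10u1. The DLA-3739-1 libjwt reservation in this same series removed exactly such a line in the same commit; that is the pattern to follow.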
[Git][security-tracker-team/security-tracker][master] take engrampa
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: a94a00f8 by Thorsten Alteholz at 2024-02-24T19:40:25+01:00 take engrampa - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -90,7 +90,7 @@ edk2 NOTE: 20231230: Added by Front-Desk (lamby) NOTE: 20231230: CVE-2019-11098 fixed in bullseye via DSA or point release (lamby) -- -engrampa +engrampa (Thorsten Alteholz) NOTE: 20240213: Added by Front-Desk (lamby) -- exiftags View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a94a00f81d80fe6e88f7edcc5a44c2487da75fab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a94a00f81d80fe6e88f7edcc5a44c2487da75fab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3739-1 for libjwt
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: ade0e63a by Thorsten Alteholz at 2024-02-24T11:54:54+01:00 Reserve DLA-3739-1 for libjwt - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -3347,7 +3347,6 @@ CVE-2024-25189 (libjwt 1.15.3 uses strcmp (which is not constant time) to verify - libjwt 1.17.0-2 (bug #1063534) [bookworm] - libjwt (Minor issue) [bullseye] - libjwt (Minor issue) - [buster] - libjwt (Minor issue) NOTE: https://github.com/P3ngu1nW/CVE_Request/blob/main/benmcollins%3Alibjwt.md NOTE: https://github.com/benmcollins/libjwt/commit/f73bac57c5bece16ac24f1a70022aa34355fc1bf (v1.17.0) NOTE: https://github.com/benmcollins/libjwt/commit/a5d61ef4f1b383876e0a78534383f38159471fd6 (v1.17.0) = data/DLA/list = @@ -1,3 +1,6 @@ +[24 Feb 2024] DLA-3739-1 libjwt - security update + {CVE-2024-25189} + [buster] - libjwt 1.10.1-1+deb10u1 [22 Feb 2024] DLA-3738-1 iwd - security update {CVE-2023-52161} [buster] - iwd 0.14-2+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ade0e63af545190fd113e5ef0e40010902805764 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ade0e63af545190fd113e5ef0e40010902805764 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
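Review bot: removing the stale "[buster] - libjwt (Minor issue)" line together with the reservation is right, but the two referenced fix commits are tagged (v1.17.0) while buster ships 1.10.1; the DLA text should say which of a5d61ef4 and f73bac57 was backported to 1.10.1 and that the non-constant-time comparison described in the CVE text is the part that was replaced. The hunk also leaves an inconsistency worth a NOTE: bullseye and bookworm keep "(Minor issue)" for the same weakness that buster now gets a DLA for, so either the per-suite assessment differs for a stated reason or the newer suites deserve a point-release fix.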
[Git][security-tracker-team/security-tracker][master] add NOTEs for commits to fix CVE-2024-25189
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 8bc01791 by Thorsten Alteholz at 2024-02-09T16:40:38+01:00 add NOTEs for commits to fix CVE-2024-25189 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -117,6 +117,8 @@ CVE-2024-25190 (l8w8jwt 2.2.1 uses memcmp (which is not constant time) to verify CVE-2024-25189 (libjwt 1.15.3 uses strcmp (which is not constant time) to verify authe ...) - libjwt NOTE: https://github.com/P3ngu1nW/CVE_Request/blob/main/benmcollins%3Alibjwt.md + NOTE: https://github.com/benmcollins/libjwt/commit/f73bac57c5bece16ac24f1a70022aa34355fc1bf + NOTE: https://github.com/benmcollins/libjwt/commit/a5d61ef4f1b383876e0a78534383f38159471fd6 CVE-2024-24886 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) NOT-FOR-US: WordPress plugin CVE-2024-24885 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8bc01791a6894ae7920a249112646587eb7c701e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8bc01791a6894ae7920a249112646587eb7c701e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
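Review bot: the two new NOTE lines give the fixing commits without the "(vX.Y.Z)" suffix that records the first upstream release containing the fix; the same two lines only gain "(v1.17.0)" in the later DLA-3739-1 commit, so adding the tag when the commits are identified saves a second pass. The package line is still the bare "- libjwt" with no fixed version and no bug number, and the DLA-3739-1 commit shows "bug #1063534" was filed later; referencing the bug here would have tied the unstable fix to the entry from the start.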
[Git][security-tracker-team/security-tracker][master] 4 commits: add runc
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 807d258b by Thorsten Alteholz at 2024-02-04T13:48:27+01:00 add runc - - - - - c8c4cf0d by Thorsten Alteholz at 2024-02-04T13:48:27+01:00 mark CVE-2024-23170 and CVE-2024-23775 as no-dsa for Buster - - - - - dbebde73 by Thorsten Alteholz at 2024-02-04T13:48:27+01:00 mark CVE-2023-5992 as no-dsa for Buster - - - - - 4451aac6 by Thorsten Alteholz at 2024-02-04T13:48:27+01:00 mark CVE-2024-23831 as no-dsa for Buster - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -74,6 +74,7 @@ CVE-2024-23895 (A vulnerability has been reported in Cups Easy (Purchase & Inven NOT-FOR-US: Cups Easy (Purchase & Inventory) CVE-2024-23831 (LedgerSMB is a free web-based double-entry accounting system. When a L ...) - ledgersmb (bug #1062845) + [buster] - ledgersmb (Minor issue) NOTE: https://github.com/ledgersmb/LedgerSMB/security/advisories/GHSA-98ff-f638-qxjm NOTE: https://github.com/ledgersmb/LedgerSMB/commit/8c2ae5be68a782d62cb9c0e17c0127bf30ef4165 CVE-2024-23824 (mailcow is a dockerized email package, with multiple containers linked ...) @@ -741,6 +742,7 @@ CVE-2023-5992 (A vulnerability was found in OpenSC where PKCS#1 encryption paddi - opensc [bookworm] - opensc (Minor issue) [bullseye] - opensc (Minor issue) + [buster] - opensc (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2248685 NOTE: https://github.com/OpenSC/OpenSC/wiki/CVE-2023-5992 NOTE: https://github.com/OpenSC/OpenSC/pull/2948 
@@ -1188,11 +1190,13 @@ CVE-2024-23775 (Integer Overflow vulnerability in Mbed TLS 2.x before 2.28.7 and - mbedtls 2.28.7-1 [bookworm] - mbedtls (Minor issue) [bullseye] - mbedtls (Minor issue) + [buster] - mbedtls (Minor issue) NOTE: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-2/ CVE-2024-23170 (An issue was discovered in Mbed TLS 2.x before 2.28.7 and 3.x before 3 ...) - mbedtls 2.28.7-1 [bookworm] - mbedtls (Minor issue) [bullseye] - mbedtls (Minor issue) + [buster] - mbedtls (Minor issue) NOTE: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-1/ CVE-2024-23506 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) NOT-FOR-US: WordPress plugin = data/dla-needed.txt = @@ -215,6 +215,9 @@ ring NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca) -- +runc + NOTE: 20240204: Added by Front-Desk (ta) +-- samba NOTE: 20230918: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e643f07164a4f2ddd60d3f729c078424acbb2e68...4451aac6477d437cf2190097a5701e789f6367b8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e643f07164a4f2ddd60d3f729c078424acbb2e68...4451aac6477d437cf2190097a5701e789f6367b8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
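Review bot: in the CVE-2024-23831 hunk, buster gets "(Minor issue)" while the entry has no bullseye or bookworm line and the unstable line "- ledgersmb (bug #1062845)" has no fixed version; either the newer suites are affected and need the same decision, or they are not and should say so, and the GHSA link alone does not tell the next triager which. A second point applies to every status line on this page as rendered: each reads "[buster] - pkg (reason)" with nothing between the package name and the parenthesised reason, whereas the commit messages speak of no-dsa, postponed, ignored, not-affected and EOL; confirm that the corresponding keyword (for this commit "<no-dsa>") is present in the repository and was only dropped by the mail rendering, since a reason without a status keyword is not a decision the tracker can act on.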
[Git][security-tracker-team/security-tracker][master] mark salt CVEs as EOL in Buster
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 7f96d344 by Thorsten Alteholz at 2024-01-31T18:11:02+01:00 mark salt CVEs as EOL in Buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16585,6 +16585,7 @@ CVE-2015-20110 (JHipster generator-jhipster before 2.23.0 allows a timing attack NOT-FOR-US: JHipster generator-jhipster CVE-2023-34049 [allows an attacker to force Salt-SSH to run their script] - salt (bug #1055179) + [buster] - salt (EOL in buster LTS) NOTE: https://saltproject.io/security-announcements/2023-10-27-advisory/index.html CVE-2023-5844 (Unverified Password Change in GitHub repository pimcore/admin-ui-class ...) NOT-FOR-US: Pimcore admin-ui-classic-bundle @@ -38886,6 +38887,7 @@ CVE-2023-28370 (Open redirect vulnerability in Tornado versions 6.3.1 and earlie [bullseye] - python-tornado (Minor issue) [buster] - python-tornado (Minor issue) - salt (bug #1059297) + [buster] - salt (EOL in buster LTS) NOTE: https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f (v6.3.2) CVE-2023-27529 (Wacom Tablet Driver installer prior to 6.4.2-1 (for macOS) contains an ...) NOT-FOR-US: Wacom Tablet Driver installer @@ -82399,9 +82401,11 @@ CVE-2023-20899 (VMware SD-WAN (Edge) contains a bypass authentication vulnerabil NOT-FOR-US: VMware CVE-2023-20898 (Git Providers can read from the wrong environment because they get the ...) - salt (bug #1051504) + [buster] - salt (EOL in buster LTS) NOTE: https://saltproject.io/security-announcements/2023-08-10-advisory/ CVE-2023-20897 (Salt masters prior to 3005.2 or 3006.2 contain a DOS in minion return. ...) - salt (bug #1051504) + [buster] - salt (EOL in buster LTS) NOTE: https://saltproject.io/security-announcements/2023-08-10-advisory/ NOTE: https://github.com/saltstack/salt/issues/64061 CVE-2023-20896 (The VMware vCenter Server contains an out-of-bounds read vulnerability ...) 
@@ -147000,6 +147004,7 @@ CVE-2022-22968 (In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and NOTE: Only supported for building applications shipped in Debian, see README.Debian.security CVE-2022-22967 (An issue was discovered in SaltStack Salt in versions before 3002.9, 3 ...) - salt (bug #1013872) + [buster] - salt (EOL in buster LTS) NOTE: https://saltproject.io/security_announcements/salt-security-advisory-release-june-21st-2022/ NOTE: Fixed by: https://github.com/saltstack/salt/commit/e068a34ccb2e17ae7224f8016a24b727f726d4c8 (v3004.2) CVE-2022-22966 (An authenticated, high privileged malicious actor with network access ...) @@ -147066,6 +147071,7 @@ CVE-2022-22942 (The vmwgfx driver contains a local privilege escalation vulnerab NOTE: https://github.com/opensrcsec/same_type_object_reuse_exploits/blob/main/cve-2022-22942.c CVE-2022-22941 (An issue was discovered in SaltStack Salt in versions before 3002.8, 3 ...) - salt 3004.1+dfsg-1 (bug #1008945) + [buster] - salt (EOL in buster LTS) NOTE: https://saltproject.io/security_announcements/salt-security-advisory-release/ CVE-2022-22940 RESERVED 
@@ -147077,12 +147083,15 @@ CVE-2022-22937 RESERVED CVE-2022-22936 (An issue was discovered in SaltStack Salt in versions before 3002.8, 3 ...) - salt 3004.1+dfsg-1 (bug #1008945) + [buster] - salt (EOL in buster LTS) NOTE: https://saltproject.io/security_announcements/salt-security-advisory-release/ CVE-2022-22935 (An issue was discovered in SaltStack Salt in versions before 3002.8, 3 ...) - salt 3004.1+dfsg-1 (bug #1008945) + [buster] - salt (EOL in buster LTS) NOTE: https://saltproject.io/security_announcements/salt-security-advisory-release/ CVE-2022-22934 (An issue was discovered in SaltStack Salt in versions before 3002.8, 3 ...) - salt 3004.1+dfsg-1 (bug #1008945) + [buster] - salt (EOL in buster LTS) NOTE: https://saltproject.io/security_announcements/salt-security-advisory-release/ CVE-2022-22933 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f96d34453fa4332920f6e98dad250086ad9eb6b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f96d34453fa4332920f6e98dad250086ad9eb6b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
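Review bot: these hunks declare salt end-of-life for buster across nine CVEs, but the "salt" entry in data/dla-needed.txt (still present in the 20231224 context "@@ -211,6 +217,9 @@ salt samba" on this page) is not removed in the same commit; it should go, and the end-of-support decision should also be recorded where buster users will see it (the debian-security-support package carries that list) rather than only as a tracker tag. The RESERVED ids in the same range (CVE-2022-22933, CVE-2022-22937, CVE-2022-22940) cannot be tagged now but will need the same line if they are ever populated with salt issues.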
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3726-1 for bind9
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 8a262f05 by Thorsten Alteholz at 2024-01-30T19:48:41+01:00 Reserve DLA-3726-1 for bind9 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Jan 2024] DLA-3726-1 bind9 - security update + {CVE-2023-3341} + [buster] - bind9 1:9.11.5.P4+dfsg-5.1+deb10u10 [30 Jan 2024] DLA-3725-1 postfix - security update {CVE-2023-51764} [buster] - postfix 3.4.23-0+deb10u2 = data/dla-needed.txt = @@ -34,10 +34,6 @@ atril NOTE: 20240121: Added by Front-Desk (apo) NOTE: 20240121: Decide whether it makes sense to disable comic feature or use libarchive instead. -- -bind9 (Thorsten Alteholz) - NOTE: 20230921: Added by Front-Desk (apo) - NOTE: 20240128: was distracted and need another few days for upload --- cacti (Sylvain Beucler) NOTE: 20230906: Added by Front-Desk (lamby) NOTE: 20231205: Triaging CVEs backlog (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a262f05670c04ed97c404dfef13c04df1bc669a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a262f05670c04ed97c404dfef13c04df1bc669a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
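Review bot: DLA-3726-1 lists a single CVE (CVE-2023-3341), yet the bind9 history in dla-needed.txt on this page runs from 20230921 through "backporting patches" (20231008) and "almost done with testing" (20231217) before the claim was dropped and retaken; if other bind9 issues were considered and left out, each needs an explicit "[buster] - bind9 (...)" postponed or ignored line in data/CVE/list rather than disappearing silently with the dla-needed entry.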
[Git][security-tracker-team/security-tracker][master] mark CVE-2022-48622 as postponed for Buster
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c5bd71b by Thorsten Alteholz at 2024-01-30T15:54:50+01:00 mark CVE-2022-48622 as postponed for Buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -504,6 +504,7 @@ CVE-2024-0918 (A vulnerability was found in TRENDnet TEW-800MB 1.0.1.0 and class NOT-FOR-US: TRENDnet CVE-2022-48622 (In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10, the ANI (Windows ...) - gdk-pixbuf + [buster] - gdk-pixbuf (Minor issue, recheck when fixed upstream) NOTE: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/202 CVE-2024-24399 (An arbitrary file upload vulnerability in LeptonCMS v7.0.0 allows auth ...) NOT-FOR-US: LeptonCMS View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c5bd71b6ff0e82d43b2a3058911806d7f2e186c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c5bd71b6ff0e82d43b2a3058911806d7f2e186c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
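Review bot: the reason "Minor issue, recheck when fixed upstream" fits a postponed tag, since the only reference is an open upstream issue (gdk-pixbuf #202) and no fixing commit is known, but the entry has no bullseye or bookworm line at all, so those suites appear as plainly affected with no decision recorded; add the matching decision for them, and add the upstream fix as a NOTE once it lands so the "recheck" has something to check against.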
[Git][security-tracker-team/security-tracker][master] 2 commits: mark CVE-2023-52389 as no-dsa for Buster
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 344bb7d1 by Thorsten Alteholz at 2024-01-29T19:36:41+01:00 mark CVE-2023-52389 as no-dsa for Buster - - - - - 8f2eabfa by Thorsten Alteholz at 2024-01-29T19:43:43+01:00 mark temporary CVE for rust-shlex as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -123,6 +123,7 @@ CVE-2023-52389 (UTF32Encoding.cpp in POCO has a Poco::UTF32Encoding integer over - poco [bookworm] - poco (Minor issue) [bullseye] - poco (Minor issue) + [buster] - poco (Minor issue) NOTE: https://pocoproject.org/blog/?p=1226 NOTE: https://github.com/pocoproject/poco/issues/4320 NOTE: https://github.com/pocoproject/poco/commit/62f875dfe1298041289f926a6a1a39cb765b13ee @@ -718,6 +719,7 @@ CVE-2024- [RUSTSEC-2024-0006] - rust-shlex 1.3.0-1 [bookworm] - rust-shlex (Minor issue) [bullseye] - rust-shlex (Minor issue) + [buster] - rust-shlex (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2024-0006.html NOTE: https://github.com/comex/rust-shlex/security/advisories/GHSA-r7qv-8r2h-pg27 CVE-2024-23638 (Squid is a caching proxy for the Web. Due to an expired pointer refere ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8f6906825796de45354b8bc51e80e00d215b7ede...8f2eabfaec57a211c052dd32ec1d9880aa8abb9b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8f6906825796de45354b8bc51e80e00d215b7ede...8f2eabfaec57a211c052dd32ec1d9880aa8abb9b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
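Review bot: the rust-shlex hunk tags a placeholder id ("CVE-2024- [RUSTSEC-2024-0006]"); when the real CVE number is assigned the whole entry, including this new buster line, has to be renamed, so that later commit should be checked for the "[buster]" line surviving the move. By contrast the POCO entry still has a bare "- poco" with no fixed version or bug number while all three stable suites are waved through as Minor issue; a bug for unstable should be filed or referenced there.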
[Git][security-tracker-team/security-tracker][master] add postfix
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 603b51c7 by Thorsten Alteholz at 2024-01-29T19:26:22+01:00 add postfix - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -181,6 +181,9 @@ openjdk-11 (Emilio) pillow (Chris Lamb) NOTE: 20240121: Added by Front-Desk (apo) -- +postfix + NOTE: 20240129: Added by Front-Desk (ta) +-- putty (santiago) NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/603b51c77896e1fa1943368f8a854135ec2ce5e7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/603b51c77896e1fa1943368f8a854135ec2ce5e7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
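Review bot: postfix is being added to dla-needed.txt a second time (the earlier entry, "NOTE: 20231224: Added by Front-Desk (ta)", is in the 20231224 putty commit on this page) and DLA-3725-1 for postfix / CVE-2023-51764 is dated the next day, 30 Jan 2024, in the bind9 reservation context; the new entry should say which issue it is for, so it is clear whether this is the CVE-2023-51764 work or a follow-up.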
[Git][security-tracker-team/security-tracker][master] update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 9070cc46 by Thorsten Alteholz at 2024-01-28T23:33:55+01:00 update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -36,6 +36,7 @@ atril -- bind9 (Thorsten Alteholz) NOTE: 20230921: Added by Front-Desk (apo) + NOTE: 20240128: was distracted and need another few days for upload -- cacti (Sylvain Beucler) NOTE: 20230906: Added by Front-Desk (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9070cc460087ff176db3aa2f35cdf4830435bd65 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9070cc460087ff176db3aa2f35cdf4830435bd65 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] reclaim bind9; second try
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 9941f06f by Thorsten Alteholz at 2024-01-08T23:45:31+01:00 relcaim bind9; second try - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -30,7 +30,7 @@ ansible NOTE: 20231217: Triaging done a few mail send upstream for claryfication purposes (rouca) NOTE: 20231228: Made a partial release DLA-3695-1 (rouca), waiting for lee -- -bind9 +bind9 (Thorsten Alteholz) NOTE: 20230921: Added by Front-Desk (apo) -- cacti (Sylvain Beucler) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9941f06f701a488c08899afe3164e382e02f9769 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9941f06f701a488c08899afe3164e382e02f9769 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] giving up
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: f317fb8f by Thorsten Alteholz at 2024-01-07T23:58:32+01:00 giving up - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -32,8 +32,6 @@ ansible -- bind9 NOTE: 20230921: Added by Front-Desk (apo) - NOTE: 20231008: backporting patches - NOTE: 20231217: almost done with testing -- cacti (Sylvain Beucler) NOTE: 20230906: Added by Front-Desk (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f317fb8f8ed40c8bd85e1be2d69c8fe75ba91d31 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f317fb8f8ed40c8bd85e1be2d69c8fe75ba91d31 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
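Review bot: the two progress notes ("backporting patches", "almost done with testing") are deleted together with the claim, so whoever takes bind9 next does not learn that patches were already backported and tested; keep the dated notes and add one recording that the claim was released, as the ansible and squid entries on this page keep their full NOTE history. The commit message "giving up" also does not say why, which is the one thing a successor would want to know.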
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3700-1 for cjson
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 631403dd by Thorsten Alteholz at 2023-12-30T19:33:42+01:00 Reserve DLA-3700-1 for cjson - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Dec 2023] DLA-3700-1 cjson - security update + {CVE-2023-50471} + [buster] - cjson 1.7.10-1.1+deb10u2 [30 Dec 2023] DLA-3699-1 libde265 - security update {CVE-2023-49465 CVE-2023-49467 CVE-2023-49468} [buster] - libde265 1.0.11-0+deb10u6 = data/dla-needed.txt = @@ -48,9 +48,6 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -cjson (Thorsten Alteholz) - NOTE: 20231225: Added by Front-Desk (ta) --- curl NOTE: 20231229: Added by Front-Desk (lamby) NOTE: 20231229: CVE-2023-27534 fixed in bullseye via DSA or point release. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/631403dd9ad314ad4743a04be3b951991bcc9e08 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/631403dd9ad314ad4743a04be3b951991bcc9e08 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
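Review bot: only CVE-2023-50471 is listed; the sibling report against the same cJSON version, CVE-2023-50472, was marked not-affected for buster five days earlier ("Vulnerable code introduced later"), so the omission is deliberate and the DLA text should say so to pre-empt the obvious "why not 50472" question from readers who see both ids in the same upstream batch.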
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3699-1 for libde265
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 0af6b042 by Thorsten Alteholz at 2023-12-30T19:27:58+01:00 Reserve DLA-3699-1 for libde265 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Dec 2023] DLA-3699-1 libde265 - security update + {CVE-2023-49465 CVE-2023-49467 CVE-2023-49468} + [buster] - libde265 1.0.11-0+deb10u6 [29 Dec 2023] DLA-3698-1 thunderbird - security update {CVE-2023-6856 CVE-2023-6857 CVE-2023-6858 CVE-2023-6859 CVE-2023-6860 CVE-2023-6861 CVE-2023-6862 CVE-2023-6864 CVE-2023-6873 CVE-2023-50761 CVE-2023-50762} [buster] - thunderbird 1:115.6.0-1~deb10u1 = data/dla-needed.txt = @@ -112,9 +112,6 @@ kodi NOTE: 20231228: Added by Front-Desk (lamby) NOTE: 20231228: CVE-2021-42917 was postponed in 2021; fixed in bullseye via DSA or point release. (lamby) -- -libde265 (Thorsten Alteholz) - NOTE: 20231224: Added by Front-Desk (ta) --- libreoffice (rouca) NOTE: 20231217: Added by Front-Desk (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0af6b042c236241ce4dd4bb2afb9d7718435aa0d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0af6b042c236241ce4dd4bb2afb9d7718435aa0d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] mark CVE-2023-50472 as not-affected for Buster
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: c295bb8b by Thorsten Alteholz at 2023-12-30T16:56:49+01:00 mark CVE-2023-50472 as not-affected for Buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2842,6 +2842,7 @@ CVE-2023-50563 (Semcms v4.8 was discovered to contain a SQL injection vulnerabil NOT-FOR-US: Semcms CVE-2023-50472 (cJSON v1.7.16 was discovered to contain a segmentation violation via t ...) - cjson 1.7.17-1 (unimportant; bug #1059287) + [buster] - cjson (Vulnerable code introduced later) NOTE: https://github.com/DaveGamble/cJSON/issues/803 NOTE: Fixed by: https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8 NOTE: Seems bogus, this isn't a DoS but only a broken use of an API View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c295bb8b96a40d74418953a073635baf22c856e2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c295bb8b96a40d74418953a073635baf22c856e2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
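Review bot: "(Vulnerable code introduced later)" is a checkable claim, but the NOTE lines only give the reporting issue (#803) and the fixing commit (60ff122e); add a NOTE naming the commit or release that introduced the affected code path so the not-affected call for 1.7.10 can be re-verified. Given the entry's own assessment ("Seems bogus, this isn't a DoS but only a broken use of an API") and the "unimportant" severity on the unstable line, marking every suite unimportant may be the more honest record than a buster-only not-affected.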
[Git][security-tracker-team/security-tracker][master] add cjson
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 3a1db8af by Thorsten Alteholz at 2023-12-25T00:41:12+01:00 add cjson - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -50,6 +50,9 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- +cjson (Thorsten Alteholz) + NOTE: 20231225: Added by Front-Desk (ta) +-- docker.io NOTE: 20230303: Added by Front-Desk (Beuc) NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a1db8afb754256000753d0af6076ac5d077050b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a1db8afb754256000753d0af6076ac5d077050b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: add paramiko
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 56163617 by Thorsten Alteholz at 2023-12-25T00:26:23+01:00 add paramiko - - - - - bfe75ee5 by Thorsten Alteholz at 2023-12-25T00:37:16+01:00 add xerces-c - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -161,6 +161,9 @@ nvidia-cuda-toolkit openssh (santiago) NOTE: 20231219: Added by Front-Desk (ta) -- +paramiko + NOTE: 20231225: Added by Front-Desk (ta) +-- postfix NOTE: 20231224: Added by Front-Desk (ta) -- @@ -269,6 +272,9 @@ wireshark (Adrian Bunk) NOTE: 20231204: DLA pending (bunk) NOTE: 20231218: Debugging a problem with the update. (bunk) -- +xerces-c + NOTE: 20231225: Added by Front-Desk (ta) +-- zabbix NOTE: 20231015: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2b4f9d1076a9bd345a5fde287e383c81f8e61b2b...bfe75ee5701189cc7705b2bb7eb6aa755413654c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2b4f9d1076a9bd345a5fde287e383c81f8e61b2b...bfe75ee5701189cc7705b2bb7eb6aa755413654c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] add libde265
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 286379cb by Thorsten Alteholz at 2023-12-24T15:00:47+01:00 add libde265 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -98,6 +98,9 @@ keystone knot-resolver NOTE: 20231029: Added by Front-Desk (gladk) -- +libde265 (Thorsten Alteholz) + NOTE: 20231224: Added by Front-Desk (ta) +-- libreoffice NOTE: 20231217: Added by Front-Desk (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/286379cbcb9345542d590eeb358700d62a36d64f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/286379cbcb9345542d590eeb358700d62a36d64f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] add tinyxml
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 9fc56e66 by Thorsten Alteholz at 2023-12-24T14:58:50+01:00 add tinyxml - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -248,6 +248,9 @@ tinymce NOTE: 20231216: upstream's patch is backportable, as the code has changed a NOTE: 20231216: lot. (spwhitton) -- +tinyxml + NOTE: 20231224: Added by Front-Desk (ta) +-- tomcat9 (rouca) NOTE: 20231129: Added by Front-Desk (Beuc) NOTE: 20131217: I have made a fix, tests are ok but due to high popcon prefer a review by apo (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9fc56e66efb0506156b8302e5e7dc18fb755d052 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9fc56e66efb0506156b8302e5e7dc18fb755d052 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
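Review bot: the tinyxml entry is fine, but the adjacent tinymce context note reads "upstream's patch is backportable, as the code has changed a lot", which contradicts itself and almost certainly means "is not backportable"; a later claimant will read that line before deciding whether to attempt tinymce, so it is worth a one-word fix in a follow-up commit.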
[Git][security-tracker-team/security-tracker][master] 2 commits: add putty
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 20f7b49c by Thorsten Alteholz at 2023-12-24T14:29:45+01:00 add putty - - - - - 69bdfbc8 by Thorsten Alteholz at 2023-12-24T14:29:45+01:00 add postfix - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -158,6 +158,12 @@ nvidia-cuda-toolkit openssh (santiago) NOTE: 20231219: Added by Front-Desk (ta) -- +postfix + NOTE: 20231224: Added by Front-Desk (ta) +-- +putty + NOTE: 20231224: Added by Front-Desk (ta) +-- python-django (Chris Lamb) NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists (Beuc/front-desk) @@ -211,6 +217,9 @@ salt samba NOTE: 20230918: Added by Front-Desk (apo) -- +sendmail + NOTE: 20231224: Added by Front-Desk (ta) +-- squid (Markus Koschany) NOTE: 20231102: Added by Front-Desk (lamby) NOTE: 20231218: Investigating new CVE. (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/38f3a802bfe99cf2b0cf57603608011c7fa289a6...69bdfbc816ff229e0263b2dd738ad9510bcd3449 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/38f3a802bfe99cf2b0cf57603608011c7fa289a6...69bdfbc816ff229e0263b2dd738ad9510bcd3449 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
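Review bot: the second hunk (@@ -211) adds "+sendmail" to dla-needed.txt, but neither commit message ("add putty", "add postfix") mentions it; either give sendmail its own commit or name it in the message, otherwise the entry is invisible to anyone scanning the log. The putty and postfix entries match the surrounding format.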
[Git][security-tracker-team/security-tracker][master] 2 commits: add sudo
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ed6a4fb by Thorsten Alteholz at 2023-12-24T01:10:08+01:00 add sudo - - - - - 7ed32026 by Thorsten Alteholz at 2023-12-24T01:11:17+01:00 add exim4 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -67,6 +67,9 @@ dogecoin dropbear (guilhem) NOTE: 20231219: Added by Front-Desk (ta) -- +exim4 + NOTE: 20231224: Added by Front-Desk (ta) +-- firefox-esr (Emilio) NOTE: 20231221: Added by pochu -- @@ -213,6 +216,9 @@ squid (Markus Koschany) NOTE: 20231218: Investigating new CVE. (apo) NOTE: 20231223: The update requires a few more tests. Intend to release after the holidays. -- +sudo + NOTE: 20231224: Added by Front-Desk (ta) +-- suricata (Adrian Bunk) NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e6a8ae29b8ddd7e6187c4f307ce8c56f376d6b4c...7ed320261645c9937035c31a8a37f2adb9f7989e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e6a8ae29b8ddd7e6187c4f307ce8c56f376d6b4c...7ed320261645c9937035c31a8a37f2adb9f7989e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 5 commits: mark CVE-2023-48795 as no-dsa for proftpd-dfsg in Buster
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 9883cbe5 by Thorsten Alteholz at 2023-12-24T01:04:13+01:00 mark CVE-2023-48795 as no-dsa for proftpd-dfsg in Buster - - - - - dc1a125e by Thorsten Alteholz at 2023-12-24T01:04:15+01:00 mark CVE-2023-48795 as no-dsa for erlang in Buster - - - - - fe68ad6c by Thorsten Alteholz at 2023-12-24T01:04:16+01:00 mark CVE-2023-51704 as postponed - - - - - f90c2ea0 by Thorsten Alteholz at 2023-12-24T01:04:18+01:00 mark temporary entry as no-dsa for spip in Buster - - - - - e6a8ae29 by Thorsten Alteholz at 2023-12-24T01:04:20+01:00 mark CVE-2023-4255 as no-dsa for Buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -179,6 +179,7 @@ CVE-2023- [XSS issue fixed in 4.1.13 upstream] - spip 4.1.13+dfsg-1 (bug #1059331) [bookworm] - spip (Minor issue) [bullseye] - spip (Minor issue) + [buster] - spip (Minor issue) CVE-2023-7059 (A vulnerability was found in SourceCodester School Visitor Log e-Book ...) NOT-FOR-US: SourceCodester School Visitor Log e-Book CVE-2023-7058 (A vulnerability was found in SourceCodester Simple Student Attendance ...) @@ -224,6 +225,7 @@ CVE-2023-51704 (An issue was discovered in MediaWiki before 1.35.14, 1.36.x thro - mediawiki [bookworm] - mediawiki (Minor issue, fix along in next update) [bullseye] - mediawiki (Minor issue, fix along in next update) + [buster] - mediawiki (Minor issue, fix along in next update) NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitec...@lists.wikimedia.org/thread/TDBUBCCOQJUT4SCHJNPHKQNPBUUETY52/ NOTE: https://phabricator.wikimedia.org/T347726 CVE-2023-51380 (An incorrect authorization vulnerability was identified in GitHub Ente ...) 
@@ -415,6 +417,7 @@ CVE-2023-4256 (Within tcpreplay's tcprewrite, a double free vulnerability has be NOTE: Crash in CLI tool, no security impact CVE-2023-4255 (An out-of-bounds write issue has been discovered in the backspace hand ...) - w3m (bug #1059265) + [buster] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/commit/edc602651c506aeeb60544b55534dd1722a340d3 NOTE: https://github.com/tats/w3m/issues/268 NOTE: https://github.com/tats/w3m/pull/273 @@ -1228,6 +1231,7 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun - erlang 1:25.3.2.8+dfsg-1 (bug #1059002) [bookworm] - erlang (Minor issue) [bullseye] - erlang (Minor issue) + [buster] - erlang (Minor issue) - filezilla 3.66.4-1 - golang-go.crypto (bug #1059003) - jsch (ChaCha20-Poly1305 support introduced in 0.1.61; *-EtM support introduced in 0.1.58) @@ -1241,6 +1245,7 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun - proftpd-dfsg 1.3.8.b+dfsg-1 (bug #1059144) [bookworm] - proftpd-dfsg (Minor issue) [bullseye] - proftpd-dfsg (Minor issue) + [buster] - proftpd-dfsg (Minor issue) - proftpd-mod-proxy 0.9.3-1 (bug #1059290) [bookworm] - proftpd-mod-proxy (Minor issue) [bullseye] - proftpd-mod-proxy (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e4968a1025a798e289cbd35cb50cd7267fe92f09...e6a8ae29b8ddd7e6187c4f307ce8c56f376d6b4c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e4968a1025a798e289cbd35cb50cd7267fe92f09...e6a8ae29b8ddd7e6187c4f307ce8c56f376d6b4c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
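Review bot: in the CVE-2023-48795 hunk at @@ -1241, proftpd-dfsg gets a "[buster]" annotation but proftpd-mod-proxy, listed directly below it under the same CVE with the same bookworm/bullseye "(Minor issue)" markers, gets none; if proftpd-mod-proxy is in buster it needs the same triage decision, and if it is not, a short note saying so would stop the next reader asking.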
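Review bot: in the CVE-2023-4255 hunk at @@ -415, w3m has no bookworm or bullseye annotation at all (only "- w3m (bug #1059265)"), yet buster is marked "(Minor issue)" for an out-of-bounds write; a one-line NOTE stating why it is minor would make the divergence between buster and the stable suites look intentional rather than accidental, and gives whoever revisits the entry something to check against.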
[Git][security-tracker-team/security-tracker][master] mark CVE-2023-7008 as postponed
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 37ac1784 by Thorsten Alteholz at 2023-12-22T01:02:02+01:00 mark CVE-2023-7008 as postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -243,6 +243,7 @@ CVE-2023-7008 [Unsigned name response in signed zone is not refused when DNSSEC= - systemd [bookworm] - systemd (Minor issue) [bullseye] - systemd (Minor issue) + [buster] - systemd (Minor issue, should be fixed after newer releases are done) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=672 CVE-2023-6912 (Lack of protection against brute force attacks in M-Files Server befor ...) NOT-FOR-US: M-Files Server View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/37ac1784e5dcf5c90265d20cf5ec33c17dfb5884 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/37ac1784e5dcf5c90265d20cf5ec33c17dfb5884 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
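Review bot: the new "[buster]" line for systemd in CVE-2023-7008 embeds a plan ("should be fixed after newer releases are done") in the reason field; the commit message calls this postponed, so the reason should state why it is deferred (minor impact, fix along with the next update), and the plan belongs in dla-needed.txt where it can be dated and tracked. Separately, the context line "NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=672" looks truncated; the bug id is worth re-checking.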
[Git][security-tracker-team/security-tracker][master] 5 commits: add openssh
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: cb7a1cf7 by Thorsten Alteholz at 2023-12-19T00:20:24+01:00 add openssh - - - - - ef35183e by Thorsten Alteholz at 2023-12-19T00:24:29+01:00 add dropbear - - - - - bf93abcd by Thorsten Alteholz at 2023-12-19T00:25:14+01:00 add golang-go.crypto - - - - - 19316c27 by Thorsten Alteholz at 2023-12-19T00:26:00+01:00 add libssh - - - - - a5d1da40 by Thorsten Alteholz at 2023-12-19T00:26:49+01:00 add libssh2 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -74,9 +74,15 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- +dropbear + NOTE: 20231219: Added by Front-Desk (ta) +-- frr NOTE: 20231119: Added by Front-Desk (apo) -- +golang-go.crypto + NOTE: 20231219: Added by Front-Desk (ta) +-- haproxy NOTE: 20231217: Added by Front-Desk (utkarsh) -- @@ -107,6 +113,12 @@ libreswan NOTE: 20230909: all due to code refactoring. I intend to package the version NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo) -- +libssh + NOTE: 20231219: Added by Front-Desk (ta) +-- +libssh2 + NOTE: 20231219: Added by Front-Desk (ta) +-- libstb NOTE: 20231029: Added by Front-Desk (gladk) NOTE: 20231029: A lot of open CVEs. Maybe duplicates. 
@@ -150,6 +162,9 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- +openssh + NOTE: 20231219: Added by Front-Desk (ta) +-- osslsigncode NOTE: 20230925: Added by Front-Desk (apo) NOTE: 20230925: Maybe a new upstream release should just do the trick here. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e88892d15d8255a2c3b4f96ce9fbe8be4a265d1b...a5d1da409d4da3fa6bb19318c046e59ce220e144 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e88892d15d8255a2c3b4f96ce9fbe8be4a265d1b...a5d1da409d4da3fa6bb19318c046e59ce220e144 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
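Review bot: the five new dla-needed.txt entries (dropbear, golang-go.crypto, libssh, libssh2, openssh) carry only the boilerplate Added-by note and no CVE id; the same package family appears under CVE-2023-48795 elsewhere on this page (the hunk in commit 9883cbe5 and siblings lists golang-go.crypto there), so naming the CVE in each NOTE would tell whoever claims these packages what is in scope without re-triaging.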
[Git][security-tracker-team/security-tracker][master] update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 5ff7fadf by Thorsten Alteholz at 2023-12-18T00:13:53+01:00 update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -35,7 +35,7 @@ asterisk bind9 (Thorsten Alteholz) NOTE: 20230921: Added by Front-Desk (apo) NOTE: 20231008: backporting patches - NOTE: 20231203: almost done with testing + NOTE: 20231217: almost done with testing -- bouncycastle (Markus Koschany) NOTE: 20231127: Added by Front-Desk (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5ff7fadf48cc619fa2febb786ea877b7f2a90bc0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5ff7fadf48cc619fa2febb786ea877b7f2a90bc0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
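Review bot: this hunk rewrites the date on an existing status line ("20231203: almost done with testing" becomes "20231217:"), which erases when the status was first recorded; the file's convention, visible in the bind9 entry itself and in the squid entry elsewhere on this page, is to append a new dated NOTE line. Commit 835b6930 on this page did the same to the same line (20231119 to 20231203).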
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3686-2 for xorg-server
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 6b08f3ec by Thorsten Alteholz at 2023-12-17T14:59:09+01:00 Reserve DLA-3686-2 for xorg-server - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[17 Dec 2023] DLA-3686-2 xorg-server - security update + {CVE-2023-6377} + [buster] - xorg-server 2:1.20.4-1+deb10u12 [16 Dec 2023] DLA-3690-1 intel-microcode - security update {CVE-2023-23583} [buster] - intel-microcode 3.20231114.1~deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b08f3ec98db91fb9da80e1b838f892ab800b266 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b08f3ec98db91fb9da80e1b838f892ab800b266 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
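Review bot: DLA-3686-2 is entered as "security update" and re-lists CVE-2023-6377, which DLA-3686-1 (commit 35bc411e on this page) already covered together with CVE-2023-6478; if -2 is a follow-up to the -1 upload, the description field is where that belongs (the list uses it for the update type, cf. "tzdata - new timezone database"), and the CVE set should reflect what the new deb10u12 actually changes.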
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3686-1 for xorg-server
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 35bc411e by Thorsten Alteholz at 2023-12-13T08:27:01+01:00 Reserve DLA-3686-1 for xorg-server - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[13 Dec 2023] DLA-3686-1 xorg-server - security update + {CVE-2023-6377 CVE-2023-6478} + [buster] - xorg-server 2:1.20.4-1+deb10u11 [13 Dec 2023] DLA-3685-1 debian-security-support - security update [buster] - debian-security-support 1:10+2023.13.12 [07 Dec 2023] DLA-3684-1 tzdata - new timezone database View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/35bc411ef873742afdcf4810d3dee262355ebd43 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/35bc411ef873742afdcf4810d3dee262355ebd43 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: add curl
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: fe08ee5c by Thorsten Alteholz at 2023-12-10T19:42:33+01:00 add curl - - - - - bf5df810 by Thorsten Alteholz at 2023-12-10T19:45:39+01:00 add asterisk - - - - - 15ef4e77 by Thorsten Alteholz at 2023-12-10T19:47:30+01:00 add note for curl - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -27,11 +27,17 @@ ansible NOTE: 20231202: (neither in LTS nor in stable/oldstable), so this is an opportunity to NOTE: 20231202: assess/fix the situation. -- +asterisk + NOTE: 20231210: Added by Front-Desk (ta) +-- bind9 (Thorsten Alteholz) NOTE: 20230921: Added by Front-Desk (apo) NOTE: 20231008: backporting patches NOTE: 20231203: almost done with testing -- +bluez + NOTE: 20231210: Added by Front-Desk (ta) +-- bouncycastle (Markus Koschany) NOTE: 20231127: Added by Front-Desk (Beuc) NOTE: 20231127: Also fix pending no-dsa CVEs, in particular CVE-2020-26939 was fixed in stretch-lts (Beuc/front-desk) 
@@ -49,6 +55,10 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- +curl + NOTE: 20231210: Added by Front-Desk (ta) + NOTE: 20231210: maybe also take care of https://lists.debian.org/debian-lts/2023/12/msg00020.html +-- docker.io NOTE: 20230303: Added by Front-Desk (Beuc) NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5cdebbfed5708f1e615fa0bdcb381a37de8c2295...15ef4e776da1fb2d916b4e95b2380bca6b4b44d1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5cdebbfed5708f1e615fa0bdcb381a37de8c2295...15ef4e776da1fb2d916b4e95b2380bca6b4b44d1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
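Review bot: the first hunk (@@ -27) adds "+bluez" to dla-needed.txt, but none of the three commit messages ("add curl", "add asterisk", "add note for curl") mentions it; give it its own commit or name it in the message. The curl entry's second NOTE linking the debian-lts list thread is the right pattern; the asterisk and bluez entries would benefit from the same kind of pointer to what triggered them.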
[Git][security-tracker-team/security-tracker][master] 3 commits: mark CVEs for gpac as EOL in Buster
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: dff9ed60 by Thorsten Alteholz at 2023-12-10T00:25:45+01:00 mark CVEs for gpac as EOL in Buster - - - - - 52c1cae8 by Thorsten Alteholz at 2023-12-10T00:27:32+01:00 mark CVE-2023-49284 as no-dsa for Buster - - - - - 917a5171 by Thorsten Alteholz at 2023-12-10T00:38:00+01:00 mark CVE-2023-49464 CVE-2023-49463 CVE-2023-49462 CVE-2023-49460 as not-affected for Buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24,6 +24,7 @@ CVE-2023-47722 (IBM API Connect V10.0.5.3 and V10.0.6.0 stores user credentials NOT-FOR-US: IBM CVE-2023-47465 (An issue in GPAC v.2.2.1 and before allows a local attacker to cause a ...) - gpac + [buster] - gpac (EOL in Buster LTS) NOTE: https://github.com/gpac/gpac/issues/2652 NOTE: https://github.com/gpac/gpac/commit/a40a3b7ef7420c8df0a7d9411ab1fc267ca86c49 NOTE: https://github.com/gpac/gpac/commit/613dbc5702b09063b101cfc3d6ad74b45ad87521 @@ -31,6 +32,7 @@ CVE-2023-47254 (An OS Command Injection in the CLI interface on DrayTek Vigor167 NOT-FOR-US: DrayTek Vigor167 CVE-2023-46932 (Heap Buffer Overflow vulnerability in GPAC version 2.3-DEV-rev617-g671 ...) - gpac + [buster] - gpac (EOL in Buster LTS) NOTE: https://github.com/gpac/gpac/issues/2669 NOTE: https://github.com/gpac/gpac/commit/dfdf1681aae2f7b6265e58e97f8461a89825a74b CVE-2023-6622 (A null pointer dereference vulnerability was found in nft_dynset_init( ...) @@ -269,6 +271,7 @@ CVE-2023-49464 (libheif v1.17.5 was discovered to contain a segmentation violati - libheif [bookworm] - libheif (Minor issue) [bullseye] - libheif (Minor issue) + [buster] - libheif (Vulnerable code not present) NOTE: https://github.com/strukturag/libheif/issues/1044 NOTE: https://github.com/strukturag/libheif/pull/1049 NOTE: https://github.com/strukturag/libheif/commit/2bf226a300951e6897ee7267d0dd379ba5ad7287 
@@ -276,16 +279,19 @@ CVE-2023-49463 (libheif v1.17.5 was discovered to contain a segmentation violati - libheif [bookworm] - libheif (Minor issue) [bullseye] - libheif (Minor issue) + [buster] - libheif (Vulnerable code not present) NOTE: https://github.com/strukturag/libheif/issues/1042 CVE-2023-49462 (libheif v1.17.5 was discovered to contain a segmentation violation via ...) - libheif [bookworm] - libheif (Minor issue) [bullseye] - libheif (Minor issue) + [buster] - libheif (Vulnerable code not present) NOTE: https://github.com/strukturag/libheif/issues/1043 CVE-2023-49460 (libheif v1.17.5 was discovered to contain a segmentation violation via ...) - libheif [bookworm] - libheif (Minor issue) [bullseye] - libheif (Minor issue) + [buster] - libheif (Vulnerable code not present) NOTE: https://github.com/strukturag/libheif/issues/1046 CVE-2023-49437 (Tenda AX12 V22.03.01.46 has been discovered to contain a command injec ...) NOT-FOR-US: Tenda 
@@ -798,6 +804,7 @@ CVE-2023-49284 (fish is a smart and user-friendly command line shell for macOS, - fish (bug #1057455) [bookworm] - fish (Minor issue) [bullseye] - fish (Minor issue) + [buster] - fish (Minor issue) NOTE: https://github.com/fish-shell/fish-shell/security/advisories/GHSA-2j9r-pm96-wp4f NOTE: https://github.com/fish-shell/fish-shell/commit/09986f5563e31e2c900a606438f1d60d008f3a14 (3.6.2) CVE-2023-49280 (XWiki Change Request is an XWiki application allowing to request chang ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/68e140b27ee90086aed7c0a2f35d998587eb27b0...917a51719f847fc8d75dfdd0a210f43d636af528 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/68e140b27ee90086aed7c0a2f35d998587eb27b0...917a51719f847fc8d75dfdd0a210f43d636af528 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
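Review bot: the four libheif hunks mark buster "(Vulnerable code not present)" while the NOTE lines point only to upstream issues, not to the change that introduced the code; recording the introducing commit or version (the form "Vulnerable code introduced later" used in commit 9011e30f on this page gets closer) is what makes a not-affected claim auditable later. The gpac "(EOL in Buster LTS)" annotations are consistent with the two added earlier in commit e8ab4b0c.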
[Git][security-tracker-team/security-tracker][master] 3 commits: mark busybox CVEs as no-dsa
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: c3afd9bc by Thorsten Alteholz at 2023-12-09T00:35:00+01:00 mark busybox CVEs as no-dsa - - - - - 50d9705b by Thorsten Alteholz at 2023-12-09T00:41:33+01:00 mark CVE-2023-5332 as no-dsa for Buster - - - - - 9011e30f by Thorsten Alteholz at 2023-12-09T00:46:15+01:00 mark CVE-2023-49083 as not-affected for Buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1034,6 +1034,7 @@ CVE-2023-32804 (Out-of-bounds Write vulnerability in Arm Ltd Midgard GPU Userspa CVE-2023-5332 (Patch in third party library Consul requires 'enable-script-checks' to ...) - consul [bullseye] - consul (Minor issue) + [buster] - consul (Minor issue) NOTE: https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8171 NOTE: https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations CVE-2023-49287 (TinyDir is a lightweight C directory and file reader. Buffer overflows ...) @@ -1909,6 +1910,7 @@ CVE-2023-49083 (cryptography is a package designed to expose cryptographic primi - python-cryptography (bug #1057108) [bookworm] - python-cryptography (Minor issue) [bullseye] - python-cryptography (Minor issue) + [buster] - python-cryptography (Vulnerable code introduced later) NOTE: https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97 NOTE: https://github.com/pyca/cryptography/pull/9926 NOTE: https://github.com/pyca/cryptography/commit/1e7b4d074e14c4e694d3ce69ad6754a6039fd6ff (main) 
@@ -2122,21 +2124,25 @@ CVE-2023-42366 (A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the - busybox [bookworm] - busybox (Minor issue) [bullseye] - busybox (Minor issue) + [buster] - busybox (Minor issue) NOTE: https://bugs.busybox.net/show_bug.cgi?id=15874 CVE-2023-42365 (A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via ...) - busybox [bookworm] - busybox (Minor issue) [bullseye] - busybox (Minor issue) + [buster] - busybox (Minor issue) NOTE: https://bugs.busybox.net/show_bug.cgi?id=15871 CVE-2023-42364 (A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to ...) - busybox [bookworm] - busybox (Minor issue) [bullseye] - busybox (Minor issue) + [buster] - busybox (Minor issue) NOTE: https://bugs.busybox.net/show_bug.cgi?id=15868 CVE-2023-42363 (A use-after-free vulnerability was discovered in xasprintf function in ...) - busybox [bookworm] - busybox (Minor issue) [bullseye] - busybox (Minor issue) + [buster] - busybox (Minor issue) NOTE: https://bugs.busybox.net/show_bug.cgi?id=15865 CVE-2023-3545 (Improper sanitisation in `main/inc/lib/fileUpload.lib.php` in Chamilo ...) NOT-FOR-US: Chamilo LMS View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/01c38db3c923db34e3f9769de76eb0caa5d599f4...9011e30f8f086a7302c46ccb67c60a9ccafe85a9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/01c38db3c923db34e3f9769de76eb0caa5d599f4...9011e30f8f086a7302c46ccb67c60a9ccafe85a9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
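Review bot: the four busybox hunks (CVE-2023-42363 through CVE-2023-42366) mark buster "(Minor issue)", matching bookworm and bullseye, but every NOTE points only at a bugs.busybox.net report and none records whether an upstream fix exists; for use-after-free and heap-overflow bugs, noting the fix status (or its absence) is what lets the no-dsa decision be revisited if an exploitable path turns up.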
[Git][security-tracker-team/security-tracker][master] mark CVE of gpac as EOL in Buster
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: e8ab4b0c by Thorsten Alteholz at 2023-12-07T23:38:18+01:00 mark CVE of gpac as EOL in Buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -108,6 +108,7 @@ CVE-2023-49402 (Tenda W30E V16.01.0.12(4843) was discovered to contain a stack o NOT-FOR-US: Tenda CVE-2023-48958 (gpac 2.3-DEV-rev617-g671976fcc-master contains memory leaks in gf_mpd_ ...) - gpac + [buster] - gpac (EOL in Buster LTS) NOTE: https://github.com/gpac/gpac/issues/2689 NOTE: Fixed by: https://github.com/gpac/gpac/commit/249c9fc18704e6d3cb6a4b173034a41aa570e7e4 CVE-2023-48325 (URL Redirection to Untrusted Site ('Open Redirect') vulnerability in P ...) @@ -122,6 +123,7 @@ CVE-2023-46974 (Cross Site Scripting vulnerability in Best Courier Management Sy NOT-FOR-US: Best Courier Management System CVE-2023-46871 (GPAC version 2.3-DEV-rev602-ged8424300-master in MP4Box contains a mem ...) - gpac + [buster] - gpac (EOL in Buster LTS) NOTE: https://github.com/gpac/gpac/issues/2658 NOTE: Fixed by: https://github.com/gpac/gpac/commit/03760e34d32e502a0078b20d15ea83ecaf453a5c CVE-2023-46641 (Server-Side Request Forgery (SSRF) vulnerability in Code for Recovery ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8ab4b0c1ff3407f01305d852574170f58bbed4e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8ab4b0c1ff3407f01305d852574170f58bbed4e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: add haproxy
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: de01f33d by Thorsten Alteholz at 2023-12-06T23:39:28+01:00 add haproxy - - - - - f3f4bfd8 by Thorsten Alteholz at 2023-12-06T23:41:21+01:00 mark CVE-2023-43628 as no-dsa for Buster - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -221,6 +221,7 @@ CVE-2023-43628 (An integer underflow vulnerability exists in the NTRIP Stream Pa - gpsd (bug #1057667) [bookworm] - gpsd (Minor issue) [bullseye] - gpsd (Minor issue) + [buster] - gpsd (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1860 NOTE: https://gitlab.com/gpsd/gpsd/-/commit/3e5c6c28c422102dd453e31912e1e79d1f7ff7f2 CVE-2023-43608 (A data integrity vulnerability exists in the BR_NO_CHECK_HASH_FOR func ...) = data/dla-needed.txt = @@ -66,6 +66,9 @@ dogecoin frr NOTE: 20231119: Added by Front-Desk (apo) -- +haproxy + NOTE: 20231206: Added by Front-Desk (ta) +-- i2p NOTE: 20230809: Added by Front-Desk (Beuc) NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3b772737cd9687dac0fce23cf9e89127d54536b6...f3f4bfd83e5879ae2b6a53913d68ca9b793e274f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3b772737cd9687dac0fce23cf9e89127d54536b6...f3f4bfd83e5879ae2b6a53913d68ca9b793e274f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 835b6930 by Thorsten Alteholz at 2023-12-03T23:56:54+01:00 update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -30,7 +30,7 @@ ansible bind9 (Thorsten Alteholz) NOTE: 20230921: Added by Front-Desk (apo) NOTE: 20231008: backporting patches - NOTE: 20231119: almost done with testing + NOTE: 20231203: almost done with testing -- bouncycastle (Markus Koschany) NOTE: 20231127: Added by Front-Desk (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/835b69306324f93828087a2dc3e34e373aadc1ef -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/835b69306324f93828087a2dc3e34e373aadc1ef You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3673-1 for gst-plugins-bad1.0
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: c8dae185 by Thorsten Alteholz at 2023-11-28T23:46:00+01:00 Reserve DLA-3673-1 for gst-plugins-bad1.0 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[28 Nov 2023] DLA-3673-1 gst-plugins-bad1.0 - security update + {CVE-2023-6} + [buster] - gst-plugins-bad1.0 1.14.4-1+deb10u5 [28 Nov 2023] DLA-3672-1 postgresql-multicorn - security update [buster] - postgresql-multicorn 1.3.4-4+deb10u1 [28 Nov 2023] DLA-3671-1 mediawiki - security update = data/dla-needed.txt = @@ -69,9 +69,6 @@ frr gimp-dds NOTE: 20231127: Added by Front-Desk (Beuc) -- -gst-plugins-bad1.0 (Thorsten Alteholz) - NOTE: 20231118: Added by Front-Desk (apo) --- horizon NOTE: 20231101: Added by Front-Desk (lamby) NOTE: 20231101: Sync with bullseye (CVE-2022-45582). (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8dae1851184b8cbf0ac3c82ef343799f04510c7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8dae1851184b8cbf0ac3c82ef343799f04510c7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
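Review bot: the CVE line in the new DLA-3673-1 entry reads "{CVE-2023-6}", which is not a complete CVE identifier; fill in the actual id(s) fixed by gst-plugins-bad1.0 1.14.4-1+deb10u5 before this is published, since tooling matches DLA entries to CVE entries by that field. The removal of the gst-plugins-bad1.0 entry from dla-needed.txt in the second hunk is the expected counterpart.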
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3670-1 for minizip
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 72ec5d16 by Thorsten Alteholz at 2023-11-28T00:03:01+01:00 Reserve DLA-3670-1 for minizip - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[28 Nov 2023] DLA-3670-1 minizip - security update + {CVE-2023-45853} + [buster] - minizip 1.1-8+deb10u1 [27 Nov 2023] DLA-3669-1 cryptojs - security update {CVE-2023-46233} [buster] - cryptojs 3.1.2+dfsg-2+deb10u1 = data/dla-needed.txt = @@ -120,9 +120,6 @@ linux-5.10 mediawiki (guilhem) NOTE: 20231011: Added by Front-Desk (ta) -- -minizip (Thorsten Alteholz) - NOTE: 20231117: Added by Front-Desk (apo) --- netatalk (gladk) NOTE: 20231119: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72ec5d16fe9ef63249c0f4241b957568c05603be -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72ec5d16fe9ef63249c0f4241b957568c05603be You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] add notes for CVE-2023-43887
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: cb873ce7 by Thorsten Alteholz at 2023-11-21T18:47:58+01:00 add notes for CVE-2023-43887 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -662,7 +662,9 @@ CVE-2023-47638 REJECTED CVE-2023-43887 - libde265 1.0.13-1 - TODO: check references + TODO: check references, suggestion below + NOTE: https://github.com/strukturag/libde265/issues/418 + NOTE: https://github.com/strukturag/libde265/commit/63b596c915977f038eafd7647d1db25488a8c133 (v1.0.13) CVE-2023-47471 (Buffer Overflow vulnerability in strukturag libde265 v1.10.12 allows a ...) - libde265 1.0.13-1 (bug #1056187) [bookworm] - libde265 (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb873ce7aad912324f59c12495841d0fa8f49823 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb873ce7aad912324f59c12495841d0fa8f49823 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
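Review bot: the TODO is rewritten to "check references, suggestion below" while the two NOTE lines it refers to are added in the same hunk, so the entry now carries both a candidate fix ("63b596c9... (v1.0.13)") and an instruction to verify it; say what is still unverified (whether that commit is the fix for this CVE, for instance) or drop the TODO, otherwise it reads as stale. The entry also has no description text after "CVE-2023-43887", unlike CVE-2023-47471 directly below it.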
[Git][security-tracker-team/security-tracker][master] claim gst-plugins-bad1.0
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 1f843bf6 by Thorsten Alteholz at 2023-11-20T13:46:42+01:00 claim gst-plugins-bad1.0 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -84,7 +84,7 @@ gimp (Adrian Bunk) gnutls28 NOTE: 20231117: Added by Front-Desk (apo) -- -gst-plugins-bad1.0 +gst-plugins-bad1.0 (Thorsten Alteholz) NOTE: 20231118: Added by Front-Desk (apo) -- horizon View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1f843bf6558f64f8e2f79612264a7d019277c15f
[Git][security-tracker-team/security-tracker][master] 2 commits: follow sec team with ignoring CVE-2023-45853 for Buster
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: cf4d3ed5 by Thorsten Alteholz at 2023-11-20T08:51:54+01:00 follow sec team with ignoring CVE-2023-45853 for Buster - - - - - d80384de by Thorsten Alteholz at 2023-11-20T08:52:32+01:00 nothing todo for zlib - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -6089,6 +6089,7 @@ CVE-2023-45853 (MiniZip in zlib through 1.3 has an integer overflow and resultan - zlib 1:1.3.dfsg-2 (bug #1054290) [bookworm] - zlib (contrib/minizip not built and producing binary packages) [bullseye] - zlib (contrib/minizip not built and producing binary packages) + [buster] - zlib (contrib/minizip not built and producing binary packages) - minizip NOTE: https://github.com/madler/zlib/pull/843 NOTE: https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c = data/dla-needed.txt = @@ -285,6 +285,3 @@ zabbix zbar NOTE: 20231119: Added by Front-Desk (apo) -- -zlib (Thorsten Alteholz) - NOTE: 20231117: Added by Front-Desk (apo) --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/665a6defddf4f1bf62e41c34eb1a2801af82c9a0...d80384dec6db2adbbc8c96cfbd36c39ab3dfac5d
[Git][security-tracker-team/security-tracker][master] update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 1f3e1f05 by Thorsten Alteholz at 2023-11-19T12:30:17+01:00 update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -27,7 +27,7 @@ amanda bind9 (Thorsten Alteholz) NOTE: 20230921: Added by Front-Desk (apo) NOTE: 20231008: backporting patches - NOTE: 20231105: still testing package + NOTE: 20231119: almost done with testing -- cacti NOTE: 20230906: Added by Front-Desk (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1f3e1f05d46bbc698b4afd76fb80132253286e92
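Review bot: the bind9 hunk replaces `NOTE: 20231105: still testing package` with `NOTE: 20231119: almost done with testing` instead of appending a new dated line; the header of dla-needed.txt, quoted as context in the amanda hunks elsewhere in this series, asks "please append notes rather than remove/replace existing ones" so that the whole history of an update stays visible. Keep the 20231105 line and add the 20231119 line below it.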
[Git][security-tracker-team/security-tracker][master] 2 commits: mark CVE-2023-42118 as postponed for Buster
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: bbdc482f by Thorsten Alteholz at 2023-11-19T12:25:47+01:00 mark CVE-2023-42118 as postponed for Buster - - - - - 5e55e16e by Thorsten Alteholz at 2023-11-19T12:26:57+01:00 mark CVE for libspf2 as postponed and remove entry from dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -8906,6 +8906,7 @@ CVE-2023-42118 [Exim libspf2 Integer Underflow Remote Code Execution Vulnerabili - libspf2 (bug #1053870) [bookworm] - libspf2 (Revisit once upstream and ZDI status is clarfied) [bullseye] - libspf2 (Revisit once upstream and ZDI status is clarfied) + [buster] - libspf2 (Revisit once upstream and ZDI status is clarfied) NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1472/ NOTE: https://bugs.exim.org/show_bug.cgi?id=3032 NOTE: https://www.openwall.com/lists/oss-security/2023/09/29/5 = data/dla-needed.txt = 
@@ -110,10 +110,6 @@ libreswan NOTE: 20230909: all due to code refactoring. I intend to package the version NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo) -- -libspf2 (Thorsten Alteholz) - NOTE: 20231016: Added by Front-Desk (ta) - NOTE: 20231105: upstream does not know yet, whether available patch is enough (ta) --- libstb (Adrian Bunk) NOTE: 20231029: Added by Front-Desk (gladk) NOTE: 20231029: A lot of open CVEs. Maybe duplicates. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/937b8b8eb6080ec483c17a1f397419ea0ea8bc65...5e55e16e5064fa8a8d6d1253fcf65fe9e98fd4d3
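Review bot: the added `[buster] - libspf2 (Revisit once upstream and ZDI status is clarfied)` copies the "clarfied" typo from the bookworm and bullseye lines, so the misspelling now appears three times in the entry; fix all three while the entry is being touched. Also, the commit message says "postponed", but the line uses the untagged reason form rather than the tracker's explicit `<postponed>` tag, so the postponed status is recorded only in git history and not in data/CVE/list itself.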
[Git][security-tracker-team/security-tracker][master] claim zlib and minizip
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: b8245134 by Thorsten Alteholz at 2023-11-18T13:13:07+01:00 claim zlib and minizip - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -132,7 +132,7 @@ lwip (tobi) mediawiki (guilhem) NOTE: 20231011: Added by Front-Desk (ta) -- -minizip +minizip (Thorsten Alteholz) NOTE: 20231117: Added by Front-Desk (apo) -- netty (Markus Koschany) @@ -267,6 +267,6 @@ wireshark zabbix NOTE: 20231015: Added by Front-Desk (ta) -- -zlib +zlib (Thorsten Alteholz) NOTE: 20231117: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b8245134b2e11fca0e08e83ac51551fce1953365
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: f6897319 by Thorsten Alteholz at 2023-11-05T23:30:19+01:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -31,7 +31,7 @@ audiofile bind9 (Thorsten Alteholz) NOTE: 20230921: Added by Front-Desk (apo) NOTE: 20231008: backporting patches - NOTE: 20231023: testing package + NOTE: 20231105: still testing package -- cacti (guilhem) NOTE: 20230906: Added by Front-Desk (lamby) @@ -112,7 +112,7 @@ libreswan -- libspf2 (Thorsten Alteholz) NOTE: 20231016: Added by Front-Desk (ta) - NOTE: 20231029: upstream does not know yet, whether available patch is enough (ta) + NOTE: 20231105: upstream does not know yet, whether available patch is enough (ta) -- libstb (Adrian Bunk) NOTE: 20231029: Added by Front-Desk (gladk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f6897319f6fbce7eaa243477211f3a32c40b2531
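Review bot: both hunks rewrite the date on an existing NOTE line (bind9 `20231023: testing package` becomes `20231105: still testing package`, libspf2 `20231029: upstream does not know yet ...` becomes the same text dated `20231105`) rather than appending a new dated line, which is what the dla-needed.txt header asks for; after this change a reader can no longer see that the libspf2 status was first recorded on 20231029. Append `NOTE: 20231105: ...` lines and leave the earlier ones in place.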
[Git][security-tracker-team/security-tracker][master] update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 3084970d by Thorsten Alteholz at 2023-10-29T23:26:44+01:00 update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -103,6 +103,7 @@ libreswan -- libspf2 (Thorsten Alteholz) NOTE: 20231016: Added by Front-Desk (ta) + NOTE: 20231029: upstream does not know yet, whether available patch is enough (ta) -- libstb NOTE: 20231029: Added by Front-Desk (gladk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3084970d457e06315b65ad7ef42146fd85861787
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3633-1 for gst-plugins-bad1.0
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 9063422b by Thorsten Alteholz at 2023-10-28T14:05:58+02:00 Reserve DLA-3633-1 for gst-plugins-bad1.0 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[28 Oct 2023] DLA-3633-1 gst-plugins-bad1.0 - security update + {CVE-2023-40474 CVE-2023-40475 CVE-2023-40476} + [buster] - gst-plugins-bad1.0 1.14.4-1+deb10u4 [27 Oct 2023] DLA-3632-1 firefox-esr - security update {CVE-2023-5721 CVE-2023-5724 CVE-2023-5725 CVE-2023-5728 CVE-2023-5730 CVE-2023-5732} [buster] - firefox-esr 115.4.0esr-1~deb10u1 = data/dla-needed.txt = @@ -74,10 +74,6 @@ freerdp2 (tobi) NOTE: 20231007: First round done, unfortunatly missed a few CVES while updating, will do an follow up. NOTE: 20231023: Will continue working on package next weekend. (tobi) -- -gst-plugins-bad1.0 (Thorsten Alteholz) - NOTE: 20230928: Added by Frond-Desk (ola) - NOTE: 20231013: testing package --- h2o (gladk) NOTE: 20231013: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9063422bad228a191c06ecf59b664177ad6ce8b9
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3631-1 for xorg-server
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: eb61f367 by Thorsten Alteholz at 2023-10-25T17:27:42+02:00 Reserve DLA-3631-1 for xorg-server - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[25 Oct 2023] DLA-3631-1 xorg-server - security update + {CVE-2023-5367 CVE-2023-5380} + [buster] - xorg-server 2:1.20.4-1+deb10u10 [24 Oct 2023] DLA-3630-1 roundcube - security update {CVE-2023-5631} [buster] - roundcube 1.3.17+dfsg.1-1~deb10u4 = data/dla-needed.txt = @@ -239,9 +239,6 @@ thunderbird (Emilio) trafficserver (Adrian Bunk) NOTE: 20231011: Added by Front-Desk (ta) -- -xorg-server (Thorsten Alteholz) - NOTE: 20231025: Added embargoed issue (ta) --- zabbix NOTE: 20231015: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb61f367f5d8779d90b9d9327c233c472a3c7d9d
[Git][security-tracker-team/security-tracker][master] add xorg-server
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 87e5bdd4 by Thorsten Alteholz at 2023-10-25T11:08:43+02:00 add xorg-server - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -235,6 +235,9 @@ suricata (Adrian Bunk) trafficserver (Adrian Bunk) NOTE: 20231011: Added by Front-Desk (ta) -- +xorg-server (Thorsten Alteholz) + NOTE: 20231025: Added embargoed issue (ta) +-- zabbix NOTE: 20231015: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/87e5bdd46c9445c565b86c6cb6b4eab523f148bc
[Git][security-tracker-team/security-tracker][master] free amanda
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 4758928f by Thorsten Alteholz at 2023-10-23T16:36:15+02:00 free amanda - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -21,9 +21,8 @@ To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. -- -amanda (Thorsten Alteholz) +amanda NOTE: 20230730: Added by Front-Desk (apo) - NOTE: 20231023: still testing package (ta) -- audiofile NOTE: 20230918: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4758928fab6ce6a5bdc4a89c1c1b947d15f06c83
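Review bot: freeing amanda removes `NOTE: 20231023: still testing package (ta)` together with the claimant, so the entry no longer records that work had started and how far it got, and the hunk's own context line reads "please append notes rather than remove/replace existing ones"; keep the 20231023 line and append a dated note saying the package was freed, so the next person to claim it knows there is prior work to ask about.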
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 337a1513 by Thorsten Alteholz at 2023-10-23T16:18:11+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -23,7 +23,7 @@ rather than remove/replace existing ones. -- amanda (Thorsten Alteholz) NOTE: 20230730: Added by Front-Desk (apo) - NOTE: 20231008: still testing package (ta) + NOTE: 20231023: still testing package (ta) -- audiofile NOTE: 20230918: Added by Front-Desk (apo) @@ -32,6 +32,7 @@ audiofile bind9 (Thorsten Alteholz) NOTE: 20230921: Added by Front-Desk (apo) NOTE: 20231008: backporting patches + NOTE: 20231023: testing package -- cacti (guilhem) NOTE: 20230906: Added by Front-Desk (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/337a15137d3e938077c0525ca653a1de279af71b
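Review bot: the amanda hunk only bumps the date on `NOTE: 20231008: still testing package (ta)` to 20231023, directly under the context line "rather than remove/replace existing ones", whereas the bind9 hunk in the same commit does it the intended way by appending `NOTE: 20231023: testing package` under the existing 20231008 line; do the same for amanda so the file shows that testing has been ongoing since 20231008 rather than only the latest date.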
[Git][security-tracker-team/security-tracker][master] 5 commits: add nss
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: ddcfe06e by Thorsten Alteholz at 2023-10-15T23:45:11+02:00 add nss - - - - - 499d634b by Thorsten Alteholz at 2023-10-15T23:51:27+02:00 mark CVE-2023-32724 as not-affected for Buster - - - - - 86489cea by Thorsten Alteholz at 2023-10-15T23:53:58+02:00 mark CVE-2023-32722 as not-affected for Buster - - - - - 5ef916c9 by Thorsten Alteholz at 2023-10-16T00:06:49+02:00 add libspf2 - - - - - 90379fe3 by Thorsten Alteholz at 2023-10-16T00:12:05+02:00 mark CVE-2023-5371 as no-dsa for Buster - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -357,12 +357,14 @@ CVE-2023-3781 (there is a possible use-after-free write due to improper locking. NOT-FOR-US: Android CVE-2023-32724 (Memory pointer is in a property of the Ducktape object. This leads to ...) - zabbix (bug #1053877) + [buster] - zabbix (vulnerable code introduced later) NOTE: https://support.zabbix.com/browse/ZBX-23391 CVE-2023-32723 (Request to LDAP is sent before user permissions are checked.) - zabbix (bug #1053877) NOTE: https://support.zabbix.com/browse/ZBX-23230 CVE-2023-32722 (The zabbix/src/libs/zbxjson module is vulnerable to a buffer overflow ...) - zabbix (bug #1053877) + [buster] - zabbix (vulnerable code introduced later) NOTE: https://support.zabbix.com/browse/ZBX-23390 CVE-2023-32721 (A stored XSS has been found in the Zabbix web application in the Maps ...) - zabbix (bug #1053877) 
@@ -1732,6 +1734,7 @@ CVE-2023-5373 (A vulnerability classified as critical has been found in SourceCo NOT-FOR-US: SourceCodester Online Computer and Laptop Store CVE-2023-5371 (RTPS dissector memory leak in Wireshark 4.0.0 to 4.0.8 and 3.6.0 to 3. ...) - wireshark 4.0.10-1 + [buster] - wireshark (Minor issue) NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19322 NOTE: https://www.wireshark.org/security/wnpa-sec-2023-27.html CVE-2023-5113 (Certain HP Enterprise LaserJet and HP LaserJet Managed Printers are po ...) = data/dla-needed.txt = @@ -117,6 +117,9 @@ libreswan NOTE: 20230909: all due to code refactoring. I intend to package the version NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo) -- +libspf2 (Thorsten Alteholz) + NOTE: 20231016: Added by Front-Desk (ta) +-- linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- @@ -149,6 +152,9 @@ nova NOTE: 20230302: zigo currently has no time and requests the LTS team to do it (IRC #debian-lts 2023-03-02). (Beuc/front-desk) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. (lamby) -- +nss + NOTE: 20231015: Added by Front-Desk (ta) +-- nvidia-cuda-toolkit NOTE: 20230514: Added by Front-Desk (utkarsh) NOTE: 20230514: package listed in packages-to-support; a bunch of CVEs have 
@@ -238,6 +244,9 @@ suricata (Adrian Bunk) trafficserver NOTE: 20231011: Added by Front-Desk (ta) -- +zabbix + NOTE: 20231015: Added by Front-Desk (ta) +-- zookeeper NOTE: 20231014: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/abcc50cf5611995a272b0b2e064f85011b0f89f0...90379fe3ef6eda70fabcf6009e58c372c434f686
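Review bot: the two zabbix lines `[buster] - zabbix (vulnerable code introduced later)` are described as "not-affected" in the commit messages for CVE-2023-32724 and CVE-2023-32722, but they use the untagged reason form, the same form the wireshark hunk in this patch uses for a no-dsa `(Minor issue)` marking; if buster's zabbix does not contain the vulnerable code, write `<not-affected>` explicitly so the tracker records buster as not affected instead of as an open issue with no DLA planned. The dla-needed.txt hunks (libspf2, nss, zabbix) look fine.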
[Git][security-tracker-team/security-tracker][master] add zookeeper
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: fa51326b by Thorsten Alteholz at 2023-10-14T00:09:04+02:00 add zookeeper - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -241,3 +241,6 @@ suricata (Adrian Bunk) trafficserver NOTE: 20231011: Added by Front-Desk (ta) -- +zookeeper + NOTE: 20231014: Added by Front-Desk (ta) +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa51326b9fdddf1c00d023f68bea7887731bb053
[Git][security-tracker-team/security-tracker][master] 5 commits: update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 07d55dab by Thorsten Alteholz at 2023-10-13T23:06:58+02:00 update note - - - - - 23027e79 by Thorsten Alteholz at 2023-10-13T23:10:08+02:00 mark issues for gpac as EOL - - - - - e74c539a by Thorsten Alteholz at 2023-10-13T23:23:54+02:00 add ceph - - - - - 7d18fc32 by Thorsten Alteholz at 2023-10-13T23:59:58+02:00 add h2o - - - - - b20658ac by Thorsten Alteholz at 2023-10-14T00:02:02+02:00 add nghttp - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -290,6 +290,7 @@ CVE-2023-44187 (An Exposure of Sensitive Information vulnerability in the 'file NOT-FOR-US: Juniper CVE-2023-42298 (An issue in GPAC GPAC v.2.2.1 and before allows a local attacker to ca ...) - gpac (bug #1053878) + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2567 NOTE: https://github.com/gpac/gpac/commit/16c4fafc2881112eba7051cac48f922eb2b94e06 CVE-2023-40833 (An issue in Thecosy IceCMS v.1.0.0 allows a remote attacker to gain pr ...) @@ -319,6 +320,7 @@ CVE-2023-5521 (Incorrect Authorization in GitHub repository tiann/kernelsu prior NOT-FOR-US: KernelSU CVE-2023-5520 (Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.2.2.) - gpac (bug #1053878) + [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/681e42d0-18d4-4ebc-aba0-c5b0f77ac74a NOTE: https://github.com/gpac/gpac/commit/5692dc729491805e0e5f55c21d50ba1e6b19e88e CVE-2023-4957 (A vulnerability of authentication bypass has been found on a Zebra Tec ...) = data/dla-needed.txt = 
@@ -50,6 +50,9 @@ cairosvg NOTE: 20230323: Added by Front-Desk (gladk) NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert/inactive) -- +ceph + NOTE: 20231013: Added by Front-Desk (ta) +-- cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. @@ -89,6 +92,10 @@ freerdp2 (tobi) -- gst-plugins-bad1.0 (Thorsten Alteholz) NOTE: 20230928: Added by Frond-Desk (ola) + NOTE: 20231013: testing package +-- +h2o + NOTE: 20231013: Added by Front-Desk (ta) -- i2p NOTE: 20230809: Added by Front-Desk (Beuc) @@ -126,6 +133,9 @@ mosquitto (Markus Koschany) NOTE: 20230924: Added by Front-Desk (apo) NOTE: 20231009: Waiting for upstream clarification how to proceed with open CVE. (apo) -- +nghttp2 + NOTE: 20231014: Added by Front-Desk (ta) +-- node-webpack NOTE: 20231005: Added by Front-Desk (Beuc) NOTE: 20231005: Follow fixes from bullseye 11.7 (1 CVE) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4a47ba1251cdf9515d90a78f8123be8029e0de43...b20658ac2409e932b918b063ceaac71395c73e1a
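Review bot: both gpac lines in the data/CVE/list hunks, `[buster] - gpac (EOL in buster LTS)` for CVE-2023-42298 and CVE-2023-5520, put the end-of-life status only into the free-text reason and use the untagged form rather than the tracker's `<end-of-life>` tag, so the status the commit message announces ("mark issues for gpac as EOL") is not machine-visible in the file; use the tag and keep the reason text. Minor, in the gst-plugins-bad1.0 hunk of dla-needed.txt: the context line `NOTE: 20230928: Added by Frond-Desk (ola)` carries a "Frond-Desk" typo that could be corrected while appending the 20231013 note. The commit message says "add nghttp" while the entry added is `nghttp2`; the entry is the correct name.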
[Git][security-tracker-team/security-tracker][master] 4 commits: mark CVE-2023-38473 CVE-2023-38472 CVE-2023-38471 CVE-2023-38470...
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 2d45a939 by Thorsten Alteholz at 2023-10-12T23:25:19+02:00 mark CVE-2023-38473 CVE-2023-38472 CVE-2023-38471 CVE-2023-38470 CVE-2023-38469 as postponed minor issue for Buster - - - - - 3cfa0e18 by Thorsten Alteholz at 2023-10-12T23:31:27+02:00 mark CVE-2023-43643 as no-dsa for Buster - - - - - 3a46a423 by Thorsten Alteholz at 2023-10-12T23:35:33+02:00 mark CVE-2023-3430 as no-dsa for Buster - - - - - 3f7ebff2 by Thorsten Alteholz at 2023-10-12T23:40:05+02:00 mark CVE-2023-42822 as no-dsa for Buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1061,6 +1061,7 @@ CVE-2023-43643 (AntiSamy is a library for performing fast, configurable cleansin - libowasp-antisamy-java [bookworm] - libowasp-antisamy-java (Minor issue) [bullseye] - libowasp-antisamy-java (Minor issue) + [buster] - libowasp-antisamy-java (Minor issue) NOTE: https://github.com/nahsra/antisamy/security/advisories/GHSA-pcf2-gh6g-h5r2 NOTE: https://github.com/nahsra/antisamy/commit/05c52b98bb845b8175b8406bd2f391ce334a05d6 (v1.7.4) CVE-2023-42455 (Wazuh is a security detection, visibility, and compliance open source ...) @@ -1445,6 +1446,7 @@ CVE-2023-3430 - openimageio 2.4.13.0+dfsg-1 [bookworm] - openimageio (Minor issue) [bullseye] - openimageio (Minor issue) + [buster] - openimageio (Minor issue) NOTE: https://github.com/OpenImageIO/oiio/issues/3840 NOTE: https://github.com/AcademySoftwareFoundation/OpenImageIO/pull/3841 NOTE: https://github.com/OpenImageIO/oiio/commit/5ff2c56dd28e96f67ed8f80d8a3d1235e51f9957 (v2.4.12.0) 
@@ -1452,24 +1454,28 @@ CVE-2023-38473 - avahi [bookworm] - avahi (Minor issue) [bullseye] - avahi (Minor issue) + [buster] - avahi (Minor issue; re-evaluate when fixed upstream) NOTE: https://github.com/lathiat/avahi/issues/451 NOTE: https://www.openwall.com/lists/oss-security/2023/10/06/4 CVE-2023-38472 - avahi [bookworm] - avahi (Minor issue) [bullseye] - avahi (Minor issue) + [buster] - avahi (Minor issue; re-evaluate when fixed upstream) NOTE: https://github.com/lathiat/avahi/issues/452 NOTE: https://www.openwall.com/lists/oss-security/2023/10/06/4 CVE-2023-38471 - avahi [bookworm] - avahi (Minor issue) [bullseye] - avahi (Minor issue) + [buster] - avahi (Minor issue; re-evaluate when fixed upstream) NOTE: https://github.com/lathiat/avahi/issues/453 NOTE: https://www.openwall.com/lists/oss-security/2023/10/06/4 CVE-2023-38470 - avahi [bookworm] - avahi (Minor issue) [bullseye] - avahi (Minor issue) + [buster] - avahi (Minor issue; re-evaluate when fixed upstream) NOTE: https://github.com/lathiat/avahi/issues/454 NOTE: https://github.com/lathiat/avahi/pull/457 NOTE: https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c 
@@ -2762,6 +2768,7 @@ CVE-2023-42822 (xrdp is an open source remote desktop protocol server. Access to - xrdp (bug #1053284) [bookworm] - xrdp (Minor issue) [bullseye] - xrdp (Minor issue) + [buster] - xrdp (Minor issue) NOTE: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-2hjx-rm4f-r9hw NOTE: https://github.com/neutrinolabs/xrdp/commit/73acbe1f7957c65122b00de4d6f57a8d0d257c40 CVE-2023-42657 (In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a directory traver ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9f3250a15b606a2885c8c9a4832248fb2b5ca0c9...3f7ebff2301fccdae2bdc202e3767c221f4e3388
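Review bot: the commit message singles out the five avahi CVEs (CVE-2023-38469 to CVE-2023-38473) as "postponed minor issue" while libowasp-antisamy-java, openimageio and xrdp are plain "no-dsa", yet all of them are written in the same untagged `[buster] - pkg (Minor issue ...)` form; the avahi lines carry the intent in prose, "re-evaluate when fixed upstream", which is exactly what `<postponed>` expresses, so using that tag on the five avahi lines would record the distinction in the file rather than only in the commit message.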
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3615-1 for libcue
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c9ff3a0 by Thorsten Alteholz at 2023-10-12T00:25:28+02:00 Reserve DLA-3615-1 for libcue - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[12 Oct 2023] DLA-3615-1 libcue - security update + {CVE-2023-43641} + [buster] - libcue 2.2.1-2+deb10u1 [11 Oct 2023] DLA-3614-1 python3.7 - security update {CVE-2022-48560 CVE-2022-48564 CVE-2022-48565 CVE-2022-48566 CVE-2023-40217} [buster] - python3.7 3.7.3-2+deb10u6 = data/dla-needed.txt = @@ -105,9 +105,6 @@ krb5 (Adrian Bunk) NOTE: 20231007: Added by Front-Desk (Beuc) NOTE: 20231007: Follow fixes from bullseye 11.8 (1 CVE) (Beuc/front-desk) -- -libcue (Thorsten Alteholz) - NOTE: 20231011: Added by Front-Desk (ta) --- libreswan NOTE: 20230817: Added by Front-Desk (ta) NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c9ff3a0169e9d5230c042216a7edbb63fa0a457
[Git][security-tracker-team/security-tracker][master] 5 commits: add jetty9
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: e8087b3a by Thorsten Alteholz at 2023-10-11T23:38:06+02:00 add jetty9 - - - - - ebf5fd36 by Thorsten Alteholz at 2023-10-11T23:38:06+02:00 add trafficserver - - - - - c48b93a9 by Thorsten Alteholz at 2023-10-11T23:38:07+02:00 add mediawiki - - - - - d8dad72c by Thorsten Alteholz at 2023-10-11T23:38:07+02:00 add libcue - - - - - dc115cde by Thorsten Alteholz at 2023-10-11T23:38:07+02:00 claim libcue - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -98,10 +98,16 @@ imagemagick NOTE: 20230622: Added by Front-Desk (Beuc) NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) -- +jetty9 + NOTE: 20231011: Added by Front-Desk (ta) +-- krb5 (Adrian Bunk) NOTE: 20231007: Added by Front-Desk (Beuc) NOTE: 20231007: Follow fixes from bullseye 11.8 (1 CVE) (Beuc/front-desk) -- +libcue (Thorsten Alteholz) + NOTE: 20231011: Added by Front-Desk (ta) +-- libreswan NOTE: 20230817: Added by Front-Desk (ta) NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to @@ -116,6 +122,9 @@ linux (Ben Hutchings) linux-5.10 (Ben Hutchings) NOTE: 20231005: perma-added for LTS package-specific delegation (bwh) -- +mediawiki + NOTE: 20231011: Added by Front-Desk (ta) +-- mosquitto (Markus Koschany) NOTE: 20230924: Added by Front-Desk (apo) NOTE: 20231009: Waiting for upstream clarification how to proceed with open CVE. (apo) 
@@ -229,3 +238,6 @@ suricata (Adrian Bunk) tomcat9 (apo) NOTE: 20231010: Added by Front-Desk (ta) -- +trafficserver + NOTE: 20231011: Added by Front-Desk (ta) +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c4f17f75b86744af94da9cd598172fc740742f1a...dc115cdeece89cea660862b02e945c61d7c29639 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c4f17f75b86744af94da9cd598172fc740742f1a...dc115cdeece89cea660862b02e945c61d7c29639 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] add tomcat9
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: ed92bd2c by Thorsten Alteholz at 2023-10-10T23:36:15+02:00 add tomcat9 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -234,3 +234,6 @@ suricata (Adrian Bunk) NOTE: 20230714: Still reviewing+testing CVEs. (bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) -- +tomcat9 (apo) + NOTE: 20231010: Added by Front-Desk (ta) +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ed92bd2cc0de793e5371e0633ba149a2d2a5e366 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ed92bd2cc0de793e5371e0633ba149a2d2a5e366 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 64d8c820 by Thorsten Alteholz at 2023-10-08T19:51:12+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -23,7 +23,7 @@ rather than remove/replace existing ones. -- amanda (Thorsten Alteholz) NOTE: 20230730: Added by Front-Desk (apo) - NOTE: 20230924: still testing package (ta) + NOTE: 20231008: still testing package (ta) -- audiofile NOTE: 20230918: Added by Front-Desk (apo) @@ -38,6 +38,7 @@ batik (rouca) -- bind9 (Thorsten Alteholz) NOTE: 20230921: Added by Front-Desk (apo) + NOTE: 20231008: backporting patches -- cacti NOTE: 20230906: Added by Front-Desk (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64d8c820333be8e1c0506529c8446dcaa2bce266 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64d8c820333be8e1c0506529c8446dcaa2bce266 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
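Review bot: the new `NOTE: 20231008: backporting patches` line under bind9 in the second hunk has no author tag, while every other note in both hunks ends with one (`(ta)`, `(apo)`, `(lamby)`); append `(ta)` so the entry stays consistent with the rest of dla-needed.txt and the note remains attributable.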
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3594-1 for cups
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 34484616 by Thorsten Alteholz at 2023-09-30T18:55:39+02:00 Reserve DLA-3594-1 for cups - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Sep 2023] DLA-3594-1 cups - security update + {CVE-2023-4504 CVE-2023-32360} + [buster] - cups 2.2.10-6+deb10u9 [30 Sep 2023] DLA-3593-1 gerbv - security update {CVE-2021-40393 CVE-2021-40394 CVE-2023-4508} [buster] - gerbv 2.7.0-1+deb10u3 = data/dla-needed.txt = @@ -46,9 +46,6 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -cups (Thorsten Alteholz) - NOTE: 20230924: Added by Front-Desk (apo) --- docker.io NOTE: 20230303: Added by Front-Desk (Beuc) NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/344846164136cf1686d2f123e3da2facaac419af -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/344846164136cf1686d2f123e3da2facaac419af You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] claim gst-plugins-bad1.0
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: efc93ebb by Thorsten Alteholz at 2023-09-28T23:48:00+02:00 claim gst-plugins-bad1.0 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -90,7 +90,7 @@ gerbv (Adrian Bunk) NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230918: DLA coming soon. (bunk) -- -gst-plugins-bad1.0 +gst-plugins-bad1.0 (Thorsten Alteholz) NOTE: 20230928: Added by Frond-Desk (ola) -- i2p View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/efc93ebb44fe05c2d662a14fb9fabffed3ba7b51 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/efc93ebb44fe05c2d662a14fb9fabffed3ba7b51 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
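Review bot: the context line directly under the claimed entry, `NOTE: 20230928: Added by Frond-Desk (ola)`, has a typo (`Frond-Desk` for `Front-Desk`); since this hunk already touches the gst-plugins-bad1.0 entry, fixing it in the same commit would keep the file greppable for `Front-Desk`.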
[Git][security-tracker-team/security-tracker][master] claim cups
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 5dfc4380 by Thorsten Alteholz at 2023-09-24T19:50:51+02:00 claim cups - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -43,7 +43,7 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -cups +cups (Thorsten Alteholz) NOTE: 20230924: Added by Front-Desk (apo) -- docker.io (rouca/santiago) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5dfc438023b040638d11a53e088265e3768ef716 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5dfc438023b040638d11a53e088265e3768ef716 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 0b36b257 by Thorsten Alteholz at 2023-09-24T19:25:48+02:00 update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -23,7 +23,7 @@ rather than remove/replace existing ones. -- amanda (Thorsten Alteholz) NOTE: 20230730: Added by Front-Desk (apo) - NOTE: 20230910: still testing package (ta) + NOTE: 20230924: still testing package (ta) -- audiofile NOTE: 20230918: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0b36b257ba22f040cbbddcd289f00184834e43e3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0b36b257ba22f040cbbddcd289f00184834e43e3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] claim bind9
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: cb9048d4 by Thorsten Alteholz at 2023-09-23T19:22:02+02:00 claim bind9 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -29,7 +29,7 @@ audiofile NOTE: 20230918: Added by Front-Desk (apo) NOTE: 20230919: unfixed upstream (apo) -- -bind9 +bind9 (Thorsten Alteholz) NOTE: 20230921: Added by Front-Desk (apo) -- cacti View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb9048d44b21d291c0db0b39be29095b166a7c67 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb9048d44b21d291c0db0b39be29095b166a7c67 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3579-1 for elfutils
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 43ea3aa5 by Thorsten Alteholz at 2023-09-23T19:04:10+02:00 Reserve DLA-3579-1 for elfutils - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[23 Sep 2023] DLA-3579-1 elfutils - security update + {CVE-2020-21047} + [buster] - elfutils 0.176-1.1+deb10u1 [22 Sep 2023] DLA-3578-1 lldpd - security update {CVE-2023-41910} [buster] - lldpd 1.0.3-1+deb10u2 = data/dla-needed.txt = @@ -57,10 +57,6 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- -elfutils (Thorsten Alteholz) - NOTE: 20230903: Added by Front-Desk (gladk) - NOTE: 20230917: testing package --- exempi NOTE: 20230907: Added by Front-Desk (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43ea3aa5452f19c87ca7dd37e78ec456e287ac8e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43ea3aa5452f19c87ca7dd37e78ec456e287ac8e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] file is not-affected
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: afb8ac10 by Thorsten Alteholz at 2023-09-21T00:02:47+02:00 file is not-affected - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -4072,6 +4072,7 @@ CVE-2022-48560 (A use-after-free exists in Python through 3.9 via heappushpop in CVE-2022-48554 (File before 5.43 has an stack-based buffer over-read in file_copystr i ...) {DSA-5489-1} - file 1:5.44-1 + [buster] - file (vulnerable code introduced later) NOTE: https://bugs.astron.com/view.php?id=310 NOTE: Fixed by: https://github.com/file/file/commit/497aabb29cd08d2a5aeb63e45798d65fcbe03502 (FILE5_42) CVE-2022-48547 (A reflected cross-site scripting (XSS) vulnerability in Cacti 0.8.7g a ...) = data/dla-needed.txt = @@ -64,10 +64,6 @@ exempi exiv2 NOTE: 20230906: Added by Front-Desk (lamby) -- -file (Thorsten Alteholz) - NOTE: 20230901: Added by Front-Desk (gladk) - NOTE: 20230917: testing package --- firmware-nonfree NOTE: 20230820: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/afb8ac1073e0bf635965999a2dbf3e5d67a929a3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/afb8ac1073e0bf635965999a2dbf3e5d67a929a3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
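Review bot: the added buster line for CVE-2022-48554, `[buster] - file (vulnerable code introduced later)`, gives a reason that the surrounding NOTE lines do not back up: they point only at the upstream bug (bugs.astron.com #310) and the fixing commit 497aabb2 (FILE5_42), not at the commit that introduced the over-read into file_copystr. Adding a `NOTE:` with that introducing commit would let the next person verify that buster's version predates it without redoing the bisect. Also, the line as shown carries no status keyword between the package name and the reason, although the commit message says not-affected; if the `<not-affected>` marker was only lost in this rendering, fine, otherwise it needs to be there for the tracker to record a buster status at all.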
[Git][security-tracker-team/security-tracker][master] update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: a09a96cc by Thorsten Alteholz at 2023-09-17T19:39:24+02:00 update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -52,6 +52,7 @@ dogecoin -- elfutils (Thorsten Alteholz) NOTE: 20230903: Added by Front-Desk (gladk) + NOTE: 20230917: testing package -- exempi NOTE: 20230907: Added by Front-Desk (lamby) @@ -61,6 +62,7 @@ exiv2 -- file (Thorsten Alteholz) NOTE: 20230901: Added by Front-Desk (gladk) + NOTE: 20230917: testing package -- firmware-nonfree NOTE: 20230820: Added by Front-Desk (ta) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a09a96cc32d49e72d0a2158b58788e8965b3e44a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a09a96cc32d49e72d0a2158b58788e8965b3e44a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
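Review bot: both added lines, `NOTE: 20230917: testing package` under elfutils and the identical one under file, lack the author tag that the neighbouring notes carry (`(gladk)`, `(lamby)`, `(ta)`); append `(ta)` to each so it is clear who is testing and whom the front desk should ping.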
[Git][security-tracker-team/security-tracker][master] update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: b32d1ea0 by Thorsten Alteholz at 2023-09-10T23:41:20+02:00 update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -23,7 +23,7 @@ rather than remove/replace existing ones. -- amanda (Thorsten Alteholz) NOTE: 20230730: Added by Front-Desk (apo) - NOTE: 20230827: still testing package (ta) + NOTE: 20230910: still testing package (ta) -- c-ares (Utkarsh) NOTE: 20230826: Added by Front-Desk (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b32d1ea00e48fc4b3eb3dfad182b49af2f4876bd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b32d1ea00e48fc4b3eb3dfad182b49af2f4876bd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: claim elfutils
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 35903ee2 by Thorsten Alteholz at 2023-09-03T23:06:50+02:00 claim elfutils - - - - - 174dfdd8 by Thorsten Alteholz at 2023-09-03T23:08:42+02:00 claim file - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -54,10 +54,10 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- -elfutils +elfutils (Thorsten Alteholz) NOTE: 20230903: Added by Front-Desk (gladk) -- -file +file (Thorsten Alteholz) NOTE: 20230901: Added by Front-Desk (gladk) -- firmware-nonfree View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b234121994c2f7f2312b963fbfbfac8cd470bed1...174dfdd851f6c57988873bb959b6eeeabba7274e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b234121994c2f7f2312b963fbfbfac8cd470bed1...174dfdd851f6c57988873bb959b6eeeabba7274e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3549-1 for ring
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 4c016457 by Thorsten Alteholz at 2023-08-29T23:09:48+02:00 Reserve DLA-3549-1 for ring - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Aug 2023] DLA-3549-1 ring - security update + {CVE-2021-37706 CVE-2021-43299 CVE-2021-43300 CVE-2021-43301 CVE-2021-43302 CVE-2021-43303 CVE-2021-43804 CVE-2021-43845 CVE-2022-21722 CVE-2022-21723 CVE-2022-23537 CVE-2022-23547 CVE-2022-23608 CVE-2022-24754 CVE-2022-24763 CVE-2022-24764 CVE-2022-24793 CVE-2022-31031 CVE-2022-39244 CVE-2023-27585} + [buster] - ring 20190215.1.f152c98~ds1-1+deb10u2 [29 Aug 2023] DLA-3548-1 qpdf - security update {CVE-2018-18020 CVE-2021-25786 CVE-2021-36978} [buster] - qpdf 8.4.0-2+deb10u1 = data/dla-needed.txt = @@ -178,10 +178,6 @@ rails (utkarsh) NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh) NOTE: 20230828: want to rollout ruby-rack first. (utkarsh) -- -ring (Thorsten Alteholz) - NOTE: 20221120: Added by Front-Desk (ta) - NOTE: 20230827: testing package, almost done --- ruby-loofah NOTE: 20221231: Added by Front-Desk (ola) NOTE: 20230313: Pinged Daniel re. patches in repo ^. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c016457521eb531b0510858181ad2fe8cc81312 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c016457521eb531b0510858181ad2fe8cc81312 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3548-1 for qpdf
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 5ffdf337 by Thorsten Alteholz at 2023-08-29T23:00:36+02:00 Reserve DLA-3548-1 for qpdf - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -151410,7 +151410,6 @@ CVE-2021-36979 (Unicorn Engine 1.0.2 has an out-of-bounds write in tb_flush_arme NOT-FOR-US: Unicorn Engine CVE-2021-36978 (QPDF 9.x through 9.1.1 and 10.x through 10.0.4 has a heap-based buffer ...) - qpdf 10.1.0-1 - [buster] - qpdf (Minor issue) [stretch] - qpdf (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28262 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/qpdf/OSV-2020-2245.yaml @@ -338377,7 +338376,6 @@ CVE-2012-6710 (ext_find_user in eXtplorer through 2.1.2 allows remote attackers - extplorer CVE-2018-18020 (In QPDF 8.2.1, in libqpdf/QPDFWriter.cc, QPDFWriter::unparseObject and ...) - qpdf 9.0.0-1 - [buster] - qpdf (Minor issue) [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) NOTE: https://github.com/qpdf/qpdf/issues/243 = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Aug 2023] DLA-3548-1 qpdf - security update + {CVE-2018-18020 CVE-2021-25786 CVE-2021-36978} + [buster] - qpdf 8.4.0-2+deb10u1 [29 Aug 2023] DLA-3547-1 tryton-server - security update [buster] - tryton-server 5.0.4-2+deb10u2 [28 Aug 2023] DLA-3546-1 opendmarc - security update = data/dla-needed.txt = 
@@ -160,9 +160,6 @@ python2.7 NOTE: 20230826: and wasn't fixed in Debian, but the extra patch is now available and can be fixed now. (utkarsh) NOTE: 20230826: contact Utkarsh in case you're unable to find the supplementary patch. (utkarsh) -- -qpdf (Thorsten Alteholz) - NOTE: 20230820: Added by Front-Desk (ta) --- qt4-x11 NOTE: 20230822: Re-added for one remaining open CVE (roberto) NOTE: 20230822: CVE-2021-28025 maybe a dup of CVE-2021-3481; once resolved, fix or remove entry from this file (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5ffdf33738fbbee2ad47c0774e58cc1609cdc4ba -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5ffdf33738fbbee2ad47c0774e58cc1609cdc4ba You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 5cf84920 by Thorsten Alteholz at 2023-08-27T19:41:19+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -23,7 +23,7 @@ rather than remove/replace existing ones. -- amanda (Thorsten Alteholz) NOTE: 20230730: Added by Front-Desk (apo) - NOTE: 20230813: testing packages (ta) + NOTE: 20230827: still testing package (ta) -- aom (Markus Koschany) NOTE: 20230823: Added by Front-Desk (apo) @@ -169,8 +169,7 @@ rails (utkarsh) -- ring (Thorsten Alteholz) NOTE: 20221120: Added by Front-Desk (ta) - NOTE: 20230507: testing package - NOTE: 20230813: testing package, not all tests pass yet + NOTE: 20230827: testing package, almost done -- ruby-loofah NOTE: 20221231: Added by Front-Desk (ola) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5cf84920c5e395b3ebe4a04dae823724d0c650fb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5cf84920c5e395b3ebe4a04dae823724d0c650fb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: add clamav
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 47550f3b by Thorsten Alteholz at 2023-08-21T01:15:58+02:00 add clamav - - - - - 55e8d263 by Thorsten Alteholz at 2023-08-21T01:24:23+02:00 add opendkim - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -33,6 +33,9 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- +clamav + NOTE: 20230821: Added by Front-Desk (ta) +-- docker.io NOTE: 20230303: Added by Front-Desk (Beuc) NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) @@ -118,6 +121,9 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- +opendkim + NOTE: 20230821: Added by Front-Desk (ta) +-- opendmarc (Chris Lamb) NOTE: 20230811: Added by Front-Desk (Beuc) NOTE: 20230810: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/34 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/80b3736fe03f8d2d487bc0999c448c66d09de5ec...55e8d263411ecf305c5a3a7b6c35ab1ea14b5087 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/80b3736fe03f8d2d487bc0999c448c66d09de5ec...55e8d263411ecf305c5a3a7b6c35ab1ea14b5087 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: add qpdf
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: db1f9da0 by Thorsten Alteholz at 2023-08-21T00:27:55+02:00 add qpdf - - - - - 80b3736f by Thorsten Alteholz at 2023-08-21T00:27:55+02:00 claim qpdf - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -157,6 +157,9 @@ python-os-brick NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- +qpdf (Thorsten Alteholz) + NOTE: 20230820: Added by Front-Desk (ta) +-- qt4-x11 (Roberto C. Sánchez) NOTE: 20230612: Added by Front-Desk (apo) NOTE: 20230615: VCS: https://salsa.debian.org/qt-kde-team/qt/qt4-x11 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/adc1be4109f5103f54c4d1cd0b22e7c4b8a78478...80b3736fe03f8d2d487bc0999c448c66d09de5ec -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/adc1be4109f5103f54c4d1cd0b22e7c4b8a78478...80b3736fe03f8d2d487bc0999c448c66d09de5ec You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] add php7.3
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 589fd541 by Thorsten Alteholz at 2023-08-20T01:03:43+02:00 add php7.3 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -145,6 +145,9 @@ otrs2 (guilhem) NOTE: 20230811: Lots of CVEs have been marked no-dsa or ignored (Non-free not supported), NOTE: 20230811: but this is a sponsored package, so they need to be fixed. (Beuc/front-desk) -- +php7.3 + NOTE: 20230820: Added by Front-Desk (ta) +-- python-glance-store NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/589fd541ed0ed35e4bdf2901b4537220beb62a88 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/589fd541ed0ed35e4bdf2901b4537220beb62a88 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 4 commits: mark CVE-2023-33953 as postponed for Buster
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: d4cf9587 by Thorsten Alteholz at 2023-08-20T00:12:49+02:00 mark CVE-2023-33953 as postponed for Buster - - - - - 1d2c4770 by Thorsten Alteholz at 2023-08-20T00:18:35+02:00 add firmware-nonfree - - - - - e609abc6 by Thorsten Alteholz at 2023-08-20T00:30:27+02:00 mark CVE-2023-40303 as no-dsa for Buster - - - - - 2bc0891c by Thorsten Alteholz at 2023-08-20T00:33:27+02:00 mark CVE-2023-38857 and CVE-2023-38858 as postponed for Buster - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -554,11 +554,13 @@ CVE-2023-38858 (Buffer Overflow vulnerability infaad2 v.2.10.1 allows a remote a - faad2 (bug #1050095) [bookworm] - faad2 (Minor issue) [bullseye] - faad2 (Minor issue) + [buster] - faad2 (recheck when fixed upstream) NOTE: https://github.com/knik0/faad2/issues/173 CVE-2023-38857 (Buffer Overflow vulnerability infaad2 v.2.10.1 allows a remote attacke ...) - faad2 (bug #1050094) [bookworm] - faad2 (Minor issue) [bullseye] - faad2 (Minor issue) + [buster] - faad2 (recheck when fixed upstream) NOTE: https://github.com/knik0/faad2/issues/171 CVE-2023-38856 (Buffer Overflow vulnerability in libxlsv.1.6.2 allows a remote attacke ...) - r-cran-readxl (unimportant) @@ -703,6 +705,7 @@ CVE-2023-40303 (GNU inetutils through 2.4 may allow privilege escalation because - inetutils (bug #1049365) [bookworm] - inetutils (Minor issue) [bullseye] - inetutils (Minor issue) + [buster] - inetutils (Minor issue) NOTE: https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6 NOTE: https://lists.gnu.org/archive/html/bug-inetutils/2023-07/msg0.html CVE-2023-40296 (async-sockets-cpp through 0.3.1 has a stack-based buffer overflow in R ...) 
@@ -1259,6 +1262,7 @@ CVE-2023-34545 (A SQL injection vulnerability in CSZCMS 1.3.0 allows remote atta NOT-FOR-US: CSZCMS CVE-2023-33953 (gRPC contains a vulnerability that allows hpack table accounting error ...) - grpc + [buster] - grpc (recheck when upstream patch is available/published) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2230890 NOTE: https://cloud.google.com/support/bulletins#gcp-2023-022 CVE-2023-33469 (In instances where the screen is visible and remote mouse connection i ...) = data/dla-needed.txt = @@ -47,6 +47,9 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- +firmware-nonfree + NOTE: 20230820: Added by Front-Desk (ta) +-- flask (Sean Whitton) NOTE: 20230811: Added by Front-Desk (Beuc) NOTE: 20230811: Check DSA-5442-1 (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a2906605c03b2deeff3b845c825356e2835148f0...2bc0891c47c21b59ebbaf61a6ffe841ccc906836 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a2906605c03b2deeff3b845c825356e2835148f0...2bc0891c47c21b59ebbaf61a6ffe841ccc906836 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] mark CVE-2023-40305 as no-dsa for Buster
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: a2906605 by Thorsten Alteholz at 2023-08-19T20:21:01+02:00 mark CVE-2023-40305 as no-dsa for Buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -697,6 +697,7 @@ CVE-2023-40305 (GNU indent 2.2.13 has a heap-based buffer overflow in search_bra - indent (bug #1049366) [bookworm] - indent (Minor issue) [bullseye] - indent (Minor issue) + [buster] - indent (Minor issue) NOTE: https://savannah.gnu.org/bugs/index.php?64503 CVE-2023-40303 (GNU inetutils through 2.4 may allow privilege escalation because of un ...) - inetutils (bug #1049365) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2906605c03b2deeff3b845c825356e2835148f0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2906605c03b2deeff3b845c825356e2835148f0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 4 commits: mark CVE-2023-40359 as no-dsa for Buster
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 228f3630 by Thorsten Alteholz at 2023-08-19T00:35:25+02:00 mark CVE-2023-40359 as no-dsa for Buster - - - - - 5754ac62 by Thorsten Alteholz at 2023-08-19T00:40:23+02:00 mark CVE-2023-4413 as no-dsa for Buster - - - - - 22b8191c by Thorsten Alteholz at 2023-08-19T00:46:49+02:00 add python-mechanicalsoup - - - - - fd067cd0 by Thorsten Alteholz at 2023-08-19T01:00:22+02:00 mark CVE-2023-39976 as not-affected for Buster - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -8,6 +8,7 @@ CVE-2023-4413 (A vulnerability was found in rkhunter Rootkit Hunter 1.4.4/1.4.6. - rkhunter [bookworm] - rkhunter (Minor issue) [bullseye] - rkhunter (Minor issue) + [buster] - rkhunter (Minor issue) NOTE: https://gist.github.com/MatheuZSecurity/16ef0219db8f85f49f945a25d5eb42d7 CVE-2023-4412 (A vulnerability was found in TOTOLINK EX1200L EN_V9.3.5u.6146_B2020102 ...) NOT-FOR-US: TOTOLINK @@ -612,6 +613,7 @@ CVE-2023-40359 (xterm before 380 supports ReGIS reporting for character-set name - xterm 382-2 [bookworm] - xterm (Minor issue) [bullseye] - xterm (Minor issue) + [buster] - xterm (Minor issue) NOTE: https://invisible-island.net/xterm/xterm.log.html#xterm_380 CVE-2023-40354 (An issue was discovered in MariaDB MaxScale before 23.02.3. A user ent ...) NOT-FOR-US: Maxscale @@ -1721,6 +1723,7 @@ CVE-2023-39976 (log_blackbox.c in libqb before 2.0.8 allows a buffer overflow vi - libqb 2.0.8-1 [bookworm] - libqb (Minor issue) [bullseye] - libqb (Minor issue) + [buster] - libqb (Vulnerable code introduced later) NOTE: https://github.com/ClusterLabs/libqb/commit/1bbaa929b77113532785c408dd1b41cd0521ffc8 (v2.0.8) NOTE: https://github.com/ClusterLabs/libqb/pull/490 CVE-2023-39530 (PrestaShop is an open source e-commerce web application. Prior to vers ...) = data/dla-needed.txt = 
@@ -148,6 +148,9 @@ python-glance-store NOTE: 20230705: pushed a patched version to: https://salsa.debian.org/lts-team/packages/python-glance-store (jspricke) NOTE: 20230705: upstream patch looks fine to me but should probably be tested and released together with the other affected packages. (jspricke) -- +python-mechanicalsoup + NOTE: 20230819: Added by Front-Desk (ta) +-- python-os-brick NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/82507747f4977d38a8e817192a856370ee8973f7...fd067cd0c991ccea80b9d433beed4c56f717c902 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/82507747f4977d38a8e817192a856370ee8973f7...fd067cd0c991ccea80b9d433beed4c56f717c902 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
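Review bot: the commit message for fd067cd0 reads "not-addected" where "not-affected" is meant; the libqb hunk itself is correct, since "[buster] - libqb (Vulnerable code introduced later)" is the annotation that expresses the not-affected status, so only the commit message wording needs fixing.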
[Git][security-tracker-team/security-tracker][master] 3 commits: add libreswan
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: dd3396f4 by Thorsten Alteholz at 2023-08-17T23:19:24+02:00 add libreswan - - - - - d89edf09 by Thorsten Alteholz at 2023-08-17T23:27:57+02:00 mark CVE-2023-37543 as no-dsa for Buster - - - - - 6bda3cd2 by Thorsten Alteholz at 2023-08-17T23:35:57+02:00 mark CVE-2023-40225 as not-affected for Buster - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -832,6 +832,7 @@ CVE-2023-40225 (HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x an - haproxy 2.6.15-1 (bug #1043502) [bookworm] - haproxy (Minor issue, fix along with future DSA) [bullseye] - haproxy (Minor issue, fix along with future DSA) + [buster] - haproxy (Vulnerable code not present) NOTE: https://github.com/haproxy/haproxy/issues/2237 NOTE: https://github.com/haproxy/haproxy/commit/6492f1f29d738457ea9f382aca54537f35f9d856 CVE-2023-4283 (The EmbedPress plugin for WordPress is vulnerable to Stored Cross-Site ...) @@ -955,6 +956,7 @@ CVE-2023-37543 (Cacti before 1.2.6 allows IDOR (Insecure Direct Object Reference - cacti [bookworm] - cacti (Minor issue) [bullseye] - cacti (Minor issue) + [buster] - cacti (Minor issue) NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-4x82-8w8m-w8hj NOTE: https://medium.com/%40hussainfathy99/exciting-news-my-first-cve-discovery-cve-2023-37543-idor-vulnerability-in-cacti-bbb6c386afed TODO: check details once GHSA-4x82-8w8m-w8hj accessible, 1.2.6 does not seem correct, reporter claims 1.2.25 wich is not released = data/dla-needed.txt = 
@@ -89,6 +89,9 @@ intel-microcode (utkarsh) NOTE: 20230815: https://salsa.debian.org/lts-team/packages/intel-microcode/-/commits/releases/buster NOTE: 20230815: waiting for hmh to review. (utkarsh) -- +libreswan + NOTE: 20230817: Added by Front-Desk (ta) +-- linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1ca787868baa231e16c7683eb8060e9df63cca89...6bda3cd25a83f41bea12b0ae259366c82cff5e42
[Git][security-tracker-team/security-tracker][master] add openssh
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: b6f1ca69 by Thorsten Alteholz at 2023-08-14T20:16:06+02:00 add openssh - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -138,6 +138,9 @@ openjdk-11 (Emilio) NOTE: 20230802: update prepared for new CPU, waiting for DSA and checking NOTE: 20230802: whether to change jtreg version (pochu) -- +openssh + NOTE: 20230814: Added by Front-Desk (ta) +-- openssl (gladk) NOTE: 20230731: Added by Front-Desk (apo) NOTE: 20230814: ready to be uploaded View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6f1ca69dd92dd7a2a9fbc7cfe5477f4773fc9bd
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: e47056c8 by Thorsten Alteholz at 2023-08-13T20:44:44+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -23,6 +23,7 @@ rather than remove/replace existing ones. -- amanda (Thorsten Alteholz) NOTE: 20230730: Added by Front-Desk (apo) + NOTE: 20230813: testing packages (ta) -- cairosvg (gladk) NOTE: 20230323: Added by Front-Desk (gladk) @@ -197,7 +198,7 @@ rar (Markus Koschany) ring (Thorsten Alteholz) NOTE: 20221120: Added by Front-Desk (ta) NOTE: 20230507: testing package - NOTE: 20230730: testing package, not all tests pass yet + NOTE: 20230813: testing package, not all tests pass yet -- ruby-loofah NOTE: 20221231: Added by Front-Desk (ola) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e47056c8c5814246254f5fb5ce4fcd7713f03527
[Git][security-tracker-team/security-tracker][master] 2 commits: update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 7776373b by Thorsten Alteholz at 2023-07-30T23:33:39+02:00 update note - - - - - 36c7fadb by Thorsten Alteholz at 2023-07-30T23:33:39+02:00 claim amanda - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -21,7 +21,7 @@ To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. -- -amanda +amanda (Thorsten Alteholz) NOTE: 20230730: Added by Front-Desk (apo) -- cairosvg (gladk) @@ -141,7 +141,7 @@ rails ring (Thorsten Alteholz) NOTE: 20221120: Added by Front-Desk (ta) NOTE: 20230507: testing package - NOTE: 20230716: testing package, not all tests pass yet + NOTE: 20230730: testing package, not all tests pass yet -- ruby-loofah NOTE: 20221231: Added by Front-Desk (ola) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0bdc959b6a1ec130ec9970e70826f1b35d2383fc...36c7fadb74d6b19bcac9f89bb1167e782368efe6
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3505-1 for gst-plugins-good1.0
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: e8cc2ef9 by Thorsten Alteholz at 2023-07-25T19:11:16+02:00 Reserve DLA-3505-1 for gst-plugins-good1.0 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[25 Jul 2023] DLA-3505-1 gst-plugins-good1.0 - security update + {CVE-2023-37327} + [buster] - gst-plugins-good1.0 1.14.4-1+deb10u3 [25 Jul 2023] DLA-3504-1 gst-plugins-base1.0 - security update {CVE-2023-37328} [buster] - gst-plugins-base1.0 1.14.4-2+deb10u2 = data/dla-needed.txt = @@ -52,10 +52,6 @@ grpc (Sylvain Beucler) NOTE: 20230614: Added by Front-Desk (opal) NOTE: 20230618: CVE-2023-32731 fix will need a massive rewrite (rouca) -- -gst-plugins-good1.0 (Thorsten Alteholz) - NOTE: 20230702: Added by Front-Desk (ta) - NOTE: 20230716: still backporting patches --- hdf5 NOTE: 20230318: Added by Front-Desk (utkarsh) NOTE: 20230318: Consider fixing all the no-dsa and postponed issues as well. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8cc2ef973d68836700e1a486e3ec35e267c139d
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3504-1 for gst-plugins-base1.0
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 1331610c by Thorsten Alteholz at 2023-07-25T19:08:42+02:00 Reserve DLA-3504-1 for gst-plugins-base1.0 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[25 Jul 2023] DLA-3504-1 gst-plugins-base1.0 - security update + {CVE-2023-37328} + [buster] - gst-plugins-base1.0 1.14.4-2+deb10u2 [25 Jul 2023] DLA-3503-1 gst-plugins-bad1.0 - security update {CVE-2023-37329} [buster] - gst-plugins-bad1.0 1.14.4-1+deb10u3 = data/dla-needed.txt = @@ -52,10 +52,6 @@ grpc (Sylvain Beucler) NOTE: 20230614: Added by Front-Desk (opal) NOTE: 20230618: CVE-2023-32731 fix will need a massive rewrite (rouca) -- -gst-plugins-base1.0 (Thorsten Alteholz) - NOTE: 20230702: Added by Front-Desk (ta) - NOTE: 20230716: still backporting patches --- gst-plugins-good1.0 (Thorsten Alteholz) NOTE: 20230702: Added by Front-Desk (ta) NOTE: 20230716: still backporting patches View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1331610c0bae534f8ecabb902368e9f52d214dba
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3503-1 for gst-plugins-bad1.0
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: bf30134a by Thorsten Alteholz at 2023-07-25T19:05:26+02:00 Reserve DLA-3503-1 for gst-plugins-bad1.0 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[25 Jul 2023] DLA-3503-1 gst-plugins-bad1.0 - security update + {CVE-2023-37329} + [buster] - gst-plugins-bad1.0 1.14.4-1+deb10u3 [25 Jul 2023] DLA-3502-1 python-git - security update {CVE-2022-24439} [buster] - python-git 2.1.11-1+deb10u1 = data/dla-needed.txt = @@ -52,10 +52,6 @@ grpc (Sylvain Beucler) NOTE: 20230614: Added by Front-Desk (opal) NOTE: 20230618: CVE-2023-32731 fix will need a massive rewrite (rouca) -- -gst-plugins-bad1.0 (Thorsten Alteholz) - NOTE: 20230702: Added by Front-Desk (ta) - NOTE: 20230716: still backporting patches --- gst-plugins-base1.0 (Thorsten Alteholz) NOTE: 20230702: Added by Front-Desk (ta) NOTE: 20230716: still backporting patches View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bf30134aefa843a859307764ee13ac6ede5dbd27
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: d21adee2 by Thorsten Alteholz at 2023-07-16T23:46:42+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -56,12 +56,15 @@ grpc -- gst-plugins-bad1.0 (Thorsten Alteholz) NOTE: 20230702: Added by Front-Desk (ta) + NOTE: 20230716: still backporting patches -- gst-plugins-base1.0 (Thorsten Alteholz) NOTE: 20230702: Added by Front-Desk (ta) + NOTE: 20230716: still backporting patches -- gst-plugins-good1.0 (Thorsten Alteholz) NOTE: 20230702: Added by Front-Desk (ta) + NOTE: 20230716: still backporting patches -- hdf5 NOTE: 20230318: Added by Front-Desk (utkarsh) @@ -164,7 +167,7 @@ renderdoc (tobi) ring (Thorsten Alteholz) NOTE: 20221120: Added by Front-Desk (ta) NOTE: 20230507: testing package - NOTE: 20230701: testing package, not all tests pass yet + NOTE: 20230716: testing package, not all tests pass yet -- ruby-loofah NOTE: 20221231: Added by Front-Desk (ola) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d21adee29f966870b4226f1f37b51b0290013e20
[Git][security-tracker-team/security-tracker][master] 3 commits: add yajl
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: fcb78095 by Thorsten Alteholz at 2023-07-03T00:07:40+02:00 add yajl - - - - - fd0c9bcc by Thorsten Alteholz at 2023-07-03T00:07:41+02:00 mark CVE-2023-2861 as no-dsa for Buster - - - - - 430ae682 by Thorsten Alteholz at 2023-07-03T00:07:42+02:00 mark CVE-2023-3354 as no-dsa for Buster - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -445,6 +445,7 @@ CVE-2023-3354 [VNC: improper I/O watch removal in TLS handshake can lead to remo - qemu [bookworm] - qemu (Minor issue) [bullseye] - qemu (Minor issue) + [buster] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2216478 TODO: check, no details in RHBZ#2216478 on upstream status CVE-2023-3432 (Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plant ...) @@ -497,6 +498,7 @@ CVE-2023-2996 (The Jetpack WordPress plugin before 12.1.1 does not validate uplo NOT-FOR-US: WordPress plugin CVE-2023-2861 [9pfs: prevent opening special files] - qemu + [buster] - qemu (Minor issue) NOTE: https://gitlab.com/qemu-project/qemu/-/commit/f6b0de53fb87ddefed348a39284c8e2f28dc4eda CVE-2023-2860 [ipv6: sr: fix out-of-bounds read when setting HMAC data.] - linux 5.19.11-1 = data/dla-needed.txt = 
@@ -263,3 +263,6 @@ webkit2gtk (Emilio) NOTE: 20230606: https://lists.debian.org/debian-lts/2023/06/msg5.html (pochu) NOTE: 20230627: will likely hold the update and mark as not-supported due to feedback (pochu) -- +yajl (tobi) + NOTE: 20230702: Added by Front-Desk (ta) +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ab48cb7e37aa9475bb69485eab889d5f8f70bb5d...430ae6821506cd4290eacaa2d66eb4b328c866e2