[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim less
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 9148831e by Abhijith PA at 2024-04-19T11:58:40+05:30 data/dla-needed.txt: claim less - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -121,7 +121,7 @@ knot-resolver (Markus Koschany) NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs has been fixed in bullseye. (ola) -- -less +less (Abhijith PA) NOTE: 20240418: Added by Front-Desk (apo) -- libpgjava (Markus Koschany) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9148831e56b88d1d2a556e2bf0911611b90be9a6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9148831e56b88d1d2a556e2bf0911611b90be9a6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim tiff
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: a8522564 by Abhijith PA at 2024-03-18T10:31:40+05:30 data/dla-needed.txt: claim tiff - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -292,7 +292,7 @@ suricata (Adrian Bunk) thunderbird (Emilio) NOTE: 20240306: Added by Front-Desk (opal) -- -tiff +tiff (Abhijith PA) NOTE: 20240314: Added by coordinator (roberto) NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and NOTE: 20240314: bookworm. Uploads to spu and ospu should be coordinated. (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a8522564f49a69150f3fcfb173d4b3bd3d452c89 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a8522564f49a69150f3fcfb173d4b3bd3d452c89 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
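Review bot: the claim picks up an entry whose 20240314 context NOTE lines say several CVEs fixed in LTS are still no-dsa in bullseye and bookworm and that spu/ospu uploads should be coordinated, yet the hunk only changes `-tiff` to `+tiff (Abhijith PA)` and records nothing about whether the claimant is taking on that coordination or only the buster upload. A dated `NOTE: 20240318: ...` line stating the intended scope would save the next front-desk pass from re-asking.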
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3758-1 for tiff
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 7199e99c by Abhijith PA at 2024-03-11T16:48:11+05:30 Reserve DLA-3758-1 for tiff - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -10267,7 +10267,6 @@ CVE-2023-52356 (A segment fault (SEGV) flaw was found in libtiff that could be t - tiff 4.5.1+git230720-4 (bug #1061524) [bookworm] - tiff (Minor issue) [bullseye] - tiff (Minor issue) - [buster] - tiff (Minor issue, DoS) NOTE: https://gitlab.com/libtiff/libtiff/-/issues/622 NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/546 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a @@ -30802,7 +30801,6 @@ CVE-2023-3665 (A code injection vulnerability in Trellix ENS 10.7.0 April 2023 r CVE-2023-3576 (A memory leak flaw was found in Libtiff's tiffcrop utility. This issue ...) {DSA-5567-1} - tiff 4.5.1~rc3-1 - [buster] - tiff (Minor issue, memory leak in CLI tool) NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/475 NOTE: Fixed by: https://gitlab.com/libtiff/libtiff/-/commit/1d5b1181c980090a6518f11e61a18b0e268bf31a (v4.5.1rc1) CVE-2023-3512 (Relative path traversal vulnerability in Setelsa Security's ConacWin C ...) = data/DLA/list = @@ -1,3 +1,6 @@ +[11 Mar 2024] DLA-3758-1 tiff - security update + {CVE-2023-3576 CVE-2023-52356} + [buster] - tiff 4.1.0+git191117-2~deb10u9 [10 Mar 2024] DLA-3757-1 nss - security update {CVE-2023-5388 CVE-2024-0743} [buster] - nss 2:3.42.1-1+deb10u8 = data/dla-needed.txt = 
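Review bot: the DLA/list entry and the CVE/list hunks are consistent (the two removed buster lines are exactly the CVEs in `{CVE-2023-3576 CVE-2023-52356}`), but the unchanged context shows CVE-2023-52356 still carried as `[bookworm] - tiff (Minor issue)` and `[bullseye] - tiff (Minor issue)`, so after this DLA buster is fixed for an issue the newer releases are not. That is the situation a later front-desk note on this list flags for spu/ospu coordination; a NOTE under CVE-2023-52356 (or a ping to the release team) at reservation time would record it where the stable maintainers look.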
@@ -250,10 +250,6 @@ suricata (Adrian Bunk) thunderbird (Emilio) NOTE: 20240306: Added by Front-Desk (opal) -- -tiff (Abhijith PA) - NOTE: 20231231: Added by Front-Desk (lamby) - NOTE: 20231231: CVE-2023-3576 already fixed in bullseye via DSA or point release(s). (lamby) --- tinymce NOTE: 20231123: Added by Front-Desk (ola) NOTE: 20231216: Someone with more XSS experience needed to assess the View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7199e99c42f32f3a2b5eafa4053b4b4d5109e711 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7199e99c42f32f3a2b5eafa4053b4b4d5109e711 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: The PoC given is not reproducible in buster but this CVE is an
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 376c6d8e by Abhijith PA at 2024-03-11T10:41:16+05:30 The PoC given is not reproducible in buster but this CVE is an general issue from an incomplete fix from 4.0.10. But too invasive patch for a minor issue. - - - - - 61509b66 by Abhijith PA at 2024-03-11T10:47:10+05:30 Backporting CVE-2023-6277 can introduce regression in libimager-perl - - - - - ae62c233 by Abhijith PA at 2024-03-11T10:51:24+05:30 Upstream fixed this issue by providing an update to doc. tiff in buster have html docs and upstream in .rst. Not worth converting docs. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10250,7 +10250,7 @@ CVE-2023-52355 (An out-of-memory flaw was found in libtiff that could be trigger - tiff 4.5.1+git230720-4 [bookworm] - tiff (Minor issue) [bullseye] - tiff (Minor issue) - [buster] - tiff (Minor issue, DoS) + [buster] - tiff (Minor issue, DoS) NOTE: https://gitlab.com/libtiff/libtiff/-/issues/621 NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/553 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/335947359ce2dd3862cd9f7c49f92eba065dfed4 @@ -21875,7 +21875,7 @@ CVE-2023-6277 (An out-of-memory flaw was found in libtiff. Passing a crafted tif - tiff 4.5.1+git230720-2 (bug #1056751) [bookworm] - tiff (Minor issue; will cause compatibility issue with libimager-perl, cf #1057270) [bullseye] - tiff (Minor issue; will cause compatibility issue with libimager-perl, cf #1057270) - [buster] - tiff (Minor issue; OOM DoS) + [buster] - tiff (Minor issue; OOM DoS) NOTE: https://gitlab.com/libtiff/libtiff/-/issues/614 NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/545 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a 
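Review bot: in both hunks on this line the removed and added `[buster] - tiff (...)` lines are textually identical as rendered, so the actual change (the buster status keyword the commit messages describe, i.e. marking these as not to be fixed) is not visible here; the angle-bracketed marker appears to have been dropped by the notification, which is worth checking against the committed file. Separately, the CVE-2023-6277 hunk keeps the parenthetical `(Minor issue; OOM DoS)` while the bullseye and bookworm lines above it already record `will cause compatibility issue with libimager-perl, cf #1057270`, which is exactly the reason given in commit 61509b66; mirror that text in the buster line so the decision is auditable from CVE/list alone, and give the CVE-2023-52355 line its reason too ("incomplete fix from 4.0.10, patch too invasive for a minor issue", per commit 376c6d8e).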
@@ -106015,7 +106015,7 @@ CVE-2022-40091 (Online Tours & Travels Management System v1.0 was discovered to CVE-2022-40090 (An issue was discovered in function TIFFReadDirectory libtiff before 4 ...) - tiff 4.5.0-2 [bullseye] - tiff (Minor issue) - [buster] - tiff (Minor issue, DoS) + [buster] - tiff (Minor issue, DoS) NOTE: https://gitlab.com/libtiff/libtiff/-/issues/455 NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/386 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/d093eb5d961e21ba51420bc22382c514683a4d91 (v4.5.0rc1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f95d3ce82bb4c126f1895a4fc26d26e068cd8ccb...ae62c23362ed648db3ff8b56ca0d38aedf975d58 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f95d3ce82bb4c126f1895a4fc26d26e068cd8ccb...ae62c23362ed648db3ff8b56ca0d38aedf975d58 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: reclaim frr
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 383c8d05 by Abhijith PA at 2024-03-01T15:02:07+05:30 data/dla-needed.txt: reclaim frr - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -100,9 +100,10 @@ firefox-esr (Emilio) freeimage NOTE: 20240121: Added by Front-Desk (apo) -- -frr +frr (Abhijith PA) NOTE: 20231119: Added by Front-Desk (apo) NOTE: 20240206: Continuing fixing the remaining issues (abhijith) + NOTE: 20240301: continue work (abhijith) -- golang-go.crypto NOTE: 20231219: Added by Front-Desk (ta) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/383c8d059501648ee9b923461ff6d85cf3f21de1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/383c8d059501648ee9b923461ff6d85cf3f21de1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
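Review bot: the added `+ NOTE: 20240301: continue work (abhijith)` adds no information beyond the 20240206 line above it ("Continuing fixing the remaining issues"); naming which issues remain, or what is blocking, would make the reclaim useful to the front desk rather than only a timestamp.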
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim tiff
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: c2f5980f by Abhijith PA at 2024-02-25T14:34:08+05:30 data/dla-needed.txt: claim tiff - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -290,7 +290,7 @@ thunderbird NOTE: 20240222: Added by Front-Desk (pochu) NOTE: 20240222: send DLA after maintainer uploads 115.8.0 -- -tiff +tiff (Abhijith PA) NOTE: 20231231: Added by Front-Desk (lamby) NOTE: 20231231: CVE-2023-3576 already fixed in bullseye via DSA or point release(s). (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2f5980fe61407b6d95a9febf6a10b2816dc336d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2f5980fe61407b6d95a9febf6a10b2816dc336d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] This CVE is due to a regression introduced in 9.50
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: bb242bbb by Abhijith PA at 2024-02-25T14:24:35+05:30 This CVE is due to a regression introduced in 9.50 https://bugs.ghostscript.com/show_bug.cgi?id=701877 https://git.ghostscript.com/?p=ghostpdl.git;h=da03855bf9ca18eab05d4ac870d73f457758a77f ghostscript in buster not backported this patch. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -4426,6 +4426,7 @@ CVE-2023-52425 (libexpat through 2.5.0 allows a denial of service (resource cons NOTE: Merge commit: https://github.com/libexpat/libexpat/commit/34b598c5f594b015c513c73f06e7ced3323edbf1 CVE-2020-36773 (Artifex Ghostscript before 9.53.0 has an out-of-bounds write and use-a ...) - ghostscript 9.53.0~dfsg-1 + [buster] - ghostscript (regression introduced in version 9.50) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=702229 NOTE: Fixed by: http://www.ghostscript.com/cgi-bin/findgit.cgi?8c7bd787defa071c96289b7da9397f673fddb874 (ghostpdl-9.53.0rc1) CVE-2018-25098 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in blockmaso ...) = data/dla-needed.txt = 
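Review bot: the new `+ [buster] - ghostscript (regression introduced in version 9.50)` line carries the conclusion but not the evidence; the commit message cites bugs.ghostscript.com 701877 and ghostpdl commit da03855bf9ca18eab05d4ac870d73f457758a77f as the change that buster never received, and those belong as NOTE lines under CVE-2020-36773 next to the existing `NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=702229`, so the not-affected reasoning can be re-checked from CVE/list without digging through git log. As with the other status edits in this series, the buster status keyword itself is not visible in the rendered line and should be confirmed in the committed file.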
@@ -106,9 +106,6 @@ frr (Abhijith PA) NOTE: 20231119: Added by Front-Desk (apo) NOTE: 20240206: Continuing fixing the remaining issues (abhijith) -- -ghostscript (Abhijith PA) - NOTE: 20240212: Added by Front-Desk (lamby) --- gnutls28 (guilhem) NOTE: 20240122: Added by Front-Desk (Beuc) NOTE: 20240122: Incomplete fix for CVE-2023-5981/DLA-3660-1 (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb242bbb9429518387c46f3219a8d190aac64911 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb242bbb9429518387c46f3219a8d190aac64911 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim ghostscript
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: b82481e5 by Abhijith PA at 2024-02-13T12:15:52+05:30 data/dla-needed.txt: claim ghostscript update note on varnish and re-claim - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -92,7 +92,7 @@ frr (Abhijith PA) NOTE: 20231119: Added by Front-Desk (apo) NOTE: 20240206: Continuing fixing the remaining issues (abhijith) -- -ghostscript +ghostscript (Abhijith PA) NOTE: 20240212: Added by Front-Desk (lamby) -- gnutls28 (guilhem) @@ -275,12 +275,13 @@ tinymce tomcat9 (Markus Koschany) NOTE: 20240121: Added by Front-Desk (apo) -- -varnish +varnish (Abhijith PA) NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 NOTE: 20231219: Continuing work NOTE: 20240108: Backported security fixes and related commits. Fixing test failures. (abhijith) NOTE: 20240122: Still fixing tests (abhijith) + NOTE: 20240213: Fixing tests.(abhijith) -- wireshark NOTE: 20231118: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b82481e5fa676099edddbe76d4714956e9b47081 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b82481e5fa676099edddbe76d4714956e9b47081 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
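Review bot: `+ NOTE: 20240213: Fixing tests.(abhijith)` is missing the space before the attribution, unlike every other NOTE line in the context (`... (abhijith)`); trivial, but the file is grepped and parsed by people. More substantively, the commit title names only the ghostscript claim while the second hunk re-claims varnish and updates its status; two unrelated claims in one commit make the history harder to read and should be separate commits, as the other claim commits in this series are.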
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: re-claim frr
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 669ac433 by Abhijith PA at 2024-02-06T10:42:00+05:30 data/dla-needed.txt: re-claim frr - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -84,8 +84,9 @@ exiftags freeimage NOTE: 20240121: Added by Front-Desk (apo) -- -frr +frr (Abhijith PA) NOTE: 20231119: Added by Front-Desk (apo) + NOTE: 20240206: Continuing fixing the remaining issues (abhijith) -- gnutls28 (guilhem) NOTE: 20240122: Added by Front-Desk (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/669ac433941c1057bff09d606e1ed6b937351425 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/669ac433941c1057bff09d606e1ed6b937351425 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3733-1 for rear
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 4fe981fb by Abhijith PA at 2024-02-03T22:49:44+05:30 Reserve DLA-3733-1 for rear - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[03 Feb 2024] DLA-3733-1 rear - security update + {CVE-2024-23301} + [buster] - rear 2.4+dfsg-1+deb10u1 [03 Feb 2024] DLA-3732-1 sudo - security update {CVE-2023-7090 CVE-2023-28486 CVE-2023-28487} [buster] - sudo 1.8.27-1+deb10u6 = data/dla-needed.txt = @@ -211,9 +211,6 @@ rails NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh) NOTE: 20230828: want to rollout ruby-rack first. (utkarsh) -- -rear (Abhijith PA) - NOTE: 20240121: Added by Front-Desk (apo) --- ring NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4fe981fbf9f162b97593ec52d978aa75dc5133b3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4fe981fbf9f162b97593ec52d978aa75dc5133b3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
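Review bot: unlike the tiff and kodi reservations in this series, this commit touches only data/DLA/list and data/dla-needed.txt and not data/CVE/list; that is correct if CVE-2024-23301 never had a `[buster] - rear ...` status line, but worth confirming, since a stale buster line left behind after the DLA entry is the usual way these two files drift apart.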
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim rear
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: e1dc196f by Abhijith PA at 2024-01-23T16:09:26+05:30 data/dla-needed.txt: Claim rear - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -236,7 +236,7 @@ rails NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh) NOTE: 20230828: want to rollout ruby-rack first. (utkarsh) -- -rear +rear (Abhijith PA) NOTE: 20240121: Added by Front-Desk (apo) -- ring View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e1dc196f59932d4101b78f88b6a4688b75a8bc9a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e1dc196f59932d4101b78f88b6a4688b75a8bc9a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] update note in dla-needed.txt
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 9985e4a3 by Abhijith PA at 2024-01-22T21:48:30+05:30 update note in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -304,6 +304,7 @@ varnish (Abhijith PA) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 NOTE: 20231219: Continuing work NOTE: 20240108: Backported security fixes and related commits. Fixing test failures. (abhijith) + NOTE: 20240122: Still fixing tests (abhijith) -- wireshark (Adrian Bunk) NOTE: 20231118: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9985e4a394f1880f3ea8a43a70a44aad14d83a81 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9985e4a394f1880f3ea8a43a70a44aad14d83a81 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim frr
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 779a6cd7 by Abhijith PA at 2024-01-17T17:46:02+05:30 data/dla-needed.txt: claim frr - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -77,7 +77,7 @@ edk2 NOTE: 20231230: Added by Front-Desk (lamby) NOTE: 20231230: CVE-2019-11098 fixed in bullseye via DSA or point release (lamby) -- -frr +frr (Abhijith PA) NOTE: 20231119: Added by Front-Desk (apo) -- golang-go.crypto View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/779a6cd7cbdc7906a7b3984264ae089b3619fb2e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/779a6cd7cbdc7906a7b3984264ae089b3619fb2e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3712-1 for kodi
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: cc67988d by Abhijith PA at 2024-01-17T15:52:17+05:30 Reserve DLA-3712-1 for kodi - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -41801,7 +41801,6 @@ CVE-2023-30208 CVE-2023-30207 (A divide by zero issue discovered in Kodi Home Theater Software 19.5 a ...) - kodi 2:20.0~rc2+dfsg-2 (bug #1040593) [bullseye] - kodi (Minor issue) - [buster] - kodi (Minor issue) NOTE: https://github.com/xbmc/xbmc/issues/22378 NOTE: https://github.com/xbmc/xbmc/commit/dbc00c500f4c4830049cc040a61c439c580eea73 NOTE: https://github.com/xbmc/xbmc/pull/22391 @@ -63494,7 +63493,6 @@ CVE-2023-23083 CVE-2023-23082 (A heap buffer overflow vulnerability in Kodi Home Theater Software up ...) - kodi 2:20.0+dfsg-2 (bug #1031048) [bullseye] - kodi (Minor issue) - [buster] - kodi (Minor issue) NOTE: https://github.com/xbmc/xbmc/issues/22377 NOTE: https://github.com/xbmc/xbmc/commit/00fec1dbdd1df827872c7b55ad93059636dfc076 NOTE: https://github.com/xbmc/xbmc/commit/7e5f9fbf9aaa3540aab35e7504036855b23dcf60 @@ -159825,7 +159823,6 @@ CVE-2021-42918 CVE-2021-42917 (Buffer overflow vulnerability in Kodi xbmc up to 19.0, allows attacker ...) - kodi 2:19.3+dfsg1-1 (bug #998419) [bullseye] - kodi 2:19.1+dfsg2-2+deb11u1 - [buster] - kodi (Minor issue) [stretch] - kodi (no point in fixing this when the more severe CVE-2017-5982 is ignored) - xbmc NOTE: https://github.com/xbmc/xbmc/commit/80c8138c09598e88b4ddb6dbb279fa193bbb3237 @@ -448280,7 +448277,6 @@ CVE-2017-5983 (The JIRA Workflow Designer Plugin in Atlassian JIRA Server before NOT-FOR-US: JIRA Workflow Designer Plugin CVE-2017-5982 (Directory traversal vulnerability in the Chorus2 2.4.2 add-on for Kodi ...) - kodi 2:18.6+dfsg1-1 (bug #855225) - [buster] - kodi (Minor issue) [stretch] - kodi (Minor issue) [jessie] - kodi (Minor issue) - xbmc (bug #861274) = data/DLA/list = 
@@ -1,3 +1,6 @@ +[17 Jan 2024] DLA-3712-1 kodi - security update + {CVE-2017-5982 CVE-2021-42917 CVE-2023-23082 CVE-2023-30207} + [buster] - kodi 2:17.6+dfsg1-4+deb10u1 [10 Jan 2024] DLA-3711-1 linux-5.10 - security update {CVE-2021-44879 CVE-2023-5178 CVE-2023-5197 CVE-2023-5717 CVE-2023-6121 CVE-2023-6531 CVE-2023-6817 CVE-2023-6931 CVE-2023-6932 CVE-2023-25775 CVE-2023-34324 CVE-2023-35827 CVE-2023-45863 CVE-2023-46813 CVE-2023-46862 CVE-2023-51780 CVE-2023-51781 CVE-2023-51782} [buster] - linux-5.10 5.10.205-2~deb10u1 = data/dla-needed.txt = @@ -115,11 +115,6 @@ keystone (rouca) knot-resolver (Markus Koschany) NOTE: 20231029: Added by Front-Desk (gladk) -- -kodi (Abhijith PA) - NOTE: 20231228: Added by Front-Desk (lamby) - NOTE: 20231228: CVE-2021-42917 was postponed in 2021; fixed in bullseye via DSA or point release. (lamby) - NOTE: 20240414: Fixed issues. https://people.debian.org/~abhijith/upload/kport/update/. Testing (abhijith) --- libreswan NOTE: 20230817: Added by Front-Desk (ta) NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc67988d2ce63a7661ca0091af3876ce01cb50f5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc67988d2ce63a7661ca0091af3876ce01cb50f5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] update kodi status
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: b0e9b892 by Abhijith PA at 2024-01-14T23:43:57+05:30 update kodi status - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -114,6 +114,7 @@ knot-resolver (Markus Koschany) kodi (Abhijith PA) NOTE: 20231228: Added by Front-Desk (lamby) NOTE: 20231228: CVE-2021-42917 was postponed in 2021; fixed in bullseye via DSA or point release. (lamby) + NOTE: 20240414: Fixed issues. https://people.debian.org/~abhijith/upload/kport/update/. Testing (abhijith) -- libreswan NOTE: 20230817: Added by Front-Desk (ta) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b0e9b892270eee92ee29f131ebbff224e9558ae4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b0e9b892270eee92ee29f131ebbff224e9558ae4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
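Review bot: the added NOTE is stamped `20240414`, but the commit is dated 2024-01-14 and the line sits after a 20231228 entry, so the stamp is almost certainly meant to be `20240114`; a future-dated stamp misorders the timeline for anyone reading the entry. Suggest `+ NOTE: 20240114: Fixed issues. https://people.debian.org/~abhijith/upload/kport/update/. Testing (abhijith)`.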
[Git][security-tracker-team/security-tracker][master] update note in dla-needed.txt
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 01ff9158 by Abhijith PA at 2024-01-08T11:22:32+05:30 update note in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -260,6 +260,7 @@ varnish (Abhijith PA) NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 NOTE: 20231219: Continuing work + NOTE: 20240108: Backported security fixes and related commits. Fixing test failures. (abhijith) -- wireshark (Adrian Bunk) NOTE: 20231118: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/01ff9158a6031cd686507404be25c72624915d8a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/01ff9158a6031cd686507404be25c72624915d8a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim kodi
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: fe23cfcc by Abhijith PA at 2024-01-04T17:56:53+05:30 data/dla-needed.txt: claim kodi - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -114,7 +114,7 @@ keystone knot-resolver NOTE: 20231029: Added by Front-Desk (gladk) -- -kodi +kodi (Abhijith PA) NOTE: 20231228: Added by Front-Desk (lamby) NOTE: 20231228: CVE-2021-42917 was postponed in 2021; fixed in bullseye via DSA or point release. (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe23cfcc01ca2d2c486c399f208f90cf18c24bc3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe23cfcc01ca2d2c486c399f208f90cf18c24bc3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] reclaim varnish in dla-needed.txt
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 6ce4e477 by Abhijith PA at 2023-12-19T10:15:18+05:30 reclaim varnish in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -247,9 +247,10 @@ tomcat9 NOTE: 20231129: Added by Front-Desk (Beuc) NOTE: 20131217: I have made a fix, tests are ok but due to high popcon prefer a review by apo (rouca) -- -varnish +varnish (Abhijith PA) NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 + NOTE: 20231219: Continuing work -- wireshark (Adrian Bunk) NOTE: 20231118: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ce4e4779f60d36b7bf23304a1d073185542a4ac -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ce4e4779f60d36b7bf23304a1d073185542a4ac You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
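Review bot: `+ NOTE: 20231219: Continuing work` has no trailing attribution, whereas the file's convention visible in the context is `(apo)`, `(rouca)`, and the later varnish notes use `(abhijith)`; add it so the author of a status line is recoverable from the file. Drive-by on the unchanged context: `NOTE: 20131217: I have made a fix ...` carries a 2013 stamp that is presumably 20231217.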
[Git][security-tracker-team/security-tracker][master] data/ela-needed.txt: claim netatalk
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: d5352075 by Abhijith PA at 2023-12-05T21:15:34+05:30 data/ela-needed.txt: claim netatalk - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -111,7 +111,7 @@ linux-5.10 mariadb-10.3 NOTE: 20231129: Added by Front-Desk (Beuc) -- -netatalk +netatalk (Abhijith PA) NOTE: 20231119: Added by Front-Desk (apo) -- node-webpack View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5352075180aa40bea7e929f89143cc131651667 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5352075180aa40bea7e929f89143cc131651667 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
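Review bot: the commit subject says `data/ela-needed.txt: claim netatalk` but the only changed file is `data/dla-needed.txt` (ELA is the extended-LTS list, DLA the LTS one); the subject should read `data/dla-needed.txt: claim netatalk` so the log is not misleading when searched by file.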
[Git][security-tracker-team/security-tracker][master] update note in dla-needed.txt
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 03aabd00 by Abhijith PA at 2023-12-04T13:46:58+05:30 update note in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -228,6 +228,7 @@ tor -- varnish (Abhijith PA) NOTE: 20231117: Added by Front-Desk (apo) + NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 -- wireshark (Adrian Bunk) NOTE: 20231118: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03aabd00b595a715073f4406bd4c5f0b1a7bac9a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03aabd00b595a715073f4406bd4c5f0b1a7bac9a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/ela-needed.txt: claim varnish
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 74505a75 by Abhijith PA at 2023-11-19T17:15:14+05:30 data/ela-needed.txt: claim varnish - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -246,7 +246,7 @@ suricata (Adrian Bunk) symfony NOTE: 20231118: Added by Front-Desk (apo) -- -varnish +varnish (Abhijith PA) NOTE: 20231117: Added by Front-Desk (apo) -- vlc View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/74505a75ee34ccff60c46c0fd48bd61c8316ff97 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/74505a75ee34ccff60c46c0fd48bd61c8316ff97 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
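Review bot: same file-name mismatch as the netatalk claim: the subject names `data/ela-needed.txt` while the hunk is against `data/dla-needed.txt`; it should be `data/dla-needed.txt: claim varnish`.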
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim h2o
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 7370d5f0 by Abhijith PA at 2023-10-15T22:46:35+05:30 data/dla-needed.txt: Claim h2o - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -90,7 +90,7 @@ gst-plugins-bad1.0 (Thorsten Alteholz) NOTE: 20230928: Added by Frond-Desk (ola) NOTE: 20231013: testing package -- -h2o +h2o (Abhijith PA) NOTE: 20231013: Added by Front-Desk (ta) -- i2p View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7370d5f063dbae87df2226d77e50a66d84713db6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7370d5f063dbae87df2226d77e50a66d84713db6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
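Review bot: the claim line itself is fine, but the unchanged context line for gst-plugins-bad1.0 reads "Added by Frond-Desk (ola)"; worth fixing the "Front-Desk" typo in a follow-up since the entry is being touched anyway.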
[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-40175 as ignored for buster
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: bc8f1805 by Abhijith PA at 2023-10-09T22:43:31+05:30 Mark CVE-2023-40175 as ignored for buster - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -6991,6 +6991,7 @@ CVE-2023-4427 (Out of bounds memory access in V8 in Google Chrome prior to 116.0 [buster] - chromium (see DSA 5046) CVE-2023-40175 (Puma is a Ruby/Rack web server built for parallelism. Prior to version ...) - puma 5.6.7-1 (bug #1050079) + [buster] - puma (invasive to backport) NOTE: https://github.com/puma/puma/security/advisories/GHSA-68xg-gqqm-vgj8 NOTE: https://github.com/puma/puma/commit/690155e7d644b80eeef0a6094f9826ee41f1080a (master) NOTE: https://github.com/puma/puma/commit/ed0f2f94b56982c687452504b95d5f1fbbe3eed1 (v6.3.1) = data/dla-needed.txt = @@ -169,9 +169,6 @@ poppler (Adrian Bunk) NOTE: 20230908: as I suspect this is a duplicate of CVE-2020-27778 (which has already NOTE: 20230908: been fixed). (lamby) -- -puma - NOTE: 20230925: Added by Front-Desk (apo) --- python-django NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc8f18058d10cf9c30aa30ef5832f25bf034a603 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc8f18058d10cf9c30aa30ef5832f25bf034a603 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
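Review bot: in the CVE/list hunk the new line reads "[buster] - puma (invasive to backport)" with no state keyword shown between package and reason, while the commit title says "ignored"; confirm the ignored tag is present on the real line (angle-bracket tags do not survive this rendering), and align the reason wording with the other backport-refusal annotations in this file, which read "Intrusive to backport".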
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim phppgadmin
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 4c2d8361 by Abhijith PA at 2023-09-29T19:51:40+05:30 data/dla-needed.txt: Claim phppgadmin - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -151,7 +151,7 @@ osslsigncode NOTE: 20230925: Added by Front-Desk (apo) NOTE: 20230925: Maybe a new upstream release should just do the trick here. -- -phppgadmin +phppgadmin (Abhijith PA) NOTE: 20230925: Added by Front-Desk (apo) -- poppler View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c2d8361b15f9450c3ddc674369ae3433a43bf10 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c2d8361b15f9450c3ddc674369ae3433a43bf10 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3582-1 for ghostscript
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 0fca495d by Abhijith PA at 2023-09-25T18:14:23+05:30 Reserve DLA-3582-1 for ghostscript - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[25 Sep 2023] DLA-3582-1 ghostscript - security update + {CVE-2020-21710 CVE-2020-21890} + [buster] - ghostscript 9.27~dfsg-2+deb10u9 [25 Sep 2023] DLA-3581-1 flac - security update {CVE-2020-22219} [buster] - flac 1.3.2-3+deb10u3 = data/dla-needed.txt = @@ -86,9 +86,6 @@ gerbv (Adrian Bunk) NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230918: DLA coming soon. (bunk) -- -ghostscript (Abhijith PA) - NOTE: 20230920: Added by Front-Desk (apo) --- glib2.0 (Santiago) NOTE: 20230612: Added by Front-Desk (apo) NOTE: 20230710: WIP (santiago) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fca495ddc5ef1d84e6ca1e97ece557c39325718 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fca495ddc5ef1d84e6ca1e97ece557c39325718 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
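Review bot: the dla-needed.txt hunk removes the ghostscript entry without a closing NOTE, while the DLA/list hunk records only CVE-2020-21710 and CVE-2020-21890 for DLA-3582-1; a one-line note stating that CVE-2023-43115 is deliberately left out of this DLA (it is marked as not fixed in buster in the preceding commit on this page) would make the removal self-explanatory in history.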
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim puma
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 7efc7680 by Abhijith PA at 2023-09-25T14:37:18+05:30 data/dla-needed.txt: Claim puma - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -178,7 +178,7 @@ prometheus-alertmanager NOTE: 20230925: Added by Front-Desk (apo) NOTE: 20230925: Vulnerable code is in ui/app/src/Views/AlertList/AlertView.elm -- -puma +puma (Abhijith PA) NOTE: 20230925: Added by Front-Desk (apo) -- python-git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7efc768066f077ebcf68aa793dc7192c3f1c76d7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7efc768066f077ebcf68aa793dc7192c3f1c76d7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Upstream have changed and refactored function `finish_copydevice`
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 5a34f392 by Abhijith PA at 2023-09-25T14:01:46+05:30 Upstream have changed and refactored function `finish_copydevice` Backporting to 9.27 is not worth when the IjsServer security risk is documented. - - - - - f325a4b6 by Abhijith PA at 2023-09-25T14:09:07+05:30 Add a commit reference for CVE-2020-21890 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -604,6 +604,7 @@ CVE-2023-43115 (In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL ca - ghostscript 10.02.0~dfsg-1 [bookworm] - ghostscript (Minor issue; documented risks, can be fixed in later update) [bullseye] - ghostscript (Minor issue; documented risks, can be fixed in later update) + [buster] - ghostscript (Minor issue; documented risks, have done refactoring in later versions) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=707051 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=8b0f20002536867bd73ff4552408a72597190cbe (ghostpdl-10.02.0rc2) 
@@ -224469,6 +224470,7 @@ CVE-2020-21891 CVE-2020-21890 (Buffer Overflow vulnerability in clj_media_size function in devices/gd ...) - ghostscript 9.51~dfsg-1 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=701846 + NOTE: Fixed by: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=dbdb5f8527007b482d4e6037b558dbf3e6a06d3a (ghostpdl-9.51rc1) NOTE: Fixed by: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=494eeedf73d13fac5710e56f3a8fb2e7e2379d73 (ghostpdl-9.51rc1) CVE-2020-21889 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/60c7ef977b672cb5dd863a70026cda4046d92ace...f325a4b6afa94467e41112e417846ec9059f1e05 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/60c7ef977b672cb5dd863a70026cda4046d92ace...f325a4b6afa94467e41112e417846ec9059f1e05 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
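Review bot: in the CVE-2023-43115 hunk the new buster reason "(Minor issue; documented risks, have done refactoring in later versions)" differs in form from the bullseye and bookworm lines directly above it ("can be fixed in later update"), and the commit message says backporting to 9.27 is not worthwhile because the IjsServer risk is documented; if buster is meant as ignored rather than postponed, the state keyword must say so, and a clearer reason would be "(Minor issue; documented risks, upstream refactored finish_copydevice, not backportable to 9.27)".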
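Review bot: in the CVE-2020-21890 hunk the entry now carries two "Fixed by:" references both tagged ghostpdl-9.51rc1 (dbdb5f85... and 494eeedf...); state which is the primary fix and which is a follow-up, or which one the buster backport carries, otherwise a reader has to diff both to learn why the second reference was added. The second commit message, "Add a commit reference for CVE-2020-21890", should carry that explanation too.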
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim ghostscript
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 93eb42d8 by Abhijith PA at 2023-09-24T12:30:42+05:30 data/dla-needed.txt: Claim ghostscript - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -80,7 +80,7 @@ gerbv (Adrian Bunk) NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230918: DLA coming soon. (bunk) -- -ghostscript +ghostscript (Abhijith PA) NOTE: 20230920: Added by Front-Desk (apo) -- glib2.0 (Santiago) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93eb42d84e480cbf0c309406beb4e8f9b298e4a2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93eb42d84e480cbf0c309406beb4e8f9b298e4a2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim open-vm-tools
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: ddd968cf by Abhijith PA at 2023-07-31T19:35:12+05:30 data/dla-needed.txt: claim open-vm-tools - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -107,7 +107,7 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- -open-vm-tools +open-vm-tools (Abhijith PA) NOTE: 20230731: Added by Front-Desk (apo) -- openimageio (Markus Koschany) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ddd968cfa0f306986a803b4b22de1644057f84eb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ddd968cfa0f306986a803b4b22de1644057f84eb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] re-claim libreoffice and update notes
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: b6f4ba4b by Abhijith PA at 2023-07-18T12:06:25+05:30 re-claim libreoffice and update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -88,8 +88,10 @@ libapache2-mod-auth-openidc NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: Follow fix from bullseye 11.7 (CVE-2022-23527) + 1 postponed CVE-2021-39191 (Beuc/front-desk) -- -libreoffice +libreoffice (Abhijith PA) NOTE: 20230530: Added by Front-Desk (pochu) + NOTE: 20230718: http://people.debian.org/~abhijith/upload/lo (abhijith) + NOTE: 20230718: CVE-2023-2255.diff fails to build. (abhijith) -- linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6f4ba4b6fb0c1af310ad698a36340cae734a07c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6f4ba4b6fb0c1af310ad698a36340cae734a07c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
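Review bot: the two new libreoffice notes need a little context to be useful to the next person: "http://people.debian.org/~abhijith/upload/lo (abhijith)" does not say what is at that URL (a debdiff, built packages, something else), and "CVE-2023-2255.diff fails to build" does not say which file or error fails; add a short description to the first note and the failing hunk or error to the second, and use https for the people.debian.org link.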
[Git][security-tracker-team/security-tracker][master] Mark CVE-2022-46165 as ignored
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 1202f54b by Abhijith PA at 2023-07-11T10:01:27+05:30 Mark CVE-2022-46165 as ignored CVE-2021-21404 as postponed. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -42191,6 +42191,7 @@ CVE-2022-46165 (Syncthing is an open source, continuous file synchronization pro - syncthing (bug #1037432) [bookworm] - syncthing (Minor issue) [bullseye] - syncthing (Minor issue) + [buster] - syncthing (Minor issue) NOTE: https://github.com/syncthing/syncthing/security/advisories/GHSA-9rp6-23gf-4c3h NOTE: https://github.com/syncthing/syncthing/commit/73c52eafb6566435dffd979c3c49562b6d5a4238 (v1.23.5) CVE-2022-46164 (NodeBB is an open source Node.js based forum software. Due to a plain ...) @@ -184242,7 +184243,7 @@ CVE-2021-21405 (Lotus is an Implementation of the Filecoin protocol written in G NOT-FOR-US: Lotus CVE-2021-21404 (Syncthing is a continuous file synchronization program. In Syncthing b ...) - syncthing 1.12.1~ds1-3 (bug #986593) - [buster] - syncthing (Minor issue) + [buster] - syncthing (Minor issue; can be fixed in next update) [stretch] - syncthing (Minor issue; can be fixed in next update) NOTE: https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h NOTE: https://github.com/syncthing/syncthing/commit/fb4fdaf4c0a79c22cad000c42ac1394e3ccb6a97 = data/dla-needed.txt = 
@@ -215,9 +215,6 @@ symfony (guilhem) NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: Follow fixes from bullseye 11.7 (2 CVEs) + 1 other postponed CVE (Beuc/front-desk) -- -syncthing (Abhijith PA) - NOTE: 20230616: Added by Front-Desk (opal) --- thunderbird (pochu) NOTE: 20230704: Added by pochu -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1202f54b06eb395094bfe308c37e79c20f129e8a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1202f54b06eb395094bfe308c37e79c20f129e8a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
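Review bot: the commit message marks CVE-2022-46165 as ignored and CVE-2021-21404 as postponed, but in the CVE/list hunks both buster lines render as "[buster] - syncthing (Minor issue ...)" with no state keyword, so the two states are indistinguishable here; confirm the ignored and postponed tags are on the real lines, and for CVE-2021-21404 note that the hunk changes only the reason text, so if the state moved from ignored to postponed the tag must have changed with it. The title also runs the two CVEs together; "Mark CVE-2022-46165 as ignored, CVE-2021-21404 as postponed" reads better.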
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim syncthing
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 06c80770 by Abhijith PA at 2023-06-30T20:42:07+05:30 data/dla-needed.txt: Claim syncthing - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -241,7 +241,7 @@ symfony (guilhem) NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: Follow fixes from bullseye 11.7 (2 CVEs) + 1 other postponed CVE (Beuc/front-desk) -- -syncthing +syncthing (Abhijith PA) NOTE: 20230616: Added by Front-Desk (opal) -- webkit2gtk (Emilio) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/06c807709c75ff6f90d4aaf514e8da7fea7e9e23 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/06c807709c75ff6f90d4aaf514e8da7fea7e9e23 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] reclaim fusiondirectory, libreoffice
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 58736b02 by Abhijith PA at 2023-06-27T11:47:50+05:30 reclaim fusiondirectory, libreoffice - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -62,7 +62,7 @@ flatpak NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk) -- -fusiondirectory +fusiondirectory (Abhijith PA) NOTE: 20221203: Added by Front-Desk (gladk) NOTE: 20221203: Please evaluate, whether the package can be fixed (gladk). NOTE: 20221203: Two CVEs have only mitigation, fix in a new version (gladk). @@ -105,7 +105,7 @@ libapache2-mod-auth-openidc (gladk) NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: Follow fix from bullseye 11.7 (CVE-2022-23527) + 1 postponed CVE-2021-39191 (Beuc/front-desk) -- -libreoffice +libreoffice (Abhijith PA) NOTE: 20230530: Added by Front-Desk (pochu) -- libusrsctp (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58736b028f326a3f1f1bfa40460c0c68533e6789 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58736b028f326a3f1f1bfa40460c0c68533e6789 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
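Review bot: the fusiondirectory hunk re-adds the claim on an entry whose last substantive notes (20221203) say two CVEs have only a mitigation and the package was removed from sid, with nothing recorded since; add a dated NOTE with the current plan so the next front-desk pass does not have to re-triage, and likewise a status line for the re-claimed libreoffice entry in the second hunk.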
[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-2602 CVE-2023-2603 as not-affected for strech, jessie
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 6e397c72 by Abhijith PA at 2023-06-08T12:22:13+05:30 Mark CVE-2023-2602 CVE-2023-2603 as not-affected for strech, jessie - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2533,6 +2533,8 @@ CVE-2023-2603 (A vulnerability was found in libcap. This issue occurs in the _li - libcap2 1:2.66-4 (bug #1036114) [bullseye] - libcap2 (Minor issue) [buster] - libcap2 (Vulnerable code introduced later) + [stretch] - libcap2 (Vulnerable code introduced later) + [jessie] - libcap2 (Vulnerable code introduced later) NOTE: https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.iuvg7sbjg8pe NOTE: https://www.x41-dsec.de/static/reports/X41-libcap-Code-Review-2023-OSTIF-Final-Report.pdf NOTE: https://www.openwall.com/lists/oss-security/2023/05/15/4 @@ -2541,6 +2543,8 @@ CVE-2023-2602 (A vulnerability was found in the pthread_create() function in lib - libcap2 1:2.66-4 (bug #1036114) [bullseye] - libcap2 (Minor issue) [buster] - libcap2 (Vulnerable code introduced later) + [stretch] - libcap2 (Vulnerable code introduced later) + [jessie] - libcap2 (Vulnerable code introduced later) NOTE: https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.iuvg7sbjg8pe NOTE: https://www.x41-dsec.de/static/reports/X41-libcap-Code-Review-2023-OSTIF-Final-Report.pdf NOTE: https://www.openwall.com/lists/oss-security/2023/05/15/4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e397c722790a000c8a026a77c8846c38f25a736 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e397c722790a000c8a026a77c8846c38f25a736 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
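Review bot: the commit title says not-affected, but the added stretch and jessie lines render in the same form as the existing buster line, "(Vulnerable code introduced later)", with no state keyword visible; confirm the not-affected tag is on the real lines, since the buster line it mirrors was added as an ignore annotation in the earlier commit on this page. The title also misspells "stretch" as "strech".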
[Git][security-tracker-team/security-tracker][master] data/ela-needed.txt: Claim libreoffice
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 5f0b1c53 by Abhijith PA at 2023-06-07T23:40:51+05:30 data/ela-needed.txt: Claim libreoffice - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -78,7 +78,7 @@ libfastjson (Thorsten Alteholz) NOTE: 20230507: the CVE was fixed in json-c already NOTE: 20230605: upload timing could be improved here -- -libreoffice +libreoffice (Abhijith PA) NOTE: 20230530: Added by Front-Desk (pochu) -- linux (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f0b1c534ba9fa55a0258cc6195b78dcf91ddec4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f0b1c534ba9fa55a0258cc6195b78dcf91ddec4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
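Review bot: the commit message names data/ela-needed.txt, but the hunk changes data/dla-needed.txt; the subject should read "data/dla-needed.txt: Claim libreoffice".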
[Git][security-tracker-team/security-tracker][master] remove libcap2 from dla-needed.txt. [d288b21]
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: be417a23 by Abhijith PA at 2023-06-07T23:37:21+05:30 remove libcap2 from dla-needed.txt. [d288b21] - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -73,9 +73,6 @@ hdf5 NOTE: 20230520: additionally couldn't convince the build system to build for buster, something with the autogenerated .install files, NOTE: 20230520: so giving up on the package. (tobi) -- -libcap2 (Abhijith PA) - NOTE: 20230517: Added by Front-Desk (gladk) --- libfastjson (Thorsten Alteholz) NOTE: 20230507: Added by Front-Desk (ta) NOTE: 20230507: the CVE was fixed in json-c already View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be417a23ee4e819a26394b822d6949d3962230ca -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be417a23ee4e819a26394b822d6949d3962230ca You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-2602 - libpsx is introduced in later versions. Not
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: d288b216 by Abhijith PA at 2023-06-07T23:22:33+05:30 CVE-2023-2602 - libpsx is introduced in later versions. Not affecting 2.25. CVE-2023-2603 - Code improvement done on https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=a56162c6900d203c5ac63a2b41b46cb0c45c645f This is an improved fix over something attempted in libcap-2.55 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2458,6 +2458,7 @@ CVE-2023-2671 (A vulnerability was found in SourceCodester Lost and Found Inform CVE-2023-2603 (A vulnerability was found in libcap. This issue occurs in the _libcap_ ...) - libcap2 1:2.66-4 (bug #1036114) [bullseye] - libcap2 (Minor issue) + [buster] - libcap2 (Vulnerable code introduced later) NOTE: https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.iuvg7sbjg8pe NOTE: https://www.x41-dsec.de/static/reports/X41-libcap-Code-Review-2023-OSTIF-Final-Report.pdf NOTE: https://www.openwall.com/lists/oss-security/2023/05/15/4 
@@ -2465,6 +2466,7 @@ CVE-2023-2603 (A vulnerability was found in libcap. This issue occurs in the _li CVE-2023-2602 (A vulnerability was found in the pthread_create() function in libcap. ...) - libcap2 1:2.66-4 (bug #1036114) [bullseye] - libcap2 (Minor issue) + [buster] - libcap2 (Vulnerable code introduced later) NOTE: https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.iuvg7sbjg8pe NOTE: https://www.x41-dsec.de/static/reports/X41-libcap-Code-Review-2023-OSTIF-Final-Report.pdf NOTE: https://www.openwall.com/lists/oss-security/2023/05/15/4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d288b216c78e80f3b405df19d7a463d14e16e737 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d288b216c78e80f3b405df19d7a463d14e16e737 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
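Review bot: in the CVE-2023-2603 hunk the reasoning lives only in the commit message (the libcap commit a56162c6900d203c5ac63a2b41b46cb0c45c645f being an improved fix over what was attempted in libcap-2.55); add it as a NOTE line under the entry, e.g. `NOTE: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=a56162c6900d203c5ac63a2b41b46cb0c45c645f`, so the triage is visible in the tracker and not just in git history.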
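Review bot: in the CVE-2023-2602 hunk the reason "(Vulnerable code introduced later)" is correct per the commit message but terse; a NOTE line such as "NOTE: libpsx was introduced after 2.25, so buster's libcap2 does not ship the affected code" would let the next triager verify the claim without re-reading the commit.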
[Git][security-tracker-team/security-tracker][master] data/ela-needed.txt: re-claim fusiondirectory
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: bc010571 by Abhijith PA at 2023-05-22T23:31:37+05:30 data/ela-needed.txt: re-claim fusiondirectory - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -30,13 +30,14 @@ erlang (Markus Koschany) NOTE: 20230111: VCS: https://salsa.debian.org/erlang-team/packages/erlang NOTE: 20230111: Maintainer notes: Coordinate with maintainer, whether their VCS can be used. Mail send to mailing list. -- -fusiondirectory +fusiondirectory (Abhijith PA) NOTE: 20221203: Programming language: PHP. NOTE: 20221203: Please evaluate, whether the package can be fixed (gladk). NOTE: 20221203: Two CVEs have only mitigation, fix in a new version (gladk). NOTE: 20221203: Also the package was removed from sid recently (gladk). NOTE: 20221203: Feel free to marke both CVEs as , if they are not too serious (gladk). NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/fusiondirectory.git + NOTE: 20230523: Added upstream commit references to security tracker. Patched our version, testing (abhijith) -- golang-go.crypto (Markus Koschany) NOTE: 20220915: Programming language: Go. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc010571770e8697332515b1d24c46d8160fe783 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc010571770e8697332515b1d24c46d8160fe783 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
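Review bot: the commit message names data/ela-needed.txt, but the hunk changes data/dla-needed.txt; also the new note is stamped 20230523 while the commit is timestamped 2023-05-22T23:31:37+05:30, so the note date is a day ahead of the commit. The unchanged context line "Feel free to marke both CVEs as , if they are not too serious" has a typo and a missing word (likely a stripped state tag) that could be fixed in passing.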
[Git][security-tracker-team/security-tracker][master] Add upstream commit refs for CVE-2022-36179, CVE-2022-36180
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 5e4d6bf2 by Abhijith PA at 2023-05-19T12:35:28+05:30 Add upstream commit refs for CVE-2022-36179, CVE-2022-36180 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -66363,10 +66363,12 @@ CVE-2022-36180 (Fusiondirectory 1.3 is vulnerable to Cross Site Scripting (XSS) - fusiondirectory [bullseye] - fusiondirectory (Minor issue) NOTE: https://yoroi.company/research/cve-advisory-full-disclosure-multiple-vulnerabilities/ + NOTE: https://github.com/fusiondirectory/fusiondirectory/commit/fadebb79b932a0260bdb8723eb23694a3ae62366 [1.3.1] CVE-2022-36179 (Fusiondirectory 1.3 suffers from Improper Session Handling.) - fusiondirectory [bullseye] - fusiondirectory (Minor issue) NOTE: https://yoroi.company/research/cve-advisory-full-disclosure-multiple-vulnerabilities/ + NOTE: https://github.com/fusiondirectory/fusiondirectory/commit/d84cf05573b52df98418adf3716daf365e8da745 [1.3.1] CVE-2022-36178 RESERVED CVE-2022-36177 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e4d6bf236bdb4e30e50c9830187de21e092bf5e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e4d6bf236bdb4e30e50c9830187de21e092bf5e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
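Review bot: the two new upstream commit references tag the fixed version as "[1.3.1]" in square brackets, whereas the other NOTE lines in this file put the version in parentheses, e.g. "(v1.23.5)" and "(ghostpdl-9.51rc1)"; use "(1.3.1)" for consistency.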
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim libcap2
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e232090 by Abhijith PA at 2023-05-18T14:44:14+05:30 data/dla-needed.txt: claim libcap2 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -62,7 +62,7 @@ hdf5 (tobi) NOTE: 20230506: tried to triage… seems to be that only sensible way forward would be to update to a newer version in the 1.10.x NOTE: 20230506: line. Still then, state of CVEs are unknown if they have been fixed. 1.10.11 is scheduled for September. (tobi) -- -libcap2 +libcap2 (Abhijith PA) NOTE: 20230517: Programming language: C. NOTE: 20230517: VCS: https://salsa.debian.org/lts-team/packages/libcap2.git -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e2320901fea300d98caa938722c37481fa4fa14 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e2320901fea300d98caa938722c37481fa4fa14 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove consul from dla-needed.txt.
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: eebe9d4c by Abhijith PA at 2023-05-14T15:49:54+05:30 Remove consul from dla-needed.txt. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -85882,6 +85882,7 @@ CVE-2022-29154 (An issue was discovered in rsync before 3.2.5 that allows malici NOTE: https://git.samba.org/?p=rsync.git;a=commit;h=2f7c583143bc6e80902139c23d9d7283f88fbc6a (v3.2.5pre1) CVE-2022-29153 (HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11. ...) - consul (bug #1017982) + [buster] - consul (Intrusive to backport) NOTE: https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393 NOTE: https://github.com/hashicorp/consul/commit/72e1ce6317d6a4b28c73cd15f3976eb2c362be19 (v1.9.17) CVE-2022-29152 (The Ericom PowerTerm WebConnect 6.0 login portal can unsafely write an ...) @@ -136530,6 +136531,7 @@ CVE-2021-37220 (MuPDF through 1.18.1 has an out-of-bounds write because the cach NOTE: On Stretch, an earlier version of the code exits early instead of crashing. CVE-2021-37219 (HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows no ...) - consul 1.8.7+dfsg1-6 (bug #1015218) + [buster] - consul (Minor issue; intrusive to backport) NOTE: https://discuss.hashicorp.com/t/hcsec-2021-22-consul-raft-rpc-privilege-escalation/29024 NOTE: https://github.com/hashicorp/consul/commit/ccf8eb1947357434eb6e66303ddab79f4c9d4103 CVE-2021-37218 (HashiCorp Nomad and Nomad Enterprise Raft RPC layer allows non-server ...) 
@@ -197187,7 +197189,7 @@ CVE-2020-25865 RESERVED CVE-2020-25864 (HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value ( ...) - consul 1.8.7+dfsg1-2 (bug #987351) - [buster] - consul (Minor issue) + [buster] - consul (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1950275 NOTE: https://github.com/hashicorp/consul/pull/10023 CVE-2020-25863 (In Wireshark 3.2.0 to 3.2.6, 3.0.0 to 3.0.13, and 2.6.0 to 2.6.20, the ...) @@ -243630,7 +243632,7 @@ CVE-2020-7220 (HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain NOT-FOR-US: HashiCorp Vault CVE-2020-7219 (HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services a ...) - consul 1.7.0+dfsg1-1 (bug #950736) - [buster] - consul (Minor issue) + [buster] - consul (Minor issue, intrusive to backport) NOTE: https://github.com/hashicorp/consul/issues/7159 NOTE: Fixed in 1.6.3. CVE-2020-7218 (HashiCorp Nomad and Nonad Enterprise up to 0.10.2 HTTP/RPC services al ...) @@ -316114,7 +316116,7 @@ CVE-2018-19654 (An issue was discovered in Sales & Company Management System (SC NOT-FOR-US: Sales & Company Management System (SCMS) CVE-2018-19653 (HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext agent-to-agent ...) - consul 1.4.4~dfsg1-1 - [buster] - consul (Minor issue) + [buster] - consul (Minor issue) NOTE: https://github.com/hashicorp/consul/pull/5069 CVE-2018-19652 RESERVED = data/dla-needed.txt = 
@@ -17,13 +17,6 @@ cairosvg NOTE: 20230323: Programming language: Python. NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert) -- -consul - NOTE: 20221031: Programming language: Go. - NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail. - NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/consul.git - NOTE: 20230423: WIP, Fixed CVE-2018-19653 (abhijith) - NOTE: 20230422: Resume work. (abhijith) --- docker.io NOTE: 20230303: Programming language: Go. NOTE: 20230303: Follow fixes from bullseye 11.2 (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eebe9d4c5e1c30f2c75ff33e5abae4161b83d46d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eebe9d4c5e1c30f2c75ff33e5abae4161b83d46d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
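Review bot: the new [buster] line for CVE-2022-29153 gives only "Intrusive to backport", while the same patch writes "(Minor issue; intrusive to backport)" for CVE-2021-37219 and "(Minor issue, intrusive to backport)" for CVE-2020-7219; backport cost is not a severity judgement, so the HTTP health-check SSRF (per the hashicorp discuss link on the entry) should carry the same "Minor issue" assessment, or a NOTE saying why it is acceptable to leave it unfixed in buster. The dla-needed.txt hunk also drops the note "WIP, Fixed CVE-2018-19653 (abhijith)" while this same patch leaves the CVE-2018-19653 buster line at "(Minor issue)"; a NOTE on that CVE entry recording what became of the prepared fix would keep that work from being lost.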
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim fusiondirectory
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: d1d4d1ef by Abhijith PA at 2023-05-04T19:28:00+05:30 data/dla-needed.txt: claim fusiondirectory - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -50,7 +50,7 @@ erlang NOTE: 20230111: VCS: https://salsa.debian.org/erlang-team/packages/erlang NOTE: 20230111: Maintainer notes: Coordinate with maintainer, whether their VCS can be used. Mail send to mailing list. -- -fusiondirectory +fusiondirectory (Abhijith PA) NOTE: 20221203: Programming language: PHP. NOTE: 20221203: Please evaluate, whether the package can be fixed (gladk). NOTE: 20221203: Two CVEs have only mitigation, fix in a new version (gladk). View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d1d4d1ef32860d0f98ba92ae8a1f998fd30a1014 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d1d4d1ef32860d0f98ba92ae8a1f998fd30a1014 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark CVE-2021-38698, CVE-2021-41803, CVE-2022-24687 and
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 82bb5580 by Abhijith PA at 2023-05-03T01:44:06+05:30 Mark CVE-2021-38698, CVE-2021-41803, CVE-2022-24687 and CVE-2022-40716 as not affected. Add commit reference for CVE-2022-24687 with upstream tag. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -52696,6 +52696,7 @@ CVE-2022-40717 (This vulnerability allows network-adjacent attackers to execute NOT-FOR-US: D-Link CVE-2022-40716 (HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13. ...) - consul (bug #1027161) + [buster] - consul (Vulnerable Code not present) NOTE: https://discuss.hashicorp.com/t/hcsec-2022-20-consul-service-mesh-intention-bypass-with-malicious-certificate-signing-request/44628 NOTE: https://github.com/hashicorp/consul/commit/ae822d752ad36007e353249691a0ef318cf55d08 (v1.11.9) CVE-2022-40715 (An issue was discovered in NOKIA 1350OMS R14.2. An Absolute Path Trave ...) @@ -98178,7 +98179,9 @@ CVE-2022-24688 (An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. NOT-FOR-US: DSK DSKNet CVE-2022-24687 (HashiCorp Consul and Consul Enterprise 1.9.0 through 1.9.14, 1.10.7, a ...) - consul (bug #1006487) + [buster] - consul (Vulnerable Code not present) NOTE: https://discuss.hashicorp.com/t/hcsec-2022-05-consul-ingress-gateway-panic-can-shutdown-servers/ + NOTE: https://github.com/hashicorp/consul/commit/d35c6a97cbdff252f5238d6b52f49786f896566a (1.9.15) CVE-2022-24686 (HashiCorp Nomad and Nomad Enterprise 0.3.0 through 1.0.17, 1.1.11, and ...) - nomad (bug #1021273) NOTE: https://discuss.hashicorp.com/t/hcsec-2022-01-nomad-artifact-download-race-condition/35559 
@@ -123883,6 +123886,7 @@ CVE-2021-41804 RESERVED CVE-2021-41803 (HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properl ...) - consul (bug #1034841) + [buster] - consul (Vulnerable Code not present) NOTE: https://discuss.hashicorp.com/t/hcsec-2022-19-consul-auto-config-jwt-authorization-missing-input-validation/44627 NOTE: https://github.com/hashicorp/consul/commit/34872682e44f6e7e6359c88bf9e333fa1002a99b (v1.11.9) CVE-2021-41802 (HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a ...) @@ -131684,7 +131688,7 @@ CVE-2021-38699 (TastyIgniter 3.0.7 allows XSS via /account, /reservation, /admin CVE-2021-38698 (HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allow ...) - consul 1.8.7+dfsg1-6 (bug #1015218) [bullseye] - consul (Minor issue) - [buster] - consul (Minor issue) + [buster] - consul (Vulnerable code not present) NOTE: https://discuss.hashicorp.com/t/hcsec-2021-24-consul-missing-authorization-check-on-txn-apply-endpoint/29026 NOTE: https://github.com/hashicorp/consul/commit/747844bad6410091f2c6e961216c0c5fc285a44d (v1.8.15) CVE-2021-38697 (SoftVibe SARABAN for INFOMA 1.1 allows Unauthenticated unrestricted Fi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/82bb558032826c53ec6e6272ff0fdc41103bdc06 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/82bb558032826c53ec6e6272ff0fdc41103bdc06 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
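Review bot: the reason strings are spelled inconsistently within one commit: "Vulnerable Code not present" (capital C) for CVE-2022-40716, CVE-2022-24687 and CVE-2021-41803 versus "Vulnerable code not present" for CVE-2021-38698; both humans and grep-driven tooling benefit from one spelling, so use the lower-case form throughout. Likewise the new commit reference for CVE-2022-24687 is annotated "(1.9.15)" while the neighbouring references in the same patch use the tag form "(v1.11.9)".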
[Git][security-tracker-team/security-tracker][master] add upstream commit ref
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: d0725e0d by Abhijith PA at 2023-05-03T00:21:26+05:30 add upstream commit ref - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -123858,6 +123858,7 @@ CVE-2021-41804 CVE-2021-41803 (HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properl ...) - consul (bug #1034841) NOTE: https://discuss.hashicorp.com/t/hcsec-2022-19-consul-auto-config-jwt-authorization-missing-input-validation/44627 + NOTE: https://github.com/hashicorp/consul/pull/14580/commits/fb3e29ec22ccda61f03da7e8e15e84da64f7fe82 CVE-2021-41802 (HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a ...) NOT-FOR-US: HashiCorp Vault CVE-2021-41801 (The ReplaceText extension through 1.41 for MediaWiki has Incorrect Acc ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d0725e0dcbeae72ad364d4fa0fcf6983840d440a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d0725e0dcbeae72ad364d4fa0fcf6983840d440a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
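Review bot: the added reference is a URL of the form pull/14580/commits/&lt;sha&gt;, which identifies the commit as it appeared in the pull request rather than the commit that reached a release branch; a PR commit can be rewritten before merge, after which the URL points at an orphaned object. Prefer the merged commit URL with the first fixed release in parentheses, the form used for CVE-2022-40716 and CVE-2022-29153 in commit fa087277 on this page.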
[Git][security-tracker-team/security-tracker][master] Add upstream fix commit for CVE-2022-40716, CVE-2022-29153
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: fa087277 by Abhijith PA at 2023-05-01T18:33:01+05:30 Add upstream fix commit for CVE-2022-40716, CVE-2022-29153 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -52649,6 +52649,7 @@ CVE-2022-40717 (This vulnerability allows network-adjacent attackers to execute CVE-2022-40716 (HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13. ...) - consul (bug #1027161) NOTE: https://discuss.hashicorp.com/t/hcsec-2022-20-consul-service-mesh-intention-bypass-with-malicious-certificate-signing-request/44628 + NOTE: https://github.com/hashicorp/consul/commit/ae822d752ad36007e353249691a0ef318cf55d08 (1.11.9) CVE-2022-40715 (An issue was discovered in NOKIA 1350OMS R14.2. An Absolute Path Trave ...) NOT-FOR-US: NOKIA CVE-2022-40714 (An issue was discovered in NOKIA 1350OMS R14.2. Reflected XSS exists u ...) 
@@ -84961,6 +84962,7 @@ CVE-2022-29154 (An issue was discovered in rsync before 3.2.5 that allows malici CVE-2022-29153 (HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11. ...) - consul (bug #1017982) NOTE: https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393 + NOTE: https://github.com/hashicorp/consul/commit/72e1ce6317d6a4b28c73cd15f3976eb2c362be19 (1.9.17) CVE-2022-29152 (The Ericom PowerTerm WebConnect 6.0 login portal can unsafely write an ...) NOT-FOR-US: Ericom CVE-2022-29151 (Windows Cluster Shared Volume (CSV) Elevation of Privilege Vulnerabili ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa087277467cb3ed72e7de42802189c8bcafa364 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa087277467cb3ed72e7de42802189c8bcafa364 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
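Review bot: the two new NOTE lines annotate the fix commits as "(1.11.9)" and "(1.9.17)", whereas the rsync entry next to CVE-2022-29153 (visible in the context of commit eebe9d4c on this page) uses the upstream tag name "(v3.2.5pre1)", and that later commit indeed shows these notes rewritten as "(v1.9.17)"; writing the tag form from the start makes the annotation directly usable as a git ref when checking whether buster's consul predates the fix.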
[Git][security-tracker-team/security-tracker][master] CVE-2021-37219: Add upstream commit reference.
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: acfb6606 by Abhijith PA at 2023-04-30T18:41:40+05:30 CVE-2021-37219: Add upstream commit reference. CVE-2020-7955: Mark as not-affected, func AgentHealthServiceByID introduced later. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -135558,6 +135558,7 @@ CVE-2021-37220 (MuPDF through 1.18.1 has an out-of-bounds write because the cach CVE-2021-37219 (HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows no ...) - consul 1.8.7+dfsg1-6 (bug #1015218) NOTE: https://discuss.hashicorp.com/t/hcsec-2021-22-consul-raft-rpc-privilege-escalation/29024 + NOTE: https://github.com/hashicorp/consul/commit/ccf8eb1947357434eb6e66303ddab79f4c9d4103 CVE-2021-37218 (HashiCorp Nomad and Nomad Enterprise Raft RPC layer allows non-server ...) - nomad (bug #1021273) [bullseye] - nomad (Minor issue) @@ -240868,7 +240869,7 @@ CVE-2020-7956 (HashiCorp Nomad and Nomad Enterprise up to 0.10.2 incorrectly val NOTE: https://github.com/hashicorp/nomad/issues/7003 CVE-2020-7955 (HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uni ...) - consul 1.7.0+dfsg1-1 (bug #950736) - [buster] - consul (Minor issue) + [buster] - consul (Vulnerable code not present) NOTE: https://github.com/hashicorp/consul/issues/7160 NOTE: Fixed in 1.6.3. CVE-2020-7954 (An issue was discovered in OpServices OpMon 9.3.2. Starting from the a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/acfb6606d28dff10d7de228f0e9951c219bc4b37 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/acfb6606d28dff10d7de228f0e9951c219bc4b37 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
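Review bot: the justification for marking CVE-2020-7955 not affected in buster ("func AgentHealthServiceByID introduced later") lives only in the commit message; the entry itself carries just "Vulnerable code not present" next to "Fixed in 1.6.3.", which a future triager cannot verify without digging through git history. Add a NOTE line naming the function and the upstream version that introduced it, so the not-affected claim can be re-checked if buster's consul is ever updated.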
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: work on consul
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: a4a238aa by Abhijith PA at 2023-04-22T08:28:55+05:30 data/dla-needed.txt: work on consul - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -40,11 +40,12 @@ configobj (Chris Lamb) NOTE: 20230416: Special attention: Low priority but high popcon. NOTE: 20230421: No upstream-blessed patch yet. (lamby) -- -consul +consul (Abhijith PA) NOTE: 20221031: Programming language: Go. NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/consul.git NOTE: 20230423: WIP, Fixed CVE-2018-19653 (abhijith) + NOTE: 20230422: Resume work. (abhijith) -- docker.io (gladk) NOTE: 20230303: Programming language: Go. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a4a238aae1d839c85b1fef2e2fcec6382d87c817 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a4a238aae1d839c85b1fef2e2fcec6382d87c817 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
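Review bot: the new note is stamped 20230422 but is appended below a note stamped 20230423, so the entry now reads out of chronological order; that earlier stamp was added by commit d8677d76 dated 2023-04-03 and is presumably a typo for 20230403, which is worth fixing in the same edit rather than leaving the sequence inverted.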
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: update consul note
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: d8677d76 by Abhijith PA at 2023-04-03T11:28:26+05:30 data/dla-needed.txt: update consul note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -38,10 +38,11 @@ ceph NOTE: 20230102: [buster] - ceph (ceph-crash service added in Ceph 14) (stefanor) NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/ceph.git -- -consul +consul (Abhijith PA) NOTE: 20221031: Programming language: Go. NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/consul.git + NOTE: 20230423: WIP, Fixed CVE-2018-19653 (abhijith) -- curl (holger) NOTE: 20230321: Programming language: C. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8677d763eec99cfb9a2d7f3d75110fa7adeae3b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8677d763eec99cfb9a2d7f3d75110fa7adeae3b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
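Review bot: the note is stamped 20230423 but this commit is dated 2023-04-03, so the stamp looks transposed and should read 20230403; dla-needed.txt stamps are how front-desk judges how stale a claim is, and a date three weeks in the future hides that. The note would also be more useful stating where the CVE-2018-19653 fix lives (the VCS line above points at the lts-team repo, so a branch or tag name would do).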
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim consul
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 95bc6bb4 by Abhijith PA at 2023-03-18T14:50:50+05:30 data/dla-needed.txt: claim consul - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -33,7 +33,7 @@ ceph NOTE: 20230102: [buster] - ceph (ceph-crash service added in Ceph 14) (stefanor) NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/ceph.git -- -consul +consul (Abhijith PA) NOTE: 20221031: Programming language: Go. NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/consul.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/95bc6bb4b83952fbd90456ae3a1c68595fb93f3c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/95bc6bb4b83952fbd90456ae3a1c68595fb93f3c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim nheko
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 8700fd3e by Abhijith PA at 2023-01-23T17:31:54+05:30 data/dla-needed.txt: claim nheko - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -179,7 +179,7 @@ nextcloud-desktop NOTE: 20221128: VCS: https://salsa.debian.org/owncloud-team/nextcloud-desktop NOTE: 20221128: Please coordinate with maintainer the usage of their git-repo (gladk). -- -nheko +nheko (Abhijith PA) NOTE: 20230101: Programming language: C++. -- node-css-what View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8700fd3e060095a2d309608dacf2bac720f5db33 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8700fd3e060095a2d309608dacf2bac720f5db33 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3279-1 for trafficserver
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 2d9f5058 by Abhijith PA at 2023-01-23T16:31:27+05:30 Reserve DLA-3279-1 for trafficserver - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[23 Jan 2023] DLA-3279-1 trafficserver - security update + {CVE-2021-37150 CVE-2022-25763 CVE-2022-28129 CVE-2022-31780} + [buster] - trafficserver 8.0.2+ds-1+deb10u7 [20 Jan 2023] DLA-3278-1 tiff - security update {CVE-2022-1354 CVE-2022-1355 CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 CVE-2022-2867 CVE-2022-2868 CVE-2022-2869 CVE-2022-3570 CVE-2022-3597 CVE-2022-3598 CVE-2022-3599 CVE-2022-3626 CVE-2022-3627 CVE-2022-3970 CVE-2022-34526} [buster] - tiff 4.1.0+git191117-2~deb10u5 = data/dla-needed.txt = @@ -352,12 +352,6 @@ tor (Thorsten Alteholz) NOTE: 20220115: Programming language: C. NOTE: 20230116: VCS: https://salsa.debian.org/lts-team/packages/tor.git -- -trafficserver - NOTE: 20220905: Programming language: C. - NOTE: 20221024: WIP, big changeset in security fix (abhijith) - NOTE: 20221114: https://people.debian.org/~abhijith/upload/trf/ (abhijith) - NOTE: 20221114: Asked upstream regarding CVE-2022-31779 (abhijith) --- wireshark NOTE: 20230123: Programming language: C. NOTE: 20230123: 7 new CVEs + 3 postponed ones. Would be good to not let them pile up like last time. (utkarsh). View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d9f50586010d4fb99052eb52c6485b4e2e96820 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d9f50586010d4fb99052eb52c6485b4e2e96820 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
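Review bot: the removed dla-needed.txt entry records an open item, "Asked upstream regarding CVE-2022-31779 (abhijith)", and that CVE is not among the four covered by DLA-3279-1 ({CVE-2021-37150 CVE-2022-25763 CVE-2022-28129 CVE-2022-31780}); dropping the whole entry loses the only record of that pending question. Either keep a trimmed entry until CVE-2022-31779 has a recorded buster status, or add a NOTE on its entry in data/CVE/list stating the upstream answer.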
[Git][security-tracker-team/security-tracker][master] reclaim xrdp
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 9a94a930 by Abhijith PA at 2023-01-17T09:53:21+05:30 reclaim xrdp - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -364,9 +364,10 @@ xfig (gladk) NOTE: 20230105: Programming language: C. NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk) -- -xrdp +xrdp (Abhijith PA) NOTE: 20221225: Programming language: C. NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/xrdp.git + NOTE: 20230117: Fixed 6 out 10 CVEs. Testing (abhijith) -- zabbix NOTE: 20220911: At least CVE-2022-23134 was fixed in stretch so it should be fixed in buster too. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a94a930da4adc3e180450120680964be53780b9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a94a930da4adc3e180450120680964be53780b9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
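Review bot: "Fixed 6 out 10 CVEs" should read "6 out of 10", and naming the four remaining CVE ids (or why they are deferred) would let another LTS member pick the work up if the claim goes stale.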
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim xrdp
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 0fcf4f9d by Abhijith PA at 2022-12-31T23:52:54+05:30 data/dla-needed.txt: claim xrdp - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -325,7 +325,7 @@ xdg-utils NOTE: 20221120: Programming language: C. NOTE: 20221120: no real fix yet -- -xrdp +xrdp (Abhijith PA) NOTE: 20221225: Programming language: C. NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/xrdp.git -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fcf4f9d632cb746e32ca23b9bbff339c0e526e4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fcf4f9d632cb746e32ca23b9bbff339c0e526e4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] update note in dla-needed
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 4e5e3d80 by Abhijith PA at 2022-11-14T15:47:19+05:30 update note in dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -367,6 +367,8 @@ tiff trafficserver NOTE: 20220905: Programming language: C. NOTE: 20221024: WIP, big changeset in security fix (abhijith) + NOTE: 20221114: https://people.debian.org/~abhijith/upload/trf/ (abhijith) + NOTE: 20221114: Asked upstream regarding CVE-2022-31779 (abhijith) -- twisted NOTE: 20221030: Programming language: Python. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e5e3d80d11e1416186c10db10a5ce6bf1dc2a9f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e5e3d80d11e1416186c10db10a5ce6bf1dc2a9f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark CVE-2022-31778 as ignored for buster
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 19db2921 by Abhijith PA at 2022-11-01T11:19:16+05:30 Mark CVE-2022-31778 as ignored for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -34853,6 +34853,7 @@ CVE-2022-31779 (Improper Input Validation vulnerability in HTTP/2 header parsing CVE-2022-31778 (Improper Input Validation vulnerability in handling the Transfer-Encod ...) {DSA-5206-1} - trafficserver 9.1.3+ds-1 + [buster] - trafficserver (Minor issue, intrusive to backport) NOTE: https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21 CVE-2022-31777 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/19db2921e8f9c9d1ada3d8318bbd394238c2a11c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/19db2921e8f9c9d1ada3d8318bbd394238c2a11c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
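Review bot: the added buster line rates an improper input validation issue in Transfer-Encoding header handling (per the CVE-2022-31778 context line) as "Minor issue, intrusive to backport", while the same issue was fixed in stable through DSA-5206-1; for a proxy, a header-handling flaw deserves a NOTE stating why its impact in buster is limited (affected code path absent, or a non-default configuration required) so that the "ignored" decision in the commit subject remains defensible when the entry is revisited.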
[Git][security-tracker-team/security-tracker][master] Mark CVE-2022-24724 as not-affected for buster and bullseye.
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 36d38a8b by Abhijith PA at 2022-10-30T14:11:00+05:30 Mark CVE-2022-24724 as not-affected for buster and bullseye. ghostwriter doesn't embed cmark-gfm in those releases. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -55492,7 +55492,8 @@ CVE-2022-24725 (Shescape is a shell escape package for JavaScript. An issue in v CVE-2022-24724 (cmark-gfm is GitHub's extended version of the C reference implementati ...) - cmark-gfm 0.29.0.gfm.3-3 (bug #1006756) - ghostwriter (bug #1006757) - [bullseye] - ghostwriter (Minor issue) + [bullseye] - ghostwriter (Vulnerable code not present) + [buster] - ghostwriter (Vulnerable code not present) - python-cmarkgfm 0.7.0-1 (bug #1006758) - ruby-commonmarker (bug #1006759) - r-cran-commonmark 1.8.0-1 (bug #1006760) = data/dla-needed.txt = @@ -49,9 +49,6 @@ fwupd gerbv NOTE: 20220923: Programming language: C. -- -ghostwriter (Abhijith PA) - NOTE: 20221009: Programming language: C. --- golang-1.11 NOTE: 20220916: Programming language: Go. NOTE: 20220916: Special attention: limited support; requires rebuilding reverse build dependencies (though recent bullseye updates didn't) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/36d38a8b902703442385a481f13e9b2ffb9a2b82
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim ghostwriter
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: b1442b86 by Abhijith PA at 2022-10-30T13:12:55+05:30 data/dla-needed.txt: claim ghostwriter - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -49,7 +49,7 @@ fwupd gerbv NOTE: 20220923: Programming language: C. -- -ghostwriter +ghostwriter (Abhijith PA) NOTE: 20221009: Programming language: C. -- golang-1.11 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b1442b86ce32e2c48c559ffca4f10430a28f0586 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b1442b86ce32e2c48c559ffca4f10430a28f0586 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark CVE-2022-39835 as no-dsa
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: dfbabd55 by Abhijith PA at 2022-10-30T12:55:36+05:30 Mark CVE-2022-39835 as no-dsa. Code refactoring in later versions makes it very hard to backport. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -12137,6 +12137,7 @@ CVE-2022-39836 (An issue was discovered in Connected Vehicle Systems Alliance (C CVE-2022-39835 (An issue was discovered in Gajim through 1.4.7. The vulnerability allo ...) - gajim 1.5.0-1 [bullseye] - gajim (Minor issue) + [buster] - gajim (Minor issue, intrusive to backport) NOTE: https://dev.gajim.org/gajim/gajim/-/commit/af02c6bd53fad4e0065951597bd7ec801c002067 (1.5.0) CVE-2022-39834 RESERVED = data/dla-needed.txt = @@ -46,9 +46,6 @@ frr fwupd NOTE: 20221003: Programming language: C++. -- -gajim (Abhijith PA) - NOTE: 20221006: Programming language: Python. --- gerbv NOTE: 20220923: Programming language: C. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dfbabd55b857fac1dc2c10da94d08dd0318c5fa8
[Git][security-tracker-team/security-tracker][master] Reclaim packages
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 726e88a5 by Abhijith PA at 2022-10-24T11:18:55+05:30 Reclaim packages - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -153,7 +153,7 @@ r-cran-commonmark NOTE: 20221009: Programming language: R. NOTE: 20221009: Please synchronize with ghostwriter. -- -rails +rails (Abhijith PA) NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith) NOTE: 20220909: Two issues https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith) NOTE: 20220909: https://lists.debian.org/debian-lts/2022/09/msg4.html (abhijith) @@ -161,6 +161,8 @@ rails NOTE: 20220915: 2:5.2.2.1+dfsg-1+deb10u5 uploaded without the regression causing patch (abhijith) NOTE: 20220915: Utkarsh prepared a patch and is on testing (abhijith) NOTE: 20221003: https://github.com/rails/rails/issues/45590#issuecomment-1249123907 (abhijith) + NOTE: 20221024: Delay upload, see above comment, users have done workaround. Not a good idea + NOTE: 20221024: to break thrice in less than 2 month. -- rainloop NOTE: 20220913: Programming language: PHP, JavaScript. 
@@ -197,8 +199,9 @@ sox NOTE: 20220818: Requires some investigation; see #1012138 etc. NOTE: 20221003: https://sourceforge.net/p/sox/bugs/362/ Re-pinged upstream committer (abhijith) -- -trafficserver +trafficserver (Abhijith PA) NOTE: 20220905: Programming language: C. + NOTE: 20221024: WIP, big changeset in security fix (abhijith) -- vim NOTE: 20220904: Programming language: C. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/726e88a594ac5ee20bb21ef9353741d22f6d7f91 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/726e88a594ac5ee20bb21ef9353741d22f6d7f91 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove tinyproxy [bec7770]
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: a4d55272 by Abhijith PA at 2022-10-13T13:56:03+05:30 Remove tinyproxy [bec7770] Claim gajim - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -46,7 +46,7 @@ frr fwupd NOTE: 20221003: Programming language: C++. -- -gajim +gajim (Abhijith PA) NOTE: 20221006: Programming language: Python. -- gerbv @@ -196,9 +196,6 @@ sox NOTE: 20220818: Requires some investigation; see #1012138 etc. NOTE: 20221003: https://sourceforge.net/p/sox/bugs/362/ Re-pinged upstream committer (abhijith) -- -tinyproxy (Abhijith PA) - NOTE: 20221009: Programming language: C. --- trafficserver (Abhijith PA) NOTE: 20220905: Programming language: C. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a4d5527208d4158151c64f1d61ed342891bdbe2e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a4d5527208d4158151c64f1d61ed342891bdbe2e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Unless there is modified error pages which contain special
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: bec77709 by Abhijith PA at 2022-10-13T13:50:26+05:30 Unless there is modified error pages which contain special non-standard variables. This is not an issue. tinyproxy mostly run locally or in trusted small network than a full-fledged proxy server. Mark CVE-2022-40468 as postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5840,6 +5840,7 @@ CVE-2022-40469 (iKuai8 v3.6.7 was discovered to contain an authenticated remote CVE-2022-40468 (Potential leak of left-over heap data if custom error page templates c ...) - tinyproxy 1.11.1-2 (bug #1021015) [bullseye] - tinyproxy (Minor issue) + [buster] - tinyproxy (Minor issue) NOTE: https://github.com/tinyproxy/tinyproxy/issues/457 NOTE: https://github.com/tinyproxy/tinyproxy/commit/3764b8551463b900b5b4e3ec0cd9bb9182191cb7 CVE-2022-40467 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bec77709da1513d103eee3c20fd0e87d35d8e92e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bec77709da1513d103eee3c20fd0e87d35d8e92e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
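Review bot: the rationale given in the commit message (the leak only matters with modified error-page templates that use non-standard variables, and tinyproxy is mostly run locally or in a small trusted network) is not recorded in the entry itself; the added `[buster] - tinyproxy (Minor issue)` line carries only the generic tag, the same as the existing bullseye line. Add a NOTE line beside the two existing NOTE references stating why this was postponed for buster, so the next triager does not have to find this commit to understand the decision.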
[Git][security-tracker-team/security-tracker][master] data/ela-needed.txt: claim tinyproxy
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 7b158703 by Abhijith PA at 2022-10-13T01:26:51+05:30 data/ela-needed.txt: claim tinyproxy - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -196,7 +196,7 @@ sox NOTE: 20220818: Requires some investigation; see #1012138 etc. NOTE: 20221003: https://sourceforge.net/p/sox/bugs/362/ Re-pinged upstream committer (abhijith) -- -tinyproxy +tinyproxy (Abhijith PA) NOTE: 20221009: Programming language: C. -- trafficserver (Abhijith PA) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7b15870356da8d3be2538ae37d9ded3d480b5e14 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7b15870356da8d3be2538ae37d9ded3d480b5e14 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
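Review bot: the commit subject reads `data/ela-needed.txt: claim tinyproxy`, but the only changed file is `data/dla-needed.txt` and the hunk edits the buster LTS list (the tinyproxy entry between sox and trafficserver); the subject should name dla-needed.txt so the history is not misleading when someone searches for ELTS claims.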
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3151-1 for squid
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: f2df475c by Abhijith PA at 2022-10-13T00:58:08+05:30 Reserve DLA-3151-1 for squid - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[13 Oct 2022] DLA-3151-1 squid - security update + {CVE-2022-41317 CVE-2022-41318} + [buster] - squid 4.6-1+deb10u8 [12 Oct 2022] DLA-3150-1 rexical - security update {CVE-2019-5477} [buster] - rexical 1.0.5-2+deb10u1 = data/dla-needed.txt = @@ -196,10 +196,6 @@ sox NOTE: 20220818: Requires some investigation; see #1012138 etc. NOTE: 20221003: https://sourceforge.net/p/sox/bugs/362/ Re-pinged upstream committer (abhijith) -- -squid (Abhijith PA) - NOTE: 20220923: Programming language: C. - NOTE: 20220923: CVE-2022-41317 should be not-affected, but CVE-2022-41318 should be an issue, pleae recheck --- tinyproxy NOTE: 20221009: Programming language: C. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2df475c89193c6cb7aea25d218e85e496d5c0c5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2df475c89193c6cb7aea25d218e85e496d5c0c5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
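Review bot: the dla-needed.txt note being removed says `CVE-2022-41317 should be not-affected, but CVE-2022-41318 should be an issue, pleae recheck`, yet the new DLA-3151-1 entry lists both `{CVE-2022-41317 CVE-2022-41318}`. If the recheck concluded that buster is not affected by CVE-2022-41317, it should not be in the advisory's CVE set; if it turned out to be affected after all, that outcome should be recorded somewhere (for example in data/CVE/list), because the only note raising the question is deleted in this same commit.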
[Git][security-tracker-team/security-tracker][master] update note. Claim trafficserver,squid
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: c41fd934 by Abhijith PA at 2022-10-03T11:54:28+05:30 update note. Claim trafficserver,squid - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -129,6 +129,7 @@ rails (Abhijith PA) NOTE: 20220909: upstream report https://github.com/rails/rails/issues/45590 (abhijith) NOTE: 20220915: 2:5.2.2.1+dfsg-1+deb10u5 uploaded without the regression causing patch (abhijith) NOTE: 20220915: Utkarsh prepared a patch and is on testing (abhijith) + NOTE: 20221003: https://github.com/rails/rails/issues/45590#issuecomment-1249123907 (abhijith) -- rainloop NOTE: 20220913: Programming language: PHP, JavaScript. @@ -164,15 +165,16 @@ samba snort NOTE: 20220905: Requires further triaging to conclude exactly which CVEs to be fixed or ignored. -- -sox (Abhijith PA) +sox NOTE: 20220818: Programming language: C. NOTE: 20220818: Requires some investigation; see #1012138 etc. + NOTE: 20221003: https://sourceforge.net/p/sox/bugs/362/ Re-pinged upstream committer (abhijith) -- -squid +squid (Abhijith PA) NOTE: 20220923: Programming language: C. NOTE: 20220923: CVE-2022-41317 should be not-affected, but CVE-2022-41318 should be an issue, pleae recheck -- -trafficserver +trafficserver (Abhijith PA) NOTE: 20220905: Programming language: C. -- tzdata (Emilio) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c41fd9342a34670671c0c80e8f1df1b30e462f90 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c41fd9342a34670671c0c80e8f1df1b30e462f90 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
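Review bot: the second hunk drops the claim on sox (`-sox (Abhijith PA)` / `+sox`) while the commit message only says `update note. Claim trafficserver,squid`; releasing a claim is a state change other LTS contributors act on, so it should be named in the message alongside the two new claims and the added sox and rails notes.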
[Git][security-tracker-team/security-tracker][master] update note in dla-needed.txt
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 8963bb09 by Abhijith PA at 2022-09-15T13:37:02+05:30 update note in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -131,6 +131,8 @@ rails (Abhijith PA) NOTE: 20220909: Two issues https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith) NOTE: 20220909: https://lists.debian.org/debian-lts/2022/09/msg4.html (abhijith) NOTE: 20220909: upstream report https://github.com/rails/rails/issues/45590 (abhijith) + NOTE: 20220915: 2:5.2.2.1+dfsg-1+deb10u5 uploaded without the regression causing patch (abhijith) + NOTE: 20220915: Utkarsh prepared a patch and is on testing (abhijith) -- rainloop NOTE: 20220913: Programming language: PHP, JavaScript. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8963bb09975d92b0e0b088f15e7206b7c89539da -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8963bb09975d92b0e0b088f15e7206b7c89539da You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] reserve DLA-3093-2 for rails
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 783ec94b by Abhijith PA at 2022-09-15T13:01:01+05:30 reserve DLA-3093-2 for rails - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[15 Sep 2022] DLA-3093-2 rails - regression update + [buster] - rails 2:5.2.2.1+dfsg-1+deb10u5 [15 Sep 2022] DLA-3109-1 nova - security update {CVE-2019-14433} [buster] - nova 2:18.1.0-6+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/783ec94bee911f12b96f652dafe55dfb91e5e07c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/783ec94bee911f12b96f652dafe55dfb91e5e07c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] drop CVE-2022-32224 from DLA-3093-1
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: de0c07b1 by Abhijith PA at 2022-09-14T19:08:39+05:30 drop CVE-2022-32224 from DLA-3093-1 - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -21681,7 +21681,6 @@ CVE-2022-32225 (A reflected DOM-Based XSS vulnerability has been discovered in t NOT-FOR-US: Veeam CVE-2022-32224 RESERVED - {DLA-3093-1} - rails 2:6.1.6.1+dfsg-1 (bug #1016140) NOTE: https://github.com/advisories/GHSA-3hhc-qp5v-9p2j NOTE: Fixed by: https://github.com/rails/rails/commit/611990f1a6c137c2d56b1ba06b27e5d2434dcd6a (main) = data/DLA/list = @@ -41,7 +41,7 @@ {CVE-2021-0561} [buster] - flac 1.3.2-3+deb10u2 [03 Sep 2022] DLA-3093-1 rails - security update - {CVE-2022-21831 CVE-2022-22577 CVE-2022-23633 CVE-2022-2 CVE-2022-32224} + {CVE-2022-21831 CVE-2022-22577 CVE-2022-23633 CVE-2022-2} [buster] - rails 2:5.2.2.1+dfsg-1+deb10u4 [02 Sep 2022] DLA-3092-1 dpdk - security update {CVE-2022-2132} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/de0c07b172ab04ca843894f92d959ef044c5a652 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/de0c07b172ab04ca843894f92d959ef044c5a652 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
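Review bot: after `{DLA-3093-1}` is removed from the CVE-2022-32224 entry in data/CVE/list, the entry says nothing about buster any more: it keeps only the unstable fix `rails 2:6.1.6.1+dfsg-1 (bug #1016140)`, so the tracker will now show buster as vulnerable with no status or rationale. Add a `[buster] - rails ...` line with the conclusion of the recheck so the state is explicit rather than implied by the DLA drop. The matching removal from the DLA-3093-1 CVE set in data/DLA/list is consistent with that.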
[Git][security-tracker-team/security-tracker][master] Reclaim sox
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c05ffa8 by Abhijith PA at 2022-09-13T11:47:29+05:30 Reclaim sox - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -159,7 +159,7 @@ samba snort NOTE: 20220905: Requires further triaging to conclude exactly which CVEs to be fixed or ignored. -- -sox +sox (Abhijith PA) NOTE: 20220818: Programming language: C. NOTE: 20220818: Requires some investigation; see #1012138 etc. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c05ffa864d0c8c6176300b74b66f1acf7525aac -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c05ffa864d0c8c6176300b74b66f1acf7525aac You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Re add rails to dla-needed.txt, regression
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: db0b2ebc by Abhijith PA at 2022-09-09T18:11:02+05:30 Re add rails to dla-needed.txt, regression - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -121,6 +121,12 @@ poppler (Markus Koschany) python-oslo.utils (Chris Lamb) NOTE: 20220904: Programming language: Python. -- +rails (Abhijith PA) + NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith) + NOTE: 20220909: Two issues https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith) + NOTE: 20220909: https://lists.debian.org/debian-lts/2022/09/msg4.html (abhijith) + NOTE: 20220909: upstream report https://github.com/rails/rails/issues/45590 (abhijith) +-- runc NOTE: 20220905: Programming language: Go. NOTE: 20220905: Special attention: Sync with Bullseye. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db0b2ebc27c5b2a820d3427dedb2c5db64fd0af4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db0b2ebc27c5b2a820d3427dedb2c5db64fd0af4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
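Review bot: the second list reference in the new rails entry, `https://lists.debian.org/debian-lts/2022/09/msg4.html`, does not follow the zero-padded numbering used by the line above it (`msg00014.html`), so it is almost certainly a truncated or mistyped URL; fix it before it gets copied into a DLA text or a bug report.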
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3099-1 for qemu
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 0e2edf5f by Abhijith PA at 2022-09-05T08:52:16+05:30 Reserve DLA-3099-1 for qemu - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -36969,7 +36969,6 @@ CVE-2022-26355 (Citrix Federated Authentication Service (FAS) 7.17 - 10.6 causes CVE-2022-26354 (A flaw was found in the vhost-vsock device of QEMU. In case of error, ...) {DSA-5133-1 DLA-2970-1} - qemu 1:7.0+dfsg-1 - [buster] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2063257 NOTE: https://gitlab.com/qemu-project/qemu/-/commit/8d1b247f3748ac4078524130c6d7ae42b6140aaf NOTE: vulnerable code in buster in vhost_vsock_send_transport_reset @@ -60930,7 +60929,6 @@ CVE-2021-3930 (An off-by-one error was found in the SCSI device emulation in QEM {DLA-2970-1} - qemu 1:6.2+dfsg-1 [bullseye] - qemu (Minor issue) - [buster] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2020588 NOTE: https://gitlab.com/qemu-project/qemu/-/issues/546 NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 (v6.2.0-rc0) @@ -73898,7 +73896,6 @@ CVE-2021-39231 (In Apache Ozone versions prior to 1.2.0, Various internal server CVE-2021-3713 (An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) d ...) {DSA-4980-1 DLA-2753-1} - qemu 1:6.1+dfsg-2 (bug #992727) - [buster] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1994640 NOTE: https://gitlab.com/qemu-project/qemu/-/commit/13b250b12ad3c59114a6a17d59caf073ce45b33a CVE-2021-39230 (Butter is a system usability utility. Due to a kernel error the JPNS k ...) 
@@ -84736,13 +84733,11 @@ CVE-2021-34827 (This vulnerability allows network-adjacent attackers to execute NOT-FOR-US: D-Link CVE-2021-3608 (A flaw was found in the QEMU implementation of VMWare's paravirtual RD ...) - qemu 1:5.2+dfsg-11 (bug #990563) - [buster] - qemu (Minor issue) [stretch] - qemu (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1973383 NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=66ae37d8cc313f89272e711174a846a229bcdbd3 CVE-2021-3607 (An integer overflow was found in the QEMU implementation of VMWare's p ...) - qemu 1:5.2+dfsg-11 (bug #990564) - [buster] - qemu (Minor issue) [stretch] - qemu (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1973349 NOTE: upstream commit: https://git.qemu.org/?p=qemu.git;a=commit;h=32e5703cfea07c91e6e84bcb0313f633bb146534 @@ -86893,7 +86888,6 @@ CVE-2021-3587 REJECTED CVE-2021-3582 (A flaw was found in the QEMU implementation of VMWare's paravirtual RD ...) - qemu 1:5.2+dfsg-11 (bug #990565) - [buster] - qemu (Minor issue) [stretch] - qemu (Vulnerable code introduced later) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-06/msg04148.html NOTE: Upstream commit: https://git.qemu.org/?p=qemu.git;a=commit;h=284f191b4abad213aed04cb0458e1600fd18d7c4 @@ -92138,7 +92132,6 @@ CVE-2021-3528 (A flaw was found in noobaa-operator in versions before 5.7.0, whe CVE-2021-3527 (A flaw was found in the USB redirector device (usb-redir) of QEMU. Sma ...) {DLA-2753-1} - qemu 1:5.2+dfsg-11 (bug #988157) - [buster] - qemu (Minor issue) NOTE: Initial patchset: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg00564.html NOTE: Revisited: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01372.html NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01373.html 
@@ -93339,7 +93332,6 @@ CVE-2021-3508 (A flaw was found in PDFResurrect in version 0.22b. There is an in CVE-2021-3507 (A heap buffer overflow was found in the floppy disk emulator of QEMU u ...) - qemu (bug #987410) [bullseye] - qemu (Minor issue) - [buster] - qemu (Minor issue) [stretch] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1951118 NOTE: https://gitlab.com/qemu-project/qemu/-/commit/defac5e2fbddf8423a354ff0454283a2115e1367 @@ -103199,7 +103191,6 @@ CVE-2021-3417 (An internal product security audit of LXCO, prior to version 1.2. CVE-2021-3416 (A potential stack overflow via infinite loop issue was found in variou ...) {DLA-2623-1} - qemu 1:5.2+dfsg-9 (bug #984448) - [buster] - qemu (Minor issue) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07431.html NOTE: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07484.html
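Review bot: the data/CVE/list hunks remove the `[buster] - qemu (Minor issue)` line from a series of CVE entries (CVE-2022-26354, CVE-2021-3930, CVE-2021-3713, CVE-2021-3608, CVE-2021-3607, CVE-2021-3582, CVE-2021-3527, CVE-2021-3507, CVE-2021-3416), but none of the shown hunks adds a `{DLA-3099-1}` cross-reference to those entries, and the data/DLA/list and data/dla-needed.txt changes named in the file list are not visible in this message. The tracker marks buster as fixed only through the DLA entry's CVE set plus its `[buster]` version line, so confirm that the DLA-3099-1 entry lists every CVE whose buster line is dropped here; any CVE left out flips from "Minor issue" to unresolved for buster with this commit.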
[Git][security-tracker-team/security-tracker][master] Add missing CVE to DLA list
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 8a7cb1ff by Abhijith PA at 2022-09-03T19:23:53+05:30 Add missing CVE to DLA list - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,5 +1,5 @@ [03 Sep 2022] DLA-3093-1 rails - security update - {CVE-2022-21831 CVE-2022-22577 CVE-2022-23633 CVE-2022-2} + {CVE-2022-21831 CVE-2022-22577 CVE-2022-23633 CVE-2022-2 CVE-2022-32224} [buster] - rails 2:5.2.2.1+dfsg-1+deb10u4 [02 Sep 2022] DLA-3092-1 dpdk - security update {CVE-2022-2132} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a7cb1ff2a6b52c6d6e772b0e7006b61a90d3aa4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a7cb1ff2a6b52c6d6e772b0e7006b61a90d3aa4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
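Review bot: only data/DLA/list is touched (`1 changed file`), so CVE-2022-32224 joins the DLA-3093-1 CVE set without the matching `{DLA-3093-1}` reference being added to the CVE-2022-32224 entry in data/CVE/list in the same commit. Keep both files in step in one commit so the tracker does not show the advisory and the CVE entry disagreeing in between.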
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3093-1 for rails
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: b043d0ef by Abhijith PA at 2022-09-03T16:26:29+05:30 Reserve DLA-3093-1 for rails - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[03 Sep 2022] DLA-3093-1 rails - security update + {CVE-2022-21831 CVE-2022-22577 CVE-2022-23633 CVE-2022-2} + [buster] - rails 2:5.2.2.1+dfsg-1+deb10u4 [02 Sep 2022] DLA-3092-1 dpdk - security update {CVE-2022-2132} [buster] - dpdk 18.11.11-1~deb10u2 = data/dla-needed.txt = @@ -82,10 +82,6 @@ qemu (Abhijith PA) NOTE: 20220808: conflicting pu at https://people.debian.org/~abhijith/upload/mruby/qemu_3.1+dfsg-8+deb10u9.dsc , needs to be merged (Beuc/abhijith) NOTE: 20220822: Merged new build at https://people.debian.org/~abhijith/upload/mruby/qemu_3.1+dfsg-8+deb10u9.dsc (abhijith) -- -rails (Abhijith PA) - NOTE: 20220817: Programming language: Ruby. - NOTE: 20220817: Vulnerable to at least CVE-2022-21831. --- ruby-rack (Utkarsh) NOTE: 20220818: Programming language: Ruby. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b043d0ef9bbcaef6e85b7fe6c6da6d9f978517af -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b043d0ef9bbcaef6e85b7fe6c6da6d9f978517af You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
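Review bot: the CVE set in the new DLA-3093-1 entry, `{CVE-2022-21831 CVE-2022-22577 CVE-2022-23633 CVE-2022-2}`, ends with `CVE-2022-2`, which is not a complete CVE identifier (the sequence part has at least four digits); it looks truncated and the tracker cannot match it to any entry. Check which id was meant and spell it out. The dla-needed.txt note removed in the same commit said rails was `Vulnerable to at least CVE-2022-21831`, which suggests the full CVE set was still being triaged when this entry was written.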
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3091-1 for sofia-sip
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 502c21ed by Abhijith PA at 2022-09-02T02:16:46+05:30 Reserve DLA-3091-1 for sofia-sip - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[02 Sep 2022] DLA-3091-1 sofia-sip - security update + {CVE-2022-31001 CVE-2022-31002 CVE-2022-31003} + [buster] - sofia-sip 1.12.11+20110422.1-2.1+deb10u1 [31 Aug 2022] DLA-3090-1 php-horde-turba - security update {CVE-2022-30287} [buster] - php-horde-turba 4.2.23-1+deb10u1 = data/dla-needed.txt = @@ -90,9 +90,6 @@ salt NOTE: 20220814: Also, I am not sure, whether it is possible to fix issues NOTE: 20220814: without backporting a newer verion. (Anton) -- -sofia-sip (Abhijith PA) - NOTE: 20220818: Programming language: C. --- sox (Abhijith PA) NOTE: 20220818: Programming language: C. NOTE: 20220818: Requires some investigation; see #1012138 etc. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/502c21ed0f1a93e7a9374757e9acdab4d1ecb036 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/502c21ed0f1a93e7a9374757e9acdab4d1ecb036 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim sox sofia-sip
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: c7846a5c by Abhijith PA at 2022-08-28T01:05:05+05:30 data/dla-needed.txt: claim sox sofia-sip - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -84,7 +84,7 @@ qemu (Abhijith PA) NOTE: 20220808: conflicting pu at https://people.debian.org/~abhijith/upload/mruby/qemu_3.1+dfsg-8+deb10u9.dsc , needs to be merged (Beuc/abhijith) NOTE: 20220822: Merged new build at https://people.debian.org/~abhijith/upload/mruby/qemu_3.1+dfsg-8+deb10u9.dsc (abhijith) -- -rails +rails (Abhijith PA) NOTE: 20220817: Programming language: Ruby. NOTE: 20220817: Vulnerable to at least CVE-2022-21831. -- @@ -101,10 +101,10 @@ salt NOTE: 20220814: Also, I am not sure, whether it is possible to fix issues NOTE: 20220814: without backporting a newer verion. (Anton) -- -sofia-sip +sofia-sip (Abhijith PA) NOTE: 20220818: Programming language: C. -- -sox +sox (Abhijith PA) NOTE: 20220818: Programming language: C. NOTE: 20220818: Requires some investigation; see #1012138 etc. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c7846a5caabb5f220eaf731561b1e41c8fa3c7cc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c7846a5caabb5f220eaf731561b1e41c8fa3c7cc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
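Review bot: the first hunk also claims rails (`-rails` / `+rails (Abhijith PA)`) in addition to sox and sofia-sip, but the commit message `data/dla-needed.txt: claim sox sofia-sip` names only the latter two; list all three so the rails claim is visible in the log.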
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3083-1 for puma
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 768dca5e by Abhijith PA at 2022-08-28T00:22:19+05:30 Reserve DLA-3083-1 for puma - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[28 Aug 2022] DLA-3083-1 puma - security update + {CVE-2021-29509 CVE-2021-41136 CVE-2022-23634 CVE-2022-24790} + [buster] - puma 3.12.0-2+deb10u3 [27 Aug 2022] DLA-3082-1 exim4 - security update {CVE-2022-37452} [buster] - exim4 4.92-8+deb10u7 = data/dla-needed.txt = @@ -77,9 +77,6 @@ php-horde-mime-viewer php-horde-turba NOTE: 20220816: Programming language: PHP. -- -puma (Abhijith PA) - NOTE: 20220801: Programming language: Ruby. --- qemu (Abhijith PA) NOTE: 20220802: Programming language: C. NOTE: 20220802: debdiff of backported fixes was submitted to buster-proposed-updates: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007931 and View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/768dca5e956f78f77dd2f36784c3f6185e00f154 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/768dca5e956f78f77dd2f36784c3f6185e00f154 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3081-1 for open-vm-tools
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 65156c78 by Abhijith PA at 2022-08-25T12:47:43+05:30 Reserve DLA-3081-1 for open-vm-tools - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[25 Aug 2022] DLA-3081-1 open-vm-tools - security update + {CVE-2022-31676} + [buster] - open-vm-tools 2:10.3.10-1+deb10u3 [24 Aug 2022] DLA-3080-1 firefox-esr - security update {CVE-2022-38472 CVE-2022-38473 CVE-2022-38478} [buster] - firefox-esr 91.13.0esr-1~deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/65156c78415bace7957c7ffe0991599f29bd10b6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/65156c78415bace7957c7ffe0991599f29bd10b6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] update note in dla-needed
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: c5fb08ea by Abhijith PA at 2022-08-22T12:06:49+05:30 update note in dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -87,6 +87,7 @@ qemu (Abhijith PA) NOTE: 20220802: debdiff of backported fixes was submitted to buster-proposed-updates: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007931 and NOTE: 20220802: wcan now be released as DLA instead. The updated packages are/were running fine in a buster ganeti cluster. (jmm) NOTE: 20220808: conflicting pu at https://people.debian.org/~abhijith/upload/mruby/qemu_3.1+dfsg-8+deb10u9.dsc , needs to be merged (Beuc/abhijith) + NOTE: 20220822: Merged new build at https://people.debian.org/~abhijith/upload/mruby/qemu_3.1+dfsg-8+deb10u9.dsc (abhijith) -- rails NOTE: 20220817: Programming language: Ruby. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5fb08ea58c6b01909479b53078a89df7253a21e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5fb08ea58c6b01909479b53078a89df7253a21e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
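Review bot: the added `20220822: Merged new build at ...` note points at exactly the same path as the 20220808 `conflicting pu` note (`.../mruby/qemu_3.1+dfsg-8+deb10u9.dsc`), so a reader cannot tell from the entry whether the file at that URL is the old conflicting upload or the merged one. Record something that distinguishes the new build (a separate directory, the .dsc checksum, or the changelog entry it carries) next to the note.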
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim puma
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 98264ee4 by Abhijith PA at 2022-08-14T12:20:17+05:30 data/dla-needed.txt: claim puma - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -54,7 +54,7 @@ nodejs NOTE: 20220801: Programming language: JavaScript. NOTE: 20220801: one of the upstream fixes doesn't address the security issue -- -puma +puma (Abhijith PA) NOTE: 20220801: Programming language: Ruby. -- schroot View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98264ee48ca26027049e887f8bfdd5d11246df89 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98264ee48ca26027049e887f8bfdd5d11246df89 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim qemu from beuc
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 99815548 by Abhijith PA at 2022-08-08T22:42:38+05:30 Claim qemu from beuc - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -38,7 +38,7 @@ nodejs -- puma -- -qemu +qemu (Abhijith PA) NOTE: 20220802: debdiff of backported fixes was submitted to buster-proposed-updates: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007931 and NOTE: 20220802: wcan now be released as DLA instead. The updated packages are/were running fine in a buster ganeti cluster. (jmm) NOTE: 20220808: conflicting pu at https://people.debian.org/~abhijith/upload/mruby/qemu_3.1+dfsg-8+deb10u9.dsc , needs to be merged (Beuc/abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99815548d65565d854d8d4ce9d6396464883b3b3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99815548d65565d854d8d4ce9d6396464883b3b3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] upstream patch for CVE-2021-3607
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 18bef27b by Abhijith PA at 2022-07-02T14:41:58+05:30 upstream patch for CVE-2021-3607 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -71393,6 +71393,7 @@ CVE-2021-3607 (An integer overflow was found in the QEMU implementation of VMWar [buster] - qemu (Minor issue) [stretch] - qemu (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1973349 + NOTE: upstream commit: https://git.qemu.org/?p=qemu.git;a=commit;h=32e5703cfea07c91e6e84bcb0313f633bb146534 CVE-2021-3606 (OpenVPN before version 2.5.3 on Windows allows local users to load arb ...) - openvpn (Windows-specific) CVE-2021-34826 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/18bef27b2df3e46f75916c546dd6de9e8cc733cb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/18bef27b2df3e46f75916c546dd6de9e8cc733cb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] upstream patch for CVE-2021-3582
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 3bb24844 by Abhijith PA at 2022-07-02T11:44:47+05:30 upstream patch for CVE-2021-3582 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -73510,6 +73510,7 @@ CVE-2021-3582 (A flaw was found in the QEMU implementation of VMWare's paravirtu [buster] - qemu (Minor issue) [stretch] - qemu (Vulnerable code introduced later) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-06/msg04148.html + NOTE: Upstream commit: https://git.qemu.org/?p=qemu.git;a=commit;h=284f191b4abad213aed04cb0458e1600fd18d7c4 CVE-2021-33907 (The Zoom Client for Meetings for Windows in all versions before 5.3.0 ...) NOT-FOR-US: Zoom Client for Meetings for Windows CVE-2021-33906 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3bb24844c71f04f69264336f4e8cf919469df179 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3bb24844c71f04f69264336f4e8cf919469df179 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] patch references for CVE-2020-35505
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: f2d1d423 by Abhijith PA at 2022-07-02T11:09:49+05:30 patch references for CVE-2020-35505 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -110274,6 +110274,17 @@ CVE-2020-35505 (A NULL pointer dereference flaw was found in the am53c974 SCSI h [stretch] - qemu (Fix along in future DLA) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1909769 NOTE: https://bugs.launchpad.net/qemu/+bug/1910723 (reproducer) + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=0db895361b8a82e1114372ff9f4857abea605701 + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=e392255766071c8cac480da3a9ae4f94e56d7cbc + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=e5455b8c1c6170c788f3c0fd577cc3be53539a99 + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=c5fef9112b15c4b5494791cdf8bbb40bc1938dd3 + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=7b320a8e67a534925048cbabfa51431e0349dafd + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=99545751734035b76bd372c4e7215bb337428d89 + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=fa7505c154d4d00ad89a747be2eda556643ce00e + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=fbc6510e3379fa8f8370bf71198f0ce733bf07f9 + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=0ebb5fd80589835153a0c2baa1b8cc7a04e67a93 + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=324c8809897c8c53ad05c3a7147d272f1711cd5e + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=607206948cacda4a80be5b976dba490970a18a76 CVE-2020-35504 (A NULL pointer dereference flaw was found in the SCSI emulation suppor ...) [experimental] - qemu 1:6.0+dfsg-1~exp0 - qemu 1:6.0+dfsg-3 (bug #979679) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2d1d423a8783bac9ecb87f95268384a5d86f595 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2d1d423a8783bac9ecb87f95268384a5d86f595 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
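Review bot: the eleven added commit URLs for CVE-2020-35505 carry no annotation, so whoever prepares the stretch update promised by `[stretch] - qemu (Fix along in future DLA)` cannot tell which commit is the NULL-dereference fix and which are prerequisites, refactors or tests without re-reading the series. Annotate each line, e.g. `NOTE: <url> (fix)`, `(prerequisite)`, `(test)`, or name the qemu release the series landed in, as the CVE-2020-15866 mruby entry does with `(3.0.0-preview)` and `(2.1.2-rc2)`.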
[Git][security-tracker-team/security-tracker][master] Add missing patches for CVE-2021-3507
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: fd035a50 by Abhijith PA at 2022-07-02T09:59:48+05:30 Add missing patches for CVE-2021-3507 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -79893,7 +79893,8 @@ CVE-2021-3507 (A heap buffer overflow was found in the floppy disk emulator of Q [buster] - qemu (Minor issue) [stretch] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1951118 - NOTE: No upstream patch as of 2022-04-21 + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/defac5e2fbddf8423a354ff0454283a2115e1367 + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/46609b90d9e3a6304def11038a76b58ff43f77bc CVE-2021-3506 (An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c ...) {DLA-2690-1} - linux 5.10.38-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd035a50451a8b276072015f407f9db7babf20df -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd035a50451a8b276072015f407f9db7babf20df You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
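Review bot: replacing `No upstream patch as of 2022-04-21` with two bare gitlab.com commit links loses the what-is-what: a two-commit fix for a heap overflow in the floppy emulator usually pairs the code change with a test or follow-up, so label which commit is the fix (`NOTE: Fixed by: <url>`) and which is the companion. The `(Minor issue)` annotations for buster and stretch predate the fix; re-check that they still hold now that an upstream patch exists.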
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: reclaim libmatio, continue work
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: dba94d97 by Abhijith PA at 2022-06-24T14:02:56+05:30 data/dla-needed.txt: reclaim libmatio, continue work - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -144,9 +144,10 @@ liblouis NOTE: 20220503: CVE-2022-26981 patch applied in salsa lts-team repo, NOTE: 20220503: Patch not applied upstream yet. -- -libmatio +libmatio (Abhijith PA) NOTE: 20220529: Programming language: C. NOTE: 20220528: lots of postponed minor vulnerabilities, no past stretch security upload, supported package (Beuc/front-desk) + NOTE: 20220622: Continue with remaining work (abhijith) -- libvirt (Thorsten Alteholz) NOTE: 20220529: Programming language: C. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dba94d976781b125d55ad3fd22b7406b56a6717d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dba94d976781b125d55ad3fd22b7406b56a6717d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
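Review bot: the new `NOTE: 20220622: Continue with remaining work` does not say what remains (which of the "lots of postponed minor vulnerabilities" are done, where the work-in-progress lives); other claimed entries in this file point at a .dsc under people.debian.org, e.g. the icingaweb2 entry. The note is dated 20220622 while the commit is from 2022-06-24; if the work happened on the 22nd that is fine, but the dates here are what front-desk uses to spot stale claims, so keep them accurate.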
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: reclaim qemu
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 1d5a39f3 by Abhijith PA at 2022-06-14T13:10:36+05:30 data/dla-needed.txt: reclaim qemu - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -240,7 +240,7 @@ pyjwt NOTE: 20220610: intention to mark as no-dsa for stretch, and will do so in a few days NOTE: 20220610: see https://lists.debian.org/msgid-search/20220610102343.6o3ak3ehc3jdo...@enricozini.org (enrico) -- -qemu +qemu (Abhijith PA) NOTE: 20220529: Programming language: C. NOTE: 20220527: a few new CVEs since last DLA, and buster got no updates since 2 years, NOTE: 20220527: so maybe coordinate to start anticipating the next LTS (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d5a39f3ffd03292e24e779abcbbfe637eab55a8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d5a39f3ffd03292e24e779abcbbfe637eab55a8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
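Review bot: the front-desk note of 20220527 asks to coordinate with the buster side before starting, since buster has had no qemu update for two years; the reclaim adds no dated NOTE saying whether that coordination happened or which CVEs the stretch update will cover. A one-line dated NOTE here saves the next reader from asking the same question.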
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: reclaim icingaweb2
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: c2bb630a by Abhijith PA at 2022-06-07T07:19:33+05:30 data/dla-needed.txt: reclaim icingaweb2 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -99,11 +99,9 @@ horizon NOTE: 20220523: Follow buster: harmonize with with DSA-4820-1 (1 CVE) (Beuc/front-desk) NOTE: 20220523: part of OpenStack (Beuc/front-desk) -- -icingaweb2 +icingaweb2 (Abhijith PA) NOTE: 20220529: Programming language: PHP. - NOTE: https://people.debian.org/~abhijith/upload/mruby/icingaweb2_2.4.1-1+deb9u2.dsc (abhijith) - NOTE: 20220522: Pinged upstream for missing patches. Will write an detail - NOTE: 20220522: email about situation (abhijith) + NOTE: https://people.debian.org/~abhijith/upload/mruby/icingaweb2_2.6.2-3~bpo9+1+deb9u1.dsc (abhijith) -- intel-microcode NOTE: 20220529: Programming language: binary blob. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2bb630a0e399e9fac9c078ef76941510512eed6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2bb630a0e399e9fac9c078ef76941510512eed6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
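Review bot: the hunk deletes the 20220522 history ("Pinged upstream for missing patches") and swaps the candidate upload from icingaweb2_2.4.1-1+deb9u2 to icingaweb2_2.6.2-3~bpo9+1+deb9u1, i.e. from a targeted patch to rebasing stretch on the backports version. That is a large change of approach for an LTS update and needs a dated NOTE with the reason and the regression risk for stretch users; the earlier reasoning should be kept rather than removed. The .dsc still lives under `~abhijith/upload/mruby/` for an icingaweb2 package; check that the path is intentional.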
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim libmatio
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 2358bf94 by Abhijith PA at 2022-05-31T14:42:31+05:30 data/dla-needed.txt: claim libmatio - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -152,7 +152,7 @@ liblouis (Andreas Rönnquist) NOTE: 20220503: CVE-2022-26981 patch applied in salsa lts-team repo, NOTE: 20220503: Patch not applied upstream yet. -- -libmatio +libmatio (Abhijith PA) NOTE: 20220529: Programming language: C. NOTE: 20220528: lots of postponed minor vulnerabilities, no past stretch security upload, supported package (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2358bf94c3f97bccd1e452669ba03ce8db94641a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2358bf94c3f97bccd1e452669ba03ce8db94641a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3036-1 for pjproject
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: aa6d4125 by Abhijith PA at 2022-05-31T14:15:55+05:30 Reserve DLA-3036-1 for pjproject - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -20779,7 +20779,6 @@ CVE-2022-24763 (PJSIP is a free and open source multimedia communication library - asterisk [stretch] - asterisk (Vulnerable code not present) - pjproject - [stretch] - pjproject (Minor issue, infinite loop DoS) - ring NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-5x45-qp78-g4p4 NOTE: https://github.com/pjsip/pjproject/commit/856f87c2e97a27b256482dbe0d748b1194355a21 = data/DLA/list = @@ -1,3 +1,6 @@ +[31 May 2022] DLA-3036-1 pjproject - security update + {CVE-2022-24763 CVE-2022-24792 CVE-2022-24793} + [stretch] - pjproject 2.5.5~dfsg-6+deb9u5 [30 May 2022] DLA-3035-1 libdbi-perl - security update {CVE-2014-10402} [stretch] - libdbi-perl 1.636-1+deb9u2 = data/dla-needed.txt = @@ -233,10 +233,6 @@ pdns pidgin (Andreas Rönnquist) NOTE: 20220529: Programming language: C. -- -pjproject (Abhijith PA) - NOTE: 20220529: Programming language: C. - NOTE: 20220527: Same CVE asterisk (abhijith) --- plinth NOTE: 20220529: Programming language: Python. NOTE: 20220524: Follow buster: harmonize with with Debian 10.7 and 10.10 (2 CVEs) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aa6d4125ae9d9784e5916371f47c21203309df32 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aa6d4125ae9d9784e5916371f47c21203309df32 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
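Review bot: in the data/CVE/list hunk, dropping `[stretch] - pjproject (Minor issue, infinite loop DoS)` from CVE-2022-24763 is correct once DLA-3036-1 fixes it, but the DLA entry also lists CVE-2022-24792 and CVE-2022-24793 and this hunk touches neither; confirm those two entries carry no leftover stretch annotation, otherwise the tracker shows them as both fixed and postponed.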
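Review bot: in the data/DLA/list hunk, DLA-3036-1 fixes three pjproject CVEs for which stretch asterisk was marked `Vulnerable code not present` in cba9b4c7 on the grounds that it uses the packaged libpjproject-dev; the advisory text should tell asterisk users they receive the fix by upgrading pjproject, and the asterisk entries could gain a NOTE pointing at this DLA. Leaving CVE-2022-24786 out is consistent with the "RTCP-FB handling is introduced in later versions" assessment in 72e50a80.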
[Git][security-tracker-team/security-tracker][master] RTCP-FB handling is introduced in later versions.
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 72e50a80 by Abhijith PA at 2022-05-29T23:48:10+05:30 RTCP-FB handling is introduced in later versions. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19886,6 +19886,7 @@ CVE-2022-24786 (PJSIP is a free and open source multimedia communication library - asterisk [stretch] - asterisk (Vulnerable code not present) - pjproject + [stretch] - pjproject (Vulnerable code not present) - ring (unimportant) NOTE: code is present in ring but ring only uses the pjsip code, not pjmedia NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-vhxv-phmx-g52q View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72e50a8035fc2cf48e7a151c019f23c52a89bea0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72e50a8035fc2cf48e7a151c019f23c52a89bea0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
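Review bot: the rationale for `[stretch] - pjproject (Vulnerable code not present)` on CVE-2022-24786 exists only in the commit message ("RTCP-FB handling is introduced in later versions"); add it as a `NOTE:` line, ideally naming the upstream version or commit that introduced RTCP-FB, so the assessment can be re-checked without git log. The `- ring (unimportant)` line directly below keeps its justification in a NOTE; the pjproject line deserves the same.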
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim qemu
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 87021e6e by Abhijith PA at 2022-05-28T21:24:32+05:30 data/dla-needed.txt: claim qemu - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -213,7 +213,7 @@ pyjwt -- pypdf2 -- -qemu +qemu (Abhijith PA) NOTE: 20220527: a few new CVEs since last DLA, and buster got no updates since 2 years, NOTE: 20220527: so maybe coordinate to start anticipating the next LTS (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/87021e6e3f823972f1d004fe2d608d39daddb16e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/87021e6e3f823972f1d004fe2d608d39daddb16e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] asterisk uses packaged libpjproject-dev
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: cba9b4c7 by Abhijith PA at 2022-05-28T13:44:26+05:30 asterisk uses packaged libpjproject-dev - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -14649,6 +14649,7 @@ CVE-2022-26652 (NATS nats-server before 2.7.4 allows Directory Traversal (with w NOT-FOR-US: nats-server CVE-2022-26651 (An issue was discovered in Asterisk through 19.x and Certified Asteris ...) - asterisk 1:18.11.2~dfsg+~cs6.10.40431413-1 + [stretch] - asterisk (Fix in next upload) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-29838 NOTE: https://downloads.asterisk.org/pub/security/AST-2022-003.html CVE-2022-25943 (The installer of WPS Office for Windows versions prior to v11.2.0.1025 ...) @@ -19827,12 +19828,14 @@ CVE-2022-24794 (Express OpenID Connect is an Express JS middleware implementing NOT-FOR-US: Express OpenID Connect CVE-2022-24793 (PJSIP is a free and open source multimedia communication library writt ...) - asterisk + [stretch] - asterisk (Vulnerable code not present) - pjproject - ring NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4 NOTE: https://github.com/pjsip/pjproject/commit/9fae8f43accef8ea65d4a8ae9cdf297c46cfe29a CVE-2022-24792 (PJSIP is a free and open source multimedia communication library writt ...) - asterisk + [stretch] - asterisk (Vulnerable code not present) - pjproject - ring (unimportant) NOTE: code is present in ring but ring only uses the pjsip code, not pjmedia @@ -19857,6 +19860,7 @@ CVE-2022-24787 (Vyper is a Pythonic Smart Contract Language for the Ethereum Vir NOT-FOR-US: Vyper CVE-2022-24786 (PJSIP is a free and open source multimedia communication library writt ...) - asterisk + [stretch] - asterisk (Vulnerable code not present) - pjproject - ring (unimportant) NOTE: code is present in ring but ring only uses the pjsip code, not pjmedia 
@@ -19946,12 +19950,14 @@ CVE-2022-24765 (Git for Windows is a fork of Git containing Windows-specific pat CVE-2022-24764 (PJSIP is a free and open source multimedia communication library writt ...) {DLA-2962-1} - asterisk + [stretch] - asterisk (Vulnerable code not present) - pjproject - ring NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-f5qg-pqcg-765m NOTE: https://github.com/pjsip/pjproject/commit/560a1346f87aabe126509bb24930106dea292b00 CVE-2022-24763 (PJSIP is a free and open source multimedia communication library writt ...) - asterisk + [stretch] - asterisk (Vulnerable code not present) - pjproject [stretch] - pjproject (Minor issue, infinite loop DoS) - ring @@ -19996,6 +20002,7 @@ CVE-2022-24755 (Bareos is open source software for backup, archiving, and recove CVE-2022-24754 (PJSIP is a free and open source multimedia communication library writt ...) {DLA-2962-1} - asterisk + [stretch] - asterisk (Vulnerable code not present) - pjproject - ring NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-73f7-48m9-w662 = data/dla-needed.txt = @@ -19,9 +19,6 @@ rather than remove/replace existing ones. -- amd64-microcode -- -asterisk (Abhijith PA) - NOTE: 20220424: programming language C --- avahi NOTE: 20220523: Follow buster: harmonize with with Debian 10.9 (1 Debian-specific CVE) (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cba9b4c7d81d96c6b4faa53e998d20e24684ede3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cba9b4c7d81d96c6b4faa53e998d20e24684ede3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
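Review bot: in the CVE-2022-26651 hunk, `[stretch] - asterisk (Fix in next upload)` is added in the same commit whose last hunk removes asterisk from data/dla-needed.txt, so the promised stretch upload no longer has a tracked entry or owner. Either keep asterisk in dla-needed.txt with a note that only CVE-2022-26651 remains, or change the annotation to reflect the actual plan.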
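Review bot: the six `[stretch] - asterisk (Vulnerable code not present)` lines for the pjproject CVEs are justified only by the commit message ("asterisk uses packaged libpjproject-dev"); record that as a `NOTE:` on at least one of the entries, because "vulnerable code not present" reads as if the source lacks the code, whereas the point is that stretch's asterisk links the system pjproject and is fixed through that package.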
[Git][security-tracker-team/security-tracker][master] CVE-2022-26498, CVE-2022-26499 not affected for stretch
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 400c5735 by Abhijith PA at 2022-05-28T11:54:24+05:30 CVE-2022-26498, CVE-2022-26499 not affected for stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14945,10 +14945,12 @@ CVE-2022-26500 (Improper limitation of path names in Veeam Backup Replicat NOT-FOR-US: Veeam CVE-2022-26499 (An SSRF issue was discovered in Asterisk through 19.x. When using STIR ...) - asterisk 1:18.11.2~dfsg+~cs6.10.40431413-1 + [stretch] - asterisk (Vulnerable code not present) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-29476 NOTE: https://downloads.asterisk.org/pub/security/AST-2022-002.html CVE-2022-26498 (An issue was discovered in Asterisk through 19.x. When using STIR/SHAK ...) - asterisk 1:18.11.2~dfsg+~cs6.10.40431413-1 + [stretch] - asterisk (Vulnerable code not present) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-29872 NOTE: https://downloads.asterisk.org/pub/security/AST-2022-001.html CVE-2022-26497 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/400c573520684e48dd2f135f2210778a28017bda -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/400c573520684e48dd2f135f2210778a28017bda You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
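Review bot: both added stretch lines rest on the CVE text ("When using STIR...") without saying so; add a NOTE stating that the STIR/SHAKEN code these issues depend on is absent from the stretch asterisk version, otherwise the `Vulnerable code not present` marking cannot be audited later.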
[Git][security-tracker-team/security-tracker][master] dla-needed.txt: Claim pjproject
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 28c922fd by Abhijith PA at 2022-05-27T14:53:49+05:30 dla-needed.txt: Claim pjproject - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -181,7 +181,8 @@ pdns NOTE: 20220506: package builds but does not run a test suite, and I lack the NOTE: 20220506: know-how for testing manually (enrico) -- -pjproject +pjproject (Abhijith PA) + NOTE: 20220527: Same CVE asterisk (abhijith) -- plinth NOTE: 20220524: Harmonize with Debian 10.7 and 10.10 (2 CVEs) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/28c922fddae42797c640ea2b6689aa77325decee -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/28c922fddae42797c640ea2b6689aa77325decee You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla-needed.txt: update note
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 9c938a99 by Abhijith PA at 2022-05-26T12:58:47+05:30 dla-needed.txt: update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -225,6 +225,7 @@ ring NOTE: 20220404: package in archive is faulty. New regs can't be done due (abhijith) NOTE: 20220404: a network error (abhijith) NOTE: 20220506: Pinged maintainer team and maintainer (abhijith) + NOTE: 20220526: Re pinged Debian maintainer and Pinged upstream for help. (abhijith) -- ros-ros-comm NOTE: 20220524: Harmonize with Debian 10.7 and 10.12 (2 CVEs) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c938a9981038b0be63ace1cef3b8ae40a64dc74 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c938a9981038b0be63ace1cef3b8ae40a64dc74 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] update note in dla-needed
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: ce44f8b4 by Abhijith PA at 2022-05-18T16:20:59+05:30 update note in dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -85,8 +85,10 @@ gpac NOTE: 20220413: New CVEs continue flooding in (roberto) NOTE: 20220427: Preparing to work with security team to declare EOL (roberto) -- -icingaweb2 +icingaweb2 (Abhijith PA) NOTE: https://people.debian.org/~abhijith/upload/mruby/icingaweb2_2.4.1-1+deb9u2.dsc (abhijith) + NOTE: 20220522: Pinged upstream for missing patches. Will write an detail + NOTE: 20220522: email about situation (abhijith) -- intel-microcode (Stefano Rivera) NOTE: 20220213: please recheck View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce44f8b4884adc27f91a28bc7cfa3caf0bcc279c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce44f8b4884adc27f91a28bc7cfa3caf0bcc279c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
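Review bot: the two added NOTE lines are dated 20220522 but the commit is timestamped 2022-05-18T16:20:59+05:30, so the date cannot be right; front-desk relies on these dates to spot stale claims, so correct it. In the same lines, `Will write an detail email` should read `Will write a detailed email`, and the icingaweb2 .dsc URL sits under `~abhijith/upload/mruby/`; check the path.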
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim asterisk, update note for ring
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 11a7d03d by Abhijith PA at 2022-05-06T13:56:45+05:30 data/dla-needed.txt: claim asterisk, update note for ring - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -26,7 +26,7 @@ ansible NOTE: 20220427: Lee Garrett (maintainer) took over the work a while ago. See NOTE: 20220427: https://salsa.debian.org/debian/ansible/-/commits/stretch/ -- -asterisk +asterisk (Abhijith PA) NOTE: 20220424: programming language C -- ark @@ -136,6 +136,7 @@ ring (Abhijith PA) NOTE: 20220314: https://people.debian.org/~abhijith/upload/vda/ring_20161221.2.7bd7d91~dfsg1-1+deb9u2.dsc NOTE: 20220404: package in archive is faulty. New regs can't be done due (abhijith) NOTE: 20220404: a network error (abhijith) + NOTE: 20220506: Pinged maintainer team and maintainer (abhijith) -- ruby-devise-two-factor NOTE: 20220427: Patch does not apply cleanly to LTS version, may be due to this being the result View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/11a7d03d9e60909349a71f402465ec4fc8d33119 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/11a7d03d9e60909349a71f402465ec4fc8d33119 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2996-1 for mruby
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: a5729bd6 by Abhijith PA at 2022-05-06T13:43:14+05:30 Reserve DLA-2996-1 for mruby - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -134677,7 +134677,6 @@ CVE-2020-15867 (The git hook feature in Gogs 0.5.5 through 0.12.2 allows for aut CVE-2020-15866 (mruby through 2.1.2-rc has a heap-based buffer overflow in the mrb_yie ...) - mruby 2.1.2-1 (bug #972051) [buster] - mruby (Minor issue) - [stretch] - mruby (Minor issue) NOTE: https://github.com/mruby/mruby/issues/5042 NOTE: https://github.com/mruby/mruby/commit/6334949ba69363cb909a57d6871895bd6d98bb6b (3.0.0-preview) NOTE: https://github.com/mruby/mruby/commit/63956036e116ef6a33a91e16348c4d1a09f6f72c (2.1.2-rc2) @@ -248862,7 +248861,6 @@ CVE-2018-14338 (samples/geotag.cpp in the example code of Exiv2 0.26 misuses the NOTE: Issue in example code of Exiv2 CVE-2018-14337 (The CHECK macro in mrbgems/mruby-sprintf/src/sprintf.c in mruby 1.4.1 ...) - mruby 2.0.0-1 (low; bug #903985) - [stretch] - mruby (Minor issue) [jessie] - mruby (Minor issue) NOTE: https://github.com/mruby/mruby/issues/4062 NOTE: https://github.com/mruby/mruby/commit/695f29cd604787f43be1af16e38d13610bf8312b @@ -254205,7 +254203,6 @@ CVE-2018-12250 (An issue was discovered in Elite CMS Pro 2.01. In /admin/add_sid NOT-FOR-US: Elite CMS CVE-2018-12249 (An issue was discovered in mruby 1.4.1. There is a NULL pointer derefe ...) - mruby 1.4.1+20180622+git640fca32-1 (bug #901652) - [stretch] - mruby (Minor issue) [jessie] - mruby (Minor issue) NOTE: https://github.com/mruby/mruby/commit/faa4eaf6803bd11669bc324b4c34e7162286bfa3 NOTE: https://github.com/mruby/mruby/issues/4037 
@@ -255598,7 +255595,6 @@ CVE-2018-11744 (Cloudera Manager through 5.15 has Incorrect Access Control. ...) NOT-FOR-US: Cloudera CVE-2018-11743 (The init_copy function in kernel.c in mruby 1.4.1 makes initialize_cop ...) - mruby 1.4.1+20180622+git640fca32-1 (bug #900845) - [stretch] - mruby (Minor issue) [jessie] - mruby (Minor issue) NOTE: https://github.com/mruby/mruby/commit/b64ce17852b180dfeea81cf458660be41a78974d NOTE: https://github.com/mruby/mruby/issues/4027 @@ -260044,7 +260040,6 @@ CVE-2018-10192 (IPVanish 3.0.11 for macOS suffers from a root privilege escalati NOT-FOR-US: IPVanish for macOS CVE-2018-10191 (In versions of mruby up to and including 1.4.0, an integer overflow ex ...) - mruby 1.4.0+20180418+git54905e98-1 (bug #896020) - [stretch] - mruby (Minor issue) [jessie] - mruby (Minor issue) NOTE: https://github.com/mruby/mruby/issues/3995 NOTE: https://github.com/mruby/mruby/commit/1905091634a6a2925c911484434448e568330626 @@ -312366,7 +312361,6 @@ CVE-2017-9528 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows remote CVE-2017-9527 (The mark_context_stack function in gc.c in mruby through 1.2.0 allows ...) [experimental] - mruby 1.2.0+20170601+git51e0e690-1 - mruby 1.3.0-1 (low; bug #865778) - [stretch] - mruby (Minor issue) [jessie] - mruby (Minor issue) NOTE: https://github.com/mruby/mruby/issues/3486 NOTE: Fixed by: https://github.com/mruby/mruby/commit/5c114c91d4ff31859fcd84cf8bf349b737b90d99 = data/DLA/list = @@ -1,3 +1,6 @@ +[06 May 2022] DLA-2996-1 mruby - security update + {CVE-2017-9527 CVE-2018-10191 CVE-2018-11743 CVE-2018-12249 CVE-2018-14337 CVE-2020-15866} + [stretch] - mruby 1.2.0+20161228+git30d5424a-1+deb9u1 [05 May 2022] DLA-2995-1 smarty3 - security update {CVE-2021-21408 CVE-2021-29454} [stretch] - smarty3 3.1.31+20161214.1.c7d42e4+selfpack1-2+deb9u5 = data/dla-needed.txt = 
@@ -111,9 +111,6 @@ mbedtls (Utkarsh) NOTE: 20220502: will upload with 1 fix and mark the other one NOTE: 20220502: as no-dsa today/tomorrow. (utkarsh) -- -mruby (Abhijith PA) - NOTE: https://people.debian.org/~abhijith/upload/mruby/mruby_1.2.0+20161228+git30d5424a-1+deb9u1.dsc (abhijith) --- mutt (Utkarsh) NOTE: 20220502: update prepared. smoke test pending. (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5729bd6d1e132d10990a4177253a211885771bc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5729bd6d1e132d10990a4177253a211885771bc You're receiving this email because of your account on salsa.debian.org. ___ debian-security
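Review bot: in the data/CVE/list hunks, the six removed `[stretch] - mruby (Minor issue)` lines match the CVE list of the new DLA-2996-1 entry exactly (CVE-2017-9527, CVE-2018-10191, CVE-2018-11743, CVE-2018-12249, CVE-2018-14337, CVE-2020-15866), which is the check that matters. CVE-2020-15866 keeps `[buster] - mruby (Minor issue)`, so stretch now ships a fix that buster lacks; a NOTE flagging this for the buster LTS team, with the two upstream commits already listed, would avoid the inversion persisting.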
[Git][security-tracker-team/security-tracker][master] Update note in data/dla-needed.txt
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 83711d9f by Abhijith PA at 2022-05-03T04:31:28+05:30 Update note in data/dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -70,6 +70,7 @@ gpac (Roberto C. Sánchez) NOTE: 20220427: Preparing to work with security team to declare EOL (roberto) -- icingaweb2 (Abhijith PA) + NOTE: https://people.debian.org/~abhijith/upload/mruby/icingaweb2_2.4.1-1+deb9u2.dsc (abhijith) -- intel-microcode NOTE: 20220213: please recheck View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/83711d9f1edbc7410fa9234ab86c341c4a6ff3de -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/83711d9f1edbc7410fa9234ab86c341c4a6ff3de You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
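Review bot: the .dsc for icingaweb2 is published under `~abhijith/upload/mruby/`, the directory used for the mruby upload in c436a582; if that is a copy-paste of the path the link is wrong, and if it is intentional a per-package directory would avoid confusion. The added NOTE also has no date prefix, unlike the surrounding entries (`NOTE: 20220427: ...`, `NOTE: 20220213: ...`).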
[Git][security-tracker-team/security-tracker][master] Mark CVE-2022-24714, CVE-2022-24716 as not affected for stretch
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: c55fd09b by Abhijith PA at 2022-05-03T04:05:49+05:30 Mark CVE-2022-24714, CVE-2022-24716 as not affected for stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14990,6 +14990,7 @@ CVE-2022-24716 (Icinga Web 2 is an open source monitoring web interface, framewo - icingaweb2 2.9.6-1 [bullseye] - icingaweb2 (Vulnerable code not present) [buster] - icingaweb2 (Vulnerable code not present) + [stretch] - icingaweb2 (vulnerable code not present) NOTE: https://github.com/Icinga/icingaweb2/security/advisories/GHSA-5p3f-rh28-8frw NOTE: https://github.com/Icinga/icingaweb2/commit/9931ed799650f5b8d5e1dc58ea3415a4cdc5773d CVE-2022-24715 (Icinga Web 2 is an open source monitoring web interface, framework and ...) @@ -15002,6 +15003,7 @@ CVE-2022-24714 (Icinga Web 2 is an open source monitoring web interface, framewo - icingaweb2 2.9.6-1 [bullseye] - icingaweb2 (Minor issue) [buster] - icingaweb2 (Minor issue) + [stretch] - icingaweb2 (vulnerable code not present) NOTE: https://github.com/Icinga/icingaweb2/security/advisories/GHSA-qcmg-vr56-x9wf NOTE: https://github.com/Icinga/icingaweb2/commit/6e989d05a1568a6733a3d912001251acc51d9293 CVE-2022-24713 (regex is an implementation of regular expressions for the Rust languag ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c55fd09ba7f1f95bbcd8de422e2e425afcc52efc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c55fd09ba7f1f95bbcd8de422e2e425afcc52efc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
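Review bot: the two added stretch lines use `(vulnerable code not present)` while the bullseye and buster lines directly above use `(Vulnerable code not present)`; keep the capitalised form for consistency. For CVE-2022-24714 the bullseye and buster lines say `Minor issue` (the code is present there) while stretch says it is absent; a NOTE naming the icingaweb2 version that introduced the affected code would justify the difference.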
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim mruby from Anton
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: c436a582 by Abhijith PA at 2022-05-03T02:12:09+05:30 data/dla-needed.txt: Claim mruby from Anton - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -103,7 +103,8 @@ mbedtls (Utkarsh) NOTE: 20220404: update prepared, needs testing. (utkarsh) NOTE: 20220419: waiting for a quick feedback from carnil. (utkarsh) -- -mruby (Anton) +mruby (Abhijith PA) + NOTE: https://people.debian.org/~abhijith/upload/mruby/mruby_1.2.0+20161228+git30d5424a-1+deb9u1.dsc (abhijith) -- mutt (Utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c436a582738ccf4de5ec3116bdd24d11e664d298 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c436a582738ccf4de5ec3116bdd24d11e664d298 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
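Review bot: the entry changes hands from Anton to Abhijith PA with no dated NOTE recording the handover; add one so the history in dla-needed.txt shows when and why the claim moved. The .dsc NOTE also lacks the `NOTE: YYYYMMDD:` date prefix the neighbouring mbedtls notes use.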