[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim less

2024-04-19 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9148831e by Abhijith PA at 2024-04-19T11:58:40+05:30
data/dla-needed.txt: claim less

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -121,7 +121,7 @@ knot-resolver (Markus Koschany)
   NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk)
   NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs 
has been fixed in bullseye. (ola)
 --
-less
+less (Abhijith PA)
   NOTE: 20240418: Added by Front-Desk (apo)
 --
 libpgjava (Markus Koschany)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9148831e56b88d1d2a556e2bf0911611b90be9a6

You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim tiff

2024-03-17 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a8522564 by Abhijith PA at 2024-03-18T10:31:40+05:30
data/dla-needed.txt: claim tiff

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -292,7 +292,7 @@ suricata (Adrian Bunk)
 thunderbird (Emilio)
   NOTE: 20240306: Added by Front-Desk (opal)
 --
-tiff
+tiff (Abhijith PA)
   NOTE: 20240314: Added by coordinator (roberto)
   NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in 
bullseye and
   NOTE: 20240314: bookworm. Uploads to spu and ospu should be coordinated. 
(roberto)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a8522564f49a69150f3fcfb173d4b3bd3d452c89



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3758-1 for tiff

2024-03-11 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7199e99c by Abhijith PA at 2024-03-11T16:48:11+05:30
Reserve DLA-3758-1 for tiff

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -10267,7 +10267,6 @@ CVE-2023-52356 (A segment fault (SEGV) flaw was found 
in libtiff that could be t
- tiff 4.5.1+git230720-4 (bug #1061524)
[bookworm] - tiff  (Minor issue)
[bullseye] - tiff  (Minor issue)
-   [buster] - tiff  (Minor issue, DoS)
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/622
NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/546
NOTE: 
https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a
@@ -30802,7 +30801,6 @@ CVE-2023-3665 (A code injection vulnerability in 
Trellix ENS 10.7.0 April 2023 r
 CVE-2023-3576 (A memory leak flaw was found in Libtiff's tiffcrop utility. 
This issue ...)
{DSA-5567-1}
- tiff 4.5.1~rc3-1
-   [buster] - tiff  (Minor issue, memory leak in CLI tool)
NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/475
NOTE: Fixed by: 
https://gitlab.com/libtiff/libtiff/-/commit/1d5b1181c980090a6518f11e61a18b0e268bf31a
 (v4.5.1rc1)
 CVE-2023-3512 (Relative path traversal vulnerability in Setelsa Security's 
ConacWin C ...)


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[11 Mar 2024] DLA-3758-1 tiff - security update
+   {CVE-2023-3576 CVE-2023-52356}
+   [buster] - tiff 4.1.0+git191117-2~deb10u9
 [10 Mar 2024] DLA-3757-1 nss - security update
{CVE-2023-5388 CVE-2024-0743}
[buster] - nss 2:3.42.1-1+deb10u8


=
data/dla-needed.txt
=
@@ -250,10 +250,6 @@ suricata (Adrian Bunk)
 thunderbird (Emilio)
   NOTE: 20240306: Added by Front-Desk (opal)
 --
-tiff (Abhijith PA)
-  NOTE: 20231231: Added by Front-Desk (lamby)
-  NOTE: 20231231: CVE-2023-3576 already fixed in bullseye via DSA or point 
release(s). (lamby)
---
 tinymce
   NOTE: 20231123: Added by Front-Desk (ola)
   NOTE: 20231216: Someone with more XSS experience needed to assess the



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7199e99c42f32f3a2b5eafa4053b4b4d5109e711



[Git][security-tracker-team/security-tracker][master] 3 commits: The PoC given is not reproducible in buster but this CVE is an

2024-03-10 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
376c6d8e by Abhijith PA at 2024-03-11T10:41:16+05:30
The PoC given is not reproducible in buster but this CVE is an
general issue from an incomplete fix from 4.0.10.
But too invasive patch for a minor issue.

- - - - -
61509b66 by Abhijith PA at 2024-03-11T10:47:10+05:30
Backporting CVE-2023-6277 can introduce regression in libimager-perl

- - - - -
ae62c233 by Abhijith PA at 2024-03-11T10:51:24+05:30
Upstream fixed this issue by providing an update to doc.
tiff in buster have html docs and upstream in .rst. Not worth
converting docs.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -10250,7 +10250,7 @@ CVE-2023-52355 (An out-of-memory flaw was found in 
libtiff that could be trigger
- tiff 4.5.1+git230720-4
[bookworm] - tiff  (Minor issue)
[bullseye] - tiff  (Minor issue)
-   [buster] - tiff  (Minor issue, DoS)
+   [buster] - tiff  (Minor issue, DoS)
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/621
NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/553
NOTE: 
https://gitlab.com/libtiff/libtiff/-/commit/335947359ce2dd3862cd9f7c49f92eba065dfed4
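
Review bot: the changed [buster] line for CVE-2023-52355 still gives only "(Minor issue, DoS)" as its reason, and of the three commit messages only 61509b66 names the CVE it refers to, so the more specific rationale (PoC not reproducible, patch too invasive, or the upstream fix being a documentation update) cannot be matched to this entry from the data file alone. Put the applicable reason in the parenthetical, or in a NOTE line under the CVE, so it stays with the entry.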
@@ -21875,7 +21875,7 @@ CVE-2023-6277 (An out-of-memory flaw was found in 
libtiff. Passing a crafted tif
- tiff 4.5.1+git230720-2 (bug #1056751)
[bookworm] - tiff  (Minor issue; will cause compatibility issue 
with libimager-perl, cf #1057270)
[bullseye] - tiff  (Minor issue; will cause compatibility issue 
with libimager-perl, cf #1057270)
-   [buster] - tiff  (Minor issue; OOM DoS)
+   [buster] - tiff  (Minor issue; OOM DoS)
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/614
NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/545
NOTE: 
https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a
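
Review bot: the new [buster] line for CVE-2023-6277 keeps the reason "(Minor issue; OOM DoS)", while commit 61509b66 justifies the change by a possible regression in libimager-perl, which the [bookworm] and [bullseye] lines just above already record with "cf #1057270". Consider carrying the same wording and bug reference on the [buster] line so all three releases state a consistent reason.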
@@ -106015,7 +106015,7 @@ CVE-2022-40091 (Online Tours & Travels Management 
System v1.0 was discovered to
 CVE-2022-40090 (An issue was discovered in function TIFFReadDirectory libtiff 
before 4 ...)
- tiff 4.5.0-2
[bullseye] - tiff  (Minor issue)
-   [buster] - tiff  (Minor issue, DoS)
+   [buster] - tiff  (Minor issue, DoS)
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/455
NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/386
NOTE: 
https://gitlab.com/libtiff/libtiff/-/commit/d093eb5d961e21ba51420bc22382c514683a4d91
 (v4.5.0rc1)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f95d3ce82bb4c126f1895a4fc26d26e068cd8ccb...ae62c23362ed648db3ff8b56ca0d38aedf975d58



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: reclaim frr

2024-03-01 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
383c8d05 by Abhijith PA at 2024-03-01T15:02:07+05:30
data/dla-needed.txt: reclaim frr

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -100,9 +100,10 @@ firefox-esr (Emilio)
 freeimage
   NOTE: 20240121: Added by Front-Desk (apo)
 --
-frr
+frr (Abhijith PA)
   NOTE: 20231119: Added by Front-Desk (apo)
   NOTE: 20240206: Continuing fixing the remaining issues (abhijith)
+  NOTE: 20240301: continue work (abhijith)
 --
 golang-go.crypto
   NOTE: 20231219: Added by Front-Desk (ta)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/383c8d059501648ee9b923461ff6d85cf3f21de1



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim tiff

2024-02-25 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c2f5980f by Abhijith PA at 2024-02-25T14:34:08+05:30
data/dla-needed.txt: claim tiff

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -290,7 +290,7 @@ thunderbird
   NOTE: 20240222: Added by Front-Desk (pochu)
   NOTE: 20240222: send DLA after maintainer uploads 115.8.0
 --
-tiff
+tiff (Abhijith PA)
   NOTE: 20231231: Added by Front-Desk (lamby)
   NOTE: 20231231: CVE-2023-3576 already fixed in bullseye via DSA or point 
release(s). (lamby)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2f5980fe61407b6d95a9febf6a10b2816dc336d



[Git][security-tracker-team/security-tracker][master] This CVE is due to a regression introduced in 9.50

2024-02-25 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bb242bbb by Abhijith PA at 2024-02-25T14:24:35+05:30
This CVE is due to a regression introduced in 9.50
https://bugs.ghostscript.com/show_bug.cgi?id=701877
https://git.ghostscript.com/?p=ghostpdl.git;h=da03855bf9ca18eab05d4ac870d73f457758a77f
ghostscript in buster not backported this patch.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -4426,6 +4426,7 @@ CVE-2023-52425 (libexpat through 2.5.0 allows a denial of 
service (resource cons
NOTE: Merge commit: 
https://github.com/libexpat/libexpat/commit/34b598c5f594b015c513c73f06e7ced3323edbf1
 CVE-2020-36773 (Artifex Ghostscript before 9.53.0 has an out-of-bounds write 
and use-a ...)
- ghostscript 9.53.0~dfsg-1
+   [buster] - ghostscript  (regression introduced in version 
9.50)
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=702229
NOTE: Fixed by: 
http://www.ghostscript.com/cgi-bin/findgit.cgi?8c7bd787defa071c96289b7da9397f673fddb874
 (ghostpdl-9.53.0rc1)
 CVE-2018-25098 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in 
blockmaso ...)
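
Review bot: the added [buster] line for CVE-2020-36773 states "regression introduced in version 9.50", but the two references that support it (bugs.ghostscript.com id=701877 and ghostpdl commit da03855bf9ca18eab05d4ac870d73f457758a77f) appear only in the commit message. Add them as a NOTE line under the CVE, next to the existing "Fixed by:" note, so the basis for the buster status can be checked from data/CVE/list itself.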


=
data/dla-needed.txt
=
@@ -106,9 +106,6 @@ frr (Abhijith PA)
   NOTE: 20231119: Added by Front-Desk (apo)
   NOTE: 20240206: Continuing fixing the remaining issues (abhijith)
 --
-ghostscript (Abhijith PA)
-  NOTE: 20240212: Added by Front-Desk (lamby)
---
 gnutls28 (guilhem)
   NOTE: 20240122: Added by Front-Desk (Beuc)
   NOTE: 20240122: Incomplete fix for CVE-2023-5981/DLA-3660-1 (Beuc/front-desk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb242bbb9429518387c46f3219a8d190aac64911



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim ghostscript

2024-02-12 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b82481e5 by Abhijith PA at 2024-02-13T12:15:52+05:30
data/dla-needed.txt: claim ghostscript
update note on varnish and re-claim

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -92,7 +92,7 @@ frr (Abhijith PA)
   NOTE: 20231119: Added by Front-Desk (apo)
   NOTE: 20240206: Continuing fixing the remaining issues (abhijith)
 --
-ghostscript
+ghostscript (Abhijith PA)
   NOTE: 20240212: Added by Front-Desk (lamby)
 --
 gnutls28 (guilhem)
@@ -275,12 +275,13 @@ tinymce
 tomcat9 (Markus Koschany)
   NOTE: 20240121: Added by Front-Desk (apo)
 --
-varnish
+varnish (Abhijith PA)
   NOTE: 20231117: Added by Front-Desk (apo)
   NOTE: 20231204: Working on pre commits for CVE-2023-44487, 
https://github.com/varnishcache/varnish-cache/pull/4004
   NOTE: 20231219: Continuing work
   NOTE: 20240108: Backported security fixes and related commits. Fixing test 
failures. (abhijith)
   NOTE: 20240122: Still fixing tests (abhijith)
+  NOTE: 20240213: Fixing tests.(abhijith)
 --
 wireshark
   NOTE: 20231118: Added by Front-Desk (apo)
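
Review bot: in the varnish hunk the added line "NOTE: 20240213: Fixing tests.(abhijith)" has no space before the attribution, unlike the 20240108 and 20240122 notes above it; write "Fixing tests. (abhijith)". The commit subject also names only ghostscript, so the varnish re-claim is easy to miss when scanning the log; a separate commit or a subject covering both packages would make it findable.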



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b82481e5fa676099edddbe76d4714956e9b47081



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: re-claim frr

2024-02-05 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
669ac433 by Abhijith PA at 2024-02-06T10:42:00+05:30
data/dla-needed.txt: re-claim frr

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -84,8 +84,9 @@ exiftags
 freeimage
   NOTE: 20240121: Added by Front-Desk (apo)
 --
-frr
+frr (Abhijith PA)
   NOTE: 20231119: Added by Front-Desk (apo)
+  NOTE: 20240206: Continuing fixing the remaining issues (abhijith)
 --
 gnutls28 (guilhem)
   NOTE: 20240122: Added by Front-Desk (Beuc)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/669ac433941c1057bff09d606e1ed6b937351425



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3733-1 for rear

2024-02-03 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4fe981fb by Abhijith PA at 2024-02-03T22:49:44+05:30
Reserve DLA-3733-1 for rear

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[03 Feb 2024] DLA-3733-1 rear - security update
+   {CVE-2024-23301}
+   [buster] - rear 2.4+dfsg-1+deb10u1
 [03 Feb 2024] DLA-3732-1 sudo - security update
{CVE-2023-7090 CVE-2023-28486 CVE-2023-28487}
[buster] - sudo 1.8.27-1+deb10u6


=
data/dla-needed.txt
=
@@ -211,9 +211,6 @@ rails
   NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the 
possible path forward. (utkarsh)
   NOTE: 20230828: want to rollout ruby-rack first. (utkarsh)
 --
-rear (Abhijith PA)
-  NOTE: 20240121: Added by Front-Desk (apo)
---
 ring
   NOTE: 20230903: Added by Front-Desk (gladk)
   NOTE: 20230928: will be likely hard to fix see 
https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4fe981fbf9f162b97593ec52d978aa75dc5133b3



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim rear

2024-01-23 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e1dc196f by Abhijith PA at 2024-01-23T16:09:26+05:30
data/dla-needed.txt: Claim rear

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -236,7 +236,7 @@ rails
   NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the 
possible path forward. (utkarsh)
   NOTE: 20230828: want to rollout ruby-rack first. (utkarsh)
 --
-rear
+rear (Abhijith PA)
   NOTE: 20240121: Added by Front-Desk (apo)
 --
 ring



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e1dc196f59932d4101b78f88b6a4688b75a8bc9a



[Git][security-tracker-team/security-tracker][master] update note in dla-needed.txt

2024-01-22 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9985e4a3 by Abhijith PA at 2024-01-22T21:48:30+05:30
update note in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -304,6 +304,7 @@ varnish (Abhijith PA)
   NOTE: 20231204: Working on pre commits for CVE-2023-44487, 
https://github.com/varnishcache/varnish-cache/pull/4004
   NOTE: 20231219: Continuing work
   NOTE: 20240108: Backported security fixes and related commits. Fixing test 
failures. (abhijith)
+  NOTE: 20240122: Still fixing tests (abhijith)
 --
 wireshark (Adrian Bunk)
   NOTE: 20231118: Added by Front-Desk (apo)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9985e4a394f1880f3ea8a43a70a44aad14d83a81



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim frr

2024-01-17 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
779a6cd7 by Abhijith PA at 2024-01-17T17:46:02+05:30
data/dla-needed.txt: claim frr

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -77,7 +77,7 @@ edk2
   NOTE: 20231230: Added by Front-Desk (lamby)
   NOTE: 20231230: CVE-2019-11098 fixed in bullseye via DSA or point release 
(lamby)
 --
-frr
+frr (Abhijith PA)
   NOTE: 20231119: Added by Front-Desk (apo)
 --
 golang-go.crypto



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/779a6cd7cbdc7906a7b3984264ae089b3619fb2e



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3712-1 for kodi

2024-01-17 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cc67988d by Abhijith PA at 2024-01-17T15:52:17+05:30
Reserve DLA-3712-1 for kodi

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -41801,7 +41801,6 @@ CVE-2023-30208
 CVE-2023-30207 (A divide by zero issue discovered in Kodi Home Theater 
Software 19.5 a ...)
- kodi 2:20.0~rc2+dfsg-2 (bug #1040593)
[bullseye] - kodi  (Minor issue)
-   [buster] - kodi  (Minor issue)
NOTE: https://github.com/xbmc/xbmc/issues/22378
NOTE: 
https://github.com/xbmc/xbmc/commit/dbc00c500f4c4830049cc040a61c439c580eea73
NOTE: https://github.com/xbmc/xbmc/pull/22391
@@ -63494,7 +63493,6 @@ CVE-2023-23083
 CVE-2023-23082 (A heap buffer overflow vulnerability in Kodi Home Theater 
Software up  ...)
- kodi 2:20.0+dfsg-2 (bug #1031048)
[bullseye] - kodi  (Minor issue)
-   [buster] - kodi  (Minor issue)
NOTE: https://github.com/xbmc/xbmc/issues/22377
NOTE: 
https://github.com/xbmc/xbmc/commit/00fec1dbdd1df827872c7b55ad93059636dfc076
NOTE: 
https://github.com/xbmc/xbmc/commit/7e5f9fbf9aaa3540aab35e7504036855b23dcf60
@@ -159825,7 +159823,6 @@ CVE-2021-42918
 CVE-2021-42917 (Buffer overflow vulnerability in Kodi xbmc up to 19.0, allows 
attacker ...)
- kodi 2:19.3+dfsg1-1 (bug #998419)
[bullseye] - kodi 2:19.1+dfsg2-2+deb11u1
-   [buster] - kodi  (Minor issue)
[stretch] - kodi  (no point in fixing this when the more 
severe CVE-2017-5982 is ignored)
- xbmc 
NOTE: 
https://github.com/xbmc/xbmc/commit/80c8138c09598e88b4ddb6dbb279fa193bbb3237
@@ -448280,7 +448277,6 @@ CVE-2017-5983 (The JIRA Workflow Designer Plugin in 
Atlassian JIRA Server before
NOT-FOR-US: JIRA Workflow Designer Plugin
 CVE-2017-5982 (Directory traversal vulnerability in the Chorus2 2.4.2 add-on 
for Kodi ...)
- kodi 2:18.6+dfsg1-1 (bug #855225)
-   [buster] - kodi  (Minor issue)
[stretch] - kodi  (Minor issue)
[jessie] - kodi  (Minor issue)
- xbmc  (bug #861274)


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[17 Jan 2024] DLA-3712-1 kodi - security update
+   {CVE-2017-5982 CVE-2021-42917 CVE-2023-23082 CVE-2023-30207}
+   [buster] - kodi 2:17.6+dfsg1-4+deb10u1
 [10 Jan 2024] DLA-3711-1 linux-5.10 - security update
{CVE-2021-44879 CVE-2023-5178 CVE-2023-5197 CVE-2023-5717 CVE-2023-6121 
CVE-2023-6531 CVE-2023-6817 CVE-2023-6931 CVE-2023-6932 CVE-2023-25775 
CVE-2023-34324 CVE-2023-35827 CVE-2023-45863 CVE-2023-46813 CVE-2023-46862 
CVE-2023-51780 CVE-2023-51781 CVE-2023-51782}
[buster] - linux-5.10 5.10.205-2~deb10u1


=
data/dla-needed.txt
=
@@ -115,11 +115,6 @@ keystone (rouca)
 knot-resolver (Markus Koschany)
   NOTE: 20231029: Added by Front-Desk (gladk)
 --
-kodi (Abhijith PA)
-  NOTE: 20231228: Added by Front-Desk (lamby)
-  NOTE: 20231228: CVE-2021-42917 was postponed in 2021; fixed in bullseye via 
DSA or point release. (lamby)
-  NOTE: 20240414: Fixed issues. 
https://people.debian.org/~abhijith/upload/kport/update/. Testing (abhijith)
---
 libreswan
   NOTE: 20230817: Added by Front-Desk (ta)
   NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc67988d2ce63a7661ca0091af3876ce01cb50f5



[Git][security-tracker-team/security-tracker][master] update kodi status

2024-01-14 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b0e9b892 by Abhijith PA at 2024-01-14T23:43:57+05:30
update kodi status

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -114,6 +114,7 @@ knot-resolver (Markus Koschany)
 kodi (Abhijith PA)
   NOTE: 20231228: Added by Front-Desk (lamby)
   NOTE: 20231228: CVE-2021-42917 was postponed in 2021; fixed in bullseye via 
DSA or point release. (lamby)
+  NOTE: 20240414: Fixed issues. 
https://people.debian.org/~abhijith/upload/kport/update/. Testing (abhijith)
 --
 libreswan
   NOTE: 20230817: Added by Front-Desk (ta)
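
Review bot: the added kodi note is dated 20240414, but the commit is dated 2024-01-14 and the notes above it are from 20231228, so the date lies three months in the future and looks like a typo for 20240114. Since the NOTE dates in dla-needed.txt are what readers use to judge how recent the last activity on a claim is, correct the date in the note.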



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b0e9b892270eee92ee29f131ebbff224e9558ae4



[Git][security-tracker-team/security-tracker][master] update note in dla-needed.txt

2024-01-07 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
01ff9158 by Abhijith PA at 2024-01-08T11:22:32+05:30
update note in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -260,6 +260,7 @@ varnish (Abhijith PA)
   NOTE: 20231117: Added by Front-Desk (apo)
   NOTE: 20231204: Working on pre commits for CVE-2023-44487, 
https://github.com/varnishcache/varnish-cache/pull/4004
   NOTE: 20231219: Continuing work
+  NOTE: 20240108: Backported security fixes and related commits. Fixing test 
failures. (abhijith)
 --
 wireshark (Adrian Bunk)
   NOTE: 20231118: Added by Front-Desk (apo)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/01ff9158a6031cd686507404be25c72624915d8a



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim kodi

2024-01-04 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fe23cfcc by Abhijith PA at 2024-01-04T17:56:53+05:30
data/dla-needed.txt: claim kodi

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -114,7 +114,7 @@ keystone
 knot-resolver
   NOTE: 20231029: Added by Front-Desk (gladk)
 --
-kodi
+kodi (Abhijith PA)
   NOTE: 20231228: Added by Front-Desk (lamby)
   NOTE: 20231228: CVE-2021-42917 was postponed in 2021; fixed in bullseye via 
DSA or point release. (lamby)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe23cfcc01ca2d2c486c399f208f90cf18c24bc3



[Git][security-tracker-team/security-tracker][master] reclaim varnish in dla-needed.txt

2023-12-18 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6ce4e477 by Abhijith PA at 2023-12-19T10:15:18+05:30
reclaim varnish in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -247,9 +247,10 @@ tomcat9
   NOTE: 20231129: Added by Front-Desk (Beuc)
   NOTE: 20131217: I have made a fix, tests are ok but due to high popcon 
prefer a review by apo (rouca)
 --
-varnish
+varnish (Abhijith PA)
   NOTE: 20231117: Added by Front-Desk (apo)
   NOTE: 20231204: Working on pre commits for CVE-2023-44487, 
https://github.com/varnishcache/varnish-cache/pull/4004
+  NOTE: 20231219: Continuing work
 --
 wireshark (Adrian Bunk)
   NOTE: 20231118: Added by Front-Desk (apo)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ce4e4779f60d36b7bf23304a1d073185542a4ac



[Git][security-tracker-team/security-tracker][master] data/ela-needed.txt: claim netatalk

2023-12-05 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d5352075 by Abhijith PA at 2023-12-05T21:15:34+05:30
data/ela-needed.txt: claim netatalk

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -111,7 +111,7 @@ linux-5.10
 mariadb-10.3
   NOTE: 20231129: Added by Front-Desk (Beuc)
 --
-netatalk
+netatalk (Abhijith PA)
   NOTE: 20231119: Added by Front-Desk (apo)
 --
 node-webpack
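
Review bot: the commit subject is prefixed "data/ela-needed.txt", but the only changed file is data/dla-needed.txt, where the netatalk line gains the claim. Use the data/dla-needed.txt prefix so that filtering the log by file name finds this claim.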



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5352075180aa40bea7e929f89143cc131651667



[Git][security-tracker-team/security-tracker][master] update note in dla-needed.txt

2023-12-04 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
03aabd00 by Abhijith PA at 2023-12-04T13:46:58+05:30
update note in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -228,6 +228,7 @@ tor
 --
 varnish (Abhijith PA)
   NOTE: 20231117: Added by Front-Desk (apo)
+  NOTE: 20231204: Working on pre commits for CVE-2023-44487, 
https://github.com/varnishcache/varnish-cache/pull/4004
 --
 wireshark (Adrian Bunk)
   NOTE: 20231118: Added by Front-Desk (apo)
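
Review bot: "pre commits" in the added 20231204 note is ambiguous; if it means commits that must be backported before the CVE-2023-44487 fix applies, write "prerequisite commits". The note also lacks the trailing author tag that the `Added by Front-Desk (apo)` line above it carries.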



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03aabd00b595a715073f4406bd4c5f0b1a7bac9a



[Git][security-tracker-team/security-tracker][master] data/ela-needed.txt: claim varnish

2023-11-19 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
74505a75 by Abhijith PA at 2023-11-19T17:15:14+05:30
data/ela-needed.txt: claim varnish

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -246,7 +246,7 @@ suricata (Adrian Bunk)
 symfony
   NOTE: 20231118: Added by Front-Desk (apo)
 --
-varnish
+varnish (Abhijith PA)
   NOTE: 20231117: Added by Front-Desk (apo)
 --
 vlc



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/74505a75ee34ccff60c46c0fd48bd61c8316ff97



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim h2o

2023-10-15 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7370d5f0 by Abhijith PA at 2023-10-15T22:46:35+05:30
data/dla-needed.txt: Claim h2o

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -90,7 +90,7 @@ gst-plugins-bad1.0 (Thorsten Alteholz)
   NOTE: 20230928: Added by Frond-Desk (ola)
   NOTE: 20231013: testing package
 --
-h2o
+h2o (Abhijith PA)
   NOTE: 20231013: Added by Front-Desk (ta)
 --
 i2p



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7370d5f063dbae87df2226d77e50a66d84713db6



[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-40175 as ignored for buster

2023-10-09 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bc8f1805 by Abhijith PA at 2023-10-09T22:43:31+05:30
Mark CVE-2023-40175 as ignored for buster

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -6991,6 +6991,7 @@ CVE-2023-4427 (Out of bounds memory access in V8 in 
Google Chrome prior to 116.0
[buster] - chromium  (see DSA 5046)
 CVE-2023-40175 (Puma is a Ruby/Rack web server built for parallelism. Prior to 
version ...)
- puma 5.6.7-1 (bug #1050079)
+   [buster] - puma  (invasive to backport)
NOTE: 
https://github.com/puma/puma/security/advisories/GHSA-68xg-gqqm-vgj8
NOTE: 
https://github.com/puma/puma/commit/690155e7d644b80eeef0a6094f9826ee41f1080a 
(master)
NOTE: 
https://github.com/puma/puma/commit/ed0f2f94b56982c687452504b95d5f1fbbe3eed1 
(v6.3.1)
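
Review bot: The reason on the added `[buster] - puma` line, "invasive to backport", does not say which of the two upstream commits listed below it (master and v6.3.1) was evaluated against the buster version. Add a NOTE naming the commit and what makes the backport invasive, so the decision can be revisited without redoing the analysis.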


=
data/dla-needed.txt
=
@@ -169,9 +169,6 @@ poppler (Adrian Bunk)
   NOTE: 20230908: as I suspect this is a duplicate of CVE-2020-27778 (which 
has already
   NOTE: 20230908: been fixed). (lamby)
 --
-puma
-  NOTE: 20230925: Added by Front-Desk (apo)
---
 python-django
   NOTE: 20231006: Added by Front-Desk (Beuc)
   NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists 
(Beuc/front-desk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc8f18058d10cf9c30aa30ef5832f25bf034a603



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim phppgadmin

2023-09-29 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4c2d8361 by Abhijith PA at 2023-09-29T19:51:40+05:30
data/dla-needed.txt: Claim phppgadmin

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -151,7 +151,7 @@ osslsigncode
   NOTE: 20230925: Added by Front-Desk (apo)
   NOTE: 20230925: Maybe a new upstream release should just do the trick here.
 --
-phppgadmin
+phppgadmin (Abhijith PA)
   NOTE: 20230925: Added by Front-Desk (apo)
 --
 poppler



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c2d8361b15f9450c3ddc674369ae3433a43bf10



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3582-1 for ghostscript

2023-09-25 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0fca495d by Abhijith PA at 2023-09-25T18:14:23+05:30
Reserve DLA-3582-1 for ghostscript

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[25 Sep 2023] DLA-3582-1 ghostscript - security update
+   {CVE-2020-21710 CVE-2020-21890}
+   [buster] - ghostscript 9.27~dfsg-2+deb10u9
 [25 Sep 2023] DLA-3581-1 flac - security update
{CVE-2020-22219}
[buster] - flac 1.3.2-3+deb10u3


=
data/dla-needed.txt
=
@@ -86,9 +86,6 @@ gerbv (Adrian Bunk)
   NOTE: 20230903: Added by Front-Desk (gladk)
   NOTE: 20230918: DLA coming soon. (bunk)
 --
-ghostscript (Abhijith PA)
-  NOTE: 20230920: Added by Front-Desk (apo)
---
 glib2.0 (Santiago)
   NOTE: 20230612: Added by Front-Desk (apo)
   NOTE: 20230710: WIP (santiago)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fca495ddc5ef1d84e6ca1e97ece557c39325718



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim puma

2023-09-25 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7efc7680 by Abhijith PA at 2023-09-25T14:37:18+05:30
data/dla-needed.txt: Claim puma

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -178,7 +178,7 @@ prometheus-alertmanager
   NOTE: 20230925: Added by Front-Desk (apo)
   NOTE: 20230925: Vulnerable code is in 
ui/app/src/Views/AlertList/AlertView.elm
 --
-puma
+puma (Abhijith PA)
   NOTE: 20230925: Added by Front-Desk (apo)
 --
 python-git



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7efc768066f077ebcf68aa793dc7192c3f1c76d7



[Git][security-tracker-team/security-tracker][master] 2 commits: Upstream have changed and refactored function `finish_copydevice`

2023-09-25 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5a34f392 by Abhijith PA at 2023-09-25T14:01:46+05:30
Upstream have changed and refactored function `finish_copydevice`
Backporting to 9.27 is not worth when the IjsServer security risk
is documented.

- - - - -
f325a4b6 by Abhijith PA at 2023-09-25T14:09:07+05:30
Add a commit reference for CVE-2020-21890

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -604,6 +604,7 @@ CVE-2023-43115 (In Artifex Ghostscript through 10.01.2, 
gdevijs.c in GhostPDL ca
- ghostscript 10.02.0~dfsg-1
[bookworm] - ghostscript  (Minor issue; documented risks, can 
be fixed in later update)
[bullseye] - ghostscript  (Minor issue; documented risks, can 
be fixed in later update)
+   [buster] - ghostscript  (Minor issue; documented risks, have 
done refactoring in later versions)
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=707051
NOTE: 
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5
NOTE: 
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=8b0f20002536867bd73ff4552408a72597190cbe
 (ghostpdl-10.02.0rc2)
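
Review bot: On the added `[buster]` line, "have done refactoring in later versions" has no subject and reads differently from the bookworm and bullseye reasons above it. The commit message states the point more clearly (upstream refactored `finish_copydevice`, and backporting to 9.27 was judged not worthwhile), so carry that wording into the reason, e.g. "upstream refactored finish_copydevice in later versions".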
@@ -224469,6 +224470,7 @@ CVE-2020-21891
 CVE-2020-21890 (Buffer Overflow vulnerability in clj_media_size function in 
devices/gd ...)
- ghostscript 9.51~dfsg-1
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=701846
+   NOTE: Fixed by: 
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=dbdb5f8527007b482d4e6037b558dbf3e6a06d3a
 (ghostpdl-9.51rc1)
NOTE: Fixed by: 
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=494eeedf73d13fac5710e56f3a8fb2e7e2379d73
 (ghostpdl-9.51rc1)
 CVE-2020-21889
RESERVED
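
Review bot: The new `Fixed by:` note links the `a=commit` view while the existing one directly below it links `a=commitdiff`; both are tagged ghostpdl-9.51rc1. Use the same URL form for both, and if the two commits have to be applied in a particular order, list them in that order.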



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/60c7ef977b672cb5dd863a70026cda4046d92ace...f325a4b6afa94467e41112e417846ec9059f1e05



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim ghostscript

2023-09-24 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
93eb42d8 by Abhijith PA at 2023-09-24T12:30:42+05:30
data/dla-needed.txt: Claim ghostscript

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -80,7 +80,7 @@ gerbv (Adrian Bunk)
   NOTE: 20230903: Added by Front-Desk (gladk)
   NOTE: 20230918: DLA coming soon. (bunk)
 --
-ghostscript
+ghostscript (Abhijith PA)
   NOTE: 20230920: Added by Front-Desk (apo)
 --
 glib2.0 (Santiago)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93eb42d84e480cbf0c309406beb4e8f9b298e4a2



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim open-vm-tools

2023-07-31 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ddd968cf by Abhijith PA at 2023-07-31T19:35:12+05:30
data/dla-needed.txt: claim open-vm-tools

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -107,7 +107,7 @@ nvidia-cuda-toolkit
   NOTE: 20230610: Details: 
https://lists.debian.org/debian-lts/2023/06/msg00032.html
   NOTE: 20230610: my recommendation would be to put the package on the 
"not-supported" list. (tobi)
 --
-open-vm-tools
+open-vm-tools (Abhijith PA)
   NOTE: 20230731: Added by Front-Desk (apo)
 --
 openimageio (Markus Koschany)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ddd968cfa0f306986a803b4b22de1644057f84eb



[Git][security-tracker-team/security-tracker][master] re-claim libreoffice and update notes

2023-07-18 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b6f4ba4b by Abhijith PA at 2023-07-18T12:06:25+05:30
re-claim libreoffice and update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -88,8 +88,10 @@ libapache2-mod-auth-openidc
   NOTE: 20230620: Added by Front-Desk (Beuc)
   NOTE: 20230620: Follow fix from bullseye 11.7 (CVE-2022-23527) + 1 postponed 
CVE-2021-39191 (Beuc/front-desk)
 --
-libreoffice
+libreoffice (Abhijith PA)
   NOTE: 20230530: Added by Front-Desk (pochu)
+  NOTE: 20230718: http://people.debian.org/~abhijith/upload/lo (abhijith)
+  NOTE: 20230718: CVE-2023-2255.diff fails to build. (abhijith)
 --
 linux (Ben Hutchings)
   NOTE: 20230111: perma-added for LTS package-specific delegation (bwh)
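
Review bot: The first added 20230718 note links `http://people.debian.org/~abhijith/upload/lo` over plain HTTP; use the `https://` form, since others will fetch test packages from that location. The second note, "CVE-2023-2255.diff fails to build", would help the next person more if it named the failing file or the error.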



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6f4ba4b6fb0c1af310ad698a36340cae734a07c



[Git][security-tracker-team/security-tracker][master] Mark CVE-2022-46165 as ignored

2023-07-10 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1202f54b by Abhijith PA at 2023-07-11T10:01:27+05:30
Mark CVE-2022-46165 as ignored
 CVE-2021-21404 as postponed.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -42191,6 +42191,7 @@ CVE-2022-46165 (Syncthing is an open source, continuous 
file synchronization pro
- syncthing  (bug #1037432)
[bookworm] - syncthing  (Minor issue)
[bullseye] - syncthing  (Minor issue)
+   [buster] - syncthing  (Minor issue)
NOTE: 
https://github.com/syncthing/syncthing/security/advisories/GHSA-9rp6-23gf-4c3h
NOTE: 
https://github.com/syncthing/syncthing/commit/73c52eafb6566435dffd979c3c49562b6d5a4238
 (v1.23.5)
 CVE-2022-46164 (NodeBB is an open source Node.js based forum software. Due to 
a plain  ...)
@@ -184242,7 +184243,7 @@ CVE-2021-21405 (Lotus is an Implementation of the 
Filecoin protocol written in G
NOT-FOR-US: Lotus
 CVE-2021-21404 (Syncthing is a continuous file synchronization program. In 
Syncthing b ...)
- syncthing 1.12.1~ds1-3 (bug #986593)
-   [buster] - syncthing  (Minor issue)
+   [buster] - syncthing  (Minor issue; can be fixed in next 
update)
[stretch] - syncthing  (Minor issue; can be fixed in next 
update)
NOTE: 
https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h
NOTE: 
https://github.com/syncthing/syncthing/commit/fb4fdaf4c0a79c22cad000c42ac1394e3ccb6a97


=
data/dla-needed.txt
=
@@ -215,9 +215,6 @@ symfony (guilhem)
   NOTE: 20230620: Added by Front-Desk (Beuc)
   NOTE: 20230620: Follow fixes from bullseye 11.7 (2 CVEs) + 1 other postponed 
CVE (Beuc/front-desk)
 --
-syncthing (Abhijith PA)
-  NOTE: 20230616: Added by Front-Desk (opal)
---
 thunderbird (pochu)
   NOTE: 20230704: Added by pochu
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1202f54b06eb395094bfe308c37e79c20f129e8a



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim syncthing

2023-06-30 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
06c80770 by Abhijith PA at 2023-06-30T20:42:07+05:30
data/dla-needed.txt: Claim syncthing

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -241,7 +241,7 @@ symfony (guilhem)
   NOTE: 20230620: Added by Front-Desk (Beuc)
   NOTE: 20230620: Follow fixes from bullseye 11.7 (2 CVEs) + 1 other postponed 
CVE (Beuc/front-desk)
 --
-syncthing
+syncthing (Abhijith PA)
   NOTE: 20230616: Added by Front-Desk (opal)
 --
 webkit2gtk (Emilio)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/06c807709c75ff6f90d4aaf514e8da7fea7e9e23



[Git][security-tracker-team/security-tracker][master] reclaim fusiondirectory, libreoffice

2023-06-27 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
58736b02 by Abhijith PA at 2023-06-27T11:47:50+05:30
reclaim fusiondirectory, libreoffice

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -62,7 +62,7 @@ flatpak
   NOTE: 20230620: Added by Front-Desk (Beuc)
   NOTE: 20230620: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk)
 --
-fusiondirectory
+fusiondirectory (Abhijith PA)
   NOTE: 20221203: Added by Front-Desk (gladk)
   NOTE: 20221203: Please evaluate, whether the package can be fixed (gladk).
   NOTE: 20221203: Two CVEs have only mitigation, fix in a new version (gladk).
@@ -105,7 +105,7 @@ libapache2-mod-auth-openidc (gladk)
   NOTE: 20230620: Added by Front-Desk (Beuc)
   NOTE: 20230620: Follow fix from bullseye 11.7 (CVE-2022-23527) + 1 postponed 
CVE-2021-39191 (Beuc/front-desk)
 --
-libreoffice
+libreoffice (Abhijith PA)
   NOTE: 20230530: Added by Front-Desk (pochu)
 --
 libusrsctp (rouca)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58736b028f326a3f1f1bfa40460c0c68533e6789



[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-2602 CVE-2023-2603 as not-affected for strech, jessie

2023-06-08 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6e397c72 by Abhijith PA at 2023-06-08T12:22:13+05:30
Mark CVE-2023-2602 CVE-2023-2603 as not-affected for strech, jessie

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2533,6 +2533,8 @@ CVE-2023-2603 (A vulnerability was found in libcap. This 
issue occurs in the _li
- libcap2 1:2.66-4 (bug #1036114)
[bullseye] - libcap2  (Minor issue)
[buster] - libcap2  (Vulnerable code introduced later)
+   [stretch] - libcap2  (Vulnerable code introduced later)
+   [jessie] - libcap2  (Vulnerable code introduced later)
NOTE: 
https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.iuvg7sbjg8pe
NOTE: 
https://www.x41-dsec.de/static/reports/X41-libcap-Code-Review-2023-OSTIF-Final-Report.pdf
NOTE: https://www.openwall.com/lists/oss-security/2023/05/15/4
@@ -2541,6 +2543,8 @@ CVE-2023-2602 (A vulnerability was found in the 
pthread_create() function in lib
- libcap2 1:2.66-4 (bug #1036114)
[bullseye] - libcap2  (Minor issue)
[buster] - libcap2  (Vulnerable code introduced later)
+   [stretch] - libcap2  (Vulnerable code introduced later)
+   [jessie] - libcap2  (Vulnerable code introduced later)
NOTE: 
https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.iuvg7sbjg8pe
NOTE: 
https://www.x41-dsec.de/static/reports/X41-libcap-Code-Review-2023-OSTIF-Final-Report.pdf
NOTE: https://www.openwall.com/lists/oss-security/2023/05/15/4



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e397c722790a000c8a026a77c8846c38f25a736



[Git][security-tracker-team/security-tracker][master] data/ela-needed.txt: Claim libreoffice

2023-06-07 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5f0b1c53 by Abhijith PA at 2023-06-07T23:40:51+05:30
data/ela-needed.txt: Claim libreoffice

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -78,7 +78,7 @@ libfastjson (Thorsten Alteholz)
   NOTE: 20230507: the CVE was fixed in json-c already
   NOTE: 20230605: upload timing could be improved here
 --
-libreoffice
+libreoffice (Abhijith PA)
   NOTE: 20230530: Added by Front-Desk (pochu)
 --
 linux (Ben Hutchings)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f0b1c534ba9fa55a0258cc6195b78dcf91ddec4



[Git][security-tracker-team/security-tracker][master] remove libcap2 from dla-needed.txt. [d288b21]

2023-06-07 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
be417a23 by Abhijith PA at 2023-06-07T23:37:21+05:30
remove libcap2 from dla-needed.txt. [d288b21]

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -73,9 +73,6 @@ hdf5
   NOTE: 20230520: additionally couldn't convince the build system to build for 
buster, something with the autogenerated .install files,
   NOTE: 20230520: so giving up on the package. (tobi)
 --
-libcap2 (Abhijith PA)
-  NOTE: 20230517: Added by Front-Desk (gladk)
---
 libfastjson (Thorsten Alteholz)
   NOTE: 20230507: Added by Front-Desk (ta)
   NOTE: 20230507: the CVE was fixed in json-c already



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be417a23ee4e819a26394b822d6949d3962230ca



[Git][security-tracker-team/security-tracker][master] CVE-2023-2602 - libpsx is introduced in later versions. Not

2023-06-07 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d288b216 by Abhijith PA at 2023-06-07T23:22:33+05:30
CVE-2023-2602 - libpsx is introduced in later versions. Not
affecting 2.25.

CVE-2023-2603 - Code improvement done on
https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=a56162c6900d203c5ac63a2b41b46cb0c45c645f
This is an improved fix over something attempted
in libcap-2.55

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2458,6 +2458,7 @@ CVE-2023-2671 (A vulnerability was found in 
SourceCodester Lost and Found Inform
 CVE-2023-2603 (A vulnerability was found in libcap. This issue occurs in the 
_libcap_ ...)
- libcap2 1:2.66-4 (bug #1036114)
[bullseye] - libcap2  (Minor issue)
+   [buster] - libcap2  (Vulnerable code introduced later)
NOTE: 
https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.iuvg7sbjg8pe
NOTE: 
https://www.x41-dsec.de/static/reports/X41-libcap-Code-Review-2023-OSTIF-Final-Report.pdf
NOTE: https://www.openwall.com/lists/oss-security/2023/05/15/4
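
Review bot: The `[buster]` line added under CVE-2023-2603 gives "Vulnerable code introduced later", but the supporting libcap commit (a56162c6900d203c5ac63a2b41b46cb0c45c645f on git.kernel.org) appears only in the commit message. Add it as a NOTE under the CVE so the rationale is visible in data/CVE/list itself.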
@@ -2465,6 +2466,7 @@ CVE-2023-2603 (A vulnerability was found in libcap. This 
issue occurs in the _li
 CVE-2023-2602 (A vulnerability was found in the pthread_create() function in 
libcap.  ...)
- libcap2 1:2.66-4 (bug #1036114)
[bullseye] - libcap2  (Minor issue)
+   [buster] - libcap2  (Vulnerable code introduced later)
NOTE: 
https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.iuvg7sbjg8pe
NOTE: 
https://www.x41-dsec.de/static/reports/X41-libcap-Code-Review-2023-OSTIF-Final-Report.pdf
NOTE: https://www.openwall.com/lists/oss-security/2023/05/15/4



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d288b216c78e80f3b405df19d7a463d14e16e737



[Git][security-tracker-team/security-tracker][master] data/ela-needed.txt: re-claim fusiondirectory

2023-05-22 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bc010571 by Abhijith PA at 2023-05-22T23:31:37+05:30
data/ela-needed.txt: re-claim fusiondirectory

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -30,13 +30,14 @@ erlang (Markus Koschany)
   NOTE: 20230111: VCS: https://salsa.debian.org/erlang-team/packages/erlang
   NOTE: 20230111: Maintainer notes: Coordinate with maintainer, whether their 
VCS can be used. Mail send to mailing list.
 --
-fusiondirectory
+fusiondirectory (Abhijith PA)
   NOTE: 20221203: Programming language: PHP.
   NOTE: 20221203: Please evaluate, whether the package can be fixed (gladk).
   NOTE: 20221203: Two CVEs have only mitigation, fix in a new version (gladk).
   NOTE: 20221203: Also the package was removed from sid recently (gladk).
   NOTE: 20221203: Feel free to marke both CVEs as , if they are not 
too serious (gladk).
   NOTE: 20230206: VCS: 
https://salsa.debian.org/lts-team/packages/fusiondirectory.git
+  NOTE: 20230523: Added upstream commit references to security tracker. 
Patched our version, testing (abhijith)
 --
 golang-go.crypto (Markus Koschany)
   NOTE: 20220915: Programming language: Go.
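
Review bot: The added note is dated 20230523 while the commit timestamp is 2023-05-22T23:31:37+05:30; use the date the note was written. The commit subject also names data/ela-needed.txt although the change is in data/dla-needed.txt.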



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc010571770e8697332515b1d24c46d8160fe783



[Git][security-tracker-team/security-tracker][master] Add upstream commit refs for CVE-2022-36179, CVE-2022-36180

2023-05-19 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5e4d6bf2 by Abhijith PA at 2023-05-19T12:35:28+05:30
Add upstream commit refs for CVE-2022-36179, CVE-2022-36180

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -66363,10 +66363,12 @@ CVE-2022-36180 (Fusiondirectory 1.3 is vulnerable to 
Cross Site Scripting (XSS)
- fusiondirectory 
[bullseye] - fusiondirectory  (Minor issue)
NOTE: 
https://yoroi.company/research/cve-advisory-full-disclosure-multiple-vulnerabilities/
+   NOTE: 
https://github.com/fusiondirectory/fusiondirectory/commit/fadebb79b932a0260bdb8723eb23694a3ae62366
 [1.3.1]
 CVE-2022-36179 (Fusiondirectory 1.3 suffers from Improper Session Handling.)
- fusiondirectory 
[bullseye] - fusiondirectory  (Minor issue)
NOTE: 
https://yoroi.company/research/cve-advisory-full-disclosure-multiple-vulnerabilities/
+   NOTE: 
https://github.com/fusiondirectory/fusiondirectory/commit/d84cf05573b52df98418adf3716daf365e8da745
 [1.3.1]
 CVE-2022-36178
RESERVED
 CVE-2022-36177



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e4d6bf236bdb4e30e50c9830187de21e092bf5e



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim libcap2

2023-05-18 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9e232090 by Abhijith PA at 2023-05-18T14:44:14+05:30
data/dla-needed.txt: claim libcap2

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -62,7 +62,7 @@ hdf5 (tobi)
   NOTE: 20230506: tried to triage… seems to be that only sensible way forward 
would be to update to a newer version in the 1.10.x
   NOTE: 20230506: line. Still then, state of CVEs are unknown if they have 
been fixed. 1.10.11 is scheduled for September. (tobi)
 --
-libcap2
+libcap2 (Abhijith PA)
   NOTE: 20230517: Programming language: C.
   NOTE: 20230517: VCS: https://salsa.debian.org/lts-team/packages/libcap2.git
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e2320901fea300d98caa938722c37481fa4fa14



[Git][security-tracker-team/security-tracker][master] Remove consul from dla-needed.txt.

2023-05-14 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
eebe9d4c by Abhijith PA at 2023-05-14T15:49:54+05:30
Remove consul from dla-needed.txt.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -85882,6 +85882,7 @@ CVE-2022-29154 (An issue was discovered in rsync before 
3.2.5 that allows malici
NOTE: 
https://git.samba.org/?p=rsync.git;a=commit;h=2f7c583143bc6e80902139c23d9d7283f88fbc6a
 (v3.2.5pre1)
 CVE-2022-29153 (HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, 
and 1.11. ...)
- consul  (bug #1017982)
+   [buster] - consul  (Intrusive to backport)
NOTE: 
https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393
NOTE: 
https://github.com/hashicorp/consul/commit/72e1ce6317d6a4b28c73cd15f3976eb2c362be19
 (v1.9.17)
 CVE-2022-29152 (The Ericom PowerTerm WebConnect 6.0 login portal can unsafely 
write an ...)
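
Review bot: the reason text on the added [buster] line is worded three different ways across this commit: "(Intrusive to backport)" here, "(Minor issue; intrusive to backport)" for CVE-2021-37219 and "(Minor issue, intrusive to backport)" for CVE-2020-7219. Settle on one wording and one separator so the entries can be searched and compared as a group.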
@@ -136530,6 +136531,7 @@ CVE-2021-37220 (MuPDF through 1.18.1 has an 
out-of-bounds write because the cach
NOTE: On Stretch, an earlier version of the code exits early instead of 
crashing.
 CVE-2021-37219 (HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer 
allows no ...)
- consul 1.8.7+dfsg1-6 (bug #1015218)
+   [buster] - consul  (Minor issue; intrusive to backport)
NOTE: 
https://discuss.hashicorp.com/t/hcsec-2021-22-consul-raft-rpc-privilege-escalation/29024
NOTE: 
https://github.com/hashicorp/consul/commit/ccf8eb1947357434eb6e66303ddab79f4c9d4103
 CVE-2021-37218 (HashiCorp Nomad and Nomad Enterprise Raft RPC layer allows 
non-server  ...)
@@ -197187,7 +197189,7 @@ CVE-2020-25865
RESERVED
 CVE-2020-25864 (HashiCorp Consul and Consul Enterprise up to version 1.9.4 
key-value ( ...)
- consul 1.8.7+dfsg1-2 (bug #987351)
-   [buster] - consul  (Minor issue)
+   [buster] - consul  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1950275
NOTE: https://github.com/hashicorp/consul/pull/10023
 CVE-2020-25863 (In Wireshark 3.2.0 to 3.2.6, 3.0.0 to 3.0.13, and 2.6.0 to 
2.6.20, the ...)
@@ -243630,7 +243632,7 @@ CVE-2020-7220 (HashiCorp Vault Enterprise 0.11.0 
through 1.3.1 fails, in certain
NOT-FOR-US: HashiCorp Vault
 CVE-2020-7219 (HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC 
services a ...)
- consul 1.7.0+dfsg1-1 (bug #950736)
-   [buster] - consul  (Minor issue)
+   [buster] - consul  (Minor issue, intrusive to backport)
NOTE: https://github.com/hashicorp/consul/issues/7159
NOTE: Fixed in 1.6.3.
 CVE-2020-7218 (HashiCorp Nomad and Nonad Enterprise up to 0.10.2 HTTP/RPC 
services al ...)
@@ -316114,7 +316116,7 @@ CVE-2018-19654 (An issue was discovered in Sales & 
Company Management System (SC
NOT-FOR-US: Sales & Company Management System (SCMS)
 CVE-2018-19653 (HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext 
agent-to-agent  ...)
- consul 1.4.4~dfsg1-1
-   [buster] - consul  (Minor issue)
+   [buster] - consul  (Minor issue)
NOTE: https://github.com/hashicorp/consul/pull/5069
 CVE-2018-19652
RESERVED
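
Review bot: this is the fifth consul entry whose [buster] line is touched in data/CVE/list, yet the commit subject only says "Remove consul from dla-needed.txt." The commit message should state that the open consul CVEs are being triaged for buster, and on what grounds, so the status changes can be found from the log.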


=
data/dla-needed.txt
=
@@ -17,13 +17,6 @@ cairosvg
   NOTE: 20230323: Programming language: Python.
   NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport 
the --unsafe switch, introduced in 1.0.21, might work (dleidert)
 --
-consul
-  NOTE: 20221031: Programming language: Go.
-  NOTE: 20221031: Concluded that the package should be fixed by the CVE 
description. Source code not analyzed in detail.
-  NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/consul.git
-  NOTE: 20230423: WIP, Fixed CVE-2018-19653 (abhijith)
-  NOTE: 20230422: Resume work. (abhijith)
---
 docker.io
   NOTE: 20230303: Programming language: Go.
   NOTE: 20230303: Follow fixes from bullseye 11.2 (Beuc/front-desk)
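
Review bot: the removed consul entry is the only place that records that CVE-2018-19653 was already fixed in the work-in-progress packaging ("WIP, Fixed CVE-2018-19653") and where that work lives (the VCS NOTE). The CVE-2018-19653 entry in data/CVE/list gets no NOTE in this commit, so that information is lost once this block is deleted. Carry the VCS pointer over to the CVE entry before removing it here.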



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eebe9d4c5e1c30f2c75ff33e5abae4161b83d46d



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim fusiondirectory

2023-05-04 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d1d4d1ef by Abhijith PA at 2023-05-04T19:28:00+05:30
data/dla-needed.txt: claim fusiondirectory

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -50,7 +50,7 @@ erlang
   NOTE: 20230111: VCS: https://salsa.debian.org/erlang-team/packages/erlang
   NOTE: 20230111: Maintainer notes: Coordinate with maintainer, whether their 
VCS can be used. Mail send to mailing list.
 --
-fusiondirectory
+fusiondirectory (Abhijith PA)
   NOTE: 20221203: Programming language: PHP.
   NOTE: 20221203: Please evaluate, whether the package can be fixed (gladk).
   NOTE: 20221203: Two CVEs have only mitigation, fix in a new version (gladk).



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d1d4d1ef32860d0f98ba92ae8a1f998fd30a1014



[Git][security-tracker-team/security-tracker][master] Mark CVE-2021-38698, CVE-2021-41803, CVE-2022-24687 and

2023-05-02 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
82bb5580 by Abhijith PA at 2023-05-03T01:44:06+05:30
Mark CVE-2021-38698, CVE-2021-41803, CVE-2022-24687 and
CVE-2022-40716 as not affected.

Add commit reference for CVE-2022-24687 with upstream tag.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -52696,6 +52696,7 @@ CVE-2022-40717 (This vulnerability allows 
network-adjacent attackers to execute
NOT-FOR-US: D-Link
 CVE-2022-40716 (HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, 
and 1.13. ...)
- consul  (bug #1027161)
+   [buster] - consul  (Vulnerable Code not present)
NOTE: 
https://discuss.hashicorp.com/t/hcsec-2022-20-consul-service-mesh-intention-bypass-with-malicious-certificate-signing-request/44628
NOTE: 
https://github.com/hashicorp/consul/commit/ae822d752ad36007e353249691a0ef318cf55d08
 (v1.11.9)
 CVE-2022-40715 (An issue was discovered in NOKIA 1350OMS R14.2. An Absolute 
Path Trave ...)
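
Review bot: the reason on the added [buster] line is capitalised as "(Vulnerable Code not present)", and the same spelling is used for CVE-2022-24687 and CVE-2021-41803, while the CVE-2021-38698 hunk in this commit writes "(Vulnerable code not present)". Use the lower-case form throughout so a case-sensitive search finds all four.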
@@ -98178,7 +98179,9 @@ CVE-2022-24688 (An issue was discovered in DSK DSKNet 
2.16.136.0 and 2.17.136.5.
NOT-FOR-US: DSK DSKNet
 CVE-2022-24687 (HashiCorp Consul and Consul Enterprise 1.9.0 through 1.9.14, 
1.10.7, a ...)
- consul  (bug #1006487)
+   [buster] - consul  (Vulnerable Code not present)
NOTE: 
https://discuss.hashicorp.com/t/hcsec-2022-05-consul-ingress-gateway-panic-can-shutdown-servers/
+   NOTE: 
https://github.com/hashicorp/consul/commit/d35c6a97cbdff252f5238d6b52f49786f896566a
 (1.9.15)
 CVE-2022-24686 (HashiCorp Nomad and Nomad Enterprise 0.3.0 through 1.0.17, 
1.1.11, and ...)
- nomad  (bug #1021273)
NOTE: 
https://discuss.hashicorp.com/t/hcsec-2022-01-nomad-artifact-download-race-condition/35559
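
Review bot: the release after the added commit URL is written "(1.9.15)", while the other consul references visible in this commit carry a "v" prefix, "(v1.11.9)" and "(v1.8.15)". The commit message says the reference is added "with upstream tag", so write it the same way as the others.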
@@ -123883,6 +123886,7 @@ CVE-2021-41804
RESERVED
 CVE-2021-41803 (HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not 
properl ...)
- consul  (bug #1034841)
+   [buster] - consul  (Vulnerable Code not present)
NOTE: 
https://discuss.hashicorp.com/t/hcsec-2022-19-consul-auto-config-jwt-authorization-missing-input-validation/44627
NOTE: 
https://github.com/hashicorp/consul/commit/34872682e44f6e7e6359c88bf9e333fa1002a99b
 (v1.11.9)
 CVE-2021-41802 (HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 
allowed a ...)
@@ -131684,7 +131688,7 @@ CVE-2021-38699 (TastyIgniter 3.0.7 allows XSS via 
/account, /reservation, /admin
 CVE-2021-38698 (HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply 
endpoint allow ...)
- consul 1.8.7+dfsg1-6 (bug #1015218)
[bullseye] - consul  (Minor issue)
-   [buster] - consul  (Minor issue)
+   [buster] - consul  (Vulnerable code not present)
NOTE: 
https://discuss.hashicorp.com/t/hcsec-2021-24-consul-missing-authorization-check-on-txn-apply-endpoint/29026
NOTE: 
https://github.com/hashicorp/consul/commit/747844bad6410091f2c6e961216c0c5fc285a44d
 (v1.8.15)
 CVE-2021-38697 (SoftVibe SARABAN for INFOMA 1.1 allows Unauthenticated 
unrestricted Fi ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/82bb558032826c53ec6e6272ff0fdc41103bdc06



[Git][security-tracker-team/security-tracker][master] add upstream commit ref

2023-05-02 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d0725e0d by Abhijith PA at 2023-05-03T00:21:26+05:30
add upstream commit ref

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -123858,6 +123858,7 @@ CVE-2021-41804
 CVE-2021-41803 (HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not 
properl ...)
- consul  (bug #1034841)
NOTE: 
https://discuss.hashicorp.com/t/hcsec-2022-19-consul-auto-config-jwt-authorization-missing-input-validation/44627
+   NOTE: 
https://github.com/hashicorp/consul/pull/14580/commits/fb3e29ec22ccda61f03da7e8e15e84da64f7fe82
 CVE-2021-41802 (HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 
allowed a ...)
NOT-FOR-US: HashiCorp Vault
 CVE-2021-41801 (The ReplaceText extension through 1.41 for MediaWiki has 
Incorrect Acc ...)
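
Review bot: the added NOTE links to a commit inside a pull request (pull/14580/commits/...) rather than to a commit URL on the repository, and it gives no fixed release in parentheses as other commit references in data/CVE/list do. A commit viewed through a pull request can differ from what was finally merged or backported to a release branch, so reference the merged commit and append the release it first shipped in. The commit subject "add upstream commit ref" should also name the CVE.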



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d0725e0dcbeae72ad364d4fa0fcf6983840d440a



[Git][security-tracker-team/security-tracker][master] Add upstream fix commit for CVE-2022-40716, CVE-2022-29153

2023-05-01 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fa087277 by Abhijith PA at 2023-05-01T18:33:01+05:30
Add upstream fix commit for CVE-2022-40716, CVE-2022-29153

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -52649,6 +52649,7 @@ CVE-2022-40717 (This vulnerability allows 
network-adjacent attackers to execute
 CVE-2022-40716 (HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, 
and 1.13. ...)
- consul  (bug #1027161)
NOTE: 
https://discuss.hashicorp.com/t/hcsec-2022-20-consul-service-mesh-intention-bypass-with-malicious-certificate-signing-request/44628
+   NOTE: 
https://github.com/hashicorp/consul/commit/ae822d752ad36007e353249691a0ef318cf55d08
 (1.11.9)
 CVE-2022-40715 (An issue was discovered in NOKIA 1350OMS R14.2. An Absolute 
Path Trave ...)
NOT-FOR-US: NOKIA
 CVE-2022-40714 (An issue was discovered in NOKIA 1350OMS R14.2. Reflected XSS 
exists u ...)
@@ -84961,6 +84962,7 @@ CVE-2022-29154 (An issue was discovered in rsync before 
3.2.5 that allows malici
 CVE-2022-29153 (HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, 
and 1.11. ...)
- consul  (bug #1017982)
NOTE: 
https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393
+   NOTE: 
https://github.com/hashicorp/consul/commit/72e1ce6317d6a4b28c73cd15f3976eb2c362be19
 (1.9.17)
 CVE-2022-29152 (The Ericom PowerTerm WebConnect 6.0 login portal can unsafely 
write an ...)
NOT-FOR-US: Ericom
 CVE-2022-29151 (Windows Cluster Shared Volume (CSV) Elevation of Privilege 
Vulnerabili ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa087277467cb3ed72e7de42802189c8bcafa364



[Git][security-tracker-team/security-tracker][master] CVE-2021-37219: Add upstream commit reference.

2023-04-30 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
acfb6606 by Abhijith PA at 2023-04-30T18:41:40+05:30
CVE-2021-37219: Add upstream commit reference.
CVE-2020-7955: Mark as not-affected, func AgentHealthServiceByID
 introduced later.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -135558,6 +135558,7 @@ CVE-2021-37220 (MuPDF through 1.18.1 has an 
out-of-bounds write because the cach
 CVE-2021-37219 (HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer 
allows no ...)
- consul 1.8.7+dfsg1-6 (bug #1015218)
NOTE: 
https://discuss.hashicorp.com/t/hcsec-2021-22-consul-raft-rpc-privilege-escalation/29024
+   NOTE: 
https://github.com/hashicorp/consul/commit/ccf8eb1947357434eb6e66303ddab79f4c9d4103
 CVE-2021-37218 (HashiCorp Nomad and Nomad Enterprise Raft RPC layer allows 
non-server  ...)
- nomad  (bug #1021273)
[bullseye] - nomad  (Minor issue)
@@ -240868,7 +240869,7 @@ CVE-2020-7956 (HashiCorp Nomad and Nomad Enterprise 
up to 0.10.2 incorrectly val
NOTE: https://github.com/hashicorp/nomad/issues/7003
 CVE-2020-7955 (HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did 
not uni ...)
- consul 1.7.0+dfsg1-1 (bug #950736)
-   [buster] - consul  (Minor issue)
+   [buster] - consul  (Vulnerable code not present)
NOTE: https://github.com/hashicorp/consul/issues/7160
NOTE: Fixed in 1.6.3.
 CVE-2020-7954 (An issue was discovered in OpServices OpMon 9.3.2. Starting 
from the a ...)
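
Review bot: the justification for the changed [buster] line on CVE-2020-7955, that func AgentHealthServiceByID was introduced later, exists only in the commit message. Add it as a NOTE under the entry so that someone reading the tracker, not the git log, can see why buster is considered unaffected and can re-check it against the buster source.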



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/acfb6606d28dff10d7de228f0e9951c219bc4b37



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: work on consul

2023-04-21 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a4a238aa by Abhijith PA at 2023-04-22T08:28:55+05:30
data/dla-needed.txt: work on consul

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -40,11 +40,12 @@ configobj (Chris Lamb)
   NOTE: 20230416: Special attention: Low priority but high popcon.
   NOTE: 20230421: No upstream-blessed patch yet. (lamby)
 --
-consul
+consul (Abhijith PA)
   NOTE: 20221031: Programming language: Go.
   NOTE: 20221031: Concluded that the package should be fixed by the CVE 
description. Source code not analyzed in detail.
   NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/consul.git
   NOTE: 20230423: WIP, Fixed CVE-2018-19653 (abhijith)
+  NOTE: 20230422: Resume work. (abhijith)
 --
 docker.io (gladk)
   NOTE: 20230303: Programming language: Go.
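
Review bot: the added "NOTE: 20230422: Resume work." is placed below the existing note dated 20230423, so the notes for consul are no longer in date order. Either move the new line above the 20230423 note or correct whichever date is wrong, since the order of these notes is how the next person reconstructs the state of the work.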



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a4a238aae1d839c85b1fef2e2fcec6382d87c817



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: update consul note

2023-04-02 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d8677d76 by Abhijith PA at 2023-04-03T11:28:26+05:30
data/dla-needed.txt: update consul note

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -38,10 +38,11 @@ ceph
   NOTE: 20230102:   [buster] - ceph  (ceph-crash service added 
in Ceph 14) (stefanor)
   NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/ceph.git
 --
-consul
+consul (Abhijith PA)
   NOTE: 20221031: Programming language: Go.
   NOTE: 20221031: Concluded that the package should be fixed by the CVE 
description. Source code not analyzed in detail.
   NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/consul.git
+  NOTE: 20230423: WIP, Fixed CVE-2018-19653 (abhijith)
 --
 curl (holger)
   NOTE: 20230321: Programming language: C.
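
Review bot: the added note is dated 20230423, but the commit itself is timestamped 2023-04-03, so the note is dated twenty days in the future. Please check the date prefix; if it was meant to be the day of the commit it should read 20230403.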



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8677d763eec99cfb9a2d7f3d75110fa7adeae3b



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim consul

2023-03-18 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
95bc6bb4 by Abhijith PA at 2023-03-18T14:50:50+05:30
data/dla-needed.txt: claim consul

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -33,7 +33,7 @@ ceph
   NOTE: 20230102:   [buster] - ceph  (ceph-crash service added 
in Ceph 14) (stefanor)
   NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/ceph.git
 --
-consul
+consul (Abhijith PA)
   NOTE: 20221031: Programming language: Go.
   NOTE: 20221031: Concluded that the package should be fixed by the CVE 
description. Source code not analyzed in detail.
   NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/consul.git



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/95bc6bb4b83952fbd90456ae3a1c68595fb93f3c



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim nheko

2023-01-23 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8700fd3e by Abhijith PA at 2023-01-23T17:31:54+05:30
data/dla-needed.txt: claim nheko

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -179,7 +179,7 @@ nextcloud-desktop
   NOTE: 20221128: VCS: https://salsa.debian.org/owncloud-team/nextcloud-desktop
   NOTE: 20221128: Please coordinate with maintainer the usage of their 
git-repo (gladk).
 --
-nheko
+nheko (Abhijith PA)
   NOTE: 20230101: Programming language: C++.
 --
 node-css-what



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8700fd3e060095a2d309608dacf2bac720f5db33



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3279-1 for trafficserver

2023-01-23 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2d9f5058 by Abhijith PA at 2023-01-23T16:31:27+05:30
Reserve DLA-3279-1 for trafficserver

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[23 Jan 2023] DLA-3279-1 trafficserver - security update
+   {CVE-2021-37150 CVE-2022-25763 CVE-2022-28129 CVE-2022-31780}
+   [buster] - trafficserver 8.0.2+ds-1+deb10u7
 [20 Jan 2023] DLA-3278-1 tiff - security update
{CVE-2022-1354 CVE-2022-1355 CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 
CVE-2022-2867 CVE-2022-2868 CVE-2022-2869 CVE-2022-3570 CVE-2022-3597 
CVE-2022-3598 CVE-2022-3599 CVE-2022-3626 CVE-2022-3627 CVE-2022-3970 
CVE-2022-34526}
[buster] - tiff 4.1.0+git191117-2~deb10u5


=
data/dla-needed.txt
=
@@ -352,12 +352,6 @@ tor (Thorsten Alteholz)
   NOTE: 20220115: Programming language: C.
   NOTE: 20230116: VCS: https://salsa.debian.org/lts-team/packages/tor.git
 --
-trafficserver
-  NOTE: 20220905: Programming language: C.
-  NOTE: 20221024: WIP, big changeset in security fix (abhijith)
-  NOTE: 20221114: https://people.debian.org/~abhijith/upload/trf/ (abhijith)
-  NOTE: 20221114: Asked upstream regarding CVE-2022-31779 (abhijith)
---
 wireshark
   NOTE: 20230123: Programming language: C.
   NOTE: 20230123: 7 new CVEs + 3 postponed ones. Would be good to not let them 
pile up like last time. (utkarsh).



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d9f50586010d4fb99052eb52c6485b4e2e96820



[Git][security-tracker-team/security-tracker][master] reclaim xrdp

2023-01-16 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9a94a930 by Abhijith PA at 2023-01-17T09:53:21+05:30
reclaim xrdp

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -364,9 +364,10 @@ xfig (gladk)
   NOTE: 20230105: Programming language: C.
   NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk)
 --
-xrdp
+xrdp (Abhijith PA)
   NOTE: 20221225: Programming language: C.
   NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/xrdp.git
+  NOTE: 20230117: Fixed 6 out 10 CVEs. Testing (abhijith)
 --
 zabbix
   NOTE: 20220911: At least CVE-2022-23134 was fixed in stretch so it should be 
fixed in buster too.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a94a930da4adc3e180450120680964be53780b9



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim xrdp

2022-12-31 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0fcf4f9d by Abhijith PA at 2022-12-31T23:52:54+05:30
data/dla-needed.txt: claim xrdp

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -325,7 +325,7 @@ xdg-utils
   NOTE: 20221120: Programming language: C.
   NOTE: 20221120: no real fix yet
 --
-xrdp
+xrdp (Abhijith PA)
   NOTE: 20221225: Programming language: C.
   NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/xrdp.git
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fcf4f9d632cb746e32ca23b9bbff339c0e526e4



[Git][security-tracker-team/security-tracker][master] update note in dla-needed

2022-11-14 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4e5e3d80 by Abhijith PA at 2022-11-14T15:47:19+05:30
update note in dla-needed

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -367,6 +367,8 @@ tiff
 trafficserver
   NOTE: 20220905: Programming language: C.
   NOTE: 20221024: WIP, big changeset in security fix (abhijith)
+  NOTE: 20221114: https://people.debian.org/~abhijith/upload/trf/ (abhijith)
+  NOTE: 20221114: Asked upstream regarding CVE-2022-31779 (abhijith)
 --
 twisted
   NOTE: 20221030: Programming language: Python.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e5e3d80d11e1416186c10db10a5ce6bf1dc2a9f



[Git][security-tracker-team/security-tracker][master] Mark CVE-2022-31778 as ignored for buster

2022-10-31 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
19db2921 by Abhijith PA at 2022-11-01T11:19:16+05:30
Mark CVE-2022-31778 as ignored for buster

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -34853,6 +34853,7 @@ CVE-2022-31779 (Improper Input Validation vulnerability 
in HTTP/2 header parsing
 CVE-2022-31778 (Improper Input Validation vulnerability in handling the 
Transfer-Encod ...)
{DSA-5206-1}
- trafficserver 9.1.3+ds-1
+   [buster] - trafficserver  (Minor issue, intrusive to backport)
NOTE: https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21
 CVE-2022-31777
RESERVED



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/19db2921e8f9c9d1ada3d8318bbd394238c2a11c



[Git][security-tracker-team/security-tracker][master] Mark CVE-2022-24724 as not-affected for buster and bullseye.

2022-10-30 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
36d38a8b by Abhijith PA at 2022-10-30T14:11:00+05:30
Mark CVE-2022-24724 as not-affected for buster and bullseye.
ghostwriter doesn't embed cmark-gfm in those releases.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -55492,7 +55492,8 @@ CVE-2022-24725 (Shescape is a shell escape package for 
JavaScript. An issue in v
 CVE-2022-24724 (cmark-gfm is GitHub's extended version of the C reference 
implementati ...)
- cmark-gfm 0.29.0.gfm.3-3 (bug #1006756)
- ghostwriter  (bug #1006757)
-   [bullseye] - ghostwriter  (Minor issue)
+   [bullseye] - ghostwriter  (Vulnerable code not present)
+   [buster] - ghostwriter  (Vulnerable code not present)
- python-cmarkgfm 0.7.0-1 (bug #1006758)
- ruby-commonmarker  (bug #1006759)
- r-cran-commonmark 1.8.0-1 (bug #1006760)


=
data/dla-needed.txt
=
@@ -49,9 +49,6 @@ fwupd
 gerbv
   NOTE: 20220923: Programming language: C.
 --
-ghostwriter (Abhijith PA)
-  NOTE: 20221009: Programming language: C.
---
 golang-1.11
   NOTE: 20220916: Programming language: Go.
   NOTE: 20220916: Special attention: limited support; requires rebuilding 
reverse build dependencies (though recent bullseye updates didn't)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/36d38a8b902703442385a481f13e9b2ffb9a2b82



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim ghostwriter

2022-10-30 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b1442b86 by Abhijith PA at 2022-10-30T13:12:55+05:30
data/dla-needed.txt: claim ghostwriter

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -49,7 +49,7 @@ fwupd
 gerbv
   NOTE: 20220923: Programming language: C.
 --
-ghostwriter
+ghostwriter (Abhijith PA)
   NOTE: 20221009: Programming language: C.
 --
 golang-1.11



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b1442b86ce32e2c48c559ffca4f10430a28f0586



[Git][security-tracker-team/security-tracker][master] Mark CVE-2022-39835 as no-dsa

2022-10-30 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dfbabd55 by Abhijith PA at 2022-10-30T12:55:36+05:30
Mark CVE-2022-39835 as no-dsa
Code refactoring on later version makes it very hard to backport

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -12137,6 +12137,7 @@ CVE-2022-39836 (An issue was discovered in Connected 
Vehicle Systems Alliance (C
 CVE-2022-39835 (An issue was discovered in Gajim through 1.4.7. The 
vulnerability allo ...)
- gajim 1.5.0-1
[bullseye] - gajim  (Minor issue)
+   [buster] - gajim  (Minor issue, intrusive to backport)
NOTE: 
https://dev.gajim.org/gajim/gajim/-/commit/af02c6bd53fad4e0065951597bd7ec801c002067
 (1.5.0)
 CVE-2022-39834
RESERVED
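
Review bot: On the added [buster] gajim line, the reason "intrusive to backport" is not backed by anything in the entry itself: the only NOTE points at the upstream fix commit for 1.5.0. Consider a NOTE naming the refactoring the fix depends on, so the decision can be re-checked later without redoing the analysis. The [bullseye] line above carries just "Minor issue", which makes the two releases read as if they were assessed on different grounds.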


=
data/dla-needed.txt
=
@@ -46,9 +46,6 @@ frr
 fwupd
   NOTE: 20221003: Programming language: C++.
 --
-gajim (Abhijith PA)
-  NOTE: 20221006: Programming language: Python.
---
 gerbv
   NOTE: 20220923: Programming language: C.
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dfbabd55b857fac1dc2c10da94d08dd0318c5fa8



[Git][security-tracker-team/security-tracker][master] Reclaim packages

2022-10-23 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
726e88a5 by Abhijith PA at 2022-10-24T11:18:55+05:30
Reclaim packages

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -153,7 +153,7 @@ r-cran-commonmark
   NOTE: 20221009: Programming language: R.
   NOTE: 20221009: Please synchronize with ghostwriter.
 --
-rails
+rails (Abhijith PA)
   NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
   NOTE: 20220909: Two issues 
https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith)
   NOTE: 20220909: https://lists.debian.org/debian-lts/2022/09/msg4.html 
(abhijith)
@@ -161,6 +161,8 @@ rails
   NOTE: 20220915: 2:5.2.2.1+dfsg-1+deb10u5 uploaded without the regression 
causing patch (abhijith)
   NOTE: 20220915: Utkarsh prepared a patch and is on testing (abhijith)
   NOTE: 20221003: 
https://github.com/rails/rails/issues/45590#issuecomment-1249123907 (abhijith)
+  NOTE: 20221024: Delay upload, see above comment, users have done workaround. 
Not a good idea
+  NOTE: 20221024: to break thrice in less than 2 month.
 --
 rainloop
   NOTE: 20220913: Programming language: PHP, JavaScript.
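
Review bot: The two added "NOTE: 20221024" lines in the rails entry drop the trailing "(abhijith)" that the surrounding NOTE lines carry, and "see above comment" depends on the order of the lines staying as it is. Suggest ending both lines with the author tag and naming the upstream issue comment (issuecomment-1249123907) explicitly instead of referring to it by position.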
@@ -197,8 +199,9 @@ sox
   NOTE: 20220818: Requires some investigation; see #1012138 etc.
   NOTE: 20221003: https://sourceforge.net/p/sox/bugs/362/ Re-pinged upstream 
committer (abhijith)
 --
-trafficserver
+trafficserver (Abhijith PA)
   NOTE: 20220905: Programming language: C.
+  NOTE: 20221024: WIP, big changeset in security fix (abhijith)
 --
 vim
   NOTE: 20220904: Programming language: C.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/726e88a594ac5ee20bb21ef9353741d22f6d7f91



[Git][security-tracker-team/security-tracker][master] Remove tinyproxy [bec7770]

2022-10-13 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a4d55272 by Abhijith PA at 2022-10-13T13:56:03+05:30
Remove tinyproxy [bec7770]
Claim gajim

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -46,7 +46,7 @@ frr
 fwupd
   NOTE: 20221003: Programming language: C++.
 --
-gajim
+gajim (Abhijith PA)
   NOTE: 20221006: Programming language: Python.
 --
 gerbv
@@ -196,9 +196,6 @@ sox
   NOTE: 20220818: Requires some investigation; see #1012138 etc.
   NOTE: 20221003: https://sourceforge.net/p/sox/bugs/362/ Re-pinged upstream 
committer (abhijith)
 --
-tinyproxy (Abhijith PA)
-  NOTE: 20221009: Programming language: C.
---
 trafficserver (Abhijith PA)
   NOTE: 20220905: Programming language: C.
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a4d5527208d4158151c64f1d61ed342891bdbe2e



[Git][security-tracker-team/security-tracker][master] Unless there are modified error pages which contain special

2022-10-13 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bec77709 by Abhijith PA at 2022-10-13T13:50:26+05:30
Unless there are modified error pages which contain special
non-standard variables, this is not an issue. tinyproxy is mostly
run locally or in a small trusted network rather than as a full-fledged
proxy server.

 Mark CVE-2022-40468 as postponed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5840,6 +5840,7 @@ CVE-2022-40469 (iKuai8 v3.6.7 was discovered to contain 
an authenticated remote
 CVE-2022-40468 (Potential leak of left-over heap data if custom error page 
templates c ...)
- tinyproxy 1.11.1-2 (bug #1021015)
[bullseye] - tinyproxy  (Minor issue)
+   [buster] - tinyproxy  (Minor issue)
NOTE: https://github.com/tinyproxy/tinyproxy/issues/457
NOTE: 
https://github.com/tinyproxy/tinyproxy/commit/3764b8551463b900b5b4e3ec0cd9bb9182191cb7
 CVE-2022-40467
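
Review bot: The added [buster] tinyproxy line gives only "Minor issue" as its reason, while the actual reasoning sits in the commit message (the leak needs custom error page templates with non-standard variables, and tinyproxy is mostly run on trusted networks), which also describes the state as postponed. Suggest putting that precondition into the reason text or a NOTE under CVE-2022-40468, so it is visible in the tracker and the entry can be revisited on the same basis.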



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bec77709da1513d103eee3c20fd0e87d35d8e92e



[Git][security-tracker-team/security-tracker][master] data/ela-needed.txt: claim tinyproxy

2022-10-12 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7b158703 by Abhijith PA at 2022-10-13T01:26:51+05:30
data/ela-needed.txt: claim tinyproxy

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -196,7 +196,7 @@ sox
   NOTE: 20220818: Requires some investigation; see #1012138 etc.
   NOTE: 20221003: https://sourceforge.net/p/sox/bugs/362/ Re-pinged upstream 
committer (abhijith)
 --
-tinyproxy
+tinyproxy (Abhijith PA)
   NOTE: 20221009: Programming language: C.
 --
 trafficserver (Abhijith PA)
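
Review bot: This hunk claims tinyproxy in data/dla-needed.txt, but the commit subject names data/ela-needed.txt. If the claim is meant for the file changed here, the subject should say dla-needed.txt; if the subject is right, the wrong file was edited.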



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7b15870356da8d3be2538ae37d9ded3d480b5e14



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3151-1 for squid

2022-10-12 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f2df475c by Abhijith PA at 2022-10-13T00:58:08+05:30
Reserve DLA-3151-1 for squid

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[13 Oct 2022] DLA-3151-1 squid - security update
+   {CVE-2022-41317 CVE-2022-41318}
+   [buster] - squid 4.6-1+deb10u8
 [12 Oct 2022] DLA-3150-1 rexical - security update
{CVE-2019-5477}
[buster] - rexical 1.0.5-2+deb10u1
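
Review bot: DLA-3151-1 lists CVE-2022-41317 in its CVE set, while the dla-needed.txt note removed in this same commit says CVE-2022-41317 should be not-affected and only CVE-2022-41318 an issue. Confirm that 4.6-1+deb10u8 really carries a fix for CVE-2022-41317; if buster was not affected, drop it from the braces and record the not-affected status in data/CVE/list instead.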


=
data/dla-needed.txt
=
@@ -196,10 +196,6 @@ sox
   NOTE: 20220818: Requires some investigation; see #1012138 etc.
   NOTE: 20221003: https://sourceforge.net/p/sox/bugs/362/ Re-pinged upstream 
committer (abhijith)
 --
-squid (Abhijith PA)
-  NOTE: 20220923: Programming language: C.
-  NOTE: 20220923: CVE-2022-41317 should be not-affected, but CVE-2022-41318 
should be an issue, pleae recheck
---
 tinyproxy
   NOTE: 20221009: Programming language: C.
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2df475c89193c6cb7aea25d218e85e496d5c0c5



[Git][security-tracker-team/security-tracker][master] update note. Claim trafficserver,squid

2022-10-03 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c41fd934 by Abhijith PA at 2022-10-03T11:54:28+05:30
update note. Claim trafficserver,squid

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -129,6 +129,7 @@ rails (Abhijith PA)
   NOTE: 20220909: upstream report https://github.com/rails/rails/issues/45590 
(abhijith)
   NOTE: 20220915: 2:5.2.2.1+dfsg-1+deb10u5 uploaded without the regression 
causing patch (abhijith)
   NOTE: 20220915: Utkarsh prepared a patch and is on testing (abhijith)
+  NOTE: 20221003: 
https://github.com/rails/rails/issues/45590#issuecomment-1249123907 (abhijith)
 --
 rainloop
   NOTE: 20220913: Programming language: PHP, JavaScript.
@@ -164,15 +165,16 @@ samba
 snort
   NOTE: 20220905: Requires further triaging to conclude exactly which CVEs to 
be fixed or ignored.
 --
-sox (Abhijith PA)
+sox
   NOTE: 20220818: Programming language: C.
   NOTE: 20220818: Requires some investigation; see #1012138 etc.
+  NOTE: 20221003: https://sourceforge.net/p/sox/bugs/362/ Re-pinged upstream 
committer (abhijith)
 --
-squid
+squid (Abhijith PA)
   NOTE: 20220923: Programming language: C.
   NOTE: 20220923: CVE-2022-41317 should be not-affected, but CVE-2022-41318 
should be an issue, pleae recheck
 --
-trafficserver
+trafficserver (Abhijith PA)
   NOTE: 20220905: Programming language: C.
 --
 tzdata (Emilio)
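
Review bot: The first change in this hunk, "-sox (Abhijith PA)" to "+sox", releases the sox claim, which the commit subject ("update note. Claim trafficserver,squid") does not mention. Say so in the message or split the unclaim into its own commit; with the added 20221003 NOTE showing upstream was just re-pinged, a reader cannot tell from the log whether dropping the claim was intended.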



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c41fd9342a34670671c0c80e8f1df1b30e462f90



[Git][security-tracker-team/security-tracker][master] update note in dla-needed.txt

2022-09-15 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8963bb09 by Abhijith PA at 2022-09-15T13:37:02+05:30
update note in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -131,6 +131,8 @@ rails (Abhijith PA)
   NOTE: 20220909: Two issues 
https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith)
   NOTE: 20220909: https://lists.debian.org/debian-lts/2022/09/msg4.html 
(abhijith)
   NOTE: 20220909: upstream report https://github.com/rails/rails/issues/45590 
(abhijith)
+  NOTE: 20220915: 2:5.2.2.1+dfsg-1+deb10u5 uploaded without the regression 
causing patch (abhijith)
+  NOTE: 20220915: Utkarsh prepared a patch and is on testing (abhijith)
 --
 rainloop
   NOTE: 20220913: Programming language: PHP, JavaScript.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8963bb09975d92b0e0b088f15e7206b7c89539da



[Git][security-tracker-team/security-tracker][master] reserve DLA-3093-2 for rails

2022-09-15 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
783ec94b by Abhijith PA at 2022-09-15T13:01:01+05:30
reserve DLA-3093-2 for rails

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
@@ -1,3 +1,5 @@
+[15 Sep 2022] DLA-3093-2 rails - regression update
+   [buster] - rails 2:5.2.2.1+dfsg-1+deb10u5
 [15 Sep 2022] DLA-3109-1 nova - security update
{CVE-2019-14433}
[buster] - nova 2:18.1.0-6+deb10u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/783ec94bee911f12b96f652dafe55dfb91e5e07c



[Git][security-tracker-team/security-tracker][master] drop CVE-2022-32224 from DLA-3093-1

2022-09-14 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
de0c07b1 by Abhijith PA at 2022-09-14T19:08:39+05:30
drop CVE-2022-32224 from DLA-3093-1

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=
data/CVE/list
=
@@ -21681,7 +21681,6 @@ CVE-2022-32225 (A reflected DOM-Based XSS vulnerability 
has been discovered in t
NOT-FOR-US: Veeam
 CVE-2022-32224
RESERVED
-   {DLA-3093-1}
- rails 2:6.1.6.1+dfsg-1 (bug #1016140)
NOTE: https://github.com/advisories/GHSA-3hhc-qp5v-9p2j
NOTE: Fixed by: 
https://github.com/rails/rails/commit/611990f1a6c137c2d56b1ba06b27e5d2434dcd6a 
(main)
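
Review bot: Removing {DLA-3093-1} from CVE-2022-32224 leaves the entry with no line stating buster's status, and neither the hunk nor the commit message says why the CVE was dropped from the DLA. Suggest adding a [buster] line or a NOTE with the reason (fix not included in 2:5.2.2.1+dfsg-1+deb10u4, or code not affected), so the status for buster is explicit.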


=
data/DLA/list
=
@@ -41,7 +41,7 @@
{CVE-2021-0561}
[buster] - flac 1.3.2-3+deb10u2
 [03 Sep 2022] DLA-3093-1 rails - security update
-   {CVE-2022-21831 CVE-2022-22577 CVE-2022-23633 CVE-2022-2 
CVE-2022-32224}
+   {CVE-2022-21831 CVE-2022-22577 CVE-2022-23633 CVE-2022-2}
[buster] - rails 2:5.2.2.1+dfsg-1+deb10u4
 [02 Sep 2022] DLA-3092-1 dpdk - security update
{CVE-2022-2132}



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/de0c07b172ab04ca843894f92d959ef044c5a652



[Git][security-tracker-team/security-tracker][master] Reclaim sox

2022-09-13 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3c05ffa8 by Abhijith PA at 2022-09-13T11:47:29+05:30
Reclaim sox

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -159,7 +159,7 @@ samba
 snort
   NOTE: 20220905: Requires further triaging to conclude exactly which CVEs to 
be fixed or ignored.
 --
-sox
+sox (Abhijith PA)
   NOTE: 20220818: Programming language: C.
   NOTE: 20220818: Requires some investigation; see #1012138 etc.
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c05ffa864d0c8c6176300b74b66f1acf7525aac



[Git][security-tracker-team/security-tracker][master] Re add rails to dla-needed.txt, regression

2022-09-09 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
db0b2ebc by Abhijith PA at 2022-09-09T18:11:02+05:30
Re add rails to dla-needed.txt, regression

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -121,6 +121,12 @@ poppler (Markus Koschany)
 python-oslo.utils (Chris Lamb)
   NOTE: 20220904: Programming language: Python.
 --
+rails (Abhijith PA)
+  NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
+  NOTE: 20220909: Two issues 
https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith)
+  NOTE: 20220909: https://lists.debian.org/debian-lts/2022/09/msg4.html 
(abhijith)
+  NOTE: 20220909: upstream report https://github.com/rails/rails/issues/45590 
(abhijith)
+--
 runc
   NOTE: 20220905: Programming language: Go.
   NOTE: 20220905: Special attention: Sync with Bullseye.
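
Review bot: The second list link in the added rails entry, as shown here ending in msg4.html, does not follow the five-digit form of the link on the line before it (msg00014.html). Check that it resolves, and consider labelling it the way the first link is ("Two issues"), so a reader knows which report it points to.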



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db0b2ebc27c5b2a820d3427dedb2c5db64fd0af4



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3099-1 for qemu

2022-09-04 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0e2edf5f by Abhijith PA at 2022-09-05T08:52:16+05:30
Reserve DLA-3099-1 for qemu

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -36969,7 +36969,6 @@ CVE-2022-26355 (Citrix Federated Authentication Service 
(FAS) 7.17 - 10.6 causes
 CVE-2022-26354 (A flaw was found in the vhost-vsock device of QEMU. In case of 
error,  ...)
{DSA-5133-1 DLA-2970-1}
- qemu 1:7.0+dfsg-1
-   [buster] - qemu  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2063257
NOTE: 
https://gitlab.com/qemu-project/qemu/-/commit/8d1b247f3748ac4078524130c6d7ae42b6140aaf
NOTE: vulnerable code in buster in vhost_vsock_send_transport_reset
@@ -60930,7 +60929,6 @@ CVE-2021-3930 (An off-by-one error was found in the 
SCSI device emulation in QEM
{DLA-2970-1}
- qemu 1:6.2+dfsg-1
[bullseye] - qemu  (Minor issue)
-   [buster] - qemu  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2020588
NOTE: https://gitlab.com/qemu-project/qemu/-/issues/546
NOTE: Fixed by: 
https://gitlab.com/qemu-project/qemu/-/commit/b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8
 (v6.2.0-rc0)
@@ -73898,7 +73896,6 @@ CVE-2021-39231 (In Apache Ozone versions prior to 
1.2.0, Various internal server
 CVE-2021-3713 (An out-of-bounds write flaw was found in the UAS (USB Attached 
SCSI) d ...)
{DSA-4980-1 DLA-2753-1}
- qemu 1:6.1+dfsg-2 (bug #992727)
-   [buster] - qemu  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1994640
NOTE: 
https://gitlab.com/qemu-project/qemu/-/commit/13b250b12ad3c59114a6a17d59caf073ce45b33a
 CVE-2021-39230 (Butter is a system usability utility. Due to a kernel error 
the JPNS k ...)
@@ -84736,13 +84733,11 @@ CVE-2021-34827 (This vulnerability allows 
network-adjacent attackers to execute
NOT-FOR-US: D-Link
 CVE-2021-3608 (A flaw was found in the QEMU implementation of VMWare's 
paravirtual RD ...)
- qemu 1:5.2+dfsg-11 (bug #990563)
-   [buster] - qemu  (Minor issue)
[stretch] - qemu  (Vulnerable code introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1973383
NOTE: 
https://git.qemu.org/?p=qemu.git;a=commit;h=66ae37d8cc313f89272e711174a846a229bcdbd3
 CVE-2021-3607 (An integer overflow was found in the QEMU implementation of 
VMWare's p ...)
- qemu 1:5.2+dfsg-11 (bug #990564)
-   [buster] - qemu  (Minor issue)
[stretch] - qemu  (Vulnerable code introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1973349
NOTE: upstream commit: 
https://git.qemu.org/?p=qemu.git;a=commit;h=32e5703cfea07c91e6e84bcb0313f633bb146534
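
Review bot: For CVE-2021-3608 and CVE-2021-3607 the [buster] "Minor issue" lines are removed, but neither entry shows a {DLA-...} or {DSA-...} tag in the context. Make sure both IDs are in the DLA-3099-1 CVE set in data/DLA/list, otherwise buster is left without any recorded status for them.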
@@ -86893,7 +86888,6 @@ CVE-2021-3587
REJECTED
 CVE-2021-3582 (A flaw was found in the QEMU implementation of VMWare's 
paravirtual RD ...)
- qemu 1:5.2+dfsg-11 (bug #990565)
-   [buster] - qemu  (Minor issue)
[stretch] - qemu  (Vulnerable code introduced later)
NOTE: 
https://lists.nongnu.org/archive/html/qemu-devel/2021-06/msg04148.html
NOTE: Upstream commit: 
https://git.qemu.org/?p=qemu.git;a=commit;h=284f191b4abad213aed04cb0458e1600fd18d7c4
@@ -92138,7 +92132,6 @@ CVE-2021-3528 (A flaw was found in noobaa-operator in 
versions before 5.7.0, whe
 CVE-2021-3527 (A flaw was found in the USB redirector device (usb-redir) of 
QEMU. Sma ...)
{DLA-2753-1}
- qemu 1:5.2+dfsg-11 (bug #988157)
-   [buster] - qemu  (Minor issue)
NOTE: Initial patchset: 
https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg00564.html
NOTE: Revisited: 
https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01372.html
NOTE: 
https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01373.html
@@ -93339,7 +93332,6 @@ CVE-2021-3508 (A flaw was found in PDFResurrect in 
version 0.22b. There is an in
 CVE-2021-3507 (A heap buffer overflow was found in the floppy disk emulator of 
QEMU u ...)
- qemu  (bug #987410)
[bullseye] - qemu  (Minor issue)
-   [buster] - qemu  (Minor issue)
[stretch] - qemu  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1951118
NOTE: 
https://gitlab.com/qemu-project/qemu/-/commit/defac5e2fbddf8423a354ff0454283a2115e1367
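
Review bot: In the CVE-2021-3507 entry the [buster] line is dropped while [bullseye] and [stretch] keep "Minor issue", and the package line shows no fixed version, only bug #987410. Confirm that the buster upload really backports the referenced upstream commit for this CVE; if it does not, the [buster] line should stay.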
@@ -103199,7 +103191,6 @@ CVE-2021-3417 (An internal product security audit of 
LXCO, prior to version 1.2.
 CVE-2021-3416 (A potential stack overflow via infinite loop issue was found in 
variou ...)
{DLA-2623-1}
- qemu 1:5.2+dfsg-9 (bug #984448)
-   [buster] - qemu  (Minor issue)
NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07431.html
NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07484.html

[Git][security-tracker-team/security-tracker][master] Add missing CVE to DLA list

2022-09-03 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8a7cb1ff by Abhijith PA at 2022-09-03T19:23:53+05:30
Add missing CVE to DLA list

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
@@ -1,5 +1,5 @@
 [03 Sep 2022] DLA-3093-1 rails - security update
-   {CVE-2022-21831 CVE-2022-22577 CVE-2022-23633 CVE-2022-2}
+   {CVE-2022-21831 CVE-2022-22577 CVE-2022-23633 CVE-2022-2 
CVE-2022-32224}
[buster] - rails 2:5.2.2.1+dfsg-1+deb10u4
 [02 Sep 2022] DLA-3092-1 dpdk - security update
{CVE-2022-2132}



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a7cb1ff2a6b52c6d6e772b0e7006b61a90d3aa4



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3093-1 for rails

2022-09-03 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b043d0ef by Abhijith PA at 2022-09-03T16:26:29+05:30
Reserve DLA-3093-1 for rails

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[03 Sep 2022] DLA-3093-1 rails - security update
+   {CVE-2022-21831 CVE-2022-22577 CVE-2022-23633 CVE-2022-2}
+   [buster] - rails 2:5.2.2.1+dfsg-1+deb10u4
 [02 Sep 2022] DLA-3092-1 dpdk - security update
{CVE-2022-2132}
[buster] - dpdk 18.11.11-1~deb10u2


=
data/dla-needed.txt
=
@@ -82,10 +82,6 @@ qemu (Abhijith PA)
   NOTE: 20220808: conflicting pu at 
https://people.debian.org/~abhijith/upload/mruby/qemu_3.1+dfsg-8+deb10u9.dsc , 
needs to be merged (Beuc/abhijith)
   NOTE: 20220822: Merged new build at 
https://people.debian.org/~abhijith/upload/mruby/qemu_3.1+dfsg-8+deb10u9.dsc 
(abhijith)
 --
-rails (Abhijith PA)
-  NOTE: 20220817: Programming language: Ruby.
-  NOTE: 20220817: Vulnerable to at least CVE-2022-21831.
---
 ruby-rack (Utkarsh)
   NOTE: 20220818: Programming language: Ruby.
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b043d0ef9bbcaef6e85b7fe6c6da6d9f978517af



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3091-1 for sofia-sip

2022-09-01 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
502c21ed by Abhijith PA at 2022-09-02T02:16:46+05:30
Reserve DLA-3091-1 for sofia-sip

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[02 Sep 2022] DLA-3091-1 sofia-sip - security update
+   {CVE-2022-31001 CVE-2022-31002 CVE-2022-31003}
+   [buster] - sofia-sip 1.12.11+20110422.1-2.1+deb10u1
 [31 Aug 2022] DLA-3090-1 php-horde-turba - security update
{CVE-2022-30287}
[buster] - php-horde-turba 4.2.23-1+deb10u1


=
data/dla-needed.txt
=
@@ -90,9 +90,6 @@ salt
   NOTE: 20220814: Also, I am not sure, whether it is possible to fix issues
   NOTE: 20220814: without backporting a newer verion. (Anton)
 --
-sofia-sip (Abhijith PA)
-  NOTE: 20220818: Programming language: C.
---
 sox (Abhijith PA)
   NOTE: 20220818: Programming language: C.
   NOTE: 20220818: Requires some investigation; see #1012138 etc.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/502c21ed0f1a93e7a9374757e9acdab4d1ecb036



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim sox sofia-sip

2022-08-27 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c7846a5c by Abhijith PA at 2022-08-28T01:05:05+05:30
data/dla-needed.txt: claim sox sofia-sip

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -84,7 +84,7 @@ qemu (Abhijith PA)
   NOTE: 20220808: conflicting pu at 
https://people.debian.org/~abhijith/upload/mruby/qemu_3.1+dfsg-8+deb10u9.dsc , 
needs to be merged (Beuc/abhijith)
   NOTE: 20220822: Merged new build at 
https://people.debian.org/~abhijith/upload/mruby/qemu_3.1+dfsg-8+deb10u9.dsc 
(abhijith)
 --
-rails
+rails (Abhijith PA)
   NOTE: 20220817: Programming language: Ruby.
   NOTE: 20220817: Vulnerable to at least CVE-2022-21831.
 --
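
Review bot: This hunk also claims rails ("+rails (Abhijith PA)"), which the commit subject "data/dla-needed.txt: claim sox sofia-sip" leaves out. List all three packages in the subject so the rails claim can be found from the log.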
@@ -101,10 +101,10 @@ salt
   NOTE: 20220814: Also, I am not sure, whether it is possible to fix issues
   NOTE: 20220814: without backporting a newer verion. (Anton)
 --
-sofia-sip
+sofia-sip (Abhijith PA)
   NOTE: 20220818: Programming language: C.
 --
-sox
+sox (Abhijith PA)
   NOTE: 20220818: Programming language: C.
   NOTE: 20220818: Requires some investigation; see #1012138 etc.
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c7846a5caabb5f220eaf731561b1e41c8fa3c7cc



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3083-1 for puma

2022-08-27 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
768dca5e by Abhijith PA at 2022-08-28T00:22:19+05:30
Reserve DLA-3083-1 for puma

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[28 Aug 2022] DLA-3083-1 puma - security update
+   {CVE-2021-29509 CVE-2021-41136 CVE-2022-23634 CVE-2022-24790}
+   [buster] - puma 3.12.0-2+deb10u3
 [27 Aug 2022] DLA-3082-1 exim4 - security update
{CVE-2022-37452}
[buster] - exim4 4.92-8+deb10u7


=
data/dla-needed.txt
=
@@ -77,9 +77,6 @@ php-horde-mime-viewer
 php-horde-turba
   NOTE: 20220816: Programming language: PHP.
 --
-puma (Abhijith PA)
-  NOTE: 20220801: Programming language: Ruby.
---
 qemu (Abhijith PA)
   NOTE: 20220802: Programming language: C.
   NOTE: 20220802: debdiff of backported fixes was submitted to 
buster-proposed-updates: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007931 and



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/768dca5e956f78f77dd2f36784c3f6185e00f154



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3081-1 for open-vm-tools

2022-08-25 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
65156c78 by Abhijith PA at 2022-08-25T12:47:43+05:30
Reserve DLA-3081-1 for open-vm-tools

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[25 Aug 2022] DLA-3081-1 open-vm-tools - security update
+   {CVE-2022-31676}
+   [buster] - open-vm-tools 2:10.3.10-1+deb10u3
 [24 Aug 2022] DLA-3080-1 firefox-esr - security update
{CVE-2022-38472 CVE-2022-38473 CVE-2022-38478}
[buster] - firefox-esr 91.13.0esr-1~deb10u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/65156c78415bace7957c7ffe0991599f29bd10b6



[Git][security-tracker-team/security-tracker][master] update note in dla-needed

2022-08-22 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c5fb08ea by Abhijith PA at 2022-08-22T12:06:49+05:30
update note in dla-needed

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -87,6 +87,7 @@ qemu (Abhijith PA)
   NOTE: 20220802: debdiff of backported fixes was submitted to 
buster-proposed-updates: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007931 and
   NOTE: 20220802: wcan now be released as DLA instead. The updated packages 
are/were running fine in a buster ganeti cluster. (jmm)
   NOTE: 20220808: conflicting pu at 
https://people.debian.org/~abhijith/upload/mruby/qemu_3.1+dfsg-8+deb10u9.dsc , 
needs to be merged (Beuc/abhijith)
+  NOTE: 20220822: Merged new build at 
https://people.debian.org/~abhijith/upload/mruby/qemu_3.1+dfsg-8+deb10u9.dsc 
(abhijith)
 --
 rails
   NOTE: 20220817: Programming language: Ruby.
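
Review bot: the added 20220822 note links exactly the same qemu_3.1+dfsg-8+deb10u9.dsc URL that the 20220808 note gives for the conflicting pu, so the two notes cannot be told apart by their target. State what the merged build contains, or that the file at that URL was replaced, so a reader knows which source package to review.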



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5fb08ea58c6b01909479b53078a89df7253a21e



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim puma

2022-08-14 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
98264ee4 by Abhijith PA at 2022-08-14T12:20:17+05:30
data/dla-needed.txt: claim puma

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -54,7 +54,7 @@ nodejs
   NOTE: 20220801: Programming language: JavaScript.
   NOTE: 20220801: one of the upstream fixes doesn't address the security issue
 --
-puma
+puma (Abhijith PA)
   NOTE: 20220801: Programming language: Ruby.
 --
 schroot



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98264ee48ca26027049e887f8bfdd5d11246df89



[Git][security-tracker-team/security-tracker][master] Claim qemu from beuc

2022-08-08 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
99815548 by Abhijith PA at 2022-08-08T22:42:38+05:30
Claim qemu from beuc

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -38,7 +38,7 @@ nodejs
 --
 puma
 --
-qemu
+qemu (Abhijith PA)
   NOTE: 20220802: debdiff of backported fixes was submitted to 
buster-proposed-updates: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007931 and
   NOTE: 20220802: wcan now be released as DLA instead. The updated packages 
are/were running fine in a buster ganeti cluster. (jmm)
   NOTE: 20220808: conflicting pu at 
https://people.debian.org/~abhijith/upload/mruby/qemu_3.1+dfsg-8+deb10u9.dsc , 
needs to be merged (Beuc/abhijith)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99815548d65565d854d8d4ce9d6396464883b3b3



[Git][security-tracker-team/security-tracker][master] upstream patch for CVE-2021-3607

2022-07-02 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
18bef27b by Abhijith PA at 2022-07-02T14:41:58+05:30
upstream patch for CVE-2021-3607

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -71393,6 +71393,7 @@ CVE-2021-3607 (An integer overflow was found in the 
QEMU implementation of VMWar
[buster] - qemu  (Minor issue)
[stretch] - qemu  (Vulnerable code introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1973349
+   NOTE: upstream commit: 
https://git.qemu.org/?p=qemu.git;a=commit;h=32e5703cfea07c91e6e84bcb0313f633bb146534
 CVE-2021-3606 (OpenVPN before version 2.5.3 on Windows allows local users to 
load arb ...)
- openvpn  (Windows-specific)
 CVE-2021-34826



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/18bef27b2df3e46f75916c546dd6de9e8cc733cb



[Git][security-tracker-team/security-tracker][master] upstream patch for CVE-2021-3582

2022-07-02 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3bb24844 by Abhijith PA at 2022-07-02T11:44:47+05:30
upstream patch for CVE-2021-3582

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -73510,6 +73510,7 @@ CVE-2021-3582 (A flaw was found in the QEMU 
implementation of VMWare's paravirtu
[buster] - qemu  (Minor issue)
[stretch] - qemu  (Vulnerable code introduced later)
NOTE: 
https://lists.nongnu.org/archive/html/qemu-devel/2021-06/msg04148.html
+   NOTE: Upstream commit: 
https://git.qemu.org/?p=qemu.git;a=commit;h=284f191b4abad213aed04cb0458e1600fd18d7c4
 CVE-2021-33907 (The Zoom Client for Meetings for Windows in all versions 
before 5.3.0  ...)
NOT-FOR-US: Zoom Client for Meetings for Windows
 CVE-2021-33906



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3bb24844c71f04f69264336f4e8cf919469df179



[Git][security-tracker-team/security-tracker][master] patch references for CVE-2020-35505

2022-07-01 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f2d1d423 by Abhijith PA at 2022-07-02T11:09:49+05:30
patch references for CVE-2020-35505

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -110274,6 +110274,17 @@ CVE-2020-35505 (A NULL pointer dereference flaw was 
found in the am53c974 SCSI h
[stretch] - qemu  (Fix along in future DLA)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1909769
NOTE: https://bugs.launchpad.net/qemu/+bug/1910723 (reproducer)
+   NOTE: 
https://git.qemu.org/?p=qemu.git;a=commit;h=0db895361b8a82e1114372ff9f4857abea605701
+   NOTE: 
https://git.qemu.org/?p=qemu.git;a=commit;h=e392255766071c8cac480da3a9ae4f94e56d7cbc
+   NOTE: 
https://git.qemu.org/?p=qemu.git;a=commit;h=e5455b8c1c6170c788f3c0fd577cc3be53539a99
+   NOTE: 
https://git.qemu.org/?p=qemu.git;a=commit;h=c5fef9112b15c4b5494791cdf8bbb40bc1938dd3
+   NOTE: 
https://git.qemu.org/?p=qemu.git;a=commit;h=7b320a8e67a534925048cbabfa51431e0349dafd
+   NOTE: 
https://git.qemu.org/?p=qemu.git;a=commit;h=99545751734035b76bd372c4e7215bb337428d89
+   NOTE: 
https://git.qemu.org/?p=qemu.git;a=commit;h=fa7505c154d4d00ad89a747be2eda556643ce00e
+   NOTE: 
https://git.qemu.org/?p=qemu.git;a=commit;h=fbc6510e3379fa8f8370bf71198f0ce733bf07f9
+   NOTE: 
https://git.qemu.org/?p=qemu.git;a=commit;h=0ebb5fd80589835153a0c2baa1b8cc7a04e67a93
+   NOTE: 
https://git.qemu.org/?p=qemu.git;a=commit;h=324c8809897c8c53ad05c3a7147d272f1711cd5e
+   NOTE: 
https://git.qemu.org/?p=qemu.git;a=commit;h=607206948cacda4a80be5b976dba490970a18a76
 CVE-2020-35504 (A NULL pointer dereference flaw was found in the SCSI 
emulation suppor ...)
[experimental] - qemu 1:6.0+dfsg-1~exp0
- qemu 1:6.0+dfsg-3 (bug #979679)
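
Review bot: the eleven added NOTE lines under CVE-2020-35505 are bare commit URLs with no label, unlike the neighbouring note that says what its link is ("(reproducer)"). For a NULL pointer dereference in the am53c974 emulation, whoever backports this needs to know which commit is the fix and which are prerequisites or follow-ups; tag each line accordingly, or add a leading NOTE saying the whole series is required and in what order.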



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2d1d423a8783bac9ecb87f95268384a5d86f595



[Git][security-tracker-team/security-tracker][master] Add missing patches for CVE-2021-3507

2022-07-01 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fd035a50 by Abhijith PA at 2022-07-02T09:59:48+05:30
Add missing patches for CVE-2021-3507

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -79893,7 +79893,8 @@ CVE-2021-3507 (A heap buffer overflow was found in the 
floppy disk emulator of Q
[buster] - qemu  (Minor issue)
[stretch] - qemu  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1951118
-   NOTE: No upstream patch as of 2022-04-21
+   NOTE: 
https://gitlab.com/qemu-project/qemu/-/commit/defac5e2fbddf8423a354ff0454283a2115e1367
+   NOTE: 
https://gitlab.com/qemu-project/qemu/-/commit/46609b90d9e3a6304def11038a76b58ff43f77bc
 CVE-2021-3506 (An out-of-bounds (OOB) memory access flaw was found in 
fs/f2fs/node.c  ...)
{DLA-2690-1}
- linux 5.10.38-1
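
Review bot: the dated status line "No upstream patch as of 2022-04-21" is replaced by two unlabelled commit URLs, so the entry no longer says which commit carries the fix and what the second one is for. Add a short tag after each URL, in the way other entries annotate their links.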



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd035a50451a8b276072015f407f9db7babf20df



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: reclaim libmatio, continue work

2022-06-24 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dba94d97 by Abhijith PA at 2022-06-24T14:02:56+05:30
data/dla-needed.txt: reclaim libmatio, continue work

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -144,9 +144,10 @@ liblouis
   NOTE: 20220503: CVE-2022-26981 patch applied in salsa lts-team repo,
   NOTE: 20220503: Patch not applied upstream yet.
 --
-libmatio
+libmatio (Abhijith PA)
   NOTE: 20220529: Programming language: C.
   NOTE: 20220528: lots of postponed minor vulnerabilities, no past stretch 
security upload, supported package (Beuc/front-desk)
+  NOTE: 20220622: Continue with remaining work (abhijith)
 --
 libvirt (Thorsten Alteholz)
   NOTE: 20220529: Programming language: C.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dba94d976781b125d55ad3fd22b7406b56a6717d



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: reclaim qemu

2022-06-14 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1d5a39f3 by Abhijith PA at 2022-06-14T13:10:36+05:30
data/dla-needed.txt: reclaim qemu

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -240,7 +240,7 @@ pyjwt
   NOTE: 20220610: intention to mark as no-dsa for stretch, and will do so in a 
few days
   NOTE: 20220610: see 
https://lists.debian.org/msgid-search/20220610102343.6o3ak3ehc3jdo...@enricozini.org
 (enrico)
 --
-qemu
+qemu (Abhijith PA)
   NOTE: 20220529: Programming language: C.
   NOTE: 20220527: a few new CVEs since last DLA, and buster got no updates 
since 2 years,
   NOTE: 20220527: so maybe coordinate to start anticipating the next LTS 
(Beuc/front-desk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d5a39f3ffd03292e24e779abcbbfe637eab55a8



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: reclaim icingaweb2

2022-06-06 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c2bb630a by Abhijith PA at 2022-06-07T07:19:33+05:30
data/dla-needed.txt: reclaim icingaweb2

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -99,11 +99,9 @@ horizon
   NOTE: 20220523: Follow buster: harmonize with with DSA-4820-1 (1 CVE) 
(Beuc/front-desk)
   NOTE: 20220523: part of OpenStack (Beuc/front-desk)
 --
-icingaweb2
+icingaweb2 (Abhijith PA)
   NOTE: 20220529: Programming language: PHP.
-  NOTE: 
https://people.debian.org/~abhijith/upload/mruby/icingaweb2_2.4.1-1+deb9u2.dsc 
(abhijith)
-  NOTE: 20220522: Pinged upstream for missing patches. Will write an detail
-  NOTE: 20220522: email about situation (abhijith)
+  NOTE: 
https://people.debian.org/~abhijith/upload/mruby/icingaweb2_2.6.2-3~bpo9+1+deb9u1.dsc
 (abhijith)
 --
 intel-microcode
   NOTE: 20220529: Programming language: binary blob.
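
Review bot: the two 20220522 notes about pinging upstream for missing patches are deleted without recording the outcome, and the replacement NOTE is undated while switching the linked source package from icingaweb2_2.4.1-1+deb9u2 to icingaweb2_2.6.2-3~bpo9+1+deb9u1. Keep the earlier notes and add a dated one saying that the plan changed to a newer upstream version and why.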



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2bb630a0e399e9fac9c078ef76941510512eed6



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim libmatio

2022-05-31 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2358bf94 by Abhijith PA at 2022-05-31T14:42:31+05:30
data/dla-needed.txt: claim libmatio

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -152,7 +152,7 @@ liblouis (Andreas Rönnquist)
   NOTE: 20220503: CVE-2022-26981 patch applied in salsa lts-team repo,
   NOTE: 20220503: Patch not applied upstream yet.
 --
-libmatio
+libmatio (Abhijith PA)
   NOTE: 20220529: Programming language: C.
   NOTE: 20220528: lots of postponed minor vulnerabilities, no past stretch 
security upload, supported package (Beuc/front-desk)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2358bf94c3f97bccd1e452669ba03ce8db94641a



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3036-1 for pjproject

2022-05-31 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
aa6d4125 by Abhijith PA at 2022-05-31T14:15:55+05:30
Reserve DLA-3036-1 for pjproject

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -20779,7 +20779,6 @@ CVE-2022-24763 (PJSIP is a free and open source 
multimedia communication library
- asterisk 
[stretch] - asterisk  (Vulnerable code not present)
- pjproject 
-   [stretch] - pjproject  (Minor issue, infinite loop DoS)
- ring 
NOTE: 
https://github.com/pjsip/pjproject/security/advisories/GHSA-5x45-qp78-g4p4
NOTE: 
https://github.com/pjsip/pjproject/commit/856f87c2e97a27b256482dbe0d748b1194355a21


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[31 May 2022] DLA-3036-1 pjproject - security update
+   {CVE-2022-24763 CVE-2022-24792 CVE-2022-24793}
+   [stretch] - pjproject 2.5.5~dfsg-6+deb9u5
 [30 May 2022] DLA-3035-1 libdbi-perl - security update
{CVE-2014-10402}
[stretch] - libdbi-perl 1.636-1+deb9u2


=
data/dla-needed.txt
=
@@ -233,10 +233,6 @@ pdns
 pidgin (Andreas Rönnquist)
   NOTE: 20220529: Programming language: C.
 --
-pjproject (Abhijith PA)
-  NOTE: 20220529: Programming language: C.
-  NOTE: 20220527: Same CVE asterisk (abhijith)
---
 plinth
   NOTE: 20220529: Programming language: Python.
   NOTE: 20220524: Follow buster: harmonize with with Debian 10.7 and 10.10 (2 
CVEs) (Beuc/front-desk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aa6d4125ae9d9784e5916371f47c21203309df32



[Git][security-tracker-team/security-tracker][master] RTCP-FB handling is introduced in later versions.

2022-05-29 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
72e50a80 by Abhijith PA at 2022-05-29T23:48:10+05:30
RTCP-FB handling is introduced in later versions.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -19886,6 +19886,7 @@ CVE-2022-24786 (PJSIP is a free and open source 
multimedia communication library
- asterisk 
[stretch] - asterisk  (Vulnerable code not present)
- pjproject 
+   [stretch] - pjproject  (Vulnerable code not present)
- ring  (unimportant)
NOTE: code is present in ring but ring only uses the pjsip code, not 
pjmedia
NOTE: 
https://github.com/pjsip/pjproject/security/advisories/GHSA-vhxv-phmx-g52q
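
Review bot: the reason for the added "[stretch] - pjproject (Vulnerable code not present)" line exists only in the commit subject. Add a NOTE under CVE-2022-24786 saying that RTCP-FB handling was introduced after the version in stretch, ideally with the introducing commit or version, so the triage can be re-checked from the list alone.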



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72e50a8035fc2cf48e7a151c019f23c52a89bea0



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim qemu

2022-05-28 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
87021e6e by Abhijith PA at 2022-05-28T21:24:32+05:30
data/dla-needed.txt: claim qemu

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -213,7 +213,7 @@ pyjwt
 --
 pypdf2
 --
-qemu
+qemu (Abhijith PA)
   NOTE: 20220527: a few new CVEs since last DLA, and buster got no updates 
since 2 years,
   NOTE: 20220527: so maybe coordinate to start anticipating the next LTS 
(Beuc/front-desk)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/87021e6e3f823972f1d004fe2d608d39daddb16e



[Git][security-tracker-team/security-tracker][master] asterisk uses packaged libpjproject-dev

2022-05-28 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cba9b4c7 by Abhijith PA at 2022-05-28T13:44:26+05:30
asterisk uses packaged libpjproject-dev

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -14649,6 +14649,7 @@ CVE-2022-26652 (NATS nats-server before 2.7.4 allows 
Directory Traversal (with w
NOT-FOR-US: nats-server
 CVE-2022-26651 (An issue was discovered in Asterisk through 19.x and Certified 
Asteris ...)
- asterisk 1:18.11.2~dfsg+~cs6.10.40431413-1
+   [stretch] - asterisk  (Fix in next upload)
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-29838
NOTE: https://downloads.asterisk.org/pub/security/AST-2022-003.html
 CVE-2022-25943 (The installer of WPS Office for Windows versions prior to 
v11.2.0.1025 ...)
@@ -19827,12 +19828,14 @@ CVE-2022-24794 (Express OpenID Connect is an Express 
JS middleware implementing
NOT-FOR-US: Express OpenID Connect
 CVE-2022-24793 (PJSIP is a free and open source multimedia communication 
library writt ...)
- asterisk 
+   [stretch] - asterisk  (Vulnerable code not present)
- pjproject 
- ring 
NOTE: 
https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4
NOTE: 
https://github.com/pjsip/pjproject/commit/9fae8f43accef8ea65d4a8ae9cdf297c46cfe29a
 CVE-2022-24792 (PJSIP is a free and open source multimedia communication 
library writt ...)
- asterisk 
+   [stretch] - asterisk  (Vulnerable code not present)
- pjproject 
- ring  (unimportant)
NOTE: code is present in ring but ring only uses the pjsip code, not 
pjmedia
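
Review bot: the stretch asterisk lines added for CVE-2022-24793 and CVE-2022-24792 say "Vulnerable code not present", but the justification (asterisk uses the packaged libpjproject-dev) is only in the commit subject. Put that in a NOTE on the entries, so it is clear that the stretch fix is tracked under pjproject rather than dismissed.
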
@@ -19857,6 +19860,7 @@ CVE-2022-24787 (Vyper is a Pythonic Smart Contract 
Language for the Ethereum Vir
NOT-FOR-US: Vyper
 CVE-2022-24786 (PJSIP is a free and open source multimedia communication 
library writt ...)
- asterisk 
+   [stretch] - asterisk  (Vulnerable code not present)
- pjproject 
- ring  (unimportant)
NOTE: code is present in ring but ring only uses the pjsip code, not 
pjmedia
@@ -19946,12 +19950,14 @@ CVE-2022-24765 (Git for Windows is a fork of Git 
containing Windows-specific pat
 CVE-2022-24764 (PJSIP is a free and open source multimedia communication 
library writt ...)
{DLA-2962-1}
- asterisk 
+   [stretch] - asterisk  (Vulnerable code not present)
- pjproject 
- ring 
NOTE: 
https://github.com/pjsip/pjproject/security/advisories/GHSA-f5qg-pqcg-765m
NOTE: 
https://github.com/pjsip/pjproject/commit/560a1346f87aabe126509bb24930106dea292b00
 CVE-2022-24763 (PJSIP is a free and open source multimedia communication 
library writt ...)
- asterisk 
+   [stretch] - asterisk  (Vulnerable code not present)
- pjproject 
[stretch] - pjproject  (Minor issue, infinite loop DoS)
- ring 
@@ -19996,6 +20002,7 @@ CVE-2022-24755 (Bareos is open source software for 
backup, archiving, and recove
 CVE-2022-24754 (PJSIP is a free and open source multimedia communication 
library writt ...)
{DLA-2962-1}
- asterisk 
+   [stretch] - asterisk  (Vulnerable code not present)
- pjproject 
- ring 
NOTE: 
https://github.com/pjsip/pjproject/security/advisories/GHSA-73f7-48m9-w662


=
data/dla-needed.txt
=
@@ -19,9 +19,6 @@ rather than remove/replace existing ones.
 --
 amd64-microcode
 --
-asterisk (Abhijith PA)
-  NOTE: 20220424: programming language C
---
 avahi
   NOTE: 20220523: Follow buster: harmonize with with Debian 10.9 (1 
Debian-specific CVE) (Beuc/front-desk)
 --
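
Review bot: this hunk removes asterisk from dla-needed.txt while the first hunk of the same commit marks CVE-2022-26651 as "[stretch] - asterisk (Fix in next upload)". With the entry gone, nothing in dla-needed.txt tracks that upload; keep the asterisk entry with a note pointing at CVE-2022-26651, or record in the CVE entry when the upload is expected.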



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cba9b4c7d81d96c6b4faa53e998d20e24684ede3



[Git][security-tracker-team/security-tracker][master] CVE-2022-26498, CVE-2022-26499 not affected for stretch

2022-05-28 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
400c5735 by Abhijith PA at 2022-05-28T11:54:24+05:30
CVE-2022-26498, CVE-2022-26499 not affected for stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -14945,10 +14945,12 @@ CVE-2022-26500 (Improper limitation of path names in 
Veeam Backup  Replicat
NOT-FOR-US: Veeam
 CVE-2022-26499 (An SSRF issue was discovered in Asterisk through 19.x. When 
using STIR ...)
- asterisk 1:18.11.2~dfsg+~cs6.10.40431413-1
+   [stretch] - asterisk  (Vulnerable code not present)
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-29476
NOTE: https://downloads.asterisk.org/pub/security/AST-2022-002.html
 CVE-2022-26498 (An issue was discovered in Asterisk through 19.x. When using 
STIR/SHAK ...)
- asterisk 1:18.11.2~dfsg+~cs6.10.40431413-1
+   [stretch] - asterisk  (Vulnerable code not present)
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-29872
NOTE: https://downloads.asterisk.org/pub/security/AST-2022-001.html
 CVE-2022-26497



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/400c573520684e48dd2f135f2210778a28017bda



[Git][security-tracker-team/security-tracker][master] dla-needed.txt: Claim pjproject

2022-05-27 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
28c922fd by Abhijith PA at 2022-05-27T14:53:49+05:30
dla-needed.txt: Claim pjproject

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -181,7 +181,8 @@ pdns
   NOTE: 20220506: package builds but does not run a test suite, and I lack the
   NOTE: 20220506: know-how for testing manually (enrico)
 --
-pjproject
+pjproject (Abhijith PA)
+  NOTE: 20220527: Same CVE asterisk (abhijith)
 --
 plinth
   NOTE: 20220524: Harmonize with Debian 10.7 and 10.10 (2 CVEs) 
(Beuc/front-desk)
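
Review bot: the added note "Same CVE asterisk" is hard to parse and names no CVE. Something like "Same CVEs as asterisk" followed by the CVE ids would let the next person see which issues the claim covers without opening data/CVE/list.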



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/28c922fddae42797c640ea2b6689aa77325decee



[Git][security-tracker-team/security-tracker][master] dla-needed.txt: update note

2022-05-26 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9c938a99 by Abhijith PA at 2022-05-26T12:58:47+05:30
dla-needed.txt: update note

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -225,6 +225,7 @@ ring
   NOTE: 20220404: package in archive is faulty. New regs can't be done due 
(abhijith)
   NOTE: 20220404: a network error (abhijith)
   NOTE: 20220506: Pinged maintainer team and maintainer (abhijith)
+  NOTE: 20220526: Re pinged Debian maintainer and Pinged upstream for help. 
(abhijith)
 --
 ros-ros-comm
   NOTE: 20220524: Harmonize with Debian 10.7 and 10.12 (2 CVEs) 
(Beuc/front-desk)
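
Review bot: The new 20220526 note records a second ping to the Debian maintainer and a first one to upstream but gives no pointer to either message, and the 20220506 note above it has the same gap. A bug number, list-archive link or upstream issue URL would let the next person check for replies. The wording is also uneven (`Re pinged` / `Pinged` mid-sentence); `Re-pinged Debian maintainer and pinged upstream for help` reads more cleanly.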



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c938a9981038b0be63ace1cef3b8ae40a64dc74



[Git][security-tracker-team/security-tracker][master] update note in dla-needed

2022-05-18 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ce44f8b4 by Abhijith PA at 2022-05-18T16:20:59+05:30
update note in dla-needed

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -85,8 +85,10 @@ gpac
   NOTE: 20220413: New CVEs continue flooding in (roberto)
   NOTE: 20220427: Preparing to work with security team to declare EOL (roberto)
 --
-icingaweb2
+icingaweb2 (Abhijith PA)
   NOTE: 
https://people.debian.org/~abhijith/upload/mruby/icingaweb2_2.4.1-1+deb9u2.dsc 
(abhijith)
+  NOTE: 20220522: Pinged upstream for missing patches. Will write an detail
+  NOTE: 20220522: email about situation (abhijith)
 --
 intel-microcode (Stefano Rivera)
   NOTE: 20220213: please recheck
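
Review bot: The two added notes are dated 20220522, but the commit is stamped 2022-05-18, so the date prefix is four days in the future; it should match the day the note was written. The existing `.dsc` note between the claim line and the new notes carries no date prefix at all, unlike every other NOTE in this hunk, and `an detail email` should read `a detailed email`.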



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce44f8b4884adc27f91a28bc7cfa3caf0bcc279c



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim asterisk, update note for ring

2022-05-06 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
11a7d03d by Abhijith PA at 2022-05-06T13:56:45+05:30
data/dla-needed.txt: claim asterisk, update note for ring

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -26,7 +26,7 @@ ansible
   NOTE: 20220427: Lee Garrett (maintainer) took over the work a while ago. See
   NOTE: 20220427: https://salsa.debian.org/debian/ansible/-/commits/stretch/
 --
-asterisk
+asterisk (Abhijith PA)
   NOTE: 20220424: programming language C
 --
 ark
@@ -136,6 +136,7 @@ ring (Abhijith PA)
   NOTE: 20220314: 
https://people.debian.org/~abhijith/upload/vda/ring_20161221.2.7bd7d91~dfsg1-1+deb9u2.dsc
   NOTE: 20220404: package in archive is faulty. New regs can't be done due 
(abhijith)
   NOTE: 20220404: a network error (abhijith)
+  NOTE: 20220506: Pinged maintainer team and maintainer (abhijith)
 --
 ruby-devise-two-factor
   NOTE: 20220427: Patch does not apply cleanly to LTS version, may be due to 
this being the result
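
Review bot: The added `NOTE: 20220506: Pinged maintainer team and maintainer (abhijith)` does not say what they were asked. Given the 20220404 notes just above it (`package in archive is faulty`, new regs failing with `a network error`), one clause tying the ping to that problem would save the next reader from guessing.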



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/11a7d03d9e60909349a71f402465ec4fc8d33119



[Git][security-tracker-team/security-tracker][master] Reserve DLA-2996-1 for mruby

2022-05-06 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a5729bd6 by Abhijith PA at 2022-05-06T13:43:14+05:30
Reserve DLA-2996-1 for mruby

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -134677,7 +134677,6 @@ CVE-2020-15867 (The git hook feature in Gogs 0.5.5 
through 0.12.2 allows for aut
 CVE-2020-15866 (mruby through 2.1.2-rc has a heap-based buffer overflow in the 
mrb_yie ...)
- mruby 2.1.2-1 (bug #972051)
[buster] - mruby  (Minor issue)
-   [stretch] - mruby  (Minor issue)
NOTE: https://github.com/mruby/mruby/issues/5042
NOTE: 
https://github.com/mruby/mruby/commit/6334949ba69363cb909a57d6871895bd6d98bb6b 
(3.0.0-preview)
NOTE: 
https://github.com/mruby/mruby/commit/63956036e116ef6a33a91e16348c4d1a09f6f72c 
(2.1.2-rc2)
@@ -248862,7 +248861,6 @@ CVE-2018-14338 (samples/geotag.cpp in the example 
code of Exiv2 0.26 misuses the
NOTE: Issue in example code of Exiv2
 CVE-2018-14337 (The CHECK macro in mrbgems/mruby-sprintf/src/sprintf.c in 
mruby 1.4.1  ...)
- mruby 2.0.0-1 (low; bug #903985)
-   [stretch] - mruby  (Minor issue)
[jessie] - mruby  (Minor issue)
NOTE: https://github.com/mruby/mruby/issues/4062
NOTE: 
https://github.com/mruby/mruby/commit/695f29cd604787f43be1af16e38d13610bf8312b
@@ -254205,7 +254203,6 @@ CVE-2018-12250 (An issue was discovered in Elite CMS 
Pro 2.01. In /admin/add_sid
NOT-FOR-US: Elite CMS
 CVE-2018-12249 (An issue was discovered in mruby 1.4.1. There is a NULL 
pointer derefe ...)
- mruby 1.4.1+20180622+git640fca32-1 (bug #901652)
-   [stretch] - mruby  (Minor issue)
[jessie] - mruby  (Minor issue)
NOTE: 
https://github.com/mruby/mruby/commit/faa4eaf6803bd11669bc324b4c34e7162286bfa3
NOTE: https://github.com/mruby/mruby/issues/4037
@@ -255598,7 +255595,6 @@ CVE-2018-11744 (Cloudera Manager through 5.15 has 
Incorrect Access Control. ...)
NOT-FOR-US: Cloudera
 CVE-2018-11743 (The init_copy function in kernel.c in mruby 1.4.1 makes 
initialize_cop ...)
- mruby 1.4.1+20180622+git640fca32-1 (bug #900845)
-   [stretch] - mruby  (Minor issue)
[jessie] - mruby  (Minor issue)
NOTE: 
https://github.com/mruby/mruby/commit/b64ce17852b180dfeea81cf458660be41a78974d
NOTE: https://github.com/mruby/mruby/issues/4027
@@ -260044,7 +260040,6 @@ CVE-2018-10192 (IPVanish 3.0.11 for macOS suffers 
from a root privilege escalati
NOT-FOR-US: IPVanish for macOS
 CVE-2018-10191 (In versions of mruby up to and including 1.4.0, an integer 
overflow ex ...)
- mruby 1.4.0+20180418+git54905e98-1 (bug #896020)
-   [stretch] - mruby  (Minor issue)
[jessie] - mruby  (Minor issue)
NOTE: https://github.com/mruby/mruby/issues/3995
NOTE: 
https://github.com/mruby/mruby/commit/1905091634a6a2925c911484434448e568330626
@@ -312366,7 +312361,6 @@ CVE-2017-9528 (IrfanView version 4.44 (32bit) with 
FPX Plugin 4.46 allows remote
 CVE-2017-9527 (The mark_context_stack function in gc.c in mruby through 1.2.0 
allows  ...)
[experimental] - mruby 1.2.0+20170601+git51e0e690-1
- mruby 1.3.0-1 (low; bug #865778)
-   [stretch] - mruby  (Minor issue)
[jessie] - mruby  (Minor issue)
NOTE: https://github.com/mruby/mruby/issues/3486
NOTE: Fixed by: 
https://github.com/mruby/mruby/commit/5c114c91d4ff31859fcd84cf8bf349b737b90d99


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[06 May 2022] DLA-2996-1 mruby - security update
+   {CVE-2017-9527 CVE-2018-10191 CVE-2018-11743 CVE-2018-12249 
CVE-2018-14337 CVE-2020-15866}
+   [stretch] - mruby 1.2.0+20161228+git30d5424a-1+deb9u1
 [05 May 2022] DLA-2995-1 smarty3 - security update
{CVE-2021-21408 CVE-2021-29454}
[stretch] - smarty3 3.1.31+20161214.1.c7d42e4+selfpack1-2+deb9u5
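
Review bot: The brace list on the new DLA-2996-1 entry has to match the `[stretch] - mruby` removals in data/CVE/list, since a CVE left out here would lose its stretch status line with nothing replacing it. It does match: the six IDs listed (CVE-2017-9527, CVE-2018-10191, CVE-2018-11743, CVE-2018-12249, CVE-2018-14337, CVE-2020-15866) correspond one-to-one to the six `(Minor issue)` lines removed in the hunks above. The version on the `[stretch]` line is also the one named in the `.dsc` note dropped from data/dla-needed.txt further down in this commit.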


=
data/dla-needed.txt
=
@@ -111,9 +111,6 @@ mbedtls (Utkarsh)
   NOTE: 20220502: will upload with 1 fix and mark the other one
   NOTE: 20220502: as no-dsa today/tomorrow. (utkarsh)
 --
-mruby (Abhijith PA)
-  NOTE: 
https://people.debian.org/~abhijith/upload/mruby/mruby_1.2.0+20161228+git30d5424a-1+deb9u1.dsc
 (abhijith)
---
 mutt (Utkarsh)
   NOTE: 20220502: update prepared. smoke test pending. (utkarsh)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5729bd6d1e132d10990a4177253a211885771bc


[Git][security-tracker-team/security-tracker][master] Update note in data/dla-needed.txt

2022-05-02 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
83711d9f by Abhijith PA at 2022-05-03T04:31:28+05:30
 Update note in data/dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -70,6 +70,7 @@ gpac (Roberto C. Sánchez)
   NOTE: 20220427: Preparing to work with security team to declare EOL (roberto)
 --
 icingaweb2 (Abhijith PA)
+  NOTE: 
https://people.debian.org/~abhijith/upload/mruby/icingaweb2_2.4.1-1+deb9u2.dsc 
(abhijith)
 --
 intel-microcode
   NOTE: 20220213: please recheck
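
Review bot: The added NOTE has no `YYYYMMDD:` date prefix, unlike the neighbouring notes in this hunk (`NOTE: 20220427: ...`, `NOTE: 20220213: ...`), and it is a bare URL with no word on what the `.dsc` is for (review, testing, a proposed upload). The URL path is also under `upload/mruby/` although the package is icingaweb2, which is worth a second look in case the file was placed in the wrong directory.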



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/83711d9f1edbc7410fa9234ab86c341c4a6ff3de



[Git][security-tracker-team/security-tracker][master] Mark CVE-2022-24714, CVE-2022-24716 as not affected for stretch

2022-05-02 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c55fd09b by Abhijith PA at 2022-05-03T04:05:49+05:30
Mark CVE-2022-24714, CVE-2022-24716 as not affected for stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -14990,6 +14990,7 @@ CVE-2022-24716 (Icinga Web 2 is an open source 
monitoring web interface, framewo
- icingaweb2 2.9.6-1
[bullseye] - icingaweb2  (Vulnerable code not present)
[buster] - icingaweb2  (Vulnerable code not present)
+   [stretch] - icingaweb2  (vulnerable code not present)
NOTE: 
https://github.com/Icinga/icingaweb2/security/advisories/GHSA-5p3f-rh28-8frw
NOTE: 
https://github.com/Icinga/icingaweb2/commit/9931ed799650f5b8d5e1dc58ea3415a4cdc5773d
 CVE-2022-24715 (Icinga Web 2 is an open source monitoring web interface, 
framework and ...)
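
Review bot: The added `[stretch]` line spells the reason `(vulnerable code not present)` while the `[bullseye]` and `[buster]` lines directly above it use `(Vulnerable code not present)`. Matching the capitalisation keeps the entry uniform and keeps a case-sensitive search for the phrase from missing the stretch line.
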
@@ -15002,6 +15003,7 @@ CVE-2022-24714 (Icinga Web 2 is an open source 
monitoring web interface, framewo
- icingaweb2 2.9.6-1
[bullseye] - icingaweb2  (Minor issue)
[buster] - icingaweb2  (Minor issue)
+   [stretch] - icingaweb2  (vulnerable code not present)
NOTE: 
https://github.com/Icinga/icingaweb2/security/advisories/GHSA-qcmg-vr56-x9wf
NOTE: 
https://github.com/Icinga/icingaweb2/commit/6e989d05a1568a6733a3d912001251acc51d9293
 CVE-2022-24713 (regex is an implementation of regular expressions for the Rust 
languag ...)
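
Review bot: Here stretch is marked `(vulnerable code not present)` while bullseye and buster in the same entry are `(Minor issue)`, that is, treated as carrying the code, and the hunk adds no NOTE explaining the difference. A line stating what was checked in the stretch version (for example which upstream change introduced the affected code) would let a later reader confirm the triage.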



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c55fd09ba7f1f95bbcd8de422e2e425afcc52efc



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim mruby from Anton

2022-05-02 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c436a582 by Abhijith PA at 2022-05-03T02:12:09+05:30
 data/dla-needed.txt: Claim mruby from Anton

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -103,7 +103,8 @@ mbedtls (Utkarsh)
   NOTE: 20220404: update prepared, needs testing. (utkarsh)
   NOTE: 20220419: waiting for a quick feedback from carnil. (utkarsh)
 --
-mruby (Anton)
+mruby (Abhijith PA)
+  NOTE: 
https://people.debian.org/~abhijith/upload/mruby/mruby_1.2.0+20161228+git30d5424a-1+deb9u1.dsc
 (abhijith)
 --
 mutt (Utkarsh)
 --
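
Review bot: The claim line changes from `mruby (Anton)` to `mruby (Abhijith PA)` with only the commit subject recording that it was taken over; a dated NOTE saying the handover was agreed would keep that history in the file. The added `.dsc` NOTE also lacks the `YYYYMMDD:` prefix used by the mbedtls notes in the same hunk.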



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c436a582738ccf4de5ec3116bdd24d11e664d298


