[Git][security-tracker-team/security-tracker][master] Reserve DLA-2550-1 for openjpeg2
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: d4b14995 by Brian May at 2021-02-09T08:53:37+11:00 Reserve DLA-2550-1 for openjpeg2 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[09 Feb 2021] DLA-2550-1 openjpeg2 - security update + {CVE-2020-27814 CVE-2020-27823 CVE-2020-27824 CVE-2020-27841 CVE-2020-27844 CVE-2020-27845} + [stretch] - openjpeg2 2.1.2-1.1+deb9u6 [08 Feb 2021] DLA-2549-1 gdisk - security update {CVE-2020-0256 CVE-2021-0308} [stretch] - gdisk 1.0.1-1+deb9u1 = data/dla-needed.txt = @@ -53,8 +53,6 @@ opendmarc NOTE: 20201217: patch for CVE-2020-12460 has become available (roberto) NOTE: 20210104: wait for other CVEs (abhijith) -- -openjpeg2 (Brian May) --- python-pysaml2 (Abhijith PA) -- qemu (Sylvain Beucler) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4b14995665cb202074c6fab5a94825ab8db1c3a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4b14995665cb202074c6fab5a94825ab8db1c3a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim openjpeg2
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: d2331228 by Brian May at 2021-02-04T08:20:50+11:00 Claim openjpeg2 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -61,7 +61,7 @@ opendmarc NOTE: 20201217: patch for CVE-2020-12460 has become available (roberto) NOTE: 20210104: wait for other CVEs (abhijith) -- -openjpeg2 +openjpeg2 (Brian May) -- python-pysaml2 (Abhijith PA) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d23312287dcce7f451e0c84961e6554950c9d496 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d23312287dcce7f451e0c84961e6554950c9d496 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2527-1 for snapd
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 17c1f2b5 by Brian May at 2021-01-18T08:17:41+11:00 Reserve DLA-2527-1 for snapd - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[18 Jan 2021] DLA-2527-1 snapd - security update + {CVE-2019-11840} + [stretch] - snapd 2.21-2+deb9u1 [15 Jan 2021] DLA-2526-1 ruby-redcarpet - security update {CVE-2020-26298} [stretch] - ruby-redcarpet 3.3.4-2+deb9u1 = data/dla-needed.txt = @@ -124,11 +124,6 @@ slirp (pu-Thorsten Alteholz) NOTE: update has to done in sid->buster->stretch NOTE: 20200401: waiting for pu -- -snapd (Brian May) - NOTE: Needs rebuild for CVE-2019-11840 in golang-go.crypto. - NOTE: Problems with upload. - NOTE: 2020-01-13 Still waiting for response from ftp-master. --- spotweb NOTE: 20201220: The affected code (PHP!) uses string concatenation to construct a SQL query. NOTE: 20201220: Upstream's "fix" is to blacklist all the "bad" SQL commands. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/17c1f2b550eb4e91ddea88edaab75c55f2d5ecd5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/17c1f2b550eb4e91ddea88edaab75c55f2d5ecd5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim ruby-actionpack-page-caching
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 59558baa by Brian May at 2021-01-13T09:02:21+11:00 Claim ruby-actionpack-page-caching - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -96,7 +96,7 @@ reel NOTE: 20200909: it is now unmaintained. last commit was in Aug 2018. (utkarsh) NOTE: 20201226: Should be declared unsupported since we just have 5 users in total according to popcon (ola) -- -ruby-actionpack-page-caching +ruby-actionpack-page-caching (Brian May) NOTE: 20200819: Upstream's patch on does not apply due to subsequent NOTE: 20200819: refactoring. However, a quick look at the private NOTE: 20200819: page_cache_file method suggests that the issue exists, as it View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/59558baaed89f2d772536bf7aa0afe64adead4c4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/59558baaed89f2d772536bf7aa0afe64adead4c4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update snapd status
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 9ec8aa7d by Brian May at 2021-01-13T08:20:11+11:00 Update snapd status - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -138,6 +138,7 @@ slirp (pu-Thorsten Alteholz) snapd (Brian May) NOTE: Needs rebuild for CVE-2019-11840 in golang-go.crypto. NOTE: Problems with upload. + NOTE: 2020-01-13 Still waiting for response from ftp-master. -- spice-vdagent (Abhijith PA) NOTE: code base seems largely changed. Pinged upstream for help (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9ec8aa7d58633c55e39480d1e06702829dc124d4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9ec8aa7d58633c55e39480d1e06702829dc124d4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
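Review bot: The added note is dated 2020-01-13 although the commit itself is dated 2021-01-13, so the year looks like a typo; it also departs from the NOTE: YYYYMMDD: form the other dated entries in data/dla-needed.txt use (for example `NOTE: 20201217:` under opendmarc elsewhere on this page). Suggest `NOTE: 20210113: Still waiting for response from ftp-master.` so the waiting time can be read off correctly later.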
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2520-1 for golang-websocket
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: d8b7b1f0 by Brian May at 2021-01-07T10:03:08+11:00 Reserve DLA-2520-1 for golang-websocket - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[07 Jan 2021] DLA-2520-1 golang-websocket - security update + {CVE-2020-27813} + [stretch] - golang-websocket 1.1.0-1+deb9u1 [06 Jan 2021] DLA-2519-1 pacemaker - security update {CVE-2018-16877 CVE-2018-16878 CVE-2020-25654} [stretch] - pacemaker 1.1.24-0+deb9u1 = data/dla-needed.txt = @@ -58,8 +58,6 @@ golang-1.8 NOTE: 20210103: Clarification CVE-2020-29509, ...10 and ...11 is definitely not going to be fixed in 1.8. NOTE: 20210103: golang at all. Follow up a little more before it is ignored (ola) -- -golang-websocket (Brian May) --- imagemagick (Sylvain Beucler) NOTE: 20201207: requested CVE-2020-29599 (Beuc) NOTE: 20201212: batch of vulnerabilities triaged, the only important vulnerability is not reproducible, ongoing (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8b7b1f02560055b765c47a80e7deb51f5b21b7e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8b7b1f02560055b765c47a80e7deb51f5b21b7e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim golang-websocket
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: ac8a67f5 by Brian May at 2021-01-07T09:07:19+11:00 Claim golang-websocket - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -58,7 +58,7 @@ golang-1.8 NOTE: 20210103: Clarification CVE-2020-29509, ...10 and ...11 is definitely not going to be fixed in 1.8. NOTE: 20210103: golang at all. Follow up a little more before it is ignored (ola) -- -golang-websocket +golang-websocket (Brian May) -- imagemagick (Sylvain Beucler) NOTE: 20201207: requested CVE-2020-29599 (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac8a67f5d40e20e2949129b8b342e5913a649ac9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac8a67f5d40e20e2949129b8b342e5913a649ac9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim snapd
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 20b62266 by Brian May at 2021-01-04T09:04:03+11:00 Claim snapd - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -154,7 +154,7 @@ slirp (Thorsten Alteholz) NOTE: the same lines of code in tcp_subr.c (bam). NOTE: update has to done in sid->buster->stretch -- -snapd +snapd (Brian May) NOTE: Needs rebuild for CVE-2019-11840 in golang-go.crypto. NOTE: Problems with upload. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20b622662cd737dc7771837a833cb869f3a0f909 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20b622662cd737dc7771837a833cb869f3a0f909 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2485-1 for golang-golang-x-net-dev
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: f90c3c07 by Brian May at 2020-12-09T08:24:51+11:00 Reserve DLA-2485-1 for golang-golang-x-net-dev - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[09 Dec 2020] DLA-2485-1 golang-golang-x-net-dev - security update + {CVE-2019-9512 CVE-2019-9514} + [stretch] - golang-golang-x-net-dev 1:0.0+git20161013.8b4af36+dfsg-3+deb9u1 [07 Dec 2020] DLA-2484-1 python-certbot - switch to ACMEv2 API [stretch] - python-certbot 0.28.0-1~deb9u3 [05 Dec 2020] DLA-2483-1 linux-4.19 - security update = data/dla-needed.txt = @@ -52,8 +52,6 @@ f2fs-tools firmware-nonfree NOTE: 20201207: wait for the update in buster and backport that (Emilio) -- -golang-golang-x-net-dev (Brian May) --- golang-websocket -- imagemagick (Sylvain Beucler) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f90c3c07f5613a433b4067389c727fb475f218bf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f90c3c07f5613a433b4067389c727fb475f218bf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim golang-golang-x-net-dev
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 77291e9f by Brian May at 2020-12-07T08:21:28+11:00 Claim golang-golang-x-net-dev - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -49,7 +49,7 @@ f2fs-tools -- firmware-nonfree (Emilio) -- -golang-golang-x-net-dev +golang-golang-x-net-dev (Brian May) -- golang-websocket -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/77291e9ff8a5019eb4ea4cc26442814fb763d320 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/77291e9ff8a5019eb4ea4cc26442814fb763d320 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark golang-github-dgrijalva-jwt-go not-affected in buster and stretch
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 99ff2359 by Brian May at 2020-12-03T08:22:40+11:00 Mark golang-github-dgrijalva-jwt-go not-affected in buster and stretch - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -10654,6 +10654,8 @@ CVE-2020-26161 (In Octopus Deploy through 2020.4.2, an attacker could redirect u NOT-FOR-US: Octopus Deploy CVE-2020-26160 (jwt-go before 4.0.0-preview1 allows attackers to bypass intended acces ...) - golang-github-dgrijalva-jwt-go 3.2.0-3 (bug #971556) + [buster] - golang-github-dgrijalva-jwt-go (vulnerable code not present until version 3.0.0) + [stretch] - golang-github-dgrijalva-jwt-go (vulnerable code not present until version 3.0.0) NOTE: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515 NOTE: https://github.com/dgrijalva/jwt-go/issues/422 NOTE: https://github.com/dgrijalva/jwt-go/pull/286 = data/dla-needed.txt = @@ -49,8 +49,6 @@ f2fs-tools -- firmware-nonfree (Emilio) -- -golang-github-dgrijalva-jwt-go (Brian May) --- golang-golang-x-net-dev -- influxdb View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99ff2359e59683f3dcd7a6260ebd0cd64d41ba7f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99ff2359e59683f3dcd7a6260ebd0cd64d41ba7f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
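Review bot: The two added suite lines show no `<not-affected>` marker between the package name and the parenthesised reason, which is the form the tracker uses for a suite-specific not-affected state; if the marker was only lost in the mail rendering this is fine, otherwise the lines would not be parsed as the not-affected entries the commit title describes. The reason "vulnerable code not present until version 3.0.0" should also be checked against the package version actually shipped in each of buster and stretch, since the only version visible in the context is the unstable fix 3.2.0-3; a NOTE recording which version of the package was examined for each suite would make the triage reproducible.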
[Git][security-tracker-team/security-tracker][master] Update referenced PR for CVE-2020-26160
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 53105eb4 by Brian May at 2020-12-01T08:38:26+11:00 Update referenced PR for CVE-2020-26160 PR #286 is much cleaner then PR #426 and is what the unstable package used. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10444,7 +10444,7 @@ CVE-2020-26160 (jwt-go before 4.0.0-preview1 allows attackers to bypass intended - golang-github-dgrijalva-jwt-go 3.2.0-3 (bug #971556) NOTE: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515 NOTE: https://github.com/dgrijalva/jwt-go/issues/422 - NOTE: https://github.com/dgrijalva/jwt-go/pull/426 + NOTE: https://github.com/dgrijalva/jwt-go/pull/286 CVE-2020-26159 (In Oniguruma 6.9.5_rev1, an attacker able to supply a regular expressi ...) {DLA-2431-1} - libonig (bug #972113) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/53105eb4e097fa1671260432af330e1f6289c63f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/53105eb4e097fa1671260432af330e1f6289c63f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim golang-github-dgrijalva-jwt-go
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 2350f914 by Brian May at 2020-12-01T08:27:09+11:00 Claim golang-github-dgrijalva-jwt-go - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -53,7 +53,7 @@ f2fs-tools -- firmware-nonfree (Emilio) -- -golang-github-dgrijalva-jwt-go +golang-github-dgrijalva-jwt-go (Brian May) -- golang-golang-x-net-dev -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2350f914b83cc08894e643db8debcc94cbdf359c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2350f914b83cc08894e643db8debcc94cbdf359c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2455-1 for packer
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 373571e9 by Brian May at 2020-11-19T07:57:46+11:00 Reserve DLA-2455-1 for packer - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[19 Nov 2020] DLA-2455-1 packer - security update + {CVE-2020-9283} + [stretch] - packer 0.10.2+dfsg-6+deb9u1 [19 Nov 2020] DLA-2454-1 rclone - security update {CVE-2019-11840} [stretch] - rclone 1.35-1+deb8u1 = data/dla-needed.txt = @@ -102,10 +102,6 @@ opendmarc openldap (Utkarsh) NOTE: 2020: re-add openldap. two new slapd issues, CVEs are yet to be assigned. (utkarsh) -- -packer (Brian May) - NOTE: Needs rebuild for CVE-2020-92830 in golang-go.crypto. - NOTE: Problems with upload, see https://bugs.debian.org/975011 --- pacemaker (Markus Koschany) NOTE: 20201117: See #974563 for further information. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/373571e946fe1dd7056c839390f4372a53f1ec4a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/373571e946fe1dd7056c839390f4372a53f1ec4a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2454-1 for rclone
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: febaf600 by Brian May at 2020-11-19T07:57:10+11:00 Reserve DLA-2454-1 for rclone - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[19 Nov 2020] DLA-2454-1 rclone - security update + {CVE-2019-11840} + [stretch] - rclone 1.35-1+deb8u1 [17 Nov 2020] DLA-2447-2 pacemaker - regression update [stretch] - pacemaker 1.1.16-1+deb9u2 [17 Nov 2020] DLA-2453-1 restic - security update = data/dla-needed.txt = @@ -122,10 +122,6 @@ qemu (Thorsten Alteholz) -- raptor2 (Utkarsh) -- -rclone (Brian May) - NOTE: Needs rebuild for CVE-2019-11840 in golang-go.crypto. - NOTE: Problems with upload, see https://bugs.debian.org/974877 --- reel NOTE: 20200909: it is now unmaintained. last commit was in Aug 2018. (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/febaf600bb995802f4950f7b8fdd578dd33508fa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/febaf600bb995802f4950f7b8fdd578dd33508fa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add reference to bug report for packer upload issue
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: db2f6798 by Brian May at 2020-11-18T08:21:18+11:00 Add reference to bug report for packer upload issue - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -101,7 +101,7 @@ openldap (Utkarsh) -- packer (Brian May) NOTE: Needs rebuild for CVE-2020-92830 in golang-go.crypto. - NOTE: Problems with upload + NOTE: Problems with upload, see https://bugs.debian.org/975011 -- pacemaker (Markus Koschany) NOTE: 20201117: See #974563 for further information. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db2f67988e8b2cba2fc23f9b5e01a48e159db737 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db2f67988e8b2cba2fc23f9b5e01a48e159db737 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2453-1 for restic
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 290be746 by Brian May at 2020-11-17T08:24:57+11:00 Reserve DLA-2453-1 for restic - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[17 Nov 2020] DLA-2453-1 restic - security update + {CVE-2020-9283} + [stretch] - restic 0.3.3-1+deb9u1 [16 Nov 2020] DLA-2452-1 libdatetime-timezone-perl - new upstream version [stretch] - libdatetime-timezone-perl 1:2.09-1+2020d [15 Nov 2020] DLA-2451-1 libvncserver - security update = data/dla-needed.txt = @@ -115,9 +115,6 @@ rclone (Brian May) reel NOTE: 20200909: it is now unmaintained. last commit was in Aug 2018. (utkarsh) -- -restic (Brian May) - NOTE: Needs rebuild for CVE-2020-92830 in golang-go.crypto. --- ruby-actionpack-page-caching NOTE: 20200819: Upstream's patch on does not apply due to subsequent NOTE: 20200819: refactoring. However, a quick look at the private View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/290be74606ed6fe88e581315ff5426d84a5c98f6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/290be74606ed6fe88e581315ff5426d84a5c98f6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update packages claimed for golang-go.crypto rebuild.
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 1e90c1bc by Brian May at 2020-11-17T08:18:46+11:00 Update packages claimed for golang-go.crypto rebuild. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -93,6 +93,10 @@ opendmarc openldap (Utkarsh) NOTE: 2020: re-add openldap. two new slapd issues, CVEs are yet to be assigned. (utkarsh) -- +packer (Brian May) + NOTE: Needs rebuild for CVE-2020-92830 in golang-go.crypto. + NOTE: Problems with upload +-- php-horde-trean NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in https://bugs.horde.org/ticket/14926 (sunweaver) NOTE: 20200829: We may not expect too much activity regarding this by upstream. (sunweaver) @@ -106,10 +110,14 @@ qemu (Thorsten Alteholz) -- rclone (Brian May) NOTE: Needs rebuild for CVE-2019-11840 in golang-go.crypto. + NOTE: Problems with upload, see https://bugs.debian.org/974877 -- reel NOTE: 20200909: it is now unmaintained. last commit was in Aug 2018. (utkarsh) -- +restic (Brian May) + NOTE: Needs rebuild for CVE-2020-92830 in golang-go.crypto. +-- ruby-actionpack-page-caching NOTE: 20200819: Upstream's patch on does not apply due to subsequent NOTE: 20200819: refactoring. However, a quick look at the private 
@@ -160,6 +168,7 @@ slirp -- snapd (Brian May) NOTE: Needs rebuild for CVE-2019-11840 in golang-go.crypto. + NOTE: Problems with upload. -- spice-vdagent (Abhijith PA) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e90c1bc16d9bcc60968c09cec47b829734d400e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e90c1bc16d9bcc60968c09cec47b829734d400e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
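Review bot: The CVE id in the added notes for packer and restic reads CVE-2020-92830, which has one digit too many and does not match CVE-2020-9283, the golang-go.crypto issue listed for DLA-2402-1 elsewhere on this page; the typo is then carried through the later commits that touch these entries. Suggest correcting both lines to `NOTE: Needs rebuild for CVE-2020-9283 in golang-go.crypto.`. The packer line `NOTE: Problems with upload` also gives no bug reference or date, unlike the rclone line in the same patch that points at https://bugs.debian.org/974877; a pointer there would save the next person re-diagnosing the rejection.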
[Git][security-tracker-team/security-tracker][master] Revert "Reserve DLA-2443-1 for rclone"
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 8fd1ee86 by Brian May at 2020-11-10T09:17:37+11:00 Revert Reserve DLA-2443-1 for rclone This reverts commit ed6f576768c3bae275adbbe8f95003cff174ef46. Upload failed. More work required. - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,6 +1,3 @@ -[10 Nov 2020] DLA-2443-1 rclone - security update - {CVE-2019-11840} - [stretch] - rclone 1.35-1+deb8u1 [10 Nov 2020] DLA-2442-1 obfs4proxy - security update {CVE-2019-11840} [stretch] - obfs4proxy 0.0.7-1+deb8u1 = data/dla-needed.txt = @@ -105,6 +105,9 @@ pluxml python3.5 (Thorsten Alteholz) NOTE: 20201102: testing package -- +rclone (Brian May) + NOTE: Needs rebuild for CVE-2019-11840 in golang-go.crypto. +-- reel NOTE: 20200909: it is now unmaintained. last commit was in Aug 2018. (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8fd1ee862a2a62be4421687256fd67ff59c38dda -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8fd1ee862a2a62be4421687256fd67ff59c38dda You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
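Review bot: The re-added rclone entry records only the original rebuild note, so the reason for the revert (upload failed, per the commit message) is not visible in data/dla-needed.txt to whoever picks the package up next; suggest adding a dated line such as `NOTE: 20201110: upload failed, more work required.` alongside it, and a bug reference once one exists.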
[Git][security-tracker-team/security-tracker][master] Resolved test failures
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: cca03329 by Brian May at 2020-11-10T08:52:29+11:00 Resolved test failures - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -151,7 +151,6 @@ slirp -- snapd (Brian May) NOTE: Needs rebuild for CVE-2019-11840 in golang-go.crypto. - NOTE: Has test failures. -- spice-vdagent -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cca03329efd1596601731a3572652d0a8cb915f1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cca03329efd1596601731a3572652d0a8cb915f1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2443-1 for rclone
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: ed6f5767 by Brian May at 2020-11-10T08:30:32+11:00 Reserve DLA-2443-1 for rclone - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[10 Nov 2020] DLA-2443-1 rclone - security update + {CVE-2019-11840} + [stretch] - rclone 1.35-1+deb8u1 [10 Nov 2020] DLA-2442-1 obfs4proxy - security update {CVE-2019-11840} [stretch] - obfs4proxy 0.0.7-1+deb8u1 = data/dla-needed.txt = @@ -101,9 +101,6 @@ pluxml python3.5 (Thorsten Alteholz) NOTE: 20201102: testing package -- -rclone (Brian May) - NOTE: Needs rebuild for CVE-2019-11840 in golang-go.crypto. --- reel NOTE: 20200909: it is now unmaintained. last commit was in Aug 2018. (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ed6f576768c3bae275adbbe8f95003cff174ef46 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ed6f576768c3bae275adbbe8f95003cff174ef46 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2442-1 for obfs4proxy
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: df25f635 by Brian May at 2020-11-10T08:25:57+11:00 Reserve DLA-2442-1 for obfs4proxy - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[10 Nov 2020] DLA-2442-1 obfs4proxy - security update + {CVE-2019-11840} + [stretch] - obfs4proxy 0.0.7-1+deb8u1 [09 Nov 2020] DLA-2441-1 sympa - security update {CVE-2018-1000671} [stretch] - sympa 6.2.16~dfsg-3+deb9u4 = data/dla-needed.txt = @@ -82,9 +82,6 @@ mumble NOTE: 20200504: discussion going on with t...@security.debian.org and mumble maintainer (abhijith) NOTE: 20200723: https://lists.debian.org/debian-lts/2020/05/msg8.html (abhijith) -- -obfs4proxy (Brian May) - NOTE: Needs rebuild for CVE-2019-11840 in golang-go.crypto. --- open-build-service (Utkarsh) NOTE: 20201001: upstream is yet to work on CVE-2020-8021. Pinged them. NOTE: 20201001: cf: https://bugzilla.suse.com/show_bug.cgi?id=1171649 (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df25f635e85b86a61736c5065766edf0fc984cee -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df25f635e85b86a61736c5065766edf0fc984cee You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
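Review bot: The version recorded for the stretch upload, obfs4proxy 0.0.7-1+deb8u1, uses the +deb8uN suffix that belongs to jessie updates, while the neighbouring stretch entry in the same hunk (sympa 6.2.16~dfsg-3+deb9u4) uses +deb9uN; confirm this is the version string that was actually accepted into the archive, since data/DLA/list must match it exactly for the tracker to mark the issue fixed.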
[Git][security-tracker-team/security-tracker][master] Claim packages that need to be rebuilt due to CVE-2019-11840
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: b75dff79 by Brian May at 2020-11-10T08:20:25+11:00 Claim packages that need to be rebuilt due to CVE-2019-11840 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -82,6 +82,9 @@ mumble NOTE: 20200504: discussion going on with t...@security.debian.org and mumble maintainer (abhijith) NOTE: 20200723: https://lists.debian.org/debian-lts/2020/05/msg8.html (abhijith) -- +obfs4proxy (Brian May) + NOTE: Needs rebuild for CVE-2019-11840 in golang-go.crypto. +-- open-build-service (Utkarsh) NOTE: 20201001: upstream is yet to work on CVE-2020-8021. Pinged them. NOTE: 20201001: cf: https://bugzilla.suse.com/show_bug.cgi?id=1171649 (utkarsh) @@ -101,6 +104,9 @@ pluxml python3.5 (Thorsten Alteholz) NOTE: 20201102: testing package -- +rclone (Brian May) + NOTE: Needs rebuild for CVE-2019-11840 in golang-go.crypto. +-- reel NOTE: 20200909: it is now unmaintained. last commit was in Aug 2018. (utkarsh) -- @@ -149,6 +155,10 @@ slirp NOTE: CVE-2020-7039 to be applied patched first, as they both patch NOTE: the same lines of code in tcp_subr.c (bam). -- +snapd (Brian May) + NOTE: Needs rebuild for CVE-2019-11840 in golang-go.crypto. + NOTE: Has test failures. +-- spice-vdagent -- tcpdump (Utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b75dff7924271bb99ad118c8698855dcc0fe677e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b75dff7924271bb99ad118c8698855dcc0fe677e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
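Review bot: The three added entries (obfs4proxy, rclone, snapd) carry undated notes, while other entries in this file use a NOTE: YYYYMMDD: prefix (e.g. `NOTE: 20201102: testing package` in the context above); a date makes it possible to see later how long a rebuild has been pending. The snapd note `Has test failures.` would also be more useful with a pointer to which tests fail and whether they fail before the rebuild as well.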
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2402-1 for golang-go.crypto
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 21d5df45 by Brian May at 2020-10-08T08:36:57+11:00 Reserve DLA-2402-1 for golang-go.crypto - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[08 Oct 2020] DLA-2402-1 golang-go.crypto - security update + {CVE-2019-11840 CVE-2019-11841 CVE-2020-9283} + [stretch] - golang-go.crypto 1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1 [07 Oct 2020] DLA-2401-1 sympa - security update {CVE-2020-10936} [stretch] - sympa 6.2.16~dfsg-3+deb9u3 = data/dla-needed.txt = @@ -76,8 +76,6 @@ golang-1.7 -- golang-1.8 -- -golang-go.crypto (Brian May) --- golang-golang-x-net-dev -- guacamole-client View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21d5df45fbe285f1a155d09cd7a232cd386062bc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21d5df45fbe285f1a155d09cd7a232cd386062bc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
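Review bot: `golang-go.crypto ...-1+deb8u1` is listed under `[stretch]` although the `deb8u1` revision suffix belongs to jessie and the neighbouring sympa entry for stretch uses `+deb9u3`; confirm the version string matches the upload actually made to stretch, since DLA text is derived from this entry.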
[Git][security-tracker-team/security-tracker][master] Claim golang-go.crypto
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 3592375e by Brian May at 2020-10-05T08:03:25+11:00 Claim golang-go.crypto - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -77,7 +77,7 @@ golang-1.7 -- golang-1.8 -- -golang-go.crypto +golang-go.crypto (Brian May) -- golang-golang-x-net-dev -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3592375e329160fae550f794c472823d4358e182 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3592375e329160fae550f794c472823d4358e182 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove excessive notes for slirp dla-needed entry
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: bd78d7ae by Brian May at 2020-09-08T08:35:01+10:00 Remove excessive notes for slirp dla-needed entry - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -176,8 +176,8 @@ samba (Mike Gabriel) shiro (Roberto C. Sánchez) -- slirp - NOTE: Upstream patch for CVE-2020-8608 requires patches for NOTE: - NOTE: CVE-2020-7039 to be applied patched first, as they both patch NOTE: + NOTE: Upstream patch for CVE-2020-8608 requires patches for + NOTE: CVE-2020-7039 to be applied patched first, as they both patch NOTE: the same lines of code in tcp_subr.c (bam). -- snmptt View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bd78d7ae755f39758438d2841c32ff01074128cc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bd78d7ae755f39758438d2841c32ff01074128cc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2019-11841 add reference to upstream bug report
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: a0e3fd8c by Brian May at 2020-09-07T08:06:51+10:00 CVE-2019-11841 add reference to upstream bug report - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -84115,6 +84115,7 @@ CVE-2019-11841 (A message-forgery issue was discovered in crypto/openpgp/clearsi NOTE: Patch fixes the second part of the CVE ("prepend arbitrary text") NOTE: but not the first ("ignores the value of [the Hash] header"), as hinted at reporter's 2019-05-09 note: NOTE: https://packetstormsecurity.com/files/152840/Go-Cryptography-Libraries-Cleartext-Message-Spoofing.html + NOTE: Upstream feels that this is not a security issue. See https://github.com/golang/go/issues/41200. CVE-2019-11840 (An issue was discovered in supplementary Go cryptography libraries, ak ...) {DLA-1840-1} - golang-go.crypto 1:0.0~git20200221.2aa609c-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0e3fd8c6c7b46edf519d32554723fa9e99b46bb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0e3fd8c6c7b46edf519d32554723fa9e99b46bb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
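Review bot: the added NOTE says upstream feels "this" is not a security issue, but the notes directly above split CVE-2019-11841 into two parts (the "prepend arbitrary text" part that the patch fixes and the Hash-header part that remains unfixed); the NOTE should say which part the position at golang/go#41200 refers to, because that decides whether the unfixed part still needs tracking.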
[Git][security-tracker-team/security-tracker][master] Clarify slirm comment in dla-needed.txt
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: c9ce0e7f by Brian May at 2020-09-01T08:05:10+10:00 Clarify slirm comment in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -177,7 +177,9 @@ samba (Ola Lundqvist) shiro -- slirp - NOTE: 20200724: Version in stretch also requires backport of patch from CVE-2020-7039 (lamby) + NOTE: Upstream patch for CVE-2020-8608 requires patches for NOTE: + NOTE: CVE-2020-7039 to be applied patched first, as they both patch NOTE: + NOTE: the same lines of code in tcp_subr.c (bam). -- snmptt -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c9ce0e7f9e4177122e468a54475a8fe2e8c9bce1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c9ce0e7f9e4177122e468a54475a8fe2e8c9bce1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
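Review bot: the first two added NOTE lines end with a stray `NOTE:` token (`...requires patches for NOTE:` and `...as they both patch NOTE:`), which looks like a leftover from copying the line prefixes and will be reproduced verbatim in the tracker output; `to be applied patched first` also reads as a wording slip. Suggest `NOTE: Upstream patch for CVE-2020-8608 requires the patches for` / `NOTE: CVE-2020-7039 to be applied first, as they both patch`.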
[Git][security-tracker-team/security-tracker][master] Remove http-parser from dla-needed.txt
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: a99a08b3 by Brian May at 2020-07-13T07:36:26+10:00 Remove http-parser from dla-needed.txt According to the information we have for CVE-2019-15605, http-parser is not supported in Jessie or Stretch: [stretch] - nodejs ignored (Nodejs in stretch not covered by security support) [jessie] - nodejs end-of-life (Nodejs in jessie not covered by security support) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -67,8 +67,6 @@ golang-github-seccomp-libseccomp-golang (Adrian Bunk) -- gupnp -- -http-parser --- imagemagick (Markus Koschany) NOTE: 20200622: Ongoing work -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a99a08b3fe08962a7971344f55d9bfb8d924a334 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a99a08b3fe08962a7971344f55d9bfb8d924a334 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
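Review bot: the justification quoted in the commit message is the `ignored` / `end-of-life` tagging of nodejs, while the entry being removed is for the separate http-parser source package; unless CVE-2019-15605 carries the same tags for http-parser in data/CVE/list, the package will reappear in dla-needed.txt at the next triage, so the same status should be recorded there (or a NOTE kept here explaining why it is out of scope).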
[Git][security-tracker-team/security-tracker][master] Remove unbound from dla-needed.txt
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 13af42c9 by Brian May at 2020-07-13T07:30:19+10:00 Remove unbound from dla-needed.txt unbound not supported anymore in Jessie or Stretch - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -172,11 +172,6 @@ sympa -- transmission (Utkarsh Gupta) -- -unbound - NOTE: 20200616: Package unsupported. - NOTE: 20200616: Not possible to update debian-security-support package in Jessie. - NOTE: 20200616: https://lists.debian.org/debian-lts/2020/06/msg00038.html (bam) --- wordpress NOTE: 20200710: Vulnerable to at least CVE-2020-4046. (lamby) NOTE: 20200710: During triage noticed that CVE-2020-4046 was marked as fixed View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13af42c95bb7967170e007b7118ffa7ed8fff188 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13af42c95bb7967170e007b7118ffa7ed8fff188 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
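Review bot: removing the entry also removes the three NOTE lines that held the rationale (package unsupported, debian-security-support not updatable in jessie, and the debian-lts thread link); since the commit message only says `not supported anymore`, consider carrying the thread reference into the unbound tags in data/CVE/list so the decision stays traceable once this entry is gone.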
[Git][security-tracker-team/security-tracker][master] Add notes to dla-needed.txt about unbound
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 32016fc7 by Brian May at 2020-06-16T07:15:50+10:00 Add notes to dla-needed.txt about unbound - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -125,6 +125,9 @@ tzdata NOTE: 20200514: LTS update must wait on oldstable update first (via point release) to prevent newer version in LTS (roberto) -- unbound + NOTE: 20200616: Package unsupported. + NOTE: 20200616: Not possible to update debian-security-support package in Jessie. + NOTE: 20200616: https://lists.debian.org/debian-lts/2020/06/msg00038.html -- wordpress (Utkarsh Gupta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32016fc7b6b2e864919bc98074d3b8b018a49ee5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32016fc7b6b2e864919bc98074d3b8b018a49ee5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Link to upstream fix for drupal7/CVE-2020-13662
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 8a055381 by Brian May at 2020-06-15T07:20:16+10:00 Link to upstream fix for drupal7/CVE-2020-13662 - - - - - 63d58a3a by Brian May at 2020-06-15T07:21:28+10:00 Claim drupal7 in LTS - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -1186,6 +1186,7 @@ CVE-2020-13662 [Drupal SA 2020-003] {DSA-4693-1} - drupal7 NOTE: https://www.drupal.org/sa-core-2020-003 + NOTE: https://git.drupalcode.org/project/drupal/-/commit/905ff00a44160adee3f266cdcc87d3350a64a072 CVE-2020-13592 RESERVED CVE-2020-13591 = data/dla-needed.txt = @@ -37,7 +37,7 @@ condor NOTE: 20200525: Fix: https://github.com/htcondor/htcondor/compare/V8_8_7...V8_8_8 (utkarsh) NOTE: 20200531: Patches are linked from https://security-tracker.debian.org/tracker/CVE-2019-18823 (bunk) -- -drupal7 +drupal7 (Brian May) -- freerdp (Mike Gabriel) NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b8e6d2e3d253496cacd90e910c6276887f95e04e...63d58a3a675261d3056a162e3c88f9ff895c85be -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b8e6d2e3d253496cacd90e910c6276887f95e04e...63d58a3a675261d3056a162e3c88f9ff895c85be You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update dla-needed.txt notes for bluez
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 42382c38 by Brian May at 2020-05-13T07:33:13+10:00 Update dla-needed.txt notes for bluez - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -27,13 +27,13 @@ apache2 (Utkarsh Gupta) NOTE: 20200510: Asking upstream for CVE assignment. (utkarsh) -- bluez - NOTE: 20200330: wip (Emilio) NOTE: 20200420: Many upstream refactorings make this hard to see where the NOTE: 20200420: check for bonded connections should go. (eg. 7d9718cfc, NOTE: 20200420: 718bad60d, etc.) (lamby) - NOTE: 20200503: Looking at the four patches included in the stretch update it looks like it - NOTE: 20200503: can be applied as is. What will fail is hog.c but that file do not seem to - NOTE: 20200503: need an update. (Ola) + NOTE: 20200513: The hog_connect function doesn't exist in Jessie (bam). + NOTE: 20200513: See: https://lists.debian.org/debian-lts/2020/05/msg00030.html + NOTE: 20200513: See: https://lists.debian.org/debian-lts/2020/05/msg00038.html (untested patch) + NOTE: 20200513: Another alternative would be to backport the fixed version in Stretch. -- condor NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/42382c38102044d17b6ad1819f59d490b95d7c94 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/42382c38102044d17b6ad1819f59d490b95d7c94 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
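Review bot: the hunk deletes Ola's 20200503 assessment (the stretch patches apply as-is apart from hog.c) and Emilio's wip note while adding the 20200513 findings; the new lines point out that `hog_connect` does not exist in jessie, which complements rather than contradicts the earlier note, so keeping it would show the next reader why the stretch patch cannot simply be reused. The last added line (`Another alternative would be to backport...`) also lacks the `(bam)` signature the first one has.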
[Git][security-tracker-team/security-tracker][master] Update notes for ansible
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 30d7d0ff by Brian May at 2020-05-08T07:31:43+10:00 Update notes for ansible - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -11,12 +11,15 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- ansible - NOTE: 20200506: DLA-2202-1 from (20200505) covers CVE-2019-14846, - NOTE: 20200506: CVE-2020-1733, CVE-2020-1739 and CVE-2020-1740 but not - NOTE: 20200506: CVE-2020-1736. The version in jessie does not use the - NOTE: 20200506: `_DEFAULT_PERM` global variable but hardcodes 0777 and 0666 + NOTE: 20200506: CVE-2020-1736: The version in jessie does not use the + NOTE: 20200506: `_DEFAULT_PERM` global variable but hardcodes 0666 NOTE: 20200506: in the atomic_move code in basic.py, so is likely vulnerable. NOTE: 20200506: (lamby) + NOTE: 20200508: bam: Problem exists with new files only. Existing files + NOTE: 20200508: bam: code resets permissions to same value, should be fine. + NOTE: 20200508: bam: Upstream fix was to use 660 - https://github.com/ansible/ansible/pull/68970 + NOTE: 20200508: bam: Upstream fix was reverted - https://github.com/ansible/ansible/pull/68983 + NOTE: 20200508: bam: See https://github.com/ansible/ansible/issues/67794 -- apache-log4j2 (Abhijith PA) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/30d7d0ff2ca51867e1917a180573e6597f940118 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/30d7d0ff2ca51867e1917a180573e6597f940118 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
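Review bot: the rewritten note now reads `hardcodes 0666` where lamby's original said `hardcodes 0777 and 0666`, yet it still closes with lamby's signature `(lamby)`; a change of substance inside someone else's signed note should go in a separate bam-signed line (the `20200508: bam:` block below is the right place) so the attribution stays accurate. The deleted lines were also the only record that DLA-2202-1 covered CVE-2019-14846, CVE-2020-1733, CVE-2020-1739 and CVE-2020-1740, which is worth keeping.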
[Git][security-tracker-team/security-tracker][master] lua-cgi - code is broken and cannot be exploited
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: ce8d060f by Brian May at 2020-04-01T07:34:56+11:00 lua-cgi - code is broken and cannot be exploited As per bug #954300, the session.close function is broken. This means it is not possible to save session data. This in turn means it there are no concerns if the session id is made public because there is no sensitive data associated with the session. So it doesnt matter if somebody attempts to guess the session id because it doesnt reveal anything useful. This bug is trivial to resolve, however the fact that nobody is complaining about this bug or trying to fix the bug would strongly suggest that nobody is using session management with lua-cgi. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -263081,8 +263081,10 @@ CVE-2014-2877 CVE-2014-2876 RESERVED CVE-2014-2875 (The session.lua library in CGILua 5.2 alpha 1 and 5.2 alpha 2 uses wea ...) - - lua-cgi (bug #953037) + - lua-cgi (code is broken and cannot be exploited) NOTE: https://github.com/keplerproject/cgilua/issues/17 + NOTE: https://bugs.debian.org/953037 + NOTE: https://bugs.debian.org/954300 CVE-2013-7369 (SQL injection vulnerability in an unspecified DLL in the FSDBCom Activ ...) NOT-FOR-US: F-Secure Anti-Virus CVE-2012-6647 (The futex_wait_requeue_pi function in kernel/futex.c in the Linux kern ...) = data/dla-needed.txt = 
@@ -47,10 +47,6 @@ linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) -- -lua-cgi - NOTE: 20200227: The package do not seem to be used much, but the popcon data in this case - NOTE: 20200227: may not be entirely reliable. One possibility is to declare it unsupported. (Ola) --- mumble (Abhijith PA) NOTE:20200325: Regression in last upload, forgot to follow up. NOTE:20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce8d060f5fcc344889020a797a665b911b62ccf4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce8d060f5fcc344889020a797a665b911b62ccf4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
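Review bot: the new `- lua-cgi (code is broken and cannot be exploited)` line in data/CVE/list changes only the parenthesised note; nothing between the package name and the note marks CVE-2014-2875 as not affecting lua-cgi, so the entry reads the same as before apart from the wording even though the package is dropped from dla-needed.txt. The assessment also depends on bug #954300 (session.close broken) staying unfixed, and the NOTE should say so, since fixing that bug would make the weak session-id generation relevant again.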
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2096-1 for ruby-rack-cors
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 851f6b40 by Brian May at 2020-02-06T17:41:07+11:00 Reserve DLA-2096-1 for ruby-rack-cors - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[06 Feb 2020] DLA-2096-1 ruby-rack-cors - security update + {CVE-2019-18978} + [jessie] - ruby-rack-cors 0.2.9-1+deb8u1 [05 Feb 2020] DLA-2095-1 storebackup - security update {CVE-2020-7040} [jessie] - storebackup 3.2.1-1+deb8u1 = data/dla-needed.txt = @@ -95,8 +95,6 @@ ruby-rack NOTE: 20191219: The security update causes a regression and also, there's a NOTE: slight possibility of this patch inducing a backdoor on its own. (utkarsh2102) -- -ruby-rack-cors (Brian May) --- salt (Mike Gabriel) NOTE: 20200118: about CVE-2019-17361... Compared to the upstream fix, there is a NOTE: 20200118: very similar code passage in salt/jessie's salt/client/api.py file. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/851f6b40600dcea5b635d6d83cad8500d77909fa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/851f6b40600dcea5b635d6d83cad8500d77909fa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim ruby-rack-cors
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 0f5bc33c by Brian May at 2020-02-06T17:23:15+11:00 Claim ruby-rack-cors - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -95,7 +95,7 @@ ruby-rack NOTE: 20191219: The security update causes a regression and also, there's a NOTE: slight possibility of this patch inducing a backdoor on its own. (utkarsh2102) -- -ruby-rack-cors +ruby-rack-cors (Brian May) -- salt (Mike Gabriel) NOTE: 20200118: about CVE-2019-17361... Compared to the upstream fix, there is a View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0f5bc33ca6a109c98ee0be62a8c1a98c3c16d7c0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0f5bc33ca6a109c98ee0be62a8c1a98c3c16d7c0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update notes for ibus
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 2bde5a62 by Brian May at 2019-12-09T06:44:30Z Update notes for ibus - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -26,7 +26,9 @@ freeimage (hle) NOTE: 20191123: upstream appears to have merged a modified version of my patch -- ibus - NOTE: 20191020: Fix for regression in KDE apps still not available (apo) + NOTE: 20191210: Requires glib2.0 to be patched also. + NOTE: 20191210: See https://bugs.debian.org/941018 + NOTE: 20191210: See https://gitlab.gnome.org/GNOME/glib/merge_requests/1176 -- intel-microcode NOTE: 20191113: Waiting for DSA-4565-2 first View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2bde5a628d806700db91d89962d8b99cbca1553e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2bde5a628d806700db91d89962d8b99cbca1553e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
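Review bot: the replaced line was apo's 20191020 note that the fix for the KDE regression was still unavailable; the new glib2.0 notes do not say whether that regression was resolved, so a reader cannot tell if one blocker or two remain. Suggest keeping the old note and appending the glib2.0 lines, each with a signature as the other entries do.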
[Git][security-tracker-team/security-tracker][master] Revert "Fix references to DLA regression updates on website"
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 5e79d2c2 by Brian May at 2019-12-04T06:21:13Z Revert Fix references to DLA regression updates on website This reverts commit 7177c0e348acbd70b76de7fc36116d02201bc9bf. I accidentally pushed this to the wrong branch. - - - - - 1 changed file: - bin/tracker_service.py Changes: = bin/tracker_service.py = @@ -1570,20 +1570,16 @@ Debian bug number.'''), % (int(y), int(number))) return None -def url_dla(self, url, dla, re_dla=re.compile(r'^DLA-(\d+)(-\d+)?$')): +def url_dla(self, url, dla, re_dla=re.compile(r'^DLA-(\d+)(?:-\d+)?$')): match = re_dla.match(dla) if match: -(number,revision) = match.groups() -if revision == "-1": -link = "dla-%d" % int(number) -else: -link = dla.lower() # We must determine the year because there is no generic URL. +(number,) = match.groups() for (date,) in self.db.cursor().execute( "SELECT release_date FROM bugs WHERE name = ?", (dla,)): (y, m, d) = date.split('-') -return url.absolute("https://www.debian.org/lts/security/%d/%s; -% (int(y), link)) +return url.absolute("https://www.debian.org/lts/security/%d/dla-%d; +% (int(y), int(number))) return None def url_debian_bug(self, url, debian): View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5e79d2c2c5f77358b41b6bdbc14b00e6b5cd55a3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5e79d2c2c5f77358b41b6bdbc14b00e6b5cd55a3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
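Review bot: restoring the non-capturing `(?:-\d+)?` group means any revision suffix on a DLA name is dropped again and every revision links to `dla-%d`, the behaviour the reverted commit's message identified as wrong for regression updates (`-2`); since the revert is only because of a wrong branch, the commit message should name the branch where the fix is meant to land so the broken regression links on master are not forgotten.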
[Git][security-tracker-team/security-tracker][master] Fix references to DLA regression updates on website
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 7177c0e3 by Brian May at 2019-12-04T06:12:50Z Fix references to DLA regression updates on website The first revision on the website doesnt have a postfix. The second revision has a postfix of -2. I was going to do something similar for DSA too, but found regression update advisories are not available on the website for DSAs. - - - - - 1 changed file: - bin/tracker_service.py Changes: = bin/tracker_service.py = @@ -1570,16 +1570,20 @@ Debian bug number.'''), % (int(y), int(number))) return None -def url_dla(self, url, dla, re_dla=re.compile(r'^DLA-(\d+)(?:-\d+)?$')): +def url_dla(self, url, dla, re_dla=re.compile(r'^DLA-(\d+)(-\d+)?$')): match = re_dla.match(dla) if match: +(number,revision) = match.groups() +if revision == "-1": +link = "dla-%d" % int(number) +else: +link = dla.lower() # We must determine the year because there is no generic URL. -(number,) = match.groups() for (date,) in self.db.cursor().execute( "SELECT release_date FROM bugs WHERE name = ?", (dla,)): (y, m, d) = date.split('-') -return url.absolute("https://www.debian.org/lts/security/%d/dla-%d; -% (int(y), int(number))) +return url.absolute("https://www.debian.org/lts/security/%d/%s; +% (int(y), link)) return None def url_debian_bug(self, url, debian): View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7177c0e348acbd70b76de7fc36116d02201bc9bf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7177c0e348acbd70b76de7fc36116d02201bc9bf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
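Review bot: with the capturing group `(-\d+)?`, `revision` is `None` for a bare `DLA-1234`, so the `revision == "-1"` test sends that case to the `else` branch and `link = dla.lower()` yields `dla-1234` only by coincidence of the naming; an explicit `if revision in (None, "-1"):` makes the intent clear. The `else` branch also assumes the website names later revisions exactly as the lowercased advisory id (`dla-1234-2`), which the commit message states but nothing in `url_dla` documents; a comment beside the assignment would help the next person touching it.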
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1995-1 for angular.js
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 43a4d70c by Brian May at 2019-11-18T06:20:38Z Reserve DLA-1995-1 for angular.js - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[18 Nov 2019] DLA-1995-1 angular.js - security update + {CVE-2019-14863} + [jessie] - angular.js 1.2.26-1+deb8u1 [15 Nov 2019] DLA-1994-1 postgresql-common - security update {CVE-2019-3466} [jessie] - postgresql-common 165+deb8u4 = data/dla-needed.txt = @@ -14,8 +14,6 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues NOTE: 20191109: Contacted upstream for relevant commits. Will ping here or claim it once they reply back. (utkarsh2102) NOTE: 20191114: Conversation going on; got a patch. (utkarsh2102) -- -angular.js (Brian May) --- ansible NOTE: 20191011: Code appears to be in lib/ansible/callbacks.py in jessie's version. (lamby) NOTE: CVE-2019-14846 should be an easy fix. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/43a4d70c85761d10d4b475d3977e2bfb4a36240e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/43a4d70c85761d10d4b475d3977e2bfb4a36240e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Unclaim ansible
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 906b03ba by Brian May at 2019-11-11T06:36:02Z Unclaim ansible CVE-2019-14846: Easy to fix CVE-2019-14858: Cant find required code to patch CVE-2019-14864: Cant find required code to patch Leaving for hopefully somebody who has a better idea how ansible internals work. - - - - - 12de6011 by Brian May at 2019-11-11T06:36:43Z Claiming angular.js - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -18,9 +18,9 @@ ampache (Roberto C. Sánchez) NOTE: 20191103: Upstream has provided a patch which does not apply to the version in jessie. NOTE: 20191109: Adapted upstream-provided patch to apply to Debian version. Waiting on feedback from upstream. (roberto) -- -angular.js +angular.js (Brian May) -- -ansible (Brian May) +ansible NOTE: 20191011: Code appears to be in lib/ansible/callbacks.py in jessie's version. (lamby) NOTE: CVE-2019-14846 should be an easy fix. NOTE: CVE-2019-14858's upstream patch is too big; fails to work properly. (utkarsh2102) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/d1d837e9eb5e56cf8ab6ec403910ed262ac85f0d...12de60117c2672412210e33c2c386a20eadcc91c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/d1d837e9eb5e56cf8ab6ec403910ed262ac85f0d...12de60117c2672412210e33c2c386a20eadcc91c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim ansible
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 236a0f07 by Brian May at 2019-11-08T05:58:03Z Claim ansible - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -19,7 +19,7 @@ ampache (Roberto C. Sánchez) -- angular.js (Thorsten Alteholz) -- -ansible +ansible (Brian May) NOTE: 20191011: Code appears to be in lib/ansible/callbacks.py in jessie's version. (lamby) NOTE: CVE-2019-14846 should be an easy fix. NOTE: CVE-2019-14858's upstream patch is too big; fails to work properly. (utkarsh2102) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/236a0f07cc5c5ecc2b5ad173f9bee2a467d8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/236a0f07cc5c5ecc2b5ad173f9bee2a467d8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1963-2 for poppler
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: de912d48 by Brian May at 2019-10-18T06:06:16Z Reserve DLA-1963-2 for poppler - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[18 Oct 2019] DLA-1963-2 poppler - regression update + [jessie] - poppler 0.26.5-2+deb8u13 [17 Oct 2019] DLA-1964-1 sudo - security update {CVE-2019-14287} [jessie] - sudo 1.8.10p3-1+deb8u6 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/de912d48bb44a1711306fb1ab93a7a9bfcb60e33 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/de912d48bb44a1711306fb1ab93a7a9bfcb60e33 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1963-1 for poppler
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: f8389aa1 by Brian May at 2019-10-17T06:12:23Z Reserve DLA-1963-1 for poppler - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[17 Oct 2019] DLA-1963-1 poppler - security update + {CVE-2019-9959 CVE-2019-10871} + [jessie] - poppler 0.26.5-2+deb8u12 [17 Oct 2019] DLA-1962-1 graphite-web - security update {CVE-2017-18638} [jessie] - graphite-web 0.9.12+debian-6+deb8u1 = data/dla-needed.txt = @@ -115,8 +115,6 @@ pam-python (Hugo Lefeuvre) -- polarssl -- -poppler (Brian May) --- radare2 NOTE: 20190816: Affected by CVE-2019-14745. Vulnerable code is in NOTE: libr/core/bin.c. Many no-dsa issues in Jessie and Stretch. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f8389aa190e4453c602274c5381459af469bee49 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f8389aa190e4453c602274c5381459af469bee49 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim poppler
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: b8944b86 by Brian May at 2019-10-14T06:22:40Z Claim poppler - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -130,7 +130,7 @@ pam-python -- polarssl -- -poppler +poppler (Brian May) -- radare2 NOTE: 20190816: Affected by CVE-2019-14745. Vulnerable code is in View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b8944b868eecbb7834dd6767bbe56d784baaea2c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b8944b868eecbb7834dd6767bbe56d784baaea2c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1956-1 for ruby-openid
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 8995e649 by Brian May at 2019-10-11T04:30:11Z Reserve DLA-1956-1 for ruby-openid - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[11 Oct 2019] DLA-1956-1 ruby-openid - security update + {CVE-2019-11027} + [jessie] - ruby-openid 2.5.0debian-1+deb8u1 [10 Oct 2019] DLA-1955-1 tcpdump - security update {CVE-2018-10103 CVE-2018-10105 CVE-2018-14461 CVE-2018-14462 CVE-2018-14463 CVE-2018-14464 CVE-2018-14465 CVE-2018-14466 CVE-2018-14467 CVE-2018-14468 CVE-2018-14469 CVE-2018-14470 CVE-2018-14879 CVE-2018-14880 CVE-2018-14881 CVE-2018-14882 CVE-2018-16227 CVE-2018-16228 CVE-2018-16229 CVE-2018-16230 CVE-2018-16300 CVE-2018-16451 CVE-2018-16452 CVE-2019-15166} [jessie] - tcpdump 4.9.3-1~deb8u1 = data/dla-needed.txt = 
@@ -125,14 +125,6 @@ radare2 NOTE: Support status is being discussed at: NOTE: https://lists.debian.org/debian-lts/2019/08/msg00064.html -- -ruby-openid (Brian May) - NOTE: 20190628: In discussion with upstream/rubygems maintainer regarding what the issue actually *is*. (lamby) - NOTE: 20190701: Pinged bug (lamby) - NOTE: 20190705: Pinged bug (lamby) - NOTE: 20190710: I'm at a loss to how to continue persuing this issue (see https://github.com/openid/ruby-openid/issues/122) so returning to the pool. (lamby) - NOTE: 20190726: Still unknown how to fix (see aforementioned github issue) (lamby) - NOTE: 20190812: Details: https://github.com/openid/ruby-openid/issues/122#issuecomment-520304211 --- slurm-llnl NOTE: 20190814: Contacted security of slurm-llnl for relevant commits (abhijith) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8995e6498cce606c11dbceae84cc764a2ca6900e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8995e6498cce606c11dbceae84cc764a2ca6900e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark golang CVE-2019-16276 as ignored for version 1.3.3 in Jessie
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: eb723cff by Brian May at 2019-10-10T06:26:16Z Mark golang CVE-2019-16276 as ignored for version 1.3.3 in Jessie - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -2761,6 +2761,7 @@ CVE-2019-16276 (Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Sm - golang-1.7 [stretch] - golang-1.7 (Minor issue) - golang + [jessie] - golang (Minor issue) NOTE: https://groups.google.com/forum/m/#!topic/golang-announce/cszieYyuL9Q NOTE: https://golang.org/issue/34540 NOTE: https://github.com/golang/go/commit/5a6ab1ec3e678640befebeb3318b746a64ad986c (golang-1.13) = data/dla-needed.txt = @@ -29,8 +29,6 @@ freeimage NOTE: https://lists.debian.org/debian-lts/2019/05/msg00079.html NOTE: 20190707: maintainer is waiting for upstream https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929597 -- -golang --- hdf5 NOTE: 20190825: Upstream is aware of currently open issues. Progress is slow, NOTE: wait for the next HDF5 point release and either do full package upgrade View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/eb723cff6b1019b2780bf69f62d4a7243b6b0a31 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/eb723cff6b1019b2780bf69f62d4a7243b6b0a31 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
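Review bot: the commit title says CVE-2019-16276 is being marked ignored for jessie, but the added data/CVE/list line `[jessie] - golang (Minor issue)` shows only the reason text and no status keyword, so as rendered it is indistinguishable from a plain no-dsa entry (the `golang-1.7` stretch line just above uses the same bare "Minor issue" wording). Confirm the line carries the intended tag and consider stating in the reason why the fix is not being applied to 1.3.3 rather than only "Minor issue".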
[Git][security-tracker-team/security-tracker][master] Claim ruby-openid
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 7f28baec by Brian May at 2019-10-09T06:07:26Z Claim ruby-openid - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -126,7 +126,7 @@ radare2 NOTE: Support status is being discussed at: NOTE: https://lists.debian.org/debian-lts/2019/08/msg00064.html -- -ruby-openid +ruby-openid (Brian May) NOTE: 20190628: In discussion with upstream/rubygems maintainer regarding what the issue actually *is*. (lamby) NOTE: 20190701: Pinged bug (lamby) NOTE: 20190705: Pinged bug (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7f28baec8c015e852e03be89bb2c44c754f53a94 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7f28baec8c015e852e03be89bb2c44c754f53a94 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1933-1 for ruby-nokogiri
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 86ef5b9c by Brian May at 2019-09-26T00:54:43Z Reserve DLA-1933-1 for ruby-nokogiri - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[26 Sep 2019] DLA-1933-1 ruby-nokogiri - security update + {CVE-2019-5477} + [jessie] - ruby-nokogiri 1.6.3.1+ds-1+deb8u1 [25 Sep 2019] DLA-1932-1 openssl - security update {CVE-2019-1547 CVE-2019-1563} [jessie] - openssl 1.0.1t-1+deb8u12 = data/dla-needed.txt = @@ -121,9 +121,6 @@ radare2 ruby-mini-magick NOTE: 20190818: backporting patch -- -ruby-nokogiri (Brian May) - NOTE: 20190830: https://lists.debian.org/debian-lts/2019/08/msg00076.html (sunweaver) --- ruby-openid NOTE: 20190628: In discussion with upstream/rubygems maintainer regarding what the issue actually *is*. (lamby) NOTE: 20190701: Pinged bug (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/86ef5b9c4aeca36bd44a5ef25d441bbb7d44f2bf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/86ef5b9c4aeca36bd44a5ef25d441bbb7d44f2bf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim ruby-nokogiri
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: a26cc7aa by Brian May at 2019-09-24T06:55:57Z Claim ruby-nokogiri - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -116,7 +116,7 @@ radare2 ruby-mini-magick NOTE: 20190818: backporting patch -- -ruby-nokogiri +ruby-nokogiri (Brian May) NOTE: 20190830: https://lists.debian.org/debian-lts/2019/08/msg00076.html (sunweaver) -- ruby-openid View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a26cc7aa497d327d7ded594b36dd5e01a0e67ff9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a26cc7aa497d327d7ded594b36dd5e01a0e67ff9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1920-1 for golang-go.crypto
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: a996d3c8 by Brian May at 2019-09-13T05:58:14Z Reserve DLA-1920-1 for golang-go.crypto - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[13 Sep 2019] DLA-1920-1 golang-go.crypto - security update + {CVE-2019-11841} + [jessie] - golang-go.crypto 0.0~hg190-1+deb8u2 [12 Sep 2019] DLA-1919-1 linux-4.9 - security update {CVE-2019-0136 CVE-2019-9506 CVE-2019-11487 CVE-2019-15211 CVE-2019-15212 CVE-2019-15215 CVE-2019-15216 CVE-2019-15218 CVE-2019-15219 CVE-2019-15220 CVE-2019-15221 CVE-2019-15292 CVE-2019-15538 CVE-2019-15666 CVE-2019-15807 CVE-2019-15924 CVE-2019-15926} [jessie] - linux-4.9 4.9.189-3~deb8u1 = data/dla-needed.txt = 
@@ -35,11 +35,6 @@ freeimage NOTE: https://lists.debian.org/debian-lts/2019/05/msg00079.html NOTE: 20190707: maintainer is waiting for upstream https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929597 -- -golang-go.crypto (Brian May) - NOTE: 20190707: Check that an upload of this will not require reverse build-deps to also be recompiled (see previous golang uploads?). (lamby) - NOTE: Looks this this patch should be applied also to prevent infinite loop (bam): - NOTE: https://go.googlesource.com/crypto/+/1bae088edb428672a48c02abd9ef6d889afe0af6%5E!/ --- hdf5 NOTE: 20190825: Upstream is aware of currently open issues. Progress is slow, NOTE: wait for the next HDF5 point release and either do full package upgrade View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a996d3c8d548a86d1b9cb4c051c3de0279421daa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a996d3c8d548a86d1b9cb4c051c3de0279421daa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
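Review bot: the data/dla-needed.txt hunk removes two unresolved items together with the entry: lamby's 20190707 question whether reverse build-dependencies need to be rebuilt after this upload (Go binaries link the library statically, so they keep the old code until rebuilt), and the note that the upstream commit at https://go.googlesource.com/crypto/+/1bae088edb428672a48c02abd9ef6d889afe0af6%5E!/ should also be applied to prevent an infinite loop. The new DLA/list entry records only CVE-2019-11841; suggest stating in the commit message or a NOTE whether that extra commit was included and whether rebuilds of reverse dependencies were scheduled.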
[Git][security-tracker-team/security-tracker][master] Claim golang-go.crypto
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 24161e55 by Brian May at 2019-09-11T21:12:17Z Claim golang-go.crypto - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -35,8 +35,10 @@ freeimage NOTE: https://lists.debian.org/debian-lts/2019/05/msg00079.html NOTE: 20190707: maintainer is waiting for upstream https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929597 -- -golang-go.crypto +golang-go.crypto (Brian May) NOTE: 20190707: Check that an upload of this will not require reverse build-deps to also be recompiled (see previous golang uploads?). (lamby) + NOTE: Looks this this patch should be applied also to prevent infinite loop (bam): + NOTE: https://go.googlesource.com/crypto/+/1bae088edb428672a48c02abd9ef6d889afe0af6%5E!/ -- hdf5 NOTE: 20190825: Upstream is aware of currently open issues. Progress is slow, View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/24161e55d87ce0144721869c5340c1c2052d2eb2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/24161e55d87ce0144721869c5340c1c2052d2eb2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
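Review bot: typo in the added NOTE line, "Looks this this patch should be applied" should read "Looks like this patch should be applied"; the same line also lacks the YYYYMMDD: date prefix used by the neighbouring notes (e.g. "NOTE: 20190707: ..."), which the dla-needed.txt entries rely on to keep their history in order.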
[Git][security-tracker-team/security-tracker][master] Details of ruby-openid security vulnerability published
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 4192bab2 by Brian May at 2019-08-12T07:34:16Z Details of ruby-openid security vulnerability published the source of the weakness can be traced back to the Final OpenID 2.0 spec As such, am concerned this could affect other openid 2.0 implementations. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -11466,7 +11466,7 @@ CVE-2015-9284 (The request phase of the OmniAuth Ruby gem is vulnerable to Cross CVE-2019-11027 (Ruby OpenID (aka ruby-openid) through 2.8.0 has a remotely exploitable ...) - ruby-openid (bug #930388) NOTE: https://github.com/openid/ruby-openid/issues/122 - NOTE: Even upstream doesn't know what this is about at this point + NOTE: https://github.com/openid/ruby-openid/issues/122#issuecomment-520304211 CVE-2019-11026 (FontInfoScanner::scanFonts in FontInfo.cc in Poppler 0.75.0 has infini ...) - poppler (low; bug #926721) [buster] - poppler (Minor issue) = data/dla-needed.txt = @@ -110,6 +110,7 @@ ruby-openid NOTE: 20190705: Pinged bug (lamby) NOTE: 20190710: I'm at a loss to how to continue persuing this issue (see https://github.com/openid/ruby-openid/issues/122) so returning to the pool. (lamby) NOTE: 20190726: Still unknown how to fix (see aforementioned github issue) (lamby) + NOTE: 20190812: Details: https://github.com/openid/ruby-openid/issues/122#issuecomment-520304211 -- slurm-llnl -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4192bab22beef21fa48e16c0897aea4bbda75885 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4192bab22beef21fa48e16c0897aea4bbda75885 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
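Review bot: the commit message raises the concern that the weakness traces back to the Final OpenID 2.0 spec and may therefore affect other OpenID 2.0 implementations, but neither hunk records that; the data/CVE/list change only replaces the "Even upstream doesn't know what this is about" note with the issue-comment link. Suggest adding a NOTE under CVE-2019-11027 stating the spec-level origin so that other OpenID 2.0 packages get checked against the same analysis instead of the concern living only in the commit message.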
[Git][security-tracker-team/security-tracker][master] Mark yara not-affected in Jessie and Stretch
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c99 by Brian May at 2019-08-09T07:30:01Z Mark yara not-affected in Jessie and Stretch First version of yara to include the dex module was version 3.8.0: https://github.com/VirusTotal/yara/commit/e6e436008b7776a736960c2e53408e24c4323ddb As this bug is specific to the dex module, earlier versions are not affected. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -27189,6 +27189,8 @@ CVE-2019-5021 (Versions of the Official Alpine Linux Docker images (since v3.3) NOT-FOR-US: Official Alpine Linux Docker images CVE-2019-5020 (An exploitable denial of service vulnerability exists in the object lo ...) - yara 3.9.0-1 + [stretch] - yara (dex module introduced in 3.8.0) + [jessie] - yara (dex module introduced in 3.8.0) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0781 NOTE: https://github.com/VirusTotal/yara/issues/1023 NOTE: https://github.com/VirusTotal/yara/commit/1ecb0e66431bf5c5b4c2fdf622be969eb5f4a7cc = data/dla-needed.txt = @@ -146,5 +146,3 @@ xen -- xymon (Thorsten alteholz) -- -yara --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2c992db7f95d89c7ebe65752ef79d39506b4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2c992db7f95d89c7ebe65752ef79d39506b4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-1010142 not-affected in Jessie
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 6423a849 by Brian May at 2019-07-31T07:25:27Z Mark CVE-2019-1010142 not-affected in Jessie The test case from upstream works without error (after minor modification), and the affected code does not appear to be present in Jessie. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -12967,6 +12967,7 @@ CVE-2019-1010143 RESERVED CVE-2019-1010142 (scapy 2.4.0 is affected by: Denial of Service. The impact is: infinite ...) - scapy 2.4.2-1 + [jessie] - scapy (Vulnerable code not present) NOTE: https://github.com/secdev/scapy/pull/1409 NOTE: https://github.com/secdev/scapy/commit/0d7ae2b039f650a40e511d09eb961c782da025d9 (v2.4.1) NOTE: https://github.com/secdev/scapy/pull/1409/files#diff-441eff981e466959968111fc6314fe93L1058 = data/dla-needed.txt = @@ -104,8 +104,6 @@ ruby-openid NOTE: 20190710: I'm at a loss to how to continue persuing this issue (see https://github.com/openid/ruby-openid/issues/122) so returning to the pool. (lamby) NOTE: 20190726: Still unknown how to fix (see aforementioned github issue) (lamby) -- -scapy --- slurm-llnl -- sox View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6423a849b37961d05c841e762a763cd5037e5347 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6423a849b37961d05c841e762a763cd5037e5347 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
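Review bot: the added `[jessie] - scapy (Vulnerable code not present)` line asserts more than the commit message supports, which says the affected code "does not appear to be present" and that the upstream test case passed only "after minor modification". Suggest a NOTE naming what was modified in the test and which code path was compared against the upstream fix in https://github.com/secdev/scapy/pull/1409, so the not-affected claim can be re-verified later.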
[Git][security-tracker-team/security-tracker][master] Mark CVE-2017-7189/php5 ignore in Jessie
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 52d782f4 by Brian May at 2019-07-30T07:26:49Z Mark CVE-2017-7189/php5 ignore in Jessie This security issue occurs because php ignores invalid trailing data in the URL. However it is not possible to fix this because some applications rely on the (broken) behaviour and will break if the API is fixed. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -124644,6 +124644,7 @@ CVE-2017-7189 (main/streams/xp_socket.c in PHP 7.x before 2017-03-07 misparses f - php7.0 [stretch] - php7.0 (Upstream patch breaks existing applications, was reverted again, revisit if a new approach has been identified) - php5 + [jessie] - php5 (Upstream patch breaks existing applications, was reverted again, revisit if a new approach has been identified) NOTE: PHP Bug: https://bugs.php.net/bug.php?id=74192 NOTE: https://github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a NOTE: The commit was later on reverted again because of breaking some features. = data/dla-needed.txt = @@ -79,8 +79,6 @@ openjdk-7 (Markus Koschany) -- otrs2 (Abhijith PA) -- -php5 --- proftpd-dfsg (Markus Koschany) -- python2.7 (Thorsten Alteholz) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/52d782f499f0eaaa6c085809b3ecd502a53871c2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/52d782f499f0eaaa6c085809b3ecd502a53871c2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update details for tomcat8
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 92039fea by Brian May at 2019-07-30T06:57:43Z Update details for tomcat8 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -129,6 +129,7 @@ thunderbird (Emilio) tomcat8 NOTE: 20190522: FTBFS NOTE: Test SSL certificate expired, see https://bz.apache.org/bugzilla/show_bug.cgi?id=57655 + NOTE: Attempt to solve this by using certificates from latest tomcat8 package failed (Brian). NOTE: 20190701: New CVE just piled up. -- vim View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/92039fea75020a53efd09dfb725ba982b0e8cccd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/92039fea75020a53efd09dfb725ba982b0e8cccd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
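Review bot: the added line "NOTE: Attempt to solve this by using certificates from latest tomcat8 package failed (Brian)." has no YYYYMMDD: date prefix, unlike "20190522: FTBFS" and "20190701: New CVE just piled up." in the same entry; the context line "NOTE: Test SSL certificate expired, see ..." has the same omission. Suggest dating both so the tomcat8 entry's history stays in chronological order.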
[Git][security-tracker-team/security-tracker][master] Add link to bug report on why tomcat8 FTBS in Jessie
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: fe932dd3 by Brian May at 2019-07-26T06:49:45Z Add link to bug report on why tomcat8 FTBS in Jessie - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -134,6 +134,7 @@ thunderbird (Emilio) -- tomcat8 NOTE: 20190522: FTBFS + NOTE: Test SSL certificate expired, see https://bz.apache.org/bugzilla/show_bug.cgi?id=57655 NOTE: 20190701: New CVE just piled up. -- vim View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fe932dd39dacadbef53b45ad43f142078e0d72e7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fe932dd39dacadbef53b45ad43f142078e0d72e7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark wavpack as no-dsa in Jessie
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: b4d78410 by Brian May at 2019-07-23T07:29:19Z Mark wavpack as no-dsa in Jessie - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -11917,6 +11917,7 @@ CVE-2019-1010319 (WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Unin - wavpack 5.1.0-7 (low; bug #932061) [buster] - wavpack (Minor issue) [stretch] - wavpack (Minor issue) + [jessie] - wavpack (Minor issue) NOTE: https://github.com/dbry/WavPack/commit/33a0025d1d63ccd05d9dbaa6923d52b1446a62fe NOTE: https://github.com/dbry/WavPack/issues/68 CVE-2019-1010318 @@ -11925,6 +11926,7 @@ CVE-2019-1010317 (WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Unin - wavpack 5.1.0-7 (low; bug #932060) [buster] - wavpack (Minor issue) [stretch] - wavpack (Minor issue) + [jessie] - wavpack (Minor issue) NOTE: https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b NOTE: https://github.com/dbry/WavPack/issues/66 CVE-2019-1010316 (pyxtrlock 0.3 and earlier is affected by: Incorrect Access Control. Th ...) @@ -11932,6 +11934,7 @@ CVE-2019-1010316 (pyxtrlock 0.3 and earlier is affected by: Incorrect Access Con CVE-2019-1010315 (WavPack 5.1 and earlier is affected by: CWE 369: Divide by Zero. The i ...) - wavpack 5.1.0-6 (low) [stretch] - wavpack (Minor issue) + [jessie] - wavpack (Minor issue) NOTE: https://github.com/dbry/WavPack/commit/4c0faba32fddbd0745cbfaf1e1aeb3da5d35b9fc NOTE: https://github.com/dbry/WavPack/issues/65 CVE-2019-1010314 (Gitea 1.7.2, 1.7.3 is affected by: Cross Site Scripting (XSS). The imp ...) = data/dla-needed.txt = 
@@ -139,8 +139,6 @@ tomcat8 vim NOTE: 20190618: maintainer is preparing the updates (Emilio) -- -wavpack --- wordpress NOTE: 20190614: No upstream fix yet. (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b4d784101588c66d1654b88ddf18a4f4a52841b2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b4d784101588c66d1654b88ddf18a4f4a52841b2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add link to my mailing list post on libqb
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 7c828635 by Brian May at 2019-06-19T10:19:59Z Add link to my mailing list post on libqb - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -77,6 +77,7 @@ libqb NOTE: 20190616: Upstream patch does not apply at all, but it appears that NOTE: 20190616: package is still vulnerable in ipc_posix_mq.c etc. or NOTE: 20190616: wherever it uses c->pid w/NAME_MAX. (lamby) + NOTE: 20190619: See https://lists.debian.org/debian-lts/2019/06/msg00015.html -- linux (Ben Hutchings) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7c828635e3e9a10fecb711443a3fb081bbf60e5a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7c828635e3e9a10fecb711443a3fb081bbf60e5a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1777-2 for jquery
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 339f2abd by Brian May at 2019-05-17T06:54:33Z Reserve DLA-1777-2 for jquery - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[17 May 2019] DLA-1777-2 jquery - regression update + [jessie] - jquery 1.7.2+dfsg-3.2+deb8u7 [16 May 2019] DLA-1790-1 lemonldap-ng - security update {CVE-2019-12046} [jessie] - lemonldap-ng 1.3.3-1+deb8u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/339f2abd4f4c92c41eac48c1ae4d02cf53dbdb92 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/339f2abd4f4c92c41eac48c1ae4d02cf53dbdb92 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add links with information concerning CVE-2017-1000600 in wordpress
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 860b8b06 by Brian May at 2019-05-08T07:23:58Z Add links with information concerning CVE-2017-1000600 in wordpress - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -38997,6 +38997,10 @@ CVE-2018-1000658 (LimeSurvey version prior to 3.14.4 contains a file upload vuln - limesurvey (bug #472802) CVE-2017-1000600 (WordPress version 4.9 contains a CWE-20 Input Validation vulnerabi ...) - wordpress + NOTE: https://www.securityfocus.com/bid/105305/references + NOTE: https://www.theregister.co.uk/2018/08/20/php_unserialisation_wordpress_vuln/ + NOTE: https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-pdf + NOTE: https://twitter.com/_s_n_t/status/1030573635617124353 CVE-2018-16553 RESERVED CVE-2018-16552 (MicroPyramid Django-CRM 0.2 allows CSRF for /users/create/, /users/##/ ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/860b8b065b44582d8dda1421d7915a8af126ca17 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/860b8b065b44582d8dda1421d7915a8af126ca17 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
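Review bot: the third added NOTE URL (ending in "...Jim-But-Not-As-We-pdf") looks truncated, since it ends in "-We-pdf" rather than a filename with a .pdf extension; verify it resolves before landing it. Since the securityfocus and twitter links are also the kind that disappear, consider adding the talk title and author to the NOTE text so the reference stays useful if the links go dead.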
[Git][security-tracker-team/security-tracker][master] Mark gradle no-dsa for Jessie
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: f24e4c55 by Brian May at 2019-05-08T06:54:36Z Mark gradle no-dsa for Jessie - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -1762,6 +1762,7 @@ CVE-2019-11065 (Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to do - gradle (bug #926923) [buster] - gradle (Minor issue) [stretch] - gradle (Minor issue) + [jessie] - gradle (Minor issue) NOTE: https://github.com/gradle/gradle/pull/8927 CVE-2019-11071 (SPIP 3.1 before 3.1.10 and 3.2 before 3.2.4 allows authenticated visit ...) {DSA-4429-1} = data/dla-needed.txt = @@ -32,10 +32,6 @@ filezilla (Markus Koschany) -- ghostscript (Roberto C. Sánchez) -- -gradle - NOTE: 20190412: unless you believe http->https would cause significant breakage; - NOTE: 20190412: ajax.googleapis.com's SSL cert appears well supported in jessie --- graphicsmagick (Hugo Lefeuvre) -- hdf5 (Hugo Lefeuvre) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f24e4c55bd37646af548c1be83891ee6d4b9e538 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f24e4c55bd37646af548c1be83891ee6d4b9e538 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
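Review bot: the removed data/dla-needed.txt notes argue that the http-to-https change is low risk for jessie ("ajax.googleapis.com's SSL cert appears well supported in jessie"), yet the data/CVE/list hunk marks CVE-2019-11065 as "(Minor issue)" for jessie with no recorded reason for not applying the fix from https://github.com/gradle/gradle/pull/8927. Suggest carrying that rationale, or the reason it was rejected, into a NOTE so the decision is not lost when the entry is deleted.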
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1777-1 for jquery
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 1a725576 by Brian May at 2019-05-06T07:13:35Z Reserve DLA-1777-1 for jquery - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[06 May 2019] DLA-1777-1 jquery - security update + {CVE-2019-11358} + [jessie] - jquery 1.7.2+dfsg-3.2+deb8u6 [05 May 2019] DLA-1776-1 librecad - security update {CVE-2018-19105} [jessie] - librecad 2.0.4-1+deb8u1 = data/dla-needed.txt = @@ -54,9 +54,6 @@ imagemagick (Hugo Lefeuvre) NOTE: Stretch. (apo) NOTE: 20190408: Still waiting on security team response to inquiries from (apo) and (roberto) -- -jquery (Brian May) - NOTE: 20190425: probably embedded versions need to be checked as well --- jruby -- kdepim View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1a7255768546c44390734a30966a745a254a7256 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1a7255768546c44390734a30966a745a254a7256 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
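Review bot: the data/dla-needed.txt hunk deletes the note "20190425: probably embedded versions need to be checked as well" along with the jquery entry, but nothing in the patch records whether packages carrying embedded copies of jQuery were checked for CVE-2019-11358; the DLA for the jquery source package does not cover those copies. Suggest stating the outcome in the commit message, or keeping the note on a separate entry until the embedded copies have been reviewed.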
[Git][security-tracker-team/security-tracker][master] Claim jquery
Brian May pushed to branch master at Debian Security Tracker / security-tracker
Commits: 5e146bb9 by Brian May at 2019-05-01T07:27:14Z
Claim jquery
- - - - -
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -55,7 +55,7 @@ imagemagick jinja2 (Hugo Lefeuvre) NOTE: 20190430: should probably be no-dsa https://lists.debian.org/debian-lts/2019/04/msg00107.html -- -jquery +jquery (Brian May) NOTE: 20190425: probably embedded versions need to be checked as well -- jruby
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5e146bb9a048412ee5882050d4a16489ca008365
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1772-1 for libvirt
Brian May pushed to branch master at Debian Security Tracker / security-tracker
Commits: 1d62c713 by Brian May at 2019-04-30T07:47:03Z
Reserve DLA-1772-1 for libvirt
- - - - -
2 changed files:
- data/DLA/list
- data/dla-needed.txt
Changes:
= data/DLA/list =
@@ -1,3 +1,6 @@ +[30 Apr 2019] DLA-1772-1 libvirt - security update + {CVE-2016-10746} + [jessie] - libvirt 1.2.9-9+deb8u6 [29 Apr 2019] DLA-1771-1 linux-4.9 - security update {CVE-2018-14625 CVE-2018-16884 CVE-2018-19824 CVE-2018-19985 CVE-2018-20169 CVE-2018-126 CVE-2019-3459 CVE-2019-3460 CVE-2019-3701 CVE-2019-3819 CVE-2019-6974 CVE-2019-7221 CVE-2019-7222 CVE-2019-8980 CVE-2019-9213 CVE-2019-10124} [jessie] - linux-4.9 4.9.168-1~deb8u1
= data/dla-needed.txt =
@@ -87,11 +87,6 @@ libmatio (Adrian Bunk) -- libspring-security-2.0-java -- -libvirt (Brian May) - NOTE: 20190416: CVE-2019-3886 is for virDomainGetHostname. Jessie is OK. - NOTE: 20190429: CVE-2016-10746 is for virDomainGetTime. Jessie vulnerable. - NOTE: See thread https://lists.debian.org/debian-lts/2019/04/msg00061.html --- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1d62c713cec9f2c469450e4300a7628c0e8a12ea
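Review bot: the data/dla-needed.txt hunk removes the triage results for both CVEs, but DLA-1772-1 lists only CVE-2016-10746; the finding "CVE-2019-3886 is for virDomainGetHostname. Jessie is OK." should be recorded for jessie in data/CVE/list (with the lists.debian.org thread as the reference) before the NOTE is deleted, otherwise that determination is lost. Separately, the unchanged DLA-1771-1 context line contains "CVE-2018-126", which is not a well-formed CVE identifier (the sequence part needs at least four digits) and is worth checking in data/DLA/list.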
[Git][security-tracker-team/security-tracker][master] Update details for libvirt in dla-needed.txt
Brian May pushed to branch master at Debian Security Tracker / security-tracker
Commits: 54507bc7 by Brian May at 2019-04-29T07:15:46Z
Update details for libvirt in dla-needed.txt
- - - - -
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -89,7 +89,7 @@ libspring-security-2.0-java -- libvirt (Brian May) NOTE: 20190416: CVE-2019-3886 is for virDomainGetHostname. Jessie is OK. - NOTE: 20190416: Attempting to get new CVE for issue with virDomainGetTime. + NOTE: 20190429: CVE-2016-10746 is for virDomainGetTime. Jessie vulnerable. NOTE: See thread https://lists.debian.org/debian-lts/2019/04/msg00061.html -- linux (Ben Hutchings)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/54507bc71866b59c14f68bf882fdf577e3b48082
[Git][security-tracker-team/security-tracker][master] Update status for libvirt
Brian May pushed to branch master at Debian Security Tracker / security-tracker
Commits: c0361612 by Brian May at 2019-04-16T07:24:57Z
Update status for libvirt
- - - - -
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -86,7 +86,9 @@ libmatio (Adrian Bunk) libspring-security-2.0-java -- libvirt (Brian May) - NOTE: check CVE-2019-3886, might deserve a dla + NOTE: 20190416: CVE-2019-3886 is for virDomainGetHostname. Jessie is OK. + NOTE: 20190416: Attempting to get new CVE for issue with virDomainGetTime. + NOTE: See thread https://lists.debian.org/debian-lts/2019/04/msg00061.html -- linux (Ben Hutchings) --
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c0361612020e99b191964818f46c864b4957c2bc
[Git][security-tracker-team/security-tracker][master] Claim libvirt
Brian May pushed to branch master at Debian Security Tracker / security-tracker
Commits: 1375e199 by Brian May at 2019-04-08T07:32:52Z
Claim libvirt
- - - - -
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -63,7 +63,7 @@ libmatio (Adrian Bunk) NOTE: triage work needed, help security team for fixes if needed. NOTE: 20190331: work ongoing -- -libvirt +libvirt (Brian May) NOTE: check CVE-2019-3886, might deserve a dla -- linux (Ben Hutchings)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1375e199eef0372351574ae2ac8d1ecf50b2f891
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1717-1 for rdflib
Brian May pushed to branch master at Debian Security Tracker / security-tracker
Commits: 3e378133 by Brian May at 2019-03-18T06:28:08Z
Reserve DLA-1717-1 for rdflib
- - - - -
2 changed files:
- data/DLA/list
- data/dla-needed.txt
Changes:
= data/DLA/list =
@@ -1,3 +1,6 @@ +[18 Mar 2019] DLA-1717-1 rdflib - security update + {CVE-2019-7653} + [jessie] - rdflib 4.1.2-3+deb8u1 [18 Mar 2019] DLA-1716-1 ikiwiki - security update {CVE-2019-9187} [jessie] - ikiwiki 3.20141016.4+deb8u1
= data/dla-needed.txt =
@@ -92,9 +92,6 @@ python-urllib3 (Roberto C. Sánchez) qemu NOTE: CVE-2018-19665: wait for final patch -- -rdflib (Brian May) - NOTE: Maintainer not contacted. Follow the debian bug about status. This should probably be fixed. --- rsync (Thorsten Alteholz) -- sox
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3e3781333d62f5d824eb896d4a9144fcd176bd97
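Review bot: the NOTE removed from data/dla-needed.txt said the maintainer had not been contacted and that the Debian bug should be followed for status; neither the hunk nor the commit message records that this was resolved before the DLA-1717-1 upload. Suggest noting in the commit message whether the maintainer was contacted and that the bug has been updated with the jessie fix for CVE-2019-7653.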
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1716-1 for ikiwiki
Brian May pushed to branch master at Debian Security Tracker / security-tracker
Commits: 82f47bdc by Brian May at 2019-03-18T06:20:08Z
Reserve DLA-1716-1 for ikiwiki
- - - - -
2 changed files:
- data/DLA/list
- data/dla-needed.txt
Changes:
= data/DLA/list =
@@ -1,3 +1,6 @@ +[18 Mar 2019] DLA-1716-1 ikiwiki - security update + {CVE-2019-9187} + [jessie] - ikiwiki 3.20141016.4+deb8u1 [14 Mar 2019] DLA-1715-1 linux-4.9 - security update {CVE-2017-18249 CVE-2018-1128 CVE-2018-1129 CVE-2018-3639 CVE-2018-5391 CVE-2018-5848 CVE-2018-6554 CVE-2018-12896 CVE-2018-13053 CVE-2018-13096 CVE-2018-13097 CVE-2018-13100 CVE-2018-13406 CVE-2018-14610 CVE-2018-14611 CVE-2018-14612 CVE-2018-14613 CVE-2018-14614 CVE-2018-14616 CVE-2018-15471 CVE-2018-16862 CVE-2018-17972 CVE-2018-18021 CVE-2018-18281 CVE-2018-18690 CVE-2018-18710 CVE-2018-19407} [jessie] - linux-4.9 4.9.144-3.1~deb8u1
= data/dla-needed.txt =
@@ -24,8 +24,6 @@ firmware-nonfree (Emilio) -- glib2.0 -- -ikiwiki (Brian May) --- imagemagick (Roberto C. Sánchez) NOTE: 20181227: We should address the many open issues in imagemagick either NOTE: by patching them separetely as we did in Wheezy or by updating to a
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/82f47bdcc018cb5495b049ef343c688015a30de8
[Git][security-tracker-team/security-tracker][master] Claim rdflib
Brian May pushed to branch master at Debian Security Tracker / security-tracker
Commits: 9a17f499 by Brian May at 2019-03-08T02:45:16Z
Claim rdflib
- - - - -
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -87,7 +87,7 @@ poppler (Markus Koschany) qemu NOTE: CVE-2018-19665: wait for final patch -- -rdflib +rdflib (Brian May) NOTE: Maintainer not contacted. Follow the debian bug about status. This should probably be fixed. -- sox
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9a17f499a7a3ea35f6ffd3c127cf266fafa02832
[Git][security-tracker-team/security-tracker][master] Claim ikiwiki
Brian May pushed to branch master at Debian Security Tracker / security-tracker
Commits: d961cef8 by Brian May at 2019-03-07T06:29:58Z
Claim ikiwiki
- - - - -
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -22,7 +22,7 @@ firmware-nonfree (Emilio) -- gnutls28 -- -ikiwiki +ikiwiki (Brian May) -- imagemagick (Roberto C. Sánchez) NOTE: 20181227: We should address the many open issues in imagemagick either
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d961cef8d1ed72f63fb69c9f3f7de00683f45023
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1680-1 for tiff
Brian May pushed to branch master at Debian Security Tracker / security-tracker
Commits: 3d296da5 by Brian May at 2019-02-18T06:20:47Z
Reserve DLA-1680-1 for tiff
- - - - -
2 changed files:
- data/DLA/list
- data/dla-needed.txt
Changes:
= data/DLA/list =
@@ -1,3 +1,6 @@ +[18 Feb 2019] DLA-1680-1 tiff - security update + {CVE-2018-17000 CVE-2018-19210 CVE-2019-7663} + [jessie] - tiff 4.0.3-12.3+deb8u8 [16 Feb 2019] DLA-1679-1 php5 - security update [jessie] - php5 5.6.40+dfsg-0+deb8u1 [16 Feb 2019] DLA-1678-1 thunderbird - security update
= data/dla-needed.txt =
@@ -133,14 +133,6 @@ symfony (Roberto C. Sánchez) systemd NOTE: 20181119: tmpfiles.d issues remain, fix invasive, consider backporting all of tmpfiles.c (anarcat) -- -tiff (Brian May) - NOTE: CVE-2018-19210: https://gitlab.com/libtiff/libtiff/commit/d0a842c5dbad2609aed43c701a12ed12461d3405 - NOTE: CVE-2018-19210: https://gitlab.com/libtiff/libtiff/commit/38ede78b13810ff0fa8e61f86ef9aa0ab2964668 - NOTE: CVE-2018-5360: 20181219: asked for cve update as duplicate of CVE-2014-8127 (hle) - NOTE: CVE-2018-18661: Easy to patch, but unable to reproduce the error. (bam) - NOTE: CVE-2018-18661: Not possible to prove it fixes the specified vulnerability. (bam) - NOTE: CVE-2018-18661: See thread starting at https://lists.debian.org/debian-lts/2018/11/msg00033.html (bam) --- uriparser (Thorsten Alteholz) NOTE: 20190210: looking for testsuite package --
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3d296da5ed80bbe0b17c6ece33a454895b20c846
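Review bot: DLA-1680-1 lists CVE-2018-17000, CVE-2018-19210 and CVE-2019-7663, but the data/dla-needed.txt entry removed here also tracked CVE-2018-5360 (requested as a duplicate of CVE-2014-8127) and CVE-2018-18661 (patch available but the error could not be reproduced), neither of which is in the DLA. Their jessie disposition (no-dsa, postponed or not-affected, with the lists.debian.org thread as reference) should be recorded in data/CVE/list before these NOTE lines are dropped, otherwise the open state of both issues is lost.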
[Git][security-tracker-team/security-tracker][master] Claim tiff
Brian May pushed to branch master at Debian Security Tracker / security-tracker
Commits: 8bfa1c03 by Brian May at 2019-02-08T04:42:55Z
Claim tiff
- - - - -
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -125,7 +125,7 @@ systemd (Antoine Beaupre) -- thunderbird (Emilio) -- -tiff +tiff (Brian May) NOTE: CVE-2018-19210: https://gitlab.com/libtiff/libtiff/commit/d0a842c5dbad2609aed43c701a12ed12461d3405 NOTE: CVE-2018-19210: https://gitlab.com/libtiff/libtiff/commit/38ede78b13810ff0fa8e61f86ef9aa0ab2964668 NOTE: CVE-2018-5360: 20181219: asked for cve update as duplicate of CVE-2014-8127 (hle)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8bfa1c03768f3965dedf4a301fc4d82dfe8fd7d8
[Git][security-tracker-team/security-tracker][master] Replace merge request URL with merged commits
Brian May pushed to branch master at Debian Security Tracker / security-tracker
Commits: 528d4cd9 by Brian May at 2019-02-07T21:10:04Z
Replace merge request URL with merged commits
- - - - -
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -126,8 +126,8 @@ systemd (Antoine Beaupre) thunderbird (Emilio) -- tiff - NOTE: CVE-2018-19210: patch proposal: https://gitlab.com/libtiff/libtiff/merge_requests/47 - NOTE: CVE-2018-19210: 20190122: upstream silent (hle) + NOTE: CVE-2018-19210: https://gitlab.com/libtiff/libtiff/commit/d0a842c5dbad2609aed43c701a12ed12461d3405 + NOTE: CVE-2018-19210: https://gitlab.com/libtiff/libtiff/commit/38ede78b13810ff0fa8e61f86ef9aa0ab2964668 NOTE: CVE-2018-5360: 20181219: asked for cve update as duplicate of CVE-2014-8127 (hle) NOTE: CVE-2018-18661: Easy to patch, but unable to reproduce the error. (bam) NOTE: CVE-2018-18661: Not possible to prove it fixes the specified vulnerability. (bam)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/528d4cd943899deaaae71b49d25cfae6cd5bb8d4
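Review bot: the two replacement NOTE lines carry only the upstream commit URLs and drop the date and initials convention the surrounding notes use ("20190122: upstream silent (hle)", "(bam)"), so the fact that merge request 47 has since been merged upstream is left implicit and undated. Suggest keeping the timeline readable, e.g. "NOTE: CVE-2018-19210: <date>: merge request 47 merged upstream as commits d0a842c5 and 38ede78b (bam)", rather than bare URLs.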
[Git][security-tracker-team/security-tracker][master] Add my id to my entries
Brian May pushed to branch master at Debian Security Tracker / security-tracker
Commits: f7a67237 by Brian May at 2019-02-07T20:53:22Z
Add my id to my entries
- - - - -
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -129,9 +129,9 @@ tiff NOTE: CVE-2018-19210: patch proposal: https://gitlab.com/libtiff/libtiff/merge_requests/47 NOTE: CVE-2018-19210: 20190122: upstream silent (hle) NOTE: CVE-2018-5360: 20181219: asked for cve update as duplicate of CVE-2014-8127 (hle) - NOTE: CVE-2018-18661: Easy to patch, but unable to reproduce the error. - NOTE: CVE-2018-18661: Not possible to prove it fixes the specified vulnerability. - NOTE: CVE-2018-18661: See thread starting at https://lists.debian.org/debian-lts/2018/11/msg00033.html + NOTE: CVE-2018-18661: Easy to patch, but unable to reproduce the error. (bam) + NOTE: CVE-2018-18661: Not possible to prove it fixes the specified vulnerability. (bam) + NOTE: CVE-2018-18661: See thread starting at https://lists.debian.org/debian-lts/2018/11/msg00033.html (bam) -- uriparser (Thorsten Alteholz) --
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f7a67237430cf8d8df6ffc1dd5dba23a121f8405
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1663-1 for python3.4
Brian May pushed to branch master at Debian Security Tracker / security-tracker
Commits: 335f63e1 by Brian May at 2019-02-06T20:49:49Z
Reserve DLA-1663-1 for python3.4
- - - - -
2 changed files:
- data/DLA/list
- data/dla-needed.txt
Changes:
= data/DLA/list =
@@ -1,3 +1,6 @@ +[07 Feb 2019] DLA-1663-1 python3.4 - security update + {CVE-2016-0772 CVE-2016-5636 CVE-2016-5699 CVE-2018-20406 CVE-2019-5010} + [jessie] - python3.4 3.4.2-1+deb8u2 [06 Feb 2019] DLA-1662-1 libthrift-java - security update {CVE-2018-1320} [jessie] - libthrift-java 0.9.1-2+deb8u1
= data/dla-needed.txt =
@@ -135,11 +135,6 @@ python-gnupg NOTE: python-gnupg. Reproducer will not work in Jessie environment because of NOTE: older python version. (apo) -- -python3.4 (Brian May) - NOTE: 20181225: The update should include also the postponed and no-dsa - NOTE: issues which were already fixed by us in Wheezy. (apo) - NOTE: 20190120: Have patched all known vulnerabilies, now testing. --- qemu (Hugo Lefeuvre) NOTE: CVE-2018-19665: working on a highly trimmed down version of upstream patch NOTE: CVE-2018-19665: also, current patch will not be merged by upstream, wait for updated version
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/335f63e165814a75a11ab227a346d36a638ce49f
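Review bot: the removed NOTE from apo (20181225) asked that the update also include the postponed and no-dsa issues already fixed in wheezy, but DLA-1663-1 names only five CVEs and the commit message does not say whether that request was honoured. Suggest stating in the commit message which additional postponed or no-dsa issues the 3.4.2-1+deb8u2 upload covers, and updating their jessie status in data/CVE/list to match, so the DLA entry and the tracker stay consistent.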
[Git][security-tracker-team/security-tracker][master] Reclaim Python3.4
Brian May pushed to branch master at Debian Security Tracker / security-tracker
Commits: 1737845e by Brian May at 2019-02-05T06:35:45Z
Reclaim Python3.4
- - - - -
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -119,7 +119,7 @@ php-pear polarssl NOTE: 20121207: Not 100% sure if vulnerable. Upstream would prefer us to move to latest version, etc. (!). (lamby) -- -python3.4 +python3.4 (Brian May) NOTE: 20181225: The update should include also the postponed and no-dsa NOTE: issues which were already fixed by us in Wheezy. (apo) NOTE: 20190120: Have patched all known vulnerabilies, now testing.
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1737845edde8d9b0dd280d81a63ec81b362720d8
[Git][security-tracker-team/security-tracker][master] Update Python3.4 DLA status
Brian May pushed to branch master at Debian Security Tracker / security-tracker
Commits: e8ccb3ce by Brian May at 2019-01-19T23:08:03Z
Update Python3.4 DLA status
Progress slower than expected due to unexpected cold.
- - - - -
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -102,6 +102,7 @@ policykit-1 (Emilio) python3.4 (Brian May) NOTE: 20181225: The update should include also the postponed and no-dsa NOTE: issues which were already fixed by us in Wheezy. (apo) + NOTE: 20190120: Have patched all known vulnerabilies, now testing. -- qemu (Hugo Lefeuvre) NOTE: CVE-2018-19665: no practical exploit at the moment + patch quite big (but easy to review, though)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e8ccb3cec041d0d3a1ad1ef1060e082fdee8e50f
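Review bot: typo in the added line: "vulnerabilies" should be "vulnerabilities". The new NOTE also lacks the initials tag that the neighbouring note carries ("(apo)"); suggest "NOTE: 20190120: Have patched all known vulnerabilities, now testing. (bam)" so readers can tell who owns the status.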
[Git][security-tracker-team/security-tracker][master] Claim Python 3.4
Brian May pushed to branch master at Debian Security Tracker / security-tracker
Commits: 93e30c40 by Brian May at 2019-01-10T06:33:49Z
Claim Python 3.4
- - - - -
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -96,7 +96,7 @@ policykit-1 (Emilio) -- poppler (Emilio) -- -python3.4 +python3.4 (Brian May) NOTE: 20181225: The update should include also the postponed and no-dsa NOTE: issues which were already fixed by us in Wheezy. (apo) --
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/93e30c40696c0cfb1b152ac83bf65c983cbb57c3
[Git][security-tracker-team/security-tracker][master] Unclaim tiff for now
Brian May pushed to branch master at Debian Security Tracker / security-tracker
Commits: 599c28ca by Brian May at 2018-11-20T06:44:31Z
Unclaim tiff for now
- - - - -
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -88,7 +88,11 @@ symfony (Thorsten Alteholz) systemd NOTE: 20181119: tmpfiles.d issues remain, fix invasive, consider backporting all of tmpfiles.c (anarcat) -- -tiff (Brian May) +tiff + NOTE: CVE-2018-19210: No upstream patch yet. + NOTE: CVE-2018-18661: Easy to patch, but unable to reproduce the error. + NOTE: CVE-2018-18661: Not possible to prove it fixes the specified vulnerability. + NOTE: CVE-2018-18661: See thread starting at https://lists.debian.org/debian-lts/2018/11/msg00033.html -- uriparser (Lucas Kanashiro) --
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/599c28ca5b2e1905a163f9b6b00e68aaf37942e7
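Review bot: the four added NOTE lines have neither the date prefix nor the initials tag used by the adjacent systemd note ("NOTE: 20181119: ... (anarcat)"), so whoever picks the entry up next cannot tell when the reproduction attempt for CVE-2018-18661 was made or whom to ask about it. Suggest "NOTE: 20181120: CVE-2018-18661: Easy to patch, but unable to reproduce the error. (bam)" and the same for the other three lines.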
[Git][security-tracker-team/security-tracker][master] Claim tiff
Brian May pushed to branch master at Debian Security Tracker / security-tracker
Commits: b1c53523 by Brian May at 2018-11-07T06:08:26Z
Claim tiff
- - - - -
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -101,7 +101,7 @@ systemd thunderbird (Emilio Pozuelo) NOTE: 20181106: needs rustc/cargo currently in NEW -- -tiff +tiff (Brian May) -- xen --
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b1c535230ba017fb37e4f15899a9080c4554762c
[Git][security-tracker-team/security-tracker][master] Add reference to debian-lts post for tiff in dla-needed.txt
Brian May pushed to branch master at Debian Security Tracker / security-tracker
Commits: 7f1fa214 by Brian May at 2018-08-16T07:08:20Z
Add reference to debian-lts post for tiff in dla-needed.txt
- - - - -
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -108,6 +108,7 @@ symfony NOTE: 20180630: email sent to maintainer, please wait some time before working on this package -- tiff + NOTE: See debian-lts post: https://lists.debian.org/debian-lts/2018/08/msg00036.html -- tomcat8 (Roberto C. Sánchez) --
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7f1fa214d41169faeb52c91319a40e38c49d1acb
[Git][security-tracker-team/security-tracker][master] Take twitter-bootstrap
Brian May pushed to branch master at Debian Security Tracker / security-tracker
Commits: 40d03800 by Brian May at 2018-08-07T07:44:28Z
Take twitter-bootstrap
- - - - -
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -112,7 +112,7 @@ tomcat8 (Roberto C. Sánchez) -- twig (Abhijith PA) -- -twitter-bootstrap +twitter-bootstrap (Brian May) -- twitter-bootstrap3 --
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/40d03800dd60c936ca67ba4f4afc5e9c09beabf3
[Git][security-tracker-team/security-tracker][master] Claim gpac
Brian May pushed to branch master at Debian Security Tracker / security-tracker
Commits: d8d2f6fd by Brian May at 2018-07-17T17:23:40+10:00
Claim gpac
- - - - -
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -40,7 +40,7 @@ git-annex -- gosa (Mike Gabriel) -- -gpac +gpac (Brian May) -- graphicsmagick (Roberto C. Sánchez) --
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d8d2f6fd813b6384cd7e7841e0e4cbdb461aeae6
[Git][security-tracker-team/security-tracker] Deleted branch update_python_exceptions
Brian May deleted branch update_python_exceptions at Debian Security Tracker / security-tracker
[Git][security-tracker-team/security-tracker] Pushed new branch update_python_exceptions
Brian May pushed new branch update_python_exceptions at Debian Security Tracker / security-tracker
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/tree/update_python_exceptions
[Git][security-tracker-team/security-tracker][master] Claim sssd
Brian May pushed to branch master at Debian Security Tracker / security-tracker
Commits: 9889b3eb by Brian May at 2018-07-10T17:01:20+10:00
Claim sssd
- - - - -
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -74,8 +74,7 @@ ruby2.1 (Santiago) slurm-llnl (Thorsten Alteholz) NOTE: 20180630: test package uploaded to https://people.debian.org/~alteholz/packages/jessie-lts/slurm-llnl/ -- -sssd - NOTE: 20180630: no fix available, so no email sent to maintainer yet +sssd (Brian May) -- symfony NOTE: 20180630: email sent to maintainer, please wait some time before working on this package
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9889b3ebf70085d28f84371a931adcced2ff19fd
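Review bot: claiming the entry also deletes the status note "20180630: no fix available, so no email sent to maintainer yet". Unless a fix has become available since, keep that NOTE (or replace it with an updated one carrying the new date and initials) so the entry still records why the maintainer has not been contacted and what is blocking the sssd update.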
[Git][security-tracker-team/security-tracker][master] Removed kmail from dla-needed.txt as no CVEs need fixing for Jessie
Brian May pushed to branch master at Debian Security Tracker / security-tracker
Commits: 64f13c22 by Brian May at 2018-07-05T18:54:39+10:00
Removed kmail from dla-needed.txt as no CVEs need fixing for Jessie
- - - - -
1 changed file:
- data/dla-needed.txt
Changes:
= data/dla-needed.txt =
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -54,8 +54,6 @@ jetty (Hugo Lefeuvre) -- kdepim -- -kmail --- libav (Hugo Lefeuvre) NOTE: 20180118: Diego Biurrun (from the libav team) was working on patches, but encountered personal issues and had to stop. NOTE: 20180118: It is unlikely that he will start again in the next weeks.
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/64f13c222527944af940041684f75e9a07f32676
[Git][security-tracker-team/security-tracker][master] Remove ipsec-tools from dla-needed.txt as no CVEs require fixing in Jessie
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 5ab10964 by Brian May at 2018-07-05T18:45:42+10:00 Remove ipsec-tools from dla-needed.txt as no CVEs require fixing in Jessie - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -41,9 +41,6 @@ graphicsmagick (Roberto C. Sánchez) -- intel-microcode -- -ipsec-tools - NOTE: CVE-2016-10396 fixed in wheezy. No further point release so this should be fixed this way instead. --- jetty (Hugo Lefeuvre) NOTE: jetty8 almost never marked as affected whereas jetty and jetty9 are. Reason ? NOTE: CVE-2018-12536 fixed in latest upstream release. Looks like upstream View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5ab10964ddfce26f5b54d5884e966f1a810ba0f9
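Review bot: the removed NOTE (`CVE-2016-10396 fixed in wheezy. No further point release so this should be fixed this way instead.`) says the open question was how CVE-2016-10396 gets fixed in jessie via a DLA, yet the commit message only states that no CVEs require fixing and only data/dla-needed.txt changes. State how that CVE is resolved for jessie (already fixed in the jessie version, or marked as not needing an update) in the commit message or on the CVE entry, so the reasoning does not disappear together with the NOTE.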
[Git][security-tracker-team/security-tracker][master] Remove liblouis from dla-needed as no open CVEs for Jessie
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 138ad089 by Brian May at 2018-07-05T18:44:34+10:00 Remove liblouis from dla-needed as no open CVEs for Jessie - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -69,8 +69,6 @@ libav (Hugo Lefeuvre) libidn (Santiago) NOTE: CVE-2017-14062 fixed in wheezy. 20180622: Markus reports that Santiago has proposed an update for this to the security team. (lamby) -- -liblouis --- libspring-java -- linux View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/138ad0899875f60b38555cec98ff654492b1caf6
[Git][security-tracker-team/security-tracker][master] Remove kf5-messagelib from dla-needed as no open CVEs for stretch
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: f5f9406e by Brian May at 2018-07-05T18:08:42+10:00 Remove kf5-messagelib from dla-needed as no open CVEs for stretch - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -57,9 +57,6 @@ jetty (Hugo Lefeuvre) -- kdepim -- -kf5-messagelib - NOTE: 20180623: efail-related (lamby) --- kmail -- libav (Hugo Lefeuvre) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f5f9406e4384965b81f6da8107693909c2cfcabd
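Review bot: the commit message says `no open CVEs for stretch`, but data/dla-needed.txt is the LTS work queue and the sibling commits in this series (kmail, ipsec-tools, liblouis) all say Jessie; if jessie was meant, the message misleads anyone reading the history later. The removed `NOTE: 20180623: efail-related (lamby)` is also the only hint which issue class was checked, so naming the CVE ids assessed would make the removal verifiable.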
[Git][security-tracker-team/security-tracker] Deleted branch update_python
Brian May deleted branch update_python at Debian Security Tracker / security-tracker
[Git][security-tracker-team/security-tracker] Pushed new branch update_python
Brian May pushed new branch update_python at Debian Security Tracker / security-tracker View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/tree/update_python
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1374-1 for firebird2.5
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 15443a61 by Brian May at 2018-05-11T16:05:23+10:00 Reserve DLA-1374-1 for firebird2.5 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[11 May 2018] DLA-1374-1 firebird2.5 - security update + {CVE-2017-11509} + [wheezy] - firebird2.5 2.5.2.26540.ds4-1~deb7u4 [09 May 2018] DLA-1373-1 php5 - security update {CVE-2018-10545 CVE-2018-10547 CVE-2018-10548} [wheezy] - php5 5.4.45-0+deb7u14 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -15,10 +15,6 @@ apache2 (Roberto C. Sánchez) cups (Thorsten Alteholz) NOTE: 20180318: not clear whether patch is fine, so no email to maintainer sent (alteholz) -- -firebird2.5 (Brian May) - NOTE: 20180411: no fix available upstream for CVE-2017-11509 - NOTE: 20180412: see https://gist.github.com/lamby/e0db9370bad433e949d70663cef533da/raw (lamby) --- firefox-esr (Emilio Pozuelo) -- glusterfs (Markus Koschany) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/15443a61761ae6c497c8036ae2784d9cd3e84c13
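Review bot: the removed NOTEs (`no fix available upstream for CVE-2017-11509` and the pointer to https://gist.github.com/lamby/e0db9370bad433e949d70663cef533da/raw) are the only record of where the wheezy fix for CVE-2017-11509 came from, and the new `DLA-1374-1 firebird2.5` entry in data/DLA/list carries no such reference. Record the patch origin on the CVE-2017-11509 entry in data/CVE/list before the NOTEs go: a backport with no upstream counterpart is exactly the change a later maintainer (or anyone verifying the 2.5.2.26540.ds4-1~deb7u4 upload) will need to trace.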
[Git][security-tracker-team/security-tracker][master] Mark calibre CVE-2018-7889 in wheezy
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: ef2f8d10 by Brian May at 2018-05-07T17:09:04+10:00 Mark calibre CVE-2018-7889 in wheezy There is no known fix for this, and a true fix is not possible without changing the configuration file formats not to allow executable code. See: * https://lists.debian.org/debian-lts/2018/04/msg00098.html * https://lists.debian.org/debian-lts/2018/05/msg9.html - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -6829,6 +6829,7 @@ CVE-2018-7890 (A remote code execution issue was discovered in Zoho ManageEngine NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2018-7889 (gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on ...) - calibre 3.19.0+dfsg-1 (bug #892242) + [wheezy] - calibre (Minor issue) NOTE: https://bugs.launchpad.net/calibre/+bug/1753870 NOTE: deserialization fix https://github.com/kovidgoyal/calibre/commit/aeb5b036a0bf657951756688b3c72bd68b6e4a7d NOTE: insufficient as import also loads configuration files, which are python executables, = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt 
@@ -12,10 +12,6 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- apache2 (Roberto C. Sánchez) -- -calibre (Brian May) - NOTE: 20180321: Instead of replacing pickle with json, maybe disable bookmarking (apo) - NOTE: 20180321: completely and invest the time to fix the Jessie version instead? (apo) --- cups (Thorsten Alteholz) NOTE: 20180318: not clear whether patch is fine, so no email to maintainer sent (alteholz) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ef2f8d10c6b656f307e6331a5e9767f4183824dc
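Review bot: the reason string in the new `[wheezy] - calibre (Minor issue)` line does not match the stated rationale. The commit message says there is no known fix and that a real fix would require changing the configuration file format, and the existing NOTE lines say the upstream deserialization commit is insufficient because the configuration files are Python executables; that is "no fix available / not feasible", not "minor", for a cPickle.load deserialization issue. Use a reason that reflects the actual situation so whoever revisits the jessie status sees the risk rather than a low-impact label, and since the dla-needed hunk drops apo's alternative (disable bookmarking instead of replacing pickle), note on the CVE entry why that option was not taken.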
[Git][security-tracker-team/security-tracker][master] Mark cacti no-dsa in wheezy
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 7caee173 by Brian May at 2018-05-04T16:36:29+10:00 Mark cacti no-dsa in wheezy These security issues already marked no-dsa in Jessie and Stretch, and probably should be no-dsa in Wheezy too. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1603,11 +1603,13 @@ CVE-2018-10061 (Cacti before 1.1.37 has XSS because it makes certain htmlspecial - cacti 1.1.37+ds1-1 (low) [stretch] - cacti (Minor issue) [jessie] - cacti (Minor issue) + [wheezy] - cacti (Minor issue) NOTE: https://github.com/Cacti/cacti/issues/1457 CVE-2018-10060 (Cacti before 1.1.37 has XSS because it does not properly reject ...) - cacti 1.1.37+ds1-1 (low) [stretch] - cacti (Minor issue) [jessie] - cacti (Minor issue) + [wheezy] - cacti (Minor issue) NOTE: https://github.com/Cacti/cacti/issues/1457 CVE-2018-10059 (Cacti before 1.1.37 has XSS because the get_current_page function in ...) - cacti 1.1.37+ds1-1 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt 
@@ -12,12 +12,6 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- apache2 (Roberto C. Sánchez) -- -cacti - NOTE: 20180419: Only few commits apply to the Wheezy version so there is - NOTE: 20180419: probably less to fix than it looks like (apo) - NOTE: 20180426: Probably common with stretch patches. I fear the above just means that - NOTE: 20180426: it is more work, hence I didn't even start on it for stretch. (elbrus) --- calibre (Brian May) NOTE: 20180321: Instead of replacing pickle with json, maybe disable bookmarking (apo) NOTE: 20180321: completely and invest the time to fix the Jessie version instead? (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7caee1732319c4bf3368db82efa2b90da1426a0e
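Review bot: the data/CVE/list hunk adds wheezy tags for CVE-2018-10061 and CVE-2018-10060 only, while its context stops at CVE-2018-10059 without showing a wheezy line for it, yet the dla-needed hunk removes the cacti entry entirely. Confirm that every open cacti CVE for wheezy received a wheezy tag before the entry is dropped; otherwise the package leaves the LTS queue with work outstanding and nothing left to flag it. Inheriting `(Minor issue)` from the jessie and stretch entries is consistent with the commit message, but the removed NOTEs (apo, elbrus) argue about effort rather than impact, so a dated NOTE on the CVE entries pointing at the jessie/stretch decision would keep the rationale findable.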
[Git][security-tracker-team/security-tracker][master] Claim calibre
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: a1751f50 by Brian May at 2018-05-03T17:39:40+10:00 Claim calibre Claim calibre, although it is not clear if this can actually be fixed. See https://lists.debian.org/debian-lts/2018/04/msg00054.html - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -18,7 +18,7 @@ cacti NOTE: 20180426: Probably common with stretch patches. I fear the above just means that NOTE: 20180426: it is more work, hence I didn't even start on it for stretch. (elbrus) -- -calibre +calibre (Brian May) NOTE: 20180321: Instead of replacing pickle with json, maybe disable bookmarking (apo) NOTE: 20180321: completely and invest the time to fix the Jessie version instead? (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a1751f50a1285b534ac5fc7e7a31d557aa5b6aae