[Git][security-tracker-team/security-tracker][master] Reserve DLA-3793-1 for openjdk-11
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 9432f13e by Emilio Pozuelo Monfort at 2024-04-22T15:40:27+02:00 Reserve DLA-3793-1 for openjdk-11 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[22 Apr 2024] DLA-3793-1 openjdk-11 - security update + {CVE-2024-21011 CVE-2024-21012 CVE-2024-21068 CVE-2024-21085 CVE-2024-21094} + [buster] - openjdk-11 11.0.23+9-1~deb10u1 [22 Apr 2024] DLA-3792-1 samba - security update {CVE-2020-14318 CVE-2020-14323 CVE-2020-14383 CVE-2022-2127 CVE-2022-3437 CVE-2022-32742 CVE-2023-4091} [buster] - samba 2:4.9.5+dfsg-5+deb10u5 = data/dla-needed.txt = @@ -224,9 +224,6 @@ nvidia-graphics-drivers-legacy-390xx NOTE: 20240303: Added by Front-Desk (apo) NOTE: 20240303: See comment for nvidia-graphics-drivers. (apo/front-desk) -- -openjdk-11 (Emilio) - NOTE: 20240418: Added by pochu --- org-mode (Sean Whitton) NOTE: 20240405: Added by Front-Desk (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9432f13e7a54b0fad6fa9bf7d98f216df2e2d80d -- You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3791-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 149c9011 by Emilio Pozuelo Monfort at 2024-04-22T10:45:29+02:00 Reserve DLA-3791-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[22 Apr 2024] DLA-3791-1 thunderbird - security update + {CVE-2024-2609 CVE-2024-3302 CVE-2024-3852 CVE-2024-3854 CVE-2024-3857 CVE-2024-3859 CVE-2024-3861 CVE-2024-3864} + [buster] - thunderbird 1:115.10.1-1~deb10u1 [19 Apr 2024] DLA-3790-1 firefox-esr - security update {CVE-2024-2609 CVE-2024-3302 CVE-2024-3852 CVE-2024-3854 CVE-2024-3857 CVE-2024-3859 CVE-2024-3861 CVE-2024-3864} [buster] - firefox-esr 115.10.0esr-1~deb10u1 = data/dla-needed.txt = @@ -312,9 +312,6 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -thunderbird (Emilio) - NOTE: 20240422: Added by pochu --- tiff (Thorsten Alteholz) NOTE: 20240314: Added by coordinator (roberto) NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/149c90117adacad9bf88336a7b86d2376b4d9a36
[Git][security-tracker-team/security-tracker][master] lts: take thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 93e291de by Emilio Pozuelo Monfort at 2024-04-22T10:38:15+02:00 lts: take thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -312,6 +312,9 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- +thunderbird (Emilio) + NOTE: 20240422: Added by pochu +-- tiff (Thorsten Alteholz) NOTE: 20240314: Added by coordinator (roberto) NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93e291de895e1409cac71ae1187a80ca845f1ce3
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3790-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: f98509b7 by Emilio Pozuelo Monfort at 2024-04-19T12:38:22+02:00 Reserve DLA-3790-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[19 Apr 2024] DLA-3790-1 firefox-esr - security update + {CVE-2024-2609 CVE-2024-3302 CVE-2024-3852 CVE-2024-3854 CVE-2024-3857 CVE-2024-3859 CVE-2024-3861 CVE-2024-3864} + [buster] - firefox-esr 115.10.0esr-1~deb10u1 [18 Apr 2024] DLA-3789-1 libdatetime-timezone-perl - security update [buster] - libdatetime-timezone-perl 1:2.23-1+2024a [18 Apr 2024] DLA-3788-1 tzdata - new timezone database = data/dla-needed.txt = @@ -82,9 +82,6 @@ emacs (Sean Whitton) NOTE: 20240403: for example, CVE-2024-30202. But I think it is vulnerable NOTE: 20240403: to CVE-2024-30203. (lamby) -- -firefox-esr (Emilio) - NOTE: 20240417: Added by pochu --- freeimage NOTE: 20240320: Added by Front-Desk (ta) NOTE: 20240320: lots of postponed issue could be fixed as well View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f98509b79d30833444c0df77c8033e896b39de4e
[Git][security-tracker-team/security-tracker][master] lts: take openjdk-11
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 98107aaa by Emilio Pozuelo Monfort at 2024-04-18T16:46:31+02:00 lts: take openjdk-11 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -204,6 +204,9 @@ nvidia-graphics-drivers-legacy-390xx NOTE: 20240303: Added by Front-Desk (apo) NOTE: 20240303: See comment for nvidia-graphics-drivers. (apo/front-desk) -- +openjdk-11 (Emilio) + NOTE: 20240418: Added by pochu +-- org-mode (Sean Whitton) NOTE: 20240405: Added by Front-Desk (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98107aaaea779a8a1f67ed0581373771c4c2649d
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3789-1 for libdatetime-timezone-perl
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 86677589 by Emilio Pozuelo Monfort at 2024-04-18T12:28:48+02:00 Reserve DLA-3789-1 for libdatetime-timezone-perl - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[18 Apr 2024] DLA-3789-1 libdatetime-timezone-perl - security update + [buster] - libdatetime-timezone-perl 1:2.23-1+2024a [18 Apr 2024] DLA-3788-1 tzdata - new timezone database [buster] - tzdata 2024a-0+deb10u1 [15 Apr 2024] DLA-3787-1 xorg-server - security update = data/dla-needed.txt = @@ -121,10 +121,6 @@ knot-resolver (Markus Koschany) NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs has been fixed in bullseye. (ola) -- -libdatetime-timezone-perl (Emilio) - NOTE: 20240327: Added by pochu - NOTE: 20240417: Blocked by tzdata update (Emilio) --- libpgjava (Markus Koschany) NOTE: 20240308: Added by Front-Desk (opal) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86677589113dd97fbf0559e7e0173ee9efa087ce
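Review bot: In the data/DLA/list hunk, DLA-3789-1 is described as "security update" but the entry carries no {CVE-...} line, while the tzdata entry directly below it (DLA-3788-1) is labelled "new timezone database". The dla-needed.txt note being removed says this package was "Blocked by tzdata update", so if it is only being refreshed to the 2024a data, a description matching the tzdata entry would keep the advisory from reading as a vulnerability fix with no identifiers attached.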
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3788-1 for tzdata
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: f0451d4c by Emilio Pozuelo Monfort at 2024-04-18T12:25:06+02:00 Reserve DLA-3788-1 for tzdata - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[18 Apr 2024] DLA-3788-1 tzdata - new timezone database + [buster] - tzdata 2024a-0+deb10u1 [15 Apr 2024] DLA-3787-1 xorg-server - security update {CVE-2024-31080 CVE-2024-31081 CVE-2024-31083} [buster] - xorg-server 2:1.20.4-1+deb10u14 = data/dla-needed.txt = @@ -298,10 +298,6 @@ tinymce NOTE: 20231216: upstream's patch is backportable, as the code has changed a NOTE: 20231216: lot. (spwhitton) -- -tzdata (Emilio) - NOTE: 20240327: Added by pochu - NOTE: 20240417: updating to latest upstream instead of cherry-picking (Emilio) --- varnish NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0451d4c01050da25abbebb401d583bc7d2f9a0d
[Git][security-tracker-team/security-tracker][master] lts: take firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 2d09b63f by Emilio Pozuelo Monfort at 2024-04-17T10:41:55+02:00 lts: take firefox-esr - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -76,6 +76,9 @@ emacs (Sean Whitton) NOTE: 20240403: for example, CVE-2024-30202. But I think it is vulnerable NOTE: 20240403: to CVE-2024-30203. (lamby) -- +firefox-esr (Emilio) + NOTE: 20240417: Added by pochu +-- freeimage NOTE: 20240320: Added by Front-Desk (ta) NOTE: 20240320: lots of postponed issue could be fixed as well View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d09b63f9a9d435ccf146e2eaed263e8e3be29e8
[Git][security-tracker-team/security-tracker][master] lts: take tzdata and libdatetime-timezone-perl
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 564e0e87 by Emilio Pozuelo Monfort at 2024-04-17T10:34:36+02:00 lts: take tzdata and libdatetime-timezone-perl - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -112,8 +112,9 @@ knot-resolver (Markus Koschany) NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs has been fixed in bullseye. (ola) -- -libdatetime-timezone-perl +libdatetime-timezone-perl (Emilio) NOTE: 20240327: Added by pochu + NOTE: 20240417: Blocked by tzdata update (Emilio) -- libpgjava (Markus Koschany) NOTE: 20240308: Added by Front-Desk (opal) @@ -287,8 +288,9 @@ tinymce NOTE: 20231216: upstream's patch is backportable, as the code has changed a NOTE: 20231216: lot. (spwhitton) -- -tzdata +tzdata (Emilio) NOTE: 20240327: Added by pochu + NOTE: 20240417: updating to latest upstream instead of cherry-picking (Emilio) -- varnish NOTE: 20231117: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/564e0e879335799a577dab57168db7858ded3b07
[Git][security-tracker-team/security-tracker][master] Drop buster from backports releases
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: f32ec428 by Emilio Pozuelo Monfort at 2024-04-15T09:44:57+02:00 Drop buster from backports releases buster-backports has been archived. - - - - - 1 changed file: - lib/debian-releases.mk Changes: = lib/debian-releases.mk = @@ -7,7 +7,7 @@ endef MAIN_RELEASES = $(call get_config, '.distributions | to_entries[] | select(.value.release) | .key') SECURITY_RELEASES = $(filter-out sid, $(MAIN_RELEASES)) -BACKPORT_RELEASES = $(SECURITY_RELEASES) +BACKPORT_RELEASES = $(filter-out buster, $(SECURITY_RELEASES)) # Define the variables for the release on the main mirror define add_main_release = View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f32ec428c14d08f392225bb2b29dc92777eb9d70
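Review bot: The new `BACKPORT_RELEASES` line hard-codes `buster` in the makefile, while `MAIN_RELEASES` just above it is derived from the configuration through `get_config`. Each future archived backports suite will need another edit here, so consider selecting on a per-distribution attribute in the same config query, or at least add a comment on this line recording that buster-backports has been archived, since that reason currently lives only in the commit message.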
[Git][security-tracker-team/security-tracker][master] lts: take tzdata and libdatetime-timezone-perl
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e7a0619 by Emilio Pozuelo Monfort at 2024-03-27T11:49:13+01:00 lts: take tzdata and libdatetime-timezone-perl - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -111,6 +111,9 @@ knot-resolver NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs has been fixed in bullseye. (ola) -- +libdatetime-timezone-perl (Emilio) + NOTE: 20240327: Added by pochu +-- libpgjava NOTE: 20240308: Added by Front-Desk (opal) -- @@ -273,6 +276,9 @@ tiff (Abhijith PA) tomcat9 (Markus Koschany) NOTE: 20240121: Added by Front-Desk (apo) -- +tzdata (Emilio) + NOTE: 20240327: Added by pochu +-- varnish NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e7a0619c39062532f46cf47661e835112f7400e
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3775-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 3bdc3fde by Emilio Pozuelo Monfort at 2024-03-25T16:39:04+01:00 Reserve DLA-3775-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[25 Mar 2024] DLA-3775-1 firefox-esr - security update + {CVE-2023-5388 CVE-2024-0743 CVE-2024-2607 CVE-2024-2608 CVE-2024-2610 CVE-2024-2611 CVE-2024-2612 CVE-2024-2614 CVE-2024-2616 CVE-2024-29944} + [buster] - firefox-esr 115.9.1esr-1~deb10u1 [25 Mar 2024] DLA-3774-1 gross - security update {CVE-2023-52159} [buster] - gross 1.0.2-4.1~deb10u1 = data/dla-needed.txt = @@ -75,9 +75,6 @@ edk2 expat (tobi) NOTE: 20240306: Added by Front-Desk (opal) -- -firefox-esr (Emilio) - NOTE: 20240320: Added by Front-Desk (ta) --- freeimage NOTE: 20240320: Added by Front-Desk (ta) NOTE: 20240320: lots of postponed issue could be fixed as well View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3bdc3fdeae3de5dbd9e10d29217817e1e77d1ccd
[Git][security-tracker-team/security-tracker][master] 2 commits: tracker_service: make unimportant issues non-red
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 05e8e523 by Emilio Pozuelo Monfort at 2024-03-21T11:21:59+01:00 tracker_service: make unimportant issues non-red They were marked as red and vulnerable. Since they are marked as unimportant, we should show that to not raise alarms. - - - - - 6331de58 by Emilio Pozuelo Monfort at 2024-03-25T08:39:28+00:00 Merge branch mark-unimportant-issues-non-red into master tracker_service: make unimportant issues non-red See merge request security-tracker-team/security-tracker!167 - - - - - 1 changed file: - bin/tracker_service.py Changes: = bin/tracker_service.py = @@ -439,6 +439,14 @@ data source.""")], page.append(make_table(gen_header())) +def is_unimportant(bug, package): +if bug.notes: +for note in bug.notes: +if note.package == package and str(note.urgency) == 'unimportant': +return True + +return False + if bug.notes: def gen_source(): 
@@ -453,8 +461,12 @@ data source.""")], self.make_source_package_ref(url, package), " (", self.make_pts_ref(url, package, 'PTS'), ")") if vulnerable == 1: -vuln = self.make_red('vulnerable') -version = self.make_red(version) +if is_unimportant(bug, old_pkg): +vuln = self.make_yellow('vulnerable (unimportant)') +version = self.make_yellow(version) +else: +vuln = self.make_red('vulnerable') +version = self.make_red(version) elif vulnerable == 2: vuln = self.make_purple('undetermined') version = self.make_purple(version) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5d55976a1e042c0466e5028e30db1e910a577c8b...6331de58722181077a1533dc934eef3c23719237
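Review bot: In the `@@ -439,6 +439,14 @@` hunk, `is_unimportant` matches a note on `note.package` and urgency alone, so a note for the same package that applies to a different release would also turn the row yellow. If notes carry a release, compare it as well, or add a docstring saying the match is intentionally package-wide. The `if bug.notes:` guard inside the helper also repeats the one in the context line that follows it, and the comparison goes through `str(note.urgency) == 'unimportant'`, which deserves a short comment on why the string form is compared.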
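Review bot: In the `@@ -453,8 +461,12 @@` hunk the new call is `is_unimportant(bug, old_pkg)`, while the context line just above builds the row with `self.make_source_package_ref(url, package)`. Please confirm that `old_pkg` already equals the current row's package when this branch runs; if it is only updated later in the loop, a row is checked against the previous package's notes and an issue that is not unimportant could be rendered yellow instead of red. Passing `package` would remove the doubt.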
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3769-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 062ad09d by Emilio Pozuelo Monfort at 2024-03-23T12:21:50+01:00 Reserve DLA-3769-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[23 Mar 2024] DLA-3769-1 thunderbird - security update + {CVE-2023-5388 CVE-2024-0743 CVE-2024-1936 CVE-2024-2607 CVE-2024-2608 CVE-2024-2610 CVE-2024-2611 CVE-2024-2612 CVE-2024-2614 CVE-2024-2616} + [buster] - thunderbird 1:115.9.0-1~deb10u1 [22 Mar 2024] DLA-3768-1 pillow - security update {CVE-2021-23437 CVE-2022-22817 CVE-2023-44271} [buster] - pillow 5.4.1-2+deb10u5 = data/dla-needed.txt = @@ -284,9 +284,6 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -thunderbird (Emilio) - NOTE: 20240306: Added by Front-Desk (opal) --- tiff (Abhijith PA) NOTE: 20240314: Added by coordinator (roberto) NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/062ad09de1adc5a5ed07a49e266678be5aa6ff09
[Git][security-tracker-team/security-tracker] Deleted branch mark-unimportant-issues-non-red
Emilio Pozuelo Monfort deleted branch mark-unimportant-issues-non-red at Debian Security Tracker / security-tracker
[Git][security-tracker-team/security-tracker] Pushed new branch mark-unimportant-issues-non-red
Emilio Pozuelo Monfort pushed new branch mark-unimportant-issues-non-red at Debian Security Tracker / security-tracker -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/tree/mark-unimportant-issues-non-red
[Git][security-tracker-team/security-tracker][master] lts: take firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: ff3cbf06 by Emilio Pozuelo Monfort at 2024-03-21T10:36:47+01:00 lts: take firefox-esr - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -75,7 +75,7 @@ edk2 expat (tobi) NOTE: 20240306: Added by Front-Desk (opal) -- -firefox-esr +firefox-esr (Emilio) NOTE: 20240320: Added by Front-Desk (ta) -- freeimage View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff3cbf068d3f20c94a42a6ee42cb12d300d6aa06
[Git][security-tracker-team/security-tracker][master] lts: take thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: d01a78cb by Emilio Pozuelo Monfort at 2024-03-07T10:43:53+01:00 lts: take thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -313,7 +313,7 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -thunderbird +thunderbird (Emilio) NOTE: 20240306: Added by Front-Desk (opal) -- tiff (Abhijith PA) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d01a78cb2db5f4285e4b5fbe0239811909d612bd
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3748-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 6638922c by Emilio Pozuelo Monfort at 2024-03-04T08:53:26+01:00 Reserve DLA-3748-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[04 Mar 2024] DLA-3748-1 thunderbird - security update + {CVE-2024-1546 CVE-2024-1547 CVE-2024-1548 CVE-2024-1549 CVE-2024-1550 CVE-2024-1551 CVE-2024-1552 CVE-2024-1553} + [buster] - thunderbird 1:115.8.0-1~deb10u1 [04 Mar 2024] DLA-3747-1 firefox-esr - security update {CVE-2024-1546 CVE-2024-1547 CVE-2024-1548 CVE-2024-1549 CVE-2024-1550 CVE-2024-1551 CVE-2024-1552 CVE-2024-1553} [buster] - firefox-esr 115.8.0esr-1~deb10u1 = data/dla-needed.txt = @@ -272,10 +272,6 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -thunderbird (Emilio) - NOTE: 20240222: Added by Front-Desk (pochu) - NOTE: 20240222: send DLA after maintainer uploads 115.8.0 --- tiff (Abhijith PA) NOTE: 20231231: Added by Front-Desk (lamby) NOTE: 20231231: CVE-2023-3576 already fixed in bullseye via DSA or point release(s). (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6638922c4067bb974dbfa6366466863ff5044812
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3747-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 14d946b6 by Emilio Pozuelo Monfort at 2024-03-04T08:51:25+01:00 Reserve DLA-3747-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[04 Mar 2024] DLA-3747-1 firefox-esr - security update + {CVE-2024-1546 CVE-2024-1547 CVE-2024-1548 CVE-2024-1549 CVE-2024-1550 CVE-2024-1551 CVE-2024-1552 CVE-2024-1553} + [buster] - firefox-esr 115.8.0esr-1~deb10u1 [29 Feb 2024] DLA-3746-1 wireshark - security update {CVE-2023-4511 CVE-2023-4513 CVE-2023-6175 CVE-2024-0208} [buster] - wireshark 2.6.20-0+deb10u8 = data/dla-needed.txt = @@ -94,9 +94,6 @@ edk2 exiftags NOTE: 20240121: Added by Front-Desk (apo) -- -firefox-esr (Emilio) - NOTE: 20240222: Added by Front-Desk (pochu) --- freeimage NOTE: 20240121: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/14d946b6198855bbeb93fa72ca8365bebdbea6b7
[Git][security-tracker-team/security-tracker][master] lts: take thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: c97e7a88 by Emilio Pozuelo Monfort at 2024-03-04T08:49:58+01:00 lts: take thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -275,7 +275,7 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -thunderbird +thunderbird (Emilio) NOTE: 20240222: Added by Front-Desk (pochu) NOTE: 20240222: send DLA after maintainer uploads 115.8.0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c97e7a88d4db282b15dfd07be7b36656f19b79ff
[Git][security-tracker-team/security-tracker][master] lts: add thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b41cf60 by Emilio Pozuelo Monfort at 2024-02-22T19:36:59+01:00 lts: add thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -280,6 +280,10 @@ suricata NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- +thunderbird + NOTE: 20240222: Added by Front-Desk (pochu) + NOTE: 20240222: send DLA after maintainer uploads 115.8.0 +-- tiff NOTE: 20231231: Added by Front-Desk (lamby) NOTE: 20231231: CVE-2023-3576 already fixed in bullseye via DSA or point release(s). (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b41cf60d5d814dee838af8c8a2bdff7b78b6dee
[Git][security-tracker-team/security-tracker][master] lts: take firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f82bb5a by Emilio Pozuelo Monfort at 2024-02-22T19:35:15+01:00 lts: take firefox-esr - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -94,6 +94,9 @@ engrampa exiftags NOTE: 20240121: Added by Front-Desk (apo) -- +firefox-esr (Emilio) + NOTE: 20240222: Added by Front-Desk (pochu) +-- freeimage NOTE: 20240121: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f82bb5afa8fde2fc0cf8f72e00fa9b2606f3d8b
[Git][security-tracker-team/security-tracker][master] Add missing reservation for DLA-3735-1
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 20ce78fb by Emilio Pozuelo Monfort at 2024-02-19T10:00:27+01:00 Add missing reservation for DLA-3735-1 https://lists.debian.org/debian-lts/2024/02/msg00016.html - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -161683,7 +161683,6 @@ CVE-2021-43784 (runc is a CLI tool for spawning and running containers on Linux {DLA-2841-1} - runc 1.0.3+ds1-1 [bullseye] - runc (Minor issue; not exploitable in 1.0.0) - [buster] - runc (Minor issue; not exploitable in 1.0.0) NOTE: https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f NOTE: https://www.openwall.com/lists/oss-security/2021/12/06/1 NOTE: Fixed by: https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae = data/DLA/list = @@ -1,3 +1,6 @@ +[19 Feb 2024] DLA-3735-1 runc - security update + {CVE-2021-43784 CVE-2024-21626} + [buster] - runc 1.0.0~rc6+dfsg1-3+deb10u3 [17 Feb 2024] DLA-3734-1 openvswitch - security update {CVE-2023-5366} [buster] - openvswitch 2.10.7+ds1-0+deb10u5 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20ce78fbefbaf1516dbd9e7d6679974b1e985dce
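Review bot: the data/CVE/list hunk removes the "[buster] - runc (Minor issue; not exploitable in 1.0.0)" line for CVE-2021-43784, which the commit message ("Add missing reservation for DLA-3735-1") does not mention. The removal fits the new data/DLA/list entry, which lists CVE-2021-43784 as fixed in buster by 1.0.0~rc6+dfsg1-3+deb10u3, but one sentence in the message saying the triage line is superseded by the DLA would make that explicit. The CVE entry also already carries {DLA-2841-1} in the context lines, so it is worth confirming that it is meant to appear under both advisories.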
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3728-1 for openjdk-11
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: cd2b7d69 by Emilio Pozuelo Monfort at 2024-01-31T16:30:47+01:00 Reserve DLA-3728-1 for openjdk-11 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Jan 2024] DLA-3728-1 openjdk-11 - security update + {CVE-2024-20918 CVE-2024-20919 CVE-2024-20921 CVE-2024-20926 CVE-2024-20945 CVE-2024-20952} + [buster] - openjdk-11 11.0.22+7-1~deb10u1 [31 Jan 2024] DLA-3727-1 firefox-esr - security update {CVE-2024-0741 CVE-2024-0742 CVE-2024-0746 CVE-2024-0747 CVE-2024-0749 CVE-2024-0750 CVE-2024-0751 CVE-2024-0753 CVE-2024-0755} [buster] - firefox-esr 115.7.0esr-1~deb10u1 = data/dla-needed.txt = @@ -168,9 +168,6 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- -openjdk-11 (Emilio) - NOTE: 20240121: Added by Front-Desk (apo) --- putty (santiago) NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd2b7d69a2168c3a48c9029464fea5417b6f266d
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3727-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: a5866bd9 by Emilio Pozuelo Monfort at 2024-01-31T16:14:34+01:00 Reserve DLA-3727-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Jan 2024] DLA-3727-1 firefox-esr - security update + {CVE-2024-0741 CVE-2024-0742 CVE-2024-0746 CVE-2024-0747 CVE-2024-0749 CVE-2024-0750 CVE-2024-0751 CVE-2024-0753 CVE-2024-0755} + [buster] - firefox-esr 115.7.0esr-1~deb10u1 [30 Jan 2024] DLA-3726-1 bind9 - security update {CVE-2023-3341} [buster] - bind9 1:9.11.5.P4+dfsg-5.1+deb10u10 = data/dla-needed.txt = @@ -80,9 +80,6 @@ edk2 exiftags NOTE: 20240121: Added by Front-Desk (apo) -- -firefox-esr (Emilio) - NOTE: 20240125: Added by pochu --- freeimage NOTE: 20240121: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5866bd9075ef7cabfe2d55c99d3cbd757e75e9d
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3720-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: e94fbd17 by Emilio Pozuelo Monfort at 2024-01-25T11:48:41+01:00 Reserve DLA-3720-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[25 Jan 2024] DLA-3720-1 thunderbird - security update + {CVE-2024-0741 CVE-2024-0742 CVE-2024-0746 CVE-2024-0747 CVE-2024-0749 CVE-2024-0750 CVE-2024-0751 CVE-2024-0753 CVE-2024-0755} + [buster] - thunderbird 1:115.7.0-1~deb10u1 [25 Jan 2024] DLA-3719-1 phpseclib - security update {CVE-2023-48795} [buster] - phpseclib 1.0.19-3~deb10u2 = data/dla-needed.txt = @@ -278,9 +278,6 @@ suricata NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -thunderbird (Emilio) - NOTE: 20240125: Added by pochu --- tiff NOTE: 20231231: Added by Front-Desk (lamby) NOTE: 20231231: CVE-2023-3576 already fixed in bullseye via DSA or point release(s). (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e94fbd171f2fd912f636b1642c7e0a87d82b1d43
[Git][security-tracker-team/security-tracker][master] lts: take firefox-esr and thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 78b9cf35 by Emilio Pozuelo Monfort at 2024-01-25T11:13:39+01:00 lts: take firefox-esr and thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -85,6 +85,9 @@ edk2 exiftags NOTE: 20240121: Added by Front-Desk (apo) -- +firefox-esr (Emilio) + NOTE: 20240125: Added by pochu +-- freeimage NOTE: 20240121: Added by Front-Desk (apo) -- @@ -275,6 +278,9 @@ suricata NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- +thunderbird (Emilio) + NOTE: 20240125: Added by pochu +-- tiff NOTE: 20231231: Added by Front-Desk (lamby) NOTE: 20231231: CVE-2023-3576 already fixed in bullseye via DSA or point release(s). (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/78b9cf357cbb5246fc5956782c09a4b3da511db6
[Git][security-tracker-team/security-tracker][master] lts: take openjdk-11
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 35fdad6d by Emilio Pozuelo Monfort at 2024-01-22T11:32:58+01:00 lts: take openjdk-11 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -178,7 +178,7 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- -openjdk-11 +openjdk-11 (Emilio) NOTE: 20240121: Added by Front-Desk (apo) -- php-phpseclib (guilhem) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/35fdad6dbdff4b5543e97961fc269a70a891705d
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3698-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 7c07ad52 by Emilio Pozuelo Monfort at 2023-12-29T11:10:44+01:00 Reserve DLA-3698-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Dec 2023] DLA-3698-1 thunderbird - security update + {CVE-2023-6856 CVE-2023-6857 CVE-2023-6858 CVE-2023-6859 CVE-2023-6860 CVE-2023-6861 CVE-2023-6862 CVE-2023-6864 CVE-2023-6873 CVE-2023-50761 CVE-2023-50762} + [buster] - thunderbird 1:115.6.0-1~deb10u1 [29 Dec 2023] DLA-3697-1 firefox-esr - security update {CVE-2023-6856 CVE-2023-6857 CVE-2023-6858 CVE-2023-6859 CVE-2023-6860 CVE-2023-6861 CVE-2023-6862 CVE-2023-6863 CVE-2023-6864 CVE-2023-6865 CVE-2023-6867} [buster] - firefox-esr 115.6.0esr-1~deb10u1 = data/dla-needed.txt = @@ -250,9 +250,6 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -thunderbird (Emilio) - NOTE: 20231221: Added by pochu --- tinymce NOTE: 20231123: Added by Front-Desk (ola) NOTE: 20231216: Someone with more XSS experience needed to assess the View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7c07ad52b7dff85c540be64bba12b23f43bbf222
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3697-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: cf1e760e by Emilio Pozuelo Monfort at 2023-12-29T11:07:50+01:00 Reserve DLA-3697-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Dec 2023] DLA-3697-1 firefox-esr - security update + {CVE-2023-6856 CVE-2023-6857 CVE-2023-6858 CVE-2023-6859 CVE-2023-6860 CVE-2023-6861 CVE-2023-6862 CVE-2023-6863 CVE-2023-6864 CVE-2023-6865 CVE-2023-6867} + [buster] - firefox-esr 115.6.0esr-1~deb10u1 [28 Dec 2023] DLA-3696-1 asterisk - security update {CVE-2023-37457 CVE-2023-38703 CVE-2023-49294 CVE-2023-49786} [buster] - asterisk 1:16.28.0~dfsg-0+deb10u4 = data/dla-needed.txt = @@ -75,9 +75,6 @@ dropbear (guilhem) exim4 (Markus Koschany) NOTE: 20231224: Added by Front-Desk (ta) -- -firefox-esr (Emilio) - NOTE: 20231221: Added by pochu --- frr NOTE: 20231119: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cf1e760e9622c4378670cf0057bc642ae85338e8
[Git][security-tracker-team/security-tracker][master] lts: take firefox-esr and thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 9a1eec85 by Emilio Pozuelo Monfort at 2023-12-21T16:00:09+01:00 lts: take firefox-esr and thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -73,6 +73,9 @@ dogecoin dropbear (guilhem) NOTE: 20231219: Added by Front-Desk (ta) -- +firefox-esr (Emilio) + NOTE: 20231221: Added by pochu +-- frr NOTE: 20231119: Added by Front-Desk (apo) -- @@ -229,6 +232,9 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- +thunderbird (Emilio) + NOTE: 20231221: Added by pochu +-- tinymce NOTE: 20231123: Added by Front-Desk (ola) NOTE: 20231216: Someone with more XSS experience needed to assess the View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a1eec858c2d864b41e19defb8e3112f024ffc31
[Git][security-tracker-team/security-tracker][master] Makefile: add an update-cve-descriptions target
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: d7e47aa0 by Emilio Pozuelo Monfort at 2023-12-12T16:39:13+01:00 Makefile: add an update-cve-descriptions target This will be used by the tracker service instead of the update-nvd one, which will be removed later. - - - - - 1 changed file: - Makefile Changes: = Makefile = @@ -72,12 +72,15 @@ update-backports: $(foreach release,$(BACKPORT_RELEASES),update-$(release)_backp supported-update-targets: @echo -n "main security backports " @echo -n "$(RELEASES) " - @echo -n "packages lists nvd" + @echo -n "packages lists cve-descriptions nvd" # Other custom update rules update-lists: git fetch -q origin && git checkout -f origin/master -- data +update-cve-descriptions: + bin/update-cve-descriptions + # Since October 16, 2015 the XML data feeds are no longer available for # download in an uncompressed format. # As per October 16, 2019, the XML data feeds were discontinued and NVD @@ -102,4 +105,4 @@ update-compare-nvd: done bin/compare-nvd-cve 2> compare-nvd-cve.log -update-all: update-nvd update-lists update-packages all +update-all: update-cve-descriptions update-lists update-packages all View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7e47aa04024736d12cb721bbbc5dabd3bbde669
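Review bot: the last hunk swaps update-nvd for update-cve-descriptions in the update-all prerequisites, which changes what every caller of update-all runs today, while the commit message only says the tracker service will use the new target and that update-nvd goes away later. Either leave update-all alone until update-nvd is actually removed, or state in the message that update-all no longer refreshes the NVD data. The new update-cve-descriptions rule is also inserted directly above the comment block about the NVD XML feeds with no comment of its own; a line saying what bin/update-cve-descriptions fetches would keep the two rules from being read together, and if the Makefile declares its update targets as .PHONY elsewhere the new one should be added there.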
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3684-1 for tzdata
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: d7e704dc by Emilio Pozuelo Monfort at 2023-12-07T10:35:12+01:00 Reserve DLA-3684-1 for tzdata - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[07 Dec 2023] DLA-3684-1 tzdata - new timezone database + [buster] - tzdata 2021a-0+deb10u12 [05 Dec 2023] DLA-3683-1 roundcube - security update {CVE-2023-47272} [buster] - roundcube 1.3.17+dfsg.1-1~deb10u5 = data/dla-needed.txt = @@ -226,9 +226,6 @@ tomcat9 tor NOTE: 20231119: Added by Front-Desk (apo) -- -tzdata (Emilio) - NOTE: 20231206: Added by pochu --- varnish (Abhijith PA) NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7e704dcd46b9064c7df6bfc96c79d9115802751
[Git][security-tracker-team/security-tracker][master] lts: take tzdata
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 0f35a06b by Emilio Pozuelo Monfort at 2023-12-06T11:29:10+01:00 lts: take tzdata - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -223,6 +223,9 @@ tomcat9 tor NOTE: 20231119: Added by Front-Desk (apo) -- +tzdata (Emilio) + NOTE: 20231206: Added by pochu +-- varnish (Abhijith PA) NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0f35a06bf4ea12fc9ddc9f3d5e9af720069f983d
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3674-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: d2d19d76 by Emilio Pozuelo Monfort at 2023-11-30T15:25:02+01:00 Reserve DLA-3674-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Nov 2023] DLA-3674-1 thunderbird - security update + {CVE-2023-6204 CVE-2023-6205 CVE-2023-6206 CVE-2023-6207 CVE-2023-6208 CVE-2023-6209 CVE-2023-6212} + [buster] - thunderbird 1:115.5.0-1~deb10u1 [28 Nov 2023] DLA-3673-1 gst-plugins-bad1.0 - security update {CVE-2023-6} [buster] - gst-plugins-bad1.0 1.14.4-1+deb10u5 = data/dla-needed.txt = @@ -222,9 +222,6 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -thunderbird (Emilio) - NOTE: 20231122: Added by Front-Desk (ola) --- tinymce (Sean Whitton) NOTE: 20231123: Added by Front-Desk (ola) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2d19d76129e8fe47208e4e61965ab89029b7fef
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3661-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 9b473de5 by Emilio Pozuelo Monfort at 2023-11-23T23:35:26+01:00 Reserve DLA-3661-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[23 Nov 2023] DLA-3661-1 firefox-esr - security update + {CVE-2023-6204 CVE-2023-6205 CVE-2023-6206 CVE-2023-6207 CVE-2023-6208 CVE-2023-6209 CVE-2023-6212} + [buster] - firefox-esr 115.5.0esr-1~deb10u1 [22 Nov 2023] DLA-3660-1 gnutls28 - security update {CVE-2023-5981} [buster] - gnutls28 3.6.7-4+deb10u11 = data/dla-needed.txt = @@ -61,9 +61,6 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- -firefox-esr (Emilio) - NOTE: 20231122: Added by Front-Desk (ola) --- flatpak NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9b473de53704c7757d45a03db485bd9acce40ea2
[Git][security-tracker-team/security-tracker][master] lts: take firefox-esr and thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 97415239 by Emilio Pozuelo Monfort at 2023-11-23T10:36:59+01:00 lts: take firefox-esr and thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -61,7 +61,7 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- -firefox-esr +firefox-esr (Emilio) NOTE: 20231122: Added by Front-Desk (ola) -- flatpak @@ -261,7 +261,7 @@ suricata (Adrian Bunk) symfony (Markus Koschany) NOTE: 20231118: Added by Front-Desk (apo) -- -thunderbird +thunderbird (Emilio) NOTE: 20231122: Added by Front-Desk (ola) -- tor View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/97415239a90462de31fc4d637dfd8b2d8fa6c5f6
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3653-1 for libclamunrar
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: cd2eff54 by Emilio Pozuelo Monfort at 2023-11-15T10:41:08+01:00 Reserve DLA-3653-1 for libclamunrar - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[15 Nov 2023] DLA-3653-1 libclamunrar - security update + {CVE-2023-40477} + [buster] - libclamunrar 0.103.10-0+deb10u1 [14 Nov 2023] DLA-3652-1 ruby-sanitize - security update {CVE-2023-36823} [buster] - ruby-sanitize 4.6.6-2.1~deb10u2 = data/dla-needed.txt = @@ -100,10 +100,6 @@ keystone knot-resolver NOTE: 20231029: Added by Front-Desk (gladk) -- -libclamunrar (Emilio) - NOTE: 20231113: Added by Front-Desk (apo) - NOTE: 20231113: Please upgrade to 0.103.10 to include the fix for CVE-2023-40477 --- libreswan NOTE: 20230817: Added by Front-Desk (ta) NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd2eff54b4255c7d413ca417fcb54a69b4de3a87
[Git][security-tracker-team/security-tracker][master] lts: drop clamav and add libclamunrar
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ed31dca by Emilio Pozuelo Monfort at 2023-11-14T09:49:24+01:00 lts: drop clamav and add libclamunrar The affected code is in src:libclamunrar, which is split from clamav. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -40,10 +40,6 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -clamav (Emilio) - NOTE: 20231113: Added by Front-Desk (apo) - NOTE: 20231113: Please upgrade to 0.103.10 to include the fix for CVE-2023-40477 (libclamunrar). --- curl NOTE: 20231103: Added by Front-Desk (lamby) NOTE: 20231103: Sync with stable. (lamby) @@ -104,6 +100,10 @@ keystone knot-resolver NOTE: 20231029: Added by Front-Desk (gladk) -- +libclamunrar (Emilio) + NOTE: 20231113: Added by Front-Desk (apo) + NOTE: 20231113: Please upgrade to 0.103.10 to include the fix for CVE-2023-40477 +-- libreswan NOTE: 20230817: Added by Front-Desk (ta) NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ed31dca0342aad915b31132a2a7e3264d57b6e1
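Review bot: the new libclamunrar entry in the second hunk carries over both 20231113 NOTE lines from the removed clamav entry, including "Added by Front-Desk (apo)", so the file now reads as if Front-Desk had added libclamunrar on that date. The reason for the move is only in the commit message; a dated NOTE in the entry itself, for example that it was moved from clamav because the affected code is in src:libclamunrar, would keep that history visible to people reading data/dla-needed.txt without the git log.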
[Git][security-tracker-team/security-tracker][master] lts: take clamav
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: c2eab86f by Emilio Pozuelo Monfort at 2023-11-14T09:39:08+01:00 lts: take clamav Looks unaffected, but claim it for further investigation. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -40,7 +40,7 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -clamav +clamav (Emilio) NOTE: 20231113: Added by Front-Desk (apo) NOTE: 20231113: Please upgrade to 0.103.10 to include the fix for CVE-2023-40477 (libclamunrar). -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2eab86f47509fc19cc53fdf9bb3dcd1fe4903e1
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3651-1 for postgresql-11
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: bf97a667 by Emilio Pozuelo Monfort at 2023-11-14T09:31:04+01:00 Reserve DLA-3651-1 for postgresql-11 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[14 Nov 2023] DLA-3651-1 postgresql-11 - security update + {CVE-2023-5868 CVE-2023-5869 CVE-2023-5870} + [buster] - postgresql-11 11.22-0+deb10u1 [12 Nov 2023] DLA-3650-1 audiofile - security update {CVE-2019-13147 CVE-2022-24599} [buster] - audiofile 0.3.6-5+deb10u1 = data/dla-needed.txt = @@ -173,9 +173,6 @@ osslsigncode NOTE: 20230925: Added by Front-Desk (apo) NOTE: 20230925: Maybe a new upstream release should just do the trick here. -- -postgresql-11 (Emilio) - NOTE: 20231113: Added by pochu to take care of the announcement --- postgresql-multicorn NOTE: 20231108: Added by Front-Desk (santiago) NOTE: 20231108: Need to handle incompatibilities with versions in debian packages, brought up by PEP 440. See https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/70 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bf97a667cdff45176cfda06b6b3b067b2cdb9aec
[Git][security-tracker-team/security-tracker][master] lts: take postgresql-11
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 124b8dff by Emilio Pozuelo Monfort at 2023-11-13T09:13:57+01:00 lts: take postgresql-11 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -168,6 +168,9 @@ osslsigncode NOTE: 20230925: Added by Front-Desk (apo) NOTE: 20230925: Maybe a new upstream release should just do the trick here. -- +postgresql-11 (Emilio) + NOTE: 20231113: Added by pochu to take care of the announcement +-- postgresql-multicorn NOTE: 20231108: Added by Front-Desk (santiago) NOTE: 20231108: Need to handle incompatibilities with versions in debian packages, brought up by PEP 440. See https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/70 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/124b8dffded463da01410e0547cd1249d5b98305
[Git][security-tracker-team/security-tracker][master] lts: remove obsolete audiofile note
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: ebea182c by Emilio Pozuelo Monfort at 2023-11-10T13:45:58+01:00 lts: remove obsolete audiofile note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -26,7 +26,6 @@ amanda -- audiofile (rouca) NOTE: 20230918: Added by Front-Desk (apo) - NOTE: 20230919: unfixed upstream (apo) -- bind9 (Thorsten Alteholz) NOTE: 20230921: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ebea182ca84c2000e79a2e188ce5977a7c4b2010
[Git][security-tracker-team/security-tracker][master] 3 commits: Mark CVE-2023-43642/snappy-java as no-dsa on buster
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 1151e0e3 by Emilio Pozuelo Monfort at 2023-11-10T13:29:37+01:00 Mark CVE-2023-43642/snappy-java as no-dsa on buster - - - - - 29e67e5e by Emilio Pozuelo Monfort at 2023-11-10T13:30:32+01:00 Mark two golang-1.11 issues as no-dsa on buster - - - - - d993030b by Emilio Pozuelo Monfort at 2023-11-10T13:35:36+01:00 Mark CVE-2023-26141/ruby-sidekiq as no-dsa on buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -475,6 +475,7 @@ CVE-2023-45284 (On Windows, The IsLocal function does not correctly detect reser - golang-1.15 [bullseye] - golang-1.15 (Minor issue) - golang-1.11 + [buster] - golang-1.11 (Minor issue) NOTE: https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY NOTE: https://github.com/golang/go/issues/63713 NOTE: https://github.com/golang/go/commit/9e933c189ca3a84f12995b3c799364a06abc4376 (go1.21.4) @@ -488,6 +489,7 @@ CVE-2023-45283 (The filepath package does not recognize paths with a \??\ prefix - golang-1.15 [bullseye] - golang-1.15 (Minor issue) - golang-1.11 + [buster] - golang-1.11 (Minor issue) NOTE: https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY NOTE: https://github.com/golang/go/issues/63713 NOTE: https://github.com/golang/go/commit/9e933c189ca3a84f12995b3c799364a06abc4376 (go1.21.4) @@ -8173,6 +8175,7 @@ CVE-2023-43642 (snappy-java is a Java port of the snappy, a fast C++ compresser/ - snappy-java 1.1.10.5-1 (bug #1053474) [bookworm] - snappy-java (Minor issue) [bullseye] - snappy-java (Minor issue) + [buster] - snappy-java (Minor issue) NOTE: https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5 (v1.1.10.4) NOTE: https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv CVE-2023-43458 (Cross Site Scripting (XSS) vulnerability in Resort Reservation System ...) 
@@ -41407,6 +41410,7 @@ CVE-2023-26142 (All versions of the package crow are vulnerable to HTTP Response NOT-FOR-US: Crow CVE-2023-26141 (Versions of the package sidekiq before 7.1.3 are vulnerable to Denial ...) - ruby-sidekiq + [buster] - ruby-sidekiq (Minor issue, DoS still possible) NOTE: https://security.snyk.io/vuln/SNYK-RUBY-SIDEKIQ-5885107 NOTE: https://github.com/sidekiq/sidekiq/commit/62c90d7c5a7d8a378d79909859d87c2e0702bf89 (v7.1.3) CVE-2023-26140 (Versions of the package @excalidraw/excalidraw from 0.0.0 are vulnerab ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3e1fe0e440a80dbcacc87dfad89b5b4dcb7971f1...d993030b744100af82567168e18fe795962291b0
[Git][security-tracker-team/security-tracker][master] 2 commits: Mark CVE-2023-5072/jenkins-json as no-dsa on buster
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: b6a2615d by Emilio Pozuelo Monfort at 2023-11-10T13:22:34+01:00 Mark CVE-2023-5072/jenkins-json as no-dsa on buster - - - - - 3e1fe0e4 by Emilio Pozuelo Monfort at 2023-11-10T13:23:28+01:00 Fix wrong CVE ID in DLA-3649-1 - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -4729,6 +4729,7 @@ CVE-2023-5072 (Denial of Service in JSON-Java versions up to and including 2023 - jenkins-json (bug #1053883) [bookworm] - jenkins-json (Minor issue) [bullseye] - jenkins-json (Minor issue) + [buster] - jenkins-json (Minor issue) - libjettison-java (bug #1053884) [bookworm] - libjettison-java (Minor issue) [bullseye] - libjettison-java (Minor issue) = data/DLA/list = @@ -1,5 +1,5 @@ [08 Nov 2023] DLA-3649-1 python-urllib3 - security update - {CVE-2023-43803} + {CVE-2023-45803} [buster] - python-urllib3 1.24.1-1+deb10u2 [07 Nov 2023] DLA-3648-1 tang - security update {CVE-2023-1672} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0d1a5c4a0c3571d7f6304660fa3cf067d94ccd36...3e1fe0e440a80dbcacc87dfad89b5b4dcb7971f1
[Git][security-tracker-team/security-tracker][master] 3 commits: Triage CVE-2023-5678/openssl as postponed for buster
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: a20d208f by Emilio Pozuelo Monfort at 2023-11-08T12:58:49+01:00 Triage CVE-2023-5678/openssl as postponed for buster - - - - - eeb3ad01 by Emilio Pozuelo Monfort at 2023-11-08T12:58:51+01:00 Mark gpac issues as EOL for buster - - - - - d3d23685 by Emilio Pozuelo Monfort at 2023-11-08T12:58:51+01:00 lts: add ruby-sanitize - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -56,6 +56,7 @@ CVE-2023-46483 (Cross Site Scripting vulnerability in timetec AWDMS v.2.0 allows NOT-FOR-US: timetec AWDMS CVE-2023-46001 (Buffer Overflow vulnerability in gpac MP4Box v.2.3-DEV-rev573-g2013208 ...) - gpac + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2629 NOTE: https://github.com/gpac/gpac/commit/e79b0cf7e72404750630bc01340e999f3940dbc4 CVE-2023-45380 (In the module "Order Duplicator " Clone and Delete Existing Order" (or ...) @@ -100,6 +101,7 @@ CVE-2023-45283 [path/filepath: recognize \??\ as a Root Local Device path prefix TODO: check if it should be considered "windows only" or still tracked due to issue in path parsing for windows paths CVE-2023-5998 (Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3.0-DEV.) - gpac + [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.com/bounties/ea02a231-b688-422b-a881-ef415bcf6113 NOTE: https://github.com/gpac/gpac/commit/db74835944548fc3bdf03121b0e012373bdebb3e CVE-2023-5996 
@@ -1982,6 +1984,7 @@ CVE-2023-5678 (Issue summary: Generating excessively long X9.42 DH keys or check - openssl (bug #1055473) [bookworm] - openssl (Minor issue; can be fixed along with future update) [bullseye] - openssl (Minor issue; can be fixed along with future update) + [buster] - openssl (Minor issue; can be fixed along with future update) NOTE: https://www.openssl.org/news/secadv/20231106.txt NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017 (for 3.0.y) NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c (for 1.1.1y) = data/dla-needed.txt = @@ -210,6 +210,9 @@ ring NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca) -- +ruby-sanitize + NOTE: 20231108: Added by Front-Desk (pochu) +-- salt NOTE: 20220814: Added by Front-Desk (gladk) NOTE: 20220814: I am not sure, whether it is possible to fix issues View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1ae562751e0b0d6af6c0c1b1491503bccec316f2...d3d23685c73af8d3add9a9f03dc68533d34ec01f
[Git][security-tracker-team/security-tracker][master] Triage CVE-2023-46361/jbig2dec as no-dsa on buster
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 04c07598 by Emilio Pozuelo Monfort at 2023-11-06T13:20:58+01:00 Triage CVE-2023-46361/jbig2dec as no-dsa on buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -846,6 +846,7 @@ CVE-2023-46361 (Artifex Software jbig2dec v0.20 was discovered to contain a SEGV - jbig2dec (bug #1055387) [bookworm] - jbig2dec (Minor issue) [bullseye] - jbig2dec (Minor issue) + [buster] - jbig2dec (Minor issue) NOTE: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/jbig2dec-SEGV/jbig2dec-SEGV.md NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=707308 CVE-2023-46356 (In the module "CSV Feeds PRO" (csvfeeds) before 2.6.1 from Bl Modules ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/04c07598ab3785668d24d4eebbf1a46974a85529
[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-43622/apache2 as n/a on buster
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: cc7269c2 by Emilio Pozuelo Monfort at 2023-11-06T13:17:25+01:00 Mark CVE-2023-43622/apache2 as n/a on buster According to the upstream advisory, it was introduced in 2.4.55. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2798,7 +2798,7 @@ CVE-2023-43622 (An attacker, opening a HTTP/2 connection with an initial window - apache2 2.4.58-1 [bookworm] - apache2 (Minor issue) [bullseye] - apache2 (Minor issue) - [buster] - apache2 (Minor issue) + [buster] - apache2 (Vulnerable code introduced later) NOTE: https://www.openwall.com/lists/oss-security/2023/10/19/5 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2023-43622 CVE-2023-5654 (The React Developer Tools extension registers a message listener with ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc7269c2cd003196739da8956f1d025a45c26549
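Review bot: The new `[buster] - apache2 (Vulnerable code introduced later)` line in the CVE-2023-43622 entry carries the conclusion but not the evidence. The commit message says the upstream advisory places the introduction in 2.4.55, yet that version appears nowhere in data/CVE/list. Adding a NOTE line beside the existing httpd.apache.org NOTE that records the introducing version would let a later reader confirm the not-affected status from the data file alone, without going back to the commit log.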
[Git][security-tracker-team/security-tracker][master] lts: add vlc
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e00f4d9 by Emilio Pozuelo Monfort at 2023-11-06T13:02:19+01:00 lts: add vlc - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -247,6 +247,10 @@ tang (Chris Lamb) NOTE: 20231103: Added by Front-Desk (lamby) NOTE: 20231103: Sync with stable. (lamby) -- +vlc + NOTE: 20231106: Added by Front-Desk (pochu) + NOTE: 20231106: Follow bullseye and update to 3.0.20 (pochu) +-- zabbix NOTE: 20231015: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e00f4d93eeb0e85957b4e7c95abce0a6dfe31c8
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3637-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 737b371c by Emilio Pozuelo Monfort at 2023-10-29T10:05:16+01:00 Reserve DLA-3637-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Oct 2023] DLA-3637-1 thunderbird - security update + {CVE-2023-5721 CVE-2023-5724 CVE-2023-5725 CVE-2023-5728 CVE-2023-5730 CVE-2023-5732} + [buster] - thunderbird 1:115.4.1-1~deb10u1 [29 Oct 2023] DLA-3636-1 openjdk-11 - security update {CVE-2023-22081} [buster] - openjdk-11 11.0.21+9-1~deb10u1 = data/dla-needed.txt = @@ -226,9 +226,6 @@ suricata (Adrian Bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) -- -thunderbird (Emilio) - NOTE: 20231025: Added by pochu --- trafficserver (Adrian Bunk) NOTE: 20231011: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/737b371ca077f9a285325a6f030b1dfbce51c28e
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3636-1 for openjdk-11
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 47feabec by Emilio Pozuelo Monfort at 2023-10-29T09:13:43+01:00 Reserve DLA-3636-1 for openjdk-11 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Oct 2023] DLA-3636-1 openjdk-11 - security update + {CVE-2023-22081} + [buster] - openjdk-11 11.0.21+9-1~deb10u1 [29 Oct 2023] DLA-3635-1 node-browserify-sign - security update {CVE-2023-46234} [buster] - node-browserify-sign 4.0.4-2+deb10u1 = data/dla-needed.txt = @@ -144,9 +144,6 @@ opendkim NOTE: 20230821: Added by Front-Desk (ta) NOTE: 20231006: Unfixed upstream as of today. (spwhitton) -- -openjdk-11 (Emilio) - NOTE: 20231019: Added by pochu --- osslsigncode NOTE: 20230925: Added by Front-Desk (apo) NOTE: 20230925: Maybe a new upstream release should just do the trick here. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47feabec02fb72c10cb16014c4a0867c55485d25
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3632-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 5a4a7257 by Emilio Pozuelo Monfort at 2023-10-27T08:38:33+02:00 Reserve DLA-3632-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[27 Oct 2023] DLA-3632-1 firefox-esr - security update + {CVE-2023-5721 CVE-2023-5724 CVE-2023-5725 CVE-2023-5728 CVE-2023-5730 CVE-2023-5732} + [buster] - firefox-esr 115.4.0esr-1~deb10u1 [25 Oct 2023] DLA-3631-1 xorg-server - security update {CVE-2023-5367 CVE-2023-5380} [buster] - xorg-server 2:1.20.4-1+deb10u10 = data/dla-needed.txt = @@ -58,9 +58,6 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- -firefox-esr (Emilio) - NOTE: 20231024: Added by Front-Desk (gladk) --- flatpak NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a4a72570bfab97f4de3431af8b68989a24c7103
[Git][security-tracker-team/security-tracker][master] check-new-issues: don't exit when auto-setting nfu
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: b7b02b96 by Emilio Pozuelo Monfort at 2023-10-26T13:44:25+02:00 check-new-issues: don't exit when auto-setting nfu present_issue returns true to exit. - - - - - 1 changed file: - bin/check-new-issues Changes: = bin/check-new-issues = @@ -600,7 +600,7 @@ def present_issue(name): print("New entry automatically set to NFU:") entry = cves[name] print_cve(entry) -return True +return False auto_search(name) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b7b02b96d69e12ab8f73f54e6218675e7fc90cdf
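Review bot: The changed `return False` after `print_cve(entry)` in present_issue is only understandable once you know that a true return means "exit", and that contract is stated in the commit message but not in the code shown. A docstring on present_issue describing the return value, or a one-line comment on this return, would keep a later edit from flipping it back and silently ending an auto-NFU run after the first entry.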
[Git][security-tracker-team/security-tracker][master] lts: take firefox-esr and thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 68a64f9b by Emilio Pozuelo Monfort at 2023-10-25T16:03:58+02:00 lts: take firefox-esr and thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -58,7 +58,7 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- -firefox-esr +firefox-esr (Emilio) NOTE: 20231024: Added by Front-Desk (gladk) -- flatpak @@ -232,6 +232,9 @@ suricata (Adrian Bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) -- +thunderbird (Emilio) + NOTE: 20231025: Added by pochu +-- trafficserver (Adrian Bunk) NOTE: 20231011: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/68a64f9befcce4f511adcd46ad0f6aa49cf7f868
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3628-1 for dbus
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 387ed84d by Emilio Pozuelo Monfort at 2023-10-23T15:34:08+02:00 Reserve DLA-3628-1 for dbus - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -18798,7 +18798,6 @@ CVE-2023-34969 (D-Bus before 1.15.6 sometimes allows unprivileged users to crash - dbus 1.14.8-1 (bug #1037151) [bookworm] - dbus 1.14.8-1~deb12u1 [bullseye] - dbus 1.12.28-0+deb11u1 - [buster] - dbus (Minor issue) NOTE: https://gitlab.freedesktop.org/dbus/dbus/-/issues/457 CVE-2023-34239 (Gradio is an open-source Python library that is used to build machine ...) NOT-FOR-US: Gradio = data/DLA/list = @@ -1,3 +1,6 @@ +[23 Oct 2023] DLA-3628-1 dbus - security update + {CVE-2023-34969} + [buster] - dbus 1.12.28-0+deb10u1 [23 Oct 2023] DLA-3627-1 redis - security update {CVE-2023-45145} [buster] - redis 5:5.0.14-1+deb10u5 = data/dla-needed.txt = @@ -48,10 +48,6 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -dbus (Emilio) - NOTE: 20231007: Added by Front-Desk (Beuc) - NOTE: 20231007: Follow fixes from bullseye 11.8 (1 CVE) (Beuc/front-desk) --- docker.io NOTE: 20230303: Added by Front-Desk (Beuc) NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/387ed84d4a20d859528a87f0afb0beafdeacc61c
[Git][security-tracker-team/security-tracker][master] lts: take openjdk-11
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 1002c182 by Emilio Pozuelo Monfort at 2023-10-19T12:37:53+02:00 lts: take openjdk-11 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -157,6 +157,9 @@ opendkim NOTE: 20230821: Added by Front-Desk (ta) NOTE: 20231006: Unfixed upstream as of today. (spwhitton) -- +openjdk-11 (Emilio) + NOTE: 20231019: Added by pochu +-- osslsigncode NOTE: 20230925: Added by Front-Desk (apo) NOTE: 20230925: Maybe a new upstream release should just do the trick here. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1002c18253fd085d2f27813235dfbe9905c96b2a
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3613-1 for curl
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 17dc31e4 by Emilio Pozuelo Monfort at 2023-10-11T13:43:30+02:00 Reserve DLA-3613-1 for curl - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -29879,7 +29879,6 @@ CVE-2023-28322 (An information disclosure vulnerability exists in curl (Minor issue) NOTE: https://curl.se/docs/CVE-2023-28321.html NOTE: Introduced by: https://github.com/curl/curl/commit/9631fa740708b1890197fad01e25b34b7e8eb80e (curl-7_12_0) NOTE: Fixed by: https://github.com/curl/curl/commit/199f2d440d8659b42670c1b796220792b01a97bf (curl-8_1_0) = data/DLA/list = @@ -1,3 +1,6 @@ +[11 Oct 2023] DLA-3613-1 curl - security update + {CVE-2023-28321 CVE-2023-38546} + [buster] - curl 7.64.0-4+deb10u7 [08 Oct 2023] DLA-3612-1 lemonldap-ng - security update {CVE-2023-44469} [buster] - lemonldap-ng 2.0.2+ds-7+deb10u10 = data/dla-needed.txt = 
@@ -54,11 +54,6 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -curl (Emilio) - NOTE: 20231007: Added by Front-Desk (Beuc) - NOTE: 20231007: Follow fixes from bullseye 11.8 (3 CVEs) (Beuc/front-desk) - NOTE: 20231007: upcoming high severity CVE (pochu) --- dbus (Emilio) NOTE: 20231007: Added by Front-Desk (Beuc) NOTE: 20231007: Follow fixes from bullseye 11.8 (1 CVE) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/17dc31e495d3853edfcc5c005e4bf8422ad495cd
[Git][security-tracker-team/security-tracker][master] 2 commits: check-new-issues: Define set_cve_nfu before using it for automatic processing
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 17fada11 by Salvatore Bonaccorso at 2023-10-06T22:31:07+02:00 check-new-issues: Define set_cve_nfu before using it for automatic processing When automatic NFU entry processing is enabled via the -a flag, then the processing will error out as set_cve_nfu is not known. Move the definition for set_cve_nfu upwards. Signed-off-by: Salvatore Bonaccorso car...@debian.org - - - - - 1071d84b by Emilio Pozuelo Monfort at 2023-10-09T07:00:11+00:00 Merge branch check-new-issues-automatic-processing into master check-new-issues: Define set_cve_nfu before using it for automatic processing See merge request security-tracker-team/security-tracker!150 - - - - - 1 changed file: - bin/check-new-issues Changes: = bin/check-new-issues = @@ -260,6 +260,14 @@ def read_embedded_copies(): else: syntax_error(f"Cannot parse {line}") +def set_cve_nfu(name, desc): +cve = cves[name] +# remove todo: check annotation... +cve.annotations = [ann for ann in cve.annotations if not ann_is_todo_check(ann)] +# ... and add a NFU annotation +ann = parsers.StringAnnotation(0, "NOT-FOR-US", desc) +cve.annotations.append(ann) + def syntax_error(s): print("embedded-code-copies: " + s, file=sys.stderr) sys.exit(1) 
@@ -466,14 +474,6 @@ if args.auto: save_datafile(cves.values(), datafile) sys.exit(0) -def set_cve_nfu(name, desc): -cve = cves[name] -# remove todo: check annotation... -cve.annotations = [ann for ann in cve.annotations if not ann_is_todo_check(ann)] -# ... and add a NFU annotation -ann = parsers.StringAnnotation(0, "NOT-FOR-US", desc) -cve.annotations.append(ann) - def print_full_entry(name): print("==") print(f"Name: {name}") View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/eda238e52649ab49bf993337da9b2ff0f15c5233...1071d84bc0b1878384b518ecb6936a5a34e69c26
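Review bot: The first hunk places set_cve_nfu between read_embedded_copies() and syntax_error(), and syntax_error prints with the prefix "embedded-code-copies: ", so the moved function now separates two helpers that belong to the same parser. Defining it after syntax_error, still above the `if args.auto:` block from the second hunk, would fix the ordering problem the commit message describes without interleaving unrelated code. A comment at the definition noting that it must stay above the args.auto block would also protect against the same regression in a later reorganization.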
[Git][security-tracker-team/security-tracker][master] lts: take curl
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: ca4b9e0d by Emilio Pozuelo Monfort at 2023-10-07T18:43:54+02:00 lts: take curl - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -50,9 +50,10 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -curl +curl (Emilio) NOTE: 20231007: Added by Front-Desk (Beuc) NOTE: 20231007: Follow fixes from bullseye 11.8 (3 CVEs) (Beuc/front-desk) + NOTE: 20231007: upcoming high severity CVE (pochu) -- dbus (Emilio) NOTE: 20231007: Added by Front-Desk (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca4b9e0d9e0f4ba6f49b07746586f36c66a77b00
[Git][security-tracker-team/security-tracker][master] lts: take dbus
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 39cc5aad by Emilio Pozuelo Monfort at 2023-10-07T18:42:12+02:00 lts: take dbus - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -54,7 +54,7 @@ curl NOTE: 20231007: Added by Front-Desk (Beuc) NOTE: 20231007: Follow fixes from bullseye 11.8 (3 CVEs) (Beuc/front-desk) -- -dbus +dbus (Emilio) NOTE: 20231007: Added by Front-Desk (Beuc) NOTE: 20231007: Follow fixes from bullseye 11.8 (1 CVE) (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/39cc5aadfd80c384cd1cba2007220167e6e745bb
[Git][security-tracker-team/security-tracker][master] check-new-issues: read the zip file after downloading it
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 1b1183bc by Emilio Pozuelo Monfort at 2023-10-05T14:00:52+02:00 check-new-issues: read the zip file after downloading it This was working when the file had already been downloaded, but was broken if the file was not present in some code reorganization. - - - - - 1 changed file: - bin/check-new-issues Changes: = bin/check-new-issues = @@ -352,10 +352,6 @@ ignore_bug_file = "data/packages/ignored-debian-bug-packages" wnppurl = "https://qa.debian.org/data/bts/wnpp_rm; wnppfile = "../wnpp_rm" -# used by read_cve5, used as a global so that we don't have to open the -# file repeatedly, since we only read cve5s one by one on demand -cve5_zip = zipfile.ZipFile(cve5_file) - issue_re = re.compile(r'CVE-20(?:0[3-9]|[1-9][0-9])|TEMP') auto_display_limit = 10 #$auto_display_limit = $opts{a} if defined $opts{a} @@ -374,6 +370,10 @@ if not args.no_download: debug("reading data...") +# used by read_cve5, used as a global so that we don't have to open the +# file repeatedly, since we only read cve5s one by one on demand +cve5_zip = zipfile.ZipFile(cve5_file) + # We have CVE 5.0 JSON information coming from MITRE, we use cve5 for those # We also have CVE information coming from our data/CVE/list, we use cve there cves = parse_cves() View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1b1183bc8b2bd875588cfbc21de142cf9c7c6921
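Review bot: With `cve5_zip = zipfile.ZipFile(cve5_file)` now sitting after the `if not args.no_download:` block, the fresh-download case is covered, but a run where args.no_download is set and cve5_file is not on disk still reaches this line and fails with an unhandled exception from ZipFile. Checking for the file first and exiting with a message that names the missing path would give the operator something actionable. The moved comment could also say that the open has to stay below the download step, since that ordering is the whole point of the change.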
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3603-1 for libxpm
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: e733a48c by Emilio Pozuelo Monfort at 2023-10-05T12:40:05+02:00 Reserve DLA-3603-1 for libxpm - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[05 Oct 2023] DLA-3603-1 libxpm - security update + {CVE-2023-43786 CVE-2023-43787 CVE-2023-43788 CVE-2023-43789} + [buster] - libxpm 1:3.5.12-1+deb10u2 [05 Oct 2023] DLA-3602-1 libx11 - security update {CVE-2023-43785 CVE-2023-43786 CVE-2023-43787} [buster] - libx11 2:1.6.7-1+deb10u4 = data/dla-needed.txt = @@ -93,11 +93,6 @@ libreswan NOTE: 20230909: all due to code refactoring. I intend to package the version NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo) -- -libxpm (Emilio) - NOTE: 20231004: Added by Front-Desk (Beuc) - NOTE: 20231004: Upcoming DSA (Beuc) - NOTE: 20231004: Some of the fixes are hardening for libx11 CVEs (Beuc) --- linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e733a48c69399ed4151de4dd77f566105e48324e
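Review bot: The added DLA-3603-1 entry in data/DLA/list repeats CVE-2023-43786 and CVE-2023-43787 from the DLA-3602-1 libx11 entry right below it, and the only explanation for the overlap, the line `NOTE: 20231004: Some of the fixes are hardening for libx11 CVEs (Beuc)`, is deleted by the data/dla-needed.txt hunk. Record that the libxpm changes for those two IDs are hardening in a lasting place, for example a NOTE on the CVE entries, so the shared IDs do not read as a copy-paste error.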
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3602-1 for libx11
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 25638d2f by Emilio Pozuelo Monfort at 2023-10-05T11:57:18+02:00 Reserve DLA-3602-1 for libx11 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[05 Oct 2023] DLA-3602-1 libx11 - security update + {CVE-2023-43785 CVE-2023-43786 CVE-2023-43787} + [buster] - libx11 2:1.6.7-1+deb10u4 [05 Oct 2023] DLA-3601-1 thunderbird - security update {CVE-2023-5169 CVE-2023-5171 CVE-2023-5176 CVE-2023-5217} [buster] - thunderbird 1:115.3.1-1~deb10u1 = data/dla-needed.txt = @@ -93,10 +93,6 @@ libreswan NOTE: 20230909: all due to code refactoring. I intend to package the version NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo) -- -libx11 (Emilio) - NOTE: 20231004: Added by Front-Desk (Beuc) - NOTE: 20231004: Upcoming DSA (Beuc) --- libxpm (Emilio) NOTE: 20231004: Added by Front-Desk (Beuc) NOTE: 20231004: Upcoming DSA (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/25638d2fef351e86aa509428498262d0cbe58ca2
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3601-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 6b7d0cc7 by Emilio Pozuelo Monfort at 2023-10-05T09:34:48+02:00 Reserve DLA-3601-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[05 Oct 2023] DLA-3601-1 thunderbird - security update + {CVE-2023-5169 CVE-2023-5171 CVE-2023-5176 CVE-2023-5217} + [buster] - thunderbird 1:115.3.1-1~deb10u1 [04 Oct 2023] DLA-3600-1 postgresql-11 - security update {CVE-2023-39417} [buster] - postgresql-11 11.21-0+deb10u2 = data/dla-needed.txt = @@ -215,7 +215,3 @@ suricata (Adrian Bunk) NOTE: 20230714: Still reviewing+testing CVEs. (bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) -- -thunderbird (Emilio) - NOTE: 20230926: Added by pochu - NOTE: 20230926: updating to 115.3 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b7d0cc7483b66eb40b16801c6a7cdc833d48fd5
[Git][security-tracker-team/security-tracker][master] lts: take libx11 and libxpm
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 02727e2f by Emilio Pozuelo Monfort at 2023-10-04T15:27:24+02:00 lts: take libx11 and libxpm - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -93,11 +93,11 @@ libreswan NOTE: 20230909: all due to code refactoring. I intend to package the version NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo) -- -libx11 +libx11 (Emilio) NOTE: 20231004: Added by Front-Desk (Beuc) NOTE: 20231004: Upcoming DSA (Beuc) -- -libxpm +libxpm (Emilio) NOTE: 20231004: Added by Front-Desk (Beuc) NOTE: 20231004: Upcoming DSA (Beuc) NOTE: 20231004: Some of the fixes are hardening for libx11 CVEs (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02727e2fc4d8306ef5bf6b2c039942dae366ac2b
[Git][security-tracker-team/security-tracker][master] lts: drop zabbix, no remaining issues
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 4aa3fb5f by Emilio Pozuelo Monfort at 2023-10-04T09:11:44+02:00 lts: drop zabbix, no remaining issues - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -210,6 +210,3 @@ thunderbird (Emilio) NOTE: 20230926: Added by pochu NOTE: 20230926: updating to 115.3 -- -zabbix - NOTE: 20230924: Added by Front-Desk (apo) --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4aa3fb5f4f3601a341ad96e0ee9c81a4b543bf1b
[Git][security-tracker-team/security-tracker][master] lts: mark CVE-2021-28025/qt4-x11 as no-dsa on buster
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 6c002401 by Emilio Pozuelo Monfort at 2023-10-03T09:03:11+02:00 lts: mark CVE-2021-28025/qt4-x11 as no-dsa on buster It's likely fixed, but there's no point in having it listed in dla-needed indefinitely. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -179627,6 +179627,7 @@ CVE-2021-28025 (Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg ve [bullseye] - qtsvg-opensource-src (Minor issue) [buster] - qtsvg-opensource-src (Minor issue) - qt4-x11 + [buster] - qt4-x11 (Minor issue) NOTE: https://bugreports.qt.io/browse/QTBUG-91507 NOTE: https://code.qt.io/cgit/qt/qtsvg.git/commit/?id=7bbf88403fd2d1fe79fab7c8e469f8aeafeb7372 (v5.15.4-lts-lgpl) NOTE: Potentially to be considered a duplicte of CVE-2021-3481, ongoing clarification = data/dla-needed.txt = @@ -154,10 +154,6 @@ qemu (Sean Whitton) NOTE: 20230924: Added by Front-Desk (apo) NOTE: 20230924: Consider fixing postponed issues as well. (apo) -- -qt4-x11 - NOTE: 20230822: Re-added for one remaining open CVE (roberto) - NOTE: 20230822: CVE-2021-28025 maybe a dup of CVE-2021-3481; once resolved, fix or remove entry from this file (roberto) --- rails NOTE: 20220909: Re-added due to regression (abhijith) NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6c0024016213ebcb9f4f72ef8118322e005e5b71
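Review bot: The reason on the added `[buster] - qt4-x11 (Minor issue)` line in data/CVE/list does not match the commit message, which says the issue is "likely fixed", and the context NOTE still describes the duplicate question with CVE-2021-3481 as under clarification while the data/dla-needed.txt hunk deletes the only reminder to revisit it. State in the entry's reason or in a NOTE that the issue is believed fixed or a duplicate of CVE-2021-3481, so it can be re-triaged once that is settled.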
[Git][security-tracker-team/security-tracker][master] Revert "Document file move for prometheus-alertmanager for CVE-2023-40577"
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: a5c81d86 by Emilio Pozuelo Monfort at 2023-10-02T23:37:53+02:00 Revert "Document file move for prometheus-alertmanager for CVE-2023-40577" This belonged in data/dla-needed.txt, not here. This reverts commit 0d5f7c539cab1a93524828c15d3fc2dca76bce5f. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5213,7 +5213,6 @@ CVE-2023-40577 (Alertmanager handles alerts sent by client applications such as - prometheus-alertmanager 0.26.0+ds-1 (bug #1050558) NOTE: https://github.com/prometheus/alertmanager/security/advisories/GHSA-v86x-5fm3-5p7j NOTE: https://github.com/prometheus/alertmanager/commit/8b9f2fd20c25e0d1e76aa0b407f7e354996d8e72 (v0.25.1) - NOTE: vulnerability before 625604df90b0f2e080f7d32fea4aa891675276d6 in 56 ui/app/src/Views/AlertList/AlertView.elm CVE-2023-40576 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 (Vulnerable code not present) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-x3x5-r7jm-5pq2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5c81d860667a98e21fa5ead0d71775c48f2eb1a
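Review bot: The commit message says the removed NOTE belonged in data/dla-needed.txt, but this commit changes only data/CVE/list, so the pointer to 625604df90b0f2e080f7d32fea4aa891675276d6 and the file move is dropped rather than relocated. Add the line to the prometheus-alertmanager entry in data/dla-needed.txt in the same commit, or reference the follow-up commit that does.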
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3598-1 for libvpx
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 569711cf by Emilio Pozuelo Monfort at 2023-10-01T22:10:18+02:00 Reserve DLA-3598-1 for libvpx - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -7047,7 +7047,7 @@ CVE-2023-39417 (IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found - postgresql-13 [bullseye] - postgresql-13 (Minor issue, fix along with next round of updates) - postgresql-11 - [buster] - postgresql-11 (Minor issue) + [buster] - postgresql-11 (Minor issue) NOTE: https://www.postgresql.org/support/security/CVE-2023-39417/ NOTE: https://www.postgresql.org/about/news/postgresql-154-149-1312-1216-1121-and-postgresql-16-beta-3-released-2689/ NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=de494ec14f6bd7f2676623a5934723a6c8ba51c2 (REL_15_4) = data/DLA/list = @@ -1,3 +1,6 @@ +[01 Oct 2023] DLA-3598-1 libvpx - security update + {CVE-2023-5217 CVE-2023-44488} + [buster] - libvpx 1.7.0-3+deb10u2 [01 Oct 2023] DLA-3597-1 open-vm-tools - security update {CVE-2023-20900} [buster] - open-vm-tools 2:10.3.10-1+deb10u5 = data/dla-needed.txt = 
@@ -92,9 +92,6 @@ libreswan NOTE: 20230909: all due to code refactoring. I intend to package the version NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo) -- -libvpx (Emilio) - NOTE: 20231001: Added by pochu --- linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/569711cf59c05c781d8d822786e8d68232c299ba
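Review bot: The data/CVE/list hunk touches the `[buster] - postgresql-11 (Minor issue)` line under CVE-2023-39417, which is unrelated to a commit whose message only says it reserves DLA-3598-1 for libvpx, and as shown here the removed and added lines read the same. Drop that edit from this commit or land it separately with its own message, so the history of the CVE-2023-39417 entry stays traceable.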
[Git][security-tracker-team/security-tracker][master] lts: add libvpx
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 2dc610a7 by Emilio Pozuelo Monfort at 2023-10-01T00:59:44+02:00 lts: add libvpx - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -92,6 +92,9 @@ libreswan NOTE: 20230909: all due to code refactoring. I intend to package the version NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo) -- +libvpx (Emilio) + NOTE: 20231001: Added by pochu +-- linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2dc610a7e2dd09f8fb3350e1628455f780389f78
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3591-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: cbb77d03 by Emilio Pozuelo Monfort at 2023-09-30T12:15:44+02:00 Reserve DLA-3591-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Sep 2023] DLA-3591-1 firefox-esr - security update + {CVE-2023-5217} + [buster] - firefox-esr 115.3.1esr-1~deb10u1 [29 Sep 2023] DLA-3590-1 python-reportlab - security update {CVE-2019-19450 CVE-2020-28463} [buster] - python-reportlab 3.5.13-1+deb10u2 = data/dla-needed.txt = @@ -66,9 +66,6 @@ dogecoin exim4 NOTE: 20230928: Added by Front-Desk (ola) -- -firefox-esr (Emilio) - NOTE: 20230929: Added by pochu --- firmware-nonfree (tobi) NOTE: 20230820: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cbb77d03520a9eb9187fe26548f6eb01be3c16dc
[Git][security-tracker-team/security-tracker][master] lts: take firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 17194f99 by Emilio Pozuelo Monfort at 2023-09-29T20:04:37+02:00 lts: take firefox-esr - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -66,6 +66,9 @@ dogecoin exim4 NOTE: 20230928: Added by Front-Desk (ola) -- +firefox-esr (Emilio) + NOTE: 20230929: Added by pochu +-- firmware-nonfree (tobi) NOTE: 20230820: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/17194f992760fefc3c8e30ff29c85c65afe6edc2
[Git][security-tracker-team/security-tracker][master] Further triage CVE-2020-18831/exiv2
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 3591a7af by Emilio Pozuelo Monfort at 2023-09-29T18:43:39+02:00 Further triage CVE-2020-18831/exiv2 Mark the introductory commit, verified by source inspection and by testing it to trigger the invalid read. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -232124,10 +232124,11 @@ CVE-2020-18832 RESERVED CVE-2020-18831 (Buffer Overflow vulnerability in tEXtToDataBuf function in pngimage.cp ...) - exiv2 0.27.2-6 - [buster] - exiv2 (exiv2 -pR flags introduced later and poc fail with "Exiv2 exception in print action for file poc.png". Introduced later by chunked read.) + [buster] - exiv2 (Vulnerable code introduced later) NOTE: https://github.com/Exiv2/exiv2/issues/828 NOTE: https://github.com/Exiv2/exiv2/pull/862 - NOTE: https://github.com/Exiv2/exiv2/commit/6068df4c01ce915befb763bd0fd718d16a5df130 (v0.27.2-RC1) + NOTE: Introduced by: https://github.com/Exiv2/exiv2/commit/4617dc37284bb14c15fb884a7252de7c2b8b8854 + NOTE: Fixed by: https://github.com/Exiv2/exiv2/commit/6068df4c01ce915befb763bd0fd718d16a5df130 (v0.27.2-RC1) CVE-2020-18830 RESERVED CVE-2020-18829 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3591a7afcc995b33143f7ea9de0581c789b53498
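Review bot: The new `NOTE: Introduced by:` line for CVE-2020-18831 carries no version annotation, while the `Fixed by:` line has `(v0.27.2-RC1)`, so a reader cannot check the reason "Vulnerable code introduced later" against the buster version without looking up the commit. Add the first upstream version that contains 4617dc37284bb14c15fb884a7252de7c2b8b8854 in parentheses. The removed reason also recorded how the PoC behaved on buster; if that detail is still wanted, keep it as a NOTE rather than dropping it.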
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3587-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: e446e29d by Emilio Pozuelo Monfort at 2023-09-29T14:31:53+02:00 Reserve DLA-3587-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Sep 2023] DLA-3587-1 firefox-esr - security update + {CVE-2023-5169 CVE-2023-5171 CVE-2023-5176} + [buster] - firefox-esr 115.3.0esr-1~deb10u1 [28 Sep 2023] DLA-3586-1 ncurses - security update {CVE-2020-19189} [buster] - ncurses 6.1+20181013-2+deb10u4 = data/dla-needed.txt = @@ -69,10 +69,6 @@ exiv2 exim4 NOTE: 20230928: Added by Front-Desk (ola) -- -firefox-esr (Emilio) - NOTE: 20230926: Added by pochu - NOTE: 20230926: updating to ESR 115.3 --- firmware-nonfree (tobi) NOTE: 20230820: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e446e29d2238f8a69d7558136be5874ece01af0b
[Git][security-tracker-team/security-tracker][master] Improve triaging for CVE-2020-21686
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: f960db9c by Emilio Pozuelo Monfort at 2023-09-27T09:39:12+02:00 Improve triaging for CVE-2020-21686 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -225262,9 +225262,9 @@ CVE-2020-21687 (Buffer Overflow vulnerability in scan function in stdscan.c in n NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392645 NOTE: Crash in CLI tool, no security impact CVE-2020-21686 (A stack-use-after-scope issue discovered in expand_mmac_params functio ...) - - nasm 2.15.04-1 (unimportant) + - nasm 2.15.04-1 + [buster] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392643 - NOTE: Crash in CLI tool, no security impact CVE-2020-21685 (Buffer Overflow vulnerability in hash_findi function in hashtbl.c in n ...) - nasm 2.15.04-1 (unimportant) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392644 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f960db9c8af4b663e7d437507784f4ba9206df81
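Review bot: No rationale is recorded for dropping `(unimportant)` and `NOTE: Crash in CLI tool, no security impact` from CVE-2020-21686 in favour of `[buster] - nasm (Minor issue)`, while the neighbouring CVE-2020-21687 and CVE-2020-21685 entries in the same hunk keep the old assessment. Add a NOTE saying what distinguishes this issue from the other nasm crashes, so the next triager does not flip it back.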
[Git][security-tracker-team/security-tracker][master] lts: take firefox-esr and thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 25e94294 by Emilio Pozuelo Monfort at 2023-09-26T12:08:56+02:00 lts: take firefox-esr and thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -66,6 +66,10 @@ dogecoin exiv2 NOTE: 20230906: Added by Front-Desk (lamby) -- +firefox-esr (Emilio) + NOTE: 20230926: Added by pochu + NOTE: 20230926: updating to ESR 115.3 +-- firmware-nonfree (tobi) NOTE: 20230820: Added by Front-Desk (ta) -- @@ -228,6 +232,10 @@ suricata (tobi) NOTE: 20230714: Still reviewing+testing CVEs. (bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) -- +thunderbird (Emilio) + NOTE: 20230926: Added by pochu + NOTE: 20230926: updating to 115.3 +-- trafficserver (Adrian Bunk) NOTE: 20230826: Added by Front-Desk (utkarsh) NOTE: 20230826: have pinged Leo in Ubuntu to clarify the status on the View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/25e942942f299f9247a3d0e3f5d7dec8fbefd515
[Git][security-tracker-team/security-tracker][master] nasm issues unimportant
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 992d54cd by Emilio Pozuelo Monfort at 2023-09-26T11:49:49+02:00 nasm issues unimportant - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -225123,8 +225123,9 @@ CVE-2020-21687 (Buffer Overflow vulnerability in scan function in stdscan.c in n NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392645 NOTE: Crash in CLI tool, no security impact CVE-2020-21686 (A stack-use-after-scope issue discovered in expand_mmac_params functio ...) - - nasm 2.15.04-1 + - nasm 2.15.04-1 (unimportant) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392643 + NOTE: Crash in CLI tool, no security impact CVE-2020-21685 (Buffer Overflow vulnerability in hash_findi function in hashtbl.c in n ...) - nasm 2.15.04-1 (unimportant) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392644 
@@ -231362,9 +231363,10 @@ CVE-2020-18781 (Heap buffer overflow vulnerability in FilePOSIX::read in File.cp - audiofile NOTE: https://github.com/mpruett/audiofile/issues/56 CVE-2020-18780 (A Use After Free vulnerability in function new_Token in asm/preproc.c ...) - - nasm 2.15.04-1 + - nasm 2.15.04-1 (unimportant) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392634 NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392711 + NOTE: Crash in CLI tool, no security impact NOTE: https://github.com/netwide-assembler/nasm/commit/7c88289e222dc5ef9f53f9e86ecaab1924744b88 (nasm-2.15.04rc6) CVE-2020-18779 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/992d54cdaf224e5c00d7ac0564162bcba6d6aa17
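Review bot: In the CVE-2020-18780 hunk the new `NOTE: Crash in CLI tool, no security impact` is inserted between the two bugzilla links and the upstream fix commit link, which splits the reference block; placing it after the commit NOTE would match the CVE-2020-21686 hunk, where it follows the reference. Since this entry is described as a use-after-free, a few words on why the impact is limited to a crash would also make the `(unimportant)` tag easier to audit.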
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3571-1 for openjdk-11
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 0bf80032 by Emilio Pozuelo Monfort at 2023-09-19T09:44:51+02:00 Reserve DLA-3571-1 for openjdk-11 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[19 Sep 2023] DLA-3571-1 openjdk-11 - security update + {CVE-2023-21930 CVE-2023-21937 CVE-2023-21938 CVE-2023-21939 CVE-2023-21954 CVE-2023-21967 CVE-2023-21968 CVE-2023-22006 CVE-2023-22036 CVE-2023-22041 CVE-2023-22045 CVE-2023-22049} + [buster] - openjdk-11 11.0.20+8-1~deb10u1 [18 Sep 2023] DLA-3570-1 libwebp - security update {CVE-2023-4863} [buster] - libwebp 0.6.1-2+deb10u3 = data/dla-needed.txt = @@ -155,14 +155,6 @@ open-vm-tools (Sean Whitton) opendkim NOTE: 20230821: Added by Front-Desk (ta) -- -openjdk-11 (Emilio) - NOTE: 20230419: Added by Front-Desk (ola) - NOTE: 20230522: waiting for sid update (pochu) - NOTE: 20230612: sid updated, preparing backport (pochu) - NOTE: 20230717: waiting for DSA, might wait for next CPU (pochu) - NOTE: 20230802: update prepared for new CPU, waiting for DSA and checking - NOTE: 20230802: whether to change jtreg version (pochu) --- poppler NOTE: 20230908: Added by Front-Desk (lamby) NOTE: 20230908: Added due to CVE-2020-23804. However, please check CVE-2020-18839 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0bf8003287c67db532ff4b25805ebd7ea0d1f169
[Git][security-tracker-team/security-tracker][master] lts: reclaim openjdk-11
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 44d34756 by Emilio Pozuelo Monfort at 2023-09-19T09:43:46+02:00 lts: reclaim openjdk-11 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -155,7 +155,7 @@ open-vm-tools (Sean Whitton) opendkim NOTE: 20230821: Added by Front-Desk (ta) -- -openjdk-11 +openjdk-11 (Emilio) NOTE: 20230419: Added by Front-Desk (ola) NOTE: 20230522: waiting for sid update (pochu) NOTE: 20230612: sid updated, preparing backport (pochu) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/44d3475662d73abccad563300da61ae1d87ea39b
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3570-1 for libwebp
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 26d1e74f by Emilio Pozuelo Monfort at 2023-09-18T14:05:27+02:00 Reserve DLA-3570-1 for libwebp - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[18 Sep 2023] DLA-3570-1 libwebp - security update + {CVE-2023-4863} + [buster] - libwebp 0.6.1-2+deb10u3 [17 Sep 2023] DLA-3569-1 thunderbird - security update {CVE-2023-4863} [buster] - thunderbird 1:102.15.1-1~deb10u1 = data/dla-needed.txt = @@ -109,9 +109,6 @@ libreswan NOTE: 20230909: all due to code refactoring. I intend to package the version NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo) -- -libwebp (Emilio) - NOTE: 20230918: Added by Front-Desk (pochu) --- linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/26d1e74fd09a3589d9008f85384b1910cad05a2a
[Git][security-tracker-team/security-tracker][master] lts: take libwebp
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: a1eeb221 by Emilio Pozuelo Monfort at 2023-09-18T10:03:36+02:00 lts: take libwebp - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -109,6 +109,9 @@ libreswan NOTE: 20230909: all due to code refactoring. I intend to package the version NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo) -- +libwebp (Emilio) + NOTE: 20230918: Added by Front-Desk (pochu) +-- linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a1eeb22107e3042cd6d5369c420b4d91426f7453
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3569-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 043bf358 by Emilio Pozuelo Monfort at 2023-09-17T11:41:51+02:00 Reserve DLA-3569-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[17 Sep 2023] DLA-3569-1 thunderbird - security update + {CVE-2023-4863} + [buster] - thunderbird 1:102.15.1-1~deb10u1 [16 Sep 2023] DLA-3568-1 firefox-esr - security update {CVE-2023-4863} [buster] - firefox-esr 102.15.1esr-1~deb10u1 = data/dla-needed.txt = @@ -220,9 +220,6 @@ suricata NOTE: 20230714: Still reviewing+testing CVEs. (bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) -- -thunderbird (Emilio) - NOTE: 20230915: Added by Front-Desk (pochu) --- tiff (gladk) NOTE: 20230826: Added by Front-Desk (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/043bf35861920ff907500669900281997f5e75c1
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3568-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 9183dab6 by Emilio Pozuelo Monfort at 2023-09-16T11:03:32+02:00 Reserve DLA-3568-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[16 Sep 2023] DLA-3568-1 firefox-esr - security update + {CVE-2023-4863} + [buster] - firefox-esr 102.15.1esr-1~deb10u1 [15 Sep 2023] DLA-3567-1 c-ares - security update {CVE-2020-22217} [buster] - c-ares 1.14.0-1+deb10u4 = data/dla-needed.txt = @@ -62,9 +62,6 @@ exiv2 file (Thorsten Alteholz) NOTE: 20230901: Added by Front-Desk (gladk) -- -firefox-esr (Emilio) - NOTE: 20230915: Added by Front-Desk (pochu) --- firmware-nonfree NOTE: 20230820: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9183dab68b2603067b14804e49cc754f78e25c93
[Git][security-tracker-team/security-tracker][master] 2 commits: Triage webkit2gtk CVEs as EOL on buster
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 81a98c4b by Emilio Pozuelo Monfort at 2023-09-15T11:38:22+02:00 Triage webkit2gtk CVEs as EOL on buster - - - - - 07708193 by Emilio Pozuelo Monfort at 2023-09-15T11:39:06+02:00 Mark CVE-2023-41000/gpac as EOL on buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -625,6 +625,7 @@ CVE-2023-41103 (Interact 7.9.79.5 allows stored Cross-site Scripting (XSS) attac CVE-2023-41000 (GPAC through 2.2.1 has a use-after-free vulnerability in the function ...) - gpac (bug #1051955) [bullseye] - gpac (Minor issue) + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2550 NOTE: Fixed by: https://github.com/gpac/gpac/commit/0018b5e4e07a1465287e7dff69b387929f5a75fa CVE-2023-40946 (Schoolmate 1.3 is vulnerable to SQL Injection in the variable $usernam ...) @@ -903,6 +904,7 @@ CVE-2023-41053 (Redis is an in-memory database that persists on disk. Redis does CVE-2023-40397 (The issue was addressed with improved checks. This issue is fixed in m ...) {DSA-5468-1} - webkit2gtk 2.40.5-1 + [buster] - webkit2gtk (webkit2gtk EOL in buster) - wpewebkit 2.40.5-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) NOTE: https://webkitgtk.org/security/WSA-2023-0008.html @@ -1129,6 +1131,7 @@ CVE-2023-32379 (A buffer overflow issue was addressed with improved memory handl CVE-2023-32370 (A logic issue was addressed with improved validation. This issue is fi ...) {DSA-5396-1} - webkit2gtk 2.40.1-1 + [buster] - webkit2gtk (webkit2gtk EOL in buster) - wpewebkit 2.40.2-2 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) NOTE: https://webkitgtk.org/security/WSA-2023-0008.html 
@@ -26017,6 +26020,7 @@ CVE-2023-28199 (An out-of-bounds read issue existed that led to the disclosure o CVE-2023-28198 (A use-after-free issue was addressed with improved memory management. ...) {DSA-5396-1} - webkit2gtk 2.40.1-1 + [buster] - webkit2gtk (webkit2gtk EOL in buster) - wpewebkit 2.40.2-2 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) NOTE: https://webkitgtk.org/security/WSA-2023-0008.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e2136716a9d0336a9b5c8a65c62c180c5b9c3c03...07708193c722a0aa4c24b5aebb0167ca7f497e9f
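Review bot: The buster annotations added across these two commits word the same end-of-life state two ways: the gpac hunk under CVE-2023-41000 uses "(EOL in buster LTS)", while the three webkit2gtk hunks use "(webkit2gtk EOL in buster)". Use one wording for both packages so that a text search over data/CVE/list for end-of-life buster entries matches all four lines.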
[Git][security-tracker-team/security-tracker][master] lts: take firefox-esr and thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: e2136716 by Emilio Pozuelo Monfort at 2023-09-15T11:37:07+02:00 lts: take firefox-esr and thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -62,6 +62,9 @@ exiv2 file (Thorsten Alteholz) NOTE: 20230901: Added by Front-Desk (gladk) -- +firefox-esr (Emilio) + NOTE: 20230915: Added by Front-Desk (pochu) +-- firmware-nonfree NOTE: 20230820: Added by Front-Desk (ta) -- @@ -215,6 +218,9 @@ suricata NOTE: 20230714: Still reviewing+testing CVEs. (bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) -- +thunderbird (Emilio) + NOTE: 20230915: Added by Front-Desk (pochu) +-- tiff (gladk) NOTE: 20230826: Added by Front-Desk (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e2136716a9d0336a9b5c8a65c62c180c5b9c3c03
[Git][security-tracker-team/security-tracker][master] Link to upstream issue for zbar CVE-2023-40889 / CVE-2023-40890
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 7bf9d972 by Emilio Pozuelo Monfort at 2023-09-15T08:58:09+02:00 Link to upstream issue for zbar CVE-2023-40889 / CVE-2023-40890 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2313,9 +2313,11 @@ CVE-2023-41037 (OpenPGP.js is a JavaScript implementation of the OpenPGP protoco CVE-2023-40890 (A stack-based buffer overflow vulnerability exists in the lookup_seque ...) - zbar (bug #1051724) NOTE: https://hackmd.io/@cspl/H1PxPAUnn + NOTE: https://github.com/mchehab/zbar/issues/263 CVE-2023-40889 (A heap-based buffer overflow exists in the qr_reader_match_centers fun ...) - zbar (bug #1051724) NOTE: https://hackmd.io/@cspl/B1ZkFZv23 + NOTE: https://github.com/mchehab/zbar/issues/263 CVE-2023-40787 (In SpringBlade V3.6.0 when executing SQL query, the parameters submitt ...) NOT-FOR-US: SpringBlade CVE-2023-3646 (On affected platforms running Arista EOS with mirroring to multiple de ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7bf9d9721335858617eccae835d88138019d6780
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3554-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 40090415 by Emilio Pozuelo Monfort at 2023-09-05T11:03:08+02:00 Reserve DLA-3554-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[05 Sep 2023] DLA-3554-1 thunderbird - security update + {CVE-2023-4573 CVE-2023-4574 CVE-2023-4575 CVE-2023-4581 CVE-2023-4584} + [buster] - thunderbird 1:102.15.0-1~deb10u1 [01 Sep 2023] DLA-3553-1 firefox-esr - security update {CVE-2023-4573 CVE-2023-4574 CVE-2023-4575 CVE-2023-4581 CVE-2023-4584} [buster] - firefox-esr 102.15.0esr-1~deb10u1 = data/dla-needed.txt = @@ -227,9 +227,6 @@ suricata (Adrian Bunk) NOTE: 20230714: Still reviewing+testing CVEs. (bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) -- -thunderbird (Emilio) - NOTE: 20230829: Added by pochu --- tiff (gladk) NOTE: 20230826: Added by Front-Desk (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/400904158e3e90d6592339182be9dacb161a3f27
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3553-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 634c2cf0 by Emilio Pozuelo Monfort at 2023-09-01T15:27:40+02:00 Reserve DLA-3553-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[01 Sep 2023] DLA-3553-1 firefox-esr - security update + {CVE-2023-4573 CVE-2023-4574 CVE-2023-4575 CVE-2023-4581 CVE-2023-4584} + [buster] - firefox-esr 102.15.0esr-1~deb10u1 [31 Aug 2023] DLA-3552-1 gst-plugins-ugly1.0 - security update [buster] - gst-plugins-ugly1.0 1.14.4-1+deb10u2 [31 Aug 2023] DLA-3551-1 otrs2 - security update = data/dla-needed.txt = @@ -54,9 +54,6 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- -firefox-esr (Emilio) - NOTE: 20230829: Added by pochu --- firmware-nonfree NOTE: 20230820: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/634c2cf04603de9f2fe73ed58cb5c283e3478e74
[Git][security-tracker-team/security-tracker][master] lts: take openjdk-11
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 0ad9731c by Emilio Pozuelo Monfort at 2023-08-29T12:52:35+02:00 lts: take openjdk-11 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -118,7 +118,7 @@ nvidia-cuda-toolkit opendkim NOTE: 20230821: Added by Front-Desk (ta) -- -openjdk-11 +openjdk-11 (Emilio) NOTE: 20230419: Added by Front-Desk (ola) NOTE: 20230522: waiting for sid update (pochu) NOTE: 20230612: sid updated, preparing backport (pochu) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0ad9731c314ad7ef4cb80af96b172142aca30760
[Git][security-tracker-team/security-tracker][master] lts: take firefox-esr and thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 33364e18 by Emilio Pozuelo Monfort at 2023-08-29T11:33:55+02:00 lts: take firefox-esr and thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -54,6 +54,9 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- +firefox-esr (Emilio) + NOTE: 20230829: Added by pochu +-- firmware-nonfree NOTE: 20230820: Added by Front-Desk (ta) -- @@ -227,6 +230,9 @@ suricata (Adrian Bunk) NOTE: 20230714: Still reviewing+testing CVEs. (bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) -- +thunderbird (Emilio) + NOTE: 20230829: Added by pochu +-- tiff NOTE: 20230826: Added by Front-Desk (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/33364e18f290dcea4378342c07d5fc05aa44e266
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3523-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 3099d0a5 by Emilio Pozuelo Monfort at 2023-08-09T18:41:58+02:00 Reserve DLA-3523-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[09 Aug 2023] DLA-3523-1 firefox-esr - security update + {CVE-2023-4045 CVE-2023-4046 CVE-2023-4047 CVE-2023-4048 CVE-2023-4049 CVE-2023-4050 CVE-2023-4055 CVE-2023-4056} + [buster] - firefox-esr 102.14.0esr-1~deb10u1 [09 Aug 2023] DLA-3522-1 hdf5 - security update {CVE-2018-11206 CVE-2018-17233 CVE-2018-17234 CVE-2018-17237 CVE-2018-17434 CVE-2018-17437} [buster] - hdf5 1.10.4+repack-10+deb10u1 = data/dla-needed.txt = @@ -51,9 +51,6 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- -firefox-esr (Emilio) - NOTE: 20230802: Added by pochu --- gawk (Adrian Bunk) NOTE: 20230806: Added by Front-Desk (gladk) NOTE: 20230806: Please, check, whether CVE is applicable for buster View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3099d0a54707cd27a87bf551860a18ad59501bc9
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3521-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 7c787fee by Emilio Pozuelo Monfort at 2023-08-08T12:11:49+02:00 Reserve DLA-3521-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[08 Aug 2023] DLA-3521-1 thunderbird - security update + {CVE-2023-4045 CVE-2023-4046 CVE-2023-4047 CVE-2023-4048 CVE-2023-4049 CVE-2023-4050 CVE-2023-4055 CVE-2023-4056} + [buster] - thunderbird 1:102.14.0-1~deb10u1 [07 Aug 2023] DLA-3520-1 libhtmlcleaner-java - security update {CVE-2023-34624} [buster] - libhtmlcleaner-java 2.21-5+deb10u1 = data/dla-needed.txt = @@ -197,10 +197,6 @@ suricata (Adrian Bunk) NOTE: 20230714: Still reviewing+testing CVEs. (bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) -- -thunderbird (Emilio) - NOTE: 20230804: Added by Front-Desk (gladk) - NOTE: 20230807: Maintainer updated buster directly, coordinating announcement (Beuc/front-desk) --- zabbix (tobi) NOTE: 20230731: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7c787feee127b4320899314f2e470c64146c12c2
[Git][security-tracker-team/security-tracker][master] lts: take thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: b0fc32ad by Emilio Pozuelo Monfort at 2023-08-08T12:08:21+02:00 lts: take thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -197,7 +197,7 @@ suricata (Adrian Bunk) NOTE: 20230714: Still reviewing+testing CVEs. (bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) -- -thunderbird (Sylvain Beucler) +thunderbird (Emilio) NOTE: 20230804: Added by Front-Desk (gladk) NOTE: 20230807: Maintainer updated buster directly, coordinating announcement (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b0fc32ad8b81603f62d281b91815524f109afa55
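Review bot: The claimant on the thunderbird entry changes from "Sylvain Beucler" to "Emilio" with no dated NOTE recording the handover, so the newest note still reads "coordinating announcement (Beuc/front-desk)" and the file does not show who now owns the announcement. Add a dated NOTE line below the 20230807 one stating that the package was taken over and by whom.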
[Git][security-tracker-team/security-tracker][master] lts: take firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: c6052f73 by Emilio Pozuelo Monfort at 2023-08-02T10:40:42+02:00 lts: take firefox-esr - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -56,6 +56,9 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- +firefox-esr (Emilio) + NOTE: 20230802: Added by pochu +-- glib2.0 (santiago) NOTE: 20230612: Added by Front-Desk (apo) NOTE: 20230710: WIP (santiago) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c6052f73603c3fc726070b37d54780fd048cedcb
[Git][security-tracker-team/security-tracker][master] lts: retake openjdk-11
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 60490337 by Emilio Pozuelo Monfort at 2023-08-02T10:39:54+02:00 lts: retake openjdk-11 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -114,11 +114,13 @@ openimageio (Markus Koschany) NOTE: 20230406: Re-added due to regressions (apo) NOTE: 20230612: Backporting is mostly done, but still some failures. (gladk) -- -openjdk-11 +openjdk-11 (Emilio) NOTE: 20230419: Added by Front-Desk (ola) NOTE: 20230522: waiting for sid update (pochu) NOTE: 20230612: sid updated, preparing backport (pochu) NOTE: 20230717: waiting for DSA, might wait for next CPU (pochu) + NOTE: 20230802: update prepared for new CPU, waiting for DSA and checking + NOTE: 20230802: whether to change jtreg version (pochu) -- openssl (gladk) NOTE: 20230731: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60490337400f02acc7b3b355ce58399ebeedfd89
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3510-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 9ee597d7 by Emilio Pozuelo Monfort at 2023-07-31T09:36:19+02:00 Reserve DLA-3510-1 for thunderbird - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Jul 2023] DLA-3510-1 thunderbird - security update + {CVE-2023-3417} + [buster] - thunderbird 1:102.13.1-1~deb10u1 [27 Jul 2023] DLA-3509-1 libmail-dkim-perl - security update [buster] - libmail-dkim-perl 0.54-1+deb10u1 [27 Jul 2023] DLA-3508-1 linux - security update View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9ee597d76111bebd32bf0803cb5c1463136993ae
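Review bot: No data/dla-needed.txt hunk accompanies the new DLA-3510-1 entry in data/DLA/list, whereas the other "Reserve DLA" commits for thunderbird on this list remove the package's entry from dla-needed.txt in the same commit. Confirm that thunderbird had no open entry in data/dla-needed.txt at this point; if it did, remove it here as well so the package is not left listed as needing work after the DLA is reserved.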
[Git][security-tracker-team/security-tracker][master] Remove openjdk-8 from CVE-2023-22041 and CVE-2023-22044
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 829923d5 by Emilio Pozuelo Monfort at 2023-07-27T16:16:18+02:00 Remove openjdk-8 from CVE-2023-22041 and CVE-2023-22044 The Oracle CPU says it affects 8u271-perf, but OpenJDK is not affected. Presumably Oracle backported some HotSpot changes into -perf, so remove the tracking for OpenJDK 8u. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -39580,7 +39580,6 @@ CVE-2023-22045 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise E - openjdk-17 17.0.8+7-1 CVE-2023-22044 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) {DSA-5458-1} - - openjdk-8 8u382-ga-1 - openjdk-17 17.0.8+7-1 CVE-2023-22043 (Vulnerability in Oracle Java SE (component: JavaFX). The supported v ...) - openjfx 11+26-1 @@ -39589,7 +39588,6 @@ CVE-2023-22042 (Vulnerability in the Oracle Applications Framework product of Or NOT-FOR-US: Oracle CVE-2023-22041 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) {DSA-5458-1} - - openjdk-8 8u382-ga-1 - openjdk-11 11.0.20+8-1 - openjdk-17 17.0.8+7-1 CVE-2023-22040 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/829923d5ec496888a3297fd008b024a75cccd546
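Review bot: Both hunks delete the "- openjdk-8 8u382-ga-1" line under CVE-2023-22044 and CVE-2023-22041 and leave nothing in data/CVE/list that says why; the reasoning (the Oracle CPU lists 8u271-perf, OpenJDK 8u is not affected) lives only in the commit message. Add a NOTE line under each of the two CVEs carrying that explanation, so that a later triage pass working from the Oracle CPU does not re-add openjdk-8.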
[Git][security-tracker-team/security-tracker][master] lts: reclaim openjdk-11
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 83cdbf80 by Emilio Pozuelo Monfort at 2023-07-17T22:12:45+02:00 lts: reclaim openjdk-11 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -117,11 +117,11 @@ openimageio NOTE: 20230406: Re-added due to regressions (apo) NOTE: 20230612: Backporting is mostly done, but still some failures. -- -openjdk-11 +openjdk-11 (Emilio) NOTE: 20230419: Added by Front-Desk (ola) NOTE: 20230522: waiting for sid update (pochu) NOTE: 20230612: sid updated, preparing backport (pochu) - NOTE: 20230627: waiting for DSA (pochu) + NOTE: 20230717: waiting for DSA, might wait for next CPU (pochu) -- pandoc (guilhem) NOTE: 20230709: Added by Front-Desk (gladk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/83cdbf801b403ab64ffe9e1f76153f04a4df056f
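Review bot: The last changed pair in this hunk replaces "NOTE: 20230627: waiting for DSA (pochu)" with the 20230717 note instead of appending to it, which drops one dated status entry from the openjdk-11 history. Other entries shown on this list, such as suricata, keep each dated NOTE; keep the 20230627 line and add the 20230717 line below it.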
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3490-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 850b4742 by Emilio Pozuelo Monfort at 2023-07-11T09:26:33+02:00 Reserve DLA-3490-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[11 Jul 2023] DLA-3490-1 thunderbird - security update + {CVE-2023-37201 CVE-2023-37202 CVE-2023-37207 CVE-2023-37208 CVE-2023-37211} + [buster] - thunderbird 1:102.13.0-1~deb10u1 [10 Jul 2023] DLA-3489-1 mediawiki - security update {CVE-2022-47927} [buster] - mediawiki 1:1.31.16-1+deb10u5 = data/dla-needed.txt = @@ -215,9 +215,6 @@ symfony (guilhem) NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: Follow fixes from bullseye 11.7 (2 CVEs) + 1 other postponed CVE (Beuc/front-desk) -- -thunderbird (pochu) - NOTE: 20230704: Added by pochu --- tiff (Adrian Bunk) NOTE: 20230702: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/850b4742173e1fdc52ee6c9a08cefa6cc2c3aa39