[Git][security-tracker-team/security-tracker][master] Reserve DLA-3795-1 for knot-resolver
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: d58a1355 by Markus Koschany at 2024-04-26T07:35:06+02:00 Reserve DLA-3795-1 for knot-resolver - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -294164,7 +294164,6 @@ CVE-2020-12668 (Jinjava before 2.5.4 allow access to arbitrary classes by callin NOT-FOR-US: Jinjava CVE-2020-12667 (Knot Resolver before 5.1.1 allows traffic amplification via a crafted ...) - knot-resolver 5.1.1-0.1 (bug #961076) - [buster] - knot-resolver (Minor issue; can be fixed via point release) NOTE: https://en.blog.nic.cz/2020/05/19/nxnsattack-upgrade-resolvers-to-stop-new-kind-of-random-subdomain-attack/ NOTE: commit: https://gitlab.labs.nic.cz/knot/knot-resolver/-/commit/54f05e4d7b2e47c0bdd30b84272fc503cc65304b NOTE: commit: https://gitlab.labs.nic.cz/knot/knot-resolver/-/commit/ba7b89db780fe3884b4e90090318e25ee5afb118 @@ -325401,7 +325400,6 @@ CVE-2019-19332 (An out-of-bounds memory write issue was found in the Linux Kerne NOTE: https://git.kernel.org/linus/433f4ba1904100da65a311033f17a9bf586b287e CVE-2019-19331 (knot-resolver before version 4.3.0 is vulnerable to denial of service ...) - knot-resolver 5.0.1-1 (bug #946181) - [buster] - knot-resolver (Minor issue; can be fixed via point release) NOTE: https://www.openwall.com/lists/oss-security/2019/12/04/4 CVE-2019-19329 (In Wikibase Wikidata Query Service GUI before 0.3.6-SNAPSHOT 2019-11-0 ...) NOT-FOR-US: Wikibase Wikidata Query Service GUI 
@@ -356412,13 +356410,11 @@ CVE-2019-10192 (A heap-buffer overflow vulnerability was found in the Redis hype NOTE: https://github.com/antirez/redis/commit/7f79849caa006f0d760b6c7e17f7796e3be92b4f (5.0.4) CVE-2019-10191 (A vulnerability was discovered in DNS resolver of knot resolver before ...) - knot-resolver 5.0.1-1 (bug #932048) - [buster] - knot-resolver (Minor issue; can be fixed via point release) NOTE: https://www.knot-resolver.cz/2019-07-10-knot-resolver-4.1.0.html NOTE: https://gitlab.labs.nic.cz/knot/knot-resolver/merge_requests/839 NOTE: https://www.openwall.com/lists/oss-security/2019/07/14/1 CVE-2019-10190 (A vulnerability was discovered in DNS resolver component of knot resol ...) - knot-resolver 5.0.1-1 (bug #932048) - [buster] - knot-resolver (Minor issue; can be fixed via point release) NOTE: https://www.knot-resolver.cz/2019-07-10-knot-resolver-4.1.0.html NOTE: https://gitlab.labs.nic.cz/knot/knot-resolver/merge_requests/827 NOTE: https://www.openwall.com/lists/oss-security/2019/07/14/1 = data/DLA/list = @@ -1,3 +1,6 @@ +[26 Apr 2024] DLA-3795-1 knot-resolver - security update + {CVE-2019-10190 CVE-2019-10191 CVE-2019-19331 CVE-2020-12667} + [buster] - knot-resolver 3.2.1-3+deb10u2 [25 Apr 2024] DLA-3794-1 putty - security update {CVE-2020-14002 CVE-2021-36367 CVE-2023-48795 CVE-2019-17069} [buster] - putty 0.74-1+deb11u1~deb10u1 = data/dla-needed.txt = 
@@ -124,11 +124,6 @@ jenkins-htmlunit-core-js NOTE: 20231231: … TransformerFactory without setting the ~secure flag, so it may NOTE: 20231231: … indeed be vulnerable. (lamby) -- -knot-resolver - NOTE: 20231029: Added by Front-Desk (gladk) - NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) - NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs has been fixed in bullseye. (ola) --- less (Abhijith PA) NOTE: 20240418: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d58a13559c87c505e23427b90a9de979336e05e2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
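Review bot: the four data/CVE/list hunks only delete the `[buster] - knot-resolver (Minor issue; can be fixed via point release)` line under CVE-2020-12667, CVE-2019-19331, CVE-2019-10191 and CVE-2019-10190; none of the four entries gains a `{DLA-3795-1}` cross-reference, so until the advisory is published the only record of the buster fix is the new data/DLA/list line. That is the normal order for a reservation, but the references need to follow when the DLA goes out, the way CVE-2023-46589 carries `{DSA-5665-1 DLA-3707-1}` elsewhere on this page.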
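Review bot: the data/DLA/list entry fixes buster at `3.2.1-3+deb10u2`, while the unstable fixed versions in the surrounding context are 5.0.1-1 (the three 2019 CVEs) and 5.1.1-0.1 (CVE-2020-12667), so this is four fixes carried back across two major upstream branches. The NXNSAttack commits linked under CVE-2020-12667 (54f05e4d, ba7b89db) and merge requests 827 and 839 under the 2019 CVEs should be named in the package changelog so the backport can be checked against upstream; the tracker entries themselves will only show the version number.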
[Git][security-tracker-team/security-tracker][master] 9 commits: CVE-2024-31497,filezilla: buster is no-dsa
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 74696943 by Markus Koschany at 2024-04-21T23:11:59+02:00 CVE-2024-31497,filezilla: buster is no-dsa Minor issue. - - - - - 8bc9a7e7 by Markus Koschany at 2024-04-21T23:11:59+02:00 Add nghttp2 to dla-needed.txt - - - - - efec8650 by Markus Koschany at 2024-04-21T23:11:59+02:00 Add python-idna to dla-needed.txt - - - - - 51771358 by Markus Koschany at 2024-04-21T23:12:01+02:00 CVE-2024-3446,CVE-2024-3447,CVE-2024-3567,qemu: buster is no-dsa Minor issues. It is good practice not to run qemu directly as a privileged user. - - - - - 0e9b47d2 by Markus Koschany at 2024-04-21T23:12:01+02:00 Add tryton-server to dla-needed.txt and claim it - - - - - 7a3f0d28 by Markus Koschany at 2024-04-21T23:12:02+02:00 CVE-2024-31047,openexr: buster is no-dsa Minor issue - - - - - 76475ee7 by Markus Koschany at 2024-04-21T23:12:03+02:00 CVE-2024-32462,flatpak: buster is ignored We have previously marked sandbox escape issues as ignored because they were either intrusive to backport or could be easily mitigated. Although the fix for CVE-2024-32462 seems straightforward, the whole application should be upgraded to the version in Bullseye in my opinion. Since we approach the end of the Buster LTS cycle I am going to mark CVE-2024-32462 as ignored too. - - - - - 76d860ac by Markus Koschany at 2024-04-21T23:12:03+02:00 Add astropy to dla-needed.txt - - - - - d913e443 by Markus Koschany at 2024-04-21T23:12:03+02:00 Add php7.3 to dla-needed.txt and claim it - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = 
@@ -428,6 +428,7 @@ CVE-2024-32466 (Tolgee is an open-source localization platform. For the `/v2/pro CVE-2024-32462 (Flatpak is a system for building, distributing, and running sandboxed ...) {DSA-5666-1} - flatpak 1.14.6-1 + [buster] - flatpak (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2024/04/18/5 NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj NOTE: Fixed by: https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931 (1.15.8) @@ -2113,6 +2114,7 @@ CVE-2024-31497 (In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce gener - filezilla 3.67.0-1 [bookworm] - filezilla (Minor issue) [bullseye] - filezilla (Minor issue) + [buster] - filezilla (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2024/04/15/6 NOTE: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html CVE-2024-3804 (A vulnerability, which was classified as critical, has been found in V ...) @@ -3149,6 +3151,7 @@ CVE-2024-3567 (A flaw was found in QEMU. An assertion failure was present in the - qemu (bug #1068822) [bookworm] - qemu (Minor issue) [bullseye] - qemu (Minor issue) + [buster] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274339 NOTE: https://gitlab.com/qemu-project/qemu/-/issues/2273 CVE-2024-3566 (A command inject vulnerability allows an attacker to perform command i ...) @@ -3572,6 +3575,7 @@ CVE-2024-3447 - qemu (bug #1068821) [bookworm] - qemu (Minor issue) [bullseye] - qemu (Minor issue) + [buster] - qemu (Minor issue) NOTE: https://patchew.org/QEMU/20240404085549.16987-1-phi...@linaro.org/ NOTE: https://patchew.org/QEMU/20240409145524.27913-1-phi...@linaro.org/ NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58813 
@@ -3735,6 +3739,7 @@ CVE-2024-3446 (A double free vulnerability was found in QEMU virtio devices (vir - qemu (bug #1068820) [bookworm] - qemu (Minor issue) [bullseye] - qemu (Minor issue) + [buster] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274211 NOTE: https://patchew.org/QEMU/20240409105537.18308-1-phi...@linaro.org/ CVE-2024-3281 (A vulnerability was discovered in the firmware builds after 8.0.2.3267 ...) @@ -4499,6 +4504,7 @@ CVE-2024-31047 (An issue in Academy Software Foundation openexr v.3.2.3 and befo - openexr (bug #1068939) [bookworm] - openexr (Minor issue) [bullseye] - openexr (Minor issue) + [buster] - openexr (Minor issue) NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/1680 NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1681 NOTE: Fixed by: https://github.com/AcademySoftwareFoundation/openexr/commit/7aa89e1d09b09d9f5dbb96976ee083a331ab9d71 = data/dla-needed.txt = @@ -33,6 +33,9 @@ ansible (debian) apache2 NOTE: 20240418: Added by Front-Desk (apo) -- +astropy + NOTE: 20240421
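Review bot: the flatpak hunk adds `[buster] - flatpak (Minor issue)`, but commit 76475ee7 gives the real decision: a sandbox-escape class issue marked ignored because such fixes were "either intrusive to backport or could be easily mitigated" and the package "should be upgraded to the version in Bullseye". The same CVE has `{DSA-5666-1}` for bullseye (flatpak 1.10.8-0+deb11u2 elsewhere on this page), so "Minor issue" misdescribes it. Put the rationale in the reason string, e.g. `(Sandbox escape; fix too intrusive to backport, upgrade to the bullseye version)`. As rendered here the status keyword between package name and reason is not visible, so the reason text is the only thing separating this ignored entry from the plain no-dsa lines in the same push.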
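Review bot: CVE-2024-31497 is the PuTTY biased-ECDSA-nonce bug (context line `biased ECDSA nonce gener ...`, NOTE link `vuln-p521-bias`), tracked against filezilla because its SFTP backend is built from PuTTY code. A nonce bias is a signing-key recovery issue rather than a crash, so the bare `(Minor issue)` copied from the bookworm and bullseye lines should say why it is minor for buster, for instance that only P-521 keys are affected as the linked page's name indicates.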
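Review bot: CVE-2024-3446, CVE-2024-3447 and CVE-2024-3567 all get `[buster] - qemu (Minor issue)`, and the justification ("It is good practice not to run qemu directly as a privileged user") exists only in commit 51771358's message. For a double free in the virtio devices (CVE-2024-3446's context line) and an assertion failure (CVE-2024-3567) that mitigation argument is the actual reasoning, so it belongs in the reason string where the tracker shows it, e.g. `(Minor issue; mitigated by not running qemu as a privileged user)`.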
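Review bot: the data/dla-needed.txt hunk is cut off on this page at `+astropy + NOTE: 20240421`. The commit list says nghttp2 (8bc9a7e7), python-idna (efec8650), tryton-server (0e9b47d2, claimed), astropy (76d860ac) and php7.3 (d913e443, claimed) were all added, but only the first line of the astropy entry is shown, so those five entries cannot be reviewed from what is here.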
[Git][security-tracker-team/security-tracker][master] CVE-2024-3296,rust-openssl: buster is no-dsa
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 27ca1e5a by Markus Koschany at 2024-04-21T00:22:59+02:00 CVE-2024-3296,rust-openssl: buster is no-dsa Minor issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5565,6 +5565,7 @@ CVE-2024-3296 (A timing-based side-channel flaw exists in the rust-openssl packa - rust-openssl (bug #1068418) [bookworm] - rust-openssl (Minor issue) [bullseye] - rust-openssl (Minor issue) + [buster] - rust-openssl (Minor issue) NOTE: https://github.com/sfackler/rust-openssl/issues/2171 CVE-2024-31309 (HTTP/2 CONTINUATIONDoS attack can cause Apache Traffic Server to consu ...) {DSA-5659-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27ca1e5a875a146332b4153fdc898f654dc79d6e
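Review bot: the buster line matches the existing bookworm and bullseye ones for CVE-2024-3296, and the entry carries only the upstream issue link (sfackler/rust-openssl#2171) with no fix commit. For a timing side channel the eventual backport will need a specific commit, so add a `NOTE: Fixed by:` line once upstream lands one, as the openexr and flatpak entries elsewhere on this page do.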
[Git][security-tracker-team/security-tracker][master] Add trafficserver to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: ea6baf28 by Markus Koschany at 2024-04-21T00:16:18+02:00 Add trafficserver to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -312,6 +312,9 @@ tinymce NOTE: 20231216: upstream's patch is backportable, as the code has changed a NOTE: 20231216: lot. (spwhitton) -- +trafficserver + NOTE: 20240421: Added by Front-Desk (apo) +-- varnish NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ea6baf2801f7fab3421efc0efeeac405e8f44d90
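Review bot: the new trafficserver entry carries only `Added by Front-Desk (apo)`. The CVE/list context in commit 27ca1e5a on this page shows CVE-2024-31309 (HTTP/2 CONTINUATION DoS against Apache Traffic Server, `{DSA-5659-1}`) as the current open issue, so a `NOTE:` naming the CVE(s) the buster update should cover would save the next person a tracker lookup, as the varnish entry right below does for CVE-2023-44487.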
[Git][security-tracker-team/security-tracker][master] 5 commits: Triage ffmpeg CVE as postponed for Buster.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 910f13ec by Markus Koschany at 2024-04-21T00:04:52+02:00 Triage ffmpeg CVE as postponed for Buster. We can wait until upstream fixes these issues in earlier releases. - - - - - dbf30577 by Markus Koschany at 2024-04-21T00:06:41+02:00 Add gunicorn to dla-needed.txt - - - - - 6906ca1b by Markus Koschany at 2024-04-21T00:10:16+02:00 Add libmojolicious-perl to dla-needed.txt - - - - - c5c88137 by Markus Koschany at 2024-04-21T00:11:28+02:00 CVE-2024-28863,node-tar: buster is no-dsa Minor issue - - - - - 305978e5 by Markus Koschany at 2024-04-21T00:13:02+02:00 CVE-2024-3262,node-tar: buster is no-dsa Minor issue - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -719,12 +719,14 @@ CVE-2024-31582 (FFmpeg version n6.1 was discovered to contain a heap buffer over - ffmpeg [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) + [buster] - ffmpeg (Pick up when fixed in 4.3.x) NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/99debe5f823f45a482e1dc08de35879aa9c74bd2 (n7.0) CVE-2024-31581 (FFmpeg version n6.1 was discovered to contain an improper validation o ...) [experimental] - ffmpeg 7:7.0-1 - ffmpeg [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) + [buster] - ffmpeg (Pick up when fixed in 4.3.x) NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/ce0c178a408d43e71085c28a47d50dc939b60196 (n7.0) CVE-2024-31580 (PyTorch before v2.2.0 was discovered to contain a heap buffer overflow ...) - pytorch 
@@ -734,6 +736,7 @@ CVE-2024-31578 (FFmpeg version n6.1.1 was discovered to contain a heap use-after - ffmpeg [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) + [buster] - ffmpeg (Pick up when fixed in 4.3.x) NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/3bb00c0a420c3ce83c6fafee30270d69622ccad7 (n7.0) CVE-2024-31463 (Ironic-image is an OpenStack Ironic deployment packaged and configured ...) TODO: check @@ -5238,6 +5241,7 @@ CVE-2024-3262 (Information exposure vulnerability in RT software affecting versi - request-tracker4 (bug #1068452) [bookworm] - request-tracker4 (Minor issue) [bullseye] - request-tracker4 (Minor issue) + [buster] - request-tracker4 (Minor issue) - request-tracker5 (bug #1068453) [bookworm] - request-tracker5 (Minor issue) NOTE: https://github.com/bestpractical/rt/commit/ea07e767eaef5b202e8883051616d09806b8b48a @@ -9638,6 +9642,7 @@ CVE-2024-28863 (node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 h - node-tar 6.1.13+~cs7.0.5-2 [bookworm] - node-tar (Minor issue) [bullseye] - node-tar (Minor issue) + [buster] - node-tar (Minor issue) NOTE: https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36 NOTE: https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 (v6.2.1) CVE-2024-28756 (The SolarEdge mySolarEdge application before 2.20.1 for Android has a ...) = data/dla-needed.txt = @@ -101,6 +101,9 @@ frr (tobi) glibc (Adrian Bunk) NOTE: 20240419: Added by coordinator (santiago) -- +gunicorn + NOTE: 20240421: Added by Front-Desk (apo) +-- h2o NOTE: 20231228: Added by Front-Desk (lamby) -- 
@@ -124,6 +127,9 @@ knot-resolver (Markus Koschany) less (Abhijith PA) NOTE: 20240418: Added by Front-Desk (apo) -- +libmojolicious-perl + NOTE: 20240421: Added by Front-Desk (apo) +-- libpgjava (Markus Koschany) NOTE: 20240308: Added by Front-Desk (opal) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7d5031c83601fd63aa508b0a09294f2cdfdeb1bb...305978e5b03877349498cdb27f60179f994a9eed
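Review bot: the three ffmpeg hunks add `[buster] - ffmpeg (Pick up when fixed in 4.3.x)`, copying the bullseye reason verbatim, but buster ships the ffmpeg 4.1 branch, not 4.3; the bookworm line names its own branch (5.1.x) for the same purpose. The buster reason should name 4.1.x, or state explicitly that the 4.3.x fix will be backported to 4.1, otherwise the postponement condition can never be checked.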
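Review bot: commit 305978e5 is titled `CVE-2024-3262,node-tar: buster is no-dsa`, but the CVE-2024-3262 hunk is the request-tracker4 entry (information exposure in RT, fix commit ea07e767), not node-tar; the node-tar change is the CVE-2024-28863 hunk from commit c5c88137. The data is right, only the commit title is wrong, which matters for anyone searching the history by package name.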
[Git][security-tracker-team/security-tracker][master] Add pymongo to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 7d5031c8 by Markus Koschany at 2024-04-20T23:17:09+02:00 Add pymongo to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -227,6 +227,9 @@ putty (rouca) NOTE: 20240324: https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/104 NOTE: 20240412: Wait for comments by maintainer -- +pymongo + NOTE: 20240420: Added by Front-Desk (apo) +-- python-asyncssh NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and in Git, but one test is failing. Waiting for feedback before release. (dleidert) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7d5031c83601fd63aa508b0a09294f2cdfdeb1bb
[Git][security-tracker-team/security-tracker][master] Add netty to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 03a1e375 by Markus Koschany at 2024-04-19T22:59:13+02:00 Add netty to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -169,6 +169,9 @@ mediawiki (guilhem) NOTE: 20240406: Added by Front-Desk (lamby) NOTE: 20240406: Added to address "TEMP-000-519C2D" at the time of writing. (lamby) -- +netty + NOTE: 20240419: Added by Front-Desk (apo) +-- nodejs (guilhem) NOTE: 20240406: Added by Front-Desk (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03a1e375358da18934c518631dc0d8a198bf86d1
[Git][security-tracker-team/security-tracker][master] Reserve DSA-5667-1 for tomcat9
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 434bed8e by Markus Koschany at 2024-04-19T21:28:22+02:00 Reserve DSA-5667-1 for tomcat9 - - - - - 2 changed files: - data/CVE/list - data/DSA/list Changes: = data/CVE/list = @@ -34531,7 +34531,6 @@ CVE-2023-46589 (Improper Input Validation vulnerability in Apache Tomcat.Tomcat {DSA-5665-1 DLA-3707-1} - tomcat10 10.1.16-1 (bug #1057082) - tomcat9 9.0.70-2 - [bullseye] - tomcat9 (Minor issue, fix along in next DSA) - tomcat8 NOTE: https://www.openwall.com/lists/oss-security/2023/11/28/2 NOTE: https://github.com/apache/tomcat/commit/b5776d769bffeade865061bc8ecbeb2b56167b08 (10.1.16) = data/DSA/list = @@ -1,3 +1,6 @@ +[19 Apr 2024] DSA-5667-1 tomcat9 - security update + {CVE-2023-46589 CVE-2024-23672 CVE-2024-24549} + [bullseye] - tomcat9 9.0.43-2~deb11u10 [19 Apr 2024] DSA-5666-1 flatpak - security update {CVE-2024-32462} [bullseye] - flatpak 1.10.8-0+deb11u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/434bed8e52cc60d128191cf3a369bcbeb0efcb9c
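Review bot: the CVE/list hunk drops `[bullseye] - tomcat9 (Minor issue, fix along in next DSA)` under CVE-2023-46589 but leaves its advisory set at `{DSA-5665-1 DLA-3707-1}`; DSA-5667-1 also covers CVE-2024-23672 and CVE-2024-24549, whose entries (commit 0971733c on this page) show `{DLA-3779-1}` and `tomcat9 9.0.70-2` with no DSA reference either. All three entries need `DSA-5667-1` added when the advisory is published so the cross-references match the new data/DSA/list line (`[bullseye] - tomcat9 9.0.43-2~deb11u10`).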
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2024-2511,openssl: buster is postponed
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: c90b39d0 by Markus Koschany at 2024-04-18T22:55:40+02:00 CVE-2024-2511,openssl: buster is postponed because this is a minor issue and prevented in default configurations. - - - - - af013b74 by Markus Koschany at 2024-04-18T23:07:52+02:00 Add less to dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -4392,6 +4392,7 @@ CVE-2024-2511 (Issue summary: Some non-default TLS server configurations can cau - openssl (bug #1068658) [bookworm] - openssl (Minor issue, fix along with next update round) [bullseye] - openssl (Minor issue, fix along with next update round) + [buster] - openssl (Minor issue, fix along with next update round) NOTE: https://www.openssl.org/news/secadv/20240408.txt NOTE: https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08 (openssl-3.2.y) NOTE: https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce (openssl-3.1.y) = data/dla-needed.txt = 
@@ -121,6 +121,9 @@ knot-resolver (Markus Koschany) NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs has been fixed in bullseye. (ola) -- +less + NOTE: 20240418: Added by Front-Desk (apo) +-- libpgjava (Markus Koschany) NOTE: 20240308: Added by Front-Desk (opal) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fe9060aaad459b6b25898d26453ccaab552caec5...af013b7456d90da40faa7d46e23271cd66c7254c
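Review bot: the reason added for buster is `(Minor issue, fix along with next update round)`, copied from the bookworm and bullseye lines, while commit c90b39d0 gives the actual justification, that the problem is "prevented in default configurations" (the CVE summary itself starts "Some non-default TLS server configurations"); that condition belongs in the reason string. Also, the two `Fixed by` notes point at the openssl-3.2.y and openssl-3.1.y branches and buster ships OpenSSL 1.1.1, so when this is picked up the entry should record the 1.1.1 backport rather than the 3.x commits.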
[Git][security-tracker-team/security-tracker][master] Add apache2 to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 360c6b52 by Markus Koschany at 2024-04-18T00:12:16+02:00 Add apache2 to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -30,6 +30,9 @@ ansible (debian) NOTE: 20231217: Triaging done a few mail send upstream for claryfication purposes (rouca) NOTE: 20231228: Made a partial release DLA-3695-1 (rouca), waiting for lee -- +apache2 + NOTE: 20240418: Added by Front-Desk (apo) +-- atril NOTE: 20240121: Added by Front-Desk (apo) NOTE: 20240121: Decide whether it makes sense to disable comic feature or use libarchive instead. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/360c6b52193f2ef980b4775ddde1a636031abf96
[Git][security-tracker-team/security-tracker][master] 2 commits: Reserve DSA-5664-1 for jetty9
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 4ffea03a by Markus Koschany at 2024-04-17T23:19:47+02:00 Reserve DSA-5664-1 for jetty9 - - - - - 92f7273d by Markus Koschany at 2024-04-17T23:21:17+02:00 Reserve DSA-5665-1 for tomcat10 - - - - - 3 changed files: - data/CVE/list - data/DSA/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -34221,7 +34221,6 @@ CVE-2023-34055 (In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3 CVE-2023-46589 (Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 1 ...) {DLA-3707-1} - tomcat10 10.1.16-1 (bug #1057082) - [bookworm] - tomcat10 (Minor issue, fix along in next DSA) - tomcat9 9.0.70-2 [bullseye] - tomcat9 (Minor issue, fix along in next DSA) - tomcat8 = data/DSA/list = @@ -1,3 +1,10 @@ +[17 Apr 2024] DSA-5665-1 tomcat10 - security update + {CVE-2023-46589 CVE-2024-23672 CVE-2024-24549} + [bookworm] - tomcat10 10.1.6-1+deb12u2 +[17 Apr 2024] DSA-5664-1 jetty9 - security update + {CVE-2024-22201} + [bullseye] - jetty9 9.4.50-4+deb11u2 + [bookworm] - jetty9 9.4.50-4+deb12u3 [17 Apr 2024] DSA-5663-1 firefox-esr - security update {CVE-2024-2609 CVE-2024-3302 CVE-2024-3852 CVE-2024-3854 CVE-2024-3857 CVE-2024-3859 CVE-2024-3861 CVE-2024-3864} [bullseye] - firefox-esr 115.10.0esr-1~deb11u1 = data/dsa-needed.txt = 
@@ -35,8 +35,6 @@ guix (jmm) -- h2o (jmm) -- -jetty9 (apo) --- libreswan (jmm) Maintainer prepared bookworm-security update, but needs work on bullseye-security backports -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/99a6a8dd2eaf98b75e8a31741847c7e020543144...92f7273d5ac0dcb437618ca6d9f06fe04566
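Review bot: data/dsa-needed.txt only loses the `jetty9 (apo)` entry; nothing for tomcat10 is removed even though DSA-5665-1 is reserved for it in the same push, so either tomcat10 was never listed or its entry is still there and needs to be dropped. On the CVE side the hunk removes the bookworm postponement for CVE-2023-46589 but leaves `{DLA-3707-1}` as its only reference; DSA-5665-1 has to be added there, and on CVE-2024-23672 and CVE-2024-24549, when the advisory goes out.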
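Review bot: DSA-5664-1 fixes jetty9 at 9.4.50-4+deb11u2 (bullseye) and 9.4.50-4+deb12u3 (bookworm) for CVE-2024-22201, and DLA-3780-1 on this page fixes buster at 9.4.50-4+deb10u2 for the same CVE; all three share the 9.4.50-4 base, so the patch should be identical across the suites and any divergence between the three uploads is worth a second look.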
[Git][security-tracker-team/security-tracker][master] Mark open CVE for lucene-solr as EOL for buster
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 0c329976 by Markus Koschany at 2024-04-07T21:55:09+02:00 Mark open CVE for lucene-solr as EOL for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -15316,21 +15316,25 @@ CVE-2023-6677 (Improper Neutralization of Special Elements used in an SQL Comman NOT-FOR-US: Oduyo Financial Technology Online Collection CVE-2023-50386 (Improper Control of Dynamically-Managed Code Resources, Unrestricted U ...) - lucene-solr 3.6.2+dfsg-23 + [buster] - lucene-solr (No longer supported in LTS) NOTE: https://solr.apache.org/security.html#cve-2023-50386-apache-solr-backuprestore-apis-allow-for-deployment-of-executables-in-malicious-configsets NOTE: https://www.openwall.com/lists/oss-security/2024/02/09/1 NOTE: Server components disabled in 3.6.2+dfsg-23, using that as the fixed version CVE-2023-50298 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) - lucene-solr 3.6.2+dfsg-23 + [buster] - lucene-solr (No longer supported in LTS) NOTE: https://solr.apache.org/security.html#cve-2023-50298-apache-solr-can-expose-zookeeper-credentials-via-streaming-expressions NOTE: https://www.openwall.com/lists/oss-security/2024/02/09/2 NOTE: Server components disabled in 3.6.2+dfsg-23, using that as the fixed version CVE-2023-50292 (Incorrect Permission Assignment for Critical Resource, Improper Contro ...) - lucene-solr 3.6.2+dfsg-23 + [buster] - lucene-solr (No longer supported in LTS) NOTE: https://solr.apache.org/security.html#cve-2023-50292-apache-solr-schema-designer-blindly-trusts-all-configsets-possibly-leading-to-rce-by-unauthenticated-users NOTE: https://www.openwall.com/lists/oss-security/2024/02/09/3 NOTE: Server components disabled in 3.6.2+dfsg-23, using that as the fixed version CVE-2023-50291 (Insufficiently Protected Credentials vulnerability in Apache Solr. Th ...) 
- lucene-solr 3.6.2+dfsg-23 + [buster] - lucene-solr (No longer supported in LTS) NOTE: https://solr.apache.org/security.html#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies NOTE: https://www.openwall.com/lists/oss-security/2024/02/09/4 NOTE: Server components disabled in 3.6.2+dfsg-23, using that as the fixed version View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c3299769d1664646df2e4c9a1e9a26604997a0c
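Review bot: adding `[buster] - lucene-solr (No longer supported in LTS)` to four CVE entries ends security support for the package in buster, and the linked advisories include unauthenticated RCE (the CVE-2023-50292 URL ends `possibly-leading-to-rce-by-unauthenticated-users`) and deployment of executables via malicious configsets (CVE-2023-50386). This hunk only touches data/CVE/list, so the matching entry in debian-security-support (the list behind check-support-status) and an announcement to buster users are still needed, otherwise nobody running the 3.6.2 server components learns they are unsupported. The `NOTE: Server components disabled in 3.6.2+dfsg-23` line records the alternative that was on the table in dla-needed.txt: ship the same server-disabled package to buster instead of marking it EOL.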
[Git][security-tracker-team/security-tracker][master] Remove lucene-solr from dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: ca0d31eb by Markus Koschany at 2024-04-07T21:39:19+02:00 Remove lucene-solr from dla-needed.txt As discussed with Daniel Leidert via private email, I believe that we should EOL lucene-solr in Buster. This is a truly ancient version which most likely nobody uses in production. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -156,11 +156,6 @@ linux (Ben Hutchings) linux-5.10 NOTE: 20231005: perma-added for LTS package-specific delegation (bwh) -- -lucene-solr - NOTE: 20240213: Added by Front-Desk (lamby) - NOTE: 20240407: Should the server components be disabled as in 3.6.2+dfsg-23 instead of trying to patch the CVEs? (dleidert) - NOTE: 20240407: I'm going to contact Markus, the maintainer. (dleidert) --- mediawiki (guilhem) NOTE: 20240406: Added by Front-Desk (lamby) NOTE: 20240406: Added to address "TEMP-000-519C2D" at the time of writing. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca0d31ebea43fea42f7979c2256664ce043c0b21
[Git][security-tracker-team/security-tracker][master] Claim libpgjava in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: a83b404c by Markus Koschany at 2024-04-07T11:46:24+02:00 Claim libpgjava in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -115,7 +115,7 @@ knot-resolver (Markus Koschany) libdatetime-timezone-perl (Emilio) NOTE: 20240327: Added by pochu -- -libpgjava +libpgjava (Markus Koschany) NOTE: 20240308: Added by Front-Desk (opal) -- libreswan View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a83b404c6afee64b27c51c4936e53e4fc5bd322b
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3780-1 for jetty9
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 138dfde5 by Markus Koschany at 2024-04-06T23:02:56+02:00 Reserve DLA-3780-1 for jetty9 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[06 Apr 2024] DLA-3780-1 jetty9 - security update + {CVE-2024-22201} + [buster] - jetty9 9.4.50-4+deb10u2 [06 Apr 2024] DLA-3779-1 tomcat9 - security update {CVE-2024-23672 CVE-2024-24549} [buster] - tomcat9 9.0.31-1~deb10u12 = data/dla-needed.txt = @@ -111,9 +111,6 @@ jenkins-htmlunit-core-js NOTE: 20231231: … TransformerFactory without setting the ~secure flag, so it may NOTE: 20231231: … indeed be vulnerable. (lamby) -- -jetty9 (Markus Koschany) - NOTE: 20240303: Added by Front-Desk (apo) --- knot-resolver (Markus Koschany) NOTE: 20231029: Added by Front-Desk (gladk) NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/138dfde5b9ea93686debedcd7d3d23dfa3d3eeea
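Review bot: the DLA line `[buster] - jetty9 9.4.50-4+deb10u2` for CVE-2024-22201 uses the same 9.4.50-4 base that DSA-5664-1 on this page fixes at 9.4.50-4+deb11u2 and 9.4.50-4+deb12u3, so the buster patch should be the one used for the DSA rather than a separate backport. The dla-needed.txt removal drops an entry that only ever carried `Added by Front-Desk (apo)` from 20240303, so nothing else is left pending for jetty9.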
[Git][security-tracker-team/security-tracker][master] CVE-2024-23833,openrefine: fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
892d791c by Markus Koschany at 2024-04-06T21:57:41+02:00
CVE-2024-23833,openrefine: fixed in unstable
- - - - -
1 changed file: - data/CVE/list
Changes: = data/CVE/list = @@ -14786,7 +14786,7 @@ CVE-2024-24739 (SAP Bank Account Management (BAM) allows an authenticated user w CVE-2024-24337 (CSV Injection vulnerability in '/members/moremember.pl' and '/admin/aq ...) NOT-FOR-US: Koha Library Management System CVE-2024-23833 (OpenRefine is a free, open source power tool for working with messy da ...) - - openrefine (bug #1064192) + - openrefine 3.7.8-1 (bug #1064192) [bookworm] - openrefine (Minor issue) NOTE: https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-6p92-qfqf-qwx4 NOTE: https://github.com/OpenRefine/OpenRefine/commit/41ccf574847d856e22488a7c0987ad8efa12a84a (3.7.8)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/892d791c23ee215a6f721987c2752c445d9595af
[Git][security-tracker-team/security-tracker][master] CVE-2024-24549,CVE-2024-23672,tomcat10: fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
0971733c by Markus Koschany at 2024-04-06T14:03:33+02:00
CVE-2024-24549,CVE-2024-23672,tomcat10: fixed in unstable
- - - - -
1 changed file: - data/CVE/list
Changes: = data/CVE/list = @@ -6890,7 +6890,7 @@ CVE-2024-24692 (Race condition in the installer for Zoom Rooms Client for Window NOT-FOR-US: Zoom CVE-2024-24549 (Denial of Service due to improper input validation vulnerability for H ...) {DLA-3779-1} - - tomcat10 (bug #1066878) + - tomcat10 10.1.20-1 (bug #1066878) - tomcat9 9.0.70-2 NOTE: https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg NOTE: https://github.com/apache/tomcat/commit/d07c82194edb69d99b438828fe2cbfadbb207843 (10.1.19) @@ -6898,7 +6898,7 @@ CVE-2024-24549 (Denial of Service due to improper input validation vulnerability NOTE: Starting with 9.0.70-2 Tomcat9 no longer ships the server stack, using that as the fixed version CVE-2024-23672 (Denial of Service via incomplete cleanup vulnerability in Apache Tomca ...) {DLA-3779-1} - - tomcat10 (bug #1066877) + - tomcat10 10.1.20-1 (bug #1066877) - tomcat9 9.0.70-2 NOTE: https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f NOTE: https://github.com/apache/tomcat/commit/0052b374684b613b0c849899b325ebe334ac6501 (10.1.19)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0971733c88eb4f025c2862556942f17ba54d772b
[Git][security-tracker-team/security-tracker][master] CVE-2024-22201,jetty9: fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
4b2283ac by Markus Koschany at 2024-04-06T13:17:28+02:00
CVE-2024-22201,jetty9: fixed in unstable
- - - - -
1 changed file: - data/CVE/list
Changes: = data/CVE/list = @@ -11745,7 +11745,7 @@ CVE-2024-23496 (A heap-based buffer overflow vulnerability exists in the GGUF li CVE-2024-22873 (Tencent Blueking CMDB v3.2.x to v3.9.x was discovered to contain a Ser ...) NOT-FOR-US: Tencent Blueking CMDB CVE-2024-22201 (Jetty is a Java based web server and servlet engine. An HTTP/2 SSL con ...) - - jetty9 (bug #1064923) + - jetty9 9.4.54-1 (bug #1064923) NOTE: https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98 NOTE: https://github.com/jetty/jetty.project/issues/11256 NOTE: Fixed by: https://github.com/jetty/jetty.project/commit/86586df0a8a4d9c6b5af9a621ad1adf1b494d39b (jetty-9.4.54.v20240208)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b2283ac1d373ef29d9cbaaf9bdfd9c20c38bb81
[Git][security-tracker-team/security-tracker][master] 3 commits: Claim knot-resolver and wordpress in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
1c336754 by Markus Koschany at 2024-04-06T07:39:03+02:00
Claim knot-resolver and wordpress in dla-needed.txt
- - - - -
c9dfd707 by Markus Koschany at 2024-04-06T07:39:56+02:00
Claim jetty9 in dsa-needed.txt
- - - - -
aa44a82e by Markus Koschany at 2024-04-06T07:49:26+02:00
CVE-2024-21733,tomcat9: buster is postponed
Minor issue. Tests fail. Needs more investigation but is not critical.
- - - - -
3 changed files: - data/CVE/list - data/dla-needed.txt - data/dsa-needed.txt
Changes: = data/CVE/list = @@ -19167,6 +19167,7 @@ CVE-2023-28743 (Improper input validation for some Intel NUC BIOS firmware befor CVE-2024-21733 (Generation of Error Message Containing Sensitive Information vulnerabi ...) - tomcat9 9.0.53-1 [bullseye] - tomcat9 (Minor issue, fix along in next update) + [buster] - tomcat9 (Minor issue, fix along in next update) NOTE: https://www.openwall.com/lists/oss-security/2024/01/19/2 NOTE: https://github.com/apache/tomcat/commit/86ccc43940861703c2be96a5f35384407522125a (9.0.44) CVE-2024-23387 (FusionPBX prior to 5.1.0 contains a cross-site scripting vulnerability ...) = data/dla-needed.txt = @@ -114,7 +114,7 @@ jenkins-htmlunit-core-js jetty9 (Markus Koschany) NOTE: 20240303: Added by Front-Desk (apo) -- -knot-resolver +knot-resolver (Markus Koschany) NOTE: 20231029: Added by Front-Desk (gladk) NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs has been fixed in bullseye. (ola) @@ -301,7 +301,7 @@ varnish NOTE: 20240122: Still fixing tests (abhijith) NOTE: 20240213: Fixing tests.(abhijith) -- -wordpress +wordpress (Markus Koschany) NOTE: 20240314: Added by coordinator (roberto) NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and NOTE: 20240314: bookwork. Uploads to spu and ospu should be coordinated. (roberto) = data/dsa-needed.txt =
@@ -31,7 +31,7 @@ gpac/oldstable -- h2o (jmm) -- -jetty9 +jetty9 (apo) -- libreswan (jmm) Maintainer prepared bookworm-security update, but needs work on bullseye-security backports
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/80daa719eb36088138336e3dde00f0092652b90e...aa44a82e33686e44233c73cf7cdb6f0da3e0bf53
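Review bot: in the data/CVE/list hunk the commit message says buster is postponed, but the added line `[buster] - tomcat9 (Minor issue, fix along in next update)` carries no `<postponed>` tag and therefore reads as plain no-dsa, identical to the bullseye line above it; if postponing is the intent, write it as `[buster] - tomcat9 <postponed> (Minor issue, fix along in next update)` so the tracker records the distinction.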
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3779-1 for tomcat9
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
80daa719 by Markus Koschany at 2024-04-06T07:15:20+02:00
Reserve DLA-3779-1 for tomcat9
- - - - -
2 changed files: - data/DLA/list - data/dla-needed.txt
Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[06 Apr 2024] DLA-3779-1 tomcat9 - security update + {CVE-2024-23672 CVE-2024-24549} + [buster] - tomcat9 9.0.31-1~deb10u12 [01 Apr 2024] DLA-3778-1 libvirt - security update {CVE-2020-10703 CVE-2020-12430 CVE-2020-25637 CVE-2021-3631 CVE-2021-3667 CVE-2021-3975 CVE-2021-4147 CVE-2022-0897 CVE-2024-1441 CVE-2024-2494 CVE-2024-2496} [buster] - libvirt 5.0.0-4+deb10u2 = data/dla-needed.txt = @@ -287,9 +287,6 @@ tinymce NOTE: 20240404: May be v. difficult to backport and/or not even vulnerable. (lamby) NOTE: 20240404: Check Ola's commit message in 21503da906. (lamby) -- -tomcat9 (Markus Koschany) - NOTE: 20240121: Added by Front-Desk (apo) --- tzdata (Emilio) NOTE: 20240327: Added by pochu --
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/80daa719eb36088138336e3dde00f0092652b90e
[Git][security-tracker-team/security-tracker][master] Reclaim jetty9 and tomcat9 in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ca80d547 by Markus Koschany at 2024-03-19T21:23:46+01:00
Reclaim jetty9 and tomcat9 in dla-needed.txt
- - - - -
1 changed file: - data/dla-needed.txt
Changes: = data/dla-needed.txt = @@ -110,7 +110,7 @@ jenkins-htmlunit-core-js NOTE: 20231231: … TransformerFactory without setting the ~secure flag, so it may NOTE: 20231231: … indeed be vulnerable. (lamby) -- -jetty9 +jetty9 (Markus Koschany) NOTE: 20240303: Added by Front-Desk (apo) -- knot-resolver @@ -280,7 +280,7 @@ tiff (Abhijith PA) NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and NOTE: 20240314: bookworm. Uploads to spu and ospu should be coordinated. (roberto) -- -tomcat9 +tomcat9 (Markus Koschany) NOTE: 20240121: Added by Front-Desk (apo) -- varnish
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca80d547f638bab621afb3ebdcccb6aea0a08662
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2024-25710,libcommons-compress-java: buster is no-dsa
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
cb11667d by Markus Koschany at 2024-03-19T21:22:18+01:00
CVE-2024-25710,libcommons-compress-java: buster is no-dsa
Minor issue
- - - - -
961b664a by Markus Koschany at 2024-03-19T21:22:58+01:00
Remove libcommons-compress-java from dla-needed.txt
- - - - -
2 changed files: - data/CVE/list - data/dla-needed.txt
Changes: = data/CVE/list = @@ -8042,6 +8042,7 @@ CVE-2024-25710 (Loop with Unreachable Exit Condition ('Infinite Loop') vulnerabi - libcommons-compress-java (bug #1064413) [bookworm] - libcommons-compress-java (Minor issue) [bullseye] - libcommons-compress-java (Minor issue) + [buster] - libcommons-compress-java (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2024/02/19/1 NOTE: Related to and fixed by https://issues.apache.org/jira/browse/COMPRESS-632 CVE-2024-23114 (Deserialization of Untrusted Data vulnerability in Apache Camel Cassan ...) = data/dla-needed.txt = @@ -118,9 +118,6 @@ knot-resolver NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs has been fixed in bullseye. (ola) -- -libcommons-compress-java - NOTE: 20240303: Added by Front-Desk (apo) --- libpgjava NOTE: 20240308: Added by Front-Desk (opal) --
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/bd90f1b2a8b6cf8b3a08366cb04f7a4b1430f3d0...961b664ae9d8f873cdba0cca9aceb7f760a69ac6
[Git][security-tracker-team/security-tracker][master] CVE-2024-25710,libcommons-compress-java: Link to upstream ticket
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
3e90c111 by Markus Koschany at 2024-03-19T20:54:01+01:00
CVE-2024-25710,libcommons-compress-java: Link to upstream ticket
Apparently this problem was discovered during some fuzzing and was just one of many improvements fixed by pull requests related to COMPRESS-632.
- - - - -
1 changed file: - data/CVE/list
Changes: = data/CVE/list = @@ -7875,6 +7875,7 @@ CVE-2024-25710 (Loop with Unreachable Exit Condition ('Infinite Loop') vulnerabi [bookworm] - libcommons-compress-java (Minor issue) [bullseye] - libcommons-compress-java (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2024/02/19/1 + NOTE: Related to and fixed by https://issues.apache.org/jira/browse/COMPRESS-632 CVE-2024-23114 (Deserialization of Untrusted Data vulnerability in Apache Camel Cassan ...) NOT-FOR-US: Apache Camel CVE-2024-22369 (Deserialization of Untrusted Data vulnerability in Apache Camel SQL Co ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e90c11189013a24887c772dcb27557e1d464877
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3756-1 for wordpress
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2c79e5d0 by Markus Koschany at 2024-03-10T18:21:29+01:00
Reserve DLA-3756-1 for wordpress
- - - - -
2 changed files: - data/DLA/list - data/dla-needed.txt
Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[10 Mar 2024] DLA-3756-1 wordpress - security update + [buster] - wordpress 5.0.21+dfsg1-0+deb10u1 [09 Mar 2024] DLA-3755-1 tar - security update {CVE-2023-39804} [buster] - tar 1.30+dfsg-6+deb10u1 = data/dla-needed.txt = @@ -275,9 +275,6 @@ varnish NOTE: 20240122: Still fixing tests (abhijith) NOTE: 20240213: Fixing tests.(abhijith) -- -wordpress - NOTE: 20240306: Added by Front-Desk (opal) --- zabbix NOTE: 20240212: Added by Front-Desk (utkarsh) --
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c79e5d0ef7bbd6375a027256d758712b443960b
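Review bot: the new `[10 Mar 2024] DLA-3756-1 wordpress - security update` entry in data/DLA/list has no `{CVE-...}` line, unlike the tar entry directly below it and the other security-update entries in this list; if the advisory fixes identified CVEs, add that line so the tracker marks them as fixed by the DLA, otherwise a short NOTE on why none apply would save the next reader the question.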
[Git][security-tracker-team/security-tracker][master] 4 commits: Reserve DSA-5637-1 for squid
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
e1e12e3f by Markus Koschany at 2024-03-08T15:01:03+01:00
Reserve DSA-5637-1 for squid
- - - - -
824c2821 by Markus Koschany at 2024-03-08T15:02:06+01:00
CVE-2023-46848,bookworm: mark as fixed in 5.7-2+deb12u1
- - - - -
47b3dbc2 by Markus Koschany at 2024-03-08T15:03:07+01:00
CVE-2024-25111,squid: bookworm is fixed in 5.7-2+deb12u1
- - - - -
97f39f57 by Markus Koschany at 2024-03-08T15:04:47+01:00
Readd squid to dsa-needed.txt
There are still unfixed problems in both supported versions. Especially the fix for CVE-2023-5824 is kind of intrusive.
- - - - -
3 changed files: - data/CVE/list - data/DSA/list - data/dsa-needed.txt
Changes: = data/CVE/list = @@ -881,6 +881,7 @@ CVE-2024- [RUSTSEC-2024-0020] NOTE: https://rustsec.org/advisories/RUSTSEC-2024-0020.html CVE-2024-25111 (Squid is a web proxy cache. Starting in version 3.5.27 and prior to ve ...) - squid 6.8-1 + [bookworm] - squid 5.7-2+deb12u1 - squid3 NOTE: https://lists.squid-cache.org/pipermail/squid-announce/2024-March/000165.html NOTE: https://github.com/squid-cache/squid/security/advisories/GHSA-72c2-c3wm-8qxc @@ -27326,6 +27327,7 @@ CVE-2023-46724 (Squid is a caching proxy for the Web. Due to an Improper Validat NOTE: https://github.com/squid-cache/squid/security/advisories/GHSA-73m6-jm96-c6r3 CVE-2023-46848 (Squid is vulnerable to Denial of Service, where a remote attacker can ...) - squid 6.5-1 (bug #1055251) + [bookworm] - squid 5.7-2+deb12u1 [bullseye] - squid (Vulnerable code not present) [buster] - squid (Vulnerable code not present) - squid3 (Vulnerable code not present) = data/DSA/list =
@@ -1,3 +1,7 @@ +[08 Mar 2024] DSA-5637-1 squid - security update + {CVE-2023-46724 CVE-2023-46846 CVE-2023-46847 CVE-2023-49285 CVE-2023-49286 CVE-2023-50269 CVE-2024-23638 CVE-2024-25617} + [bullseye] - squid 4.13-10+deb11u3 + [bookworm] - squid 5.7-2+deb12u1 [06 Mar 2024] DSA-5636-1 chromium - security update {CVE-2024-2173 CVE-2024-2174 CVE-2024-2176} [bookworm] - chromium 122.0.6261.111-1~deb12u1 = data/dsa-needed.txt = @@ -92,7 +92,7 @@ salt/oldstable samba/oldstable santiago started to backport patches to bullseye -- -squid (apo) +squid -- varnish --
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2e10e39a30bfea25bd6803677d1498fc764aadaf...97f39f57692671e900d1819a4d5281d5b75c09f7
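Review bot: the data/DSA/list hunk lists eight CVEs for DSA-5637-1, while the data/CVE/list hunks in the same push mark CVE-2023-46848 and CVE-2024-25111 as fixed in the very same bookworm version `5.7-2+deb12u1` without placing them in the advisory's `{...}` set; if that upload fixes them, they belong in the list, otherwise a NOTE on why they are tracked separately (bullseye is "Vulnerable code not present" for CVE-2023-46848) would keep the two files consistent.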
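Review bot: the data/dsa-needed.txt hunk turns `-squid (apo)` into `+squid`, which releases the claim on an entry that was already present rather than re-adding one, so the commit message "Readd squid to dsa-needed.txt" does not describe the change; either reword the message to say the entry is kept but unclaimed, or keep `squid (apo)` if the intent was only to leave the package listed.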
[Git][security-tracker-team/security-tracker][master] CVE-2019-18860,squid: bookworm is not affected
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c1677e09 by Markus Koschany at 2024-03-05T23:23:09+01:00
CVE-2019-18860,squid: bookworm is not affected
This issue was addressed in version 4.9, introduced to Debian unstable on 10 Nov 2019. https://github.com/squid-cache/squid/commit/5a90b4ce64c346ba7f317a278ba601091d9de076 @Salvatore, I hope just changing the fixed version does the trick here?
- - - - -
1 changed file: - data/CVE/list
Changes: = data/CVE/list = @@ -311441,7 +311441,7 @@ CVE-2023-49285 (Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP NOTE: http://www.squid-cache.org/Versions/v6/SQUID-2023_7.patch CVE-2019-18860 (Squid before 4.9, when certain web browsers are used, mishandles HTML ...) {DSA-4732-1 DLA-2278-1} - - squid 6.5-1 (low) + - squid 4.9-1 (low) - squid3 NOTE: https://github.com/squid-cache/squid/pull/504 NOTE: https://github.com/squid-cache/squid/commit/5cc4b155cee1a4968109737f6eba2ef29d51034d (SQUID_5_0_1)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1677e098d73aacd68bef3abdcb68d1f30e4c44b
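Review bot: the fixed version moves from `6.5-1` to `4.9-1`, but the only fixing-commit NOTE left in the entry still points at `5cc4b155...` tagged `(SQUID_5_0_1)`, so data/CVE/list itself gives no evidence for the 4.9 claim; add the commit cited in the commit message, `NOTE: https://github.com/squid-cache/squid/commit/5a90b4ce64c346ba7f317a278ba601091d9de076 (4.9)`, as a further NOTE line so the new fixed version is traceable without reading the git log.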
[Git][security-tracker-team/security-tracker][master] 24 commits: CVE-2024-22201,jetty9: link to fixing commits for 9.x branch
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
7cadf7f5 by Markus Koschany at 2024-03-04T13:06:38+01:00
CVE-2024-22201,jetty9: link to fixing commits for 9.x branch
- - - - -
488675e6 by Markus Koschany at 2024-03-04T13:06:38+01:00
Add jetty9 to dla-needed.txt
- - - - -
dda9149f by Markus Koschany at 2024-03-04T13:06:38+01:00
Add libuv1 to dla-needed.txt
- - - - -
10cd94f3 by Markus Koschany at 2024-03-04T13:06:38+01:00
Add yard to dla-needed.txt
- - - - -
f7c91a4b by Markus Koschany at 2024-03-04T13:06:39+01:00
CVE-2024-21742,apache-mime4j: buster is no-dsa
Minor issue
- - - - -
eb5598a8 by Markus Koschany at 2024-03-04T13:06:41+01:00
CVE-2023-49100,arm-trusted-firmware: buster is no-dsa
Minor issue
- - - - -
bf920f98 by Markus Koschany at 2024-03-04T13:06:42+01:00
CVE-2024-25629,c-ares: buster is no-dsa
Minor issue
- - - - -
25af6d89 by Markus Koschany at 2024-03-04T13:06:43+01:00
CVE-2024-24258,CVE-2024-24259,freeglut: buster is no-dsa
Minor issue
- - - - -
372269cb by Markus Koschany at 2024-03-04T13:06:44+01:00
Triage krb5 memory leaks as no-dsa for buster
Minor issues.
- - - - -
7b0caec9 by Markus Koschany at 2024-03-04T13:06:46+01:00
CVE-2022-48624,less: buster is no-dsa
Minor issue. Can be fixed when more important issues arise.
- - - - -
32b6a875 by Markus Koschany at 2024-03-04T13:06:46+01:00
Add libcommons-compress-java to dla-needed.txt
- - - - -
afd34344 by Markus Koschany at 2024-03-04T13:06:47+01:00
CVE-2023-45918,ncurses: buster is no-dsa
Minor NULL pointer dereference bug.
- - - - -
23a5576e by Markus Koschany at 2024-03-04T13:06:48+01:00
CVE-2024-27088,node-es5-ext: buster is no-dsa
Minor issue
- - - - -
1c70cc2b by Markus Koschany at 2024-03-04T13:06:48+01:00
Add nvidia-graphics-drivers to dla-needed.txt
- - - - -
59de8769 by Markus Koschany at 2024-03-04T13:06:49+01:00
Add php-phpseclib to dla-needed.txt
- - - - -
e4f2317e by Markus Koschany at 2024-03-04T13:06:49+01:00
Add phpseclib to dla-needed.txt
- - - - -
86daa2d7 by Markus Koschany at 2024-03-04T13:06:50+01:00
CVE-2024-1433,plasma-workspace: buster is no-dsa
Minor issue
- - - - -
4b93f9ea by Markus Koschany at 2024-03-04T13:06:51+01:00
CVE-2024-26130,python-cryptography: buster is no-dsa
Minor issue
- - - - -
294142c4 by Markus Koschany at 2024-03-04T13:06:52+01:00
CVE-2024-1892,python-scrapy: buster is no-dsa
Minor issue
- - - - -
8e6542f2 by Markus Koschany at 2024-03-04T13:06:54+01:00
CVE-2023-50868,CVE-2023-50387,systemd: buster is no-dsa
DNSSEC is disabled by default and an experimental feature.
- - - - -
ab2db50c by Markus Koschany at 2024-03-04T13:06:55+01:00
CVE-2024-25262,texlive-bin: buster is no-dsa
Minor issue
- - - - -
f7b7db95 by Markus Koschany at 2024-03-04T13:06:55+01:00
Add cpio to dla-needed.txt
- - - - -
e38cce11 by Markus Koschany at 2024-03-04T13:06:55+01:00
Add dnsmasq to dla-needed.txt
- - - - -
336ad067 by Markus Koschany at 2024-03-04T13:06:56+01:00
CVE-2024-24246,qpdf: buster is not-affected
The vulnerable code was introduced later, creating a PDF from an input source that contains JSON. https://github.com/qpdf/qpdf/commit/4fe2e06b4787ffb639f965ac840b51018308ec07#diff-8e435b97a9914d4318cc5829a9400e1e49c5b9bc16799de9aef9ef04c4b3f5c0
- - - - -
2 changed files: - data/CVE/list - data/dla-needed.txt
Changes: = data/CVE/list =
@@ -872,6 +872,7 @@ CVE-2024-24818 (EspoCRM is an Open Source Customer Relationship Management softw NOT-FOR-US: EspoCRM CVE-2024-24246 (Heap Buffer Overflow vulnerability in qpdf 11.9.0 allows attackers to ...) - qpdf 11.9.0-1 + [buster] - qpdf (Vulnerable code was introduced later) NOTE: https://github.com/qpdf/qpdf/issues/1123 NOTE: https://github.com/qpdf/qpdf/commit/cb0f390cc1f98a8e82b27259f8f3cd5f162992eb (v11.9.0) CVE-2024-24110 (SQL Injection vulnerability in crmeb_java before v1.3.4 allows attacke ...) @@ -1843,6 +1844,7 @@ CVE-2024-1892 (Parts of the Scrapy API were found to be vulnerable to a ReDoS at - python-scrapy 2.11.1-1 (bug #1065111) [bookworm] - python-scrapy (Minor issue) [bullseye] - python-scrapy (Minor issue) + [buster] - python-scrapy (Minor issue) NOTE: https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b/ NOTE: https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5 (2.11.1) CVE-2024-1866 @@ -2068,6 +2070,7 @@ CVE-2024-21742 (Improper input validation allows for header injection in MIME4J - apache-mime4j 0.8.10-1 (bug #1064966) [bookworm] - apache-mime4j (Minor issue) [bullseye] - apache-mime4j (Minor issue) + [buster] - apache-mime4j (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2024/02/27/5 NOTE: https://github.com/apache/james-mime4j/commit/9dec5df2a588fed8027839815daefa79ee66efd1
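Review bot: the qpdf hunk adds `[buster] - qpdf (Vulnerable code was introduced later)` while the commit message says buster is not-affected; without the `<not-affected>` tag that line is read as no-dsa, which leaves buster listed as vulnerable with a reason that says the opposite. Write it as `[buster] - qpdf <not-affected> (Vulnerable code was introduced later)`; the python-scrapy and apache-mime4j hunks in the same push, where untagged `(Minor issue)` is the intended no-dsa, are fine as they are.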
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3736-1 for unbound
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2a57f0d7 by Markus Koschany at 2024-02-21T13:11:48+01:00
Reserve DLA-3736-1 for unbound
- - - - -
2 changed files: - data/DLA/list - data/dla-needed.txt
Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[21 Feb 2024] DLA-3736-1 unbound - security update + {CVE-2023-50387 CVE-2023-50868} + [buster] - unbound 1.9.0-2+deb10u4 [19 Feb 2024] DLA-3735-1 runc - security update {CVE-2021-43784 CVE-2024-21626} [buster] - runc 1.0.0~rc6+dfsg1-3+deb10u3 = data/dla-needed.txt = @@ -294,9 +294,6 @@ tinymce tomcat9 (Markus Koschany) NOTE: 20240121: Added by Front-Desk (apo) -- -unbound (Markus Koschany) - NOTE: 20240214: Added by Front-Desk (lamby) --- varnish (Abhijith PA) NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a57f0d7fb0ec3ab98999811e2bc7d5531c895c5
[Git][security-tracker-team/security-tracker][master] Claim unbound in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d8f690d8 by Markus Koschany at 2024-02-14T22:13:09+01:00
Claim unbound in dla-needed.txt
- - - - -
1 changed file: - data/dla-needed.txt
Changes: = data/dla-needed.txt = @@ -283,7 +283,7 @@ tinymce tomcat9 (Markus Koschany) NOTE: 20240121: Added by Front-Desk (apo) -- -unbound +unbound (Markus Koschany) NOTE: 20240214: Added by Front-Desk (lamby) -- varnish (Abhijith PA)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8f690d8769a1a30f877a56f753e3473ec716c28
[Git][security-tracker-team/security-tracker][master] Reclaim tomcat9 and knot-resolver.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
a5b32c1b by Markus Koschany at 2024-02-11T00:58:18+01:00
Reclaim tomcat9 and knot-resolver.
- - - - -
1 changed file: - data/dla-needed.txt
Changes: = data/dla-needed.txt = @@ -122,7 +122,7 @@ jenkins-htmlunit-core-js NOTE: 20231231: … TransformerFactory without setting the ~secure flag, so it may NOTE: 20231231: … indeed be vulnerable. (lamby) -- -knot-resolver +knot-resolver (Markus Koschany) NOTE: 20231029: Added by Front-Desk (gladk) -- libreswan @@ -263,7 +263,7 @@ tinymce NOTE: 20231216: upstream's patch is backportable, as the code has changed a NOTE: 20231216: lot. (spwhitton) -- -tomcat9 +tomcat9 (Markus Koschany) NOTE: 20240121: Added by Front-Desk (apo) -- varnish (Abhijith PA)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5b32c1bf0884c0f9ae295a56f0bddfea6efc776
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3721-1 for xorg-server
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
fd1078ed by Markus Koschany at 2024-01-25T22:53:07+01:00
Reserve DLA-3721-1 for xorg-server
- - - - -
2 changed files: - data/DLA/list - data/dla-needed.txt
Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[25 Jan 2024] DLA-3721-1 xorg-server - security update + {CVE-2023-6816 CVE-2024-0229 CVE-2024-0408 CVE-2024-0409 CVE-2024-21885 CVE-2024-21886} + [buster] - xorg-server 2:1.20.4-1+deb10u13 [25 Jan 2024] DLA-3720-1 thunderbird - security update {CVE-2024-0741 CVE-2024-0742 CVE-2024-0746 CVE-2024-0747 CVE-2024-0749 CVE-2024-0750 CVE-2024-0751 CVE-2024-0753 CVE-2024-0755} [buster] - thunderbird 1:115.7.0-1~deb10u1 = data/dla-needed.txt = @@ -304,9 +304,6 @@ wireshark NOTE: 20231204: DLA pending (bunk) NOTE: 20231218: Debugging a problem with the update. (bunk) -- -xorg-server (Markus Koschany) - NOTE: 20240117: Added by Front-Desk (lamby) --- zfs-linux (Utkarsh) NOTE: 20231127: Added by Front-Desk (Beuc) NOTE: 20240801: the fix for other CVE wasn't obvious but about to be ready; D/ELA to be out soon. (utkarsh)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd1078ed4f3c7d09292a71b0fe09ffa002e421d4
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3709-2 squid
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
35f2ce6a by Markus Koschany at 2024-01-22T19:52:02+01:00
Reserve DLA-3709-2 squid
- - - - -
1 changed file: - data/DLA/list
Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[22 Jan 2024] DLA-3709-2 squid - regression update + [buster] - squid 4.6-1+deb10u10 [21 Jan 2024] DLA-3714-1 keystone - security update {CVE-2021-3563 CVE-2021-38155} [buster] - keystone 2:14.2.0-0+deb10u2
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/35f2ce6a23e98d93496ca7bf0334f2a9cfe4a157
[Git][security-tracker-team/security-tracker][master] 18 commits: CVE-2022-41678,activemq: mark as unimportant
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 03d4849f by Markus Koschany at 2024-01-21T20:39:28+01:00 CVE-2022-41678,activemq: mark as unimportant We dont ship or use Jolokia. The assembly module in ActiveMQ is also ignored/disabled by default. - - - - - 3ea987f1 by Markus Koschany at 2024-01-21T20:39:29+01:00 CVE-2023-6879,aom: Buster is postponed Minor issue. Hard to see the security impact here. Can be fixed later. - - - - - ea933894 by Markus Koschany at 2024-01-21T20:39:29+01:00 Add atril to dla-needed.txt - - - - - 38a1 by Markus Koschany at 2024-01-21T20:39:29+01:00 Add exiftags to dla-needed.txt - - - - - 71338533 by Markus Koschany at 2024-01-21T20:39:29+01:00 Add freeimage to dla-needed.txt - - - - - 6af4d6bb by Markus Koschany at 2024-01-21T20:39:30+01:00 CVE-2024-22211,freerdp2: Buster is postponed Minor issue, can be fixed later. - - - - - 802c59fb by Markus Koschany at 2024-01-21T20:39:30+01:00 Add jinja2 to dla-needed.txt - - - - - 10676421 by Markus Koschany at 2024-01-21T20:39:30+01:00 Add libspreadsheet-parsexlsx-perl to dla-needed.txt - - - - - 310fe293 by Markus Koschany at 2024-01-21T20:39:32+01:00 CVE-2023-0437,mongo-c-driver: Buster is ignored Minor issue - - - - - e8938541 by Markus Koschany at 2024-01-21T20:39:32+01:00 Add nss to dla-needed.txt - - - - - 73d72703 by Markus Koschany at 2024-01-21T20:39:32+01:00 Add openjdk-11 to dla-needed.txt - - - - - 9c6b5418 by Markus Koschany at 2024-01-21T20:39:33+01:00 CVE-2023-50262,php-dompdf: Buster is not-affected SVG images are rejected by default. 
See also test case for CVE-2021-3902 - - - - - 0ca9fefc by Markus Koschany at 2024-01-21T20:39:33+01:00 Add pillow to dla-needed.txt - - - - - 21b4556b by Markus Koschany at 2024-01-21T20:39:33+01:00 Add rear to dla-needed.txt - - - - - eaf23c37 by Markus Koschany at 2024-01-21T20:39:33+01:00 Add ruby-httparty to dla-needed.txt - - - - - 9a1853c9 by Markus Koschany at 2024-01-21T20:39:34+01:00 CVE-2023-46749,shiro: Debian is not affected The blockSemicolon feature has been introduced with the fix for CVE-2020-13933. It is enabled by default. Mark CVE-2023-46749 fixed by the same versions as CVE-2020-13933. - - - - - ca0ea21c by Markus Koschany at 2024-01-21T20:39:36+01:00 CVE-2023-48104,sogo: Buster is ignored Minor issue similar to the previously ignored ones. - - - - - 4ddb296c by Markus Koschany at 2024-01-21T20:39:36+01:00 Claim tomcat9 in dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -129,6 +129,7 @@ CVE-2024-22562 (swftools 0.9.2 was discovered to contain a Stack Buffer Underflo NOTE: https://github.com/matthiaskramm/swftools/issues/210 CVE-2024-22211 (FreeRDP is a set of free and open source remote desktop protocol libra ...) - freerdp2 (bug #1061173) + [buster] - freerdp2 (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rjhp-44rv-7v59 NOTE: https://github.com/FreeRDP/FreeRDP/commit/939e922936e9c3ae8fc204968645e5e7563a2fff (3.2.0) NOTE: https://github.com/FreeRDP/FreeRDP/commit/aeac3040cc99eeaff1e1171a822114c857b9dca9 (2.11.5) 
@@ -1112,6 +1113,7 @@ CVE-2023-49106 (Missing Password Field Masking vulnerability in Hitachi Device M NOT-FOR-US: Hitachi CVE-2023-48104 (Alinto SOGo before 5.9.1 is vulnerable to HTML Injection.) - sogo (bug #1060925) + [buster] - sogo (Minor issue) NOTE: Fixed by: https://github.com/Alinto/sogo/commit/7481ccf37087c3f456d7e5a844da01d0f8883098 (SOGo-5.9.1) CVE-2023-47460 (SQL injection vulnerability in Knovos Discovery v.22.67.0 allows a rem ...) NOT-FOR-US: Knovos Discovery @@ -1443,7 +1445,9 @@ CVE-2022-4962 (A vulnerability was found in Apollo 2.0.0/2.0.1 and classified as CVE-2023-50290 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) - lucene-solr (Vulnerable code not yet present) CVE-2023-46749 (Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a p ...) - - shiro (bug #1060754) + - shiro 1.3.2-5 (bug #1060754) + [bullseye] - shiro 1.3.2-4+deb11u1 + [buster] - shiro 1.3.2-4+deb10u1 NOTE: https://www.openwall.com/lists/oss-security/2024/01/12/2 CVE-2024-0232 (A heap use-after-free issue has been identified in SQLite in the jsonP ...) - sqlite3 3.43.2-1 @@ -4401,6 +4405,7 @@ CVE-2023-7123 (A vulnerability, which was classified as critical, has been found NOT-FOR-US: SourceCodester Medicine Tracking System CVE-2023-6879 (Increasing the resolution of video frames, while performing a multi-th ...) - aom 3.7.1-1 + [buster] - aom (Minor issue) NOTE: https://crbug.com/aomedia/3491 NOTE: Fixed by: https://aomedia.googlesource.com/aom
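Review bot: the shiro hunk (`- shiro 1.3.2-5 (bug #1060754)` plus the bullseye and buster fixed versions) records CVE-2023-46749 as fixed without the reasoning that justifies it; the commit message explains that blockSemicolon arrived with the CVE-2020-13933 fix and is enabled by default, but that only lives in git history. Add a `NOTE:` line next to the openwall link saying so, otherwise a later triager comparing the upstream range (before 1.13.0 / 2.0.0-alpha-4) against 1.3.2-5 will reopen the question.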
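Review bot: the added `[buster] - freerdp2 (Minor issue)` line in the freerdp2 hunk carries no state marker even though the commit message says "Buster is postponed", and the same holds for the sogo hunk (commit says ignored) and the aom hunk (commit says postponed). The tracker format expresses that state as a `<postponed>` or `<ignored>` tag before the parenthesised reason; the angle brackets are probably stripped by this mail rendering, but it is worth confirming the tags are in the file, because `(Minor issue)` alone does not say whether the issue is deferred or dropped for buster.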
[Git][security-tracker-team/security-tracker][master] 6 commits: Triage libcrypto++ CVE as no-dsa for Buster.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 307fc42f by Markus Koschany at 2024-01-15T15:02:54+01:00 Triage libcrypto++ CVE as no-dsa for Buster. Minor issues - - - - - e6e036e0 by Markus Koschany at 2024-01-15T15:02:56+01:00 CVE-2023-37117,liblivemedia: Mark Buster as ignored Minor issue - - - - - 5861332b by Markus Koschany at 2024-01-15T15:02:57+01:00 CVE-2024-0217,packagekit: Mark Buster as ignored Minor issue - - - - - 5c88fac8 by Markus Koschany at 2024-01-15T15:02:57+01:00 Add php-phpseclib to dla-needed.txt - - - - - 87aeee20 by Markus Koschany at 2024-01-15T15:02:57+01:00 Add phpseclib to dla-needed.txt - - - - - b1c9809e by Markus Koschany at 2024-01-15T15:02:58+01:00 CVE-2023-51713,proftpd-dfsg: Buster is no-dsa Minor issue - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -448,6 +448,7 @@ CVE-2023-40250 (Buffer Copy without Checking Size of Input ('Classic Buffer Over NOT-FOR-US: Hancom CVE-2023-37117 (A heap-use-after-free vulnerability was found in live555 version 2023. ...) - liblivemedia + [buster] - liblivemedia (Minor issue) NOTE: http://lists.live555.com/pipermail/live-devel/2023-June/022331.html CVE-2023-36842 (An Improper Check for Unusual or Exceptional Conditions vulnerability ...) NOT-FOR-US: Juniper @@ -2218,6 +2219,7 @@ CVE-2024-0217 (A use-after-free flaw was found in PackageKitd. In some condition - packagekit (bug #1060016) [bookworm] - packagekit (Minor issue) [bullseye] - packagekit (Minor issue) + [buster] - packagekit (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2256624 NOTE: Reducing impact via: https://github.com/PackageKit/PackageKit/commit/64278c9127e342b56ead99556161f7e86f79 (v1.2.7) CVE-2024-0201 (The Product Expiry for WooCommerce plugin for WordPress is vulnerable ...) 
@@ -3849,6 +3851,7 @@ CVE-2023-51713 (make_ftp_cmd in main.c in ProFTPD before 1.3.8a has a one-byte o - proftpd-dfsg 1.3.8.a+dfsg-1 [bookworm] - proftpd-dfsg (Minor issue) [bullseye] - proftpd-dfsg (Minor issue) + [buster] - proftpd-dfsg (Minor issue) NOTE: https://github.com/proftpd/proftpd/issues/1683 NOTE: https://github.com/proftpd/proftpd/commit/1376d8ccc0966d1ce9a1c76b32c6a9ca61bbe67f (v1.3.9rc1) NOTE: https://github.com/proftpd/proftpd/commit/97bbe68363ccf2de0c07f67170ec64a8b4d62592 (v1.3.8a) @@ -4989,16 +4992,19 @@ CVE-2023-50981 (ModularSquareRoot in Crypto++ (aka cryptopp) through 8.9.0 allow - libcrypto++ (bug #1059312) [bookworm] - libcrypto++ (Minor issue) [bullseye] - libcrypto++ (Minor issue) + [buster] - libcrypto++ (Minor issue) NOTE: https://github.com/weidai11/cryptopp/issues/1249 CVE-2023-50980 (gf2n.cpp in Crypto++ (aka cryptopp) through 8.9.0 allows attackers to ...) - libcrypto++ (bug #1059311) [bookworm] - libcrypto++ (Minor issue) [bullseye] - libcrypto++ (Minor issue) + [buster] - libcrypto++ (Minor issue) NOTE: https://github.com/weidai11/cryptopp/issues/1248 CVE-2023-50979 (Crypto++ (aka cryptopp) through 8.9.0 has a Marvin side channel during ...) - libcrypto++ (bug #1059310) [bookworm] - libcrypto++ (Minor issue) [bullseye] - libcrypto++ (Minor issue) + [buster] - libcrypto++ (Minor issue) NOTE: https://github.com/weidai11/cryptopp/issues/1247 CVE-2023-50976 (Redpanda before 23.1.21 and 23.2.x before 23.2.18 has missing authoriz ...) NOT-FOR-US: Redpanda = data/dla-needed.txt = 
@@ -168,6 +168,12 @@ nvidia-cuda-toolkit paramiko (tobi) NOTE: 20231225: Added by Front-Desk (ta) -- +php-phpseclib + NOTE: 20240114: Added by Front-Desk (apo) +-- +phpseclib + NOTE: 20240114: Added by Front-Desk (apo) +-- putty NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/770f6309c626cce57af1d61a098bc4177462b6b4...b1c9809e51889076bbc11b788cf51fa2ab9ca472 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/770f6309c626cce57af1d61a098bc4177462b6b4...b1c9809e51889076bbc11b788cf51fa2ab9ca472 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
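Review bot: the libcrypto++ hunk gives the identical one-word reason `(Minor issue)` for CVE-2023-50979, a Marvin timing side channel in RSA decryption, as for the two malformed-input issues (CVE-2023-50980, CVE-2023-50981); those are different risk classes, and a deferral of a side channel in a crypto library deserves a recorded rationale (for instance whether the affected decryption path is reachable from any buster reverse-dependency). Put that in a `NOTE:` line beside the upstream issue #1247 link rather than relying on `Minor issue`.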
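Review bot: in the data/dla-needed.txt hunk, the retained putty context line `NOTE: 20230104: massive code change against bullseye ...` is dated a year before the `20231224: Added by Front-Desk` line above it, so it is presumably meant to read 20240104 and could be fixed while the file is open. The two new entries, php-phpseclib and phpseclib, are source packages with near-identical names and each carries only the Front-Desk line; a note stating which CVE applies to which package would save whoever claims them a lookup.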
[Git][security-tracker-team/security-tracker][master] 3 commits: Remove postfix from dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 0070eef2 by Markus Koschany at 2024-01-09T08:41:19+01:00 Remove postfix from dla-needed.txt - - - - - 622e37f6 by Markus Koschany at 2024-01-09T08:41:20+01:00 CVE-2023-51764,postfix: Mark Buster as no-dsa There exists a configuration setting described in https://www.postfix.org/smtp-smuggling.html to mitigate the problem. - - - - - 998aa899 by Markus Koschany at 2024-01-09T08:41:20+01:00 Claim knot-resolver in dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -2144,6 +2144,7 @@ CVE-2023-51764 (Postfix through 3.8.4 allows SMTP smuggling unless configured wi - postfix 3.8.4-1 (bug #1059230) [bookworm] - postfix (Minor issue; mitigations exist) [bullseye] - postfix (Minor issue; mitigations exist) + [buster] - postfix (Minor issue; mitigations exist) NOTE: https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/ NOTE: https://www.openwall.com/lists/oss-security/2023/12/21/6 NOTE: https://www.postfix.org/smtp-smuggling.html = data/dla-needed.txt = @@ -107,7 +107,7 @@ keystone (rouca) NOTE: 20231102: Sync (eg. CVE-2021-38155) with stable etc. (lamby) NOTE: 20240105: FTBFS due to https://github.com/testing-cabal/subunit/pull/40 (rouca) -- -knot-resolver +knot-resolver (Markus Koschany) NOTE: 20231029: Added by Front-Desk (gladk) -- kodi (Abhijith PA) 
@@ -164,9 +164,6 @@ nvidia-cuda-toolkit paramiko (tobi) NOTE: 20231225: Added by Front-Desk (ta) -- -postfix (Markus Koschany) - NOTE: 20231224: Added by Front-Desk (ta) --- putty NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7f373d763b04b785f33c37fcd3ff3fbd1c7151c3...998aa899a4882bc9b0d48e98ba615eb71f20576f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7f373d763b04b785f33c37fcd3ff3fbd1c7151c3...998aa899a4882bc9b0d48e98ba615eb71f20576f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
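Review bot: the reason in the added `[buster] - postfix (Minor issue; mitigations exist)` line does not say which configuration setting from the linked postfix.org smtp-smuggling page applies to the buster package, so an LTS administrator reading the tracker has to work that out from the upstream page; since the mitigation is an administrator action rather than a packaged fix, name the setting in a `NOTE:` line. The dla-needed.txt changes (knot-resolver claimed, postfix entry dropped) are consistent with the no-dsa decision.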
[Git][security-tracker-team/security-tracker][master] Re-add squid to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: c5c209dd by Markus Koschany at 2024-01-09T01:15:53+01:00 Re-add squid to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -227,6 +227,11 @@ samba sendmail NOTE: 20231224: Added by Front-Desk (ta) -- +squid + NOTE: 20240109: Added by Front-Desk (apo) + NOTE: 20240109: I ask for another pair of eyes for CVE-2023-5824. The fix + NOTE: 20240109: appears to be intrusive. I could not locate the fix for CVE-2023-49288 yet. (apo) +-- sudo (Adrian Bunk) NOTE: 20231224: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5c209dda1e2c84085886d5ed351c61c605e5248 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5c209dda1e2c84085886d5ed351c61c605e5248 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
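Review bot: the wrapped squid note in the dla-needed.txt hunk repeats the `NOTE: 20240109:` prefix on its continuation line (`NOTE: 20240109: appears to be intrusive. ...`), which in this file's convention reads as a second, separate note rather than the rest of the first one; keep the continuation on the same `NOTE:` line or start it without a fresh date stamp. The open question about CVE-2023-49288's fix is usefully recorded here and should be resolved before the entry is claimed again.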
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3709-1 for squid
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: b5444bf5 by Markus Koschany at 2024-01-09T01:01:18+01:00 Reserve DLA-3709-1 for squid - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[09 Jan 2024] DLA-3709-1 squid - security update + {CVE-2023-46846 CVE-2023-46847 CVE-2023-49285 CVE-2023-49286 CVE-2023-50269} + [buster] - squid 4.6-1+deb10u9 [05 Jan 2024] DLA-3708-1 exim4 - security update {CVE-2023-51766} [buster] - exim4 4.92-8+deb10u9 = data/dla-needed.txt = @@ -227,11 +227,6 @@ samba sendmail NOTE: 20231224: Added by Front-Desk (ta) -- -squid - NOTE: 20231102: Added by Front-Desk (lamby) - NOTE: 20231218: Investigating new CVE. (apo) - NOTE: 20231223: The update requires a few more tests. Intend to release after the holidays. --- sudo (Adrian Bunk) NOTE: 20231224: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5444bf525df42a73e046417729621220c206b80 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5444bf525df42a73e046417729621220c206b80 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2023-46728,squid: Mark Buster as ignored
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 8a58e795 by Markus Koschany at 2024-01-08T21:51:11+01:00 CVE-2023-46728,squid: Mark Buster as ignored Gopher support has been removed upstream. Since Gopher is ancient and rarely used, we recommend to reject all gopher URL requests. - - - - - 9c498ef6 by Markus Koschany at 2024-01-08T23:24:45+01:00 Merge branch master of salsa.debian.org:security-tracker-team/security-tracker - - - - - 0dada7df by Markus Koschany at 2024-01-08T23:25:58+01:00 CVE-2023-46728,squid: Mark Bullseye and Bookworm also as ignored The same reasoning applies to newer releases. Gopher support has just been removed, no fix is available and the simple workaround is to reject Gopher URLs which in 2024 shouldnt be a problem. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -13502,6 +13502,9 @@ CVE-2021-46897 (views.py in Wagtail CRX CodeRed Extensions (formerly CodeRed CMS NOT-FOR-US: Wagtail CRX CodeRed Extensions CVE-2023-46728 (Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and ...) - squid 6.1-1 + [bookworm] - squid (unsupported, Gopher support has been removed upstream) + [bullseye] - squid (unsupported, Gopher support has been removed upstream) + [buster] - squid (unsupported, Gopher support has been removed upstream) NOTE: No code fix, gopher support was removed: NOTE: https://github.com/squid-cache/squid/commit/6ea12e8fb590ac6959e9356a81aa3370576568c3 (SQUID_6_0_1) NOTE: https://github.com/squid-cache/squid/security/advisories/GHSA-cg5h-v6vc-w33f View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2f31272fab38603e91f0ec86d08b77d8ac71b410...0dada7df366d9b70323fc63d2605600605281d11 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2f31272fab38603e91f0ec86d08b77d8ac71b410...0dada7df366d9b70323fc63d2605600605281d11 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
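Review bot: the three added `squid (unsupported, Gopher support has been removed upstream)` lines explain why there is no fix but not what an administrator should do, while both commit messages state the actual guidance (reject all Gopher URL requests); add that workaround as a `NOTE:` line next to the existing `No code fix, gopher support was removed:` note so it appears on the tracker page for CVE-2023-46728, since `unsupported` on its own reads as "nothing to do" rather than "block the protocol in your configuration".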
[Git][security-tracker-team/security-tracker][master] Claim postfix in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: bdf2ecb3 by Markus Koschany at 2024-01-05T23:22:16+01:00 Claim postfix in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -166,7 +166,7 @@ nvidia-cuda-toolkit paramiko NOTE: 20231225: Added by Front-Desk (ta) -- -postfix +postfix (Markus Koschany) NOTE: 20231224: Added by Front-Desk (ta) -- putty View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bdf2ecb3ce4155955c9c1af4c6e3fc3f6b1c2a3f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bdf2ecb3ce4155955c9c1af4c6e3fc3f6b1c2a3f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3708-1 for exim4
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3f36ff2f by Markus Koschany at 2024-01-05T23:04:57+01:00 Reserve DLA-3708-1 for exim4 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[05 Jan 2024] DLA-3708-1 exim4 - security update + {CVE-2023-51766} + [buster] - exim4 4.92-8+deb10u9 [05 Jan 2024] DLA-3707-1 tomcat9 - security update {CVE-2023-46589} [buster] - tomcat9 9.0.31-1~deb10u11 = data/dla-needed.txt = @@ -78,9 +78,6 @@ edk2 NOTE: 20231230: Added by Front-Desk (lamby) NOTE: 20231230: CVE-2019-11098 fixed in bullseye via DSA or point release (lamby) -- -exim4 (Markus Koschany) - NOTE: 20231224: Added by Front-Desk (ta) --- frr NOTE: 20231119: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f36ff2fae0813faa15c850fcf3fe84d141cae98 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f36ff2fae0813faa15c850fcf3fe84d141cae98 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim squid in dsa-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 7d093b40 by Markus Koschany at 2024-01-04T22:25:51+01:00 Claim squid in dsa-needed.txt - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -79,7 +79,7 @@ samba/oldstable slurm-wlm Asking Gennaro Oliva for preparing updates -- -squid +squid (apo) -- varnish -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7d093b40f9b18bfc0af0ac4a676953bc2d9ec196 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7d093b40f9b18bfc0af0ac4a676953bc2d9ec196 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DSA-5596-1 for asterisk
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: b91e60e8 by Markus Koschany at 2024-01-04T22:13:06+01:00 Reserve DSA-5596-1 for asterisk - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[04 Jan 2024] DSA-5596-1 asterisk - security update + {CVE-2023-37457 CVE-2023-38703 CVE-2023-49294 CVE-2023-49786} + [bullseye] - asterisk 1:16.28.0~dfsg-0+deb11u4 [04 Jan 2024] DSA-5595-1 chromium - security update {CVE-2024-0222 CVE-2024-0223 CVE-2024-0224 CVE-2024-0225} [bullseye] - chromium 120.0.6099.199-1~deb11u1 = data/dsa-needed.txt = @@ -11,8 +11,6 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. --- -asterisk (apo) -- cacti -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b91e60e8b9a5ad770ff41965f1c3c3f8cc30348b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b91e60e8b9a5ad770ff41965f1c3c3f8cc30348b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3706-1 for netatalk
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: bc48f615 by Markus Koschany at 2024-01-04T22:06:55+01:00 Reserve DLA-3706-1 for netatalk - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[04 Jan 2024] DLA-3706-1 netatalk - security update + {CVE-2022-22995} + [buster] - netatalk 3.1.12~ds-3+deb10u5 [31 Dec 2023] DLA-3705-1 php-guzzlehttp-psr7 - security update {CVE-2023-29197} [buster] - php-guzzlehttp-psr7 1.4.2-0.1+deb10u2 = data/dla-needed.txt = @@ -146,9 +146,6 @@ linux-5.10 mariadb-10.3 NOTE: 20231129: Added by Front-Desk (Beuc) -- -netatalk (Markus Koschany) - NOTE: 20231119: Added by Front-Desk (apo) --- node-webpack NOTE: 20231005: Added by Front-Desk (Beuc) NOTE: 20231005: Follow fixes from bullseye 11.7 (1 CVE) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc48f61554df39ba1fedbf1d484199cd0e915448 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc48f61554df39ba1fedbf1d484199cd0e915448 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Claim asterisk in dsa-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 346e501d by Markus Koschany at 2023-12-29T00:06:20+01:00 Claim asterisk in dsa-needed.txt - - - - - 48def921 by Markus Koschany at 2023-12-29T00:07:48+01:00 Claim exim4 and netatalk in dla-needed.txt - - - - - 2 changed files: - data/dla-needed.txt - data/dsa-needed.txt Changes: = data/dla-needed.txt = @@ -72,7 +72,7 @@ dogecoin dropbear (guilhem) NOTE: 20231219: Added by Front-Desk (ta) -- -exim4 +exim4 (Markus Koschany) NOTE: 20231224: Added by Front-Desk (ta) -- firefox-esr (Emilio) @@ -144,7 +144,7 @@ linux-5.10 mariadb-10.3 NOTE: 20231129: Added by Front-Desk (Beuc) -- -netatalk +netatalk (Markus Koschany) NOTE: 20231119: Added by Front-Desk (apo) -- node-webpack = data/dsa-needed.txt = @@ -12,7 +12,7 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. -- -asterisk +asterisk (apo) -- cryptojs -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d420ec5228fd0d5fe5a0015d72ab585b1a3238a3...48def921c58bd6308eb95dab35d751484b216dfc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d420ec5228fd0d5fe5a0015d72ab585b1a3238a3...48def921c58bd6308eb95dab35d751484b216dfc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3696-1 for asterisk
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: d420ec52 by Markus Koschany at 2023-12-28T23:55:14+01:00 Reserve DLA-3696-1 for asterisk - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[28 Dec 2023] DLA-3696-1 asterisk - security update + {CVE-2023-37457 CVE-2023-38703 CVE-2023-49294 CVE-2023-49786} + [buster] - asterisk 1:16.28.0~dfsg-0+deb10u4 [28 Dec 2023] DLA-3695-1 ansible - security update {CVE-2019-10206 CVE-2021-3447 CVE-2021-3583 CVE-2021-3620 CVE-2021-20178 CVE-2021-20191 CVE-2022-3697 CVE-2023-5115} [buster] - ansible 2.7.7+dfsg-1+deb10u2 = data/dla-needed.txt = @@ -30,9 +30,6 @@ ansible NOTE: 20231217: Triaging done a few mail send upstream for claryfication purposes (rouca) NOTE: 20231228: Made a partial release DLA-3695-1 (rouca), waiting for lee -- -asterisk (Markus Koschany) - NOTE: 20231210: Added by Front-Desk (ta) --- bind9 (Thorsten Alteholz) NOTE: 20230921: Added by Front-Desk (apo) NOTE: 20231008: backporting patches View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d420ec5228fd0d5fe5a0015d72ab585b1a3238a3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d420ec5228fd0d5fe5a0015d72ab585b1a3238a3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: Remove bouncycastle from dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 4a07c938 by Markus Koschany at 2023-12-23T22:00:07+01:00 Remove bouncycastle from dla-needed.txt - - - - - 5775dc48 by Markus Koschany at 2023-12-23T22:09:43+01:00 CVE-2023-33202,bouncycastle: Buster is ignored Buster is vulnerable. Just apply the test patch from https://salsa.debian.org/java-team/bouncycastle/-/blob/buster/debian/patches/test-CVE-2023-33202.patch?ref_type=heads to verify it. The ASN1 module has been completely reworked in newer releases and the upstream patch cannot be applied as is. I know that the changes break reverse-dependencies hence I am going to mark this issue as ignored in Buster. - - - - - 15d84ba1 by Markus Koschany at 2023-12-23T22:10:43+01:00 Update squid notes. Claim asterisk in dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -5765,6 +5765,7 @@ CVE-2023-33202 (Bouncy Castle for Java before 1.73 contains a potential Denial o - bouncycastle 1.77-1 (bug #1056754) [bookworm] - bouncycastle (Minor issue) [bullseye] - bouncycastle (Minor issue) + [buster] - bouncycastle (Minor issue) NOTE: https://github.com/bcgit/bc-java/wiki/CVE-2023-33202 NOTE: Fixed by https://github.com/bcgit/bc-java/commit/0c576892862ed41894f49a8f639112e8d66d229c (r1rv73) CVE-2023-43123 (On unix-like systems, the temporary directory is shared between all us ...) = data/dla-needed.txt = @@ -29,7 +29,7 @@ ansible (rouca) NOTE: 20231217: Begin to triage CVEs (rouca) NOTE: 20231217: Triaging done a few mail send upstream for claryfication purposes (rouca) -- -asterisk +asterisk (Markus Koschany) NOTE: 20231210: Added by Front-Desk (ta) -- bind9 (Thorsten Alteholz) 
@@ -37,12 +37,6 @@ bind9 (Thorsten Alteholz) NOTE: 20231008: backporting patches NOTE: 20231217: almost done with testing -- -bouncycastle (Markus Koschany) - NOTE: 20231127: Added by Front-Desk (Beuc) - NOTE: 20231127: Also fix pending no-dsa CVEs, in particular CVE-2020-26939 was fixed in stretch-lts (Beuc/front-desk) - NOTE: 20231128: I can't find changes in PEMParser.java related to CVE-2023-33202, maybe contact upstream (Beuc/front-desk) - NOTE: 20231218: Decision impending. (apo) --- cacti (Sylvain Beucler) NOTE: 20230906: Added by Front-Desk (lamby) NOTE: 20231205: Triaging CVEs backlog (Beuc) @@ -217,6 +211,7 @@ samba squid (Markus Koschany) NOTE: 20231102: Added by Front-Desk (lamby) NOTE: 20231218: Investigating new CVE. (apo) + NOTE: 20231223: The update requires a few more tests. Intend to release after the holidays. -- suricata (Adrian Bunk) NOTE: 20230620: Added by Front-Desk (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/87fd535340305ac0bdabf6eb1c931776f0599262...15d84ba15106c190afd0ad7cdc8fe1d234b1a1b2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/87fd535340305ac0bdabf6eb1c931776f0599262...15d84ba15106c190afd0ad7cdc8fe1d234b1a1b2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
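Review bot: the added `[buster] - bouncycastle (Minor issue)` line in the data/CVE/list hunk contradicts the commit message, which says buster is vulnerable and the issue is being ignored because the upstream ASN1 rework cannot be backported without breaking reverse-dependencies. The reason text should say that (for example `(Fix too intrusive, ASN1 module reworked upstream)`), and the test patch path from the commit message belongs in a `NOTE:` line so the next person can repeat the verification; `Minor issue` is the wording used for low-impact deferrals and will mislead anyone reading the CVE-2023-33202 tracker page.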
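Review bot: removing the bouncycastle entry from dla-needed.txt also drops the Front-Desk note `Also fix pending no-dsa CVEs, in particular CVE-2020-26939 was fixed in stretch-lts`, and nothing in this series touches CVE-2020-26939 in data/CVE/list; either that CVE's buster status should be updated together with CVE-2023-33202, or the entry should stay with a note that the pending no-dsa issues are being ignored as well. The squid note added in the same hunk is fine as is.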
[Git][security-tracker-team/security-tracker][master] Update notes of squid and bouncycastle in dla-needed.txt and reclaim the
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: bfb04929 by Markus Koschany at 2023-12-18T15:47:48+01:00 Update notes of squid and bouncycastle in dla-needed.txt and reclaim the packages. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -37,10 +37,11 @@ bind9 (Thorsten Alteholz) NOTE: 20231008: backporting patches NOTE: 20231217: almost done with testing -- -bouncycastle +bouncycastle (Markus Koschany) NOTE: 20231127: Added by Front-Desk (Beuc) NOTE: 20231127: Also fix pending no-dsa CVEs, in particular CVE-2020-26939 was fixed in stretch-lts (Beuc/front-desk) NOTE: 20231128: I can't find changes in PEMParser.java related to CVE-2023-33202, maybe contact upstream (Beuc/front-desk) + NOTE: 20231218: Decision impending. (apo) -- cacti (Sylvain Beucler) NOTE: 20230906: Added by Front-Desk (lamby) @@ -205,8 +206,9 @@ salt samba NOTE: 20230918: Added by Front-Desk (apo) -- -squid +squid (Markus Koschany) NOTE: 20231102: Added by Front-Desk (lamby) + NOTE: 20231218: Investigating new CVE. (apo) -- suricata (Adrian Bunk) NOTE: 20230620: Added by Front-Desk (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bfb04929cfee7d2f42db0a4d284c88fffe92132e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bfb04929cfee7d2f42db0a4d284c88fffe92132e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3687-1 for rabbitmq-server
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 0cba743a by Markus Koschany at 2023-12-13T23:11:31+01:00 Reserve DLA-3687-1 for rabbitmq-server - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[13 Dec 2023] DLA-3687-1 rabbitmq-server - security update + {CVE-2023-46118} + [buster] - rabbitmq-server 3.8.2-1+deb10u2 [13 Dec 2023] DLA-3686-1 xorg-server - security update {CVE-2023-6377 CVE-2023-6478} [buster] - xorg-server 2:1.20.4-1+deb10u11 = data/dla-needed.txt = @@ -170,9 +170,6 @@ python-os-brick NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -rabbitmq-server (Markus Koschany) - NOTE: 20231119: Added by Front-Desk (apo) --- rails NOTE: 20220909: Re-added due to regression (abhijith) NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0cba743a4d9db4adee1ee207214af2b75acaafa7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0cba743a4d9db4adee1ee207214af2b75acaafa7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reclaim rabbitmq-server in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: f2ec2f3d by Markus Koschany at 2023-12-11T18:41:52+01:00 Reclaim rabbitmq-server in dla-needed.txt Ready. Coming soon. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -170,7 +170,7 @@ python-os-brick NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -rabbitmq-server +rabbitmq-server (Markus Koschany) NOTE: 20231119: Added by Front-Desk (apo) -- rails View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2ec2f3d8588cc9eed9cbe391d2a044ab041a787 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2ec2f3d8588cc9eed9cbe391d2a044ab041a787 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-33202,bouncycastle: link to fixing commit
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: b02c3a18 by Markus Koschany at 2023-12-04T18:04:21+01:00 CVE-2023-33202,bouncycastle: link to fixing commit The actual fix is not in PEMParser.java but in ASN1Set.java. Upstream provided more details and a reproducer to me but asked me not to share it for now. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1412,6 +1412,7 @@ CVE-2023-33202 (Bouncy Castle for Java before 1.73 contains a potential Denial o [bookworm] - bouncycastle (Minor issue) [bullseye] - bouncycastle (Minor issue) NOTE: https://github.com/bcgit/bc-java/wiki/CVE-2023-33202 + NOTE: Fixed by https://github.com/bcgit/bc-java/commit/0c576892862ed41894f49a8f639112e8d66d229c CVE-2023-43123 (On unix-like systems, the temporary directory is shared between all us ...) NOT-FOR-US: Apache Storm CVE-2023-49146 (DOMSanitizer (aka dom-sanitizer) before 1.0.7 allows XSS via an SVG do ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b02c3a18d2e8220176f1682824731a973b3c3281 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b02c3a18d2e8220176f1682824731a973b3c3281 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
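Review bot: the added `NOTE: Fixed by https://github.com/bcgit/bc-java/commit/0c576892862ed41894f49a8f639112e8d66d229c` line records the URL but drops the one detail the commit message adds, that the fix is in ASN1Set.java and not in PEMParser.java; the open dla-needed.txt note for bouncycastle still says no related change could be found in PEMParser.java, so putting the file name into the NOTE (and the fixed upstream release in parentheses, as the other fixing-commit notes in this file do, here 1.73 per the entry's own description) lets the LTS backporter find the right code without reading git log.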
[Git][security-tracker-team/security-tracker][master] CVE-2023-46589,tomcat10: fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 29938fd3 by Markus Koschany at 2023-12-03T13:39:17+01:00 CVE-2023-46589,tomcat10: fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -714,7 +714,7 @@ CVE-2023-40056 (SQL Injection Remote Code Vulnerability was found in the SolarWi CVE-2023-34055 (In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, ...) NOT-FOR-US: Spring Boot CVE-2023-46589 (Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 1 ...) - - tomcat10 (bug #1057082) + - tomcat10 10.1.16-1 (bug #1057082) - tomcat9 9.0.70-2 - tomcat8 NOTE: https://www.openwall.com/lists/oss-security/2023/11/28/2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29938fd3598d60cb5719050d922ae571261e8586 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29938fd3598d60cb5719050d922ae571261e8586 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Remove flatpak from dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 7e9a816a by Markus Koschany at 2023-11-30T23:11:40+01:00 Remove flatpak from dla-needed.txt As discussed with Sylvain via private email. Here is my reasoning from 13.07.2023 again. CVE-2023-28100 and CVE-2023-28101 are minor issues and most users will install their applications via GUIs and from trusted repositories anyway. An upgrade to the 1.10.x series would require backports of at least bubblewrap and ostree. This may or may not cause regressions in other applications. The risk to reward ratio is rather unfavorable in this case and since targeted fixes are also intrusive and sensible workarounds do exist, it is better to keep flatpak as is. - - - - - 1fd38ff1 by Markus Koschany at 2023-11-30T23:13:56+01:00 CVE-2023-28100,CVE-2023-28101,flatpak: mark both CVE as ignored in Buster - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -39151,7 +39151,7 @@ CVE-2023-28102 (discordrb is an implementation of the Discord API using Ruby. In CVE-2023-28101 (Flatpak is a system for building, distributing, and running sandboxed ...) - flatpak 1.14.4-1 (bug #1033098) [bullseye] - flatpak 1.10.8-0+deb11u1 - [buster] - flatpak (Minor issue) + [buster] - flatpak (Minor issue) NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-h43h-fwqx-mpp8 NOTE: https://github.com/flatpak/flatpak/commit/6cac99dafe6003c8a4bd5666341c217876536869 (1.15.4) NOTE: https://github.com/flatpak/flatpak/commit/7fe63f2e8f1fd2dafc31d45154cf0b191ebec66c (1.15.4) 
@@ -39161,7 +39161,7 @@ CVE-2023-28101 (Flatpak is a system for building, distributing, and running sand CVE-2023-28100 (Flatpak is a system for building, distributing, and running sandboxed ...) - flatpak 1.14.4-1 (bug #1033099) [bullseye] - flatpak 1.10.8-0+deb11u1 - [buster] - flatpak (Minor issue) + [buster] - flatpak (Minor issue) NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-7qpw-3vjv-xrqp NOTE: https://github.com/flatpak/flatpak/commit/8e63de9a7d3124f91140fc74f8ca9ed73ed53be9 (1.15.4) NOTE: https://github.com/flatpak/flatpak/commit/a9bf18040cc075a70657c6090a59d7f6fe78f893 (1.10.8) = data/dla-needed.txt = @@ -59,10 +59,6 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- -flatpak - NOTE: 20231006: Added by Front-Desk (Beuc) - NOTE: 20231006: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk) --- frr NOTE: 20231119: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8bf283d8bfddc75770dd9178b0d15c025c8e3ebf...1fd38ff1b65935881a8402e4d42d556f695a3023 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8bf283d8bfddc75770dd9178b0d15c025c8e3ebf...1fd38ff1b65935881a8402e4d42d556f695a3023 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
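Review bot: in both data/CVE/list hunks the `+ [buster] - flatpak (Minor issue)` line is identical to the `- [buster] - flatpak (Minor issue)` line it replaces, so the ignored status that the second commit message announces is not visible in the rendered diff; if the committed line carries the tracker's ignored tag it has been stripped in this rendering, otherwise the change is a no-op and the tag still needs adding. The rationale from the first commit message (a 1.10.x upgrade would need bubblewrap and ostree backports, targeted fixes are intrusive, workarounds exist) also lives only in git history; a NOTE line under each of the two entries would keep it where the triage decision is read.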
[Git][security-tracker-team/security-tracker][master] CVE-2023-33201,CVE-2023-33202,bouncycastle: fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 0fde016a by Markus Koschany at 2023-11-30T22:29:20+01:00 CVE-2023-33201,CVE-2023-33202,bouncycastle: fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -938,7 +938,7 @@ CVE-2023-3631 (Improper Neutralization of Special Elements used in an SQL Comman CVE-2023-3377 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) NOT-FOR-US: Veribilim Software Computer Veribase CVE-2023-33202 (Bouncy Castle for Java before 1.73 contains a potential Denial of Serv ...) - - bouncycastle (bug #1056754) + - bouncycastle 1.77-1 (bug #1056754) [bookworm] - bouncycastle (Minor issue) [bullseye] - bouncycastle (Minor issue) NOTE: https://github.com/bcgit/bc-java/wiki/CVE-2023-33202 @@ -27501,7 +27501,7 @@ CVE-2023-33203 (The Linux kernel before 6.2.9 has a race condition and resultant NOTE: https://git.kernel.org/linus/6b6bc5b8bd2d4ca9e1efa9ae0f98a0b0687ace75 (6.3-rc4) CVE-2023-33201 (Bouncy Castle For Java before 1.74 is affected by an LDAP injection vu ...) {DLA-3514-1} - - bouncycastle (bug #1040050) + - bouncycastle 1.77-1 (bug #1040050) [bookworm] - bouncycastle (Minor issue) [bullseye] - bouncycastle (Minor issue) NOTE: https://github.com/bcgit/bc-java/wiki/CVE-2023-33201 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fde016ab6c3471d88617f700dbcabd3587edafd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fde016ab6c3471d88617f700dbcabd3587edafd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-23583,intel-microcode: clarify postponed reason
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 2403d2a9 by Markus Koschany at 2023-11-29T12:21:35+01:00 CVE-2023-23583,intel-microcode: clarify postponed reason CVE-2023-23583 affects only newer CPU features. Can be fixed with the next round of CVE. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2254,7 +2254,7 @@ CVE-2023-5528 (A security issue was discovered in Kubernetes where a user that c CVE-2023-23583 (Sequence of processor instructions leads to unexpected behavior for so ...) {DSA-5563-1} - intel-microcode 3.20231114.1 (bug #1055962) - [buster] - intel-microcode (Wait for exposure in unstable) + [buster] - intel-microcode (Minor issue for older releases. Affects only newer CPU features.) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00950.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20231114 NOTE: https://lock.cmpxchg8b.com/reptar.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2403d2a9914645e7fe9a32e5af08273d54b95e5d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2403d2a9914645e7fe9a32e5af08273d54b95e5d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim bouncycastle and squid in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 79f6e7d8 by Markus Koschany at 2023-11-27T19:43:26+01:00 Claim bouncycastle and squid in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -29,7 +29,7 @@ bind9 (Thorsten Alteholz) NOTE: 20231008: backporting patches NOTE: 20231119: almost done with testing -- -bouncycastle +bouncycastle (Markus Koschany) NOTE: 20231127: Added by Front-Desk (Beuc) NOTE: 20231127: Also fix pending no-dsa CVEs, in particular CVE-2020-26939 was fixed in stretch-lts (Beuc/front-desk) -- @@ -221,7 +221,7 @@ salt samba NOTE: 20230918: Added by Front-Desk (apo) -- -squid +squid (Markus Koschany) NOTE: 20231102: Added by Front-Desk (lamby) -- suricata (Adrian Bunk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/79f6e7d8bef1f46d3da8fcb2043bcc3cbea6b48e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/79f6e7d8bef1f46d3da8fcb2043bcc3cbea6b48e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Remove curl from dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 8ad8336e by Markus Koschany at 2023-11-24T19:40:42+01:00 Remove curl from dla-needed.txt This was a bit confusing. Apparently curl was added to dla-needed.txt and afterwards someone triaged the two open CVEs as no-dsa. I reviewed the decision to mark CVE-2023-27534 and CVE-2023-28322 and I believe no-dsa is the correct decision. CVE-2023-28322 does not affect the command line tool and even a use after free is not present in libcurl. This is a rather theoretical behavior violation. CVE-2023-27534 requires the new internal dnybuf functions which are not present in Buster's curl version. The described scenario is unlikely because sftp users are usually restricted by the ssh server and a buggy client can't just simply access a file in another user's home directory. - - - - - 658354ca by Markus Koschany at 2023-11-24T19:40:42+01:00 Claim rabbitmq-server in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -43,10 +43,6 @@ cinder cryptojs (guilhem) NOTE: 20231119: Added by Front-Desk (apo) -- -curl (Markus Koschany) - NOTE: 20231103: Added by Front-Desk (lamby) - NOTE: 20231103: Sync with stable. (lamby) --- docker.io NOTE: 20230303: Added by Front-Desk (Beuc) NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) 
@@ -188,7 +184,7 @@ python-requestbuilder NOTE: 20231108: Added by Front-Desk (santiago) NOTE: 20231108: Need to handle incompatibilities with versions in debian packages, brought up by PEP 440. See https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/70 -- -rabbitmq-server +rabbitmq-server (Markus Koschany) NOTE: 20231119: Added by Front-Desk (apo) -- rails View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7e00cf6fe4933a4259a4e230e870dcbaa59337e3...658354ca67fe6ddab6709e10ebf22a55c4c7c53e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7e00cf6fe4933a4259a4e230e870dcbaa59337e3...658354ca67fe6ddab6709e10ebf22a55c4c7c53e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
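Review bot: the curl hunk only deletes the entry from dla-needed.txt; the reasoning in the commit message for keeping CVE-2023-27534 and CVE-2023-28322 as no-dsa (the new internal dnybuf functions absent from Buster's curl, the command line tool unaffected by CVE-2023-28322) is not recorded on the data/CVE/list entries. The dla-needed.txt header visible in a later hunk asks that history be preserved by appending notes rather than removing them; the equivalent for a no-dsa decision is a NOTE line under each CVE, so the next triager does not repeat this review when the package is re-added.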
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3664-1 for symfony
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 317bbfde by Markus Koschany at 2023-11-24T19:19:15+01:00 Reserve DLA-3664-1 for symfony - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[24 Nov 2023] DLA-3664-1 symfony - security update + {CVE-2023-46734} + [buster] - symfony 3.4.22+dfsg-2+deb10u3 [24 Nov 2023] DLA-3663-1 strongswan - security update {CVE-2023-41913} [buster] - strongswan 5.7.2-1+deb10u4 = data/dla-needed.txt = @@ -245,9 +245,6 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -symfony (Markus Koschany) - NOTE: 20231118: Added by Front-Desk (apo) --- thunderbird (Emilio) NOTE: 20231122: Added by Front-Desk (ola) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/317bbfde51264bb0ced64c23b7db51a99a7172b8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/317bbfde51264bb0ced64c23b7db51a99a7172b8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Claim curl and symfony in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: f36c0119 by Markus Koschany at 2023-11-22T20:07:05+01:00 Claim curl and symfony in dla-needed.txt - - - - - fc9c0a74 by Markus Koschany at 2023-11-22T20:08:15+01:00 Reserve DLA-3660-1 for gnutls28 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[22 Nov 2023] DLA-3660-1 gnutls28 - security update + {CVE-2023-5981} + [buster] - gnutls28 3.6.7-4+deb10u11 [21 Nov 2023] DLA-3659-1 gimp - security update {CVE-2022-30067 CVE-2023-2 CVE-2023-4} [buster] - gimp 2.10.8-2+deb10u1 = data/dla-needed.txt = @@ -43,7 +43,7 @@ cinder cryptojs (guilhem) NOTE: 20231119: Added by Front-Desk (apo) -- -curl +curl (Markus Koschany) NOTE: 20231103: Added by Front-Desk (lamby) NOTE: 20231103: Sync with stable. (lamby) -- @@ -75,9 +75,6 @@ freeimage (gladk) frr NOTE: 20231119: Added by Front-Desk (apo) -- -gnutls28 (Markus Koschany) - NOTE: 20231117: Added by Front-Desk (apo) --- gst-plugins-bad1.0 (Thorsten Alteholz) NOTE: 20231118: Added by Front-Desk (apo) -- @@ -258,7 +255,7 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -symfony +symfony (Markus Koschany) NOTE: 20231118: Added by Front-Desk (apo) -- tor View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/815355e66df3a41c63115d214d90577269c430ae...fc9c0a74db24c7f32f782c3e3fdc674b0ec6daf9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/815355e66df3a41c63115d214d90577269c430ae...fc9c0a74db24c7f32f782c3e3fdc674b0ec6daf9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim gnutls28 in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 6bedd532 by Markus Koschany at 2023-11-20T23:24:17+01:00 Claim gnutls28 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -78,7 +78,7 @@ frr gimp (Adrian Bunk) NOTE: 20231117: Added by Front-Desk (apo) -- -gnutls28 +gnutls28 (Markus Koschany) NOTE: 20231117: Added by Front-Desk (apo) -- gst-plugins-bad1.0 (Thorsten Alteholz) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6bedd532f7cf29192ea1a8e272cfa819b1e8bdd9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6bedd532f7cf29192ea1a8e272cfa819b1e8bdd9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3658-1 for wordpress
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: fb6522fe by Markus Koschany at 2023-11-20T21:52:00+01:00 Reserve DLA-3658-1 for wordpress - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[20 Nov 2023] DLA-3658-1 wordpress - security update + {CVE-2023-5561 CVE-2023-3} + [buster] - wordpress 5.0.20+dfsg1-0+deb10u1 [20 Nov 2023] DLA-3657-1 activemq - security update {CVE-2020-13920 CVE-2021-26117 CVE-2023-46604} [buster] - activemq 5.15.16-0+deb10u1 = data/dla-needed.txt = @@ -274,9 +274,6 @@ vlc wireshark (Adrian Bunk) NOTE: 20231118: Added by Front-Desk (apo) -- -wordpress (Markus Koschany) - NOTE: 20231119: Added by Front-Desk (apo) --- zabbix NOTE: 20231015: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb6522fee7ae6e2c6036673fe37295b789d19a42 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb6522fee7ae6e2c6036673fe37295b789d19a42 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
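Review bot: the added `{CVE-2023-5561 CVE-2023-3}` line contains `CVE-2023-3`, which is not a well-formed CVE identifier; the later commit titled `CVE-2023-39999,wordpress: link to upstream changeset` suggests CVE-2023-39999 is meant. If this is only a truncation in this rendering the committed line is fine, otherwise the DLA/list entry needs the full identifier or it will not match the corresponding data/CVE/list entry.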
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3657-1 for activemq
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: e07f843a by Markus Koschany at 2023-11-20T21:50:55+01:00 Reserve DLA-3657-1 for activemq - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -193223,7 +193223,6 @@ CVE-2021-26118 (While investigating ARTEMIS-2964 it was found that the creation CVE-2021-26117 (The optional ActiveMQ LDAP login module can be configured to use anony ...) {DLA-2583-1} - activemq 5.16.1-1 (bug #982590) - [buster] - activemq (Minor issue) NOTE: https://issues.apache.org/jira/browse/AMQ-8035 NOTE: https://www.openwall.com/lists/oss-security/2021/01/27/6 NOTE: https://gitbox.apache.org/repos/asf?p=activemq.git;h=c9f68f4c64b2687eee283b95538753665d2b229b @@ -253458,7 +253457,6 @@ CVE-2020-13921 (**Resolved** Only when using H2/MySQL/TiDB as Apache SkyWalking CVE-2020-13920 (Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX ...) {DLA-2400-1} - activemq 5.16.0-1 - [buster] - activemq (Minor issue; can be fixed via point release) NOTE: http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt NOTE: When fixing this issue make sure to use a complete fix and not open up NOTE: CVE-2020-11998 (a regression introduced in 5.15.12 in the commit preventing = data/DLA/list = @@ -1,3 +1,6 @@ +[20 Nov 2023] DLA-3657-1 activemq - security update + {CVE-2020-13920 CVE-2021-26117 CVE-2023-46604} + [buster] - activemq 5.15.16-0+deb10u1 [19 Nov 2023] DLA-3656-1 netty - security update {CVE-2023-44487} [buster] - netty 1:4.1.33-1+deb10u4 = data/dla-needed.txt = 
@@ -20,9 +20,6 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. --- -activemq (Markus Koschany) - NOTE: 20231119: Added by Front-Desk (apo) -- amanda (tobi) NOTE: 20230730: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e07f843a9e7b32633480ecd9c86c043b422f5cfe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e07f843a9e7b32633480ecd9c86c043b422f5cfe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2023-39999,wordpress: link to upstream changeset
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c92d43c by Markus Koschany at 2023-11-20T20:19:11+01:00 CVE-2023-3,wordpress: link to upstream changeset - - - - - aef5fe37 by Markus Koschany at 2023-11-20T20:22:40+01:00 CVE-2023-38000,wordpress: link to upstream changeset Triage Buster as not affected because the vulnerable code was introduced in version 5.9. - - - - - 098d5334 by Markus Koschany at 2023-11-20T20:24:22+01:00 CVE-2023-5561,wordpress: link to upstream changeset - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5749,6 +5749,7 @@ CVE-2023-5575 (Improper access control in the permission inheritance in Devoluti CVE-2023-5561 (WordPress does not properly restrict which user fields are searchable ...) - wordpress 6.3.2+dfsg1-1 NOTE: https://wordpress.org/documentation/wordpress-version/version-6-3-2/ + NOTE: https://core.trac.wordpress.org/changeset/56840/ CVE-2023-5422 (The functions to fetch e-mail via POP3 or IMAP as well as sending e-ma ...) NOT-FOR-US: OTRS NOTE: Could possibly affect Znuny, we'll let their security team figure it out 
@@ -6187,11 +6188,14 @@ CVE-2023-40682 (IBM App Connect Enterprise 12.0.1.0 through 12.0.8.0 contains an CVE-2023-3 (Exposure of Sensitive Information to an Unauthorized Actor in WordPres ...) - wordpress 6.3.2+dfsg1-1 NOTE: https://wordpress.org/documentation/wordpress-version/version-6-3-2/ + NOTE: https://core.trac.wordpress.org/changeset/56843/ CVE-2023-39960 (Nextcloud Server provides data storage for Nextcloud, an open source c ...) - nextcloud-server (bug #941708) CVE-2023-38000 (Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability i ...) - wordpress 6.3.2+dfsg1-1 + [buster] - wordpress (Vulnerable code was introduced in 5.9) NOTE: https://wordpress.org/documentation/wordpress-version/version-6-3-2/ + NOTE: https://plugins.trac.wordpress.org/changeset/2978318/gutenberg/trunk/build/block-library/blocks/post-navigation-link.php CVE-2023-34977 (A cross-site scripting (XSS) vulnerability has been reported to affect ...) NOT-FOR-US: QNAP CVE-2023-34976 (A SQL injection vulnerability has been reported to affect Video Statio ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c5e85dbfd2249a20e31e5f264e25aec4a608b5cf...098d53342e7ef4e730ad1f1dd5701c138ddfb13d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c5e85dbfd2249a20e31e5f264e25aec4a608b5cf...098d53342e7ef4e730ad1f1dd5701c138ddfb13d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
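Review bot: the added `[buster] - wordpress (Vulnerable code was introduced in 5.9)` line shows no status tag before the parenthesised reason, while the commit message says Buster is triaged as not affected; if the tracker's not-affected tag is in the committed line it was stripped in this rendering, otherwise the line reads as a plain Buster annotation and should carry the tag. The NOTE added for CVE-2023-38000 points at `plugins.trac.wordpress.org/changeset/2978318/gutenberg/trunk/...`, a Gutenberg plugin changeset rather than a core one; one clause in the NOTE on how that changeset relates to the core fix would stop the next reader wondering why a plugin URL backs a core WordPress entry.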
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2023-48011: link to correct fixing commit again
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: c9a56471 by Markus Koschany at 2023-11-19T21:34:16+01:00 CVE-2023-48011: link to correct fixing commit again - - - - - 25bc891b by Markus Koschany at 2023-11-19T21:34:49+01:00 Claim wordpress in dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -560,7 +560,7 @@ CVE-2023-48011 (GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain - gpac (bug #1056282) [buster] - gpac (EOL in Buster LTS) NOTE: https://github.com/gpac/gpac/issues/2613 - NOTE: https://github.com/gpac/gpac/commit/66abf0887c89c29a484d9e65e70882794e9e3a1b + NOTE: https://github.com/gpac/gpac/commit/c70f49dda4946d6db6aa55588f6a756b76bd84ea CVE-2023-47637 (Pimcore is an Open Source Data & Experience Management Platform. In af ...) NOT-FOR-US: Pimcore CVE-2023-47636 (The Pimcore Admin Classic Bundle provides a Backend UI for Pimcore. Fu ...) = data/dla-needed.txt = @@ -277,7 +277,7 @@ vlc wireshark (Adrian Bunk) NOTE: 20231118: Added by Front-Desk (apo) -- -wordpress +wordpress (Markus Koschany) NOTE: 20231119: Added by Front-Desk (apo) -- zabbix View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/30e3b3d4b805656e4211eb455adf07d37c678e86...25bc891bc23ba7e487e014aba675972e4dff2bbe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/30e3b3d4b805656e4211eb455adf07d37c678e86...25bc891bc23ba7e487e014aba675972e4dff2bbe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DSA-5558-1 for netty
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: fb8c6f97 by Markus Koschany at 2023-11-18T16:58:07+01:00 Reserve DSA-5558-1 for netty - - - - - 3 changed files: - data/CVE/list - data/DSA/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -22182,8 +22182,6 @@ CVE-2023-34553 (An issue was discovered in WAFU Keyless Smart Lock v1.0 allows a NOT-FOR-US: WAFU Keyless Smart Lock CVE-2023-34462 (Netty is an asynchronous event-driven network application framework fo ...) - netty 1:4.1.48-8 (bug #1038947) - [bookworm] - netty (Minor issue, fix along in future update) - [bullseye] - netty (Minor issue, fix along in future update) [buster] - netty (SslClientHelloHandler introduced in v4.1.46) NOTE: https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845 NOTE: https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32 (netty-4.1.94.Final) = data/DSA/list = @@ -1,3 +1,7 @@ +[18 Nov 2023] DSA-5558-1 netty - security update + {CVE-2023-34462 CVE-2023-44487} + [bullseye] - netty 1:4.1.48-4+deb11u2 + [bookworm] - netty 1:4.1.48-7+deb12u1 [17 Nov 2023] DSA-5557-1 webkit2gtk - security update {CVE-2023-41983 CVE-2023-42852} [bullseye] - webkit2gtk 2.42.2-1~deb11u1 = data/dsa-needed.txt = @@ -42,8 +42,6 @@ linux (carnil) nbconvert/oldstable Guilhem Moulin proposed an update ready for review -- -netty (apo) --- nghttp2 -- nodejs View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb8c6f97071556ac2984b4ebea230efb8c2225e7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb8c6f97071556ac2984b4ebea230efb8c2225e7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 4 commits: Add gst-plugins-bad1.0 to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 533a66d6 by Markus Koschany at 2023-11-18T01:19:37+01:00 Add gst-plugins-bad1.0 to dla-needed.txt - - - - - 79818a3b by Markus Koschany at 2023-11-18T01:51:00+01:00 CVE-2023-46118,rabbitmq-server: link to upstream pull request - - - - - 02adfda7 by Markus Koschany at 2023-11-18T02:02:30+01:00 Add symfony to dla-needed.txt - - - - - 2caaabc3 by Markus Koschany at 2023-11-18T02:09:04+01:00 Add wireshark to dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -4126,6 +4126,7 @@ CVE-2023-46119 (Parse Server is an open source backend that can be deployed to a CVE-2023-46118 (RabbitMQ is a multi-protocol messaging and streaming broker. HTTP API ...) - rabbitmq-server NOTE: https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-w6cq-9cf4-gqpg + NOTE: https://github.com/rabbitmq/rabbitmq-server/pull/9708 CVE-2023-4 (File Upload vulnerability in zzzCMS v.2.1.9 allows a remote attacker t ...) NOT-FOR-US: zzzCMS CVE-2023-45554 (File Upload vulnerability in zzzCMS v.2.1.9 allows a remote attacker t ...) = data/dla-needed.txt = @@ -79,6 +79,9 @@ gimp gnutls28 NOTE: 20231117: Added by Front-Desk (apo) -- +gst-plugins-bad1.0 + NOTE: 20231118: Added by Front-Desk (apo) +-- horizon NOTE: 20231101: Added by Front-Desk (lamby) NOTE: 20231101: Sync with bullseye (CVE-2022-45582). (lamby) @@ -248,6 +251,9 @@ suricata (Adrian Bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) -- +symfony + NOTE: 20231118: Added by Front-Desk (apo) +-- varnish NOTE: 20231117: Added by Front-Desk (apo) -- 
@@ -255,6 +261,9 @@ vlc NOTE: 20231106: Added by Front-Desk (pochu) NOTE: 20231106: Follow bullseye and update to 3.0.20 (pochu) -- +wireshark + NOTE: 20231118: Added by Front-Desk (apo) +-- zabbix NOTE: 20231015: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8b3307455343db44a32860038ada53dd0ad6537c...2caaabc3619c77ce9500558c7960572dd138f48e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8b3307455343db44a32860038ada53dd0ad6537c...2caaabc3619c77ce9500558c7960572dd138f48e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 8 commits: Add gnutls28 to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: b1140c02 by Markus Koschany at 2023-11-17T11:27:33+01:00 Add gnutls28 to dla-needed.txt - - - - - 11e42605 by Markus Koschany at 2023-11-17T11:53:16+01:00 CVE-2023-44429,gst-plugins-bad1.0: Buster is not affected The vulnerable code was introduced later. https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/13d55627f0be18c52dd1019c1f464acfe2da8b98 - - - - - a501a7d4 by Markus Koschany at 2023-11-17T12:57:13+01:00 Add varnish to dla-needed.txt - - - - - 56e1eb6f by Markus Koschany at 2023-11-17T12:58:37+01:00 CVE-2023-44487,varnish: link to upstream issue - - - - - c4d23181 by Markus Koschany at 2023-11-17T13:02:35+01:00 Add zlib to dla-needed.txt - - - - - 75f5bceb by Markus Koschany at 2023-11-17T13:06:42+01:00 CVE-2023-45853: minizip is also affected - - - - - dd2ed1c6 by Markus Koschany at 2023-11-17T13:08:22+01:00 Add minizip to dla-needed.txt - - - - - 3f64dc16 by Markus Koschany at 2023-11-17T13:29:08+01:00 Add gimp to dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -5927,6 +5927,7 @@ CVE-2023-45855 (qdPM 9.2 allows Directory Traversal to list files and directorie NOT-FOR-US: qdPM CVE-2023-45853 (MiniZip in zlib through 1.3 has an integer overflow and resultant heap ...) - zlib (bug #1054290) + - minizip NOTE: https://github.com/madler/zlib/pull/843 NOTE: https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c CVE-2023-45852 (In Vitogate 300 2.1.3.0, /cgi-bin/vitogate.cgi allows an unauthenticat ...) 
@@ -7020,6 +7021,7 @@ CVE-2023-44487 (The HTTP/2 protocol allows a denial of service (server resource NOTE: netty: https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p NOTE: netty: https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61 (netty-4.1.100.Final) NOTE: varnish: https://varnish-cache.org/security/VSV00013.html + NOTE: varnish: https://github.com/varnishcache/varnish-cache/issues/3996 NOTE: Unaffected implementations not requiring code changes: NOTE: - rust-hyper: https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected NOTE: - apache2: https://chaos.social/@icing/111210915918780532 @@ -8814,6 +8816,7 @@ CVE-2023-6 [MXF demuxer use-after-free] NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/7dfaa57b6f9b55f17ffe824bd8988bb71ae11353 (1.22.7) CVE-2023-44429 [AV1 codec parser buffer overflow] - gst-plugins-bad1.0 (bug #1056102) + [buster] - gst-plugins-bad1.0 (Vulnerable code was introduced later) - gst-plugins-bad0.10 NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0009.html NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5634 = data/dla-needed.txt = @@ -80,6 +80,12 @@ galera-3 (Adrian Bunk) NOTE: 20231028: Acc. to CVE notes the open issue is fixed in 26.4.12. Please, try to find a corresponding commit and try to backport it. Otherwise - no-dsa. (gladk) NOTE: 20231113: Investigating whether vulnerability already existed before commit introducing current code. (bunk) -- +gimp + NOTE: 20231117: Added by Front-Desk (apo) +-- +gnutls28 + NOTE: 20231117: Added by Front-Desk (apo) +-- horizon NOTE: 20231101: Added by Front-Desk (lamby) NOTE: 20231101: Sync with bullseye (CVE-2022-45582). (lamby) 
@@ -130,6 +136,9 @@ lwip mediawiki (guilhem) NOTE: 20231011: Added by Front-Desk (ta) -- +minizip + NOTE: 20231117: Added by Front-Desk (apo) +-- netty (Markus Koschany) NOTE: 20231104: Added by Front-Desk (lamby) NOTE: 20231104: For, at least, CVE-2023-44487. (lamby) @@ -246,6 +255,9 @@ suricata (Adrian Bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) -- +varnish + NOTE: 20231117: Added by Front-Desk (apo) +-- vlc NOTE: 20231106: Added by Front-Desk (pochu) NOTE: 20231106: Follow bullseye and update to 3.0.20 (pochu) @@ -253,3 +265,6 @@ vlc zabbix NOTE: 20231015: Added by Front-Desk (ta) -- +zlib + NOTE: 20231117: Added by Front-Desk (apo) +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f94cf8c879dce13ad5e9adf9fdf12b42f398d5b3...3f64dc160be59799aefb332345bb3a33996253bd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f94cf8c879dce13ad5e9adf9fdf12b42f398d5b3...3f64dc160be59799aefb332345bb3a33996253bd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing
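Review bot: the new "- minizip" line under CVE-2023-45853 (commit 75f5bceb) carries neither a fixed version nor a bug reference, unlike the "- zlib (bug #1054290)" line directly above it; if minizip is still unfixed in unstable, add the bug number so the open issue is tracked the same way as the zlib one.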
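Review bot: the "[buster] - gst-plugins-bad1.0 (Vulnerable code was introduced later)" tag added for CVE-2023-44429 is justified only in the commit message of 11e42605 (gstreamer commit 13d55627f0be18c52dd1019c1f464acfe2da8b98); the hunk adds no NOTE with that commit, so the evidence for the not-affected call lives only in git history. Record it next to the existing sa-2023-0009 and merge-request NOTEs so the decision can be re-checked from data/CVE/list alone.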
[Git][security-tracker-team/security-tracker][master] Add clamav to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 8fda347f by Markus Koschany at 2023-11-13T21:35:37+01:00 Add clamav to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -40,6 +40,10 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- +clamav + NOTE: 20231113: Added by Front-Desk (apo) + NOTE: 20231113: Please upgrade to 0.103.10 to include the fix for CVE-2023-40477 (libclamunrar). +-- curl NOTE: 20231103: Added by Front-Desk (lamby) NOTE: 20231103: Sync with stable. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8fda347fcc8485c94ccb6c9fe4e9fe258949cae9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8fda347fcc8485c94ccb6c9fe4e9fe258949cae9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim netty in dsa-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: f70238ad by Markus Koschany at 2023-11-12T20:52:57+01:00 Claim netty in dsa-needed.txt - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -29,7 +29,7 @@ linux (carnil) nbconvert/oldstable Guilhem Moulin proposed an update ready for review -- -netty +netty (apo) -- nghttp2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f70238ad164b805f14da30b776f2c5586b4426a5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f70238ad164b805f14da30b776f2c5586b4426a5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-34462,CVE-2023-44487,netty: fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 62f81dd4 by Markus Koschany at 2023-11-11T23:32:16+01:00 CVE-2023-34462,CVE-2023-44487,netty: fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5722,7 +5722,7 @@ CVE-2023-44487 (The HTTP/2 protocol allows a denial of service (server resource - nginx 1.24.0-2 (unimportant; bug #1053770) - nghttp2 1.57.0-1 (bug #1053769) - jetty9 9.4.53-1 - - netty (bug #1054234) + - netty 1:4.1.48-8 (bug #1054234) NOTE: Tomcat: https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49 (10.1.14) NOTE: Tomcat: https://github.com/apache/tomcat/commit/6d1a9fd6642387969e4410b9989c85856b74917a (9.0.81) NOTE: Starting with 9.0.70-2 Tomcat9 no longer ships the server stack, using that as the fixed version @@ -20779,7 +20779,7 @@ CVE-2023-35131 (Content on the groups page required additional sanitizing to pre CVE-2023-34553 (An issue was discovered in WAFU Keyless Smart Lock v1.0 allows attacke ...) NOT-FOR-US: WAFU Keyless Smart Lock CVE-2023-34462 (Netty is an asynchronous event-driven network application framework fo ...) - - netty (bug #1038947) + - netty 1:4.1.48-8 (bug #1038947) [bookworm] - netty (Minor issue, fix along in future update) [bullseye] - netty (Minor issue, fix along in future update) [buster] - netty (SslClientHelloHandler introduced in v4.1.46) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62f81dd4abba17cd0b018c7ab988755facc14ddc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62f81dd4abba17cd0b018c7ab988755facc14ddc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: Remove mosquitto from dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 09a3a1a9 by Markus Koschany at 2023-11-10T02:02:52+01:00 Remove mosquitto from dla-needed.txt - - - - - 853f87ec by Markus Koschany at 2023-11-10T02:03:45+01:00 CVE-2023-5632,mosquitto: buster is not affected The vulnerable code was introduced two years later with https://github.com/eclipse/mosquitto/commit/fabdfcc060432f07595b4a10d4f4fb3d075c64dc#diff-0c14597a927dfee68f01aabb70f76e8d1191380e890978a1cc263855478d6138 - - - - - 673a8bc8 by Markus Koschany at 2023-11-10T02:07:22+01:00 CVE-2023-28366,mosquitto: mark buster as ignored This potential memory leak requires a rewrite of packet handling core functions. Upstream was unsure whether the buster version is affected but did not intend to fix such an old version anyway. It seems mosquitto is ABI stable between 1.5 to 2.x but that does not imply configuration options behave identical. The risk of regressions is thus rather high. An upgrade to the version in Bullseye would be a more sensible approach because this version has an excellent test coverage though. At the moment I tend to ignore this problem because of the regression risks involved. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -3807,6 +3807,7 @@ CVE-2023-5642 (Advantech R-SeeNet v2.4.23 allows an unauthenticated remote attac NOT-FOR-US: Advantech R-SeeNet CVE-2023-5632 (In Eclipse Mosquito before and including 2.0.5, establishing a connect ...) - mosquitto 2.0.7-1 + [buster] - mosquitto (The vulnerable code was introduced later) NOTE: https://github.com/eclipse/mosquitto/pull/2053 NOTE: https://github.com/eclipse/mosquitto/commit/18bad1ff32435e523d7507e9b2ce0010124a8f2d (v2.0.6) CVE-2023-5631 (Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 al ...) 
@@ -34856,6 +34857,7 @@ CVE-2023-28368 (TP-Link L2 switch T2600G-28SQ firmware versions prior to 'T2600G CVE-2023-28366 (The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a ...) {DSA-5511-1} - mosquitto 2.0.17-1 + [buster] - mosquitto (Minor memory leak which requires rewrite of core functions) NOTE: https://mosquitto.org/blog/2023/08/version-2-0-16-released/ NOTE: https://github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9 (v2.0.16) NOTE: Regression fix: https://github.com/eclipse/mosquitto/commit/bfb373d774d8530e8d6620776304a3e0b0201793 = data/dla-needed.txt = @@ -133,10 +133,6 @@ lwip mediawiki (guilhem) NOTE: 20231011: Added by Front-Desk (ta) -- -mosquitto (Markus Koschany) - NOTE: 20230924: Added by Front-Desk (apo) - NOTE: 20231009: Waiting for upstream clarification how to proceed with open CVE. (apo) --- netty (Markus Koschany) NOTE: 20231104: Added by Front-Desk (lamby) NOTE: 20231104: For, at least, CVE-2023-44487. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8a4db919093d6ee4a452964cfa1a3214fc8bd8e3...673a8bc8b99a4dbb09b70c603bde8334982e35bd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8a4db919093d6ee4a452964cfa1a3214fc8bd8e3...673a8bc8b99a4dbb09b70c603bde8334982e35bd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
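Review bot: the "[buster] - mosquitto (The vulnerable code was introduced later)" line for CVE-2023-5632 rests on mosquitto commit fabdfcc060432f07595b4a10d4f4fb3d075c64dc named in the commit message of 853f87ec, but the hunk adds no NOTE with that commit; add it alongside the existing PR and fix-commit NOTEs so the not-affected assessment is verifiable without the git log.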
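Review bot: the "[buster] - mosquitto (Minor memory leak which requires rewrite of core functions)" tag for CVE-2023-28366 drops most of the reasoning given in the commit message of 673a8bc8 (upstream unsure whether buster is affected, fix needs a rewrite of packet-handling core functions, regression risk judged high, upgrade to the bullseye version considered as the alternative); a short NOTE with that summary would make the ignored status easier to revisit later, and the mosquitto entry removed from dla-needed.txt is the only other place this reasoning was recorded.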
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3647-1 for trapperkeeper-webserver-jetty9-clojure
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 670f51ad by Markus Koschany at 2023-11-07T00:03:06+01:00 Reserve DLA-3647-1 for trapperkeeper-webserver-jetty9-clojure - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[07 Nov 2023] DLA-3647-1 trapperkeeper-webserver-jetty9-clojure - security update + [buster] - trapperkeeper-webserver-jetty9-clojure 1.7.0-2+deb10u2 [05 Nov 2023] DLA-3646-1 open-vm-tools - security update {CVE-2023-34058 CVE-2023-34059} [buster] - open-vm-tools 2:10.3.10-1+deb10u6 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/670f51ade33e395efbee1490eb13893c41830441 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/670f51ade33e395efbee1490eb13893c41830441 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
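Review bot: the new "[07 Nov 2023] DLA-3647-1 trapperkeeper-webserver-jetty9-clojure - security update" entry has no "{CVE-...}" line, unlike the DLA-3646-1 entry right below it, so the tracker cannot cross-reference it to any CVE entry; if the update addresses tracked CVEs, list them in the entry as the neighbouring DLA does.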
[Git][security-tracker-team/security-tracker][master] 3 commits: Remove memcached from dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 334571c9 by Markus Koschany at 2023-11-05T00:13:24+01:00 Remove memcached from dla-needed.txt - - - - - d66194c5 by Markus Koschany at 2023-11-05T00:14:38+01:00 Triage CVE-2023-46852,CVE-2023-46853,memcached as not affected for Buster The vulnerable code was introduced in later releases. See https://github.com/memcached/memcached/commit/d22b66483bce8843110795609386edc6ebf65b69 - - - - - a6dea465 by Markus Koschany at 2023-11-05T00:17:30+01:00 Claim netty in dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -1092,11 +1092,13 @@ CVE-2023-46853 (In Memcached before 1.6.22, an off-by-one error exists when proc - memcached 1.6.22-1 [bookworm] - memcached (Minor issue) [bullseye] - memcached (Minor issue) + [buster] - memcached (The vulnerable code was introduced later) NOTE: https://github.com/memcached/memcached/commit/6987918e9a3094ec4fc8976f01f769f624d790fa (1.6.22) CVE-2023-46852 (In Memcached before 1.6.22, a buffer overflow exists when processing m ...) - memcached 1.6.22-1 [bookworm] - memcached (Minor issue) [bullseye] - memcached (Minor issue) + [buster] - memcached (The vulnerable code was introduced later) NOTE: https://github.com/memcached/memcached/commit/76a6c363c18cfe7b6a1524ae64202ac9db330767 (1.6.22) CVE-2023-46604 (Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerabili ...) - activemq (bug #1054909) = data/dla-needed.txt = 
@@ -132,14 +132,11 @@ lwip mediawiki (guilhem) NOTE: 20231011: Added by Front-Desk (ta) -- -memcached (Markus Koschany) - NOTE: 20231029: Added by Front-Desk (gladk) --- mosquitto (Markus Koschany) NOTE: 20230924: Added by Front-Desk (apo) NOTE: 20231009: Waiting for upstream clarification how to proceed with open CVE. (apo) -- -netty +netty (Markus Koschany) NOTE: 20231104: Added by Front-Desk (lamby) NOTE: 20231104: For, at least, CVE-2023-44487. (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/10d0f985fa27b64648fbb9e89d112ba6386220cd...a6dea465fc1ab0e1751bff0880c481020624cd99 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/10d0f985fa27b64648fbb9e89d112ba6386220cd...a6dea465fc1ab0e1751bff0880c481020624cd99 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
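Review bot: both new "[buster] - memcached (The vulnerable code was introduced later)" lines (CVE-2023-46852 and CVE-2023-46853) rely on memcached commit d22b66483bce8843110795609386edc6ebf65b69 cited only in the commit message of d66194c5; neither hunk records it as a NOTE, so add it to both entries next to the existing 1.6.22 fix-commit NOTEs so the not-affected decision is traceable from data/CVE/list.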
[Git][security-tracker-team/security-tracker][master] Claim memcached and mosquitto
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: e9655085 by Markus Koschany at 2023-10-31T18:18:32+01:00 Claim memcached and mosquitto - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -116,10 +116,10 @@ linux-5.10 mediawiki (guilhem) NOTE: 20231011: Added by Front-Desk (ta) -- -memcached +memcached (Markus Koschany) NOTE: 20231029: Added by Front-Desk (gladk) -- -mosquitto +mosquitto (Markus Koschany) NOTE: 20230924: Added by Front-Desk (apo) NOTE: 20231009: Waiting for upstream clarification how to proceed with open CVE. (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9655085a671e5ff7a1fa1445ead0094c48f50e8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9655085a671e5ff7a1fa1445ead0094c48f50e8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3641-1 for jetty9
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: c93dfd66 by Markus Koschany at 2023-10-30T21:05:48+01:00 Reserve DLA-3641-1 for jetty9 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -218554,7 +218554,6 @@ CVE-2020-27219 (In all version of Eclipse Hawkbit prior to 0.3.0M7, the HTTP 404 NOT-FOR-US: Eclipse Hawkbit CVE-2020-27218 (In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 ...) - jetty9 9.4.35-1 (bug #976211) - [buster] - jetty9 (Minor issue, too intrusive to backport, patch introduces regressions, workarounds exist) [stretch] - jetty9 (Minor issue, request smuggling in specific conditions, invasive, patch introduces regressions, workarounds exist) NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=568892 NOTE: https://github.com/eclipse/jetty.project/security/advisories/GHSA-86wm-rrjm-8wh8 = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Oct 2023] DLA-3641-1 jetty9 - security update + {CVE-2020-27218 CVE-2023-36478 CVE-2023-44487} + [buster] - jetty9 9.4.50-4+deb10u1 [30 Oct 2023] DLA-3640-1 distro-info - database update [buster] - distro-info 0.21+deb10u1 [30 Oct 2023] DLA-3639-1 distro-info-data - database update = data/dla-needed.txt = 
@@ -87,9 +87,6 @@ imagemagick NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) NOTE: 20231014: Some work under git branch debian/buster but unease -- -jetty9 (Markus Koschany) - NOTE: 20231011: Added by Front-Desk (ta) --- knot-resolver NOTE: 20231029: Added by Front-Desk (gladk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c93dfd66cac3e599ad34df17a76ce1764e427450 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c93dfd66cac3e599ad34df17a76ce1764e427450 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
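Review bot: the removed "[buster] - jetty9 (Minor issue, too intrusive to backport, patch introduces regressions, workarounds exist)" line for CVE-2020-27218 is not replaced by any NOTE, while the stretch line with the same reasoning stays; since DLA-3641-1 ships 9.4.50-4+deb10u1, well past the 9.4.35-1 fixed version, a NOTE stating that buster was updated to the 9.4.50 codebase rather than patched would explain why the earlier "too intrusive" assessment no longer applies.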
[Git][security-tracker-team/security-tracker][master] Reserve DSA-5540-1 for jetty9
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 61ae1034 by Markus Koschany at 2023-10-30T20:33:50+01:00 Reserve DSA-5540-1 for jetty9 - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[30 Oct 2023] DSA-5540-1 jetty9 - security update + {CVE-2023-36478 CVE-2023-44487} + [bullseye] - jetty9 9.4.50-4+deb11u1 + [bookworm] - jetty9 9.4.50-4+deb12u2 [30 Oct 2023] DSA-5539-1 node-browserify-sign - security update {CVE-2023-46234} [bullseye] - node-browserify-sign 4.2.1-1+deb11u1 = data/dsa-needed.txt = @@ -24,8 +24,6 @@ fastdds -- gpac/oldstable (jmm) -- -jetty9 --- libreswan (jmm) Maintainer prepared bookworm-security update, but needs work on bullseye-security backports -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61ae1034546fcc75a7dcd658c9e8345fdc5eead4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61ae1034546fcc75a7dcd658c9e8345fdc5eead4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim jetty9 in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: a2fecbde by Markus Koschany at 2023-10-17T14:56:30+02:00 Claim jetty9 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -96,7 +96,7 @@ imagemagick NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) NOTE: 20231014: Some work under git branch debian/buster but unease -- -jetty9 +jetty9 (Markus Koschany) NOTE: 20231011: Added by Front-Desk (ta) -- krb5 (Adrian Bunk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2fecbdee7a34155c020ecee642a44a6d7088c04 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2fecbdee7a34155c020ecee642a44a6d7088c04 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3622-1 for axis
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 40bc7938 by Markus Koschany at 2023-10-17T14:43:58+02:00 Reserve DLA-3622-1 for axis - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[17 Oct 2023] DLA-3622-1 axis - security update + {CVE-2023-40743} + [buster] - axis 1.4-28+deb10u1 [17 Oct 2023] DLA-3617-2 tomcat9 - regression update [buster] - tomcat9 9.0.31-1~deb10u10 [16 Oct 2023] DLA-3621-1 nghttp2 - security update = data/dla-needed.txt = @@ -29,12 +29,6 @@ audiofile NOTE: 20230918: Added by Front-Desk (apo) NOTE: 20230919: unfixed upstream (apo) -- -axis (Markus Koschany) - NOTE: 20230924: Added by Front-Desk (apo) - NOTE: 20231009: buster has the same version as bullseye/bookworm/trixie/sid - NOTE: 20231009: Any update will first have to go into bullseye/bookworm/sid - NOTE: 20231009: to avoid buster having higher version than bullseye. (bunk) --- bind9 (Thorsten Alteholz) NOTE: 20230921: Added by Front-Desk (apo) NOTE: 20231008: backporting patches View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/40bc79382b6d9243ab0965277a7f170dd2d64b37 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/40bc79382b6d9243ab0965277a7f170dd2d64b37 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-40743,axis: fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3eb92488 by Markus Koschany at 2023-10-17T01:19:16+02:00 CVE-2023-40743,axis: fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6261,7 +6261,7 @@ CVE-2023-31242 (An authentication bypass vulnerability exists in the OAS Engine CVE-2023-2453 (There is insufficient sanitization of tainted file names that are dire ...) NOT-FOR-US: PHP-Fusion CVE-2023-40743 (** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in an ...) - - axis (bug #1051288) + - axis 1.4-29 (bug #1051288) NOTE: https://www.openwall.com/lists/oss-security/2023/09/05/1 NOTE: https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210 CVE-2023-34322 [top-level shadow reference dropped too early for 64-bit PV guests] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3eb924883e3f98459627b172c58f2aec33ea17ef -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3eb924883e3f98459627b172c58f2aec33ea17ef You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3617-2 for tomcat9
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 549a6c75 by Markus Koschany at 2023-10-17T00:21:00+02:00 Reserve DLA-3617-2 for tomcat9 - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[17 Oct 2023] DLA-3617-2 tomcat9 - regression update + [buster] - tomcat9 9.0.31-1~deb10u10 [16 Oct 2023] DLA-3621-1 nghttp2 - security update {CVE-2020-11080 CVE-2023-44487} [buster] - nghttp2 1.36.0-2+deb10u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/549a6c75859147d3f8919efed3460245d2d07489 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/549a6c75859147d3f8919efed3460245d2d07489 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DSA-5522-3 for tomcat9
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: ea48b2ca by Markus Koschany at 2023-10-16T23:32:07+02:00 Reserve DSA-5522-3 for tomcat9 - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,3 +1,5 @@ +[16 Oct 2023] DSA-5522-3 tomcat9 - regression update + [bullseye] - tomcat9 9.0.43-2~deb11u9 [16 Oct 2023] DSA-5528-1 node-babel7 - security update {CVE-2023-45133} [bullseye] - node-babel7 7.12.12+~cs150.141.84-6+deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ea48b2ca665e23fd0ca6499c29a0b2340184a244 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ea48b2ca665e23fd0ca6499c29a0b2340184a244 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3617-1 for tomcat9
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: e22f6593 by Markus Koschany at 2023-10-13T15:55:42+02:00 Reserve DLA-3617-1 for tomcat9 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -7325,7 +7325,6 @@ CVE-2023-41080 (URL Redirection to Untrusted Site ('Open Redirect') vulnerabilit {DSA-5522-1 DSA-5521-1} - tomcat10 10.1.13-1 - tomcat9 9.0.70-2 - [buster] - tomcat9 (Minor issue; can be fixed later) - tomcat8 NOTE: https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f NOTE: https://github.com/apache/tomcat/commit/bb4624a9f3e69d495182ebfa68d7983076407a27 (10.1.13) @@ -40230,7 +40229,6 @@ CVE-2023-24998 (Apache Commons FileUpload before 1.5 does not limit the number o - tomcat10 10.1.5-1 - tomcat9 9.0.70-2 [bullseye] - tomcat9 (Minor issue, fix along with future update) - [buster] - tomcat9 (Minor issue) - libcommons-fileupload-java 1.4-2 (bug #1031733) [bullseye] - libcommons-fileupload-java (Minor issue) [buster] - libcommons-fileupload-java (Minor issue) = data/DLA/list = @@ -1,3 +1,6 @@ +[13 Oct 2023] DLA-3617-1 tomcat9 - security update + {CVE-2023-24998 CVE-2023-41080 CVE-2023-42795 CVE-2023-44487 CVE-2023-45648} + [buster] - tomcat9 9.0.31-1~deb10u9 [12 Oct 2023] DLA-3616-1 org-mode - security update {CVE-2023-28617} [buster] - org-mode 9.1.14+dfsg-3+deb10u1 = data/dla-needed.txt = 
@@ -228,9 +228,6 @@ suricata (Adrian Bunk) NOTE: 20230714: Still reviewing+testing CVEs. (bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) -- -tomcat9 (apo) - NOTE: 20231010: Added by Front-Desk (ta) --- trafficserver NOTE: 20231011: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e22f6593983254826e85d54c9676fccaab0806cf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e22f6593983254826e85d54c9676fccaab0806cf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DSA-5522-2 tomcat9
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 9f3250a1 by Markus Koschany at 2023-10-12T22:27:42+02:00 Reserve DSA-5522-2 tomcat9 - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,3 +1,5 @@ +[12 Oct 2023] DSA-5522-2 tomcat9 - regression update + [bullseye] - tomcat9 9.0.43-2~deb11u8 [12 Oct 2023] DSA-5527-1 webkit2gtk - security update {CVE-2023-39928 CVE-2023-41074 CVE-2023-41993} [bullseye] - webkit2gtk 2.42.1-1~deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f3250a15b606a2885c8c9a4832248fb2b5ca0c9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f3250a15b606a2885c8c9a4832248fb2b5ca0c9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Triage tomcat9 issues in bookworm, trixie and sid
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 68b144c3 by Markus Koschany at 2023-10-12T00:00:06+02:00 Triage tomcat9 issues in bookworm, trixie and sid Marking them as fixed in 9.0.70-2 because the server stack has been removed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -272,7 +272,7 @@ CVE-2023-4309 (Election Services Co. (ESC) Internet Election Service is vulnerab CVE-2023-45648 (Improper Input Validation vulnerability in Apache Tomcat.Tomcatfrom 11 ...) {DSA-5522-1 DSA-5521-1} - tomcat10 10.1.14-1 - - tomcat9 + - tomcat9 9.0.70-2 - tomcat8 NOTE: https://www.openwall.com/lists/oss-security/2023/10/10/10 CVE-2023-45601 (A vulnerability has been identified in Parasolid V35.0 (All versions < ...) @@ -350,7 +350,7 @@ CVE-2023-42796 (A vulnerability has been identified in CP-8031 MASTER MODULE (Al CVE-2023-42795 (Incomplete Cleanup vulnerability in Apache Tomcat.When recycling vario ...) {DSA-5522-1 DSA-5521-1} - tomcat10 10.1.14-1 - - tomcat9 + - tomcat9 9.0.70-2 - tomcat8 NOTE: https://www.openwall.com/lists/oss-security/2023/10/10/9 CVE-2023-42794 (Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork ...) 
@@ -689,7 +689,7 @@ CVE-2023-3961 [smbd allows client access to unix domain sockets on the file syst NOTE: In scope for continued Samba support CVE-2023-44487 (The HTTP/2 protocol allows a denial of service (server resource consum ...) {DSA-5522-1 DSA-5521-1} - - tomcat9 + - tomcat9 9.0.70-2 - tomcat10 10.1.14-1 - trafficserver (bug #1053801) - h2o View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/68b144c3d473e1a704e2dcc030101dfe2f6fa590 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/68b144c3d473e1a704e2dcc030101dfe2f6fa590 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
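Review bot: all three hunks turn an unversioned tomcat9 line into `- tomcat9 9.0.70-2`, but the reason given in the commit message (the server stack was removed in that upload, so this is a removal, not a code fix) is not recorded in the entries themselves. Add a NOTE line under each, for example `NOTE: tomcat9 9.0.70-2 no longer ships the server stack`, so the version is not later read as a backportable fix when bookworm or bullseye are compared against it, and so future tomcat9 CVEs can point at the same reasoning. The `- tomcat8` lines stay unversioned in the CVE-2023-45648 and CVE-2023-42795 hunks, so those remain open for tomcat8.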
[Git][security-tracker-team/security-tracker][master] Correct CVE entry for tomcat9
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: b5a4cb63 by Markus Koschany at 2023-10-10T23:53:45+02:00 Correct CVE entry for tomcat9 - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,5 +1,5 @@ [10 Oct 2023] DSA-5522-1 tomcat9 - security update - {CVE-2023-28709 CVE-2023-41080 CVE-2023-42795 CVE-2023-44487 CVE-2023-45648} + {CVE-2023-24998 CVE-2023-41080 CVE-2023-42795 CVE-2023-44487 CVE-2023-45648} [bullseye] - tomcat9 9.0.43-2~deb11u7 [10 Oct 2023] DSA-5521-1 tomcat10 - security update {CVE-2023-28709 CVE-2023-41080 CVE-2023-42795 CVE-2023-44487 CVE-2023-45648} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5a4cb63ffda6bab01817b3587617ae6a7550a4c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5a4cb63ffda6bab01817b3587617ae6a7550a4c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
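Review bot: the swap from CVE-2023-28709 to CVE-2023-24998 in DSA-5522-1 agrees with the CVE/list state in commit a9d230fc, where tomcat9's CVE-2023-28709 line reads "(Incomplete fix for CVE-2023-24998 not applied)": bullseye's tomcat9 never had the partial fix that CVE-2023-28709 describes, so the advisory addresses the original issue. DSA-5521-1 for tomcat10 keeps CVE-2023-28709, matching `- tomcat10 10.1.10-1` on that entry. A note in the commit message saying why the id changed would save the next reader from reconstructing this from the CVE/list.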
[Git][security-tracker-team/security-tracker][master] 2 commits: Reserve DSA-5521-1 tomcat10
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 2ceefb87 by Markus Koschany at 2023-10-10T23:44:04+02:00 Reserve DSA-5521-1 tomcat10 - - - - - a9d230fc by Markus Koschany at 2023-10-10T23:44:58+02:00 Reserve DSA-5522-1 tomcat9 - - - - - 3 changed files: - data/CVE/list - data/DSA/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -6831,9 +6831,7 @@ CVE-2023-41121 (Array AG OS before 9.4.0.499 allows denial of service: remote at NOT-FOR-US: Array AG OS CVE-2023-41080 (URL Redirection to Untrusted Site ('Open Redirect') vulnerability in F ...) - tomcat10 10.1.13-1 - [bookworm] - tomcat10 (Minor issue, fix along with future update) - tomcat9 9.0.70-2 - [bullseye] - tomcat9 (Minor issue, fix along with future update) [buster] - tomcat9 (Minor issue; can be fixed later) - tomcat8 NOTE: https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f @@ -28308,7 +28306,6 @@ CVE-2023-1552 (ToolboxST prior to version 7.10 is affected by a deserialization CVE-2023-28709 (The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 ...) [experimental] - tomcat10 10.1.8-1 - tomcat10 10.1.10-1 - [bookworm] - tomcat10 (Fix when more important issues arise) - tomcat9 (Incomplete fix for CVE-2023-24998 not applied) NOTE: https://github.com/apache/tomcat/commit/ba848da71c523d94950d3c53c19ea155189df9dc (10.1.8) NOTE: https://github.com/apache/tomcat/commit/fbd81421629afe8b8a3922d59020cde81caea861 (9.0.74) = data/DSA/list = 
@@ -1,3 +1,9 @@ +[10 Oct 2023] DSA-5522-1 tomcat9 - security update + {CVE-2023-28709 CVE-2023-41080 CVE-2023-42795 CVE-2023-44487 CVE-2023-45648} + [bullseye] - tomcat9 9.0.43-2~deb11u7 +[10 Oct 2023] DSA-5521-1 tomcat10 - security update + {CVE-2023-28709 CVE-2023-41080 CVE-2023-42795 CVE-2023-44487 CVE-2023-45648} + [bookworm] - tomcat10 10.1.6-1+deb12u1 [10 Oct 2023] DSA-5520-1 mediawiki - security update {CVE-2023-3550 CVE-2023-45360 CVE-2023-45362 CVE-2023-45363} [bullseye] - mediawiki 1:1.35.13-1~deb11u1 = data/dsa-needed.txt = @@ -88,10 +88,6 @@ samba/oldstable -- tiff (aron) -- -tomcat10 (apo) --- -tomcat9 (apo) --- trafficserver -- webkit2gtk View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6fde24493013142fb644cd33a60110c7aaccfb1a...a9d230fce15d918f248fef4d75a9faa6da02c12e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6fde24493013142fb644cd33a60110c7aaccfb1a...a9d230fce15d918f248fef4d75a9faa6da02c12e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
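Review bot: DSA-5522-1 for tomcat9 lists CVE-2023-28709, but the CVE/list hunk in the same push shows tomcat9 on that CVE as "(Incomplete fix for CVE-2023-24998 not applied)", meaning tomcat9 does not contain the partial fix CVE-2023-28709 is about; the tomcat9 advisory should reference CVE-2023-24998 instead. Commit b5a4cb63 on this page corrects exactly that nine minutes later; checking each package's CVE/list lines against the braces before reserving the id would have avoided the follow-up. The CVE-2023-41080 hunk drops the bookworm/tomcat10 and bullseye/tomcat9 "Minor issue" annotations, which lines up with both advisories, and dsa-needed.txt loses both tomcat entries as expected.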
[Git][security-tracker-team/security-tracker][master] 2 commits: Update status of mosquitto in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: cf8fce17 by Markus Koschany at 2023-10-09T17:00:58+02:00 Update status of mosquitto in dla-needed.txt - - - - - 8e741655 by Markus Koschany at 2023-10-09T17:01:47+02:00 Claim axis in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -29,7 +29,7 @@ audiofile NOTE: 20230918: Added by Front-Desk (apo) NOTE: 20230919: unfixed upstream (apo) -- -axis +axis (Markus Koschany) NOTE: 20230924: Added by Front-Desk (apo) NOTE: 20231009: buster has the same version as bullseye/bookworm/trixie/sid NOTE: 20231009: Any update will first have to go into bullseye/bookworm/sid @@ -121,8 +121,9 @@ linux (Ben Hutchings) linux-5.10 (Ben Hutchings) NOTE: 20231005: perma-added for LTS package-specific delegation (bwh) -- -mosquitto +mosquitto (Markus Koschany) NOTE: 20230924: Added by Front-Desk (apo) + NOTE: 20231009: Waiting for upstream clarification how to proceed with open CVE. (apo) -- node-webpack NOTE: 20231005: Added by Front-Desk (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/06c9a8c793683242bd0cf3a109148e5542dae21b...8e741655b2e44f21d3e089ce395e6a826560ac78 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/06c9a8c793683242bd0cf3a109148e5542dae21b...8e741655b2e44f21d3e089ce395e6a826560ac78 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
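Review bot: the new mosquitto line `NOTE: 20231009: Waiting for upstream clarification how to proceed with open CVE. (apo)` does not say which CVE is open, and this page alone shows five mosquitto ids (CVE-2021-34434, CVE-2021-41039, CVE-2023-0809, CVE-2023-3592, CVE-2023-28366), so whoever picks the package up next has to re-derive it. Put the id, and the upstream issue link if one exists, into the NOTE line. The axis notes are clearer: they explain that buster ships the same version as the newer suites and that a fix must land in bullseye/bookworm/sid first.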
[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2023-41115,exim4: Buster is not affected
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 2e81fdd4 by Markus Koschany at 2023-10-03T02:37:46+02:00 CVE-2023-41115,exim4: Buster is not affected The external authenticator support was introduced later. https://git.exim.org/exim.git/commit/c4a8c663b74a35b547d8320547079ca56b3b772e - - - - - e21481ea by Markus Koschany at 2023-10-03T02:37:47+02:00 Triage CVE-2023-42117,CVE-2023-42119,exim4 as no dsa for Buster Minor issues - - - - - 9b9ab4e5 by Markus Koschany at 2023-10-03T02:37:47+02:00 Reserve DLA-3599-1 for exim4 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -505,6 +505,7 @@ CVE-2023-42119 [Exim dnsdb Out-Of-Bounds Read Information Disclosure Vulnerabili - exim4 [bookworm] - exim4 (Minor issue; use Exim4 with a trustworthy DNS resolver able to validate the data according to the DNS record types) [bullseye] - exim4 (Minor issue; use Exim4 with a trustworthy DNS resolver able to validate the data according to the DNS record types) + [buster] - exim4 (Minor issue; use Exim4 with a trustworthy DNS resolver able to validate the data according to the DNS record types) NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1473/ NOTE: https://bugs.exim.org/show_bug.cgi?id=3033 NOTE: https://www.openwall.com/lists/oss-security/2023/09/29/5 @@ -520,6 +521,7 @@ CVE-2023-42117 [Exim Improper Neutralization of Special Elements Remote Code Exe - exim4 [bookworm] - exim4 (Only an issue if Exim4 run behind an untrusted proxy-protocol proxy) [bullseye] - exim4 (Only an issue if Exim4 run behind an untrusted proxy-protocol proxy) + [buster] - exim4 (Only an issue if Exim4 run behind an untrusted proxy-protocol proxy) NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1471/ NOTE: https://bugs.exim.org/show_bug.cgi?id=3031 NOTE: https://www.openwall.com/lists/oss-security/2023/09/29/5 
@@ -532,6 +534,7 @@ CVE-2023-42116 [Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Exec NOTE: https://www.openwall.com/lists/oss-security/2023/10/01/4 CVE-2023-42115 [Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability] - exim4 + [buster] - exim4 (External authenticator support was introduced later) NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1469/ NOTE: https://bugs.exim.org/show_bug.cgi?id=2999 NOTE: https://www.openwall.com/lists/oss-security/2023/09/29/5 = data/DLA/list = @@ -1,3 +1,6 @@ +[02 Oct 2023] DLA-3599-1 exim4 - security update + {CVE-2023-42114 CVE-2023-42116} + [buster] - exim4 4.92-8+deb10u8 [01 Oct 2023] DLA-3598-1 libvpx - security update {CVE-2023-5217 CVE-2023-44488} [buster] - libvpx 1.7.0-3+deb10u2 = data/dla-needed.txt = @@ -60,9 +60,6 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- -exim4 (Markus Koschany) - NOTE: 20230928: Added by Front-Desk (ola) --- freeimage (gladk) NOTE: 20230826: Added by Front-Desk (utkarsh) NOTE: 20230826: Anton Gladky is the maintainer. Please sync with him about the View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ab624e7ba25919b37cdf4d30fa60790c6b7c4fbc...9b9ab4e5e605c4e60feb8dc63dbc1680e1d58e5f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ab624e7ba25919b37cdf4d30fa60790c6b7c4fbc...9b9ab4e5e605c4e60feb8dc63dbc1680e1d58e5f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
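Review bot: in this archive rendering no status keyword is visible between `exim4` and the parenthesised reason on any of the three new [buster] lines; the tracker's angle-bracket markers such as `<no-dsa>` and `<not-affected>` look like HTML tags and would be stripped by the list archive, so the distinction between "minor issue, no DLA" for CVE-2023-42117/CVE-2023-42119 and "not affected" for CVE-2023-42115 cannot be checked here and should be verified in the raw commit. The commit message for CVE-2023-42115 cites the exim commit c4a8c663b74a35b547d8320547079ca56b3b772e that introduced external authenticators; copying that URL into a NOTE line on the CVE entry keeps the justification next to the data. The DLA-3599-1 entry lists only CVE-2023-42114 and CVE-2023-42116, consistent with the other four being annotated rather than fixed in 4.92-8+deb10u8.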
[Git][security-tracker-team/security-tracker][master] 2 commits: Reserve DSA-5511-1 mosquitto
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: e92462c4 by Markus Koschany at 2023-10-01T21:14:32+02:00 Reserve DSA-5511-1 mosquitto - - - - - 93bfc428 by Markus Koschany at 2023-10-01T21:15:32+02:00 CVE-2021-41039,mosquitto: Mark Bullseye as fixed in version 2.0.11-1+deb11u1 - - - - - 3 changed files: - data/CVE/list - data/DSA/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -145932,7 +145932,7 @@ CVE-2021-41040 (In Eclipse Wakaama, ever since its inception until 2021-01-14, t NOT-FOR-US: Eclipse Wakaama CVE-2021-41039 (In versions 1.6 to 2.0.11 of Eclipse Mosquitto, an MQTT v5 client conn ...) - mosquitto 2.0.11-1.2 (bug #1001028) - [bullseye] - mosquitto (Minor issue) + [bullseye] - mosquitto 2.0.11-1+deb11u1 [buster] - mosquitto (Vulnerable code introduced later) [stretch] - mosquitto (Vulnerable code introduced later) NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=575314 @@ -162484,8 +162484,6 @@ CVE-2021-34435 (In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension al NOT-FOR-US: Eclipse Theia CVE-2021-34434 (In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic se ...) - mosquitto 2.0.15-1 (bug #993400) - [bookworm] - mosquitto (Minor issue) - [bullseye] - mosquitto (Minor issue) [buster] - mosquitto (Vulnerable code introduced later) [stretch] - mosquitto (Vulnerable code introduced later) NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=575324 = data/DSA/list = @@ -1,3 +1,7 @@ +[01 Oct 2023] DSA-5511-1 mosquitto - security update + {CVE-2021-34434 CVE-2023-0809 CVE-2023-3592 CVE-2023-28366} + [bullseye] - mosquitto 2.0.11-1+deb11u1 + [bookworm] - mosquitto 2.0.11-1.2+deb12u1 [29 Sep 2023] DSA-5510-1 libvpx - security update {CVE-2023-5217} [bullseye] - libvpx 1.9.0-1+deb11u1 = data/dsa-needed.txt = 
@@ -34,8 +34,6 @@ linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v5.10.y and 6.1.y versions -- -mosquitto (apo) --- nbconvert/oldstable Guilhem Moulin proposed an update ready for review -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/bb645b353882fde01e99d5488fb9ebcae1002eda...93bfc42850c9f06c82dc245db2e046ab3b68def0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/bb645b353882fde01e99d5488fb9ebcae1002eda...93bfc42850c9f06c82dc245db2e046ab3b68def0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
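Review bot: commit 93bfc428 marks bullseye fixed for CVE-2021-41039 in 2.0.11-1+deb11u1, the same upload DSA-5511-1 records for bullseye, yet the advisory's CVE set {CVE-2021-34434 CVE-2023-0809 CVE-2023-3592 CVE-2023-28366} omits CVE-2021-41039. If the advisory text covers it, add it to the braces; if it was left out because bookworm's 2.0.11-1.2+deb12u1 already contains the unstable fix (`- mosquitto 2.0.11-1.2 (bug #1001028)`), say so in the commit message, since the bullseye fix would otherwise carry no advisory reference. The CVE-2021-34434 hunk drops only the bookworm and bullseye annotations and keeps the buster/stretch "Vulnerable code introduced later" lines, which matches the 2.0-only affected range in the description.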
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3597-1 for open-vm-tools
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: bb645b35 by Markus Koschany at 2023-10-01T21:06:07+02:00 Reserve DLA-3597-1 for open-vm-tools - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[01 Oct 2023] DLA-3597-1 open-vm-tools - security update + {CVE-2023-20900} + [buster] - open-vm-tools 2:10.3.10-1+deb10u5 [30 Sep 2023] DLA-3596-1 firmware-nonfree - security update {CVE-2022-27635 CVE-2022-36351 CVE-2022-38076 CVE-2022-40964 CVE-2022-46329} [buster] - firmware-nonfree 20190114+really20220913-0+deb10u2 = data/dla-needed.txt = @@ -120,12 +120,6 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- -open-vm-tools (Markus Koschany) - NOTE: 20230907: Added by Front-Desk (lamby) - NOTE: 20230925: Prepared the update in git, but don't have an OpenVZ host to - NOTE: 20230925: hand for testing, and more efficient for someone with one - NOTE: 20230925: already set up to test the update. (spwhitton) --- opendkim NOTE: 20230821: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb645b353882fde01e99d5488fb9ebcae1002eda -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb645b353882fde01e99d5488fb9ebcae1002eda You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
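Review bot: the dla-needed.txt entry being removed still carries the 20230925 note that the update was prepared in git but not tested for lack of a suitable host, and neither the DLA entry nor the commit message says whether that changed before DLA-3597-1 was reserved for 2:10.3.10-1+deb10u5. A sentence in the commit message on how the CVE-2023-20900 fix was verified would close that loop for anyone auditing the update later.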
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2023-0809,mosquitto: Buster is not affected
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: d271c1b5 by Markus Koschany at 2023-10-01T19:37:00+02:00 CVE-2023-0809,mosquitto: Buster is not affected The vulnerable code was introduced later. mosq_cs_new function is already used. - - - - - dcf602a7 by Markus Koschany at 2023-10-01T19:38:15+02:00 CVE-2023-3592,mosquitto: Buster is not affected The vulnerable code was introduced later. property_broker.c was added in November 2018 and the code was not present in other files before https://github.com/eclipse/mosquitto/commit/d5108956bf99507d521246959913bc650133d971#diff-21faf3c608ab100dac4ee821522de6ccf68e2b672fc8829b9c5042b63da5742b - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -35563,10 +35563,12 @@ CVE-2023-0810 (Cross-site Scripting (XSS) - Stored in GitHub repository btcpayse CVE-2023-0809 RESERVED - mosquitto 2.0.17-1 + [buster] - mosquitto (The vulnerable code was introduced later) NOTE: https://mosquitto.org/blog/2023/08/version-2-0-16-released/ NOTE: Fixed by https://github.com/eclipse/mosquitto/commit/a3c680fbb00a0019573fb84c29332e845e6efcad CVE-2023-3592 - mosquitto 2.0.17-1 + [buster] - mosquitto (The vulnerable code was introduced later) NOTE: https://mosquitto.org/blog/2023/08/version-2-0-16-released/ NOTE: https://github.com/eclipse/mosquitto/commit/00b24e0eb0686e9a76feb71fdaee650cb7e612fa (v2.0.16) CVE-2023-0808 (A vulnerability was found in Deye/Revolt/Bosswerk Inverter MW3_15U_540 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/64bb6ce217b2e3fe952c2f72d03fd430e41177c1...dcf602a7d088f2870b42ae2b497a0e937ad5f8c0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/64bb6ce217b2e3fe952c2f72d03fd430e41177c1...dcf602a7d088f2870b42ae2b497a0e937ad5f8c0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
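Review bot: for CVE-2023-3592 the justification (property_broker.c added in November 2018, with the introducing commit d5108956 linked) lives only in the commit message; adding that commit URL as a NOTE line under the new `[buster] - mosquitto (The vulnerable code was introduced later)` annotation would let the claim be re-checked from the tracker itself. The CVE-2023-0809 justification ("mosq_cs_new function is already used") is terser and deserves the same treatment, ideally naming the upstream change that introduced the affected path.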
[Git][security-tracker-team/security-tracker][master] Claim exim4 and open-vm-tools in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: db032b36 by Markus Koschany at 2023-09-30T23:45:52+02:00 Claim exim4 and open-vm-tools in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -60,7 +60,7 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- -exim4 +exim4 (Markus Koschany) NOTE: 20230928: Added by Front-Desk (ola) -- freeimage (gladk) @@ -122,7 +122,7 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- -open-vm-tools +open-vm-tools (Markus Koschany) NOTE: 20230907: Added by Front-Desk (lamby) NOTE: 20230925: Prepared the update in git, but don't have an OpenVZ host to NOTE: 20230925: hand for testing, and more efficient for someone with one View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db032b369fb4dcaf48eee1abe0a8a63724ea -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db032b369fb4dcaf48eee1abe0a8a63724ea You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-28366,mosquitto: Link to regression fixes
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 0ff94e9b by Markus Koschany at 2023-09-30T20:39:00+02:00 CVE-2023-28366,mosquitto: Link to regression fixes Those commits have to be applied as well. The regression was detected by the 06-bridge-b2br-disconnect-qos1.py broker test. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27630,6 +27630,8 @@ CVE-2023-28366 (The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 - mosquitto 2.0.17-1 NOTE: https://mosquitto.org/blog/2023/08/version-2-0-16-released/ NOTE: https://github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9 (v2.0.16) + NOTE: Regression fix: https://github.com/eclipse/mosquitto/commit/bfb373d774d8530e8d6620776304a3e0b0201793 + NOTE: Regression fix: https://github.com/eclipse/mosquitto/commit/28d96d8ebca9f6bdb7f272f1095760953e62d828 CVE-2023-28365 (A backup file vulnerability found in UniFi applications (Version 7.3.8 ...) NOT-FOR-US: UniFi CVE-2023-28364 (An Open Redirect vulnerability exists prior to version 1.52.117, where ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0ff94e9b1d4670964f7c72158cee7f1885c2b817 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0ff94e9b1d4670964f7c72158cee7f1885c2b817 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
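Review bot: the two new "Regression fix:" NOTE lines carry no release tag, unlike the main fix line ending in "(v2.0.16)"; add the upstream version that first ships them so that backports for bullseye and bookworm (DSA-5511-1 on this page lists CVE-2023-28366) can tell whether the release they are based on already includes them. The detail from the commit message, that the 06-bridge-b2br-disconnect-qos1.py broker test detects the regression, is exactly what a downstream maintainer needs and belongs in a NOTE line as well.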
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3592-1 for jetty9
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 422e1958 by Markus Koschany at 2023-09-30T14:33:31+02:00 Reserve DLA-3592-1 for jetty9 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Sep 2023] DLA-3592-1 jetty9 - security update + {CVE-2023-26048 CVE-2023-26049 CVE-2023-36479 CVE-2023-40167} + [buster] - jetty9 9.4.16-0+deb10u3 [30 Sep 2023] DLA-3591-1 firefox-esr - security update {CVE-2023-5217} [buster] - firefox-esr 115.3.1esr-1~deb10u1 = data/dla-needed.txt = @@ -94,9 +94,6 @@ imagemagick NOTE: 20230622: Added by Front-Desk (Beuc) NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) -- -jetty9 (Markus Koschany) - NOTE: 20230924: Added by Front-Desk (apo) --- libreswan NOTE: 20230817: Added by Front-Desk (ta) NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/422e19584c98eaf7bf7fc556f5d2e55298308767 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/422e19584c98eaf7bf7fc556f5d2e55298308767 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-0809,mosquitto: link to fixing commit
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 291e1209 by Markus Koschany at 2023-09-29T02:48:30+02:00 CVE-2023-0809,mosquitto: link to fixing commit https://github.com/eclipse/mosquitto/commit/a3c680fbb00a0019573fb84c29332e845e6efcad - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -35201,6 +35201,7 @@ CVE-2023-0809 RESERVED - mosquitto 2.0.17-1 NOTE: https://mosquitto.org/blog/2023/08/version-2-0-16-released/ + NOTE: Fixed by https://github.com/eclipse/mosquitto/commit/a3c680fbb00a0019573fb84c29332e845e6efcad CVE-2023-3592 - mosquitto 2.0.17-1 NOTE: https://mosquitto.org/blog/2023/08/version-2-0-16-released/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/291e120913c1430711fba5af1a643e6fa0fe852d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/291e120913c1430711fba5af1a643e6fa0fe852d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
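Review bot: the new line `NOTE: Fixed by https://github.com/eclipse/mosquitto/commit/a3c680fbb00a0019573fb84c29332e845e6efcad` lacks the "(v2.0.16)" release tag that the neighbouring CVE-2023-3592 entry uses on its fixing commit; add it for consistency, since the tag is what tells a backporter which upstream release already contains the change.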
[Git][security-tracker-team/security-tracker][master] Reserve DSA-5507-1 for jetty9
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 011881fc by Markus Koschany at 2023-09-28T23:01:45+02:00 Reserve DSA-5507-1 for jetty9 - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[28 Sep 2023] DSA-5507-1 jetty9 - security update + {CVE-2023-26048 CVE-2023-26049 CVE-2023-36479 CVE-2023-40167 CVE-2023-41900} + [bullseye] - jetty9 9.4.39-3+deb11u2 + [bookworm] - jetty9 9.4.50-4+deb12u1 [28 Sep 2023] DSA-5506-1 firefox-esr - security update {CVE-2023-5169 CVE-2023-5171 CVE-2023-5176} [bullseye] - firefox-esr 115.3.0esr-1~deb11u1 = data/dsa-needed.txt = @@ -29,8 +29,6 @@ gpac/oldstable (jmm) -- gst-plugins-bad1.0 (carnil) -- -jetty9 --- libreswan (jmm) Maintainer prepared bookworm-security update, but needs work on bullseye-security backports -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/011881fcfb0e1b694e54527e270e26000f706163 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/011881fcfb0e1b694e54527e270e26000f706163 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
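Review bot: DSA-5507-1 includes CVE-2023-36479, which the next commit on this page (cfd1c79c) marks fixed in 9.4.52-1 on the grounds that the CGI servlet was deprecated rather than patched. If the bullseye and bookworm uploads 9.4.39-3+deb11u2 and 9.4.50-4+deb12u1 only carry that deprecation, the advisory text should say so; if they backport an actual change from pull/9888, record that in the CVE entry so the two advisories and the CVE/list agree on what "fixed" means.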
[Git][security-tracker-team/security-tracker][master] CVE-2023-36479,jetty9: mark it as fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: cfd1c79c by Markus Koschany at 2023-09-28T22:51:25+02:00 CVE-2023-36479,jetty9: mark it as fixed in unstable Upstream just declared the CGI class as deprecated and it will finally be removed in the 12.x series. Apparently there are some rare corner cases that make the use of the CGI servlet potentially unsafe. As an alternative there is Fast CGI and I think most people would want to use this one. Hence it is ok in my opinion to mark it as fixed (deprecated) and move on. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1857,7 +1857,7 @@ CVE-2023-36658 (An issue was discovered in OPSWAT MetaDefender KIOSK 4.6.1.9996. CVE-2023-36657 (An issue was discovered in OPSWAT MetaDefender KIOSK 4.6.1.9996. Built ...) NOT-FOR-US: OPSWAT MetaDefender KIOSK CVE-2023-36479 (Eclipse Jetty Canonical Repository is the canonical repository for the ...) - - jetty9 + - jetty9 9.4.52-1 NOTE: https://github.com/eclipse/jetty.project/security/advisories/GHSA-3gh6-v5v9-6v9j NOTE: https://github.com/eclipse/jetty.project/pull/9888 NOTE: Jetty 9.x, 10.x, and 11.x the org.eclipse.jetty.servlets.CGI has been deprecated View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cfd1c79c39de9488c7ade0c1b826fd1b2ae3ff22 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cfd1c79c39de9488c7ade0c1b826fd1b2ae3ff22 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
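Review bot: the rationale in the commit message (deprecation, with removal only in the 12.x series, and Fast CGI as the alternative) is more explicit than the entry's existing NOTE line "Jetty 9.x, 10.x, and 11.x the org.eclipse.jetty.servlets.CGI has been deprecated". Since `- jetty9 9.4.52-1` now looks like an ordinary code fix and DSA-5507-1 references this CVE, extend the NOTE line to say that the servlet is still shipped in 9.4.52 and that the fix is deprecation rather than a patch, so nobody later searches pull/9888 for a backportable change.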
[Git][security-tracker-team/security-tracker][master] CVE-2023-41900,jetty9: Buster is not affected
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 66047330 by Markus Koschany at 2023-09-27T21:22:25+02:00 CVE-2023-41900,jetty9: Buster is not affected The vulnerable code was introduced in version 9.4.21 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1288,6 +1288,7 @@ CVE-2023-41901 REJECTED CVE-2023-41900 (Jetty is a Java based web server and servlet engine. Versions 9.4.21 t ...) - jetty9 9.4.52-1 + [buster] - jetty9 (The vulnerable code was introduced in 9.4.21) NOTE: https://github.com/eclipse/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48 NOTE: https://github.com/eclipse/jetty.project/pull/9528 (10.0.16, 11.0.16) NOTE: https://github.com/eclipse/jetty.project/pull/9660 (9.4.52) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/660473300f24e8e35082f7ffa6948e903c02fe09 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/660473300f24e8e35082f7ffa6948e903c02fe09 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
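Review bot: the "introduced in 9.4.21" annotation is consistent with buster shipping 9.4.16-0+deb10u3 (per DLA-3592-1 on this page) and with DLA-3592-1 omitting CVE-2023-41900 while DSA-5507-1 includes it. Pointing the NOTE at the specific 9.4.21 change, in the same style as the "pull/9660 (9.4.52)" fix reference, would make the not-affected claim verifiable without reading the advisory.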
[Git][security-tracker-team/security-tracker][master] CVE-2023-40167,jetty9: link to fixing commits
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 419aec35 by Markus Koschany at 2023-09-26T18:44:07+02:00 CVE-2023-40167,jetty9: link to fixing commits - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1091,6 +1091,8 @@ CVE-2023-40588 (Discourse is an open-source discussion platform. Prior to versio CVE-2023-40167 (Jetty is a Java based web server and servlet engine. Prior to versions ...) - jetty9 9.4.52-1 NOTE: https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6 + NOTE: https://github.com/eclipse/jetty.project/pull/10329 + NOTE: https://github.com/eclipse/jetty.project/commit/e4d596eafc887bcd813ae6e28295b5ce327def47 CVE-2023-40019 (FreeSWITCH is a Software Defined Telecom Stack enabling the digital tr ...) - freeswitch (bug #389591) CVE-2023-40018 (FreeSWITCH is a Software Defined Telecom Stack enabling the digital tr ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/419aec353d91c063157753388e7b8473b7d56c4d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/419aec353d91c063157753388e7b8473b7d56c4d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
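Review bot: the two new reference lines for pull/10329 and commit e4d596ea carry no release tag; add the release the change landed in, in the "(9.4.52)" style used for pull/9660 on the CVE-2023-41900 entry, so the references tie back to `- jetty9 9.4.52-1` on the line above them.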
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3584-1 for netatalk
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 9efbf153 by Markus Koschany at 2023-09-25T22:40:15+02:00 Reserve DLA-3584-1 for netatalk - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[25 Sep 2023] DLA-3584-1 netatalk - security update + {CVE-2023-42464} + [buster] - netatalk 3.1.12~ds-3+deb10u4 [25 Sep 2023] DLA-3583-1 glib2.0 - security update {CVE-2023-29499 CVE-2023-32611 CVE-2023-32665} [buster] - glib2.0 2.58.3-2+deb10u5 = data/dla-needed.txt = @@ -119,9 +119,6 @@ nasm (tobi) ncurses (Sean Whitton) NOTE: 20230921: Added by Front-Desk (apo) -- -netatalk (Markus Koschany) - NOTE: 20230924: Added by Front-Desk (apo) --- nova NOTE: 20230302: Re-add, request by maintainer (Beuc) NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9efbf153e5b584a2a4a8ae235606812fa1ef2bec -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9efbf153e5b584a2a4a8ae235606812fa1ef2bec You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 5 commits: Link to jss bug report
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 0584393d by Markus Koschany at 2023-09-24T23:53:05+02:00 Link to jss bug report - - - - - ad87c4af by Markus Koschany at 2023-09-25T00:02:51+02:00 Add prometheus-alertmanager to dla-needed.txt - - - - - 3237caa5 by Markus Koschany at 2023-09-25T00:10:11+02:00 Add phppgadmin to dla-needed.txt - - - - - ac0b8e12 by Markus Koschany at 2023-09-25T00:12:59+02:00 Add puma to dla-needed.txt - - - - - ca49e4d1 by Markus Koschany at 2023-09-25T00:25:41+02:00 Add osslsigncode to dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -53763,7 +53763,7 @@ CVE-2022-4133 REJECTED CVE-2022-4132 [Tomcat: Memory leak in JSS] RESERVED - - jss + - jss (bug #1052575) [buster] - jss (The vulnerable code was introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2147372 NOTE: Triggered by: https://github.com/dogtagpki/jss/pull/928 = data/dla-needed.txt = 
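Review bot: `(bug #1052575)` is added in the standard position on the unstable line, but the buster annotation `(The vulnerable code was introduced later)` remains a free-text reason that cannot be verified from the entry; since the entry already links the Red Hat bug and the `Triggered by:` PR 928, a NOTE naming the jss version or commit that first contained the leaking code would let the not-affected claim for buster be checked from the tracker alone.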
@@ -161,12 +161,26 @@ open-vm-tools (Sean Whitton) opendkim NOTE: 20230821: Added by Front-Desk (ta) -- +osslsigncode + NOTE: 20230925: Added by Front-Desk (apo) + NOTE: 20230925: Maybe a new upstream release should just do the trick here. +-- +phppgadmin + NOTE: 20230925: Added by Front-Desk (apo) +-- poppler NOTE: 20230908: Added by Front-Desk (lamby) NOTE: 20230908: Added due to CVE-2020-23804. However, please check CVE-2020-18839 NOTE: 20230908: as I suspect this is a duplicate of CVE-2020-27778 (which has already NOTE: 20230908: been fixed). (lamby) -- +prometheus-alertmanager + NOTE: 20230925: Added by Front-Desk (apo) + NOTE: 20230925: Vulnerable code is in ui/app/src/Views/AlertList/AlertView.elm +-- +puma + NOTE: 20230925: Added by Front-Desk (apo) +-- python-git NOTE: 20230923: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/670c7491ac5b41d8e232a71bf289dd5d0b3e1775...ca49e4d19a3118dec3be56686339c9b5b6dbc129 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/670c7491ac5b41d8e232a71bf289dd5d0b3e1775...ca49e4d19a3118dec3be56686339c9b5b6dbc129 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
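Review bot: the four new dla-needed.txt entries (osslsigncode, phppgadmin, prometheus-alertmanager, puma) are placed in alphabetical order with `--` separators, but none records the CVE id that prompted the addition, unlike the neighbouring poppler entry (`Added due to CVE-2020-23804`); adding a `NOTE: 20230925: Added due to CVE-YYYY-NNNN` line to each would save the claimer a lookup. For osslsigncode in particular, the note `Maybe a new upstream release should just do the trick here` should name the CVEs that release would cover, so the claimer can weigh a full version bump in buster against a targeted backport; the prometheus-alertmanager pointer to `ui/app/src/Views/AlertList/AlertView.elm` is the kind of detail that helps here.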
