[Git][security-tracker-team/security-tracker][master] LTS: reclaim shiro, xmlbeans
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 086e6cfa by Roberto C. Sánchez at 2021-05-04T18:47:07-04:00 LTS: reclaim shiro, xmlbeans - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -131,7 +131,7 @@ salt (Utkarsh) -- samba (Abhijith PA) -- -shiro +shiro (Roberto C. Sánchez) NOTE: 20200920: WIP NOTE: 20200928: Still awaiting reponse to request for assistance sent to upstream dev list. (roberto) NOTE: 20201004: Sent additional request to upstream dev list; stil no response. (roberto) @@ -143,7 +143,7 @@ spotweb NOTE: 20210122: Upstream fix trivially bypassed, reported under CVE-2021-3286 NOTE: 20210127: Upstream says "we can fix this but it may take some time", revisit later (Beuc) -- -xmlbeans +xmlbeans (Roberto C. Sánchez) NOTE: 20210222: Affected code changed significantly from 2.6.0 to 3.0.0 (the NOTE: 20210222: upstream release with the fix). Trying to determine how to NOTE: 20210222: implement the changes without introducing too much new code. (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/086e6cfa3b58b134e7cbd8bf7bd6dbf8740befaa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/086e6cfa3b58b134e7cbd8bf7bd6dbf8740befaa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
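Review bot: both `+shiro (Roberto C. Sánchez)` and `+xmlbeans (Roberto C. Sánchez)` re-add a claimant without adding a dated status line, so nothing in either entry says what is currently in progress or blocking; when re-claiming after a gap, append a `NOTE: 20210504: ...` line next to the new claimant, as the 20210309 xmlbeans and 20201220 shiro re-claims on this list did, so the rest of the LTS team can tell a live claim from a stale one.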
[Git][security-tracker-team/security-tracker][master] LTS: re-claim shiro and xmlbeans; getting back on track
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 29d534b9 by Roberto C. Sánchez at 2021-04-07T14:10:57-04:00 LTS: re-claim shiro and xmlbeans; getting back on track - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -129,7 +129,7 @@ ruby-nokogiri salt (Utkarsh) NOTE: 20210329: WIP (utkarsh) -- -shiro +shiro (Roberto C. Sánchez) NOTE: 20200920: WIP NOTE: 20200928: Still awaiting reponse to request for assistance sent to upstream dev list. (roberto) NOTE: 20201004: Sent additional request to upstream dev list; stil no response. (roberto) @@ -144,7 +144,7 @@ spotweb subversion (Emilio) NOTE: 20210322: have a look at #985556 and #948834 -- -xmlbeans +xmlbeans (Roberto C. Sánchez) NOTE: 20210222: Affected code changed significantly from 2.6.0 to 3.0.0 (the NOTE: 20210222: upstream release with the fix). Trying to determine how to NOTE: 20210222: implement the changes without introducing too much new code. (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29d534b9ede940dfa7b4e98c817ffe34adc9c352 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29d534b9ede940dfa7b4e98c817ffe34adc9c352 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: fix typo
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: cf3136a7 by Roberto C. Sánchez at 2021-03-25T21:21:07-04:00 fix typo - - - - - 540c2a73 by Roberto C. Sánchez at 2021-03-25T21:22:28-04:00 remove no-dsa tags from jquery vulnerabilities being fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -73070,9 +73070,7 @@ CVE-2020-11024 (In Moonlight iOS/tvOS before 4.0.1, the pairing process is vulne CVE-2020-11023 (In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, pa ...) {DSA-4693-1} - jquery - [buster] - jquery (Minor issue) - [stretch] - jquery (Minor issue) - [jessie] - jquery (Vulnerable code note present) + [jessie] - jquery (Vulnerable code not present) - drupal7 [jessie] - drupal7 (Vulnerable code not embedded) - node-jquery 3.5.0+dfsg-2 @@ -73086,9 +73084,7 @@ CVE-2020-11023 (In jQuery versions greater than or equal to 1.0.3 and before 3.5 CVE-2020-11022 (In jQuery versions greater than or equal to 1.2 and before 3.5.0, pass ...) {DSA-4693-1} - jquery - [buster] - jquery (Minor issue) - [stretch] - jquery (Minor issue) - [jessie] - jquery (Vulnerable code note present) + [jessie] - jquery (Vulnerable code not present) - node-jquery 3.5.0+dfsg-2 [buster] - node-jquery (Minor issue) - drupal7 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4a0116cf6bf48778938c504c2c4d26f3661a88aa...540c2a739edb3b698cdcfb01caef7d1270d4200e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4a0116cf6bf48778938c504c2c4d26f3661a88aa...540c2a739edb3b698cdcfb01caef7d1270d4200e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
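Review bot: in both hunks the removed lines include `- [buster] - jquery (Minor issue)` alongside the stretch tag, but the commit message only says the vulnerabilities are "being fixed" and the only advisory reserved on this list is DLA-2608-1 for stretch (jquery 3.1.1-2+deb9u2); dropping the buster tag leaves CVE-2020-11022 and CVE-2020-11023 open against buster with no update in flight unless the security team has agreed to one, so either keep the buster tag or record in the commit message who is handling buster. The first commit's message "fix typo" would also be more useful as "jessie jquery: note present -> not present".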
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2608-1 for jquery
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 4a0116cf by Roberto C. Sánchez at 2021-03-25T21:17:50-04:00 Reserve DLA-2608-1 for jquery - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[25 Mar 2021] DLA-2608-1 jquery - security update + {CVE-2020-11022 CVE-2020-11023} + [stretch] - jquery 3.1.1-2+deb9u2 [25 Mar 2021] DLA-2607-1 firefox-esr - security update {CVE-2021-23981 CVE-2021-23982 CVE-2021-23984 CVE-2021-23987} [stretch] - firefox-esr 78.9.0esr-1~deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a0116cf6bf48778938c504c2c4d26f3661a88aa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a0116cf6bf48778938c504c2c4d26f3661a88aa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: (re)claim shiro in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f70c267 by Roberto C. Sánchez at 2021-03-16T21:52:32-04:00 LTS: (re)claim shiro in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -117,7 +117,7 @@ salt (Utkarsh) shadow (Sylvain Beucler) NOTE: 20210316: found new CVE, discussing with secteam -- -shiro +shiro (Roberto C. Sánchez) NOTE: 20200920: WIP NOTE: 20200928: Still awaiting reponse to request for assistance sent to upstream dev list. (roberto) NOTE: 20201004: Sent additional request to upstream dev list; stil no response. (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f70c26795a6e1afcdbdc46fe4455d1043427949 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f70c26795a6e1afcdbdc46fe4455d1043427949 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: reclaim xmlbeans and update status notes
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 65b07d8c by Roberto C. Sánchez at 2021-03-09T20:02:40-05:00 LTS: reclaim xmlbeans and update status notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -134,8 +134,10 @@ tomcat7 (Utkarsh) -- tomcat8 (Anton Gladky) -- -xmlbeans +xmlbeans (Roberto C. Sánchez) NOTE: 20210222: Affected code changed significantly from 2.6.0 to 3.0.0 (the NOTE: 20210222: upstream release with the fix). Trying to determine how to NOTE: 20210222: implement the changes without introducing too much new code. (roberto) + NOTE: 20210309: Have developed a minimal backport that accomplishes necessary security + NOTE: 20210309: fix with minimal new code. (roberto) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/65b07d8c98aa4c0580565024ac74c4a3cae82129 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/65b07d8c98aa4c0580565024ac74c4a3cae82129 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
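Review bot: the added `NOTE: 20210309: Have developed a minimal backport ...` says a patch exists but not where it lives; point it at the branch or patch file (the xcftools entry in this file records its patch as a salsa URL under `NOTE: 20200605:`), so that if the claim lapses again the next person does not redo the 2.6.0 -> 3.0.0 analysis described in the 20210222 notes.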
[Git][security-tracker-team/security-tracker][master] LTS: update notes for xmlbeans
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 0ceb844e by Roberto C. Sánchez at 2021-02-21T22:42:03-05:00 LTS: update notes for xmlbeans - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -124,6 +124,9 @@ subversion (Thorsten Alteholz) NOTE: 20210221: solving build problems -- xmlbeans (Roberto C. Sánchez) + NOTE: 20210222: Affected code changed significantly from 2.6.0 to 3.0.0 (the + NOTE: 20210222: upstream release with the fix). Trying to determine how to + NOTE: 20210222: implement the changes without introducing too much new code. (roberto) -- zeromq3 (Anton Gladky) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0ceb844e7e90a0121d1c570e6ab2d08379c0cdee -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0ceb844e7e90a0121d1c570e6ab2d08379c0cdee You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
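Review bot: the three added NOTE lines describe the upstream fix by release (2.6.0 vs 3.0.0) but never name the CVE the xmlbeans entry is for; put the CVE id in the first NOTE line so the note can be matched to its data/CVE/list entry and the upstream change without guessing which issue "3.0.0 (the upstream release with the fix)" refers to.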
[Git][security-tracker-team/security-tracker][master] LTS: reclaim xmlbeans in dla-needed.txt, WIP
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 876238d6 by Roberto C. Sánchez at 2021-02-08T06:44:54-05:00 LTS: reclaim xmlbeans in dla-needed.txt, WIP - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -110,5 +110,5 @@ xcftools (Markus Koschany) NOTE: 20200523: Proposed fix https://github.com/j-jorge/xcftools/pull/15 (gladk) NOTE: 20200605: Patch https://salsa.debian.org/lts-team/packages/xcftools/-/blob/fix/test-CVE-2019-5087/debian/patches/CVE-2019-5087.patch (gladk) -- -xmlbeans +xmlbeans (Roberto C. Sánchez) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/876238d650088073615cafb1ebe5bd66c93584b5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/876238d650088073615cafb1ebe5bd66c93584b5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
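Review bot: the commit message says "WIP" but the only change is `+xmlbeans (Roberto C. Sánchez)`; put that status in the file too, e.g. `  NOTE: 20210208: WIP (roberto)` under the new line, matching the `NOTE: 20200920: WIP` line the shiro entry carries, since readers of dla-needed.txt do not see commit messages.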
[Git][security-tracker-team/security-tracker][master] LTS: claim shiro in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: fbabc0e2 by Roberto C. Sánchez at 2021-02-01T09:27:17-05:00 LTS: claim shiro in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -108,7 +108,7 @@ ruby-kaminari NOTE: 20201009: This (↑) is an app-level patch for a rails app. A library-level patch NOTE: 20201009: will needed to be written. Opened an issue at upstream, though somewhat inactive. (utkarsh) -- -shiro +shiro (Roberto C. Sánchez) NOTE: 20200920: WIP NOTE: 20200928: Still awaiting reponse to request for assistance sent to upstream dev list. (roberto) NOTE: 20201004: Sent additional request to upstream dev list; stil no response. (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fbabc0e2aea1bcb858b89539f4b4c16dd0b843d0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fbabc0e2aea1bcb858b89539f4b4c16dd0b843d0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2537-1 for ffmpeg
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 63141f7f by Roberto C. Sánchez at 2021-01-31T00:02:27-05:00 Reserve DLA-2537-1 for ffmpeg - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Jan 2021] DLA-2537-1 ffmpeg - security update + {CVE-2019-17539 CVE-2020-35965} + [stretch] - ffmpeg 7:3.2.15-0+deb9u2 [30 Jan 2021] DLA-2536-1 libsdl2 - security update {CVE-2019-7575 CVE-2019-7577 CVE-2019-7578 CVE-2019-7635 CVE-2019-7636 CVE-2019-7638 CVE-2019-13616 CVE-2020-14409 CVE-2020-14410} [stretch] - libsdl2 2.0.5+dfsg1-2+deb9u1 = data/dla-needed.txt = @@ -38,8 +38,6 @@ f2fs-tools (Abhijith PA) NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 and 1.13.0, but it is not trivial to NOTE: 20200815: to detect which of the patches correlates to the CVE. Contacting upstream might be necessary. (sunweaver) -- -ffmpeg (Roberto C. Sánchez) --- firefox-esr (Emilio) -- firmware-nonfree View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63141f7f6c24091ee093a93df4a2d301f2b67c2c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63141f7f6c24091ee093a93df4a2d301f2b67c2c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: CVE-2020-35964/ffmpeg mark as not-affected for stretch
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 529c47f8 by Roberto C. Sánchez at 2021-01-30T20:02:00-05:00 LTS: CVE-2020-35964/ffmpeg mark as not-affected for stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11286,6 +11286,7 @@ CVE-2020-35965 (decode_frame in libavcodec/exr.c in FFmpeg 4.3.1 has an out-of-b CVE-2020-35964 (track_header in libavformat/vividas.c in FFmpeg 4.3.1 has an out-of-bo ...) - ffmpeg 7:4.3.1-6 (bug #98) [buster] - ffmpeg (Wait for 4.1.7) + [stretch] - ffmpeg (Vulnerable code introduced later) NOTE: https://github.com/FFmpeg/FFmpeg/commit/27a99e2c7d450fef15594671eef4465c8a166bd7 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26622 CVE-2020-35963 (flb_gzip_compress in flb_gzip.c in Fluent Bit before 1.6.4 has an out- ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/529c47f897de07551fcc5ebf51a517fc15b26289 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/529c47f897de07551fcc5ebf51a517fc15b26289 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
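Review bot: the added line reads `+ [stretch] - ffmpeg (Vulnerable code introduced later)` with no not-affected marker shown between the package name and the reason, while the commit message says the entry is being marked not-affected; confirm the pushed line carries the tag (it may have been dropped in this rendering), because the parenthetical alone does not encode a status. The reason would also be easier to verify if it named the upstream commit or version that introduced the code rather than just "later", given the NOTE below already links the fixing commit.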
[Git][security-tracker-team/security-tracker][master] LTS: CVE-2019-17539/ffmpeg remove postponed tag, will be fixed
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 699fb536 by Roberto C. Sánchez at 2021-01-30T19:37:07-05:00 LTS: CVE-2019-17539/ffmpeg remove postponed tag, will be fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -99226,7 +99226,6 @@ CVE-2019-17540 (ImageMagick before 7.0.8-54 has a heap-based buffer overflow in CVE-2019-17539 (In FFmpeg before 4.2, avcodec_open2 in libavcodec/utils.c allows a NUL ...) {DSA-4722-1} - ffmpeg 7:4.2.1-1 (low) - [stretch] - ffmpeg (Minor issue, wait until fixed in 3.2.x branch) - libav (low) [jessie] - libav (Vulnerable code introduced in v12.x) NOTE: https://github.com/FFmpeg/FFmpeg/commit/8df6884832ec413cf032dfaa45c23b1c7876670c View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/699fb5365c22919a840b71a31a5f1224b9580085 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/699fb5365c22919a840b71a31a5f1224b9580085 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: claim xmlbeans and ffmpeg in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 007915b3 by Roberto C. Sánchez at 2021-01-22T19:48:08-05:00 LTS: claim xmlbeans and ffmpeg in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -40,7 +40,7 @@ f2fs-tools (Abhijith PA) NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 and 1.13.0, but it is not trivial to NOTE: 20200815: to detect which of the patches correlates to the CVE. Contacting upstream might be necessary. (sunweaver) -- -ffmpeg +ffmpeg (Roberto C. Sánchez) -- firmware-nonfree NOTE: 20201207: wait for the update in buster and backport that (Emilio) @@ -154,5 +154,5 @@ xcftools NOTE: 20200523: Proposed fix https://github.com/j-jorge/xcftools/pull/15 (gladk) NOTE: 20200605: Patch https://salsa.debian.org/lts-team/packages/xcftools/-/blob/fix/test-CVE-2019-5087/debian/patches/CVE-2019-5087.patch (gladk) -- -xmlbeans +xmlbeans (Roberto C. Sánchez) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/007915b3395f09cd8415781b2ab4681d5dc1d0ff -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/007915b3395f09cd8415781b2ab4681d5dc1d0ff You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: re-claim shiro in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 46715607 by Roberto C. Sánchez at 2021-01-05T18:27:18-05:00 LTS: re-claim shiro in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -146,7 +146,7 @@ ruby-kaminari NOTE: 20201009: This (↑) is an app-level patch for a rails app. A library-level patch NOTE: 20201009: will needed to be written. Opened an issue at upstream, though somewhat inactive. (utkarsh) -- -shiro +shiro (Roberto C. Sánchez) NOTE: 20200920: WIP NOTE: 20200928: Still awaiting reponse to request for assistance sent to upstream dev list. (roberto) NOTE: 20201004: Sent additional request to upstream dev list; stil no response. (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46715607a66873a2aabfc3b7e60a10f59f59bebb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46715607a66873a2aabfc3b7e60a10f59f59bebb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Link upstream announcement and release notes for CVE-2020-17510/shiro
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 882a8b9e by Roberto C. Sánchez at 2020-12-22T20:51:08-05:00 Link upstream announcemnt and release notes for CVE-2020-17510/shiro - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -35035,6 +35035,8 @@ CVE-2020-17511 (In Airflow versions prior to 1.10.13, when creating a user using CVE-2020-17510 (Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a spec ...) - shiro NOTE: https://www.openwall.com/lists/oss-security/2020/11/04/7 + NOTE: https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E + NOTE: https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12349284=Text=12310950 CVE-2020-17509 [ATS negative cache option is vulnerable to a cache poisoning attack] RESERVED {DSA-4805-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/882a8b9e179a76e98258bb2985a6718b9a9a9ebc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/882a8b9e179a76e98258bb2985a6718b9a9a9ebc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
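Review bot: the second added NOTE URL, `...ReleaseNote.jspa?version=12349284=Text=12310950`, has values run together with no parameter names after `version=12349284`, so it will not resolve as written; re-check the Jira release-notes link before relying on it (the `%40%3Cdev.shiro.apache.org%3E` thread link above it is intact).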
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: CVE-2020-15005/mediawiki will be fixed
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 82a98030 by Roberto C. Sánchez at 2020-12-22T20:11:54-05:00 LTS: CVE-2020-15005/mediawiki will be fixed - - - - - ffc529a3 by Roberto C. Sánchez at 2020-12-22T20:29:56-05:00 Reserve DLA-2504-1 for mediawiki - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -41021,7 +41021,6 @@ CVE-2020-15006 (Bludit 3.12.0 allows stored XSS via JavaScript code in an SVG do CVE-2020-15005 (In MediaWiki before 1.31.8, 1.32.x and 1.33.x before 1.33.4, and 1.34. ...) {DSA-4767-1} - mediawiki 1:1.31.8-1 - [stretch] - mediawiki (Minor issue) NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2020-June/093535.html CVE-2020-15004 (OX App Suite through 7.10.3 allows stats/diagnostic?param= XSS. ...) NOT-FOR-US: Open-Xchange App Suite = data/DLA/list = @@ -1,3 +1,6 @@ +[22 Dec 2020] DLA-2504-1 mediawiki - security update + {CVE-2020-15005 CVE-2020-35477 CVE-2020-35479 CVE-2020-35480} + [stretch] - mediawiki 1:1.27.7-1~deb9u7 [22 Dec 2020] DLA-2412-2 openjdk-8 - regression update [stretch] - openjdk-8 8u275-b01-1~deb9u1 [21 Dec 2020] DLA-2503-1 node-ini - security update = data/dla-needed.txt = 
@@ -91,8 +91,6 @@ mariadb-10.1 (Adrian Bunk) NOTE: 20201207: still ongoing (bunk) NOTE: 20201220: debugging test failure in local build (bunk) -- -mediawiki (Roberto C. Sánchez) --- mumble NOTE: 20200325: Regression in last upload, forgot to follow up. NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/45060b59935ed05698d9d6ab7bb2bfe4e014be4c...ffc529a3709ee9860c8640dc796bbfff4f9029c1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/45060b59935ed05698d9d6ab7bb2bfe4e014be4c...ffc529a3709ee9860c8640dc796bbfff4f9029c1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
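Review bot: the DLA-2504-1 entry lists four CVEs (CVE-2020-15005 CVE-2020-35477 CVE-2020-35479 CVE-2020-35480) but the data/CVE/list hunk only removes the stretch `(Minor issue)` tag from CVE-2020-15005; check that CVE-2020-35477, CVE-2020-35479 and CVE-2020-35480 carry no stale stretch tags of their own, otherwise the advisory will be published against entries the tracker still reports as no-dsa.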
[Git][security-tracker-team/security-tracker][master] LTS: mark CVE-2020-35475/mediawiki as not-affected for stretch
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 4c20ffd8 by Roberto C. Sánchez at 2020-12-21T22:00:41-05:00 LTS: mark CVE-2020-35475/mediawiki as not-affected for stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2489,6 +2489,7 @@ CVE-2020-35476 (A remote code execution vulnerability occurs in OpenTSDB through CVE-2020-35475 (In MediaWiki before 1.35.1, the messages userrights-expiry-current and ...) {DSA-4816-1} - mediawiki 1:1.35.1-1 + [stretch] - mediawiki (Introduced in 1.29) NOTE: https://phabricator.wikimedia.org/T268917 NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2020-December/094126.html CVE-2020-35474 (In MediaWiki before 1.35.1, the combination of Html::rawElement and Me ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c20ffd8855871ec3010d3125ad9da27883a7295 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c20ffd8855871ec3010d3125ad9da27883a7295 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: stretch triage
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: bacefb3b by Roberto C. Sánchez at 2020-12-20T13:01:33-05:00 LTS: stretch triage - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -128,6 +128,8 @@ php-horde-trean NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in https://bugs.horde.org/ticket/14926 (sunweaver) NOTE: 20200829: We may not expect too much activity regarding this by upstream. (sunweaver) -- +postsrsd +-- reel NOTE: 20200909: it is now unmaintained. last commit was in Aug 2018. (utkarsh) -- @@ -181,6 +183,11 @@ spip (Abhijith PA) NOTE: Low priority for us. sec team did DSA-4798-1 (abhijith) NOTE: 20201220: package in stretch in unusable. Contacted maintainer (abhijith) -- +spotweb + NOTE: 20201220: The affected code (PHP!) uses string concatenation to construct a SQL query. + NOTE: 20201220: Upstream's "fix" is to blacklist all the "bad" SQL commands. + NOTE: 20201220: Yes, this is a dumpster fire. Claim this package at your own peril. (roberto) +-- wireshark NOTE: 20201007: during last triage, I marked some CVEs as no-dsa, it'd be great to include NOTE: 20201007: those fixes as well! \o/ (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bacefb3b1d441864774355876cf62a02583b7e7d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bacefb3b1d441864774355876cf62a02583b7e7d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
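Review bot: the block added under `+spotweb` describes the flaw (a SQL query built by string concatenation, upstream's fix a blacklist of SQL commands) but names no CVE, and the `+postsrsd` entry above it is added with no NOTE at all; give each a CVE id or a pointer to its tracker entry so a future claimant can find what needs fixing, and consider stating the spotweb status factually ("upstream fix is a keyword blacklist, not a parameterised query") since this file is read by the whole LTS team.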
[Git][security-tracker-team/security-tracker][master] LTS: reclaim shiro, update notes
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ed458df by Roberto C. Sánchez at 2020-12-20T12:46:36-05:00 LTS: reclaim shiro, update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -162,10 +162,11 @@ ruby-kaminari NOTE: 20201009: This (↑) is an app-level patch for a rails app. A library-level patch NOTE: 20201009: will needed to be written. Opened an issue at upstream, though somewhat inactive. (utkarsh) -- -shiro +shiro (Roberto C. Sánchez) NOTE: 20200920: WIP NOTE: 20200928: Still awaiting reponse to request for assistance sent to upstream dev list. (roberto) NOTE: 20201004: Sent additional request to upstream dev list; stil no response. (roberto) + NOTE: 20201220: Upstream has responded. Working with them to backport fixes. (roberto) -- slirp (Thorsten Alteholz) NOTE: Upstream patch for CVE-2020-8608 requires patches for View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ed458df2bcc47656cf0976486c7d5bf8fdb1763 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ed458df2bcc47656cf0976486c7d5bf8fdb1763 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
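Review bot: while editing this block to add `NOTE: 20201220: Upstream has responded...`, fix the two typos in the adjacent context lines, `reponse` (20200928) and `stil` (20201004), which have been carried across every re-claim of shiro on this list.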
[Git][security-tracker-team/security-tracker][master] LTS: mark CVE-2020-14394/qemu as postponed for stretch
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: ced0213f by Roberto C. Sánchez at 2020-12-20T00:22:26-05:00 LTS: mark CVE-2020-14394/qemu as postponed for stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -41942,6 +41942,7 @@ CVE-2020-14395 CVE-2020-14394 [infinite loop in xhci_ring_chain_length() in hw/usb/hcd-xhci.c] RESERVED - qemu + [stretch] - qemu (Fix along in future DLA) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1908004 CVE-2020-14393 (A buffer overflow was found in perl-DBI 1.643 in DBI.xs. A local ...) {DLA-2386-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ced0213f6fb283a09389ec287f8925bebd5c790d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ced0213f6fb283a09389ec287f8925bebd5c790d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
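Review bot: the reason text in `+ [stretch] - qemu (Fix along in future DLA)` reads oddly; "Fix along with next qemu DLA" says what is meant and matches how other postponed reasons on this list are phrased (e.g. "wait until fixed in 3.2.x branch"). The NOTE below links the Red Hat bug but nothing records whether an upstream fix exists yet, which is what a later DLA preparer will need.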
[Git][security-tracker-team/security-tracker][master] 3 commits: LTS: triage {CVE-2020-35490,CVE-2020-35491}/jackson-databind as no-dsa
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: fe0bce11 by Roberto C. Sánchez at 2020-12-18T22:28:13-05:00 LTS: triage {CVE-2020-35490,CVE-2020-35491}/jackson-databind as no-dsa This is consistent with both how the same CVEs were handled for buster by the security team and how previous similar CVEs (CVE-2020-24616 and CVE-2020-24750) were handled by the LTS team. - - - - - 76d5aa7f by Roberto C. Sánchez at 2020-12-18T22:31:49-05:00 LTS: triage CVE-2020-29652/golang-go.crypto as not-affected - - - - - c61cdb7f by Roberto C. Sánchez at 2020-12-18T22:41:08-05:00 LTS: triage golang-1.8 and golang-1.7 - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -2040,12 +2040,14 @@ CVE-2020-35492 CVE-2020-35491 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...) - jackson-databind [buster] - jackson-databind (Minor issue) + [stretch] - jackson-databind (Minor issue) NOTE: https://github.com/FasterXML/jackson-databind/issues/2986 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. CVE-2020-35490 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...) - jackson-databind [buster] - jackson-databind (Minor issue) + [stretch] - jackson-databind (Minor issue) NOTE: https://github.com/FasterXML/jackson-databind/issues/2986 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. @@ -4065,6 +4067,7 @@ CVE-2020-29653 RESERVED CVE-2020-29652 (A nil pointer dereference in the golang.org/x/crypto/ssh component thr ...) - golang-go.crypto + [stretch] - golang-go.crypto (Vulnerable code not present) - kubernetes NOTE: https://go-review.googlesource.com/c/crypto/+/278852 NOTE: https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1 = data/dla-needed.txt = 
@@ -58,6 +58,12 @@ flac (Adrian Bunk) NOTE: 20201215: when preparing fix/advisory note that the same code change fixes both CVE-2020-0487 and CVE-2017-6888 (roberto) NOTE: 20201215: stretch and buster versions are very close; perhaps consider coordinating with security team and helping them by preparing an update for buster (roberto) -- +golang-1.7 + NOTE: 20201219: new CVEs may not be getting fixed, might need to ignore (roberto) +-- +golang-1.8 + NOTE: 20201219: new CVEs may not be getting fixed, might need to ignore (roberto) +-- golang-websocket -- imagemagick (Sylvain Beucler) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ced4449781949729fc5d3225e95df39fa111597e...c61cdb7f53756c142b4466bd95e5b0067bce9807 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ced4449781949729fc5d3225e95df39fa111597e...c61cdb7f53756c142b4466bd95e5b0067bce9807 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
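Review bot: the golang-1.7 and golang-1.8 entries say "new CVEs may not be getting fixed, might need to ignore" without naming the CVEs, so whoever picks these up cannot tell which issues the decision covers; list the CVE ids in the NOTE, and if the outcome is to ignore them, record the reason in the data/CVE/list annotations as well, since dla-needed.txt entries are deleted when resolved and the rationale would otherwise disappear with them.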
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2500-1 for curl
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: ced44497 by Roberto C. Sánchez at 2020-12-18T21:53:34-05:00 Reserve DLA-2500-1 for curl - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[18 Dec 2020] DLA-2500-1 curl - security update + {CVE-2020-8284 CVE-2020-8285 CVE-2020-8286} + [stretch] - curl 7.52.1-5+deb9u13 [18 Dec 2020] DLA-2467-2 lxml - regression update [stretch] - lxml 3.7.1-1+deb9u3 [17 Dec 2020] DLA-2499-1 sympa - security update = data/dla-needed.txt = @@ -47,8 +47,6 @@ condor NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o (roberto) NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto) -- -curl (Roberto C. Sánchez) --- f2fs-tools NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 and 1.13.0, but it is not trivial to NOTE: 20200815: to detect which of the patches correlates to the CVE. Contacting upstream might be necessary. (sunweaver) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ced4449781949729fc5d3225e95df39fa111597e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ced4449781949729fc5d3225e95df39fa111597e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: triage libxstream-java
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: a180e00f by Roberto C. Sánchez at 2020-12-17T18:22:38-05:00 LTS: triage libxstream-java - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -84,6 +84,8 @@ lemonldap-ng (Utkarsh) libhibernate3-java NOTE: 20201115: No patch yet; unsure if version in LTS is vulnerable. (lamby) -- +libxstream-java (Markus Koschany) +-- linux (Ben Hutchings) -- linux-4.19 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a180e00f25090d97abf0174bba2341d493226d37 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a180e00f25090d97abf0174bba2341d493226d37 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
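Review bot: libxstream-java is claimed with no NOTE, and the only reason visible on this page for it being in dla-needed.txt is the 20 Nov commit 1cf942cc further down, which dropped the stretch "(Minor issue)" marker on CVE-2020-26217 (fixed upstream in 1.4.14, commit 0fec095d already listed in data/CVE/list); add a NOTE naming that CVE and the fix commit so the claim is self-describing, the way the other claimed entries around it carry their context.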
[Git][security-tracker-team/security-tracker][master] LTS: triage CVE-2020-29663/icinga2 as not-affected for stretch
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 8566f098 by Roberto C. Sánchez at 2020-12-16T12:18:04-05:00 LTS: triage CVE-2020-29663/icinga2 as not-affected for stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1799,6 +1799,7 @@ CVE-2020-29664 CVE-2020-29663 (Icinga 2 v2.8.0 through v2.11.7 and v2.12.2 has an issue where revoked ...) - icinga2 2.12.3-1 [buster] - icinga2 (Minor issue) + [stretch] - icinga2 (Vulnerable code not present) NOTE: https://github.com/Icinga/icinga2/security/advisories/GHSA-pcmr-2p2f-r7j6 NOTE: https://github.com/Icinga/icinga2/commit/abbd7d5494369af8bbf8fc12f5dc1a0f05a1f817 NOTE: https://github.com/Icinga/icinga2/commit/cae22a89da9e6a381904c3b207e5a3f93f6ed838 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8566f0988fe80d78c33f219859fa9ffc10376bec -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8566f0988fe80d78c33f219859fa9ffc10376bec You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
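Review bot: the added "[stretch] - icinga2 (Vulnerable code not present)" line records no version; the CVE text bounds the affected range at v2.8.0 through v2.11.7 and v2.12.2, and the two Icinga commits are already listed as NOTEs, so add one more NOTE saying which of those is the basis (the stretch version falls outside the range, or the code touched by commits abbd7d54 and cae22a89 is absent) so the not-affected claim can be rechecked without repeating the triage.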
[Git][security-tracker-team/security-tracker][master] 5 commits: LTS: mark xen CVEs as EOL
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c93185c by Roberto C. Sánchez at 2020-12-15T18:38:07-05:00 LTS: mark xen CVEs as EOL - - - - - 28e63f24 by Roberto C. Sánchez at 2020-12-15T18:40:28-05:00 LTS: triage firefox-esr and thunderbird for stretch - - - - - 4f181fb9 by Roberto C. Sánchez at 2020-12-15T18:47:26-05:00 LTS: triage node-ini for stretch - - - - - 28c9af2f by Roberto C. Sánchez at 2020-12-15T19:00:02-05:00 fix broken link for commit related to CVE-2017-6888/flac - - - - - 76ae31a5 by Roberto C. Sánchez at 2020-12-15T19:01:38-05:00 LTS: triage flac for stretch - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -2529,10 +2529,12 @@ CVE-2020-29572 (app/View/Elements/genericElements/SingleViews/Fields/genericFiel CVE-2020-29571 (An issue was discovered in Xen through 4.14.x. A bounds check common t ...) {DSA-4812-1} - xen 4.14.0+88-g1d1d1f5391-1 + [stretch] - xen (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-359.html CVE-2020-29570 (An issue was discovered in Xen through 4.14.x. Recording of the per-vC ...) {DSA-4812-1} - xen 4.14.0+88-g1d1d1f5391-1 + [stretch] - xen (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-358.html CVE-2020-29569 (An issue was discovered in the Linux kernel through 5.10.1, as used wi ...) - linux @@ -2548,6 +2550,7 @@ CVE-2020-29567 (An issue was discovered in Xen 4.14.x. When moving IRQs between CVE-2020-29566 (An issue was discovered in Xen through 4.14.x. When they require assis ...) {DSA-4812-1} - xen 4.14.0+88-g1d1d1f5391-1 + [stretch] - xen (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-348.html CVE-2020-29565 (An issue was discovered in OpenStack Horizon before 15.3.2, 16.x befor ...) - horizon 3:18.6.1-1 (bug #976872) 
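Review bot: the commit message says the xen CVEs are marked EOL for stretch, but each added line reads only "[stretch] - xen (DSA 4602-1)"; as rendered there is no end-of-life state keyword in front of the parenthetical, and a parenthetical on its own sets no state in data/CVE/list, so confirm the keyword is present in the committed file rather than lost in this rendering, otherwise CVE-2020-29571, CVE-2020-29570 and CVE-2020-29566 show as plain open for stretch.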
@@ -2928,34 +2931,42 @@ CVE-2020-29487 (An issue was discovered in Xen XAPI before 2020-12-15. Certain x CVE-2020-29486 (An issue was discovered in Xen through 4.14.x. Nodes in xenstore have ...) {DSA-4812-1} - xen 4.14.0+88-g1d1d1f5391-1 + [stretch] - xen (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-352.html CVE-2020-29485 (An issue was discovered in Xen 4.6 through 4.14.x. When acting upon a ...) {DSA-4812-1} - xen 4.14.0+88-g1d1d1f5391-1 + [stretch] - xen (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-330.html CVE-2020-29484 (An issue was discovered in Xen through 4.14.x. When a Xenstore watch f ...) {DSA-4812-1} - xen 4.14.0+88-g1d1d1f5391-1 + [stretch] - xen (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-324.html CVE-2020-29483 (An issue was discovered in Xen through 4.14.x. Xenstored and guests co ...) {DSA-4812-1} - xen 4.14.0+88-g1d1d1f5391-1 + [stretch] - xen (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-325.html CVE-2020-29482 (An issue was discovered in Xen through 4.14.x. A guest may access xens ...) {DSA-4812-1} - xen 4.14.0+88-g1d1d1f5391-1 + [stretch] - xen (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-323.html CVE-2020-29481 (An issue was discovered in Xen through 4.14.x. Access rights of Xensto ...) {DSA-4812-1} - xen 4.14.0+88-g1d1d1f5391-1 + [stretch] - xen (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-322.html CVE-2020-29480 (An issue was discovered in Xen through 4.14.x. Neither xenstore implem ...) {DSA-4812-1} - xen 4.14.0+88-g1d1d1f5391-1 + [stretch] - xen (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-115.html CVE-2020-29479 (An issue was discovered in Xen through 4.14.x. In the Ocaml xenstored ...) {DSA-4812-1} - xen 4.14.0+88-g1d1d1f5391-1 + [stretch] - xen (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-353.html CVE-2020-29478 RESERVED 
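Review bot: the reference is written "(DSA 4602-1)" in all nine added lines, while every other advisory reference in this file uses the hyphenated form ("{DSA-4812-1}", "DLA-1057-1" further down); use "DSA-4602-1" so that anything grepping or cross-linking advisory ids in the tracker matches these entries too. Since the same annotation is repeated for twelve CVEs across the two hunks, one tracker-wide NOTE explaining why xen is end-of-life in stretch, next to the first of them, would spare the reader from having to look up DSA-4602-1 for each.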
@@ -221269,7 +221280,8 @@ CVE-2017-6888 (An error in the "read_metadata_vorbiscomment_()" function (src/li [jessie] - flac (Minor issue) [wheezy] - flac (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2017-7/ - NOTE: https://git.xiph.org/?p=flac.git;a=commit;h=4f47b63e9c971e6391590caf00a0f2a5ed612e67 + NOTE: https://git.xiph.org/?p=flac.git;a=commit;h=4f47b63e9c971e6391590caf00a0f2a5ed612e67 (broken link) + NOTE: https://android.googlesource.com/platform/external/flac/+/4f47b63e9c971e6391590caf00a0f2a5ed612e67 CVE-2017-6887 (A boundary error within the "parse_tiff_ifd()" function (internal/dcra ...) {DSA-3950-1 DLA-1057-1} - libraw 0.18.2-2 (bug #864183) =
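Review bot: keeping the dead git.xiph.org URL annotated "(broken link)" next to the android.googlesource.com mirror is the right call, because both carry the same commit hash 4f47b63e9c971e6391590caf00a0f2a5ed612e67 and that is what lets a later reader confirm the mirror is the same change. The flac NOTE added to dla-needed.txt on 20201215 (visible in the 18 Dec commit near the top of this page) says this one commit fixes both CVE-2020-0487 and CVE-2017-6888, so the mirror URL belongs under CVE-2020-0487 as well, so that both records point at a single reachable fix.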
[Git][security-tracker-team/security-tracker][master] LTS: triage lxml
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: cc87469a by Roberto C. Sánchez at 2020-12-14T20:05:48-05:00 LTS: triage lxml - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -83,6 +83,8 @@ linux (Ben Hutchings) -- linux-4.19 (Ben Hutchings) -- +lxml (Roberto C. Sánchez) +-- mariadb-10.1 (Adrian Bunk) NOTE: 20201207: still ongoing (bunk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc87469af3d150bbf2746207b30d90d9ac1c20e7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc87469af3d150bbf2746207b30d90d9ac1c20e7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2340-2 for sqlite3
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 138ee6ba by Roberto C. Sánchez at 2020-12-10T09:25:52-05:00 Reserve DLA-2340-2 for sqlite3 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[10 Dec 2020] DLA-2340-2 sqlite3 - regression update + [stretch] - sqlite3 3.16.2-5+deb9u3 [10 Dec 2020] DLA-2488-1 python-apt - security update {CVE-2020-27351} [stretch] - python-apt 1.4.2 = data/dla-needed.txt = @@ -170,8 +170,6 @@ spice-vdagent (Abhijith PA) spip (Abhijith PA) NOTE: Low priority for us. sec team did DSA-4798-1 (abhijith) -- -sqlite3 (Roberto C. Sánchez) --- tomcat8 (Utkarsh) -- webcit (Markus Koschany) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/138ee6ba1d326689e1d502e112e701b44cefb0a8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/138ee6ba1d326689e1d502e112e701b44cefb0a8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: take curl in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: c0acd9bb by Roberto C. Sánchez at 2020-12-09T07:25:48-05:00 LTS: take curl in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -46,7 +46,7 @@ condor NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o (roberto) NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto) -- -curl +curl (Roberto C. Sánchez) -- f2fs-tools NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 and 1.13.0, but it is not trivial to View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0acd9bb4ef0d851763d479987fead035de3ae35 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0acd9bb4ef0d851763d479987fead035de3ae35 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: claim sqlite3 in dla-needed.txt (regression was reported against update I prepared previously)
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: ff774e00 by Roberto C. Sánchez at 2020-12-08T10:00:45-05:00 LTS: claim sqlite3 in dla-needed.txt (regression was reported against update I prepared previously) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -164,7 +164,7 @@ spice-vdagent (Abhijith PA) spip (Abhijith PA) NOTE: Low priority for us. sec team did DSA-4798-1 (abhijith) -- -sqlite3 +sqlite3 (Roberto C. Sánchez) -- tomcat8 (Utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff774e00cc09a7a28241c867d833d624c7001499 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff774e00cc09a7a28241c867d833d624c7001499 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2476-1 for brotli
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e780447 by Roberto C. Sánchez at 2020-12-01T17:56:21-05:00 Reserve DLA-2476-1 for brotli - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[01 Dec 2020] DLA-2476-1 brotli - security update + {CVE-2020-8927} + [stretch] - brotli 0.5.2+dfsg-2+deb9u1 [01 Dec 2020] DLA-2475-1 pdfresurrect - security update {CVE-2019-14934 CVE-2020-20740} [stretch] - pdfresurrect 0.12-6+deb9u1 = data/dla-needed.txt = @@ -27,11 +27,6 @@ ansible (Markus Koschany) NOTE: 20201130: Not everything is clear and obvious thus fixing some CVE is NOTE: 20201130: better than continue to ignore all of them. -- -brotli (Roberto C. Sánchez) - NOTE: 20201025: Requested patch review on debian-lts@l.d.o (roberto) - NOTE: 20201114: Requested assistance from original patch author. (roberto) - NOTE: 20201201: Upstream has responded and verified the required backport changes. (roberto) --- ceph NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby) NOTE: 20200707: Some discussion regarding removal <https://lists.debian.org/debian-lts/2020/04/msg00019.html> (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e780447059dc7de19e820db8f46d05fc906eeb9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e780447059dc7de19e820db8f46d05fc906eeb9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: reclaim brotli, update notes
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: d9c23a4e by Roberto C. Sánchez at 2020-12-01T08:51:05-05:00 LTS: reclaim brotli, update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -27,9 +27,10 @@ ansible (Markus Koschany) NOTE: 20201130: Not everything is clear and obvious thus fixing some CVE is NOTE: 20201130: better than continue to ignore all of them. -- -brotli +brotli (Roberto C. Sánchez) NOTE: 20201025: Requested patch review on debian-lts@l.d.o (roberto) NOTE: 20201114: Requested assistance from original patch author. (roberto) + NOTE: 20201201: Upstream has responded and verified the required backport changes. (roberto) -- ceph NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9c23a4e543c1e2c3b46115f6c39428d0832d783 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9c23a4e543c1e2c3b46115f6c39428d0832d783 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2475-1 for pdfresurrect
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: b9c9fdec by Roberto C. Sánchez at 2020-12-01T07:53:52-05:00 Reserve DLA-2475-1 for pdfresurrect - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[01 Dec 2020] DLA-2475-1 pdfresurrect - security update + {CVE-2019-14934 CVE-2020-20740} + [stretch] - pdfresurrect 0.12-6+deb9u1 [01 Dec 2020] DLA-2474-1 musl - security update {CVE-2020-28928} [stretch] - musl 1.1.16-3+deb9u1 = data/dla-needed.txt = @@ -109,8 +109,6 @@ pacemaker (Markus Koschany) NOTE: 20201130: I will ask the other bug reporters for feedback and testing NOTE: 20201130: in #974563. The update itself looks good to me. -- -pdfresurrect (Roberto C. Sánchez) --- php-horde-trean NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in https://bugs.horde.org/ticket/14926 (sunweaver) NOTE: 20200829: We may not expect too much activity regarding this by upstream. (sunweaver) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b9c9fdec2f2bb1b3282c97dc349ac337c6954bb1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b9c9fdec2f2bb1b3282c97dc349ac337c6954bb1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: claim pdfresurrect in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: f1bde5a5 by Roberto C. Sánchez at 2020-11-30T18:39:26-05:00 LTS: claim pdfresurrect in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -109,7 +109,7 @@ pacemaker (Markus Koschany) NOTE: 20201130: I will ask the other bug reporters for feedback and testing NOTE: 20201130: in #974563. The update itself looks good to me. -- -pdfresurrect +pdfresurrect (Roberto C. Sánchez) -- php-horde-trean NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in https://bugs.horde.org/ticket/14926 (sunweaver) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f1bde5a591edd77955512ae4ea56fd8912afc2c6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f1bde5a591edd77955512ae4ea56fd8912afc2c6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: remove postponed from CVE-2020-10704 in suites where it is being fixed
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 82aa4c1f by Roberto C. Sánchez at 2020-11-22T21:52:59-05:00 LTS: remove postponed from CVE-2020-10704 in suites where it is being fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -46244,8 +46244,6 @@ CVE-2020-10705 (A flaw was discovered in Undertow in versions before Undertow 2. CVE-2020-10704 (A flaw was found when using samba as an Active Directory Domain Contro ...) - samba 2:4.12.3+dfsg-2 (bug #960188) [buster] - samba (Can be fixed along in future DSA) - [stretch] - samba (Can be fixed along in future DSA) - [jessie] - samba (Minor issue and the patch is very invisible, eg. http://paste.debian.net/plain/1143919 is not even complete) NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14334 NOTE: https://www.samba.org/samba/security/CVE-2020-10704.html CVE-2020-10703 (A NULL pointer dereference was found in the libvirt API responsible in ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/82aa4c1ff3a2aadc35117ce34267f564575b3e47 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/82aa4c1ff3a2aadc35117ce34267f564575b3e47 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
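Review bot: the commit message limits the change to suites where the issue is being fixed, yet the hunk also drops the "[jessie] - samba (Minor issue and the patch is very invisible, ...)" line; the DLA-2463-1 entry reserved in the commit just below this one covers stretch only (samba 2:4.5.16+dfsg-1+deb9u3), so unless a jessie update is also planned the jessie annotation should stay, otherwise the CVE reverts to plain open for jessie and the earlier rationale (including the paste.debian.net pointer) is lost.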
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2463-1 for samba
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 4324b24b by Roberto C. Sánchez at 2020-11-22T21:51:02-05:00 Reserve DLA-2463-1 for samba - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[22 Nov 2020] DLA-2463-1 samba - security update + {CVE-2020-1472 CVE-2020-10704 CVE-2020-10730 CVE-2020-10745 CVE-2020-10760 CVE-2020-14303 CVE-2020-14318 CVE-2020-14323 CVE-2020-14383} + [stretch] - samba 2:4.5.16+dfsg-1+deb9u3 [23 Nov 2020] DLA-2462-1 cimg - security update {CVE-2020-25693} [stretch] - cimg 1.7.9+dfsg-1+deb9u2 = data/dla-needed.txt = 
@@ -154,15 +154,6 @@ ruby-oauth -- salt (Abhijith PA) -- -samba (Roberto C. Sánchez) - NOTE: 20200703: Check with security team so that there's no clash for Stretch update. (utkarsh) - NOTE: 20200801: Stretch update already released, so no conflict. (roberto) - NOTE: 20200801: Patches for CVE-2020-14303, CVE-2020-10760, CVE-2020-10745, and CVE-2020-10740, are ready. (roberto) - NOTE: 20200801: Best to wait for additional CVEs before uploading; check with Roberto for patches. (roberto) - NOTE: 20200830: Will remove this entry and mark all current CVEs as postponed. But first I need to know were the patches are (ola). - NOTE: 20200903: As discussed internally, I will look into Samba AD CVEs and revisit the risk assessment, plus fix the more severe issues (sunweaver) - NOTE: 20201116: Still working to integrate zerologon fix. (roberto) --- shiro NOTE: 20200920: WIP NOTE: 20200928: Still awaiting reponse to request for assistance sent to upstream dev list. (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4324b24be6467fac302d1dfd3588bc34c136b991 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4324b24be6467fac302d1dfd3588bc34c136b991 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
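Review bot: the removed NOTE of 20200801 says patches were ready for CVE-2020-14303, CVE-2020-10760, CVE-2020-10745 and CVE-2020-10740, but CVE-2020-10740 is not in the DLA-2463-1 CVE set while CVE-2020-10730, which no NOTE mentions, is; confirm whether 10740 was a typo for 10730 or an issue that was deliberately dropped, and if it was dropped, set its stretch state in data/CVE/list before this entry is deleted, since these NOTE lines are the last place that history survives.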
[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-19667/imagemagick as postponed for stretch
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 7b15046b by Roberto C. Sánchez at 2020-11-22T20:46:33-05:00 Mark CVE-2020-19667/imagemagick as postponed for stretch After consulting with Emilio (who performed the ELTS triage for jessie), it is clear that this issue can wait to be fixed along with future issues in order to prevent proliferation of small updates. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -22956,6 +22956,7 @@ CVE-2020-19668 (Unverified indexs into the array lead to out of bound access in NOTE: https://github.com/saitoha/libsixel/issues/136 CVE-2020-19667 (Stack-based buffer overflow and unconditional jump in ReadXPMImage in ...) - imagemagick 8:6.9.11.24+dfsg-1 + [stretch] - imagemagick (Minor issue, can be fixed with later issues) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1895 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/26538669546730c5b2dc36e7d48850f1f6928f94 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/5462fd4725018567764c8f66bed98b7ee3e23006 = data/dla-needed.txt = @@ -54,8 +54,6 @@ golang-github-dgrijalva-jwt-go -- golang-golang-x-net-dev -- -imagemagick (Roberto C. Sánchez) --- influxdb -- intel-microcode View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7b15046b2b9022aaa8dec7208629bc8ab49cc9c0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7b15046b2b9022aaa8dec7208629bc8ab49cc9c0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
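Review bot: the added "[stretch] - imagemagick (Minor issue, can be fixed with later issues)" line shows no postponed state keyword ahead of the parenthetical even though the commit message calls this postponed; check the committed line, because without the keyword the entry marks nothing. The rationale in the commit message (agreed with Emilio during the jessie ELTS triage, to avoid a proliferation of small updates) is worth carrying into the parenthetical, since commit messages are not visible from the tracker pages where the next triager will look.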
[Git][security-tracker-team/security-tracker][master] LTS: triage, add libsixel and mutt to dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: b0e44c6b by Roberto C. Sánchez at 2020-11-22T17:23:47-05:00 LTS: triage, add libsixel and mutt to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -73,6 +73,8 @@ lemonldap-ng (Utkarsh) libhibernate3-java NOTE: 20201115: No patch yet; unsure if version in LTS is vulnerable. (lamby) -- +libsixel +-- libxstream-java (Markus Koschany) -- linux (Ben Hutchings) @@ -90,6 +92,8 @@ mumble -- musl (Utkarsh) -- +mutt +-- open-build-service (Utkarsh) NOTE: 20201001: upstream is yet to work on CVE-2020-8021. Pinged them. NOTE: 20201001: cf: https://bugzilla.suse.com/show_bug.cgi?id=1171649 (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b0e44c6bcbcc5c886e28e1c3b8b10f54babac0fe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b0e44c6bcbcc5c886e28e1c3b8b10f54babac0fe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
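Review bot: libsixel and mutt are added with no claimant and no NOTE naming the triggering CVE. For libsixel the data/CVE/list context in the imagemagick commit just above shows CVE-2020-19668 ("Unverified indexs into the array lead to out of bound access ...", upstream issue 136); record that id here and do the same for mutt, so the next person does not have to rediscover why the package is listed and which issue the update is expected to cover.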
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: Ensure ~/.cache exists before writing out tracker data cache
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 04703997 by Roberto C. Sánchez at 2020-11-21T09:10:24-05:00 LTS: Ensure ~/.cache exists before writing out tracker data cache If ~/.cache does not already exist, then this happens: $ ./bin/lts-cve-triage.py Updating ~/.cache/debian_security_tracker.json from https://security-tracker.debian.org/tracker/data/json ... Traceback (most recent call last): File ./bin/lts-cve-triage.py, line 94, in module tracker = TrackerData(update_cache=not args.skip_cache_update) File /home/roberto/src/freexian/security-tracker.git/bin/tracker_data.py, line 40, in __init__ self.update_cache() File /home/roberto/src/freexian/security-tracker.git/bin/tracker_data.py, line 77, in update_cache with open(self.cached_data_path, w) as cache_file: FileNotFoundError: [Errno 2] No such file or directory: /home/roberto/.cache/debian_security_tracker.json - - - - - 991d4223 by Roberto C. Sánchez at 2020-11-21T09:14:02-05:00 LTS: triage, add xdg-utils and imagemagick to dla-needed.txt - - - - - 2 changed files: - bin/tracker_data.py - data/dla-needed.txt Changes: = bin/tracker_data.py = @@ -25,6 +25,7 @@ import six class TrackerData(object): DATA_URL = "https://security-tracker.debian.org/tracker/data/json; GIT_URL = "https://salsa.debian.org/security-tracker-team/security-tracker.git; +CACHED_DATA_DIR = "~/.cache" CACHED_DATA_PATH = "~/.cache/debian_security_tracker.json" CACHED_REVISION_PATH = "~/.cache/debian_security_tracker.rev" GET_REVISION_COMMAND = \ @@ -33,6 +34,7 @@ class TrackerData(object): def __init__(self, update_cache=True): self._latest_revision = None +self.cached_data_dir = os.path.expanduser(self.CACHED_DATA_DIR) self.cached_data_path = os.path.expanduser(self.CACHED_DATA_PATH) self.cached_revision_path = os.path.expanduser( self.CACHED_REVISION_PATH) 
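Review bot: CACHED_DATA_DIR = "~/.cache" repeats the prefix already hard-coded in CACHED_DATA_PATH and CACHED_REVISION_PATH, so the three constants can drift apart; keep only the directory constant and build the two file paths from it in __init__, e.g. self.cached_data_path = os.path.join(self.cached_data_dir, "debian_security_tracker.json"). Honouring XDG_CACHE_HOME when it is set would also be cheap at this point and makes the ~/.cache assumption explicit instead of fixed.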
@@ -74,6 +76,9 @@ class TrackerData(object): self.DATA_URL)) response = requests.get(self.DATA_URL, allow_redirects=True) response.raise_for_status() +# if ~/.cache does not exist, then open() will fail; dec 448 -> octal 0700 +if not os.path.exists(self.cached_data_dir): +os.mkdir(self.cached_data_dir, mode=448) with open(self.cached_data_path, 'w') as cache_file: cache_file.write(response.text) with open(self.cached_revision_path, 'w') as rev_file: = data/dla-needed.txt = @@ -64,6 +64,8 @@ golang-github-dgrijalva-jwt-go -- golang-golang-x-net-dev -- +imagemagick (Roberto C. Sánchez) +-- influxdb -- intel-microcode (Utkarsh) @@ -200,6 +202,8 @@ xcftools NOTE: 20200523: Proposed fix https://github.com/j-jorge/xcftools/pull/15 (gladk) NOTE: 20200605: Patch https://salsa.debian.org/lts-team/packages/xcftools/-/blob/fix/test-CVE-2019-5087/debian/patches/CVE-2019-5087.patch (gladk) -- +xdg-utils +-- zabbix (Sylvain Beucler) -- zsh (Markus Koschany) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d8ea8764ff0293c041e40f71bd430094582dc6b3...991d422320baca990ed6aa912b6b8e104ab71687 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d8ea8764ff0293c041e40f71bd430094582dc6b3...991d422320baca990ed6aa912b6b8e104ab71687 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
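Review bot: "if not os.path.exists(self.cached_data_dir): os.mkdir(self.cached_data_dir, mode=448)" is a check-then-act pair: a directory created between the two calls raises, and a symlink or a directory owned by another user at that path passes the check unchanged. Prefer try: os.mkdir(...) / except OSError and ignore errno.EEXIST, write the mode as 0o700 rather than 448 with a comment (valid on both Python 2.6+ and 3, which the six import suggests is the target), and since the next lines open the JSON and revision files with "w" in that directory, verify it is a real directory owned by the current user before writing; otherwise a planted ~/.cache lets another local account hand lts-cve-triage.py a substituted tracker dump.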
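The failure described in the commit message above (the tracker JSON cannot be written because ~/.cache does not exist yet) is a good place to show how a cache directory should be created when its contents feed a triage tool. The following is an added example written for this page, not code from the security-tracker repository; the subdirectory name debian_security_tracker, the file name tracker.json and the demo functions are assumptions for illustration only. It creates the directory with mode 0700 without a check-then-act race, refuses a planted symlink or a directory owned by someone else, and replaces the cache file atomically from a 0600 temporary file.

```python
"""Added example, not the security-tracker's own code: a hardened version of the
"make sure ~/.cache exists before writing the tracker JSON" step. The subdirectory
name and file name are illustrative assumptions."""
import errno
import os
import shutil
import stat
import tempfile

CACHE_SUBDIR = "debian_security_tracker"   # hypothetical subdirectory name


def cache_base(env=None):
    """Resolve the user cache root the XDG way: $XDG_CACHE_HOME when set to an
    absolute path, otherwise ~/.cache (relative XDG values are ignored, per spec)."""
    env = os.environ if env is None else env
    xdg = env.get("XDG_CACHE_HOME", "")
    if xdg and os.path.isabs(xdg):
        return xdg
    home = env.get("HOME") or os.path.expanduser("~")
    return os.path.join(home, ".cache")


def ensure_private_dir(path):
    """Create path (parents included) with mode 0700 if missing, then verify it is
    a real directory owned by the caller before anything is written into it.
    try/except instead of exists()+mkdir() avoids a race with a concurrent creator
    and makes a planted symlink or foreign directory fail closed."""
    try:
        os.makedirs(path, 0o700)          # mode applies to the leaf directory
    except OSError as e:
        if e.errno != errno.EEXIST:
            raise
    st = os.lstat(path)                   # lstat: never follow a symlink here
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        raise RuntimeError("%s is a symlink or not a directory" % path)
    if st.st_uid != os.getuid():
        raise RuntimeError("%s is owned by uid %d, not by us" % (path, st.st_uid))
    if stat.S_IMODE(st.st_mode) != 0o700:
        os.chmod(path, 0o700)             # normalise a pre-existing loose directory
    return path


def write_atomically(directory, name, text):
    """Write text to directory/name via a 0600 temp file, fsync and rename, so a
    reader never sees a half-written cache and a crash leaves the old file intact."""
    fd, tmp = tempfile.mkstemp(prefix=name + ".", dir=directory)  # mkstemp => 0600
    try:
        with os.fdopen(fd, "w") as f:
            f.write(text)
            f.flush()
            os.fsync(f.fileno())
        final = os.path.join(directory, name)
        os.rename(tmp, final)             # atomic replace on POSIX
        return final
    except BaseException:
        os.unlink(tmp)
        raise


def demo(base_dir):
    """Exercise the helpers under base_dir and return facts a caller can check."""
    cache = ensure_private_dir(os.path.join(base_dir, CACHE_SUBDIR))
    path = write_atomically(cache, "tracker.json", '{"cves": {}}')
    with open(path) as f:
        content = f.read()
    # A symlink planted where the cache dir should be must be refused, not followed.
    link = os.path.join(base_dir, CACHE_SUBDIR + "-link")
    os.symlink(base_dir, link)
    try:
        ensure_private_dir(link)
        symlink_refused = False
    except RuntimeError:
        symlink_refused = True
    return {
        "dir_mode": stat.S_IMODE(os.lstat(cache).st_mode),
        "file_mode": stat.S_IMODE(os.lstat(path).st_mode),
        "content": content,
        "symlink_refused": symlink_refused,
    }


def demo_in_tmpdir():
    """Run demo() in a throwaway directory so the example has no side effects."""
    base = tempfile.mkdtemp()
    try:
        return demo(base)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo_in_tmpdir())
```

Run directly, it prints the directory and file modes, the content read back and whether the planted symlink was refused, all inside a temporary directory that is removed afterwards. In a real script the sequence is cache_base() once, ensure_private_dir() on the chosen subdirectory, then write_atomically() for each file; the ownership and symlink checks are what make a pre-existing ~/.cache safe to reuse rather than merely present.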
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2379-3 for mediawiki
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: e8d8f3de by Roberto C. Sánchez at 2020-11-21T00:13:57-05:00 Reserve DLA-2379-3 for mediawiki - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[21 Nov 2020] DLA-2379-3 mediawiki - regression update + [stretch] - mediawiki 1:1.27.7-1~deb9u6 [19 Nov 2020] DLA-2458-1 drupal7 - security update {CVE-2020-13666 CVE-2020-13671} [stretch] - drupal7 7.52-2+deb9u12 = data/dla-needed.txt = @@ -87,9 +87,6 @@ linux-4.19 (Ben Hutchings) -- mariadb-10.1 -- -mediawiki (Roberto C. Sánchez) - NOTE: 20201118: Regression reported in patch for CVE-2020-25827. (roberto) --- mumble NOTE: 20200325: Regression in last upload, forgot to follow up. NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8d8f3de166e6fc075bfe1fc669f2815b4fee16e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8d8f3de166e6fc075bfe1fc669f2815b4fee16e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 4 commits: LTS: remove no-dsa from CVE-2020-26217, as it will be investigated and fixed
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 1cf942cc by Roberto C. Sánchez at 2020-11-20T23:39:57-05:00 LTS: remove no-dsa from CVE-2020-26217, as it will be investigated and fixed - - - - - 7d9763dc by Roberto C. Sánchez at 2020-11-20T23:50:43-05:00 LTS: add musl to dla-needed.txt - - - - - 073fa9d5 by Roberto C. Sánchez at 2020-11-20T23:53:44-05:00 LTS: add pdfresurrect to dla-needed.txt - - - - - afefb10b by Roberto C. Sánchez at 2020-11-20T23:55:51-05:00 LTS: add vips to dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -9188,7 +9188,6 @@ CVE-2020-26218 (touchbase.ai before version 2.0 is vulnerable to Cross-Site Scri NOT-FOR-US: touchbase.ai CVE-2020-26217 (XStream before version 1.4.14 is vulnerable to Remote Code Execution.T ...) - libxstream-java 1.4.14-1 - [stretch] - libxstream-java (Minor issue) NOTE: https://x-stream.github.io/CVE-2020-26217.html NOTE: https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2 NOTE: https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a = data/dla-needed.txt = @@ -97,6 +97,8 @@ mumble NOTE: 20200504: discussion going on with t...@security.debian.org and mumble maintainer (abhijith) NOTE: 20200723: https://lists.debian.org/debian-lts/2020/05/msg8.html (abhijith) -- +musl +-- open-build-service (Utkarsh) NOTE: 20201001: upstream is yet to work on CVE-2020-8021. Pinged them. NOTE: 20201001: cf: https://bugzilla.suse.com/show_bug.cgi?id=1171649 (utkarsh) @@ -110,6 +112,8 @@ openldap (Utkarsh) pacemaker (Markus Koschany) NOTE: 20201117: See #974563 for further information. -- +pdfresurrect +-- php-horde-trean NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in https://bugs.horde.org/ticket/14926 (sunweaver) NOTE: 20200829: We may not expect too much activity regarding this by upstream. (sunweaver) 
@@ -180,6 +184,8 @@ spice-vdagent (Abhijith PA) -- thunderbird (Emilio) -- +vips +-- webcit (Markus Koschany) -- wireshark (Adrian Bunk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e83c314a4774e57bb450d77d83ba5de4bf1e9ea6...afefb10b4518439e14eb46cc9640e0da1827a5dd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e83c314a4774e57bb450d77d83ba5de4bf1e9ea6...afefb10b4518439e14eb46cc9640e0da1827a5dd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
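Review bot: The data/CVE/list hunk drops the `[stretch] - libxstream-java (Minor issue)` line on the strength of "it will be investigated and fixed", but none of the three data/dla-needed.txt hunks in this push adds libxstream-java, so stretch is left with neither a no-dsa marker nor a tracked work item for CVE-2020-26217; add a `libxstream-java` entry to dla-needed.txt in the same push (with a dated NOTE pointing at the upstream advisory already listed under the CVE) so the stated intent survives. The new `musl`, `pdfresurrect` and `vips` entries would likewise benefit from a NOTE naming the CVE(s) that put them on the list, as the neighbouring entries do.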
[Git][security-tracker-team/security-tracker][master] 3 commits: LTS: add influxdb to dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 9c40b39b by Roberto C. Sánchez at 2020-11-19T21:41:19-05:00 LTS: add influxdb to dla-needed.txt - - - - - 22b8bb16 by Roberto C. Sánchez at 2020-11-19T21:51:14-05:00 LTS: add jupyter-notebook to dla-needed.txt - - - - - 2721aad3 by Roberto C. Sánchez at 2020-11-19T21:53:26-05:00 LTS: add php-pear to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -64,10 +64,14 @@ golang-github-dgrijalva-jwt-go -- golang-golang-x-net-dev -- +influxdb +-- intel-microcode (Utkarsh) NOTE: 20201117: hold off the update until it's settled in unstable, at least. NOTE: 20201117: each round of updates had caused regressions. Thanks Moritz! (utkarsh) -- +jupyter-notebook +-- lemonldap-ng (Utkarsh) NOTE: 20200910: Released a DLA for CVE-2020-24660 a few days ago, so could defer. (lamby) -- @@ -109,6 +113,8 @@ php-horde-trean NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in https://bugs.horde.org/ticket/14926 (sunweaver) NOTE: 20200829: We may not expect too much activity regarding this by upstream. (sunweaver) -- +php-pear +-- pluxml NOTE: 20201011: issue is still open upstream. Also low priority for us (abhijith) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b25005428b88407679100b8d4fc5a65b3829d5a8...2721aad34b88d8f254e0a229d4e8a5d66dfd6f05 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b25005428b88407679100b8d4fc5a65b3829d5a8...2721aad34b88d8f254e0a229d4e8a5d66dfd6f05 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: add drupal7 to dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: dcf7a540 by Roberto C. Sánchez at 2020-11-18T23:01:02-05:00 LTS: add drupal7 to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -46,6 +46,9 @@ condor NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o (roberto) NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto) -- +drupal7 + NOTE: 20201119: Upstream advisory for CVE-2020-13666 mentions potential for jQuery regression; may need to include a related note in the DLA. (roberto) +-- f2fs-tools NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 and 1.13.0, but it is not trivial to NOTE: 20200815: to detect which of the patches correlates to the CVE. Contacting upstream might be necessary. (sunweaver) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dcf7a540f2b7b7b86b9651779c0f0263ac15a494 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dcf7a540f2b7b7b86b9651779c0f0263ac15a494 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: triage CVE-2020-7774 as no-dsa for stretch
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: cbe68f5e by Roberto C. Sánchez at 2020-11-18T22:55:37-05:00 LTS: triage CVE-2020-7774 as no-dsa for stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -53357,6 +53357,7 @@ CVE-2020-7775 CVE-2020-7774 (This affects the package y18n before 5.0.5. PoC by po6ix: const y18n = ...) - node-y18n [buster] - node-y18n (Minor issue) + [stretch] - node-y18n (Minor issue) NOTE: https://snyk.io/vuln/SNYK-JS-Y18N-1021887 NOTE: https://github.com/yargs/y18n/issues/96 NOTE: https://github.com/yargs/y18n/pull/108 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cbe68f5e7420258889bde1f120f1eb9b4a7fd42b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cbe68f5e7420258889bde1f120f1eb9b4a7fd42b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: remove postponed tag from fixed CVE
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 14659c6d by Roberto C. Sánchez at 2020-11-18T22:26:15-05:00 LTS: remove postponed tag from fixed CVE - - - - - 29fe9f4f by Roberto C. Sánchez at 2020-11-18T22:28:09-05:00 Reserve DLA-2456-1 for python3.5 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -31256,7 +31256,6 @@ CVE-2019-20907 (In Lib/tarfile.py in Python through 3.8.3, an attacker is able t - python3.7 (low) [buster] - python3.7 3.7.3-2+deb10u2 - python3.5 (low) - [stretch] - python3.5 (Minor issue, can be fixed in next DLA) - python2.7 (low; bug #970099) [buster] - python2.7 (Minor issue) [stretch] - python2.7 (Minor issue, can be fixed in next DLA) = data/DLA/list = @@ -1,3 +1,6 @@ +[18 Nov 2020] DLA-2456-1 python3.5 - security update + {CVE-2019-20907 CVE-2020-26116} + [stretch] - python3.5 3.5.3-1+deb9u3 [19 Nov 2020] DLA-2455-1 packer - security update {CVE-2020-9283} [stretch] - packer 0.10.2+dfsg-6+deb9u1 = data/dla-needed.txt = @@ -112,8 +112,6 @@ php-horde-trean pluxml NOTE: 20201011: issue is still open upstream. Also low priority for us (abhijith) -- -python3.5 (Roberto C. Sánchez) --- qemu (Thorsten Alteholz) -- raptor2 (Utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/54d687021507e40b22726f8bb423bd07f9231918...29fe9f4f0b5eb7ba13a275e532ae9f7600a66aa4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/54d687021507e40b22726f8bb423bd07f9231918...29fe9f4f0b5eb7ba13a275e532ae9f7600a66aa4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
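Review bot: In the data/DLA/list hunk the new entry is dated `[18 Nov 2020] DLA-2456-1` yet it is inserted above `[19 Nov 2020] DLA-2455-1`; the file is newest-first and the commit timestamp 2020-11-18T22:28:09-05:00 is already 19 Nov in UTC, so the date looks a day behind its neighbour and should probably read 19 Nov 2020. In the data/CVE/list hunk, removing only the python3.5 `(Minor issue, can be fixed in next DLA)` line while leaving the python2.7 one is consistent with the DLA covering python3.5 alone, but DLA-2456-1 also lists CVE-2020-26116, which this hunk does not touch; check that the python3.5 stretch line under that CVE gets the matching update.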
[Git][security-tracker-team/security-tracker][master] LTS: add/take mediawiki in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: d2a97a67 by Roberto C. Sánchez at 2020-11-18T09:25:37-05:00 LTS: add/take mediawiki in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -82,6 +82,9 @@ linux-4.19 (Ben Hutchings) -- mariadb-10.1 -- +mediawiki (Roberto C. Sánchez) + NOTE: 20201118: Regression reported in patch for CVE-2020-25827. (roberto) +-- mumble NOTE: 20200325: Regression in last upload, forgot to follow up. NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2a97a67b3ab4dcd3c6dd46e5c06f359e199f064 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2a97a67b3ab4dcd3c6dd46e5c06f359e199f064 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: mark CVE-2020-26217 as no-dsa for stretch
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 655fcae9 by Roberto C. Sánchez at 2020-11-18T00:19:53-05:00 LTS: mark CVE-2020-26217 as no-dsa for stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9008,6 +9008,7 @@ CVE-2020-26218 (touchbase.ai before version 2.0 is vulnerable to Cross-Site Scri NOT-FOR-US: touchbase.ai CVE-2020-26217 (XStream before version 1.4.14 is vulnerable to Remote Code Execution.T ...) - libxstream-java + [stretch] - libxstream-java (Minor issue) NOTE: https://x-stream.github.io/CVE-2020-26217.html NOTE: https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2 NOTE: https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/655fcae98bc3ff8fc797c7fc1d2ce4b9f0417ad5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/655fcae98bc3ff8fc797c7fc1d2ce4b9f0417ad5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
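Review bot: The new `[stretch] - libxstream-java (Minor issue)` line marks as a minor, no-DSA issue a CVE whose own description line in this hunk reads "XStream before version 1.4.14 is vulnerable to Remote Code Execution"; a no-dsa on an RCE should carry the actual reasoning (for instance which deserialization path is not reachable in the stretch build, or which of the linked upstream notes justifies the downgrade) rather than the bare "Minor issue", so that a later triager can verify or revisit it.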
[Git][security-tracker-team/security-tracker][master] mark CVE-2020-8277 as end-of-life for Stretch
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: a7833283 by Roberto C. Sánchez at 2020-11-16T21:39:11-05:00 mark CVE-2020-8277 as end-of-life for Stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -51719,7 +51719,7 @@ CVE-2020-8278 CVE-2020-8277 [Denial of Service through DNS request] RESERVED - nodejs - [stretch] - nodejs (Nodejs in stretch not covered by security support) + [stretch] - nodejs (Nodejs in stretch not covered by security support) NOTE: https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/#denial-of-service-through-dns-request-cve-2020-8277 CVE-2020-8276 (The implementation of Brave Desktop's privacy-preserving analytics sys ...) NOT-FOR-US: Brave View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7833283a812840784c7a3639c160f7a6365ae59 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7833283a812840784c7a3639c160f7a6365ae59 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
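Review bot: The `-` and `+` lines for `[stretch] - nodejs (Nodejs in stretch not covered by security support)` are textually identical as rendered here, so the diff shows no content change; if what actually changed is the status tag the subject names (end-of-life) and that tag does not survive this rendering, or if the change is whitespace only, the commit message should say so, because as written it repeats the message of the preceding commit 8424ac5c word for word and gives no hint why a second commit was needed.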
[Git][security-tracker-team/security-tracker][master] mark CVE-2020-8277 as end-of-life for Stretch
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 8424ac5c by Roberto C. Sánchez at 2020-11-16T21:29:17-05:00 mark CVE-2020-8277 as end-of-life for Stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -51719,7 +51719,7 @@ CVE-2020-8278 CVE-2020-8277 [Denial of Service through DNS request] RESERVED - nodejs - [stretch] - nodejs (https://lists.debian.org/debian-lts/2020/02/msg00045.html and https://bugs.debian.org/931376) + [stretch] - nodejs (Nodejs in stretch not covered by security support) NOTE: https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/#denial-of-service-through-dns-request-cve-2020-8277 CVE-2020-8276 (The implementation of Brave Desktop's privacy-preserving analytics sys ...) NOT-FOR-US: Brave View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8424ac5c4eee94f3efeba21bf6ab845b895c0d4e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8424ac5c4eee94f3efeba21bf6ab845b895c0d4e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
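Review bot: Replacing the two bare URLs with `(Nodejs in stretch not covered by security support)` states the reason in words, which is the right form for the marker, but the removed links (the debian-lts thread and https://bugs.debian.org/931376) are the evidence for that decision and are now gone from the entry; keep them as NOTE lines under the CVE, next to the existing `NOTE: https://nodejs.org/...` line, so the next triager can find where the support status was decided.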
[Git][security-tracker-team/security-tracker][master] 3 commits: mark CVE-2020-8277 as no-dsa for Stretch
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 9d2aa0c5 by Roberto C. Sánchez at 2020-11-16T21:18:13-05:00 mark CVE-2020-8277 as no-dsa for Stretch - - - - - abeff85a by Roberto C. Sánchez at 2020-11-16T21:25:11-05:00 LTS: add raptor2 to dla-needed.txt - - - - - eda8efbe by Roberto C. Sánchez at 2020-11-16T21:26:42-05:00 LTS: add intel-microcode to dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -51719,6 +51719,7 @@ CVE-2020-8278 CVE-2020-8277 [Denial of Service through DNS request] RESERVED - nodejs + [stretch] - nodejs (https://lists.debian.org/debian-lts/2020/02/msg00045.html and https://bugs.debian.org/931376) NOTE: https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/#denial-of-service-through-dns-request-cve-2020-8277 CVE-2020-8276 (The implementation of Brave Desktop's privacy-preserving analytics sys ...) NOT-FOR-US: Brave = data/dla-needed.txt = @@ -64,6 +64,8 @@ golang-github-dgrijalva-jwt-go -- golang-golang-x-net-dev -- +intel-microcode +-- lemonldap-ng (Utkarsh) NOTE: 20200910: Released a DLA for CVE-2020-24660 a few days ago, so could defer. (lamby) -- 
@@ -108,6 +110,8 @@ python3.5 (Roberto C. Sánchez) -- qemu (Thorsten Alteholz) -- +raptor2 +-- rclone (Brian May) NOTE: Needs rebuild for CVE-2019-11840 in golang-go.crypto. NOTE: Problems with upload, see https://bugs.debian.org/974877 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/75616460b1c53245487c4ac2497a534aa7225658...eda8efbe957087f7c9a63a3328a6c352b5d8a761 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/75616460b1c53245487c4ac2497a534aa7225658...eda8efbe957087f7c9a63a3328a6c352b5d8a761 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
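Review bot: In the data/CVE/list hunk the new `[stretch] - nodejs (...)` marker gives two URLs as its entire reason; the parenthetical should say in words why no DLA will be issued, with the links moved to NOTE lines under the entry as the existing `NOTE: https://nodejs.org/...` line already does. The `intel-microcode` and `raptor2` additions to data/dla-needed.txt carry no NOTE at all; a dated line naming the CVEs that put each package on the list would help whoever claims them.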
[Git][security-tracker-team/security-tracker][master] LTS: update samba status in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: a3cc29ac by Roberto C. Sánchez at 2020-11-15T20:20:51-05:00 LTS: update samba status in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -141,6 +141,7 @@ samba (Roberto C. Sánchez) NOTE: 20200801: Best to wait for additional CVEs before uploading; check with Roberto for patches. (roberto) NOTE: 20200830: Will remove this entry and mark all current CVEs as postponed. But first I need to know were the patches are (ola). NOTE: 20200903: As discussed internally, I will look into Samba AD CVEs and revisit the risk assessment, plus fix the more severe issues (sunweaver) + NOTE: 20201116: Still working to integrate zerologon fix. (roberto) -- shiro NOTE: 20200920: WIP View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a3cc29aca3939d53a212f06da4efd7007e08394f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a3cc29aca3939d53a212f06da4efd7007e08394f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
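Review bot: The added NOTE refers to the "zerologon fix" by nickname only; put the CVE identifier next to it so the entry can be matched against data/CVE/list and against the CVE list already given in the earlier NOTE lines of the same samba entry.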
[Git][security-tracker-team/security-tracker][master] LTS: claim python3.5 in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 05b11d60 by Roberto C. Sánchez at 2020-11-14T15:32:42-05:00 LTS: claim python3.5 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -94,7 +94,7 @@ php-horde-trean pluxml NOTE: 20201011: issue is still open upstream. Also low priority for us (abhijith) -- -python3.5 +python3.5 (Roberto C. Sánchez) -- qemu (Thorsten Alteholz) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/05b11d60ed0cc8e933afddc48342dab401d3aeba -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/05b11d60ed0cc8e933afddc48342dab401d3aeba You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: update brotli status in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 65f10393 by Roberto C. Sánchez at 2020-11-14T15:25:37-05:00 LTS: update brotli status in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -23,6 +23,7 @@ ansible (Markus Koschany) -- brotli (Roberto C. Sánchez) NOTE: 20201025: Requested patch review on debian-lts@l.d.o (roberto) + NOTE: 20201114: Requested assistance from original patch author. (roberto) -- ceph NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/65f103934a2f65a628932b260985c7e46830f770 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/65f103934a2f65a628932b260985c7e46830f770 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2448-1 for firefox-esr
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 207041d2 by Roberto C. Sánchez at 2020-11-11T20:52:44-05:00 Reserve DLA-2448-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[11 Nov 2020] DLA-2448-1 firefox-esr - security update + {CVE-2020-26950} + [stretch] - firefox-esr 78.4.1esr-1~deb9u1 [11 Nov 2020] DLA-2447-1 pacemaker - security update {CVE-2020-25654} [stretch] - pacemaker 1.1.16-1+deb9u1 = data/dla-needed.txt = @@ -46,8 +46,6 @@ f2fs-tools NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 and 1.13.0, but it is not trivial to NOTE: 20200815: to detect which of the patches correlates to the CVE. Contacting upstream might be necessary. (sunweaver) -- -firefox-esr (Roberto C. Sánchez) --- freerdp (Abhijith PA) -- golang-1.7 (Thorsten Alteholz) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/207041d222c9fdc7db331e7d940c41692de16c1d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/207041d222c9fdc7db331e7d940c41692de16c1d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: claim firefox-esr
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: ed5ff2c0 by Roberto C. Sánchez at 2020-11-09T17:23:10-05:00 LTS: claim firefox-esr - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -46,7 +46,7 @@ f2fs-tools NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 and 1.13.0, but it is not trivial to NOTE: 20200815: to detect which of the patches correlates to the CVE. Contacting upstream might be necessary. (sunweaver) -- -firefox-esr +firefox-esr (Roberto C. Sánchez) -- fossil NOTE: 20200903: looked into CVE-2020-24614: the fix for this CVE partially applies, but does not apply around a View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ed5ff2c0c25ec9bd15220ef63aa1129229e34199 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ed5ff2c0c25ec9bd15220ef63aa1129229e34199 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: reclaim brotli
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: da5b4f8e by Roberto C. Sánchez at 2020-11-09T07:33:38-05:00 LTS: reclaim brotli - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -21,7 +21,7 @@ ansible NOTE: 20200508: bam: Upstream fix was reverted - https://github.com/ansible/ansible/pull/68983 NOTE: 20200508: bam: See https://github.com/ansible/ansible/issues/67794 -- -brotli +brotli (Roberto C. Sánchez) NOTE: 20201025: Requested patch review on debian-lts@l.d.o (roberto) -- ceph View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da5b4f8eb7687c53121a7fb0b257f8279d689fd1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da5b4f8eb7687c53121a7fb0b257f8279d689fd1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: take samba in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: e564d277 by Roberto C. Sánchez at 2020-10-31T16:51:42-04:00 LTS: take samba in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -159,7 +159,7 @@ ruby-kaminari -- ruby-oauth -- -samba +samba (Roberto C. Sánchez) NOTE: 20200703: Check with security team so that there's no clash for Stretch update. (utkarsh) NOTE: 20200801: Stretch update already released, so no conflict. (roberto) NOTE: 20200801: Patches for CVE-2020-14303, CVE-2020-10760, CVE-2020-10745, and CVE-2020-10740, are ready. (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e564d2770be9fcacf12052ad8f104dcf4e974d9e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e564d2770be9fcacf12052ad8f104dcf4e974d9e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: take Nov/Dec front desk weeks Mike had to vacate
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: cd006715 by Roberto C. Sánchez at 2020-10-30T16:59:15-04:00 LTS: take Nov/Dec front desk weeks Mike had to vacate - - - - - 1 changed file: - org/lts-frontdesk.2020.txt Changes: = org/lts-frontdesk.2020.txt = @@ -56,10 +56,10 @@ From 19-10 to 25-10:Thorsten Alteholz From 26-10 to 01-11:Utkarsh Gupta From 02-11 to 08-11:Chris Lamb From 09-11 to 15-11:Thorsten Alteholz -From 16-11 to 22-11: +From 16-11 to 22-11:Roberto C. Sánchez From 23-11 to 29-11:Abhijith PA From 30-11 to 06-12:Thorsten Alteholz From 07-12 to 13-12:Chris Lamb -From 14-12 to 20-12: +From 14-12 to 20-12:Roberto C. Sánchez From 21-12 to 27-12:Utkarsh Gupta From 28-12 to 03-01: View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd006715183a3f49de4d3072985da6eda74c9258 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd006715183a3f49de4d3072985da6eda74c9258 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: update brotli status
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: a4135efe by Roberto C. Sánchez at 2020-10-25T14:06:06-04:00 LTS: update brotli status - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -29,6 +29,7 @@ ark NOTE: 20200921: CLI works but GUI not, It seems the fix is not compatible with the old architecture (abhijith) -- brotli (Roberto C. Sánchez) + NOTE: 20201025: Requested patch review on debian-lts@l.d.o (roberto) -- cacti NOTE: 20200529: A patch need to be cooked up. Upstream patch not fit for jessie version (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a4135efe2498de0da34d4628a4615180b897a921 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a4135efe2498de0da34d4628a4615180b897a921 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: update shiro status
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 73df766c by Roberto C. Sánchez at 2020-10-19T08:04:14-04:00 LTS: update shiro status - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -182,6 +182,7 @@ samba shiro NOTE: 20200920: WIP NOTE: 20200928: Still awaiting reponse to request for assistance sent to upstream dev list. (roberto) + NOTE: 20201004: Sent additional request to upstream dev list; stil no response. (roberto) -- slirp NOTE: Upstream patch for CVE-2020-8608 requires patches for View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/73df766c978169e5a752869fb05a81f93ffa9dea -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/73df766c978169e5a752869fb05a81f93ffa9dea You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
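Review bot: Typo in the added NOTE line: "stil" should be "still" (the preceding context line also has "reponse" for "response"; worth fixing in the same edit since the file is hand-read).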
[Git][security-tracker-team/security-tracker][master] LTS: claim brotli
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: a46ff00c by Roberto C. Sánchez at 2020-10-07T15:28:04-04:00 LTS: claim brotli - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -30,7 +30,7 @@ ark NOTE: 20200907: patch https://people.debian.org/~abhijith/upload/backport_to_1608.patch crashes (abhijith) NOTE: 20200921: CLI works but GUI not, It seems the fix is not compatible with the old architecture (abhijith) -- -brotli +brotli (Roberto C. Sánchez) -- cacti NOTE: 20200529: A patch need to be cooked up. Upstream patch not fit for jessie version (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a46ff00cb609f8a6026dba83160ac4c7886c1789 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a46ff00cb609f8a6026dba83160ac4c7886c1789 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2399-1 for packagekit
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 71f2437f by Roberto C. Sánchez at 2020-10-07T14:39:14-04:00 Reserve DLA-2399-1 for packagekit - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[07 Oct 2020] DLA-2399-1 packagekit - security update + {CVE-2020-16121 CVE-2020-16122} + [stretch] - packagekit 1.1.5-2+deb9u2 [07 Oct 2020] DLA-2332-2 sane-backends - regression update [stretch] - sane-backends 1.0.25-4.1+deb9u2 [07 Oct 2020] DLA-2398-1 puma - security update = data/dla-needed.txt = @@ -115,8 +115,6 @@ open-build-service opendmarc NOTE: 20200719: no patches for remaining CVEs available, everything else is already done in Stretch (thorsten) -- -packagekit (Roberto C. Sánchez) --- php-horde-trean NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in https://bugs.horde.org/ticket/14926 (sunweaver) NOTE: 20200829: We may not expect too much activity regarding this by upstream. (sunweaver) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/71f2437f1ef839a94db5a4ac091df7119c533486 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/71f2437f1ef839a94db5a4ac091df7119c533486 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: claim packagekit
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 18176b63 by Roberto C. Sánchez at 2020-10-07T13:50:48-04:00 LTS: claim packagekit - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -115,7 +115,7 @@ open-build-service opendmarc NOTE: 20200719: no patches for remaining CVEs available, everything else is already done in Stretch (thorsten) -- -packagekit +packagekit (Roberto C. Sánchez) -- php-horde-trean NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in https://bugs.horde.org/ticket/14926 (sunweaver) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/18176b639f3baea70ff6e59eacf9e2ece46c00f4
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2396-1 for tigervnc
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 66716baa by Roberto C. Sánchez at 2020-10-06T17:08:15-04:00 Reserve DLA-2396-1 for tigervnc - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[06 Oct 2020] DLA-2396-1 tigervnc - security update + {CVE-2020-26117} + [stretch] - tigervnc 1.7.0+dfsg-7+deb9u2 [02 Oct 2020] DLA-2395-1 libvirt - security update {CVE-2020-25637} [stretch] - libvirt 3.0.0-4+deb9u5 = data/dla-needed.txt = @@ -190,8 +190,6 @@ sympa (Sylvain Beucler) -- thunderbird (Emilio) -- -tigervnc (Roberto C. Sánchez) --- tinymce (Abhijith PA) NOTE: 20201003: relevant commits are hard to chase down (abhijith) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/66716baaabb52a747b340c17f808145a4f98db84
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2397-1 for php7.0
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 8ffd2315 by Roberto C. Sánchez at 2020-10-06T17:09:01-04:00 Reserve DLA-2397-1 for php7.0 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[06 Oct 2020] DLA-2397-1 php7.0 - security update + {CVE-2020-7070} + [stretch] - php7.0 7.0.33-0+deb9u10 [06 Oct 2020] DLA-2396-1 tigervnc - security update {CVE-2020-26117} [stretch] - tigervnc 1.7.0+dfsg-7+deb9u2 = data/dla-needed.txt = @@ -117,8 +117,6 @@ opendmarc -- packagekit -- -php7.0 (Roberto C. Sánchez) --- php-horde-trean NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in https://bugs.horde.org/ticket/14926 (sunweaver) NOTE: 20200829: We may not expect too much activity regarding this by upstream. (sunweaver) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8ffd2315223b746b7910250b86da82c454dfd517
[Git][security-tracker-team/security-tracker][master] LTS: claim php7.0
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 43453c49 by Roberto C. Sánchez at 2020-10-04T21:56:54-04:00 LTS: claim php7.0 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -116,7 +116,7 @@ opendmarc -- packagekit -- -php7.0 +php7.0 (Roberto C. Sánchez) -- php-horde-trean (Mike Gabriel) NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in https://bugs.horde.org/ticket/14926 (sunweaver) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43453c49587c37fae26436a3ac74b90fa8a43a40
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2395-1 for libvirt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 9c3b2a2a by Roberto C. Sánchez at 2020-10-02T11:03:33-04:00 Reserve DLA-2395-1 for libvirt - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[02 Oct 2020] DLA-2395-1 libvirt - security update + {CVE-2020-25637} + [stretch] - libvirt 3.0.0-4+deb9u5 [02 Oct 2020] DLA-2394-1 squid3 - security update {CVE-2020-15049 CVE-2020-15810 CVE-2020-15811 CVE-2020-24606} [stretch] - squid3 3.5.23-5+deb9u5 = data/dla-needed.txt = @@ -96,9 +96,6 @@ libonig -- libproxy (Emilio) -- -libvirt (Roberto C. Sánchez) - NOTE: 20201001: More investigation needed. (utkarsh) --- linux (Ben Hutchings) -- linux-4.19 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c3b2a2a82457f5f0a8f83e05e952df92c40d663
[Git][security-tracker-team/security-tracker][master] LTS: claim tigervnc
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c02be61 by Roberto C. Sánchez at 2020-10-01T19:27:02-04:00 LTS: claim tigervnc - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -188,7 +188,7 @@ sympa -- thunderbird (Emilio) -- -tigervnc +tigervnc (Roberto C. Sánchez) -- tinymce (Abhijith PA) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c02be616ddc256a3a5cae12660b08a4055da512
[Git][security-tracker-team/security-tracker][master] LTS: claim libvirt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 0beb1f52 by Roberto C. Sánchez at 2020-10-01T08:11:29-04:00 LTS: claim libvirt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -91,7 +91,7 @@ lemonldap-ng -- libproxy (Emilio) -- -libvirt +libvirt (Roberto C. Sánchez) NOTE: 20201001: More investigation needed. (utkarsh) -- linux (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0beb1f5299a07ee362e1896f1ea2bba004af2820
[Git][security-tracker-team/security-tracker][master] LTS: update shiro notes in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: f4d34db5 by Roberto C. Sánchez at 2020-09-28T17:51:51-04:00 LTS: update shiro notes in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -170,6 +170,7 @@ samba -- shiro (Roberto C. Sánchez) NOTE: 20200920: WIP + NOTE: 20200928: Still awaiting reponse to request for assistance sent to upstream dev list. (roberto) -- slirp NOTE: Upstream patch for CVE-2020-8608 requires patches for View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f4d34db5ec340a76facd47a8fbbb86e3b0155ad1
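Review bot: typo in the added line `+ NOTE: 20200928: Still awaiting reponse to request for assistance sent to upstream dev list. (roberto)`: "reponse" should be "response". Worth fixing in this commit, since dla-needed.txt notes are carried forward unchanged by every later edit of the shiro entry.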
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2379-2 for mediawiki
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: ab3b4427 by Roberto C. Sánchez at 2020-09-28T10:36:37-04:00 Reserve DLA-2379-2 for mediawiki - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[28 Sep 2020] DLA-2379-2 mediawiki - regression update + [stretch] - mediawiki 1:1.27.7-1~deb9u5 [28 Sep 2020] DLA-2386-1 libdbi-perl - security update {CVE-2019-20919 CVE-2020-14392 CVE-2020-14393} [stretch] - libdbi-perl 1.636-1+deb9u1 = data/dla-needed.txt = @@ -95,9 +95,6 @@ linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) -- -mediawiki (Roberto C. Sánchez) - NOTE: 20200927: maintainer reported regression in most recent upload. (roberto) --- mumble NOTE: 20200325: Regression in last upload, forgot to follow up. NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab3b4427c9f39bd6db8985a872dab26cae5ac55c
[Git][security-tracker-team/security-tracker][master] LTS: re-add mediawiki to dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 638e7bf5 by Roberto C. Sánchez at 2020-09-27T17:37:43-04:00 LTS: re-add mediawiki to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -98,6 +98,9 @@ linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) -- +mediawiki (Roberto C. Sánchez) + NOTE: 20200927: maintainer reported regression in most recent upload. (roberto) +-- mumble NOTE: 20200325: Regression in last upload, forgot to follow up. NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/638e7bf5e94c5ae36630e5faac43580a5bf56504
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2381-1 for lua5.3
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 9bd4e4f6 by Roberto C. Sánchez at 2020-09-26T10:02:27-04:00 Reserve DLA-2381-1 for lua5.3 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[26 Sep 2020] DLA-2381-1 lua5.3 - security update + {CVE-2020-24370} + [stretch] - lua5.3 5.3.3-1+deb9u1 [26 Sep 2020] DLA-2380-1 ruby-gon - security update {CVE-2020-25739} [stretch] - ruby-gon 6.1.0-1+deb9u1 = data/dla-needed.txt = @@ -101,8 +101,6 @@ linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) -- -lua5.3 (Roberto C. Sánchez) --- mumble NOTE: 20200325: Regression in last upload, forgot to follow up. NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9bd4e4f6b633c9cb4917cbab63581b9edb6e8024
[Git][security-tracker-team/security-tracker][master] Update CVE-2020-24370/lua5.3 notes
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 37c958bb by Roberto C. Sánchez at 2020-09-25T22:21:34-04:00 Update CVE-2020-24370/lua5.3 notes - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3808,7 +3808,8 @@ CVE-2020-24370 (ldebug.c in Lua 5.4.0 allows a negation overflow and segmentatio - lua5.3 [buster] - lua5.3 (Minor issue) NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00324.html - NOTE: https://github.com/lua/lua/commit/a585eae6e7ada1ca9271607a4f48dfb17868ab7b + NOTE: (lua5.4) https://github.com/lua/lua/commit/a585eae6e7ada1ca9271607a4f48dfb17868ab7b + NOTE: (lua5.3) https://github.com/lua/lua/commit/b5bc89846721375fe30772eb8c5ab2786f362bf9 CVE-2020-24369 (ldebug.c in Lua 5.4.0 attempts to access debug information via the lin ...) - lua5.4 NOTE: https://github.com/lua/lua/commit/ae5b5ba529753c7a653901ffc29b5ea24c3fdf3a View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/37c958bb5c6bd0b9a89550b589317841b0afc7d5
[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-24371/lua5.3 as
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 029b8925 by Roberto C. Sánchez at 2020-09-25T22:11:49-04:00 Mark CVE-2020-24371/lua5.3 as not-affected This applies for both buster and stretch (same upstream release in both). The upstream bug page indicates that the bug exists since 5.4.0, upstream backported the fix for CVE-2020-24370 to 5.3 but not the fix for CVE-2020-24371, and the vulnerable code appears to have been introduced by upstream commits e4287da3a6 and 1afd5a152d as part of 5.4.0 development. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3799,7 +3799,8 @@ CVE-2020-24372 (LuaJIT through 2.1.0-beta3 has an out-of-bounds read in lj_err_r CVE-2020-24371 (lgc.c in Lua 5.4.0 mishandles the interaction between barriers and the ...) - lua5.4 - lua5.3 - [buster] - lua5.3 (Minor issue) + [buster] - lua5.3 (Vulnerable code not present) + [stretch] - lua5.3 (Vulnerable code not present) NOTE: https://github.com/lua/lua/commit/a6da1472c0c5e05ff249325f979531ad51533110 NOTE: https://www.lua.org/bugs.html#5.4.0-9 CVE-2020-24370 (ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation faul ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/029b8925e964f7936da905ddece6bfaa070d83d8
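Review bot: the evidence behind `(Vulnerable code not present)` lives only in the commit message (the code was introduced by upstream commits e4287da3a6 and 1afd5a152d during 5.4.0 development, and upstream backported the CVE-2020-24370 fix to 5.3 but not the CVE-2020-24371 one); the hunk itself records nothing beyond the two status lines. Add a NOTE under CVE-2020-24371 citing those two commits, next to the existing `NOTE: https://www.lua.org/bugs.html#5.4.0-9`, so the buster and stretch markings can be re-verified from data/CVE/list without reading git history.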
[Git][security-tracker-team/security-tracker][master] fix typo
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 8caaa13f by Roberto C. Sánchez at 2020-09-25T21:49:22-04:00 fix typo - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3799,13 +3799,13 @@ CVE-2020-24372 (LuaJIT through 2.1.0-beta3 has an out-of-bounds read in lj_err_r CVE-2020-24371 (lgc.c in Lua 5.4.0 mishandles the interaction between barriers and the ...) - lua5.4 - lua5.3 - [buster] - lua5.3 (Minor isue) + [buster] - lua5.3 (Minor issue) NOTE: https://github.com/lua/lua/commit/a6da1472c0c5e05ff249325f979531ad51533110 NOTE: https://www.lua.org/bugs.html#5.4.0-9 CVE-2020-24370 (ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation faul ...) - lua5.4 - lua5.3 - [buster] - lua5.3 (Minor isue) + [buster] - lua5.3 (Minor issue) NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00324.html NOTE: https://github.com/lua/lua/commit/a585eae6e7ada1ca9271607a4f48dfb17868ab7b CVE-2020-24369 (ldebug.c in Lua 5.4.0 attempts to access debug information via the lin ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8caaa13fecff7db0b7b897fec3337496e6360358
[Git][security-tracker-team/security-tracker][master] LTS: claim lua5.3
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: d5031a7a by Roberto C. Sánchez at 2020-09-25T21:36:02-04:00 LTS: claim lua5.3 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -101,7 +101,7 @@ linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) -- -lua5.3 +lua5.3 (Roberto C. Sánchez) -- mumble NOTE: 20200325: Regression in last upload, forgot to follow up. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5031a7a53f9fe48cd9534b6ad7c7de3bce898d1
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2379-1 for mediawiki
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 25bac2aa by Roberto C. Sánchez at 2020-09-25T21:05:56-04:00 Reserve DLA-2379-1 for mediawiki - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[25 Sep 2020] DLA-2379-1 mediawiki - security update + {CVE-2020-25813 CVE-2020-25814 CVE-2020-25827 CVE-2020-25828} + [stretch] - mediawiki 1:1.27.7-1~deb9u4 [25 Sep 2020] DLA-2378-1 openssl1.0 - security update {CVE-2020-1968} [stretch] - openssl1.0 1.0.2u-1~deb9u2 = data/dla-needed.txt = @@ -103,8 +103,6 @@ linux-4.9 (Ben Hutchings) -- lua5.3 -- -mediawiki (Roberto C. Sánchez) --- mumble NOTE: 20200325: Regression in last upload, forgot to follow up. NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/25bac2aa53cd27abd83d3ab826ddbd0739b4909a
[Git][security-tracker-team/security-tracker][master] LTS: mark CVE-2020-2581{2,5}/mediawiki as for stretch
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 2eca1517 by Roberto C. Sánchez at 2020-09-25T20:45:24-04:00 LTS: mark CVE-2020-2581{2,5}/mediawiki as not-affected for stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -626,6 +626,7 @@ CVE-2020-25816 CVE-2020-25815 RESERVED - mediawiki + [stretch] - mediawiki (Vulnerable code introduced later) NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2020-September/093888.html NOTE: https://phabricator.wikimedia.org/T256171 CVE-2020-25814 @@ -644,6 +645,7 @@ CVE-2020-25812 RESERVED {DSA-4767-1} - mediawiki + [stretch] - mediawiki (Vulnerable code introduced later) NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2020-September/093888.html NOTE: https://phabricator.wikimedia.org/T255918 CVE-2020-25811 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2eca15177d1252167b0f991802430c1721a8271c
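Review bot: both hunks mark stretch as `(Vulnerable code introduced later)` without recording which upstream release or change introduced the code; the surrounding NOTE lines only link the wikitech-l announcement and the Phabricator tasks (T256171, T255918), neither of which states that. Add a NOTE under CVE-2020-25815 and CVE-2020-25812 naming the introducing version or commit so the stretch triage can be re-checked later without redoing the source comparison.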
[Git][security-tracker-team/security-tracker][master] LTS: claim mediawiki
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 348978bf by Roberto C. Sánchez at 2020-09-25T17:51:54-04:00 LTS: claim mediawiki - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -103,7 +103,7 @@ linux-4.9 (Ben Hutchings) -- lua5.3 -- -mediawiki +mediawiki (Roberto C. Sánchez) -- mumble NOTE: 20200325: Regression in last upload, forgot to follow up. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/348978bf60661d35ed0600b7d93706995fc980be
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2378-1 for openssl1.0
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: b30e0825 by Roberto C. Sánchez at 2020-09-25T17:36:12-04:00 Reserve DLA-2378-1 for openssl1.0 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[25 Sep 2020] DLA-2378-1 openssl1.0 - security update + {CVE-2020-1968} + [stretch] - openssl1.0 1.0.2u-1~deb9u2 [21 Sep 2020] DLA-2377-1 qt4-x11 - security update {CVE-2018-15518 CVE-2018-19869 CVE-2018-19870 CVE-2018-19871 CVE-2018-19872 CVE-2018-19873 CVE-2020-17507} [stretch] - qt4-x11 4:4.8.7+dfsg-11+deb9u1 = data/dla-needed.txt = @@ -122,8 +122,6 @@ open-build-service (Utkarsh Gupta) opendmarc NOTE: 20200719: no patches for remaining CVEs available, everything else is already done in Stretch (thorsten) -- -openssl1.0 (Roberto C. Sánchez) --- osc (Adrian Bunk) -- packagekit View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b30e082568e269c5082307e29e0d72a06e4e2664
[Git][security-tracker-team/security-tracker][master] LTS: remove openssl from dla-needed.txt, no open issues
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: eaae6e9f by Roberto C. Sánchez at 2020-09-25T17:13:26-04:00 LTS: remove openssl from dla-needed.txt, no open issues - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -122,8 +122,6 @@ open-build-service (Utkarsh Gupta) opendmarc NOTE: 20200719: no patches for remaining CVEs available, everything else is already done in Stretch (thorsten) -- -openssl (Roberto C. Sánchez) --- openssl1.0 (Roberto C. Sánchez) -- osc (Adrian Bunk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eaae6e9f853c2987de8275fc45b65fe62bc52d7d
[Git][security-tracker-team/security-tracker][master] LTS: mark CVE-2020-1968/openssl as for stretch
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 6a7d4e4b by Roberto C. Sánchez at 2020-09-25T17:12:46-04:00 LTS: mark CVE-2020-1968/openssl as not-affected for stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -58673,6 +58673,7 @@ CVE-2020-1969 CVE-2020-1968 (The Raccoon attack exploits a flaw in the TLS specification which can ...) - openssl 1.1.1~~pre9-1 - openssl1.0 + [stretch] - openssl (Affected ciphers removed in upstream commit bc71f91, included in 1.1.0-pre2) NOTE: Marking the first openssl 1.1.1 version in unstable as the fixed version in sid NOTE: https://www.openssl.org/news/secadv/20200909.txt NOTE: https://raccoon-attack.com/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6a7d4e4b4ca65b8c6e411b943d6f7a7e30878915
[Git][security-tracker-team/security-tracker][master] LTS: update status of squid3
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 8379b341 by Roberto C. Sánchez at 2020-09-25T16:48:07-04:00 LTS: update status of squid3 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -194,7 +194,10 @@ slirp -- snmptt (Abhijith PA) -- -squid3 (Roberto C. Sánchez) +squid3 + NOTE: 20200831: I have backported the HttpHeader parsing code now and + NOTE: incorporated the fixes for the latest CVE. I will send a RFT to + NOTE: debian-lts again before uploading. (apo) -- sympa NOTE: 20200525: Incomplete patch. Not the complete patch is made public. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8379b3411754d9337010c232b4ea4d702a946f15
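Review bot: dropping the claimant from `-squid3 (Roberto C. Sánchez)` to `+squid3` leaves the entry unclaimed while the restored NOTE says apo already has the HttpHeader backport in hand and intends to send an RFT and upload; record apo as the claimant on the package line so the entry is not claimed a second time. Also, the continuation lines `+ NOTE: incorporated the fixes ...` and `+ NOTE: debian-lts again before uploading. (apo)` lack the `20200831:` date prefix that the first line carries and that the other multi-line entries in dla-needed.txt on this page (the mumble notes, for instance) repeat on every line; keep the prefix on each line for consistency.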
[Git][security-tracker-team/security-tracker][master] LTS: claim openssl and openssl1.0
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 7b9fffc5 by Roberto C. Sánchez at 2020-09-25T15:47:05-04:00 LTS: claim openssl and openssl1.0 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -122,9 +122,9 @@ open-build-service (Utkarsh Gupta) opendmarc NOTE: 20200719: no patches for remaining CVEs available, everything else is already done in Stretch (thorsten) -- -openssl +openssl (Roberto C. Sánchez) -- -openssl1.0 +openssl1.0 (Roberto C. Sánchez) -- osc (Adrian Bunk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7b9fffc5d6a60c26c344a1474a5d0e1ccaa79856
[Git][security-tracker-team/security-tracker][master] LTS: claim squid3 in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: b17ea56e by Roberto C. Sánchez at 2020-09-24T17:23:29-04:00 LTS: claim squid3 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -186,7 +186,7 @@ slirp -- snmptt (Abhijith PA) -- -squid3 +squid3 (Roberto C. Sánchez) -- sympa NOTE: 20200525: Incomplete patch. Not the complete patch is made public. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b17ea56ed94fe94f501ec6f0c4610abcaceadb54
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: triage CVE-2020-24659/gnutls28 as for stretch
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 0717bf79 by Roberto C. Sánchez at 2020-09-24T16:50:49-04:00 LTS: triage CVE-2020-24659/gnutls28 as not-affected for stretch - - - - - d474b9d6 by Roberto C. Sánchez at 2020-09-24T16:51:37-04:00 LTS: remove gnutls28 from dla-needed.txt, no open issues - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -3112,6 +3112,7 @@ CVE-2020-24660 (An issue was discovered in LemonLDAP::NG through 2.0.8, when NGI CVE-2020-24659 (An issue was discovered in GnuTLS before 3.6.15. A server can trigger ...) - gnutls28 3.6.15-1 (bug #969547) [buster] - gnutls28 (Minor issue) + [stretch] - gnutls28 (Vulnerable code introduced later) NOTE: https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-09-04 NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1071 NOTE: https://gitlab.com/gnutls/gnutls/-/commit/29ee67c205855e848a0a26e6d0e4f65b6b943e0a = data/dla-needed.txt = @@ -76,9 +76,6 @@ fossil -- freerdp -- -gnutls28 (Roberto C. Sánchez) - NOTE: 20200920: WIP --- golang-1.7 -- golang-1.8 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b0316b0cf79a15340c2de5317143f7c91d6d05c4...d474b9d6a604d6712bf97d73a21c324bff08c455
[Git][security-tracker-team/security-tracker][master] LTS: update notes (gnutls28, shiro)
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 9967aac8 by Roberto C. Sánchez at 2020-09-20T16:37:50-04:00 LTS: update notes (gnutls28, shiro) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -74,6 +74,7 @@ fossil freerdp -- gnutls28 (Roberto C. Sánchez) + NOTE: 20200920: WIP -- golang-1.7 -- @@ -184,6 +185,7 @@ samba (Mike Gabriel) NOTE: 20200903: As discussed internally, I will look into Samba AD CVEs and revisit the risk assessment, plus fix the more severe issues (sunweaver) -- shiro (Roberto C. Sánchez) + NOTE: 20200920: WIP -- slirp NOTE: Upstream patch for CVE-2020-8608 requires patches for View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9967aac85ba054b406820657e1d6a60f2af4e085
[Git][security-tracker-team/security-tracker][master] LTS: claim gnutls28, shiro
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 5295d431 by Roberto C. Sánchez at 2020-09-07T07:54:01-04:00 LTS: claim gnutls28, shiro - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -75,7 +75,7 @@ freerdp (Mike Gabriel) gnome-shell (Mike Gabriel) NOTE: 20200829: https://salsa.debian.org/gnome-team/gnome-shell/-/merge_requests/41 (sunweaver) -- -gnutls28 +gnutls28 (Roberto C. Sánchez) -- golang-go.crypto -- @@ -173,7 +173,7 @@ samba (Mike Gabriel) NOTE: 20200830: Will remove this entry and mark all current CVEs as postponed. But first I need to know were the patches are (ola). NOTE: 20200903: As discussed internally, I will look into Samba AD CVEs and revisit the risk assessment, plus fix the more severe issues (sunweaver) -- -shiro +shiro (Roberto C. Sánchez) -- slirp NOTE: Upstream patch for CVE-2020-8608 requires patches for NOTE: View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5295d431548f46cb06d300635a2e1d9e9ee2f621
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2365-1 for netty-3.9
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: e4ceb712 by Roberto C. Sánchez at 2020-09-04T14:33:58-04:00 Reserve DLA-2365-1 for netty-3.9 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[04 Sep 2020] DLA-2365-1 netty-3.9 - security update + {CVE-2019-16869 CVE-2019-20444 CVE-2019-20445} + [stretch] - netty-3.9 3.9.9.Final-1+deb9u1 [04 Sep 2020] DLA-2364-1 netty - security update {CVE-2019-20444 CVE-2019-20445 CVE-2020-7238 CVE-2020-11612} [stretch] - netty 1:4.1.7-2+deb9u2 = data/dla-needed.txt = @@ -99,8 +99,6 @@ mumble NOTE: 20200504: discussion going on with t...@security.debian.org and mumble maintainer (abhijith) NOTE: 20200723: https://lists.debian.org/debian-lts/2020/05/msg8.html (abhijith) -- -netty-3.9 (Roberto C. Sánchez) --- nss (Adrian Bunk) NOTE: 20200706: from dsa-needed.txt: Roberto proposed an update including fixes for CVE-2018-12404 and CVE-2018-18508 (Beuc) NOTE: 20200810: packages are being tested (bunk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e4ceb7127675ae3ed29d45e3f933edb55cbe1071
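Review bot: the DLA-2365-1 entry lists CVE-2019-16869, CVE-2019-20444 and CVE-2019-20445 for netty-3.9 but not CVE-2020-7238, and the CVE-2020-7238 entry (see the revert of 469d4967 further down this page) keeps netty-3.9 in stretch annotated with the reason "CVE-2019-16869 not fixed for stretch", its NOTE adding that the issue exists because of an incomplete fix for CVE-2019-16869. Once this upload fixes CVE-2019-16869 in stretch that reason no longer holds, so one of two things is needed: either the 3.9.9.Final-1+deb9u1 backport also closes the CVE-2020-7238 case and this DLA entry should list it, or the CVE-2020-7238 entry needs a fresh stretch triage with a reason that is still true after this DLA. Reserving the DLA without touching that entry leaves the tracker claiming an annotation whose stated justification the same push removes.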
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2364-1 for netty
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 720a28d0 by Roberto C. Sánchez at 2020-09-04T14:33:14-04:00 Reserve DLA-2364-1 for netty - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[04 Sep 2020] DLA-2364-1 netty - security update + {CVE-2019-20444 CVE-2019-20445 CVE-2020-7238 CVE-2020-11612} + [stretch] - netty 1:4.1.7-2+deb9u2 [03 Sep 2020] DLA-2363-1 asyncpg - security update {CVE-2020-17446} [stretch] - asyncpg 0.8.4-1+deb9u1 = data/dla-needed.txt = @@ -99,8 +99,6 @@ mumble NOTE: 20200504: discussion going on with t...@security.debian.org and mumble maintainer (abhijith) NOTE: 20200723: https://lists.debian.org/debian-lts/2020/05/msg8.html (abhijith) -- -netty (Roberto C. Sánchez) --- netty-3.9 (Roberto C. Sánchez) -- nss (Adrian Bunk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/720a28d099ac3ab61d2aa2e3a324aee4442bdf46
[Git][security-tracker-team/security-tracker][master] Revert "LTS: update issues which are to be fixed in stretch"
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: e41307db by Roberto C. Sánchez at 2020-08-25T09:18:24-04:00 Revert LTS: update issues which are to be fixed in stretch This reverts commit 469d496742e20fdfda0c6f83e6c0fb71cc406c8a. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -40912,6 +40912,7 @@ CVE-2020-7238 (Netty 4.1.43.Final allows HTTP Request Smuggling because it misha {DLA-2110-1 DLA-2109-1} - netty 1:4.1.45-1 (bug #950967) - netty-3.9 + [stretch] - netty-3.9 (CVE-2019-16869 not fixed for stretch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1796225 NOTE: https://github.com/jdordonezn/CVE-2020-72381/issues/1 NOTE: Issue exists because of incomplete fix for CVE-2019-16869. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e41307dbac9958fd31b0d7b66c3050b54e622a2e
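Review bot: the revert message gives only the reverted hash and no reason for restoring the stretch annotation on CVE-2020-7238/netty-3.9, and the commit it reverts (469d4967, further down this page) gave no reason for removing it, so the tracker history now records a next-day flip on this entry with no rationale either way. The re-added line's own parenthetical ("CVE-2019-16869 not fixed for stretch") together with the entry's NOTE ("Issue exists because of incomplete fix for CVE-2019-16869") is the actual reasoning; a dated NOTE line in the style used elsewhere on this page (for example "NOTE: 20200825: ... (roberto)") stating that the stretch annotation stands until CVE-2019-16869 is fixed in netty-3.9 for stretch, and must be re-triaged when it is, would spare the next triager from re-deriving it and would tie the annotation to the condition under which it stops being true.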
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2344-1 for mongodb
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 1036b602 by Roberto C. Sánchez at 2020-08-24T18:54:48-04:00 Reserve DLA-2344-1 for mongodb - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[24 Aug 2020] DLA-2344-1 mongodb - security update + {CVE-2020-7923} + [stretch] - mongodb 1:3.2.11-2+deb9u2 [24 Aug 2020] DLA-2343-1 icingaweb2 - security update {CVE-2020-24368} [stretch] - icingaweb2 2.4.1-1+deb9u1 = data/dla-needed.txt = @@ -102,8 +102,6 @@ linux-4.9 (Ben Hutchings) -- lua5.3 -- -mongodb (Roberto C. Sánchez) --- mumble NOTE: 20200325: Regression in last upload, forgot to follow up. NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1036b602b31f2725971acb7c3bbba4da82676bff
[Git][security-tracker-team/security-tracker][master] LTS: update issues which are to be fixed in stretch
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 469d4967 by Roberto C. Sánchez at 2020-08-24T18:31:57-04:00 LTS: update issues which are to be fixed in stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -40888,7 +40888,6 @@ CVE-2020-7238 (Netty 4.1.43.Final allows HTTP Request Smuggling because it misha {DLA-2110-1 DLA-2109-1} - netty 1:4.1.45-1 (bug #950967) - netty-3.9 - [stretch] - netty-3.9 (CVE-2019-16869 not fixed for stretch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1796225 NOTE: https://github.com/jdordonezn/CVE-2020-72381/issues/1 NOTE: Issue exists because of incomplete fix for CVE-2019-16869. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/469d496742e20fdfda0c6f83e6c0fb71cc406c8a
[Git][security-tracker-team/security-tracker][master] LTS: claim netty, netty-3.9
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 78083c57 by Roberto C. Sánchez at 2020-08-24T16:04:34-04:00 LTS: claim netty, netty-3.9 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -113,9 +113,9 @@ mumble -- ndpi (Thorsten Alteholz) -- -netty +netty (Roberto C. Sánchez) -- -netty-3.9 +netty-3.9 (Roberto C. Sánchez) -- nss NOTE: 20200706: from dsa-needed.txt: Roberto proposed an update including fixes for CVE-2018-12404 and CVE-2018-18508 (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/78083c5785ff0834d6f32a7e061b3a0071db6364
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2343-1 for icingaweb2
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 457c4691 by Roberto C. Sánchez at 2020-08-24T15:42:28-04:00 Reserve DLA-2343-1 for icingaweb2 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[24 Aug 2020] DLA-2343-1 icingaweb2 - security update + {CVE-2020-24368} + [stretch] - icingaweb2 2.4.1-1+deb9u1 [24 Aug 2020] DLA-2342-1 libjackson-json-java - security update {CVE-2017-7525 CVE-2017-15095 CVE-2019-10172} [stretch] - libjackson-json-java 1.9.2-8+deb9u1 = data/dla-needed.txt = @@ -89,8 +89,6 @@ guacamole-client (Mike Gabriel) NOTE: 20200815: The bad maintenance is not because of the maintainer, but because of upstream's delay to port the software NOTE: 20200815: over to the freerdp2 API. (sunweaver) -- -icingaweb2 (Roberto C. Sánchez) --- jetty9 -- jupyter-notebook (Mike Gabriel) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/457c4691ebc85c6f574e395225a67b2fc23593e1
[Git][security-tracker-team/security-tracker][master] LTS: claim icingaweb2
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 74a51ec9 by Roberto C. Sánchez at 2020-08-24T14:39:17-04:00 LTS: claim icingaweb2 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -89,7 +89,7 @@ guacamole-client (Mike Gabriel) NOTE: 20200815: The bad maintenance is not because of the maintainer, but because of upstream's delay to port the software NOTE: 20200815: over to the freerdp2 API. (sunweaver) -- -icingaweb2 +icingaweb2 (Roberto C. Sánchez) -- jetty9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/74a51ec950d8dfa4525c9b79a9c82a266b68fc79
[Git][security-tracker-team/security-tracker][master] LTS: remove chrony from dla-needed.txt, no remaining open issues
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 48d502e5 by Roberto C. Sánchez at 2020-08-24T14:36:25-04:00 LTS: remove chrony from dla-needed.txt, no remaining open issues - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -46,8 +46,6 @@ ceph NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby) NOTE: 20200707: Some discussion regarding removal <https://lists.debian.org/debian-lts/2020/04/msg00019.html> (lamby) -- -chrony (Roberto C. Sánchez) --- cimg NOTE: 20200709: Upstream patch is against a newer "load_network_external" NOTE: 20200709: method (vs "load_network") but is still missing the argument View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/48d502e5bd2b6b77b31ffa4340c65196439e7c6e
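Review bot: the message asserts that chrony has no remaining open issues, but the change touches only dla-needed.txt and the push carries no data/CVE/list change, so nothing in this commit shows which issues were closed or how (fixed by an upload, marked not-affected, or postponed). Compare the gnutls28 push above, where the triage commit and the dla-needed.txt removal travel together and the reader can check one against the other; here, naming the closing commit or the CVE ids in the message would make the removal auditable without a separate search of the tracker history.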
[Git][security-tracker-team/security-tracker][master] LTS: claim chrony, mongodb
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 91624166 by Roberto C. Sánchez at 2020-08-24T08:49:41-04:00 LTS: claim chrony, mongodb - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -46,7 +46,7 @@ ceph NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby) NOTE: 20200707: Some discussion regarding removal <https://lists.debian.org/debian-lts/2020/04/msg00019.html> (lamby) -- -chrony +chrony (Roberto C. Sánchez) -- cimg NOTE: 20200709: Upstream patch is against a newer "load_network_external" @@ -106,7 +106,7 @@ linux-4.9 (Ben Hutchings) -- lua5.3 -- -mongodb +mongodb (Roberto C. Sánchez) -- mumble NOTE: 20200325: Regression in last upload, forgot to follow up. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9162416630498e359aa7535a3f8d8e0689a29e53
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: triage tomcat7 CVEs in stretch; none affect libservlet3.0-java, which is...
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 227dec84 by Roberto C. Sánchez at 2020-08-22T20:18:30-04:00 LTS: triage tomcat7 CVEs in stretch; none affect libservlet3.0-java, which is the only binary package built from the tomcat7 source package in stretch - - - - - 09345bb5 by Roberto C. Sánchez at 2020-08-22T20:19:12-04:00 LTS: remove tomcat7 from dla-needed.txt, no open issues remain - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -35398,6 +35398,7 @@ CVE-2020-9484 (When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M - tomcat9 9.0.35-1 (bug #961209) - tomcat8 - tomcat7 + [stretch] - tomcat7 (No components in libservlet3.0-java binary package are affected) NOTE: https://github.com/apache/tomcat/commit/bb33048e3f9b4f2b70e4da2e6c4e34ca89023b1b (10.0.0-M5) NOTE: https://github.com/apache/tomcat/commit/3aa8f28db7efb311cdd1b6fe15a9cd3b167a (9.0.35) NOTE: https://github.com/apache/tomcat/commit/ec08af18d0f9ddca3f2d800ef66fe7fd20afef2f (8.5.55) @@ -55160,6 +55161,7 @@ CVE-2020-1938 (When using the Apache JServ Protocol (AJP), care must be taken wh - tomcat9 9.0.31-1 (bug #952437) - tomcat8 (bug #952438) - tomcat7 (bug #952436) + [stretch] - tomcat7 (No components in libservlet3.0-java binary package are affected) NOTE: AJP disabled in Debian in default configuration since 2008 NOTE: fixed in upstream versions 9.0.31, 8.5.51, 7.0.100 NOTE: https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487 
@@ -55186,6 +55188,7 @@ CVE-2020-1935 (In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to - tomcat9 9.0.31-1 - tomcat8 - tomcat7 + [stretch] - tomcat7 (No components in libservlet3.0-java binary package are affected) NOTE: https://github.com/apache/tomcat/commit/8bfb0ff7f25fe7555a5eb2f7984f73546c11aa26 (9.0.31) NOTE: https://github.com/apache/tomcat/commit/8fbe2e962f0ea138d92361921643fe5abe0c4f56 (8.5.51) NOTE: https://github.com/apache/tomcat/commit/702bf15bea292915684d931526d95d4990b2e73d (7.0.100) @@ -64175,6 +64178,7 @@ CVE-2019-17569 (The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.4 - tomcat8 [jessie] - tomcat8 (vulnerable code introduced in later version) - tomcat7 + [stretch] - tomcat7 (No components in libservlet3.0-java binary package are affected) NOTE: https://github.com/apache/tomcat/commit/060ecc5eb839208687b7fcc9e35287ac8eb46998 (9.0.31) NOTE: https://github.com/apache/tomcat/commit/959f1dfd767bf3cb64776b44f7395d1d8d8f7ab3 (8.5.51) NOTE: https://github.com/apache/tomcat/commit/b191a0d9cf06f4e04257c221bfe41d2b108a9cc8 (7.0.100) @@ -64202,6 +64206,7 @@ CVE-2019-17563 (When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9. - tomcat9 9.0.31-1 - tomcat8 - tomcat7 + [stretch] - tomcat7 (No components in libservlet3.0-java binary package are affected) NOTE: https://github.com/apache/tomcat/commit/1ecba14e690cf5f3f143eef6ae7037a6d3c16652 (9.0.30) NOTE: https://github.com/apache/tomcat/commit/e19a202ee43b6e2a538be5515ae0ab32d8ef112c (8.5.50) NOTE: https://github.com/apache/tomcat/commit/ab72a106fe5d992abddda954e30849d7cf8cc583 (7.0.99) 
@@ -81001,6 +81006,7 @@ CVE-2019-12418 (When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 an - tomcat9 9.0.31-1 - tomcat8 - tomcat7 + [stretch] - tomcat7 (No components in libservlet3.0-java binary package are affected) NOTE: https://github.com/apache/tomcat/commit/1fc9f589dbdd8295cf313b2667ab041c425f99c3 (9.0.29) NOTE: https://github.com/apache/tomcat/commit/a91d7db4047d372b2f12999d3cf2bc3254c20d00 (8.5.48) NOTE: https://github.com/apache/tomcat/commit/bef3f40400243348d12f4abfe9b413f43897c02b (7.0.98) @@ -116675,6 +116681,7 @@ CVE-2019-0221 (The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8 - tomcat9 9.0.16-4 (bug #929895) - tomcat8 - tomcat7 + [stretch] - tomcat7 (No components in libservlet3.0-java binary package are affected) NOTE: affects debug channel, unlikely to be present in production websites: NOTE: https://mail-archives.apache.org/mod_mbox/www-announce/201905.mbox/%3cb1905aa6-f340-8d0b-58c4-8ac3ebcbf...@apache.org%3E NOTE: https://github.com/apache/tomcat/commit/15fcd16 (9.0.19) = data/dla-needed.txt = @@ -197,8 +197,6 @@ sympa NOTE: 20200604: the non-public patch is being discussed internally. (utkarsh) NOTE: 20200604: shall
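Review bot: all seven `[stretch] - tomcat7 (No components in libservlet3.0-java binary package are affected)` lines rest on a single fact that appears only in the commit message, namely that libservlet3.0-java is the only binary package built from the tomcat7 source in stretch; that fact belongs in the tracker itself, as one dated NOTE on the package in the style already used in dla-needed.txt, so that the next tomcat7 CVE can be triaged the same way without re-checking the stretch build and so that anyone auditing one of these seven lines does not have to locate this commit first. As rendered, each added line lacks a status keyword between the package name and the reason; the committed lines presumably carry `<not-affected>`, which is what the message's "none affect" means, but that is worth confirming because this rendering strips the other triage tags as well (the unchanged `[jessie] - tomcat8 (vulnerable code introduced in later version)` context line shows the same loss). The dla-needed.txt hunk is cut off at "NOTE: 20200604: shall", so the tomcat7 removal that the second commit (09345bb5) describes cannot be checked from this mail; the claim commit ccdff3a4 below shows where the entry sat.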
[Git][security-tracker-team/security-tracker][master] LTS: claim tomcat7
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: ccdff3a4 by Roberto C. Sánchez at 2020-08-22T19:00:03-04:00 LTS: claim tomcat7 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -197,7 +197,7 @@ sympa NOTE: 20200604: the non-public patch is being discussed internally. (utkarsh) NOTE: 20200604: shall process the upload once the confirmation is given. (utkarsh) -- -tomcat7 +tomcat7 (Roberto C. Sánchez) -- wordpress NOTE: 20200710: Vulnerable to at least CVE-2020-4046. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ccdff3a4b7042f419304f947f419d8b634f75ed7