[Git][security-tracker-team/security-tracker][master] LTS: reclaim shiro, xmlbeans

2021-05-04 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
086e6cfa by Roberto C. Sánchez at 2021-05-04T18:47:07-04:00
LTS: reclaim shiro, xmlbeans

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -131,7 +131,7 @@ salt (Utkarsh)
 --
 samba (Abhijith PA)
 --
-shiro
+shiro (Roberto C. Sánchez)
   NOTE: 20200920: WIP
   NOTE: 20200928: Still awaiting reponse to request for assistance sent to 
upstream dev list. (roberto)
   NOTE: 20201004: Sent additional request to upstream dev list; stil no 
response. (roberto)
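Review bot: only the claimant on the `shiro` line changes, while the newest status NOTE visible in context is still the 20201004 one ("Sent additional request to upstream dev list; stil no response"); add a dated NOTE with the current state of the backport so the next reader of dla-needed.txt can tell whether the claim is progressing rather than just being renewed. Since the entry is being touched anyway, the two typos in the context lines ("reponse", "stil") could be corrected in the same edit.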
@@ -143,7 +143,7 @@ spotweb
   NOTE: 20210122: Upstream fix trivially bypassed, reported under CVE-2021-3286
   NOTE: 20210127: Upstream says "we can fix this but it may take some time", 
revisit later (Beuc)
 --
-xmlbeans
+xmlbeans (Roberto C. Sánchez)
   NOTE: 20210222: Affected code changed significantly from 2.6.0 to 3.0.0 (the
   NOTE: 20210222: upstream release with the fix).  Trying to determine how to
   NOTE: 20210222: implement the changes without introducing too much new code. 
(roberto)
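Review bot: for `xmlbeans` the latest NOTE in context (20210222) still describes working out how to port the 2.6.0 to 3.0.0 change; a dated NOTE stating whether the backport is ready for upload or blocked would let another LTS member pick the package up if this claim lapses again.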



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/086e6cfa3b58b134e7cbd8bf7bd6dbf8740befaa



___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] LTS: re-claim shiro and xmlbeans; getting back on track

2021-04-07 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
29d534b9 by Roberto C. Sánchez at 2021-04-07T14:10:57-04:00
LTS: re-claim shiro and xmlbeans; getting back on track

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -129,7 +129,7 @@ ruby-nokogiri
 salt (Utkarsh)
   NOTE: 20210329: WIP (utkarsh)
 --
-shiro
+shiro (Roberto C. Sánchez)
   NOTE: 20200920: WIP
   NOTE: 20200928: Still awaiting reponse to request for assistance sent to 
upstream dev list. (roberto)
   NOTE: 20201004: Sent additional request to upstream dev list; stil no 
response. (roberto)
@@ -144,7 +144,7 @@ spotweb
 subversion (Emilio)
   NOTE: 20210322: have a look at #985556 and #948834
 --
-xmlbeans
+xmlbeans (Roberto C. Sánchez)
   NOTE: 20210222: Affected code changed significantly from 2.6.0 to 3.0.0 (the
   NOTE: 20210222: upstream release with the fix).  Trying to determine how to
   NOTE: 20210222: implement the changes without introducing too much new code. 
(roberto)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29d534b9ede940dfa7b4e98c817ffe34adc9c352



[Git][security-tracker-team/security-tracker][master] 2 commits: fix typo

2021-03-25 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cf3136a7 by Roberto C. Sánchez at 2021-03-25T21:21:07-04:00
fix typo

- - - - -
540c2a73 by Roberto C. Sánchez at 2021-03-25T21:22:28-04:00
remove no-dsa tags from jquery vulnerabilities being fixed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -73070,9 +73070,7 @@ CVE-2020-11024 (In Moonlight iOS/tvOS before 4.0.1, the 
pairing process is vulne
 CVE-2020-11023 (In jQuery versions greater than or equal to 1.0.3 and before 
3.5.0, pa ...)
{DSA-4693-1}
- jquery 
-   [buster] - jquery  (Minor issue)
-   [stretch] - jquery  (Minor issue)
-   [jessie] - jquery  (Vulnerable code note present)
+   [jessie] - jquery  (Vulnerable code not present)
- drupal7 
[jessie] - drupal7  (Vulnerable code not embedded)
- node-jquery 3.5.0+dfsg-2
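Review bot: the `[buster]` and `[stretch]` jquery lines are removed together, but the DLA-2608-1 entry reserved in the same batch covers only stretch (`[stretch] - jquery 3.1.1-2+deb9u2`); if buster is considered already covered by the `{DSA-4693-1}` reference just above the package line, the commit message ("remove no-dsa tags from jquery vulnerabilities being fixed") should say so, otherwise the buster tag should stay until the security team confirms. The `note present` to `not present` correction on the jessie line is a good catch and matches the `(Vulnerable code not embedded)` wording used for drupal7 below it.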
@@ -73086,9 +73084,7 @@ CVE-2020-11023 (In jQuery versions greater than or 
equal to 1.0.3 and before 3.5
 CVE-2020-11022 (In jQuery versions greater than or equal to 1.2 and before 
3.5.0, pass ...)
{DSA-4693-1}
- jquery 
-   [buster] - jquery  (Minor issue)
-   [stretch] - jquery  (Minor issue)
-   [jessie] - jquery  (Vulnerable code note present)
+   [jessie] - jquery  (Vulnerable code not present)
- node-jquery 3.5.0+dfsg-2
[buster] - node-jquery  (Minor issue)
- drupal7 
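Review bot: the same buster question applies to the `[buster] - jquery` line dropped for CVE-2020-11022; note that the `[buster] - node-jquery  (Minor issue)` context line at the end of this hunk keeps its tag, so the two jquery packages end up triaged differently for buster after this change, which is worth a sentence in the commit message if intentional.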



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4a0116cf6bf48778938c504c2c4d26f3661a88aa...540c2a739edb3b698cdcfb01caef7d1270d4200e



[Git][security-tracker-team/security-tracker][master] Reserve DLA-2608-1 for jquery

2021-03-25 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4a0116cf by Roberto C. Sánchez at 2021-03-25T21:17:50-04:00
Reserve DLA-2608-1 for jquery

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[25 Mar 2021] DLA-2608-1 jquery - security update
+   {CVE-2020-11022 CVE-2020-11023}
+   [stretch] - jquery 3.1.1-2+deb9u2
 [25 Mar 2021] DLA-2607-1 firefox-esr - security update
{CVE-2021-23981 CVE-2021-23982 CVE-2021-23984 CVE-2021-23987}
[stretch] - firefox-esr 78.9.0esr-1~deb9u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a0116cf6bf48778938c504c2c4d26f3661a88aa



[Git][security-tracker-team/security-tracker][master] LTS: (re)claim shiro in dla-needed.txt

2021-03-16 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2f70c267 by Roberto C. Sánchez at 2021-03-16T21:52:32-04:00
LTS: (re)claim shiro in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -117,7 +117,7 @@ salt (Utkarsh)
 shadow (Sylvain Beucler)
   NOTE: 20210316: found new CVE, discussing with secteam
 --
-shiro
+shiro (Roberto C. Sánchez)
   NOTE: 20200920: WIP
   NOTE: 20200928: Still awaiting reponse to request for assistance sent to 
upstream dev list. (roberto)
   NOTE: 20201004: Sent additional request to upstream dev list; stil no 
response. (roberto)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f70c26795a6e1afcdbdc46fe4455d1043427949



[Git][security-tracker-team/security-tracker][master] LTS: reclaim xmlbeans and update status notes

2021-03-09 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
65b07d8c by Roberto C. Sánchez at 2021-03-09T20:02:40-05:00
LTS: reclaim xmlbeans and update status notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -134,8 +134,10 @@ tomcat7 (Utkarsh)
 --
 tomcat8 (Anton Gladky)
 --
-xmlbeans
+xmlbeans (Roberto C. Sánchez)
   NOTE: 20210222: Affected code changed significantly from 2.6.0 to 3.0.0 (the
   NOTE: 20210222: upstream release with the fix).  Trying to determine how to
   NOTE: 20210222: implement the changes without introducing too much new code. 
(roberto)
+  NOTE: 20210309: Have developed a minimal backport that accomplishes 
necessary security
+  NOTE: 20210309: fix with minimal new code. (roberto)
 --
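Review bot: the new 20210309 NOTE says a minimal backport exists but gives no location; link the patch (the xcftools NOTE in this same file points at a `debian/patches/` file in the lts-team packaging repo on salsa, which is the pattern to follow) so the work is recoverable if the claim lapses, as this entry has already been claimed and unclaimed since 20210208.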



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/65b07d8c98aa4c0580565024ac74c4a3cae82129



[Git][security-tracker-team/security-tracker][master] LTS: update notes for xmlbeans

2021-02-21 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0ceb844e by Roberto C. Sánchez at 2021-02-21T22:42:03-05:00
LTS: update notes for xmlbeans

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -124,6 +124,9 @@ subversion (Thorsten Alteholz)
   NOTE: 20210221: solving build problems
 --
 xmlbeans (Roberto C. Sánchez)
+  NOTE: 20210222: Affected code changed significantly from 2.6.0 to 3.0.0 (the
+  NOTE: 20210222: upstream release with the fix).  Trying to determine how to
+  NOTE: 20210222: implement the changes without introducing too much new code. 
(roberto)
 --
 zeromq3 (Anton Gladky)
 --
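Review bot: the added NOTE refers to "the upstream release with the fix" without naming the CVE being backported; record the CVE id in the NOTE so a later reader of dla-needed.txt can match the 2.6.0 to 3.0.0 change against the right issue without cross-referencing data/CVE/list.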



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0ceb844e7e90a0121d1c570e6ab2d08379c0cdee



[Git][security-tracker-team/security-tracker][master] LTS: reclaim xmlbeans in dla-needed.txt, WIP

2021-02-08 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
876238d6 by Roberto C. Sánchez at 2021-02-08T06:44:54-05:00
LTS: reclaim xmlbeans in dla-needed.txt, WIP

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -110,5 +110,5 @@ xcftools (Markus Koschany)
   NOTE: 20200523: Proposed fix https://github.com/j-jorge/xcftools/pull/15 
(gladk)
   NOTE: 20200605: Patch 
https://salsa.debian.org/lts-team/packages/xcftools/-/blob/fix/test-CVE-2019-5087/debian/patches/CVE-2019-5087.patch
 (gladk)
 --
-xmlbeans
+xmlbeans (Roberto C. Sánchez)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/876238d650088073615cafb1ebe5bd66c93584b5


[Git][security-tracker-team/security-tracker][master] LTS: claim shiro in dla-needed.txt

2021-02-01 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fbabc0e2 by Roberto C. Sánchez at 2021-02-01T09:27:17-05:00
LTS: claim shiro in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -108,7 +108,7 @@ ruby-kaminari
   NOTE: 20201009: This (↑) is an app-level patch for a rails app. A 
library-level patch
   NOTE: 20201009: will needed to be written. Opened an issue at upstream, 
though somewhat inactive. (utkarsh)
 --
-shiro
+shiro (Roberto C. Sánchez)
   NOTE: 20200920: WIP
   NOTE: 20200928: Still awaiting reponse to request for assistance sent to 
upstream dev list. (roberto)
   NOTE: 20201004: Sent additional request to upstream dev list; stil no 
response. (roberto)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fbabc0e2aea1bcb858b89539f4b4c16dd0b843d0


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2537-1 for ffmpeg

2021-01-30 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
63141f7f by Roberto C. Sánchez at 2021-01-31T00:02:27-05:00
Reserve DLA-2537-1 for ffmpeg

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[31 Jan 2021] DLA-2537-1 ffmpeg - security update
+   {CVE-2019-17539 CVE-2020-35965}
+   [stretch] - ffmpeg 7:3.2.15-0+deb9u2
 [30 Jan 2021] DLA-2536-1 libsdl2 - security update
{CVE-2019-7575 CVE-2019-7577 CVE-2019-7578 CVE-2019-7635 CVE-2019-7636 
CVE-2019-7638 CVE-2019-13616 CVE-2020-14409 CVE-2020-14410}
[stretch] - libsdl2 2.0.5+dfsg1-2+deb9u1


=
data/dla-needed.txt
=
@@ -38,8 +38,6 @@ f2fs-tools (Abhijith PA)
   NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 
and 1.13.0, but it is not trivial to
   NOTE: 20200815: to detect which of the patches correlates to the CVE. 
Contacting upstream might be necessary. (sunweaver)
 --
-ffmpeg (Roberto C. Sánchez)
---
 firefox-esr (Emilio)
 --
 firmware-nonfree



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63141f7f6c24091ee093a93df4a2d301f2b67c2c


[Git][security-tracker-team/security-tracker][master] LTS: CVE-2020-35964/ffmpeg mark as not-affected for stretch

2021-01-30 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
529c47f8 by Roberto C. Sánchez at 2021-01-30T20:02:00-05:00
LTS: CVE-2020-35964/ffmpeg mark as not-affected for stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -11286,6 +11286,7 @@ CVE-2020-35965 (decode_frame in libavcodec/exr.c in 
FFmpeg 4.3.1 has an out-of-b
 CVE-2020-35964 (track_header in libavformat/vividas.c in FFmpeg 4.3.1 has an 
out-of-bo ...)
- ffmpeg 7:4.3.1-6 (bug #98)
[buster] - ffmpeg  (Wait for 4.1.7)
+   [stretch] - ffmpeg  (Vulnerable code introduced later)
NOTE: 
https://github.com/FFmpeg/FFmpeg/commit/27a99e2c7d450fef15594671eef4465c8a166bd7
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26622
 CVE-2020-35963 (flb_gzip_compress in flb_gzip.c in Fluent Bit before 1.6.4 has 
an out- ...)
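Review bot: the stretch tag's justification "Vulnerable code introduced later" does not say when; stretch ships the 3.2.x branch of ffmpeg (see the "wait until fixed in 3.2.x branch" tag in the CVE-2019-17539 entry), so naming the version or upstream commit that introduced the affected vividas.c code, as the `[jessie] - libav  (Vulnerable code introduced in v12.x)` line does for libav, would make this not-affected triage checkable by the next person.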



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/529c47f897de07551fcc5ebf51a517fc15b26289


[Git][security-tracker-team/security-tracker][master] LTS: CVE-2019-17539/ffmpeg remove tag, will be fixed

2021-01-30 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
699fb536 by Roberto C. Sánchez at 2021-01-30T19:37:07-05:00
LTS: CVE-2019-17539/ffmpeg remove postponed tag, will be fixed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -99226,7 +99226,6 @@ CVE-2019-17540 (ImageMagick before 7.0.8-54 has a 
heap-based buffer overflow in
 CVE-2019-17539 (In FFmpeg before 4.2, avcodec_open2 in libavcodec/utils.c 
allows a NUL ...)
{DSA-4722-1}
- ffmpeg 7:4.2.1-1 (low)
-   [stretch] - ffmpeg  (Minor issue, wait until fixed in 3.2.x 
branch)
- libav  (low)
[jessie] - libav  (Vulnerable code introduced in v12.x)
NOTE: 
https://github.com/FFmpeg/FFmpeg/commit/8df6884832ec413cf032dfaa45c23b1c7876670c



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/699fb5365c22919a840b71a31a5f1224b9580085


[Git][security-tracker-team/security-tracker][master] LTS: claim xmlbeans and ffmpeg in dla-needed.txt

2021-01-22 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
007915b3 by Roberto C. Sánchez at 2021-01-22T19:48:08-05:00
LTS: claim xmlbeans and ffmpeg in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -40,7 +40,7 @@ f2fs-tools (Abhijith PA)
   NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 
and 1.13.0, but it is not trivial to
   NOTE: 20200815: to detect which of the patches correlates to the CVE. 
Contacting upstream might be necessary. (sunweaver)
 --
-ffmpeg
+ffmpeg (Roberto C. Sánchez)
 --
 firmware-nonfree
   NOTE: 20201207: wait for the update in buster and backport that (Emilio)
@@ -154,5 +154,5 @@ xcftools
   NOTE: 20200523: Proposed fix https://github.com/j-jorge/xcftools/pull/15 
(gladk)
   NOTE: 20200605: Patch 
https://salsa.debian.org/lts-team/packages/xcftools/-/blob/fix/test-CVE-2019-5087/debian/patches/CVE-2019-5087.patch
 (gladk)
 --
-xmlbeans
+xmlbeans (Roberto C. Sánchez)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/007915b3395f09cd8415781b2ab4681d5dc1d0ff


[Git][security-tracker-team/security-tracker][master] LTS: re-claim shiro in dla-needed.txt

2021-01-05 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
46715607 by Roberto C. Sánchez at 2021-01-05T18:27:18-05:00
LTS: re-claim shiro in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -146,7 +146,7 @@ ruby-kaminari
   NOTE: 20201009: This (↑) is an app-level patch for a rails app. A 
library-level patch
   NOTE: 20201009: will needed to be written. Opened an issue at upstream, 
though somewhat inactive. (utkarsh)
 --
-shiro
+shiro (Roberto C. Sánchez)
   NOTE: 20200920: WIP
   NOTE: 20200928: Still awaiting reponse to request for assistance sent to 
upstream dev list. (roberto)
   NOTE: 20201004: Sent additional request to upstream dev list; stil no 
response. (roberto)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46715607a66873a2aabfc3b7e60a10f59f59bebb


[Git][security-tracker-team/security-tracker][master] Link upstream announcement and release notes for CVE-2020-17510/shiro

2020-12-22 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
882a8b9e by Roberto C. Sánchez at 2020-12-22T20:51:08-05:00
Link upstream announcement and release notes for CVE-2020-17510/shiro

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -35035,6 +35035,8 @@ CVE-2020-17511 (In Airflow versions prior to 1.10.13, 
when creating a user using
 CVE-2020-17510 (Apache Shiro before 1.7.0, when using Apache Shiro with 
Spring, a spec ...)
- shiro 
NOTE: https://www.openwall.com/lists/oss-security/2020/11/04/7
+   NOTE: 
https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E
+   NOTE: 
https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12349284=Text=12310950
 CVE-2020-17509 [ATS negative cache option is vulnerable to a cache poisoning 
attack]
RESERVED
{DSA-4805-1}
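Review bot: the second added NOTE URL reads `ReleaseNote.jspa?version=12349284=Text=12310950`, which looks like the `&`-separated query parameters were lost when the link was pasted (a value of `Text` is sitting where a parameter name should be); confirm the link resolves to the 1.7.0 release notes before it is relied on as the reference for the fix.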



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/882a8b9e179a76e98258bb2985a6718b9a9a9ebc


[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: CVE-2020-15005/mediawiki will be fixed

2020-12-22 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
82a98030 by Roberto C. Sánchez at 2020-12-22T20:11:54-05:00
LTS: CVE-2020-15005/mediawiki will be fixed

- - - - -
ffc529a3 by Roberto C. Sánchez at 2020-12-22T20:29:56-05:00
Reserve DLA-2504-1 for mediawiki

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -41021,7 +41021,6 @@ CVE-2020-15006 (Bludit 3.12.0 allows stored XSS via 
JavaScript code in an SVG do
 CVE-2020-15005 (In MediaWiki before 1.31.8, 1.32.x and 1.33.x before 1.33.4, 
and 1.34. ...)
{DSA-4767-1}
- mediawiki 1:1.31.8-1
-   [stretch] - mediawiki  (Minor issue)
NOTE: 
https://lists.wikimedia.org/pipermail/wikitech-l/2020-June/093535.html
 CVE-2020-15004 (OX App Suite through 7.10.3 allows stats/diagnostic?param= 
XSS. ...)
NOT-FOR-US: Open-Xchange App Suite


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[22 Dec 2020] DLA-2504-1 mediawiki - security update
+   {CVE-2020-15005 CVE-2020-35477 CVE-2020-35479 CVE-2020-35480}
+   [stretch] - mediawiki 1:1.27.7-1~deb9u7
 [22 Dec 2020] DLA-2412-2 openjdk-8 - regression update
[stretch] - openjdk-8 8u275-b01-1~deb9u1
 [21 Dec 2020] DLA-2503-1 node-ini - security update


=
data/dla-needed.txt
=
@@ -91,8 +91,6 @@ mariadb-10.1 (Adrian Bunk)
   NOTE: 20201207: still ongoing (bunk)
   NOTE: 20201220: debugging test failure in local build (bunk)
 --
-mediawiki (Roberto C. Sánchez)
---
 mumble
   NOTE: 20200325: Regression in last upload, forgot to follow up.
   NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/45060b59935ed05698d9d6ab7bb2bfe4e014be4c...ffc529a3709ee9860c8640dc796bbfff4f9029c1


[Git][security-tracker-team/security-tracker][master] LTS: mark CVE-2020-35475/mediawiki as not-affected for stretch

2020-12-21 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4c20ffd8 by Roberto C. Sánchez at 2020-12-21T22:00:41-05:00
LTS: mark CVE-2020-35475/mediawiki as not-affected for stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2489,6 +2489,7 @@ CVE-2020-35476 (A remote code execution vulnerability 
occurs in OpenTSDB through
 CVE-2020-35475 (In MediaWiki before 1.35.1, the messages 
userrights-expiry-current and ...)
{DSA-4816-1}
- mediawiki 1:1.35.1-1
+   [stretch] - mediawiki  (Introduced in 1.29)
NOTE: https://phabricator.wikimedia.org/T268917
NOTE: 
https://lists.wikimedia.org/pipermail/wikitech-l/2020-December/094126.html
 CVE-2020-35474 (In MediaWiki before 1.35.1, the combination of 
Html::rawElement and Me ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c20ffd8855871ec3010d3125ad9da27883a7295


[Git][security-tracker-team/security-tracker][master] LTS: stretch triage

2020-12-20 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bacefb3b by Roberto C. Sánchez at 2020-12-20T13:01:33-05:00
LTS: stretch triage

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -128,6 +128,8 @@ php-horde-trean
   NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in 
https://bugs.horde.org/ticket/14926 (sunweaver)
   NOTE: 20200829: We may not expect too much activity regarding this by 
upstream. (sunweaver)
 --
+postsrsd
+--
 reel
   NOTE: 20200909: it is now unmaintained. last commit was in Aug 2018. 
(utkarsh)
 --
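Review bot: `postsrsd` is added with no NOTE and no CVE reference, unlike the surrounding entries; a dated NOTE naming the open CVE(s) and anything already known about the fix would let a claimant start from the right place instead of repeating the triage.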
@@ -181,6 +183,11 @@ spip (Abhijith PA)
   NOTE: Low priority for us. sec team did DSA-4798-1 (abhijith)
   NOTE: 20201220: package in stretch in unusable. Contacted maintainer 
(abhijith)
 --
+spotweb
+  NOTE: 20201220: The affected code (PHP!) uses string concatenation to 
construct a SQL query.
+  NOTE: 20201220: Upstream's "fix" is to blacklist all the "bad" SQL commands.
+  NOTE: 20201220: Yes, this is a dumpster fire.  Claim this package at your 
own peril. (roberto)
+--
 wireshark
   NOTE: 20201007: during last triage, I marked some CVEs as no-dsa, it'd be 
great to include
   NOTE: 20201007: those fixes as well! \o/ (utkarsh)
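Review bot: the spotweb NOTE records the essential finding (the query is built by string concatenation and upstream's fix is a denylist of SQL keywords) and is right to flag it, since filtering keywords does not remove the injection; it should also name the CVE id(s) the entry covers and say what an acceptable LTS fix would look like (parameterised statements at the affected call site), so the "claim at your own peril" warning is paired with a concrete starting point for whoever does take it.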



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bacefb3b1d441864774355876cf62a02583b7e7d


[Git][security-tracker-team/security-tracker][master] LTS: reclaim shiro, update notes

2020-12-20 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1ed458df by Roberto C. Sánchez at 2020-12-20T12:46:36-05:00
LTS: reclaim shiro, update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -162,10 +162,11 @@ ruby-kaminari
   NOTE: 20201009: This (↑) is an app-level patch for a rails app. A 
library-level patch
   NOTE: 20201009: will needed to be written. Opened an issue at upstream, 
though somewhat inactive. (utkarsh)
 --
-shiro
+shiro (Roberto C. Sánchez)
   NOTE: 20200920: WIP
   NOTE: 20200928: Still awaiting reponse to request for assistance sent to 
upstream dev list. (roberto)
   NOTE: 20201004: Sent additional request to upstream dev list; stil no 
response. (roberto)
+  NOTE: 20201220: Upstream has responded.  Working with them to backport 
fixes. (roberto)
 --
 slirp (Thorsten Alteholz)
   NOTE: Upstream patch for CVE-2020-8608 requires patches for



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ed458df2bcc47656cf0976486c7d5bf8fdb1763


[Git][security-tracker-team/security-tracker][master] LTS: mark CVE-2020-14394/qemu as postponed for stretch

2020-12-19 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ced0213f by Roberto C. Sánchez at 2020-12-20T00:22:26-05:00
LTS: mark CVE-2020-14394/qemu as postponed for stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -41942,6 +41942,7 @@ CVE-2020-14395
 CVE-2020-14394 [infinite loop in xhci_ring_chain_length() in hw/usb/hcd-xhci.c]
RESERVED
- qemu 
+   [stretch] - qemu  (Fix along in future DLA)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1908004
 CVE-2020-14393 (A buffer overflow was found in perl-DBI  1.643 in DBI.xs. 
A local  ...)
{DLA-2386-1}



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ced0213f6fb283a09389ec287f8925bebd5c790d


[Git][security-tracker-team/security-tracker][master] 3 commits: LTS: triage {CVE-2020-35490,CVE-2020-35491}/jackson-databind as

2020-12-18 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fe0bce11 by Roberto C. Sánchez at 2020-12-18T22:28:13-05:00
LTS: triage {CVE-2020-35490,CVE-2020-35491}/jackson-databind as no-dsa

This is consistent with both how the same CVEs were handled for buster
by the security team and how previous similar CVEs (CVE-2020-24616 and
CVE-2020-24750) were handled by the LTS team.

- - - - -
76d5aa7f by Roberto C. Sánchez at 2020-12-18T22:31:49-05:00
LTS: triage CVE-2020-29652/golang-go.crypto as not-affected

- - - - -
c61cdb7f by Roberto C. Sánchez at 2020-12-18T22:41:08-05:00
LTS: triage golang-1.8 and golang-1.7

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -2040,12 +2040,14 @@ CVE-2020-35492
 CVE-2020-35491 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the 
interact ...)
- jackson-databind 
[buster] - jackson-databind  (Minor issue)
+   [stretch] - jackson-databind  (Minor issue)
NOTE: https://github.com/FasterXML/jackson-databind/issues/2986
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is 
enabled by default
NOTE: but still an issue when Default Typing is enabled.
 CVE-2020-35490 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the 
interact ...)
- jackson-databind 
[buster] - jackson-databind  (Minor issue)
+   [stretch] - jackson-databind  (Minor issue)
NOTE: https://github.com/FasterXML/jackson-databind/issues/2986
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is 
enabled by default
NOTE: but still an issue when Default Typing is enabled.
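Review bot: both new stretch lines copy the buster `(Minor issue)` rationale, but the NOTE directly beneath says the mitigation (Safe Default Typing on by default) only exists from the 2.10 series and the issue remains whenever Default Typing is enabled; every version in the affected range (2.x before 2.9.10.8) predates 2.10, so the mitigation does not apply to stretch. A short stretch-specific NOTE stating what the "minor" judgement rests on (Default Typing off by default, consistency with the CVE-2020-24616/CVE-2020-24750 handling the commit message cites) would let a later reader verify the triage from the file alone.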
@@ -4065,6 +4067,7 @@ CVE-2020-29653
RESERVED
 CVE-2020-29652 (A nil pointer dereference in the golang.org/x/crypto/ssh 
component thr ...)
- golang-go.crypto 
+   [stretch] - golang-go.crypto  (Vulnerable code not 
present)
- kubernetes 
NOTE: https://go-review.googlesource.com/c/crypto/+/278852
NOTE: https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1
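Review bot: `(Vulnerable code not present)` is recorded for stretch without a NOTE saying how that was established; the upstream fix link (go-review 278852) is there, so a one-line NOTE naming the file or function checked in the stretch source would let a later reader confirm the not-affected triage without redoing it. The `- kubernetes` line just below receives no stretch annotation in this change; if that is deliberate (package absent from stretch, or its vendored copy differs), it is worth a note as well.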


=
data/dla-needed.txt
=
@@ -58,6 +58,12 @@ flac (Adrian Bunk)
   NOTE: 20201215: when preparing fix/advisory note that the same code change 
fixes both CVE-2020-0487 and CVE-2017-6888 (roberto)
   NOTE: 20201215: stretch and buster versions are very close; perhaps consider 
coordinating with security team and helping them by preparing an update for 
buster (roberto)
 --
+golang-1.7
+  NOTE: 20201219: new CVEs may not be getting fixed, might need to ignore 
(roberto)
+--
+golang-1.8
+  NOTE: 20201219: new CVEs may not be getting fixed, might need to ignore 
(roberto)
+--
 golang-websocket
 --
 imagemagick (Sylvain Beucler)
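Review bot: the new golang-1.7 and golang-1.8 entries carry a NOTE that new CVEs "may not be getting fixed, might need to ignore", but neither names the CVEs in question, so a later triager has to rediscover which issues prompted the entry. Suggest listing the CVE ids in the NOTE, and once the decision is taken, marking them ignored in the CVE list with the reason so these entries can be closed out.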



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ced4449781949729fc5d3225e95df39fa111597e...c61cdb7f53756c142b4466bd95e5b0067bce9807


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2500-1 for curl

2020-12-18 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ced44497 by Roberto C. Sánchez at 2020-12-18T21:53:34-05:00
Reserve DLA-2500-1 for curl

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[18 Dec 2020] DLA-2500-1 curl - security update
+   {CVE-2020-8284 CVE-2020-8285 CVE-2020-8286}
+   [stretch] - curl 7.52.1-5+deb9u13
 [18 Dec 2020] DLA-2467-2 lxml - regression update
[stretch] - lxml 3.7.1-1+deb9u3
 [17 Dec 2020] DLA-2499-1 sympa - security update


=
data/dla-needed.txt
=
@@ -47,8 +47,6 @@ condor
   NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o 
(roberto)
   NOTE: 20200727: Waiting on maintainer feedback: 
https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto)
 --
-curl (Roberto C. Sánchez)
---
 f2fs-tools
   NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 
and 1.13.0, but it is not trivial to
   NOTE: 20200815: to detect which of the patches correlates to the CVE. 
Contacting upstream might be necessary. (sunweaver)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ced4449781949729fc5d3225e95df39fa111597e


[Git][security-tracker-team/security-tracker][master] LTS: triage libxstream-java

2020-12-17 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a180e00f by Roberto C. Sánchez at 2020-12-17T18:22:38-05:00
LTS: triage libxstream-java

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -84,6 +84,8 @@ lemonldap-ng (Utkarsh)
 libhibernate3-java
   NOTE: 20201115: No patch yet; unsure if version in LTS is vulnerable. (lamby)
 --
+libxstream-java (Markus Koschany)
+--
 linux (Ben Hutchings)
 --
 linux-4.19 (Ben Hutchings)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a180e00f25090d97abf0174bba2341d493226d37


[Git][security-tracker-team/security-tracker][master] LTS: triage CVE-2020-29663/icinga2 as not-affected for stretch

2020-12-16 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8566f098 by Roberto C. Sánchez at 2020-12-16T12:18:04-05:00
LTS: triage CVE-2020-29663/icinga2 as not-affected for stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1799,6 +1799,7 @@ CVE-2020-29664
 CVE-2020-29663 (Icinga 2 v2.8.0 through v2.11.7 and v2.12.2 has an issue where 
revoked ...)
- icinga2 2.12.3-1
[buster] - icinga2  (Minor issue)
+   [stretch] - icinga2  (Vulnerable code not present)
NOTE: 
https://github.com/Icinga/icinga2/security/advisories/GHSA-pcmr-2p2f-r7j6
NOTE: 
https://github.com/Icinga/icinga2/commit/abbd7d5494369af8bbf8fc12f5dc1a0f05a1f817
NOTE: 
https://github.com/Icinga/icinga2/commit/cae22a89da9e6a381904c3b207e5a3f93f6ed838



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8566f0988fe80d78c33f219859fa9ffc10376bec


[Git][security-tracker-team/security-tracker][master] 5 commits: LTS: mark xen CVEs as EOL

2020-12-15 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2c93185c by Roberto C. Sánchez at 2020-12-15T18:38:07-05:00
LTS: mark xen CVEs as EOL

- - - - -
28e63f24 by Roberto C. Sánchez at 2020-12-15T18:40:28-05:00
LTS: triage firefox-esr and thunderbird for stretch

- - - - -
4f181fb9 by Roberto C. Sánchez at 2020-12-15T18:47:26-05:00
LTS: triage node-ini for stretch

- - - - -
28c9af2f by Roberto C. Sánchez at 2020-12-15T19:00:02-05:00
fix broken link for commit related to CVE-2017-6888/flac

- - - - -
76ae31a5 by Roberto C. Sánchez at 2020-12-15T19:01:38-05:00
LTS: triage flac for stretch

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -2529,10 +2529,12 @@ CVE-2020-29572 
(app/View/Elements/genericElements/SingleViews/Fields/genericFiel
 CVE-2020-29571 (An issue was discovered in Xen through 4.14.x. A bounds check 
common t ...)
{DSA-4812-1}
- xen 4.14.0+88-g1d1d1f5391-1
+   [stretch] - xen  (DSA 4602-1)
NOTE: https://xenbits.xen.org/xsa/advisory-359.html
 CVE-2020-29570 (An issue was discovered in Xen through 4.14.x. Recording of 
the per-vC ...)
{DSA-4812-1}
- xen 4.14.0+88-g1d1d1f5391-1
+   [stretch] - xen  (DSA 4602-1)
NOTE: https://xenbits.xen.org/xsa/advisory-358.html
 CVE-2020-29569 (An issue was discovered in the Linux kernel through 5.10.1, as 
used wi ...)
- linux 
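Review bot: the reference in each added `[stretch] - xen` line is written `DSA 4602-1`, while this file cites advisories with a hyphen (`{DSA-4812-1}` two lines above each of them); writing `DSA-4602-1` keeps the reference consistent and greppable. The same applies to every xen line added in the later hunks of this commit.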
@@ -2548,6 +2550,7 @@ CVE-2020-29567 (An issue was discovered in Xen 4.14.x. 
When moving IRQs between
 CVE-2020-29566 (An issue was discovered in Xen through 4.14.x. When they 
require assis ...)
{DSA-4812-1}
- xen 4.14.0+88-g1d1d1f5391-1
+   [stretch] - xen  (DSA 4602-1)
NOTE: https://xenbits.xen.org/xsa/advisory-348.html
 CVE-2020-29565 (An issue was discovered in OpenStack Horizon before 15.3.2, 
16.x befor ...)
- horizon 3:18.6.1-1 (bug #976872)
@@ -2928,34 +2931,42 @@ CVE-2020-29487 (An issue was discovered in Xen XAPI 
before 2020-12-15. Certain x
 CVE-2020-29486 (An issue was discovered in Xen through 4.14.x. Nodes in 
xenstore have  ...)
{DSA-4812-1}
- xen 4.14.0+88-g1d1d1f5391-1
+   [stretch] - xen  (DSA 4602-1)
NOTE: https://xenbits.xen.org/xsa/advisory-352.html
 CVE-2020-29485 (An issue was discovered in Xen 4.6 through 4.14.x. When acting 
upon a  ...)
{DSA-4812-1}
- xen 4.14.0+88-g1d1d1f5391-1
+   [stretch] - xen  (DSA 4602-1)
NOTE: https://xenbits.xen.org/xsa/advisory-330.html
 CVE-2020-29484 (An issue was discovered in Xen through 4.14.x. When a Xenstore 
watch f ...)
{DSA-4812-1}
- xen 4.14.0+88-g1d1d1f5391-1
+   [stretch] - xen  (DSA 4602-1)
NOTE: https://xenbits.xen.org/xsa/advisory-324.html
 CVE-2020-29483 (An issue was discovered in Xen through 4.14.x. Xenstored and 
guests co ...)
{DSA-4812-1}
- xen 4.14.0+88-g1d1d1f5391-1
+   [stretch] - xen  (DSA 4602-1)
NOTE: https://xenbits.xen.org/xsa/advisory-325.html
 CVE-2020-29482 (An issue was discovered in Xen through 4.14.x. A guest may 
access xens ...)
{DSA-4812-1}
- xen 4.14.0+88-g1d1d1f5391-1
+   [stretch] - xen  (DSA 4602-1)
NOTE: https://xenbits.xen.org/xsa/advisory-323.html
 CVE-2020-29481 (An issue was discovered in Xen through 4.14.x. Access rights 
of Xensto ...)
{DSA-4812-1}
- xen 4.14.0+88-g1d1d1f5391-1
+   [stretch] - xen  (DSA 4602-1)
NOTE: https://xenbits.xen.org/xsa/advisory-322.html
 CVE-2020-29480 (An issue was discovered in Xen through 4.14.x. Neither 
xenstore implem ...)
{DSA-4812-1}
- xen 4.14.0+88-g1d1d1f5391-1
+   [stretch] - xen  (DSA 4602-1)
NOTE: https://xenbits.xen.org/xsa/advisory-115.html
 CVE-2020-29479 (An issue was discovered in Xen through 4.14.x. In the Ocaml 
xenstored  ...)
{DSA-4812-1}
- xen 4.14.0+88-g1d1d1f5391-1
+   [stretch] - xen  (DSA 4602-1)
NOTE: https://xenbits.xen.org/xsa/advisory-353.html
 CVE-2020-29478
RESERVED
@@ -221269,7 +221280,8 @@ CVE-2017-6888 (An error in the 
"read_metadata_vorbiscomment_()" function (src/li
[jessie] - flac  (Minor issue)
[wheezy] - flac  (Minor issue)
NOTE: 
https://secuniaresearch.flexerasoftware.com/secunia_research/2017-7/
-   NOTE: 
https://git.xiph.org/?p=flac.git;a=commit;h=4f47b63e9c971e6391590caf00a0f2a5ed612e67
+   NOTE: 
https://git.xiph.org/?p=flac.git;a=commit;h=4f47b63e9c971e6391590caf00a0f2a5ed612e67
 (broken link)
+   NOTE: 
https://android.googlesource.com/platform/external/flac/+/4f47b63e9c971e6391590caf00a0f2a5ed612e67
 CVE-2017-6887 (A boundary error within the "parse_tiff_ifd()" function 
(internal/dcra ...)
{DSA-3950-1 DLA-1057-1}
- libraw 0.18.2-2 (bug #864183)


=

[Git][security-tracker-team/security-tracker][master] LTS: triage lxml

2020-12-14 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cc87469a by Roberto C. Sánchez at 2020-12-14T20:05:48-05:00
LTS: triage lxml

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -83,6 +83,8 @@ linux (Ben Hutchings)
 --
 linux-4.19 (Ben Hutchings)
 --
+lxml (Roberto C. Sánchez)
+--
 mariadb-10.1 (Adrian Bunk)
   NOTE: 20201207: still ongoing (bunk)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc87469af3d150bbf2746207b30d90d9ac1c20e7


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2340-2 for sqlite3

2020-12-10 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
138ee6ba by Roberto C. Sánchez at 2020-12-10T09:25:52-05:00
Reserve DLA-2340-2 for sqlite3

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,5 @@
+[10 Dec 2020] DLA-2340-2 sqlite3 - regression update
+   [stretch] - sqlite3 3.16.2-5+deb9u3
 [10 Dec 2020] DLA-2488-1 python-apt - security update
{CVE-2020-27351}
[stretch] - python-apt 1.4.2


=
data/dla-needed.txt
=
@@ -170,8 +170,6 @@ spice-vdagent (Abhijith PA)
 spip (Abhijith PA)
   NOTE: Low priority for us. sec team did DSA-4798-1 (abhijith)
 --
-sqlite3 (Roberto C. Sánchez)
---
 tomcat8 (Utkarsh)
 --
 webcit (Markus Koschany)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/138ee6ba1d326689e1d502e112e701b44cefb0a8


[Git][security-tracker-team/security-tracker][master] LTS: take curl in dla-needed.txt

2020-12-09 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c0acd9bb by Roberto C. Sánchez at 2020-12-09T07:25:48-05:00
LTS: take curl in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -46,7 +46,7 @@ condor
   NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o 
(roberto)
   NOTE: 20200727: Waiting on maintainer feedback: 
https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto)
 --
-curl
+curl (Roberto C. Sánchez)
 --
 f2fs-tools
   NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 
and 1.13.0, but it is not trivial to



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0acd9bb4ef0d851763d479987fead035de3ae35


[Git][security-tracker-team/security-tracker][master] LTS: claim sqlite3 in dla-needed.txt (regression was reported against update I prepared previously)

2020-12-08 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ff774e00 by Roberto C. Sánchez at 2020-12-08T10:00:45-05:00
LTS: claim sqlite3 in dla-needed.txt (regression was reported against update I 
prepared previously)

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -164,7 +164,7 @@ spice-vdagent (Abhijith PA)
 spip (Abhijith PA)
   NOTE: Low priority for us. sec team did DSA-4798-1 (abhijith)
 --
-sqlite3
+sqlite3 (Roberto C. Sánchez)
 --
 tomcat8 (Utkarsh)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff774e00cc09a7a28241c867d833d624c7001499


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2476-1 for brotli

2020-12-01 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9e780447 by Roberto C. Sánchez at 2020-12-01T17:56:21-05:00
Reserve DLA-2476-1 for brotli

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[01 Dec 2020] DLA-2476-1 brotli - security update
+   {CVE-2020-8927}
+   [stretch] - brotli 0.5.2+dfsg-2+deb9u1
 [01 Dec 2020] DLA-2475-1 pdfresurrect - security update
{CVE-2019-14934 CVE-2020-20740}
[stretch] - pdfresurrect 0.12-6+deb9u1


=
data/dla-needed.txt
=
@@ -27,11 +27,6 @@ ansible (Markus Koschany)
   NOTE: 20201130: Not everything is clear and obvious thus fixing some CVE is
   NOTE: 20201130: better than continue to ignore all of them.
 --
-brotli (Roberto C. Sánchez)
-  NOTE: 20201025: Requested patch review on debian-lts@l.d.o (roberto)
-  NOTE: 20201114: Requested assistance from original patch author. (roberto)
-  NOTE: 20201201: Upstream has responded and verified the required backport 
changes. (roberto)
---
 ceph
   NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby)
   NOTE: 20200707: Some discussion regarding removal 
<https://lists.debian.org/debian-lts/2020/04/msg00019.html> (lamby)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e780447059dc7de19e820db8f46d05fc906eeb9


[Git][security-tracker-team/security-tracker][master] LTS: reclaim brotli, update notes

2020-12-01 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d9c23a4e by Roberto C. Sánchez at 2020-12-01T08:51:05-05:00
LTS: reclaim brotli, update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -27,9 +27,10 @@ ansible (Markus Koschany)
   NOTE: 20201130: Not everything is clear and obvious thus fixing some CVE is
   NOTE: 20201130: better than continue to ignore all of them.
 --
-brotli
+brotli (Roberto C. Sánchez)
   NOTE: 20201025: Requested patch review on debian-lts@l.d.o (roberto)
   NOTE: 20201114: Requested assistance from original patch author. (roberto)
+  NOTE: 20201201: Upstream has responded and verified the required backport 
changes. (roberto)
 --
 ceph
   NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9c23a4e543c1e2c3b46115f6c39428d0832d783


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2475-1 for pdfresurrect

2020-12-01 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b9c9fdec by Roberto C. Sánchez at 2020-12-01T07:53:52-05:00
Reserve DLA-2475-1 for pdfresurrect

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[01 Dec 2020] DLA-2475-1 pdfresurrect - security update
+   {CVE-2019-14934 CVE-2020-20740}
+   [stretch] - pdfresurrect 0.12-6+deb9u1
 [01 Dec 2020] DLA-2474-1 musl - security update
{CVE-2020-28928}
[stretch] - musl 1.1.16-3+deb9u1


=
data/dla-needed.txt
=
@@ -109,8 +109,6 @@ pacemaker (Markus Koschany)
   NOTE: 20201130: I will ask the other bug reporters for feedback and testing
   NOTE: 20201130: in #974563. The update itself looks good to me.
 --
-pdfresurrect (Roberto C. Sánchez)
---
 php-horde-trean
   NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in 
https://bugs.horde.org/ticket/14926 (sunweaver)
   NOTE: 20200829: We may not expect too much activity regarding this by 
upstream. (sunweaver)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b9c9fdec2f2bb1b3282c97dc349ac337c6954bb1


[Git][security-tracker-team/security-tracker][master] LTS: claim pdfresurrect in dla-needed.txt

2020-11-30 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f1bde5a5 by Roberto C. Sánchez at 2020-11-30T18:39:26-05:00
LTS: claim pdfresurrect in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -109,7 +109,7 @@ pacemaker (Markus Koschany)
   NOTE: 20201130: I will ask the other bug reporters for feedback and testing
   NOTE: 20201130: in #974563. The update itself looks good to me.
 --
-pdfresurrect
+pdfresurrect (Roberto C. Sánchez)
 --
 php-horde-trean
   NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in 
https://bugs.horde.org/ticket/14926 (sunweaver)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f1bde5a591edd77955512ae4ea56fd8912afc2c6


[Git][security-tracker-team/security-tracker][master] LTS: remove postponed from CVE-2020-10704 in suites where it is being fixed

2020-11-22 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
82aa4c1f by Roberto C. Sánchez at 2020-11-22T21:52:59-05:00
LTS: remove postponed from CVE-2020-10704 in suites where it is being 
fixed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -46244,8 +46244,6 @@ CVE-2020-10705 (A flaw was discovered in Undertow in 
versions before Undertow 2.
 CVE-2020-10704 (A flaw was found when using samba as an Active Directory 
Domain Contro ...)
- samba 2:4.12.3+dfsg-2 (bug #960188)
[buster] - samba  (Can be fixed along in future DSA)
-   [stretch] - samba  (Can be fixed along in future DSA)
-   [jessie] - samba  (Minor issue and the patch is very 
invisible, eg. http://paste.debian.net/plain/1143919 is not even complete)
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14334
NOTE: https://www.samba.org/samba/security/CVE-2020-10704.html
 CVE-2020-10703 (A NULL pointer dereference was found in the libvirt API 
responsible in ...)
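Review bot: the jessie line is removed together with the stretch one, but the DLA-2463-1 reservation in the adjacent commit covers only `[stretch] - samba 2:4.5.16+dfsg-1+deb9u3`; unless a jessie update is also in flight, dropping the jessie postponed line (and its rationale about the incomplete patch at paste.debian.net) leaves jessie showing as plain unfixed with no record of the earlier decision. Suggest keeping the jessie line until a jessie fix is actually reserved.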



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/82aa4c1ff3a2aadc35117ce34267f564575b3e47


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2463-1 for samba

2020-11-22 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4324b24b by Roberto C. Sánchez at 2020-11-22T21:51:02-05:00
Reserve DLA-2463-1 for samba

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[22 Nov 2020] DLA-2463-1 samba - security update
+   {CVE-2020-1472 CVE-2020-10704 CVE-2020-10730 CVE-2020-10745 
CVE-2020-10760 CVE-2020-14303 CVE-2020-14318 CVE-2020-14323 CVE-2020-14383}
+   [stretch] - samba 2:4.5.16+dfsg-1+deb9u3
 [23 Nov 2020] DLA-2462-1 cimg - security update
{CVE-2020-25693}
[stretch] - cimg 1.7.9+dfsg-1+deb9u2
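Review bot: the new entry is dated `[22 Nov 2020]` but sits above `[23 Nov 2020] DLA-2462-1`, so the list is no longer in date order; the commit time (2020-11-22T21:51:02-05:00) is already 23 Nov in UTC, which is how the entry below appears to be dated. Suggest `[23 Nov 2020]` unless the file is deliberately kept in local time.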


=
data/dla-needed.txt
=
@@ -154,15 +154,6 @@ ruby-oauth
 --
 salt (Abhijith PA)
 --
-samba (Roberto C. Sánchez)
-  NOTE: 20200703: Check with security team so that there's no clash for 
Stretch update. (utkarsh)
-  NOTE: 20200801: Stretch update already released, so no conflict. (roberto)
-  NOTE: 20200801: Patches for CVE-2020-14303, CVE-2020-10760, CVE-2020-10745, 
and CVE-2020-10740, are ready. (roberto)
-  NOTE: 20200801: Best to wait for additional CVEs before uploading; check 
with Roberto for patches. (roberto)
-  NOTE: 20200830: Will remove this entry and mark all current CVEs as 
postponed. But first I need to know were the patches are (ola).
-  NOTE: 20200903: As discussed internally, I will look into Samba AD CVEs and 
revisit the risk assessment, plus fix the more severe issues (sunweaver)
-  NOTE: 20201116: Still working to integrate zerologon fix. (roberto)
---
 shiro
   NOTE: 20200920: WIP
   NOTE: 20200928: Still awaiting reponse to request for assistance sent to 
upstream dev list. (roberto)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4324b24be6467fac302d1dfd3588bc34c136b991


[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-19667/imagemagick as postponed for stretch

2020-11-22 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7b15046b by Roberto C. Sánchez at 2020-11-22T20:46:33-05:00
Mark CVE-2020-19667/imagemagick as postponed for stretch

After consulting with Emilio (who performed the ELTS triage for jessie),
it is clear that this issue can wait to be fixed along with future
issues in order to prevent proliferation of small updates.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -22956,6 +22956,7 @@ CVE-2020-19668 (Unverified indexs into the array lead 
to out of bound access in
NOTE: https://github.com/saitoha/libsixel/issues/136
 CVE-2020-19667 (Stack-based buffer overflow and unconditional jump in 
ReadXPMImage in  ...)
- imagemagick 8:6.9.11.24+dfsg-1
+   [stretch] - imagemagick  (Minor issue, can be fixed with 
later issues)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1895
NOTE: ImageMagick6: 
https://github.com/ImageMagick/ImageMagick6/commit/26538669546730c5b2dc36e7d48850f1f6928f94
NOTE: ImageMagick: 
https://github.com/ImageMagick/ImageMagick/commit/5462fd4725018567764c8f66bed98b7ee3e23006


=
data/dla-needed.txt
=
@@ -54,8 +54,6 @@ golang-github-dgrijalva-jwt-go
 --
 golang-golang-x-net-dev
 --
-imagemagick (Roberto C. Sánchez)
---
 influxdb
 --
 intel-microcode



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7b15046b2b9022aaa8dec7208629bc8ab49cc9c0


[Git][security-tracker-team/security-tracker][master] LTS: triage, add libsixel and mutt to dla-needed.txt

2020-11-22 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b0e44c6b by Roberto C. Sánchez at 2020-11-22T17:23:47-05:00
LTS: triage, add libsixel and mutt to dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -73,6 +73,8 @@ lemonldap-ng (Utkarsh)
 libhibernate3-java
   NOTE: 20201115: No patch yet; unsure if version in LTS is vulnerable. (lamby)
 --
+libsixel
+--
 libxstream-java (Markus Koschany)
 --
 linux (Ben Hutchings)
@@ -90,6 +92,8 @@ mumble
 --
 musl (Utkarsh)
 --
+mutt
+--
 open-build-service (Utkarsh)
   NOTE: 20201001: upstream is yet to work on CVE-2020-8021. Pinged them.
   NOTE: 20201001: cf: https://bugzilla.suse.com/show_bug.cgi?id=1171649 
(utkarsh)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b0e44c6bcbcc5c886e28e1c3b8b10f54babac0fe


[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: Ensure ~/.cache exists before writing out tracker data cache

2020-11-21 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
04703997 by Roberto C. Sánchez at 2020-11-21T09:10:24-05:00
LTS: Ensure ~/.cache exists before writing out tracker data cache

If ~/.cache does not already exist, then this happens:

$ ./bin/lts-cve-triage.py
Updating ~/.cache/debian_security_tracker.json from https://security-tracker.debian.org/tracker/data/json ...
Traceback (most recent call last):
  File "./bin/lts-cve-triage.py", line 94, in <module>
    tracker = TrackerData(update_cache=not args.skip_cache_update)
  File "/home/roberto/src/freexian/security-tracker.git/bin/tracker_data.py", line 40, in __init__
    self.update_cache()
  File "/home/roberto/src/freexian/security-tracker.git/bin/tracker_data.py", line 77, in update_cache
    with open(self.cached_data_path, 'w') as cache_file:
FileNotFoundError: [Errno 2] No such file or directory: '/home/roberto/.cache/debian_security_tracker.json'

- - - - -
991d4223 by Roberto C. Sánchez at 2020-11-21T09:14:02-05:00
LTS: triage, add xdg-utils and imagemagick to dla-needed.txt

- - - - -


2 changed files:

- bin/tracker_data.py
- data/dla-needed.txt


Changes:

=
bin/tracker_data.py
=
@@ -25,6 +25,7 @@ import six
 class TrackerData(object):
 DATA_URL = "https://security-tracker.debian.org/tracker/data/json;
 GIT_URL = 
"https://salsa.debian.org/security-tracker-team/security-tracker.git;
+CACHED_DATA_DIR = "~/.cache"
 CACHED_DATA_PATH = "~/.cache/debian_security_tracker.json"
 CACHED_REVISION_PATH = "~/.cache/debian_security_tracker.rev"
 GET_REVISION_COMMAND = \
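Review bot: CACHED_DATA_PATH and CACHED_REVISION_PATH still spell out "~/.cache/" on their own, so the new CACHED_DATA_DIR = "~/.cache" can drift from them; build the two file paths from CACHED_DATA_DIR (os.path.join(CACHED_DATA_DIR, "debian_security_tracker.json"), and likewise for the .rev file) so that a later change to the directory, for instance to honour $XDG_CACHE_HOME, cannot leave the files being written somewhere the directory check never looked.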
@@ -33,6 +34,7 @@ class TrackerData(object):
 
 def __init__(self, update_cache=True):
 self._latest_revision = None
+self.cached_data_dir = os.path.expanduser(self.CACHED_DATA_DIR)
 self.cached_data_path = os.path.expanduser(self.CACHED_DATA_PATH)
 self.cached_revision_path = os.path.expanduser(
 self.CACHED_REVISION_PATH)
@@ -74,6 +76,9 @@ class TrackerData(object):
self.DATA_URL))
 response = requests.get(self.DATA_URL, allow_redirects=True)
 response.raise_for_status()
+# if ~/.cache does not exist, then open() will fail; dec 448 -> octal 
0700
+if not os.path.exists(self.cached_data_dir):
+os.mkdir(self.cached_data_dir, mode=448)
 with open(self.cached_data_path, 'w') as cache_file:
 cache_file.write(response.text)
 with open(self.cached_revision_path, 'w') as rev_file:
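Review bot: `if not os.path.exists(self.cached_data_dir):` followed by `os.mkdir(self.cached_data_dir, mode=448)` is a check-then-act pair: it races with anything creating ~/.cache between the two calls, and it still raises if the parent of ~/.cache is missing, because os.mkdir creates only one level. os.makedirs(self.cached_data_dir, mode=0o700, exist_ok=True) handles both in one call, and writing the mode as the octal literal 0o700 makes the "dec 448 -> octal 0700" comment unnecessary. Two further caveats: the mode argument is filtered through the umask and is not applied at all when the directory already exists, so 0700 is not guaranteed, and the cache file itself is then created by open(..., 'w') with the default umask-derived permissions, which matters because this JSON is what lts-cve-triage.py subsequently trusts.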


=
data/dla-needed.txt
=
@@ -64,6 +64,8 @@ golang-github-dgrijalva-jwt-go
 --
 golang-golang-x-net-dev
 --
+imagemagick (Roberto C. Sánchez)
+--
 influxdb
 --
 intel-microcode (Utkarsh)
@@ -200,6 +202,8 @@ xcftools
   NOTE: 20200523: Proposed fix https://github.com/j-jorge/xcftools/pull/15 
(gladk)
   NOTE: 20200605: Patch 
https://salsa.debian.org/lts-team/packages/xcftools/-/blob/fix/test-CVE-2019-5087/debian/patches/CVE-2019-5087.patch
 (gladk)
 --
+xdg-utils
+--
 zabbix (Sylvain Beucler)
 --
 zsh (Markus Koschany)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d8ea8764ff0293c041e40f71bd430094582dc6b3...991d422320baca990ed6aa912b6b8e104ab71687

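The failure described in the commit message above (the cache file's parent directory is missing when open() runs) and the hardening a triage tool wants around it, worked through as an added example. This is not code from the security-tracker repository; it assumes the $XDG_CACHE_HOME convention, POSIX permission semantics, the helper names used below, and a constructed SAMPLE_DATA payload standing in for the tracker's JSON feed.

```python
"""Added example, not code from the security-tracker repository: create a
per-user cache directory safely and write the tracker JSON cache into it.

Assumed here (not on the page): the $XDG_CACHE_HOME convention, POSIX
permission semantics, the helper names below, and SAMPLE_DATA, a constructed
stand-in for the tracker's JSON feed."""
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional

CACHE_FILE_NAME = "debian_security_tracker.json"

# Constructed sample payload; the real feed is far larger.
SAMPLE_DATA = {
    "libxstream-java": {"CVE-2020-26217": {"scope": "remote", "releases": {}}},
    "node-y18n": {"CVE-2020-7774": {"scope": "remote", "releases": {}}},
}


def cache_dir(base: Optional[str] = None) -> Path:
    """Explicit base, else $XDG_CACHE_HOME, else ~/.cache (what the scripts hard-code)."""
    if base is None:
        base = os.environ.get("XDG_CACHE_HOME") or os.path.expanduser("~/.cache")
    return Path(base)


def ensure_private_dir(path: Path) -> Path:
    """Create `path` (and missing parents) as 0700 if absent, then verify it is a
    plain directory we own that nobody else can write to.  One mkdir(exist_ok=True)
    replaces the exists()-then-mkdir() pair, which can race with another process
    or with a symlink planted between the two calls."""
    created = not path.exists()
    path.mkdir(mode=0o700, parents=True, exist_ok=True)
    if created:
        os.chmod(path, 0o700)  # the umask can only clear bits, but be explicit
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"{path} is not a plain directory")
    if st.st_uid != os.getuid():
        raise RuntimeError(f"{path} is owned by uid {st.st_uid}, not by us")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise RuntimeError(f"{path} is group- or world-writable")
    return path


def write_cache(payload: dict, base: Optional[str] = None) -> Path:
    """Write the JSON cache atomically with mode 0600: data goes to a temporary
    file in the same directory and is renamed over the target, so a reader never
    sees a half-written file and a crash mid-write keeps the previous copy."""
    directory = ensure_private_dir(cache_dir(base))
    target = directory / CACHE_FILE_NAME
    fd, tmp_name = tempfile.mkstemp(prefix=".tracker-", dir=str(directory))  # 0600
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as tmp:
            json.dump(payload, tmp)
            tmp.flush()
            os.fsync(tmp.fileno())
        os.replace(tmp_name, target)  # atomic rename on POSIX
    except BaseException:
        if os.path.exists(tmp_name):
            os.unlink(tmp_name)
        raise
    return target


def read_cache(base: Optional[str] = None) -> dict:
    """Load the cache back as parsed JSON."""
    with open(cache_dir(base) / CACHE_FILE_NAME, encoding="utf-8") as fh:
        return json.load(fh)


def demo() -> tuple:
    """Run the helpers in a throwaway tree whose cache directory and its parent
    do not exist yet (the traceback's situation).  Returns (dir mode, file mode,
    round-trip ok)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "missing-parent", ".cache")
        target = write_cache(SAMPLE_DATA, base)
        dir_mode = stat.S_IMODE(os.stat(target.parent).st_mode)
        file_mode = stat.S_IMODE(os.stat(target).st_mode)
        return dir_mode, file_mode, read_cache(base) == SAMPLE_DATA


def rejects_symlinked_dir() -> bool:
    """A cache directory that is really a symlink (e.g. planted by another local
    user on a shared host) must be refused, not written through."""
    with tempfile.TemporaryDirectory() as tmp:
        real = Path(tmp) / "real"
        real.mkdir(mode=0o700)
        link = Path(tmp) / "link"
        link.symlink_to(real, target_is_directory=True)
        try:
            ensure_private_dir(link)
        except RuntimeError:
            return True
        return False


if __name__ == "__main__":
    print(demo(), rejects_symlinked_dir())
```

Run as a script it prints the resulting modes and the symlink rejection. The points it makes: mkdir(parents=True, exist_ok=True) covers a missing parent and removes the exists()-then-mkdir() window; the mode is an octal literal rather than 448; the directory is checked (owned by us, not a symlink, not group/world writable) before anything is written, because the cached JSON is what lts-cve-triage.py later trusts; and the file goes through a 0600 temporary file plus os.replace so a half-written cache is never visible to a concurrent run.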

[Git][security-tracker-team/security-tracker][master] Reserve DLA-2379-3 for mediawiki

2020-11-20 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e8d8f3de by Roberto C. Sánchez at 2020-11-21T00:13:57-05:00
Reserve DLA-2379-3 for mediawiki

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,5 @@
+[21 Nov 2020] DLA-2379-3 mediawiki - regression update
+   [stretch] - mediawiki 1:1.27.7-1~deb9u6
 [19 Nov 2020] DLA-2458-1 drupal7 - security update
{CVE-2020-13666 CVE-2020-13671}
[stretch] - drupal7 7.52-2+deb9u12


=
data/dla-needed.txt
=
@@ -87,9 +87,6 @@ linux-4.19 (Ben Hutchings)
 --
 mariadb-10.1
 --
-mediawiki (Roberto C. Sánchez)
-  NOTE: 20201118: Regression reported in patch for CVE-2020-25827. (roberto)
---
 mumble
   NOTE: 20200325: Regression in last upload, forgot to follow up.
   NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8d8f3de166e6fc075bfe1fc669f2815b4fee16e


[Git][security-tracker-team/security-tracker][master] 4 commits: LTS: remove no-dsa from CVE-2020-26217, as it will be investigated and fixed

2020-11-20 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1cf942cc by Roberto C. Sánchez at 2020-11-20T23:39:57-05:00
LTS: remove no-dsa from CVE-2020-26217, as it will be investigated and fixed

- - - - -
7d9763dc by Roberto C. Sánchez at 2020-11-20T23:50:43-05:00
LTS: add musl to dla-needed.txt

- - - - -
073fa9d5 by Roberto C. Sánchez at 2020-11-20T23:53:44-05:00
LTS: add pdfresurrect to dla-needed.txt

- - - - -
afefb10b by Roberto C. Sánchez at 2020-11-20T23:55:51-05:00
LTS: add vips to dla-needed.txt

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -9188,7 +9188,6 @@ CVE-2020-26218 (touchbase.ai before version 2.0 is 
vulnerable to Cross-Site Scri
NOT-FOR-US: touchbase.ai
 CVE-2020-26217 (XStream before version 1.4.14 is vulnerable to Remote Code 
Execution.T ...)
- libxstream-java 1.4.14-1
-   [stretch] - libxstream-java  (Minor issue)
NOTE: https://x-stream.github.io/CVE-2020-26217.html
NOTE: 
https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2
NOTE: 
https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a


=
data/dla-needed.txt
=
@@ -97,6 +97,8 @@ mumble
   NOTE: 20200504: discussion going on with t...@security.debian.org and mumble 
maintainer (abhijith)
   NOTE: 20200723: https://lists.debian.org/debian-lts/2020/05/msg8.html 
(abhijith)
 --
+musl
+--
 open-build-service (Utkarsh)
   NOTE: 20201001: upstream is yet to work on CVE-2020-8021. Pinged them.
   NOTE: 20201001: cf: https://bugzilla.suse.com/show_bug.cgi?id=1171649 
(utkarsh)
@@ -110,6 +112,8 @@ openldap (Utkarsh)
 pacemaker (Markus Koschany)
   NOTE: 20201117: See #974563 for further information.
 --
+pdfresurrect
+--
 php-horde-trean
   NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in 
https://bugs.horde.org/ticket/14926 (sunweaver)
   NOTE: 20200829: We may not expect too much activity regarding this by 
upstream. (sunweaver)
@@ -180,6 +184,8 @@ spice-vdagent (Abhijith PA)
 --
 thunderbird (Emilio)
 --
+vips
+--
 webcit (Markus Koschany)
 --
 wireshark (Adrian Bunk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e83c314a4774e57bb450d77d83ba5de4bf1e9ea6...afefb10b4518439e14eb46cc9640e0da1827a5dd


[Git][security-tracker-team/security-tracker][master] 3 commits: LTS: add influxdb to dla-needed.txt

2020-11-19 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9c40b39b by Roberto C. Sánchez at 2020-11-19T21:41:19-05:00
LTS: add influxdb to dla-needed.txt

- - - - -
22b8bb16 by Roberto C. Sánchez at 2020-11-19T21:51:14-05:00
LTS: add jupyter-notebook to dla-needed.txt

- - - - -
2721aad3 by Roberto C. Sánchez at 2020-11-19T21:53:26-05:00
LTS: add php-pear to dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -64,10 +64,14 @@ golang-github-dgrijalva-jwt-go
 --
 golang-golang-x-net-dev
 --
+influxdb
+--
 intel-microcode (Utkarsh)
   NOTE: 20201117: hold off the update until it's settled in unstable, at least.
   NOTE: 20201117: each round of updates had caused regressions. Thanks Moritz! 
(utkarsh)
 --
+jupyter-notebook
+--
 lemonldap-ng (Utkarsh)
   NOTE: 20200910: Released a DLA for CVE-2020-24660 a few days ago, so could 
defer. (lamby)
 --
@@ -109,6 +113,8 @@ php-horde-trean
   NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in 
https://bugs.horde.org/ticket/14926 (sunweaver)
   NOTE: 20200829: We may not expect too much activity regarding this by 
upstream. (sunweaver)
 --
+php-pear
+--
 pluxml
   NOTE: 20201011: issue is still open upstream. Also low priority for us 
(abhijith)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b25005428b88407679100b8d4fc5a65b3829d5a8...2721aad34b88d8f254e0a229d4e8a5d66dfd6f05


[Git][security-tracker-team/security-tracker][master] LTS: add drupal7 to dla-needed.txt

2020-11-18 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dcf7a540 by Roberto C. Sánchez at 2020-11-18T23:01:02-05:00
LTS: add drupal7 to dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -46,6 +46,9 @@ condor
   NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o 
(roberto)
   NOTE: 20200727: Waiting on maintainer feedback: 
https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto)
 --
+drupal7
+  NOTE: 20201119: Upstream advisory for CVE-2020-13666 mentions potential for 
jQuery regression; may need to include a related note in the DLA. (roberto)
+--
 f2fs-tools
   NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 
and 1.13.0, but it is not trivial to
   NOTE: 20200815: to detect which of the patches correlates to the CVE. 
Contacting upstream might be necessary. (sunweaver)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dcf7a540f2b7b7b86b9651779c0f0263ac15a494


[Git][security-tracker-team/security-tracker][master] LTS: triage CVE-2020-7774 as no-dsa for stretch

2020-11-18 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cbe68f5e by Roberto C. Sánchez at 2020-11-18T22:55:37-05:00
LTS: triage CVE-2020-7774 as no-dsa for stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -53357,6 +53357,7 @@ CVE-2020-7775
 CVE-2020-7774 (This affects the package y18n before 5.0.5. PoC by po6ix: const 
y18n = ...)
- node-y18n 
[buster] - node-y18n  (Minor issue)
+   [stretch] - node-y18n  (Minor issue)
NOTE: https://snyk.io/vuln/SNYK-JS-Y18N-1021887
NOTE: https://github.com/yargs/y18n/issues/96
NOTE: https://github.com/yargs/y18n/pull/108



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cbe68f5e7420258889bde1f120f1eb9b4a7fd42b


[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: remove postponed tag from fixed CVE

2020-11-18 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
14659c6d by Roberto C. Sánchez at 2020-11-18T22:26:15-05:00
LTS: remove postponed tag from fixed CVE

- - - - -
29fe9f4f by Roberto C. Sánchez at 2020-11-18T22:28:09-05:00
Reserve DLA-2456-1 for python3.5

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -31256,7 +31256,6 @@ CVE-2019-20907 (In Lib/tarfile.py in Python through 
3.8.3, an attacker is able t
- python3.7  (low)
[buster] - python3.7 3.7.3-2+deb10u2
- python3.5  (low)
-   [stretch] - python3.5  (Minor issue, can be fixed in next 
DLA)
- python2.7  (low; bug #970099)
[buster] - python2.7  (Minor issue)
[stretch] - python2.7  (Minor issue, can be fixed in next 
DLA)


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[18 Nov 2020] DLA-2456-1 python3.5 - security update
+   {CVE-2019-20907 CVE-2020-26116}
+   [stretch] - python3.5 3.5.3-1+deb9u3
 [19 Nov 2020] DLA-2455-1 packer - security update
{CVE-2020-9283}
[stretch] - packer 0.10.2+dfsg-6+deb9u1
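Review bot: the new DLA-2456-1 entry is dated [18 Nov 2020] but is placed above DLA-2455-1, dated [19 Nov 2020], so the list is no longer in date order from the top; the commit time 2020-11-18T22:28:09-05:00 is already 19 Nov in UTC, so dating the entry 19 Nov 2020 restores consistency with the entry below it.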


=
data/dla-needed.txt
=
@@ -112,8 +112,6 @@ php-horde-trean
 pluxml
   NOTE: 20201011: issue is still open upstream. Also low priority for us 
(abhijith)
 --
-python3.5 (Roberto C. Sánchez)
---
 qemu (Thorsten Alteholz)
 --
 raptor2 (Utkarsh)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/54d687021507e40b22726f8bb423bd07f9231918...29fe9f4f0b5eb7ba13a275e532ae9f7600a66aa4


[Git][security-tracker-team/security-tracker][master] LTS: add/take mediawiki in dla-needed.txt

2020-11-18 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d2a97a67 by Roberto C. Sánchez at 2020-11-18T09:25:37-05:00
LTS: add/take mediawiki in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -82,6 +82,9 @@ linux-4.19 (Ben Hutchings)
 --
 mariadb-10.1
 --
+mediawiki (Roberto C. Sánchez)
+  NOTE: 20201118: Regression reported in patch for CVE-2020-25827. (roberto)
+--
 mumble
   NOTE: 20200325: Regression in last upload, forgot to follow up.
   NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2a97a67b3ab4dcd3c6dd46e5c06f359e199f064


[Git][security-tracker-team/security-tracker][master] LTS: mark CVE-2020-26217 as no-dsa for stretch

2020-11-17 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
655fcae9 by Roberto C. Sánchez at 2020-11-18T00:19:53-05:00
LTS: mark CVE-2020-26217 as no-dsa for stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -9008,6 +9008,7 @@ CVE-2020-26218 (touchbase.ai before version 2.0 is 
vulnerable to Cross-Site Scri
NOT-FOR-US: touchbase.ai
 CVE-2020-26217 (XStream before version 1.4.14 is vulnerable to Remote Code 
Execution.T ...)
- libxstream-java 
+   [stretch] - libxstream-java  (Minor issue)
NOTE: https://x-stream.github.io/CVE-2020-26217.html
NOTE: 
https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2
NOTE: 
https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a
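Review bot: the entry's own description above this hunk calls CVE-2020-26217 remote code execution, which does not fit the "(Minor issue)" rationale given for the new stretch tag (the commit message says no-dsa). If stretch's libxstream-java is not exposed, the annotation should say why; otherwise the package belongs in dla-needed.txt for a DLA rather than being deferred.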



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/655fcae98bc3ff8fc797c7fc1d2ce4b9f0417ad5


[Git][security-tracker-team/security-tracker][master] mark CVE-2020-8277 as end-of-life for Stretch

2020-11-16 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a7833283 by Roberto C. Sánchez at 2020-11-16T21:39:11-05:00
mark CVE-2020-8277 as end-of-life for Stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -51719,7 +51719,7 @@ CVE-2020-8278
 CVE-2020-8277 [Denial of Service through DNS request]
RESERVED
- nodejs 
-   [stretch] - nodejs  (Nodejs in stretch not covered by security 
support)
+   [stretch] - nodejs  (Nodejs in stretch not covered by 
security support)
NOTE: 
https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/#denial-of-service-through-dns-request-cve-2020-8277
 CVE-2020-8276 (The implementation of Brave Desktop's privacy-preserving 
analytics sys ...)
NOT-FOR-US: Brave



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7833283a812840784c7a3639c160f7a6365ae59


[Git][security-tracker-team/security-tracker][master] mark CVE-2020-8277 as end-of-life for Stretch

2020-11-16 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8424ac5c by Roberto C. Sánchez at 2020-11-16T21:29:17-05:00
mark CVE-2020-8277 as end-of-life for Stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -51719,7 +51719,7 @@ CVE-2020-8278
 CVE-2020-8277 [Denial of Service through DNS request]
RESERVED
- nodejs 
-   [stretch] - nodejs  
(https://lists.debian.org/debian-lts/2020/02/msg00045.html and 
https://bugs.debian.org/931376)
+   [stretch] - nodejs  (Nodejs in stretch not covered by security 
support)
NOTE: 
https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/#denial-of-service-through-dns-request-cve-2020-8277
 CVE-2020-8276 (The implementation of Brave Desktop's privacy-preserving 
analytics sys ...)
NOT-FOR-US: Brave



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8424ac5c4eee94f3efeba21bf6ab845b895c0d4e


[Git][security-tracker-team/security-tracker][master] 3 commits: mark CVE-2020-8277 as no-dsa for Stretch

2020-11-16 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9d2aa0c5 by Roberto C. Sánchez at 2020-11-16T21:18:13-05:00
mark CVE-2020-8277 as no-dsa for Stretch

- - - - -
abeff85a by Roberto C. Sánchez at 2020-11-16T21:25:11-05:00
LTS: add raptor2 to dla-needed.txt

- - - - -
eda8efbe by Roberto C. Sánchez at 2020-11-16T21:26:42-05:00
LTS: add intel-microcode to dla-needed.txt

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -51719,6 +51719,7 @@ CVE-2020-8278
 CVE-2020-8277 [Denial of Service through DNS request]
RESERVED
- nodejs 
+   [stretch] - nodejs  
(https://lists.debian.org/debian-lts/2020/02/msg00045.html and 
https://bugs.debian.org/931376)
NOTE: 
https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/#denial-of-service-through-dns-request-cve-2020-8277
 CVE-2020-8276 (The implementation of Brave Desktop's privacy-preserving 
analytics sys ...)
NOT-FOR-US: Brave


=
data/dla-needed.txt
=
@@ -64,6 +64,8 @@ golang-github-dgrijalva-jwt-go
 --
 golang-golang-x-net-dev
 --
+intel-microcode
+--
 lemonldap-ng (Utkarsh)
   NOTE: 20200910: Released a DLA for CVE-2020-24660 a few days ago, so could 
defer. (lamby)
 --
@@ -108,6 +110,8 @@ python3.5 (Roberto C. Sánchez)
 --
 qemu (Thorsten Alteholz)
 --
+raptor2
+--
 rclone (Brian May)
   NOTE: Needs rebuild for CVE-2019-11840 in golang-go.crypto.
   NOTE: Problems with upload, see https://bugs.debian.org/974877



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/75616460b1c53245487c4ac2497a534aa7225658...eda8efbe957087f7c9a63a3328a6c352b5d8a761


[Git][security-tracker-team/security-tracker][master] LTS: update samba status in dla-needed.txt

2020-11-15 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a3cc29ac by Roberto C. Sánchez at 2020-11-15T20:20:51-05:00
LTS: update samba status in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -141,6 +141,7 @@ samba (Roberto C. Sánchez)
   NOTE: 20200801: Best to wait for additional CVEs before uploading; check 
with Roberto for patches. (roberto)
   NOTE: 20200830: Will remove this entry and mark all current CVEs as 
postponed. But first I need to know were the patches are (ola).
   NOTE: 20200903: As discussed internally, I will look into Samba AD CVEs and 
revisit the risk assessment, plus fix the more severe issues (sunweaver)
+  NOTE: 20201116: Still working to integrate zerologon fix. (roberto)
 --
 shiro
   NOTE: 20200920: WIP



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a3cc29aca3939d53a212f06da4efd7007e08394f


[Git][security-tracker-team/security-tracker][master] LTS: claim python3.5 in dla-needed.txt

2020-11-14 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
05b11d60 by Roberto C. Sánchez at 2020-11-14T15:32:42-05:00
LTS: claim python3.5 in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -94,7 +94,7 @@ php-horde-trean
 pluxml
   NOTE: 20201011: issue is still open upstream. Also low priority for us 
(abhijith)
 --
-python3.5
+python3.5 (Roberto C. Sánchez)
 --
 qemu (Thorsten Alteholz)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/05b11d60ed0cc8e933afddc48342dab401d3aeba


[Git][security-tracker-team/security-tracker][master] LTS: update brotli status in dla-needed.txt

2020-11-14 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
65f10393 by Roberto C. Sánchez at 2020-11-14T15:25:37-05:00
LTS: update brotli status in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -23,6 +23,7 @@ ansible (Markus Koschany)
 --
 brotli (Roberto C. Sánchez)
   NOTE: 20201025: Requested patch review on debian-lts@l.d.o (roberto)
+  NOTE: 20201114: Requested assistance from original patch author. (roberto)
 --
 ceph
   NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/65f103934a2f65a628932b260985c7e46830f770


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2448-1 for firefox-esr

2020-11-11 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
207041d2 by Roberto C. Sánchez at 2020-11-11T20:52:44-05:00
Reserve DLA-2448-1 for firefox-esr

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[11 Nov 2020] DLA-2448-1 firefox-esr - security update
+   {CVE-2020-26950}
+   [stretch] - firefox-esr 78.4.1esr-1~deb9u1
 [11 Nov 2020] DLA-2447-1 pacemaker - security update
{CVE-2020-25654}
[stretch] - pacemaker 1.1.16-1+deb9u1


=
data/dla-needed.txt
=
@@ -46,8 +46,6 @@ f2fs-tools
   NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 
and 1.13.0, but it is not trivial to
   NOTE: 20200815: to detect which of the patches correlates to the CVE. 
Contacting upstream might be necessary. (sunweaver)
 --
-firefox-esr (Roberto C. Sánchez)
---
 freerdp (Abhijith PA)
 --
 golang-1.7 (Thorsten Alteholz)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/207041d222c9fdc7db331e7d940c41692de16c1d


[Git][security-tracker-team/security-tracker][master] LTS: claim firefox-esr

2020-11-09 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ed5ff2c0 by Roberto C. Sánchez at 2020-11-09T17:23:10-05:00
LTS: claim firefox-esr

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -46,7 +46,7 @@ f2fs-tools
   NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 
and 1.13.0, but it is not trivial to
   NOTE: 20200815: to detect which of the patches correlates to the CVE. 
Contacting upstream might be necessary. (sunweaver)
 --
-firefox-esr
+firefox-esr (Roberto C. Sánchez)
 --
 fossil
   NOTE: 20200903: looked into CVE-2020-24614: the fix for this CVE partially 
applies, but does not apply around a



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ed5ff2c0c25ec9bd15220ef63aa1129229e34199


[Git][security-tracker-team/security-tracker][master] LTS: reclaim brotli

2020-11-09 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
da5b4f8e by Roberto C. Sánchez at 2020-11-09T07:33:38-05:00
LTS: reclaim brotli

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -21,7 +21,7 @@ ansible
   NOTE: 20200508: bam: Upstream fix was reverted - 
https://github.com/ansible/ansible/pull/68983
   NOTE: 20200508: bam: See https://github.com/ansible/ansible/issues/67794
 --
-brotli
+brotli (Roberto C. Sánchez)
   NOTE: 20201025: Requested patch review on debian-lts@l.d.o (roberto)
 --
 ceph



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da5b4f8eb7687c53121a7fb0b257f8279d689fd1


[Git][security-tracker-team/security-tracker][master] LTS: take samba in dla-needed.txt

2020-10-31 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e564d277 by Roberto C. Sánchez at 2020-10-31T16:51:42-04:00
LTS: take samba in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -159,7 +159,7 @@ ruby-kaminari
 --
 ruby-oauth
 --
-samba
+samba (Roberto C. Sánchez)
   NOTE: 20200703: Check with security team so that there's no clash for 
Stretch update. (utkarsh)
   NOTE: 20200801: Stretch update already released, so no conflict. (roberto)
   NOTE: 20200801: Patches for CVE-2020-14303, CVE-2020-10760, CVE-2020-10745, 
and CVE-2020-10740, are ready. (roberto)
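Review bot: the NOTE lines under the re-claimed samba entry are dated 20200703 and 20200801 and state that the patches for CVE-2020-14303, CVE-2020-10760, CVE-2020-10745 and CVE-2020-10740 are ready; since the package is being claimed again on 2020-10-31, a dated NOTE saying why the upload has not happened yet and what the current status is would keep the entry accurate for the next front desk check.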



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e564d2770be9fcacf12052ad8f104dcf4e974d9e


[Git][security-tracker-team/security-tracker][master] LTS: take Nov/Dec front desk weeks Mike had to vacate

2020-10-30 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cd006715 by Roberto C. Sánchez at 2020-10-30T16:59:15-04:00
LTS: take Nov/Dec front desk weeks Mike had to vacate

- - - - -


1 changed file:

- org/lts-frontdesk.2020.txt


Changes:

=
org/lts-frontdesk.2020.txt
=
@@ -56,10 +56,10 @@ From 19-10 to 25-10:Thorsten Alteholz 
 From 26-10 to 01-11:Utkarsh Gupta 
 From 02-11 to 08-11:Chris Lamb 
 From 09-11 to 15-11:Thorsten Alteholz 
-From 16-11 to 22-11:
+From 16-11 to 22-11:Roberto C. Sánchez 
 From 23-11 to 29-11:Abhijith PA 
 From 30-11 to 06-12:Thorsten Alteholz 
 From 07-12 to 13-12:Chris Lamb 
-From 14-12 to 20-12:
+From 14-12 to 20-12:Roberto C. Sánchez 
 From 21-12 to 27-12:Utkarsh Gupta 
 From 28-12 to 03-01:



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd006715183a3f49de4d3072985da6eda74c9258


[Git][security-tracker-team/security-tracker][master] LTS: update brotli status

2020-10-25 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a4135efe by Roberto C. Sánchez at 2020-10-25T14:06:06-04:00
LTS: update brotli status

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -29,6 +29,7 @@ ark
   NOTE: 20200921: CLI works but GUI not, It seems the fix is not compatible 
with the old architecture (abhijith)
 --
 brotli (Roberto C. Sánchez)
+  NOTE: 20201025: Requested patch review on debian-lts@l.d.o (roberto)
 --
 cacti
   NOTE: 20200529: A patch need to be cooked up. Upstream patch not fit for 
jessie version (abhijith)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a4135efe2498de0da34d4628a4615180b897a921


[Git][security-tracker-team/security-tracker][master] LTS: update shiro status

2020-10-19 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
73df766c by Roberto C. Sánchez at 2020-10-19T08:04:14-04:00
LTS: update shiro status

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -182,6 +182,7 @@ samba
 shiro
   NOTE: 20200920: WIP
   NOTE: 20200928: Still awaiting reponse to request for assistance sent to 
upstream dev list. (roberto)
+  NOTE: 20201004: Sent additional request to upstream dev list; stil no 
response. (roberto)
 --
 slirp
   NOTE: Upstream patch for CVE-2020-8608 requires patches for
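Review bot: typo in the added NOTE line "+  NOTE: 20201004: Sent additional request to upstream dev list; stil no response.": "stil" should read "still". The preceding line of the same entry has "reponse" for "response" and could be corrected in the same commit.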



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/73df766c978169e5a752869fb05a81f93ffa9dea


[Git][security-tracker-team/security-tracker][master] LTS: claim brotli

2020-10-07 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a46ff00c by Roberto C. Sánchez at 2020-10-07T15:28:04-04:00
LTS: claim brotli

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -30,7 +30,7 @@ ark
   NOTE: 20200907: patch 
https://people.debian.org/~abhijith/upload/backport_to_1608.patch crashes 
(abhijith)
   NOTE: 20200921: CLI works but GUI not, It seems the fix is not compatible 
with the old architecture (abhijith)
 --
-brotli
+brotli (Roberto C. Sánchez)
 --
 cacti
   NOTE: 20200529: A patch need to be cooked up. Upstream patch not fit for 
jessie version (abhijith)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a46ff00cb609f8a6026dba83160ac4c7886c1789


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2399-1 for packagekit

2020-10-07 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
71f2437f by Roberto C. Sánchez at 2020-10-07T14:39:14-04:00
Reserve DLA-2399-1 for packagekit

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[07 Oct 2020] DLA-2399-1 packagekit - security update
+   {CVE-2020-16121 CVE-2020-16122}
+   [stretch] - packagekit 1.1.5-2+deb9u2
 [07 Oct 2020] DLA-2332-2 sane-backends - regression update
[stretch] - sane-backends 1.0.25-4.1+deb9u2
 [07 Oct 2020] DLA-2398-1 puma - security update


=
data/dla-needed.txt
=
@@ -115,8 +115,6 @@ open-build-service
 opendmarc
   NOTE: 20200719: no patches for remaining CVEs available, everything else is 
already done in Stretch (thorsten)
 --
-packagekit (Roberto C. Sánchez)
---
 php-horde-trean
   NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in 
https://bugs.horde.org/ticket/14926 (sunweaver)
   NOTE: 20200829: We may not expect too much activity regarding this by 
upstream. (sunweaver)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/71f2437f1ef839a94db5a4ac091df7119c533486


[Git][security-tracker-team/security-tracker][master] LTS: claim packagekit

2020-10-07 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
18176b63 by Roberto C. Sánchez at 2020-10-07T13:50:48-04:00
LTS: claim packagekit

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -115,7 +115,7 @@ open-build-service
 opendmarc
   NOTE: 20200719: no patches for remaining CVEs available, everything else is 
already done in Stretch (thorsten)
 --
-packagekit
+packagekit (Roberto C. Sánchez)
 --
 php-horde-trean
   NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in 
https://bugs.horde.org/ticket/14926 (sunweaver)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/18176b639f3baea70ff6e59eacf9e2ece46c00f4


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2396-1 for tigervnc

2020-10-06 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
66716baa by Roberto C. Sánchez at 2020-10-06T17:08:15-04:00
Reserve DLA-2396-1 for tigervnc

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[06 Oct 2020] DLA-2396-1 tigervnc - security update
+   {CVE-2020-26117}
+   [stretch] - tigervnc 1.7.0+dfsg-7+deb9u2
 [02 Oct 2020] DLA-2395-1 libvirt - security update
{CVE-2020-25637}
[stretch] - libvirt 3.0.0-4+deb9u5


=
data/dla-needed.txt
=
@@ -190,8 +190,6 @@ sympa (Sylvain Beucler)
 --
 thunderbird (Emilio)
 --
-tigervnc (Roberto C. Sánchez)
---
 tinymce (Abhijith PA)
   NOTE: 20201003: relevant commits are hard to chase down (abhijith)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/66716baaabb52a747b340c17f808145a4f98db84


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2397-1 for php7.0

2020-10-06 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8ffd2315 by Roberto C. Sánchez at 2020-10-06T17:09:01-04:00
Reserve DLA-2397-1 for php7.0

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[06 Oct 2020] DLA-2397-1 php7.0 - security update
+   {CVE-2020-7070}
+   [stretch] - php7.0 7.0.33-0+deb9u10
 [06 Oct 2020] DLA-2396-1 tigervnc - security update
{CVE-2020-26117}
[stretch] - tigervnc 1.7.0+dfsg-7+deb9u2


=
data/dla-needed.txt
=
@@ -117,8 +117,6 @@ opendmarc
 --
 packagekit
 --
-php7.0 (Roberto C. Sánchez)
---
 php-horde-trean
   NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in 
https://bugs.horde.org/ticket/14926 (sunweaver)
   NOTE: 20200829: We may not expect too much activity regarding this by 
upstream. (sunweaver)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8ffd2315223b746b7910250b86da82c454dfd517


[Git][security-tracker-team/security-tracker][master] LTS: claim php7.0

2020-10-04 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
43453c49 by Roberto C. Sánchez at 2020-10-04T21:56:54-04:00
LTS: claim php7.0

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -116,7 +116,7 @@ opendmarc
 --
 packagekit
 --
-php7.0
+php7.0 (Roberto C. Sánchez)
 --
 php-horde-trean (Mike Gabriel)
   NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in 
https://bugs.horde.org/ticket/14926 (sunweaver)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43453c49587c37fae26436a3ac74b90fa8a43a40


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2395-1 for libvirt

2020-10-02 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9c3b2a2a by Roberto C. Sánchez at 2020-10-02T11:03:33-04:00
Reserve DLA-2395-1 for libvirt

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[02 Oct 2020] DLA-2395-1 libvirt - security update
+   {CVE-2020-25637}
+   [stretch] - libvirt 3.0.0-4+deb9u5
 [02 Oct 2020] DLA-2394-1 squid3 - security update
{CVE-2020-15049 CVE-2020-15810 CVE-2020-15811 CVE-2020-24606}
[stretch] - squid3 3.5.23-5+deb9u5


=
data/dla-needed.txt
=
@@ -96,9 +96,6 @@ libonig
 --
 libproxy (Emilio)
 --
-libvirt (Roberto C. Sánchez)
-  NOTE: 20201001: More investigation needed. (utkarsh)
---
 linux (Ben Hutchings)
 --
 linux-4.19 (Ben Hutchings)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c3b2a2a82457f5f0a8f83e05e952df92c40d663


[Git][security-tracker-team/security-tracker][master] LTS: claim tigervnc

2020-10-01 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2c02be61 by Roberto C. Sánchez at 2020-10-01T19:27:02-04:00
LTS: claim tigervnc

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -188,7 +188,7 @@ sympa
 --
 thunderbird (Emilio)
 --
-tigervnc
+tigervnc (Roberto C. Sánchez)
 --
 tinymce (Abhijith PA)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c02be616ddc256a3a5cae12660b08a4055da512


[Git][security-tracker-team/security-tracker][master] LTS: claim libvirt

2020-10-01 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0beb1f52 by Roberto C. Sánchez at 2020-10-01T08:11:29-04:00
LTS: claim libvirt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -91,7 +91,7 @@ lemonldap-ng
 --
 libproxy (Emilio)
 --
-libvirt
+libvirt (Roberto C. Sánchez)
   NOTE: 20201001: More investigation needed. (utkarsh)
 --
 linux (Ben Hutchings)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0beb1f5299a07ee362e1896f1ea2bba004af2820


[Git][security-tracker-team/security-tracker][master] LTS: update shiro notes in dla-needed.txt

2020-09-28 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f4d34db5 by Roberto C. Sánchez at 2020-09-28T17:51:51-04:00
LTS: update shiro notes in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -170,6 +170,7 @@ samba
 --
 shiro (Roberto C. Sánchez)
   NOTE: 20200920: WIP
+  NOTE: 20200928: Still awaiting reponse to request for assistance sent to 
upstream dev list. (roberto)
 --
 slirp
   NOTE: Upstream patch for CVE-2020-8608 requires patches for
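Review bot: typo in the added NOTE line "+  NOTE: 20200928: Still awaiting reponse to request for assistance ...": "reponse" should read "response".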



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f4d34db5ec340a76facd47a8fbbb86e3b0155ad1


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2379-2 for mediawiki

2020-09-28 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ab3b4427 by Roberto C. Sánchez at 2020-09-28T10:36:37-04:00
Reserve DLA-2379-2 for mediawiki

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,5 @@
+[28 Sep 2020] DLA-2379-2 mediawiki - regression update
+   [stretch] - mediawiki 1:1.27.7-1~deb9u5
 [28 Sep 2020] DLA-2386-1 libdbi-perl - security update
{CVE-2019-20919 CVE-2020-14392 CVE-2020-14393}
[stretch] - libdbi-perl 1.636-1+deb9u1


=
data/dla-needed.txt
=
@@ -95,9 +95,6 @@ linux (Ben Hutchings)
 --
 linux-4.9 (Ben Hutchings)
 --
-mediawiki (Roberto C. Sánchez)
-  NOTE: 20200927: maintainer reported regression in most recent upload. 
(roberto)
---
 mumble
   NOTE: 20200325: Regression in last upload, forgot to follow up.
   NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab3b4427c9f39bd6db8985a872dab26cae5ac55c


[Git][security-tracker-team/security-tracker][master] LTS: re-add mediawiki to dla-needed.txt

2020-09-27 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
638e7bf5 by Roberto C. Sánchez at 2020-09-27T17:37:43-04:00
LTS: re-add mediawiki to dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -98,6 +98,9 @@ linux (Ben Hutchings)
 --
 linux-4.9 (Ben Hutchings)
 --
+mediawiki (Roberto C. Sánchez)
+  NOTE: 20200927: maintainer reported regression in most recent upload. 
(roberto)
+--
 mumble
   NOTE: 20200325: Regression in last upload, forgot to follow up.
   NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/638e7bf5e94c5ae36630e5faac43580a5bf56504


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2381-1 for lua5.3

2020-09-26 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9bd4e4f6 by Roberto C. Sánchez at 2020-09-26T10:02:27-04:00
Reserve DLA-2381-1 for lua5.3

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[26 Sep 2020] DLA-2381-1 lua5.3 - security update
+   {CVE-2020-24370}
+   [stretch] - lua5.3 5.3.3-1+deb9u1
 [26 Sep 2020] DLA-2380-1 ruby-gon - security update
{CVE-2020-25739}
[stretch] - ruby-gon 6.1.0-1+deb9u1


=
data/dla-needed.txt
=
@@ -101,8 +101,6 @@ linux (Ben Hutchings)
 --
 linux-4.9 (Ben Hutchings)
 --
-lua5.3 (Roberto C. Sánchez)
---
 mumble
   NOTE: 20200325: Regression in last upload, forgot to follow up.
   NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9bd4e4f6b633c9cb4917cbab63581b9edb6e8024


[Git][security-tracker-team/security-tracker][master] Update CVE-2020-24370/lua5.3 notes

2020-09-25 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
37c958bb by Roberto C. Sánchez at 2020-09-25T22:21:34-04:00
Update CVE-2020-24370/lua5.3 notes

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3808,7 +3808,8 @@ CVE-2020-24370 (ldebug.c in Lua 5.4.0 allows a negation 
overflow and segmentatio
- lua5.3 
[buster] - lua5.3  (Minor issue)
NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00324.html
-   NOTE: 
https://github.com/lua/lua/commit/a585eae6e7ada1ca9271607a4f48dfb17868ab7b
+   NOTE: (lua5.4) 
https://github.com/lua/lua/commit/a585eae6e7ada1ca9271607a4f48dfb17868ab7b
+   NOTE: (lua5.3) 
https://github.com/lua/lua/commit/b5bc89846721375fe30772eb8c5ab2786f362bf9
 CVE-2020-24369 (ldebug.c in Lua 5.4.0 attempts to access debug information via 
the lin ...)
- lua5.4 
NOTE: 
https://github.com/lua/lua/commit/ae5b5ba529753c7a653901ffc29b5ea24c3fdf3a



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/37c958bb5c6bd0b9a89550b589317841b0afc7d5


[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-24371/lua5.3 as

2020-09-25 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
029b8925 by Roberto C. Sánchez at 2020-09-25T22:11:49-04:00
Mark CVE-2020-24371/lua5.3 as not-affected

This applies for both buster and stretch (same upstream release in
both).  The upstream bug page indicates that the bug exists since 5.4.0,
upstream backported the fix for CVE-2020-24370 to 5.3 but not the fix
for CVE-2020-24371, and the vulnerable code appears to have been
introduced by upstream commits e4287da3a6 and 1afd5a152d as part of
5.4.0 development.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3799,7 +3799,8 @@ CVE-2020-24372 (LuaJIT through 2.1.0-beta3 has an 
out-of-bounds read in lj_err_r
 CVE-2020-24371 (lgc.c in Lua 5.4.0 mishandles the interaction between barriers 
and the ...)
- lua5.4 
- lua5.3 
-   [buster] - lua5.3  (Minor issue)
+   [buster] - lua5.3  (Vulnerable code not present)
+   [stretch] - lua5.3  (Vulnerable code not present)
NOTE: 
https://github.com/lua/lua/commit/a6da1472c0c5e05ff249325f979531ad51533110
NOTE: https://www.lua.org/bugs.html#5.4.0-9
 CVE-2020-24370 (ldebug.c in Lua 5.4.0 allows a negation overflow and 
segmentation faul ...)
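Review bot: the justification for the two added "(Vulnerable code not present)" lines exists only in the commit message (the code was introduced by upstream commits e4287da3a6 and 1afd5a152d during 5.4.0 development, and upstream backported the CVE-2020-24370 fix but not the CVE-2020-24371 fix to 5.3); recording that as a NOTE line beneath "+   [stretch] - lua5.3  (Vulnerable code not present)" would let the next triager verify the buster and stretch status from the tracker alone rather than from git history.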



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/029b8925e964f7936da905ddece6bfaa070d83d8


[Git][security-tracker-team/security-tracker][master] fix typo

2020-09-25 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8caaa13f by Roberto C. Sánchez at 2020-09-25T21:49:22-04:00
fix typo

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3799,13 +3799,13 @@ CVE-2020-24372 (LuaJIT through 2.1.0-beta3 has an 
out-of-bounds read in lj_err_r
 CVE-2020-24371 (lgc.c in Lua 5.4.0 mishandles the interaction between barriers 
and the ...)
- lua5.4 
- lua5.3 
-   [buster] - lua5.3  (Minor isue)
+   [buster] - lua5.3  (Minor issue)
NOTE: 
https://github.com/lua/lua/commit/a6da1472c0c5e05ff249325f979531ad51533110
NOTE: https://www.lua.org/bugs.html#5.4.0-9
 CVE-2020-24370 (ldebug.c in Lua 5.4.0 allows a negation overflow and 
segmentation faul ...)
- lua5.4 
- lua5.3 
-   [buster] - lua5.3  (Minor isue)
+   [buster] - lua5.3  (Minor issue)
NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00324.html
NOTE: 
https://github.com/lua/lua/commit/a585eae6e7ada1ca9271607a4f48dfb17868ab7b
 CVE-2020-24369 (ldebug.c in Lua 5.4.0 attempts to access debug information via 
the lin ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8caaa13fecff7db0b7b897fec3337496e6360358


[Git][security-tracker-team/security-tracker][master] LTS: claim lua5.3

2020-09-25 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d5031a7a by Roberto C. Sánchez at 2020-09-25T21:36:02-04:00
LTS: claim lua5.3

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -101,7 +101,7 @@ linux (Ben Hutchings)
 --
 linux-4.9 (Ben Hutchings)
 --
-lua5.3
+lua5.3 (Roberto C. Sánchez)
 --
 mumble
   NOTE: 20200325: Regression in last upload, forgot to follow up.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5031a7a53f9fe48cd9534b6ad7c7de3bce898d1


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2379-1 for mediawiki

2020-09-25 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
25bac2aa by Roberto C. Sánchez at 2020-09-25T21:05:56-04:00
Reserve DLA-2379-1 for mediawiki

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[25 Sep 2020] DLA-2379-1 mediawiki - security update
+   {CVE-2020-25813 CVE-2020-25814 CVE-2020-25827 CVE-2020-25828}
+   [stretch] - mediawiki 1:1.27.7-1~deb9u4
 [25 Sep 2020] DLA-2378-1 openssl1.0 - security update
{CVE-2020-1968}
[stretch] - openssl1.0 1.0.2u-1~deb9u2


=
data/dla-needed.txt
=
@@ -103,8 +103,6 @@ linux-4.9 (Ben Hutchings)
 --
 lua5.3
 --
-mediawiki (Roberto C. Sánchez)
---
 mumble
   NOTE: 20200325: Regression in last upload, forgot to follow up.
   NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/25bac2aa53cd27abd83d3ab826ddbd0739b4909a


[Git][security-tracker-team/security-tracker][master] LTS: mark CVE-2020-2581{2,5}/mediawiki as for stretch

2020-09-25 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2eca1517 by Roberto C. Sánchez at 2020-09-25T20:45:24-04:00
LTS: mark CVE-2020-2581{2,5}/mediawiki as not-affected for stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -626,6 +626,7 @@ CVE-2020-25816
 CVE-2020-25815
RESERVED
- mediawiki 
+   [stretch] - mediawiki  (Vulnerable code introduced later)
NOTE: 
https://lists.wikimedia.org/pipermail/wikitech-l/2020-September/093888.html
NOTE: https://phabricator.wikimedia.org/T256171
 CVE-2020-25814
@@ -644,6 +645,7 @@ CVE-2020-25812
RESERVED
{DSA-4767-1}
- mediawiki 
+   [stretch] - mediawiki  (Vulnerable code introduced later)
NOTE: 
https://lists.wikimedia.org/pipermail/wikitech-l/2020-September/093888.html
NOTE: https://phabricator.wikimedia.org/T255918
 CVE-2020-25811
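Review bot: both added "+   [stretch] - mediawiki  (Vulnerable code introduced later)" lines state a conclusion without naming the upstream release or change that introduced the code; a NOTE giving that version (the already-linked phabricator tasks T256171 and T255918 are where to confirm it) would make the stretch not-affected status checkable when the entries are revisited.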



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2eca15177d1252167b0f991802430c1721a8271c


[Git][security-tracker-team/security-tracker][master] LTS: claim mediawiki

2020-09-25 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
348978bf by Roberto C. Sánchez at 2020-09-25T17:51:54-04:00
LTS: claim mediawiki

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -103,7 +103,7 @@ linux-4.9 (Ben Hutchings)
 --
 lua5.3
 --
-mediawiki
+mediawiki (Roberto C. Sánchez)
 --
 mumble
   NOTE: 20200325: Regression in last upload, forgot to follow up.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/348978bf60661d35ed0600b7d93706995fc980be


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2378-1 for openssl1.0

2020-09-25 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b30e0825 by Roberto C. Sánchez at 2020-09-25T17:36:12-04:00
Reserve DLA-2378-1 for openssl1.0

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[25 Sep 2020] DLA-2378-1 openssl1.0 - security update
+   {CVE-2020-1968}
+   [stretch] - openssl1.0 1.0.2u-1~deb9u2
 [21 Sep 2020] DLA-2377-1 qt4-x11 - security update
{CVE-2018-15518 CVE-2018-19869 CVE-2018-19870 CVE-2018-19871 
CVE-2018-19872 CVE-2018-19873 CVE-2020-17507}
[stretch] - qt4-x11 4:4.8.7+dfsg-11+deb9u1


=
data/dla-needed.txt
=
@@ -122,8 +122,6 @@ open-build-service (Utkarsh Gupta)
 opendmarc
   NOTE: 20200719: no patches for remaining CVEs available, everything else is 
already done in Stretch (thorsten)
 --
-openssl1.0 (Roberto C. Sánchez)
---
 osc (Adrian Bunk)
 --
 packagekit



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b30e082568e269c5082307e29e0d72a06e4e2664


[Git][security-tracker-team/security-tracker][master] LTS: remove openssl from dla-needed.txt, no open issues

2020-09-25 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
eaae6e9f by Roberto C. Sánchez at 2020-09-25T17:13:26-04:00
LTS: remove openssl from dla-needed.txt, no open issues

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -122,8 +122,6 @@ open-build-service (Utkarsh Gupta)
 opendmarc
   NOTE: 20200719: no patches for remaining CVEs available, everything else is 
already done in Stretch (thorsten)
 --
-openssl (Roberto C. Sánchez)
---
 openssl1.0 (Roberto C. Sánchez)
 --
 osc (Adrian Bunk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eaae6e9f853c2987de8275fc45b65fe62bc52d7d


[Git][security-tracker-team/security-tracker][master] LTS: mark CVE-2020-1968/openssl as not-affected for stretch

2020-09-25 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6a7d4e4b by Roberto C. Sánchez at 2020-09-25T17:12:46-04:00
LTS: mark CVE-2020-1968/openssl as not-affected for stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -58673,6 +58673,7 @@ CVE-2020-1969
 CVE-2020-1968 (The Raccoon attack exploits a flaw in the TLS specification 
which can  ...)
- openssl 1.1.1~~pre9-1
- openssl1.0 
+   [stretch] - openssl  (Affected ciphers removed in 
upstream commit bc71f91, included in 1.1.0-pre2)
NOTE: Marking the first openssl 1.1.1 version in unstable as the fixed 
version in sid
NOTE: https://www.openssl.org/news/secadv/20200909.txt
NOTE: https://raccoon-attack.com/
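Review bot: the rationale cites upstream commit bc71f91 by abbreviated hash only, while the surrounding NOTE lines use full URLs; a full commit URL (or at least the full hash) would keep the reference resolvable if the short prefix ever becomes ambiguous. Leaving the openssl1.0 line without a stretch annotation is correct here, since that source is handled by the separate DLA-2378-1 reservation above rather than being not-affected.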



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6a7d4e4b4ca65b8c6e411b943d6f7a7e30878915


[Git][security-tracker-team/security-tracker][master] LTS: update status of squid3

2020-09-25 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8379b341 by Roberto C. Sánchez at 2020-09-25T16:48:07-04:00
LTS: update status of squid3

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -194,7 +194,10 @@ slirp
 --
 snmptt (Abhijith PA)
 --
-squid3 (Roberto C. Sánchez)
+squid3
+  NOTE: 20200831: I have backported the HttpHeader parsing code now and
+  NOTE: incorporated the fixes for the latest CVE. I will send a RFT to
+  NOTE: debian-lts again before uploading. (apo)
 --
 sympa
   NOTE: 20200525: Incomplete patch. Not the complete patch is made public. 
(utkarsh)
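Review bot: this hunk drops the claim (`squid3 (Roberto C. Sánchez)` becomes a bare `squid3`) while the new NOTE lines say apo has backported the HttpHeader parsing code and will send an RFT before uploading; if apo is the one finishing the update, their name belongs in the claim slot so nobody else picks the package up in the meantime. Also, only the first NOTE line carries the 20200831 date prefix; the file's other multi-line notes (cimg, mumble) repeat the date on every line, which keeps grep output self-describing.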



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8379b3411754d9337010c232b4ea4d702a946f15


[Git][security-tracker-team/security-tracker][master] LTS: claim openssl and openssl1.0

2020-09-25 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7b9fffc5 by Roberto C. Sánchez at 2020-09-25T15:47:05-04:00
LTS: claim openssl and openssl1.0

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -122,9 +122,9 @@ open-build-service (Utkarsh Gupta)
 opendmarc
   NOTE: 20200719: no patches for remaining CVEs available, everything else is 
already done in Stretch (thorsten)
 --
-openssl
+openssl (Roberto C. Sánchez)
 --
-openssl1.0
+openssl1.0 (Roberto C. Sánchez)
 --
 osc (Adrian Bunk)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7b9fffc5d6a60c26c344a1474a5d0e1ccaa79856


[Git][security-tracker-team/security-tracker][master] LTS: claim squid3 in dla-needed.txt

2020-09-24 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b17ea56e by Roberto C. Sánchez at 2020-09-24T17:23:29-04:00
LTS: claim squid3 in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -186,7 +186,7 @@ slirp
 --
 snmptt (Abhijith PA)
 --
-squid3
+squid3 (Roberto C. Sánchez)
 --
 sympa
   NOTE: 20200525: Incomplete patch. Not the complete patch is made public. 
(utkarsh)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b17ea56ed94fe94f501ec6f0c4610abcaceadb54


[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: triage CVE-2020-24659/gnutls28 as not-affected for stretch

2020-09-24 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0717bf79 by Roberto C. Sánchez at 2020-09-24T16:50:49-04:00
LTS: triage CVE-2020-24659/gnutls28 as not-affected for stretch

- - - - -
d474b9d6 by Roberto C. Sánchez at 2020-09-24T16:51:37-04:00
LTS: remove gnutls28 from dla-needed.txt, no open issues

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -3112,6 +3112,7 @@ CVE-2020-24660 (An issue was discovered in LemonLDAP::NG 
through 2.0.8, when NGI
 CVE-2020-24659 (An issue was discovered in GnuTLS before 3.6.15. A server can 
trigger  ...)
- gnutls28 3.6.15-1 (bug #969547)
[buster] - gnutls28  (Minor issue)
+   [stretch] - gnutls28  (Vulnerable code introduced later)
NOTE: https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-09-04
NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1071
NOTE: 
https://gitlab.com/gnutls/gnutls/-/commit/29ee67c205855e848a0a26e6d0e4f65b6b943e0a
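Review bot: `Vulnerable code introduced later` says stretch's gnutls28 predates the bug but not by how much; the NOTE already links the fixing commit, so naming the upstream version or commit that introduced the affected code would let the next triager confirm the not-affected call without redoing the bisection. The buster line marks the same issue as minor rather than not-affected, so the two annotations rest on different reasoning and the stretch one should be able to stand on its own.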


=
data/dla-needed.txt
=
@@ -76,9 +76,6 @@ fossil
 --
 freerdp
 --
-gnutls28 (Roberto C. Sánchez)
-  NOTE: 20200920: WIP
---
 golang-1.7
 --
 golang-1.8



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b0316b0cf79a15340c2de5317143f7c91d6d05c4...d474b9d6a604d6712bf97d73a21c324bff08c455


[Git][security-tracker-team/security-tracker][master] LTS: update notes (gnutls28, shiro)

2020-09-20 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9967aac8 by Roberto C. Sánchez at 2020-09-20T16:37:50-04:00
LTS: update notes (gnutls28, shiro)

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -74,6 +74,7 @@ fossil
 freerdp
 --
 gnutls28 (Roberto C. Sánchez)
+  NOTE: 20200920: WIP
 --
 golang-1.7
 --
@@ -184,6 +185,7 @@ samba (Mike Gabriel)
   NOTE: 20200903: As discussed internally, I will look into Samba AD CVEs and 
revisit the risk assessment, plus fix the more severe issues (sunweaver)
 --
 shiro (Roberto C. Sánchez)
+  NOTE: 20200920: WIP
 --
 slirp
   NOTE: Upstream patch for CVE-2020-8608 requires patches for



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9967aac85ba054b406820657e1d6a60f2af4e085


[Git][security-tracker-team/security-tracker][master] LTS: claim gnutls28, shiro

2020-09-07 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5295d431 by Roberto C. Sánchez at 2020-09-07T07:54:01-04:00
LTS: claim gnutls28, shiro

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -75,7 +75,7 @@ freerdp (Mike Gabriel)
 gnome-shell (Mike Gabriel)
   NOTE: 20200829: 
https://salsa.debian.org/gnome-team/gnome-shell/-/merge_requests/41 (sunweaver)
 --
-gnutls28
+gnutls28 (Roberto C. Sánchez)
 --
 golang-go.crypto
 --
@@ -173,7 +173,7 @@ samba (Mike Gabriel)
   NOTE: 20200830: Will remove this entry and mark all current CVEs as 
postponed. But first I need to know were the patches are (ola).
   NOTE: 20200903: As discussed internally, I will look into Samba AD CVEs and 
revisit the risk assessment, plus fix the more severe issues (sunweaver)
 --
-shiro
+shiro (Roberto C. Sánchez)
 --
 slirp
   NOTE: Upstream patch for CVE-2020-8608 requires patches for NOTE:



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5295d431548f46cb06d300635a2e1d9e9ee2f621


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2365-1 for netty-3.9

2020-09-04 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e4ceb712 by Roberto C. Sánchez at 2020-09-04T14:33:58-04:00
Reserve DLA-2365-1 for netty-3.9

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[04 Sep 2020] DLA-2365-1 netty-3.9 - security update
+   {CVE-2019-16869 CVE-2019-20444 CVE-2019-20445}
+   [stretch] - netty-3.9 3.9.9.Final-1+deb9u1
 [04 Sep 2020] DLA-2364-1 netty - security update
{CVE-2019-20444 CVE-2019-20445 CVE-2020-7238 CVE-2020-11612}
[stretch] - netty 1:4.1.7-2+deb9u2
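Review bot: this DLA lists CVE-2019-16869 as fixed for netty-3.9 in stretch but not CVE-2020-7238, whose stretch line in data/CVE/list (restored by the revert of 2020-08-25 further down this page) is justified with `CVE-2019-16869 not fixed for stretch`, and whose NOTE says the issue exists because of an incomplete fix for CVE-2019-16869. Once 3.9.9.Final-1+deb9u1 ships that justification no longer holds: either the upload also carries the CVE-2020-7238 fix and the CVE list should say so, or the stretch annotation for CVE-2020-7238/netty-3.9 needs a new rationale.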


=
data/dla-needed.txt
=
@@ -99,8 +99,6 @@ mumble
   NOTE: 20200504: discussion going on with t...@security.debian.org and mumble 
maintainer (abhijith)
   NOTE: 20200723: https://lists.debian.org/debian-lts/2020/05/msg8.html 
(abhijith)
 --
-netty-3.9 (Roberto C. Sánchez)
---
 nss (Adrian Bunk)
   NOTE: 20200706: from dsa-needed.txt: Roberto proposed an update including 
fixes for CVE-2018-12404 and CVE-2018-18508 (Beuc)
   NOTE: 20200810: packages are being tested (bunk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e4ceb7127675ae3ed29d45e3f933edb55cbe1071


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2364-1 for netty

2020-09-04 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
720a28d0 by Roberto C. Sánchez at 2020-09-04T14:33:14-04:00
Reserve DLA-2364-1 for netty

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[04 Sep 2020] DLA-2364-1 netty - security update
+   {CVE-2019-20444 CVE-2019-20445 CVE-2020-7238 CVE-2020-11612}
+   [stretch] - netty 1:4.1.7-2+deb9u2
 [03 Sep 2020] DLA-2363-1 asyncpg - security update
{CVE-2020-17446}
[stretch] - asyncpg 0.8.4-1+deb9u1


=
data/dla-needed.txt
=
@@ -99,8 +99,6 @@ mumble
   NOTE: 20200504: discussion going on with t...@security.debian.org and mumble 
maintainer (abhijith)
   NOTE: 20200723: https://lists.debian.org/debian-lts/2020/05/msg8.html 
(abhijith)
 --
-netty (Roberto C. Sánchez)
---
 netty-3.9 (Roberto C. Sánchez)
 --
 nss (Adrian Bunk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/720a28d099ac3ab61d2aa2e3a324aee4442bdf46


[Git][security-tracker-team/security-tracker][master] Revert "LTS: update issues which are to be fixed in stretch"

2020-08-25 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e41307db by Roberto C. Sánchez at 2020-08-25T09:18:24-04:00
Revert "LTS: update issues which are to be fixed in stretch"

This reverts commit 469d496742e20fdfda0c6f83e6c0fb71cc406c8a.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -40912,6 +40912,7 @@ CVE-2020-7238 (Netty 4.1.43.Final allows HTTP Request 
Smuggling because it misha
{DLA-2110-1 DLA-2109-1}
- netty 1:4.1.45-1 (bug #950967)
- netty-3.9 
+   [stretch] - netty-3.9  (CVE-2019-16869 not fixed for 
stretch)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1796225
NOTE: https://github.com/jdordonezn/CVE-2020-72381/issues/1
NOTE: Issue exists because of incomplete fix for CVE-2019-16869.
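Review bot: the revert restores the `[stretch] - netty-3.9 (CVE-2019-16869 not fixed for stretch)` line, but the commit message gives no reason beyond the reverted hash; a one-line justification in the message, or a dated NOTE next to the restored line, would stop the next person from removing it again for the same reason the original commit did.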



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e41307dbac9958fd31b0d7b66c3050b54e622a2e


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2344-1 for mongodb

2020-08-24 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1036b602 by Roberto C. Sánchez at 2020-08-24T18:54:48-04:00
Reserve DLA-2344-1 for mongodb

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[24 Aug 2020] DLA-2344-1 mongodb - security update
+   {CVE-2020-7923}
+   [stretch] - mongodb 1:3.2.11-2+deb9u2
 [24 Aug 2020] DLA-2343-1 icingaweb2 - security update
{CVE-2020-24368}
[stretch] - icingaweb2 2.4.1-1+deb9u1


=
data/dla-needed.txt
=
@@ -102,8 +102,6 @@ linux-4.9 (Ben Hutchings)
 --
 lua5.3
 --
-mongodb (Roberto C. Sánchez)
---
 mumble
   NOTE: 20200325: Regression in last upload, forgot to follow up.
   NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1036b602b31f2725971acb7c3bbba4da82676bff


[Git][security-tracker-team/security-tracker][master] LTS: update issues which are to be fixed in stretch

2020-08-24 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
469d4967 by Roberto C. Sánchez at 2020-08-24T18:31:57-04:00
LTS: update issues which are to be fixed in stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -40888,7 +40888,6 @@ CVE-2020-7238 (Netty 4.1.43.Final allows HTTP Request 
Smuggling because it misha
{DLA-2110-1 DLA-2109-1}
- netty 1:4.1.45-1 (bug #950967)
- netty-3.9 
-   [stretch] - netty-3.9  (CVE-2019-16869 not fixed for 
stretch)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1796225
NOTE: https://github.com/jdordonezn/CVE-2020-72381/issues/1
NOTE: Issue exists because of incomplete fix for CVE-2019-16869.
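Review bot: removing the stretch line turns CVE-2020-7238 from a justified stretch annotation into an open issue for netty-3.9 in stretch, with no NOTE recording why; since the adjacent NOTE says the issue exists because of an incomplete fix for CVE-2019-16869, the removal is only right if the planned netty-3.9 upload fixes CVE-2019-16869 and CVE-2020-7238 together. A NOTE saying so (or leaving the line in place until the upload is ready) would make the intent explicit; as it stands the change was reverted the next day.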



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/469d496742e20fdfda0c6f83e6c0fb71cc406c8a


[Git][security-tracker-team/security-tracker][master] LTS: claim netty, netty-3.9

2020-08-24 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
78083c57 by Roberto C. Sánchez at 2020-08-24T16:04:34-04:00
LTS: claim netty, netty-3.9

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -113,9 +113,9 @@ mumble
 --
 ndpi (Thorsten Alteholz)
 --
-netty
+netty (Roberto C. Sánchez)
 --
-netty-3.9
+netty-3.9 (Roberto C. Sánchez)
 --
 nss
   NOTE: 20200706: from dsa-needed.txt: Roberto proposed an update including 
fixes for CVE-2018-12404 and CVE-2018-18508 (Beuc)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/78083c5785ff0834d6f32a7e061b3a0071db6364


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2343-1 for icingaweb2

2020-08-24 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
457c4691 by Roberto C. Sánchez at 2020-08-24T15:42:28-04:00
Reserve DLA-2343-1 for icingaweb2

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[24 Aug 2020] DLA-2343-1 icingaweb2 - security update
+   {CVE-2020-24368}
+   [stretch] - icingaweb2 2.4.1-1+deb9u1
 [24 Aug 2020] DLA-2342-1 libjackson-json-java - security update
{CVE-2017-7525 CVE-2017-15095 CVE-2019-10172}
[stretch] - libjackson-json-java 1.9.2-8+deb9u1


=
data/dla-needed.txt
=
@@ -89,8 +89,6 @@ guacamole-client (Mike Gabriel)
   NOTE: 20200815: The bad maintenance is not because of the maintainer, but 
because of upstream's delay to port the software
   NOTE: 20200815: over to the freerdp2 API. (sunweaver)
 --
-icingaweb2 (Roberto C. Sánchez)
---
 jetty9
 --
 jupyter-notebook (Mike Gabriel)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/457c4691ebc85c6f574e395225a67b2fc23593e1


[Git][security-tracker-team/security-tracker][master] LTS: claim icingaweb2

2020-08-24 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
74a51ec9 by Roberto C. Sánchez at 2020-08-24T14:39:17-04:00
LTS: claim icingaweb2

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -89,7 +89,7 @@ guacamole-client (Mike Gabriel)
   NOTE: 20200815: The bad maintenance is not because of the maintainer, but 
because of upstream's delay to port the software
   NOTE: 20200815: over to the freerdp2 API. (sunweaver)
 --
-icingaweb2
+icingaweb2 (Roberto C. Sánchez)
 --
 jetty9
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/74a51ec950d8dfa4525c9b79a9c82a266b68fc79


[Git][security-tracker-team/security-tracker][master] LTS: remove chrony from dla-needed.txt, no remaining open issues

2020-08-24 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
48d502e5 by Roberto C. Sánchez at 2020-08-24T14:36:25-04:00
LTS: remove chrony from dla-needed.txt, no remaining open issues

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -46,8 +46,6 @@ ceph
   NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby)
   NOTE: 20200707: Some discussion regarding removal 
<https://lists.debian.org/debian-lts/2020/04/msg00019.html> (lamby)
 --
-chrony (Roberto C. Sánchez)
---
 cimg
   NOTE: 20200709: Upstream patch is against a newer "load_network_external"
   NOTE: 20200709: method (vs "load_network") but is still missing the argument



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/48d502e5bd2b6b77b31ffa4340c65196439e7c6e


[Git][security-tracker-team/security-tracker][master] LTS: claim chrony, mongodb

2020-08-24 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
91624166 by Roberto C. Sánchez at 2020-08-24T08:49:41-04:00
LTS: claim chrony, mongodb

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -46,7 +46,7 @@ ceph
   NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby)
   NOTE: 20200707: Some discussion regarding removal 
<https://lists.debian.org/debian-lts/2020/04/msg00019.html> (lamby)
 --
-chrony
+chrony (Roberto C. Sánchez)
 --
 cimg
   NOTE: 20200709: Upstream patch is against a newer "load_network_external"
@@ -106,7 +106,7 @@ linux-4.9 (Ben Hutchings)
 --
 lua5.3
 --
-mongodb
+mongodb (Roberto C. Sánchez)
 --
 mumble
   NOTE: 20200325: Regression in last upload, forgot to follow up.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9162416630498e359aa7535a3f8d8e0689a29e53


[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: triage tomcat7 CVEs in stretch; none affect libservlet3.0-java, which is...

2020-08-22 Thread Roberto C . Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
227dec84 by Roberto C. Sánchez at 2020-08-22T20:18:30-04:00
LTS: triage tomcat7 CVEs in stretch; none affect libservlet3.0-java, which is 
the only binary package built from the tomcat7 source package in stretch

- - - - -
09345bb5 by Roberto C. Sánchez at 2020-08-22T20:19:12-04:00
LTS: remove tomcat7 from dla-needed.txt, no open issues remain

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -35398,6 +35398,7 @@ CVE-2020-9484 (When using Apache Tomcat versions 
10.0.0-M1 to 10.0.0-M4, 9.0.0.M
- tomcat9 9.0.35-1 (bug #961209)
- tomcat8 
- tomcat7 
+   [stretch] - tomcat7  (No components in libservlet3.0-java 
binary package are affected)
NOTE: 
https://github.com/apache/tomcat/commit/bb33048e3f9b4f2b70e4da2e6c4e34ca89023b1b
 (10.0.0-M5)
NOTE: 
https://github.com/apache/tomcat/commit/3aa8f28db7efb311cdd1b6fe15a9cd3b167a
 (9.0.35)
NOTE: 
https://github.com/apache/tomcat/commit/ec08af18d0f9ddca3f2d800ef66fe7fd20afef2f
 (8.5.55)
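Review bot: the same rationale, `No components in libservlet3.0-java binary package are affected`, is added for all seven CVEs without saying which Tomcat component each issue lives in, so a later reader cannot re-check the claim from the entry alone. The commit message carries the key fact (libservlet3.0-java is the only binary built from the tomcat7 source in stretch); putting that fact, plus the affected component per CVE, into the rationale or a NOTE would make each entry self-contained. The same applies to the six hunks that follow.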
@@ -55160,6 +55161,7 @@ CVE-2020-1938 (When using the Apache JServ Protocol 
(AJP), care must be taken wh
- tomcat9 9.0.31-1 (bug #952437)
- tomcat8  (bug #952438)
- tomcat7  (bug #952436)
+   [stretch] - tomcat7  (No components in libservlet3.0-java 
binary package are affected)
NOTE: AJP disabled in Debian in default configuration since 2008
NOTE: fixed in upstream versions 9.0.31, 8.5.51, 7.0.100
NOTE: 
https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487
@@ -55186,6 +55188,7 @@ CVE-2020-1935 (In Apache Tomcat 9.0.0.M1 to 9.0.30, 
8.5.0 to 8.5.50 and 7.0.0 to
- tomcat9 9.0.31-1
- tomcat8 
- tomcat7 
+   [stretch] - tomcat7  (No components in libservlet3.0-java 
binary package are affected)
NOTE: 
https://github.com/apache/tomcat/commit/8bfb0ff7f25fe7555a5eb2f7984f73546c11aa26
 (9.0.31)
NOTE: 
https://github.com/apache/tomcat/commit/8fbe2e962f0ea138d92361921643fe5abe0c4f56
 (8.5.51)
NOTE: 
https://github.com/apache/tomcat/commit/702bf15bea292915684d931526d95d4990b2e73d
 (7.0.100)
@@ -64175,6 +64178,7 @@ CVE-2019-17569 (The refactoring present in Apache 
Tomcat 9.0.28 to 9.0.30, 8.5.4
- tomcat8 
[jessie] - tomcat8  (vulnerable code introduced in later 
version)
- tomcat7 
+   [stretch] - tomcat7  (No components in libservlet3.0-java 
binary package are affected)
NOTE: 
https://github.com/apache/tomcat/commit/060ecc5eb839208687b7fcc9e35287ac8eb46998
 (9.0.31)
NOTE: 
https://github.com/apache/tomcat/commit/959f1dfd767bf3cb64776b44f7395d1d8d8f7ab3
 (8.5.51)
NOTE: 
https://github.com/apache/tomcat/commit/b191a0d9cf06f4e04257c221bfe41d2b108a9cc8
 (7.0.100)
@@ -64202,6 +64206,7 @@ CVE-2019-17563 (When using FORM authentication with 
Apache Tomcat 9.0.0.M1 to 9.
- tomcat9 9.0.31-1
- tomcat8 
- tomcat7 
+   [stretch] - tomcat7  (No components in libservlet3.0-java 
binary package are affected)
NOTE: 
https://github.com/apache/tomcat/commit/1ecba14e690cf5f3f143eef6ae7037a6d3c16652
 (9.0.30)
NOTE: 
https://github.com/apache/tomcat/commit/e19a202ee43b6e2a538be5515ae0ab32d8ef112c
 (8.5.50)
NOTE: 
https://github.com/apache/tomcat/commit/ab72a106fe5d992abddda954e30849d7cf8cc583
 (7.0.99)
@@ -81001,6 +81006,7 @@ CVE-2019-12418 (When Apache Tomcat 9.0.0.M1 to 9.0.28, 
8.5.0 to 8.5.47, 7.0.0 an
- tomcat9 9.0.31-1
- tomcat8 
- tomcat7 
+   [stretch] - tomcat7  (No components in libservlet3.0-java 
binary package are affected)
NOTE: 
https://github.com/apache/tomcat/commit/1fc9f589dbdd8295cf313b2667ab041c425f99c3
 (9.0.29)
NOTE: 
https://github.com/apache/tomcat/commit/a91d7db4047d372b2f12999d3cf2bc3254c20d00
 (8.5.48)
NOTE: 
https://github.com/apache/tomcat/commit/bef3f40400243348d12f4abfe9b413f43897c02b
 (7.0.98)
@@ -116675,6 +116681,7 @@ CVE-2019-0221 (The SSI printenv command in Apache 
Tomcat 9.0.0.M1 to 9.0.0.17, 8
- tomcat9 9.0.16-4 (bug #929895)
- tomcat8 
- tomcat7 
+   [stretch] - tomcat7  (No components in libservlet3.0-java 
binary package are affected)
NOTE: affects debug channel, unlikely to be present in production 
websites:
NOTE: 
https://mail-archives.apache.org/mod_mbox/www-announce/201905.mbox/%3cb1905aa6-f340-8d0b-58c4-8ac3ebcbf...@apache.org%3E
NOTE: https://github.com/apache/tomcat/commit/15fcd16 (9.0.19)


=
data/dla-needed.txt
=
@@ -197,8 +197,6 @@ sympa
   NOTE: 20200604: the non-public patch is being discussed internally. (utkarsh)
   NOTE: 20200604: shall

[Git][security-tracker-team/security-tracker][master] LTS: claim tomcat7

2020-08-22 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ccdff3a4 by Roberto C. Sánchez at 2020-08-22T19:00:03-04:00
LTS: claim tomcat7

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -197,7 +197,7 @@ sympa
   NOTE: 20200604: the non-public patch is being discussed internally. (utkarsh)
   NOTE: 20200604: shall process the upload once the confirmation is given. 
(utkarsh)
 --
-tomcat7
+tomcat7 (Roberto C. Sánchez)
 --
 wordpress
   NOTE: 20200710: Vulnerable to at least CVE-2020-4046. (lamby)
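Review bot: the claim adds a name to `tomcat7 (Roberto C. Sánchez)` but no dated status line, while the neighbouring `sympa` and `wordpress` entries each carry a `NOTE: YYYYMMDD:` line; adding a first note such as the CVEs being triaged would keep the entry consistent with the rest of the file and give the next reader a starting point.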



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ccdff3a4b7042f419304f947f419d8b634f75ed7
