[Git][security-tracker-team/security-tracker][master] CVE-2018-1000656,CVE-2019-1010084/flask: clarify situation a little more
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 43c5fcf9 by Sylvain Beucler at 2023-08-28T22:09:53+02:00 CVE-2018-1000656,CVE-2019-1010084/flask: clarify situation a little more - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -306283,9 +306283,9 @@ CVE-2019-1010084 (Dancer::Plugin::SimpleCRUD 1.14 and earlier is affected by: In CVE-2019-1010083 (The Pallets Project Flask before 1.0 is affected by: unexpected memory ...) - flask 1.0.2-1 [stretch] - flask (Minor issue) - [jessie] - flask (Minor issue) + [jessie] - flask (Minor issue, considered fixed with CVE-2018-1000656 TTBOOK) NOTE: https://www.palletsprojects.com/blog/flask-1-0-released/ - NOTE: https://github.com/pallets/flask/pull/2691/commits/ab4142215d836b0298fc47fa1e4b75408b9c37a0 + NOTE: https://github.com/pallets/flask/pull/2691/commits/ab4142215d836b0298fc47fa1e4b75408b9c37a0 (1.0) NOTE: After communication with MITRE, this CVE *might* overlap CVE-2018-1000656. NOTE: CVE-2019-1010083 was back then assigned by the DWF CNA, but the exact scope NOTE: of the CVE is unclear and might for instance be for an incomplete fix of 
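Review bot: the commit message names CVE-2019-1010084, but the entry edited in this hunk is CVE-2019-1010083 (flask); CVE-2019-1010084 is the Dancer::Plugin::SimpleCRUD entry that only appears as leading context, so the message should read CVE-2018-1000656,CVE-2019-1010083/flask. In the rewritten [jessie] line, "TTBOOK" is an uncommon abbreviation; spelling it out ("to the best of our knowledge") keeps the annotation searchable, and the [stretch] line directly above still reads only "(Minor issue)" although the same overlap with CVE-2018-1000656 applies to it, so both lines should carry the same wording.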
@@ -344429,6 +344429,8 @@ CVE-2018-1000656 (The Pallets Project flask version Before 0.12.3 contains a CWE - flask 1.0.2-1 [stretch] - flask (Minor issue) NOTE: https://github.com/pallets/flask/pull/2691 + NOTE: https://github.com/pallets/flask/commit/b178e89e4456e777b1a7ac6d7199052d0dfdbbbe (1.0) + NOTE: https://github.com/pallets/flask/commit/b178e89e4456e777b1a7ac6d7199052d0dfdbbbe (0.12.3) CVE-2018-1000655 (Jsish version 2.4.65 contains a CWE-476: NULL Pointer Dereference vuln ...) NOT-FOR-US: Jsish CVE-2018-1000654 (GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 c ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43c5fcf95031a6a41705e5301574e2760f9df3f8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43c5fcf95031a6a41705e5301574e2760f9df3f8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
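Review bot: the two added NOTE lines cite the same commit b178e89e4456e777b1a7ac6d7199052d0dfdbbbe, once tagged (1.0) and once tagged (0.12.3); one commit id cannot be the fix on both branches unless it was cherry-picked unchanged, in which case the second line should carry the 0.12.3 backport commit id, otherwise the two lines should be merged into one "... (1.0, 0.12.3)". As written, a reader cannot tell whether the 0.12.3 fix was verified separately from the 1.0 one.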
Re: bullseye / libgdbm6:amd64 is a catastrophgy
Hello Marc,

On 25/08/2023 11:24, Marc SCHAEFER wrote:
> AFAIK bullseye is not yet LTS-handled. Will LTS fix important bugs, or only security fixes?
> I reported this: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043023
> I have a local work-around (keep the buster version), and the maintainer also proposed another local work-around. Mine is running productively for a few weeks now.
> Will LTS, when it takes hold of bullseye, fix this important bug?

First, from your bug report I read the maintainer's answer:
"[...] you upgraded to oldstable, which will only receive security fixes."

Actually, bullseye (even as oldstable) may receive updates for important bugs, through the point releases (proposed-updates):
https://wiki.debian.org/DebianReleases/PointReleases

LTS may also fix non-security bugs, but since it currently doesn't have point releases, this is rarer.

Now the maintainer worries that the bug fix "could break other installations that used to work well". We tend to trust the maintainer's informed opinion, so we'd probably follow his advice and refrain from fixing the bug. Of course it's possible to continue the discussion with the maintainer (e.g. with comprehensive testing).

In conclusion, I believe there's a higher chance of fixing the bug right now in bullseye/oldstable, rather than later in bullseye/LTS.

Cheers!
Sylvain Beucler
Debian LTS Team
[Git][security-tracker-team/security-tracker][master] dla: reference samba status update e-mail
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 08407242 by Sylvain Beucler at 2023-08-25T12:13:50+02:00 dla: reference samba status update e-mail - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -207,6 +207,7 @@ samba NOTE: 20230807: in the branch "lgarrett/2023-02-23-debian/buster-proposed" NOTE: 20230807: functional test framework is however needed (WIP) as most NOTE: 20230807: CVEs/bugfixes don't have test coverage. + NOTE: 20230822: https://lists.debian.org/debian-lts/2023/08/msg00027.html (lee) -- suricata (Adrian Bunk) NOTE: 20230620: Added by Front-Desk (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/08407242e413d8642ae3046a2ae412341a40922d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/08407242e413d8642ae3046a2ae412341a40922d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
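Review bot: the added 20230822 NOTE only links the mailing list message; a one-line summary of what it concludes (whether the lgarrett buster-proposed branch is still blocked on the functional test framework mentioned in the 20230807 lines) would let the front desk read the samba status without leaving the file, which is what the dated NOTE lines in this block are for.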
[Git][security-tracker-team/security-tracker][master] dla: drop gawk, aligning with other dists
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 5a557634 by Sylvain Beucler at 2023-08-25T12:11:57+02:00 dla: drop gawk, aligning with other dists - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -2626,6 +2626,7 @@ CVE-2023-4157 (Improper Input Validation in GitHub repository omeka/omeka-s prio CVE-2023-4156 [heap out of bound read in builtin.c] - gawk 1:5.2.1-1 [bullseye] - gawk (Minor issue) + [buster] - gawk (Minor issue, OOB read) NOTE: https://mail.gnu.org/archive/html/bug-gawk/2022-08/msg0.html NOTE: https://mail.gnu.org/archive/html/bug-gawk/2022-08/msg00023.html NOTE: https://git.savannah.gnu.org/gitweb/?p=gawk.git;a=commitdiff;h=e709eb829448ce040087a3fc5481db6bfcaae212 (gawk-5.2.0) = data/dla-needed.txt = @@ -61,11 +61,6 @@ flask-security (Sean Whitton) NOTE: 20230811: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/37 NOTE: 20230811: Follow fixes from bullseye 11.7 (1 CVE) (Beuc/front-desk) -- -gawk - NOTE: 20230806: Added by Front-Desk (gladk) - NOTE: 20230806: Please, check, whether CVE is applicable for buster - NOTE: 20230806: poc are available in the mailing list (gladk) --- glib2.0 (santiago) NOTE: 20230612: Added by Front-Desk (apo) NOTE: 20230710: WIP (santiago) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a55763462336dd088603f5b093c0a316e857866 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a55763462336dd088603f5b093c0a316e857866 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
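Review bot: in the data/CVE/list hunk, the new [buster] annotation "(Minor issue, OOB read)" records the bug class but not why it is minor for buster, while the dla-needed.txt block dropped in the same commit said PoCs are available on the mailing list and asked whether the CVE applies to buster at all; a NOTE line stating whether the PoC was run against buster's gawk (and whether the affected builtin.c code is present there) would preserve that triage result, since the dla-needed entry was the only place holding it.

Review bot: in the data/dla-needed.txt hunk, removing the gawk block drops the open question "check whether CVE is applicable for buster" without an answer being recorded anywhere in the diff; if the conclusion is "affected but minor", say so in the CVE/list entry, and if it is "not affected", the [buster] line should use the tracker's <not-affected> tag rather than "(Minor issue)".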
[SECURITY] [DLA 3541-1] w3m security update
Debian LTS Advisory DLA-3541-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Sylvain Beucler
August 24, 2023                                 https://wiki.debian.org/LTS

Package        : w3m
Version        : 0.5.3-37+deb10u1
CVE ID         : CVE-2022-38223
Debian Bug     : 1019599

Han Zheng discovered an out-of-bounds write in w3m, a text based web browser and pager. It can be triggered by sending a crafted HTML file to the w3m binary. It allows an attacker to cause Denial of Service (DoS) or possibly have unspecified other impact.

For Debian 10 buster, this problem has been fixed in version 0.5.3-37+deb10u1.

We recommend that you upgrade your w3m packages.

For the detailed security status of w3m please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/w3m

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3541-1 for w3m
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 24816548 by Sylvain Beucler at 2023-08-24T13:42:17+02:00 Reserve DLA-3541-1 for w3m - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -73652,7 +73652,6 @@ CVE-2022-38224 CVE-2022-38223 (There is an out-of-bounds write in checkType located in etc.c in w3m 0 ...) - w3m 0.5.3+git20230121-1 (bug #1019599) [bullseye] - w3m 0.5.3+git20210102-6+deb11u1 - [buster] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/242 NOTE: Initial fix: https://github.com/tats/w3m/commit/419ca82d57c72242817b55e2eaa4cdbf6916e7fa NOTE: Follow-up fix: https://github.com/tats/w3m/commit/25fb402cea405b263466c627f32513d186a38ade = data/DLA/list = @@ -1,3 +1,6 @@ +[24 Aug 2023] DLA-3541-1 w3m - security update + {CVE-2022-38223} + [buster] - w3m 0.5.3-37+deb10u1 [23 Aug 2023] DLA-3540-1 mediawiki - security update {CVE-2023-29141} [buster] - mediawiki 1:1.31.16-1+deb10u6 = data/dla-needed.txt = 
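Review bot: the data/CVE/list hunk drops the "[buster] - w3m (Minor issue)" postponement line, which is right once a DLA is issued, but the entry keeps two upstream references ("Initial fix" 419ca82d... and "Follow-up fix" 25fb402c...) without saying which of them went into 0.5.3-37+deb10u1; a NOTE naming the backported commits would let the buster fix be audited against bullseye's 0.5.3+git20210102-6+deb11u1. The new data/DLA/list entry itself matches the advisory (date, CVE, version).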
@@ -221,9 +221,3 @@ suricata (Adrian Bunk) NOTE: 20230714: Still reviewing+testing CVEs. (bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) -- -w3m (Sylvain Beucler) - NOTE: 20230812: Added by Front-Desk (Beuc) - NOTE: 20230812: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/42 - NOTE: 20230812: Follow fixes from bullseye 11.7 (1 CVE) (Beuc/front-desk) - NOTE: 20230819: No ASAN errors with the PoCs, but the backported fixes do bring some (!), more testing needed. (Beuc) --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/24816548dd2b4d229941c70685e219675f1a742c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/24816548dd2b4d229941c70685e219675f1a742c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
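Review bot: removing the w3m block from data/dla-needed.txt also removes the 20230819 note that the backported fixes introduced ASAN errors and that more testing was needed, and nothing in this commit says whether that was resolved before DLA-3541-1 was reserved; record the outcome (for example as a NOTE on the CVE-2022-38223 entry) so the regression testing result is not lost with the entry.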
[Git][security-tracker-team/security-tracker][master] dla: update w3m status
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 5fb8ec48 by Sylvain Beucler at 2023-08-19T20:16:13+02:00 dla: update w3m status - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -225,6 +225,7 @@ w3m (Sylvain Beucler) NOTE: 20230812: Added by Front-Desk (Beuc) NOTE: 20230812: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/42 NOTE: 20230812: Follow fixes from bullseye 11.7 (1 CVE) (Beuc/front-desk) + NOTE: 20230819: No ASAN errors with the PoCs, but the backported fixes do bring some (!), more testing needed. (Beuc) -- zabbix (tobi) NOTE: 20230731: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5fb8ec48bd756e99666061cf5da9029e3c6ac124 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5fb8ec48bd756e99666061cf5da9029e3c6ac124 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
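Review bot: the added 20230819 NOTE says the backported fixes "do bring some" ASAN errors but not which of the two upstream commits (initial fix or follow-up fix) triggers them, nor which sanitizer report (file/function) is involved; adding that detail to the line would let the next person pick up the testing without redoing the bisection.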
[Git][security-tracker-team/security-tracker][master] dla: claim w3m
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: e93a97df by Sylvain Beucler at 2023-08-14T12:04:24+02:00 dla: claim w3m - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -242,7 +242,7 @@ suricata (Adrian Bunk) unrar-nonfree (Markus Koschany) NOTE: 20230808: Added by Front-Desk (Beuc) -- -w3m +w3m (Sylvain Beucler) NOTE: 20230812: Added by Front-Desk (Beuc) NOTE: 20230812: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/42 NOTE: 20230812: Follow fixes from bullseye 11.7 (1 CVE) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e93a97dfff620559b9b535a763bb24fa52b00277 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e93a97dfff620559b9b535a763bb24fa52b00277 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: mention contributors should self-assign the (experimental) issues when claiming
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 91f1ddec by Sylvain Beucler at 2023-08-12T18:21:15+02:00 dla: mention contributors should self-assign the (experimental) issues when claiming - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -34,7 +34,7 @@ cinder -- datatables.js (guilhem) NOTE: 20230809: Added by Front-Desk (Beuc) - NOTE: 20230809: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/29 + NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/29 NOTE: 20230809: Follow fixes from bullseye 11.2 (1 CVE) (Beuc/front-desk) -- docker.io @@ -54,11 +54,11 @@ dogecoin flask NOTE: 20230811: Added by Front-Desk (Beuc) NOTE: 20230811: Check DSA-5442-1 (Beuc/front-desk) - NOTE: 20230811: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/35 + NOTE: 20230811: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/35 -- flask-security NOTE: 20230811: Added by Front-Desk (Beuc) - NOTE: 20230811: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/37 + NOTE: 20230811: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/37 NOTE: 20230811: Follow fixes from bullseye 11.7 (1 CVE) (Beuc/front-desk) -- gawk (Adrian Bunk) 
@@ -74,11 +74,11 @@ glib2.0 (santiago) -- gst-plugins-ugly1.0 NOTE: 20230812: Added by Front-Desk (Beuc) - NOTE: 20230812: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/39 + NOTE: 20230812: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/39 -- i2p NOTE: 20230809: Added by Front-Desk (Beuc) - NOTE: 20230809: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28 + NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28 -- imagemagick (rouca) NOTE: 20230622: Added by Front-Desk (Beuc) 
@@ -100,17 +100,17 @@ linux (Ben Hutchings) -- lxc NOTE: 20230812: Added by Front-Desk (Beuc) - NOTE: 20230812: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/44 + NOTE: 20230812: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/44 NOTE: 20230812: Follow fixes from bullseye 11.7 (1 CVE) (Beuc/front-desk) -- mediawiki NOTE: 20230810: Added by Front-Desk (Beuc) - NOTE: 20230810: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/31 + NOTE: 20230810: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/31 NOTE: 20230810: Check DSA-5447-1 (Beuc/front-desk) -- netatalk (Markus Koschany) NOTE: 20230812: Added by Front-Desk (Beuc) - NOTE: 20230812: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/38 + NOTE: 20230812: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/38 NOTE: 20230812: Regression update request: https://lists.debian.org/debian-lts/2023/08/msg00014.html (Beuc/front-desk) -- nodejs (guilhem) @@ -140,7 +140,7 @@ open-vm-tools (Abhijith PA) -- opendmarc NOTE: 20230811: Added by Front-Desk (Beuc) - NOTE: 20230810: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/34 + NOTE: 20230810: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/34 -- openjdk-11 (Emilio) NOTE: 20230419: Added by Front-Desk (ola) 
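Review bot: in the opendmarc hunk, the rewritten NOTE line keeps the date 20230810 while the line above it says the entry was "Added by Front-Desk" on 20230811; since the line is being rewritten anyway, correct the date to 20230811 so the NOTE chronology is consistent with the other entries touched in this commit.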
@@ -155,12 +155,12 @@ openssl (gladk) -- orthanc NOTE: 20230812: Added by Front-Desk (Beuc) - NOTE: 20230812: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/41 + NOTE: 20230812: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/41 NOTE: 20230812: Check DSA-5473-1 (Beuc/front-desk) -- otrs2 NOTE: 20230811: Added by Front-Desk (Beuc) - NOTE: 20230811: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/32 + NOTE
[Git][security-tracker-team/security-tracker][master] dla: add lxc
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: e22ebcd0 by Sylvain Beucler at 2023-08-12T18:10:23+02:00 dla: add lxc - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -98,6 +98,11 @@ libreoffice (rouca) linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- +lxc + NOTE: 20230812: Added by Front-Desk (Beuc) + NOTE: 20230812: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/44 + NOTE: 20230812: Follow fixes from bullseye 11.7 (1 CVE) (Beuc/front-desk) +-- mediawiki NOTE: 20230810: Added by Front-Desk (Beuc) NOTE: 20230810: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/31 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e22ebcd0ec2c6fbd994653c2ae366cb9c2e89055 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e22ebcd0ec2c6fbd994653c2ae366cb9c2e89055 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
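Review bot: the new lxc entry says "Follow fixes from bullseye 11.7 (1 CVE)" without naming the CVE; listing the CVE id in the NOTE lets the assignee cross-check the data/CVE/list entry and the bullseye changelog directly instead of having to rediscover which fix 11.7 shipped.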
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2022-38223/w3m: reference follow-up fix
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: f3079bb2 by Sylvain Beucler at 2023-08-12T17:54:16+02:00 CVE-2022-38223/w3m: reference follow-up fix - - - - - 0e990e9d by Sylvain Beucler at 2023-08-12T17:56:56+02:00 dla: add w3m - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -72163,8 +72163,8 @@ CVE-2022-38223 (There is an out-of-bounds write in checkType located in etc.c in [bullseye] - w3m 0.5.3+git20210102-6+deb11u1 [buster] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/242 - NOTE: https://github.com/tats/w3m/commit/419ca82d57c72242817b55e2eaa4cdbf6916e7fa - NOTE: Possibly incomplete fix: https://github.com/tats/w3m/issues/268 + NOTE: Initial fix: https://github.com/tats/w3m/commit/419ca82d57c72242817b55e2eaa4cdbf6916e7fa + NOTE: Follow-up fix: https://github.com/tats/w3m/commit/25fb402cea405b263466c627f32513d186a38ade CVE-2022-38222 (There is a use-after-free issue in JBIG2Stream::close() located in JBI ...) - xpdf (Debian uses poppler, which is not affected) CVE-2022-38221 (A buffer overflow in the FTcpListener thread in The Isle Evrima (the d ...) = data/dla-needed.txt = @@ -35,7 +35,7 @@ cinder datatables.js (guilhem) NOTE: 20230809: Added by Front-Desk (Beuc) NOTE: 20230809: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/29 - NOTE: 20230809: Follow fixes from 11.2 (1 CVE) (Beuc/front-desk) + NOTE: 20230809: Follow fixes from bullseye 11.2 (1 CVE) (Beuc/front-desk) -- docker.io NOTE: 20230303: Added by Front-Desk (Beuc) 
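Review bot: in the data/CVE/list hunk, replacing "Possibly incomplete fix: https://github.com/tats/w3m/issues/268" with the follow-up commit loses the reference to the issue that explains why a second fix was needed; keeping both, e.g. "Follow-up fix (issue #268): https://github.com/tats/w3m/commit/25fb402c...", preserves the reasoning trail for whoever backports the two commits.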
@@ -59,7 +59,7 @@ flask flask-security NOTE: 20230811: Added by Front-Desk (Beuc) NOTE: 20230811: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/37 - NOTE: 20230811: Follow fixes from 11.7 (1 CVE) (Beuc/front-desk) + NOTE: 20230811: Follow fixes from bullseye 11.7 (1 CVE) (Beuc/front-desk) -- gawk (Adrian Bunk) NOTE: 20230806: Added by Front-Desk (gladk) @@ -249,6 +249,11 @@ suricata (Adrian Bunk) unrar-nonfree (Markus Koschany) NOTE: 20230808: Added by Front-Desk (Beuc) -- +w3m + NOTE: 20230812: Added by Front-Desk (Beuc) + NOTE: 20230812: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/42 + NOTE: 20230812: Follow fixes from bullseye 11.7 (1 CVE) (Beuc/front-desk) +-- zabbix (tobi) NOTE: 20230731: Added by Front-Desk (apo) NOTE: 20230812: WIP, patches backported but largerly untested. Will continue after VAC. (tobi) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/353458534ed653448b1c5aa5a21a9386257b4268...0e990e9dc8cfac76e0a89e1877300f92af617507 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/353458534ed653448b1c5aa5a21a9386257b4268...0e990e9dc8cfac76e0a89e1877300f92af617507 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
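Review bot: the new w3m block in data/dla-needed.txt says "Follow fixes from bullseye 11.7 (1 CVE)" but does not name CVE-2022-38223, which the same commit series edits in data/CVE/list; naming it in the NOTE ties the two files together for the assignee.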
[Git][security-tracker-team/security-tracker][master] dla: add orthanc
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 35345853 by Sylvain Beucler at 2023-08-12T17:30:45+02:00 dla: add orthanc - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -148,6 +148,11 @@ openjdk-11 (Emilio) openssl (gladk) NOTE: 20230731: Added by Front-Desk (apo) -- +orthanc + NOTE: 20230812: Added by Front-Desk (Beuc) + NOTE: 20230812: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/41 + NOTE: 20230812: Check DSA-5473-1 (Beuc/front-desk) +-- otrs2 NOTE: 20230811: Added by Front-Desk (Beuc) NOTE: 20230811: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/32 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/353458534ed653448b1c5aa5a21a9386257b4268 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/353458534ed653448b1c5aa5a21a9386257b4268 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: dla: add gst-plugins-ugly1.0
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 0da9cbdf by Sylvain Beucler at 2023-08-12T12:30:36+02:00 dla: add gst-plugins-ugly1.0 - - - - - cfc31fe0 by Sylvain Beucler at 2023-08-12T12:31:06+02:00 CVE-2023-37788/golang-github-elazarl-goproxy: buster postponed - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -3230,6 +3230,7 @@ CVE-2023-37788 (goproxy v1.1 was discovered to contain an issue which can lead t - golang-github-elazarl-goproxy (bug #1042474) [bookworm] - golang-github-elazarl-goproxy (Minor issue) [bullseye] - golang-github-elazarl-goproxy (Minor issue) + [buster] - golang-github-elazarl-goproxy (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://github.com/elazarl/goproxy/issues/502 CVE-2023-37758 (D-LINK DIR-815 v1.01 was discovered to contain a buffer overflow via t ...) NOT-FOR-US: D-LINK = data/dla-needed.txt = 
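Review bot: the new [buster] annotation for golang-github-elazarl-goproxy says "follow bullseye DSAs/point-releases", but the only NOTE in the entry links the upstream issue #502 and no fixing commit; add the upstream fix reference, or a NOTE saying none exists yet, so it is clear what a bullseye update would be following.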
@@ -72,6 +72,10 @@ glib2.0 (santiago) NOTE: 20230724: buster should be ready. need if it's possible to run same reporter's fuzz test NOTE: 20230807: idem. -- +gst-plugins-ugly1.0 + NOTE: 20230812: Added by Front-Desk (Beuc) + NOTE: 20230812: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/39 +-- i2p NOTE: 20230809: Added by Front-Desk (Beuc) NOTE: 20230809: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e901d9956e0e070cf910e5ce6979f7c8361813a7...cfc31fe0e8e0c05c994bd5a0bbc0b6dfc2899d7f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e901d9956e0e070cf910e5ce6979f7c8361813a7...cfc31fe0e8e0c05c994bd5a0bbc0b6dfc2899d7f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
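Review bot: the new gst-plugins-ugly1.0 block has only the "Added by Front-Desk" line and the issue link, with no "Follow fixes from ..." or "Check DSA-..." line of the kind the other entries added in this series carry; a scope line naming the CVE or DSA that prompted the addition would tell the assignee what the update is expected to cover.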
[Git][security-tracker-team/security-tracker][master] CVE-2023-3180/qemu: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: e901d995 by Sylvain Beucler at 2023-08-12T12:19:24+02:00 CVE-2023-3180/qemu: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1446,6 +1446,7 @@ CVE-2023-3180 (A flaw was found in the QEMU virtual crypto device while handling - qemu 1:8.0.4+dfsg-1 [bookworm] - qemu (Minor issue) [bullseye] - qemu (Minor issue) + [buster] - qemu (Minor issue) NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/04b9b37edda85964cca033a48dcc0298036782f2 (v2.8.0-rc0) NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/9d38a8434721a6479fe03fb5afb150ca793d3980 (master) NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f (v8.0.4) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e901d9956e0e070cf910e5ce6979f7c8361813a7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e901d9956e0e070cf910e5ce6979f7c8361813a7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
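Review bot: the added [buster] line marks qemu as "(Minor issue)" while the NOTE lines record the bug as introduced in v2.8.0-rc0 and fixed only in master and v8.0.4; since buster's qemu version is not shown in the hunk, a short NOTE confirming it is in the affected range and whether the v8.0.4 fix applies cleanly to that branch would justify the postponement rather than leaving it implied by the bullseye/bookworm lines.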
[Git][security-tracker-team/security-tracker][master] dla: add netatalk
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 1c2242e3 by Sylvain Beucler at 2023-08-12T11:39:18+02:00 dla: add netatalk - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -99,6 +99,11 @@ mediawiki NOTE: 20230810: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/31 NOTE: 20230810: Check DSA-5447-1 (Beuc/front-desk) -- +netatalk (Markus Koschany) + NOTE: 20230812: Added by Front-Desk (Beuc) + NOTE: 20230812: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/38 + NOTE: 20230812: Regression update request: https://lists.debian.org/debian-lts/2023/08/msg00014.html (Beuc/front-desk) +-- nodejs (guilhem) NOTE: 20230731: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c2242e33b9f2b1fd1c2f56ed0cc8662d2b844cd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c2242e33b9f2b1fd1c2f56ed0cc8662d2b844cd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
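Review bot: the netatalk block is pre-assigned and links a "Regression update request" mailing list thread, but the NOTE does not say what regressed or which earlier update caused it; adding that in one clause would make the entry self-describing for the assignee and for anyone triaging the regression.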
[Git][security-tracker-team/security-tracker][master] dla: update flask-security
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: c98ee868 by Sylvain Beucler at 2023-08-11T21:42:21+02:00 dla: update flask-security - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -59,6 +59,7 @@ flask flask-security NOTE: 20230811: Added by Front-Desk (Beuc) NOTE: 20230811: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/37 + NOTE: 20230811: Follow fixes from 11.7 (1 CVE) (Beuc/front-desk) -- gawk (Adrian Bunk) NOTE: 20230806: Added by Front-Desk (gladk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c98ee8687b249a6bc7009fb9aaae95b529c46d20 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c98ee8687b249a6bc7009fb9aaae95b529c46d20 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
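Review bot: the added NOTE says "Follow fixes from 11.7 (1 CVE)" without a release name; buster point releases are 10.x and bullseye's are 11.x, so "bullseye 11.7" is unambiguous, and the 20230812 commit in this thread rewrites the line exactly that way. Naming the CVE as well would avoid a second round-trip to the changelog.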
[Git][security-tracker-team/security-tracker][master] dla: add issue for flask-security
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 90af22f7 by Sylvain Beucler at 2023-08-11T21:32:28+02:00 dla: add issue for flask-security - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -58,6 +58,7 @@ flask -- flask-security NOTE: 20230811: Added by Front-Desk (Beuc) + NOTE: 20230811: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/37 -- gawk (Adrian Bunk) NOTE: 20230806: Added by Front-Desk (gladk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90af22f725f981190427d457b690accbebcd85fc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90af22f725f981190427d457b690accbebcd85fc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: dla: add flask
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 9fb26ccc by Sylvain Beucler at 2023-08-11T21:30:38+02:00 dla: add flask - - - - - bfa627d4 by Sylvain Beucler at 2023-08-11T21:30:38+02:00 dla: add flask-security - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -51,6 +51,14 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- +flask + NOTE: 20230811: Added by Front-Desk (Beuc) + NOTE: 20230811: Check DSA-5442-1 (Beuc/front-desk) + NOTE: 20230811: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/35 +-- +flask-security + NOTE: 20230811: Added by Front-Desk (Beuc) +-- gawk (Adrian Bunk) NOTE: 20230806: Added by Front-Desk (gladk) NOTE: 20230806: Please, check, whether CVE is applicable for buster 
@@ -131,7 +139,7 @@ openssl (gladk) -- otrs2 NOTE: 20230811: Added by Front-Desk (Beuc) - NOTE: 2023081: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/32 + NOTE: 20230811: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/32 NOTE: 20230811: Lots of CVEs have been marked no-dsa or ignored (Non-free not supported), NOTE: 20230811: but this is a sponsored package, so they need to be fixed. (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/218d4bd3949299af27bbc6a59af28d37dc3a90b8...bfa627d409525873632b212219ce2117ea65ae12 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/218d4bd3949299af27bbc6a59af28d37dc3a90b8...bfa627d409525873632b212219ce2117ea65ae12 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
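Review bot: the second hunk (the otrs2 entry around line 139) only corrects the date "2023081" to "20230811", which has nothing to do with the two commit messages "dla: add flask" and "dla: add flask-security"; either split that fix into its own commit or mention it in the message so the history explains why the otrs2 entry changed.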
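Review bot: in the first hunk the new flask-security entry carries only "Added by Front-Desk (Beuc)", while the flask entry right above it points at DSA-5442-1 and a workflow issue; record the CVE or DSA that motivated adding flask-security so a claimer knows what is expected to be fixed.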
[Git][security-tracker-team/security-tracker][master] dla: add opendmarc
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: efe69dd1 by Sylvain Beucler at 2023-08-11T20:29:41+02:00 dla: add opendmarc - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -114,6 +114,10 @@ nvidia-cuda-toolkit open-vm-tools (Abhijith PA) NOTE: 20230731: Added by Front-Desk (apo) -- +opendmarc + NOTE: 20230811: Added by Front-Desk (Beuc) + NOTE: 20230810: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/34 +-- openjdk-11 (Emilio) NOTE: 20230419: Added by Front-Desk (ola) NOTE: 20230522: waiting for sid update (pochu) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/efe69dd177fe979c8069469aea7076343fe99cf9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/efe69dd177fe979c8069469aea7076343fe99cf9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
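Review bot: the second added opendmarc note is dated 20230810, while the "Added by Front-Desk" line directly above it and the commit itself are from 2023-08-11; notes in this file are kept in date order, so this should presumably read 20230811.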
[Git][security-tracker-team/security-tracker][master] dla: new CVE issued for python-git
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: bed564e5 by Sylvain Beucler at 2023-08-11T13:41:31+02:00 dla: new CVE issued for python-git - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -70,7 +70,7 @@ {CVE-2023-37329} [buster] - gst-plugins-bad1.0 1.14.4-1+deb10u3 [25 Jul 2023] DLA-3502-1 python-git - security update - {CVE-2022-24439} + {CVE-2022-24439 CVE-2023-40267} [buster] - python-git 2.1.11-1+deb10u1 [25 Jul 2023] DLA-3501-1 renderdoc - security update {CVE-2023-33863 CVE-2023-33864 CVE-2023-33865} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bed564e52fb04afcaf2ef43888fb79e6360f5faf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bed564e52fb04afcaf2ef43888fb79e6360f5faf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
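Review bot: adding CVE-2023-40267 to the already published DLA-3502-1 entry touches only data/DLA/list; the CVE-2023-40267 entry in data/CVE/list is not part of this change, so check that its buster line agrees with python-git 2.1.11-1+deb10u1 being the fixing version, otherwise the two files disagree about buster.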
[Git][security-tracker-team/security-tracker][master] dla: update ruby-loofah and ruby-rails-html-sanitizer status
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 0c4b5b80 by Sylvain Beucler at 2023-08-11T13:28:46+02:00 dla: update ruby-loofah and ruby-rails-html-sanitizer status - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -175,11 +175,13 @@ ruby-loofah NOTE: 20221231: Added by Front-Desk (ola) NOTE: 20230313: Pinged Daniel re. patches in repo ^. (lamby) NOTE: 20230403: See "RFC: ruby-loofah 2.2.3-1+deb10u2" thread on debian-lts list. (lamby) - NOTE: 20230403: Everything ready, just waiting for ruby-rails-html-sanitizer/utkarsh (dleidert/inactive) + NOTE: 20230403: Everything ready in git, just waiting for ruby-rails-html-sanitizer/utkarsh (dleidert/inactive) + NOTE: 20230808: utkarsh mentions on IRC he's busy with other packages, this is "free to claim atm". (Beuc/front-desk) -- ruby-rails-html-sanitizer NOTE: 20221231: Added by Front-Desk (ola) NOTE: 20230303: this cannot be fixed unless ruby-loofah is fixed with appropriate methods. (utkarsh) + NOTE: 20230808: utkarsh mentions on IRC he's busy with other packages, this is "free to claim atm". (Beuc/front-desk) -- ruby-rmagick (rouca) NOTE: 20230808: Added by Front-Desk on rouca's (imagemagick package maintainer) request (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c4b5b80cc33975dad7ddaca5989b5cfaed2068a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c4b5b80cc33975dad7ddaca5989b5cfaed2068a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
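Review bot: the first hunk rewrites an existing note dated 20230403 and signed (dleidert/inactive) ("Everything ready" becomes "Everything ready in git") instead of adding a new dated line; changing text attributed to someone else loses the record of who said what, so prefer a fresh "NOTE: 20230808: ..." line for the clarification.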
[Git][security-tracker-team/security-tracker][master] CVE-2023-3823/php*: reference patch
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 7bfeb8ad by Sylvain Beucler at 2023-08-11T13:13:54+02:00 CVE-2023-3823/php*: reference patch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -36,6 +36,7 @@ CVE-2023-3823 (In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2 - php7.4 - php7.3 NOTE: https://github.com/php/php-src/security/advisories/GHSA-3qrf-m4j2-pcrr + NOTE: https://github.com/php/php-src/commit/c283c3ab0ba45d21b2b8745c1f9c7cbfe771c975 (php-8.0.30) NOTE: Fixed in: 8.0.30, 8.1.22, 8.2.8 CVE-2023-39553 (Improper Input Validation vulnerability in Apache Software Foundation ...) TODO: check View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7bfeb8ad8be2742c2796c237c6ce54c554ed3047 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7bfeb8ad8be2742c2796c237c6ce54c554ed3047 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-3824/php*: reference patch
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: faf9fec3 by Sylvain Beucler at 2023-08-11T13:09:46+02:00 CVE-2023-3824/php*: reference patch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29,6 +29,7 @@ CVE-2023-3824 (In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2. - php7.4 - php7.3 NOTE: https://github.com/php/php-src/security/advisories/GHSA-jqcx-ccgc-xwhv + NOTE: https://github.com/php/php-src/commit/80316123f3e9dcce8ac419bd9dd43546e2ccb5ef (php-8.0.30) NOTE: Fixed in: 8.0.30, 8.1.22, 8.2.8 CVE-2023-3823 (In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* be ...) - php8.2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/faf9fec39fc4dfb4d3e30c500a4ac6b511754b27 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/faf9fec39fc4dfb4d3e30c500a4ac6b511754b27 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: add issue for otrs2
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: b674a2ed by Sylvain Beucler at 2023-08-11T12:01:10+02:00 dla: add issue for otrs2 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -127,6 +127,7 @@ openssl (gladk) -- otrs2 NOTE: 20230811: Added by Front-Desk (Beuc) + NOTE: 2023081: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/32 NOTE: 20230811: Lots of CVEs have been marked no-dsa or ignored (Non-free not supported), NOTE: 20230811: but this is a sponsored package, so they need to be fixed. (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b674a2ed6e4c84fdd8b6006b3d9cd7a67f91e498 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b674a2ed6e4c84fdd8b6006b3d9cd7a67f91e498 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
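Review bot: the added note's date "2023081" is missing a digit; the surrounding otrs2 notes use "20230811", so fix it to that before it diverges from the rest of the entry.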
[Git][security-tracker-team/security-tracker][master] dla: add otrs2
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 50ac9d28 by Sylvain Beucler at 2023-08-11T12:00:03+02:00 dla: add otrs2 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -125,6 +125,11 @@ openjdk-11 (Emilio) openssl (gladk) NOTE: 20230731: Added by Front-Desk (apo) -- +otrs2 + NOTE: 20230811: Added by Front-Desk (Beuc) + NOTE: 20230811: Lots of CVEs have been marked no-dsa or ignored (Non-free not supported), + NOTE: 20230811: but this is a sponsored package, so they need to be fixed. (Beuc/front-desk) +-- poppler (Adrian Bunk) NOTE: 20230804: Added by Front-Desk (gladk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50ac9d28f1a82c7dea1cef600461388e4795df02 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50ac9d28f1a82c7dea1cef600461388e4795df02 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-4016/procps: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 0c615cf9 by Sylvain Beucler at 2023-08-11T11:50:50+02:00 CVE-2023-4016/procps: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1607,6 +1607,7 @@ CVE-2023-4016 (Under some circumstances, this weakness allows a user who has acc - procps (bug #1042887) [bookworm] - procps (Minor issue) [bullseye] - procps (Minor issue) + [buster] - procps (Minor issue, DoS, rare conditions) NOTE: https://gitlab.com/procps-ng/procps/-/issues/297 NOTE: https://gitlab.com/procps-ng/procps/-/commit/2c933ecba3bb1d3041a5a7a53a7b4078a6003413 CVE-2023-3739 (Insufficient validation of untrusted input in Chromad in Google Chrome ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c615cf96295c784c83f76c9bb72d7a458ee9c2b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c615cf96295c784c83f76c9bb72d7a458ee9c2b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-36054/krb5: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 6defd9b6 by Sylvain Beucler at 2023-08-10T16:08:04+02:00 CVE-2023-36054/krb5: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -744,6 +744,7 @@ CVE-2023-36054 (lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.2 - krb5 [bookworm] - krb5 (Minor issue) [bullseye] - krb5 (Minor issue) + [buster] - krb5 (Minor issue, DoS) NOTE: https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd CVE-2023-34477 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) TODO: check View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6defd9b67ed8c49e3ebf4c971aa2ca8906ab3817 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6defd9b67ed8c49e3ebf4c971aa2ca8906ab3817 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: add mediawiki
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: c316d5a2 by Sylvain Beucler at 2023-08-10T16:02:32+02:00 dla: add mediawiki - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -84,6 +84,11 @@ libreoffice (santiago) linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- +mediawiki + NOTE: 20230810: Added by Front-Desk (Beuc) + NOTE: 20230810: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/31 + NOTE: 20230810: Check DSA-5447-1 (Beuc/front-desk) +-- nodejs (guilhem) NOTE: 20230731: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c316d5a22d265961699b6b1fe8bbf562cbf74c2d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c316d5a22d265961699b6b1fe8bbf562cbf74c2d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2023-38497/cargo,rust-cargo: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: bc18d78d by Sylvain Beucler at 2023-08-10T14:10:45+02:00 CVE-2023-38497/cargo,rust-cargo: buster postponed - - - - - 52ebd861 by Sylvain Beucler at 2023-08-10T14:10:47+02:00 openbabel: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1036,9 +1036,11 @@ CVE-2023-38497 (Cargo downloads the Rust project\u2019s dependencies and compile - cargo [bookworm] - cargo (Minor issue) [bullseye] - cargo (Minor issue) + [buster] - cargo (Minor issue, hard to exploit) - rust-cargo [bookworm] - rust-cargo (Minor issue) [bullseye] - rust-cargo (Minor issue) + [buster] - rust-cargo (Minor issue, hard to exploit) NOTE: https://www.openwall.com/lists/oss-security/2023/08/03/2 NOTE: https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2023-38497 NOTE: https://github.com/rust-lang/cargo/security/advisories/GHSA-j3xp-wfr4-hx87 
@@ -46531,41 +46533,49 @@ CVE-2022-46295 (Multiple out-of-bounds write vulnerabilities exist in the transl - openbabel [bookworm] - openbabel (Minor issue) [bullseye] - openbabel (Minor issue) + [buster] - openbabel (Minor issue, no upstream patch yet) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666 CVE-2022-46294 (Multiple out-of-bounds write vulnerabilities exist in the translationV ...) - openbabel [bookworm] - openbabel (Minor issue) [bullseye] - openbabel (Minor issue) + [buster] - openbabel (Minor issue, no upstream patch yet) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666 CVE-2022-46293 (Multiple out-of-bounds write vulnerabilities exist in the translationV ...) - openbabel [bookworm] - openbabel (Minor issue) [bullseye] - openbabel (Minor issue) + [buster] - openbabel (Minor issue, no upstream patch yet) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666 CVE-2022-46292 (Multiple out-of-bounds write vulnerabilities exist in the translationV ...) - openbabel [bookworm] - openbabel (Minor issue) [bullseye] - openbabel (Minor issue) + [buster] - openbabel (Minor issue, no upstream patch yet) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666 CVE-2022-46291 (Multiple out-of-bounds write vulnerabilities exist in the translationV ...) - openbabel [bookworm] - openbabel (Minor issue) [bullseye] - openbabel (Minor issue) + [buster] - openbabel (Minor issue, no upstream patch yet) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666 CVE-2022-46290 (Multiple out-of-bounds write vulnerabilities exist in the ORCA format ...) - openbabel [bookworm] - openbabel (Minor issue) [bullseye] - openbabel (Minor issue) + [buster] - openbabel (Minor issue, no upstream patch yet) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1665 CVE-2022-46289 (Multiple out-of-bounds write vulnerabilities exist in the ORCA format ...) 
- openbabel [bookworm] - openbabel (Minor issue) [bullseye] - openbabel (Minor issue) + [buster] - openbabel (Minor issue, no upstream patch yet) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1665 CVE-2022-46280 (A use of uninitialized pointer vulnerability exists in the PQS format ...) - openbabel [bookworm] - openbabel (Minor issue) [bullseye] - openbabel (Minor issue) + [buster] - openbabel (Minor issue, no upstream patch yet) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1670 CVE-2022-46278 RESERVED @@ -46607,6 +46617,7 @@ CVE-2022-44451 (A use of uninitialized pointer vulnerability exists in the MSI f - openbabel [bookworm] - openbabel (Minor issue) [bullseye] - openbabel (Minor issue) + [buster] - openbabel (Minor issue, no upstream patch yet) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1669 CVE-2022-43664 (A use-after-free vulnerability exists within the way Ichitaro Word Pro ...) NOT-FOR-US: Ichitaro @@ -46618,11 +46629,13 @@ CVE-2022-43467 (An out-of-bounds write vulnerability exists in the PQS format co - openbabel [bookworm] - openbabel (Minor issue) [bullseye] - openbabel (Minor issue) + [buster] - openbabel (Minor issue, no upstream patch yet) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1671 CVE-2022-42885 (A use of uninitialized pointer vulnerability exists in the GRO
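Review bot: the second commit message, "openbabel: buster postponed", names no CVE identifiers although the hunk marks a long run of openbabel entries (CVE-2022-46295 down to at least CVE-2022-42885) as postponed with the same reason; the other messages in this series use the "CVE-xxxx/package:" form, so list the CVE range or the TALOS report ids in the message to keep the history searchable.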
[Git][security-tracker-team/security-tracker][master] CVE-2023-37276/python-aiohttp: buster not-affected
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 86284d7b by Sylvain Beucler at 2023-08-09T20:31:12+02:00 CVE-2023-37276/python-aiohttp: buster not-affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2575,9 +2575,11 @@ CVE-2023-37276 (aiohttp is an asynchronous HTTP client/server framework for asyn - python-aiohttp [bookworm] - python-aiohttp (Minor issue) [bullseye] - python-aiohttp (Minor issue) + [buster] - python-aiohttp (doesn't use llhttp, PoC is rejected with Bad Request) NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w NOTE: https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40 NOTE: https://hackerone.com/reports/2001873 + NOTE: http-parser->llhttp switch: https://github.com/aio-libs/aiohttp/commit/485a5fc49050f8f8bf0d7eec8a85b4d9b450386c (v3.8.0a4) CVE-2023-35900 (IBM Robotic Process Automation for Cloud Pak 21.0.0 through 21.0.7.4 a ...) NOT-FOR-US: IBM CVE-2023-35898 (IBM InfoSphere Information Server 11.7 could allow an authenticated us ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86284d7b9e2bd0bdd3328d516e2083a760e64ef8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86284d7b9e2bd0bdd3328d516e2083a760e64ef8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
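Review bot: the commit message says buster is not-affected, but the added buster line ("doesn't use llhttp, PoC is rejected with Bad Request") reads the same as the "[buster] - ... (Minor issue ...)" postponements in the procps and krb5 commits of this series; make sure the entry carries the not-affected status rather than a postponement, since the reason text alone does not distinguish the two. The added reference to the http-parser to llhttp switch (v3.8.0a4) is the right supporting evidence for the claim.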
[Git][security-tracker-team/security-tracker][master] dla: add datatables.js
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: af6ef93a by Sylvain Beucler at 2023-08-09T18:30:48+02:00 dla: add datatables.js - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -32,6 +32,11 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- +datatables.js + NOTE: 20230809: Added by Front-Desk (Beuc) + NOTE: 20230809: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/29 + NOTE: 20230809: Follow fixes from 11.2 (1 CVE) (Beuc/front-desk) +-- docker.io NOTE: 20230303: Added by Front-Desk (Beuc) NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af6ef93a6ac2a2101c820d3fb3813bb590851755 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af6ef93a6ac2a2101c820d3fb3813bb590851755 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
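Review bot: "Follow fixes from 11.2 (1 CVE)" in the datatables.js entry omits the suite name, whereas the docker.io entry directly below writes "Follow fixes from bullseye 11.2 (3 CVEs)"; write "bullseye 11.2" and name the CVE so the entry is self-explanatory.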
[Git][security-tracker-team/security-tracker][master] dla: add i2p (with experimental issue-based LTS workflow)
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 256ed1ea by Sylvain Beucler at 2023-08-09T16:58:46+02:00 dla: add i2p (with experimental issue-based LTS workflow) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -60,6 +60,10 @@ glib2.0 (santiago) NOTE: 20230724: buster should be ready. need if it's possible to run same reporter's fuzz test NOTE: 20230807: idem. -- +i2p + NOTE: 20230809: Added by Front-Desk (Beuc) + NOTE: 20230809: Experimental issue-based workflow: please follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28 +-- imagemagick (rouca) NOTE: 20230622: Added by Front-Desk (Beuc) NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/256ed1ea6aa1b7601c7174448d16730916493138 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/256ed1ea6aa1b7601c7174448d16730916493138 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: data/embedded-code-copies: drop ruby versions <=wheezy
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 09b41c3c by Sylvain Beucler at 2023-08-09T11:18:40+02:00 data/embedded-code-copies: drop ruby versions <=wheezy - - - - - c9d9f0a6 by Sylvain Beucler at 2023-08-09T11:18:40+02:00 data/embedded-code-copies: document ruby-arel situation - - - - - 1 changed file: - data/embedded-code-copies Changes: = data/embedded-code-copies = @@ -1914,9 +1914,6 @@ dtoa - qt4-x11 (embed) - rhino (embed) NOTE: code translated to Java - - ruby1.8 (embed) - - ruby1.9 (embed) - - ruby1.9.1 (embed) - sdd (embed) - sfind (embed) - star (embed) @@ -2199,10 +2196,6 @@ kfreebsd-8 - kfreebsd-7 (old-version) - kfreebsd-6 (old-version) -ruby1.9.1 - - ruby1.9 (old-version) - - ruby1.8 (old-version) - maildrop - courier (embed) [./maildrop] @@ -3820,3 +3813,7 @@ llhttp (ITP: #977716) cakephp - zoneminder (embed; bug #1042970) + +ruby-arel + - rails 2:6.1.7.3+dfsg-2 (embed; bug #1038935) [activerecord/lib/arel*] + NOTE: ruby-arel to be RM'd from bookworm as well through -pu, in favor of the embedded copy View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f4e4937ef085b28cfbd17bfb41f19e7cad6056b3...c9d9f0a69b14fd25e4ae8fb286edc99a7a79edeb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f4e4937ef085b28cfbd17bfb41f19e7cad6056b3...c9d9f0a69b14fd25e4ae8fb286edc99a7a79edeb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: add intel-microcode
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 41979053 by Sylvain Beucler at 2023-08-09T10:47:30+02:00 dla: add intel-microcode - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -64,6 +64,11 @@ imagemagick (rouca) NOTE: 20230622: Added by Front-Desk (Beuc) NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) -- +intel-microcode + NOTE: 20230809: Added by Front-Desk (Beuc) + NOTE: 20230809: Please coordinate with the upcoming linux update (with bwh) so users don't have to reboot twice. + NOTE: 20230809: Upcoming DSA. (Beuc/front-desk) +-- libreoffice (santiago) NOTE: 20230530: Added by Front-Desk (pochu) NOTE: 20230718: http://people.debian.org/~abhijith/upload/lo (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/419790537452307a08a4f430e2d10df4f9db5cc7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/419790537452307a08a4f430e2d10df4f9db5cc7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: add rar and unrar-nonfree
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: c1c67975 by Sylvain Beucler at 2023-08-08T21:31:23+02:00 dla: add rar and unrar-nonfree - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -150,6 +150,11 @@ rails NOTE: 20221024: to break thrice in less than 2 month. NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh) -- +rar + NOTE: 20230808: Added by Front-Desk (Beuc) + NOTE: 20230808: CVE-2022-30333 was tagged "Non-free not supported" but we have sponsors for this package in buster, + NOTE: 20230808: so it should be fixed. Fixed by 6.12, not sure there's a fix in the 5.x series. (Beuc/front-desk) +-- ring (Thorsten Alteholz) NOTE: 20221120: Added by Front-Desk (ta) NOTE: 20230507: testing package @@ -200,6 +205,9 @@ suricata (Adrian Bunk) NOTE: 20230714: Still reviewing+testing CVEs. (bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) -- +unrar-nonfree + NOTE: 20230808: Added by Front-Desk (Beuc) +-- zabbix (tobi) NOTE: 20230731: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1c67975e96811c5fb381773626530d55487cf80 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1c67975e96811c5fb381773626530d55487cf80 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
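Review bot: the unrar-nonfree entry in the second hunk has only "Added by Front-Desk (Beuc)" and no CVE or rationale, while the rar entry in the first hunk explains that CVE-2022-30333 matters because the package is sponsored in buster; state which CVE(s) unrar-nonfree is added for and whether the same sponsorship argument applies, so it is not tagged "Non-free not supported" again.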
[Git][security-tracker-team/security-tracker][master] CVE-2023-3896/vim: patches, affected versions, buster not-affected
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: fda70de4 by Sylvain Beucler at 2023-08-08T19:13:07+02:00 CVE-2023-3896/vim: patches, affected versions, buster not-affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -80,8 +80,12 @@ CVE-2023-4155 NOTE: https://git.kernel.org/linus/7588dbcebcbf0193ab5b76987396d0254270b04a CVE-2023-3896 (Divide By Zero in vim/vim from9.0.1367-1 to9.0.1367-3) - vim + [buster] - vim (Vulnerable code introduced later) NOTE: https://github.com/vim/vim/issues/12528 NOTE: https://github.com/vim/vim/pull/12540 + NOTE: Introduced by: https://github.com/vim/vim/commit/361895d2a15b4b04c009261eab5b3d69ebf1 (v9.0.0908) + NOTE: https://github.com/vim/vim/commit/8154e642aa476e1a5d3de66c34e8289845b2b797 (v9.0.1664) + NOTE: https://github.com/vim/vim/commit/e42989374144a63d986b878618aeac328e35ac3b (v9.0.1667) CVE-2023-3671 (The MultiParcels Shipping For WooCommerce WordPress plugin before 1.15 ...) NOT-FOR-US: WordPress plugin CVE-2023-3650 (The Bubble Menu WordPress plugin before 3.0.5 does not sanitize and es ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fda70de4f8e693b1051aed09d9768b6faa39fd12 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fda70de4f8e693b1051aed09d9768b6faa39fd12 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
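Review bot: the "Introduced by" commit hash 361895d2a15b4b04c009261eab5b3d69ebf1 is 36 hex characters, neither a full 40-character SHA-1 like the two fix commits below it nor a usual short form, so it looks truncated; verify it and paste the full hash so the link stays resolvable. Recording the introducing commit (v9.0.0908) next to the "Vulnerable code introduced later" buster annotation is exactly the evidence this triage needs.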
[Git][security-tracker-team/security-tracker][master] dla: add ruby-rmagick
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 5e40a706 by Sylvain Beucler at 2023-08-08T18:27:30+02:00 dla: add ruby-rmagick - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -165,6 +165,9 @@ ruby-rails-html-sanitizer NOTE: 20221231: Added by Front-Desk (ola) NOTE: 20230303: this cannot be fixed unless ruby-loofah is fixed with appropriate methods. (utkarsh) -- +ruby-rmagick (rouca) + NOTE: 20230808: Added by Front-Desk on rouca's (imagemagick package maintainer) request (Beuc) +-- salt NOTE: 20220814: Added by Front-Desk (gladk) NOTE: 20220814: I am not sure, whether it is possible to fix issues View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e40a706598d9b5c5c9aa543d14af008c55ab32c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e40a706598d9b5c5c9aa543d14af008c55ab32c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-3978/golang-golang-x-net-dev: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 0ed6002e by Sylvain Beucler at 2023-08-07T20:03:12+02:00 CVE-2023-3978/golang-golang-x-net-dev: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -533,6 +533,7 @@ CVE-2023-4067 (The Bus Ticket Booking with Seat Reservation plugin for WordPress CVE-2023-3978 (Text nodes not in the HTML namespace are incorrectly literally rendere ...) - golang-golang-x-net (bug #1043163) - golang-golang-x-net-dev + [buster] - golang-golang-x-net-dev (Limited support, follow bullseye DSAs/point-releases) NOTE: https://go.dev/cl/514896 NOTE: https://go.dev/issue/61615 NOTE: https://pkg.go.dev/vuln/GO-2023-1988 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0ed6002e9d75e3bd7ff69ba354744c70fa7bf366 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0ed6002e9d75e3bd7ff69ba354744c70fa7bf366 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-36617/ruby2.5,jruby: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: e475358b by Sylvain Beucler at 2023-08-07T20:00:56+02:00 CVE-2023-36617/ruby2.5,jruby: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4785,9 +4785,11 @@ CVE-2023-36617 (A ReDoS issue was discovered in the URI component before 0.12.2 - ruby3.1 (Incomplete fix never applied) - ruby2.7 (Incomplete fix never applied) - ruby2.5 + [buster] - ruby2.5 (Minor issue, ReDoS) - jruby [bookworm] - jruby (Incomplete fix never applied) [bullseye] - jruby (Incomplete fix never applied) + [buster] - jruby (Minor issue, ReDoS) NOTE: https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/ NOTE: https://github.com/ruby/uri/commit/9010ee2536adda10a0555ae1ed6fe2f5808e6bf1 NOTE: https://github.com/ruby/uri/commit/9d7bcef1e6ad23c9c6e4932f297fb737888144c8 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e475358bc65d999e794198822ea24411f562e7b8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e475358bc65d999e794198822ea24411f562e7b8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-25515,CVE-2023-25516/nvidia-graphics-drivers-legacy-340xx: buster ignored
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: caf87e32 by Sylvain Beucler at 2023-08-07T19:55:19+02:00 CVE-2023-25515,CVE-2023-25516/nvidia-graphics-drivers-legacy-340xx: buster ignored - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28364,6 +28364,7 @@ CVE-2023-25516 (NVIDIA GPU Display Driver for Linux contains a vulnerability in [bullseye] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) [buster] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx (bug #1039679) + [buster] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported, no updates provided by Nvidia anymore) - nvidia-graphics-drivers 525.125.06-1 (bug #1039678) [bookworm] - nvidia-graphics-drivers 525.125.06-1~deb12u1 [bullseye] - nvidia-graphics-drivers (Non-free not supported) 
@@ -28388,6 +28389,7 @@ CVE-2023-25515 (NVIDIA GPU Display Driver for Windows and Linux contains a vulne [bullseye] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) [buster] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx (bug #1039679) + [buster] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported, no updates provided by Nvidia anymore) - nvidia-graphics-drivers 525.125.06-1 (bug #1039678) [bookworm] - nvidia-graphics-drivers 525.125.06-1~deb12u1 [bullseye] - nvidia-graphics-drivers (Non-free not supported) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/caf87e328b6d7903dd5389f429abe20978f6b5b8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/caf87e328b6d7903dd5389f429abe20978f6b5b8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Revert "CVE-2023-38559/ghostscript: buster postponed"
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 02083da9 by Sylvain Beucler at 2023-08-07T17:44:51+02:00 Revert "CVE-2023-38559/ghostscript: buster postponed" This reverts commit 9a235de5c98c4c4e7fafc119d35ea2366a3051a5. Fixed by DLA 3519-1 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -664,7 +664,6 @@ CVE-2023-38559 (A buffer overflow flaw was found in base/gdevdevn.c:1973 in devn - ghostscript (bug #1043033) [bookworm] - ghostscript (Minor issue; can be batched together in a later update) [bullseye] - ghostscript (Minor issue; can be batched together in a later update) - [buster] - ghostscript (Minor issue; can be batched together in a later update) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=706897 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f CVE-2023-38357 (Session tokens in RWS WorldServer 11.7.3 and earlier have a low entrop ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02083da91f6a860eb2ef34a14eb729f2e9493fab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02083da91f6a860eb2ef34a14eb729f2e9493fab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-38559/ghostscript: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 9a235de5 by Sylvain Beucler at 2023-08-07T16:43:26+02:00 CVE-2023-38559/ghostscript: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -664,6 +664,7 @@ CVE-2023-38559 (A buffer overflow flaw was found in base/gdevdevn.c:1973 in devn - ghostscript (bug #1043033) [bookworm] - ghostscript (Minor issue; can be batched together in a later update) [bullseye] - ghostscript (Minor issue; can be batched together in a later update) + [buster] - ghostscript (Minor issue; can be batched together in a later update) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=706897 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f CVE-2023-38357 (Session tokens in RWS WorldServer 11.7.3 and earlier have a low entrop ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a235de5c98c4c4e7fafc119d35ea2366a3051a5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a235de5c98c4c4e7fafc119d35ea2366a3051a5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Fix typo
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: f7bee307 by Sylvain Beucler at 2023-08-07T16:38:27+02:00 Fix typo - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5258,7 +5258,7 @@ CVE-2023-3 (INEX IXP-Manager before 6.3.1 allows XSS. list-preamble.foil.php CVE-2023-36664 (Artifex Ghostscript through 10.01.2 mishandles permission validation f ...) {DSA-5446-1} - ghostscript 10.01.2~dfsg-1 - [buster] - ghostscript (Vulnerable code not present; no path validaton at all) + [buster] - ghostscript (Vulnerable code not present; no path validation at all) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=706761 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=706778 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=505eab7782b429017eb434b2b95120855f2b0e3c View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7bee307e54c043ecc9a5c218e364801f47c7b74 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7bee307e54c043ecc9a5c218e364801f47c7b74 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-3180/qemu: reference sanctioned patch
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 55d434cb by Sylvain Beucler at 2023-08-07T16:31:37+02:00 CVE-2023-3180/qemu: reference sanctioned patch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -356,7 +356,7 @@ CVE-2023-3329 (SpiderControl SCADA Webserver versions 2.08 and prior are vulnera CVE-2023-3180 (A flaw was found in the QEMU virtual crypto device while handling data ...) - qemu NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/04b9b37edda85964cca033a48dcc0298036782f2 (v2.8.0-rc0) - NOTE: Proposed patch: https://lists.nongnu.org/archive/html/qemu-devel/2023-08/msg00401.html + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/9d38a8434721a6479fe03fb5afb150ca793d3980 (master) CVE-2023-39144 (Element55 KnowMore appliances version 21 and older was discovered to s ...) NOT-FOR-US: Element55 CVE-2023-39121 (emlog v2.1.9 was discovered to contain a SQL injection vulnerability v ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/55d434cbd14a8fbcf6e0e5965f3d2061336a8934 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/55d434cbd14a8fbcf6e0e5965f3d2061336a8934 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
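Review bot: replacing the "Proposed patch:" NOTE with the merged commit drops the qemu-devel thread reference (https://lists.nongnu.org/archive/html/qemu-devel/2023-08/msg00401.html) that documents how the fix was arrived at; the CVE-2023-0330 entry edited later in this series keeps both its "Proposed patch:" and "Fixed by:" lines, so consider keeping the mailing-list NOTE and prefixing the new line with "Fixed by:" for consistency with the other qemu entries.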
[Git][security-tracker-team/security-tracker][master] CVE-2023-4156/gawk: drop confusing link to non-OOB-read-related fixes
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 087685b9 by Sylvain Beucler at 2023-08-07T16:04:33+02:00 CVE-2023-4156/gawk: drop confusing link to non-OOB-read-related fixes - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -116,7 +116,6 @@ CVE-2023-4156 [heap out of bound read in builtin.c] - gawk 1:5.2.1-1 [bullseye] - gawk (Minor issue) NOTE: https://mail.gnu.org/archive/html/bug-gawk/2022-08/msg0.html - NOTE: https://mail.gnu.org/archive/html/bug-gawk/2022-08/msg00023.html NOTE: https://git.savannah.gnu.org/gitweb/?p=gawk.git;a=commitdiff;h=e709eb829448ce040087a3fc5481db6bfcaae212 (gawk-5.2.0) CVE-2023-4135 (A heap out-of-bounds memory read flaw was found in the virtual nvme de ...) - qemu View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/087685b9b2a14c608c3c7bf55955469f8ea6a9a9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/087685b9b2a14c608c3c7bf55955469f8ea6a9a9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-4156/gawk: reference patch
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 66e76a1c by Sylvain Beucler at 2023-08-07T15:55:52+02:00 CVE-2023-4156/gawk: reference patch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -117,6 +117,7 @@ CVE-2023-4156 [heap out of bound read in builtin.c] [bullseye] - gawk (Minor issue) NOTE: https://mail.gnu.org/archive/html/bug-gawk/2022-08/msg0.html NOTE: https://mail.gnu.org/archive/html/bug-gawk/2022-08/msg00023.html + NOTE: https://git.savannah.gnu.org/gitweb/?p=gawk.git;a=commitdiff;h=e709eb829448ce040087a3fc5481db6bfcaae212 (gawk-5.2.0) CVE-2023-4135 (A heap out-of-bounds memory read flaw was found in the virtual nvme de ...) - qemu [bookworm] - qemu (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/66e76a1c110acfd0d010bdf2ab72250adbee54cb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/66e76a1c110acfd0d010bdf2ab72250adbee54cb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: thunderbird already uploaded
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 0814efd6 by Sylvain Beucler at 2023-08-07T11:46:48+02:00 dla: thunderbird already uploaded - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -200,8 +200,9 @@ suricata (Adrian Bunk) NOTE: 20230714: Still reviewing+testing CVEs. (bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) -- -thunderbird +thunderbird (Sylvain Beucler) NOTE: 20230804: Added by Front-Desk (gladk) + NOTE: 20230807: Maintainer updated buster directly, coordinating announcement (Beuc/front-desk) -- zabbix (tobi) NOTE: 20230731: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0814efd61cfe6b58bbfe9c59a28c4dedbe1232ba -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0814efd61cfe6b58bbfe9c59a28c4dedbe1232ba You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
Re: Accepted thunderbird 1:102.14.0-1~deb10u1 (source) into oldoldstable
Hello Carsten,

Thanks for updating Thunderbird for buster :)

Do you want the LTS Team to take care of the DLA registration and announcement, or do you plan to do that yourself?
(I assume this matches https://www.debian.org/security/2023/dsa-5469)

Cheers!
Sylvain Beucler
Debian LTS Team

On 06/08/2023 09:00, Debian FTP Masters wrote:

Format: 1.8
Date: Sat, 05 Aug 2023 09:42:03 +0200
Source: thunderbird
Architecture: source
Version: 1:102.14.0-1~deb10u1
Distribution: buster-security
Urgency: medium
Maintainer: Carsten Schoenert
Changed-By: Carsten Schoenert
Changes:
 thunderbird (1:102.14.0-1~deb10u1) buster-security; urgency=medium
 .
   * Rebuild for buster-security
[Git][security-tracker-team/security-tracker][master] CVE-2023-25435/tiff: reference prior CVE fixed with same patch
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 259dd1c5 by Sylvain Beucler at 2023-08-03T19:59:30+02:00 CVE-2023-25435/tiff: reference prior CVE fixed with same patch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28032,6 +28032,7 @@ CVE-2023-25435 (libtiff 4.5.0 is vulnerable to Buffer Overflow via extractContig [buster] - tiff 4.1.0+git191117-2~deb10u7 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/518 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38 (v4.5.1rc1) + NOTE: Same fix as CVE-2023-0795 CVE-2023-25434 (libtiff 4.5.0 is vulnerable to Buffer Overflow via extractContigSample ...) - tiff 4.5.0-5 [bullseye] - tiff 4.2.0-1+deb11u4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/259dd1c5210ff7bc2c69f6480f827c3d7cd7c65c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/259dd1c5210ff7bc2c69f6480f827c3d7cd7c65c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2022-4907/ffmpeg: buster not-affected
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 5f583338 by Sylvain Beucler at 2023-08-03T13:30:14+02:00 CVE-2022-4907/ffmpeg: buster not-affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27072,7 +27072,9 @@ CVE-2022-4907 (Uninitialized Use in FFmpeg in Google Chrome prior to 108.0.5359. - ffmpeg 7:6.0-4 [bookworm] - ffmpeg (Minor issue, wait until it lands in 5.1.x) [bullseye] - ffmpeg (Minor issue, wait until it lands in 4.3.x) + [buster] - ffmpeg (Vulnerable code introduced later) NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/e601ec3c1991ee09ff45db3be4d894e5774f6f2b (n6.0) + NOTE: Introduced by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/c3bf53fab2165f52b3f71412664668dd75e10a0f (n5.1) CVE-2022-4906 (Inappropriate implementation in Blink in Google Chrome prior to 108.0. ...) {DSA-5293-1} - chromium 108.0.5359.71-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f5833386d7f41d06befbed3d2adb298547ae0de -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f5833386d7f41d06befbed3d2adb298547ae0de You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-28864/chef: reference patch
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: d9720f53 by Sylvain Beucler at 2023-08-03T12:10:41+02:00 CVE-2023-28864/chef: reference patch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17219,6 +17219,7 @@ CVE-2023-28864 (Progress Chef Infra Server before 15.7 allows a local attacker t - chef NOTE: https://blog.mondoo.com/chef-infra-server-cve-2023-28864-impact-and-remediation NOTE: https://github.com/chef/chef-server/blob/8a2dc82148844767f7c7728633a03dcee812e56a/omnibus/files/server-ctl-cookbooks/infra-server/recipes/oc_bifrost.rb#L42 + NOTE: Fixed by: https://github.com/chef/chef-server/commit/985dfee99044ff477dbc08462b6d69add70f8608 (15.7.0) NOTE: only chef-server removed since 201207 CVE-2023-28863 (AMI MegaRAC SPx12 and SPx13 devices have Insufficient Verification of ...) NOT-FOR-US: AMI View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9720f53a6b8a954d896b70b50aa518956f11bae -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9720f53a6b8a954d896b70b50aa518956f11bae You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: tidy golang triage
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: cad08bb8 by Sylvain Beucler at 2023-08-02T21:02:36+02:00 dla: tidy golang triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15238,6 +15238,7 @@ CVE-2023-29409 - golang-1.19 1.19.12-1 - golang-1.15 - golang-1.11 + [buster] - golang-1.11 (Limited support, follow bullseye DSAs/point-releases) NOTE: https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI CVE-2023-29408 RESERVED @@ -15249,6 +15250,7 @@ CVE-2023-29406 (The HTTP/1 client does not fully validate the contents of the Ho [bookworm] - golang-1.19 (Minor issue) - golang-1.15 - golang-1.11 + [buster] - golang-1.11 (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://groups.google.com/g/golang-announce/c/2q13H6LEEx0 NOTE: https://github.com/golang/go/issues/60374 NOTE: https://github.com/golang/go/commit/312920c00aac9897b2a0693e752390b5b0711a5a (go1.20.6) @@ -15261,7 +15263,7 @@ CVE-2023-29405 (The go command may execute arbitrary code at build time when usi - golang-1.15 [bullseye] - golang-1.15 (Minor issue) - golang-1.11 - [buster] - golang-1.11 (Limited support) + [buster] - golang-1.11 (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://groups.google.com/g/golang-announce/c/q5135a9d924 NOTE: https://github.com/golang/go/issues/60306 NOTE: https://github.com/golang/go/commit/fa60c381ed06c12f9c27a7b50ca44c5f84f7f0f4 (go1.20.5) 
@@ -15276,7 +15278,7 @@ CVE-2023-29404 (The go command may execute arbitrary code at build time when usi - golang-1.15 [bullseye] - golang-1.15 (Minor issue) - golang-1.11 - [buster] - golang-1.11 (Limited support) + [buster] - golang-1.11 (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://groups.google.com/g/golang-announce/c/q5135a9d924 NOTE: https://github.com/golang/go/issues/60305 NOTE: https://github.com/golang/go/commit/356a419e2f811b65d227abcea1a346f8dcb154e0 (go1.20.5) @@ -15289,7 +15291,7 @@ CVE-2023-29403 (On Unix platforms, the Go runtime does not behave differently wh - golang-1.15 [bullseye] - golang-1.15 (Minor issue) - golang-1.11 - [buster] - golang-1.11 (Limited support) + [buster] - golang-1.11 (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://groups.google.com/g/golang-announce/c/q5135a9d924 NOTE: https://github.com/golang/go/issues/60272 NOTE: https://github.com/golang/go/commit/36144ba429ef2650940c72e7a0b932af3612d420 (go1.20.5) @@ -15302,7 +15304,7 @@ CVE-2023-29402 (The go command may generate unexpected code at build time when u - golang-1.15 [bullseye] - golang-1.15 (Minor issue) - golang-1.11 - [buster] - golang-1.11 (Limited support) + [buster] - golang-1.11 (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://groups.google.com/g/golang-announce/c/q5135a9d924 NOTE: https://github.com/golang/go/issues/60167 NOTE: https://github.com/golang/go/commit/c0ed873cd8259f16d0da67eee783fda49f45ef61 (go1.20.5) 
@@ -15311,7 +15313,7 @@ CVE-2023-29401 (The filename parameter of the Context.FileAttachment function is - golang-github-gin-gonic-gin (bug #1037530) [bookworm] - golang-github-gin-gonic-gin (Minor issue) [bullseye] - golang-github-gin-gonic-gin (Minor issue) - [buster] - golang-github-gin-gonic-gin (Minor issue) + [buster] - golang-github-gin-gonic-gin (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://github.com/gin-gonic/gin/issues/3555 NOTE: https://github.com/gin-gonic/gin/commit/2d4bbec941551479b1fdf1e54ece03e6e82a7e72 (v1.9.1) CVE-2023-29400 (Templates containing actions in unquoted HTML attributes (e.g. "attr={ ...) @@ -15323,7 +15325,7 @@ CVE-2023-29400 (Templates containing actions in unquoted HTML attributes (e.g. " - golang-1.15 [bullseye] - golang-1.15 (Minor issue) - golang-1.11 - [buster] - golang-1.11 (Minor issue) + [buster] - golang-1.11 (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU NOTE: https://github.com/golang/go/issues/59722 NOTE: https://github.com/golang/go/commit/9db0e74f606b8afb28cc71d4b1c8b4ed24cabbf5 (go1.19.9) @@ -30459,7 +30461,7 @@ CVE-2023-24540 (Not all valid JavaScript whitespace characters are considered to - golang-1.15 [bullseye] - golang-1.15 (M
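Review bot: the buster annotation added for CVE-2023-29409 in the first hunk reads "(Limited support, follow bullseye DSAs/point-releases)" without the "minor issue" qualifier that every other golang-1.11 and gin-gonic buster line touched by this commit carries; if CVE-2023-29409 is deliberately rated differently that is fine, otherwise align the wording so the triage state is consistent across the batch.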
[Git][security-tracker-team/security-tracker][master] CVE-2023-28755/ruby*: reference follow-up CVE
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: cdf4bfb5 by Sylvain Beucler at 2023-08-02T20:48:16+02:00 CVE-2023-28755/ruby*: reference follow-up CVE - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17576,6 +17576,7 @@ CVE-2023-28755 (A ReDoS issue was discovered in the URI component through 0.12.0 NOTE: Fixed by: https://github.com/ruby/ruby/commit/8ce4ab146498879b65e22f1be951b25eebb79300 (v3_1_4) NOTE: Fixed by: https://github.com/ruby/uri/commit/eaf89cc31619d49e67c64d0b58ea9dc38892d175 (v0.12.1) NOTE: https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/ + NOTE: Incomplete fix, cf. CVE-2023-36617 CVE-2023-28754 (Deserialization of Untrusted Data vulnerability in Apache ShardingSphe ...) NOT-FOR-US: Apache ShardingSphere-Agent CVE-2023-28753 (netconsd prior to v0.2 was vulnerable to an integer overflow in its pa ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cdf4bfb5767d2ce4a325292ddf42870ea771fc14 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cdf4bfb5767d2ce4a325292ddf42870ea771fc14 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Typo
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: ccc03ddd by Sylvain Beucler at 2023-08-02T20:38:40+02:00 Typo - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30522,7 +30522,7 @@ CVE-2023-24535 (Parsing invalid messages can panic. Parsing a text-format messag - python3.7 (unimportant) - python2.7 (unimportant) NOTE: https://github.com/python/cpython/issues/103800 - NOTE: Disupted upstream and not considered a security issue, negligible security impact + NOTE: Disputed upstream and not considered a security issue, negligible security impact CVE-2023-24534 (HTTP and MIME header parsing can allocate large amounts of memory, eve ...) - golang-1.20 1.20.3-1 [experimental] - golang-1.19 1.19.8-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ccc03ddd03281ef94bf2ba6fbdc3146384fdbafc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ccc03ddd03281ef94bf2ba6fbdc3146384fdbafc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-3301/qemu: buster not-affected
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 8449c0d5 by Sylvain Beucler at 2023-08-02T20:11:31+02:00 CVE-2023-3301/qemu: buster not-affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -79,6 +79,7 @@ CVE-2023-3364 (An issue has been discovered in GitLab CE/EE affecting all versio - gitlab CVE-2023-3301 [net: triggerable assertion due to race condition in hot-unplug] - qemu 1:8.0.3+dfsg-1 + [buster] - qemu (vhost-vdpa introduced in v5.1) NOTE: https://github.com/qemu/qemu/commit/a0d7215e339b61c7d7a7b3fcf754954d80d93eb8 (v8.1.0-rc0) NOTE: https://github.com/qemu/qemu/commit/aab37b2002811f112d5c26337473486d7d585881 (v8.0.3) CVE-2023-3718 (An authenticated command injection vulnerability exists in the AOS-CX ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8449c0d5af0c6c2cb0f8df0ef0da41c7bf004b88 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8449c0d5af0c6c2cb0f8df0ef0da41c7bf004b88 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
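Review bot: the new buster annotation "(vhost-vdpa introduced in v5.1)" gives the reason but not the not-affected wording the commit title announces; the vim and ffmpeg entries in this same batch use "(Vulnerable code introduced later)", so "[buster] - qemu (Vulnerable code introduced later, vhost-vdpa introduced in v5.1)" would make the triage outcome unambiguous while keeping the justification.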
Debian LTS and ELTS - July 2023
Here is my public monthly report. Thanks to our sponsors for making this possible, and to Freexian for handling the offering.
https://www.freexian.com/lts/debian/#sponsors

LTS
- nsis
  - Test and review DLA 3483-1 from Sean Whitton
    https://lists.debian.org/debian-lts/2023/07/msg00019.html
    https://lists.debian.org/debian-lts-announce/2023/07/msg5.html
- python-git
  - DLA 3502-1 (1 CVE + 1 pending)
    https://lists.debian.org/debian-lts-announce/2023/07/msg00024.html
- grpc
  - Investigate status including confusions in CVE descriptions
  - Drop (no more open issues)

ELTS
- mailman
  - Preliminary ELA work
  - Cancel due to end of ELTS support
- python-git
  - Discover incomplete fix for CVE-2022-24439 and coordinate new fix
    https://github.com/gitpython-developers/GitPython/pull/1609
  - ELA-894-1 (stretch, 1 CVE + 1 pending)
    https://www.freexian.com/lts/extended/updates/ela-894-1-python-git/
- twisted
  - Clean-up/refresh Git branches
  - ELA-896-1 (stretch & jessie, 3 CVEs)
    https://www.freexian.com/lts/extended/updates/ela-896-1-twisted/
- Front Desk (week 31 1/2)
  - Start triaging open issues
  - Re-check qemu open CVEs waiting for official patches
  - Fix 2 incomplete ELA entries in security trackers
  - Document sox upstream status
  - Clean-ups/precisions in work queue and package database

Documentation and tooling
- Improve work queue report ('find-work') (private tooling planned to be made public)
  - Query maintainer coordination info from existing 'lts-do-call-me' file
  - Clean-up package database accordingly and coordinate with 1 maintainer
  - Fix crash
- LTS Documentation
  - TestSuites: further twisted testing
    https://lts-team.pages.debian.net/wiki/TestSuites/twisted.html
- Fix DLA-3309-1/graphite-web announcement on webmasters notice
  https://bugs.debian.org/1041539
- Continue discussion on making stable-security build logs public after package release
  https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/51#note_412097
- Internal discussion on GitLab issue-based workflow for package updates
- Help newcomers on IRC

--
Sylvain Beucler
Debian LTS Team
[Git][security-tracker-team/security-tracker][master] CVE-2023-32732/grpc: slight clarification
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 865da069 by Sylvain Beucler at 2023-08-01T19:53:11+02:00 CVE-2023-32732/grpc: slight clarification - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6032,7 +6032,7 @@ CVE-2023-32732 (gRPC contains a vulnerability whereby a client can cause a termi - grpc [bookworm] - grpc (Minor issue) [bullseye] - grpc (Minor issue) - [buster] - grpc (Minor issue; request smuggling; recheck if fixed or introduced by #32309 when CVE description is updated) + [buster] - grpc (Minor issue; request smuggling; recheck whether fixed or introduced by #32309 when CVE description is updated) NOTE: https://github.com/grpc/grpc/pull/32309 NOTE: CVE description and fix are sensible, but there seem to be confusion: https://github.com/grpc/grpc/pull/32309#issuecomment-1589703522 CVE-2023-32731 (When gRPC HTTP2 stack raised a header size exceeded error, it skipped ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/865da069cae14c3f6dcda67e64d278bc0345b18c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/865da069cae14c3f6dcda67e64d278bc0345b18c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
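Review bot: the buster rationale still names two outcomes with opposite consequences, "fixed or introduced by #32309". If #32309 introduced the bug, buster's pre-#32309 grpc is not-affected, as already recorded for CVE-2023-32731; if #32309 fixed it, buster is vulnerable and "(Minor issue)" is a postponement. The wording change is fine, but consider adding to the second NOTE which of the two descriptions (the CVE text's client-triggered termination, or the request smuggling named in the buster tag) the "sensible" fix in #32309 addresses, so the recheck has a concrete criterion when the description is updated.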
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2023-0330/qemu: fix is available, update buster triage
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: d7614158 by Sylvain Beucler at 2023-07-31T19:46:32+02:00 CVE-2023-0330/qemu: fix is available, update buster triage - - - - - 18cf48d9 by Sylvain Beucler at 2023-07-31T19:46:34+02:00 CVE-2021-3750/qemu: reference final generic reentrancy fix, update buster triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32662,10 +32662,11 @@ CVE-2023-0330 (A vulnerability in the lsi53c895a device affects the latest versi - qemu 1:8.0.2+dfsg-1 (bug #1029155) [bookworm] - qemu 1:7.2+dfsg-7+deb12u1 [bullseye] - qemu (Minor issue) - [buster] - qemu (Minor issue, waiting for sanctioned patch) + [buster] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2160151 NOTE: Proposed patch: https://lists.nongnu.org/archive/html/qemu-devel/2023-01/msg03411.html NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/e49884a90987744ddb54b2fadc770633eb6a4d62 (v8.0.1) + NOTE: See also generic re-entrancy ground work at https://gitlab.com/qemu-project/qemu/-/issues/556 CVE-2023-0329 (The Elementor Website Builder WordPress plugin before 3.12.2 does not ...) NOT-FOR-US: WordPress plugin CVE-2022-48261 (There is a misinterpretation of input vulnerability in BiSheng-WNM FW ...) 
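Review bot: the buster tag drops "waiting for sanctioned patch", but the added "See also generic re-entrancy ground work" NOTE can be read as buster still depending on that larger series. Since the entry already records "Fixed by: ...e49884a90987 (v8.0.1)", consider saying in the buster tag that the v8.0.1 commit is the one a buster update would backport, e.g. "(Minor issue, backport e49884a9 when updating)", so the "See also" is clearly background rather than a blocker.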
@@ -138265,8 +138266,8 @@ CVE-2021-40320 CVE-2021-3750 (A DMA reentrancy issue was found in the USB EHCI controller emulation ...) - qemu 1:7.0+dfsg-1 [bullseye] - qemu (Minor issue) - [buster] - qemu (Minor issue, unclear status, follow bullseye updates) - [stretch] - qemu (Minor issue, unclear status, follow bullseye updates) + [buster] - qemu (Minor issue, follow bullseye updates) + [stretch] - qemu (Minor issue, follow bullseye updates) NOTE: https://gitlab.com/qemu-project/qemu/-/issues/541 NOTE: Fix for whole class of DMA MMIO reentrancy issues: https://gitlab.com/qemu-project/qemu/-/issues/556 NOTE: Patchset: https://lists.nongnu.org/archive/html/qemu-devel/2021-12/msg02356.html 
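Review bot: "follow bullseye updates" is now the whole rationale for buster and stretch, but bullseye itself is only "(Minor issue)" with no fixed version in this entry, so there is nothing to follow yet. Either keep a short pointer in the tag to what would trigger the update (the patch set and upstream issue 556 are already in the NOTEs), or record the bullseye plan, otherwise these two lines read as resolved.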
@@ -138274,6 +138275,7 @@ CVE-2021-3750 (A DMA reentrancy issue was found in the USB EHCI controller emula NOTE: https://gitlab.com/qemu-project/qemu/-/commit/58e74682baf4e1ad26b064d8c02e5bc99c75c5d9 (v7.0.0-rc1) NOTE: https://gitlab.com/qemu-project/qemu/-/commit/3ab6fdc91b72e156da22848f0003ff4225690ced (v7.0.0-rc1) NOTE: Possibly incomplete patch set: https://gitlab.com/qemu-project/qemu/-/issues/541#note_1179940468 + NOTE: Final fix: https://gitlab.com/qemu-project/qemu/-/commit/a2e1753b8054344f32cf94f31c6399a58794a380 (v8.1.0-rc0) CVE-2021-3749 (axios is vulnerable to Inefficient Regular Expression Complexity) - node-axios 0.21.3+dfsg-1 [bullseye] - node-axios 0.21.1+dfsg-1+deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/abb15c014e2e7ee5f7971b14c4f4cb6a299642c9...18cf48d997b292b7e353b322d2f3cbcd04149f38 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/abb15c014e2e7ee5f7971b14c4f4cb6a299642c9...18cf48d997b292b7e353b322d2f3cbcd04149f38 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
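Review bot: the new "Final fix ... (v8.1.0-rc0)" NOTE sits under an entry whose fixed version is still "qemu 1:7.0+dfsg-1", i.e. the two v7.0.0-rc1 commits, while the preceding NOTE calls that patch set "possibly incomplete". If a2e1753b is needed to close the issue, the unstable fixed version should be revisited, or the NOTE should state that 1:7.0 covers the EHCI case and a2e1753b only the generic class; as written the entry claims a complete fix in 7.0 and an incomplete one at the same time.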
[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2023-32731/grpc: precise links + buster not-affected
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 5ee54b17 by Sylvain Beucler at 2023-07-31T17:07:55+02:00 CVE-2023-32731/grpc: precise links + buster not-affected - - - - - f320dc28 by Sylvain Beucler at 2023-07-31T17:21:02+02:00 CVE-2023-32732/grpc: mention CVE possible confusion + buster postponed - - - - - 5f8c6de5 by Sylvain Beucler at 2023-07-31T17:21:38+02:00 dla: drop grpc (no more open issues) - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -5910,13 +5910,16 @@ CVE-2023-32732 (gRPC contains a vulnerability whereby a client can cause a termi - grpc [bookworm] - grpc (Minor issue) [bullseye] - grpc (Minor issue) + [buster] - grpc (Minor issue; request smuggling; recheck if fixed or introduced by #32309 when CVE description is updated) NOTE: https://github.com/grpc/grpc/pull/32309 + NOTE: CVE description and fix are sensible, but there seem to be confusion: https://github.com/grpc/grpc/pull/32309#issuecomment-1589703522 CVE-2023-32731 (When gRPC HTTP2 stack raised a header size exceeded error, it skipped ...) - grpc [bookworm] - grpc (Minor issue) [bullseye] - grpc (Minor issue) - NOTE: https://github.com/grpc/grpc/pull/32309 - NOTE: https://github.com/grpc/grpc/pull/33005 + [buster] - grpc (Vulnerable code introduced later) + NOTE: Introduced by: https://github.com/grpc/grpc/pull/32309#issuecomment-1589561295 (v1.53.0-pre1) + NOTE: Fixed by: https://github.com/grpc/grpc/commit/65a2a895afaf1d2072447b9baf246374b182a946 (v1.56.0-pre1) CVE-2023-32312 (UmbracoIdentityExtensions is an Umbraco add-on package that enables ea ...) NOT-FOR-US: UmbracoIdentityExtensions CVE-2023-3177 (A vulnerability has been found in SourceCodester Lost and Found Inform ...) = data/dla-needed.txt = 
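Review bot: "Introduced by:" for CVE-2023-32731 points at a pull-request comment (#32309#issuecomment-1589561295) rather than at the introducing commit, whereas "Fixed by:" names a commit hash. For the buster "Vulnerable code introduced later" claim to stay checkable if the PR conversation is edited or pruned, record the merge commit (or the v1.53.0-pre1 tag it first appears in) alongside the comment link.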
@@ -57,10 +57,6 @@ glib2.0 (santiago) NOTE: 20230710: WIP (santiago) NOTE: 20230724: buster should be ready. need if it's possible to run same reporter's fuzz test -- -grpc (Sylvain Beucler) - NOTE: 20230614: Added by Front-Desk (opal) - NOTE: 20230618: CVE-2023-32731 fix will need a massive rewrite (rouca) --- hdf5 NOTE: 20230318: Added by Front-Desk (utkarsh) NOTE: 20230318: Consider fixing all the no-dsa and postponed issues as well. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9261a21b181ab264e7006e65a5e39c3f147cccba...5f8c6de5a54b2bd8c687cb7dfd51f42afa2f0c86 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9261a21b181ab264e7006e65a5e39c3f147cccba...5f8c6de5a54b2bd8c687cb7dfd51f42afa2f0c86 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
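Review bot: removing grpc from dla-needed.txt is consistent with CVE-2023-32731 now being not-affected in buster, but CVE-2023-32732 is left as "(Minor issue; ...; recheck ...)" with no queue entry, so the recheck has no owner once this block is gone. Consider keeping a one-line grpc entry with a dated NOTE that only CVE-2023-32732 is pending recheck, or moving that recheck with a date into the CVE NOTE, since the dropped 20230618 note ("fix will need a massive rewrite") is the only record of why the package was hard.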
[Git][security-tracker-team/security-tracker][master] CVE-2023-1428/grpc: introductory commit + buster triage
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: c53f6d4c by Sylvain Beucler at 2023-07-25T22:36:55+02:00 CVE-2023-1428/grpc: introductory commit + buster triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17645,7 +17645,9 @@ CVE-2023-1428 (There exists an vulnerability causing an abort() to be called in - grpc [bookworm] - grpc (Minor issue) [bullseye] - grpc (Minor issue) + [buster] - grpc (Vulnerable maxsize handler introduced later) NOTE: https://github.com/grpc/grpc/commit/2485fa94bd8a723e5c977d55a3ce10b301b437f8 (v1.54.0-pre1) + NOTE: Introduced by: https://github.com/grpc/grpc/commit/b2b70515583fe18e36c7e70b265808fa3154f734 (v1.52.0-pre1) CVE-2023-1427 (- The Photo Gallery by 10Web WordPress plugin before 1.8.15 did not en ...) NOT-FOR-US: WordPress plugin CVE-2023-1426 (The WP Tiles WordPress plugin through 1.1.2 does not ensure that posts ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c53f6d4ce0c7cbe2b7f0fa2b3a1a8675301adfd6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c53f6d4ce0c7cbe2b7f0fa2b3a1a8675301adfd6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
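Review bot: the two NOTEs use different labelling: the new line says "Introduced by: ...b2b70515 (v1.52.0-pre1)" while the existing fix line is a bare URL "...2485fa94 (v1.54.0-pre1)". Prefix the latter with "Fixed by:" so the buster tag "(Vulnerable maxsize handler introduced later)" can be read against an introduced/fixed pair without opening both commits.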
[SECURITY] [DLA 3502-1] python-git security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3502-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
July 25, 2023                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : python-git
Version        : 2.1.11-1+deb10u1
CVE ID         : CVE-2022-24439
Debian Bug     : 1027163

Sam Wheating discovered that python-git, a Python library to interact
with Git repositories, is vulnerable to shell injection due to improper
user input validation, which makes it possible to inject a maliciously
crafted remote URL into the clone command.

For Debian 10 buster, this problem has been fixed in version
2.1.11-1+deb10u1.

We recommend that you upgrade your python-git packages.

For the detailed security status of python-git please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-git

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmS/n+EACgkQDTl9HeUl
XjB23w//d+eU+w3R7+FCCGa8Tw1IoUzBxZjFMmNBVyPNIQ+zrGiluaEqWcziSf0p
+SHGCCnAP4fmktU3s96RBVdeHUf+aHnDsB3YVe49N+OU3YR0Qjnyus3Kz/xlN7wR
X4wewF2fAjeji1uj2LiWvInQQHjI1fmRdUYXa/x46Bc4tAxUoEzasNNn+noLzsSh
J+Kstw/tY42x40wIj15UR3mL7VghpFFL7hsGkSp9Vrb980NDwUtSjvcF99qM6ly0
H3eI06eX9r5r+hshzj5PvUhBMyli5vprZ4zhuzSJIMb4NfIvCP0JvK6ItHqsVFO+
00LhEm/Q18Iv2mxqEA+vmWUg5R1Rj2XfI1sA88/ER749eqh67v9Lm5ruDqoczQky
ICGKN/ZPJxNdqBPnizwAfXXYnvpWsz0vu/9Q+R22Ux2NF90T9eohfy/lUDZdmu9l
IsUq61z6FzAC+aRzBSSZk6kpeZKtzNvZFyY36nbPlZAtQGQRZBLv4Hp7mo4GKrHu
J8l39wbLhndL0wwgZ6Z/yZ9Lno2KTmFbX/+0R7Dl6CG2OGM0Ituz6jgOu70YjOO8
p6gBkf93SsyZdIU34KF1AYerCzLXNBYY1Z5xQl0YV3rrv+wIGfnez7IFe6NcfZ5f
3PPjezFM5moy4uInmgkCraywTef+0VhAm5S5emmE6vMcMciLHuA=
=7ZsA
-----END PGP SIGNATURE-----
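The advisory above calls the bug shell injection through a crafted remote URL. The point worth seeing in code is that no shell is needed: git itself treats a URL of the form `<helper>::<address>` as a request to run the remote helper `git-remote-<helper>`, and the built-in `ext` helper runs `<address>` as a command, so a caller that passes the URL to git as a clean argv (no `shell=True`, no string concatenation) is still exploitable. The following is an added example, my own code and not GitPython's, Debian's, or the DLA's: it validates a caller-supplied clone URL and any extra options before building the `git clone` argv, in the two-part shape the page records for the upstream fix (one check on the URL transport, one on options). The function and exception names, and the option allowlist, are assumptions for illustration; the example goes a step further than a blocklist by allowing only named options, so that bundled short options such as `-qc` cannot slip past it.

```python
"""Validate git clone inputs that a caller does not control.

Added example, not GitPython's or Debian's code.  Two checks, in the spirit of
the two-part upstream fix referenced on this page: the remote URL must not
select a git remote helper, and extra command-line options must come from an
allowlist so that none of them can name a program for git to run.
"""
import re
from typing import Dict, Iterable, List, Sequence


class UnsafeCloneInput(ValueError):
    """Raised when a clone URL or option could make git execute a command."""


# git treats "<helper>::<address>" as a request to run git-remote-<helper>;
# the built-in "ext" helper runs <address> as a command ("% " is a space).
# Ordinary URLs never have "::" before their first "/" (https://, ssh://,
# git@host:path), so any "<word>::" prefix is a remote-helper request.
_REMOTE_HELPER = re.compile(r"^\s*([A-Za-z0-9._-]+)::")

# Options this example allows, mapped to whether they take a value.  Assumed
# allowlist: none of these lets the caller name a program (unlike
# --upload-pack/-u) or rewrite git configuration (unlike --config/-c, which
# could set protocol.ext.allow=always and re-enable the ext helper).
_ALLOWED_OPTIONS: Dict[str, bool] = {
    "--depth": True, "--branch": True, "-b": True,
    "--single-branch": False, "--no-tags": False, "--bare": False,
    "--quiet": False, "-q": False,
}


def check_clone_url(url: str) -> str:
    """Return url unchanged, or raise if it would invoke a remote helper."""
    m = _REMOTE_HELPER.match(url)
    if m:
        raise UnsafeCloneInput(f"remote helper {m.group(1)!r} is not allowed in a clone URL")
    if url.lstrip().startswith("-"):
        raise UnsafeCloneInput("clone URL must not look like a command-line option")
    return url


def check_clone_options(options: Iterable[str]) -> List[str]:
    """Return the options unchanged, or raise if one is outside the allowlist.

    Bundled short options (-qb main) and unknown options are rejected outright
    rather than parsed, which is what keeps the allowlist small and auditable.
    """
    checked: List[str] = []
    expect_value = False
    for opt in options:
        if expect_value:  # this token is the value of the previous option
            if opt.startswith("-"):
                raise UnsafeCloneInput(f"missing value before {opt!r}")
            checked.append(opt)
            expect_value = False
            continue
        name, has_eq, _ = opt.partition("=")
        takes_value = _ALLOWED_OPTIONS.get(name)
        if takes_value is None:
            raise UnsafeCloneInput(f"option {name!r} is not in the allowlist")
        if has_eq and (not takes_value or not name.startswith("--")):
            raise UnsafeCloneInput(f"option {opt!r} may not carry an inline value")
        checked.append(opt)
        expect_value = takes_value and not has_eq
    if expect_value:
        raise UnsafeCloneInput("last option is missing its value")
    return checked


def build_clone_argv(url: str, dest: str, options: Sequence[str] = ()) -> List[str]:
    """argv for `git clone` with both checks applied.

    "--" stops git from reading the URL as an option, but does nothing against
    "ext::", which is why check_clone_url() is still required.
    """
    return ["git", "clone", *check_clone_options(options), "--", check_clone_url(url), dest]


def clone_input_is_safe(url: str, options: Sequence[str] = ()) -> bool:
    """True if build_clone_argv() would accept the inputs, False otherwise."""
    try:
        build_clone_argv(url, "dest", options)
    except UnsafeCloneInput:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: a benign URL, the ext:: proof-of-concept shape, and an
    # option that would re-enable the helper through configuration.
    cases = [
        ("https://example.org/repo.git", ()),
        ("ext::sh -c touch% /tmp/pwned", ()),
        ("https://example.org/repo.git", ("-c", "protocol.ext.allow=always")),
    ]
    for url, opts in cases:
        verdict = "ok" if clone_input_is_safe(url, opts) else "rejected"
        print(f"{url} {list(opts)} -> {verdict}")
```

The argv returned by `build_clone_argv()` is what you would hand to `subprocess.run()`; nothing in the example invokes git, so it runs offline. The allowlist is the design choice to note: a blocklist of dangerous options has to be revisited every time git grows an option or an alias, whereas an allowlist only ever needs the handful of options the application actually uses.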
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3502-1 for python-git
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 6d370503 by Sylvain Beucler at 2023-07-25T12:08:36+02:00 Reserve DLA-3502-1 for python-git - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -104259,7 +104259,6 @@ CVE-2022-24440 (The package cocoapods-downloader before 1.6.0, from 1.6.2 and be CVE-2022-24439 (All versions of package gitpython are vulnerable to Remote Code Execut ...) - python-git 3.1.30-1 (bug #1027163) [bullseye] - python-git (Minor issue) - [buster] - python-git (Minor issue) NOTE: https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858 NOTE: https://github.com/gitpython-developers/GitPython/commit/787359d80d80225095567340aa5e7ec01847fa9a (3.1.30) NOTE: https://github.com/gitpython-developers/GitPython/commit/678a8fe08dd466fcfe8676294b52887955138960 (3.1.30) = data/DLA/list = @@ -1,3 +1,6 @@ +[25 Jul 2023] DLA-3502-1 python-git - security update + {CVE-2022-24439} + [buster] - python-git 2.1.11-1+deb10u1 [25 Jul 2023] DLA-3501-1 renderdoc - security update {CVE-2023-33863 CVE-2023-33864 CVE-2023-33865} [buster] - renderdoc 1.2+dfsg-2+deb10u1 = data/dla-needed.txt = 
@@ -124,9 +124,6 @@ pandoc (guilhem) NOTE: 20230721: Discovered the upstream fix for CVE-2023-35936 was incomplete, NOTE: 20230721: got in touch with them and requested a new CVE. (guilhem) -- -python-git (Sylvain Beucler) - NOTE: 20230724: Added by Front-Desk (apo) --- python-glance-store NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6d370503f40d83a7778cc08aab79ff9a73a856ec -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6d370503f40d83a7778cc08aab79ff9a73a856ec You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
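Review bot: the DLA-3502-1 block lists only {CVE-2022-24439}, while the CVE entry elsewhere in data/CVE/list carries the NOTE "Follow-up fix: ... (3.1.32, pending CVE request with Snyk)", and the month's report counts this upload as "1 CVE + 1 pending". A NOTE under the DLA block recording whether 2.1.11-1+deb10u1 includes that follow-up would let the pending CVE be attributed to this DLA (or queued for a second upload) as soon as it is assigned, rather than rediscovered at the next buster triage.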
[Git][security-tracker-team/security-tracker][master] dla: claim grpc
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 2d3ce0c2 by Sylvain Beucler at 2023-07-22T20:36:58+02:00 dla: claim grpc - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -46,7 +46,7 @@ glib2.0 (santiago) NOTE: 20230612: Added by Front-Desk (apo) NOTE: 20230710: WIP (santiago) -- -grpc +grpc (Sylvain Beucler) NOTE: 20230614: Added by Front-Desk (opal) NOTE: 20230618: CVE-2023-32731 fix will need a massive rewrite (rouca) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d3ce0c2900e3f748e9c420b6defc407909dbbb1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d3ce0c2900e3f748e9c420b6defc407909dbbb1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: precise note authors
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 9ac9edf5 by Sylvain Beucler at 2023-07-22T18:32:22+02:00 dla: precise note authors - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -23,7 +23,7 @@ rather than remove/replace existing ones. -- cairosvg NOTE: 20230323: Added by Front-Desk (gladk) - NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert) + NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert/inactive) -- cinder NOTE: 20230525: Added by Front-Desk (lamby) @@ -109,7 +109,7 @@ nvidia-cuda-toolkit -- openimageio NOTE: 20230406: Re-added due to regressions (apo) - NOTE: 20230612: Backporting is mostly done, but still some failures. + NOTE: 20230612: Backporting is mostly done, but still some failures. (gladk) -- openjdk-11 (Emilio) NOTE: 20230419: Added by Front-Desk (ola) @@ -125,8 +125,8 @@ pandoc (guilhem) python-glance-store NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. - NOTE: 20230705: JS: pushed a patched version to: https://salsa.debian.org/lts-team/packages/python-glance-store - NOTE: 20230705: JS: upstream patch looks fine to me but should probably be tested and released together with the other affected packages. + NOTE: 20230705: pushed a patched version to: https://salsa.debian.org/lts-team/packages/python-glance-store (jspricke) + NOTE: 20230705: upstream patch looks fine to me but should probably be tested and released together with the other affected packages. (jspricke) -- python-os-brick NOTE: 20230525: Added by Front-Desk (lamby) 
@@ -164,7 +164,7 @@ ruby-loofah NOTE: 20221231: Added by Front-Desk (ola) NOTE: 20230313: Pinged Daniel re. patches in repo ^. (lamby) NOTE: 20230403: See "RFC: ruby-loofah 2.2.3-1+deb10u2" thread on debian-lts list. (lamby) - NOTE: 20230403: Everything ready, just waiting for ruby-rails-html-sanitizer/utkarsh (dleidert) + NOTE: 20230403: Everything ready, just waiting for ruby-rails-html-sanitizer/utkarsh (dleidert/inactive) -- ruby-rails-html-sanitizer NOTE: 20221231: Added by Front-Desk (ola) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9ac9edf5c0ee7cc176a0f3967cc59088998560f5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9ac9edf5c0ee7cc176a0f3967cc59088998560f5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
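Review bot: "(dleidert/inactive)" introduces a new annotation inside the author tag, and the file header quoted in the first hunk's context ("rather than remove/replace existing ones") only describes how to add notes, not what "/inactive" means. Add a line to that header explaining the marker (for instance that the note's author is no longer working on the item and the package is up for grabs), otherwise the next reader cannot tell "/inactive" from part of a nickname.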
[Git][security-tracker-team/security-tracker][master] CVE-2022-24439/python-git: reference follow-up fix
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: ac86be3e by Sylvain Beucler at 2023-07-15T18:26:41+02:00 CVE-2022-24439/python-git: reference follow-up fix - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -103164,6 +103164,7 @@ CVE-2022-24439 (All versions of package gitpython are vulnerable to Remote Code NOTE: https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858 NOTE: https://github.com/gitpython-developers/GitPython/commit/787359d80d80225095567340aa5e7ec01847fa9a (3.1.30) NOTE: https://github.com/gitpython-developers/GitPython/commit/678a8fe08dd466fcfe8676294b52887955138960 (3.1.30) + NOTE: Follow-up fix: https://github.com/gitpython-developers/GitPython/commit/ca965ecc81853bca7675261729143f54e5bf4cdd (3.1.32, pending CVE request with Snyk) CVE-2022-24438 RESERVED CVE-2022-24437 (The package git-pull-or-clone before 2.0.2 are vulnerable to Command I ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac86be3e8cad1af87bb2e0ff9435807547bd4a47 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac86be3e8cad1af87bb2e0ff9435807547bd4a47 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
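Review bot: this NOTE records an incomplete fix, but the entry's unstable fixed version stays 3.1.30-1 and the distribution tags are unchanged, so the tracker will keep reporting CVE-2022-24439 as fixed in 3.1.30 while the note says otherwise. Until the Snyk CVE request lands, consider either a TODO tag on the entry or an explicit qualifier such as "incomplete fix, see follow-up" at the start of the NOTE, so the follow-up is not lost if the new CVE ends up in someone else's triage.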
Re: nsis CVE-2023-37378
Hi,

On 08/07/2023 10:04, Sean Whitton wrote:
> On Sat 08 Jul 2023 at 09:14am +02, Salvatore Bonaccorso wrote:
>> Just noticed the suffix for the version for the buster-security / LTS
>> upload was +deb9u1, was this intentional? This should have been +deb10u1.
>
> It wasn't. Thank you for pointing out the mistake.

I should have seen/noted this while doing my quick review, sorry about that.
I guess I got confused as I'm working on a stretch update for another package.

Cheers!
Sylvain
[Git][security-tracker-team/security-tracker][master] CVE-2022-24439/python-git: clarify there's 2 fixes to apply
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: f7381a74 by Sylvain Beucler at 2023-07-08T12:02:37+02:00 CVE-2022-24439/python-git: clarify there's 2 fixes to apply - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -101741,8 +101741,8 @@ CVE-2022-24439 (All versions of package gitpython are vulnerable to Remote Code [bullseye] - python-git (Minor issue) [buster] - python-git (Minor issue) NOTE: https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858 - NOTE: https://github.com/gitpython-developers/GitPython/issues/1515 - NOTE: https://github.com/gitpython-developers/GitPython/pull/1521 + NOTE: https://github.com/gitpython-developers/GitPython/commit/787359d80d80225095567340aa5e7ec01847fa9a (3.1.30) + NOTE: https://github.com/gitpython-developers/GitPython/commit/678a8fe08dd466fcfe8676294b52887955138960 (3.1.30) CVE-2022-24438 RESERVED CVE-2022-24437 (The package git-pull-or-clone before 2.0.2 are vulnerable to Command I ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7381a74f3981791c979e78ded4634b8aeb3b0c1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7381a74f3981791c979e78ded4634b8aeb3b0c1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
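Review bot: replacing the issue (#1515) and PR (#1521) links with the two commit hashes makes the fix list precise, but it drops the only links to the upstream discussion of why two commits are needed. Keep the PR link as a third NOTE (the tracker routinely carries both), since a backporter starting from the commit hashes alone gets the diffs but not the rationale.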
Re: nsis CVE-2023-37378
Hello Sean,

I had a quick test with my:
http://git.savannah.gnu.org/cgit/freedink.git/tree/nsis
which is kinda old but does call WriteUninstaller.
The installer and uninstaller appear to work correctly in a W10 VM.

About the source changes, I'd recommend to use the CVE ID as part of the
patch file name (otherwise it can be tedious to determine which fixed what,
especially later on if there's (upstream) confusion over CVEs or regression
fixes to consider).
In addition I like to add a couple fields to note the source of the patch
and some who/when info, e.g.:
https://salsa.debian.org/lts-team/packages/runc/-/blob/debian/buster/debian/patches/CVE-2022-29162.patch

Cheers!
Sylvain Beucler
Debian LTS Team

On 06/07/2023 20:42, Sean Whitton wrote:
> Hello,
>
> I've prepared an upload to buster-security [1] to fix CVE-2023-37378.
> I've tested it using an example script from [2], but if anyone reading
> has a real, production NSIS script, that includes an uninstaller, in
> particular, then testing my upload by using it to build your script
> would be appreciated. I can provide .debs if it's not straightforward
> for you to build it.
>
> [1] https://salsa.debian.org/lts-team/packages/nsis
> [2] https://nsis.sourceforge.io/Simple_tutorials
Philippe Coval: Advocate
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I support Philippe Coval's request to become a Debian Maintainer.

I only recently checked the technical work of Philippe Coval, but we've
had numerous opportunities to work together at a local level over the
past few years, typically in Linux User Groups.

I witnessed that Philippe puts a strong and thoughtful emphasis on
ethics, and strives to reach peaceful resolutions while working with
groups of volunteers.

Consequently I believe rzr's actions will honor the Debian Social Contract.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmSm6UAACgkQDTl9HeUl
XjDGIxAAo+DSEAC+1BtsJ4jZOWhXQrknLDGfMLYqZfs3jinBpwELanUHbJVbLywi
r4LsUJpEZcmVcX021gSAKPs05XJ0hS0GTIJ29l7tTSy9JoR9BzdHPQ5ZitrV33pZ
Asq8UhmEcvIb+giH3AhJA108bMubVZlwA/wD29cS3bVJ+qNlTpTFbV+Iic5GBUkd
KR6SbVX7XSnmBQCtyPmG2d2yBFFZlsOeRo5on4nLqws3ThWZnqJ2L9wJIFld/od9
KzkkSXxHVScEWOb8kXbAbK5D6+zIguhd6SvW0luGyKvWOXxK60OxbeAoyzyzQj3G
AB9+HZEjYEPAbU7NhM8FfXMMuvvQ3MHOecBJKxSxKwqBFqlvx84as3kPubgD6m/W
9jdaRQ8zUjbjez+Wwghcs4X9/xMUr8cLkBp0UBUOtq3YTdKeKH7L6vWL7IGga4NJ
bVdvMyr1r2lmUnDrVm8OWINCu5gdsx9u3/XgOp18VdBqt7BqBnzzRlrgNGemi8vN
NOdx/YFLSTo21+GRtEFnF/k03pFSZfkf2ZZhUiHp4A4LEQ1wzCLsgHVAMnRHnKGA
I735ldF6s7h0gKZEDn0Syja/X/GP3mYEFuQa6DO/+ycKSWvrdNCZZY+VCeR0308n
O5EEcFs+SnW6xJLSGi+6PkXTg2lQilE7QNCmqYb16b48Qcn6EzY=
=pb5I
-----END PGP SIGNATURE-----

Sylvain Beucler (via nm.debian.org)

For details and to comment, visit https://nm.debian.org/process/1193/
--
https://nm.debian.org/process/1193/
[Git][security-tracker-team/security-tracker][master] dla: typo
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: d703c5f1 by Sylvain Beucler at 2023-07-03T13:26:14+02:00 dla: typo - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -231,7 +231,7 @@ sabnzbdplus salt NOTE: 20220814: Added by Front-Desk (gladk) NOTE: 20220814: I am not sure, whether it is possible to fix issues - NOTE: 20220814: without backporting a newer verion. (Anton) + NOTE: 20220814: without backporting a newer version. (Anton) -- samba (Lee Garrett) NOTE: 20220904: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d703c5f16fad6f6a380123d0b0e7816f15124974 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d703c5f16fad6f6a380123d0b0e7816f15124974 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] lts-do-call-me: move info from packages.yml LTS package database
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 4c261f2a by Sylvain Beucler at 2023-07-01T16:54:20+02:00 lts-do-call-me: move info from packages.yml LTS package database - - - - - 1 changed file: - data/packages/lts-do-call-me Changes: = data/packages/lts-do-call-me = @@ -7,10 +7,11 @@ # All packages by Christoph Biedl fileDebConf19 conversation with apo busybox DebConf19 conversation with apo +schroot DebConf19 conversation with apo # Christoph Berg (credativ) postgresql.* (Christoph will always take care of updates, no need to contact him) -# However Christoph won't update EOL'd 9.6 for stretch +# However Christoph may not update EOL'd branches, e.g.: # https://lists.debian.org/debian-lts/2022/05/msg00054.html # Peter Palfrader @@ -30,6 +31,8 @@ openldap # all packages maintained by Thorsten Alteholz/Debian Printing Team cups +cups-filters +duktape # all packages maintained by Samuel Henrique # The main reason is to avoid duplication of work, so if I don't @@ -47,3 +50,15 @@ mariadb-10.5 mariadb galera-3 galera-4 + +# The maintainer is active in old releases, e.g. DLA 3190-2. +# https://lists.debian.org/debian-lts-announce/2022/12/msg00019.html +grub2 + +thunderbird 2023 contact with pochu + +modsecurity-crs 2022 contact with gladky + +# OpenStack packages from zigo +# https://lists.debian.org/debian-lts/2022/08/msg00011.html +nova View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c261f2a88f90203a97d6c6eb55dea2be45e1a03 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c261f2a88f90203a97d6c6eb55dea2be45e1a03 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
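Review bot: the new "nova" entry is justified by the OpenStack thread, but dla-needed.txt on this same page records CVE-2023-2088 as "filed against python-glance-store, python-os-brick, nova and cinder", so three sibling packages from the same maintainer are missing here; either add them or use a regex in the "postgresql.*" style so the tooling that consumes this file matches the whole set. Also, "thunderbird 2023 contact with pochu" and "modsecurity-crs 2022 contact with gladky" say nothing about whether the maintainer wants to do the upload or only to be told, unlike the postgresql comment; one word on that saves a round-trip at upload time.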
Debian LTS and ELTS - June 2023
Here is my public monthly report.
Thanks to our sponsors for making this possible, and to Freexian for handling the offering.
https://www.freexian.com/lts/debian/#sponsors

LTS

- openssl
  - Reference/refresh recent patches in the security tracker
  - DLA 3449-1 (4 CVEs)
    https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html
- ffmpeg
  - Track fixed CVEs in past upload
  - DLA 3454-1 (4.1.10->4.1.11 upgrade, with unregistered vulnerabilities)
    https://lists.debian.org/debian-lts-announce/2023/06/msg00016.html
- python-werkzeug/bullseye upcoming DSA
  - Review (based on my DLA 3346-1 for the same package)
- Front-Desk
  - Mark 16 packages for update
  - Triage or precise triage for 15+ CVEs
  - Request new CVE for package 'osslsigncode'
  - Clean-ups/precisions in work queue and package database
  - Follow-up on upload-related issues

ELTS

- sysstat
  - ELA-866-1 (1 CVE)
    https://www.freexian.com/lts/extended/updates/ela-866-1-sysstat/
- Front Desk
  - Associate CVEs from newer, branched Debian packages with different names
    to older ELTS packages (emacs*, golang*, netty*, openssl*, php*, python*, tomcat*)
  - Mark 11 supported packages for update
  - Triage or precise triage for 10+ CVEs
  - Clean-ups/precisions in work queue

Documentation and tooling

- Continue discussion on making stable-security build logs public after
  package release, now involving other teams
  https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/51
  https://lists.debian.org/debian-lts/2023/06/msg1.html
- Tooling: continue to revamp work queue report ('find-work') (private tooling planned to be made public)
  - Continue clean-up and finish review processes
  - Convert work queues (dla_needed.txt, ela_needed.txt) to drop duplicate information
  - Display warning if the Debian package maintainer requests involvement
    in LTS uploads (from 'data/packages/lts-do-call-me')
  - Display age in the work queue for each planned upload
- LTS Documentation
  - TestSuites: ffmpeg: refresh for buster
    https://lts-team.pages.debian.net/wiki/TestSuites/ffmpeg.html
  - TestSuites: golang: refresh uploads involving reverse-dependencies
    https://lts-team.pages.debian.net/wiki/TestSuites/golang.html#finding-reverse-build-dependencies
  - TestSuites: refresh index, fix mark-up
    https://lts-team.pages.debian.net/wiki/TestSuites.html
    https://lts-team.pages.debian.net/wiki/TestSuites/php.html
  - Development: drop coordinator work from front-desk section,
    update/simplify 'package-operations' documentation,
    clarify debian-archive-keyring rationale
    https://lts-team.pages.debian.net/wiki/Development.html
- Guide non-security LTS upload from non-team contributor
  https://bugs.debian.org/1039489
- Continue internal discussions on packages claimfiles format/workflow
- Jitsi team meeting

--
Sylvain Beucler
Debian LTS Team
[Git][security-tracker-team/security-tracker][master] lts-do-call-me: use regex rather than non-path-globbing, to ease tooling implementation
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 2a602009 by Sylvain Beucler at 2023-06-27T21:08:43+02:00 lts-do-call-me: use regex rather than non-path-globbing, to ease tooling implementation - - - - - 1 changed file: - data/packages/lts-do-call-me Changes: = data/packages/lts-do-call-me = @@ -9,7 +9,7 @@ fileDebConf19 conversation with apo busybox DebConf19 conversation with apo # Christoph Berg (credativ) -postgresql* (Christoph will always take care of updates, no need to contact him) +postgresql.* (Christoph will always take care of updates, no need to contact him) # However Christoph won't update EOL'd 9.6 for stretch # https://lists.debian.org/debian-lts/2022/05/msg00054.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a602009c93ca48b64652de7bbe225c065928c02 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a602009c93ca48b64652de7bbe225c065928c02 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
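Review bot: switching the pattern syntax to regex changes what the old "postgresql*" meant: as a regex that string is "postgresq" followed by zero or more "l", so the rewrite to "postgresql.*" is needed, but it is only correct if the consumer anchors the match at both ends (re.fullmatch or an explicit "$"); with re.search it would also match "python-postgresql-foo". State the matching rule (whole package name, anchored) in the file header, which currently says nothing about pattern syntax, and check the plain entries ("busybox", "cups") still match only themselves under that rule.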
[Git][security-tracker-team/security-tracker][master] CVE-2018-10237/guava-libraries: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 9ceee209 by Sylvain Beucler at 2023-06-24T18:52:42+02:00 CVE-2018-10237/guava-libraries: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -349543,6 +349543,7 @@ CVE-2018-10238 (bvlc.c in skarg BACnet Protocol Stack bacserv 0.9.1 and 0.8.5 is NOT-FOR-US: skarg BACnet Protocol Stack CVE-2018-10237 (Unbounded memory allocation in Google Guava 11.0 through 24.x before 2 ...) - guava-libraries 29.0-1 + [buster] - guava-libraries (Minor issue, DoS) CVE-2018-10236 (POSCMS 3.2.18 allows remote attackers to execute arbitrary PHP code vi ...) NOT-FOR-US: POSCMS CVE-2018-10235 (POSCMS 3.2.10 allows remote attackers to execute arbitrary PHP code vi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9ceee2093857a0c2dadd38ae9f0d205000e26548 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9ceee2093857a0c2dadd38ae9f0d205000e26548 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
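Review bot: the buster tag gives a severity rationale ("Minor issue, DoS") but the entry carries no upstream fix reference, only the Debian fixed version 29.0-1; since the description covers "11.0 through 24.x", add the upstream commit or release note as a NOTE now, so that a later buster update does not have to rediscover which upstream change closes it.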
[Git][security-tracker-team/security-tracker][master] CVE-2023-XXXX/osslsigncode: reference mitre request
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 3064ab90 by Sylvain Beucler at 2023-06-24T18:49:53+02:00 CVE-2023-/osslsigncode: reference mitre request - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4544,6 +4544,7 @@ CVE-2023-2629 (Improper Neutralization of Formula Elements in a CSV File in GitH CVE-2023- [several critical memory corruption vulnerabilities] - osslsigncode 2.3.0-1 (bug #1035875) NOTE: https://github.com/mtrojnar/osslsigncode/releases/tag/2.3 + NOTE: CVE Request 1477401 pending (2023-06-20) CVE-2023-32573 (In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x thro ...) - qt6-svg 6.4.2-2 - qtsvg-opensource-src 5.15.8-3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3064ab900b5fab08e702aee124a99f1aa0bec2fd
[Git][security-tracker-team/security-tracker][master] CVE-2023-34462/netty: buster not-affected
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 4fe99872 by Sylvain Beucler at 2023-06-24T18:35:15+02:00 CVE-2023-34462/netty: buster not-affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -270,6 +270,7 @@ CVE-2023-34462 (Netty is an asynchronous event-driven network application framew - netty (bug #1038947) [bookworm] - netty (Minor issue, fix along in future update) [bullseye] - netty (Minor issue, fix along in future update) + [buster] - netty (SslClientHelloHandler introduced in v4.1.46) NOTE: https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845 NOTE: https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32 (netty-4.1.94.Final) CVE-2023-34110 (Flask-AppBuilder is an application development framework, built on top ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4fe99872000a1c15b587a5f652103951b0bfacc5
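Review bot: the not-affected justification names the version that introduced SslClientHelloHandler (v4.1.46) but not the commit that introduced it; adding an "Introduced by:" NOTE with that commit, as the cups entry elsewhere on this page does, would let the triage be re-checked against buster's netty source without redoing the bisection.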
[Git][security-tracker-team/security-tracker][master] RUSTSEC-2023-0045/rust-memoffset: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 953781e2 by Sylvain Beucler at 2023-06-23T14:12:15+02:00 RUSTSEC-2023-0045/rust-memoffset: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -188,6 +188,7 @@ CVE-2023-2828 (Every `named` instance configured to run as a recursive resolver CVE-2023- [RUSTSEC-2023-0045] - rust-memoffset 0.6.4-1 [bullseye] - rust-memoffset (Minor issue) + [buster] - rust-memoffset (Minor issue, Undefined Behavior) NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0045.html NOTE: https://github.com/Gilnaa/memoffset/issues/24 CVE-2023-3339 (A vulnerability has been found in code-projects Agro-School Management ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/953781e2ab3752eb98e2ffa88a3e65e6494d80a0
[Git][security-tracker-team/security-tracker][master] CVE-2023-3316/tiff: precise buster triage
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 3bd43388 by Sylvain Beucler at 2023-06-23T13:35:12+02:00 CVE-2023-3316/tiff: precise buster triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -260,7 +260,7 @@ CVE-2023-3316 (A NULL pointer dereference in TIFFClose() is caused by a failure - tiff 4.5.1~rc3-1 [bookworm] - tiff (Minor issue) [bullseye] - tiff (Minor issue) - [buster] - tiff (Minor issue, clean crash) + [buster] - tiff (Minor issue, DoS, PoC doesn't segfault) NOTE: https://gitlab.com/libtiff/libtiff/-/issues/515 NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/468 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/d63de61b1ec3385f6383ef9a1f453e4b8b11d536 (v4.5.1rc1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3bd43388b97268ab1c257a15ed99e2297f647a0c
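Review bot: the new buster annotation "DoS, PoC doesn't segfault" sits uneasily with the entry's description of a NULL pointer dereference in TIFFClose(): if the PoC does not crash buster's tiff, either the dereference is not reachable there (which would argue for not-affected rather than a postponed DoS) or the PoC needs a different input. A NOTE recording which PoC and which package version were tested would make the triage reproducible for whoever revisits it.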
[Git][security-tracker-team/security-tracker][master] CVE-2023-3316/tiff: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 8bcdd8c5 by Sylvain Beucler at 2023-06-23T13:23:50+02:00 CVE-2023-3316/tiff: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -260,6 +260,7 @@ CVE-2023-3316 (A NULL pointer dereference in TIFFClose() is caused by a failure - tiff 4.5.1~rc3-1 [bookworm] - tiff (Minor issue) [bullseye] - tiff (Minor issue) + [buster] - tiff (Minor issue, clean crash) NOTE: https://gitlab.com/libtiff/libtiff/-/issues/515 NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/468 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/d63de61b1ec3385f6383ef9a1f453e4b8b11d536 (v4.5.1rc1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8bcdd8c5a4b93b9eed5cd4a7c713547c797f70f8
[Git][security-tracker-team/security-tracker][master] CVE-2023-34867,CVE-2023-34868: buster ignored
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: d42dca43 by Sylvain Beucler at 2023-06-23T13:20:53+02:00 CVE-2023-34867,CVE-2023-34868: buster ignored - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -724,10 +724,12 @@ CVE-2023-34878 (An issue was discovered in Ujcms v6.0.2 allows attackers to gain CVE-2023-34868 (Jerryscript 3.0 (commit 05dbbd1) was discovered to contain an Assertio ...) - iotjs [bullseye] - iotjs (Minor issue) + [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/issues/5083 CVE-2023-34867 (Jerryscript 3.0 (commit 05dbbd1) was discovered to contain an Assertio ...) - iotjs [bullseye] - iotjs (Minor issue) + [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/issues/5084 CVE-2023-34865 (Directory traversal vulnerability in ujcms 6.0.2 allows attackers to m ...) NOT-FOR-US: ujcms View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d42dca433879f911a36d3bbe316c9cf74e13a145
[Git][security-tracker-team/security-tracker][master] CVE-2023-34241/cups: reference introductory commit
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: bff7f5d0 by Sylvain Beucler at 2023-06-23T13:16:14+02:00 CVE-2023-34241/cups: reference introductory commit - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -650,6 +650,7 @@ CVE-2023-34241 (OpenPrinting CUPS is a standards-based, open source printing sys [buster] - cups (Minor issue; exploitable under specific conditions; can be fixed via point release) NOTE: https://www.openwall.com/lists/oss-security/2023/06/22/4 NOTE: https://github.com/OpenPrinting/cups/commit/9809947a959e18409dcf562a3466ef246cb90cb2 + NOTE: Introduced by: https://github.com/OpenPrinting/cups/commit/996acce8760c538b9fee69c99f274ffc27744386#diff-ea18088a3c3df78fec37244a94c58754b6e5cb7fbfd7066f6124de51a73c284d (v2.2b1) CVE-2023-33243 (RedTeam Pentesting discovered that the web interface of STARFACE as we ...) NOT-FOR-US: STARFACE CVE-2023-32229 (Due to an error in the software interface to the secure element chip o ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bff7f5d0e5d74f2bb7105ce0b68efb417c097a77
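Review bot: the "Introduced by" URL carries a `#diff-…` fragment, which is a GitHub web-UI anchor for one file within the diff and is not guaranteed to stay stable; naming the affected source file in the NOTE text (in addition to, or instead of, the fragment) keeps the reference useful if the anchor scheme changes. The version tag (v2.2b1) is the part that lets a reader check whether a given suite's cups predates the introduction, so it is worth keeping as is.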
[Git][security-tracker-team/security-tracker][master] CVE-2023-34241/cups: buster postponed + fix typo
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 5e72cf6d by Sylvain Beucler at 2023-06-23T12:54:17+02:00 CVE-2023-34241/cups: buster postponed + fix typo - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -645,8 +645,9 @@ CVE-2023-34242 (Cilium is a networking, observability, and security solution wit - cilium (bug #858303) CVE-2023-34241 (OpenPrinting CUPS is a standards-based, open source printing system fo ...) - cups 2.4.2-5 (bug #1038885) - [bookworm] - cups (Minor issue; explotiable under specific conditions; can be fixed via point release) - [bullseye] - cups (Minor issue; explotiable under specific conditions; can be fixed via point release) + [bookworm] - cups (Minor issue; exploitable under specific conditions; can be fixed via point release) + [bullseye] - cups (Minor issue; exploitable under specific conditions; can be fixed via point release) + [buster] - cups (Minor issue; exploitable under specific conditions; can be fixed via point release) NOTE: https://www.openwall.com/lists/oss-security/2023/06/22/4 NOTE: https://github.com/OpenPrinting/cups/commit/9809947a959e18409dcf562a3466ef246cb90cb2 CVE-2023-33243 (RedTeam Pentesting discovered that the web interface of STARFACE as we ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e72cf6dd30a59266881c1aef2359684bfd4ef70
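Review bot: the new buster line copies "can be fixed via point release" from the bookworm and bullseye lines, but buster is under LTS and no longer receives point releases, so that rationale does not apply to it; the buster annotation should say what the LTS team actually intends (fold into a later DLA, or simply postponed as a minor issue), otherwise the next reader may wait for a point release that will not come.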
[Git][security-tracker-team/security-tracker][master] dla: add bind9
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: e9f154c9 by Sylvain Beucler at 2023-06-23T12:28:32+02:00 dla: add bind9 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -20,6 +20,10 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. +-- +bind9 + NOTE: 20230623: Added by Front-Desk (Beuc) + NOTE: 20230623: Upcoming DSA prepared by maintainer (Beuc/front-desk) -- c-ares (gladk) NOTE: 20230523: Added by Front-Desk (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9f154c916c632965dae1ebad4f73f5899cb9f11
Re: #1036797 bullseye-pu: package mariadb-10.5 10.5.20-0+deb11u1
Hello Otto,

On 22/06/2023 19:41, Otto Kekäläinen wrote:
> I filed on May 26th this but never got any reply from stable managers:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=103679
> It is affected by only one minor CVE-2022-47015. The same CVE was already fixed in DLA-3444-1 with MariaDB 10.3.39 which was the LTS until two weeks ago. Since bullseye is LTS now, I just wanted to quickly get ack'ed by the LTS team that I should prepare this as for Bullseye?

bullseye is "oldstable" but security updates are still managed by the Security Team for 1 year, before LTS takes over in 2024.
https://wiki.debian.org/LTS was recently updated and should carry the right information :)

Cheers!
Sylvain
[Git][security-tracker-team/security-tracker][master] dla: add imagemagick and assign to rouca
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 7ee9d7ab by Sylvain Beucler at 2023-06-22T16:50:21+02:00 dla: add imagemagick and assign to rouca - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -93,6 +93,10 @@ hdf5 NOTE: 20230520: additionally couldn't convince the build system to build for buster, something with the autogenerated .install files, NOTE: 20230520: so giving up on the package. (tobi) -- +imagemagick (rouca) + NOTE: 20230622: Added by Front-Desk (Beuc) + NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) +-- lemonldap-ng NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: Follow 2 fixes from bullseye 11.7 (CVE-2023-28862 + unreferenced URL validation bypass) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ee9d7ab7d1b90cc19c86f628145d519c9a968fa
[Git][security-tracker-team/security-tracker][master] dla: add lua5.3
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: f067070b by Sylvain Beucler at 2023-06-21T20:02:40+02:00 dla: add lua5.3 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -124,6 +124,12 @@ libx11 (Adrian Bunk) linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- +lua5.3 + NOTE: 20230621: Added by Front-Desk (Beuc) + NOTE: 20230621: A sponsor requested special attention to CVE-2019-6706 (which had been postponed waiting for a fix, now released) + NOTE: 20230621: Also fix the 2 other open CVEs if appropriate. + NOTE: 20230621: Please check with the security team if they'd be interested in a bullseye upload as well. (Beuc/front-desk) +-- minidlna (Thorsten Alteholz) NOTE: 20230614: Added by Front-Desk (opal) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f067070ba9bf67c9479c5df2acc3ea164a0ca549
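Review bot: the NOTE "Also fix the 2 other open CVEs if appropriate" does not name the CVEs, so whoever claims the package has to re-derive which entries were meant; listing the IDs, as the lemonldap-ng and libapache2-mod-auth-openidc entries on this page do, makes the dla-needed.txt entry self-contained.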
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2019-6706/lua5.3: reference patch
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 96bdf598 by Sylvain Beucler at 2023-06-21T19:47:41+02:00 CVE-2019-6706/lua5.3: reference patch - - - - - 76a736e5 by Sylvain Beucler at 2023-06-21T19:48:40+02:00 CVE-2019-6706/lua5.3: refresh buster triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -305293,14 +305293,14 @@ CVE-2019-6707 (PHPSHE 1.7 has SQL injection via the admin.php?mod=product&act=st CVE-2019-6706 (Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For examp ...) - lua5.3 5.3.6-1 (bug #920321) [bullseye] - lua5.3 (Minor issue, revisit when fixed upstream) - [buster] - lua5.3 (Minor issue, revisit when fixed upstream) - [stretch] - lua5.3 (Minor issue, revisit when fixed upstream) + [buster] - lua5.3 (Minor issue) - lua5.2 (Vulnerable code introduced later) - lua5.1 (Vulnerable code introduced later) - lua50 (Vulnerable code introduced later) NOTE: http://lua.2524044.n2.nabble.com/Bug-Report-Use-after-free-in-debug-upvaluejoin-tc7685506.html NOTE: lua50 and lua5.1 don't have the affected code. NOTE: lua5.2 is not vulnerable as it doesn't free the value before using it. + NOTE: https://github.com/lua/lua/commit/89aee84cbc9224f638f3b7951b306d2ee8ecb71e (v5.3.6) CVE-2019-6705 RESERVED CVE-2019-6704 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ae5b29e98d9004ec832e0379356e296ff0291439...76a736e5e4d467b2b1d13a76d883f15ecb442a2c
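Review bot: the second commit drops "revisit when fixed upstream" from the buster line and the first commit records the upstream fix (v5.3.6), but the unchanged bullseye context line still reads "(Minor issue, revisit when fixed upstream)"; with the fix now referenced, that line deserves the same refresh, or a NOTE on why bullseye stays postponed. This matters all the more given the dla-needed.txt entry on this page asking whether the security team wants a bullseye upload.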
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2023-34623/jtidy: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: b6daac72 by Sylvain Beucler at 2023-06-21T18:16:30+02:00 CVE-2023-34623/jtidy: buster postponed - - - - - ae5b29e9 by Sylvain Beucler at 2023-06-21T18:17:31+02:00 dla: libx11: reference DSA - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -561,6 +561,7 @@ CVE-2023-34623 (An issue was discovered jtidy thru r938 allows attackers to caus - jtidy (bug #1038663) [bookworm] - jtidy (Minor issue) [bullseye] - jtidy (Minor issue) + [buster] - jtidy (Minor issue, DoS) NOTE: https://github.com/trajano/jtidy/issues/4 CVE-2023-34620 (An issue was discovered hjson thru 3.0.0 allows attackers to cause a d ...) NOT-FOR-US: hjson = data/dla-needed.txt = @@ -119,6 +119,7 @@ libusrsctp (rouca) -- libx11 (Adrian Bunk) NOTE: 20230615: Added by Front-Desk (opal) + NOTE: 20230621: Cf. DSA 5433-1 (Beuc/front-desk) -- linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ab63e454a3e90d4367acea591488ae9cccea4f8f...ae5b29e98d9004ec832e0379356e296ff0291439
Bug#1035875: Arbitrary code execution vulnerability in versions < 2.3
Hi,

I requested a CVE at cveform.mitre.org so we can start a discussion with upstream on clear grounds, and possibly involve other distros :)

From https://github.com/mtrojnar/osslsigncode/compare/2.2...2.3 there are a lot of commits that fix memory issues, e.g.
fix double free in msi_dirent_new()
Fix more fuzzer errors
etc. so most probably there isn't a single clean patch to apply :/

We might want to just bump buster and bullseye to 2.3, there's only one rdep AFAICS.

Cheers!
Sylvain Beucler
Debian LTS Team (this week's Front-Desk person)
[Git][security-tracker-team/security-tracker][master] dla: add lemonldap-ng
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: ad00ad2e by Sylvain Beucler at 2023-06-20T20:19:05+02:00 dla: add lemonldap-ng - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -101,6 +101,10 @@ hsqldb1.8.0 NOTE: 20230619: Added by Front-Desk (Beuc) NOTE: 20230619: Upcoming DSA (Beuc/front-desk) -- +lemonldap-ng + NOTE: 20230620: Added by Front-Desk (Beuc) + NOTE: 20230620: Follow 2 fixes from bullseye 11.7 (CVE-2023-28862 + unreferenced URL validation bypass) (Beuc/front-desk) +-- libapache2-mod-auth-openidc NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: Follow fix from bullseye 11.7 (CVE-2022-23527) + 1 postponed CVE-2021-39191 (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad00ad2efe93a4bc98faf1daf12635bf62587df5
[Git][security-tracker-team/security-tracker][master] dla: add libapache2-mod-auth-openidc
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 77adf71c by Sylvain Beucler at 2023-06-20T20:13:28+02:00 dla: add libapache2-mod-auth-openidc - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -101,6 +101,10 @@ hsqldb1.8.0 NOTE: 20230619: Added by Front-Desk (Beuc) NOTE: 20230619: Upcoming DSA (Beuc/front-desk) -- +libapache2-mod-auth-openidc + NOTE: 20230620: Added by Front-Desk (Beuc) + NOTE: 20230620: Follow fix from bullseye 11.7 (CVE-2022-23527) + 1 postponed CVE-2021-39191 (Beuc/front-desk) +-- libfastjson (Thorsten Alteholz) NOTE: 20230507: Added by Front-Desk (ta) NOTE: 20230507: the CVE was fixed in json-c already View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/77adf71c93e0eec0f5c2cb322352c25141586094
[Git][security-tracker-team/security-tracker][master] dla: add symfony
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 74aa04c8 by Sylvain Beucler at 2023-06-20T19:37:10+02:00 dla: add symfony - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -252,6 +252,10 @@ suricata NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored), NOTE: 20230620: and possibly issue a DSA with a few CVEs that were fixed in later dists (Beuc/front-desk) -- +symfony + NOTE: 20230620: Added by Front-Desk (Beuc) + NOTE: 20230620: Follow fixes from bullseye 11.7 (2 CVEs) + 1 other postponed CVE (Beuc/front-desk) +-- syncthing NOTE: 20230616: Added by Front-Desk (opal) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/74aa04c8c692f48c1c9dcc34bfee38795c4cd843
[Git][security-tracker-team/security-tracker][master] CVE-2022-38223/w3m: reference bug about incomplete fix
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 37cade30 by Sylvain Beucler at 2023-06-20T19:20:03+02:00 CVE-2022-38223/w3m: reference bug about incomplete fix - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -64552,6 +64552,7 @@ CVE-2022-38223 (There is an out-of-bounds write in checkType located in etc.c in [buster] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/242 NOTE: https://github.com/tats/w3m/commit/419ca82d57c72242817b55e2eaa4cdbf6916e7fa + NOTE: Possibly incomplete fix: https://github.com/tats/w3m/issues/268 CVE-2022-38222 (There is a use-after-free issue in JBIG2Stream::close() located in JBI ...) - xpdf (Debian uses poppler, which is not affected) CVE-2022-38221 (A buffer overflow in the FTcpListener thread in The Isle Evrima (the d ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/37cade30bb2bcd359813aed52e6b75fba7b65073
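Review bot: recording the possibly incomplete fix as a NOTE is a good start, but the fixed-version information for the later suites rests on the referenced commit 419ca82d; if issue 268 confirms the fix is incomplete, the out-of-bounds write in checkType() would still be present in suites currently shown as fixed, so the tracker will want either a re-opened status or a separate entry for the remaining bug once upstream responds, not just the NOTE.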
[Git][security-tracker-team/security-tracker][master] dla: add avahi
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: d57f4203 by Sylvain Beucler at 2023-06-20T19:07:08+02:00 dla: add avahi - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -20,6 +20,10 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. +-- +avahi + NOTE: 20230620: Added by Front-Desk (Beuc) + NOTE: 20230620: Follow fix from bullseye 11.7 (CVE-2021-3468, already fixed in stretch & jessie) (Beuc/front-desk) -- c-ares (gladk) NOTE: 20230523: Added by Front-Desk (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d57f4203b944ebd8e682f6e2963d50d74e93f671
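Review bot: the NOTE records CVE-2021-3468 as fixed in stretch and jessie and now in bullseye 11.7, which leaves buster as the one suite in between without the fix; when preparing the buster update it is worth stating in a follow-up NOTE whether the fix was simply never backported to buster's version or was dropped at a version bump, since the latter would be a regression worth checking for in other avahi changes carried by buster.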
[Git][security-tracker-team/security-tracker][master] 2 commits: dla: fix-up triaging notes
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: cb3660c3 by Sylvain Beucler at 2023-06-20T18:50:24+02:00 dla: fix-up triaging notes - - - - - cac693ed by Sylvain Beucler at 2023-06-20T18:50:35+02:00 dla: add systemd - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -44,7 +44,7 @@ docker-registry (rouca) -- docker.io NOTE: 20230303: Added by Front-Desk (Beuc) - NOTE: 20230303: Follow fixes from bullseye 11.2 (Beuc/front-desk) + NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) NOTE: 20230424: Is in preparation. (gladk) -- dogecoin @@ -60,7 +60,7 @@ erlang (Markus Koschany) -- flatpak NOTE: 20230620: Added by Front-Desk (Beuc) - NOTE: 20230620: Follow fixes from bullseye 11.3 (Beuc/front-desk) + NOTE: 20230620: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk) -- fusiondirectory (Abhijith PA) NOTE: 20221203: Added by Front-Desk (gladk) @@ -251,6 +251,10 @@ suricata syncthing NOTE: 20230616: Added by Front-Desk (opal) -- +systemd + NOTE: 20230620: Added by Front-Desk (Beuc) + NOTE: 20230620: Follow fixes from bullseye 11.7 (2 CVEs + unreferenced security fixes + optionally non-security fixes) (Beuc/front-desk) +-- trafficserver NOTE: 20230618: Added by Front-Desk (opal) NOTE: 20230618: Low prio due to the few number of users. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d686a6983f6d7b2fc100ed8551d3dc6fc3f95acc...cac693ed667e558bd9292b50b15f05e2cc0a48bf
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2023-28100,CVE-2023-28101/flatpak: reference patches
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker

Commits:
07f19f44 by Sylvain Beucler at 2023-06-20T18:13:02+02:00
CVE-2023-28100,CVE-2023-28101/flatpak: reference patches

- - - - -
d686a698 by Sylvain Beucler at 2023-06-20T18:14:28+02:00
dla: add flatpak

- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt

Changes:

= data/CVE/list =
@@ -14551,11 +14551,18 @@ CVE-2023-28101 (Flatpak is a system for building, distributing, and running sand [bullseye] - flatpak 1.10.8-0+deb11u1 [buster] - flatpak (Minor issue) NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-h43h-fwqx-mpp8 + NOTE: https://github.com/flatpak/flatpak/commit/6cac99dafe6003c8a4bd5666341c217876536869 (1.15.4) + NOTE: https://github.com/flatpak/flatpak/commit/7fe63f2e8f1fd2dafc31d45154cf0b191ebec66c (1.15.4) + NOTE: https://github.com/flatpak/flatpak/commit/409e34187de2b2b2c4ef34c79f417be698830f6c (1.15.4) + NOTE: https://github.com/flatpak/flatpak/commit/acd627a2fabe9856947399044dbf7aa79247c75b (1.10.8) + NOTE: https://github.com/flatpak/flatpak/commit/e88eedce76f79a5573df4fc38b344bbeaf7af024 (1.10.8) CVE-2023-28100 (Flatpak is a system for building, distributing, and running sandboxed ...) - flatpak 1.14.4-1 (bug #1033099) [bullseye] - flatpak 1.10.8-0+deb11u1 [buster] - flatpak (Minor issue) NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-7qpw-3vjv-xrqp + NOTE: https://github.com/flatpak/flatpak/commit/8e63de9a7d3124f91140fc74f8ca9ed73ed53be9 (1.15.4) + NOTE: https://github.com/flatpak/flatpak/commit/a9bf18040cc075a70657c6090a59d7f6fe78f893 (1.10.8) CVE-2023-28099 (OpenSIPS is a Session Initiation Protocol (SIP) server implementation. ...) NOT-FOR-US: OpenSIPS CVE-2023-28098 (OpenSIPS is a Session Initiation Protocol (SIP) server implementation. ...)

= data/dla-needed.txt =
@@ -58,6 +58,10 @@ erlang (Markus Koschany) NOTE: 20221119: Added by Front-Desk (ta) NOTE: 20221119: at least CVE-2022-37026 needs to be fixed (original request has been for Stretch) -- +flatpak + NOTE: 20230620: Added by Front-Desk (Beuc) + NOTE: 20230620: Follow fixes from bullseye 11.3 (Beuc/front-desk) +-- fusiondirectory (Abhijith PA) NOTE: 20221203: Added by Front-Desk (gladk) NOTE: 20221203: Please evaluate, whether the package can be fixed (gladk).

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/23ac21a6809e0afba43fc939c07fe7843c088794...d686a6983f6d7b2fc100ed8551d3dc6fc3f95acc
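Review bot: in the dla-needed.txt hunk (@@ -58,6 +58,10 @@) the new flatpak note says "Follow fixes from bullseye 11.3", but the only bullseye version the CVE/list hunk in the same push records is flatpak 1.10.8-0+deb11u1, and nothing here ties that upload to point release 11.3; the note should name the point release that actually shipped 1.10.8-0+deb11u1 (the later "dla: fix-up triaging notes" commit on this page changes it to 11.7 and adds "(2 CVEs)"), and ideally list the two CVE ids next to it so the claimant can check the 1.10.8 commits referenced above against what bullseye got.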
[Git][security-tracker-team/security-tracker][master] dla: add suricata
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker

Commits:
23ac21a6 by Sylvain Beucler at 2023-06-20T17:46:50+02:00
dla: add suricata

- - - - -
1 changed file:
- data/dla-needed.txt

Changes:

= data/dla-needed.txt =
@@ -238,6 +238,12 @@ samba (Lee Garrett) NOTE: 20220904: Many postponed or open CVE in general. (apo) NOTE: 20230323: Still working on the long list of CVEs, will likely release an intermittent package first (lee) -- +suricata + NOTE: 20230620: Added by Front-Desk (Beuc) + NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, + NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored), + NOTE: 20230620: and possibly issue a DSA with a few CVEs that were fixed in later dists (Beuc/front-desk) +-- syncthing NOTE: 20230616: Added by Front-Desk (opal) --

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/23ac21a6809e0afba43fc939c07fe7843c088794
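Review bot: the last added NOTE line of the suricata hunk says "possibly issue a DSA", but this is a dla-needed.txt entry handled by the LTS team, whose advisories are DLAs; writing "issue a DLA" avoids the claimant reading it as a request to the stable security team. The line before it, "precise the triage (postponed/ignored)", would also read more naturally as "refine the triage (postponed/ignored)".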
[Git][security-tracker-team/security-tracker][master] dla: trace note author
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker

Commits:
432406f1 by Sylvain Beucler at 2023-06-20T11:24:07+02:00
dla: trace note author

- - - - -
1 changed file:
- data/dla-needed.txt

Changes:

= data/dla-needed.txt =
@@ -125,7 +125,7 @@ nova NOTE: 20230302: Later suites (e.g. bullseye) ship a direct upstream patch and are not affected. NOTE: 20230302: We can either rework the patch, or disable .vmdk support entirely. NOTE: 20230302: zigo currently has no time and requests the LTS team to do it (IRC #debian-lts 2023-03-02). (Beuc/front-desk) - NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. + NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. (lamby) -- nvidia-cuda-toolkit (tobi) NOTE: 20230514: Added by Front-Desk (utkarsh)

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/432406f188cce6bde2a60561b030fcaafdfa8583
Re: Request for suggestions/opinion about triaging decision for renderdoc
Hi,

On 17/06/2023 22:14, Roberto C. Sánchez wrote:
> My opinion is that the package should be added to dla-needed.txt with a note linking to this thread on the mailing list.
[snip]
> There should also be a note there to consider backporting a new upstream release once the security team decides what to do for bookworm and bullseye.

Done:

+renderdoc + NOTE: 20230620: Added by Front-Desk (Beuc) + NOTE: 20230620: See discussion at https://lists.debian.org/debian-lts/2023/06/msg00049.html + NOTE: 20230620: Summary: try to backport fixes; otherwise, since this is a end-user app with no rdeps, + NOTE: 20230620: coordinate with maintainer§eam to try and bump to 1.27 across all dists (Beuc/front-desk)

Cheers!
Sylvain/Front-Desk
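Review bot: the last NOTE line of the pasted renderdoc entry reads "maintainer§eam", which looks like a mangled "maintainer/team" (or "maintainer team"); since dla-needed.txt is what the next claimant reads, it is worth checking the committed file and fixing it there, and "a end-user app" in the line before should be "an end-user app".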