Re: Using Salsa-CI as pre-upload QA for Bullseye and Buster uploads: Lintian and Piuparts

2022-11-14 Thread Sylvain Beucler

Hi!

On 12/11/2022 22:31, Otto Kekäläinen wrote:

> I was wondering how common is it for DDs to use Salsa-CI while doing
> quality assurance prior to Bullseye and Buster uploads?


I personally tend to run initial builds and dep-8 tests locally, because 
when they fail, I have to re-run them manually to properly debug and fix 
the failures anyway.

(not to mention additional manual tests)

Also I do my LTS (security) work in a VM without access to my Debian 
credentials (gpg, ssh) so I can e.g. run various vulnerability PoCs and 
exploits with a reasonable peace of mind; which makes it inconvenient to 
push to Salsa.


I'd be interested in knowing how other LTS contributors handle those 
issues :)


Cheers!
Sylvain Beucler
Debian LTS Team



[Git][security-tracker-team/security-tracker][master] dla: add inetutils

2022-11-12 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a7d55c38 by Sylvain Beucler at 2022-11-12T17:05:25+01:00
dla: add inetutils

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -95,6 +95,10 @@ imagemagick
   NOTE: 20220904: VCS: 
https://salsa.debian.org/lts-team/packages/imagemagick.git
   NOTE: 20220904: Should be synced with Stretch. (apo)
 --
+inetutils
+  NOTE: 20221112: Programming language: C.
+  NOTE: 20221112: Follow fixes from bullseye 11.5 (Beuc/front-desk)
+--
 ini4j
   NOTE: 20221012: Programming language: Java.
   NOTE: 20221012: Require investigation (lamby)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7d55c38479e37b74892ff720bb28e12012f6ff2

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7d55c38479e37b74892ff720bb28e12012f6ff2
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] TEMP-0000000-DD73A0/php-illuminate-database: buster fixed

2022-11-12 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1e079878 by Sylvain Beucler at 2022-11-12T16:48:26+01:00
TEMP-000-DD73A0/php-illuminate-database: buster fixed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -126870,7 +126870,11 @@ CVE-2021- [SQL Server LIMIT / OFFSET SQL 
Injection]
 CVE-2021- [Unexpected database bindings via requests (follow-up)]
- php-laravel-framework 6.20.14+dfsg-1
- php-illuminate-database 
+   [buster] - php-illuminate-database 5.7.27-1+deb10u1
NOTE: 
https://github.com/laravel/framework/security/advisories/GHSA-x7p5-p2c9-phvg
+   NOTE: 
https://github.com/illuminate/database/commit/c2d71addea1a2c79b8a4369ee57d3c08da57b601
 (v6.20.14)
+   NOTE: 
https://github.com/illuminate/database/commit/7797c2ae3fc9814963f0b8bb9c6c9bfd32988623
 (v6.20.14)
+   NOTE: 
https://github.com/illuminate/database/commit/fd2d667140194c658698310ef913043d28241c63
 (v6.20.14)
 CVE-2021-21263 (Laravel is a web application framework. Versions of Laravel 
before 6.2 ...)
- php-laravel-framework 6.20.11+dfsg-1 (bug #980095)
- php-illuminate-database  (bug #980899)
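Review bot: the new `[buster] - php-illuminate-database 5.7.27-1+deb10u1` line records a fixed version but no advisory reference comes with it, while fixed entries elsewhere in this file carry a `{DSA-4990-1}`-style line; if this shipped as a DLA, add the `{DLA-…}` reference so the tracker ties the buster version to its advisory. The three commit NOTEs are all tagged (v6.20.14), which is the upstream series the fix came from; a short remark that they were backported to the 5.7 series in buster would save the next reader a version comparison.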



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e0798787912fabf18bc4b4f00a03df57bd96ed0




[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2022-3957/gpac: buster end-of-life

2022-11-12 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4f774c1a by Sylvain Beucler at 2022-11-12T16:21:48+01:00
CVE-2022-3957/gpac: buster end-of-life

- - - - -
e36a7af7 by Sylvain Beucler at 2022-11-12T16:21:48+01:00
dla: add sysstat

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -106,6 +106,7 @@ CVE-2022-3958
RESERVED
 CVE-2022-3957 (A vulnerability classified as problematic was found in GPAC. 
Affected  ...)
- gpac 
+   [buster] - gpac  (EOL in buster LTS)
NOTE: 
https://github.com/gpac/gpac/commit/2191e66aa7df750e8ef01781b1930bea87b713bb
 CVE-2022-3956 (A vulnerability classified as critical has been found in 
tsruban HHIMS ...)
NOT-FOR-US: tsruban HHIMS
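Review bot: in `[buster] - gpac  (EOL in buster LTS)` the status keyword that should sit between the package name and the parenthetical is not visible as rendered here (only a double space), so the parenthetical would be read as free text rather than as the tracker's end-of-life marker; confirm the committed line carries the marker. A NOTE pointing to where gpac's buster end-of-life was recorded would also let a later triager verify the decision without searching the release notes.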


=
data/dla-needed.txt
=
@@ -356,6 +356,10 @@ sox
   NOTE: 20220818: Requires some investigation; see #1012138 etc.
   NOTE: 20221003: https://sourceforge.net/p/sox/bugs/362/ Re-pinged upstream 
committer (abhijith)
 --
+sysstat
+  NOTE: 20221112: Programming language: C.
+  NOTE: 20221112: 1 new and 1 old pending CVE to fix (Beuc/front-desk)
+--
 tiff
   NOTE: 20221031: Programming language: C.
   NOTE: 20221031: VCS: https://salsa.debian.org/lts-team/packages/tiff.git
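Review bot: the note `1 new and 1 old pending CVE to fix` names no CVE ids, whereas the golang-1.11 entry elsewhere in this file lists them explicitly (`NOTE: 20220916: CVE-2020-28367 CVE-2021-33196 …`); add the two ids to the sysstat entry so the person claiming the package can start from the entry rather than re-running the triage.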



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4d22791cf2b7c2ce6e452e997e89dd0819cbf3fc...e36a7af73158449af0e9920953fb125b817c0463



[Git][security-tracker-team/security-tracker][master] dla: add libsdl2

2022-11-11 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0c767c32 by Sylvain Beucler at 2022-11-11T16:04:09+01:00
dla: add libsdl2

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -143,6 +143,10 @@ libde265
 libreoffice
   NOTE: 20221012: Programming language: C++.
 --
+libsdl2
+  NOTE: 2022: Programming language: C.
+  NOTE: 2022: Sync with jessie/stretch/bullseye (Beuc/front-desk)
+--
 libstb
   NOTE: 2022: Programming language: C.
 --
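Review bot: the added NOTE lines are stamped `2022:` while the surrounding entries use a full `YYYYMMDD` stamp (`NOTE: 20221012:` in the libreoffice context line); given the commit date these should read `NOTE: 20221111:`, otherwise anyone sorting notes by date cannot place them. The neighbouring libstb context lines carry the same short stamp, so a sweep of the file for `NOTE: 2022:` may be worthwhile.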



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c767c3235fef13da84300966326e60d448a7cf4



[Git][security-tracker-team/security-tracker][master] dla: add libarchive

2022-11-11 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a5ed4a9f by Sylvain Beucler at 2022-11-11T15:56:42+01:00
dla: add libarchive

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -127,6 +127,10 @@ lava (Dominik George)
 libapreq2
   NOTE: 20221031: Programming language: C.
 --
+libarchive
+  NOTE: 2022: Programming language: C.
+  NOTE: 2022: Sync with jessie/stretch/bullseye-11.3 (Beuc/front-desk)
+--
 libcommons-jxpath-java
   NOTE: 20221027: Programming language: Java.
   NOTE: 20221027: Maintainer notes: Wait for the outcome of upstream 
discussion. See CVE-2022-41852 for pull requests.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5ed4a9f4009a78425abd24180834319d97286de



[Git][security-tracker-team/security-tracker][master] dla: add jqueryui

2022-11-11 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
32139bac by Sylvain Beucler at 2022-11-11T15:48:12+01:00
dla: add jqueryui

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -110,6 +110,10 @@ jhead
 joblib (Dominik George)
   NOTE: 20221006: Programming language: Python.
 --
+jqueryui
+  NOTE: 2022: Programming language: JavaScript.
+  NOTE: 2022: Follow fixes from bullseye 11.2 (and jessie/elts) 
(Beuc/front-desk)
+--
 jupyter-core (Dominik George)
   NOTE: 20221102: Programming language: Python.
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32139bacda677848cfc8677232f85eb2b53c75d1



[Git][security-tracker-team/security-tracker][master] dla: add nginx

2022-11-11 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a69c0daa by Sylvain Beucler at 2022-11-11T14:30:37+01:00
dla: add nginx

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -164,6 +164,10 @@ netatalk
   NOTE: 20220816: Programming language: C.
   NOTE: 20220912: We get errors in the log, not present on bookworm. Needs 
more investigation. (stefanor)
 --
+nginx
+  NOTE: 2022: Programming language: C.
+  NOTE: 2022: Upcoming DSA + follow fixes from bullseye 11.4 
(Beuc/front-desk)
+--
 node-cached-path-relative
   NOTE: 2022: Programming language: JavaScript.
   NOTE: 2022: Follow fixes from bullseye 11.3 (Beuc/front-desk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a69c0daafb28a67b3beab3c9599835c2308018ed



[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2022-32149: fix buster package name

2022-11-11 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2ebeb330 by Sylvain Beucler at 2022-11-11T12:55:46+01:00
CVE-2022-32149: fix buster package name

- - - - -
c196c055 by Sylvain Beucler at 2022-11-11T12:56:36+01:00
CVE-2022-3821/systemd: buster postponed

- - - - -
6c119973 by Sylvain Beucler at 2022-11-11T12:57:38+01:00
CVE-2022-45063/xterm: buster postponed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -216,6 +216,7 @@ CVE-2022-3909
 CVE-2022-45063 (xterm before 375 allows code execution via font ops, e.g., 
because an  ...)
- xterm 375-1
[bullseye] - xterm  (Minor issue; mitigated by default in 
Debian)
+   [buster] - xterm  (Minor issue; mitigated by default in 
Debian)
NOTE: https://www.openwall.com/lists/oss-security/2022/11/10/1
NOTE: Debian sets defaults for allowWindowOps and allowFontOps 
resources to false since
NOTE: 238-1, mitigating the issue.
@@ -2408,6 +2409,7 @@ CVE-2022-3822
 CVE-2022-3821 (An off-by-one Error issue was discovered in Systemd in 
format_timespan ...)
- systemd 251.3-1
[bullseye] - systemd  (Minor issue)
+   [buster] - systemd  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2139327
NOTE: https://github.com/systemd/systemd/issues/23928
NOTE: https://github.com/systemd/systemd/pull/23933
@@ -36864,8 +36866,8 @@ CVE-2022-32150
RESERVED
 CVE-2022-32149 (An attacker may cause a denial of service by crafting an 
Accept-Langua ...)
- golang-golang-x-text 0.3.8-1 (bug #1021785)
-   [buster] - golang-golang-x-text  (Limited support, minor 
issue, follow bullseye DSAs/point-releases (renamed package))
- golang-x-text 
+   [buster] - golang-x-text  (Limited support, minor issue, 
follow bullseye DSAs/point-releases (renamed package))
NOTE: https://groups.google.com/g/golang-dev/c/qfPIly0X7aU
NOTE: https://go.dev/issue/56152
NOTE: 
https://github.com/golang/text/commit/434eadcdbc3b0256971992e8c70027278364c72c 
(v0.3.8)
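Review bot: the moved `[buster]` line keeps the wording `(renamed package)` but the hunk never says which name is which; since the annotation now hangs under `golang-x-text` while the sid entry above it is `golang-golang-x-text 0.3.8-1`, add a NOTE stating that buster ships the source as golang-x-text, so the earlier mistake of attaching the buster status to the new name is not repeated.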



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fea4d7f9f38f203364dfb0401cef272a94a55a86...6c119973e728f65bbc93e3ae24b35dc693d0f5e0



[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2022-21227/node-sqlite3: buster not-affected

2022-11-11 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
af25ae6a by Sylvain Beucler at 2022-11-11T12:20:38+01:00
CVE-2022-21227/node-sqlite3: buster not-affected

- - - - -
cfa302c1 by Sylvain Beucler at 2022-11-11T12:27:46+01:00
CVE-2021-33623/node-trim-newlines: reference patches

- - - - -
fea4d7f9 by Sylvain Beucler at 2022-11-11T12:34:30+01:00
dla: add NodeJS packages with bullseye-pu to backport

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -55390,11 +55390,12 @@ CVE-2022-21230 (This affects all versions of package 
org.nanohttpd:nanohttpd. Wh
 CVE-2022-21227 (The package sqlite3 before 5.0.3 are vulnerable to Denial of 
Service ( ...)
- node-sqlite3 5.0.6+ds1-1
[bullseye] - node-sqlite3 5.0.0+ds1-1+deb11u1
-   [buster] - node-sqlite3  (minor issue)
+   [buster] - node-sqlite3  (Vulnerable code introduced 
later)
[stretch] - node-sqlite3  (Nodejs in stretch not covered 
by security support)
NOTE: https://github.com/advisories/GHSA-9qrh-qjmc-5w2p
NOTE: Fixed by: 
https://github.com/TryGhost/node-sqlite3/commit/593c9d498be2510d286349134537e3bf89401c4a
 (v5.0.3)
NOTE: https://security.snyk.io/vuln/SNYK-JS-SQLITE3-2388645
+   NOTE: Introduced by: 
https://github.com/TryGhost/node-sqlite3/commit/dd3ef522088bb5cafede25b9fe661f892b6f10ba
 (v5.0.0)
 CVE-2022-21223 (The package cocoapods-downloader before 1.6.2 are vulnerable 
to Comman ...)
NOT-FOR-US: cocoapods-downloader
 CVE-2022-21222 (The package css-what before 2.1.3 are vulnerable to Regular 
Expression ...)
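Review bot: the new `(Vulnerable code introduced later)` triage rests on the `Introduced by:` commit being tagged (v5.0.0) together with bullseye's fixed version `5.0.0+ds1-1+deb11u1`, but the buster upstream version is not stated anywhere in the hunk; record it in the NOTE next to the introducing commit so the not-affected claim can be checked from the entry alone, without a package lookup.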
@@ -104866,6 +104867,8 @@ CVE-2021-33623 (The trim-newlines package before 
3.0.1 and 4.x before 4.0.1 for
[buster] - node-trim-newlines  (Minor issue)
[stretch] - node-trim-newlines  (Nodejs in stretch not 
covered by security support)
NOTE: https://github.com/advisories/GHSA-7p7h-4mm5-852v
+   NOTE: 
https://github.com/sindresorhus/trim-newlines/commit/25246c6ce5eea1c82d448998733a6302a4350d91
 (v4.0.1)
+   NOTE: 
https://github.com/sindresorhus/trim-newlines/commit/b10d5f4afef832b16bc56d49fc52c68cbd403869
 (v3.0.1)
 CVE-2021-33622 (Sylabs Singularity 3.5.x and 3.6.x, and SingularityPRO before 
3.5-8, h ...)
[experimental] - singularity-container 3.9.4+ds2-1
- singularity-container 3.9.5+ds1-2 (bug #990201)


=
data/dla-needed.txt
=
@@ -164,12 +164,68 @@ netatalk
   NOTE: 20220816: Programming language: C.
   NOTE: 20220912: We get errors in the log, not present on bookworm. Needs 
more investigation. (stefanor)
 --
+node-cached-path-relative
+  NOTE: 2022: Programming language: JavaScript.
+  NOTE: 2022: Follow fixes from bullseye 11.3 (Beuc/front-desk)
+--
 node-css-what
   NOTE: 20221031: Programming language: Javascript.
 --
+node-eventsource
+  NOTE: 2022: Programming language: JavaScript.
+  NOTE: 2022: Follow fixes from bullseye 11.4 (Beuc/front-desk)
+--
+node-fetch
+  NOTE: 2022: Programming language: JavaScript.
+  NOTE: 2022: Follow fixes from bullseye 11.3 (Beuc/front-desk)
+--
+node-follow-redirects
+  NOTE: 2022: Programming language: JavaScript.
+  NOTE: 2022: Follow fixes from bullseye 11.3 (Beuc/front-desk)
+--
+node-got
+  NOTE: 2022: Programming language: JavaScript.
+  NOTE: 2022: Follow fixes from bullseye 11.4 (Beuc/front-desk)
+--
+node-json-schema
+  NOTE: 2022: Programming language: JavaScript.
+  NOTE: 2022: Follow fixes from bullseye 11.2 (Beuc/front-desk)
+--
+node-loader-utils
+  NOTE: 2022: Programming language: JavaScript.
+  NOTE: 2022: upcoming bullseye PU 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023798 (Beuc/front-desk)
+--
+node-log4js
+  NOTE: 2022: Programming language: JavaScript.
+  NOTE: 2022: Follow fixes from bullseye 11.5 (Beuc/front-desk)
+--
+node-moment
+  NOTE: 2022: Programming language: JavaScript.
+  NOTE: 2022: Follow fixes from bullseye 11.4 and 11.5 (Beuc/front-desk)
+--
+node-nth-check
+  NOTE: 2022: Programming language: JavaScript.
+  NOTE: 2022: Follow fixes from bullseye 11.3 (Beuc/front-desk)
+--
+node-object-path
+  NOTE: 2022: Programming language: JavaScript.
+  NOTE: 2022: Follow fixes from bullseye 11.1 (Beuc/front-desk)
+--
+node-set-value
+  NOTE: 2022: Programming language: JavaScript.
+  NOTE: 2022: Follow fixes from bullseye 11.1 (Beuc/front-desk)
+--
 node-tar
   NOTE: 20220907: Programming language: JavaScript.
 --
+node-trim-newlines
+  NOTE: 2022: Programming language: JavaScript.
+  NOTE: 2022: Follow fixes from bullseye 11.3 (Beuc/front-desk)
+--
+node-url-parse
+  NOTE: 2022: Programming language: JavaScript.
+  NOTE: 2022: Follow fixes from bullseye 11.4 + check postponed issues 
(Beuc/front-desk
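Review bot: the final entry `node-url-parse` ends with `(Beuc/front-desk` and no closing `--` separator as shown, so check the committed file for the missing parenthesis and separator, since the file relies on `--` to delimit entries. Minor: the new entries write `JavaScript` while the existing `node-css-what` context line has `Javascript`; pick one spelling if anything greps on the language field.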

[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2021-3805/node-object-path: fix wrong patch URL from mitre

2022-11-11 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3be1e72c by Sylvain Beucler at 2022-11-11T11:40:45+01:00
CVE-2021-3805/node-object-path: fix wrong patch URL from mitre

- - - - -
ed88d9e4 by Sylvain Beucler at 2022-11-11T11:47:49+01:00
CVE-2021-23440/node-set-value: fix wrong patch URL from mitre

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -85758,7 +85758,7 @@ CVE-2021-3805 (object-path is vulnerable to Improperly 
Controlled Modification o
[buster] - node-object-path  (Minor issue)
[stretch] - node-object-path  (Nodejs in stretch not 
covered by security support)
NOTE: https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053
-   NOTE: 
https://github.com/mariocasciaro/object-path/commit/e6bb638ffdd431176701b3e9024f80050d0ef0a6
+   NOTE: 
https://github.com/mariocasciaro/object-path/commit/4f0903fd7c832d12ccbe0d9c3d7e25d985e9e884
 (v0.11.8)
 CVE-2021-41303 (Apache Shiro before 1.8.0, when using Apache Shiro with Spring 
Boot, a ...)
- shiro  (bug #1014819)
[bullseye] - shiro  (Minor issue)
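Review bot: since the commit message says the replaced URL (`…/commit/e6bb638ffdd431176701b3e9024f80050d0ef0a6`) is the one MITRE published, swapping it silently leaves no trace of why it changed; add a NOTE such as `NOTE: MITRE references a wrong commit` beside the new `(v0.11.8)` link so a later sync against the MITRE data does not reintroduce the bad reference. The same applies to the set-value hunk below.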
@@ -130851,7 +130851,7 @@ CVE-2021-23440 (This affects the package set-value 
before 2.0.1, =3.0.0
[bullseye] - node-set-value 3.0.1-2+deb11u1
[buster] - node-set-value  (Minor issue)
[stretch] - node-set-value  (Nodejs in stretch not covered 
by security support)
-   NOTE: 
https://github.com/jonschlinkert/set-value/commit/7cf8073bb06bf0c15e08475f9f952823b4576452
 (v4.0.1)
+   NOTE: 
https://github.com/jonschlinkert/set-value/commit/b057b1b8cf986746b27a145629d593c6bb4ab7c4
 (v4.0.1)
NOTE: 
https://github.com/jonschlinkert/set-value/pull/33/commits/383b72d47c74a55ae8b6e231da548f9280a4296a
NOTE: https://github.com/jonschlinkert/set-value/pull/33
 CVE-2021-23439 (This affects the package file-upload-with-preview before 
4.2.0. A file ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f8ef1b71af7c159c5a39d9672fcbbcc79ed8fc93...ed88d9e44bbe54b8b4497a912af00a1d1acab7c6



[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2022-32149/golang-golang-x-text: buster postponed

2022-11-11 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
27948f86 by Sylvain Beucler at 2022-11-11T10:43:38+01:00
CVE-2022-32149/golang-golang-x-text: buster postponed

- - - - -
aa2075b8 by Sylvain Beucler at 2022-11-11T10:43:39+01:00
CVE-2022-3275/puppet-module-puppetlabs-apt: buster postponed

- - - - -
f8ef1b71 by Sylvain Beucler at 2022-11-11T10:43:39+01:00
dla: add libstb

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -12657,6 +12657,7 @@ CVE-2022-3276 (Command injection is possible in the 
puppetlabs-mysql module prio
 CVE-2022-3275 (Command injection is possible in the puppetlabs-apt module 
prior to ve ...)
- puppet-module-puppetlabs-apt  (bug #1023625)
[bullseye] - puppet-module-puppetlabs-apt  (Minor issue)
+   [buster] - puppet-module-puppetlabs-apt  (Minor issue, rare 
condition, follow buster status)
NOTE: https://puppet.com/security/cve/CVE-2022-3275
NOTE: 
https://github.com/puppetlabs/puppetlabs-apt/commit/c26ad2a54f318b4d6fbe55f837b00cd6afd9f1eb
 (v9.0.0)
 CVE-2022-3274 (Cross-Site Request Forgery (CSRF) in GitHub repository 
ikus060/rdiffwe ...)
@@ -36863,6 +36864,7 @@ CVE-2022-32150
RESERVED
 CVE-2022-32149 (An attacker may cause a denial of service by crafting an 
Accept-Langua ...)
- golang-golang-x-text 0.3.8-1 (bug #1021785)
+   [buster] - golang-golang-x-text  (Limited support, minor 
issue, follow bullseye DSAs/point-releases (renamed package))
- golang-x-text 
NOTE: https://groups.google.com/g/golang-dev/c/qfPIly0X7aU
NOTE: https://go.dev/issue/56152
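Review bot: the new `[buster]` line is attached to `golang-golang-x-text`, yet the context line directly below it, `- golang-x-text`, lists a second source package with no version, which is the usual shape of a renamed package; check which of the two names buster actually ships before attaching the suite annotation, since the tracker matches a `[buster]` line to the package entry it follows.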


=
data/dla-needed.txt
=
@@ -135,6 +135,9 @@ libde265
 libreoffice
   NOTE: 20221012: Programming language: C++.
 --
+libstb
+  NOTE: 2022: Programming language: C.
+--
 linux (Ben Hutchings)
 --
 man2html



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1a7adcf093a16eb24c9e808d034cf0fcef7418e8...f8ef1b71af7c159c5a39d9672fcbbcc79ed8fc93



[Git][security-tracker-team/security-tracker][master] CVE-2022-45061/python3.7: buster postponed

2022-11-10 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
457048bf by Sylvain Beucler at 2022-11-11T08:42:03+01:00
CVE-2022-45061/python3.7: buster postponed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -205,6 +205,7 @@ CVE-2022-45061 (An issue was discovered in Python before 
3.11.1. An unnecessary
- python3.9 
[bullseye] - python3.9  (Minor issue)
- python3.7 
+   [buster] - python3.7  (Minor issue; fix along with next DLA)
NOTE: https://github.com/python/cpython/issues/98433
NOTE: https://github.com/python/cpython/pull/99092
NOTE: 
https://github.com/python/cpython/commit/a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15
 (3.11-branch)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/457048bf53a1d01e83915bfd3d6ab2812310eef6



[Git][security-tracker-team/security-tracker][master] dla: php-cas: update note

2022-11-10 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
768dcc5c by Sylvain Beucler at 2022-11-11T08:18:10+01:00
dla: php-cas: update note

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -185,6 +185,7 @@ php-cas
   NOTE: 20221105: The fix is not backwards compatible. Should be investigated 
further whether this issue should be solved or ignored.. (ola)
   NOTE: 20221107: php-cas only has 2 reverse-deps in buster (fusiondirectory, 
ocsinventory-reports),
   NOTE: 20221107: consider fixing all 3 packages; also check situation in ELTS 
for reference (Beuc/front-desk)
+  NOTE: 20221110: upcoming DSA (Beuc/front-desk)
 --
 php-phpseclib (Sylvain Beucler)
   NOTE: 20220909: Programming language: PHP.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/768dcc5c5db8dc922c01eca1ea6843fdc90718ce



[Git][security-tracker-team/security-tracker][master] 2 commits: golang*: fix a few buster triage

2022-11-09 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
69c04ad5 by Sylvain Beucler at 2022-11-09T18:07:33+01:00
golang*: fix a few buster triage

- - - - -
133342c6 by Sylvain Beucler at 2022-11-09T18:07:33+01:00
dla: add golang-github-nats-io-jwt

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -36628,6 +36628,7 @@ CVE-2022-32150
RESERVED
 CVE-2022-32149 (An attacker may cause a denial of service by crafting an 
Accept-Langua ...)
- golang-golang-x-text 0.3.8-1 (bug #1021785)
+   - golang-x-text 
NOTE: https://groups.google.com/g/golang-dev/c/qfPIly0X7aU
NOTE: https://go.dev/issue/56152
NOTE: 
https://github.com/golang/text/commit/434eadcdbc3b0256971992e8c70027278364c72c 
(v0.3.8)
@@ -140203,7 +140204,7 @@ CVE-2021-20207
REJECTED
 CVE-2021-20206 (An improper limitation of path name flaw was found in 
containernetwork ...)
- golang-github-appc-cni 0.8.1-1 (bug #983659)
-   [buster] - golang-github-appc-cni  (Minor issue; can be fixed 
via point release)
+   [buster] - golang-github-appc-cni  (Limited support, minor 
issue)
[stretch] - golang-github-appc-cni  (Minor issue)
NOTE: https://github.com/containernetworking/cni/pull/808
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1919391
@@ -180436,7 +180437,7 @@ CVE-2020-15217 (In GLPI before version 9.5.2, there 
is a leakage of user informa
- glpi 
 CVE-2020-15216 (In goxmldsig (XML Digital Signatures implemented in pure Go) 
before ve ...)
- golang-github-russellhaering-goxmldsig 1.1.0-1 (bug #971615)
-   [buster] - golang-github-russellhaering-goxmldsig  (Limited 
support, minor issue, no build rdeps, follow bullseye DSAs/point-releases)
+   [buster] - golang-github-russellhaering-goxmldsig  (Limited 
support, minor issue, no build rdeps)
NOTE: 
https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
NOTE: 
https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64
 CVE-2020-15215 (Electron before versions 11.0.0-beta.6, 10.1.2, 9.3.1 or 8.5.2 
is vuln ...)


=
data/dla-needed.txt
=
@@ -70,6 +70,10 @@ golang-1.11
   NOTE: 20220916: Harmonize with bullseye and stretch: 9 CVEs fixed in Debian 
11.2 & 11.3 + 2 CVEs fixed in stretch-lts (Beuc/front-desk)
   NOTE: 20220916: CVE-2020-28367 CVE-2021-33196 CVE-2021-36221 CVE-2021-39293 
CVE-2021-41771 CVE-2021-44716 CVE-2021-44717 CVE-2022-23772 CVE-2022-23773 
CVE-2022-23806 CVE-2022-24921
 --
+golang-github-nats-io-jwt
+  NOTE: 20221109: Programming language: Go.
+  NOTE: 20221109: Special attention: limited support, cf. buster release 
notes; not in bullseye
+--
 golang-go.crypto
   NOTE: 20220915: Programming language: Go.
   NOTE: 20220915: 3 CVEs fixed in stretch and bullseye (Beuc/front-desk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ea2c44aecc8a086ac63fb5e5316adc8718c4522f...133342c6b0f1b4767eb217c24695a0b6b2e7a874



[Git][security-tracker-team/security-tracker][master] dla: add varnish

2022-11-09 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5b048af4 by Sylvain Beucler at 2022-11-09T16:36:43+01:00
dla: add varnish

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -294,6 +294,10 @@ trafficserver (Abhijith PA)
 twisted
   NOTE: 20221030: Programming language: Python.
 --
+varnish
+  NOTE: 20221109: Programming language: C.
+  NOTE: 20221109: First DLA, 3 minor CVEs to fix (Beuc/front-desk)
+--
 vim
   NOTE: 20221108: Programming language: C.
   NOTE: 20221108: VCS: https://salsa.debian.org/lts-team/packages/vim.git



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b048af4e1ee7877c95c9697f448d6f1a9f3a4ca



[Git][security-tracker-team/security-tracker][master] CVE-2020-22027/ffmpeg: drop stretch triage

2022-11-09 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d4683788 by Sylvain Beucler at 2022-11-09T13:42:47+01:00
CVE-2020-22027/ffmpeg: drop stretch triage
so it can be revisited in ELTS
3-4 lines is not particularly invasive, most probably stretch was not-affected 
really

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -165315,7 +165315,6 @@ CVE-2020-22028 (Buffer Overflow vulnerability exists 
in FFmpeg 4.2 in filter_ver
 CVE-2020-22027 (A heap-based Buffer Overflow vulnerability exits in FFmpeg 4.2 
in defl ...)
{DSA-4990-1}
- ffmpeg 7:4.3-2
-   [stretch] - ffmpeg  (Required change too invasive, original 
patch need to be completely rewritten)
NOTE: 
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=e787f8fd7ee99ba0c3e0f086ce2ce59eea7ed86c
NOTE: https://trac.ffmpeg.org/ticket/8242
 CVE-2020-22026 (Buffer Overflow vulnerability exists in FFmpeg 4.2 in the 
config_input ...)
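Review bot: the hunk deletes the `[stretch]` triage line outright, so data/CVE/list no longer records any stretch decision for CVE-2020-22027 and the reasoning in the commit message ("3-4 lines is not particularly invasive, most probably stretch was not-affected really") survives only in git history. If the intent is for ELTS to revisit, a NOTE carrying that (e.g. `NOTE: stretch triage dropped 2022-11-09, likely not-affected, revisit in ELTS`) keeps the rationale next to the data; if stretch is in fact not affected, a stretch not-affected entry with that reason is the more direct fix.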



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d46837888b823cf6988117ce5f2c8b613d8e096b



[Git][security-tracker-team/security-tracker][master] lts-cve-triage.py: move down unexpected_nodsa

2022-11-09 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2946a3e3 by Sylvain Beucler at 2022-11-09T13:39:55+01:00
lts-cve-triage.py: move down unexpected_nodsa
this sub-report rarely triggers action from front-desk and is of lower priority

- - - - -


1 changed file:

- bin/lts-cve-triage.py


Changes:

=
bin/lts-cve-triage.py
=
@@ -69,12 +69,12 @@ LIST_NAMES = (
  .format(**RELEASES)),
 ('triage_other',
  'Other issues to triage (no special status)'),
-('unexpected_nodsa',
- ('Issues tagged no-dsa in {lts} that are open in {next_lts}')
- .format(**RELEASES)),
 ('triage_possible_missed_fixes',
  ('Issues postponed for {lts}, but already fixed in {next_lts} via DSA or 
point releases (to be fixed or )')
  .format(**RELEASES)),
+('unexpected_nodsa',
+ ('Issues tagged no-dsa in {lts} that are open in {next_lts}')
+ .format(**RELEASES)),
 ('possible_easy_fixes',
  ('Issues from dla-needed.txt that are already fixed in {next_lts}')
  .format(**RELEASES)),
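Review bot: the move is a pure reorder of an identical three-line tuple, so the only behavioural change is report ordering; if anything consumes LIST_NAMES by position rather than by key (an index, an enumerate() counter, an option that selects sub-reports by number), that should be checked in the same change. Separately, the context line "Issues postponed for {lts}, but already fixed in {next_lts} via DSA or point releases (to be fixed or )" shows an empty second alternative; if that is the real source text rather than a mail-rendering artifact, the missing word should be restored.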



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2946a3e3b34af3a7c88c93f9a8ca405ce4da08c3



[Git][security-tracker-team/security-tracker][master] dla: add qemu

2022-11-08 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a5a10cee by Sylvain Beucler at 2022-11-08T20:08:34+01:00
dla: add qemu

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -227,6 +227,11 @@ python-django (Chris Lamb)
   NOTE: 20221103: Re-added pre-20221031 comments from Git and reclaimed; will 
upload at least CVE-2022-28346 soon. (lamby)
   NOTE: 20221104: Uploaded with three more CVEs: CVE-2022-28346  
CVE-2021-45115 CVE-2021-45116 (lamby)
 --
+qemu
+  NOTE: 20221108: Programming language: C.
+  NOTE: 20221108: I updated the status of all opened (minor) CVEs to more 
clearly state whether we can fix or are waiting for a patch,
+  NOTE: 20221108: there's about half of them that can be fixed (or definitely 
ignored if we can't) (Beuc/front-desk)
+--
 r-cran-commonmark
   NOTE: 20221009: Programming language: R.
   NOTE: 20221009: Please synchronize with ghostwriter.
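Review bot: the two 20221108 NOTE lines for qemu are one sentence split across two dated prefixes ("...waiting for a patch," / "there's about half of them...") and use first person ("I updated"), which the neighbouring entries avoid. Suggest one self-contained line per fact, e.g. `NOTE: 20221108: Open minor CVEs re-triaged in data/CVE/list, status now says fixable vs waiting for patch (Beuc/front-desk)` and `NOTE: 20221108: About half can be fixed now, the rest to be ignored if no patch appears (Beuc/front-desk)`.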



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5a10cee15787ce0a2f1514aa40e0e84e40504ca



[Git][security-tracker-team/security-tracker][master] qemu: update buster triage 2019-2020 for LTS

2022-11-08 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7563bbe4 by Sylvain Beucler at 2022-11-08T17:57:30+01:00
qemu: update buster triage 2019-2020 for LTS

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -140657,10 +140657,10 @@ CVE-2020-35504 (A NULL pointer dereference flaw was 
found in the SCSI emulation
 CVE-2020-35503 (A NULL pointer dereference flaw was found in the megasas-gen2 
SCSI hos ...)
- qemu  (bug #979678)
[bullseye] - qemu  (Minor issue)
-   [buster] - qemu  (Fix along in future DSA)
-   [stretch] - qemu  (Fix along in future DLA)
+   [buster] - qemu  (Minor issue, waiting for sanctioned patch)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1910346
-   NOTE: No upstream patch as of 2022-04-21
+   NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2020-12/msg06065.html
+   NOTE: No sanctioned upstream patch as of 2022-11-08
 CVE-2020-35502 (A flaw was found in Privoxy in versions before 3.0.29. Memory 
leaks wh ...)
{DLA-2548-1}
- privoxy 3.0.29-1
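Review bot: the new NOTE in the CVE-2020-35503 entry adds a bare qemu-devel link with no description, while the line after it says there is "No sanctioned upstream patch"; a reader cannot tell whether the link is the proposed-but-unmerged patch that the buster reason ("waiting for sanctioned patch") refers to. Label it, e.g. `NOTE: patch proposal: https://lists.gnu.org/archive/html/qemu-devel/2020-12/msg06065.html`, so the waiting state is verifiable from the entry alone.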
@@ -144896,7 +144896,7 @@ CVE-2020-29130 (slirp.c in libslirp through 4.3.1 has 
a buffer over-read because
{DLA-2560-1}
- libslirp 4.4.0-1
- qemu 1:4.1-2
-   [buster] - qemu  (Fix along in future DSA)
+   [buster] - qemu  (Fix along with next DLA, fixed in 
stretch-lts)
NOTE: 
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f
 (v4.4.0)
NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as 
fixed.
NOTE: 
https://github.com/rootless-containers/slirp4netns/security/advisories/GHSA-2j37-w439-87q3
@@ -156645,27 +156645,24 @@ CVE-2020-25744 (SaferVPN before 5.0.3.3 on Windows 
could allow low-privileged us
 CVE-2020-25743 (hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer 
dereferen ...)
- qemu  (bug #970940)
[bullseye] - qemu  (Minor issue, revisit when fixed upstream)
-   [buster] - qemu  (Fix along in next qemu DSA)
-   [stretch] - qemu  (Fix along in future DLA)
+   [buster] - qemu  (Minor issue, waiting for sanctioned patch)
NOTE: 
https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg01568.html
NOTE: 
https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fide_nullptr1
-   NOTE: No upstream patch as of 2022-04-21
+   NOTE: No sanctioned upstream patch as of 2022-11-08
 CVE-2020-25742 (pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has 
a NULL p ...)
- qemu  (bug #971390)
[bullseye] - qemu  (Minor issue, revisit when fixed upstream)
-   [buster] - qemu  (Fix along in next qemu DSA)
-   [stretch] - qemu  (Fix along in future DLA)
+   [buster] - qemu  (Minor issue, waiting for sanctioned patch)
NOTE: 
https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg05294.html
NOTE: 
https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Flsi_nullptr1
-   NOTE: No upstream patch as of 2022-04-21
+   NOTE: No sanctioned upstream patch as of 2022-11-08
 CVE-2020-25741 (fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL 
pointer d ...)
- qemu  (bug #970939)
[bullseye] - qemu  (Minor issue, revisit when fixed upstream)
-   [buster] - qemu  (Fix along in next qemu DSA)
-   [stretch] - qemu  (Fix along in future DLA)
+   [buster] - qemu  (Minor issue, waiting for sanctioned patch)
NOTE: 
https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg07779.html
NOTE: 
https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Ffdc_nullptr1
-   NOTE: No upstream patch as of 2022-04-21
+   NOTE: No sanctioned upstream patch as of 2022-11-08
 CVE-2020-25740
RESERVED
 CVE-2020-25739 (An issue was discovered in the gon gem before gon-6.4.0 for 
Ruby. Mult ...)
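Review bot: for CVE-2020-25743, CVE-2020-25742 and CVE-2020-25741 the `[stretch]` lines are deleted rather than updated, so the recorded stretch decision ("Fix along in future DLA") disappears from the file. If stretch triage is intentionally no longer kept in data/CVE/list now that buster is the LTS release, that is fine, but the commit message ("update buster triage 2019-2020 for LTS") does not say so, and the CVE-2020-29130 hunk in this same commit still references stretch ("fixed in stretch-lts"). A line in the commit message, or keeping the stretch lines until they are handled consistently, would remove the ambiguity.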
@@ -158425,7 +158422,7 @@ CVE-2020-25086 (Ecommerce-CodeIgniter-Bootstrap 
before 2020-08-03 allows XSS in
 CVE-2021-3409 (The patch for CVE-2020-17380/CVE-2020-25085 was found to be 
ineffectiv ...)
{DLA-2623-1}
- qemu 1:5.2+dfsg-10 (bug #986795)
-   [buster] - qemu  (CVE-2020-17380/CVE-2020-25085 weren't 
backported to Buster)
+   [buster] - qemu  (CVE-2020-17380 wasn't backported to 
Buster)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
NOTE: https://www.openwall.com/lists/oss-security/2021/03/09/1
NOTE: New patch series: 
https://lists.nongnu.org/archive/html/qemu-devel/2021-03/msg00949.html
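Review bot: the buster reason for CVE-2021-3409 is narrowed from "CVE-2020-17380/CVE-2020-25085 weren't backported to Buster" to "CVE-2020-17380 wasn't backported", which implies CVE-2020-25085 has since been fixed in buster; nothing in the hunk records where (a DLA id or the buster version), so the next reviewer of this entry has to re-check. Suggest adding alongside the change a NOTE such as `NOTE: CVE-2020-25085 fixed in buster via DLA-NNNN-N` (placeholder id).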
@@ -158434,6 +158431,7 @@ CVE-2021-3409 (The patch for 
CVE-2020-17380/CVE-2020-25085 was found to be ineff
NOTE: 
https://git.qemu.org/?p=qemu.git;a=commit;h=bc6f28995ff88f5d82c38afcfd65406f0ae375aa
NOTE: 
https://git.qemu.org/?p=qemu.git;a=commit;h=5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd
NOTE

[Git][security-tracker-team/security-tracker][master] qemu: update buster triage 2021-2022 for LTS

2022-11-08 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2e85e39d by Sylvain Beucler at 2022-11-08T14:14:18+01:00
qemu: update buster triage 2021-2022 for LTS

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -50003,9 +50003,9 @@ CVE-2022-1051 (The WPQA Builder Plugin WordPress plugin 
before 5.2, used as a co
 CVE-2022-1050 (A flaw was found in the QEMU implementation of VMWare's 
paravirtual RD ...)
- qemu 1:7.1+dfsg-2 (bug #1014589)
[bullseye] - qemu  (Minor issue)
-   [buster] - qemu  (Minor issue)
+   [buster] - qemu  (Minor issue, waiting for sanctioned patch, 
patch included in unstable)
[stretch] - qemu  (rdma devices introduced in v2.12)
-   NOTE: 
https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05197.html
+   NOTE: 
https://lists.nongnu.org/archive/html/qemu-devel/2022-04/msg00273.html
 CVE-2022-1049 (A flaw was found in the Pacemaker configuration tool (pcs). The 
pcs da ...)
{DSA-5226-1 DLA-3108-1}
- pcs 0.11.3-1
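Review bot: the buster reason for CVE-2022-1050 now reads "waiting for sanctioned patch, patch included in unstable", which is contradictory on its face: if 1:7.1+dfsg-2 in unstable already carries a patch, the note should say why that patch is not considered sanctioned (e.g. still unmerged upstream). The hunk also replaces the 2022-03 qemu-devel link with a 2022-04 one instead of adding it; keeping both, labelled (v1 / v2 of the series, or "applied in unstable"), preserves the history the reason line relies on.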
@@ -53665,7 +53665,7 @@ CVE-2022-26354 (A flaw was found in the vhost-vsock 
device of QEMU. In case of e
 CVE-2022-26353 (A flaw was found in the virtio-net device of QEMU. This flaw 
was inadv ...)
{DSA-5133-1}
- qemu 1:7.0+dfsg-1
-   [buster] - qemu  (Original upstream fix for CVE-2021-3748 
not applied)
+   [buster] - qemu  (Original upstream fix for CVE-2021-3748 
not applied, new fix applied in DSA)
[stretch] - qemu  (Original upstream fix for 
CVE-2021-3748 not applied)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2063197
NOTE: 
https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg02438.html
@@ -64081,7 +64081,7 @@ CVE-2022-0218 (The WP HTML Mail WordPress plugin is 
vulnerable to unauthorized a
 CVE-2022-0216 (A use-after-free vulnerability was found in the LSI53C895A SCSI 
Host B ...)
- qemu 1:7.1+dfsg-1 (bug #1014590)
[bullseye] - qemu  (Minor issue)
-   [buster] - qemu  (Minor issue)
+   [buster] - qemu  (Minor issue, DoS, fix along with next DLA)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2036953
NOTE: https://starlabs.sg/advisories/22/22-0216/
NOTE: https://gitlab.com/qemu-project/qemu/-/issues/972
@@ -77748,7 +77748,7 @@ CVE-2021-3930 (An off-by-one error was found in the 
SCSI device emulation in QEM
 CVE-2021-3929 (A DMA reentrancy issue was found in the NVM Express Controller 
(NVME)  ...)
- qemu 1:7.0+dfsg-1
[bullseye] - qemu  (Minor issue; nvme support preliminary 
supported)
-   [buster] - qemu  (Minor issue; nvme support preliminary 
supported)
+   [buster] - qemu  (Minor issue; nvme support preliminary 
supported, possibly not-affected)
[stretch] - qemu  (Vulnerable code introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2020298
NOTE: https://gitlab.com/qemu-project/qemu/-/issues/556
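Review bot: "possibly not-affected" for buster leaves the CVE-2021-3929 entry undecided with no pointer to how to decide it; the stretch line already says "Vulnerable code introduced later", so the introducing upstream version or commit is presumably known. Recording it in a NOTE (e.g. `NOTE: vulnerable code introduced in VERSION-OR-COMMIT`, placeholder) would let buster be settled as not-affected or affected rather than "possibly".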
@@ -88053,8 +88053,8 @@ CVE-2021-40320
 CVE-2021-3750 (A DMA reentrancy issue was found in the USB EHCI controller 
emulation  ...)
- qemu 1:7.0+dfsg-1
[bullseye] - qemu  (Minor issue)
-   [buster] - qemu  (Minor issue)
-   [stretch] - qemu  (Fix along with a future DLA)
+   [buster] - qemu  (Minor issue, fix along with next DLA)
+   [stretch] - qemu  (Fix along with next DLA)
NOTE: https://gitlab.com/qemu-project/qemu/-/issues/541
NOTE: Fix for whole class of DMA MMIO reentrancy issues: 
https://gitlab.com/qemu-project/qemu/-/issues/556
NOTE: Patchset: 
https://lists.nongnu.org/archive/html/qemu-devel/2021-08/msg03692.html
@@ -88072,6 +88072,7 @@ CVE-2021-3748 (A use-after-free vulnerability was found 
in the virtio-net device
{DSA-4980-1 DLA-3099-1 DLA-2970-1}
- qemu 1:6.1+dfsg-6 (bug #993401)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1998514
+   NOTE: 
https://gitlab.com/qemu-project/qemu/-/commit/bedd7e93d01961fcb16a97ae45d93acf357e11f6
 (v6.2.0-rc0)
NOTE: When fixing this issue make sure to not open CVE-2022-26353
 CVE-2021-40319
RESERVED
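Review bot: the commit link added to CVE-2021-3748 (bedd7e93, v6.2.0-rc0) is presented as a plain upstream reference, but the very next NOTE warns not to open CVE-2022-26353, and the CVE-2022-26353 hunk earlier in this commit says the "Original upstream fix for CVE-2021-3748" was not applied to buster and a "new fix" went in via DSA-5133-1. If bedd7e93 is that original fix, label it so (e.g. `NOTE: original fix, superseded, see CVE-2022-26353:`) to keep someone from backporting it as-is.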
@@ -88638,10 +88639,9 @@ CVE-2021-3739 (A NULL pointer dereference flaw was 
found in the btrfs_rm_device
 CVE-2021-3735 (A deadlock issue was found in the AHCI controller device of 
QEMU. It o ...)
- qemu  (bug #1014767)
[bullseye] - qemu  (Minor issue)
-   [buster] - qemu  (Minor issue)
-   [stretch] - qemu  (Fix along with a future DLA)
+   [buster] - qemu  (Minor issue, waiting for patch)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1997184
-   NOTE: No upstream patch as of 2022-01-28
+   NOTE: No upstream patch as of 2022-11-08
 CVE-2021-40083 (Knot Resolver before 5.3.2 is prone to an assertion failure, 
triggerab ...)
[experimental] - knot-resolver 5.4.1-1
- knot-resolver 5.4.1-2

[Git][security-tracker-team/security-tracker][master] CVE-2022-3872/qemu: buster postponed

2022-11-08 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
81631ea8 by Sylvain Beucler at 2022-11-08T12:16:33+01:00
CVE-2022-3872/qemu: buster postponed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -40,8 +40,10 @@ CVE-2022-3873 (Cross-site Scripting (XSS) - DOM in GitHub 
repository jgraph/draw
NOT-FOR-US: jgraph/drawio
 CVE-2022-3872 (An off-by-one read/write issue was found in the SDHCI device of 
QEMU.  ...)
- qemu 
+   [buster] - qemu  (Minor issue, DoS, waiting for sanctioned 
patch)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2140567
-   NOTE: 
https://lists.nongnu.org/archive/html/qemu-devel/2022-11/msg01068.html
+   NOTE: patch proposal 1: 
https://lists.nongnu.org/archive/html/qemu-devel/2022-11/msg01068.html
+   NOTE: patch proposal 2: 
https://lists.nongnu.org/archive/html/qemu-devel/2022-11/msg01161.html
 CVE-2022-45043
RESERVED
 CVE-2022-45042
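Review bot: the new buster line classifies CVE-2022-3872 as "DoS", while the description line in the hunk says "off-by-one read/write issue"; an out-of-bounds write in device emulation is not obviously DoS-only. If the assessment comes from the patch discussion (the two proposals linked below it), a short NOTE stating the basis would make the "Minor issue" postponement defensible later. With two competing proposals recorded, the entry should also be updated to say which one upstream accepts once that happens.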



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/81631ea8c16d131e8d4a951a70ed5e6fb430e2a8



[Git][security-tracker-team/security-tracker][master] dla: phpseclib,php-phpseclib: update status

2022-11-08 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
00ea0937 by Sylvain Beucler at 2022-11-08T12:01:58+01:00
dla: phpseclib,php-phpseclib: update status

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -191,7 +191,9 @@ php-cas
 --
 php-phpseclib (Sylvain Beucler)
   NOTE: 20220909: Programming language: PHP.
-  NOTE: 20220909: Note the discussion whether 2.0 is in fact affected by the 
CVE or not. It looks like it is affected by a small part of it that is best to 
fix..
+  NOTE: 20220909: Note the discussion whether 2.0 is in fact affected by the 
CVE or not. It looks like it is affected by a small part of it that is best to 
fix.. (ola)
+  NOTE: 20221104: Attempted to clarify vulnerability status (cf. 
02cd83d1d917dc5964440185226aa11e40058546) (Beuc)
+  NOTE: 20221108: buster is missing testsuite in both phpseclib packages, 
contacted maintainer to decide whether to backport testsuite or just bump 
version (Beuc)
 --
 php7.3
   NOTE: 20221031: Programming language: C.
@@ -199,7 +201,9 @@ php7.3
 --
 phpseclib (Sylvain Beucler)
   NOTE: 20220909: Programming language: PHP.
-  NOTE: 20220909: Note the discussion whether 2.0 is in fact affected by the 
CVE or not. It looks like it is affected by a small part of it that is best to 
fix..
+  NOTE: 20220909: Note the discussion whether 1.0 is in fact affected by the 
CVE or not. It looks like it is affected by a small part of it that is best to 
fix.. (ola)
+  NOTE: 20221104: Attempted to clarify vulnerability status (cf. 
02cd83d1d917dc5964440185226aa11e40058546) (Beuc)
+  NOTE: 20221108: buster is missing testsuite in both phpseclib packages, 
contacted maintainer to decide whether to backport testsuite or just bump 
version (Beuc)
 --
 pluxml
   NOTE: 20220913: Programming language: PHP.
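Review bot: in the phpseclib hunk the 20220909 note attributed to (ola) is rewritten from "whether 2.0 is in fact affected" to "whether 1.0 is in fact affected" at the same time as it gains the "(ola)" attribution; editing the wording of another contributor's dated note makes the attribution inaccurate. If 1.0 is the intended branch for this package (phpseclib is the 1.x source, php-phpseclib the 2.x one), the cleaner change is to leave the 20220909 line verbatim and add a dated Beuc note saying the earlier note should read 1.0.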



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/00ea09374e10b0c8053c5eaf0f3eb6a856eaca00



Re: Pre-creating Git repos in salsa.d.o/lts-team/packages/ - or not?

2022-11-08 Thread Sylvain Beucler

Hi,

On 07/11/2022 19:08, Anton Gladky wrote:

as you know one of our goals is to keep the git-history of all {E,L}TS
uploads. Some semi-automatic repo creation scripts are in a test phase
to ease this process. I have created some repos and
imported the last available security versions of packages into that.

Sure, if the maintainer of the particular package allows to push security
updates of {E,L}TS process, feel free to do it! Just drop the repo and
change the link in the VCS.


Point is: if the LTS repo already exists, I assume there was a conscious 
decision /not/ to host it in the maintainer's repo. (Otherwise every 
contributor would ask the maintainer every time they prepare an upload.)


I think creating the repo is the uploader's responsibility, not the 
front-desk's or coordinator's.


Cheers!
Sylvain



[Git][security-tracker-team/security-tracker][master] dla: php-cas: add note

2022-11-07 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2e20a81f by Sylvain Beucler at 2022-11-07T16:40:33+01:00
dla: php-cas: add note

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -185,7 +185,9 @@ openexr
 --
 php-cas
   NOTE: 20221105: Programming language: PHP.
-  NOTE: 20221105: The fix is not backwards compatible. Should be investigated 
further whether this issue should be solved or ignored..
+  NOTE: 20221105: The fix is not backwards compatible. Should be investigated 
further whether this issue should be solved or ignored.. (ola)
+  NOTE: 20221107: php-cas only has 2 reverse-deps in buster (fusiondirectory, 
ocsinventory-reports),
+  NOTE: 20221107: consider fixing all 3 packages; also check situation in ELTS 
for reference (Beuc/front-desk)
 --
 php-phpseclib (Sylvain Beucler)
   NOTE: 20220909: Programming language: PHP.
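Review bot: the 20221107 note lists the two reverse-deps but does not say why they matter for the DLA; tying it to the 20221105 note (the fix is not backwards compatible, so fusiondirectory and ocsinventory-reports may need adapting to the new behaviour in the same batch) makes the "consider fixing all 3 packages" suggestion self-explanatory to the contributor who claims the entry.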



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e20a81f67c69e774a9e85656db800ec9253ba5f



[Git][security-tracker-team/security-tracker][master] dla: add puppet-module-puppetlabs-mysql

2022-11-07 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bcd9cc23 by Sylvain Beucler at 2022-11-07T15:36:55+01:00
dla: add puppet-module-puppetlabs-mysql

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -207,6 +207,9 @@ protobuf
   NOTE: 20221031: Programming language: Several.
   NOTE: 20221031: Note the 'Note' that one of the CVEs affects the generated 
code and must therefore get special attention from the application developer 
using protobuf.
 --
+puppet-module-puppetlabs-mysql
+  NOTE: 20221107: Programming language: Puppet, Ruby.
+--
 python-django (Chris Lamb)
   NOTE: 20220911: Some issue was fixed in stretch so it should also be fixed 
for buster.
   NOTE: 20221018: There are 4 CVEs on the debian/buster branch that are 
seemingly unreleased: CVE-2020-24583, CVE-2020-24584, CVE-2021-3281 and 
CVE-2021-23336. (lamby)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bcd9cc2328299bb80ad7b4bd73789c442ead177d



[Git][security-tracker-team/security-tracker][master] dla: add libde265

2022-11-07 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1cabfaa4 by Sylvain Beucler at 2022-11-07T13:46:01+01:00
dla: add libde265

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -127,6 +127,11 @@ libcommons-jxpath-java
   NOTE: 20221027: Programming language: Java.
   NOTE: 20221027: Maintainer notes: Wait for the outcome of upstream 
discussion. See CVE-2022-41852 for pull requests.
 --
+libde265
+  NOTE: 20221107: Programming language: C++.
+  NOTE: 20221107: Most vulnerabilities unfixed upstream, but a handful are 
fixed, and v1.0.9 (2022-10) is a security release (Beuc/front-desk)
+  NOTE: 20221107: No prior DSA/DLA/ELA afaics (Beuc/front-desk)
+--
 libjettison-java
   NOTE: 20221030: Programming language: Java.
 --
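Review bot: the libde265 notes say "Most vulnerabilities unfixed upstream, but a handful are fixed, and v1.0.9 (2022-10) is a security release" without saying which CVEs fall in which group, so the next contributor will have to redo that split. Listing the CVE ids fixed by v1.0.9 in the NOTE (and marking the rest as unfixed in data/CVE/list) would turn the entry from an observation into an actionable one.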



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1cabfaa4f1a4f366d7e102be8e15b5829db403d7



Pre-creating Git repos in salsa.d.o/lts-team/packages/ - or not?

2022-11-07 Thread Sylvain Beucler

Hi,

I see that a few repositories in salsa.d.o/lts-team/packages/ were 
created for packages that haven't been claimed yet.

https://salsa.debian.org/lts-team/packages?sort=created_desc

(I'm not sure who or what did it exactly; there's activity from 
"Bot-LTS-package", which may be the 'package-operations' script, then 
manual activity from Anton.)


That means the repo was created and imported before there was a chance 
to discuss with the package maintainers whether they want to host the 
(E)LTS branch there or at another location (such as their own salsa repo).


I think this adds confusion. When I check the "VCS" field in 
dla-needed.txt, I assume this is the preferred repository for 
development, following an explicit decision from a previous contributor 
who worked on the package - not the result of semi-automation.

Thoughts?

Cheers!
Sylvain



[Git][security-tracker-team/security-tracker][master] 2 commits: dla: claim phpseclib/php-phpseclib

2022-11-04 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
159ff561 by Sylvain Beucler at 2022-11-04T17:28:34+01:00
dla: claim phpseclib/php-phpseclib

- - - - -
02cd83d1 by Sylvain Beucler at 2022-11-04T17:28:36+01:00
CVE-2021-30130/phpseclib,php-phpseclib: attempt to clarify

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -113150,16 +113150,16 @@ CVE-2021-30131
RESERVED
 CVE-2021-30130 (phpseclib before 2.0.31 and 3.x before 3.0.7 mishandles RSA 
PKCS#1 v1. ...)
- phpseclib 1.0.19-3
-   [stretch] - phpseclib  (Only affects 3.x branch)
- php-phpseclib 2.0.30-2
-   [stretch] - php-phpseclib  (Only affects 3.x branch)
- php-phpseclib3 3.0.7-1
NOTE: 
https://github.com/phpseclib/phpseclib/pull/1635#issuecomment-826994890
NOTE: Introduced by: 
https://github.com/phpseclib/phpseclib/commit/cc32cd2e95b18a0c0118bbf1928327675c9e64a9
 (v3.0 / RSA::SIGNATURE_RELAXED_PKCS1)
-   NOTE: According to upstream, 1.x and 2.x are not vulnerable, the fix on 
these branches only backports more exhaustive PKCS#1 v1.5 support (functional 
change)
-   NOTE: According to upstream, 1.x and 2.x have the problem described as 
"incompatibility issue in phpseclib v1, v2, v3 (strict mode)'s RSA PKCS#1 v1.5
-   NOTE: signature verification suffering from rejecting valid signatures 
whose encoded message uses implicit hash algorithm's NULL parameter." but
-   NOTE: this is not considered as a security problem.
+   NOTE: Fixed by: 
https://github.com/phpseclib/phpseclib/commit/05550b9c490bf342bce66de75d127d2f75c48bdd
 (1.0.20, 2.0.31, 3.0.7)
+   NOTE: Fixed by: 
https://github.com/phpseclib/phpseclib/commit/42fc46e9a92c2ce5b10d2fbfb00b630417d6dfbe
 (3.0.7)
+   NOTE: According to upstream in #1635, "v2.0 does not have a 
vulnerability" (only non-security bugs).
+   NOTE: However, a lot of identical fixes were applied to all 1.x/2.x/3.x 
branches upstream.
+   NOTE: They were also backported in bullseye/testing in 1.x/2.x (claimed 
as a CVE-2021-30130 fix).
+   NOTE: Given the broad scope of this CVE description, let's assume that 
those fixes are needed in 1.x/2.x.
 CVE-2021-30129 (A vulnerability in sshd-core of Apache Mina SSHD allows an 
attacker to ...)
NOT-FOR-US: Apache Mina SSHD
 CVE-2021-30128 (Apache OFBiz has unsafe deserialization prior to 17.12.07 
version ...)


=
data/dla-needed.txt
=
@@ -172,7 +172,7 @@ openexr
   NOTE: 20220904: Programming language: C++.
   NOTE: 20220904: Should be synced with Stretch. (apo)
 --
-php-phpseclib
+php-phpseclib (Sylvain Beucler)
   NOTE: 20220909: Programming language: PHP.
   NOTE: 20220909: Note the discussion whether 2.0 is in fact affected by the 
CVE or not. It looks like it is affected by a small part of it that is best to 
fix..
 --
@@ -180,7 +180,7 @@ php7.3
   NOTE: 20221031: Programming language: C.
   NOTE: 20221031: CVE-2022-37454 is what is of most concern.
 --
-phpseclib
+phpseclib (Sylvain Beucler)
   NOTE: 20220909: Programming language: PHP.
   NOTE: 20220909: Note the discussion whether 2.0 is in fact affected by the 
CVE or not. It looks like it is affected by a small part of it that is best to 
fix..
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/52f7600f1f4db8114a8d5f39f11244df1423...02cd83d1d917dc5964440185226aa11e40058546



[SECURITY] [DLA 3178-1] ffmpeg security update

2022-11-04 Thread Sylvain Beucler

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3178-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Sylvain Beucler
November 04, 2022                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: ffmpeg
Version: 7:4.1.10-0+deb10u1

Several vulnerabilities have been discovered in the FFmpeg multimedia
framework, which could result in denial of service or potentially the
execution of arbitrary code if malformed files/streams are processed.

For Debian 10 buster, this problem has been fixed in version
7:4.1.10-0+deb10u1.

We recommend that you upgrade your ffmpeg packages.

For the detailed security status of ffmpeg please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ffmpeg

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3178-1 for ffmpeg

2022-11-04 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
14f929ca by Sylvain Beucler at 2022-11-04T15:04:32+01:00
Reserve DLA-3178-1 for ffmpeg

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,5 @@
+[04 Nov 2022] DLA-3178-1 ffmpeg - security update
+   [buster] - ffmpeg 7:4.1.10-0+deb10u1
 [04 Nov 2022] DLA-3177-1 python-django - security update
{CVE-2021-45115 CVE-2021-45116 CVE-2022-28346}
[buster] - python-django 1:1.11.29-1+deb10u3
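Review bot: the new DLA-3178-1 entry in data/DLA/list has no `{CVE-...}` line, while the DLA-3177-1 entry right below it lists its CVEs; without that line the tracker cannot mark the fixed issues as resolved in buster 7:4.1.10-0+deb10u1, and the advisory text itself ("Several vulnerabilities") does not enumerate them either. The CVE ids covered by the 4.1.10 update should be added as the usual `{CVE-... CVE-...}` line under the entry.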


=
data/dla-needed.txt
=
@@ -47,9 +47,6 @@ exiv2 (Dominik George)
   NOTE: 20220819: Programming language: C++.
   NOTE: 20220819: 
https://github.com/Exiv2/exiv2/commit/109d5df7abd329f141b500c92a00178d35a6bef3#diff-bd28aafd4c87975a3a236af74c2200db447587fa0bb4f43ba9beb98738c77b2aL292
 does not directly apply, but a very quick glance suggests the earlier code may 
be equally vulnerable. (Chris Lamb)
 --
-ffmpeg (Sylvain Beucler)
-  NOTE: Should be updated to 4.1.10
---
 firmware-nonfree
   NOTE: 20220906: Consider to check the severity of the issues again and judge 
whether a correction is worth it.
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/14f929ca57708a679eaf87f8ee0c5c3de388c263



[Git][security-tracker-team/security-tracker][master] CVE-2022-2879,CVE-2022-2880,CVE-2022-41715/golang-1.11: buster postponed

2022-11-04 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
461da654 by Sylvain Beucler at 2022-11-04T09:23:32+01:00
CVE-2022-2879,CVE-2022-2880,CVE-2022-41715/golang-1.11: buster postponed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -10414,6 +10414,7 @@ CVE-2022-41715 (Programs which compile regular 
expressions from untrusted source
- golang-1.17 
- golang-1.15 
- golang-1.11 
+   [buster] - golang-1.11  (Limited support, follow bullseye 
DSAs/point-releases)
NOTE: https://go.dev/issue/55949
NOTE: 
https://github.com/golang/go/commit/645abfe529dc325e16daa17210640c2907d1c17a 
(go1.19.2)
NOTE: 
https://github.com/golang/go/commit/e9017c2416ad0ef642f5e0c2eab2dbf3cba4d997 
(go1.18.7)
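Review bot: in the added `[buster] - golang-1.11` line the status keyword that belongs between the package name and the parenthesised reason is not present as rendered here; the commit title says buster is postponed, so the line is expected to read `[buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)`. The tracker syntax needs either a fixed version or a `<keyword>` in that position, so please confirm the keyword is in the committed file. The identical lines added in the CVE-2022-2880 and CVE-2022-2879 hunks below need the same check.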
@@ -18950,6 +18951,7 @@ CVE-2022-2880 (Requests forwarded by ReverseProxy 
include the raw query paramete
- golang-1.17 
- golang-1.15 
- golang-1.11 
+   [buster] - golang-1.11  (Limited support, follow bullseye 
DSAs/point-releases)
NOTE: https://go.dev/issue/54663
NOTE: 
https://github.com/golang/go/commit/f6d844510d5f1e3b3098eba255d9b633d45eac3b 
(go1.19.2)
NOTE: 
https://github.com/golang/go/commit/9d2c73a9fd69e45876509bb3bdb2af99bf77da1e 
(go1.18.7)
@@ -18959,6 +18961,7 @@ CVE-2022-2879 (Reader.Read does not set a limit on the 
maximum size of file head
- golang-1.17 
- golang-1.15 
- golang-1.11 
+   [buster] - golang-1.11  (Limited support, follow bullseye 
DSAs/point-releases)
NOTE: https://go.dev/issue/54853
NOTE: 
https://github.com/golang/go/commit/4fa773cdefd20be093c84f731be7d4febf5536fa 
(go1.19.2)
NOTE: 
https://github.com/golang/go/commit/0a723816cd205576945fa57fbdde7e6532d59d08 
(go1.18.7)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/461da654173bba221c0b58cf8a0c56f6d168fbd0

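The data/CVE/list hunks in these notifications are edited by hand, and a reviewer keeps asking the same two questions: does every package line carry either a fixed version or a `<keyword>`, and what does a suite inherit when it has no `[suite]` line of its own. As an added example, not code from the security-tracker repository, here is a small parser for that entry syntax that answers both on a constructed fragment. The entries and versions in `SAMPLE` are made up to mirror the hunks on this page (the real file indents with tabs), and `BAD` reproduces the shape of the golang lines as they are rendered above, with the keyword missing.

```python
"""Parser for the Debian security tracker's data/CVE/list entry syntax.
Added example, not code from the security-tracker repository."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Header: "CVE-YYYY-NNNN (description)" or "CVE-YYYY-NNNN [unofficial text]";
# every continuation line is indented and belongs to the last header seen.
HEADER_RE = re.compile(r"^(?P<cve>CVE-\d{4}-\d{4,})(?:\s+(?:\((?P<desc>.*)\)|\[(?P<tmp>.*)\]))?\s*$")
# "[suite] - package <keyword> (reason)" or "- package fixed-version (bug #N)".
STATUS_RE = re.compile(r"^(?:\[(?P<suite>[a-z-]+)\]\s+)?-\s+(?P<pkg>\S+)"
                       r"(?:\s+(?:<(?P<kw>[a-z-]+)>|(?P<ver>[^\s(<]\S*)))?"
                       r"(?:\s+\((?P<reason>.*)\))?\s*$")


@dataclass
class Status:
    package: str
    suite: Optional[str]      # None: the unstable line
    version: Optional[str]    # fixed version, or None when a <keyword> is used
    keyword: Optional[str]    # unfixed, not-affected, no-dsa, postponed, ignored, ...
    reason: Optional[str]


@dataclass
class Entry:
    cve: str
    description: Optional[str] = None
    advisories: list = field(default_factory=list)   # the {DSA-... DLA-...} line
    statuses: list = field(default_factory=list)
    notes: list = field(default_factory=list)        # NOTE/TODO/RESERVED/NOT-FOR-US


def parse_cve_list(text: str) -> dict:
    entries, cur = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            m = HEADER_RE.match(raw)
            if not m:
                raise ValueError(f"bad CVE header: {raw!r}")
            cur = entries[m["cve"]] = Entry(m["cve"], m["desc"] or m["tmp"])
            continue
        if cur is None:
            raise ValueError(f"continuation line before any header: {raw!r}")
        line = raw.strip()
        if line.startswith("{") and line.endswith("}"):
            cur.advisories += line[1:-1].split()
        elif line.startswith(("NOTE:", "TODO:", "NOT-FOR-US:")) or line in ("RESERVED", "REJECTED"):
            cur.notes.append(line)
        else:
            m = STATUS_RE.match(line)
            if not m or (m["kw"] is None and m["ver"] is None):
                # e.g. "[buster] - pkg (reason)" with the <keyword> dropped
                raise ValueError(f"{cur.cve}: package line needs a version or <keyword>: {line!r}")
            cur.statuses.append(Status(m["pkg"], m["suite"], m["ver"], m["kw"], m["reason"]))
    return entries


def lint(text: str) -> Optional[str]:
    """First syntax problem in a CVE/list fragment, or None when it parses."""
    try:
        parse_cve_list(text)
    except ValueError as exc:
        return str(exc)
    return None


def status_in(entry: Entry, package: str, suite: str) -> Optional[str]:
    """An explicit [suite] line wins.  Without one the unstable line applies and the
    real tracker then compares the suite's package version with the fixed version;
    this example only reports that inherited state."""
    for s in entry.statuses:
        if s.package == package and s.suite == suite:
            return s.keyword or f"fixed {s.version}"
    for s in entry.statuses:
        if s.package == package and s.suite is None:
            return s.keyword or f"inherits fixed {s.version}"
    return None


# Constructed fragment in the tracker's syntax (versions are made up).
SAMPLE = """\
CVE-2022-41715 (Programs which compile regular expressions from untrusted sources ...)
    - golang-1.19 1.19.2-1
    - golang-1.11 <unfixed>
    [buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)
    NOTE: https://go.dev/issue/55949
CVE-2021-41229 (BlueZ is a Bluetooth protocol stack for Linux. In affected versions ...)
    {DLA-2827-1}
    - bluez 5.62-2 (bug #1000262)
    [bullseye] - bluez <no-dsa> (Minor issue)
CVE-2022-3168
    RESERVED
    [experimental] - android-platform-tools 33.0.3-1~exp1
    - android-platform-tools <unfixed>
    TODO: check
"""
# The golang lines as rendered in the notification: the <keyword> is missing.
BAD = ("CVE-2022-2879 (Reader.Read does not set a limit ...)\n"
       "    [buster] - golang-1.11 (Limited support, follow bullseye DSAs/point-releases)\n")

if __name__ == "__main__":
    entries = parse_cve_list(SAMPLE)
    for pkg, suite in (("golang-1.11", "buster"), ("golang-1.11", "bullseye"), ("golang-1.19", "buster")):
        print(pkg, suite, status_in(entries["CVE-2022-41715"], pkg, suite))
    print(lint(BAD))
```

`lint(BAD)` reports the line that lacks a version or keyword, which is the one thing a reviewer cannot see from the rendered hunk; the parser rejects it rather than guessing a status, since guessing is exactly what the tracker must not do.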


[Git][security-tracker-team/security-tracker][master] 2 commits: DLA-3010-1/ffmpeg: reference 3 CVEs

2022-11-03 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
256dda50 by Sylvain Beucler at 2022-11-03T17:50:51+01:00
DLA-3010-1/ffmpeg: reference 3 CVEs

- - - - -
fd3d2462 by Sylvain Beucler at 2022-11-03T17:55:14+01:00
CVE-2020-20896/ffmpeg: fix stretch triage

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=
data/CVE/list
=
@@ -163887,10 +163887,10 @@ CVE-2020-21689
 CVE-2020-21688 (A heap-use-after-free in the av_freep function in 
libavutil/mem.c of F ...)
{DSA-5126-1 DSA-4998-1}
- ffmpeg 7:4.4-5
-   [stretch] - ffmpeg  (Minor issue; can be fixed in next 
update)
NOTE: https://trac.ffmpeg.org/ticket/8186
NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=22c3cd176079dd104ec7610ead697235b04396f1
 (4.4)
NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f7c9b1ed56b98eede5756d6865a10305982b4570
 (4.1.9)
+   NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f1a77222da98dbe4b8eeda54d68deefe6adcd299
 (3.2.17)
 CVE-2020-21687
RESERVED
 CVE-2020-21686
@@ -165655,10 +165655,11 @@ CVE-2020-20897
 CVE-2020-20896 (An issue was discovered in function latm_write_packet in 
libavformat/l ...)
{DSA-5126-1}
- ffmpeg 7:4.3-2
-   [stretch] - ffmpeg  (Minor issue; can be fixed in next 
update)
+   [stretch] - ffmpeg  (Vulnerable code introduced later)
NOTE: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/dd01947397b98e94c3f2a79d5820aaf4594f4d3b
 (4.3)
NOTE: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/6fe33489be72eee8010c28165f4b12870df4c600
 (4.1.9)
NOTE: https://trac.ffmpeg.org/ticket/8273
+   NOTE: Introduced in: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/8b3ec51de8a04f4442297f2f835e925cab7b0597
 (3.4)
 CVE-2020-20895
REJECTED
 CVE-2020-20894
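Review bot: keep CVE-2020-20896 out of the DLA-3010-1 CVE list that the DLA/list hunk below extends: this hunk changes its stretch status from `Minor issue; can be fixed in next update` to `Vulnerable code introduced later`, backed by the added `Introduced in:` commit tagged 3.4, and DLA-3010-1 covers stretch's 7:3.2.18-0+deb9u1, which cannot have fixed code it never contained. The `{DSA-5126-1}` reference above it is unaffected since that DSA was for a later ffmpeg.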
@@ -165668,16 +165669,16 @@ CVE-2020-20893
 CVE-2020-20892 (An issue was discovered in function filter_frame in 
libavfilter/vf_len ...)
{DSA-5126-1}
- ffmpeg 7:4.3-2
-   [stretch] - ffmpeg  (Minor issue; can be fixed in next 
update)
NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=19587c9332f5be4f6bc6d7b2b8ef3fd21dfeaa01
 (4.3)
NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=439645004bb672a29145621549cb87acdb2f84db
 (4.1.9)
+   NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=94e502e96b0870177e0af4c1e8718ac71475e374
 (3.2.17)
NOTE: https://trac.ffmpeg.org/ticket/8265
 CVE-2020-20891 (Buffer Overflow vulnerability in function config_input in 
libavfilter/ ...)
{DSA-5126-1}
- ffmpeg 7:4.3-2
-   [stretch] - ffmpeg  (Minor issue; can be fixed in next 
update)
NOTE: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/64a805883d7223c868a683f0030837d859edd2ab
 (4.3)
NOTE: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/d5cb859665d62658d7859f345650fcb38528c4ab
 (4.1.9)
+   NOTE: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/f8b4426c10aa65f4c04847a50ebfdcb8782a49b7
 (3.2.17)
NOTE: https://trac.ffmpeg.org/ticket/8282
 CVE-2020-20890
RESERVED


=
data/DLA/list
=
@@ -487,7 +487,7 @@
{CVE-2022-0261 CVE-2022-0351 CVE-2022-0413 CVE-2022-0443 CVE-2022-0572 
CVE-2022-1154 CVE-2022-1616 CVE-2022-1619 CVE-2022-1621}
[stretch] - vim 2:8.0.0197-4+deb9u6
 [16 May 2022] DLA-3010-1 ffmpeg - security update
-   {CVE-2020-20902}
+   {CVE-2020-20902 CVE-2020-20891 CVE-2020-20892 CVE-2020-21688}
[stretch] - ffmpeg 7:3.2.18-0+deb9u1
 [16 May 2022] DLA-3009-1 cifs-utils - security update
{CVE-2022-27239 CVE-2022-29869}



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e85e9a9ea2d58ddf06bf31ef6ee6c15ed2a2bb91...fd3d2462654538a6b13a9536fb2e63aab7aa2c57



[Git][security-tracker-team/security-tracker][master] dla: claim ffmpeg

2022-11-03 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
38dbe76e by Sylvain Beucler at 2022-11-03T16:54:05+01:00
dla: claim ffmpeg

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -52,7 +52,7 @@ exiv2 (Dominik George)
   NOTE: 20220819: Programming language: C++.
   NOTE: 20220819: 
https://github.com/Exiv2/exiv2/commit/109d5df7abd329f141b500c92a00178d35a6bef3#diff-bd28aafd4c87975a3a236af74c2200db447587fa0bb4f43ba9beb98738c77b2aL292
 does not directly apply, but a very quick glance suggests the earlier code may 
be equally vulnerable. (Chris Lamb)
 --
-ffmpeg
+ffmpeg (Sylvain Beucler)
   NOTE: Should be updated to 4.1.10
 --
 firmware-nonfree
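Review bot: the `NOTE: Should be updated to 4.1.10` line under ffmpeg has no `YYYYMMDD:` date prefix and no author tag, unlike the exiv2 notes in the same hunk (`NOTE: 20220819: ... (Chris Lamb)`); adding both while claiming the package makes it possible to tell later how stale the note is and who to ask about it.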



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38dbe76e425051db15c9fe9c7736a6218a5acb32



[Git][security-tracker-team/security-tracker][master] dla: attribute kopanocore status

2022-11-03 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3ec53c92 by Sylvain Beucler at 2022-11-03T16:28:48+01:00
dla: attribute kopanocore status

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -122,7 +122,7 @@ jupyter-core
 --
 kopanocore
   NOTE: 20220801: Programming language: C++.
-  NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973)
+  NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973) 
(gusnan/retired)
 --
 lava
   NOTE: 20221031: Programming language: Python.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3ec53c92b646f054867eaa10a4bd5c805a0afb5c



[Git][security-tracker-team/security-tracker][master] CVE-2022-42919/python*: clarify notes

2022-11-03 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
462d2059 by Sylvain Beucler at 2022-11-03T12:48:05+01:00
CVE-2022-42919/python*: clarify notes

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6310,15 +6310,15 @@ CVE-2022-42919 [Linux specific local privilege 
escalation via the multiprocessin
- python3.10 
- python3.9 
- python3.7 
-   [buster] - python3.7  (Vulnerable functionality 
introduced later)
+   [buster] - python3.7  (Vulnerable functionality 
backported later in 3.7.8)
NOTE: https://github.com/python/cpython/issues/97514
NOTE: 
https://github.com/python/cpython/commit/4686d77a04570a663164c03193d9def23c89b122
 (3.11-branch)
NOTE: 
https://github.com/python/cpython/commit/eae692eed18892309bcc25a2c0f8980038305ea2
 (3.10-branch)
NOTE: 
https://github.com/python/cpython/commit/b43496c01a554cf41ae654a0379efae18609ad39
 (3.9-branch)
NOTE: The patch for 3.9 and later only removes the default preference 
for abstract sockets which
NOTE: prevents CVE-2022-42919. Versions 3.8.4 and 3.7.8 are not 
vulnerable by default (but issue present)
-   NOTE: though users need to manually users would need to make specific 
uncommon multiprocessing API calls
-   NOTE: specifying their own forkserver control socket path.
+   NOTE: though users would need to make specific uncommon multiprocessing 
API calls specifying their own
+   NOTE: forkserver control socket path. Earlier 3.x versions are not 
vulnerable.
 CVE-2022-3503 (A vulnerability was found in SourceCodester Purchase Order 
Management  ...)
NOT-FOR-US: SourceCodester
 CVE-2022-3502 (A vulnerability was found in Human Resource Management System 
1.0. It  ...)
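Review bot: the new buster reason `Vulnerable functionality backported later in 3.7.8` does not state which python3.7 version buster ships, so a reader cannot verify the not-affected claim from the entry alone; naming the buster version in the reason or in a NOTE would make it self-contained, the way the `Versions 3.8.4 and 3.7.8 are not vulnerable by default` note already does for upstream.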



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/462d20593fda70e3cb63031de0edbd3acd697115



[Git][security-tracker-team/security-tracker][master] dla: android-platform-system-core: contribute additional note

2022-11-03 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6feed6fc by Sylvain Beucler at 2022-11-03T10:20:17+01:00
dla: android-platform-system-core: contribute additional note
(I registered the CVEs in the tracker this week)

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -16,7 +16,8 @@ rather than remove/replace existing ones.
 android-platform-system-core
   NOTE: 20221102: Programming language: C++.
   NOTE: 20221102: The package in buster is likely affected but since no known 
fix is available it is hard to tell without running the proof of concept code.
-  NOTE: 20221102: Consider ignoring this if Debian Security team see the CVEs 
as minor.
+  NOTE: 20221102: Consider ignoring this if Debian Security team see the CVEs 
as minor. (ola)
+  NOTE: 20221103: Both PoCs (CVE-2022-20128 & CVE-2022-3168) work for me in 
buster (Beuc)
 --
 asterisk (Markus Koschany)
   NOTE: 20220810: Programming language: C.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6feed6fcfebe6c4e2438f54b97b74984f2ee98ce



Debian LTS and ELTS - October 2022

2022-11-02 Thread Sylvain Beucler
Here is my public monthly report.

Thanks to our sponsors for making this possible, and to Freexian for
handling the offering.
https://www.freexian.com/services/debian-lts.html#sponsors


LTS

- nodejs
  - Finish work started in September (cf. previous report)
  - DLA-3137-1
https://lists.debian.org/debian-lts-announce/2022/10/msg6.html

- ruby-nokogiri & rexical (1 common CVE)
  - DLA 3149-1
https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html
  - DLA 3150-1
https://lists.debian.org/debian-lts-announce/2022/10/msg00019.html

- bluez
  - Clarify/refine CVE triage
  - Sync past fixes from stretch DLAs to buster, fix new issues
  - Testing on physical Bluetooth chip
  - DLA-3157-1
https://lists.debian.org/debian-lts-announce/2022/10/msg00026.html


ELTS

- Front Desk (October/November week 1/2)
  - Mark 6 supported packages for update
  - Associate CVEs from newer, branched 'python3.*' and 'php*' Debian
packages to older ELTS packages
  - Contribute to main Debian security-tracker triage for several CVEs


Documentation and tooling

- LTS Documentation
  - Enable e-mail notifications for lts-team.pages.debian.net changes
  - Development procedures: update stretch->buster
https://lts-team.pages.debian.net/wiki/LTS-Development.html
(now https://lts-team.pages.debian.net/wiki/Development.html)
  - Test suite: minor fixes
https://lts-team.pages.debian.net/wiki/TestSuites/autopkgtest.html
https://lts-team.pages.debian.net/wiki/TestSuites/ffmpeg.html
https://lts-team.pages.debian.net/wiki/TestSuites/nodejs.html

- LTS/ELTS git repositories list (internal/private)
  - Fix a few locations (mariadb) and branch name (exim4)

- Answer call for review/testing about glibc
  https://lists.debian.org/debian-lts/2022/10/msg00022.html
  https://lists.debian.org/debian-lts/2022/10/msg00031.html

- Answer LTS Thunderbird user question
  https://lists.debian.org/debian-lts/2022/10/msg00021.html

- Monthly meeting (video/Jitsi)


-- 
Sylvain Beucler
Debian LTS Team



[Git][security-tracker-team/security-tracker][master] CVE-2022-20128,CVE-2022-3168 (adb): also register with...

2022-11-02 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d51ffb08 by Sylvain Beucler at 2022-11-02T09:45:02+01:00
CVE-2022-20128,CVE-2022-3168 (adb): also register with 
android-platform-system-core package (= bullseye)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -12698,6 +12698,7 @@ CVE-2022-3168
RESERVED
[experimental] - android-platform-tools 33.0.3-1~exp1
- android-platform-tools 
+   - android-platform-system-core 
NOTE: https://www.openwall.com/lists/oss-security/2022/10/25/5
 CVE-2019-25076 (The TSS (Tuple Space Search) algorithm in Open vSwitch 2.x 
through 2.1 ...)
- openvswitch  (bug #1021740)
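Review bot: the added `- android-platform-system-core` line has no fixed version and no `[bullseye]`/`[buster]` status, so every suite that ships that source now shows as affected by CVE-2022-3168 with no triage reason; that is the same state as the android-platform-tools lines next to it, but since the package is being registered here for carrying the same adb code, a per-suite line with a status and reason should follow once the PoC has been tried against those versions. The CVE-2022-20128 hunk below is identical and needs the same follow-up.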
@@ -79819,6 +79820,7 @@ CVE-2022-20128
RESERVED
[experimental] - android-platform-tools 33.0.3-1~exp1
- android-platform-tools 
+   - android-platform-system-core 
NOTE: https://www.openwall.com/lists/oss-security/2022/10/25/5
 CVE-2022-20127 (In ce_t4t_data_cback of ce_t4t.cc, there is a possible out of 
bounds w ...)
NOT-FOR-US: Android



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d51ffb082202fac7869c867d6d0c1bf6e56c5f8d



[Git][security-tracker-team/security-tracker][master] CVE-2022-31008/rabbitmq-server: references patches reducing the affected versions range

2022-10-31 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0076ed8e by Sylvain Beucler at 2022-10-31T22:23:20+01:00
CVE-2022-31008/rabbitmq-server: references patches reducing the affected 
versions range
not triaging, letting LTS front-desk and/or security-team confirm that 
buster/bullseye shouldn't be affected

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -37187,6 +37187,9 @@ CVE-2022-31008 (RabbitMQ is a multi-protocol messaging 
and streaming broker. In
- rabbitmq-server 3.10.8-1
NOTE: 
https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-v9gv-xp36-jgj8
NOTE: https://github.com/rabbitmq/rabbitmq-server/pull/4841
+   NOTE: obfuscation introduced in (built-in) Shovel plugin in: 
https://github.com/rabbitmq/rabbitmq-server/commit/6dbdc991c3111aa4ffa12a150b1402cf5c5e798e
 (v3.10.0-beta.2)
+   NOTE: obfuscation introduced in (built-in) Federation plugin in: 
https://github.com/rabbitmq/rabbitmq-server/commit/c1b5812cee6ac038737d62ca0b32cfd2db537653
 (v3.8.10-rc.1)
+   NOTE: set_credentials_obfuscation_secret introduced in: 
https://github.com/rabbitmq/rabbitmq-server/commit/5ea51050452ea45874e89166090cb825c1277656
 (v3.8.10)
 CVE-2022-31007 (eLabFTW is an electronic lab notebook manager for research 
teams. Prio ...)
NOT-FOR-US: eLabFTW
 CVE-2022-31006 (indy-node is the server portion of Hyperledger Indy, a 
distributed led ...)
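Review bot: the three added `NOTE:` lines pin down where the credential obfuscation entered each plugin (v3.8.10-rc.1 for Federation, v3.10.0-beta.2 for Shovel, `set_credentials_obfuscation_secret` in v3.8.10), but no `[buster]`/`[bullseye]` status is set, so the tracker keeps listing both suites as vulnerable; whoever triages next should compare each suite's rabbitmq-server version against those tags and add `<not-affected>` lines with a reason where the suite version predates the introducing commit.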



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0076ed8e08340af238232179fa66f74f779dfb40



[Git][security-tracker-team/security-tracker][master] CVE-2022-3276/puppet-module-puppetlabs-mysql: reference commits following upstream confirmation

2022-10-31 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9fd20b1f by Sylvain Beucler at 2022-10-31T16:36:30+01:00
CVE-2022-3276/puppet-module-puppetlabs-mysql: reference commits following 
upstream confirmation

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -9547,8 +9547,10 @@ CVE-2020-36604 (hoek before 8.5.1 and 9.x before 9.0.3 
allows prototype poisonin
 CVE-2022-3276 (Command injection is possible in the puppetlabs-mysql module 
prior to  ...)
- puppet-module-puppetlabs-mysql 
NOTE: https://puppet.com/security/cve/CVE-2022-3276
-   NOTE: Possible fix 
https://github.com/puppetlabs/puppetlabs-mysql/pull/1484
-   NOTE: 
https://github.com/puppetlabs/puppetlabs-mysql/pull/1484#issuecomment-1296367876
+   NOTE: 
https://github.com/puppetlabs/puppetlabs-mysql/commit/f83792b256fa6acc1b1375b3bfed257629a5c02d
 (v13.0.0)
+   NOTE: 
https://github.com/puppetlabs/puppetlabs-mysql/commit/18813a151f150a374a52141db520ed2a8d38b071
 (v13.0.0)
+   NOTE: 
https://github.com/puppetlabs/puppetlabs-mysql/commit/6f531ad85c22ceeb5076347e6998e1d25b056dfd
 (v13.0.0)
+   NOTE: 
https://github.com/puppetlabs/puppetlabs-mysql/commit/e70e7fd130aaa2fe1cefe4ccb628b304ad3c180a
 (v13.0.0)
 CVE-2022-3275 (Command injection is possible in the puppetlabs-apt module 
prior to ve ...)
- puppet-module-puppetlabs-apt 
NOTE: https://puppet.com/security/cve/CVE-2022-3275
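Review bot: replacing the `Possible fix https://github.com/puppetlabs/puppetlabs-mysql/pull/1484` note and its `#issuecomment-1296367876` link with the four v13.0.0 commits drops the pointer to the upstream confirmation that the commit title refers to; keep the PR or comment URL as an additional NOTE so the reason these four commits were selected stays traceable for whoever backports them.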



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9fd20b1fe0491fdbff213dedcdd7858b25e3ebb7



[Git][security-tracker-team/security-tracker][master] CVE-2022-20128,CVE-2022-3168/android-platform-tools (adb): reference public disclosure

2022-10-31 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
35eb7223 by Sylvain Beucler at 2022-10-31T15:29:27+01:00
CVE-2022-20128,CVE-2022-3168/android-platform-tools (adb): reference public 
disclosure

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -12115,6 +12115,10 @@ CVE-2022-3169 (A flaw was found in the Linux kernel. A 
denial of service flaw ma
NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=214771
 CVE-2022-3168
RESERVED
+   [experimental] - android-platform-tools 33.0.3-1~exp1
+   - android-platform-tools 
+   NOTE: https://www.openwall.com/lists/oss-security/2022/10/25/5
+   TODO: check
 CVE-2019-25076 (The TSS (Tuple Space Search) algorithm in Open vSwitch 2.x 
through 2.1 ...)
- openvswitch  (bug #1021740)
[bullseye] - openvswitch  (Minor issue)
@@ -79228,6 +79232,10 @@ CVE-2022-20129 (In registerPhoneAccount of 
PhoneAccountRegistrar.java, there is
NOT-FOR-US: Android
 CVE-2022-20128
RESERVED
+   [experimental] - android-platform-tools 33.0.3-1~exp1
+   - android-platform-tools 
+   NOTE: https://www.openwall.com/lists/oss-security/2022/10/25/5
+   TODO: check
 CVE-2022-20127 (In ce_t4t_data_cback of ce_t4t.cc, there is a possible out of 
bounds w ...)
NOT-FOR-US: Android
 CVE-2022-20126 (In setScanMode of AdapterService.java, there is a possible way 
to enab ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/35eb72233021215178ec03cac7fb99f0eb345489



[Git][security-tracker-team/security-tracker][master] CVE-2022-37454/php*: introduced in 7.2

2022-10-31 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
38f016b3 by Sylvain Beucler at 2022-10-31T14:18:51+01:00
CVE-2022-37454/php*: introduced in 7.2

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -19402,6 +19402,7 @@ CVE-2022-37454 (The Keccak XKCP SHA-3 reference 
implementation before fdc6fef ha
NOTE: https://mouha.be/sha-3-buffer-overflow/
NOTE: PHP Bug: https://bugs.php.net/bug.php?id=81738
NOTE: PHP fixed in: 7.4.33, 8.0.25, 8.1.12
+   NOTE: For PHP, introduced in: 
https://github.com/php/php-src/commit/91663a92d1697fc30a7ba4687d73e0f63ec2baa1 
(php-7.2.0alpha1)
NOTE: Fixed by: 
https://github.com/php/php-src/commit/248f647724e385bfb8d83aa5b5a5ca3c4ee2c7fd 
(php-8.2.0RC5)
NOTE: https://github.com/python/cpython/issues/98517
NOTE: 
https://github.com/python/cpython/commit/0e4e058602d93b88256ff90bbef501ba20be9dd3
 (3.10-branch)
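Review bot: the entry now records both the introducing commit (php-7.2.0alpha1) and the fix commit (php-8.2.0RC5), but the `PHP fixed in: 7.4.33, 8.0.25, 8.1.12` note still has no commit references for those branches; adding the backport commits would give anyone preparing a 7.x or 8.0/8.1 update a patch to take instead of a release number to diff against.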



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38f016b32cb272c7d81309d8a49e449b05af4867



[Git][security-tracker-team/security-tracker][master] CVE-2022-37454/python3*: introduced in 3.6

2022-10-31 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
380c2080 by Sylvain Beucler at 2022-10-31T11:10:29+01:00
CVE-2022-37454/python3*: introduced in 3.6

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -19406,6 +19406,7 @@ CVE-2022-37454 (The Keccak XKCP SHA-3 reference 
implementation before fdc6fef ha
NOTE: 
https://github.com/python/cpython/commit/857efee6d2d43c5c12fc7e377ce437144c728ab8
 (3.9-branch)
NOTE: 
https://github.com/python/cpython/commit/948c6794711458fd148a3fa62296cadeeb2ed631
 (3.8-branch)
NOTE: 
https://github.com/python/cpython/commit/8088c90044ba04cd5624b278340ebf934dbee4a5
 (3.7-branch)
+   NOTE: For Python, introduced in: 
https://github.com/python/cpython/commit/6fe2a75b645044ca2b5dac03e8d850567b547a9a
 (3.6)
NOTE: Versions which have the OpenSSL sha3 delegation are not affected 
by the issue and only ship
NOTE: source-wise the bundled _sha3 XKCP module code.
NOTE: OpenSSL sha3 delegation added in 
https://github.com/python/cpython/commit/d5b3f6b7f9fc74438009af63f1de01bd77be9385
 (v3.9.0b1)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/380c2080a59b272d609f0ff196435416de201713



[SECURITY] [DLA 3157-1] bluez security update

2022-10-24 Thread Sylvain Beucler

Debian LTS Advisory DLA-3157-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
October 24, 2022                              https://wiki.debian.org/LTS

Package: bluez
Version: 5.50-1.2~deb10u3
CVE ID : CVE-2019-8921 CVE-2019-8922 CVE-2021-41229 CVE-2021-43400 
 CVE-2022-0204 CVE-2022-39176 CVE-2022-39177
Debian Bug : 998626 1000262 1003712

Several vulnerabilities were discovered in BlueZ, the Linux Bluetooth
protocol stack. An attacker could cause a denial-of-service (DoS) or
leak information.

CVE-2019-8921

SDP infoleak, the vulnerability lies in the handling of a
SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a
malicious CSTATE, it is possible to trick the server into
returning more bytes than the buffer actually holds, resulting in
leaking arbitrary heap data.

CVE-2019-8922

SDP Heap Overflow; this vulnerability lies in the SDP protocol
handling of attribute requests as well. By requesting a huge
number of attributes at the same time, an attacker can overflow
the static buffer provided to hold the response.

CVE-2021-41229

sdp_cstate_alloc_buf allocates memory which will always be hung in
the singly linked list of cstates and will not be freed. This will
cause a memory leak over time. The data can be a very large
object, which can be caused by an attacker continuously sending
sdp packets and this may cause the service of the target device to
crash.

CVE-2021-43400

A use-after-free in gatt-database.c can occur when a client
disconnects during D-Bus processing of a WriteValue call.

CVE-2022-0204

A heap overflow vulnerability was found in bluez. An attacker with
local network access could pass specially crafted files causing an
application to halt or crash, leading to a denial of service.

CVE-2022-39176

BlueZ allows physically proximate attackers to obtain sensitive
information because profiles/audio/avrcp.c does not validate
params_len.

CVE-2022-39177

BlueZ allows physically proximate attackers to cause a denial of
service because malformed and invalid capabilities can be
processed in profiles/audio/avdtp.c.

For Debian 10 buster, these problems have been fixed in version
5.50-1.2~deb10u3.

We recommend that you upgrade your bluez packages.

For the detailed security status of bluez please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/bluez

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[Git][security-tracker-team/security-tracker][master] CVE-2022-3637/bluez: buster not-affected

2022-10-24 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
68ac7208 by Sylvain Beucler at 2022-10-24T12:24:29+02:00
CVE-2022-3637/bluez: buster not-affected

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -501,7 +501,9 @@ CVE-2022-3638 (A vulnerability was found in Nginx and 
classified as problematic.
NOTE: Fixed by: 
https://github.com/nginx/nginx/commit/14341ce2377d38a268261e0fec65b6915ae6e95e 
(release-1.23.1)
 CVE-2022-3637 (A vulnerability has been found in Linux Kernel and classified 
as probl ...)
- bluez 5.65-1
-   NOTE: 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=1d6cfb8e625a944010956714c1802bc1e1fc6c4f
 (5.65)
+   [buster] - bluez  (Vulnerable code introduced later)
+   NOTE: Fixed by: 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=1d6cfb8e625a944010956714c1802bc1e1fc6c4f
 (5.65)
+   NOTE: Introduced by: 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=7ce36e236c1bdb1941242b00e1d5c7812749a2de
 (5.65)
 CVE-2022-3636 (A vulnerability, which was classified as critical, was found in 
Linux  ...)
- linux  (No vulnerable code in any upstream or Debian 
released version)
NOTE: 
https://git.kernel.org/linus/17a5f6a78dc7b8db385de346092d7d9f9dc24df6
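Review bot: the `Introduced by:` and `Fixed by:` commits are both tagged 5.65, so no bluez release before 5.65-1 ever carried the vulnerable code and bullseye is not affected either, yet only a `[buster]` line is added; add a matching `[bullseye] - bluez` line with the same reason, or mark the whole entry the way the CVE-2022-3636 entry just below does (`No vulnerable code in any upstream or Debian released version`), so bullseye does not keep showing as vulnerable.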



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/68ac720860d32a21910da1e9ad55bdf428d5896d



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3157-1 for bluez

2022-10-24 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
58c0d545 by Sylvain Beucler at 2022-10-24T11:39:55+02:00
Reserve DLA-3157-1 for bluez

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -57646,7 +57646,6 @@ CVE-2022-0205 (The YOP Poll WordPress plugin before 
6.3.5 does not sanitise and
 CVE-2022-0204 (A heap overflow vulnerability was found in bluez in versions 
prior to  ...)
- bluez 5.64-1 (bug #1003712)
[bullseye] - bluez  (Minor issue)
-   [buster] - bluez  (Minor issue)
[stretch] - bluez  (Minor issue)
NOTE: 
https://github.com/bluez/bluez/security/advisories/GHSA-479m-xcq5-9g2q
NOTE: Fixed by: 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=591c546c536b42bef696d027f64aa22434f8c3f0
 (5.63)
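Review bot: the CVE-2022-0204 entry loses its `[buster] - bluez (Minor issue)` line but gains no `{DLA-3157-1}` reference, whereas the CVE-2021-41229 and CVE-2019-8922 entries further down already carry `{DLA-2827-1}` for the stretch update. If that cross-reference is not derived automatically from data/DLA/list, it should be added to each of the seven CVE entries the advisory covers so the tracker links them to the DLA.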
@@ -71155,7 +71154,6 @@ CVE-2021-3929 (A DMA reentrancy issue was found in the 
NVM Express Controller (N
 CVE-2021-43400 (An issue was discovered in gatt-database.c in BlueZ 5.61. A 
use-after- ...)
- bluez 5.62-1 (bug #998626)
[bullseye] - bluez  (Minor issue; can be fixed in point release)
-   [buster] - bluez  (Minor issue; can be fixed in point release)
[stretch] - bluez  (invasive patch, requires post-stretch 
revamps)
NOTE: Introduced by: 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=93b64d9ca8a2bb663e37904d4b2c702c58a36e4f
 (5.40)
NOTE: Fixed by: 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=838c0dc7641e1c991c0f3027bf94bee4606012f8
 (5.62)
@@ -78991,7 +78989,6 @@ CVE-2021-41229 (BlueZ is a Bluetooth protocol stack for 
Linux. In affected versi
{DLA-2827-1}
- bluez 5.62-2 (bug #1000262)
[bullseye] - bluez  (Minor issue)
-   [buster] - bluez  (Minor issue)
NOTE: 
https://github.com/bluez/bluez/security/advisories/GHSA-3fqg-r8j5-f5xq
NOTE: Introduced by: 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=d939483328489fb835bb425d36f7c7c73d52c388
 (4.0)
NOTE: Fixed by: 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e79417ed7185b150a056d4eb3a1ab528b91d2fc0
@@ -247781,13 +247778,11 @@ CVE-2019-8923 (XAMPP through 5.6.8 and previous 
allows SQL injection via the cds
 CVE-2019-8922 (A heap-based buffer overflow was discovered in bluetoothd in 
BlueZ thr ...)
{DLA-2827-1}
- bluez 5.54-1
-   [buster] - bluez  (Minor issue)
NOTE: 
https://ssd-disclosure.com/ssd-advisory-linux-bluez-information-leak-and-heap-overflow/
NOTE: 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=6c7243fb6ab90b7b855cead98c66394fedea135f
 (5.51)
 CVE-2019-8921 (An issue was discovered in bluetoothd in BlueZ through 5.48. 
The vulne ...)
{DLA-2827-1}
- bluez 5.54-1
-   [buster] - bluez  (Minor issue)
NOTE: 
https://ssd-disclosure.com/ssd-advisory-linux-bluez-information-leak-and-heap-overflow/
NOTE: 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=7bf67b32709d828fafa26256b4c78331760c6e93
 (5.51)
 CVE-2019-8920 (iart.php in XAMPP 1.7.0 has XSS, a related issue to 
CVE-2008-3569. ...)


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[24 Oct 2022] DLA-3157-1 bluez - security update
+   {CVE-2019-8921 CVE-2019-8922 CVE-2021-41229 CVE-2021-43400 
CVE-2022-0204 CVE-2022-39176 CVE-2022-39177}
+   [buster] - bluez 5.50-1.2~deb10u3
 [20 Oct 2022] DLA-3156-1 firefox-esr - security update
{CVE-2022-42927 CVE-2022-42928 CVE-2022-42929 CVE-2022-42932}
[buster] - firefox-esr 102.4.0esr-1~deb10u1
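Review bot: the new DLA-3157-1 entry lists seven CVEs, but only five of them (CVE-2022-0204, CVE-2021-43400, CVE-2021-41229, CVE-2019-8922, CVE-2019-8921) have a `[buster]` line removed in the data/CVE/list hunks of this commit; CVE-2022-39176 and CVE-2022-39177 are not touched. Please confirm those two entries had no leftover buster no-dsa/postponed line, otherwise the tracker will show them as fixed by the DLA and ignored for buster at the same time.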


=
data/dla-needed.txt
=
@@ -20,10 +20,6 @@ asterisk (Markus Koschany)
   NOTE: 20221002: Done. Will ask for a public review tomorrow though. (apo)
   NOTE: 20221018: https://lists.debian.org/debian-lts/2022/10/msg00037.html
 --
-bluez (Sylvain Beucler)
-  NOTE: 20220902: Programming language: C.
-  NOTE: 20220902: Consider synchronizing with Stretch. (apo)
---
 clickhouse
   NOTE: 20221003: Programming language: C++.
   NOTE: 20221003: One pull request closes several CVEs.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58c0d54588f7ba2815d6db6cde270c88d131bb15



[Git][security-tracker-team/security-tracker][master] CVE-2022-3563/bluez: buster not-affected

2022-10-22 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cd62ac22 by Sylvain Beucler at 2022-10-22T18:17:20+02:00
CVE-2022-3563/bluez: buster not-affected

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1585,7 +1585,9 @@ CVE-2022-3564 (A vulnerability classified as critical was 
found in Linux Kernel.
 CVE-2022-3563 (A vulnerability classified as problematic has been found in 
Linux Kern ...)
- bluez 5.65-1
[bullseye] - bluez  (Minor issue; Only an issue in mgmt-tester 
test tool)
+   [buster] - bluez  (Vulnerable code introduced later)
NOTE: 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e3c92f1f786f0b55440bd908b55894d0c792cf0e
 (5.65)
+   NOTE: Introduced by: 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=bc3a76f01f461db19381f1922cdaeac222dfd374
 (5.56)
 CVE-2022-3562
RESERVED
 CVE-2022-3561
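Review bot: the new `NOTE: Introduced by:` line is tagged `(5.56)`, which is later than the bluez version bullseye ships (5.55), so the existing `[bullseye] - bluez (Minor issue; Only an issue in mgmt-tester test tool)` line looks inconsistent with the buster triage being added here; if the introducing commit is right, bullseye should be marked not-affected with the same "Vulnerable code introduced later" rationale, and if it is not, the buster line needs a second look.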



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd62ac22052c7dbf94e235670cc1e341b4345c62



[Git][security-tracker-team/security-tracker][master] CVE-2021-3658/bluez: precise buster triage

2022-10-18 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6fa79b59 by Sylvain Beucler at 2022-10-18T19:50:32+02:00
CVE-2021-3658/bluez: precise buster triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -88353,7 +88353,7 @@ CVE-2021-3659 (A NULL pointer dereference flaw was 
found in the Linux kernel
 CVE-2021-3658 (bluetoothd from bluez incorrectly saves adapters' Discoverable 
status  ...)
- bluez 5.61-1 (bug #991596)
[bullseye] - bluez  (Minor issue)
-   [buster] - bluez  (Minor issue)
+   [buster] - bluez  (Vulnerable code introduced later)
[stretch] - bluez  (Vulnerable code introduced later)
NOTE: Introduced by 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=d04eb02f9bad8795297210ef80e262be16ea8f07
 (5.51)
NOTE: Fixed by 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=b497b5942a8beb8f89ca1c359c54ad67ec843055
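Review bot: the `NOTE: Fixed by` line for CVE-2021-3658 has no upstream release tag after the commit URL, unlike the `NOTE: Introduced by` line above it (`(5.51)`) and the other bluez entries in this series, and both notes lack the colon (`Introduced by:`, `Fixed by:`) used elsewhere in the file. Since the new `[buster]` not-affected line is justified solely by the introduction point lying after buster's 5.50, it would help a later reader to have the fix tagged with its release as well.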



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6fa79b5988f77d7c27deb25edd4dfe97ca2095bf



[Git][security-tracker-team/security-tracker][master] CVE-2018-10911/bluez: clarify buster triage

2022-10-18 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c2b134bc by Sylvain Beucler at 2022-10-18T18:51:53+02:00
CVE-2018-10911/bluez: clarify buster triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -294385,8 +294385,8 @@ CVE-2018-10911 (A flaw was found in the way 
dic_unserialize function of glusterf
NOTE: 
https://github.com/gluster/glusterfs/commit/cc3271ebf3aacdbbc77fdd527375af78ab12ea8d
 CVE-2018-10910 (A bug in Bluez may allow for the Bluetooth Discoverable state 
being se ...)
- bluez 5.54-1 (low; bug #925369)
-   [buster] - bluez  (Minor issue)
-   [stretch] - bluez  (Minor issue, does not affected Gnome 
Bluetooth in stretch)
+   [buster] - bluez  (Minor issue, invasive fix, workaround 
present in buster's gnome-bluetooth)
+   [stretch] - bluez  (Minor issue, does not affect Gnome 
Bluetooth in stretch)
[jessie] - bluez  (Minor issue because in gnome-bluetooth <= 
3.26 the D-Bus calls were synchronous and thus the issue in bluez will have no 
actual affect)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1606203
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1602985
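Review bot: the unchanged `[jessie]` context line still reads "the issue in bluez will have no actual affect" (should be "effect"), the same kind of typo the stretch line is being corrected for in this hunk, so it could be fixed in the same pass. Minor: the new buster rationale names the package as `gnome-bluetooth` while the stretch line says "Gnome Bluetooth"; one spelling would make the two lines easier to compare.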



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2b134bc3583024eaf25a329af5b4f059abad3fb



[Git][security-tracker-team/security-tracker][master] dla: claim bluez

2022-10-18 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
06a682df by Sylvain Beucler at 2022-10-18T17:23:09+02:00
dla: claim bluez

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -19,7 +19,7 @@ asterisk (Markus Koschany)
   NOTE: 20220829: bullseye and buster. (apo)
   NOTE: 20221002: Done. Will ask for a public review tomorrow though. (apo)
 --
-bluez
+bluez (Sylvain Beucler)
   NOTE: 20220902: Programming language: C.
   NOTE: 20220902: Consider synchronizing with Stretch. (apo)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/06a682df0ff10938fbda8d57aabe2e91aee8453b



Re: Call for testing: glibc update for buster

2022-10-17 Thread Sylvain Beucler

Hi,

On 17/10/2022 10:00, Helmut Grohne wrote:

On Wed, Oct 12, 2022 at 03:45:11PM +0200, Sylvain Beucler wrote:

I'll give it some testing on my buster system.


Thank you. I take the absence of a further response as "nothing broke".


Right, although I was kinda waiting for your input on other points 
rather than answering myself on this one :)



- a methodology point: if there's some uncertainty on CVE-2016-10228 (note:
which is a 2020 fix really), that neither secteam nor the maintainers
decided to fix in other Debian dists, maybe it's not worth the risk to fix
it in LTS.
I read your note that other distros (ubuntu, redhat) did so though;
contacting the maintainers could help evaluate the risk better.


Yeah. I'm fixing quite a number of issues that were not previously
considered. Even though these were non-trivial to fix, I believe that we
should fix them. Leaving them as is would mean that character conversion
involving untrusted inputs is not supported at all. Seems like a hard
sell, right?


Depends on the levels of risks involved (local CPU DoS vs. possible 
regression), but again the maintainers would better know what to answer.


Cheers!
Sylvain Beucler
Debian LTS Team



[SECURITY] [DLA 3150-1] rexical security update

2022-10-12 Thread Sylvain Beucler

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3150-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Sylvain Beucler
October 12, 2022                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: rexical
Version: 1.0.5-2+deb10u1
CVE ID : CVE-2019-5477
Debian Bug : 940905

A command injection vulnerability was found in Rexical, a lexical
scanner generator for the Ruby programming language. Processes are
vulnerable only if the undocumented method
`Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user
input as the filename. This vulnerability appears in code generated by
the Rexical gem.

For Debian 10 buster, this problem has been fixed in version
1.0.5-2+deb10u1.

We recommend that you upgrade your rexical packages.

For the detailed security status of rexical please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rexical

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3149-1] ruby-nokogiri security update

2022-10-12 Thread Sylvain Beucler

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3149-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Sylvain Beucler
October 12, 2022                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: ruby-nokogiri
Version: 1.10.0+dfsg1-2+deb10u1
CVE ID : CVE-2019-5477 CVE-2020-26247 CVE-2022-24836
Debian Bug : 934802 978967 1009787

Multiple vulnerabilities were discovered in Nokogiri, an
HTML/XML/SAX/Reader parser for the Ruby programming language, leading
to command injection, XML external entity injection (XXE), and
denial-of-service (DoS).

CVE-2019-5477

A command injection vulnerability allows commands to be executed
in a subprocess via Ruby's `Kernel.open` method. Processes are
vulnerable only if the undocumented method
`Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe
user input as the filename. This vulnerability appears in code
generated by the Rexical gem versions v1.0.6 and earlier. Rexical
is used by Nokogiri to generate lexical scanner code for parsing
CSS queries.

CVE-2020-26247

XXE vulnerability: XML Schemas parsed by Nokogiri::XML::Schema are
trusted by default, allowing external resources to be accessed
over the network, potentially enabling XXE or SSRF attacks. This
behavior is counter to the security policy followed by Nokogiri
maintainers, which is to treat all input as untrusted by default
whenever possible.

CVE-2022-24836

Nokogiri contains an inefficient regular expression that is
susceptible to excessive backtracking when attempting to detect
encoding in HTML documents.

For Debian 10 buster, these problems have been fixed in version
1.10.0+dfsg1-2+deb10u1.

We recommend that you upgrade your ruby-nokogiri packages.

For the detailed security status of ruby-nokogiri please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-nokogiri

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3150-1 for rexical

2022-10-12 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9cfd8525 by Sylvain Beucler at 2022-10-12T16:18:19+02:00
Reserve DLA-3150-1 for rexical

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -254402,7 +254402,6 @@ CVE-2019-5478 (A weakness was found in Encrypt Only 
boot mode in Zynq UltraScale
 CVE-2019-5477 (A command injection vulnerability in Nokogiri v1.10.3 and 
earlier allo ...)
{DLA-1933-1}
- rexical 1.0.7-1 (bug #940905)
-   [buster] - rexical  (Minor issue, can be fixed via point 
release)
[stretch] - rexical  (Minor issue, can be fixed via point 
release)
- ruby-nokogiri 1.10.4+dfsg1-1 (bug #934802)
[stretch] - ruby-nokogiri  (Minor issue, can be fixed via point 
release)


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[12 Oct 2022] DLA-3150-1 rexical - security update
+   {CVE-2019-5477}
+   [buster] - rexical 1.0.5-2+deb10u1
 [12 Oct 2022] DLA-3149-1 ruby-nokogiri - security update
{CVE-2019-5477 CVE-2020-26247 CVE-2022-24836}
[buster] - ruby-nokogiri 1.10.0+dfsg1-2+deb10u1


=
data/dla-needed.txt
=
@@ -162,9 +162,6 @@ rainloop
   NOTE: 20220913: also there's an unofficial one for CVE-2022-29360;
   NOTE: 20220913: Evaluate the situation and decide whether we should support 
or EOL this package (Beuc/front-desk)
 --
-rexical (Sylvain Beucler)
-  NOTE: 20221009: Programming language: Ruby.
---
 ruby-sinatra
   NOTE: 20220911: Programming language: ruby
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9cfd8525637a67e88e1df3836733ab3ae67f12dc



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3149-1 for ruby-nokogiri

2022-10-12 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a4b235a9 by Sylvain Beucler at 2022-10-12T16:17:12+02:00
Reserve DLA-3149-1 for ruby-nokogiri

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -146515,7 +146515,6 @@ CVE-2020-26248 (In the PrestaShop module 
"productcomments" before version 4.2.1,
 CVE-2020-26247 (Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader 
parsers wit ...)
{DLA-2678-1}
- ruby-nokogiri 1.11.1+dfsg-1 (low; bug #978967)
-   [buster] - ruby-nokogiri  (Minor issue)
NOTE: 
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
NOTE: 
https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b
 (v1.11.0.rc4)
 CVE-2020-26246 (Pimcore is an open source digital experience platform. In 
Pimcore befo ...)
@@ -254406,7 +254405,6 @@ CVE-2019-5477 (A command injection vulnerability in 
Nokogiri v1.10.3 and earlier
[buster] - rexical  (Minor issue, can be fixed via point 
release)
[stretch] - rexical  (Minor issue, can be fixed via point 
release)
- ruby-nokogiri 1.10.4+dfsg1-1 (bug #934802)
-   [buster] - ruby-nokogiri  (Minor issue, can be fixed via point 
release)
[stretch] - ruby-nokogiri  (Minor issue, can be fixed via point 
release)
NOTE: https://github.com/sparklemotion/nokogiri/issues/1915
NOTE: Processes are vulnerable only if the undocumented method 
Nokogiri::CSS::Tokenizer#load_file


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[12 Oct 2022] DLA-3149-1 ruby-nokogiri - security update
+   {CVE-2019-5477 CVE-2020-26247 CVE-2022-24836}
+   [buster] - ruby-nokogiri 1.10.0+dfsg1-2+deb10u1
 [12 Oct 2022] DLA-3148-1 mediawiki - security update
{CVE-2022-41765 CVE-2022-41767}
[buster] - mediawiki 1:1.31.16-1+deb10u4


=
data/dla-needed.txt
=
@@ -165,10 +165,6 @@ rainloop
 rexical (Sylvain Beucler)
   NOTE: 20221009: Programming language: Ruby.
 --
-ruby-nokogiri (Sylvain Beucler)
-  NOTE: 20220911: Programming language: ruby
-  NOTE: 20220911: CVE-2022-24836 was fixed in stretch so it should be fixed in 
buster too.
---
 ruby-sinatra
   NOTE: 20220911: Programming language: ruby
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a4b235a96ac45c7d0cf3714c7b2b6de5ae3f51f5



Re: Call for testing: glibc update for buster

2022-10-12 Thread Sylvain Beucler

Hi,

I'll give it some testing on my buster system.

A couple of things I noticed right now:

- dist in debian/changelog should be 'buster-security' (not 'buster')

- debdiff|diffstat shows spurious '.pc' work files from quilt
(plus a change in a patches/README which maybe adds more noise than it 
helps in a security upload, but that's a matter of taste)


- a methodology point: if there's some uncertainty on CVE-2016-10228 
(note: which is a 2020 fix really), that neither secteam nor the 
maintainers decided to fix in other Debian dists, maybe it's not worth 
the risk to fix it in LTS.
I read your note that other distros (ubuntu, redhat) did so though; 
contacting the maintainers could help evaluate the risk better.


Cheers!
Sylvain

On 11/10/2022 15:25, Helmut Grohne wrote:

I've prepared an LTS update for glibc and seek people to test it. Builds
for amd64 and armhf as well as a .debdiff are available from
http://subdivi.de/~helmut/glibc_lts.

I plan to fix no less than 14 CVEs. Those mostly fall into one of the
following categories:
  * 4 * iconv
  * 2 * unix sockets
  * setuid environment filtering
  * getcwd
  * glob
  * memcpy on armhf
  * mq_notify
  * sinl
  * wordexp
  * nscd
Please refer to debian/changelog and the respective patches for details.

If you happen to have applications covering any of these, feedback is
welcome.

Beware that this update changes two private glibc symbols for fixing
CVE-2016-10228. These symbols are used for testing the change via
iconv_prog, which happens to not be installed into a binary package.
I've not located any uses in any other glibc library. As a result, I
believe these symbol changes to be harmless even though Aurelien
Jarno cautioned about it. My judgement is partially confirmed by RedHat
and Canonical shipping these symbol changes in their security updates.
On the flip side, I'm observing a number of unexpected references to one
symbol that did change prototype, see
https://codesearch.debian.net/search?q=__gconv_open=1. Most of
these uses are broken since bullseye, so I hope that they're all dead
code. More eyeballs appreciated.

You see this is glibc, so I'd rather give it more testing than brick
user systems.

Please Cc me in replies.




Re: Cannot read newsgroups with new Thunderbird

2022-10-12 Thread Sylvain Beucler

Hi,

I don't use the NNTP feature myself, but since we're following the 
Thunderbird ESR releases, there's a high chance that it's a bug in 
upstream Thunderbird.


Unless the same works in other Debian dists (bullseye or bookworm, which 
also upgraded to 102esr), I'd suggest you look at the official 
Thunderbird contact points.


Cheers!
Sylvain Beucler
Debian LTS Team

On 05/10/2022 15:17, Miroslav Skoric wrote:
After a recent Thunderbird upgrade in Buster (from version 91-something 
to 101-something, or like), it stopped handling newsgroups properly 
(where the source is a News Server (NNTP) on the same machine, and 
nothing there was changed/upgraded).


To be precise, Thunderbird now seems to download new messages from the 
NNTP server, then shows the new number of messages in the folder pane, 
but displays empty content in the message pane, i.e. the Subject and From 
columns are empty, while the Date column is filled with 1/1/70 - for all 
news messages that arrived since the Thunderbird upgrade.


Btw, handling personal emails (from the local POP Mail Server) is ok.

Any idea?




[Git][security-tracker-team/security-tracker][master] CVE-2019-5477/ruby-nokogiri: reference patch

2022-10-08 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9df7b62f by Sylvain Beucler at 2022-10-08T19:56:28+02:00
CVE-2019-5477/ruby-nokogiri: reference patch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -253891,6 +253891,7 @@ CVE-2019-5477 (A command injection vulnerability in 
Nokogiri v1.10.3 and earlier
NOTE: is being passed untrusted user input.
NOTE: 
https://github.com/tenderlove/rexical/commit/a652474dbc66be350055db3e8f9b3a7b3fd75926
NOTE: Change in rexical is covered by the scope of this CVE.
+   NOTE: 
https://github.com/sparklemotion/nokogiri/commit/5fe449fd3ab8cc25a71499128529c821c10dde83?w=1
 (v1.10.4)
 CVE-2019-5476 (An SQL Injection in the Nextcloud Lookup-Server  v0.3.0 
(running o ...)
NOT-FOR-US: Nextcloud Lookup-Server
 CVE-2019-5475 (The Nexus Yum Repository Plugin in v2 is vulnerable to Remote 
Code Exe ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9df7b62fa7b34210a52b840607c88bdc6b24dc57



[Git][security-tracker-team/security-tracker][master] dla: claim ruby-nokogiri

2022-10-08 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f4576e1c by Sylvain Beucler at 2022-10-08T18:55:30+02:00
dla: claim ruby-nokogiri

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -150,7 +150,7 @@ rainloop
   NOTE: 20220913: also there's an unofficial one for CVE-2022-29360;
   NOTE: 20220913: Evaluate the situation and decide whether we should support 
or EOL this package (Beuc/front-desk)
 --
-ruby-nokogiri
+ruby-nokogiri (Sylvain Beucler)
   NOTE: 20220911: Programming language: ruby
   NOTE: 20220911: CVE-2022-24836 was fixed in stretch so it should be fixed in 
buster too.
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f4576e1c191af5e1a6ce19f2274538dd3d152328



[SECURITY] [DLA 3137-1] nodejs security update

2022-10-05 Thread Sylvain Beucler

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3137-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Sylvain Beucler
October 05, 2022                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: nodejs
Version: 10.24.0~dfsg-1~deb10u2
CVE ID : CVE-2021-22930 CVE-2021-22939 CVE-2021-22940 CVE-2022-21824 CVE-2022-32212
Debian Bug : 1004177

Multiple vulnerabilities were discovered in Node.js, a JavaScript
runtime environment, which could result in memory corruption, invalid
certificate validation, prototype pollution or command injection.

CVE-2021-22930, CVE-2021-22940

Use-after-free attack where an attacker might be able to exploit
the memory corruption to change process behavior.

CVE-2021-22939

If the Node.js https API was used incorrectly and "undefined" was
passed in for the "rejectUnauthorized" parameter, no error was
returned and connections to servers with an expired certificate
would have been accepted.

CVE-2022-21824

Due to the formatting logic of the "console.table()" function it
was not safe to allow user controlled input to be passed to the
"properties" parameter while simultaneously passing a plain object
with at least one property as the first parameter, which could be
"__proto__".

CVE-2022-32212

OS Command Injection vulnerability due to an insufficient
IsAllowedHost check that can easily be bypassed because
IsIPAddress does not properly check if an IP address is invalid
before making DNS requests allowing rebinding attacks.

For Debian 10 buster, these problems have been fixed in version
10.24.0~dfsg-1~deb10u2.

We recommend that you upgrade your nodejs packages.

For the detailed security status of nodejs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nodejs

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3137-1 for nodejs

2022-10-05 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4f5f9af6 by Sylvain Beucler at 2022-10-05T15:46:06+02:00
Reserve DLA-3137-1 for nodejs

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -121503,7 +121503,6 @@ CVE-2021-22941 (Improper Access Control in Citrix 
ShareFile storage zones contro
 CVE-2021-22940 (Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a 
use aft ...)
- nodejs 12.22.5~dfsg-1
[bullseye] - nodejs  (Incomplete fix for CVE-2021-22930 
not applied)
-   [buster] - nodejs  (Incomplete fix for CVE-2021-22930 not 
applied)
[stretch] - nodejs  (Incomplete fix for CVE-2021-22930 
not applied)
NOTE: https://github.com/nodejs/node/pull/39423
NOTE: 
https://github.com/nodejs/node/commit/2008c9722fcf7591e39013691f303934b622df7b 
(v12.22.5)
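Review bot: DLA-3137-1 covers five CVEs, but this is the only data/CVE/list hunk in the commit and it only drops the `[buster] - nodejs (Incomplete fix for CVE-2021-22930 not applied)` line of CVE-2021-22940; CVE-2021-22930, CVE-2021-22939, CVE-2022-21824 and CVE-2022-32212 are not touched. Please confirm none of them still carries a buster no-dsa/postponed line, and note that the dropped rationale (and the dla-needed note "one of the upstream fixes doesn't address the security issue (jmm)" removed below) implies the buster upload includes the completed fix for CVE-2021-22930 rather than the upstream commit alone; a short NOTE saying which follow-up commit was applied would document that.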


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[05 Oct 2022] DLA-3137-1 nodejs - security update
+   {CVE-2021-22930 CVE-2021-22939 CVE-2021-22940 CVE-2022-21824 
CVE-2022-32212}
+   [buster] - nodejs 10.24.0~dfsg-1~deb10u2
 [04 Oct 2022] DLA-3136-1 barbican - security update
{CVE-2022-3100}
[buster] - barbican 1:7.0.0-1+deb10u1


=
data/dla-needed.txt
=
@@ -106,12 +106,6 @@ netatalk
 node-tar
   NOTE: 20220907: Programming language: JavaScript.
 --
-nodejs (Sylvain Beucler)
-  NOTE: 20220801: Programming language: JavaScript, C/C++, Python.
-  NOTE: 20220801: one of the upstream fixes doesn't address the security issue 
(jmm)
-  NOTE: 20220912: backporting patches and determining testing procedures (Beuc)
-  NOTE: 20220926: resuming work after 1 week of FD + other side tasks (Beuc)
---
 openexr
   NOTE: 20220904: Programming language: C++.
   NOTE: 20220904: Should be synced with Stretch. (apo)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4f5f9af6437aa0c0842b5e3c801a2cab1adaff1c



[Git][security-tracker-team/security-tracker][master] CVE-2021-44531,CVE-2021-44532,CVE-2021-44533/nodejs: buster ignored + add references

2022-10-04 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d54a9c94 by Sylvain Beucler at 2022-10-04T19:47:42+02:00
CVE-2021-44531,CVE-2021-44532,CVE-2021-44533/nodejs: buster ignored + add 
references

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -62969,20 +62969,27 @@ CVE-2021-44534
 CVE-2021-44533 (Node.js  12.22.9,  14.18.3,  16.13.2, and  
17.3.1 did  ...)
{DSA-5170-1}
- nodejs 12.22.9~dfsg-1 (bug #1004177)
+   [buster] - nodejs  (Minor issue, requires MITM and uncommon 
CA, invasive/hard to backport)
[stretch] - nodejs  (Nodejs in stretch not covered by 
security support)
NOTE: 
https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/#incorrect-handling-of-certificate-subject-and-issuer-fields-medium-cve-2021-44533
+   NOTE: https://hackerone.com/reports/1429694
NOTE: 
https://github.com/nodejs/node/commit/8c2db2c86baff110a1d905ed1e0dd4e1c4fd2dd1 
(v12.x)
 CVE-2021-44532 (Node.js  12.22.9,  14.18.3,  16.13.2, and  
17.3.1 conv ...)
{DSA-5170-1}
- nodejs 12.22.9~dfsg-1 (bug #1004177)
+   [buster] - nodejs  (Minor issue, requires MITM and uncommon 
CA, invasive/hard to backport)
[stretch] - nodejs  (Nodejs in stretch not covered by 
security support)
NOTE: 
https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/#certificate-verification-bypass-via-string-injection-medium-cve-2021-44532
+   NOTE: https://hackerone.com/reports/1429694
NOTE: 
https://github.com/nodejs/node/commit/19873abfb24dce75042efe76dc5633052677 
(v12.x)
+   NOTE: 
https://github.com/nodejs/node/commit/a5c7843cab6fdb9c845edadc2a7b9b30e02c8bf2 
(v12.x)
 CVE-2021-44531 (Accepting arbitrary Subject Alternative Name (SAN) types, 
unless a PKI ...)
{DSA-5170-1}
- nodejs 12.22.9~dfsg-1 (bug #1004177)
+   [buster] - nodejs  (Minor issue, requires MITM and uncommon 
CA, invasive/hard to backport)
[stretch] - nodejs  (Nodejs in stretch not covered by 
security support)
NOTE: 
https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/#improper-handling-of-uri-subject-alternative-names-medium-cve-2021-44531
+   NOTE: https://hackerone.com/reports/1429694
NOTE: 
https://github.com/nodejs/node/commit/e0fe6a635e5929a364986a6c39dc3585b9ddcd85 
(v12.x)
NOTE: 
https://github.com/nodejs/node/commit/a5c7843cab6fdb9c845edadc2a7b9b30e02c8bf2 
(v12.x)
 CVE-2021-44530 (An injection vulnerability exists in a third-party library 
used in Uni ...)
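Review bot: the v12.x commit reference added for CVE-2021-44532 (`https://github.com/nodejs/node/commit/19873abfb24dce75042efe76dc5633052677`) is 36 hex digits, while every other commit in the hunk is a full 40-digit SHA; GitHub resolves abbreviated ids, but this looks like a copy-paste truncation, so verify it and paste the full hash. Sharing the hackerone report and the same buster rationale (Minor issue, requires MITM and uncommon CA, invasive/hard to backport) across the three CVEs is fine, since they come from the same certificate-handling fix set.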



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d54a9c94a605d03b6a15482f8033153f6bb66016



[Git][security-tracker-team/security-tracker][master] CVE-2022-35255/nodejs: reference patches, buster not-affected

2022-10-03 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ac1e0a17 by Sylvain Beucler at 2022-10-03T13:03:36+02:00
CVE-2022-35255/nodejs: reference patches, buster not-affected

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17747,7 +17747,10 @@ CVE-2022-35256 [HTTP Request Smuggling Due to 
Incorrect Parsing of Header Fields
 CVE-2022-35255 [Weak randomness in WebCrypto keygen]
RESERVED
- nodejs 18.10.0+dfsg-1
+   [buster] - nodejs  (Vulnerable code introduced later)
NOTE: 
https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#weak-randomness-in-webcrypto-keygen-high-cve-2022-35255
+   NOTE: 
https://github.com/nodejs/node/commit/0c2a5723beff39d1f62daec96b5389da3d427e79 
(v18.9.1)
+   NOTE: Introduced by 
https://github.com/nodejs/node/commit/dae283d96fd31ad0f30840a7e55ac97294f505ac 
(v15.0.0)
 CVE-2022-35254
RESERVED
 CVE-2022-35253 (A vulnerability exists in Hyperledger Fabric 2.4 could 
allow an at ...)
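Review bot: the buster not-affected rationale `(Vulnerable code introduced later)` would be verifiable from the tag alone if it named the version that the new `Introduced by ... (v15.0.0)` NOTE documents, e.g. `(Vulnerable code introduced in v15.0.0)`; buster ships nodejs 10.x, so the reader can then confirm the verdict without following the commit link.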



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac1e0a177b3c67d23c6b3dcf4bbf2d4bccfa67fb



[Git][security-tracker-team/security-tracker][master] CVE-2022-35256/nodejs: reference patches, buster not-affected

2022-10-03 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cc7a7b4d by Sylvain Beucler at 2022-10-03T12:53:56+02:00
CVE-2022-35256/nodejs: reference patches, buster not-affected

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17739,8 +17739,11 @@ CVE-2022-35257 (A local privilege escalation 
vulnerability in UI Desktop for Win
 CVE-2022-35256 [HTTP Request Smuggling Due to Incorrect Parsing of Header 
Fields]
RESERVED
- nodejs 18.10.0+dfsg-1
+   [buster] - nodejs  (llhttp dependency/embedding 
introduced in 12.x)
- llhttp  (bug #977716)
NOTE: 
https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256
+   NOTE: 
https://github.com/nodejs/node/commit/2e92e5b71d071cb989d8d109d278427041a47e44 
(main)
+   NOTE: 
https://github.com/nodejs/node/commit/a9f1146b8827855e342834458a71f2367346ace0 
(v14.20.1)
 CVE-2022-35255 [Weak randomness in WebCrypto keygen]
RESERVED
- nodejs 18.10.0+dfsg-1
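Review bot: the buster rationale `(llhttp dependency/embedding introduced in 12.x)` rests on buster's nodejs 10.x not embedding llhttp at all; a NOTE stating which HTTP parser 10.x does embed, and that it is not affected by this header-parsing issue, would make the not-affected verdict self-contained. The separate `- llhttp (bug #977716)` line kept in context has no fix reference of its own, so whoever handles that package will need the corresponding llhttp upstream commit, if one exists, recorded here too.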



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc7a7b4d099479af64d325cf3bbd4b811c757c87



Debian LTS and ELTS - September 2022

2022-10-01 Thread Sylvain Beucler
Here is my public monthly report.

Thanks to our sponsors for making this possible, and to Freexian for
handling the offering.
https://www.freexian.com/services/debian-lts.html#sponsors


LTS

- Front Desk
  - Standardize/clarify buster-lts triage for golang* packages
  - Mark 10 packages for update
  - Triage or precise triage for multiple CVEs
  - Guide two non-team contributors (bzip2 and pcs)
https://lists.debian.org/debian-lts/2022/09/msg00042.html
https://lists.debian.org/debian-lts/2022/09/msg00060.html

- nodejs
  - Newly supported package / ecosystem
  - Reference CVEs information and patches, precise buster triage
  - Prepare DLA (in progress), backport patches
  - Fix test-suite, initiate documentation (see below)


ELTS

- Front Desk
  - Mark 3 supported packages for update
  - Associate CVEs from newer separate branched 'golang-1.x' packages
to ELTS' 'golang'


Documentation and tooling

- LTS Documentation
  - Clarify package claims and front-desk bypass procedures

https://lts-team.pages.debian.net/wiki/LTS-Development.html#claim-the-issue-in-the-security-tracker-in-dla-needed-txt
https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/49
  - Unify front-desk docs (public and private), clarify role attributions

https://lts-team.pages.debian.net/wiki/LTS-Development.html#front-desk-duties
https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/48
  - Discuss triage during stable->oldstable harmonization
https://lists.debian.org/debian-lts/2022/09/msg00072.html
  - nodejs testing procedures
https://lts-team.pages.debian.net/wiki/TestSuites/nodejs.html
  - Internal doc: reference bin/review-update-needed from the main
security-tracker, similar to a new tool

- Fixes to new (private) bin/package-operations front-desk tooling

- IRC meeting
  http://meetbot.debian.net/debian-lts/2022/debian-lts.2022-09-22-13.58.html


-- 
Sylvain Beucler
Debian LTS Team



Re: What do do with bullseye minor issues?

2022-09-29 Thread Sylvain Beucler

Hi,

On 29/09/2022 09:09, Emilio Pozuelo Monfort wrote:

On 28/09/2022 23:54, Ola Lundqvist wrote:

Took me a month to get down here in the email backlog. I think your
reasoning makes sense.
I have added the following to the LTS/Development page.

"If a CVE has been fixed in Debian Stable it should, in general, be fixed
in LTS as well, or marked as ignored. It does not make sense to have such
CVEs marked as postponed or no-dsa since either the Debian Security 
team or

the maintainer have decided that it was worth fixing."
Please update that page if you think I was unclear or wrong.


Note: the documentation was moved away from the wiki.


I don't think that's correct. Say for example:

Package foo has two CVEs:

- CVE-2022-1234 of high severity, affecting stable
- CVE-2022-5678 of minor severity, affecting stable and oldstable

The sec-team fixes both.

Now, what do we do? According to your reasoning, we should either do a 
DLA to fix a single minor issue, or mark it as ignored. I think marking 
it as postponed is the correct course of action here.


That would be a rare corner case in the "Issues postponed for 
, but already fixed in  via DSA or point releases (to 
be fixed or )" report in lts-cve-triage.py, which I've never 
seen happen so far.


Ola is basically documenting that report in the documentation, maybe in 
a too coercive phrasing.


Such a CVE would keep being reported until fixed (we can live with 
that). But since we do not time-limit such a  issue there's a 
chance that the "minor" CVE remains unfixed forever, so maybe it's good 
to fix it right away nonetheless.


I can think of similar situations when a maintainer fixes a minor issue 
through a point release. It could be fixed or postponed, but there's no 
need to ignore it.
 would be for e.g. a minor issue with invasive, 
risky-to-backport patch.  There's no need to ignore it indeed, but 
that's a possibility.


However, after a point-release, I believe leaving it  
indefinitely doesn't make sense.  We know whether we'll fix it like 
stable, or never will (ignored).  Hence the report and Ola's recommendation.



Note that all this is usually not decided during the first-pass 
triaging, but later on, after a fix landed in stable.


Cheers!
Sylvain
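The lts-cve-triage.py report Sylvain mentions, as an added Python example rather than the LTS team's own tool: it parses a constructed snippet laid out like data/CVE/list and flags CVEs tagged postponed or no-dsa in buster whose package bullseye has already fixed through a DSA or a point-release version, while leaving the stable-no-dsa corner case from the thread unflagged. The release tags follow the tracker's `<postponed>`/`<no-dsa>`/`<ignored>` convention; the CVE ids, package names, versions and DSA number in the sample are constructed.

```python
import re

# Constructed sample in the layout of the security tracker's data/CVE/list
# (a tab-indented block per CVE; the <...> release tags are the tracker's own,
# which the mail archive above renders with the angle brackets stripped).
SAMPLE_CVE_LIST = """\
CVE-2022-0001 (Constructed: fixed in stable through a DSA ...)
\t{DSA-9999-1}
\t- foo 1.2.3-1
\t[bullseye] - foo 1.2.0-1+deb11u1
\t[buster] - foo <postponed> (Minor issue)
\tNOTE: https://example.invalid/foo-fix
CVE-2022-0002 (Constructed: minor in both stable and LTS ...)
\t- bar 2.0-1
\t[bullseye] - bar <no-dsa> (Minor issue)
\t[buster] - bar <postponed> (Minor issue)
CVE-2022-0003 (Constructed: fixed in stable via point release, ignored in LTS ...)
\t- baz 3.1-1
\t[bullseye] - baz 3.0-2+deb11u2
\t[buster] - baz <ignored> (Invasive backport)
"""

ENTRY_RE = re.compile(r"^(CVE-\d{4}-\d+)")
RELEASE_RE = re.compile(r"^\[(\w+)\]\s+-\s+(\S+)\s*(.*)$")
TAG_RE = re.compile(r"^<([\w-]+)>\s*(?:\((.*)\))?")


def parse_cve_list(text):
    """Parse CVE/list-style text into entries with per-release status.

    Each entry maps (release, package) to a dict holding either a 'tag'
    (postponed, no-dsa, ignored, ...) with its 'reason', or a fixed 'version'.
    DSA ids found in {...} lines are collected separately; DLA ids are LTS
    advisories and are deliberately not counted as "fixed in stable".
    """
    entries = []
    current = None
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw)
        if m:
            current = {"cve": m.group(1), "dsa": [], "releases": {}}
            entries.append(current)
            continue
        body = raw.strip()
        if current is None or not body:
            continue
        if body.startswith("{"):
            current["dsa"].extend(re.findall(r"DSA-\d+-\d+", body))
            continue
        m = RELEASE_RE.match(body)
        if not m:
            continue  # NOTE:/TODO: lines and the unstable "- pkg version" line
        release, package, rest = m.groups()
        tag = TAG_RE.match(rest)
        if tag:
            status = {"tag": tag.group(1), "reason": tag.group(2) or "", "version": None}
        else:
            status = {"tag": None, "reason": "", "version": rest.strip() or None}
        current["releases"][(release, package)] = status
    return entries


def postponed_but_fixed_in_stable(text, lts="buster", stable="bullseye"):
    """Report CVEs deferred in the LTS release although stable already fixed them.

    Returns (cve, package, lts_tag, how_stable_fixed) tuples. An entry counts as
    fixed in stable when it carries a DSA id or a fixed version on the stable
    line; a stable <no-dsa> tag does not count, which is exactly the corner
    case where leaving the LTS issue postponed is legitimate.
    """
    findings = []
    for entry in parse_cve_list(text):
        for (release, package), status in entry["releases"].items():
            if release != lts or status["tag"] not in ("postponed", "no-dsa"):
                continue
            stable_status = entry["releases"].get((stable, package))
            if entry["dsa"]:
                how = ", ".join(entry["dsa"])
            elif stable_status and stable_status["version"]:
                how = "point release " + stable_status["version"]
            else:
                continue  # stable has no fix either: nothing to harmonize
            findings.append((entry["cve"], package, status["tag"], how))
    return findings


if __name__ == "__main__":
    for cve, pkg, tag, how in postponed_but_fixed_in_stable(SAMPLE_CVE_LIST):
        print(f"{cve}: {pkg} is <{tag}> in buster but fixed in bullseye via {how}")
```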



[Git][security-tracker-team/security-tracker][master] dla: update nodejs notes

2022-09-27 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
47285e9e by Sylvain Beucler at 2022-09-27T15:25:22+02:00
dla: update nodejs notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -98,6 +98,7 @@ nodejs (Sylvain Beucler)
   NOTE: 20220801: Programming language: JavaScript, C/C++, Python.
   NOTE: 20220801: one of the upstream fixes doesn't address the security issue 
(jmm)
   NOTE: 20220912: backporting patches and determining testing procedures (Beuc)
+  NOTE: 20220926: resuming work after 1 week of FD + other side tasks (Beuc)
 --
 openexr
   NOTE: 20220904: Programming language: C++.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47285e9e9f99001b5da5a66f930bf05c1c0cf23c



[Git][security-tracker-team/security-tracker][master] dla: add e17

2022-09-17 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
514877fd by Sylvain Beucler at 2022-09-17T11:58:28+02:00
dla: add e17

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -32,6 +32,10 @@ dovecot
   NOTE: 20220913: VCS: https://salsa.debian.org/lts-team/packages/dovecot.git
   NOTE: 20220913: Harmonize with bullseye: 1 CVE fixed in Debian 11.5 + 2 
other postponed CVEs (Beuc/front-desk)
 --
+e17
+  NOTE: 20220917: Programming language: C.
+  NOTE: 20220917: upcoming DSA, 0-day any->root local escalation exploit 
(Beuc/front-desk)
+--
 exiv2 (Roberto C. Sánchez)
   NOTE: 20220819: Programming language: C++.
   NOTE: 20220819: 
https://github.com/Exiv2/exiv2/commit/109d5df7abd329f141b500c92a00178d35a6bef3#diff-bd28aafd4c87975a3a236af74c2200db447587fa0bb4f43ba9beb98738c77b2aL292
 does not directly apply, but a very quick glance suggests the earlier code may 
be equally vulnerable. (Chris Lamb)
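Review bot: the new e17 entry records an upcoming DSA and a local any->root exploit but no CVE id, upstream fix or VCS: note; add the CVE id once assigned and the patch reference (sibling entries such as dovecot carry a VCS: line) so a claimer can start from the entry alone rather than re-triaging a live 0-day.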



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/514877fdbe69c184081e963c5368520a4c8e61fe



[Git][security-tracker-team/security-tracker][master] CVE-2022-3222/gpac: buster end-of-life

2022-09-17 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
30f5dc99 by Sylvain Beucler at 2022-09-17T11:44:02+02:00
CVE-2022-3222/gpac: buster end-of-life

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -73,6 +73,7 @@ CVE-2022-3223 (Cross-site Scripting (XSS) - Stored in GitHub 
repository jgraph/d
NOT-FOR-US: jgraph/drawio
 CVE-2022-3222 (Uncontrolled Recursion in GitHub repository gpac/gpac prior to 
2.1.0-D ...)
- gpac 
+   [buster] - gpac  (EOL in buster LTS)
NOTE: https://huntr.dev/bounties/b29c69fa-3eac-41e4-9d4f-d861aba18235/
NOTE: 
https://github.com/gpac/gpac/commit/4e7736d7ec7bf64026daa611da951993bb42fdaf
 CVE-2022-3221 (Cross-Site Request Forgery (CSRF) in GitHub repository 
ikus060/rdiffwe ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/30f5dc99584ab1e8dd50d1e9d751397658b303b9



[Git][security-tracker-team/security-tracker][master] dla: add wireshark

2022-09-16 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
54339883 by Sylvain Beucler at 2022-09-16T13:53:02+02:00
dla: add wireshark

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -190,6 +190,9 @@ vim
   NOTE: 20220904: Programming language: C.
   NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/vim.git
 --
+wireshark
+  NOTE: 20220916: Programming language: C.
+--
 wkhtmltopdf
   NOTE: 20220904: Programming language: C++.
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/543398837d34bb7c6744092a886fe2da446e567c



[Git][security-tracker-team/security-tracker][master] 2 commits: golang: standardize/clarify buster-lts triage

2022-09-16 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e9e59255 by Sylvain Beucler at 2022-09-16T13:08:02+02:00
golang: standardize/clarify buster-lts triage
following discussion with Ola

- - - - -
584817f4 by Sylvain Beucler at 2022-09-16T13:08:44+02:00
dla add golang-1.11

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -21292,7 +21292,7 @@ CVE-2022-1997 (Cross-site Scripting (XSS) - Stored in 
GitHub repository francois
 CVE-2022-1996 (Authorization Bypass Through User-Controlled Key in GitHub 
repository  ...)
- golang-github-emicklei-go-restful  (bug #1012763)
[bullseye] - golang-github-emicklei-go-restful  (Minor issue)
-   [buster] - golang-github-emicklei-go-restful  (Minor issue)
+   [buster] - golang-github-emicklei-go-restful  (Limited 
support, follow bullseye DSAs/point-releases)
NOTE: https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1/
NOTE: 
https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10
 CVE-2022-1995 (The Malware Scanner WordPress plugin before 4.5.2 does not 
sanitise an ...)
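Review bot: the new buster rationale `(Limited support, follow bullseye DSAs/point-releases)` on the go-restful entry sits two lines below a bullseye line that is itself `(Minor issue)` with no fix; if bullseye never fixes it, buster will never be actioned either, so "follow bullseye" here amounts to ignored in practice. For entries where bullseye is itself no-dsa, a rationale that states the actual outcome (postponed or ignored) would be clearer than deferring to a fix that may not come; the golang-1.11 hunks below, where bullseye does ship fixed golang versions, do not have this problem.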
@@ -22152,7 +22152,7 @@ CVE-2022-32189 (A too-short encoded message can cause a 
panic in Float.GobDecode
- golang-1.17 1.17.13-1
- golang-1.15 
- golang-1.11 
-   [buster] - golang-1.11  (Limited support)
+   [buster] - golang-1.11  (Limited support, follow bullseye 
DSAs/point-releases)
NOTE: https://go.dev/issue/53871
NOTE: https://groups.google.com/g/golang-nuts/c/DCFSyTGM0wU
NOTE: 
https://github.com/golang/go/commit/055113ef364337607e3e72ed7d48df67fde6fc66 
(master, go1.19)
@@ -22248,7 +22248,7 @@ CVE-2022-32148 (Improper exposure of client IP 
addresses in net/http before Go 1
- golang-1.17 1.17.13-1
- golang-1.15 
- golang-1.11 
-   [buster] - golang-1.11  (Limited support)
+   [buster] - golang-1.11  (Limited support, follow bullseye 
DSAs/point-releases)
NOTE: https://github.com/golang/go/issues/53423
NOTE: 
https://github.com/golang/go/commit/b2cc0fecc2ccd80e6d5d16542cc684f97b3a9c8a 
(go1.19rc1)
NOTE: 
https://github.com/golang/go/commit/ebea1e3353fa766025aa5190b9c7cc05cf069187 
(go1.18.4)
@@ -22287,7 +22287,7 @@ CVE-2022-1962 (Uncontrolled recursion in the Parse 
functions in go/parser before
- golang-1.17 1.17.13-1
- golang-1.15 
- golang-1.11 
-   [buster] - golang-1.11  (Limited support)
+   [buster] - golang-1.11  (Limited support, follow bullseye 
DSAs/point-releases)
NOTE: https://go.dev/issue/53616
NOTE: 
https://github.com/golang/go/commit/695be961d57508da5a82217f7415200a11845879 
(go1.19rc2)
NOTE: 
https://github.com/golang/go/commit/0d1615b23f9a558aa0a1957b4c81596220eb8ec4 
(go1.18.4)
@@ -26612,7 +26612,7 @@ CVE-2022-30635 (Uncontrolled recursion in 
Decoder.Decode in encoding/gob before
- golang-1.17 1.17.13-1
- golang-1.15 
- golang-1.11 
-   [buster] - golang-1.11  (Limited support)
+   [buster] - golang-1.11  (Limited support, follow bullseye 
DSAs/point-releases)
NOTE: https://go.dev/issue/53615
NOTE: 
https://github.com/golang/go/commit/6fa37e98ea4382bf881428ee0c150ce591500eb7 
(go1.19rc2)
NOTE: 
https://github.com/golang/go/commit/fb979a50823e5a0575cf6166b3f17a13364cbf81 
(go1.18.4)
@@ -26634,7 +26634,7 @@ CVE-2022-30633 (Uncontrolled recursion in Unmarshal in 
encoding/xml before Go 1.
- golang-1.17 1.17.13-1
- golang-1.15 
- golang-1.11 
-   [buster] - golang-1.11  (Limited support)
+   [buster] - golang-1.11  (Limited support, follow bullseye 
DSAs/point-releases)
NOTE: https://go.dev/issue/53611
NOTE: 
https://github.com/golang/go/commit/c4c1993fd2a5b26fe45c09592af6d3388a3b2e08 
(go1.19rc2)
NOTE: 
https://github.com/golang/go/commit/2924ced71d16297320e8ff18829c2038e6ad8d9b 
(go1.18.4)
@@ -26645,7 +26645,7 @@ CVE-2022-30632 (Uncontrolled recursion in Glob in 
path/filepath before Go 1.17.1
- golang-1.17 1.17.13-1
- golang-1.15 
- golang-1.11 
-   [buster] - golang-1.11  (Limited support)
+   [buster] - golang-1.11  (Limited support, follow bullseye 
DSAs/point-releases)
NOTE: https://go.dev/issue/53416
NOTE: 
https://github.com/golang/go/commit/ac68c6c683409f98250d34ad282b9e1b0c9095ef 
(go1.19rc2)
NOTE: 
https://github.com/golang/go/commit/5ebd862b1714dad1544bd10a24c47cdb53ad7f46 
(go1.18.4)
@@ -26656,7 +26656,7 @@ CVE-2022-30631 (Uncontrolled recursion in Reader.Read 
in compress/gzip before Go
- golang-1.17 1.17.13-1
- golang-1.15 
- golang-1.11 
-   [buster] - golang-1.11  (Limited support)
+   [buster] - golang-1.11  (Limited support, follow bullseye 
DSAs

[Git][security-tracker-team/security-tracker][master] dla: golang-websocket: update note

2022-09-15 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
28d43909 by Sylvain Beucler at 2022-09-15T14:06:02+02:00
dla: golang-websocket: update note

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -62,6 +62,11 @@ golang-go.crypto
   NOTE: 20220915: Special attention: rebuild reverse-dependencies if needed, 
e.g. DLA-2402-1 -> DLA-2453-1/DLA-2454-1/DLA-2455-1
   NOTE: 20220915: Special attention: also check bullseye status
 --
+golang-websocket
+  NOTE: 20220915: Programming language: Go.
+  NOTE: 20220915: 1 CVE fixed in stretch and bullseye 
(golang-github-gorilla-websocket) (Beuc/front-desk)
+  NOTE: 20220915: Special attention: limited support; requires rebuilding 
reverse dependencies
+--
 imagemagick
   NOTE: 20220904: Programming language: C.
   NOTE: 20220904: VCS: 
https://salsa.debian.org/lts-team/packages/imagemagick.git
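Review bot: the note `1 CVE fixed in stretch and bullseye (golang-github-gorilla-websocket)` leaves it to the reader to work out that the source package name differs from buster's `golang-websocket`; spell out the CVE id and which name applies to which release so the tracker cross-check is unambiguous, and point at the golang-go.crypto entry just above for the reverse-dependency rebuild procedure it already documents.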



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/28d439092595209cc74c7f0f96e09441d8d14c2e



[Git][security-tracker-team/security-tracker][master] dla: add golang-go.crypto

2022-09-15 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c626c4aa by Sylvain Beucler at 2022-09-15T12:51:57+02:00
dla: add golang-go.crypto

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -55,6 +55,13 @@ glibc
   NOTE: 20220913: Programming language: C, Assembly.
   NOTE: 20220913: Harmonize with bullseye: 4 CVEs fixed in Debian 11.3 and 
Debian 11.5 (Beuc/front-desk)
 --
+golang-go.crypto
+  NOTE: 20220915: Programming language: Go.
+  NOTE: 20220915: 3 CVEs fixed in stretch and bullseye (Beuc/front-desk)
+  NOTE: 20220915: Special attention: limited support, cf. buster release notes
+  NOTE: 20220915: Special attention: rebuild reverse-dependencies if needed, 
e.g. DLA-2402-1 -> DLA-2453-1/DLA-2454-1/DLA-2455-1
+  NOTE: 20220915: Special attention: also check bullseye status
+--
 imagemagick
   NOTE: 20220904: Programming language: C.
   NOTE: 20220904: VCS: 
https://salsa.debian.org/lts-team/packages/imagemagick.git
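Review bot: the `rebuild reverse-dependencies if needed` note is the step that actually delivers the fix for a Go library: Go binaries link their dependencies statically, so the golang-go.crypto upload alone changes nothing for users until each dependent binary package is rebuilt, which is what the DLA-2402-1 -> DLA-2453-1/DLA-2454-1/DLA-2455-1 example illustrates. Listing the reverse dependencies to rebuild, and the CVE ids behind `3 CVEs fixed`, would make the entry actionable without re-triage.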



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c626c4aac10e061cfd3ec014a5e31204a61f1433



Re: Accepted pcs 0.10.1-2+deb10u1 (source) into oldstable

2022-09-14 Thread Sylvain Beucler

Hello,

On 14/09/2022 22:43, Valentin Vidic wrote:

On Wed, Sep 14, 2022 at 06:46:47PM +0200, Sylvain Beucler wrote:

Thank you for claiming 'pcs' in dla-needed.txt and uploading a fixed
version.

LTS uploads follow a procedure which notably involves reserving a DLA in the
security tracker and sending announcements to the mailing list and website,
see:
https://lts-team.pages.debian.net/wiki/LTS-Development.html

Note that uploads are not validated (provided you're DD) and are immediately
available to the end users.

I can handle this administrative part of the upload (announcement text would
be appreciated), but first I'm coordinating with you: do you have further
work to do, are you waiting for us to check/review something?


Hi and sorry about that. I was planning to follow the DLA procedure but
ran out of time lately. The description from stable can probably be
reused here:

A security issue was discovered in pcs, a corosync and pacemaker
configuration tool:

  * CVE-2022-1049
  
It was discovered that expired accounts were still able to login via

PAM.

For Debian 10 "Buster", the problem has been fixed in version
0.10.1-2+deb10u1.

Let me know if you will send this out or I should give it a try?


You can certainly give it a try if you have the time.
The description adapted from the DSA sounds good.

Feel free to ask here or at #debian-lts if you have further questions.

Cheers!
Sylvain Beucler
Debian LTS Team



[Git][security-tracker-team/security-tracker][master] CVE-2022-30630/golang: introduced in 1.16

2022-09-14 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
50c4c9b8 by Sylvain Beucler at 2022-09-14T19:42:52+02:00
CVE-2022-30630/golang: introduced in 1.16

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -26415,12 +26415,12 @@ CVE-2022-30630 (Uncontrolled recursion in Glob in 
io/fs before Go 1.17.12 and Go
- golang-1.18 1.18.4-1
- golang-1.17 1.17.13-1
- golang-1.15 
-   - golang-1.11 
-   [buster] - golang-1.11  (Limited support)
NOTE: https://go.dev/issue/53415
NOTE: 
https://github.com/golang/go/commit/fa2d41d0ca736f3ad6b200b2a4e134364e9acc59 
(go1.19rc2)
NOTE: 
https://github.com/golang/go/commit/315e80d293b684ac2902819e58f618f1b5a14d49 
(go1.18.4)
NOTE: 
https://github.com/golang/go/commit/8c1d8c836270615cfb5b229932269048ef59ac07 
(go1.17.12)
+   NOTE: Introduced by 
https://github.com/golang/go/commit/b64202bc29b9c1cf0118878d1c0acc9cdb2308f6 
(go1.16beta1)
+   NOTE: io/fs/Glob.go introduced in 1.16; see CVE-2022-30632 for similar 
older code in path/filepath/
 CVE-2022-30629 (Non-random values for ticket_age_add in session tickets in 
crypto/tls  ...)
- golang-1.18 1.18.3-1
- golang-1.17 1.17.11-1
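Review bot: deleting the two golang-1.11 lines removes the buster triage record from the entry itself; the added `Introduced by ... (go1.16beta1)` NOTE explains the decision, but a `- golang-1.11 <not-affected> (vulnerable code introduced in go1.16)` line would keep it visible in the tracker's per-release view, consistent with the nodejs "buster not-affected" entries elsewhere in this series. Nit: the Go source file is `io/fs/glob.go`, lowercase.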



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50c4c9b854212249d80efd2bfe0361146d3c947e



[Git][security-tracker-team/security-tracker][master] CVE-2022-28131/golang: reference patches

2022-09-14 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
57672f15 by Sylvain Beucler at 2022-09-14T19:24:02+02:00
CVE-2022-28131/golang: reference patches

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -33990,6 +33990,10 @@ CVE-2022-28131 (In Decoder.Skip in encoding/xml in Go 
before 1.17.12 and 1.18.x
- golang-1.15 
- golang-1.11 
[buster] - golang-1.11  (Limited support)
+   NOTE: https://github.com/golang/go/issues/53614
+   NOTE: 
https://github.com/golang/go/commit/08c46ed43d80bbb67cb904944ea3417989be4af3 
(go1.19rc2)
+   NOTE: 
https://github.com/golang/go/commit/90f040ec510dd678b7860d70ca77e5682f4c7e96 
(go1.18.4)
+   NOTE: 
https://github.com/golang/go/commit/58facfbe7db2fbb9afed794b281a70bdb12a60ae 
(go1.17.12)
 CVE-2022-28130
RESERVED
 CVE-2022-28129 (Improper Input Validation vulnerability in HTTP/1.1 header 
parsing of  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/57672f15b9f0332de0f814ba02b953e94e473122



Re: Accepted pcs 0.10.1-2+deb10u1 (source) into oldstable

2022-09-14 Thread Sylvain Beucler

Hello Valentin,

Thank you for claiming 'pcs' in dla-needed.txt and uploading a fixed 
version.


LTS uploads follow a procedure which notably involves reserving a DLA in 
the security tracker and sending announcements to the mailing list and 
website, see:

https://lts-team.pages.debian.net/wiki/LTS-Development.html

Note that uploads are not validated (provided you're DD) and are 
immediately available to the end users.


I can handle this administrative part of the upload (announcement text 
would be appreciated), but first I'm coordinating with you: do you have 
further work to do, are you waiting for us to check/review something?


Cheers!
Sylvain Beucler
Debian LTS Team

On 12/09/2022 00:50, Debian FTP Masters wrote:

Format: 1.8
Date: Sun, 04 Sep 2022 21:55:16 +0200
Source: pcs
Architecture: source
Version: 0.10.1-2+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian HA Maintainers 

Changed-By: Valentin Vidic 
Changes:
  pcs (0.10.1-2+deb10u1) buster-security; urgency=high
  .
* d/patches: add fix for CVE-2022-1049




[Git][security-tracker-team/security-tracker][master] CVE-2022-38266/leptonlib: buster postponed

2022-09-14 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e5e33f82 by Sylvain Beucler at 2022-09-14T14:37:38+02:00
CVE-2022-38266/leptonlib: buster postponed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6063,6 +6063,7 @@ CVE-2022-38267 (School Activity Updates with SMS 
Notification v1.0 was discovere
 CVE-2022-38266 (An issue in the Leptonica linked library (v1.79.0) in 
Tesseract v5.0.0 ...)
- leptonlib 1.82.0-1
[bullseye] - leptonlib  (Minor issue)
+   [buster] - leptonlib  (Minor issue, SIGFPE in CLI tools)
NOTE: 
https://github.com/DanBloomberg/leptonica/commit/f062b42c0ea8dddebdc6a152fd16152de215d614
 (1.81.0)
NOTE: https://github.com/tesseract-ocr/tesseract/issues/3498
 CVE-2022-38265 (Apartment Visitor Management System v1.0 was discovered to 
contain a S ...)
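Review bot: the new buster line carries a concrete rationale (SIGFPE in CLI tools) that the neighbouring `[bullseye] - leptonlib  (Minor issue)` line does not; since both releases are being deferred on the same assessment, carrying the same justification to the bullseye annotation would let later triagers see the crash-only impact without re-reading the upstream issue. The upstream commit is tagged (1.81.0), which also tells a future DLA which release to cherry-pick from.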



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e5e33f820d74e64764292873c5614c100ada7c89



___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] dla: add notes for rainloop

2022-09-13 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
db27c8b6 by Sylvain Beucler at 2022-09-13T19:16:30+02:00
dla: add notes for rainloop

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -149,6 +149,10 @@ rails (Abhijith PA)
 rainloop
   NOTE: 20220913: Programming language: PHP, JavaScript.
   NOTE: 20220913: Special attention: orphaned as of 2022-09.
+  NOTE: 20220913: Upstream appeared dead but there was activity 2 weeks ago,
+  NOTE: 20220913: a "SnappyMail" fork exists and may have patches we can use,
+  NOTE: 20220913: also there's an unofficial one for CVE-2022-29360;
+  NOTE: 20220913: Evaluate the situation and decide whether we should support 
or EOL this package (Beuc/front-desk)
 --
 ruby-nokogiri
   NOTE: 20220911: Programming language: ruby
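Review bot: the new notes name two sources of candidate patches, the "SnappyMail" fork and an unofficial fix for CVE-2022-29360, without giving URLs; since the entry asks the next person to evaluate whether to support or EOL the package, linking the fork repository and the unofficial patch in the NOTE lines would keep that evaluation from starting by re-discovering them.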



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db27c8b64bd55ebd54d47dae1986f6c2383d22da



[Git][security-tracker-team/security-tracker][master] dla: add rainloop

2022-09-13 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e4db1453 by Sylvain Beucler at 2022-09-13T18:59:18+02:00
dla: add rainloop

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -146,6 +146,10 @@ rails (Abhijith PA)
   NOTE: 20220909: https://lists.debian.org/debian-lts/2022/09/msg4.html 
(abhijith)
   NOTE: 20220909: upstream report https://github.com/rails/rails/issues/45590 
(abhijith)
 --
+rainloop
+  NOTE: 20220913: Programming language: PHP, JavaScript.
+  NOTE: 20220913: Special attention: orphaned as of 2022-09.
+--
 ruby-nokogiri
   NOTE: 20220911: Programming language: ruby
   NOTE: 20220911: CVE-2022-24836 was fixed in stretch so it should be fixed in 
buster too.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e4db145306c9af2625ab1429b22ef967cdafe59c



[Git][security-tracker-team/security-tracker][master] dla: add dovecot

2022-09-13 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9534dd1f by Sylvain Beucler at 2022-09-13T18:27:55+02:00
dla: add dovecot

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -27,6 +27,11 @@ curl
   NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git
   NOTE: 20220904: Special attention: high popcon!.
 --
+dovecot
+  NOTE: 20220913: Programming language: C.
+  NOTE: 20220913: VCS: https://salsa.debian.org/lts-team/packages/dovecot.git
+  NOTE: 20220913: Harmonize with bullseye: 1 CVE fixed in Debian 11.5 + 2 
other postponed CVEs (Beuc/front-desk)
+--
 exiv2
   NOTE: 20220819: Programming language: C++.
   NOTE: 20220819: 
https://github.com/Exiv2/exiv2/commit/109d5df7abd329f141b500c92a00178d35a6bef3#diff-bd28aafd4c87975a3a236af74c2200db447587fa0bb4f43ba9beb98738c77b2aL292
 does not directly apply, but a very quick glance suggests the earlier code may 
be equally vulnerable. (Chris Lamb)
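Review bot: the note `Harmonize with bullseye: 1 CVE fixed in Debian 11.5 + 2 other postponed CVEs` counts the issues but does not name them; listing the CVE ids (and which one landed in 11.5) in the NOTE lines would let whoever claims the package go straight to the bullseye debdiff instead of re-deriving the set from the tracker.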



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9534dd1f71f1c4bd0fc341ba2f4e2079592cbfce



[Git][security-tracker-team/security-tracker][master] CVE-2021-33193/apache2: link patches from distros with close versions

2022-09-13 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e0e1200b by Sylvain Beucler at 2022-09-13T17:56:32+02:00
CVE-2021-33193/apache2: link patches from distros with close versions

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -90781,11 +90781,13 @@ CVE-2021-33194 (golang.org/x/net before 
v0.0.0-20210520170846-37e1c6afe023 allow
 CVE-2021-33193 (A crafted method sent through HTTP/2 will bypass validation 
and be for ...)
- apache2 2.4.48-4
[bullseye] - apache2 2.4.48-3.1+deb11u1
-   [buster] - apache2  (Revisit when a suitable backport is 
available for 2.4.38)
+   [buster] - apache2  (Fix along with next DLA)
[stretch] - apache2  (Revisit when a suitable backport is 
available for 2.4.25)
NOTE: https://portswigger.net/research/http2
-   NOTE: 
https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c
+   NOTE: 
https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c 
(2.4.49)
NOTE: 
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-33193
+   NOTE: 
https://git.centos.org/rpms/httpd/blob/c496dea5e0b6e82a9f503e973fc5d5ea93a94180/f/SOURCES/httpd-2.4.37-CVE-2021-33193.patch
 (2.4.37)
+   NOTE: 
http://launchpadlibrarian.net/559974735/apache2_2.4.29-1ubuntu4.16_2.4.29-1ubuntu4.17.diff.gz
 (2.4.29)
 CVE-2021-33192 (A vulnerability in the HTML pages of Apache Jena Fuseki allows 
an atta ...)
- apache-jena  (bug #1014982)
NOTE: https://lists.apache.org/thread/sq6q94q0prqwr9vdm2wptglcq1kv98k8
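Review bot: the buster annotation goes from `Revisit when a suitable backport is available for 2.4.38` to `Fix along with next DLA`, and the two new references (a CentOS patch for 2.4.37 and an Ubuntu diff for 2.4.29) are what make that backport feasible, so stating in the buster line which of the two is the intended base would help the DLA preparer. The stretch line still reads `Revisit when a suitable backport is available for 2.4.25`, and the 2.4.29 Ubuntu diff is the closer match for it, so that annotation may be due for the same update. Style: the launchpadlibrarian link uses plain http while the other references use https.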



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e0e1200b0e9aa4ead96fc224e9e5f7a401a0e3da



Bug#961654: buster-pu: package bzip2/1.0.6-9.2~deb10u1

2022-09-13 Thread Sylvain Beucler

Hi,

IIUC this is about fixing 2 non-security bugs that were introduced 
prior to buster's initial release.


I personally don't think this fits the LTS project scope.
Maybe other LTS members will have a different opinion.

Cheers!
Sylvain Beucler
Debian LTS Team

On 13/09/2022 15:27, Santiago R.R. wrote:

On 10/09/22 at 19:11, Adam D. Barratt wrote:

On Wed, 2020-05-27 at 11:56 +0200, Santiago R.R. wrote:

Since 1.0.6-9, bzip2 was built without the -D_FILE_OFFSET_BITS=64
CPPFLAG, and so it's not able to handle > 2GB files in 32-bit archs.
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944557

I've uploaded a fixed version to unstable yesterday. It would be
great
to fix it also in buster. Please, consider the attached debdiff.
Would it be OK for you to upload it?



Apologies for apparently letting this sit unanswered. (FTR there was a
reply from a non-SRM member 18 months ago.)


And I am sorry I missed that answer.



The final point release for buster has now happened, so any further
updates to packages in buster will need to be handled via LTS. I'm
therefore going to close this request now.

[snip]

I am forwarding this to the LTS folks, so they can decide about this
change.




[Git][security-tracker-team/security-tracker][master] dla: add glibc

2022-09-13 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
469aeac5 by Sylvain Beucler at 2022-09-13T11:10:07+02:00
dla: add glibc

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -43,6 +43,10 @@ glib2.0
   NOTE: 20220901: Programming language: C.
   NOTE: 20220901: Special attention: High Popcon!.
 --
+glibc
+  NOTE: 20220913: Programming language: C, Assembly.
+  NOTE: 20220913: Harmonize with bullseye: 4 CVEs fixed in Debian 11.3 and 
Debian 11.5 (Beuc/front-desk)
+--
 imagemagick
   NOTE: 20220904: Programming language: C.
   NOTE: 20220904: VCS: 
https://salsa.debian.org/lts-team/packages/imagemagick.git
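Review bot: `Harmonize with bullseye: 4 CVEs fixed in Debian 11.3 and Debian 11.5` gives a count but no ids; listing them lets the claimant check each one against buster's glibc directly. The entry also lacks the `VCS:` line that the imagemagick entry in the surrounding context carries; add the lts-team packaging repository if one exists for glibc.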



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/469aeac51fe4c4b7ceafa0785d6d597cae6742ca



[Git][security-tracker-team/security-tracker][master] 2 commits: dla: add pluxml

2022-09-13 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cefce46c by Sylvain Beucler at 2022-09-13T11:00:44+02:00
dla: add pluxml

- - - - -
36fe0037 by Sylvain Beucler at 2022-09-13T11:00:46+02:00
nvidia-graphics-drivers: no-dsa-ignored to precise triage for 
lts-cve-triage.py

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -23431,7 +23431,7 @@ CVE-2022-31615
RESERVED
- nvidia-graphics-drivers 470.141.03-1 (bug #1016614)
[bullseye] - nvidia-graphics-drivers 470.141.03-1~deb11u1
-   [buster] - nvidia-graphics-drivers  (Non-free not supported)
+   [buster] - nvidia-graphics-drivers  (Non-free not supported)
- nvidia-graphics-drivers-legacy-340xx  (bug #1016615)
[buster] - nvidia-graphics-drivers-legacy-340xx  (Non-free not 
supported)
- nvidia-graphics-drivers-legacy-390xx 390.154-1 (bug #1016616)
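Review bot: as rendered here, the removed and added lines of this hunk (and of the following ones) are identical, `[buster] - nvidia-graphics-drivers  (Non-free not supported)` on both the `-` and `+` side, so the change the commit message describes, moving buster from no-dsa to ignored so that lts-cve-triage.py classifies it precisely, is not visible in this mail; the status keyword that distinguishes the two has been dropped in this rendering, and a reviewer should check the commit itself. The free-text rationale `Non-free not supported` is unchanged, so this is a triage-classification change only.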
@@ -23463,7 +23463,7 @@ CVE-2022-31608
RESERVED
- nvidia-graphics-drivers 470.141.03-1 (bug #1016614)
[bullseye] - nvidia-graphics-drivers 470.141.03-1~deb11u1
-   [buster] - nvidia-graphics-drivers  (Non-free not supported)
+   [buster] - nvidia-graphics-drivers  (Non-free not supported)
- nvidia-graphics-drivers-legacy-340xx  (bug #1016615)
[buster] - nvidia-graphics-drivers-legacy-340xx  (Non-free not 
supported)
- nvidia-graphics-drivers-legacy-390xx 390.154-1 (bug #1016616)
@@ -23483,7 +23483,7 @@ CVE-2022-31607
RESERVED
- nvidia-graphics-drivers 470.141.03-1 (bug #1016614)
[bullseye] - nvidia-graphics-drivers 470.141.03-1~deb11u1
-   [buster] - nvidia-graphics-drivers  (Non-free not supported)
+   [buster] - nvidia-graphics-drivers  (Non-free not supported)
- nvidia-graphics-drivers-legacy-340xx  (bug #1016615)
[buster] - nvidia-graphics-drivers-legacy-340xx  (Non-free not 
supported)
- nvidia-graphics-drivers-legacy-390xx 390.154-1 (bug #1016616)
@@ -33589,7 +33589,7 @@ CVE-2022-28193 (NVIDIA Jetson Linux Driver Package 
contains a vulnerability in t
 CVE-2022-28192 (NVIDIA vGPU software contains a vulnerability in the Virtual 
GPU Manag ...)
- nvidia-graphics-drivers 470.129.06-1 (bug #1011140)
[bullseye] - nvidia-graphics-drivers 470.129.06-5~deb11u1
-   [buster] - nvidia-graphics-drivers  (Non-free not supported)
+   [buster] - nvidia-graphics-drivers  (Non-free not supported)
- nvidia-graphics-drivers-tesla-418  (bug #1011143)
[bullseye] - nvidia-graphics-drivers-tesla-418  (Non-free not 
supported, driver is EOLed and updates impossible)
- nvidia-graphics-drivers-tesla-450 450.191.01-1 (bug #1011144)
@@ -33604,7 +33604,7 @@ CVE-2022-28192 (NVIDIA vGPU software contains a 
vulnerability in the Virtual GPU
 CVE-2022-28191 (NVIDIA vGPU software contains a vulnerability in the Virtual 
GPU Manag ...)
- nvidia-graphics-drivers 470.129.06-1 (bug #1011140)
[bullseye] - nvidia-graphics-drivers 470.129.06-5~deb11u1
-   [buster] - nvidia-graphics-drivers  (Non-free not supported)
+   [buster] - nvidia-graphics-drivers  (Non-free not supported)
- nvidia-graphics-drivers-tesla-460  (bug #1011145)
[bullseye] - nvidia-graphics-drivers-tesla-460  (Non-free not 
supported)
- nvidia-graphics-drivers-tesla-470 470.129.06-1 (bug #1011146)
@@ -33625,7 +33625,7 @@ CVE-2022-28186 (NVIDIA GPU Display Driver for Windows 
contains a vulnerability i
 CVE-2022-28185 (NVIDIA GPU Display Driver for Windows and Linux contains a 
vulnerabili ...)
- nvidia-graphics-drivers 470.129.06-1 (bug #1011140)
[bullseye] - nvidia-graphics-drivers 470.129.06-5~deb11u1
-   [buster] - nvidia-graphics-drivers  (Non-free not supported)
+   [buster] - nvidia-graphics-drivers  (Non-free not supported)
- nvidia-graphics-drivers-legacy-340xx  (bug #1011141)
[buster] - nvidia-graphics-drivers-legacy-340xx  (Non-free not 
supported)
[stretch] - nvidia-graphics-drivers-legacy-340xx  (Non-free 
not supported, no updates provided by Nvidia anymore)
@@ -33646,7 +33646,7 @@ CVE-2022-28185 (NVIDIA GPU Display Driver for Windows 
and Linux contains a vulne
 CVE-2022-28184 (NVIDIA GPU Display Driver for Windows and Linux contains a 
vulnerabili ...)
- nvidia-graphics-drivers 470.129.06-1 (bug #1011140)
[bullseye] - nvidia-graphics-drivers 470.129.06-5~deb11u1
-   [buster] - nvidia-graphics-drivers  (Non-free not supported)
+   [buster] - nvidia-graphics-drivers  (Non-free not supported)
- nvidia-graphics-drivers-tesla-460  (bug #1011145)
[bullseye] - nvidia-graphics-drivers-tesla-460  (Non-free not 
supported)
- nvidia-graphics-drivers-tesla-470 470.129.06-1 (bug #1011146)
@@ -33657,7 +33657,7 @@ CVE-2022-28184 (NVIDIA GPU Display Driver

[Git][security-tracker-team/security-tracker][master] dla: add gdal

2022-09-13 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
43c4475b by Sylvain Beucler at 2022-09-13T10:23:12+02:00
dla: add gdal

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -34,6 +34,11 @@ exiv2
 firmware-nonfree
   NOTE: 20220906: Consider to check the severity of the issues again and judge 
whether a correction is worth it.
 --
+gdal
+  NOTE: 20220913: Programming language: C/C++, Python.
+  NOTE: 20220913: Upcoming DSA (Beuc/front-desk)
+  NOTE: 20220913: 2 CVEs already fixed in stretch (Beuc/front-desk)
+--
 glib2.0
   NOTE: 20220901: Programming language: C.
   NOTE: 20220901: Special attention: High Popcon!.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43c4475b68f3cdf1b90102b62045ba9829f20539



[Git][security-tracker-team/security-tracker][master] CVE-2022-1705/golang: buster not-affected

2022-09-13 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fdaedd28 by Sylvain Beucler at 2022-09-13T09:57:42+02:00
CVE-2022-1705/golang: buster not-affected

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -26246,12 +26246,13 @@ CVE-2022-1705 (Acceptance of some invalid 
Transfer-Encoding headers in the HTTP/
- golang-1.18 1.18.4-1
- golang-1.17 1.17.13-1
- golang-1.15 
-   - golang-1.11 
+   - golang-1.11 
[buster] - golang-1.11  (Limited support)
NOTE: https://go.dev/issue/53188
NOTE: 
https://github.com/golang/go/commit/e5017a93fcde94f09836200bca55324af037ee5f 
(go1.19rc1)
NOTE: 
https://github.com/golang/go/commit/222ee24a0046ae61679f4d97967e3b4058a3b90e 
(go1.18.4)
NOTE: 
https://github.com/golang/go/commit/d13431c37ab62f9755f705731536ff74e7165b08 
(go1.17.12)
+   NOTE: Introduced by 
https://github.com/golang/go/commit/d5734d4f2dd1168dc3df94f2b9912299aea0c0ac 
(go1.15beta1)
 CVE-2022-1704 (Due to an XML external entity reference, the software parses 
XML in th ...)
NOT-FOR-US: Ignition
 CVE-2022-1703 (Improper neutralization of special elements in the SonicWall 
SSL-VPN S ...)
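Review bot: the `- golang-1.11` line is changed (per the commit message, to not-affected, backed by the new `Introduced by ... (go1.15beta1)` note), but the following line `[buster] - golang-1.11  (Limited support)` is left as unchanged context; if golang-1.11 itself is not affected, that release-specific annotation is redundant and should be dropped so the entry does not carry two statuses for the same package. Recording the introducing commit is the right kind of evidence for a not-affected claim and worth keeping.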



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fdaedd28feece2b0c0e10f89118ed08f63aa8e66



[Git][security-tracker-team/security-tracker][master] CVE-2020-10735/python3.7: buster postponed

2022-09-13 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b60bef9d by Sylvain Beucler at 2022-09-13T08:48:32+02:00
CVE-2020-10735/python3.7: buster postponed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -179051,6 +179051,7 @@ CVE-2020-10735 (A flaw was found in python. In 
algorithms with quadratic time co
- python3.9 
[bullseye] - python3.9  (Minor issue)
- python3.7 
+   [buster] - python3.7  (Minor issue, CPU DoS)
NOTE: https://github.com/python/cpython/issues/95778
NOTE: https://github.com/python/cpython/pull/96499
NOTE: 
https://github.com/python/cpython/commit/f8b71da9aac6ea74808dcdd0cc266e705431356b
 (v3.11.0rc2)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b60bef9d72e724e357d7d94078e6a13756318b92



[Git][security-tracker-team/security-tracker][master] 2 commits: dla: add node-thenify

2022-09-12 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a09bf999 by Sylvain Beucler at 2022-09-12T14:13:12+02:00
dla: add node-thenify

- - - - -
bd463e40 by Sylvain Beucler at 2022-09-12T14:14:19+02:00
dla: update nodejs status

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -77,9 +77,13 @@ netatalk (Stefano Rivera)
 node-tar
   NOTE: 20220907: Programming language: JavaScript.
 --
+node-thenify
+  NOTE: 20220912: Programming language: JavaScript.
+--
 nodejs (Sylvain Beucler)
   NOTE: 20220801: Programming language: JavaScript, C/C++, Python.
   NOTE: 20220801: one of the upstream fixes doesn't address the security issue 
(jmm)
+  NOTE: 20220912: backporting patches and determining testing procedures (Beuc)
 --
 nova
   NOTE: 20220912: Programming language: Python.
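Review bot: the new `node-thenify` entry records only the programming language; the triage discussion on this list (Re: node-thenify) identifies the issue as CVE-2020-7677 and notes its very low popcon and its client-side, caller-dependent exploitability. Carrying the CVE id and a one-line summary of that reasoning into the NOTE lines would make the entry self-contained for whoever claims it.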



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d77e9778412311f08e23942a1bc3927c3557d214...bd463e400b5c4eb8440decc2e069fc89f4901340



Re: node-thenify

2022-09-12 Thread Sylvain Beucler

Hi,

If sponsored packages are already handled, and we have time to fix this 
package, then I think we can fix it.


I think we need to evaluate a package's usage only when fixing is 
problematic (time constraints, backport issues, uncooperative 
upstream...). Package usage would then be used among other elements to 
make a decision about supporting the package further.


That doesn't appear to be the case here, so I'll add it to dla-needed.txt.

Cheers!
Sylvain

On 09/09/2022 23:45, Ola Lundqvist wrote:

Hi fellow LTS contributors

It is this kind of question again. "Is it worth it?".

We have CVE-2020-7677 on node-thenify.

According to popcon we have three installations. That is of course a 
lower end number since popcon only counts the popcon users, but anyway 
it indicates that the installation number is really low. It is in fact 
the lowest popcon score I have seen so far.


Then about the vulnerability itself. It is an arbitrary code execution, 
but it is on the client side, and the user has to get some code injected 
into it that is passed to this function. This means you have to find 
some other code that uses this functionality and in some way pass it 
through. It can be done but the likelihood is lower.


Further I can see that node-* packages were unsupported in stretch. They 
seem to be in buster however.


Quite a lot of node-* packages have fairly severe issues declared as 
minor issues. I could not find any arbitrary code execution 
vulnerabilities though.


So my question is, should we fix node-thenify?

I guess so but I want to raise the question.




Re: Updating OpenStack compute (aka src:nova) in Buster

2022-09-12 Thread Sylvain Beucler
Hi Thomas,

To answer the second part of your e-mail:
> How to proceed? Can I simply upload the normal way? Is there a 3rd
> party peer reviewing accepting / rejecting uploads for LTS?

While LTS is mostly handled by members of the LTS Team, any DD can
contribute directly; we have a few maintainers who want to handle the
upload and/or want to review any changes in their packages:
https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/data/packages/lts-do-call-me

The steps to handle the upload are described at:
https://lts-team.pages.debian.net/wiki/LTS-Development.html and of
course joint work is possible (e.g. delegate the announcement to the
LTS team).

Last, you can contribute to LTS-specific documentation, e.g.:
https://lts-team.pages.debian.net/wiki/TestSuites/OpenStack.html

How would you like to handle future OpenStack-related LTS uploads?

Cheers!
Sylvain

On Mon, Sep 12, 2022 at 07:14:05AM +0200, Anton Gladky wrote:
> Hi Thomas,
> 
> thanks for the note. I have added the package into the data/dla_needed.txt
> with
> the corresponding message. So, somebody will take care of it.
> 
> 
> On Sun, 11 Sept 2022 at 12:51, Thomas Goirand wrote:
> 
> > Hi,
> >
> > In the OpenStack team git, there are updates for nova 2:18.1.0-6+deb10u1
> > (CVE-2019-14433/ OSSA-2019-003). Can someone pick it up and upload it to
> > Buster? It was never accepted in Buster due to the difficulties
> > communicating with the Stable release team (too slow response, etc. that
> > leads to /me giving up...). Though IMO, it'd be a very good candidate
> > for buster LTS.
> >
> > The latest Buster version is in the debian/rocky branch at:
> > https://salsa.debian.org/openstack-team/services/nova/
> >
> > How to proceed? Can I simply upload the normal way? Is there a 3rd party
> > peer reviewing accepting / rejecting uploads for LTS?



[Git][security-tracker-team/security-tracker][master] dla: last buster point release is out, drop conflict caution note

2022-09-12 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bfcda862 by Sylvain Beucler at 2022-09-12T10:26:29+02:00
dla: last buster point release is out, drop conflict caution note

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -12,10 +12,6 @@ 
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 To make it easier to see the entire history of an update, please append notes
 rather than remove/replace existing ones.
 
-NOTE: IMPORTANT: during 2022-08, make sure you do NOT conflict with a
-NOTE: IMPORTANT: prepared upload for buster's last point release, see:
-NOTE: IMPORTANT: 
https://bugs.debian.org/cgi-bin/pkgreport.cgi?users=release.debian@packages.debian.org;tag=pu
-
 --
 asterisk (Markus Koschany)
   NOTE: 20220810: Programming language: C.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bfcda862ebd204d208eddde3cf5d333f5bde221c



[Git][security-tracker-team/security-tracker][master] CVE-2021-22959, CVE-2021-22960, CVE-2022-32213, CVE-2022-32214, CVE-2022-32215/nod...

2022-09-06 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
74328a5a by Sylvain Beucler at 2022-09-06T19:38:57+02:00
CVE-2021-22959,CVE-2021-22960,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215/nodejs:
 buster not-affected

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -20368,18 +20368,21 @@ CVE-2022-32216
RESERVED
 CVE-2022-32215 (The llhttp parser in the http module in Node v17.6.0 does not 
correctl ...)
- nodejs 18.6.0+dfsg-3
+   [buster] - nodejs  (llhttp dependency/embedding 
introduced in 12.x)
- llhttp  (bug #977716)
NOTE: 
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#http-request-smuggling-incorrect-parsing-of-multi-line-transfer-encoding-medium-cve-2022-32215
NOTE: 
https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd 
(v14.x)
NOTE: 
https://github.com/nodejs/node/commit/d9b71f4c241fa31cc2a48331a4fc28c15937875a 
(main)
 CVE-2022-32214 (The llhttp parser in the http module in Node.js does not 
strictly use  ...)
- nodejs 18.6.0+dfsg-3
+   [buster] - nodejs  (llhttp dependency/embedding 
introduced in 12.x)
- llhttp  (bug #977716)
NOTE: 
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#http-request-smuggling-improper-delimiting-of-header-fields-medium-cve-2022-32214
NOTE: 
https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd 
(v14.x)
NOTE: 
https://github.com/nodejs/node/commit/d9b71f4c241fa31cc2a48331a4fc28c15937875a 
(main)
 CVE-2022-32213 (The llhttp parser in the http module in Node.js v17.x does not 
correct ...)
- nodejs 18.6.0+dfsg-3
+   [buster] - nodejs  (llhttp dependency/embedding 
introduced in 12.x)
- llhttp  (bug #977716)
NOTE: 
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#http-request-smuggling-flawed-parsing-of-transfer-encoding-medium-cve-2022-32213
NOTE: 
https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd 
(v14.x)
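Review bot: the buster not-affected rationale `llhttp dependency/embedding introduced in 12.x` is repeated verbatim on the three CVEs in this hunk and again in the next one, but none of the entries points to where that fact is established; a single NOTE referencing the nodejs changelog entry or commit that switched the http parser to llhttp would anchor all five not-affected claims, which otherwise rest on an unreferenced statement.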
@@ -115365,12 +115368,16 @@ CVE-2021-22961 (A code injection vulnerability 
exists within the firewall softwa
 CVE-2021-22960 (The parse function in llhttp  2.1.4 and  6.0.6. 
ignores chunk  ...)
{DSA-5170-1}
- nodejs 12.22.7~dfsg-1
+   [buster] - nodejs  (llhttp dependency/embedding 
introduced in 12.x)
[stretch] - nodejs  (Nodejs in stretch not covered by 
security support)
+   NOTE: 
https://github.com/nodejs/node/commit/21a2e554e3eaa325abbdb28f366928d0ccc0a0f0 
(v12.22.7)
NOTE: 
https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/#http-request-smuggling-when-parsing-the-body-medium-cve-2021-22960
 CVE-2021-22959 (The parser in accepts requests with a space (SP) right after 
the heade ...)
{DSA-5170-1}
- nodejs 12.22.7~dfsg-1
+   [buster] - nodejs  (llhttp dependency/embedding 
introduced in 12.x)
[stretch] - nodejs  (Nodejs in stretch not covered by 
security support)
+   NOTE: 
https://github.com/nodejs/node/commit/21a2e554e3eaa325abbdb28f366928d0ccc0a0f0 
(v12.22.7)
NOTE: 
https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/#http-request-smuggling-due-to-spaced-in-headers-medium-cve-2021-22959
 CVE-2021-22958 (A Server-Side Request Forgery vulnerability was found in 
concrete5  ...)
NOT-FOR-US: Concrete CMS
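Review bot: the added `[buster] - nodejs  (llhttp dependency/embedding introduced in 12.x)` lines for CVE-2021-22960 and CVE-2021-22959 give a reason but, as rendered here, no status keyword between the package name and the parenthesis, and the pre-existing `[stretch]` lines show the same gap. If the keyword is in the file this is only a rendering artefact; if not, the buster line should state the state explicitly (presumably `<not-affected>`, buster's nodejs predating the llhttp switch) so the reason is attached to something. The two new NOTE lines both point at commit 21a2e554 tagged `(v12.22.7)`, which is consistent with the `- nodejs 12.22.7~dfsg-1` fixed version already recorded, and the `{DSA-5170-1}` marker on each entry already covers bullseye, so leaving bullseye untouched here is correct.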



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/74328a5a3750f2d6339b29149c41f6ac661bcb0e

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/74328a5a3750f2d6339b29149c41f6ac661bcb0e
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] CVE-2021-22939/nodejs: reference patch

2022-09-06 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1300eaef by Sylvain Beucler at 2022-09-06T19:11:44+02:00
CVE-2021-22939/nodejs: reference patch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -115436,6 +115436,7 @@ CVE-2021-22939 (If the Node.js https API was used 
incorrectly and "undefined" wa
- nodejs 12.22.5~dfsg-1
[bullseye] - nodejs 12.22.5~dfsg-2~11u1
[stretch] - nodejs  (Nodejs in stretch not covered by 
security support)
+   NOTE: 
https://github.com/nodejs/node/commit/1780bbc3291357f7c3370892eb311fc7a62afe8d 
(v12.22.5)
NOTE: 
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/#incomplete-validation-of-rejectunauthorized-parameter-low-cve-2021-22939
 CVE-2021-22938 (A vulnerability in Pulse Connect Secure before 9.1R12 could 
allow an a ...)
NOT-FOR-US: Pulse Connect Secure
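Review bot: the new NOTE pins the v12.22.5 backport commit (1780bbc3) and agrees with the `- nodejs 12.22.5~dfsg-1` fixed version and the bullseye `12.22.5~dfsg-2~11u1` line. The context, however, shows `[bullseye]` followed directly by `[stretch]`, with no `[buster]` line between them where the CVE-2021-22940 entry in this file has one; if that is intended (buster then falls back to the default, i.e. affected until a DLA is issued), an explicit `[buster]` state or a NOTE would make that triage decision visible instead of implicit.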



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1300eaef415f4e3ddc1913abcda60357d7cb9db7



[Git][security-tracker-team/security-tracker][master] CVE-2021-22930,CVE-2021-22940/nodejs: reference issues and complete patch

2022-09-06 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b59278eb by Sylvain Beucler at 2022-09-06T19:04:45+02:00
CVE-2021-22930,CVE-2021-22940/nodejs: reference issues and complete patch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -115429,6 +115429,8 @@ CVE-2021-22940 (Node.js before 16.6.1, 14.17.5, and 
12.22.5 is vulnerable to a u
[bullseye] - nodejs  (Incomplete fix for CVE-2021-22930 
not applied)
[buster] - nodejs  (Incomplete fix for CVE-2021-22930 not 
applied)
[stretch] - nodejs  (Incomplete fix for CVE-2021-22930 
not applied)
+   NOTE: https://github.com/nodejs/node/pull/39423
+   NOTE: 
https://github.com/nodejs/node/commit/2008c9722fcf7591e39013691f303934b622df7b 
(v12.22.5)
NOTE: 
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/#use-after-free-on-close-http2-on-stream-canceling-high-cve-2021-22940
 CVE-2021-22939 (If the Node.js https API was used incorrectly and "undefined" 
was in p ...)
- nodejs 12.22.5~dfsg-1
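Review bot: the new NOTE records the CVE-2021-22940 fix as landing in v12.22.5 (commit 2008c972), yet the context lines still carry `[bullseye] - nodejs  (Incomplete fix for CVE-2021-22930 not applied)` while the second hunk of this same commit shows bullseye at `12.22.5~dfsg-2~11u1` for CVE-2021-22930. If the bullseye package is a plain 12.22.5 upstream it should already contain the 22940 change and the bullseye line here is stale; if the Debian package cherry-picked only the 22930 patch, a NOTE saying so would explain why 12.22.5~dfsg-2~11u1 counts as fixed for one CVE and not the other. Either way the two statements should be reconciled in the same commit.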
@@ -115456,7 +115458,8 @@ CVE-2021-22930 (Node.js before 16.6.0, 14.17.4, and 
12.22.4 is vulnerable to a u
- nodejs 12.22.4~dfsg-1
[bullseye] - nodejs 12.22.5~dfsg-2~11u1
[stretch] - nodejs  (Nodejs in stretch not covered by 
security support)
-   NOTE: 
https://github.com/nodejs/node/commit/b263f2585ab53f56e0e22b46cf1f8519a8af8a05
+   NOTE: https://github.com/nodejs/node/issues/38964
+   NOTE: 
https://github.com/nodejs/node/commit/b263f2585ab53f56e0e22b46cf1f8519a8af8a05 
(v12.22.4)
NOTE: 
https://nodejs.org/en/blog/vulnerability/july-2021-security-releases-2/#use-after-free-on-close-http2-on-stream-canceling-high-cve-2021-22930
NOTE: Possible incomplete fix (at least for v12): 
https://github.com/nodejs/node/issues/38964#issuecomment-889936936
NOTE: CVE for the incomplete fix tracked as CVE-2021-22940
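Review bot: the bare `NOTE: https://github.com/nodejs/node/issues/38964` added here overlaps with the existing `NOTE: Possible incomplete fix (at least for v12): ...#issuecomment-889936936`, which already points into the same issue; either fold the two into one line or keep only the comment-level link, which carries more information. Replacing the unqualified commit NOTE with one tagged `(v12.22.4)` is the right change: it makes clear the referenced commit is the v12 backport rather than the main-branch fix, matching the `- nodejs 12.22.4~dfsg-1` fixed version.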



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b59278eb311b5db0ed165e604e41ec4e70c01c54



Debian LTS - August 2022

2022-09-01 Thread Sylvain Beucler
Here is my public monthly report.

Thanks to our sponsors for making this possible, and to Freexian for
handling the offering.
https://www.freexian.com/services/debian-lts.html#sponsors


LTS

- Coordinate update of unsupported packages list for buster
  https://lists.debian.org/debian-lts/2022/08/msg1.html
  https://salsa.debian.org/debian/debian-security-support/

- Unplanned triage/coordination
  - qemu: coordinate pending update from security team and work from
Abhijith that got untracked in the buster transition
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007931#10
  - librecad: follow-up on possible mistriage
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010349#15
  - gst-plugins-good1.0: announce DLA from non-team contributor
https://lists.debian.org/debian-lts-announce/2022/08/msg1.html
  
- exim4
  - DLA 3082-1
https://lists.debian.org/debian-lts-announce/2022/08/msg00014.html


Documentation and tooling

- LTS documentation
  - Add link to PGP-based approvals for mailing lists
Restore table of contents

https://lts-team.pages.debian.net/wiki/LTS-Development.html#announce-the-update
  - Add copyright information for TestSuites pages
Sync test suites changes made during migration
Remove duplicate and fix filename typo
https://lts-team.pages.debian.net/wiki/LTS-TestSuites.html

- LTS/find-work
  - re-introduce packages sort by priority (sponsors funding) for buster
  - notify about possibly outdated priority information

- New weekly information report: internal discussion on how to present
  and handle outstanding package updates

- Monthly meeting (using Jitsi)


-- 
Sylvain Beucler
Debian LTS Team



Re: Accepted webkit2gtk 2.36.7-1~deb10u1 (source) into oldstable

2022-08-30 Thread Sylvain Beucler

Hi all,

On 30/08/2022 07:38, Carsten Schoenert wrote:
> Hello Anton,
>
> On 29.08.22 at 22:28, Anton Gladky wrote:
>> Hi Carsten,
>>
>> thanks for the update! As buster is now in LTS hands, would you want
>> us to release a DLA?
>
> sure, I've somehow forgotten that Buster is now LTS handled.
>
> In the past Emilio did that job to take care of releasing TB for
> LTS.


Emilio, while you're at it I saw another webkit2gtk buster update from 
Alberto (thanks!) 2 days ago;

not sure if you had already planned to announce a DLA for it like last time?

If you're busy let me know and I'll handle it.

Cheers!
Sylvain


