[Git][security-tracker-team/security-tracker][master] xymon spu/ospu

2019-08-22 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fca37c42 by Moritz Muehlenhoff at 2019-08-23T05:30:02Z
xymon spu/ospu

- - - - -


2 changed files:

- data/next-oldstable-point-update.txt
- data/next-point-update.txt


Changes:

=
data/next-oldstable-point-update.txt
=
@@ -200,3 +200,19 @@ CVE-2017-11358
[stretch] - sox 14.4.1-5+deb9u2
 CVE-2017-11332
[stretch] - sox 14.4.1-5+deb9u2
+CVE-2019-13486
+   [stretch] - xymon 4.3.28-2+deb9u1
+CVE-2019-13485
+   [stretch] - xymon 4.3.28-2+deb9u1
+CVE-2019-13484
+   [stretch] - xymon 4.3.28-2+deb9u1
+CVE-2019-13455
+   [stretch] - xymon 4.3.28-2+deb9u1
+CVE-2019-13273
+   [stretch] - xymon 4.3.28-2+deb9u1
+CVE-2019-13274
+   [stretch] - xymon 4.3.28-2+deb9u1
+CVE-2019-13451
+   [stretch] - xymon 4.3.28-2+deb9u1
+CVE-2019-13452
+   [stretch] - xymon 4.3.28-2+deb9u1
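
Review bot: the eight CVE entries added at the end of this hunk follow no single order: CVE-2019-13486, CVE-2019-13485 and CVE-2019-13484 descend, while CVE-2019-13273/CVE-2019-13274 and CVE-2019-13451/CVE-2019-13452 ascend. Sorting the block one way would make it easier to compare against the matching [buster] block in data/next-point-update.txt and to spot a missing ID when the point release is processed.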


=
data/next-point-update.txt
=
@@ -103,3 +103,19 @@ CVE-2019-3900
[buster] - linux 4.19.67-1
 CVE-2019-9506
[buster] - linux 4.19.67-1
+CVE-2019-13486
+   [buster] - xymon 4.3.28-5+deb10u1
+CVE-2019-13485
+   [buster] - xymon 4.3.28-5+deb10u1
+CVE-2019-13484
+   [buster] - xymon 4.3.28-5+deb10u1
+CVE-2019-13455
+   [buster] - xymon 4.3.28-5+deb10u1
+CVE-2019-13273
+   [buster] - xymon 4.3.28-5+deb10u1
+CVE-2019-13274
+   [buster] - xymon 4.3.28-5+deb10u1
+CVE-2019-13451
+   [buster] - xymon 4.3.28-5+deb10u1
+CVE-2019-13452
+   [buster] - xymon 4.3.28-5+deb10u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/fca37c4207e67ddf0c04d5746accfa906c4ae30f

-- 
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] Track some more CVE fixes for src:linux with stretch-pu upload

2019-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c286ed95 by Salvatore Bonaccorso at 2019-08-23T04:28:03Z
Track some more CVE fixes for src:linux with stretch-pu upload

One CVE was fixed already in the 4.9.185-1 upload (back then no CVE
assigned) and three more in versions between 4.9.185 and 4.9.189 as
uploaded and thus included as well in 4.9.189-1.

- - - - -


1 changed file:

- data/next-oldstable-point-update.txt


Changes:

=
data/next-oldstable-point-update.txt
=
@@ -109,6 +109,14 @@ CVE-2019-10142
[stretch] - linux 4.9.184-1
 CVE-2019-15221
[stretch] - linux 4.9.185-1
+CVE-2019-9506
+   [stretch] - linux 4.9.185-1
+CVE-2019-15220
+   [stretch] - linux 4.9.189-1
+CVE-2019-15211
+   [stretch] - linux 4.9.189-1
+CVE-2019-15215
+   [stretch] - linux 4.9.189-1
 CVE-2019-10153
[stretch] - fence-agents 4.0.25-1+deb9u1
 CVE-2016-10711
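
Review bot: the commit message says one CVE was already fixed in 4.9.185-1 and three more by 4.9.189-1 but names none of them; only the hunk shows that CVE-2019-9506 is the 4.9.185-1 entry and that CVE-2019-15220, CVE-2019-15211 and CVE-2019-15215 are the 4.9.189-1 ones. Listing the IDs in the message would let someone reading the log check the version split without opening the diff.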



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/c286ed95f6c2778f616c5f1e8ead9881102b23d5


[Git][security-tracker-team/security-tracker][master] sox opsu

2019-08-22 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ae0453fa by Moritz Muehlenhoff at 2019-08-22T21:06:30Z
sox opsu

- - - - -


1 changed file:

- data/next-oldstable-point-update.txt


Changes:

=
data/next-oldstable-point-update.txt
=
@@ -166,3 +166,29 @@ CVE-2019-8675
[stretch] - cups 2.2.1-8+deb9u4
 CVE-2019-14275
[stretch] - fig2dev 1:3.2.6a-2+deb9u2
+CVE-2019-8354
+   [stretch] - sox 14.4.1-5+deb9u2
+CVE-2019-8355
+   [stretch] - sox 14.4.1-5+deb9u2
+CVE-2019-8356
+   [stretch] - sox 14.4.1-5+deb9u2
+CVE-2019-8357
+   [stretch] - sox 14.4.1-5+deb9u2
+CVE-2019-1010004
+   [stretch] - sox 14.4.1-5+deb9u2
+CVE-2017-18189
+   [stretch] - sox 14.4.1-5+deb9u2
+CVE-2017-15642
+   [stretch] - sox 14.4.1-5+deb9u2
+CVE-2017-15372
+   [stretch] - sox 14.4.1-5+deb9u2
+CVE-2017-15371
+   [stretch] - sox 14.4.1-5+deb9u2
+CVE-2017-15370
+   [stretch] - sox 14.4.1-5+deb9u2
+CVE-2017-11359
+   [stretch] - sox 14.4.1-5+deb9u2
+CVE-2017-11358
+   [stretch] - sox 14.4.1-5+deb9u2
+CVE-2017-11332
+   [stretch] - sox 14.4.1-5+deb9u2
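
Review bot: the subject line reads "sox opsu", presumably a transposition of "ospu", since all thirteen entries here go into data/next-oldstable-point-update.txt. A log search for "ospu" will miss this commit, so the subject is worth correcting before the point release is processed.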



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ae0453fa69ffd7a702b184484d60c7a66baf68cd


[Git][security-tracker-team/security-tracker][master] 3 commits: add djvulibre

2019-08-22 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e2354555 by Thorsten Alteholz at 2019-08-22T20:38:20Z
add djvulibre

- - - - -
8d166c49 by Thorsten Alteholz at 2019-08-22T20:42:07Z
add adplug

- - - - -
38a2cb15 by Thorsten Alteholz at 2019-08-22T20:50:36Z
add cimg

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -9,9 +9,14 @@ To pick an issue, simply add your name behind it. To learn 
more about how
 this list is updated have a look at
 https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 
+--
+adplug
 --
 apache2 (Markus Koschany)
 --
+cimg
+  NOTE: inline function load_network_external is affected, variable filename
+--
 clamav (Hugo Lefeuvre)
   NOTE: wait for definitive patch to be available, then upgrade to latest 
upstream
   NOTE: release (follow stretch changes) (hle)
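
Review bot: the NOTE added under cimg ("inline function load_network_external is affected, variable filename") names the affected function but gives neither the CVE ID nor an upstream reference. Adding the ID or a link to that NOTE would tell whoever picks the package up which issue is being triaged and where the affected code was identified.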
@@ -21,6 +26,8 @@ clamav (Hugo Lefeuvre)
 --
 dnsmasq (Mike Gabriel)
 --
+djvulibre (Thorsten Alteholz)
+--
 faad2 (Hugo Lefeuvre)
   NOTE: 20190820: Last PR pending review: 
https://github.com/knik0/faad2/pull/38
   NOTE: Upload with recent patches will happen soon.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/1e37e5d9935a07b83b359724166921bb7af2acbe...38a2cb157755c287167dd8220b0da034d324c316


[Git][security-tracker-team/security-tracker][master] Reserve DLA-1893-1 for cups

2019-08-22 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1e37e5d9 by Thorsten Alteholz at 2019-08-22T20:30:09Z
Reserve DLA-1893-1 for cups

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[22 Aug 2019] DLA-1893-1 cups - security update
+   {CVE-2019-8675 CVE-2019-8696}
+   [jessie] - cups 1.7.5-11+deb8u5
 [21 Aug 2019] DLA-1886-2 openjdk-7 - regression update
[jessie] - openjdk-7 7u231-2.6.19-1~deb8u2
 [20 Aug 2019] DLA-1892-1 flask - security update


=
data/dla-needed.txt
=
@@ -19,8 +19,6 @@ clamav (Hugo Lefeuvre)
   NOTE: 20190822: upstream has released 0.101.4, wait for stretch update (see 
bug
   NOTE: report) (hle)
 --
-cups (Thorsten Alteholz)
---
 dnsmasq (Mike Gabriel)
 --
 faad2 (Hugo Lefeuvre)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/1e37e5d9935a07b83b359724166921bb7af2acbe


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-1238{5,6}/ampache

2019-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1e089f2b by Salvatore Bonaccorso at 2019-08-22T20:38:27Z
Add CVE-2019-1238{5,6}/ampache

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -9462,9 +9462,9 @@ CVE-2019-12387 (In Twisted before 19.2.1, twisted.web did 
not validate or saniti
[jessie] - twisted  (Minor issue)
NOTE: 
https://github.com/twisted/twisted/commit/6c61fc4503ae39ab8ecee52d10f10ee2c371d7e2
 CVE-2019-12386 (An issue was discovered in Ampache through 3.9.1. A stored XSS 
exists  ...)
-   TODO: check
+   - ampache 
 CVE-2019-12385 (An issue was discovered in Ampache through 3.9.1. The search 
engine is ...)
-   TODO: check
+   - ampache 
 CVE-2019-12384 (FasterXML jackson-databind 2.x before 2.9.9.1 might allow 
attackers to ...)
{DLA-1831-1}
- jackson-databind 2.9.8-3 (bug #930750)
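
Review bot: the two "- ampache" lines that replace "TODO: check" for CVE-2019-12386 and CVE-2019-12385 come with no NOTE or bug reference, while the neighbouring CVE-2019-12387 and CVE-2019-12384 entries each carry one. A NOTE pointing at the upstream report or fix would let the next person assess the stored XSS and the search-engine issue without searching for it again.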



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/1e089f2bf3fcefd67759aea82c2adf6333d0278c


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-15314/tikiwiki

2019-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
050b9ed9 by Salvatore Bonaccorso at 2019-08-22T20:37:37Z
Add CVE-2019-15314/tikiwiki

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -181,7 +181,7 @@ CVE-2009-5158 (The google-analyticator plugin before 5.2.1 
for WordPress has ins
 CVE-2008-7321 (The tubepress plugin before 1.6.5 for WordPress has XSS. ...)
NOT-FOR-US: tubepress plugin for WordPress
 CVE-2019-15314 (tiki/tiki-upload_file.php in Tiki 18.4 allows remote attackers 
to uplo ...)
-   TODO: check
+   - tikiwiki 
 CVE-2019-15313
RESERVED
 CVE-2019-15312



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/050b9ed94dd360fc98329d9ac082e6a84f6aa76b


[Git][security-tracker-team/security-tracker][master] Process more NFUs

2019-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
78de003a by Salvatore Bonaccorso at 2019-08-22T20:24:21Z
Process more NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -63,9 +63,9 @@ CVE-2019-15318 (The yikes-inc-easy-mailchimp-extender plugin 
before 6.5.3 for Wo
 CVE-2019-15317 (The give plugin before 2.4.7 for WordPress has XSS via a donor 
name. ...)
NOT-FOR-US: give plugin for WordPress
 CVE-2019-15316 (Valve Steam Client for Windows through 2019-08-20 has weak 
folder perm ...)
-   TODO: check
+   NOT-FOR-US: Valve Steam Client for Windows
 CVE-2019-15315 (Valve Steam Client for Windows through 2019-08-16 allows 
privilege esc ...)
-   TODO: check
+   NOT-FOR-US: Valve Steam Client for Windows
 CVE-2018-20986
RESERVED
 CVE-2018-20985 (The wp-payeezy-pay plugin before 2.98 for WordPress has local 
file inc ...)
@@ -133,7 +133,7 @@ CVE-2016-10922 (The woocommerce-store-toolkit plugin before 
1.5.7 for WordPress
 CVE-2016-10921 (The gallery-photo-gallery plugin before 1.0.1 for WordPress 
has SQL in ...)
NOT-FOR-US: gallery-photo-gallery plugin for WordPress
 CVE-2016-10920 (The gnucommerce plugin before 0.5.7-BETA for WordPress has 
XSS. ...)
-   TODO: check
+   NOT-FOR-US: gnucommerce plugin for WordPress
 CVE-2016-10919 (The wassup plugin before 1.9.1 for WordPress has XSS via the 
Top stats ...)
NOT-FOR-US: wassup plugin for WordPress
 CVE-2016-10918 (The gallery-by-supsystic plugin before 1.8.6 for WordPress has 
CSRF. ...)
@@ -997,7 +997,7 @@ CVE-2019-15062 (An issue was discovered in Dolibarr 
11.0.0-alpha. A user can sto
 CVE-2019-15061
RESERVED
 CVE-2019-15060 (The traceroute function on the TP-Link TL-WR840N v4 router 
with firmwa ...)
-   TODO: check
+   NOT-FOR-US: TP-Link
 CVE-2019-15059
RESERVED
 CVE-2019-15058 (stb_image.h (aka the stb image loader) 2.23 has a heap-based 
buffer ov ...)
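
Review bot: "NOT-FOR-US: TP-Link" for CVE-2019-15060 names only the vendor, while the other entries in this commit name the product (for example "NOT-FOR-US: Valve Steam Client for Windows"). The description identifies the TL-WR840N v4 router, so a tag such as "NOT-FOR-US: TP-Link TL-WR840N" would keep the entry searchable by product.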
@@ -2559,7 +2559,7 @@ CVE-2019-14471 (TestLink 1.9.19 has XSS via the error.php 
message parameter. ...
 CVE-2019-14470
RESERVED
 CVE-2019-14469 (In Nexus Repository Manager before 3.18.0, users with elevated 
privile ...)
-   TODO: check
+   NOT-FOR-US: Nexus Repository Manager
 CVE-2019-14468 (GnuCOBOL 2.2 has a buffer overflow in cb_push_op in 
cobc/field.c via c ...)
- gnucobol  (bug #933884)
[buster] - gnucobol  (Minor issue)
@@ -8164,7 +8164,7 @@ CVE-2019-12891
 CVE-2019-12890 (RedwoodHQ 2.5.5 does not require any authentication for 
database opera ...)
NOT-FOR-US: RedwoodHQ
 CVE-2019-12889 (An unauthenticated privilege escalation exists in SailPoint 
Desktop Pa ...)
-   TODO: check
+   NOT-FOR-US: SailPoint Desktop Password Reset
 CVE-2019-12888
REJECTED
 CVE-2019-12887 (KeyIdentity LinOTP before 2.10.5.3 has Incorrect Access 
Control (issue ...)
@@ -13037,11 +13037,11 @@ CVE-2019-11033 (Applaud HCM 4.0.42+ uses HTML tag 
fields for HTML inputs in a fo
 CVE-2019-11032 (In EasyToRecruit (E2R) before 2.11, the upload feature and the 
Candida ...)
NOT-FOR-US: EasyToRecruit
 CVE-2019-11031 (Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the 
auto-up ...)
-   TODO: check
+   NOT-FOR-US: Mirasys VMS
 CVE-2019-11030 (Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the 
Mirasys ...)
-   TODO: check
+   NOT-FOR-US: Mirasys VMS
 CVE-2019-11029 (Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the 
Downloa ...)
-   TODO: check
+   NOT-FOR-US: Mirasys VMS
 CVE-2019-11028 (GAT-Ship Web Module before 1.40 suffers from a vulnerability 
allowing  ...)
NOT-FOR-US: GAT-Ship Web Module
 CVE-2015-9284 (The request phase of the OmniAuth Ruby gem is vulnerable to 
Cross-Site ...)
@@ -13220,7 +13220,7 @@ CVE-2019-10962 (BD Alaris Gateway versions, 
1.0.13,1.1.3 Build 10,1.1.3 MR Build
 CVE-2019-10961 (In Advantech WebAccess HMI Designer Version 2.1.9.23 and 
prior, proces ...)
NOT-FOR-US: Advantech WebAccess HMI Designer
 CVE-2019-10960 (Zebra Industrial Printers All Versions, Zebra printers are 
shipped wit ...)
-   TODO: check
+   NOT-FOR-US: Zebra Industrial Printers
 CVE-2019-10959 (BD Alaris Gateway Workstation Versions, 1.1.3 Build 10, 1.1.3 
MR Build ...)
NOT-FOR-US: BD Alaris Gateway
 CVE-2019-10958



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/78de003aa262cc45d13bc87a7cdbe88926afe6f0


[Git][security-tracker-team/security-tracker][master] Process several NFUs

2019-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6e12a7bb by Salvatore Bonaccorso at 2019-08-22T20:18:02Z
Process several NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,7 +1,7 @@
 CVE-2019-15331 (The wp-support-plus-responsive-ticket-system plugin before 
9.1.2 for W ...)
-   TODO: check
+   NOT-FOR-US: wp-support-plus-responsive-ticket-system plugin for 
WordPress
 CVE-2019-15330 (The webp-express plugin before 0.14.11 for WordPress has 
insufficient  ...)
-   TODO: check
+   NOT-FOR-US: webp-express plugin for WordPress
 CVE-2019-15329
RESERVED
 CVE-2019-15328
@@ -13,55 +13,55 @@ CVE-2019-15326
 CVE-2019-15325
RESERVED
 CVE-2018-20988 (The wpgform plugin before 0.94 for WordPress has eval 
injection in the ...)
-   TODO: check
+   NOT-FOR-US: wpgform plugin for WordPress
 CVE-2018-20987 (The newsletters-lite plugin before 4.6.8.6 for WordPress has 
PHP objec ...)
-   TODO: check
+   NOT-FOR-US: newsletters-lite plugin for WordPress
 CVE-2017-18586 (The insert-pages plugin before 3.2.4 for WordPress has 
directory trave ...)
-   TODO: check
+   NOT-FOR-US: insert-pages plugin for WordPress
 CVE-2016-10930 (The wp-support-plus-responsive-ticket-system plugin before 
7.1.0 for W ...)
-   TODO: check
+   NOT-FOR-US: wp-support-plus-responsive-ticket-system plugin for 
WordPress
 CVE-2015-9341 (The wp-file-upload plugin before 3.4.1 for WordPress has 
insufficient  ...)
-   TODO: check
+   NOT-FOR-US: wp-file-upload plugin for WordPress
 CVE-2015-9340 (The wp-file-upload plugin before 3.0.0 for WordPress has 
insufficient  ...)
-   TODO: check
+   NOT-FOR-US: wp-file-upload plugin for WordPress
 CVE-2015-9339 (The wp-file-upload plugin before 2.7.1 for WordPress has 
insufficient  ...)
-   TODO: check
+   NOT-FOR-US: wp-file-upload plugin for WordPress
 CVE-2015-9338 (The wp-file-upload plugin before 2.5.0 for WordPress has 
insufficient  ...)
-   TODO: check
+   NOT-FOR-US: wp-file-upload plugin for WordPress
 CVE-2014-10394 (The rich-counter plugin before 1.2.0 for WordPress has 
JavaScript inje ...)
-   TODO: check
+   NOT-FOR-US: rich-counter plugin for WordPress
 CVE-2014-10393
RESERVED
 CVE-2014-10392 (The cforms2 plugin before 10.2 for WordPress has XSS. ...)
-   TODO: check
+   NOT-FOR-US: cforms2 plugin for WordPress
 CVE-2014-10391 (The wp-support-plus-responsive-ticket-system plugin before 4.1 
for Wor ...)
-   TODO: check
+   NOT-FOR-US: wp-support-plus-responsive-ticket-system plugin for 
WordPress
 CVE-2014-10390 (The wp-support-plus-responsive-ticket-system plugin before 4.2 
for Wor ...)
-   TODO: check
+   NOT-FOR-US: wp-support-plus-responsive-ticket-system plugin for 
WordPress
 CVE-2014-10389 (The wp-support-plus-responsive-ticket-system plugin before 4.2 
for Wor ...)
-   TODO: check
+   NOT-FOR-US: wp-support-plus-responsive-ticket-system plugin for 
WordPress
 CVE-2014-10388 (The wp-support-plus-responsive-ticket-system plugin before 4.2 
for Wor ...)
-   TODO: check
+   NOT-FOR-US: wp-support-plus-responsive-ticket-system plugin for 
WordPress
 CVE-2014-10387 (The wp-support-plus-responsive-ticket-system plugin before 4.2 
for Wor ...)
-   TODO: check
+   NOT-FOR-US: wp-support-plus-responsive-ticket-system plugin for 
WordPress
 CVE-2014-10386 (The wp-live-chat-support plugin before 4.1.0 for WordPress has 
JavaScr ...)
-   TODO: check
+   NOT-FOR-US: wp-live-chat-support plugin for WordPress
 CVE-2019-15324 (The ad-inserter plugin before 2.4.22 for WordPress has remote 
code exe ...)
-   TODO: check
+   NOT-FOR-US: ad-inserter plugin for WordPress
 CVE-2019-15323 (The ad-inserter plugin before 2.4.20 for WordPress has path 
traversal. ...)
-   TODO: check
+   NOT-FOR-US: ad-inserter plugin for WordPress
 CVE-2019-15322 (The shortcode-factory plugin before 2.8 for WordPress has 
Local File I ...)
-   TODO: check
+   NOT-FOR-US: shortcode-factory plugin for WordPress
 CVE-2019-15321 (The option-tree plugin before 2.7.3 for WordPress has Object 
Injection ...)
-   TODO: check
+   NOT-FOR-US: option-tree plugin for WordPress
 CVE-2019-15320 (The option-tree plugin before 2.7.3 for WordPress has Object 
Injection ...)
-   TODO: check
+   NOT-FOR-US: option-tree plugin for WordPress
 CVE-2019-15319 (The option-tree plugin before 2.7.0 for WordPress has Object 
Injection ...)
-   TODO: check
+   NOT-FOR-US: option-tree plugin for WordPress
 CVE-2019-15318 (The yikes-inc-easy-mailchimp-extender plugin before 6.5.3 for 
WordPres ...)
-   TODO: check
+   NOT-FOR-US: yikes-inc-easy-mailchimp-extender plugin for WordPress
 CVE-2019-15317 (The give plugin before 2.4.7 for WordPress has XSS via a donor 
name. 

[Git][security-tracker-team/security-tracker][master] Cleanup one REJECTED entry

2019-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
acb34e4b by Salvatore Bonaccorso at 2019-08-22T20:12:34Z
Cleanup one REJECTED entry

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -360,7 +360,6 @@ CVE-2019-15232 (Live555 before 2019.08.16 has a 
Use-After-Free because GenericMe
NOTE: Fixed upstream in 2019.08.16 according to available information.
 CVE-2019-15231
REJECTED
-   - webmin 
 CVE-2019-15230
RESERVED
 CVE-2019-15229 (FUEL CMS 1.4.4 has CSRF in the blocks/create/ Create Blocks 
section of ...)
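
Review bot: dropping the "- webmin" line from the REJECTED CVE-2019-15231 leaves nothing in the entry to show which package the ID had been associated with, and the commit message does not say why the ID was rejected or whether the issue is tracked under another CVE. A line in the message naming the replacement ID, if there is one, would keep the webmin history findable.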



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/acb34e4b3920818bf4756c1411c171c2e6a4991c


[Git][security-tracker-team/security-tracker][master] automatic update

2019-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4c31b7a4 by security tracker role at 2019-08-22T20:10:30Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,139 +1,187 @@
-CVE-2019-15324
-   RESERVED
-CVE-2019-15323
-   RESERVED
-CVE-2019-15322
+CVE-2019-15331 (The wp-support-plus-responsive-ticket-system plugin before 
9.1.2 for W ...)
+   TODO: check
+CVE-2019-15330 (The webp-express plugin before 0.14.11 for WordPress has 
insufficient  ...)
+   TODO: check
+CVE-2019-15329
RESERVED
-CVE-2019-15321
+CVE-2019-15328
RESERVED
-CVE-2019-15320
+CVE-2019-15327
RESERVED
-CVE-2019-15319
+CVE-2019-15326
RESERVED
-CVE-2019-15318
+CVE-2019-15325
RESERVED
-CVE-2019-15317
+CVE-2018-20988 (The wpgform plugin before 0.94 for WordPress has eval 
injection in the ...)
+   TODO: check
+CVE-2018-20987 (The newsletters-lite plugin before 4.6.8.6 for WordPress has 
PHP objec ...)
+   TODO: check
+CVE-2017-18586 (The insert-pages plugin before 3.2.4 for WordPress has 
directory trave ...)
+   TODO: check
+CVE-2016-10930 (The wp-support-plus-responsive-ticket-system plugin before 
7.1.0 for W ...)
+   TODO: check
+CVE-2015-9341 (The wp-file-upload plugin before 3.4.1 for WordPress has 
insufficient  ...)
+   TODO: check
+CVE-2015-9340 (The wp-file-upload plugin before 3.0.0 for WordPress has 
insufficient  ...)
+   TODO: check
+CVE-2015-9339 (The wp-file-upload plugin before 2.7.1 for WordPress has 
insufficient  ...)
+   TODO: check
+CVE-2015-9338 (The wp-file-upload plugin before 2.5.0 for WordPress has 
insufficient  ...)
+   TODO: check
+CVE-2014-10394 (The rich-counter plugin before 1.2.0 for WordPress has 
JavaScript inje ...)
+   TODO: check
+CVE-2014-10393
RESERVED
+CVE-2014-10392 (The cforms2 plugin before 10.2 for WordPress has XSS. ...)
+   TODO: check
+CVE-2014-10391 (The wp-support-plus-responsive-ticket-system plugin before 4.1 
for Wor ...)
+   TODO: check
+CVE-2014-10390 (The wp-support-plus-responsive-ticket-system plugin before 4.2 
for Wor ...)
+   TODO: check
+CVE-2014-10389 (The wp-support-plus-responsive-ticket-system plugin before 4.2 
for Wor ...)
+   TODO: check
+CVE-2014-10388 (The wp-support-plus-responsive-ticket-system plugin before 4.2 
for Wor ...)
+   TODO: check
+CVE-2014-10387 (The wp-support-plus-responsive-ticket-system plugin before 4.2 
for Wor ...)
+   TODO: check
+CVE-2014-10386 (The wp-live-chat-support plugin before 4.1.0 for WordPress has 
JavaScr ...)
+   TODO: check
+CVE-2019-15324 (The ad-inserter plugin before 2.4.22 for WordPress has remote 
code exe ...)
+   TODO: check
+CVE-2019-15323 (The ad-inserter plugin before 2.4.20 for WordPress has path 
traversal. ...)
+   TODO: check
+CVE-2019-15322 (The shortcode-factory plugin before 2.8 for WordPress has 
Local File I ...)
+   TODO: check
+CVE-2019-15321 (The option-tree plugin before 2.7.3 for WordPress has Object 
Injection ...)
+   TODO: check
+CVE-2019-15320 (The option-tree plugin before 2.7.3 for WordPress has Object 
Injection ...)
+   TODO: check
+CVE-2019-15319 (The option-tree plugin before 2.7.0 for WordPress has Object 
Injection ...)
+   TODO: check
+CVE-2019-15318 (The yikes-inc-easy-mailchimp-extender plugin before 6.5.3 for 
WordPres ...)
+   TODO: check
+CVE-2019-15317 (The give plugin before 2.4.7 for WordPress has XSS via a donor 
name. ...)
+   TODO: check
 CVE-2019-15316 (Valve Steam Client for Windows through 2019-08-20 has weak 
folder perm ...)
TODO: check
 CVE-2019-15315 (Valve Steam Client for Windows through 2019-08-16 allows 
privilege esc ...)
TODO: check
 CVE-2018-20986
RESERVED
-CVE-2018-20985
-   RESERVED
-CVE-2018-20984
-   RESERVED
-CVE-2018-20983
-   RESERVED
-CVE-2018-20982
-   RESERVED
-CVE-2018-20981
-   RESERVED
-CVE-2018-20980
-   RESERVED
-CVE-2018-20979
-   RESERVED
+CVE-2018-20985 (The wp-payeezy-pay plugin before 2.98 for WordPress has local 
file inc ...)
+   TODO: check
+CVE-2018-20984 (The patreon-connect plugin before 1.2.2 for WordPress has 
Object Injec ...)
+   TODO: check
+CVE-2018-20983 (The wp-retina-2x plugin before 5.2.3 for WordPress has XSS. 
...)
+   TODO: check
+CVE-2018-20982 (The media-library-assistant plugin before 2.74 for WordPress 
has XSS v ...)
+   TODO: check
+CVE-2018-20981 (The ninja-forms plugin before 3.3.9 for WordPress has 
insufficient res ...)
+   TODO: check
+CVE-2018-20980 (The ninja-forms plugin before 3.2.15 for WordPress has 
parameter tampe ...)
+   TODO: check
+CVE-2018-20979 (The contact-form-7 plugin before 5.0.4 for WordPress has 
privilege esc ...)
+   TODO: check
 CVE-2017-18585
RESERVED
-CVE-2017-18584
-   RESERVED

[Git][security-tracker-team/security-tracker][master] CVE-2019-6956/faad2: add upstream bug report

2019-08-22 Thread Hugo Lefeuvre


Hugo Lefeuvre pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a498aff5 by Hugo Lefeuvre at 2019-08-22T19:42:30Z
CVE-2019-6956/faad2: add upstream bug report

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -24496,6 +24496,7 @@ CVE-2019-6956 (An issue was discovered in Freeware 
Advanced Audio Decoder 2 (FAA
[buster] - faad2  (Minor issue)
[stretch] - faad2  (Minor issue)
NOTE: https://sourceforge.net/p/faac/bugs/240/
+   NOTE: https://github.com/knik0/faad2/issues/39
 CVE-2019-6955
RESERVED
 CVE-2019-6954



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a498aff5dead8297f65c25b6f3f83e17b7f0b1eb


[Git][security-tracker-team/security-tracker][master] dla-needed: update clamav entry

2019-08-22 Thread Hugo Lefeuvre


Hugo Lefeuvre pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
03c9de45 by Hugo Lefeuvre at 2019-08-22T19:39:54Z
dla-needed: update clamav entry

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -16,8 +16,8 @@ clamav (Hugo Lefeuvre)
   NOTE: wait for definitive patch to be available, then upgrade to latest 
upstream
   NOTE: release (follow stretch changes) (hle)
   NOTE: https://lists.debian.org/debian-lts/2019/08/msg00023.html
-  NOTE: 20190818: upstream has released a new patch, waiting for the final
-  NOTE: release to come out (hle)
+  NOTE: 20190822: upstream has released 0.101.4, wait for stretch update (see 
bug
+  NOTE: report) (hle)
 --
 cups (Thorsten Alteholz)
 --
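
Review bot: the new 20190822 note says "see bug report" but does not identify the bug, while the line above it gives a full lists.debian.org URL. Adding the bug number or link to the note would let a reader check the state of the stretch update directly.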



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/03c9de45a02287c3ed4d25e09ceb54a84df1c5df


[Git][security-tracker-team/security-tracker][master] nginx DSA

2019-08-22 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c5bfeec9 by Moritz Muehlenhoff at 2019-08-22T19:34:58Z
nginx DSA

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,7 @@
+[22 Aug 2019] DSA-4505-1 nginx - security update
+   {CVE-2019-9511 CVE-2019-9513 CVE-2019-9516}
+   [stretch] - nginx 1.10.3-1+deb9u3
+   [buster] - nginx 1.14.2-2+deb10u1
 [20 Aug 2019] DSA-4504-1 vlc - security update
{CVE-2019-13602 CVE-2019-13962 CVE-2019-14437 CVE-2019-14438 
CVE-2019-14498 CVE-2019-14533 CVE-2019-14534 CVE-2019-14535 CVE-2019-14776 
CVE-2019-14777 CVE-2019-14778 CVE-2019-14970}
[stretch] - vlc 3.0.8-0+deb9u1


=
data/dsa-needed.txt
=
@@ -38,9 +38,6 @@ linux (carnil)
 --
 mercurial/oldstable
 --
-nginx
-  Maintainer proposed debdiffs, needs to be reviewed
---
 nodejs
 --
 nss (jmm)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/c5bfeec9920e79bca38bad137c3db7d11818fefb


[Git][security-tracker-team/security-tracker][master] Adjust fixed version for CVE-2019-14444/binutils

2019-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
148fb0a8 by Salvatore Bonaccorso at 2019-08-22T19:14:40Z
Adjust fixed version for CVE-2019-14444/binutils

The fix is already included in the upload to unstable as
2.32.51.20190813-1.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3149,7 +3149,7 @@ CVE-2007-6763 (SAS Drug Development (SDD) before 32DRG02 
mishandles logout actio
 CVE-2019-14445
RESERVED
 CVE-2019-1 (apply_relocations in readelf.c in GNU Binutils 2.32 contains 
an intege ...)
-   - binutils 2.32.51.20190821-1 (unimportant)
+   - binutils 2.32.51.20190813-1 (unimportant)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24829
NOTE: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e17869db99195849826eaaf5d2d0eb2cfdd7a2a7
NOTE: binutils not covered by security support



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/148fb0a85f82ff875a1cee24d0d7cb5d47cc5d85


[Git][security-tracker-team/security-tracker][master] CVE-2019-384{3,4}/systemd fixed with the upload to unstable of v242

2019-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ad06eba0 by Salvatore Bonaccorso at 2019-08-22T18:53:01Z
CVE-2019-384{3,4}/systemd fixed with the upload to unstable of v242

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -31822,7 +31822,7 @@ CVE-2019-3845 (A lack of access control was found in 
the message queues maintain
NOT-FOR-US: qpid dispatch router
 CVE-2019-3844 (It was discovered that a systemd service that uses DynamicUser 
propert ...)
[experimental] - systemd 242-1
-   - systemd  (bug #928102)
+   - systemd 242-4 (bug #928102)
[buster] - systemd  (Minor issue; exploit vector needs control 
both of the service and a helper outside)
[stretch] - systemd  (Minor issue; exploit vector needs 
control both of the service and a helper outside)
[jessie] - systemd  (Vulnerable code introduced later)
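Review bot: the new unstable line for CVE-2019-3844 records 242-4 as the fixed version, while the [experimental] line just above it records 242-1 and the commit message says only "v242". A NOTE under the entry, or a fuller commit message, naming the upload that first carried the fix to unstable would explain why the two versions differ. The same applies to the identical change for CVE-2019-3843 in the next hunk.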
@@ -31832,7 +31832,7 @@ CVE-2019-3844 (It was discovered that a systemd service 
that uses DynamicUser pr
NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1814596
 CVE-2019-3843 (It was discovered that a systemd service that uses DynamicUser 
propert ...)
[experimental] - systemd 242-1
-   - systemd  (bug #928102)
+   - systemd 242-4 (bug #928102)
[buster] - systemd  (Minor issue; exploit vector needs control 
both of the service and a helper outside)
[stretch] - systemd  (Minor issue; exploit vector needs 
control both of the service and a helper outside)
[jessie] - systemd  (Vulnerable code introduced later)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ad06eba0eb8e0574f2b78a3a8ae6bca40d4a4f27


[Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Add note for xtrlock.

2019-08-22 Thread Chris Lamb


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
897c6ded by Chris Lamb at 2019-08-22T16:06:27Z
data/dla-needed.txt: Add note for xtrlock.

- - - - -
0fbaa8f2 by Chris Lamb at 2019-08-22T16:07:46Z
data/dla-needed.txt: Add attribution to notes.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -27,7 +27,7 @@ faad2 (Hugo Lefeuvre)
   NOTE: 20190820: Last PR pending review: 
https://github.com/knik0/faad2/pull/38
   NOTE: Upload with recent patches will happen soon.
   NOTE: Still many open duplicates, currently triaging.
-  NOTE: Requested CVE number for temporary entry.
+  NOTE: Requested CVE number for temporary entry. (hpe)
 --
 freeimage
   NOTE: Maintainer will take care of the update.
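Review bot: the attribution "(hpe)" is added to "NOTE: Requested CVE number for temporary entry." in the faad2 block, but that note still carries no date, unlike the "20190820:" note at the top of the same block and the "20190822: ... (lamby)" note added for xtrlock in the next hunk. Adding the date together with the attribution would put every note in the same "NOTE: date: text (who)" shape.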
@@ -121,9 +121,10 @@ wordpress
   NOTE: 20190614: No upstream fix yet. (apo)
 --
 xen
-  NOTE: 20190629: Contacted credativ support and asked for a status update
+  NOTE: 20190629: Contacted credativ support and asked for a status update 
(apo)
 --
 xtrlock (Chris Lamb)
+  NOTE: 20190822: WIP on #830726 (lamby)
 --
 xymon (Hugo Lefeuvre)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/1d4d1c7cab819722e849707b643bc1d1a59d04f1...0fbaa8f27aad4f4d4dfef96beebdae6a21949375


[Git][security-tracker-team/security-tracker][master] 3 commits: mark vlc as EOL in Jessie

2019-08-22 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bc6f4160 by Thorsten Alteholz at 2019-08-22T13:03:58Z
mark vlc as EOL in Jessie

- - - - -
db2474d0 by Thorsten Alteholz at 2019-08-22T13:06:42Z
mark CVE-2014-10375 as no-dsa for Jessie

- - - - -
1d4d1c7c by Thorsten Alteholz at 2019-08-22T13:08:01Z
mark CVE-2019-13990 as no-dsa for Jessie

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1082,6 +1082,7 @@ CVE-2014-10375 (handle_messages in eXtl_tls.c in eXosip 
before 5.0.0 mishandles
- libexosip2  (bug #934766)
[buster] - libexosip2  (Minor issue)
[stretch] - libexosip2  (Minor issue)
+   [jessie] - libexosip2  (Minor issue)
NOTE: 
http://git.savannah.nongnu.org/cgit/exosip.git/commit/?id=2549e421c14aff886629b8482c14af800f411070
 CVE-2013-7476 (The simple-fields plugin before 1.2 for WordPress has CSRF in 
the admi ...)
NOT-FOR-US: simple-fields plugin for WordPress
@@ -1209,6 +1210,7 @@ CVE-2019-14970
RESERVED
{DSA-4504-1}
- vlc 3.0.8-1
+   [jessie] - vlc  
(https://lists.debian.org/debian-security-announce/2018/msg00130.html)
NOTE: https://www.videolan.org/security/sb-vlc308.html
 CVE-2019-14969 (Netwrix Auditor before 9.8 has insecure permissions on 
%PROGRAMDATA%\N ...)
NOT-FOR-US: Netwrix Auditor
@@ -1742,16 +1744,19 @@ CVE-2019-14778
RESERVED
{DSA-4504-1}
- vlc 3.0.8-1
+   [jessie] - vlc  
(https://lists.debian.org/debian-security-announce/2018/msg00130.html)
NOTE: https://www.videolan.org/security/sb-vlc308.html
 CVE-2019-14777
RESERVED
{DSA-4504-1}
- vlc 3.0.8-1
+   [jessie] - vlc  
(https://lists.debian.org/debian-security-announce/2018/msg00130.html)
NOTE: https://www.videolan.org/security/sb-vlc308.html
 CVE-2019-14776
RESERVED
{DSA-4504-1}
- vlc 3.0.8-1
+   [jessie] - vlc  
(https://lists.debian.org/debian-security-announce/2018/msg00130.html)
NOTE: https://www.videolan.org/security/sb-vlc308.html
 CVE-2019-14775
RESERVED
@@ -2329,16 +2334,19 @@ CVE-2019-14535
RESERVED
{DSA-4504-1}
- vlc 3.0.8-1
+   [jessie] - vlc  
(https://lists.debian.org/debian-security-announce/2018/msg00130.html)
NOTE: https://www.videolan.org/security/sb-vlc308.html
 CVE-2019-14534
RESERVED
{DSA-4504-1}
- vlc 3.0.8-1
+   [jessie] - vlc  
(https://lists.debian.org/debian-security-announce/2018/msg00130.html)
NOTE: https://www.videolan.org/security/sb-vlc308.html
 CVE-2019-14533
RESERVED
{DSA-4504-1}
- vlc 3.0.8-1
+   [jessie] - vlc  
(https://lists.debian.org/debian-security-announce/2018/msg00130.html)
NOTE: https://www.videolan.org/security/sb-vlc308.html
 CVE-2019-14532 (An issue was discovered in The Sleuth Kit (TSK) 4.6.6. There 
is an off ...)
- sleuthkit  (unimportant)
@@ -2431,6 +2439,7 @@ CVE-2019-14498
RESERVED
{DSA-4504-1}
- vlc 3.0.8-1
+   [jessie] - vlc  
(https://lists.debian.org/debian-security-announce/2018/msg00130.html)
NOTE: https://www.videolan.org/security/sb-vlc308.html
 CVE-2019-14497 (ModuleEditor::convertInstrument in tracker/ModuleEditor.cpp in 
MilkyTr ...)
- milkytracker  (bug #933964)
@@ -3171,11 +3180,13 @@ CVE-2019-14438
RESERVED
{DSA-4504-1}
- vlc 3.0.8-1
+   [jessie] - vlc  
(https://lists.debian.org/debian-security-announce/2018/msg00130.html)
NOTE: https://www.videolan.org/security/sb-vlc308.html
 CVE-2019-14437
RESERVED
{DSA-4504-1}
- vlc 3.0.8-1
+   [jessie] - vlc  
(https://lists.debian.org/debian-security-announce/2018/msg00130.html)
NOTE: https://www.videolan.org/security/sb-vlc308.html
 CVE-2019-14436
RESERVED
@@ -4321,6 +4332,7 @@ CVE-2019-13990 (initDocumentParser in 
xml/XMLSchedulingDataProcessor.java in Ter
- libquartz-java  (bug #933169)
[buster] - libquartz-java  (Minor issue)
[stretch] - libquartz-java  (Minor issue)
+   [jessie] - libquartz-java  (Minor issue)
- libquartz2-java  (bug #933170)
[buster] - libquartz2-java  (Minor issue)
[stretch] - libquartz2-java  (Minor issue)
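Review bot: the [jessie] line is added under libquartz-java only, while the libquartz2-java block directly below shows just [buster] and [stretch] lines in this hunk. If libquartz2-java is in jessie it needs its own line; if it is not, saying so in the commit message ("mark CVE-2019-13990 as no-dsa for Jessie") would settle the question for the next reader.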



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/fc993a944ff22cd5f642189e04a6e975bce0b14e...1d4d1c7cab819722e849707b643bc1d1a59d04f1


[Git][security-tracker-team/security-tracker][master] binutils fixed

2019-08-22 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fc993a94 by Moritz Muehlenhoff at 2019-08-22T09:58:22Z
binutils fixed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3140,7 +3140,7 @@ CVE-2007-6763 (SAS Drug Development (SDD) before 32DRG02 
mishandles logout actio
 CVE-2019-14445
RESERVED
 CVE-2019-1 (apply_relocations in readelf.c in GNU Binutils 2.32 contains 
an intege ...)
-   - binutils  (unimportant)
+   - binutils 2.32.51.20190821-1 (unimportant)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24829
NOTE: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e17869db99195849826eaaf5d2d0eb2cfdd7a2a7
NOTE: binutils not covered by security support
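Review bot: the version entered on the "- binutils" line, 2.32.51.20190821-1, should be the first upload that contains the upstream commit cited in the NOTE (e17869db); the follow-up commit 148fb0a8 changes it to 2.32.51.20190813-1 because the fix was already in that upload. Checking earlier uploads against the cited commit before filling in the version avoids recording a later version than the one that actually fixed the issue.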



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/fc993a944ff22cd5f642189e04a6e975bce0b14e


[Git][security-tracker-team/security-tracker][master] bro fixed

2019-08-22 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e06214e3 by Moritz Muehlenhoff at 2019-08-22T09:00:36Z
bro fixed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -49845,9 +49845,9 @@ CVE-2018-17021 (Cross-site scripting (XSS) 
vulnerability on ASUS GT-AC5300 devic
 CVE-2018-17020 (ASUS GT-AC5300 devices with firmware through 3.0.0.4.384_32738 
allow r ...)
NOT-FOR-US: ASUS GT-AC5300 devices
 CVE-2018-17019 (In Bro through 2.5.5, there is a DoS in IRC protocol names 
command par ...)
-   - bro  (bug #908779)
+   - bro 2.6.1+ds1-1 (bug #908779)
[buster] - bro 2.5.5-1+deb10u1
-   [stretch] - bro  (Minor issue)
+   [stretch] - bro  (Minor issue)
NOTE: 
https://github.com/bro/bro/commit/c2b18849f8bb833253538f5dfedb4ed1dc176a30
 CVE-2018-17018 (An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and 
TL-WR886N 7 ...)
NOT-FOR-US: TP-Link
@@ -50556,9 +50556,9 @@ CVE-2018-16808 (An issue was discovered in Dolibarr 
through 7.0.0. There is Stor
- dolibarr 
NOTE: https://github.com/Dolibarr/dolibarr/issues/9449
 CVE-2018-16807 (In Bro through 2.5.5, there is a memory leak potentially 
leading to Do ...)
-   - bro  (low; bug #908614)
+   - bro 2.6.1+ds1-1 (low; bug #908614)
[buster] - bro 2.5.5-1+deb10u1
-   [stretch] - bro  (Minor issue)
+   [stretch] - bro  (Minor issue)
NOTE: 
https://github.com/bro/bro/commit/34d0cf886ca16c665f673a299e295b2a2bc14533
 CVE-2018-16806 (A Pektron Passive Keyless Entry and Start (PKES) system, as 
used on th ...)
NOT-FOR-US: Tesla



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/e06214e3ab5f4e119434f9a7ddbb86592c6d3ecf


[Git][security-tracker-team/security-tracker][master] automatic update

2019-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f8f310d2 by security tracker role at 2019-08-22T08:10:21Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,137 @@
+CVE-2019-15324
+   RESERVED
+CVE-2019-15323
+   RESERVED
+CVE-2019-15322
+   RESERVED
+CVE-2019-15321
+   RESERVED
+CVE-2019-15320
+   RESERVED
+CVE-2019-15319
+   RESERVED
+CVE-2019-15318
+   RESERVED
+CVE-2019-15317
+   RESERVED
+CVE-2019-15316 (Valve Steam Client for Windows through 2019-08-20 has weak 
folder perm ...)
+   TODO: check
+CVE-2019-15315 (Valve Steam Client for Windows through 2019-08-16 allows 
privilege esc ...)
+   TODO: check
+CVE-2018-20986
+   RESERVED
+CVE-2018-20985
+   RESERVED
+CVE-2018-20984
+   RESERVED
+CVE-2018-20983
+   RESERVED
+CVE-2018-20982
+   RESERVED
+CVE-2018-20981
+   RESERVED
+CVE-2018-20980
+   RESERVED
+CVE-2018-20979
+   RESERVED
+CVE-2017-18585
+   RESERVED
+CVE-2017-18584
+   RESERVED
+CVE-2017-18583
+   RESERVED
+CVE-2017-18582
+   RESERVED
+CVE-2017-18581
+   RESERVED
+CVE-2017-18580
+   RESERVED
+CVE-2017-18579
+   RESERVED
+CVE-2017-18578
+   RESERVED
+CVE-2017-18577
+   RESERVED
+CVE-2017-18576
+   RESERVED
+CVE-2017-18575
+   RESERVED
+CVE-2017-18574
+   RESERVED
+CVE-2017-18573
+   RESERVED
+CVE-2017-18572
+   RESERVED
+CVE-2017-18571
+   RESERVED
+CVE-2017-18570
+   RESERVED
+CVE-2016-10929
+   RESERVED
+CVE-2016-10928
+   RESERVED
+CVE-2016-10927
+   RESERVED
+CVE-2016-10926
+   RESERVED
+CVE-2016-10925
+   RESERVED
+CVE-2016-10924
+   RESERVED
+CVE-2016-10923
+   RESERVED
+CVE-2016-10922
+   RESERVED
+CVE-2016-10921
+   RESERVED
+CVE-2016-10920
+   RESERVED
+CVE-2016-10919
+   RESERVED
+CVE-2016-10918
+   RESERVED
+CVE-2016-10917
+   RESERVED
+CVE-2016-10916
+   RESERVED
+CVE-2015-9337
+   RESERVED
+CVE-2015-9336
+   RESERVED
+CVE-2015-9335
+   RESERVED
+CVE-2015-9334
+   RESERVED
+CVE-2015-9333
+   RESERVED
+CVE-2014-10385
+   RESERVED
+CVE-2014-10384
+   RESERVED
+CVE-2014-10383
+   RESERVED
+CVE-2014-10382
+   RESERVED
+CVE-2013-7483
+   RESERVED
+CVE-2013-7482
+   RESERVED
+CVE-2013-7481
+   RESERVED
+CVE-2013-7480
+   RESERVED
+CVE-2013-7479
+   RESERVED
+CVE-2013-7478
+   RESERVED
+CVE-2013-7477
+   RESERVED
+CVE-2012-6716
+   RESERVED
+CVE-2009-5158
+   RESERVED
+CVE-2008-7321
+   RESERVED
 CVE-2019-15314
RESERVED
 CVE-2019-15313
@@ -1620,6 +1754,7 @@ CVE-2019-14776
 CVE-2019-14775
RESERVED
 CVE-2019-12625 [clamav zip DoS]
+   RESERVED
- clamav  (bug #934359)
[buster] - clamav  (ClamAV is updated via -updates)
[stretch] - clamav  (ClamAV is updated via -updates)
@@ -1831,10 +1966,10 @@ CVE-2019-14688
RESERVED
 CVE-2019-14687 (A DLL hijacking vulnerability exists in Trend Micro Password 
Manager 5 ...)
NOT-FOR-US: Trend Micro
-CVE-2019-14686
-   RESERVED
-CVE-2019-14685
-   RESERVED
+CVE-2019-14686 (A DLL hijacking vulnerability exists in the Trend Micro 
Security's 201 ...)
+   TODO: check
+CVE-2019-14685 (A local privilege escalation vulnerability exists in Trend 
Micro Secur ...)
+   TODO: check
 CVE-2019-14684 (A DLL hijacking vulnerability exists in Trend Micro Password 
Manager 5 ...)
NOT-FOR-US: Trend Micro
 CVE-2019-14683 (The codection "Import users from CSV with meta" plugin before 
1.14.2.2 ...)
@@ -11282,12 +11417,12 @@ CVE-2019-11605
RESERVED
 CVE-2019-11604 (An issue was discovered in Quest KACE Systems Management 
Appliance bef ...)
NOT-FOR-US: Quest KACE Systems Management Appliance
-CVE-2019-11603
-   RESERVED
-CVE-2019-11602
-   RESERVED
-CVE-2019-11601
-   RESERVED
+CVE-2019-11603 (A HTTP Traversal Attack in earlier versions than ProSyst mBS 
SDK 8.2.6 ...)
+   TODO: check
+CVE-2019-11602 (Leakage of stack traces in remote access to backup  
restore in ea ...)
+   TODO: check
+CVE-2019-11601 (A directory traversal vulnerability in remote access to backup 
 r ...)
+   TODO: check
 CVE-2019-11600 (A SQL injection vulnerability in the activities API in 
OpenProject bef ...)
NOT-FOR-US: OpenProject
 CVE-2018-20835 (A vulnerability was found in tar-fs before 1.16.2. An 
Arbitrary File O ...)
@@ -13824,8 +13959,8 @@ CVE-2019-10689 (VVX products using UCS software version 
5.9.2 and earlier with B
NOT-FOR-US: VVX products using UCS software
 CVE-2019-10688 (VVX products with software versions including and prior to, 
UCS 5.9.2  ...)
NOT-FOR-US: VVX products using UCS
-CVE-2019-10687
-   RESERVED
+CVE-2019-10687 (KBPublisher 6.0.2.1 has SQL Injection via the 

[Git][security-tracker-team/security-tracker][master] ruby-rest-client n/a

2019-08-22 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
85c1b08b by Moritz Muehlenhoff at 2019-08-22T07:34:59Z
ruby-rest-client n/a

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -191,7 +191,7 @@ CVE-2019-15226
 CVE-2019-15225 (In Envoy through 1.11.1, users may configure a route to match 
incoming ...)
NOT-FOR-US: envoy proxy (not the same as itp'ed envoy, #758651)
 CVE-2019-15224 (The rest-client gem 1.6.13 for Ruby, as distributed on 
RubyGems.org, i ...)
-   TODO: check
+   - ruby-rest-client  (Backdoored version not uploaded to 
Debian)
 CVE-2019-15223 (An issue was discovered in the Linux kernel before 5.1.8. 
There is a N ...)
- linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/0b074ab7fc0d575247b9cc9f93bb7e007ca38840
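Review bot: the new "- ruby-rest-client" line replaces "TODO: check" with the reason "Backdoored version not uploaded to Debian", but the entry gets no NOTE, unlike CVE-2019-15223 just below, which cites its upstream commit. A NOTE with a reference for the backdoored 1.6.13 release on RubyGems.org would let a later reader re-verify that no Debian upload matches the affected version.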



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/85c1b08b919d9c3340c2b63a23f197b1b91a2407


[Git][security-tracker-team/security-tracker][master] pump removed

2019-08-22 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
687aaa22 by Moritz Muehlenhoff at 2019-08-22T06:28:28Z
pump removed
libzstd n/a for oldstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1935,7 +1935,7 @@ CVE-2019-14654 (In Joomla! 3.9.7 and 3.9.8, inadequate 
filtering allows users au
 CVE-2018-20954 (The "Security and Privacy" Encryption feature in Mailpile 
before 1.0.0 ...)
NOT-FOR-US: Mailpile
 CVE-2019- [Buffer overflow during processing of large server replies]
-   - pump  (bug #933674)
+   - pump  (bug #933674)
 CVE-2019-14653 (pandao Editor.md 1.5.0 allows XSS via an attribute of an ABBR 
or SUP e ...)
NOT-FOR-US: pandao Editor.md
 CVE-2019-14652
@@ -10407,6 +10407,7 @@ CVE-2019-11923
RESERVED
 CVE-2019-11922 (A race condition in the one-pass compression functions of 
Zstandard pr ...)
- libzstd 1.3.8+dfsg-2
+   [stretch] - libzstd  (Vulnerable code not present)
NOTE: 
https://github.com/facebook/zstd/commit/3e5cdf1b6a85843e991d7d10f6a2567c15580da0
 CVE-2019-11921 (An out of bounds write is possible via a specially crafted 
packet in c ...)
NOT-FOR-US: Proxygen
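Review bot: the added "[stretch] - libzstd" line gives "Vulnerable code not present" as its reason, yet the only NOTE on CVE-2019-11922 is the upstream fix commit. A second NOTE naming the upstream version or commit that introduced the affected code would make the stretch status checkable. The commit also bundles this with the unrelated pump change in the previous hunk; two commits would keep the history searchable per package.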



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/687aaa22994a5d13c34cac66ac213da0bb6a6dd5


[Git][security-tracker-team/security-tracker][master] Add reference to VLC VideoLAN-SB-VLC-308 bulletin

2019-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f977e145 by Salvatore Bonaccorso at 2019-08-22T06:17:07Z
Add reference to VLC VideoLAN-SB-VLC-308 bulletin

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1073,6 +1073,7 @@ CVE-2019-14970
RESERVED
{DSA-4504-1}
- vlc 3.0.8-1
+   NOTE: https://www.videolan.org/security/sb-vlc308.html
 CVE-2019-14969 (Netwrix Auditor before 9.8 has insecure permissions on 
%PROGRAMDATA%\N ...)
NOT-FOR-US: Netwrix Auditor
 CVE-2019-14968 (An issue was discovered in imcat 4.9. There is SQL Injection 
via the i ...)
@@ -1605,14 +1606,17 @@ CVE-2019-14778
RESERVED
{DSA-4504-1}
- vlc 3.0.8-1
+   NOTE: https://www.videolan.org/security/sb-vlc308.html
 CVE-2019-14777
RESERVED
{DSA-4504-1}
- vlc 3.0.8-1
+   NOTE: https://www.videolan.org/security/sb-vlc308.html
 CVE-2019-14776
RESERVED
{DSA-4504-1}
- vlc 3.0.8-1
+   NOTE: https://www.videolan.org/security/sb-vlc308.html
 CVE-2019-14775
RESERVED
 CVE-2019-12625 [clamav zip DoS]
@@ -2188,14 +2192,17 @@ CVE-2019-14535
RESERVED
{DSA-4504-1}
- vlc 3.0.8-1
+   NOTE: https://www.videolan.org/security/sb-vlc308.html
 CVE-2019-14534
RESERVED
{DSA-4504-1}
- vlc 3.0.8-1
+   NOTE: https://www.videolan.org/security/sb-vlc308.html
 CVE-2019-14533
RESERVED
{DSA-4504-1}
- vlc 3.0.8-1
+   NOTE: https://www.videolan.org/security/sb-vlc308.html
 CVE-2019-14532 (An issue was discovered in The Sleuth Kit (TSK) 4.6.6. There 
is an off ...)
- sleuthkit  (unimportant)
NOTE: https://github.com/sleuthkit/sleuthkit/issues/1575
@@ -2287,6 +2294,7 @@ CVE-2019-14498
RESERVED
{DSA-4504-1}
- vlc 3.0.8-1
+   NOTE: https://www.videolan.org/security/sb-vlc308.html
 CVE-2019-14497 (ModuleEditor::convertInstrument in tracker/ModuleEditor.cpp in 
MilkyTr ...)
- milkytracker  (bug #933964)
NOTE: https://github.com/milkytracker/MilkyTracker/issues/182
@@ -3026,10 +3034,12 @@ CVE-2019-14438
RESERVED
{DSA-4504-1}
- vlc 3.0.8-1
+   NOTE: https://www.videolan.org/security/sb-vlc308.html
 CVE-2019-14437
RESERVED
{DSA-4504-1}
- vlc 3.0.8-1
+   NOTE: https://www.videolan.org/security/sb-vlc308.html
 CVE-2019-14436
RESERVED
 CVE-2019-14435
@@ -4238,6 +4248,7 @@ CVE-2019-13962 (lavc_CopyPicture in 
modules/codec/avcodec/video.c in VideoLAN VL
[jessie] - vlc  
(https://lists.debian.org/debian-security-announce/2018/msg00130.html)
NOTE: 
http://git.videolan.org/?p=vlc/vlc-3.0.git;a=commit;h=2b4f9d0b0e0861f262c90e9b9b94e7d53b864509
NOTE: https://trac.videolan.org/vlc/ticket/22240
+   NOTE: https://www.videolan.org/security/sb-vlc308.html
 CVE-2019-13961 (A CSRF vulnerability was found in flatCore before 1.5, leading 
to the  ...)
NOT-FOR-US: flatCore
 CVE-2019-13960 (** DISPUTED ** In libjpeg-turbo 2.0.2, a large amount of 
memory can be ...)
@@ -6038,6 +6049,7 @@ CVE-2019-13602 (An Integer Underflow in 
MP4_EIA608_Convert() in modules/demux/mp
[jessie] - vlc  
(https://lists.debian.org/debian-security-announce/2018/msg00130.html)
NOTE: 
https://git.videolan.org/?p=vlc.git;a=commit;h=8e8e0d72447f8378244f5b4a3dcde036dbeb1491
NOTE: 
https://git.videolan.org/?p=vlc.git;a=commit;h=b2b157076d9e94df34502dd8df0787deb940e938
+   NOTE: https://www.videolan.org/security/sb-vlc308.html
 CVE-2019-13601
RESERVED
 CVE-2019-13600



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/f977e145fc9670cb717506b7dbd0d9f2e90063e3


[Git][security-tracker-team/security-tracker][master] Track assigned CVE for clamav issue (CVE-2019-12625)

2019-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
92814fdd by Salvatore Bonaccorso at 2019-08-22T06:05:44Z
Track assigned CVE for clamav issue (CVE-2019-12625)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1615,13 +1615,14 @@ CVE-2019-14776
- vlc 3.0.8-1
 CVE-2019-14775
RESERVED
-CVE-2019- [clamav zip DoS]
+CVE-2019-12625 [clamav zip DoS]
- clamav  (bug #934359)
[buster] - clamav  (ClamAV is updated via -updates)
[stretch] - clamav  (ClamAV is updated via -updates)
NOTE: https://www.openwall.com/lists/oss-security/2019/08/06/3
NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=12356
NOTE: Partially adressed already in 0.101.2+dfsg-3 but incomplete.
+   NOTE: 
https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html
 CVE-2019-14774 (The woo-variation-swatches (aka Variation Swatches for 
WooCommerce) pl ...)
NOT-FOR-US: Wordpress plugin
 CVE-2019-14773 (admin/includes/class.actions.snippet.php in the "Woody ad 
snippets" pl ...)
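Review bot: the entry renamed to CVE-2019-12625 stays where the temporary entry was, between CVE-2019-14775 and CVE-2019-14774, while the RESERVED stub removed in the second hunk sat between CVE-2019-12626 and CVE-2019-12624. If the list is meant to stay in descending CVE order, move the full entry to that position instead of only deleting the stub. While touching this entry, "Partially adressed" in the existing NOTE could be corrected to "addressed".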
@@ -8613,8 +8614,6 @@ CVE-2019-12627 (A vulnerability in the application policy 
configuration of the C
TODO: check
 CVE-2019-12626 (A vulnerability in the web-based management interface of Cisco 
Unified ...)
TODO: check
-CVE-2019-12625
-   RESERVED
 CVE-2019-12624 (A vulnerability in the web-based management interface of Cisco 
IOS XE  ...)
TODO: check
 CVE-2019-12623 (A vulnerability in the web server functionality of Cisco 
Enterprise Ne ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/92814fdd3810e68ac15c7cbdec829a11db028420


[Git][security-tracker-team/security-tracker][master] Take apache2 from dsa-needed list

2019-08-22 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1e00868e by Salvatore Bonaccorso at 2019-08-22T06:00:41Z
Take apache2 from dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -15,7 +15,7 @@ If needed, specify the release by adding a slash after the 
name of the source pa
 389-ds-base (fw)
   Thorsten Alteholz proposed an update
 --
-apache2
+apache2 (carnil)
 --
 evince/oldstable
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/1e00868ed7e6562b632e3f5fc390257433007dd0

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/1e00868ed7e6562b632e3f5fc390257433007dd0
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits