[Git][security-tracker-team/security-tracker][master] Update information on CVE-2019-11779
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 093ede5c by Salvatore Bonaccorso at 2019-10-19T22:11:43Z Update information on CVE-2019-11779 Directly reference the upstream issue and fixes in the 1.5.x and 1.6.x branches. According to Roger Light (upstream) this issue should affect versions 1.5 to 1.6.5 inclusive and was fixed in 1.6.6 and 1.5.9. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19634,7 +19634,9 @@ CVE-2019-11780 CVE-2019-11779 (In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT cli ...) - mosquitto 1.6.6-1 (bug #940654) NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=551160 - NOTE: patches available at https://mosquitto.org/files/cve/2019-11779/ + NOTE: https://github.com/eclipse/mosquitto/issues/1412 + NOTE: https://github.com/eclipse/mosquitto/commit/106675093177335b18521bc0e5ad1d95343ad652 (1.6.6) + NOTE: https://github.com/eclipse/mosquitto/commit/84681d9728ceb7f6ea2b6751b4d87200d8a62f14 (1.5.9) CVE-2019-11778 (If an MQTT v5 client connects to Eclipse Mosquitto versions 1.6.0 to 1 ...) - mosquitto 1.6.6-1 [buster] - mosquitto (Session expiry interval support introduced in 1.6) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/093ede5cba4a6a18747fcf96111aec53c094158b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/093ede5cba4a6a18747fcf96111aec53c094158b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
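Review bot: with the affected range now stated in the commit message as 1.5 to 1.6.5 inclusive, the CVE-2019-11779 entry still carries no per-release triage lines, while the neighbouring CVE-2019-11778 entry visible in the hunk context has a "[buster] - mosquitto (Session expiry interval support introduced in 1.6)" line; adding the matching [buster]/[stretch]/[jessie] lines here (affected, not-affected or no-dsa, whichever applies) would stop the older suites from being left implicitly unassessed. The (1.6.6)/(1.5.9) annotations on the two commit NOTEs are useful for backporters and worth keeping as the pattern.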
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2019-11778/mosquitto
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f14e7b7e by Salvatore Bonaccorso at 2019-10-19T22:06:07Z Update information on CVE-2019-11778/mosquitto - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19637,8 +19637,13 @@ CVE-2019-11779 (In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQ NOTE: patches available at https://mosquitto.org/files/cve/2019-11779/ CVE-2019-11778 (If an MQTT v5 client connects to Eclipse Mosquitto versions 1.6.0 to 1 ...) - mosquitto 1.6.6-1 + [buster] - mosquitto (Session expiry interval support introduced in 1.6) + [stretch] - mosquitto (Session expiry interval support introduced in 1.6) + [jessie] - mosquitto (Session expiry interval support introduced in 1.6) NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=551162 - NOTE: patches available at https://mosquitto.org/files/cve/2019-11778/ (directory empty) + NOTE: https://github.com/eclipse/mosquitto/issues/1401 + NOTE: https://github.com/eclipse/mosquitto/commit/8407c6d146d1e8299127737d9735afc782e04ea8 + NOTE: https://github.com/eclipse/mosquitto/commit/6f3e7b9ceb43e2626a32340c26b69ac8ae5e9c8c CVE-2019-11777 (In the Eclipse Paho Java client library version 1.2.0, when connecting ...) NOT-FOR-US: Eclipse Paho Java client CVE-2019-11776 (In Eclipse BIRT versions 1.0 to 4.7, the Report Viewer allows Reflecte ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f14e7b7ebd63d22a0b481aef7cf1b961e5ade409 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f14e7b7ebd63d22a0b481aef7cf1b961e5ade409 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
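Review bot: the two added upstream commit NOTEs (8407c6d1..., 6f3e7b9c...) carry no branch annotation, unlike the CVE-2019-11779 entry elsewhere in this digest, which tags each commit with (1.6.6) or (1.5.9); saying whether both commits are part of the 1.6.6 fix, or whether one is a follow-up, would save the next reader a trip to the upstream issue. The three new [buster]/[stretch]/[jessie] lines all give the same reason, which is consistent with the CVE text limiting the issue to 1.6.0 and later.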
[Git][security-tracker-team/security-tracker][master] CVE-2019-16865,pillow: Mark as no-dsa for Jessie
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 728a31ed by Markus Koschany at 2019-10-19T21:58:47Z CVE-2019-16865,pillow: Mark as no-dsa for Jessie Jessie is affected but I believe the risk of introducing regressions is too high in this case. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4222,6 +4222,7 @@ CVE-2019-16865 (An issue was discovered in Pillow before 6.2.0. When reading spe - pillow 6.2.0-1 (low) [buster] - pillow (Minor issue) [stretch] - pillow (Minor issue) + [jessie] - pillow (Risk of regressions is too high) - python-imaging NOTE: https://github.com/python-pillow/Pillow/pull/4101 NOTE: https://github.com/python-pillow/Pillow/pull/4102 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/728a31ed03fe8d9af7c0a0101057ec77e3385e60 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/728a31ed03fe8d9af7c0a0101057ec77e3385e60 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] patches for mosquitto CVE-2019-11778 CVE-2019-11779
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 84830518 by Thorsten Alteholz at 2019-10-19T21:48:59Z patches for mosquitto CVE-2019-11778 CVE-2019-11779 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19633,9 +19633,11 @@ CVE-2019-11780 CVE-2019-11779 (In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT cli ...) - mosquitto 1.6.6-1 (bug #940654) NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=551160 + NOTE: patches available at https://mosquitto.org/files/cve/2019-11779/ CVE-2019-11778 (If an MQTT v5 client connects to Eclipse Mosquitto versions 1.6.0 to 1 ...) - mosquitto 1.6.6-1 NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=551162 + NOTE: patches available at https://mosquitto.org/files/cve/2019-11778/ (directory empty) CVE-2019-11777 (In the Eclipse Paho Java client library version 1.2.0, when connecting ...) NOT-FOR-US: Eclipse Paho Java client CVE-2019-11776 (In Eclipse BIRT versions 1.0 to 4.7, the Report Viewer allows Reflecte ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/848305184da37ea7ede3d025d75f17dc9a1329fd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/848305184da37ea7ede3d025d75f17dc9a1329fd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
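Review bot: the NOTE added for CVE-2019-11778 points at a directory that the note itself says is empty ("directory empty"); a reference that cannot be used is noise for whoever backports the fix, so either leave it out or replace it with the upstream bug or commit once available (a later commit in this digest does exactly that). The CVE-2019-11779 NOTE is fine as long as that directory actually contains patches.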
[Git][security-tracker-team/security-tracker][master] CVE-2019-15939,opencv: Mark as postponed for Jessie
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: cb9acbb2 by Markus Koschany at 2019-10-19T21:30:38Z CVE-2019-15939,opencv: Mark as postponed for Jessie Minor issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6660,6 +6660,7 @@ CVE-2019-15939 (An issue was discovered in OpenCV 4.1.0. There is a divide-by-ze - opencv 4.1.2+dfsg-3 [buster] - opencv (Minor issue) [stretch] - opencv (Minor issue) + [jessie] - opencv (Minor issue) NOTE: https://github.com/OpenCV/opencv/issues/15287 NOTE: https://github.com/opencv/opencv/pull/15382 CVE-2019-15938 (Pengutronix barebox through 2019.08.1 has a remote buffer overflow in ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cb9acbb21694d75a6b1cd7d9dfa51e01a2d2b3ee -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cb9acbb21694d75a6b1cd7d9dfa51e01a2d2b3ee You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 12843ed4 by security tracker role at 2019-10-19T20:10:24Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,11 @@ +CVE-2019-18214 (The Video_Converter app 0.1.0 for Nextcloud allows denial of service ( ...) + TODO: check +CVE-2019-18213 + RESERVED +CVE-2019-18212 + RESERVED +CVE-2019-18211 + RESERVED CVE-2019-18210 RESERVED CVE-2019-18209 (templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser doe ...) @@ -2489,6 +2497,7 @@ CVE-2019-17545 (GDAL through 3.0.1 has a poolDestroy double free in OGRExpatReal NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16178 NOTE: https://github.com/OSGeo/gdal/commit/148115fcc40f1651a5d15fa34c9a8c528e7147bb CVE-2019-17544 (libaspell.a in GNU Aspell before 0.60.8 has a stack-based buffer over- ...) + {DLA-1966-1} - aspell (low) [buster] - aspell (Minor issue) [stretch] - aspell (Minor issue) @@ -41452,6 +41461,7 @@ CVE-2019-3691 CVE-2019-3690 RESERVED CVE-2019-3689 (The nfs-utils package in SUSE Linux Enterprise Server 12 before and in ...) + {DLA-1965-1} - nfs-utils (bug #940848) [buster] - nfs-utils (Minor issue) [stretch] - nfs-utils (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/12843ed44689169c82eafd0f5af1ff2c30f9da42 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/12843ed44689169c82eafd0f5af1ff2c30f9da42 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
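Review bot: the {DLA-1966-1} reference added to CVE-2019-17544 (aspell) has no corresponding data/DLA/list entry anywhere in this digest, whereas DLA-1965-1 for nfs-utils, also added here, was reserved in data/DLA/list in a separate commit; worth confirming that the aspell DLA was recorded in data/DLA/list so the two files stay in sync.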
[Git][security-tracker-team/security-tracker][master] dla-needed: update imagemagick notes
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: d24f85ca by Hugo Lefeuvre at 2019-10-19T15:19:55Z dla-needed: update imagemagick notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -33,16 +33,14 @@ ibus (Markus Koschany) NOTE: beware of the regression introduced by upstreams first patch -- imagemagick (Hugo Lefeuvre) - NOTE: 20190902: several minor postponed issues with simple patch: preparing an update - NOTE: just for them would be wasting time, but let's include these patches in a - NOTE: future update when new issues appear. NOTE: CVE-2019-13391, CVE-2019-13308: patch is large, undocumented and potentially NOTE: insufficient. wait for upstream to answer on bug report, or tag . NOTE: CVE-2019-10131: patch is sufficient, but technically so-so in my opinion: NOTE: instead of avoiding off-by-one reads (check length BEFORE reading, not after!) NOTE: we allocate one more byte. this works, but does not 'obviously' fix the issue and NOTE: can be misleading... DEP3 comments would be nice. (hle) - NOTE: 20191015: two new CVEs, check. + NOTE: 20191019: preparing an update for the new batch of CVEs. + NOTE: CVE-2019-17540: unclear upstream fixes in ImageMagick6, this is very messy. -- imapfilter NOTE: 20190910: No patch exists but a possible solution. Note that openssl in View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d24f85ca6fc0382a1664e04b1e4c501b81a82f94 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d24f85ca6fc0382a1664e04b1e4c501b81a82f94 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
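Review bot: the new "20191019: preparing an update for the new batch of CVEs" line does not say which CVEs are in the batch, while the removed "20191015: two new CVEs, check." line at least gave a count; listing the IDs (is CVE-2019-17540 on the next line the whole batch?) keeps dla-needed.txt usable as a handover note for whoever picks the package up. Separately, the surviving context line "wait for upstream to answer on bug report, or tag ." ends in a dangling "tag ." and looks like a word was lost there.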
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-18209/etherpad-lite
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dce19b01 by Salvatore Bonaccorso at 2019-10-19T15:04:53Z Add CVE-2019-18209/etherpad-lite - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,7 @@ CVE-2019-18210 RESERVED CVE-2019-18209 (templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser doe ...) - TODO: check + - etherpad-lite (bug #576998) CVE-2019-18208 RESERVED CVE-2019-18207 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dce19b01846c14501dbbd0f1b1ca60cb69b638c9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dce19b01846c14501dbbd0f1b1ca60cb69b638c9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
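Review bot: the bug number #576998 on the new "- etherpad-lite" line is far outside the range of every other Debian bug cited in this digest (#940654, #941670, #942628, #942646), so it is unlikely to be a report of this XSS; if it is a much older packaging request for etherpad-lite, please annotate it as such rather than leaving a bare "(bug #...)" that reads like a bug filed for the CVE.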
[Git][security-tracker-team/security-tracker][master] DLA-1965-1: Add epoch to version for nfs-utils
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0ce94337 by Salvatore Bonaccorso at 2019-10-19T14:55:23Z DLA-1965-1: Add epoch to version for nfs-utils - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,6 +1,6 @@ [19 Oct 2019] DLA-1965-1 nfs-utils - security update {CVE-2019-3689} - [jessie] - nfs-utils 1.2.8-9+deb8u1 + [jessie] - nfs-utils 1:1.2.8-9+deb8u1 [18 Oct 2019] DLA-1963-2 poppler - regression update [jessie] - poppler 0.26.5-2+deb8u13 [17 Oct 2019] DLA-1964-1 sudo - security update View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0ce94337ba71bd3fcceaf759b3652f1dc29924db -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0ce94337ba71bd3fcceaf759b3652f1dc29924db You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2019-15139/imagemagick: add followup patch
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 1bf395d4 by Hugo Lefeuvre at 2019-10-19T14:48:29Z CVE-2019-15139/imagemagick: add followup patch partly reverts 6d46f0a046a5... - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9012,6 +9012,8 @@ CVE-2019-15139 (The XWD image (X Window System window dumping file) parsing comp - imagemagick (bug #941670) NOTE: https://github.com/ImageMagick/ImageMagick/commit/c78993d138bf480ab4652b5a48379d4ff75ba5f7 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/6d46f0a046a58e7c4567a86ba1b9cb847d5b1968 + NOTE: ImageMagick6: followup, partly reverts previous patch: + NOTE: https://github.com/ImageMagick/ImageMagick6/commit/e295b8193a1413a39d5c0b3e18fa7ca952c35cdf NOTE: https://github.com/ImageMagick/ImageMagick/issues/1553 CVE-2019-15138 (The html-pdf package 2.2.0 for Node.js has an arbitrary file read vuln ...) NOT-FOR-US: node html-pdf View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1bf395d42203b9b986d14f9a80dd400b41381df3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1bf395d42203b9b986d14f9a80dd400b41381df3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2019-15140/imagemagick: add followup patch
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 57ce08d1 by Hugo Lefeuvre at 2019-10-19T14:26:52Z CVE-2019-15140/imagemagick: add followup patch this is probably minor, but still nice to take into account when cherry picking 5caef6e97f3f575 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9005,6 +9005,8 @@ CVE-2019-15140 (coders/mat.c in ImageMagick 7.0.8-43 Q16 allows remote attackers - imagemagick (bug #941671) NOTE: https://github.com/ImageMagick/ImageMagick/commit/f7206618d27c2e69d977abf40e3035a33e5f6be0 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/5caef6e97f3f575cf7bea497865a4c1e624b8010 + NOTE: followup, previous patch introduced compiler warnings + NOTE: https://github.com/ImageMagick/ImageMagick6/commit/5caef6e97f3f575cf7bea497865a4c1e624b8010 NOTE: https://github.com/ImageMagick/ImageMagick/issues/1554 CVE-2019-15139 (The XWD image (X Window System window dumping file) parsing component ...) - imagemagick (bug #941670) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/57ce08d11f984f13eafbfbee3ffb50f80a18c5b3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/57ce08d11f984f13eafbfbee3ffb50f80a18c5b3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
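Review bot: the added "followup" NOTE reuses the very same commit URL (5caef6e97f3f575cf7bea497865a4c1e624b8010) as the "ImageMagick6:" line directly above it, so the hunk records no follow-up commit at all; the commit message says the follow-up addresses compiler warnings introduced by 5caef6e9, so the second NOTE should point at that later commit. The CVE-2019-15139 change in this digest is the model: it cites a distinct follow-up hash (e295b819...) on its own line.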
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1965-1 for nfs-utils
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: ea3dfda3 by Sylvain Beucler at 2019-10-19T14:22:48Z Reserve DLA-1965-1 for nfs-utils - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[19 Oct 2019] DLA-1965-1 nfs-utils - security update + {CVE-2019-3689} + [jessie] - nfs-utils 1.2.8-9+deb8u1 [18 Oct 2019] DLA-1963-2 poppler - regression update [jessie] - poppler 0.26.5-2+deb8u13 [17 Oct 2019] DLA-1964-1 sudo - security update = data/dla-needed.txt = @@ -95,9 +95,6 @@ linux-4.9 (Ben Hutchings) -- mosquitto (Thorsten Alteholz) -- -nfs-utils (Sylvain Beucler) - NOTE: 20191009: proposed patch to upstream and sid, waiting for feedback before backport --- nghttp2 (Mike Gabriel) NOTE: 20190930: nghttp2 in jessie is likely not affected by CVE-2019-95{11,13}. NOTE: 20190930: waiting for feedback from Thorsten and Abhijith as they put View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ea3dfda38cfc7b2c265c4d570721a061426a0c90 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ea3dfda38cfc7b2c265c4d570721a061426a0c90 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
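Review bot: the reserved DLA-1965-1 entry records the jessie version as 1.2.8-9+deb8u1 without the package's epoch; a follow-up commit in this digest corrects it to 1:1.2.8-9+deb8u1, and an epoch-less version in data/DLA/list will not match the version actually uploaded, so checking the epoch against the changelog when reserving the DLA would avoid the fix-up. The dla-needed.txt hunk removing the nfs-utils stanza looks correct.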
[Git][security-tracker-team/security-tracker][master] CVE-2019-16723/cacti: upstream published a new fix
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 6f11ca68 by Hugo Lefeuvre at 2019-10-19T13:35:55Z CVE-2019-16723/cacti: upstream published a new fix - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4512,10 +4512,12 @@ CVE-2019-16723 (In Cacti through 1.2.6, authenticated users may bypass authoriza [jessie] - cacti (vulnerability introduced later) NOTE: vulnerability introduced in NOTE: https://github.com/Cacti/cacti/commit/cf73ae1a9f65b5a27d7f9d10c8e14835c3a76326 - NOTE: see Debian bug report for more explanations + NOTE: see Debian bug report for more information NOTE: https://github.com/Cacti/cacti/issues/2964 NOTE: https://github.com/Cacti/cacti/commit/7a6a17252a1cbda180b61fff244cb3ce797d5264 NOTE: https://github.com/Cacti/cacti/commit/c7cf4a26e4848872b48094e67f8d0a01dd7613d2 + NOTE: after further discussion, upstream issued a new fix which reverts previous commits + NOTE: https://github.com/Cacti/cacti/commit/cfb0733597af97abc92270de4f47cbfa32f9ce8b NOTE: The original issue mentions only a bypass via graph_json.php but there are NOTE: additional permission checks missed while checking the issue fixed with the NOTE: upstream commits. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6f11ca684174bef20adc6db080021b94089fc751 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6f11ca684174bef20adc6db080021b94089fc751 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
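Review bot: once upstream's new fix cfb07335... "reverts previous commits", the two earlier commit NOTEs still listed in the same entry (7a6a1725..., c7cf4a26...) read as if they were still the fix to apply; mark them as superseded, or move them under the explanatory line, so a backporter applies only the current commit. The "explanations" to "information" wording change is fine.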
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2019-17596/golang-1.13
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8a162174 by Salvatore Bonaccorso at 2019-10-19T12:26:27Z Add fixed version for CVE-2019-17596/golang-1.13 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2270,7 +2270,7 @@ CVE-2017-1002201 (In haml versions prior to version 5.0.0.beta.2, when using use NOTE: https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2 CVE-2019-17596 [crypto/dsa: invalid public key causes panic in dsa.Verify] RESERVED - - golang-1.13 (bug #942628) + - golang-1.13 1.13.3-1 (bug #942628) - golang-1.12 1.12.12-1 (bug #942629) - golang-1.11 - golang-1.8 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8a162174a88372afda880c16577627ac60e613b4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8a162174a88372afda880c16577627ac60e613b4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2019-17596/golang-1.12
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4711fe38 by Salvatore Bonaccorso at 2019-10-19T12:25:07Z Add fixed version for CVE-2019-17596/golang-1.12 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2271,7 +2271,7 @@ CVE-2017-1002201 (In haml versions prior to version 5.0.0.beta.2, when using use CVE-2019-17596 [crypto/dsa: invalid public key causes panic in dsa.Verify] RESERVED - golang-1.13 (bug #942628) - - golang-1.12 (bug #942629) + - golang-1.12 1.12.12-1 (bug #942629) - golang-1.11 - golang-1.8 - golang-1.7 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4711fe38212b430dabea2eb919b19c96fddcbb4a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4711fe38212b430dabea2eb919b19c96fddcbb4a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-18197/libxslt
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3e78b67e by Salvatore Bonaccorso at 2019-10-19T12:24:02Z Add Debian bug reference for CVE-2019-18197/libxslt - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23,7 +23,7 @@ CVE-2019-18200 CVE-2019-18199 RESERVED CVE-2019-18197 (In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable i ...) - - libxslt + - libxslt (bug #942646) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15746 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15768 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15914 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3e78b67ea36d9c7ad1a55f0f72a73c41e6291170 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3e78b67ea36d9c7ad1a55f0f72a73c41e6291170 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-18197/libxlt
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e176e7d4 by Salvatore Bonaccorso at 2019-10-19T09:48:15Z Add CVE-2019-18197/libxlt - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23,7 +23,11 @@ CVE-2019-18200 CVE-2019-18199 RESERVED CVE-2019-18197 (In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable i ...) - TODO: check + - libxslt + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15746 + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15768 + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15914 + NOTE: https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285 CVE-2019-18196 RESERVED CVE-2019-18198 (In the Linux kernel before 5.3.4, a reference count usage error in the ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e176e7d428598f123c1c6d800e374f3acbcf45b3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e176e7d428598f123c1c6d800e374f3acbcf45b3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Fix Typo3 to TYPO3
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: d6827f4b by Henri Salo at 2019-10-19T08:58:32Z Fix Typo3 to TYPO3 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4578,11 +4578,11 @@ CVE-2019-16702 (Integard Pro 2.2.0.9026 allows remote attackers to execute arbit CVE-2019-16701 (pfSense through 2.3.4 through 2.4.4-p3 allows Remote Code Injection vi ...) NOT-FOR-US: pfSense CVE-2019-16700 (The slub_events (aka SLUB: Event Registration) extension through 3.0.2 ...) - NOT-FOR-US: Typo3 extension + NOT-FOR-US: TYPO3 extension CVE-2019-16699 (The sr_freecap (aka freeCap CAPTCHA) extension 2.4.5 and below and 2.5 ...) - NOT-FOR-US: Typo3 extension + NOT-FOR-US: TYPO3 extension CVE-2019-16698 (The direct_mail (aka Direct Mail) extension through 5.2.2 for TYPO3 ha ...) - NOT-FOR-US: Typo3 extension + NOT-FOR-US: TYPO3 extension CVE-2019-16697 RESERVED CVE-2019-16696 (phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit. ...) @@ -4614,7 +4614,7 @@ CVE-2019-16684 (An issue was discovered in the image-manager in Xoops 2.5.10. Wh CVE-2019-16683 (An issue was discovered in the image-manager in Xoops 2.5.10. When the ...) NOT-FOR-US: Xoops CVE-2019-16682 (The url_redirect (aka URL redirect) extension through 1.2.1 for TYPO3 ...) - NOT-FOR-US: Typo3 extension + NOT-FOR-US: TYPO3 extension CVE-2018-21018 (Mastodon before 2.6.3 mishandles timeouts of incompletely established ...) NOT-FOR-US: Mastodon CVE-2019-16681 (The Traveloka application 3.14.0 for Android exports com.traveloka.and ...) 
@@ -17204,9 +17204,9 @@ CVE-2019-12749 (dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1. NOTE: https://gitlab.freedesktop.org/dbus/dbus/issues/269 NOTE: https://gitlab.freedesktop.org/dbus/dbus/commit/47b1a4c41004bf494b87370987b222c934b19016 CVE-2019-12748 (TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows XSS. ...) - NOT-FOR-US: Typo3 + NOT-FOR-US: TYPO3 CVE-2019-12747 (TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization ...) - NOT-FOR-US: Typo3 + NOT-FOR-US: TYPO3 CVE-2019-12746 (An issue was discovered in Open Ticket Request System (OTRS) Community ...) {DLA-1877-1} - otrs2 6.0.20-1 @@ -19490,7 +19490,7 @@ CVE-2019-11833 (fs/ext4/extents.c in the Linux kernel through 5.1.2 does not zer - linux 4.19.37-4 NOTE: Fixed by: https://git.kernel.org/linus/592acbf16821288ecdc4192c47e3774a4c48bb64 CVE-2019-11832 (TYPO3 8.x before 8.7.25 and 9.x before 9.5.6 allows remote code execut ...) - NOT-FOR-US: Typo3 + NOT-FOR-US: TYPO3 CVE-2019-11831 (The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1 ...) {DSA-4445-1 DLA-1797-1} - drupal7 (bug #928688) @@ -140267,7 +140267,7 @@ CVE-2017-6372 CVE-2017-6371 RESERVED CVE-2017-6370 (TYPO3 7.6.15 sends an http request to an index.php?loginProvider URI i ...) - NOT-FOR-US: Typo3 + NOT-FOR-US: TYPO3 CVE-2017-6369 (Insufficient checks in the UDF subsystem in Firebird 2.5.x before 2.5. ...) {DSA-3824-1 DLA-879-1} - firebird2.5 (bug #858641) 
@@ -141456,9 +141456,9 @@ CVE-2017-5965 (The package manager in Sitecore CRM 8.1 Rev 151207 allows remote CVE-2017-5964 (An issue was discovered in Emoncms through 9.8.0. The vulnerability ex ...) NOT-FOR-US: Emoncms CVE-2017-5963 (An issue was discovered in caddy (for TYPO3) before 7.2.10. The vulner ...) - NOT-FOR-US: Typo3 extension + NOT-FOR-US: TYPO3 extension CVE-2017-5962 (An issue was discovered in contexts_wurfl (for TYPO3) before 0.4.2. Th ...) - NOT-FOR-US: Typo3 extension + NOT-FOR-US: TYPO3 extension CVE-2017-5961 (An issue was discovered in ionize through 1.0.8. The vulnerability exi ...) NOT-FOR-US: ionize CVE-2017-5960 (An issue was discovered in Phalcon Eye through 0.4.1. The vulnerabilit ...) @@ -184171,17 +184171,17 @@ CVE-2015-8765 (Intel McAfee ePolicy Orchestrator (ePO) 4.6.9 and earlier, 5.0.x, CVE-2015-8761 (The Values module 7.x-1.x before 7.x-1.2 for Drupal does not properly ...) NOT-FOR-US: Values module for Drupal CVE-2015-8760 (The Flvplayer component in TYPO3 6.2.x before 6.2.16 allows remote att ...) - NOT-FOR-US: Typo3 + NOT-FOR-US: TYPO3 CVE-2015-8759 (Cross-site scripting (XSS) vulnerability in the typoLink function in T ...) - NOT-FOR-US: Typo3 + NOT-FOR-US: TYPO3 CVE-2015-8758 (Multiple cross-site scripting (XSS) vulnerabilities in unspecified fro ...) - NOT-FOR-US: Typo3 + NOT-FOR-US: TYPO3 CVE-2015-8757 (Cross-site scripting (XSS) vulnerability in the Extension Manager in T ...) - NOT-FOR-US: Typo3 + NOT-FOR-US: TYPO3 CVE-2015-8756
[Git][security-tracker-team/security-tracker][master] Fix minor typos
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: 8327a5a7 by Henri Salo at 2019-10-19T08:52:16Z Fix minor typos - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4578,11 +4578,11 @@ CVE-2019-16702 (Integard Pro 2.2.0.9026 allows remote attackers to execute arbit CVE-2019-16701 (pfSense through 2.3.4 through 2.4.4-p3 allows Remote Code Injection vi ...) NOT-FOR-US: pfSense CVE-2019-16700 (The slub_events (aka SLUB: Event Registration) extension through 3.0.2 ...) - NOT-FOR-US: Typo3 extenstion + NOT-FOR-US: Typo3 extension CVE-2019-16699 (The sr_freecap (aka freeCap CAPTCHA) extension 2.4.5 and below and 2.5 ...) - NOT-FOR-US: Typo3 extenstion + NOT-FOR-US: Typo3 extension CVE-2019-16698 (The direct_mail (aka Direct Mail) extension through 5.2.2 for TYPO3 ha ...) - NOT-FOR-US: Typo3 extenstion + NOT-FOR-US: Typo3 extension CVE-2019-16697 RESERVED CVE-2019-16696 (phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8327a5a7904fcb5d64234cb80f0ca785d4d1c063 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8327a5a7904fcb5d64234cb80f0ca785d4d1c063 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ce16fb44 by security tracker role at 2019-10-19T08:10:23Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,4 +1,32 @@ -CVE-2019-18198 [ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule] +CVE-2019-18210 + RESERVED +CVE-2019-18209 (templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser doe ...) + TODO: check +CVE-2019-18208 + RESERVED +CVE-2019-18207 + RESERVED +CVE-2019-18206 + RESERVED +CVE-2019-18205 + RESERVED +CVE-2019-18204 + RESERVED +CVE-2019-18203 + RESERVED +CVE-2019-18202 (Information Disclosure is possible on WAGO Series PFC100 and PFC200 de ...) + TODO: check +CVE-2019-18201 + RESERVED +CVE-2019-18200 + RESERVED +CVE-2019-18199 + RESERVED +CVE-2019-18197 (In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable i ...) + TODO: check +CVE-2019-18196 + RESERVED +CVE-2019-18198 (In the Linux kernel before 5.3.4, a reference count usage error in the ...) - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/ca7a03c4175366a92cee0ccc4fec0038c3266e26 NOTE: https://launchpad.net/bugs/1847478 
@@ -39685,8 +39713,8 @@ CVE-2019-4411 RESERVED CVE-2019-4410 (IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, and 19. ...) NOT-FOR-US: IBM -CVE-2019-4409 - RESERVED +CVE-2019-4409 (HCL Traveler versions 9.x and earlier are susceptible to cross-site sc ...) + TODO: check CVE-2019-4408 RESERVED CVE-2019-4407 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ce16fb446038b6956cbbc803d33cb1b7ada77d2f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ce16fb446038b6956cbbc803d33cb1b7ada77d2f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
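Review bot: the hunk at -1,4 +1,32 replaces the provisional bracketed title for CVE-2019-18198 with the published description ("In the Linux kernel before 5.3.4, a reference count usage error ...") while keeping the "- linux (Vulnerable code introduced later)" assessment and both NOTE links intact, which is the expected merge of a placeholder entry; what still needs a human is the three "TODO: check" entries it introduces, CVE-2019-18209 (Etherpad-Lite 1.7.5 XSS), CVE-2019-18202 (WAGO PFC100/PFC200 information disclosure) and CVE-2019-18197 (xsltCopyText in transform.c in libxslt 1.1.33), the last being the one that names a library rather than a product or device and so the first to map onto a source package.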
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-18198/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 13af5cd8 by Salvatore Bonaccorso at 2019-10-19T07:04:49Z Add CVE-2019-18198/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2019-18198 [ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule] + - linux (Vulnerable code introduced later) + NOTE: https://git.kernel.org/linus/ca7a03c4175366a92cee0ccc4fec0038c3266e26 + NOTE: https://launchpad.net/bugs/1847478 CVE-2019-18195 RESERVED CVE-2019-18194 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/13af5cd8dc2a19dff87a8f2ce5f09234e89a770c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/13af5cd8dc2a19dff87a8f2ce5f09234e89a770c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
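Review bot: the new CVE-2019-18198 entry states the conclusion "Vulnerable code introduced later" but references only the fix commit (git.kernel.org/linus/ca7a03c4175366a92cee0ccc4fec0038c3266e26) and Launchpad bug 1847478; adding a NOTE with the commit that introduced the ipv6 suppress-rule bug and the first kernel version that shipped it would let a later reviewer verify the not-affected reasoning against the packaged kernel versions instead of re-deriving it from the fix.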
[Git][security-tracker-team/security-tracker][master] Add Debian bug references for CVE-2019-17596
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8588ddc9 by Salvatore Bonaccorso at 2019-10-19T06:39:43Z Add Debian bug references for CVE-2019-17596 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2234,8 +2234,8 @@ CVE-2017-1002201 (In haml versions prior to version 5.0.0.beta.2, when using use NOTE: https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2 CVE-2019-17596 [crypto/dsa: invalid public key causes panic in dsa.Verify] RESERVED - - golang-1.13 - - golang-1.12 + - golang-1.13 (bug #942628) + - golang-1.12 (bug #942629) - golang-1.11 - golang-1.8 - golang-1.7 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8588ddc9ec67044cd73ceb2b438128833e17cea7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8588ddc9ec67044cd73ceb2b438128833e17cea7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
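Review bot: the hunk attaches bug #942628 and #942629 to golang-1.13 and golang-1.12 but leaves golang-1.11, golang-1.8, golang-1.7 and golang with no bug reference or annotation, so for those four lines the entry gives no indication of whether bugs are still to be filed or why none is needed; either reference the corresponding bugs or add a parenthetical note explaining the different handling.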
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-17596/golang
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 47bd9acb by Salvatore Bonaccorso at 2019-10-19T06:16:38Z Add CVE-2019-17596/golang - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2232,8 +2232,17 @@ CVE-2017-1002201 (In haml versions prior to version 5.0.0.beta.2, when using use - ruby-haml 5.0.4-1 NOTE: https://snyk.io/vuln/SNYK-RUBY-HAML-20362 NOTE: https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2 -CVE-2019-17596 +CVE-2019-17596 [crypto/dsa: invalid public key causes panic in dsa.Verify] RESERVED + - golang-1.13 + - golang-1.12 + - golang-1.11 + - golang-1.8 + - golang-1.7 + - golang + NOTE: https://golang.org/issue/34960 + NOTE: https://github.com/golang/go/issues/34962 (1.13 backport) + NOTE: https://github.com/golang/go/issues/34961 (1.12 backport) CVE-2019-17595 (There is a heap-based buffer over-read in the fmt_entry function in ti ...) - ncurses (low; bug #942401) [buster] - ncurses (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/47bd9acb603613e6b94191d6802c93c4d57ec372 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/47bd9acb603613e6b94191d6802c93c4d57ec372 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
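Review bot: the new CVE-2019-17596 entry carries the bracketed summary "invalid public key causes panic in dsa.Verify" and three issue links (golang.org/issue/34960 plus the 1.13 and 1.12 backport issues 34962 and 34961) but no reference to the upstream fix and no note on impact; a one-line NOTE stating that this is a denial of service for any program that calls crypto/dsa.Verify on a public key it receives from an untrusted source, plus the fix commit once it is merged, would let the six package lines be resolved without re-reading the upstream issues.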