[Git][security-tracker-team/security-tracker][master] Add note on sarg-reports using mktemp in own Debian shipped version

2020-01-20 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b776f749 by Salvatore Bonaccorso at 2020-01-21T08:06:52+01:00
Add note on sarg-reports using mktemp in own Debian shipped version

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -15094,6 +15094,8 @@ CVE-2019-18932 [sarg: insecure usage of /tmp/sarg 
allows privilege escalation /
RESERVED
- sarg 
NOTE: https://www.openwall.com/lists/oss-security/2020/01/20/6
+   NOTE: The sarg-reports as shipped in Debian has already safe use of 
mktemp for
+   NOTE: use of temporary files and directories.
 CVE-2019-18931 (Western Digital My Cloud EX2 Ultra firmware 2.31.195 allows a 
Buffer O ...)
NOT-FOR-US: Western Digital My Cloud EX2 Ultra firmware
 CVE-2019-18930 (Western Digital My Cloud EX2 Ultra firmware 2.31.183 allows 
web users  ...)
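Review bot: the added NOTE says the Debian-shipped sarg-reports already uses mktemp safely, but the `- sarg ` package line directly above it is left unchanged; if the note means the Debian package is not affected by CVE-2019-18932, the package state should record that, and if only part of the issue is covered (the summary names insecure use of /tmp/sarg by sarg itself, not only the report script) the note should say which part still applies. Wording: `The sarg-reports as shipped in Debian has already safe use of mktemp for use of temporary files and directories` reads more cleanly as `sarg-reports as shipped in Debian already uses mktemp safely for temporary files and directories`.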



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/b776f7494a515d8dda29a7625cf0131f69bf8398

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/b776f7494a515d8dda29a7625cf0131f69bf8398
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] Add CVE-2019-14888/undertow

2020-01-20 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
37e3e4b3 by Salvatore Bonaccorso at 2020-01-21T07:59:52+01:00
Add CVE-2019-14888/undertow

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -29598,6 +29598,8 @@ CVE-2019-14889 (A flaw was found with the libssh API 
function ssh_scp_new() in v
NOTE: 
https://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d163a943737fe4160f7233925df2eee1f9a
 CVE-2019-14888
RESERVED
+   - undertow 
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1772464
 CVE-2019-14887
RESERVED
 CVE-2019-14886
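Review bot: CVE-2019-14888 stays a bare `RESERVED` entry with no bracketed summary while gaining the `- undertow ` package line and a Red Hat bugzilla reference; reserved entries elsewhere in this file carry a short `[package: description]` summary on the CVE line (CVE-2019-18932 and CVE-2020-7040 in this same digest do), and adding one here would let the tracker show what the undertow issue is before MITRE publishes a description.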



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/37e3e4b3b9abdb03f3b47033407f36341e80b23d


[Git][security-tracker-team/security-tracker][master] Some more CVE fixes were cherry-picked for 4.9.210-1 upload

2020-01-20 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b1114183 by Salvatore Bonaccorso at 2020-01-21T07:51:29+01:00
Some more CVE fixes were cherry-picked for 4.9.210-1 upload

- - - - -


1 changed file:

- data/next-oldstable-point-update.txt


Changes:

=
data/next-oldstable-point-update.txt
=
@@ -130,8 +130,14 @@ CVE-2016-10894
[stretch] - xtrlock 2.8+deb9u1
 CVE-2019-16275
[stretch] - wpa 2:2.4-1+deb9u5
+CVE-2018-13093
+   [stretch] - linux 4.9.210-1
+CVE-2018-13094
+   [stretch] - linux 4.9.210-1
 CVE-2018-20976
[stretch] - linux 4.9.210-1
+CVE-2018-21008
+   [stretch] - linux 4.9.210-1
 CVE-2019-0136
[stretch] - linux 4.9.210-1
 CVE-2019-10220
@@ -146,10 +152,18 @@ CVE-2019-14816
[stretch] - linux 4.9.210-1
 CVE-2019-14895
[stretch] - linux 4.9.210-1
+CVE-2019-14896
+   [stretch] - linux 4.9.210-1
+CVE-2019-14897
+   [stretch] - linux 4.9.210-1
+CVE-2019-14901
+   [stretch] - linux 4.9.210-1
 CVE-2019-15030
[stretch] - linux 4.9.210-1
 CVE-2019-15098
[stretch] - linux 4.9.210-1
+CVE-2019-15217
+   [stretch] - linux 4.9.210-1
 CVE-2019-15291
[stretch] - linux 4.9.210-1
 CVE-2019-15505
@@ -188,6 +202,8 @@ CVE-2019-19037
[stretch] - linux 4.9.210-1
 CVE-2019-19049
[stretch] - linux 4.9.210-1
+CVE-2019-19051
+   [stretch] - linux 4.9.210-1
 CVE-2019-19052
[stretch] - linux 4.9.210-1
 CVE-2019-19056
@@ -232,8 +248,14 @@ CVE-2019-19536
[stretch] - linux 4.9.210-1
 CVE-2019-19537
[stretch] - linux 4.9.210-1
+CVE-2019-19767
+   [stretch] - linux 4.9.210-1
+CVE-2019-19947
+   [stretch] - linux 4.9.210-1
 CVE-2019-19965
[stretch] - linux 4.9.210-1
+CVE-2019-20096
+   [stretch] - linux 4.9.210-1
 CVE-2019-2215
[stretch] - linux 4.9.210-1
 CVE-2019-12614



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/b1114183693ab7fc8e84b33116aef79c3c954be8


[Git][security-tracker-team/security-tracker][master] CVE-2019-18932/sarg

2020-01-20 Thread Henri Salo


Henri Salo pushed to branch master at Debian Security Tracker / security-tracker


Commits:
66a5c1e2 by Henri Salo at 2020-01-21T08:46:12+02:00
CVE-2019-18932/sarg

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -15090,8 +15090,10 @@ CVE-2019-18934 (Unbound 1.6.4 through 1.9.4 contain a 
vulnerability in the ipsec
NOTE: https://nlnetlabs.nl/downloads/unbound/CVE-2019-18934.txt
 CVE-2019-18933 (In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in 
the new  ...)
NOT-FOR-US: Zulip
-CVE-2019-18932
+CVE-2019-18932 [sarg: insecure usage of /tmp/sarg allows privilege escalation 
/ DoS attack vector]
RESERVED
+   - sarg 
+   NOTE: https://www.openwall.com/lists/oss-security/2020/01/20/6
 CVE-2019-18931 (Western Digital My Cloud EX2 Ultra firmware 2.31.195 allows a 
Buffer O ...)
NOT-FOR-US: Western Digital My Cloud EX2 Ultra firmware
 CVE-2019-18930 (Western Digital My Cloud EX2 Ultra firmware 2.31.183 allows 
web users  ...)
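Review bot: the `- sarg ` package line is added with the oss-security post as the only reference and no Debian bug number; other unfixed entries in this file record `(bug #NNNNNN)` on the package line (the openconnect and storebackup entries in this digest, for example), so a Debian bug should be filed and recorded here so the package maintainer is notified rather than relying on the tracker entry alone.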



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/66a5c1e251f8fc01e532eaa9f895f0310a6c2943


[Git][security-tracker-team/security-tracker][master] Track pending CVEs for linux via stretch-pu

2020-01-20 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7337fb94 by Salvatore Bonaccorso at 2020-01-21T07:24:57+01:00
Track pending CVEs for linux via stretch-pu

- - - - -


1 changed file:

- data/next-oldstable-point-update.txt


Changes:

=
data/next-oldstable-point-update.txt
=
@@ -130,3 +130,111 @@ CVE-2016-10894
[stretch] - xtrlock 2.8+deb9u1
 CVE-2019-16275
[stretch] - wpa 2:2.4-1+deb9u5
+CVE-2018-20976
+   [stretch] - linux 4.9.210-1
+CVE-2019-0136
+   [stretch] - linux 4.9.210-1
+CVE-2019-10220
+   [stretch] - linux 4.9.210-1
+CVE-2019-14615
+   [stretch] - linux 4.9.210-1
+CVE-2019-14814
+   [stretch] - linux 4.9.210-1
+CVE-2019-14815
+   [stretch] - linux 4.9.210-1
+CVE-2019-14816
+   [stretch] - linux 4.9.210-1
+CVE-2019-14895
+   [stretch] - linux 4.9.210-1
+CVE-2019-15030
+   [stretch] - linux 4.9.210-1
+CVE-2019-15098
+   [stretch] - linux 4.9.210-1
+CVE-2019-15291
+   [stretch] - linux 4.9.210-1
+CVE-2019-15505
+   [stretch] - linux 4.9.210-1
+CVE-2019-15917
+   [stretch] - linux 4.9.210-1
+CVE-2019-16746
+   [stretch] - linux 4.9.210-1
+CVE-2019-17052
+   [stretch] - linux 4.9.210-1
+CVE-2019-17053
+   [stretch] - linux 4.9.210-1
+CVE-2019-17054
+   [stretch] - linux 4.9.210-1
+CVE-2019-17055
+   [stretch] - linux 4.9.210-1
+CVE-2019-17056
+   [stretch] - linux 4.9.210-1
+CVE-2019-17075
+   [stretch] - linux 4.9.210-1
+CVE-2019-17133
+   [stretch] - linux 4.9.210-1
+CVE-2019-17666
+   [stretch] - linux 4.9.210-1
+CVE-2019-18282
+   [stretch] - linux 4.9.210-1
+CVE-2019-18660
+   [stretch] - linux 4.9.210-1
+CVE-2019-18683
+   [stretch] - linux 4.9.210-1
+CVE-2019-18806
+   [stretch] - linux 4.9.210-1
+CVE-2019-18809
+   [stretch] - linux 4.9.210-1
+CVE-2019-19037
+   [stretch] - linux 4.9.210-1
+CVE-2019-19049
+   [stretch] - linux 4.9.210-1
+CVE-2019-19052
+   [stretch] - linux 4.9.210-1
+CVE-2019-19056
+   [stretch] - linux 4.9.210-1
+CVE-2019-19057
+   [stretch] - linux 4.9.210-1
+CVE-2019-19062
+   [stretch] - linux 4.9.210-1
+CVE-2019-19063
+   [stretch] - linux 4.9.210-1
+CVE-2019-19066
+   [stretch] - linux 4.9.210-1
+CVE-2019-19068
+   [stretch] - linux 4.9.210-1
+CVE-2019-19227
+   [stretch] - linux 4.9.210-1
+CVE-2019-19332
+   [stretch] - linux 4.9.210-1
+CVE-2019-19447
+   [stretch] - linux 4.9.210-1
+CVE-2019-19523
+   [stretch] - linux 4.9.210-1
+CVE-2019-19524
+   [stretch] - linux 4.9.210-1
+CVE-2019-19525
+   [stretch] - linux 4.9.210-1
+CVE-2019-19527
+   [stretch] - linux 4.9.210-1
+CVE-2019-19530
+   [stretch] - linux 4.9.210-1
+CVE-2019-19531
+   [stretch] - linux 4.9.210-1
+CVE-2019-19532
+   [stretch] - linux 4.9.210-1
+CVE-2019-19533
+   [stretch] - linux 4.9.210-1
+CVE-2019-19534
+   [stretch] - linux 4.9.210-1
+CVE-2019-19535
+   [stretch] - linux 4.9.210-1
+CVE-2019-19536
+   [stretch] - linux 4.9.210-1
+CVE-2019-19537
+   [stretch] - linux 4.9.210-1
+CVE-2019-19965
+   [stretch] - linux 4.9.210-1
+CVE-2019-2215
+   [stretch] - linux 4.9.210-1
+CVE-2019-12614
+   [stretch] - linux 4.9.210-1
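Review bot: the block runs in ascending CVE number from CVE-2018-20976 through CVE-2019-19965, but the last two entries, CVE-2019-2215 and CVE-2019-12614, are appended after it out of order; moving them to their sorted positions now would keep later cherry-pick additions (which insert by number, as the follow-up commit b1114183 in this digest does) from drifting the same way.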



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/7337fb9472bb084fba0687a3354c117516e4b5fb


[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2019-16239/openconnect

2020-01-20 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
662fe38a by Salvatore Bonaccorso at 2020-01-21T06:42:23+01:00
Add fixed version for CVE-2019-16239/openconnect

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -25381,7 +25381,7 @@ CVE-2019-16240
RESERVED
 CVE-2019-16239 (process_http_response in OpenConnect before 8.05 has a Buffer 
Overflow ...)
{DLA-1945-1}
-   - openconnect  (bug #940871)
+   - openconnect 8.02-1.1 (bug #940871)
NOTE: 
http://lists.infradead.org/pipermail/openconnect-devel/2019-September/005412.html
NOTE: 
https://github.com/openconnect/openconnect/commit/875f0a65ab73f4fb581ca870fd3a901bd278f8e8
 CVE-2019-16378 (OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 is prone 
to a si ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/662fe38a427fab87d0987cf7d9c9ad6f92fade6d


[Git][security-tracker-team/security-tracker][master] Added information about the squid3 patch analysis made.

2020-01-20 Thread Ola Lundqvist


Ola Lundqvist pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
570671f5 by Ola Lundqvist at 2020-01-20T22:27:53+01:00
Added information about the squid3 patch analysis made.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -113,12 +113,18 @@ sqlite3 (Thorsten Alteholz)
   NOTE: 20200112: WIP
 --
 squid3
-  NOTE: 20191210: Requires new API SBuf.
+  NOTE: 20191210: CVE-2019-12523 and CVE-2019-18676 Requires new API SBuf.
   NOTE: 20200116: Researched other distros to see if any had backported the 
fixes.  No luck.
   NOTE: 20200116: Tried for some time to reproduce the vulnerabilities, but 
did not succeed.
   NOTE: 20200116: The change is rather involved when considering the new SBuf 
API, so not
   NOTE: 20200116: being able to reproduce makes it impossible isolate the 
minimal change that
   NOTE: 20200116: addresses the vulnerabilities. (roberto)
+  NOTE: 20200120: CVE-2019-12523 It looks like the only new checks is the 
introduction of NID
+  NOTE: 20200120: checks in parseUrn. This function replaces parseFinish. It 
should be easy
+  NOTE: 20200120: to add those checks without introducing SBuf. (Ola)
+  NOTE: 20200120: CVE-2019-18676 however is more complicated to locate. 
Potentially the // skipping
+  NOTE: 20200120: or the absolute function is the issue but it is hard to tell 
without more
+  NOTE: 20200120: details on the intention. (Ola)
 --
 storebackup (Utkarsh Gupta)
 --
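Review bot: the 20200120 analysis for CVE-2019-12523 attributes the fix to NID checks introduced in parseUrn (replacing parseFinish) but records no upstream commit id, so the next person cannot verify the claim that those checks can be backported without introducing SBuf; a NOTE naming the upstream commit would make the plan checkable. Two grammar fixes for the note text: `CVE-2019-12523 and CVE-2019-18676 Requires new API SBuf` should read `require`, and `the only new checks is the introduction of NID checks` should read `the only new check is`.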



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/570671f57054d4cb93b5100a0e3e5f0f54686a88


[Git][security-tracker-team/security-tracker][master] Reserve DSA number for openconnect update

2020-01-20 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f4f38592 by Salvatore Bonaccorso at 2020-01-20T21:25:19+01:00
Reserve DSA number for openconnect update

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,7 @@
+[20 Jan 2020] DSA-4607-1 openconnect - security update
+   {CVE-2019-16239}
+   [stretch] - openconnect 7.08-1+deb9u1
+   [buster] - openconnect 8.02-1+deb10u1
 [20 Jan 2020] DSA-4606-1 chromium - security update
{CVE-2019-13725 CVE-2019-13726 CVE-2019-13727 CVE-2019-13728 
CVE-2019-13729 CVE-2019-13730 CVE-2019-13732 CVE-2019-13734 CVE-2019-13735 
CVE-2019-13736 CVE-2019-13737 CVE-2019-13738 CVE-2019-13739 CVE-2019-13740 
CVE-2019-13741 CVE-2019-13742 CVE-2019-13743 CVE-2019-13744 CVE-2019-13745 
CVE-2019-13746 CVE-2019-13747 CVE-2019-13748 CVE-2019-13749 CVE-2019-13750 
CVE-2019-13751 CVE-2019-13752 CVE-2019-13753 CVE-2019-13754 CVE-2019-13755 
CVE-2019-13756 CVE-2019-13757 CVE-2019-13758 CVE-2019-13759 CVE-2019-13761 
CVE-2019-13762 CVE-2019-13763 CVE-2019-13764 CVE-2019-13767 CVE-2020-6377 
CVE-2020-6378 CVE-2020-6379 CVE-2020-6380}
[buster] - chromium 79.0.3945.130-1~deb10u1


=
data/dsa-needed.txt
=
@@ -36,8 +36,6 @@ nodejs
 nss/oldstable (jmm)
   Roberto proposed an update including fixes for CVE-2018-12404 and 
CVE-2018-18508
 --
-openconnect (carnil)
---
 openjdk-8 (jmm)
 --
 php7.0



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/f4f38592fa3ff97c17e8640ad99e0cf47b9fc104


[Git][security-tracker-team/security-tracker][master] automatic update

2020-01-20 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d6638748 by security tracker role at 2020-01-20T20:10:24+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,5 @@
+CVE-2019-20382
+   RESERVED
 CVE-2020-7238
RESERVED
 CVE-2020-7237 (Cacti 1.2.8 allows Remote Code Execution (by privileged users) 
via she ...)
@@ -1855,14 +1857,18 @@ CVE-2020-6381
RESERVED
 CVE-2020-6380
RESERVED
+   {DSA-4606-1}
- chromium 79.0.3945.130-1
 CVE-2020-6379
RESERVED
+   {DSA-4606-1}
- chromium 79.0.3945.130-1
 CVE-2020-6378
RESERVED
+   {DSA-4606-1}
- chromium 79.0.3945.130-1
 CVE-2020-6377 (Use after free in audio in Google Chrome prior to 79.0.3945.117 
allowe ...)
+   {DSA-4606-1}
- chromium 79.0.3945.130-1
 CVE-2020-6376
RESERVED
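Review bot: the `{DSA-4606-1}` cross-reference is added to CVE-2020-6378, CVE-2020-6379 and CVE-2020-6380, which remain bare `RESERVED` entries with no description; since the DSA already attributes them to chromium 79.0.3945.130, a bracketed summary on each CVE line would stop them reading as unexplained reserved IDs in the tracker until MITRE publishes text.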
@@ -4637,6 +4643,7 @@ CVE-2019-20210 (The CTHthemes CityBook before 2.3.4, 
TownHub before 1.0.6, and E
 CVE-2019-20209 (The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and 
EasyBoo ...)
NOT-FOR-US: themes for WordPress
 CVE-2019-20208 (dimC_Read in isomedia/box_code_3gpp.c in GPAC 0.8.0 has a 
stack-based  ...)
+   {DLA-2072-1}
- gpac 
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
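Review bot: `{DLA-2072-1}` is added to CVE-2019-20208 whose package line stays `- gpac ` with buster and stretch marked `(Minor issue)`, so the issue is shown as open in every suite except the one the DLA covers; that matches commit d5def294 in this digest, which drops the `[jessie] ... (Minor issue ...)` lines for other gpac CVEs fixed by the same DLA. The hunk context ends at the stretch line, so check that this entry does not still carry a stale `[jessie]` no-dsa line further down.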
@@ -4833,11 +4840,13 @@ CVE-2019-20173
 CVE-2019-20172 (Kernel/VM/MemoryManager.cpp in SerenityOS before 2019-12-30 
does not r ...)
NOT-FOR-US: SerenityOS
 CVE-2019-20171 (An issue was discovered in GPAC version 0.8.0 and 
0.9.0-development-20 ...)
+   {DLA-2072-1}
- gpac 
NOTE: https://github.com/gpac/gpac/issues/1337
NOTE: 
https://github.com/gpac/gpac/commit/72cdc5048dead86bb1df7d21e0b9975e49cf2d97
NOTE: 
https://github.com/gpac/gpac/commit/2bcca3f1d4605100bb27d3ed7be25b53cddbc75c
 CVE-2019-20170 (An issue was discovered in GPAC version 0.8.0 and 
0.9.0-development-20 ...)
+   {DLA-2072-1}
- gpac 
NOTE: https://github.com/gpac/gpac/issues/1328
NOTE: 
https://github.com/gpac/gpac/commit/16856430287cc10f495eb241910b4dc45b193e03
@@ -4861,6 +4870,7 @@ CVE-2019-20166 (An issue was discovered in GPAC version 
0.8.0 and 0.9.0-developm
NOTE: https://github.com/gpac/gpac/issues/1331
NOTE: 
https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80 
(chunk #2)
 CVE-2019-20165 (An issue was discovered in GPAC version 0.8.0 and 
0.9.0-development-20 ...)
+   {DLA-2072-1}
- gpac 
NOTE: https://github.com/gpac/gpac/issues/1338
NOTE: 
https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80 
(chunk #1)
@@ -4869,14 +4879,17 @@ CVE-2019-20164 (An issue was discovered in GPAC version 
0.8.0 and 0.9.0-developm
NOTE: https://github.com/gpac/gpac/issues/1332
NOTE: 
https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80 
(chunk #2)
 CVE-2019-20163 (An issue was discovered in GPAC version 0.8.0 and 
0.9.0-development-20 ...)
+   {DLA-2072-1}
- gpac 
NOTE: https://github.com/gpac/gpac/issues/1335
NOTE: 
https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80 
(chunk #4)
 CVE-2019-20162 (An issue was discovered in GPAC version 0.8.0 and 
0.9.0-development-20 ...)
+   {DLA-2072-1}
- gpac 
NOTE: https://github.com/gpac/gpac/issues/1327
NOTE: 
https://github.com/gpac/gpac/commit/3c0ba42546c8148c51169c3908e845c308746c77
 CVE-2019-20161 (An issue was discovered in GPAC version 0.8.0 and 
0.9.0-development-20 ...)
+   {DLA-2072-1}
- gpac 
NOTE: https://github.com/gpac/gpac/issues/1320
NOTE: 
https://github.com/gpac/gpac/commit/7a09732d4978586e6284e84caa9c301b2fa5e956
@@ -23058,7 +23071,7 @@ CVE-2019-17027
RESERVED
 CVE-2019-17026
RESERVED
-   {DSA-4603-1 DSA-4600-1 DLA-2061-1}
+   {DSA-4603-1 DSA-4600-1 DLA-2071-1 DLA-2061-1}
- firefox 72.0.1-1 (bug #948452)
- firefox-esr 68.4.1esr-1
- thunderbird 1:68.4.1-1
@@ -23068,7 +23081,7 @@ CVE-2019-17025 (Mozilla developers reported memory 
safety bugs present in Firefo
- firefox 72.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17025
 CVE-2019-17024 (Mozilla developers reported memory safety bugs present in 
Firefox 71 a ...)
-   {DSA-4603-1 DSA-4600-1 DLA-2061-1}
+   {DSA-4603-1 DSA-4600-1 DLA-2071-1 DLA-2061-1}
- firefox 72.0-1
- firefox-esr 68.4.0esr-1
- thunderbird 1:68.4.1-1
@@ -23082,7 +23095,7 @@ CVE-2019-17023 (After a HelloRetryRequest has been 
sent, the client may negotiat
NOTE: 
https://hg.mozilla.org/projects/nss/rev/d64102b76a437f24d98a20480dcc9f1655143e7c
NOTE: 

[Git][security-tracker-team/security-tracker][master] still working on tomcat8 in jessie

2020-01-20 Thread Abhijith PA


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7bfe0afe by Abhijith PA at 2020-01-21T00:48:49+05:30
still working on tomcat8 in jessie

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -128,7 +128,7 @@ tomcat7 (Markus Koschany)
   NOTE: 20200115: https://people.debian.org/~apo/tomcat7/
   NOTE: 20200115: waiting for sunweaver's review
 --
-tomcat8
+tomcat8 (Abhijith PA)
  NOTE: 20200106: Almost done. Working on failing testcase.
 --
 transfig (Dylan Aïssi)
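Review bot: the re-claim adds `(Abhijith PA)` back but leaves `NOTE: 20200106: Almost done. Working on failing testcase.` as the only status; since this follows an unclaim for two weeks of inactivity (commit 9125a615 in this digest), a dated 20200120 NOTE with the current state would show the entry is active and avoid a second automatic unclaim.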



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/7bfe0afe53862951bcb0b12aab096ef5b74099db


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-18899/apt-cacher-ng

2020-01-20 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9d8a230f by Salvatore Bonaccorso at 2020-01-20T19:03:16+01:00
Add CVE-2019-18899/apt-cacher-ng

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -15149,6 +15149,7 @@ CVE-2019-18900
RESERVED
 CVE-2019-18899
RESERVED
+   - apt-cacher-ng  (openSUSE specific systemd service unit 
configuration)
 CVE-2019-18898
RESERVED
NOT-FOR-US: SUSE specific packaging issue in %posttrans section in 
src:trousers
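Review bot: the parenthetical records CVE-2019-18899 as an openSUSE-specific systemd service unit configuration issue, but the neighbouring context line handles the analogous SUSE-specific packaging issue in src:trousers (CVE-2019-18898) as `NOT-FOR-US:` rather than as a package line; both packages exist in Debian, so the two entries take different approaches to the same situation and one of them should be aligned with the other. A NOTE pointing at the openSUSE bug or the affected unit file would also let a later reader confirm that Debian's own unit file does not share the problem.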



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/9d8a230f0143dfc1bb190e5b61bb2ba6ca045b16


[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2020-01-20 Thread Holger Levsen


Holger Levsen pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9125a615 by Holger Levsen at 2020-01-20T18:57:30+01:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Holger Levsen hol...@layer-acht.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -128,7 +128,7 @@ tomcat7 (Markus Koschany)
   NOTE: 20200115: https://people.debian.org/~apo/tomcat7/
   NOTE: 20200115: waiting for sunweaver's review
 --
-tomcat8 (Abhijith PA)
+tomcat8
  NOTE: 20200106: Almost done. Working on failing testcase.
 --
 transfig (Dylan Aïssi)
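Review bot: after removing `(Abhijith PA)` the entry keeps `NOTE: 20200106: Almost done. Working on failing testcase.` as its only status line, which will read as stale and misleading to the next person who picks tomcat8 up; a dated NOTE stating that the entry was unclaimed for inactivity (as the commit message says) would preserve that context in the file itself.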



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/9125a61536a4399947a38dc5d3a7aa1a1d72b2db


[Git][security-tracker-team/security-tracker][master] Add and claim storebackup

2020-01-20 Thread Utkarsh Gupta


Utkarsh Gupta pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
41693fa2 by Utkarsh Gupta at 2020-01-20T23:23:38+05:30
Add and claim storebackup

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -120,8 +120,10 @@ squid3
   NOTE: 20200116: being able to reproduce makes it impossible isolate the 
minimal change that
   NOTE: 20200116: addresses the vulnerabilities. (roberto)
 --
+storebackup (Utkarsh Gupta)
+--
 suricata (Mike Gabriel)

+--
 tomcat7 (Markus Koschany)
   NOTE: 20200115: https://people.debian.org/~apo/tomcat7/
   NOTE: 20200115: waiting for sunweaver's review
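Review bot: the hunk adds the missing `--` separator between `suricata (Mike Gabriel)` and `tomcat7 (Markus Koschany)`, but the blank line after the suricata entry is kept as context; every other entry in this file is followed directly by `--` with no blank line, so that blank line should go as well to keep the format uniform.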



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/41693fa297eb01e86892e3c7db4352966039a1b7


[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-7040/storebackup

2020-01-20 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
caf07d44 by Salvatore Bonaccorso at 2020-01-20T17:36:55+01:00
Add Debian bug reference for CVE-2020-7040/storebackup

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -426,7 +426,7 @@ CVE-2020-7041
RESERVED
 CVE-2020-7040 [storeBackup: denial of service and symlink attack vector via 
fixed lockfile path /tmp/storeBackup.lock]
RESERVED
-   - storebackup 
+   - storebackup  (bug #949393)
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1156767
NOTE: https://www.openwall.com/lists/oss-security/2020/01/20/3
NOTE: SuSE provided patch: 
https://www.openwall.com/lists/oss-security/2020/01/20/3/1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/caf07d4443f83ddbb8f5a4e7de232668ecd49c39


[Git][security-tracker-team/security-tracker][master] Add CVE-2020-7040/storebackup

2020-01-20 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
61cdcd7d by Salvatore Bonaccorso at 2020-01-20T17:21:53+01:00
Add CVE-2020-7040/storebackup

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -424,8 +424,12 @@ CVE-2020-7042
RESERVED
 CVE-2020-7041
RESERVED
-CVE-2020-7040
+CVE-2020-7040 [storeBackup: denial of service and symlink attack vector via 
fixed lockfile path /tmp/storeBackup.lock]
RESERVED
+   - storebackup 
+   NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1156767
+   NOTE: https://www.openwall.com/lists/oss-security/2020/01/20/3
+   NOTE: SuSE provided patch: 
https://www.openwall.com/lists/oss-security/2020/01/20/3/1
 CVE-2020-7039 (tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, 
misman ...)
- libslirp 4.1.0-2 (bug #949084)
- qemu 1:4.1-2
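Review bot: the `- storebackup ` package line records no Debian bug reference although the summary describes a symlink attack via a fixed /tmp/storeBackup.lock path in a package Debian ships; the SuSE bug and the oss-security post are third-party references, so a Debian bug should be filed and recorded on the package line (the follow-up commit caf07d44 in this digest does add bug #949393).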



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/61cdcd7dca1e1f69e76559aac333d02411f4581e


[Git][security-tracker-team/security-tracker][master] Add fixed version via unstable for CVE-2019-5477/rexical

2020-01-20 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
55ab601d by Salvatore Bonaccorso at 2020-01-20T17:13:18+01:00
Add fixed version via unstable for CVE-2019-5477/rexical

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -57643,7 +57643,7 @@ CVE-2019-5478 (A weakness was found in Encrypt Only 
boot mode in Zynq UltraScale
NOT-FOR-US: Encrypt Only boot mode in Zynq UltraScale+ devices
 CVE-2019-5477 (A command injection vulnerability in Nokogiri v1.10.3 and 
earlier allo ...)
{DLA-1933-1}
-   - rexical  (bug #940905)
+   - rexical 1.0.7-1 (bug #940905)
[buster] - rexical  (Minor issue, can be fixed via point 
release)
[stretch] - rexical  (Minor issue, can be fixed via point 
release)
- ruby-nokogiri 1.10.4+dfsg1-1 (bug #934802)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/55ab601d91d1d288facfdd693c4747907cd4d81b


[Git][security-tracker-team/security-tracker][master] Reference commits for CVE-2019-1579{5,6}/python-apt

2020-01-20 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
477e90c4 by Salvatore Bonaccorso at 2020-01-20T16:22:16+01:00
Reference commits for CVE-2019-1579{5,6}/python-apt

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -26577,9 +26577,12 @@ CVE-2019-15797
 CVE-2019-15796 [python-apt: Check that repository is trusted before 
downloading from it]
RESERVED
- python-apt 1.8.5
+   NOTE: 
https://salsa.debian.org/apt-team/python-apt/commit/b4eef110b7ba4fb21cc0dd92585756f50e0100c9
 (1.8.5)
+   NOTE: 
https://salsa.debian.org/apt-team/python-apt/commit/e3321eb9792bf3b4cace4cee47dc6da00fbee929
 (1.8.5)
 CVE-2019-15795 [python-apt: Do not use MD5 for verifying downloads]
RESERVED
- python-apt 1.8.5
+   NOTE: 
https://salsa.debian.org/apt-team/python-apt/commit/e175130e51c2b0424f3dfeb825e3dc598fec1a24
 (1.8.5)
 CVE-2019-15794
RESERVED
 CVE-2019-15793



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/477e90c4bbaeb1197f46bdb64fecdfc3865e9fb3


[Git][security-tracker-team/security-tracker][master] Remove no-dsa tagged entries which got an update

2020-01-20 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d5def294 by Salvatore Bonaccorso at 2020-01-20T16:15:05+01:00
Remove no-dsa tagged entries which got an update

According to 27cacdce393d (DLA-2072-1: fix fixed CVEs) those three
CVEs were fixed as well in the recent DLA-2072-1, thus removing the
no-dsa/postponed tags.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -24980,14 +24980,12 @@ CVE-2018-21016 (audio_sample_entry_AddBox() at 
isomedia/box_code_base.c in GPAC
- gpac  (bug #940882)
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
-   [jessie] - gpac  (Minor issue, local DoS in function 
'mp4a_AddBox')
NOTE: https://github.com/gpac/gpac/issues/1180
NOTE: 
https://github.com/gpac/gpac/commit/ea13945f3c2dc2c21e30e2731bf2782384307a13
 CVE-2018-21015 (AVC_DuplicateConfig() at isomedia/avc_ext.c in GPAC 0.7.1 
allows remot ...)
- gpac  (bug #940882)
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
-   [jessie] - gpac  (Minor issue, local DoS)
NOTE: https://github.com/gpac/gpac/issues/1179
NOTE: 
https://github.com/gpac/gpac/commit/0545bb0a01bfac6764c43bd5074e9c2d1eae495f
 CVE-2019-16342
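Review bot: with the [jessie] no-dsa lines for CVE-2018-21016 and CVE-2018-21015 dropped, nothing in this hunk records the jessie fix; the jessie state now rests solely on those two ids being in the CVE set of the DLA-2072-1 entry in data/DLA/list (commit 27cacdce named in the commit message). Verify that both ids appear there, otherwise jessie flips from "no-dsa" to "open" rather than to "fixed". Leaving the [buster]/[stretch] "Minor issue" tags untouched is consistent with the fix having gone out only through LTS.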
@@ -33640,7 +33638,6 @@ CVE-2019-13618 (In GPAC before 0.8.0, 
isomedia/isom_read.c in libgpac.a has a he
- gpac  (low; bug #932242)
[buster] - gpac  (Minor issue)
[stretch] - gpac  (Minor issue)
-   [jessie] - gpac  (Minor issue)
NOTE: https://github.com/gpac/gpac/issues/1250
NOTE: 
https://github.com/gpac/gpac/commit/c23d54ed15a70b4543e3191e6ead5097cda0878b
 CVE-2019-13617 (njs through 0.3.3, used in NGINX, has a heap-based buffer 
over-read in ...)
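Review bot: same dependency for CVE-2019-13618 as in the first hunk: once the [jessie] line is gone, its jessie status is derived entirely from the DLA-2072-1 CVE set, so that entry must list CVE-2019-13618 or the issue reappears as unfixed in jessie.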



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/d5def2948a22bf4d3e50da1fc1fe6a9e23d9f9b2


[Git][security-tracker-team/security-tracker][master] add python-apt

2020-01-20 Thread Thorsten Alteholz


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bc6dd14e by Thorsten Alteholz at 2020-01-20T15:23:00+01:00
add python-apt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -74,6 +74,8 @@ openjpeg2 (Mike Gabriel)
 --
 otrs2 (Abhijith PA)
 --
+python-apt
+--
 python-pysaml2 (Abhijith PA)
 --
 python-reportlab (Hugo Lefeuvre)
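Review bot: the python-apt entry is added unclaimed and without a NOTE, while the surrounding entries carry a claimant in parentheses and, where useful, a dated NOTE. A NOTE naming the open ids (CVE-2019-15795 and CVE-2019-15796, added to data/CVE/list the same day with fixed version 1.8.5) would save the next LTS triager a lookup.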



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/bc6dd14ee7f2905b6c00d43bee0f23bfc2b17128


[Git][security-tracker-team/security-tracker][master] DLA-2072-1: fix fixed CVEs

2020-01-20 Thread Sylvain Beucler


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
27cacdce by Sylvain Beucler at 2020-01-20T14:34:34+01:00
DLA-2072-1: fix fixed CVEs

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
@@ -1,5 +1,5 @@
 [20 Jan 2020] DLA-2072-1 gpac - security update
-   {CVE-2019-20161 CVE-2019-20162 CVE-2019-20163 CVE-2019-20165 
CVE-2019-20168 CVE-2019-20169 CVE-2019-20170 CVE-2019-20171 CVE-2019-20208}
+   {CVE-2018-21015 CVE-2018-21016 CVE-2019-13618 CVE-2019-20161 
CVE-2019-20162 CVE-2019-20163 CVE-2019-20165 CVE-2019-20170 CVE-2019-20171 
CVE-2019-20208}
[jessie] - gpac 0.5.0+svn5324~dfsg1-1+deb8u5
 [20 Jan 2020] DLA-2071-1 thunderbird - security update
{CVE-2019-17016 CVE-2019-17017 CVE-2019-17022 CVE-2019-17024 
CVE-2019-17026}
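Review bot: the hunk does more than the commit message says. Besides adding CVE-2018-21015, CVE-2018-21016 and CVE-2019-13618, it silently drops CVE-2019-20168 and CVE-2019-20169 from the DLA-2072-1 set. If those two were not fixed by gpac 0.5.0+svn5324~dfsg1-1+deb8u5, their data/CVE/list entries need a jessie state again and the commit message should say so; if they were fixed, they should stay in the set. Either way the removal should be stated explicitly.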



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/27cacdce393d377bdd9fd6ffd806cdb0d8878253


[Git][security-tracker-team/security-tracker][master] wpa ospu

2020-01-20 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ea4847fd by Moritz Muehlenhoff at 2020-01-20T14:12:39+01:00
wpa ospu

- - - - -


1 changed file:

- data/next-oldstable-point-update.txt


Changes:

=
data/next-oldstable-point-update.txt
=
@@ -128,3 +128,5 @@ CVE-2017-14062
[stretch] - libidn 1.33-1+deb9u1
 CVE-2016-10894
[stretch] - xtrlock 2.8+deb9u1
+CVE-2019-16275
+   [stretch] - wpa 2:2.4-1+deb9u5
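Review bot: the entry itself is fine and 2:2.4-1+deb9u5 keeps the epoch; just make sure the [stretch] line for CVE-2019-16275 in data/CVE/list is set to the same version once the point release is announced, since this file only records what is queued for the next oldstable point update.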



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ea4847fd4fbd383e4593442a56ffada2a72a5fbe


[Git][security-tracker-team/security-tracker][master] new python-apt issues

2020-01-20 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
42fe9ba9 by Moritz Muehlenhoff at 2020-01-20T14:10:43+01:00
new python-apt issues
otrs fixed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13686,20 +13686,20 @@ CVE-2020-1769
 CVE-2020-1768
RESERVED
 CVE-2020-1767 (Agent A is able to save a draft (i.e. for customer reply). Then 
Agent  ...)
-   - otrs2 
+   - otrs2 6.0.25-1
[buster] - otrs2  (Non-free not supported)
[stretch] - otrs2  (Non-free not supported)
NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-03/
NOTE: 
https://github.com/OTRS/otrs/commit/5f488fd6c809064ee49def3a432030258d211570
 CVE-2020-1766 (Due to improper handling of uploaded images it is possible in 
very unl ...)
-   - otrs2 
+   - otrs2 6.0.25-1
[buster] - otrs2  (Non-free not supported)
[stretch] - otrs2  (Non-free not supported)
NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-02/
NOTE: 
https://github.com/OTRS/otrs/commit/128078b0bb30f601ed97d4a13906644264ee6013 
(OTRS6)
NOTE: 
https://github.com/OTRS/otrs/commit/b7d80f9000fc9a435743d8d1d7d44d9a17483a9a 
(OTRS5)
 CVE-2020-1765 (An improper control of parameters allows the spoofing of the 
from fiel ...)
-   - otrs2 
+   - otrs2 6.0.25-1
[buster] - otrs2  (Non-free not supported)
[stretch] - otrs2  (Non-free not supported)
NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-01/
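Review bot: the three otrs2 entries go from an empty (unfixed) version to 6.0.25-1 in one step; confirm that 6.0.25-1 has actually been accepted into unstable before marking, since the tracker treats the version as fixed in sid immediately. CVE-2020-1765 carries only the advisory URL, while CVE-2020-1766 and CVE-2020-1767 also reference the upstream commits; if a commit exists for the from-field spoofing fix, add it for parity.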
@@ -26576,10 +26576,12 @@ CVE-2019-15798
RESERVED
 CVE-2019-15797
RESERVED
-CVE-2019-15796
+CVE-2019-15796 [python-apt: Check that repository is trusted before 
downloading from it]
RESERVED
-CVE-2019-15795
+   - python-apt 1.8.5
+CVE-2019-15795 [python-apt: Do not use MD5 for verifying downloads]
RESERVED
+   - python-apt 1.8.5
 CVE-2019-15794
RESERVED
 CVE-2019-15793
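Review bot: CVE-2019-15795 and CVE-2019-15796 get a bracketed description and a fixed version 1.8.5 but no NOTE pointing at the fixing changes or an advisory, so a reader cannot tell from the entry where 1.8.5 comes from. Add the salsa commit references (the "Reference commits for CVE-2019-1579{5,6}/python-apt" commit later the same day does exactly this).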



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/42fe9ba99f31733c2b89fc6d5cf36c023b26608f


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2072-1 for gpac

2020-01-20 Thread Sylvain Beucler


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f6732248 by Sylvain Beucler at 2020-01-20T13:53:22+01:00
Reserve DLA-2072-1 for gpac

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[20 Jan 2020] DLA-2072-1 gpac - security update
+   {CVE-2019-20161 CVE-2019-20162 CVE-2019-20163 CVE-2019-20165 
CVE-2019-20168 CVE-2019-20169 CVE-2019-20170 CVE-2019-20171 CVE-2019-20208}
+   [jessie] - gpac 0.5.0+svn5324~dfsg1-1+deb8u5
 [20 Jan 2020] DLA-2071-1 thunderbird - security update
{CVE-2019-17016 CVE-2019-17017 CVE-2019-17022 CVE-2019-17024 
CVE-2019-17026}
[jessie] - thunderbird 1:68.4.1-1~deb8u1
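Review bot: the CVE set reserved here (CVE-2019-20161 through CVE-2019-20208, including CVE-2019-20168 and CVE-2019-20169) is corrected in the follow-up "DLA-2072-1: fix fixed CVEs" commit, which drops 20168/20169 and adds CVE-2018-21015, CVE-2018-21016 and CVE-2019-13618. Cross-check the set against the changelog of gpac 0.5.0+svn5324~dfsg1-1+deb8u5 at reservation time so the advisory text and the tracker agree from the start.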


=
data/dla-needed.txt
=
@@ -17,10 +17,6 @@ clamav (Hugo Lefeuvre)
   NOTE: team would like to wait for an init script for the new clamonacc
   NOTE: binary, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946557
 --
-gpac (Sylvain Beucler)
-  NOTE: 20200105: All open issues are unfixed. Adding it here for future
-  NOTE: triaging when more information are available. (apo)
---
 graphicsmagick (Thorsten Alteholz)
   NOTE: 20200119: WIP
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/f67322484453980d793c35c5252482f46dc5c205


[Git][security-tracker-team/security-tracker][master] CVE-2020-6630,CVE-2020-6631/gpac: jessie triage

2020-01-20 Thread Sylvain Beucler


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
baf11202 by Sylvain Beucler at 2020-01-20T13:30:25+01:00
CVE-2020-6630,CVE-2020-6631/gpac: jessie triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1303,11 +1303,13 @@ CVE-2020-6632 (In PrestaShop 1.7.6.2, XSS can occur 
during addition or removal o
NOT-FOR-US: PrestaShop
 CVE-2020-6631 (An issue was discovered in GPAC version 0.8.0. There is a NULL 
pointer ...)
- gpac 
+   [jessie] - gpac  (Minor issue, clean crash, MP42TS not 
shipped, incomplete patch)
NOTE: https://github.com/gpac/gpac/issues/1378
NOTE: 
https://github.com/gpac/gpac/commit/c7e46e948ebe2d4a532539c7e714cdf655b84521
NOTE: fix considered "ugly" by upstream and introduces abort(3)-based 
DoS
 CVE-2020-6630 (An issue was discovered in GPAC version 0.8.0. There is a NULL 
pointer ...)
- gpac 
+   [jessie] - gpac  (Minor issue, clean crash, MP42TS not 
shipped, incomplete patch)
NOTE: https://github.com/gpac/gpac/issues/1377
NOTE: 
https://github.com/gpac/gpac/commit/c7e46e948ebe2d4a532539c7e714cdf655b84521
NOTE: fix considered "ugly" by upstream and introduces abort(3)-based 
DoS
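Review bot: only a [jessie] line is added for CVE-2020-6630 and CVE-2020-6631, while the rationale given (clean crash, MP42TS not shipped, upstream fix c7e46e94 incomplete and abort(3)-based) is not jessie-specific. If it holds for buster and stretch too, add matching [buster]/[stretch] lines so those suites do not stay "open" for an issue already judged minor. The upstream commit is the same for both CVEs, so any later fix should be applied to both at once.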



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/baf112021aa00f296f8b027eec0ddf13467f1827


[Git][security-tracker-team/security-tracker][master] chromium dsa

2020-01-20 Thread Michael Gilbert


Michael Gilbert pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5aaa66ac by Michael Gilbert at 2020-01-20T11:55:54+00:00
chromium dsa

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[20 Jan 2020] DSA-4606-1 chromium - security update
+   {CVE-2019-13725 CVE-2019-13726 CVE-2019-13727 CVE-2019-13728 
CVE-2019-13729 CVE-2019-13730 CVE-2019-13732 CVE-2019-13734 CVE-2019-13735 
CVE-2019-13736 CVE-2019-13737 CVE-2019-13738 CVE-2019-13739 CVE-2019-13740 
CVE-2019-13741 CVE-2019-13742 CVE-2019-13743 CVE-2019-13744 CVE-2019-13745 
CVE-2019-13746 CVE-2019-13747 CVE-2019-13748 CVE-2019-13749 CVE-2019-13750 
CVE-2019-13751 CVE-2019-13752 CVE-2019-13753 CVE-2019-13754 CVE-2019-13755 
CVE-2019-13756 CVE-2019-13757 CVE-2019-13758 CVE-2019-13759 CVE-2019-13761 
CVE-2019-13762 CVE-2019-13763 CVE-2019-13764 CVE-2019-13767 CVE-2020-6377 
CVE-2020-6378 CVE-2020-6379 CVE-2020-6380}
+   [buster] - chromium 79.0.3945.130-1~deb10u1
 [19 Jan 2020] DSA-4605-1 openjdk-11 - security update
{CVE-2020-2583 CVE-2020-2590 CVE-2020-2593 CVE-2020-2601 CVE-2020-2604 
CVE-2020-2654 CVE-2020-2655}
[buster] - openjdk-11 11.0.6+10-1~deb10u1
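Review bot: the CVE set runs CVE-2019-13725 to CVE-2019-13767 with gaps at 13731, 13733, 13760, 13765 and 13766, then CVE-2020-6377 to CVE-2020-6380. If the gaps are intentional (ids not applicable to the Linux build, or rejected), fine; if the upstream release notes for 79.0.3945.130 list them, they belong in the set, otherwise the tracker keeps them open in buster after the DSA.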


=
data/dsa-needed.txt
=
@@ -11,8 +11,6 @@ To pick an issue, simply add your uid behind it.
 
 If needed, specify the release by adding a slash after the name of the source 
package.
 
---
-chromium
 --
 curl (ghedo)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/5aaa66ac7553e1ca0d2b7d9c0eb6f362564ce717


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2071-1 for thunderbird

2020-01-20 Thread Emilio Pozuelo Monfort


Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
193ad34f by Emilio Pozuelo Monfort at 2020-01-20T11:52:03+01:00
Reserve DLA-2071-1 for thunderbird

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[20 Jan 2020] DLA-2071-1 thunderbird - security update
+   {CVE-2019-17016 CVE-2019-17017 CVE-2019-17022 CVE-2019-17024 
CVE-2019-17026}
+   [jessie] - thunderbird 1:68.4.1-1~deb8u1
 [19 Jan 2020] DLA-2070-1 ruby-excon - security update
{CVE-2019-16779}
[jessie] - ruby-excon 0.33.0-2+deb8u1


=
data/dla-needed.txt
=
@@ -124,8 +124,6 @@ squid3
 --
 suricata (Mike Gabriel)
 ---
-thunderbird (Emilio)
---
 tomcat7 (Markus Koschany)
   NOTE: 20200115: https://people.debian.org/~apo/tomcat7/
   NOTE: 20200115: waiting for sunweaver's review



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/193ad34f087359589a209e60dc4cdd7796e63768


[Git][security-tracker-team/security-tracker][master] Process NFUs

2020-01-20 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2b4552a3 by Salvatore Bonaccorso at 2020-01-20T09:34:00+01:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3,17 +3,17 @@ CVE-2020-7238
 CVE-2020-7237 (Cacti 1.2.8 allows Remote Code Execution (by privileged users) 
via she ...)
TODO: check
 CVE-2020-7236 (UHP UHP-100 3.4.1.15, 3.4.2.4, and 3.4.3 devices allow XSS via 
cw2?td= ...)
-   TODO: check
+   NOT-FOR-US: UHP UHP-100 devices
 CVE-2020-7235 (UHP UHP-100 3.4.1.15, 3.4.2.4, and 3.4.3 devices allow XSS via 
cB3?ta= ...)
-   TODO: check
+   NOT-FOR-US: UHP UHP-100 devices
 CVE-2020-7234 (Ruckus ZoneFlex R310 104.0.0.0.1347 devices allow Stored XSS 
via the S ...)
-   TODO: check
+   NOT-FOR-US: Ruckus ZoneFlex R310 devices
 CVE-2020-7233 (KMS Controls BAC-A1616BC BACnet devices have a cleartext 
password of s ...)
-   TODO: check
+   NOT-FOR-US: KMS Controls BAC-A1616BC BACnet devices
 CVE-2020-7232 (Evoko Home 1.31 devices allow remote attackers to obtain 
sensitive inf ...)
-   TODO: check
+   NOT-FOR-US: Evoko Home devices
 CVE-2020-7231 (Evoko Home 1.31 devices provide different error messages for 
failed lo ...)
-   TODO: check
+   NOT-FOR-US: Evoko Home devices
 CVE-2019-20381 (TestLink before 1.9.20 allows XSS via non-lowercase 
javascript: in the ...)
TODO: check
 CVE-2016-11018
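Review bot: the NOT-FOR-US markings are consistent (device firmware and vendor appliances), and the two ids left as TODO: check are the right ones to keep, but CVE-2020-7237 (Cacti 1.2.8 RCE by privileged users) concerns a package Debian ships and should be triaged next rather than sit behind the NFUs; CVE-2019-20381 (TestLink XSS) still needs a packaged/NOT-FOR-US decision.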
@@ -49,7 +49,7 @@ CVE-2020-7217
 CVE-2020-7216
RESERVED
 CVE-2020-7215 (An issue was discovered in Gallagher Command Centre 7.x before 
7.90.99 ...)
-   TODO: check
+   NOT-FOR-US: Gallagher Command Centre
 CVE-2020-7214
RESERVED
 CVE-2020-7213



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2b4552a303c5b76e12ed327dc1370dde7e542363


[Git][security-tracker-team/security-tracker][master] automatic update

2020-01-20 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fdc16fb7 by security tracker role at 2020-01-20T08:10:28+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,23 @@
+CVE-2020-7238
+   RESERVED
+CVE-2020-7237 (Cacti 1.2.8 allows Remote Code Execution (by privileged users) 
via she ...)
+   TODO: check
+CVE-2020-7236 (UHP UHP-100 3.4.1.15, 3.4.2.4, and 3.4.3 devices allow XSS via 
cw2?td= ...)
+   TODO: check
+CVE-2020-7235 (UHP UHP-100 3.4.1.15, 3.4.2.4, and 3.4.3 devices allow XSS via 
cB3?ta= ...)
+   TODO: check
+CVE-2020-7234 (Ruckus ZoneFlex R310 104.0.0.0.1347 devices allow Stored XSS 
via the S ...)
+   TODO: check
+CVE-2020-7233 (KMS Controls BAC-A1616BC BACnet devices have a cleartext 
password of s ...)
+   TODO: check
+CVE-2020-7232 (Evoko Home 1.31 devices allow remote attackers to obtain 
sensitive inf ...)
+   TODO: check
+CVE-2020-7231 (Evoko Home 1.31 devices provide different error messages for 
failed lo ...)
+   TODO: check
+CVE-2019-20381 (TestLink before 1.9.20 allows XSS via non-lowercase 
javascript: in the ...)
+   TODO: check
+CVE-2016-11018
+   RESERVED
 CVE-2020-7230
RESERVED
 CVE-2020-7229
@@ -28,8 +48,8 @@ CVE-2020-7217
RESERVED
 CVE-2020-7216
RESERVED
-CVE-2020-7215
-   RESERVED
+CVE-2020-7215 (An issue was discovered in Gallagher Command Centre 7.x before 
7.90.99 ...)
+   TODO: check
 CVE-2020-7214
RESERVED
 CVE-2020-7213
@@ -11018,9 +11038,11 @@ CVE-2020-2657 (Vulnerability in the Oracle CRM 
Technical Foundation product of O
 CVE-2020-2656 (Vulnerability in the Oracle Solaris product of Oracle Systems 
(compone ...)
NOT-FOR-US: Oracle
 CVE-2020-2655 (Vulnerability in the Java SE product of Oracle Java SE 
(component: JSS ...)
+   {DSA-4605-1}
- openjdk-13 13.0.2+8-1
- openjdk-11 11.0.6+10-1
 CVE-2020-2654 (Vulnerability in the Java SE product of Oracle Java SE 
(component: Lib ...)
+   {DSA-4605-1}
- openjdk-13 13.0.2+8-1
- openjdk-11 11.0.6+10-1
- openjdk-8 
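Review bot: CVE-2020-2655 lists only openjdk-13 and openjdk-11, while CVE-2020-2654 directly below and the other Java SE entries in this update also carry an "- openjdk-8" line. If openjdk-8 is affected by the JSSE issue, the line is missing and the {DSA-4605-1} marker alone will not track it; if openjdk-8 is unaffected, a <not-affected> tag or a NOTE would make that explicit.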
@@ -11125,6 +11147,7 @@ CVE-2020-2606 (Vulnerability in the PeopleSoft 
Enterprise PeopleTools product of
 CVE-2020-2605 (Vulnerability in the Oracle Solaris product of Oracle Systems 
(compone ...)
NOT-FOR-US: Oracle
 CVE-2020-2604 (Vulnerability in the Oracle GraalVM Enterprise Edition product 
of Orac ...)
+   {DSA-4605-1}
- openjdk-13 13.0.2+8-1
- openjdk-11 11.0.6+10-1
- openjdk-8 
@@ -11134,6 +11157,7 @@ CVE-2020-2603 (Vulnerability in the Oracle Field 
Service product of Oracle E-Bus
 CVE-2020-2602 (Vulnerability in the PeopleSoft Enterprise PeopleTools product 
of Orac ...)
NOT-FOR-US: Oracle
 CVE-2020-2601 (Vulnerability in the Java SE, Java SE Embedded product of 
Oracle Java  ...)
+   {DSA-4605-1}
- openjdk-13 13.0.2+8-1
- openjdk-11 11.0.6+10-1
- openjdk-8 
@@ -11153,6 +11177,7 @@ CVE-2020-2595 (Vulnerability in the Oracle GraalVM 
Enterprise Edition product of
 CVE-2020-2594
RESERVED
 CVE-2020-2593 (Vulnerability in the Java SE, Java SE Embedded product of 
Oracle Java  ...)
+   {DSA-4605-1}
- openjdk-13 13.0.2+8-1
- openjdk-11 11.0.6+10-1
- openjdk-8 
@@ -11162,6 +11187,7 @@ CVE-2020-2592 (Vulnerability in the Oracle AutoVue 
product of Oracle Supply Chai
 CVE-2020-2591 (Vulnerability in the Oracle Web Applications Desktop Integrator 
produc ...)
NOT-FOR-US: Oracle
 CVE-2020-2590 (Vulnerability in the Java SE, Java SE Embedded product of 
Oracle Java  ...)
+   {DSA-4605-1}
- openjdk-13 13.0.2+8-1
- openjdk-11 11.0.6+10-1
- openjdk-8 
@@ -11182,6 +11208,7 @@ CVE-2020-2584 (Vulnerability in the MySQL Server 
product of Oracle MySQL (compon
- mysql-5.7 
NOTE: 
https://www.oracle.com/security-alerts/cpujan2020.html#AppendixMSQL
 CVE-2020-2583 (Vulnerability in the Java SE, Java SE Embedded product of 
Oracle Java  ...)
+   {DSA-4605-1}
- openjdk-13 13.0.2+8-1
- openjdk-11 11.0.6+10-1
- openjdk-8 



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/fdc16fb7ac4b8e93f5d55e21ad94d588d48848b4
