[Git][security-tracker-team/security-tracker][master] Add note on sarg-reports using mktemp in own Debian shipped version
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b776f749 by Salvatore Bonaccorso at 2020-01-21T08:06:52+01:00 Add note on sarg-reports using mktemp in own Debian shipped version - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15094,6 +15094,8 @@ CVE-2019-18932 [sarg: insecure usage of /tmp/sarg allows privilege escalation / RESERVED - sarg NOTE: https://www.openwall.com/lists/oss-security/2020/01/20/6 + NOTE: The sarg-reports as shipped in Debian has already safe use of mktemp for + NOTE: use of temporary files and directories. CVE-2019-18931 (Western Digital My Cloud EX2 Ultra firmware 2.31.195 allows a Buffer O ...) NOT-FOR-US: Western Digital My Cloud EX2 Ultra firmware CVE-2019-18930 (Western Digital My Cloud EX2 Ultra firmware 2.31.183 allows web users ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b776f7494a515d8dda29a7625cf0131f69bf8398 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b776f7494a515d8dda29a7625cf0131f69bf8398 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
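Review bot: the new NOTE concludes that Debian's sarg-reports already uses mktemp safely, but the entry keeps the bare "- sarg" line, so the package still shows as affected; if the analysis holds, record it as a status for the Debian revision that was inspected (naming that revision) rather than only as a free-form NOTE. The bracketed summary also talks about insecure use of /tmp/sarg in general, so say whether the sarg binary itself was checked and not only the sarg-reports script.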
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-14888/undertow
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 37e3e4b3 by Salvatore Bonaccorso at 2020-01-21T07:59:52+01:00 Add CVE-2019-14888/undertow - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29598,6 +29598,8 @@ CVE-2019-14889 (A flaw was found with the libssh API function ssh_scp_new() in v NOTE: https://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d163a943737fe4160f7233925df2eee1f9a CVE-2019-14888 RESERVED + - undertow + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1772464 CVE-2019-14887 RESERVED CVE-2019-14886 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/37e3e4b3b9abdb03f3b47033407f36341e80b23d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/37e3e4b3b9abdb03f3b47033407f36341e80b23d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
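Review bot: "- undertow" is added with no fixed version, no Debian bug reference and no summary while the CVE is still RESERVED; other reserved entries in this file carry a bracketed one-line summary (for example CVE-2019-18932 [sarg: ...]), so add one derived from the Red Hat bugzilla reference and, once a bug is filed, a "(bug #...)" reference, otherwise the entry is just a bare package name that nobody can triage from the tracker alone.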
[Git][security-tracker-team/security-tracker][master] Some more CVE fixes were cherry-picked for 4.9.210-1 upload
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b1114183 by Salvatore Bonaccorso at 2020-01-21T07:51:29+01:00 Some more CVE fixes were cherry-picked for 4.9.210-1 upload - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -130,8 +130,14 @@ CVE-2016-10894 [stretch] - xtrlock 2.8+deb9u1 CVE-2019-16275 [stretch] - wpa 2:2.4-1+deb9u5 +CVE-2018-13093 + [stretch] - linux 4.9.210-1 +CVE-2018-13094 + [stretch] - linux 4.9.210-1 CVE-2018-20976 [stretch] - linux 4.9.210-1 +CVE-2018-21008 + [stretch] - linux 4.9.210-1 CVE-2019-0136 [stretch] - linux 4.9.210-1 CVE-2019-10220 @@ -146,10 +152,18 @@ CVE-2019-14816 [stretch] - linux 4.9.210-1 CVE-2019-14895 [stretch] - linux 4.9.210-1 +CVE-2019-14896 + [stretch] - linux 4.9.210-1 +CVE-2019-14897 + [stretch] - linux 4.9.210-1 +CVE-2019-14901 + [stretch] - linux 4.9.210-1 CVE-2019-15030 [stretch] - linux 4.9.210-1 CVE-2019-15098 [stretch] - linux 4.9.210-1 +CVE-2019-15217 + [stretch] - linux 4.9.210-1 CVE-2019-15291 [stretch] - linux 4.9.210-1 CVE-2019-15505 @@ -188,6 +202,8 @@ CVE-2019-19037 [stretch] - linux 4.9.210-1 CVE-2019-19049 [stretch] - linux 4.9.210-1 +CVE-2019-19051 + [stretch] - linux 4.9.210-1 CVE-2019-19052 [stretch] - linux 4.9.210-1 CVE-2019-19056 
@@ -232,8 +248,14 @@ CVE-2019-19536 [stretch] - linux 4.9.210-1 CVE-2019-19537 [stretch] - linux 4.9.210-1 +CVE-2019-19767 + [stretch] - linux 4.9.210-1 +CVE-2019-19947 + [stretch] - linux 4.9.210-1 CVE-2019-19965 [stretch] - linux 4.9.210-1 +CVE-2019-20096 + [stretch] - linux 4.9.210-1 CVE-2019-2215 [stretch] - linux 4.9.210-1 CVE-2019-12614 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b1114183693ab7fc8e84b33116aef79c3c954be8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b1114183693ab7fc8e84b33116aef79c3c954be8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
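Review bot: the added entries follow the file's lexicographic CVE order (CVE-2019-15217 between 15098 and 15291, CVE-2019-20096 before CVE-2019-2215), but the trailing context line CVE-2019-12614 after CVE-2019-2215 is still out of that order; since this region is being edited anyway, move it up to sit between CVE-2019-10220 and CVE-2019-14615 so later insertions land in a consistently sorted list. Every entry carries the identical "[stretch] - linux 4.9.210-1" line, so a reader of this file cannot tell which upstream commits were cherry-picked; a pointer to the 4.9.210-1 changelog in the commit message would help whoever reviews the point update.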
[Git][security-tracker-team/security-tracker][master] CVE-2019-18932/sarg
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: 66a5c1e2 by Henri Salo at 2020-01-21T08:46:12+02:00 CVE-2019-18932/sarg - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15090,8 +15090,10 @@ CVE-2019-18934 (Unbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec NOTE: https://nlnetlabs.nl/downloads/unbound/CVE-2019-18934.txt CVE-2019-18933 (In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new ...) NOT-FOR-US: Zulip -CVE-2019-18932 +CVE-2019-18932 [sarg: insecure usage of /tmp/sarg allows privilege escalation / DoS attack vector] RESERVED + - sarg + NOTE: https://www.openwall.com/lists/oss-security/2020/01/20/6 CVE-2019-18931 (Western Digital My Cloud EX2 Ultra firmware 2.31.195 allows a Buffer O ...) NOT-FOR-US: Western Digital My Cloud EX2 Ultra firmware CVE-2019-18930 (Western Digital My Cloud EX2 Ultra firmware 2.31.183 allows web users ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/66a5c1e251f8fc01e532eaa9f895f0310a6c2943 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/66a5c1e251f8fc01e532eaa9f895f0310a6c2943 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
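Review bot: "- sarg" is added with neither a fixed version nor a Debian bug reference; the storebackup entry from the same day (CVE-2020-7040) got a "(bug #949393)" reference, so file and reference a bug here as well so the unfixed status is tracked in the BTS. The bracketed summary describes insecure usage of /tmp/sarg, which reads as a local issue; add severity or no-dsa annotations for the stable suites once that is confirmed, as the gpac and rexical entries in this file do.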
[Git][security-tracker-team/security-tracker][master] Track pending CVEs for linux via stretch-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7337fb94 by Salvatore Bonaccorso at 2020-01-21T07:24:57+01:00 Track pending CVEs for linux via stretch-pu - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = 
@@ -130,3 +130,111 @@ CVE-2016-10894 [stretch] - xtrlock 2.8+deb9u1 CVE-2019-16275 [stretch] - wpa 2:2.4-1+deb9u5 +CVE-2018-20976 + [stretch] - linux 4.9.210-1 +CVE-2019-0136 + [stretch] - linux 4.9.210-1 +CVE-2019-10220 + [stretch] - linux 4.9.210-1 +CVE-2019-14615 + [stretch] - linux 4.9.210-1 +CVE-2019-14814 + [stretch] - linux 4.9.210-1 +CVE-2019-14815 + [stretch] - linux 4.9.210-1 +CVE-2019-14816 + [stretch] - linux 4.9.210-1 +CVE-2019-14895 + [stretch] - linux 4.9.210-1 +CVE-2019-15030 + [stretch] - linux 4.9.210-1 +CVE-2019-15098 + [stretch] - linux 4.9.210-1 +CVE-2019-15291 + [stretch] - linux 4.9.210-1 +CVE-2019-15505 + [stretch] - linux 4.9.210-1 +CVE-2019-15917 + [stretch] - linux 4.9.210-1 +CVE-2019-16746 + [stretch] - linux 4.9.210-1 +CVE-2019-17052 + [stretch] - linux 4.9.210-1 +CVE-2019-17053 + [stretch] - linux 4.9.210-1 +CVE-2019-17054 + [stretch] - linux 4.9.210-1 +CVE-2019-17055 + [stretch] - linux 4.9.210-1 +CVE-2019-17056 + [stretch] - linux 4.9.210-1 +CVE-2019-17075 + [stretch] - linux 4.9.210-1 +CVE-2019-17133 + [stretch] - linux 4.9.210-1 +CVE-2019-17666 + [stretch] - linux 4.9.210-1 +CVE-2019-18282 + [stretch] - linux 4.9.210-1 +CVE-2019-18660 + [stretch] - linux 4.9.210-1 +CVE-2019-18683 + [stretch] - linux 4.9.210-1 +CVE-2019-18806 + [stretch] - linux 4.9.210-1 +CVE-2019-18809 + [stretch] - linux 4.9.210-1 +CVE-2019-19037 + [stretch] - linux 4.9.210-1 +CVE-2019-19049 + [stretch] - linux 4.9.210-1 +CVE-2019-19052 + [stretch] - linux 4.9.210-1 +CVE-2019-19056 + [stretch] - linux 4.9.210-1 +CVE-2019-19057 + [stretch] - linux 4.9.210-1 +CVE-2019-19062 + [stretch] - linux 4.9.210-1 +CVE-2019-19063 + [stretch] - linux 4.9.210-1 +CVE-2019-19066 + [stretch] - linux 4.9.210-1 +CVE-2019-19068 + [stretch] - linux 4.9.210-1 +CVE-2019-19227 + [stretch] - linux 4.9.210-1 +CVE-2019-19332 + [stretch] - linux 4.9.210-1 +CVE-2019-19447 + [stretch] - linux 4.9.210-1 +CVE-2019-19523 + [stretch] - linux 4.9.210-1 +CVE-2019-19524 + [stretch] - linux 4.9.210-1 
+CVE-2019-19525 + [stretch] - linux 4.9.210-1 +CVE-2019-19527 + [stretch] - linux 4.9.210-1 +CVE-2019-19530 + [stretch] - linux 4.9.210-1 +CVE-2019-19531 + [stretch] - linux 4.9.210-1 +CVE-2019-19532 + [stretch] - linux 4.9.210-1 +CVE-2019-19533 + [stretch] - linux 4.9.210-1 +CVE-2019-19534 + [stretch] - linux 4.9.210-1 +CVE-2019-19535 + [stretch] - linux 4.9.210-1 +CVE-2019-19536 + [stretch] - linux 4.9.210-1 +CVE-2019-19537 + [stretch] - linux 4.9.210-1 +CVE-2019-19965 + [stretch] - linux 4.9.210-1 +CVE-2019-2215 + [stretch] - linux 4.9.210-1 +CVE-2019-12614 + [stretch] - linux 4.9.210-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7337fb9472bb084fba0687a3354c117516e4b5fb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7337fb9472bb084fba0687a3354c117516e4b5fb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
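Review bot: the block is sorted lexicographically by CVE id except for the last line: CVE-2019-12614 is appended after CVE-2019-2215, whereas by the file's own order it belongs between CVE-2019-10220 and CVE-2019-14615. Move it up now, while the list is fresh, so further cherry-picks for 4.9.210-1 can be inserted in order rather than appended.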
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2019-16239/openconnect
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 662fe38a by Salvatore Bonaccorso at 2020-01-21T06:42:23+01:00 Add fixed version for CVE-2019-16239/openconnect - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25381,7 +25381,7 @@ CVE-2019-16240 RESERVED CVE-2019-16239 (process_http_response in OpenConnect before 8.05 has a Buffer Overflow ...) {DLA-1945-1} - - openconnect (bug #940871) + - openconnect 8.02-1.1 (bug #940871) NOTE: http://lists.infradead.org/pipermail/openconnect-devel/2019-September/005412.html NOTE: https://github.com/openconnect/openconnect/commit/875f0a65ab73f4fb581ca870fd3a901bd278f8e8 CVE-2019-16378 (OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 is prone to a si ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/662fe38a427fab87d0987cf7d9c9ad6f92fade6d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/662fe38a427fab87d0987cf7d9c9ad6f92fade6d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Added information about the squid3 patch analysis made.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 570671f5 by Ola Lundqvist at 2020-01-20T22:27:53+01:00 Added information about the squid3 patch analysis made. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -113,12 +113,18 @@ sqlite3 (Thorsten Alteholz) NOTE: 20200112: WIP -- squid3 - NOTE: 20191210: Requires new API SBuf. + NOTE: 20191210: CVE-2019-12523 and CVE-2019-18676 Requires new API SBuf. NOTE: 20200116: Researched other distros to see if any had backported the fixes. No luck. NOTE: 20200116: Tried for some time to reproduce the vulnerabilities, but did not succeed. NOTE: 20200116: The change is rather involved when considering the new SBuf API, so not NOTE: 20200116: being able to reproduce makes it impossible isolate the minimal change that NOTE: 20200116: addresses the vulnerabilities. (roberto) + NOTE: 20200120: CVE-2019-12523 It looks like the only new checks is the introduction of NID + NOTE: 20200120: checks in parseUrn. This function replaces parseFinish. It should be easy + NOTE: 20200120: to add those checks without introducing SBuf. (Ola) + NOTE: 20200120: CVE-2019-18676 however is more complicated to locate. Potentially the // skipping + NOTE: 20200120: or the absolute function is the issue but it is hard to tell without more + NOTE: 20200120: details on the intention. (Ola) -- storebackup (Utkarsh Gupta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/570671f57054d4cb93b5100a0e3e5f0f54686a88 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/570671f57054d4cb93b5100a0e3e5f0f54686a88 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
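Review bot: the 20200120 notes would be easier to act on if they named the upstream squid commit being read; "the introduction of NID checks in parseUrn" and "the // skipping or the absolute function" point at code locations without saying which upstream change they come from, and "//" is ambiguous in prose (double slash in a URL path, or a comment marker?). Cite the upstream commit hash per CVE on the NOTE line, and since the two CVEs now have different assessments (CVE-2019-12523 backportable without SBuf, CVE-2019-18676 unclear), consider keeping them on separate NOTE lines so a claimer can take 12523 first.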
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for openconnect update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f4f38592 by Salvatore Bonaccorso at 2020-01-20T21:25:19+01:00 Reserve DSA number for openconnect update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[20 Jan 2020] DSA-4607-1 openconnect - security update + {CVE-2019-16239} + [stretch] - openconnect 7.08-1+deb9u1 + [buster] - openconnect 8.02-1+deb10u1 [20 Jan 2020] DSA-4606-1 chromium - security update {CVE-2019-13725 CVE-2019-13726 CVE-2019-13727 CVE-2019-13728 CVE-2019-13729 CVE-2019-13730 CVE-2019-13732 CVE-2019-13734 CVE-2019-13735 CVE-2019-13736 CVE-2019-13737 CVE-2019-13738 CVE-2019-13739 CVE-2019-13740 CVE-2019-13741 CVE-2019-13742 CVE-2019-13743 CVE-2019-13744 CVE-2019-13745 CVE-2019-13746 CVE-2019-13747 CVE-2019-13748 CVE-2019-13749 CVE-2019-13750 CVE-2019-13751 CVE-2019-13752 CVE-2019-13753 CVE-2019-13754 CVE-2019-13755 CVE-2019-13756 CVE-2019-13757 CVE-2019-13758 CVE-2019-13759 CVE-2019-13761 CVE-2019-13762 CVE-2019-13763 CVE-2019-13764 CVE-2019-13767 CVE-2020-6377 CVE-2020-6378 CVE-2020-6379 CVE-2020-6380} [buster] - chromium 79.0.3945.130-1~deb10u1 = data/dsa-needed.txt = @@ -36,8 +36,6 @@ nodejs nss/oldstable (jmm) Roberto proposed an update including fixes for CVE-2018-12404 and CVE-2018-18508 -- -openconnect (carnil) --- openjdk-8 (jmm) -- php7.0 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f4f38592fa3ff97c17e8640ad99e0cf47b9fc104 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f4f38592fa3ff97c17e8640ad99e0cf47b9fc104 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d6638748 by security tracker role at 2020-01-20T20:10:24+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,5 @@ +CVE-2019-20382 + RESERVED CVE-2020-7238 RESERVED CVE-2020-7237 (Cacti 1.2.8 allows Remote Code Execution (by privileged users) via she ...) @@ -1855,14 +1857,18 @@ CVE-2020-6381 RESERVED CVE-2020-6380 RESERVED + {DSA-4606-1} - chromium 79.0.3945.130-1 CVE-2020-6379 RESERVED + {DSA-4606-1} - chromium 79.0.3945.130-1 CVE-2020-6378 RESERVED + {DSA-4606-1} - chromium 79.0.3945.130-1 CVE-2020-6377 (Use after free in audio in Google Chrome prior to 79.0.3945.117 allowe ...) + {DSA-4606-1} - chromium 79.0.3945.130-1 CVE-2020-6376 RESERVED @@ -4637,6 +4643,7 @@ CVE-2019-20210 (The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and E CVE-2019-20209 (The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBoo ...) NOT-FOR-US: themes for WordPress CVE-2019-20208 (dimC_Read in isomedia/box_code_3gpp.c in GPAC 0.8.0 has a stack-based ...) + {DLA-2072-1} - gpac [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) @@ -4833,11 +4840,13 @@ CVE-2019-20173 CVE-2019-20172 (Kernel/VM/MemoryManager.cpp in SerenityOS before 2019-12-30 does not r ...) NOT-FOR-US: SerenityOS CVE-2019-20171 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...) + {DLA-2072-1} - gpac NOTE: https://github.com/gpac/gpac/issues/1337 NOTE: https://github.com/gpac/gpac/commit/72cdc5048dead86bb1df7d21e0b9975e49cf2d97 NOTE: https://github.com/gpac/gpac/commit/2bcca3f1d4605100bb27d3ed7be25b53cddbc75c CVE-2019-20170 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...) + {DLA-2072-1} - gpac NOTE: https://github.com/gpac/gpac/issues/1328 NOTE: https://github.com/gpac/gpac/commit/16856430287cc10f495eb241910b4dc45b193e03 
@@ -4861,6 +4870,7 @@ CVE-2019-20166 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-developm NOTE: https://github.com/gpac/gpac/issues/1331 NOTE: https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80 (chunk #2) CVE-2019-20165 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...) + {DLA-2072-1} - gpac NOTE: https://github.com/gpac/gpac/issues/1338 NOTE: https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80 (chunk #1) @@ -4869,14 +4879,17 @@ CVE-2019-20164 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-developm NOTE: https://github.com/gpac/gpac/issues/1332 NOTE: https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80 (chunk #2) CVE-2019-20163 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...) + {DLA-2072-1} - gpac NOTE: https://github.com/gpac/gpac/issues/1335 NOTE: https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80 (chunk #4) CVE-2019-20162 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...) + {DLA-2072-1} - gpac NOTE: https://github.com/gpac/gpac/issues/1327 NOTE: https://github.com/gpac/gpac/commit/3c0ba42546c8148c51169c3908e845c308746c77 CVE-2019-20161 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...) + {DLA-2072-1} - gpac NOTE: https://github.com/gpac/gpac/issues/1320 NOTE: https://github.com/gpac/gpac/commit/7a09732d4978586e6284e84caa9c301b2fa5e956 @@ -23058,7 +23071,7 @@ CVE-2019-17027 RESERVED CVE-2019-17026 RESERVED - {DSA-4603-1 DSA-4600-1 DLA-2061-1} + {DSA-4603-1 DSA-4600-1 DLA-2071-1 DLA-2061-1} - firefox 72.0.1-1 (bug #948452) - firefox-esr 68.4.1esr-1 - thunderbird 1:68.4.1-1 
@@ -23068,7 +23081,7 @@ CVE-2019-17025 (Mozilla developers reported memory safety bugs present in Firefo - firefox 72.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17025 CVE-2019-17024 (Mozilla developers reported memory safety bugs present in Firefox 71 a ...) - {DSA-4603-1 DSA-4600-1 DLA-2061-1} + {DSA-4603-1 DSA-4600-1 DLA-2071-1 DLA-2061-1} - firefox 72.0-1 - firefox-esr 68.4.0esr-1 - thunderbird 1:68.4.1-1 @@ -23082,7 +23095,7 @@ CVE-2019-17023 (After a HelloRetryRequest has been sent, the client may negotiat NOTE: https://hg.mozilla.org/projects/nss/rev/d64102b76a437f24d98a20480dcc9f1655143e7c NOTE:
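Review bot: {DLA-2072-1} is added to CVE-2019-20163 and CVE-2019-20165, both attributed to upstream commit 5250afecbc770c8f26829e9566d5b226a3c5fa80 (chunks #4 and #1), but the neighbouring CVE-2019-20164 and CVE-2019-20166, whose NOTE lines attribute them to chunk #2 of the same commit, stay unmarked; that matches the CVE list in the DLA-2072-1 entry, so either the jessie upload did not carry chunk #2 (then a NOTE on those two entries saying jessie is still open would avoid the question coming up again) or the DLA/list entry is incomplete and should be corrected. Also note the hunk for CVE-2019-17023 is cut off after "NOTE:" in this mail, so the rest of the automatic update cannot be reviewed here.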
[Git][security-tracker-team/security-tracker][master] still working on tomcat8 in jessie
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 7bfe0afe by Abhijith PA at 2020-01-21T00:48:49+05:30 still working on tomcat8 in jessie - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -128,7 +128,7 @@ tomcat7 (Markus Koschany) NOTE: 20200115: https://people.debian.org/~apo/tomcat7/ NOTE: 20200115: waiting for sunweaver's review -- -tomcat8 +tomcat8 (Abhijith PA) NOTE: 20200106: Almost done. Working on failing testcase. -- transfig (Dylan Aïssi) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7bfe0afe53862951bcb0b12aab096ef5b74099db -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7bfe0afe53862951bcb0b12aab096ef5b74099db You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
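Review bot: the re-claim restores "(Abhijith PA)" but the only status note is still dated 20200106; since the entry was just unclaimed for two weeks of inactivity, add a dated NOTE (20200121) describing the current state of the failing test case so the next inactivity sweep has something current to go on.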
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-18899/apt-cacher-ng
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9d8a230f by Salvatore Bonaccorso at 2020-01-20T19:03:16+01:00 Add CVE-2019-18899/apt-cacher-ng - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15149,6 +15149,7 @@ CVE-2019-18900 RESERVED CVE-2019-18899 RESERVED + - apt-cacher-ng (openSUSE specific systemd service unit configuration) CVE-2019-18898 RESERVED NOT-FOR-US: SUSE specific packaging issue in %posttrans section in src:trousers View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9d8a230f0143dfc1bb190e5b61bb2ba6ca045b16 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9d8a230f0143dfc1bb190e5b61bb2ba6ca045b16 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
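Review bot: "- apt-cacher-ng (openSUSE specific systemd service unit configuration)" reads as an unfixed Debian entry with a free-form remark, so the package will appear open in the tracker even though the parenthetical says the problem is in openSUSE's unit file; if Debian's packaging is not affected, mark it the way the adjacent CVE-2019-18898 is ("NOT-FOR-US: SUSE specific packaging issue ...") or with an explicit not-affected status, and if Debian's own unit file was checked, say so in a NOTE.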
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Holger Levsen pushed to branch master at Debian Security Tracker / security-tracker Commits: 9125a615 by Holger Levsen at 2020-01-20T18:57:30+01:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Holger Levsen hol...@layer-acht.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -128,7 +128,7 @@ tomcat7 (Markus Koschany) NOTE: 20200115: https://people.debian.org/~apo/tomcat7/ NOTE: 20200115: waiting for sunweaver's review -- -tomcat8 (Abhijith PA) +tomcat8 NOTE: 20200106: Almost done. Working on failing testcase. -- transfig (Dylan Aïssi) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9125a61536a4399947a38dc5d3a7aa1a1d72b2db -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9125a61536a4399947a38dc5d3a7aa1a1d72b2db You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
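Review bot: the unclaim drops the assignee but leaves no trace in the file; the neighbouring entries use dated NOTE lines, so add e.g. "NOTE: 20200120: unclaimed after 2 weeks of inactivity" under tomcat8 so the history is visible without consulting git log, and so the stale "20200106: Almost done" note is not read as current.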
[Git][security-tracker-team/security-tracker][master] Add and claim storebackup
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 41693fa2 by Utkarsh Gupta at 2020-01-20T23:23:38+05:30 Add and claim storebackup - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -120,8 +120,10 @@ squid3 NOTE: 20200116: being able to reproduce makes it impossible isolate the minimal change that NOTE: 20200116: addresses the vulnerabilities. (roberto) -- +storebackup (Utkarsh Gupta) +-- suricata (Mike Gabriel) +-- tomcat7 (Markus Koschany) NOTE: 20200115: https://people.debian.org/~apo/tomcat7/ NOTE: 20200115: waiting for sunweaver's review View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/41693fa297eb01e86892e3c7db4352966039a1b7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/41693fa297eb01e86892e3c7db4352966039a1b7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
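Review bot: the new storebackup entry has no NOTE naming the issue; add the CVE id (CVE-2020-7040) and the SUSE patch reference already recorded in data/CVE/list so the jessie work starts from the same source. The extra "--" separator after "suricata (Mike Gabriel)" repairs a missing separator in the old text, which is good.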
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-7040/storebackup
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: caf07d44 by Salvatore Bonaccorso at 2020-01-20T17:36:55+01:00 Add Debian bug reference for CVE-2020-7040/storebackup - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -426,7 +426,7 @@ CVE-2020-7041 RESERVED CVE-2020-7040 [storeBackup: denial of service and symlink attack vector via fixed lockfile path /tmp/storeBackup.lock] RESERVED - - storebackup + - storebackup (bug #949393) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1156767 NOTE: https://www.openwall.com/lists/oss-security/2020/01/20/3 NOTE: SuSE provided patch: https://www.openwall.com/lists/oss-security/2020/01/20/3/1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/caf07d4443f83ddbb8f5a4e7de232668ecd49c39 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/caf07d4443f83ddbb8f5a4e7de232668ecd49c39 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-7040/storebackup
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 61cdcd7d by Salvatore Bonaccorso at 2020-01-20T17:21:53+01:00 Add CVE-2020-7040/storebackup - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -424,8 +424,12 @@ CVE-2020-7042 RESERVED CVE-2020-7041 RESERVED -CVE-2020-7040 +CVE-2020-7040 [storeBackup: denial of service and symlink attack vector via fixed lockfile path /tmp/storeBackup.lock] RESERVED + - storebackup + NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1156767 + NOTE: https://www.openwall.com/lists/oss-security/2020/01/20/3 + NOTE: SuSE provided patch: https://www.openwall.com/lists/oss-security/2020/01/20/3/1 CVE-2020-7039 (tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, misman ...) - libslirp 4.1.0-2 (bug #949084) - qemu 1:4.1-2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/61cdcd7dca1e1f69e76559aac333d02411f4581e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/61cdcd7dca1e1f69e76559aac333d02411f4581e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
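Review bot: the entry has no severity annotation for the stable suites; a fixed lockfile path in /tmp giving a DoS and a symlink attack vector is a local issue, so a no-dsa or minor-issue tag for stretch and buster (as the rexical and gpac entries in this file carry) would settle the DSA question early. Style: the NOTE spells "SuSE" while the rest of the file (CVE-2019-18898) uses "SUSE".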
[Git][security-tracker-team/security-tracker][master] Add fixed version via unstable for CVE-2019-5477/rexical
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 55ab601d by Salvatore Bonaccorso at 2020-01-20T17:13:18+01:00 Add fixed version via unstable for CVE-2019-5477/rexical - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -57643,7 +57643,7 @@ CVE-2019-5478 (A weakness was found in Encrypt Only boot mode in Zynq UltraScale NOT-FOR-US: Encrypt Only boot mode in Zynq UltraScale+ devices CVE-2019-5477 (A command injection vulnerability in Nokogiri v1.10.3 and earlier allo ...) {DLA-1933-1} - - rexical (bug #940905) + - rexical 1.0.7-1 (bug #940905) [buster] - rexical (Minor issue, can be fixed via point release) [stretch] - rexical (Minor issue, can be fixed via point release) - ruby-nokogiri 1.10.4+dfsg1-1 (bug #934802) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/55ab601d91d1d288facfdd693c4747907cd4d81b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/55ab601d91d1d288facfdd693c4747907cd4d81b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reference commits for CVE-2019-1579{5,6}/python-apt
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 477e90c4 by Salvatore Bonaccorso at 2020-01-20T16:22:16+01:00 Reference commits for CVE-2019-1579{5,6}/python-apt - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -26577,9 +26577,12 @@ CVE-2019-15797 CVE-2019-15796 [python-apt: Check that repository is trusted before downloading from it] RESERVED - python-apt 1.8.5 + NOTE: https://salsa.debian.org/apt-team/python-apt/commit/b4eef110b7ba4fb21cc0dd92585756f50e0100c9 (1.8.5) + NOTE: https://salsa.debian.org/apt-team/python-apt/commit/e3321eb9792bf3b4cace4cee47dc6da00fbee929 (1.8.5) CVE-2019-15795 [python-apt: Do not use MD5 for verifying downloads] RESERVED - python-apt 1.8.5 + NOTE: https://salsa.debian.org/apt-team/python-apt/commit/e175130e51c2b0424f3dfeb825e3dc598fec1a24 (1.8.5) CVE-2019-15794 RESERVED CVE-2019-15793 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/477e90c4bbaeb1197f46bdb64fecdfc3865e9fb3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/477e90c4bbaeb1197f46bdb64fecdfc3865e9fb3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove no-dsa tagged entries which got an update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d5def294 by Salvatore Bonaccorso at 2020-01-20T16:15:05+01:00 Remove no-dsa tagged entries which got an update According to 27cacdce393d (DLA-2072-1: fix fixed CVEs) those three CVEs were fixed as well in the recent DLA-2072-1, thus removing the no-dsa/postponed tags. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24980,14 +24980,12 @@ CVE-2018-21016 (audio_sample_entry_AddBox() at isomedia/box_code_base.c in GPAC - gpac (bug #940882) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) - [jessie] - gpac (Minor issue, local DoS in function 'mp4a_AddBox') NOTE: https://github.com/gpac/gpac/issues/1180 NOTE: https://github.com/gpac/gpac/commit/ea13945f3c2dc2c21e30e2731bf2782384307a13 CVE-2018-21015 (AVC_DuplicateConfig() at isomedia/avc_ext.c in GPAC 0.7.1 allows remot ...) - gpac (bug #940882) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) - [jessie] - gpac (Minor issue, local DoS) NOTE: https://github.com/gpac/gpac/issues/1179 NOTE: https://github.com/gpac/gpac/commit/0545bb0a01bfac6764c43bd5074e9c2d1eae495f CVE-2019-16342 
@@ -33640,7 +33638,6 @@ CVE-2019-13618 (In GPAC before 0.8.0, isomedia/isom_read.c in libgpac.a has a he - gpac (low; bug #932242) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) - [jessie] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/1250 NOTE: https://github.com/gpac/gpac/commit/c23d54ed15a70b4543e3191e6ead5097cda0878b CVE-2019-13617 (njs through 0.3.3, used in NGINX, has a heap-based buffer over-read in ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d5def2948a22bf4d3e50da1fc1fe6a9e23d9f9b2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d5def2948a22bf4d3e50da1fc1fe6a9e23d9f9b2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
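Review bot: the [jessie] no-dsa lines are removed because DLA-2072-1 now lists these three CVEs, and the commit message cites 27cacdce393d, good. What remains inconsistent is that buster and stretch still carry "(Minor issue)" for all three while jessie received an LTS fix; either note why the LTS decision differs or revisit whether the stretch/buster no-dsa decision still stands.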
[Git][security-tracker-team/security-tracker][master] add python-apt
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: bc6dd14e by Thorsten Alteholz at 2020-01-20T15:23:00+01:00 add python-apt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -74,6 +74,8 @@ openjpeg2 (Mike Gabriel) -- otrs2 (Abhijith PA) -- +python-apt +-- python-pysaml2 (Abhijith PA) -- python-reportlab (Hugo Lefeuvre) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bc6dd14ee7f2905b6c00d43bee0f23bfc2b17128 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bc6dd14ee7f2905b6c00d43bee0f23bfc2b17128 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
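Review bot: the new `python-apt` stanza in data/dla-needed.txt has no claimant and no NOTE line, while neighbouring stanzas such as clamav and graphicsmagick (visible in the context of f6732248) record status and references; since 42fe9ba9 in this same batch identifies the open issues as CVE-2019-15795 and CVE-2019-15796, fixed upstream in 1.8.5, a NOTE naming those CVEs and the fixed version would tell the next triager where to start. The hunk itself (6 to 8 lines, adding `python-apt` and the `--` separator) is consistent.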
[Git][security-tracker-team/security-tracker][master] DLA-2072-1: fix fixed CVEs
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 27cacdce by Sylvain Beucler at 2020-01-20T14:34:34+01:00 DLA-2072-1: fix fixed CVEs - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,5 +1,5 @@ [20 Jan 2020] DLA-2072-1 gpac - security update - {CVE-2019-20161 CVE-2019-20162 CVE-2019-20163 CVE-2019-20165 CVE-2019-20168 CVE-2019-20169 CVE-2019-20170 CVE-2019-20171 CVE-2019-20208} + {CVE-2018-21015 CVE-2018-21016 CVE-2019-13618 CVE-2019-20161 CVE-2019-20162 CVE-2019-20163 CVE-2019-20165 CVE-2019-20170 CVE-2019-20171 CVE-2019-20208} [jessie] - gpac 0.5.0+svn5324~dfsg1-1+deb8u5 [20 Jan 2020] DLA-2071-1 thunderbird - security update {CVE-2019-17016 CVE-2019-17017 CVE-2019-17022 CVE-2019-17024 CVE-2019-17026} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/27cacdce393d377bdd9fd6ffd806cdb0d8878253 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/27cacdce393d377bdd9fd6ffd806cdb0d8878253 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
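Review bot: the replacement CVE list does more than the message "fix fixed CVEs" states: besides adding CVE-2018-21015, CVE-2018-21016 and CVE-2019-13618, it silently drops CVE-2019-20168 and CVE-2019-20169 from the set reserved in f6732248. The commit message should say why those two are no longer claimed as fixed by gpac 0.5.0+svn5324~dfsg1-1+deb8u5, and their data/CVE/list entries should be checked so that their jessie status matches the published DLA.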
[Git][security-tracker-team/security-tracker][master] wpa ospu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ea4847fd by Moritz Muehlenhoff at 2020-01-20T14:12:39+01:00 wpa ospu - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -128,3 +128,5 @@ CVE-2017-14062 [stretch] - libidn 1.33-1+deb9u1 CVE-2016-10894 [stretch] - xtrlock 2.8+deb9u1 +CVE-2019-16275 + [stretch] - wpa 2:2.4-1+deb9u5 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ea4847fd4fbd383e4593442a56ffada2a72a5fbe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ea4847fd4fbd383e4593442a56ffada2a72a5fbe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] new python-apt issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 42fe9ba9 by Moritz Muehlenhoff at 2020-01-20T14:10:43+01:00 new python-apt issues otrs fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13686,20 +13686,20 @@ CVE-2020-1769 CVE-2020-1768 RESERVED CVE-2020-1767 (Agent A is able to save a draft (i.e. for customer reply). Then Agent ...) - - otrs2 + - otrs2 6.0.25-1 [buster] - otrs2 (Non-free not supported) [stretch] - otrs2 (Non-free not supported) NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-03/ NOTE: https://github.com/OTRS/otrs/commit/5f488fd6c809064ee49def3a432030258d211570 CVE-2020-1766 (Due to improper handling of uploaded images it is possible in very unl ...) - - otrs2 + - otrs2 6.0.25-1 [buster] - otrs2 (Non-free not supported) [stretch] - otrs2 (Non-free not supported) NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-02/ NOTE: https://github.com/OTRS/otrs/commit/128078b0bb30f601ed97d4a13906644264ee6013 (OTRS6) NOTE: https://github.com/OTRS/otrs/commit/b7d80f9000fc9a435743d8d1d7d44d9a17483a9a (OTRS5) CVE-2020-1765 (An improper control of parameters allows the spoofing of the from fiel ...) - - otrs2 + - otrs2 6.0.25-1 [buster] - otrs2 (Non-free not supported) [stretch] - otrs2 (Non-free not supported) NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-01/ 
@@ -26576,10 +26576,12 @@ CVE-2019-15798 RESERVED CVE-2019-15797 RESERVED -CVE-2019-15796 +CVE-2019-15796 [python-apt: Check that repository is trusted before downloading from it] RESERVED -CVE-2019-15795 + - python-apt 1.8.5 +CVE-2019-15795 [python-apt: Do not use MD5 for verifying downloads] RESERVED + - python-apt 1.8.5 CVE-2019-15794 RESERVED CVE-2019-15793 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/42fe9ba99f31733c2b89fc6d5cf36c023b26608f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/42fe9ba99f31733c2b89fc6d5cf36c023b26608f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
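Review bot: in the second hunk, CVE-2019-15795 and CVE-2019-15796 gain a bracketed working title and a `- python-apt 1.8.5` fixed-version line while staying RESERVED, but unlike the otrs2 entries in the first hunk they carry no NOTE line pointing at the advisory or fix commit and no [buster]/[stretch] assessment; add a NOTE with the upstream reference and a per-suite status, which would also give the `python-apt` stanza added to dla-needed.txt in bc6dd14e something concrete to point at.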
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2072-1 for gpac
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: f6732248 by Sylvain Beucler at 2020-01-20T13:53:22+01:00 Reserve DLA-2072-1 for gpac - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[20 Jan 2020] DLA-2072-1 gpac - security update + {CVE-2019-20161 CVE-2019-20162 CVE-2019-20163 CVE-2019-20165 CVE-2019-20168 CVE-2019-20169 CVE-2019-20170 CVE-2019-20171 CVE-2019-20208} + [jessie] - gpac 0.5.0+svn5324~dfsg1-1+deb8u5 [20 Jan 2020] DLA-2071-1 thunderbird - security update {CVE-2019-17016 CVE-2019-17017 CVE-2019-17022 CVE-2019-17024 CVE-2019-17026} [jessie] - thunderbird 1:68.4.1-1~deb8u1 = data/dla-needed.txt = @@ -17,10 +17,6 @@ clamav (Hugo Lefeuvre) NOTE: team would like to wait for an init script for the new clamonacc NOTE: binary, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946557 -- -gpac (Sylvain Beucler) - NOTE: 20200105: All open issues are unfixed. Adding it here for future - NOTE: triaging when more information are available. (apo) --- graphicsmagick (Thorsten Alteholz) NOTE: 20200119: WIP -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f67322484453980d793c35c5252482f46dc5c205 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f67322484453980d793c35c5252482f46dc5c205 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
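Review bot: the reserved DLA-2072-1 entry lists CVE-2019-20168 and CVE-2019-20169 among its nine CVEs, yet the follow-up 27cacdce in this same batch removes exactly those two and adds three others, so the CVE set was not derived from the actual upload; checking the reservation against the changelog of 0.5.0+svn5324~dfsg1-1+deb8u5 before committing would avoid publishing a DLA with a wrong CVE list. The dla-needed.txt hunk (10 to 6) removes the gpac stanza and its separator cleanly.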
[Git][security-tracker-team/security-tracker][master] CVE-2020-6630,CVE-2020-6631/gpac: jessie triage
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: baf11202 by Sylvain Beucler at 2020-01-20T13:30:25+01:00 CVE-2020-6630,CVE-2020-6631/gpac: jessie triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1303,11 +1303,13 @@ CVE-2020-6632 (In PrestaShop 1.7.6.2, XSS can occur during addition or removal o NOT-FOR-US: PrestaShop CVE-2020-6631 (An issue was discovered in GPAC version 0.8.0. There is a NULL pointer ...) - gpac + [jessie] - gpac (Minor issue, clean crash, MP42TS not shipped, incomplete patch) NOTE: https://github.com/gpac/gpac/issues/1378 NOTE: https://github.com/gpac/gpac/commit/c7e46e948ebe2d4a532539c7e714cdf655b84521 NOTE: fix considered "ugly" by upstream and introduces abort(3)-based DoS CVE-2020-6630 (An issue was discovered in GPAC version 0.8.0. There is a NULL pointer ...) - gpac + [jessie] - gpac (Minor issue, clean crash, MP42TS not shipped, incomplete patch) NOTE: https://github.com/gpac/gpac/issues/1377 NOTE: https://github.com/gpac/gpac/commit/c7e46e948ebe2d4a532539c7e714cdf655b84521 NOTE: fix considered "ugly" by upstream and introduces abort(3)-based DoS View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/baf112021aa00f296f8b027eec0ddf13467f1827 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/baf112021aa00f296f8b027eec0ddf13467f1827 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
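Review bot: the two added lines read `[jessie] - gpac (Minor issue, clean crash, MP42TS not shipped, incomplete patch)` with no status tag visible between the package name and the rationale, whereas d5def294's message describes equivalent jessie lines as carrying no-dsa/postponed tags; verify that the intended tag is present on both new lines, since a rationale without a tag leaves the jessie status ambiguous. Given the existing NOTE that the upstream fix is "ugly" and introduces an abort(3)-based DoS, the tag should state whether the issue is being skipped or merely deferred until a better patch exists.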
[Git][security-tracker-team/security-tracker][master] chromium dsa
Michael Gilbert pushed to branch master at Debian Security Tracker / security-tracker Commits: 5aaa66ac by Michael Gilbert at 2020-01-20T11:55:54+00:00 chromium dsa - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[20 Jan 2020] DSA-4606-1 chromium - security update + {CVE-2019-13725 CVE-2019-13726 CVE-2019-13727 CVE-2019-13728 CVE-2019-13729 CVE-2019-13730 CVE-2019-13732 CVE-2019-13734 CVE-2019-13735 CVE-2019-13736 CVE-2019-13737 CVE-2019-13738 CVE-2019-13739 CVE-2019-13740 CVE-2019-13741 CVE-2019-13742 CVE-2019-13743 CVE-2019-13744 CVE-2019-13745 CVE-2019-13746 CVE-2019-13747 CVE-2019-13748 CVE-2019-13749 CVE-2019-13750 CVE-2019-13751 CVE-2019-13752 CVE-2019-13753 CVE-2019-13754 CVE-2019-13755 CVE-2019-13756 CVE-2019-13757 CVE-2019-13758 CVE-2019-13759 CVE-2019-13761 CVE-2019-13762 CVE-2019-13763 CVE-2019-13764 CVE-2019-13767 CVE-2020-6377 CVE-2020-6378 CVE-2020-6379 CVE-2020-6380} + [buster] - chromium 79.0.3945.130-1~deb10u1 [19 Jan 2020] DSA-4605-1 openjdk-11 - security update {CVE-2020-2583 CVE-2020-2590 CVE-2020-2593 CVE-2020-2601 CVE-2020-2604 CVE-2020-2654 CVE-2020-2655} [buster] - openjdk-11 11.0.6+10-1~deb10u1 = data/dsa-needed.txt = @@ -11,8 +11,6 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. --- -chromium -- curl (ghedo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5aaa66ac7553e1ca0d2b7d9c0eb6f362564ce717 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5aaa66ac7553e1ca0d2b7d9c0eb6f362564ce717 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2071-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 193ad34f by Emilio Pozuelo Monfort at 2020-01-20T11:52:03+01:00 Reserve DLA-2071-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[20 Jan 2020] DLA-2071-1 thunderbird - security update + {CVE-2019-17016 CVE-2019-17017 CVE-2019-17022 CVE-2019-17024 CVE-2019-17026} + [jessie] - thunderbird 1:68.4.1-1~deb8u1 [19 Jan 2020] DLA-2070-1 ruby-excon - security update {CVE-2019-16779} [jessie] - ruby-excon 0.33.0-2+deb8u1 = data/dla-needed.txt = @@ -124,8 +124,6 @@ squid3 -- suricata (Mike Gabriel) --- -thunderbird (Emilio) --- tomcat7 (Markus Koschany) NOTE: 20200115: https://people.debian.org/~apo/tomcat7/ NOTE: 20200115: waiting for sunweaver's review View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/193ad34f087359589a209e60dc4cdd7796e63768 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/193ad34f087359589a209e60dc4cdd7796e63768 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b4552a3 by Salvatore Bonaccorso at 2020-01-20T09:34:00+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,17 +3,17 @@ CVE-2020-7238 CVE-2020-7237 (Cacti 1.2.8 allows Remote Code Execution (by privileged users) via she ...) TODO: check CVE-2020-7236 (UHP UHP-100 3.4.1.15, 3.4.2.4, and 3.4.3 devices allow XSS via cw2?td= ...) - TODO: check + NOT-FOR-US: UHP UHP-100 devices CVE-2020-7235 (UHP UHP-100 3.4.1.15, 3.4.2.4, and 3.4.3 devices allow XSS via cB3?ta= ...) - TODO: check + NOT-FOR-US: UHP UHP-100 devices CVE-2020-7234 (Ruckus ZoneFlex R310 104.0.0.0.1347 devices allow Stored XSS via the S ...) - TODO: check + NOT-FOR-US: Ruckus ZoneFlex R310 devices CVE-2020-7233 (KMS Controls BAC-A1616BC BACnet devices have a cleartext password of s ...) - TODO: check + NOT-FOR-US: KMS Controls BAC-A1616BC BACnet devices CVE-2020-7232 (Evoko Home 1.31 devices allow remote attackers to obtain sensitive inf ...) - TODO: check + NOT-FOR-US: Evoko Home devices CVE-2020-7231 (Evoko Home 1.31 devices provide different error messages for failed lo ...) - TODO: check + NOT-FOR-US: Evoko Home devices CVE-2019-20381 (TestLink before 1.9.20 allows XSS via non-lowercase javascript: in the ...) TODO: check CVE-2016-11018 
@@ -49,7 +49,7 @@ CVE-2020-7217 CVE-2020-7216 RESERVED CVE-2020-7215 (An issue was discovered in Gallagher Command Centre 7.x before 7.90.99 ...) - TODO: check + NOT-FOR-US: Gallagher Command Centre CVE-2020-7214 RESERVED CVE-2020-7213 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2b4552a303c5b76e12ed327dc1370dde7e542363 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2b4552a303c5b76e12ed327dc1370dde7e542363 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
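Review bot: CVE-2020-7237 (Cacti) and CVE-2019-20381 (TestLink) are left at `TODO: check` while the surrounding appliance CVEs become NOT-FOR-US, which is presumably deliberate, but the message "Process NFUs" does not say which TODO entries were examined and skipped; a short mention of the two left open would save the next pass re-reading both hunks. The `NOT-FOR-US:` values consistently name the product without its version (e.g. `UHP UHP-100 devices`, `Evoko Home devices`), matching the style of the existing entries.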
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fdc16fb7 by security tracker role at 2020-01-20T08:10:28+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,23 @@ +CVE-2020-7238 + RESERVED +CVE-2020-7237 (Cacti 1.2.8 allows Remote Code Execution (by privileged users) via she ...) + TODO: check +CVE-2020-7236 (UHP UHP-100 3.4.1.15, 3.4.2.4, and 3.4.3 devices allow XSS via cw2?td= ...) + TODO: check +CVE-2020-7235 (UHP UHP-100 3.4.1.15, 3.4.2.4, and 3.4.3 devices allow XSS via cB3?ta= ...) + TODO: check +CVE-2020-7234 (Ruckus ZoneFlex R310 104.0.0.0.1347 devices allow Stored XSS via the S ...) + TODO: check +CVE-2020-7233 (KMS Controls BAC-A1616BC BACnet devices have a cleartext password of s ...) + TODO: check +CVE-2020-7232 (Evoko Home 1.31 devices allow remote attackers to obtain sensitive inf ...) + TODO: check +CVE-2020-7231 (Evoko Home 1.31 devices provide different error messages for failed lo ...) + TODO: check +CVE-2019-20381 (TestLink before 1.9.20 allows XSS via non-lowercase javascript: in the ...) + TODO: check +CVE-2016-11018 + RESERVED CVE-2020-7230 RESERVED CVE-2020-7229 @@ -28,8 +48,8 @@ CVE-2020-7217 RESERVED CVE-2020-7216 RESERVED -CVE-2020-7215 - RESERVED +CVE-2020-7215 (An issue was discovered in Gallagher Command Centre 7.x before 7.90.99 ...) + TODO: check CVE-2020-7214 RESERVED CVE-2020-7213 @@ -11018,9 +11038,11 @@ CVE-2020-2657 (Vulnerability in the Oracle CRM Technical Foundation product of O CVE-2020-2656 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) NOT-FOR-US: Oracle CVE-2020-2655 (Vulnerability in the Java SE product of Oracle Java SE (component: JSS ...) + {DSA-4605-1} - openjdk-13 13.0.2+8-1 - openjdk-11 11.0.6+10-1 CVE-2020-2654 (Vulnerability in the Java SE product of Oracle Java SE (component: Lib ...) + {DSA-4605-1} - openjdk-13 13.0.2+8-1 - openjdk-11 11.0.6+10-1 - openjdk-8 
@@ -11125,6 +11147,7 @@ CVE-2020-2606 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of CVE-2020-2605 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) NOT-FOR-US: Oracle CVE-2020-2604 (Vulnerability in the Oracle GraalVM Enterprise Edition product of Orac ...) + {DSA-4605-1} - openjdk-13 13.0.2+8-1 - openjdk-11 11.0.6+10-1 - openjdk-8 @@ -11134,6 +11157,7 @@ CVE-2020-2603 (Vulnerability in the Oracle Field Service product of Oracle E-Bus CVE-2020-2602 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2020-2601 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) + {DSA-4605-1} - openjdk-13 13.0.2+8-1 - openjdk-11 11.0.6+10-1 - openjdk-8 @@ -11153,6 +11177,7 @@ CVE-2020-2595 (Vulnerability in the Oracle GraalVM Enterprise Edition product of CVE-2020-2594 RESERVED CVE-2020-2593 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) + {DSA-4605-1} - openjdk-13 13.0.2+8-1 - openjdk-11 11.0.6+10-1 - openjdk-8 @@ -11162,6 +11187,7 @@ CVE-2020-2592 (Vulnerability in the Oracle AutoVue product of Oracle Supply Chai CVE-2020-2591 (Vulnerability in the Oracle Web Applications Desktop Integrator produc ...) NOT-FOR-US: Oracle CVE-2020-2590 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) + {DSA-4605-1} - openjdk-13 13.0.2+8-1 - openjdk-11 11.0.6+10-1 - openjdk-8 
@@ -11182,6 +11208,7 @@ CVE-2020-2584 (Vulnerability in the MySQL Server product of Oracle MySQL (compon - mysql-5.7 NOTE: https://www.oracle.com/security-alerts/cpujan2020.html#AppendixMSQL CVE-2020-2583 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) + {DSA-4605-1} - openjdk-13 13.0.2+8-1 - openjdk-11 11.0.6+10-1 - openjdk-8 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fdc16fb7ac4b8e93f5d55e21ad94d588d48848b4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fdc16fb7ac4b8e93f5d55e21ad94d588d48848b4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
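Review bot: the `{DSA-4605-1}` marker is added to exactly the seven Java SE entries (CVE-2020-2583, 2590, 2593, 2601, 2604, 2654, 2655) that the DSA-4605-1 line in 5aaa66ac's context lists, so the cross-references are consistent; the `- openjdk-8` lines under those entries keep no fixed version, and since DSA-4605-1 only names openjdk-11 11.0.6+10-1~deb10u1 for buster, nothing in these hunks says which suite openjdk-8 still ships in, which a reviewer should confirm before treating these CVEs as closed for every supported release. The first hunk's change of CVE-2020-7215 from RESERVED to a described `TODO: check` entry is picked up by 2b4552a3 later in the batch.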