[Git][security-tracker-team/security-tracker][master] Fix CVE for underscore in data/DLA/list
Yadd pushed to branch master at Debian Security Tracker / security-tracker Commits: ceb532ad by Yadd at 2021-03-31T22:56:55+02:00 Fix CVE for underscore in data/DLA/list - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,4 +1,5 @@ [31 Mar 2021] DLA-2613-1 underscore - security update + {CVE-2021-23358} [stretch] - underscore 1.8.3~dfsg-1+deb9u1 [31 Mar 2021] DLA-2612-1 leptonlib - security update {CVE-2020-36277 CVE-2020-36278 CVE-2020-36279 CVE-2020-36281} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ceb532ad558d24000a32d721c4eb82f6bc76156c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ceb532ad558d24000a32d721c4eb82f6bc76156c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
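Review bot: data/CVE/list is not touched in this commit, so the CVE-2021-23358 entry still lacks the matching {DLA-2613-1} cross-reference that the leptonlib entries carry for {DLA-2612-1} elsewhere in this digest; add it to the CVE-2021-23358 entry so the DLA record and the CVE record point at each other.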
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2613-1 for underscore
Yadd pushed to branch master at Debian Security Tracker / security-tracker Commits: f23d9bcb by Yadd at 2021-03-31T22:52:37+02:00 Reserve DLA-2613-1 for underscore - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[31 Mar 2021] DLA-2613-1 underscore - security update + [stretch] - underscore 1.8.3~dfsg-1+deb9u1 [31 Mar 2021] DLA-2612-1 leptonlib - security update {CVE-2020-36277 CVE-2020-36278 CVE-2020-36279 CVE-2020-36281} [stretch] - leptonlib 1.74.1-1+deb9u1 = data/dla-needed.txt = @@ -154,8 +154,6 @@ spotweb subversion (Emilio) NOTE: 20210322: have a look at #985556 and #948834 -- -underscore (Yadd) --- xmlbeans NOTE: 20210222: Affected code changed significantly from 2.6.0 to 3.0.0 (the NOTE: 20210222: upstream release with the fix). Trying to determine how to View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f23d9bcb2eb59cdcb18724d156be3f99666510cc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f23d9bcb2eb59cdcb18724d156be3f99666510cc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
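Review bot: the DLA-2613-1 entry added to data/DLA/list has no {CVE-...} line between the header and the [stretch] line, so the advisory is reserved without being tied to any CVE; the follow-up commit ceb532ad in this digest supplies {CVE-2021-23358}, which could have been included here in the same change. The removal of the underscore (Yadd) claim from data/dla-needed.txt in the second hunk is consistent with the advisory being issued.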
[Git][security-tracker-team/security-tracker][master] Claim underscore in dla-needed.txt
Yadd pushed to branch master at Debian Security Tracker / security-tracker Commits: 24496549 by Yadd at 2021-03-31T22:45:16+02:00 Claim underscore in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -154,6 +154,8 @@ spotweb subversion (Emilio) NOTE: 20210322: have a look at #985556 and #948834 -- +underscore (Yadd) +-- xmlbeans NOTE: 20210222: Affected code changed significantly from 2.6.0 to 3.0.0 (the NOTE: 20210222: upstream release with the fix). Trying to determine how to View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/24496549beb4141cbe0979802911edf019bdb8a7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/24496549beb4141cbe0979802911edf019bdb8a7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 726391e7 by Salvatore Bonaccorso at 2021-03-31T22:44:20+02:00 Process some more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2021-29663 (CourseMS (aka Course Registration Management System) 2.1 is affected b ...) - TODO: check + NOT-FOR-US: CourseMS (aka Course Registration Management System) CVE-2021-29661 RESERVED CVE-2021-29660 @@ -7,7 +7,7 @@ CVE-2021-29660 CVE-2021-29659 RESERVED CVE-2021-29658 (The unofficial vscode-rufo extension before 0.0.4 for Visual Studio Co ...) - TODO: check + NOT-FOR-US: vscode-rufo extension for Visual Studio Code CVE-2021-29657 RESERVED CVE-2021-29656 @@ -3086,7 +3086,7 @@ CVE-2021-28247 (** UNSUPPORTED WHEN ASSIGNED ** CA eHealth Performance Manager t CVE-2021-28246 (** UNSUPPORTED WHEN ASSIGNED ** CA eHealth Performance Manager through ...) NOT-FOR-US: CA eHealth Performance Manager CVE-2021-28245 (PbootCMS 3.0.4 contains a SQL injection vulnerability through index.ph ...) - TODO: check + NOT-FOR-US: PbootCMS CVE-2021-28244 RESERVED CVE-2021-28243 @@ -41645,7 +41645,7 @@ CVE-2020-24638 (Multiple authenticated remote command executions are possible in CVE-2020-24637 (Two vulnerabilities in ArubaOS GRUB2 implementation allows for an atta ...) NOT-FOR-US: ArubaOS GRUB2 implementation (CVE specific to ArubaOS) CVE-2020-24636 (A remote execution of arbitrary commands vulnerability was discovered ...) - TODO: check + NOT-FOR-US: Aruba CVE-2020-24635 (A remote execution of arbitrary commands vulnerability was discovered ...) NOT-FOR-US: Aruba CVE-2020-24634 (An attacker is able to remotely inject arbitrary commands by sending e ...) 
@@ -49973,7 +49973,7 @@ CVE-2020-20547 CVE-2020-20546 RESERVED CVE-2020-20545 (Cross-Site Scripting (XSS) vulnerability in Zhiyuan G6 Government Coll ...) - TODO: check + NOT-FOR-US: Zhiyuan G6 Government Collaboration System CVE-2020-20544 RESERVED CVE-2020-20543 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/726391e75810fd1e8b0e822e2cc0db84e2bdb046 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/726391e75810fd1e8b0e822e2cc0db84e2bdb046 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some more F5 related NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3d17d162 by Salvatore Bonaccorso at 2021-03-31T22:40:54+02:00 Process some more F5 related NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15215,9 +15215,9 @@ CVE-2021-23008 CVE-2021-23007 (On BIG-IP versions 14.1.4 and 16.0.1.1, when the Traffic Management Mi ...) NOT-FOR-US: F5 BIG-IP CVE-2021-23006 (On all 7.x and 6.x versions (fixed in 8.0.0), undisclosed BIG-IQ pages ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2021-23005 (On all 7.x and 6.x versions (fixed in 8.0.0), when using a Quorum devi ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2021-23004 (On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1. ...) NOT-FOR-US: F5 BIG-IP CVE-2021-23003 (On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1. ...) 
@@ -15233,11 +15233,11 @@ CVE-2021-22999 (On versions 15.0.x before 15.1.0 and 14.1.x before 14.1.4, the B CVE-2021-22998 (On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14. ...) NOT-FOR-US: F5 BIG-IP CVE-2021-22997 (On all 7.x and 6.x versions (fixed in 8.0.0), BIG-IQ HA ElasticSearch ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2021-22996 (On all 7.x versions (fixed in 8.0.0), when set up for auto failover, a ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2021-22995 (On all 7.x and 6.x versions (fixed in 8.0.0), BIG-IQ high availability ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2021-22994 (On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14. ...) NOT-FOR-US: F5 BIG-IP CVE-2021-22993 (On BIG-IP Advanced WAF and BIG-IP ASM versions 16.0.x before 16.0.1.1, ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3d17d1621f3bb4a4a951ec5ea1a420bbda01608b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3d17d1621f3bb4a4a951ec5ea1a420bbda01608b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
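Review bot: the product label is wrong for all five entries changed in this patch: CVE-2021-23006 and CVE-2021-23005 in the first hunk and CVE-2021-22997, CVE-2021-22996 and CVE-2021-22995 in the second all describe BIG-IQ ("On all 7.x and 6.x versions (fixed in 8.0.0), undisclosed BIG-IQ pages ...", "BIG-IQ HA ElasticSearch ...", "BIG-IQ high availability ..."), not BIG-IP, so the marker should read NOT-FOR-US: F5 BIG-IQ to match the description and keep the NFU text searchable by product.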
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-347{7,8}/openexr
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a5b7167f by Salvatore Bonaccorso at 2021-03-31T22:38:54+02:00 Add CVE-2021-347{7,8}/openexr - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -54,8 +54,14 @@ CVE-2021-3479 (There's a flaw in OpenEXR's Scanline API functionality in version NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/d80f11f4f55100d007ae80a162bf257ec291612c NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/830 CVE-2021-3478 (There's a flaw in OpenEXR's scanline input file functionality in versi ...) + - openexr + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27409 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939160 TODO: check CVE-2021-3477 (There's a flaw in OpenEXR's deep tile sample size calculations in vers ...) + - openexr + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26956 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939159 TODO: check CVE-2021-29645 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5b7167fb2567d7bf4b460a172eaa33c5bccd171 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5b7167fb2567d7bf4b460a172eaa33c5bccd171 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
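Review bot: CVE-2021-3478 and CVE-2021-3477 now carry - openexr plus OSS-Fuzz and Red Hat Bugzilla references but keep TODO: check, while their siblings CVE-2021-3474 through CVE-2021-3479 already have [buster] - openexr (Minor issue) from the buster triage in this digest; once the check is done, the buster line for these two belongs in the same place so the openexr batch is triaged uniformly.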
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 09c666bd by Salvatore Bonaccorso at 2021-03-31T22:14:44+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15207,25 +15207,25 @@ CVE-2021-23009 CVE-2021-23008 RESERVED CVE-2021-23007 (On BIG-IP versions 14.1.4 and 16.0.1.1, when the Traffic Management Mi ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2021-23006 (On all 7.x and 6.x versions (fixed in 8.0.0), undisclosed BIG-IQ pages ...) TODO: check CVE-2021-23005 (On all 7.x and 6.x versions (fixed in 8.0.0), when using a Quorum devi ...) TODO: check CVE-2021-23004 (On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1. ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2021-23003 (On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1. ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2021-23002 (When using BIG-IP APM 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2021-23001 (On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x bef ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2021-23000 (On BIG-IP versions 13.1.3.4-13.1.3.6 and 12.1.5.2, if the tmm.http.rfc ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2021-22999 (On versions 15.0.x before 15.1.0 and 14.1.x before 14.1.4, the BIG-IP ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2021-22998 (On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14. ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2021-22997 (On all 7.x and 6.x versions (fixed in 8.0.0), BIG-IQ HA ElasticSearch ...) TODO: check CVE-2021-22996 (On all 7.x versions (fixed in 8.0.0), when set up for auto failover, a ...) 
@@ -15233,23 +15233,23 @@ CVE-2021-22996 (On all 7.x versions (fixed in 8.0.0), when set up for auto failo CVE-2021-22995 (On all 7.x and 6.x versions (fixed in 8.0.0), BIG-IQ high availability ...) TODO: check CVE-2021-22994 (On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14. ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2021-22993 (On BIG-IP Advanced WAF and BIG-IP ASM versions 16.0.x before 16.0.1.1, ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2021-22992 (On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14. ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2021-22991 (On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14. ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2021-22990 (On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14. ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2021-22989 (On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14. ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2021-22988 (On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14. ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2021-22987 (On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14. ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2021-22986 (On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14. ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2021-22985 (On BIG-IP APM version 16.0.x before 16.0.1.1, under certain conditions ...) NOT-FOR-US: F5 BIG-IP CVE-2021-22984 (On BIG-IP Advanced WAF and ASM version 15.1.x before 15.1.0.2, 15.0.x ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/09c666bdc9491b7ea1a6f1015cbbc5707755daba -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/09c666bdc9491b7ea1a6f1015cbbc5707755daba You're receiving this email because of your account on salsa.debian.org. 
[Git][security-tracker-team/security-tracker][master] Add second commit for CVE-2021-23980/python-bleach
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: afa738dd by Salvatore Bonaccorso at 2021-03-31T22:12:21+02:00 Add second commit for CVE-2021-23980/python-bleach - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13095,6 +13095,7 @@ CVE-2021-23980 [mutation XSS via allowed math or svg; p or br; and style, title, NOTE: https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1689399 NOTE: https://github.com/mozilla/bleach/commit/79b7a3c5e56a09d1d323a5006afa59b56162eb13 + NOTE: https://github.com/mozilla/bleach/commit/d398c89e54ced6b1039d3677689707456ba42dec CVE-2021-23979 (Mozilla developers reported memory safety bugs present in Firefox 85. ...) - firefox 86.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-07/#CVE-2021-23979 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/afa738dd091b834e92e62a77e634c282db233bcb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/afa738dd091b834e92e62a77e634c282db233bcb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cc2e0356 by security tracker role at 2021-03-31T20:10:22+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,21 @@ +CVE-2021-29663 (CourseMS (aka Course Registration Management System) 2.1 is affected b ...) + TODO: check +CVE-2021-29661 + RESERVED +CVE-2021-29660 + RESERVED +CVE-2021-29659 + RESERVED +CVE-2021-29658 (The unofficial vscode-rufo extension before 0.0.4 for Visual Studio Co ...) + TODO: check +CVE-2021-29657 + RESERVED +CVE-2021-29656 + RESERVED +CVE-2021-29655 + RESERVED +CVE-2021-29654 + RESERVED CVE-2021-29653 RESERVED CVE-2021-29652 @@ -29,17 +47,16 @@ CVE-2020-36284 RESERVED CVE-2021-3480 RESERVED -CVE-2021-3479 [Out-of-memory caused by allocation of a very large buffer] - RESERVED +CVE-2021-3479 (There's a flaw in OpenEXR's Scanline API functionality in versions bef ...) - openexr [buster] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25370 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/d80f11f4f55100d007ae80a162bf257ec291612c NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/830 -CVE-2021-3478 - RESERVED -CVE-2021-3477 - RESERVED +CVE-2021-3478 (There's a flaw in OpenEXR's scanline input file functionality in versi ...) + TODO: check +CVE-2021-3477 (There's a flaw in OpenEXR's deep tile sample size calculations in vers ...) + TODO: check CVE-2021-29645 RESERVED CVE-2021-29644 
@@ -497,7 +514,7 @@ CVE-2021-3474 (There's a flaw in OpenEXR in versions before 3.0.0-beta. A crafte [buster] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24831 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/c3ed4a1db1f39bf4524a644cb2af81dc8cfab33f -CVE-2021-29662 +CVE-2021-29662 (The Data::Validate::IP module through 0.29 for Perl does not properly ...) - libdata-validate-ip-perl NOTE: Documentation update: https://github.com/houseabsolute/Data-Validate-IP/commit/3bba13c819d616514a75e089badd75002fd4f14e CVE-2021-29424 (The Net::Netmask module before 2. for Perl does not properly consi ...) @@ -853,8 +870,7 @@ CVE-2021-29263 RESERVED CVE-2021-3471 RESERVED -CVE-2021-3470 [potential heap overflow when using a heap allocator other than jemalloc or glibc's malloc] - RESERVED +CVE-2021-3470 (A heap overflow issue was found in Redis in versions before 5.0.10, be ...) - redis 5:6.0.9-1 (unimportant) NOTE: https://github.com/redis/redis/pull/7963 NOTE: https://github.com/redis/redis/commit/9824fe3e392caa04dc1b4071886e9ac402dd6d95 @@ -2178,8 +2194,7 @@ CVE-2021-28659 RESERVED CVE-2021-28658 RESERVED -CVE-2021-28657 [Infinite loop] - RESERVED +CVE-2021-28657 (A carefully crafted or corrupt file may trigger an infinite loop in Ti ...) - tika NOTE: https://www.openwall.com/lists/oss-security/2021/03/30/3 CVE-2021-28656 @@ -3064,8 +3079,8 @@ CVE-2021-28247 (** UNSUPPORTED WHEN ASSIGNED ** CA eHealth Performance Manager t NOT-FOR-US: CA eHealth Performance Manager CVE-2021-28246 (** UNSUPPORTED WHEN ASSIGNED ** CA eHealth Performance Manager through ...) NOT-FOR-US: CA eHealth Performance Manager -CVE-2021-28245 - RESERVED +CVE-2021-28245 (PbootCMS 3.0.4 contains a SQL injection vulnerability through index.ph ...) + TODO: check CVE-2021-28244 RESERVED CVE-2021-28243 
@@ -3287,6 +3302,7 @@ CVE-2021-28146 (The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 CVE-2020-36282 (JMS Client for RabbitMQ 1.x before 1.15.2 and 2.x before 2.2.0 is vuln ...) NOT-FOR-US: JMS Client for RabbitMQ CVE-2020-36281 (Leptonica before 1.80.0 allows a heap-based buffer over-read in pixFew ...) + {DLA-2612-1} - leptonlib (bug #985089) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22140 NOTE: https://github.com/DanBloomberg/leptonica/commit/5ee24b398bb67666f6d173763eaaedd9c36fb1e5 @@ -3296,14 +3312,17 @@ CVE-2020-36280 (Leptonica before 1.80.0 allows a heap-based buffer over-read in NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23654 NOTE: https://github.com/DanBloomberg/leptonica/commit/5ba34b1fe741d69d43a6c8cf767756997eadd87c CVE-2020-36279 (Leptonica before 1.80.0 allows a heap-based buffer over-read in raster ...) + {DLA-2612-1} - leptonlib (bug #985089) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22512 NOTE:
[Git][security-tracker-team/security-tracker][master] Mark CVE-2021-3470/redis unimportant
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cbc4befc by Salvatore Bonaccorso at 2021-03-31T21:41:32+02:00 Mark CVE-2021-3470/redis unimportant - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -855,9 +855,10 @@ CVE-2021-3471 RESERVED CVE-2021-3470 [potential heap overflow when using a heap allocator other than jemalloc or glibc's malloc] RESERVED - - redis 5:6.0.9-1 + - redis 5:6.0.9-1 (unimportant) NOTE: https://github.com/redis/redis/pull/7963 NOTE: https://github.com/redis/redis/commit/9824fe3e392caa04dc1b4071886e9ac402dd6d95 + NOTE: Only an issue if not using a heap allocator other than jemalloc or glibc's malloc CVE-2021-3469 RESERVED - foreman (bug #663101) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cbc4befcab87c768c25e1684e80a111bdd53ea6e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cbc4befcab87c768c25e1684e80a111bdd53ea6e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
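Review bot: the added NOTE contradicts the bracketed summary two lines above it: the summary says the heap overflow occurs "when using a heap allocator other than jemalloc or glibc's malloc", but the note reads "Only an issue if not using a heap allocator other than jemalloc or glibc's malloc", which is the opposite condition. Drop the "not" so the note matches the summary and actually explains the (unimportant) rating.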
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-3470/redis
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 702ed7d8 by Salvatore Bonaccorso at 2021-03-31T21:37:54+02:00 Add CVE-2021-3470/redis - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -853,8 +853,11 @@ CVE-2021-29263 RESERVED CVE-2021-3471 RESERVED -CVE-2021-3470 +CVE-2021-3470 [potential heap overflow when using a heap allocator other than jemalloc or glibc's malloc] RESERVED + - redis 5:6.0.9-1 + NOTE: https://github.com/redis/redis/pull/7963 + NOTE: https://github.com/redis/redis/commit/9824fe3e392caa04dc1b4071886e9ac402dd6d95 CVE-2021-3469 RESERVED - foreman (bug #663101) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/702ed7d81c71a7fcbec42936d346978f15e8cff3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/702ed7d81c71a7fcbec42936d346978f15e8cff3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-29662/libdata-validate-ip-perl
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d24538bb by Salvatore Bonaccorso at 2021-03-31T21:32:18+02:00 Add CVE-2021-29662/libdata-validate-ip-perl I'm not sure yet here if the documentation update will be the only fix or if it will go to be handled as well on source level. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -497,6 +497,9 @@ CVE-2021-3474 (There's a flaw in OpenEXR in versions before 3.0.0-beta. A crafte [buster] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24831 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/c3ed4a1db1f39bf4524a644cb2af81dc8cfab33f +CVE-2021-29662 + - libdata-validate-ip-perl + NOTE: Documentation update: https://github.com/houseabsolute/Data-Validate-IP/commit/3bba13c819d616514a75e089badd75002fd4f14e CVE-2021-29424 (The Net::Netmask module before 2. for Perl does not properly consi ...) - libnet-netmask-perl (bug #986135) NOTE: https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d24538bb8a4b9246e42c6b7ccc9a23f7ad9045ba -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d24538bb8a4b9246e42c6b7ccc9a23f7ad9045ba You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
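Review bot: the open question stated in the commit message (whether the documentation update is the only fix or a source-level change will follow) is not recorded in the entry itself: CVE-2021-29662 is added with only a package line and a NOTE pointing at the documentation commit, with no TODO line, no fixed version and no severity marker, so a reader of data/CVE/list cannot tell that the entry is unresolved. Add a TODO line saying that an upstream code fix is still being checked so the entry gets revisited.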
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-21409/netty
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1da4c9fc by Salvatore Bonaccorso at 2021-03-31T21:27:38+02:00 Add Debian bug reference for CVE-2021-21409/netty - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19879,7 +19879,7 @@ CVE-2021-21411 (OAuth2-Proxy is an open source reverse proxy that provides authe CVE-2021-21410 RESERVED CVE-2021-21409 (Netty is an open-source, asynchronous event-driven network application ...) - - netty + - netty (bug #986217) NOTE: Fixed by: https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432 NOTE: https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32 NOTE: Is a followup to: https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1da4c9fce7c15db542d06410cc4352cdeb5db5b7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1da4c9fce7c15db542d06410cc4352cdeb5db5b7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] buster triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d48ec47c by Moritz Muehlenhoff at 2021-03-31T21:09:56+02:00 buster triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -32,6 +32,7 @@ CVE-2021-3480 CVE-2021-3479 [Out-of-memory caused by allocation of a very large buffer] RESERVED - openexr + [buster] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25370 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/d80f11f4f55100d007ae80a162bf257ec291612c NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/830 @@ -483,14 +484,17 @@ CVE-2021-29425 RESERVED CVE-2021-3476 (A flaw was found in OpenEXR's B44 uncompression functionality in versi ...) - openexr + [buster] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24787 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/eec0dba242bedd2778c973ae4af112107b33d9c9 CVE-2021-3475 (There is a flaw in OpenEXR in versions before 3.0.0-beta. An attacker ...) - openexr + [buster] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25297 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/2a18ed424a854598c2a20b5dd7e782b436a1e753 CVE-2021-3474 (There's a flaw in OpenEXR in versions before 3.0.0-beta. A crafted inp ...) - openexr + [buster] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24831 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/c3ed4a1db1f39bf4524a644cb2af81dc8cfab33f CVE-2021-29424 (The Net::Netmask module before 2. for Perl does not properly consi ...) 
@@ -13072,6 +13076,7 @@ CVE-2021-23980 [mutation XSS via allowed math or svg; p or br; and style, title, - python-bleach NOTE: https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1689399 + NOTE: https://github.com/mozilla/bleach/commit/79b7a3c5e56a09d1d323a5006afa59b56162eb13 CVE-2021-23979 (Mozilla developers reported memory safety bugs present in Firefox 85. ...) - firefox 86.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-07/#CVE-2021-23979 @@ -22540,6 +22545,7 @@ CVE-2021-20297 [Setting match.path and activating a profiles crashes NetworkMana CVE-2021-20296 RESERVED - openexr + [buster] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24854 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/b0c63c0b96eb9b0d3998f603e12f9f414fb0d44a CVE-2021-20295 [Regression of CVE-2020-10756 fix in virt:rhel/qemu-kvm in Red Hat Enterprise Linux 8.3] = data/dsa-needed.txt = @@ -33,6 +33,8 @@ netty -- openjpeg2 (jmm) -- +python-bleach +-- python-pysaml2 (jmm) -- salt View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d48ec47cfb0b6467d56c4b5e0e78a1aad595c029 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d48ec47cfb0b6467d56c4b5e0e78a1aad595c029 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug references for CVE-2021-29376/{ircii,scrollz}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7023b816 by Salvatore Bonaccorso at 2021-03-31T21:05:16+02:00 Add Debian bug references for CVE-2021-29376/{ircii,scrollz} - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -603,8 +603,8 @@ CVE-2021-29377 RESERVED CVE-2021-29376 (ircII before 20210314 allows remote attackers to cause a denial of ser ...) - ircii-pana - - ircii - - scrollz + - ircii (bug #986214) + - scrollz (bug #986215) NOTE: https://www.openwall.com/lists/oss-security/2021/03/24/2 CVE-2021-29375 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7023b816796ebd4d8422f3e8f93979c791f026fe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7023b816796ebd4d8422f3e8f93979c791f026fe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
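Review bot: bug references are added for ircii (#986214) and scrollz (#986215) but the first package line of the same entry, - ircii-pana, is left without one; if a bug was filed against ircii-pana it should be recorded here as well, and if none is needed a short NOTE saying why would keep the three package lines consistent.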
[Git][security-tracker-team/security-tracker][master] Add two more source package references for CVE-2021-29376
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dc8d6c90 by Salvatore Bonaccorso at 2021-03-31T20:54:26+02:00 Add two more source package references for CVE-2021-29376 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -602,7 +602,9 @@ CVE-2021-29378 CVE-2021-29377 RESERVED CVE-2021-29376 (ircII before 20210314 allows remote attackers to cause a denial of ser ...) + - ircii-pana - ircii + - scrollz NOTE: https://www.openwall.com/lists/oss-security/2021/03/24/2 CVE-2021-29375 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc8d6c90ec4c29b6e92e7674c2630d420773b6cf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc8d6c90ec4c29b6e92e7674c2630d420773b6cf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] new chromium issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d18f5f8c by Moritz Muehlenhoff at 2021-03-31T20:46:58+02:00 new chromium issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20403,16 +20403,28 @@ CVE-2021-21200 RESERVED CVE-2021-21199 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-21198 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-21197 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-21196 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-21195 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-21194 RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-21193 (Use after free in Blink in Google Chrome prior to 89.0.4389.90 allowed ...) - chromium 89.0.4389.90-1 (bug #985142) [stretch] - chromium (see DSA 4562) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d18f5f8cbaeff675efffc36dd87db56e2e30708a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d18f5f8cbaeff675efffc36dd87db56e2e30708a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
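Review bot: the six new chromium entries (CVE-2021-21194 through CVE-2021-21199) are added as a bare `- chromium` with no fixed version and no bug reference, while the CVE-2021-21193 context line below them carries `chromium 89.0.4389.90-1 (bug #985142)`; since the ids are still RESERVED, a bracketed short description like the one used for CVE-2021-28688 elsewhere in this feed would help, and the fixed Debian version and bug number should be filled in once the fixing upload lands so unstable stops showing as vulnerable for all six.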
[Git][security-tracker-team/security-tracker][master] CVE-2021-28688: Add upstream commit reference
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c219ba5 by Salvatore Bonaccorso at 2021-03-31T20:43:05+02:00 CVE-2021-28688: Add upstream commit reference - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2086,6 +2086,7 @@ CVE-2021-28688 [blkback driver may leak persistent grants] RESERVED - linux NOTE: https://xenbits.xen.org/xsa/advisory-371.html + NOTE: https://git.kernel.org/linus/a846738f8c3788d846ed1f587270d2f2e3d32432 CVE-2021-28686 RESERVED CVE-2021-28685 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c219ba5b9ac95ecfa71201802d8e9c370107d35 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c219ba5b9ac95ecfa71201802d8e9c370107d35 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] take underscore
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 227199a2 by Moritz Muehlenhoff at 2021-03-31T19:23:23+02:00 take underscore - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -39,7 +39,7 @@ salt -- tomcat9 -- -underscore +underscore (jmm) -- webkit2gtk -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/227199a2722c93be4cfbcd7e74408090096c306c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/227199a2722c93be4cfbcd7e74408090096c306c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] new ircii issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 54627e3e by Moritz Muehlenhoff at 2021-03-31T19:22:55+02:00 new ircii issue NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -46,7 +46,7 @@ CVE-2021-29644 CVE-2021-29643 RESERVED CVE-2021-29642 (GistPad before 0.2.7 allows a crafted workspace folder to change the U ...) - TODO: check + NOT-FOR-US: GistPad CVE-2021-29641 RESERVED CVE-2021-29640 @@ -522,7 +522,7 @@ CVE-2021-29418 (The netmask package before 2.0.1 for Node.js mishandles certain CVE-2021-29417 (gitjacker before 0.1.0 allows remote attackers to execute arbitrary co ...) TODO: check CVE-2021-29416 (An issue was discovered in PortSwigger Burp Suite before 2021.2. Durin ...) - TODO: check + NOT-FOR-US: Burp Suite (different from src:burp) CVE-2021-29415 RESERVED CVE-2021-29414 @@ -602,7 +602,8 @@ CVE-2021-29378 CVE-2021-29377 RESERVED CVE-2021-29376 (ircII before 20210314 allows remote attackers to cause a denial of ser ...) - TODO: check + - ircii + NOTE: https://www.openwall.com/lists/oss-security/2021/03/24/2 CVE-2021-29375 RESERVED CVE-2021-29374 @@ -826,7 +827,7 @@ CVE-2021-29269 CVE-2021-29268 RESERVED CVE-2021-29267 (Sherlock SherlockIM through 2021-03-29 allows Cross Site Scripting (XS ...) - TODO: check + NOT-FOR-US: SherlockIM CVE-2021-29266 (An issue was discovered in the Linux kernel before 5.11.9. drivers/vho ...) - linux 5.10.26-1 (unimportant) [buster] - linux (Vulnerable code introduced later) 
@@ -5417,15 +5418,15 @@ CVE-2021-27246 CVE-2021-27245 (This vulnerability allows a firewall bypass on affected installations ...) NOT-FOR-US: TP-Link CVE-2021-27244 (This vulnerability allows local attackers to disclose sensitive inform ...) - TODO: check + NOT-FOR-US: Parallels CVE-2021-27243 (This vulnerability allows local attackers to escalate privileges on af ...) - TODO: check + NOT-FOR-US: Parallels CVE-2021-27242 (This vulnerability allows local attackers to escalate privileges on af ...) - TODO: check + NOT-FOR-US: Parallels CVE-2021-27241 (This vulnerability allows local attackers to delete arbitrary director ...) - TODO: check + NOT-FOR-US: Avast CVE-2021-27240 (This vulnerability allows local attackers to escalate privileges on af ...) - TODO: check + NOT-FOR-US: SolarWinds CVE-2021-27239 (This vulnerability allows network-adjacent attackers to execute arbitr ...) NOT-FOR-US: Netgear CVE-2021-27238 @@ -6978,7 +6979,7 @@ CVE-2021-26581 CVE-2021-26580 RESERVED CVE-2021-26579 (A security vulnerability in HPE Unified Data Management (UDM) could al ...) - TODO: check + NOT-FOR-US: HPE CVE-2021-26578 (A potential security vulnerability has been identified in HPE Network ...) NOT-FOR-US: HPE Network Orchestrator (NetO) CVE-2021-26577 (The Baseboard Management Controller (BMC) firmware in HPE Apollo 70 Sy ...) @@ -16982,7 +16983,7 @@ CVE-2021-22196 CVE-2021-22195 RESERVED CVE-2021-22194 (In all versions of GitLab starting from 13.7, marshalled session keys ...) - TODO: check + - gitlab CVE-2021-22193 (An issue has been discovered in GitLab affecting all versions starting ...) - gitlab CVE-2021-22192 (An issue has been discovered in GitLab CE/EE affecting all versions st ...) 
@@ -17011,7 +17012,7 @@ CVE-2021-22185 (Insufficient input sanitization in wikis in GitLab version 13.8 - gitlab (Only affects 13.8) NOTE: https://about.gitlab.com/releases/2021/03/04/security-release-gitlab-13-9-2-released/ CVE-2021-22184 (An information disclosure issue in GitLab starting from version 12.8 a ...) - TODO: check + - gitlab CVE-2021-22183 (An issue has been discovered in GitLab affecting all versions starting ...) [experimental] - gitlab 13.6.6-1 - gitlab @@ -17021,7 +17022,7 @@ CVE-2021-22182 (An issue has been discovered in GitLab affecting all versions st CVE-2021-22181 RESERVED CVE-2021-22180 (An issue has been discovered in GitLab affecting all versions starting ...) - TODO: check + - gitlab CVE-2021-22179 (A vulnerability was discovered in GitLab versions before 12.2. GitLab ...) - gitlab CVE-2021-22178 (An issue has been discovered in GitLab affecting all versions starting ...) @@ -19864,9 +19865,9 @@ CVE-2021-21414 CVE-2021-21413 (isolated-vm is a library for nodejs which gives you access to v8's Iso ...) TODO: check CVE-2021-21412 (Potential for arbitrary code execution in npm package @thi.ng/egf `#gp ...) - TODO: check + NOT-FOR-US: Node @thi.ng/egf CVE-2021-21411 (OAuth2-Proxy is an open source reverse proxy
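Review bot: in the @@ -602 hunk for CVE-2021-29376, only src:ircii is listed, with no fixed version and no bug reference; the oss-security post in the NOTE covers ircII code, so the other source packages built from it should be checked as well (a later commit in this feed adds ircii-pana and scrollz), and a bug number added once filed.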
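Review bot: in the @@ -16982, @@ -17011 and @@ -17021 hunks, CVE-2021-22194, CVE-2021-22184 and CVE-2021-22180 are resolved to a bare `- gitlab` with no version and no NOTE, whereas the neighbouring CVE-2021-22185 context records the affected range and a link to the GitLab release post; adding the fixed version (or the release-post URL as a NOTE) to the three new entries would keep them consistent with that convention.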
[Git][security-tracker-team/security-tracker][master] Add underscore to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4d6d41ae by Salvatore Bonaccorso at 2021-03-31T17:48:35+02:00 Add underscore to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -39,6 +39,8 @@ salt -- tomcat9 -- +underscore +-- webkit2gtk -- xen (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4d6d41ae8a1254fa7b6ea4de2972a30a23e4f535 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4d6d41ae8a1254fa7b6ea4de2972a30a23e4f535 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark CVE-2021-28918 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 31907b0e by Salvatore Bonaccorso at 2021-03-31T17:47:04+02:00 Mark CVE-2021-28918 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1610,7 +1610,7 @@ CVE-2021-28919 RESERVED CVE-2021-28918 RESERVED - TODO: check + NOT-FOR-US: netmask nodejs module NOTE: https://sick.codes/sick-2021-011 NOTE: https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/ CVE-2021-28917 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/31907b0e6ac89cbbb1a94cd66b6c743ed3872de5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/31907b0e6ac89cbbb1a94cd66b6c743ed3872de5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
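Review bot: CVE-2021-28918 is marked `NOT-FOR-US: netmask nodejs module`, while CVE-2021-29418 for the same netmask package (visible as context in the earlier `new ircii issue NFUs` commit in this feed) is still `TODO: check`; the two should be triaged together with the same outcome, and the NOT-FOR-US should first confirm that no node-netmask source package exists in the archive, otherwise the entry should point at that package instead.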
[Git][security-tracker-team/security-tracker][master] CVE-2021-28918
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: b7acc4f6 by Henri Salo at 2021-03-31T18:41:50+03:00 CVE-2021-28918 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1610,6 +1610,9 @@ CVE-2021-28919 RESERVED CVE-2021-28918 RESERVED + TODO: check + NOTE: https://sick.codes/sick-2021-011 + NOTE: https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/ CVE-2021-28917 RESERVED CVE-2021-28916 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b7acc4f643dd39e3e1e866da3fcdd6368fab88ac -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b7acc4f643dd39e3e1e866da3fcdd6368fab88ac You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Remove no-dsa tagged entries for curl which got an update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 19f5babd by Salvatore Bonaccorso at 2021-03-31T12:43:43+02:00 Remove no-dsa tagged entries for curl which got an update - - - - - b2476b53 by Salvatore Bonaccorso at 2021-03-31T12:44:06+02:00 Remove curl from dsa-needed as DSA released - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -81212,20 +81212,17 @@ CVE-2020-8287 (Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow t CVE-2020-8286 (curl 7.41.0 through 7.73.0 is vulnerable to an improper check for cert ...) {DLA-2500-1} - curl 7.74.0-1 (bug #977161) - [buster] - curl (Minor issue) NOTE: https://curl.se/docs/CVE-2020-8286.html NOTE: https://github.com/curl/curl/commit/d9d01672785b8ac04aab1abb6de95fe3072ae199 (curl-7_74_0) CVE-2020-8285 (curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recu ...) {DLA-2500-1} - curl 7.74.0-1 (bug #977162) - [buster] - curl (Minor issue) NOTE: https://curl.se/docs/CVE-2020-8285.html NOTE: https://github.com/curl/curl/issues/6255 NOTE: https://github.com/curl/curl/commit/69a358f2186e04cf44698b5100332cbf1ee7f01d (curl-7_74_0) CVE-2020-8284 (A malicious server can use the FTP PASV response to trick curl 7.73.0 ...) {DLA-2500-1} - curl 7.74.0-1 (bug #977163) - [buster] - curl (Minor issue) NOTE: https://curl.se/docs/CVE-2020-8284.html NOTE: https://github.com/curl/curl/commit/ec9cc725d598ac77de7b6df8afeec292b3c8ad46 (curl-7_74_0) CVE-2020-8283 (An authorised user on a Windows host running Citrix Universal Print Se ...) 
@@ -81362,7 +81359,6 @@ CVE-2020-8232 (An information disclosure vulnerability exists in EdgeMax EdgeSwi CVE-2020-8231 (Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can us ...) {DLA-2382-1} - curl 7.72.0-1 (bug #968831) - [buster] - curl (Minor issue) NOTE: https://curl.haxx.se/docs/CVE-2020-8231.html NOTE: https://github.com/curl/curl/pull/5824 NOTE: https://github.com/curl/curl/commit/3c9e021f86872baae412a427e807fbfa2f3e8 @@ -81501,7 +81497,6 @@ CVE-2020-8178 (Insufficient input validation in npm package `jison` = 0.4.18 CVE-2020-8177 (curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of na ...) {DLA-2295-1} - curl 7.72.0-1 (bug #965281) - [buster] - curl (Minor issue) NOTE: https://curl.haxx.se/docs/CVE-2020-8177.html NOTE: https://github.com/curl/curl/commit/8236aba58542c5f89f1d41ca09d84579efb05e22 (7.71.0) CVE-2020-8176 (A cross-site scripting vulnerability exists in koa-shopify-auth v3.1.6 ...) @@ -81525,7 +81520,6 @@ CVE-2020-8170 (We have recently released new version of AirMax AirOS firmware v6 NOT-FOR-US: AirMax AirOS CVE-2020-8169 (curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure ...) - curl 7.72.0-1 (bug #965280) - [buster] - curl (Minor issue) [stretch] - curl (Vulnerable code introduced later) [jessie] - curl (Vulnerable code introduced later) NOTE: https://curl.haxx.se/docs/CVE-2020-8169.html = data/dsa-needed.txt = 
@@ -17,8 +17,6 @@ condor chromium Package was prepared by Michel Le Bihan (already uploaded), needd review for DSA release -- -curl (ghedo) --- knot-resolver Santiago Ruano Rincón proposed a debdiff for review -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/181f199879bcf5afe56df80f6996927503512301...b2476b5300c0a0dbe2cedfb2aac1a6d62cb1472b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/181f199879bcf5afe56df80f6996927503512301...b2476b5300c0a0dbe2cedfb2aac1a6d62cb1472b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
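Review bot: the data/CVE/list hunks drop the `[buster] - curl (Minor issue)` lines for CVE-2020-8169, -8177, -8231, -8284, -8285 and -8286 only, but the DSA-4881-1 entry reserved in the next commit of this feed also lists CVE-2021-22876 and CVE-2021-22890; please confirm those two entries carry no stale buster no-dsa tag either, or fold them into this cleanup.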
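Review bot: while removing `curl (ghedo)` from data/dsa-needed.txt, the chromium context line two lines above reads `needd review for DSA release`; worth correcting the typo to `needs review` in the same commit, since the file is hand-edited and nothing else will fix it.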
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2612-1 for leptonlib
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 181f1998 by Thorsten Alteholz at 2021-03-31T12:07:42+02:00 Reserve DLA-2612-1 for leptonlib - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Mar 2021] DLA-2612-1 leptonlib - security update + {CVE-2020-36277 CVE-2020-36278 CVE-2020-36279 CVE-2020-36281} + [stretch] - leptonlib 1.74.1-1+deb9u1 [31 Mar 2021] DLA-2611-1 ldb - security update {CVE-2020-27840 CVE-2021-20277} [stretch] - ldb 2:1.1.27-1+deb9u2 = data/dla-needed.txt = @@ -67,8 +67,6 @@ golang-gogoprotobuf -- gsoap -- -leptonlib (Thorsten Alteholz) --- libebml (Thorsten Alteholz) NOTE: 20210307: testing package NOTE: 20210321: preparing buster debdiff as well View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/181f199879bcf5afe56df80f6996927503512301 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/181f199879bcf5afe56df80f6996927503512301 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
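Review bot: the DLA-2612-1 entry lists CVE-2020-36277, CVE-2020-36278, CVE-2020-36279 and CVE-2020-36281 but skips CVE-2020-36280 in the middle of the range; if that id does not affect the stretch leptonlib 1.74.1-1+deb9u1 package, say so in its CVE/list entry so the gap reads as deliberate rather than as an omission.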
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2611-1 for ldb
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: dc9d3f53 by Thorsten Alteholz at 2021-03-31T11:21:01+02:00 Reserve DLA-2611-1 for ldb - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Mar 2021] DLA-2611-1 ldb - security update + {CVE-2020-27840 CVE-2021-20277} + [stretch] - ldb 2:1.1.27-1+deb9u2 [29 Mar 2021] DLA-2610-1 linux-4.19 - security update {CVE-2020-27170 CVE-2020-27171 CVE-2021-3348 CVE-2021-3428 CVE-2021-26930 CVE-2021-26931 CVE-2021-26932 CVE-2021-27363 CVE-2021-27364 CVE-2021-27365 CVE-2021-28038 CVE-2021-28660} [stretch] - linux-4.19 4.19.181-1~deb9u1 = data/dla-needed.txt = @@ -67,8 +67,6 @@ golang-gogoprotobuf -- gsoap -- -ldb (Thorsten Alteholz) --- leptonlib (Thorsten Alteholz) -- libebml (Thorsten Alteholz) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc9d3f5343b8ec8c5ae6fbc8f821b373c0f01e2c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc9d3f5343b8ec8c5ae6fbc8f821b373c0f01e2c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for curl
Alessandro Ghedini pushed to branch master at Debian Security Tracker / security-tracker Commits: 4ca8c2ab by Alessandro Ghedini at 2021-03-31T10:05:34+01:00 Reserve DSA number for curl - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[30 Mar 2021] DSA-4881-1 curl - security update + {CVE-2020-8169 CVE-2020-8177 CVE-2020-8231 CVE-2020-8284 CVE-2020-8285 CVE-2020-8286 CVE-2021-22876 CVE-2021-22890} + [buster] - curl 7.64.0-4+deb10u2 [29 Mar 2021] DSA-4880-1 lxml - security update {CVE-2021-28957} [buster] - lxml 4.3.2-1+deb10u3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ca8c2ab3ce94868950a0883e29dd11470c57b19 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ca8c2ab3ce94868950a0883e29dd11470c57b19 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2021-29649
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c5552231 by Salvatore Bonaccorso at 2021-03-31T10:48:12+02:00 Update status for CVE-2021-29649 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9,6 +9,8 @@ CVE-2021-29650 (An issue was discovered in the Linux kernel before 5.11.11. The NOTE: https://git.kernel.org/linus/175e476b8cdf2a4de7432583b49c871345e4f8a1 CVE-2021-29649 (An issue was discovered in the Linux kernel before 5.11.11. The user m ...) - linux + [buster] - linux (Vulnerable code introduced later) + [stretch] - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/f60a85cad677c4f9bb4cadd764f1d106c38c7cf8 CVE-2021-29648 (An issue was discovered in the Linux kernel before 5.11.11. The BPF su ...) - linux View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5552231014695e75e7be693a72b30e92677daef -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5552231014695e75e7be693a72b30e92677daef You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-29646/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3640f129 by Salvatore Bonaccorso at 2021-03-31T10:38:30+02:00 Add CVE-2021-29646/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17,7 +17,10 @@ CVE-2021-29647 (An issue was discovered in the Linux kernel before 5.11.11. qrtr - linux NOTE: https://git.kernel.org/linus/50535249f624d0072cd885bcdce4e4b6fb770160 CVE-2021-29646 (An issue was discovered in the Linux kernel before 5.11.11. tipc_nl_re ...) - TODO: check + - linux + [buster] - linux (Vulnerable code introduced later) + [stretch] - linux (Vulnerable code introduced later) + NOTE: https://git.kernel.org/linus/0217ed2848e8538bcf9172d97ed2eeb4a26041bb CVE-2020-36285 RESERVED CVE-2020-36284 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3640f129e3e48b87710eb018a30523eeff86c682 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3640f129e3e48b87710eb018a30523eeff86c682 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-29647/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 32e4c410 by Salvatore Bonaccorso at 2021-03-31T10:34:21+02:00 Add CVE-2021-29647/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14,7 +14,8 @@ CVE-2021-29648 (An issue was discovered in the Linux kernel before 5.11.11. The - linux NOTE: https://git.kernel.org/linus/350a5c4dd2452ea999cc5e1d4a8dbf12de2f97ef CVE-2021-29647 (An issue was discovered in the Linux kernel before 5.11.11. qrtr_recvm ...) - TODO: check + - linux + NOTE: https://git.kernel.org/linus/50535249f624d0072cd885bcdce4e4b6fb770160 CVE-2021-29646 (An issue was discovered in the Linux kernel before 5.11.11. tipc_nl_re ...) TODO: check CVE-2020-36285 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32e4c410dd438b2d054c0acf87e4e88ad0fa7b20 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32e4c410dd438b2d054c0acf87e4e88ad0fa7b20 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-29648/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2e37e51f by Salvatore Bonaccorso at 2021-03-31T10:31:49+02:00 Add CVE-2021-29648/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11,7 +11,8 @@ CVE-2021-29649 (An issue was discovered in the Linux kernel before 5.11.11. The - linux NOTE: https://git.kernel.org/linus/f60a85cad677c4f9bb4cadd764f1d106c38c7cf8 CVE-2021-29648 (An issue was discovered in the Linux kernel before 5.11.11. The BPF su ...) - TODO: check + - linux + NOTE: https://git.kernel.org/linus/350a5c4dd2452ea999cc5e1d4a8dbf12de2f97ef CVE-2021-29647 (An issue was discovered in the Linux kernel before 5.11.11. qrtr_recvm ...) TODO: check CVE-2021-29646 (An issue was discovered in the Linux kernel before 5.11.11. tipc_nl_re ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e37e51f9de2498af97c47ff93d5ad4282bf7503 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e37e51f9de2498af97c47ff93d5ad4282bf7503 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-29649/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5a90014b by Salvatore Bonaccorso at 2021-03-31T10:28:39+02:00 Add CVE-2021-29649/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8,7 +8,8 @@ CVE-2021-29650 (An issue was discovered in the Linux kernel before 5.11.11. The - linux NOTE: https://git.kernel.org/linus/175e476b8cdf2a4de7432583b49c871345e4f8a1 CVE-2021-29649 (An issue was discovered in the Linux kernel before 5.11.11. The user m ...) - TODO: check + - linux + NOTE: https://git.kernel.org/linus/f60a85cad677c4f9bb4cadd764f1d106c38c7cf8 CVE-2021-29648 (An issue was discovered in the Linux kernel before 5.11.11. The BPF su ...) TODO: check CVE-2021-29647 (An issue was discovered in the Linux kernel before 5.11.11. qrtr_recvm ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a90014bb273a6294ee375b04ccdb1ac9ae77fea -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a90014bb273a6294ee375b04ccdb1ac9ae77fea You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Add CVE-2021-29650/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e185ca81 by Salvatore Bonaccorso at 2021-03-31T10:24:55+02:00 Add CVE-2021-29650/linux - - - - - 250da95e by Salvatore Bonaccorso at 2021-03-31T10:25:24+02:00 Cleanup trailing whitespaces - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,7 +5,8 @@ CVE-2021-29652 CVE-2021-29651 RESERVED CVE-2021-29650 (An issue was discovered in the Linux kernel before 5.11.11. The netfil ...) - TODO: check + - linux + NOTE: https://git.kernel.org/linus/175e476b8cdf2a4de7432583b49c871345e4f8a1 CVE-2021-29649 (An issue was discovered in the Linux kernel before 5.11.11. The user m ...) TODO: check CVE-2021-29648 (An issue was discovered in the Linux kernel before 5.11.11. The BPF su ...) 
@@ -19952,7 +19953,7 @@ CVE-2021-21367 (Switchboard Bluetooth Plug for elementary OS from version 2.3.0 CVE-2021-21366 (xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) ...) - node-xmldom NOTE: https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv - NOTE: https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135 + NOTE: https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135 CVE-2021-21365 RESERVED CVE-2021-21364 (swagger-codegen is an open-source project which contains a template-dr ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4e809321207b9eb83545759afae904fc246e4d1c...250da95e017ef3b08f581bc212fe12d1a862d355 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4e809321207b9eb83545759afae904fc246e4d1c...250da95e017ef3b08f581bc212fe12d1a862d355 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4e809321 by security tracker role at 2021-03-31T08:10:28+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,23 @@ +CVE-2021-29653 + RESERVED +CVE-2021-29652 + RESERVED +CVE-2021-29651 + RESERVED +CVE-2021-29650 (An issue was discovered in the Linux kernel before 5.11.11. The netfil ...) + TODO: check +CVE-2021-29649 (An issue was discovered in the Linux kernel before 5.11.11. The user m ...) + TODO: check +CVE-2021-29648 (An issue was discovered in the Linux kernel before 5.11.11. The BPF su ...) + TODO: check +CVE-2021-29647 (An issue was discovered in the Linux kernel before 5.11.11. qrtr_recvm ...) + TODO: check +CVE-2021-29646 (An issue was discovered in the Linux kernel before 5.11.11. tipc_nl_re ...) + TODO: check +CVE-2020-36285 + RESERVED +CVE-2020-36284 + RESERVED CVE-2021-3480 RESERVED CVE-2021-3479 [Out-of-memory caused by allocation of a very large buffer] @@ -19829,8 +19849,8 @@ CVE-2021-21415 RESERVED CVE-2021-21414 RESERVED -CVE-2021-21413 - RESERVED +CVE-2021-21413 (isolated-vm is a library for nodejs which gives you access to v8's Iso ...) + TODO: check CVE-2021-21412 (Potential for arbitrary code execution in npm package @thi.ng/egf `#gp ...) TODO: check CVE-2021-21411 (OAuth2-Proxy is an open source reverse proxy that provides authenticat ...) @@ -40775,8 +40795,8 @@ CVE-2020-24997 CVE-2020-24996 (There is an invalid memory access in the function TextString::~TextStr ...) - xpdf (xpdf in Debian uses poppler, which is fixed) NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3=42028 -CVE-2020-24995 - RESERVED +CVE-2020-24995 (Buffer overflow vulnerability in sniff_channel_order function in aacde ...) + TODO: check CVE-2020-24994 (Stack overflow in the parse_tag function in libass/ass_parse.c in liba ...) - libass 1:0.15.0-1 [buster] - libass (Minor issue) 
@@ -42109,8 +42129,8 @@ CVE-2020-24392 (In voloko twitter-stream 0.1.10, missing TLS hostname validation [buster] - ruby-twitter-stream (Minor issue) [stretch] - ruby-twitter-stream (Minor issue) NOTE: https://securitylab.github.com/advisories/GHSL-2020-097-voloko-twitter-stream -CVE-2020-24391 - RESERVED +CVE-2020-24391 (mongo-express before 1.0.0 offers support for certain advanced syntax ...) + TODO: check CVE-2020-24390 (eonweb in EyesOfNetwork before 5.3-7 does not properly escape the user ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2020-24389 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e809321207b9eb83545759afae904fc246e4d1c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e809321207b9eb83545759afae904fc246e4d1c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2021-20297/network-manager
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 72700f36 by Salvatore Bonaccorso at 2021-03-31T09:13:37+02:00 Update information for CVE-2021-20297/network-manager - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22484,7 +22484,11 @@ CVE-2021-20298 CVE-2021-20297 [Setting match.path and activating a profiles crashes NetworkManager] RESERVED - network-manager - NOTE: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/420784e342da4883f6debdfe10cde68507b10d27 + [buster] - network-manager (Vulnerable code introduced later) + [stretch] - network-manager (Vulnerable code introduced later) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1942741 (not yet public) + NOTE: Introduced by: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/3ced486f4162edcd03ff42fa27535130aff0c86c (1.26-rc2) + NOTE: Fixed by: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/420784e342da4883f6debdfe10cde68507b10d27 CVE-2021-20296 RESERVED - openexr View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72700f36fe95e4d749561c2dee2bc11e9699edbb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72700f36fe95e4d749561c2dee2bc11e9699edbb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-20296/openexr
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f8734154 by Salvatore Bonaccorso at 2021-03-31T09:09:22+02:00 Add CVE-2021-20296/openexr - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22487,6 +22487,9 @@ CVE-2021-20297 [Setting match.path and activating a profiles crashes NetworkMana NOTE: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/420784e342da4883f6debdfe10cde68507b10d27 CVE-2021-20296 RESERVED + - openexr + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24854 + NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/b0c63c0b96eb9b0d3998f603e12f9f414fb0d44a CVE-2021-20295 [Regression of CVE-2020-10756 fix in virt:rhel/qemu-kvm in Red Hat Enterprise Linux 8.3] RESERVED - qemu (RHEL 8.3 specific security regression) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f87341543068a24ed81a9bad168c03e3303662d8
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-20297/network-manager
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 53f73af4 by Salvatore Bonaccorso at 2021-03-31T09:08:04+02:00 Add CVE-2021-20297/network-manager - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22481,8 +22481,10 @@ CVE-2021-20299 RESERVED CVE-2021-20298 RESERVED -CVE-2021-20297 +CVE-2021-20297 [Setting match.path and activating a profiles crashes NetworkManager] RESERVED + - network-manager + NOTE: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/420784e342da4883f6debdfe10cde68507b10d27 CVE-2021-20296 RESERVED CVE-2021-20295 [Regression of CVE-2020-10756 fix in virt:rhel/qemu-kvm in Red Hat Enterprise Linux 8.3] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/53f73af49e2e1fda3f80fab69e7d06be6025d734
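Review bot: the NOTE in this hunk cites the upstream commit without the "Fixed by:" prefix used by the other entries in this batch (netty, curl), and the entry carries no buster/stretch status lines, so the stable suites are implicitly marked vulnerable on the strength of a single upstream commit; both gaps were closed in the follow-up commit 72700f36, which is the shape this hunk should have had from the start.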
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-21409/netty
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c0e91f0f by Salvatore Bonaccorso at 2021-03-31T09:04:25+02:00 Add CVE-2021-21409/netty - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19838,7 +19838,10 @@ CVE-2021-21411 (OAuth2-Proxy is an open source reverse proxy that provides authe CVE-2021-21410 RESERVED CVE-2021-21409 (Netty is an open-source, asynchronous event-driven network application ...) - TODO: check + - netty + NOTE: Fixed by: https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432 + NOTE: https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32 + NOTE: Is a followup to: https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj CVE-2021-21408 RESERVED CVE-2021-21407 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0e91f0f0320af464f760e72e1f7a8844f9026ce
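Review bot: the "Is a followup to" NOTE names only the earlier GitHub advisory GHSA-wm47-8v5p-wjpj; adding the CVE id that advisory corresponds to would make the relation navigable inside data/CVE/list, where entries are keyed by CVE, and anyone preparing a stable update for the earlier issue would then see that a second fix (b0fa4d5a) has to be taken together with it.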
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-23980/python-bleach
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 87be9317 by Salvatore Bonaccorso at 2021-03-31T09:01:45+02:00 Add CVE-2021-23980/python-bleach - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13031,8 +13031,11 @@ CVE-2021-23981 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-10/#CVE-2021-23981 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-11/#CVE-2021-23981 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-12/#CVE-2021-23981 -CVE-2021-23980 +CVE-2021-23980 [mutation XSS via allowed math or svg; p or br; and style, title, noscript, script, textarea, noframes, iframe, or xmp tags with strip_comments=False] RESERVED + - python-bleach + NOTE: https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq + NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1689399 CVE-2021-23979 (Mozilla developers reported memory safety bugs present in Firefox 85. ...) - firefox 86.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-07/#CVE-2021-23979 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/87be93177176533576cddaa13661ec3d154d1ef3
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-3474/openexr
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 396a5e5e by Salvatore Bonaccorso at 2021-03-31T08:56:28+02:00 Add CVE-2021-3474/openexr - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -461,7 +461,9 @@ CVE-2021-3475 (There is a flaw in OpenEXR in versions before 3.0.0-beta. An atta NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25297 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/2a18ed424a854598c2a20b5dd7e782b436a1e753 CVE-2021-3474 (There's a flaw in OpenEXR in versions before 3.0.0-beta. A crafted inp ...) - TODO: check + - openexr + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24831 + NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/c3ed4a1db1f39bf4524a644cb2af81dc8cfab33f CVE-2021-29424 (The Net::Netmask module before 2. for Perl does not properly consi ...) - libnet-netmask-perl (bug #986135) NOTE: https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/396a5e5ec731bc37f118dcf45824cd6d5ce655aa
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-3475/openexr
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d418aedb by Salvatore Bonaccorso at 2021-03-31T08:55:03+02:00 Add CVE-2021-3475/openexr - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -457,7 +457,9 @@ CVE-2021-3476 (A flaw was found in OpenEXR's B44 uncompression functionality in NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24787 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/eec0dba242bedd2778c973ae4af112107b33d9c9 CVE-2021-3475 (There is a flaw in OpenEXR in versions before 3.0.0-beta. An attacker ...) - TODO: check + - openexr + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25297 + NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/2a18ed424a854598c2a20b5dd7e782b436a1e753 CVE-2021-3474 (There's a flaw in OpenEXR in versions before 3.0.0-beta. A crafted inp ...) TODO: check CVE-2021-29424 (The Net::Netmask module before 2. for Perl does not properly consi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d418aedb3bdcac10e1bd08ec1a4c32e39c3e0f4a
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-3476/openexr
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dc79f885 by Salvatore Bonaccorso at 2021-03-31T08:45:05+02:00 Add CVE-2021-3476/openexr - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -453,7 +453,9 @@ CVE-2021-29426 CVE-2021-29425 RESERVED CVE-2021-3476 (A flaw was found in OpenEXR's B44 uncompression functionality in versi ...) - TODO: check + - openexr + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24787 + NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/eec0dba242bedd2778c973ae4af112107b33d9c9 CVE-2021-3475 (There is a flaw in OpenEXR in versions before 3.0.0-beta. An attacker ...) TODO: check CVE-2021-3474 (There's a flaw in OpenEXR in versions before 3.0.0-beta. A crafted inp ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc79f8854e5d845de78664ec3da1e44ed7908367
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-3479/openexr
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 640c4fc3 by Salvatore Bonaccorso at 2021-03-31T08:43:29+02:00 Add CVE-2021-3479/openexr - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,11 @@ CVE-2021-3480 RESERVED -CVE-2021-3479 +CVE-2021-3479 [Out-of-memory caused by allocation of a very large buffer] RESERVED + - openexr + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25370 + NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/d80f11f4f55100d007ae80a162bf257ec291612c + NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/830 CVE-2021-3478 RESERVED CVE-2021-3477 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/640c4fc335f692e7c63621b751334139764461bd
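Review bot: this is the fourth openexr entry added in this batch (with CVE-2021-3474, CVE-2021-3475 and CVE-2021-3476) and, like the others, it records an oss-fuzz issue and an upstream commit but no buster/stretch status and no fixed version; since all four point at the same pre-3.0.0-beta code base, a single triage pass that adds matching suite lines to all four entries would keep the stable picture for openexr consistent rather than leaving each CVE to be assessed separately.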
[Git][security-tracker-team/security-tracker][master] Add curl to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5b8ed5d8 by Salvatore Bonaccorso at 2021-03-31T08:21:44+02:00 Add curl to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -17,6 +17,8 @@ condor chromium Package was prepared by Michel Le Bihan (already uploaded), needd review for DSA release -- +curl (ghedo) +-- knot-resolver Santiago Ruano Rincón proposed a debdiff for review -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b8ed5d810868e786a64f99d9926a8549b3d9eba
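Review bot: the new "curl (ghedo)" block carries no status note saying which issues it covers, unlike the chromium and knot-resolver blocks around it; naming CVE-2021-22876 and CVE-2021-22890, which the two preceding commits f3d945eb and 7f07db6f added to data/CVE/list, would tie the dsa-needed entry to the tracker data. Unrelated to this hunk, the chromium context line reads "needd review", a typo worth fixing in a separate commit.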
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-22890/curl
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7f07db6f by Salvatore Bonaccorso at 2021-03-31T08:20:45+02:00 Add CVE-2021-22890/curl - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15367,8 +15367,11 @@ CVE-2021-22892 RESERVED CVE-2021-22891 RESERVED -CVE-2021-22890 +CVE-2021-22890 [TLS 1.3 session ticket proxy host mixup] RESERVED + - curl + NOTE: https://curl.se/docs/CVE-2021-22890.html + NOTE: Fixed by: https://github.com/curl/curl/commit/b09c8ee15771c614c4bf3ddac893cdb12187c844 CVE-2021-22889 (Revive Adserver before v5.2.0 is vulnerable to a reflected XSS vulnera ...) NOT-FOR-US: Revive Adserver CVE-2021-22888 (Revive Adserver before v5.2.0 is vulnerable to a reflected XSS vulnera ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f07db6f59e72eaef0aaadeccc0f08574ba4fd3d
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-22876/curl
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f3d945eb by Salvatore Bonaccorso at 2021-03-31T08:19:06+02:00 Add CVE-2021-22876/curl - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15411,8 +15411,11 @@ CVE-2021-22878 (Nextcloud Server prior to 20.0.6 is vulnerable to reflected cros - nextcloud-server (bug #941708) CVE-2021-22877 (A missing user check in Nextcloud prior to 20.0.6 inadvertently popula ...) - nextcloud-server (bug #941708) -CVE-2021-22876 +CVE-2021-22876 [Automatic referer leaks credentials] RESERVED + - curl + NOTE: https://curl.se/docs/CVE-2021-22876.html + NOTE: Fixed by: https://github.com/curl/curl/commit/7214288898f5625a6cc196e22a74232eada7861c CVE-2021-22875 (Revive Adserver before 5.1.1 is vulnerable to a reflected XSS vulnerab ...) NOT-FOR-US: Revive Adserver CVE-2021-22874 (Revive Adserver before 5.1.1 is vulnerable to a reflected XSS vulnerab ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f3d945ebfd62f99f6b2d16ffbc957f9c01631c68
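Review bot: the curl line has no fixed version and no buster/stretch status, so every suite is implicitly vulnerable on the strength of the upstream advisory and commit 72142888 alone; that matches the decision, taken in 5b8ed5d8, to put curl on dsa-needed, but the entry should record the Debian bug (as the neighbouring nextcloud-server entries do with "bug #941708") and gain a fixed version once the unstable upload lands, so the DSA preparation can be tracked from the CVE entry itself.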