[Git][security-tracker-team/security-tracker][master] Add CVE-2020-8562/kubernetes

2021-05-04 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5c7011e2 by Salvatore Bonaccorso at 2021-05-05T07:22:58+02:00
Add CVE-2020-8562/kubernetes

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -86710,6 +86710,8 @@ CVE-2020-8563 (In Kubernetes clusters using VSphere as 
a cloud provider, with a
NOTE: https://github.com/kubernetes/kubernetes/issues/95621
 CVE-2020-8562
RESERVED
+   - kubernetes 
+   NOTE: https://www.openwall.com/lists/oss-security/2021/05/04/8
 CVE-2020-8561
RESERVED
 CVE-2020-8560
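Review bot: the added package line `- kubernetes ` ends with the package name and trailing whitespace; compared with entries elsewhere in this file such as `- linux 5.10.28-1`, the version or status field after the package name is empty, so check that nothing was dropped in transit before this is taken as the tracked state. The oss-security NOTE is a good reference, and since the CVE line above still reads RESERVED, a short bracketed summary on the CVE line, as done for `CVE-2021-28689 [x86: ...]` in this file, would tell readers what the issue is without following the link.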



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5c7011e2eb0256c045461e04771e1bf4acf259e0

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5c7011e2eb0256c045461e04771e1bf4acf259e0
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] NFU

2021-05-04 Thread Henri Salo


Henri Salo pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4509e67f by Henri Salo at 2021-05-05T07:55:27+03:00
NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3087,6 +3087,10 @@ CVE-2021-30640
RESERVED
 CVE-2021-30639
RESERVED
+CVE-2020-36334
+   NOT-FOR-US: WordPress plugin themegrill-demo-importer
+CVE-2020-36333
+   NOT-FOR-US: WordPress plugin themegrill-demo-importer
 CVE-2020-36321 (Improper URL validation in development mode handler in 
com.vaadin:flow ...)
NOT-FOR-US: Vaadin
 CVE-2020-36320 (Unsafe validation RegEx in EmailValidator class in 
com.vaadin:vaadin-s ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4509e67f7937e10079be4f1fe0452814dda02dae



[Git][security-tracker-team/security-tracker][master] LTS: reclaim shiro, xmlbeans

2021-05-04 Thread Roberto C. Sánchez


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
086e6cfa by Roberto C. Sánchez at 2021-05-04T18:47:07-04:00
LTS: reclaim shiro, xmlbeans

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -131,7 +131,7 @@ salt (Utkarsh)
 --
 samba (Abhijith PA)
 --
-shiro
+shiro (Roberto C. Sánchez)
   NOTE: 20200920: WIP
   NOTE: 20200928: Still awaiting reponse to request for assistance sent to 
upstream dev list. (roberto)
   NOTE: 20201004: Sent additional request to upstream dev list; stil no 
response. (roberto)
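Review bot: the claim line itself is fine; while touching this block, the two context NOTE lines still carry typos (`reponse`, `stil`) that could be corrected in the same commit.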
@@ -143,7 +143,7 @@ spotweb
   NOTE: 20210122: Upstream fix trivially bypassed, reported under CVE-2021-3286
   NOTE: 20210127: Upstream says "we can fix this but it may take some time", 
revisit later (Beuc)
 --
-xmlbeans
+xmlbeans (Roberto C. Sánchez)
   NOTE: 20210222: Affected code changed significantly from 2.6.0 to 3.0.0 (the
   NOTE: 20210222: upstream release with the fix).  Trying to determine how to
   NOTE: 20210222: implement the changes without introducing too much new code. 
(roberto)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/086e6cfa3b58b134e7cbd8bf7bd6dbf8740befaa



[Git][security-tracker-team/security-tracker][master] Track CVE-2021-3115{3,4,5}/rust-pleaser

2021-05-04 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e11359a1 by Salvatore Bonaccorso at 2021-05-04T22:53:15+02:00
Track CVE-2021-3115{3,4,5}/rust-pleaser

With the unblock request, the CVE ids can be considered public, so start
tracking them accordingly.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1988,10 +1988,13 @@ CVE-2021-31156
RESERVED
 CVE-2021-31155
RESERVED
+   - rust-pleaser 0.4.1-1
 CVE-2021-31154
RESERVED
+   - rust-pleaser 0.4.1-1
 CVE-2021-31153
RESERVED
+   - rust-pleaser 0.4.1-1
 CVE-2021-31152 (Multilaser Router AC1200 V02.03.01.45_pt contains a cross-site 
request ...)
NOT-FOR-US: Multilaser Router AC1200
 CVE-2021-31151
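Review bot: the three CVE lines stay RESERVED with no NOTE attached, so the only trace of why these IDs map to `rust-pleaser 0.4.1-1` is the commit message mentioning an unblock request. Suggest adding a NOTE line per entry pointing at the unblock request bug or the upstream advisory, as the other entries in this file do with their NOTE URLs, so the mapping survives independently of git history.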



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e11359a1e6a4b1f9149f67f03a6e6e41d6b6cc71



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim php-phpseclib phpseclib

2021-05-04 Thread Abhijith PA


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4c47b3f5 by Abhijith PA at 2021-05-05T02:04:34+05:30
data/dla-needed.txt: Claim php-phpseclib phpseclib

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -82,10 +82,10 @@ nvidia-graphics-drivers
   NOTE: package is in non-free but also in packages-to-support
   NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in 
Stretch, no fix available for CVE-2021-1077
 --
-php-phpseclib
+php-phpseclib (Abhijith PA)
   NOTE: 20210503: unclear if 2.x is affected, double check (pochu)
 --
-phpseclib
+phpseclib (Abhijith PA)
   NOTE: 20210503: apparently 1.x is not affected, but double check (pochu)
 --
 python-django (Chris Lamb)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c47b3f5b829daf0a48c02443ff9871037159324



[Git][security-tracker-team/security-tracker][master] Reserve DLA-2649-1 for cgal

2021-05-04 Thread Anton Gladky


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5dfa6c07 by Anton Gladky at 2021-05-04T22:26:55+02:00
Reserve DLA-2649-1 for cgal

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[04 May 2021] DLA-2649-1 cgal - security update
+   {CVE-2020-28601 CVE-2020-28636 CVE-2020-35628 CVE-2020-35636}
+   [stretch] - cgal 4.9-1+deb9u1
 [05 May 2021] DLA-2648-1 mediawiki - security update
{CVE-2021-20270 CVE-2021-27291 CVE-2021-30152 CVE-2021-30155 
CVE-2021-30158 CVE-2021-30159}
[stretch] - mediawiki 1:1.27.7-1~deb9u8
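Review bot: the new entry is dated `[04 May 2021]` but sits above `[05 May 2021] DLA-2648-1`, so the dates run backwards even though the DLA numbers ascend. The commit timestamp 2021-05-04T22:26:55+02:00 makes 04 May plausible in the committer's timezone, but the two adjacent entries should agree on which date convention the bracketed date follows; confirm which one applies before the advisory is sent.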


=
data/dla-needed.txt
=
@@ -26,10 +26,6 @@ ceph
   NOTE: 20200928: If someone know how to test the packages please take this 
build and upload (after testing it).
   NOTE: 20210118: wip (Emilio)
 --
-cgal (Anton Gladky)
-  NOTE: 20210404: https://salsa.debian.org/lts-team/packages/cgal WIP (gladk)
-  NOTE: 20210502: Update is planned for CW19/2021
---
 composer (Utkarsh)
 --
 condor



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5dfa6c079a3c4af9309ea96e91144d27204e2f65



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-23383/node-handlebars

2021-05-04 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9a2712b9 by Salvatore Bonaccorso at 2021-05-04T22:18:16+02:00
Add CVE-2021-23383/node-handlebars

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -20097,8 +20097,13 @@ CVE-2021-23385
RESERVED
 CVE-2021-23384
RESERVED
-CVE-2021-23383
+CVE-2021-23383 [Prototype Pollution]
RESERVED
+   - node-handlebars 
+   [buster] - node-handlebars  (Minor issue; can be fixed via 
point release)
+   - libjs-handlebars 
+   NOTE: 
https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
+   NOTE: https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029
 CVE-2021-23382 (The package postcss before 8.2.13 are vulnerable to Regular 
Expression ...)
- node-postcss 8.2.1+~cs5.3.23-7
NOTE: https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640
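Review bot: `node-handlebars` gets a `[buster]` status line while `libjs-handlebars` does not; if libjs-handlebars is also shipped in buster it needs the same per-release annotation, otherwise a short NOTE saying why the two differ would help the next reader. The bracketed `[Prototype Pollution]` summary is a useful addition while the CVE stays RESERVED, and the upstream commit plus Snyk NOTEs cover the references.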



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a2712b91538a392c034630e1d2c2ec3fded0702



[Git][security-tracker-team/security-tracker][master] Reserve DLA-2648-1 for mediawiki

2021-05-04 Thread Abhijith PA


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f1be8852 by Abhijith PA at 2021-05-05T01:39:59+05:30
Reserve DLA-2648-1 for mediawiki

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[05 May 2021] DLA-2648-1 mediawiki - security update
+   {CVE-2021-20270 CVE-2021-27291 CVE-2021-30152 CVE-2021-30155 
CVE-2021-30158 CVE-2021-30159}
+   [stretch] - mediawiki 1:1.27.7-1~deb9u8
 [04 May 2021] DLA-2647-1 bind9 - security update
{CVE-2021-25214 CVE-2021-25215 CVE-2021-25216}
[stretch] - bind9 1:9.10.3.dfsg.P4-12.3+deb9u9


=
data/dla-needed.txt
=
@@ -82,10 +82,6 @@ linux (Ben Hutchings)
 --
 linux-4.19 (Ben Hutchings)
 --
-mediawiki (Abhijith PA)
-  NOTE: 20210412: Check ./extensions/SyntaxHighlight_GeSHi/pygments/pygmentize 
(lamby)
-  NOTE: 20210503: Working on update. (abhijith)
---
 nvidia-graphics-drivers
   NOTE: package is in non-free but also in packages-to-support
   NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in 
Stretch, no fix available for CVE-2021-1077



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f1be8852cbc41dab2cbce51345d7d0cb24b12e39



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-29951 for thunderbird and firefox-esr

2021-05-04 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3a08f1ed by Salvatore Bonaccorso at 2021-05-04T19:31:54+02:00
Add CVE-2021-29951 for thunderbird and firefox-esr

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4672,6 +4672,10 @@ CVE-2021-29952
RESERVED
 CVE-2021-29951
RESERVED
+   - firefox-esr  (Only affects Windows)
+   - thunderbird  (Only affects Windows)
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2021-18/#CVE-2021-29951
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2021-19/#CVE-2021-29951
 CVE-2021-29950
RESERVED
{DSA-4876-1 DLA-2609-1}



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a08f1ed0a881f37d477267ad3fb5295f6fba8d8



[Git][security-tracker-team/security-tracker][master] mark xen as unimportant

2021-05-04 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
90ceb067 by Moritz Muehlenhoff at 2021-05-04T19:18:05+02:00
mark xen as unimportant

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7600,8 +7600,9 @@ CVE-2021-28690
RESERVED
 CVE-2021-28689 [x86: Speculative vulnerabilities with bare (non-shim) 32-bit 
PV guests]
RESERVED
-   - xen 
+   - xen  (unimportant)
NOTE: https://xenbits.xen.org/xsa/advisory-370.html
+   NOTE: Unfixable design/architecture limitation, no fix planned
 CVE-2021-28688 (The fix for XSA-365 includes initialization of pointers such 
that subs ...)
- linux 5.10.28-1
NOTE: https://xenbits.xen.org/xsa/advisory-371.html



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90ceb0678ca7aa12a8036bf9f53d09e819b8c9a4



[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-28018 as fixed in 4.92-8+deb10u6

2021-05-04 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
63c7b1f7 by Salvatore Bonaccorso at 2021-05-04T19:14:06+02:00
Mark CVE-2020-28018 as fixed in 4.92-8+deb10u6

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -38870,6 +38870,7 @@ CVE-2020-28019
NOTE: https://www.openwall.com/lists/oss-security/2021/05/04/7
 CVE-2020-28018
- exim4 4.94.2-1 (unimportant)
+   [buster] - exim4 4.92-8+deb10u6
[stretch] - exim4  (Vulnerable code introduced later)
NOTE: Introduced by: 
https://git.exim.org/exim.git/commit/a5ffa9b475a426bc73366db01f7cc92a3811bc3a 
(exim-4_90_RC1)
NOTE: Debian Exim is built with GnuTLS, not OpenSSL.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63c7b1f7926deeef1e7c1d8311511b51f3ad57c8



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-28689/xen

2021-05-04 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cf00ada6 by Salvatore Bonaccorso at 2021-05-04T19:10:29+02:00
Add CVE-2021-28689/xen

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7598,8 +7598,10 @@ CVE-2021-28691
RESERVED
 CVE-2021-28690
RESERVED
-CVE-2021-28689
+CVE-2021-28689 [x86: Speculative vulnerabilities with bare (non-shim) 32-bit 
PV guests]
RESERVED
+   - xen 
+   NOTE: https://xenbits.xen.org/xsa/advisory-370.html
 CVE-2021-28688 (The fix for XSA-365 includes initialization of pointers such 
that subs ...)
- linux 5.10.28-1
NOTE: https://xenbits.xen.org/xsa/advisory-371.html



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cf00ada6deeb2f2cd0d22672c81bdb8e2b13620d



[Git][security-tracker-team/security-tracker][master] CVE-2021-31542: Add references to upstream commits

2021-05-04 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8d05e6bf by Salvatore Bonaccorso at 2021-05-04T19:04:11+02:00
CVE-2021-31542: Add references to upstream commits

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1121,6 +1121,8 @@ CVE-2021-31542
RESERVED
- python-django 2:2.2.21-1 (bug #988053)
NOTE: 
https://www.djangoproject.com/weblog/2021/may/04/security-releases/
+   NOTE: 
https://github.com/django/django/commit/0b79eb36915d178aef5c6a7bbce71b1e76d376d3
 (main)
+   NOTE: 
https://github.com/django/django/commit/04ac1624bdc2fa737188401757cf95ced122d26d
 (2.2.21)
 CVE-2021-31541
RESERVED
 CVE-2021-31540 (Wowza Streaming Engine through 4.8.5 (in a default 
installation) has i ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8d05e6bfd2f497603aebb54298b9a13158ef



[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2021-31542/python-django

2021-05-04 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
87b5d37e by Salvatore Bonaccorso at 2021-05-04T19:02:31+02:00
Track fixed version for CVE-2021-31542/python-django

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1119,7 +1119,7 @@ CVE-2021-31543
RESERVED
 CVE-2021-31542
RESERVED
-   - python-django  (bug #988053)
+   - python-django 2:2.2.21-1 (bug #988053)
NOTE: 
https://www.djangoproject.com/weblog/2021/may/04/security-releases/
 CVE-2021-31541
RESERVED



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/87b5d37ebb6e9767b9a95dea963405d860ce31ae



[Git][security-tracker-team/security-tracker][master] Add upstream commit tag information additionally

2021-05-04 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2e3a345a by Salvatore Bonaccorso at 2021-05-04T18:59:11+02:00
Add upstream commit tag information additionally

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -465,8 +465,8 @@ CVE-2020-36326 (PHPMailer 6.1.8 through 6.4.0 allows object 
injection through Ph
[buster] - libphp-phpmailer  (Regression introduced in 
6.1.8)
[stretch] - libphp-phpmailer  (Regression introduced in 
6.1.8)
NOTE: Introduced by: 
https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9
 (6.1.8)
-   NOTE: Fixed by: 
https://github.com/PHPMailer/PHPMailer/commit/26f2848d3bbb57add5f34a467a1e3b2f9ce5cd2a
-   NOTE: Also backport: 
https://github.com/PHPMailer/PHPMailer/commit/7f267fb4aadfcf62e3ddc50494c469c6b9c4405a
+   NOTE: Fixed by: 
https://github.com/PHPMailer/PHPMailer/commit/26f2848d3bbb57add5f34a467a1e3b2f9ce5cd2a
 (v6.4.1)
+   NOTE: Also backport: 
https://github.com/PHPMailer/PHPMailer/commit/7f267fb4aadfcf62e3ddc50494c469c6b9c4405a
 (v6.4.1)
 CVE-2021-3518 [use-after-free in xmlXIncludeDoProcess() in xinclude.c]
RESERVED
[experimental] - libxml2 2.9.10+dfsg-6.4



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e3a345ae3ef56744dcf40c71db8dddff892725a



[Git][security-tracker-team/security-tracker][master] Revert "CVE-2021-28165/jetty9: stretch not-affected"

2021-05-04 Thread Sylvain Beucler


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ed434dea by Sylvain Beucler at 2021-05-04T18:50:28+02:00
Revert "CVE-2021-28165/jetty9: stretch not-affected"

This reverts commit 369b750e0e56ae70a90f5aa1435f91e5ece6e342.

Requires further examination.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8768,10 +8768,8 @@ CVE-2021-28166 (In Eclipse Mosquitto version 2.0.0 to 
2.0.9, if an authenticated
NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=572608
 CVE-2021-28165 (In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 
11.0.0. ...)
- jetty9 9.4.39-1
-   [stretch] - jetty9  (Vulnerable code introduced later)
NOTE: 
https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w
NOTE: https://github.com/eclipse/jetty.project/issues/6072
-   NOTE: Introduced by 
https://github.com/eclipse/jetty.project/commit/17b6eee5aca00460913a2b7847325b6e3df39fd2
 (v9.4.12)
 CVE-2021-28164 (In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the 
default com ...)
- jetty9 9.4.39-1
NOTE: 
https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5
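Review bot: reverting the stretch not-affected line also drops the `NOTE: Introduced by https://github.com/eclipse/jetty.project/commit/17b6eee5aca00460913a2b7847325b6e3df39fd2 (v9.4.12)` reference. If only the not-affected conclusion needs further examination and the introducing commit is still believed correct, consider keeping that NOTE so the research is not lost; if the introducing commit is also in doubt, a NOTE saying so would help whoever picks this up.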



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ed434deac9236c8be0bb0300adaeaff2b70f8036



[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2021-28163,CVE-2021-28164,CVE-2021-28165/jetty: add references

2021-05-04 Thread Sylvain Beucler


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ac53d842 by Sylvain Beucler at 2021-05-04T17:57:32+02:00
CVE-2021-28163,CVE-2021-28164,CVE-2021-28165/jetty: add references

- - - - -
369b750e by Sylvain Beucler at 2021-05-04T18:41:31+02:00
CVE-2021-28165/jetty9: stretch not-affected

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8768,13 +8768,18 @@ CVE-2021-28166 (In Eclipse Mosquitto version 2.0.0 to 
2.0.9, if an authenticated
NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=572608
 CVE-2021-28165 (In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 
11.0.0. ...)
- jetty9 9.4.39-1
+   [stretch] - jetty9  (Vulnerable code introduced later)
NOTE: 
https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w
+   NOTE: https://github.com/eclipse/jetty.project/issues/6072
+   NOTE: Introduced by 
https://github.com/eclipse/jetty.project/commit/17b6eee5aca00460913a2b7847325b6e3df39fd2
 (v9.4.12)
 CVE-2021-28164 (In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the 
default com ...)
- jetty9 9.4.39-1
NOTE: 
https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5
+   NOTE: 
https://github.com/eclipse/jetty.project/commit/e412c8a15b3334b30193f40412c0fbc47e478e83
 CVE-2021-28163 (In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 
11.0.0. ...)
- jetty9 9.4.39-1
NOTE: 
https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq
+   NOTE: 
https://github.com/eclipse/jetty.project/commit/37fffb1722604da1763d8a096ec5c5fb41ea0633
 CVE-2021-28162 (In Eclipse Theia versions up to and including 0.16.0, in the 
notificat ...)
NOT-FOR-US: Eclipse Theia
 CVE-2021-28161 (In Eclipse Theia versions up to and including 1.8.0, in the 
debug cons ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/654d4e517e3067c7a807a695a261b0ec6740c4fc...369b750e0e56ae70a90f5aa1435f91e5ece6e342



[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2019-10241/jetty: reference issue with patches

2021-05-04 Thread Sylvain Beucler


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6d0b31b1 by Sylvain Beucler at 2021-05-04T17:03:12+02:00
CVE-2019-10241/jetty: reference issue with patches

- - - - -
1bbb4b03 by Sylvain Beucler at 2021-05-04T17:03:13+02:00
CVE-2018-12536/jetty: more references

- - - - -
654d4e51 by Sylvain Beucler at 2021-05-04T17:03:14+02:00
CVE-2019-17632/jetty: none affected

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -113356,13 +113356,15 @@ CVE-2019-17633 (For Eclipse Che versions 6.16 to 
7.3.0, with both authentication
NOT-FOR-US: Eclipse Che
 CVE-2019-17632 (In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, 
and 9.4. ...)
- jetty9 9.4.26-1
-   [buster] - jetty9  (Minor issue)
-   [stretch] - jetty9  (Minor issue)
+   [buster] - jetty9  (vulnerable code introduced later)
+   [stretch] - jetty9  (vulnerable code introduced later)
- jetty8 
[jessie] - jetty8  (vulnerable code introduced later)
- jetty 
[jessie] - jetty  (vulnerable code introduced later)
NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=553443
+   NOTE: https://github.com/eclipse/jetty.project/issues/4334
+   NOTE: Introduced by 
https://github.com/eclipse/jetty.project/commit/bde86467f4e5df595773ab11ed5e80c615b741f3
 (jetty-9.4.21.v20190926)
 CVE-2019-17631 (From Eclipse OpenJ9 0.15 to 0.16, access to diagnostic 
operations such ...)
NOT-FOR-US: Eclipse OpenJ9
 CVE-2019-17630 (CMS Made Simple (CMSMS) 2.2.11 allows stored XSS by an admin 
via a cra ...)
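Review bot: the reason text changes from `Minor issue` to `vulnerable code introduced later` for buster and stretch, matching the jetty8/jetty lines below, but the capitalisation differs from the `Vulnerable code introduced later` form used elsewhere in this file (the exim4 and jetty9 stretch entries). Either reads fine; pick one for consistency. The new `Introduced by` NOTE with the `jetty-9.4.21.v20190926` tag is what justifies the status change, so keeping it adjacent to those status lines, as done here, is the right call.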
@@ -136459,6 +136461,7 @@ CVE-2019-10241 (In Eclipse Jetty version 9.2.26 and 
older, 9.3.25 and older, and
- jetty 
[jessie] - jetty  (Minor issue)
NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=546121
+   NOTE: 
https://github.com/eclipse/jetty.project/issues/3319#issuecomment-567918620
 CVE-2019-10240 (Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build 
artifac ...)
NOT-FOR-US: Eclipse hawkBit
 CVE-2017-18365 (The Management Console in GitHub Enterprise 2.8.x before 2.8.7 
has a d ...)
@@ -184244,6 +184247,9 @@ CVE-2018-12536 (In Eclipse Jetty Server, all 9.x 
versions, on webapps deployed u
- jetty 
[jessie] - jetty  (Harmless information leak)
NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535670
+   NOTE: https://github.com/eclipse/jetty.project/issues/2560
+   NOTE: Introduced by 
https://github.com/eclipse/jetty.project/commit/9f844383cdb528d67ec69895dd8c6117b6e36e13
 (v9.3)
+   NOTE: Marked as fixed by 9.2.25 at 
https://www.eclipse.org/jetty/security_reports.php but no related commit found 
for 9.2.x
 CVE-2018-12535
RESERVED
 CVE-2018-12534 (A SQL injection issue was discovered in the Quick Chat plugin 
before 4 ...)
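Review bot: the last NOTE records that upstream's security_reports page lists 9.2.25 as fixed while no matching commit was found for 9.2.x, yet the unchanged `[jessie] - jetty (Harmless information leak)` line keeps the earlier assessment. That leaves the discrepancy open without saying what was checked; a few words on where the 9.2.x search was done (release tags, branch history) would let the next person continue rather than repeat it.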



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cbe16ef5d2b1906a4910c01fbb204eff795eb890...654d4e517e3067c7a807a695a261b0ec6740c4fc



[Git][security-tracker-team/security-tracker][master] Add exim4 to dla-needed.txt

2021-05-04 Thread Markus Koschany


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cbe16ef5 by Markus Koschany at 2021-05-04T16:53:04+02:00
Add exim4 to dla-needed.txt

Embargo for exim4 was lifted. Update will follow soon.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -47,6 +47,8 @@ curl
   NOTE: 20210405: namely CURLU, CURLUPART_{URL,FRAGMENT,USER,PASSWORD}. 
(utkarsh)
   NOTE: 20210405: see 
https://lists.debian.org/debian-lts/2021/04/msg2.html. (utkarsh)
 --
+exim4 (Thorsten Alteholz and Markus Koschany)
+--
 firmware-nonfree
   NOTE: 20201207: wait for the update in buster and backport that (Emilio)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cbe16ef5d2b1906a4910c01fbb204eff795eb890



[Git][security-tracker-team/security-tracker][master] add reference to qualys advisory

2021-05-04 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f4d9f7a2 by Moritz Muehlenhoff at 2021-05-04T16:00:47+02:00
add reference to qualys advisory

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -11039,6 +11039,7 @@ CVE-2021-27216
[buster] - exim4  (Vulnerable code introduced later)
[stretch] - exim4  (Vulnerable code introduced later)
NOTE: Introduced by: 
https://git.exim.org/exim.git/commit/01446a56c76aa5ac3213a86f8992a2371a8301f3 
(exim-4_94_RC0)
+   NOTE: https://www.openwall.com/lists/oss-security/2021/05/04/7
 CVE-2021-27215 (An issue was discovered in genua genugate before 9.0 Z p19, 
9.1.x thro ...)
NOT-FOR-US: genua genugate
 CVE-2021-27214 (A Server-side request forgery (SSRF) vulnerability in the 
ProductConfi ...)
@@ -38833,57 +38834,77 @@ CVE-2020-28027
RESERVED
 CVE-2020-28026
- exim4 4.94.2-1
+   NOTE: https://www.openwall.com/lists/oss-security/2021/05/04/7
 CVE-2020-28025
- exim4 4.94.2-1
NOTE: Introduced by: 
https://git.exim.org/exim.git/commit/80a47a2c9633437d4ceebd214cd44abfbd4f4543 
(exim-4_70_RC3)
+   NOTE: https://www.openwall.com/lists/oss-security/2021/05/04/7
 CVE-2020-28024
- exim4 4.94.2-1
+   NOTE: https://www.openwall.com/lists/oss-security/2021/05/04/7
 CVE-2020-28023
- exim4 4.94.2-1
NOTE: Introduced by: 
https://git.exim.org/exim.git/commit/18481de384caecff421f23f715be916403f5d0ee 
(exim-4_88_RC1)
+   NOTE: https://www.openwall.com/lists/oss-security/2021/05/04/7
 CVE-2020-28022
- exim4 4.94.2-1
NOTE: Introduced by: 
https://git.exim.org/exim.git/commit/d7a2c8337f7b615763d4429ab27653862756b6fb 
(exim-4_89_RC1)
+   NOTE: https://www.openwall.com/lists/oss-security/2021/05/04/7
 CVE-2020-28021
- exim4 4.94.2-1
+   NOTE: https://www.openwall.com/lists/oss-security/2021/05/04/7
 CVE-2020-28020
- exim4 4.92~RC5-1
NOTE: Fixed by: 
https://git.exim.org/exim.git/commit/56ac062a3ff94fc4e1bbfc2293119c079a4e980b 
(exim-4.92-RC5)
+   NOTE: https://www.openwall.com/lists/oss-security/2021/05/04/7
 CVE-2020-28019
- exim4 4.94.2-1
NOTE: Introduced by: 
https://git.exim.org/exim.git/commit/7e3ce68e68ab9b8906a637d352993abf361554e2 
(exim-4_88_RC1)
+   NOTE: https://www.openwall.com/lists/oss-security/2021/05/04/7
 CVE-2020-28018
- exim4 4.94.2-1 (unimportant)
[stretch] - exim4  (Vulnerable code introduced later)
NOTE: Introduced by: 
https://git.exim.org/exim.git/commit/a5ffa9b475a426bc73366db01f7cc92a3811bc3a 
(exim-4_90_RC1)
NOTE: Debian Exim is built with GnuTLS, not OpenSSL.
+   NOTE: https://www.openwall.com/lists/oss-security/2021/05/04/7
 CVE-2020-28017
- exim4 4.94.2-1
+   NOTE: https://www.openwall.com/lists/oss-security/2021/05/04/7
 CVE-2020-28016
- exim4 4.94.2-1
[buster] - exim4  (Vulnerable code introduced later)
[stretch] - exim4  (Vulnerable code introduced later)
NOTE: Introduced by: 
https://git.exim.org/exim.git/commit/3c90bbcdc7cf73298156f7bcd5f5e750e7814e72
+   NOTE: https://www.openwall.com/lists/oss-security/2021/05/04/7
 CVE-2020-28015
- exim4 4.94.2-1
+   NOTE: https://www.openwall.com/lists/oss-security/2021/05/04/7
 CVE-2020-28014
- exim4 4.94.2-1
+   NOTE: https://www.openwall.com/lists/oss-security/2021/05/04/7
 CVE-2020-28013
- exim4 4.94.2-1
+   NOTE: https://www.openwall.com/lists/oss-security/2021/05/04/7
 CVE-2020-28012
- exim4 4.94.2-1
+   NOTE: https://www.openwall.com/lists/oss-security/2021/05/04/7
 CVE-2020-28011
- exim4 4.94.2-1
+   NOTE: https://www.openwall.com/lists/oss-security/2021/05/04/7
 CVE-2020-28010
- exim4 4.94.2-1
[stretch] - exim4  (Vulnerable code introduced later)
NOTE: Introduced by: 
https://git.exim.org/exim.git/commit/805fd869d551c36d1d77ab2b292a7008d643ca79 
(exim-4.92-RC1)
+   NOTE: https://www.openwall.com/lists/oss-security/2021/05/04/7
 CVE-2020-28009
- exim4 4.94.2-1
+   NOTE: https://www.openwall.com/lists/oss-security/2021/05/04/7
 CVE-2020-28008
- exim4 4.94.2-1
+   NOTE: https://www.openwall.com/lists/oss-security/2021/05/04/7
 CVE-2020-28007
- exim4 4.94.2-1
+   NOTE: https://www.openwall.com/lists/oss-security/2021/05/04/7
 CVE-2020-25692 (A NULL pointer dereference was found in OpenLDAP server and 
was fixed  ...)
{DSA-4782-1 DLA-2425-1}
- openldap 2.4.55+dfsg-1
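Review bot: the same oss-security reference is appended to all twenty exim4 entries from CVE-2020-28007 to CVE-2020-28026, but CVE-2020-28027 at the top of the hunk stays `RESERVED`; if that ID belongs to the same report it should get the link as well, otherwise nothing to change. The 20 added lines match the header (`-57/+77`), and placing the link after the existing `Introduced by:`/`Fixed by:` NOTEs keeps the per-entry ordering uniform.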



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f4d9f7a2ca3850a8b1fa55d2f789d04a0371e9fe


[Git][security-tracker-team/security-tracker][master] Track fixed version for exim4 via unstable

2021-05-04 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
bccc92c1 by Salvatore Bonaccorso at 2021-05-04T15:57:34+02:00
Track fixed version for exim4 via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -11035,7 +11035,7 @@ CVE-2021-27220 (An issue was discovered in PRTG Network 
Monitor before 21.1.66.1
 CVE-2021-27217 (An issue was discovered in the _send_secure_msg() function of 
Yubico y ...)
NOT-FOR-US: YubiHSM 2 SDK
 CVE-2021-27216
-   - exim4 
+   - exim4 4.94.2-1
[buster] - exim4  (Vulnerable code introduced later)
[stretch] - exim4  (Vulnerable code introduced later)
NOTE: Introduced by: 
https://git.exim.org/exim.git/commit/01446a56c76aa5ac3213a86f8992a2371a8301f3 
(exim-4_94_RC0)
@@ -38832,58 +38832,58 @@ CVE-2020-28028
 CVE-2020-28027
RESERVED
 CVE-2020-28026
-   - exim4 
+   - exim4 4.94.2-1
 CVE-2020-28025
-   - exim4 
+   - exim4 4.94.2-1
NOTE: Introduced by: 
https://git.exim.org/exim.git/commit/80a47a2c9633437d4ceebd214cd44abfbd4f4543 
(exim-4_70_RC3)
 CVE-2020-28024
-   - exim4 
+   - exim4 4.94.2-1
 CVE-2020-28023
-   - exim4 
+   - exim4 4.94.2-1
NOTE: Introduced by: 
https://git.exim.org/exim.git/commit/18481de384caecff421f23f715be916403f5d0ee 
(exim-4_88_RC1)
 CVE-2020-28022
-   - exim4 
+   - exim4 4.94.2-1
NOTE: Introduced by: 
https://git.exim.org/exim.git/commit/d7a2c8337f7b615763d4429ab27653862756b6fb 
(exim-4_89_RC1)
 CVE-2020-28021
-   - exim4 
+   - exim4 4.94.2-1
 CVE-2020-28020
- exim4 4.92~RC5-1
NOTE: Fixed by: 
https://git.exim.org/exim.git/commit/56ac062a3ff94fc4e1bbfc2293119c079a4e980b 
(exim-4.92-RC5)
 CVE-2020-28019
-   - exim4 
+   - exim4 4.94.2-1
NOTE: Introduced by: 
https://git.exim.org/exim.git/commit/7e3ce68e68ab9b8906a637d352993abf361554e2 
(exim-4_88_RC1)
 CVE-2020-28018
-   - exim4  (unimportant)
+   - exim4 4.94.2-1 (unimportant)
[stretch] - exim4  (Vulnerable code introduced later)
NOTE: Introduced by: 
https://git.exim.org/exim.git/commit/a5ffa9b475a426bc73366db01f7cc92a3811bc3a 
(exim-4_90_RC1)
NOTE: Debian Exim is built with GnuTLS, not OpenSSL.
 CVE-2020-28017
-   - exim4 
+   - exim4 4.94.2-1
 CVE-2020-28016
-   - exim4 
+   - exim4 4.94.2-1
[buster] - exim4  (Vulnerable code introduced later)
[stretch] - exim4  (Vulnerable code introduced later)
NOTE: Introduced by: 
https://git.exim.org/exim.git/commit/3c90bbcdc7cf73298156f7bcd5f5e750e7814e72
 CVE-2020-28015
-   - exim4 
+   - exim4 4.94.2-1
 CVE-2020-28014
-   - exim4 
+   - exim4 4.94.2-1
 CVE-2020-28013
-   - exim4 
+   - exim4 4.94.2-1
 CVE-2020-28012
-   - exim4 
+   - exim4 4.94.2-1
 CVE-2020-28011
-   - exim4 
+   - exim4 4.94.2-1
 CVE-2020-28010
-   - exim4 
+   - exim4 4.94.2-1
[stretch] - exim4  (Vulnerable code introduced later)
NOTE: Introduced by: 
https://git.exim.org/exim.git/commit/805fd869d551c36d1d77ab2b292a7008d643ca79 
(exim-4.92-RC1)
 CVE-2020-28009
-   - exim4 
+   - exim4 4.94.2-1
 CVE-2020-28008
-   - exim4 
+   - exim4 4.94.2-1
 CVE-2020-28007
-   - exim4 
+   - exim4 4.94.2-1
 CVE-2020-25692 (A NULL pointer dereference was found in OpenLDAP server and 
was fixed  ...)
{DSA-4782-1 DLA-2425-1}
- openldap 2.4.55+dfsg-1
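Review bot: leaving CVE-2020-28020 at `4.92~RC5-1` rather than bumping it to `4.94.2-1` is correct, since its `Fixed by:` commit is tagged exim-4.92-RC5 and predates the new upload, and CVE-2020-28018 keeps its `(unimportant)` tag while gaining the version; the header (`-58/+58`) confirms a pure fill-in with no entries dropped. What is still open is buster and stretch: buster's fixed version is supplied by the DSA-4912-1 reservation (commit b4d4dc05 on this page), while stretch remains tracked through the `exim4` entry in dla-needed.txt.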



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bccc92c1bcae36f491a812d7959d8e89125d922e



[Git][security-tracker-team/security-tracker][master] Reserve DSA number for exim4 update

2021-05-04 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b4d4dc05 by Salvatore Bonaccorso at 2021-05-04T15:41:58+02:00
Reserve DSA number for exim4 update

- - - - -


1 changed file:

- data/DSA/list


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[04 May 2021] DSA-4912-1 exim4 - security update
+   {CVE-2020-28007 CVE-2020-28008 CVE-2020-28009 CVE-2020-28010 
CVE-2020-28011 CVE-2020-28012 CVE-2020-28013 CVE-2020-28014 CVE-2020-28015 
CVE-2020-28017 CVE-2020-28019 CVE-2020-28021 CVE-2020-28022 CVE-2020-28023 
CVE-2020-28024 CVE-2020-28025 CVE-2020-28026}
+   [buster] - exim4 4.92-8+deb10u6
 [03 May 2021] DSA-4911-1 chromium - security update
{CVE-2021-21227 CVE-2021-21228 CVE-2021-21229 CVE-2021-21230 
CVE-2021-21231 CVE-2021-21232 CVE-2021-21233}
[buster] - chromium 90.0.4430.93-1~deb10u1
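Review bot: the 17 CVE IDs listed for DSA-4912-1 line up with the CVE/list triage elsewhere on this page: CVE-2020-28016 and CVE-2021-27216 are omitted because buster is annotated `Vulnerable code introduced later`, CVE-2020-28018 because it is `(unimportant)` (Debian's Exim is built against GnuTLS, not OpenSSL), and CVE-2020-28020 because its fix landed in `4.92~RC5-1`, which sorts below buster's `4.92-8` base (a `~` component orders before the release suffix). Worth confirming that the published advisory text carries exactly the same ID set.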



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b4d4dc054885d6ae25c1faea9e470d07291d865c



[Git][security-tracker-team/security-tracker][master] Track new exim4 issues from Qualys report

2021-05-04 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c577ab46 by Salvatore Bonaccorso at 2021-05-04T15:40:27+02:00
Track new exim4 issues from Qualys report

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -11035,7 +11035,10 @@ CVE-2021-27220 (An issue was discovered in PRTG 
Network Monitor before 21.1.66.1
 CVE-2021-27217 (An issue was discovered in the _send_secure_msg() function of 
Yubico y ...)
NOT-FOR-US: YubiHSM 2 SDK
 CVE-2021-27216
-   RESERVED
+   - exim4 
+   [buster] - exim4  (Vulnerable code introduced later)
+   [stretch] - exim4  (Vulnerable code introduced later)
+   NOTE: Introduced by: 
https://git.exim.org/exim.git/commit/01446a56c76aa5ac3213a86f8992a2371a8301f3 
(exim-4_94_RC0)
 CVE-2021-27215 (An issue was discovered in genua genugate before 9.0 Z p19, 
9.1.x thro ...)
NOT-FOR-US: genua genugate
 CVE-2021-27214 (A Server-side request forgery (SSRF) vulnerability in the 
ProductConfi ...)
@@ -38829,45 +38832,58 @@ CVE-2020-28028
 CVE-2020-28027
RESERVED
 CVE-2020-28026
-   RESERVED
+   - exim4 
 CVE-2020-28025
-   RESERVED
+   - exim4 
+   NOTE: Introduced by: 
https://git.exim.org/exim.git/commit/80a47a2c9633437d4ceebd214cd44abfbd4f4543 
(exim-4_70_RC3)
 CVE-2020-28024
-   RESERVED
+   - exim4 
 CVE-2020-28023
-   RESERVED
+   - exim4 
+   NOTE: Introduced by: 
https://git.exim.org/exim.git/commit/18481de384caecff421f23f715be916403f5d0ee 
(exim-4_88_RC1)
 CVE-2020-28022
-   RESERVED
+   - exim4 
+   NOTE: Introduced by: 
https://git.exim.org/exim.git/commit/d7a2c8337f7b615763d4429ab27653862756b6fb 
(exim-4_89_RC1)
 CVE-2020-28021
-   RESERVED
+   - exim4 
 CVE-2020-28020
-   RESERVED
+   - exim4 4.92~RC5-1
+   NOTE: Fixed by: 
https://git.exim.org/exim.git/commit/56ac062a3ff94fc4e1bbfc2293119c079a4e980b 
(exim-4.92-RC5)
 CVE-2020-28019
-   RESERVED
+   - exim4 
+   NOTE: Introduced by: 
https://git.exim.org/exim.git/commit/7e3ce68e68ab9b8906a637d352993abf361554e2 
(exim-4_88_RC1)
 CVE-2020-28018
-   RESERVED
+   - exim4  (unimportant)
+   [stretch] - exim4  (Vulnerable code introduced later)
+   NOTE: Introduced by: 
https://git.exim.org/exim.git/commit/a5ffa9b475a426bc73366db01f7cc92a3811bc3a 
(exim-4_90_RC1)
+   NOTE: Debian Exim is built with GnuTLS, not OpenSSL.
 CVE-2020-28017
-   RESERVED
+   - exim4 
 CVE-2020-28016
-   RESERVED
+   - exim4 
+   [buster] - exim4  (Vulnerable code introduced later)
+   [stretch] - exim4  (Vulnerable code introduced later)
+   NOTE: Introduced by: 
https://git.exim.org/exim.git/commit/3c90bbcdc7cf73298156f7bcd5f5e750e7814e72
 CVE-2020-28015
-   RESERVED
+   - exim4 
 CVE-2020-28014
-   RESERVED
+   - exim4 
 CVE-2020-28013
-   RESERVED
+   - exim4 
 CVE-2020-28012
-   RESERVED
+   - exim4 
 CVE-2020-28011
-   RESERVED
+   - exim4 
 CVE-2020-28010
-   RESERVED
+   - exim4 
+   [stretch] - exim4  (Vulnerable code introduced later)
+   NOTE: Introduced by: 
https://git.exim.org/exim.git/commit/805fd869d551c36d1d77ab2b292a7008d643ca79 
(exim-4.92-RC1)
 CVE-2020-28009
-   RESERVED
+   - exim4 
 CVE-2020-28008
-   RESERVED
+   - exim4 
 CVE-2020-28007
-   RESERVED
+   - exim4 
 CVE-2020-25692 (A NULL pointer dereference was found in OpenLDAP server and 
was fixed  ...)
{DSA-4782-1 DLA-2425-1}
- openldap 2.4.55+dfsg-1
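Review bot: the `Introduced by:` NOTE for CVE-2020-28016 is the only one in this hunk without the upstream release tag in parentheses (the others give e.g. `(exim-4_88_RC1)`); adding it would let a reader verify the buster/stretch `Vulnerable code introduced later` verdict from the file alone. A second readability point: CVE-2020-28018 combines `(unimportant)` with the GnuTLS-vs-OpenSSL NOTE and a stretch-only `introduced later` line; if the GnuTLS build is what makes the issue unimportant for every suite, saying so in that NOTE would pre-empt the question of why buster carries no annotation of its own.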



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c577ab46f602153dd4fd02140e5910a2639b2b32



[Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Correct ordering

2021-05-04 Thread Chris Lamb


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
242e563d by Chris Lamb at 2021-05-04T14:38:01+01:00
data/dla-needed.txt: Correct ordering

- - - - -
54eab290 by Chris Lamb at 2021-05-04T14:38:28+01:00
data/dla-needed.txt: Claim python-django.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -94,7 +94,7 @@ php-phpseclib
 phpseclib
   NOTE: 20210503: apparently 1.x is not affected, but double check (pochu)
 --
-python-django
+python-django (Chris Lamb)
   NOTE: 20210504: possibly postponed, but double check (pochu)
 --
 ring (Thorsten Alteholz)
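Review bot: the claim goes on top of pochu's `possibly postponed, but double check` NOTE, so the entry now reads as both claimed and undecided; once the check is done, append a dated NOTE with the outcome (fix in stretch or postpone) so the next reader does not redo it.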
@@ -132,11 +132,11 @@ ruby-nokogiri
   NOTE: 20210403: CVE-2020-26247: Java-level API not included in stretch but 
CVE also affects C/Ruby-level APIs;
   NOTE: 20210403: check if default change (trust -> don't trust external 
schemas) possibly breaks compatibility (Beuc)
 --
-samba (Abhijith PA)
---
 salt (Utkarsh)
   NOTE: 20210329: WIP (utkarsh)
 --
+samba (Abhijith PA)
+--
 shiro
   NOTE: 20200920: WIP
   NOTE: 20200928: Still awaiting reponse to request for assistance sent to 
upstream dev list. (roberto)
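Review bot: moving `samba (Abhijith PA)` below `salt (Utkarsh)` is the right fix: dla-needed.txt is kept in alphabetical order and `sal` sorts before `sam`, and the block had been inserted out of order by commit 97ca822e earlier on this page. The `--` separator moves together with the entry, so the block structure stays intact.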



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/26d7f9e7e1488cf30bc961239917850f0471e65f...54eab290f48b7994573188e38d5490306540eb73



[Git][security-tracker-team/security-tracker][master] Code affecting in CVE-2021-30154 is introduced by...

2021-05-04 Thread Abhijith PA


Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker


Commits:
26d7f9e7 by Abhijith PA at 2021-05-04T18:45:22+05:30
Code affecting in CVE-2021-30154 is introduced by 
https://phabricator.wikimedia.org/rMW2647cbc4a456b0154bdafe70386ae0ef04d997a1
which is done after 1.27x release. For CVE-2021-30157 rcfilters-filter-*-label 
messages are not present in 1.27

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4207,6 +4207,7 @@ CVE-2021-30158 (An issue was discovered in MediaWiki 
before 1.31.12 and 1.32.x t
 CVE-2021-30157 (An issue was discovered in MediaWiki before 1.31.12 and 1.32.x 
through ...)
{DSA-4889-1}
- mediawiki 1:1.35.2-1
+   [stretch] - mediawiki  (Vulnerable code not present)
NOTE: https://phabricator.wikimedia.org/T278058
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/674085
 CVE-2021-30156 (An issue was discovered in MediaWiki before 1.31.12 and 1.32.x 
through ...)
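Review bot: the reason for the stretch `Vulnerable code not present` annotation on CVE-2021-30157 (the `rcfilters-filter-*-label` messages are absent in 1.27) is stated only in the commit message; add it as a NOTE on the entry, in the style the exim4 entries on this page use (`NOTE: Introduced by: <commit> (<tag>)`), so the verdict stays checkable from CVE/list alone.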
@@ -4221,6 +4222,7 @@ CVE-2021-30155 (An issue was discovered in MediaWiki 
before 1.31.12 and 1.32.x t
 CVE-2021-30154 (An issue was discovered in MediaWiki before 1.31.12 and 1.32.x 
through ...)
{DSA-4889-1}
- mediawiki 1:1.35.2-1
+   [stretch] - mediawiki  (Vulnerable code introduced later)
NOTE: https://phabricator.wikimedia.org/T278014
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/674083/
 CVE-2021-30153
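Review bot: same for CVE-2021-30154: the introducing change named in the commit message (`https://phabricator.wikimedia.org/rMW2647cbc4a456b0154bdafe70386ae0ef04d997a1`, landed after 1.27) should be recorded as a `NOTE: Introduced by:` line beside the new `[stretch]` annotation rather than only in git history.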



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/26d7f9e7e1488cf30bc961239917850f0471e65f



[Git][security-tracker-team/security-tracker][master] Triage python-django for stretch

2021-05-04 Thread Emilio Pozuelo Monfort


Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a350b6ef by Emilio Pozuelo Monfort at 2021-05-04T14:24:14+02:00
Triage python-django for stretch

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -94,6 +94,9 @@ php-phpseclib
 phpseclib
   NOTE: 20210503: apparently 1.x is not affected, but double check (pochu)
 --
+python-django
+  NOTE: 20210504: possibly postponed, but double check (pochu)
+--
 ring (Thorsten Alteholz)
 --
 ruby-actionpack-page-caching
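Review bot: the new `python-django` entry does not say which issue it tracks; commit ddd8007e on this page adds CVE-2021-31542 (bug #988053) for this package, so a line such as `NOTE: 20210504: CVE-2021-31542, see bug #988053 (pochu)` would tie the two together without a CVE/list lookup.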



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a350b6ef1020a6a9899db7629247578b59f28ffa



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-31829/linux

2021-05-04 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2a0ba8d3 by Salvatore Bonaccorso at 2021-05-04T14:20:39+02:00
Add CVE-2021-31829/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -496,6 +496,8 @@ CVE-2021-3514 [sync_repl NULL pointer dereference in 
sync_create_state_control()
NOTE: https://github.com/389ds/389-ds-base/issues/4711
 CVE-2021-31829
RESERVED
+   - linux 
+   NOTE: https://www.openwall.com/lists/oss-security/2021/05/04/4
 CVE-2021-31828
RESERVED
 CVE-2021-31827
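Review bot: `- linux ` is added with no fixed version and only the oss-security post as reference; a `RESERVED` entry whose only other line is an open package line is easy to overlook, so once the upstream fix is known, add a NOTE with the fixing commit (as the redis entries on this page do) together with the `[buster]`/`[stretch]` status.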



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a0ba8d33d3d7c7d42e0867b50bd89ff580511f5



[Git][security-tracker-team/security-tracker][master] Add new python-django issue

2021-05-04 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ddd8007e by Salvatore Bonaccorso at 2021-05-04T13:31:47+02:00
Add new python-django issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1117,6 +1117,8 @@ CVE-2021-31543
RESERVED
 CVE-2021-31542
RESERVED
+   - python-django  (bug #988053)
+   NOTE: 
https://www.djangoproject.com/weblog/2021/may/04/security-releases/
 CVE-2021-31541
RESERVED
 CVE-2021-31540 (Wowza Streaming Engine through 4.8.5 (in a default 
installation) has i ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ddd8007e453c32ebe53f1f950d9018f7b30a4de5



[Git][security-tracker-team/security-tracker][master] redis n/a in oldstable/stable

2021-05-04 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b5cf2914 by Moritz Muehlenhoff at 2021-05-04T12:46:35+02:00
redis n/a in oldstable/stable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5745,11 +5745,17 @@ CVE-2021-29479
 CVE-2021-29478
RESERVED
- redis 5:6.0.13-1 (bug #988045)
+   [buster] - redis  (Vulnerable code not present)
+   [stretch] - redis  (Vulnerable code not present)
NOTE: https://groups.google.com/g/redis-db/c/6GSWzTW0PR8/m/8FbdIEEoBAAJ
+   NOTE: 
https://github.com/redis/redis/commit/29900d4e6bccdf3691bedf0ea9a5d84863fa3592
 CVE-2021-29477
RESERVED
- redis 5:6.0.13-1 (bug #988045)
+   [buster] - redis  (Vulnerable code not present)
+   [stretch] - redis  (Vulnerable code not present)
NOTE: https://groups.google.com/g/redis-db/c/6GSWzTW0PR8/m/8FbdIEEoBAAJ
+   NOTE: 
https://github.com/redis/redis/commit/f0c5f920d0f88bd8aa376a2c05af4902789d1ef9
 CVE-2021-29476 (Requests is a HTTP library written in PHP. Requests mishandles 
deseria ...)
- wordpress 5.5.3+dfsg1-1
[buster] - wordpress 5.0.11+dfsg1-0+deb10u1
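Review bot: each `Vulnerable code not present` line is paired with the upstream fix commit in a NOTE, which is what makes an n/a verdict re-checkable later; the commit subject's `n/a` wording is expressed with the tracker's standard annotation rather than a free-form note. Nothing to change.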



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5cf29145597562ca4bb11cc70ad66b5beab7367



[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for CVE-2021-2947{7,8}/redis

2021-05-04 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2b9567b5 by Salvatore Bonaccorso at 2021-05-04T12:37:25+02:00
Track fixed version via unstable for CVE-2021-2947{7,8}/redis

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5744,11 +5744,11 @@ CVE-2021-29479
RESERVED
 CVE-2021-29478
RESERVED
-   - redis  (bug #988045)
+   - redis 5:6.0.13-1 (bug #988045)
NOTE: https://groups.google.com/g/redis-db/c/6GSWzTW0PR8/m/8FbdIEEoBAAJ
 CVE-2021-29477
RESERVED
-   - redis  (bug #988045)
+   - redis 5:6.0.13-1 (bug #988045)
NOTE: https://groups.google.com/g/redis-db/c/6GSWzTW0PR8/m/8FbdIEEoBAAJ
 CVE-2021-29476 (Requests is a HTTP library written in PHP. Requests mishandles 
deseria ...)
- wordpress 5.5.3+dfsg1-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b9567b5dbc0682bc77263405e6afcbc7f8f5177



[Git][security-tracker-team/security-tracker][master] Reserve DLA-2647-1 for bind9

2021-05-04 Thread Emilio Pozuelo Monfort


Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8626fa1b by Emilio Pozuelo Monfort at 2021-05-04T12:18:45+02:00
Reserve DLA-2647-1 for bind9

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[04 May 2021] DLA-2647-1 bind9 - security update
+   {CVE-2021-25214 CVE-2021-25215 CVE-2021-25216}
+   [stretch] - bind9 1:9.10.3.dfsg.P4-12.3+deb9u9
 [03 May 2021] DLA-2646-1 subversion - security update
{CVE-2020-17525}
[stretch] - subversion 1.9.5-1+deb9u6


=
data/dla-needed.txt
=
@@ -18,8 +18,6 @@ ansible (Markus Koschany)
   NOTE: 20210411: after that LTS. (apo)
   NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/
 --
-bind9 (Emilio)
---
 ceph
   NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby)
   NOTE: 20200707: Some discussion regarding removal 
 (lamby)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8626fa1b59f8bc6bb43699bd6f64db19f23d7e34



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim samba

2021-05-04 Thread Abhijith PA


Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker


Commits:
97ca822e by Abhijith PA at 2021-05-04T14:54:18+05:30
data/dla-needed.txt: Claim samba

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -131,7 +131,7 @@ ruby-nokogiri
   NOTE: 20210403: CVE-2020-26247: Java-level API not included in stretch but 
CVE also affects C/Ruby-level APIs;
   NOTE: 20210403: check if default change (trust -> don't trust external 
schemas) possibly breaks compatibility (Beuc)
 --
-samba
+samba (Abhijith PA)
 --
 salt (Utkarsh)
   NOTE: 20210329: WIP (utkarsh)
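Review bot: the `samba` block being claimed sits above `salt (Utkarsh)` in the context, which breaks the alphabetical ordering of dla-needed.txt (`salt` sorts before `samba`); the claim itself is fine, but the block belongs below `salt`, a move that commit 242e563d on this page makes.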



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/97ca822ed19c9df6b0372ce04fd12b3142fa15d0



[Git][security-tracker-team/security-tracker][master] Add reference to upstream announce for CVE-2021-2947{7,8}

2021-05-04 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
880c1f38 by Salvatore Bonaccorso at 2021-05-04T10:56:45+02:00
Add reference to upstream announce for CVE-2021-2947{7,8}

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5745,9 +5745,11 @@ CVE-2021-29479
 CVE-2021-29478
RESERVED
- redis  (bug #988045)
+   NOTE: https://groups.google.com/g/redis-db/c/6GSWzTW0PR8/m/8FbdIEEoBAAJ
 CVE-2021-29477
RESERVED
- redis  (bug #988045)
+   NOTE: https://groups.google.com/g/redis-db/c/6GSWzTW0PR8/m/8FbdIEEoBAAJ
 CVE-2021-29476 (Requests is a HTTP library written in PHP. Requests mishandles 
deseria ...)
- wordpress 5.5.3+dfsg1-1
[buster] - wordpress 5.0.11+dfsg1-0+deb10u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/880c1f382a0dbd6a5593cb3f376a963975d0955a



[Git][security-tracker-team/security-tracker][master] Track two new redis issues

2021-05-04 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
26da5402 by Salvatore Bonaccorso at 2021-05-04T10:55:25+02:00
Track two new redis issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5744,8 +5744,10 @@ CVE-2021-29479
RESERVED
 CVE-2021-29478
RESERVED
+   - redis  (bug #988045)
 CVE-2021-29477
RESERVED
+   - redis  (bug #988045)
 CVE-2021-29476 (Requests is a HTTP library written in PHP. Requests mishandles 
deseria ...)
- wordpress 5.5.3+dfsg1-1
[buster] - wordpress 5.0.11+dfsg1-0+deb10u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/26da540216743674995d377efdb14fb2838aa25e



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2021-05-04 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c1cbb5d8 by Salvatore Bonaccorso at 2021-05-04T10:19:09+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -15,7 +15,7 @@ CVE-2021-32022
 CVE-2021-32021
RESERVED
 CVE-2021-32020 (The kernel in Amazon Web Services FreeRTOS before 10.4.3 has 
insuffici ...)
-   TODO: check
+   NOT-FOR-US: kernel in Amazon Web Services FreeRTOS
 CVE-2021-32019
RESERVED
 CVE-2021-32018
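Review bot: resolving `TODO: check` to `NOT-FOR-US: kernel in Amazon Web Services FreeRTOS` closes the placeholder that the automatic update (commit 42273d1a on this page) created for CVE-2021-32020 a few minutes earlier; the NOT-FOR-US text mirrors the CVE description, which is the convention followed in the other hunks.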
@@ -25180,13 +25180,13 @@ CVE-2020-35760
 CVE-2020-35759
RESERVED
 CVE-2020-35758 (An issue was discovered on Libre Wireless LS9 LS1.5/p7040 
devices. The ...)
-   TODO: check
+   NOT-FOR-US: Libre Wireless LS9 LS1.5/p7040 devices
 CVE-2020-35757 (An issue was discovered on Libre Wireless LS9 LS1.5/p7040 
devices. The ...)
-   TODO: check
+   NOT-FOR-US: Libre Wireless LS9 LS1.5/p7040 devices
 CVE-2020-35756 (An issue was discovered on Libre Wireless LS9 LS1.5/p7040 
devices. The ...)
-   TODO: check
+   NOT-FOR-US: Libre Wireless LS9 LS1.5/p7040 devices
 CVE-2020-35755 (An issue was discovered on Libre Wireless LS9 LS1.5/p7040 
devices. The ...)
-   TODO: check
+   NOT-FOR-US: Libre Wireless LS9 LS1.5/p7040 devices
 CVE-2020-35754 (OpenSolution Quick.CMS  6.7 and Quick.Cart  6.7 allow 
an authe ...)
NOT-FOR-US: OpenSolution Quick.CMS
 CVE-2020-35753 (The job posting recommendation form in Persis Human Resource 
Managemen ...)
@@ -34009,7 +34009,7 @@ CVE-2020-28947 (In MISP 2.4.134, XSS exists in the 
template element index view b
 CVE-2020-28946 (An improper webserver configuration on Plum IK-401 devices 
with firmwa ...)
NOT-FOR-US: Plum IK-401 devices
 CVE-2020-28945 (OX App Suite 7.10.4 and earlier allows XSS via crafted content 
to reac ...)
-   TODO: check
+   NOT-FOR-US: OX App Suite
 CVE-2020-28944 (OX Guard 2.10.4 and earlier allows a Denial of Service via a 
WKS serve ...)
NOT-FOR-US: OX Guard
 CVE-2020-28943 (OX App Suite 7.10.4 and earlier allows SSRF via a snippet. ...)
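Review bot: marking CVE-2020-28945 "NOT-FOR-US: OX App Suite" lines up with the neighbouring CVE-2020-28944 entry, which already reads "NOT-FOR-US: OX Guard", so the OX entries in this block are now triaged consistently. The remaining OX App Suite entry in context, CVE-2020-28943 (SSRF via a snippet), is outside this hunk, so its status cannot be checked from here; confirm it carries the same NFU line.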



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1cbb5d83f2e34c235495fc4fb3fc69538590b4d



[Git][security-tracker-team/security-tracker][master] automatic update

2021-05-04 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
42273d1a by security tracker role at 2021-05-04T08:10:19+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,37 @@
+CVE-2021-3534
+   RESERVED
+CVE-2021-3533
+   RESERVED
+CVE-2021-32026
+   RESERVED
+CVE-2021-32025
+   RESERVED
+CVE-2021-32024
+   RESERVED
+CVE-2021-32023
+   RESERVED
+CVE-2021-32022
+   RESERVED
+CVE-2021-32021
+   RESERVED
+CVE-2021-32020 (The kernel in Amazon Web Services FreeRTOS before 10.4.3 has 
insuffici ...)
+   TODO: check
+CVE-2021-32019
+   RESERVED
+CVE-2021-32018
+   RESERVED
+CVE-2021-32017
+   RESERVED
+CVE-2021-32016
+   RESERVED
+CVE-2021-32015
+   RESERVED
+CVE-2021-32014
+   RESERVED
+CVE-2021-32013
+   RESERVED
+CVE-2021-32012
+   RESERVED
 CVE-2021-3532
RESERVED
 CVE-2021-3531
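Review bot: of the new entries in this hunk, only CVE-2021-32020 arrives with a description ("The kernel in Amazon Web Services FreeRTOS before 10.4.3 has insuffici ...") and "TODO: check"; the other eight are bare RESERVED placeholders that need no action. That TODO is the single item requiring human triage from this automatic import, and the "Process some NFUs" commit shown earlier in this digest resolves it to NOT-FOR-US.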
@@ -1926,8 +1960,8 @@ CVE-2021-31166
RESERVED
 CVE-2021-31165
RESERVED
-CVE-2021-31164
-   RESERVED
+CVE-2021-31164 (Apache Unomi prior to version 1.5.5 allows CRLF log injection 
because  ...)
+   TODO: check
 CVE-2021-31163
RESERVED
 CVE-2021-31162 (In the standard library in Rust before 1.53.0, a double free 
can occur ...)
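Review bot: CVE-2021-31164 moves from RESERVED to a description ("Apache Unomi prior to version 1.5.5 allows CRLF log injection ...") with "TODO: check", which is the correct placeholder for an automatic import; the follow-up triage should either add a package line with the fixed version or record NOT-FOR-US if no Debian package ships Apache Unomi. Leaving the TODO in place without a note on what was looked up makes the later decision harder to audit, so the resolving commit should state the rationale on the NFU or package line.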
@@ -25145,14 +25179,14 @@ CVE-2020-35760
RESERVED
 CVE-2020-35759
RESERVED
-CVE-2020-35758
-   RESERVED
-CVE-2020-35757
-   RESERVED
-CVE-2020-35756
-   RESERVED
-CVE-2020-35755
-   RESERVED
+CVE-2020-35758 (An issue was discovered on Libre Wireless LS9 LS1.5/p7040 
devices. The ...)
+   TODO: check
+CVE-2020-35757 (An issue was discovered on Libre Wireless LS9 LS1.5/p7040 
devices. The ...)
+   TODO: check
+CVE-2020-35756 (An issue was discovered on Libre Wireless LS9 LS1.5/p7040 
devices. The ...)
+   TODO: check
+CVE-2020-35755 (An issue was discovered on Libre Wireless LS9 LS1.5/p7040 
devices. The ...)
+   TODO: check
 CVE-2020-35754 (OpenSolution Quick.CMS  6.7 and Quick.Cart  6.7 allow 
an authe ...)
NOT-FOR-US: OpenSolution Quick.CMS
 CVE-2020-35753 (The job posting recommendation form in Persis Human Resource 
Managemen ...)
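Review bot: the four Libre Wireless entries (CVE-2020-35755 through CVE-2020-35758) are imported with identical truncated descriptions and identical "TODO: check" lines, so one triage decision applies to all four rather than four separate lookups; the "Process some NFUs" commit in this digest does exactly that and replaces each TODO with the same NOT-FOR-US rationale.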
@@ -26043,24 +26077,31 @@ CVE-2021-21234 (spring-boot-actuator-logview in a 
library that adds a simple log
 CVE-2020-35627 (Ultimate WooCommerce Gift Cards 3.0.2 is affected by a file 
upload vul ...)
NOT-FOR-US: Ultimate WooCommerce Gift Cards
 CVE-2021-21233 (Heap buffer overflow in ANGLE in Google Chrome on Windows 
prior to 90. ...)
+   {DSA-4911-1}
- chromium 90.0.4430.93-1 (bug #987715)
[stretch] - chromium  (see DSA 4562)
 CVE-2021-21232 (Use after free in Dev Tools in Google Chrome prior to 
90.0.4430.93 all ...)
+   {DSA-4911-1}
- chromium 90.0.4430.93-1 (bug #987715)
[stretch] - chromium  (see DSA 4562)
 CVE-2021-21231 (Insufficient data validation in V8 in Google Chrome prior to 
90.0.4430 ...)
+   {DSA-4911-1}
- chromium 90.0.4430.93-1 (bug #987715)
[stretch] - chromium  (see DSA 4562)
 CVE-2021-21230 (Type confusion in V8 in Google Chrome prior to 90.0.4430.93 
allowed a  ...)
+   {DSA-4911-1}
- chromium 90.0.4430.93-1 (bug #987715)
[stretch] - chromium  (see DSA 4562)
 CVE-2021-21229 (Incorrect security UI in downloads in Google Chrome on Android 
prior t ...)
+   {DSA-4911-1}
- chromium 90.0.4430.93-1 (bug #987715)
[stretch] - chromium  (see DSA 4562)
 CVE-2021-21228 (Insufficient policy enforcement in extensions in Google Chrome 
prior t ...)
+   {DSA-4911-1}
- chromium 90.0.4430.93-1 (bug #987715)
[stretch] - chromium  (see DSA 4562)
 CVE-2021-21227 (Insufficient data validation in V8 in Google Chrome prior to 
90.0.4430 ...)
+   {DSA-4911-1}
- chromium 90.0.4430.93-1 (bug #987715)
[stretch] - chromium  (see DSA 4562)
 CVE-2021-21226 (Use after free in navigation in Google Chrome prior to 
90.0.4430.85 al ...)
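Review bot: the "{DSA-4911-1}" annotation is added to all seven chromium entries from CVE-2021-21227 through CVE-2021-21233, each of which already records the fix as "chromium 90.0.4430.93-1 (bug #987715)", so the DSA reference agrees with the version line in every case and is placed above the package line as the tracker expects. The stretch lines read "chromium  (see DSA 4562)" with two spaces where the suite status token should appear; that is most likely the list archive dropping an angle-bracketed token, but confirm the token is intact in the repository since the hunk as shown cannot prove it.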
@@ -33967,8 +34008,8 @@ CVE-2020-28947 (In MISP 2.4.134, XSS exists in the 
template element index view b
NOT-FOR-US: MISP
 CVE-2020-28946 (An improper webserver configuration on Plum IK-401 devices 
with firmwa ...)
NOT-FOR-US: Plum IK-401 devices
-CVE-2020-28945
-   RESERVED
+CVE-2020-28945 (OX App Suite 7.10.4 and earlier allows XSS via crafted content 
to reac ...)
+   TODO: check
 CVE-2020-28944 (OX Guard 2.10.4 and earlier allows a Denial of Service via a 
WKS serve ...)
NOT-FOR-US: OX Guard
 CVE-2020-28943 (OX App Suite 7.10.4 and earlier allows SSRF via a snippet. ...)
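Review bot: CVE-2020-28945 now has its description ("OX App Suite 7.10.4 and earlier allows XSS via crafted content ...") and a "TODO: check"; the adjacent context entry CVE-2020-28944 is already "NOT-FOR-US: OX Guard", so the triage for this entry should follow the same product-level decision rather than being re-researched from scratch. The "Process some NFUs" commit earlier in this digest does resolve it to "NOT-FOR-US: OX App Suite".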
@@ -50821,8 +50862,8 @@ CVE-2020-23085
RESERVED
 CVE-2020-23084
RESERVED
-CVE-2020-23083
-   RESERVED
+CVE-2020-23083 (Unrestricted File Upload in JEECG v4.0 and earlier allows 
remote attac ...)
+   TODO: check
 CVE-2020-23082
RESERVED
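Review bot: CVE-2020-23083 is imported with a description ("Unrestricted File Upload in JEECG v4.0 and earlier allows remote attac ...") and "TODO: check"; unlike the other TODOs created by this automatic update, this one is not resolved anywhere else in the digest, so it remains open. The resolving commit should record either a package line or a NOT-FOR-US rationale naming the product, so that the decision is visible in the entry itself.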
 

[Git][security-tracker-team/security-tracker][master] CVE-2020-36326: add fixing commit

2021-05-04 Thread Emilio Pozuelo Monfort


Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9d6987ab by Emilio Pozuelo Monfort at 2021-05-04T09:43:43+02:00
CVE-2020-36326: add fixing commit

And mark as n/a on buster  stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -428,8 +428,11 @@ CVE-2021-31830
RESERVED
 CVE-2020-36326 (PHPMailer 6.1.8 through 6.4.0 allows object injection through 
Phar Des ...)
- libphp-phpmailer 
+   [buster] - libphp-phpmailer  (Regression introduced in 
6.1.8)
+   [stretch] - libphp-phpmailer  (Regression introduced in 
6.1.8)
NOTE: Introduced by: 
https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9
 (6.1.8)
-   TODO: check if the code change eliminated the code that blocked 
addAttachment independent on Windows plattform/UNC paths
+   NOTE: Fixed by: 
https://github.com/PHPMailer/PHPMailer/commit/26f2848d3bbb57add5f34a467a1e3b2f9ce5cd2a
+   NOTE: Also backport: 
https://github.com/PHPMailer/PHPMailer/commit/7f267fb4aadfcf62e3ddc50494c469c6b9c4405a
 CVE-2021-3518 [use-after-free in xmlXIncludeDoProcess() in xinclude.c]
RESERVED
[experimental] - libxml2 2.9.10+dfsg-6.4
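Review bot: the new "[buster]" and "[stretch]" lines justify the status with "(Regression introduced in 6.1.8)", which is consistent with the existing "Introduced by:" NOTE pointing at the 6.1.8 commit, but in the hunk as shown the status token between "libphp-phpmailer" and the parenthesis is missing (two spaces), so confirm the repository entry carries the intended not-affected token and, ideally, also names the version shipped in each suite so the claim can be verified without a separate lookup. The removed TODO asked whether the change "eliminated the code that blocked addAttachment independent on Windows plattform/UNC paths"; the replacement "Fixed by:" and "Also backport:" NOTEs answer that only implicitly, so a few words on why the second commit (7f267fb4...) must accompany the first (26f2848d...) would help whoever prepares the backport.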



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d6987ab162f6d797550a061935db3d830bb1047



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-3527/qemu

2021-05-04 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fa0b724c by Salvatore Bonaccorso at 2021-05-04T08:35:06+02:00
Add CVE-2021-3527/qemu

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -189,8 +189,10 @@ CVE-2021-31922
 CVE-2021-3528
RESERVED
NOT-FOR-US: noobaa
-CVE-2021-3527
+CVE-2021-3527 [usb: unbounded stack allocation in usbredir]
RESERVED
+   - qemu 
+   NOTE: 
https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg00564.html
 CVE-2021-3526
RESERVED
 CVE-2021-3525
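Review bot: the new "- qemu" line carries no fixed version, which correctly records the issue as open in unstable, and the only reference is the qemu-devel patch submission (msg00564.html); once that patch lands upstream the NOTE should be extended with the merged commit so the fix can be located for stable updates. No suite-specific lines ([buster] etc.) are added here, so the severity and whether a DSA or point-release update is warranted for the "unbounded stack allocation in usbredir" issue is still to be decided and should be recorded on the entry.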



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa0b724c9ebea535a48f437b622817bcecdd9303



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-20204/libgetdata

2021-05-04 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4717e666 by Salvatore Bonaccorso at 2021-05-04T08:34:04+02:00
Add CVE-2021-20204/libgetdata

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -28836,8 +28836,11 @@ CVE-2021-20205 (Libjpeg-turbo versions 2.0.91 and 
2.0.90 is vulnerable to a deni
- libjpeg-turbo  (Vulnerable code introduced later)
NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/493
NOTE: 
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/1719d12e51641cce5c77e259516649ba5ef6303c
-CVE-2021-20204
+CVE-2021-20204 [Use after free in _GD_Supports() in encoding.c]
RESERVED
+   - libgetdata 
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1956348
+   TODO: check details
 CVE-2021-20203 (An integer overflow issue was found in the vmxnet3 NIC 
emulator of the ...)
{DLA-2623-1}
- qemu  (bug #984452)
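Review bot: the new "- libgetdata" line has no fixed version and the entry's only reference is the Red Hat bugzilla (bug 1956348), with "TODO: check details" left open; the TODO should say what needs checking (affected versions, whether the _GD_Supports() code in encoding.c is present in the packaged release) so the next editor does not have to rediscover it. When an upstream fix for the use-after-free is identified, add it as a NOTE alongside the bugzilla link, as the neighbouring libjpeg-turbo entry does with its issue and commit references.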



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4717e666f4c8a6365a3225b937f70ed6343d2817
