[Git][security-tracker-team/security-tracker][master] Track fixed version for aom issues via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cc43565f by Salvatore Bonaccorso at 2021-11-02T06:17:40+01:00 Track fixed version for aom issues via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -31939,17 +31939,17 @@ CVE-2021-3486 (GLPi 9.5.4 does not sanitize the metadata. This way its possible NOTE: https://github.com/Kitsun3Sec/exploits/tree/master/cms/GLPI/GLPI-stored-XSS CVE-2021-30475 (aom_dsp/noise_model.c in libaom in AOMedia before 2021-03-24 has a buf ...) [experimental] - aom 3.2.0-1~exp1 - - aom + - aom 3.2.0-1 NOTE: https://aomedia.googlesource.com/aom/+/12adc723acf02633595a4d8da8345742729f46c0 NOTE: https://bugs.chromium.org/p/aomedia/issues/detail?id=2999 CVE-2021-30474 (aom_dsp/grain_table.c in libaom in AOMedia before 2021-03-30 has a use ...) [experimental] - aom 3.2.0-1~exp1 - - aom + - aom 3.2.0-1 NOTE: https://aomedia.googlesource.com/aom/+/6e31957b6dc62dbc7d1bb70cd84902dd14c4bf2e NOTE: https://bugs.chromium.org/p/aomedia/issues/detail?id=3000 CVE-2021-30473 (aom_image.c in libaom in AOMedia before 2021-04-07 frees memory that i ...) [experimental] - aom 3.2.0-1~exp1 - - aom (bug #988211) + - aom 3.2.0-1 (bug #988211) NOTE: https://aomedia.googlesource.com/aom/+/d0cac70b542c38accd916f8afd13592d34c48963%5E%21/ NOTE: https://bugs.chromium.org/p/aomedia/issues/detail?id=2998 CVE-2021-30472 (A flaw was found in PoDoFo 0.9.7. A stack-based buffer overflow in Pdf ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc43565ff363bf410b9df3116bbdb19158e4ab04 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc43565ff363bf410b9df3116bbdb19158e4ab04 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Re-claim openssh; will rollout the DLA soon(TM)
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 4f9f23b5 by Utkarsh Gupta at 2021-11-02T04:58:40+05:30 Re-claim openssh; will rollout the DLA soon(TM) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -73,7 +73,7 @@ nvidia-graphics-drivers openjdk-8 (Roberto C. Sánchez) NOTE: 20211101: coordinating with maribilos, waiting on upstream to finalize tags (roberto) -- -openssh +openssh (Utkarsh) NOTE: 20211003: a backporting error for CVE-2018-15473 was reported in NOTE: 20211003: Ubuntu (and can see the same code differences here); NOTE: 20211003: check if that needs to be fixed; talking to -security. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4f9f23b547569b17322ff5114be532d91ec980c9
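Review bot: the re-claim changes only the claimant (`openssh` to `openssh (Utkarsh)`) and leaves the three `NOTE: 20211003:` lines about the CVE-2018-15473 backporting error untouched, so the file still does not say whether that check has been done; following the dated-NOTE convention visible just above in the same hunk (`NOTE: 20211101: coordinating with maribilos, ...`), a `NOTE: 20211102:` line stating the current state and the planned DLA would be appropriate, all the more since this entry was unclaimed for inactivity only a few hours earlier (commit 37d42c9b below) and nothing in the file now records that activity.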
[Git][security-tracker-team/security-tracker][master] Remove no-dsa tag for CVE-2018-5740,bind9 in Stretch.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: f1948010 by Markus Koschany at 2021-11-02T00:09:45+01:00 Remove no-dsa tag for CVE-2018-5740,bind9 in Stretch. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -234804,7 +234804,6 @@ CVE-2018-5741 (To provide fine-grained controls over the ability to use Dynamic CVE-2018-5740 ("deny-answer-aliases" is a little-used feature intended to help recurs ...) {DLA-1485-1} - bind9 1:9.11.4.P1+dfsg-1 (bug #905743) - [stretch] - bind9 (Can be fixed along in the next DSA) NOTE: https://kb.isc.org/article/AA-01639/74/CVE-2018-5740 NOTE: https://gitlab.isc.org/isc-projects/bind9/merge_requests/607/commits CVE-2018-5739 (An extension to hooks capabilities which debuted in Kea 1.4.0 introduc ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f194801083ff02aad353188147e0e06da55ebdea
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2807-1 for bind9
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 6c9a407c by Markus Koschany at 2021-11-01T22:57:22+01:00 Reserve DLA-2807-1 for bind9 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[01 Nov 2021] DLA-2807-1 bind9 - security update + {CVE-2018-5740 CVE-2021-25219} + [stretch] - bind9 1:9.10.3.dfsg.P4-12.3+deb9u10 [01 Nov 2021] DLA-2806-1 glusterfs - security update {CVE-2018-1088 CVE-2018-10841 CVE-2018-10904 CVE-2018-10907 CVE-2018-10911 CVE-2018-10913 CVE-2018-10914 CVE-2018-10923 CVE-2018-10926 CVE-2018-10927 CVE-2018-10928 CVE-2018-10929 CVE-2018-10930 CVE-2018-14652 CVE-2018-14653 CVE-2018-14654 CVE-2018-14659 CVE-2018-14660 CVE-2018-14661} [stretch] - glusterfs 3.8.8-1+deb9u1 = data/dla-needed.txt = @@ -18,8 +18,6 @@ ansible NOTE: 20210411: after that LTS. (apo) NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/ -- -bind9 (Markus Koschany) --- botan1.10 (Anton Gladky) NOTE: 20211101: almost ready to be uploaded (gladk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6c9a407c86d0b04230765708499582a1fcf1bdde
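Review bot: the reservation records a stretch fix (1:9.10.3.dfsg.P4-12.3+deb9u10) for CVE-2018-5740, but at the time of this commit data/CVE/list still carried `[stretch] - bind9 (Can be fixed along in the next DSA)` for that CVE; that line was only removed about an hour later in commit f1948010 above. The no-dsa line should be dropped in the same commit as the DLA reservation so that data/DLA/list and data/CVE/list never disagree about the stretch status, even briefly. The dla-needed.txt removal of `bind9 (Markus Koschany)` loses no notes, since the entry had none.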
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2806-1 for glusterfs
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 627ef39a by Markus Koschany at 2021-11-01T22:55:02+01:00 Reserve DLA-2806-1 for glusterfs - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[01 Nov 2021] DLA-2806-1 glusterfs - security update + {CVE-2018-1088 CVE-2018-10841 CVE-2018-10904 CVE-2018-10907 CVE-2018-10911 CVE-2018-10913 CVE-2018-10914 CVE-2018-10923 CVE-2018-10926 CVE-2018-10927 CVE-2018-10928 CVE-2018-10929 CVE-2018-10930 CVE-2018-14652 CVE-2018-14653 CVE-2018-14654 CVE-2018-14659 CVE-2018-14660 CVE-2018-14661} + [stretch] - glusterfs 3.8.8-1+deb9u1 [31 Oct 2021] DLA-2805-1 libmspack - security update {CVE-2019-1010305} [stretch] - libmspack 0.5-1+deb9u4 = data/dla-needed.txt = @@ -47,10 +47,6 @@ firmware-nonfree NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag -- -glusterfs (Markus Koschany) - NOTE: 20211029: 15 CVEs that were fixed in jessie in DLA-1510-1 and DLA-1565-1 - NOTE: 20211029: should also be fixed in stretch (bunk) --- gpac (Roberto C. Sánchez) NOTE: 20211101: coordinating with secteam for s-p-u since stretch/buster versions match (roberto) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/627ef39a1fd78797f8fbeba70775a1830364e0ad
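Review bot: the reserved DLA-2806-1 entry lists 19 CVEs (CVE-2018-1088 through CVE-2018-14661), while the dla-needed.txt note being removed in the same change says that 15 CVEs were fixed in jessie via DLA-1510-1 and DLA-1565-1; confirm that the four additional CVEs are intentionally in scope for this stretch update and that the data/CVE/list entries for all 19 pick up the stretch fixed version 3.8.8-1+deb9u1 through this reservation. The removed `NOTE: 20211029:` lines are the only written rationale for the update (parity with the jessie DLAs), so that rationale is worth carrying into the DLA text rather than losing it with the claim.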
[Git][security-tracker-team/security-tracker][master] Track proposed update for CVE-2020-12268 via buster-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3944a272 by Salvatore Bonaccorso at 2021-11-01T22:20:30+01:00 Track proposed update for CVE-2020-12268 via buster-pu - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -80,3 +80,5 @@ CVE-2020-28282 [buster] - node-getobject 0.1.0-2+deb10u1 CVE-2021-38714 [buster] - plib 1.8.5-8+deb10u1 +CVE-2020-12268 + [buster] - jbig2dec 0.16-1+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3944a272c4d9cfede2918c9d14d6d32932a3b1ac
[Git][security-tracker-team/security-tracker][master] Track proposed updates for plib via {bullseye,buster}-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: faa5808f by Salvatore Bonaccorso at 2021-11-01T22:18:01+01:00 Track proposed updates for plib via {bullseye,buster}-pu - - - - - 2 changed files: - data/next-oldstable-point-update.txt - data/next-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -78,3 +78,5 @@ CVE-2020-28599 [buster] - openscad 2019.01~RC2-2+deb10u1 CVE-2020-28282 [buster] - node-getobject 0.1.0-2+deb10u1 +CVE-2021-38714 + [buster] - plib 1.8.5-8+deb10u1 = data/next-point-update.txt = @@ -18,3 +18,5 @@ CVE-2021-3796 [bullseye] - vim 2:8.2.2434-3+deb11u1 CVE-2020-28282 [bullseye] - node-getobject 0.1.0-2+deb11u1 +CVE-2021-38714 + [bullseye] - plib 1.8.5-8+deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/faa5808f31a92795efd9aea103f4eae1b398b49c
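Review bot: the two proposed versions share the same 1.8.5-8 base and differ only in the suite suffix, and +deb10u1 sorts below +deb11u1 in dpkg ordering, so a buster system carrying 1.8.5-8+deb10u1 will still upgrade cleanly to bullseye's 1.8.5-8+deb11u1; nothing to change here, just the check worth recording since both updates were proposed together.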
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f41cdf7e by Salvatore Bonaccorso at 2021-11-01T22:05:50+01:00 Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -51189,9 +51189,9 @@ CVE-2021-22566 CVE-2021-22565 RESERVED CVE-2021-22564 (For certain valid JPEG XL images with a size slightly larger than an i ...) - TODO: check + NOT-FOR-US: libjxl CVE-2021-22563 (Invalid JPEG XL images using libjxl can cause an out of bounds access ...) - TODO: check + NOT-FOR-US: libjxl CVE-2021-22562 RESERVED CVE-2021-22561 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f41cdf7e5017a2a43e3fad8895de406376d1d3ef
[Git][security-tracker-team/security-tracker][master] Process more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7440c49c by Salvatore Bonaccorso at 2021-11-01T21:54:05+01:00 Process more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -43586,15 +43586,15 @@ CVE-2021-25880 CVE-2021-25879 RESERVED CVE-2021-25878 (AVideo/YouPHPTube 10.0 and prior is affected by multiple reflected Cro ...) - TODO: check + NOT-FOR-US: AVideo/YouPHPTube CVE-2021-25877 (AVideo/YouPHPTube 10.0 and prior is affected by Insecure file write. A ...) - TODO: check + NOT-FOR-US: AVideo/YouPHPTube CVE-2021-25876 (AVideo/YouPHPTube 10.0 and prior has multiple reflected Cross Script S ...) - TODO: check + NOT-FOR-US: AVideo/YouPHPTube CVE-2021-25875 (AVideo/YouPHPTube AVideo/YouPHPTube 10.0 and prior has multiple reflec ...) - TODO: check + NOT-FOR-US: AVideo/YouPHPTube CVE-2021-25874 (AVideo/YouPHPTube AVideo/YouPHPTube 10.0 and prior is affected by a SQ ...) - TODO: check + NOT-FOR-US: AVideo/YouPHPTube CVE-2021-25873 RESERVED CVE-2021-25872 @@ -46039,7 +46039,7 @@ CVE-2021-24815 CVE-2021-24814 RESERVED CVE-2021-24813 (The Events Made Easy WordPress plugin before 2.2.24 does not sanitise ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-24812 RESERVED CVE-2021-24811 @@ -46047,9 +46047,9 @@ CVE-2021-24811 CVE-2021-24810 RESERVED CVE-2021-24809 (The BP Better Messages WordPress plugin before 1.9.9.41 does not check ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-24808 (The BP Better Messages WordPress plugin before 1.9.9.41 sanitise (with ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-24807 RESERVED CVE-2021-24806 @@ -46067,7 +46067,7 @@ CVE-2021-24801 CVE-2021-24800 RESERVED CVE-2021-24799 (The Far Future Expiry Header WordPress plugin before 1.5 does not have ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-24798 RESERVED CVE-2021-24797 
@@ -46077,9 +46077,9 @@ CVE-2021-24796 CVE-2021-24795 RESERVED CVE-2021-24794 (The Connections Business Directory WordPress plugin before 10.4.3 does ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-24793 (The WPeMatico RSS Feed Fetcher WordPress plugin before 2.6.12 does not ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-24792 RESERVED CVE-2021-24791 @@ -46087,7 +46087,7 @@ CVE-2021-24791 CVE-2021-24790 RESERVED CVE-2021-24789 (The Flat Preloader WordPress plugin before 1.5.5 does not escape some ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-24788 RESERVED CVE-2021-24787 @@ -46103,7 +46103,7 @@ CVE-2021-24783 CVE-2021-24782 RESERVED CVE-2021-24781 (The Image Source Control WordPress plugin before 2.3.1 allows users wi ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-24780 RESERVED CVE-2021-24779 (The WP Debugging WordPress plugin before 2.11.0 has its update_setting ...) @@ -46119,13 +46119,13 @@ CVE-2021-24775 CVE-2021-24774 (The Check Log Email WordPress plugin before 1.0.3 does not valid ...) NOT-FOR-US: WordPress plugin CVE-2021-24773 (The WordPress Download Manager WordPress plugin before 3.2.16 does not ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-24772 RESERVED CVE-2021-24771 RESERVED CVE-2021-24770 (The Stylish Price List WordPress plugin before 6.9.1 does not perform ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-24769 (The Permalink Manager Lite WordPress plugin before 2.2.13.1 does not v ...) NOT-FOR-US: WordPress plugin CVE-2021-24768 @@ -46151,7 +46151,7 @@ CVE-2021-24759 CVE-2021-24758 RESERVED CVE-2021-24757 (The Stylish Price List WordPress plugin before 6.9.0 does not perform ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-24756 RESERVED CVE-2021-24755 
@@ -46181,7 +46181,7 @@ CVE-2021-24744 (The WordPress Contact Forms by Cimatti WordPress plugin before 1 CVE-2021-24743 (The Podcast Subscribe Buttons WordPress plugin before 1.4.2 allows use ...) NOT-FOR-US: WordPress plugin CVE-2021-24742 (The Logo Slider and Showcase WordPress plugin before 1.3.37 allows Edi ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-24741 (The Support Board WordPress plugin before 3.3.4 does not escape multip ...) NOT-FOR-US: WordPress plugin CVE-2021-24740 (The Tutor LMS WordPress plugin before 1.9.9 does not escape some of it ...) @@ -46219,9 +46219,9 @@ CVE-2021-24725 (The Comment Link Remove and Other Comment Tools WordPress plugin CVE-2021-24724 (The Timetable and Event Schedule by MotoPress WordPress plugin before ...)
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b4c83d3e by Salvatore Bonaccorso at 2021-11-01T21:51:00+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -185,7 +185,7 @@ CVE-2021-43084 CVE-2021-3916 RESERVED CVE-2015-10001 (The WP-Stats WordPress plugin before 2.52 does not have CSRF check whe ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-43083 RESERVED CVE-2021-43082 @@ -193,9 +193,9 @@ CVE-2021-43082 CVE-2021-3915 RESERVED CVE-2020-36505 (The Delete All Comments Easily WordPress plugin through 1.3 is lacking ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2020-36504 (The WP-Pro-Quiz WordPress plugin through 0.37 does not have CSRF check ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-43081 RESERVED CVE-2021-43080 @@ -341,11 +341,11 @@ CVE-2021-3907 CVE-2021-3906 (bookstack is vulnerable to Unrestricted Upload of File with Dangerous ...) NOT-FOR-US: bookstack CVE-2018-25019 (The LearnDash LMS WordPress plugin before 2.5.4 does not have any auth ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2015-20067 (The WP Attachment Export WordPress plugin before 0.2.4 does not have p ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2015-20019 (The Content text slider on post WordPress plugin before 6.9 does not s ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-43032 RESERVED CVE-2021-43031 @@ -400,7 +400,7 @@ CVE-2021-3903 (vim is vulnerable to Heap-based Buffer Overflow ...) NOTE: https://github.com/vim/vim/commit/777e7c21b7627be80961848ac560cb0a9978ff43 NOTE: PoC crashes starting with https://github.com/vim/vim/commit/8a7d6542b33e5d2b352262305c3bfdb2d14e1cf8 (v8.2.0149) CVE-2020-36503 (The Connections Business Directory WordPress plugin before 9.7 does no ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-43010 RESERVED CVE-2021-43009 
@@ -1381,7 +1381,7 @@ CVE-2021-42559 CVE-2021-42558 RESERVED CVE-2021-42557 (In Jeedom through 4.1.19, a bug allows a remote attacker to bypass API ...) - TODO: check + NOT-FOR-US: Jeedom CVE-2021-42556 (Rasa X before 0.42.4 allows Directory Traversal during archive extract ...) NOT-FOR-US: Rasa X CVE-2021-42555 @@ -3961,7 +3961,7 @@ CVE-2021-3858 (snipe-it is vulnerable to Cross-Site Request Forgery (CSRF) ...) CVE-2021-3857 RESERVED CVE-2021-41973 (In Apache MINA, a specifically crafted, malformed HTTP request may cau ...) - TODO: check + NOT-FOR-US: Apache MINA CVE-2021-41972 RESERVED CVE-2021-41971 (Apache Superset up to and including 1.3.0 when configured with ENABLE_ ...) @@ -11290,7 +11290,7 @@ CVE-2021-38849 CVE-2021-38848 RESERVED CVE-2021-38847 (S-Cart v6.4.1 and below was discovered to contain an arbitrary file up ...) - TODO: check + NOT-FOR-US: S-Cart CVE-2021-38846 RESERVED CVE-2021-38845 @@ -11778,9 +11778,9 @@ CVE-2021-38616 (In Eigen NLP 3.10.1, a lack of access control on the /auth/v1/us CVE-2021-38615 (In Eigen NLP 3.10.1, a lack of access control on the /auth/v1/sso/conf ...) NOT-FOR-US: Eigen CVE-2021-3705 (Potential security vulnerabilities have been discovered on a certain H ...) - TODO: check + NOT-FOR-US: HP CVE-2021-3704 (Potential security vulnerabilities have been discovered on a certain H ...) - TODO: check + NOT-FOR-US: HP CVE-2021-38614 (** UNSUPPORTED WHEN ASSIGNED ** Polipo through 1.1.1, when NDEBUG is u ...) - polipo [buster] - polipo (Minor issue) 
@@ -35187,9 +35187,9 @@ CVE-2021-29215 CVE-2021-29214 RESERVED CVE-2021-29213 (A potential local bypass of security restrictions vulnerability has be ...) - TODO: check + NOT-FOR-US: HPE CVE-2021-29212 (A remote unauthenticated directory traversal security vulnerability ha ...) - TODO: check + NOT-FOR-US: HPE CVE-2021-29211 (A remote xss vulnerability was discovered in HPE Integrated Lights-Out ...) NOT-FOR-US: HPE CVE-2021-29210 (A remote dom xss, crlf injection vulnerability was discovered in HPE I ...) @@ -37534,7 +37534,7 @@ CVE-2021-28217 CVE-2021-3441 (A potential security vulnerability has been identified for the HP Offi ...) NOT-FOR-US: HP CVE-2021-3440 (HP Print and Scan Doctor, an application within the HP Smart App for W ...) - TODO: check + NOT-FOR-US: HP CVE-2021-3439 RESERVED CVE-2021-3438 (A potential buffer overflow in the software drivers for certain HP Las ...) @@ -39039,7 +39039,7 @@ CVE-2021-27645 (The nameserver caching daemon (nscd) in the GNU C Library (aka g NOTE: Introducing commit present in Debian since
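Review bot: unlike the WordPress plugin, HP/HPE and hosted-application entries in this batch, CVE-2021-41973 concerns Apache MINA, a Java library, and the annotation `NOT-FOR-US: Apache MINA` gives only the project name rather than a reason; a one-line NOTE saying why it does not apply to Debian (for example which MINA module the malformed-HTTP-request issue lives in and that it is not shipped) would make this triage auditable if the library is packaged or revisited later.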
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-41092
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 50c65477 by Salvatore Bonaccorso at 2021-11-01T21:43:33+01:00 Add Debian bug reference for CVE-2021-41092 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5957,10 +5957,9 @@ CVE-2021-41094 (Wire is an open source secure messenger. Users of Wire by Bund m CVE-2021-41093 (Wire is an open source secure messenger. In affected versions if the a ...) NOT-FOR-US: Wire iOS CVE-2021-41092 (Docker CLI is the command line interface for the docker container runt ...) - - docker.io + - docker.io (bug #998292) NOTE: https://github.com/docker/cli/security/advisories/GHSA-99pg-grm5-qq3v NOTE: https://github.com/docker/cli/commit/893e52cf4ba4b048d72e99748e0f86b2767c6c6b - NOTE: https://sources.debian.org/src/docker.io/20.10.8+dfsg1-2/cli/cli/command/registry.go/#L72 CVE-2021-41091 (Moby is an open-source project created by Docker to enable software co ...) - docker.io NOTE: https://github.com/moby/moby/security/advisories/GHSA-3fwx-pjgw-3558 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50c65477ef7d13c895dd0067e431ff74032f8fff
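Review bot: the removed line `NOTE: https://sources.debian.org/src/docker.io/20.10.8+dfsg1-2/cli/cli/command/registry.go/#L72` was the only pointer to where the affected code sits inside the Debian source tree (the CLI vendored under cli/ in the docker.io package), which is exactly what whoever prepares the stable fix will need next to the GHSA and upstream commit links; adding `(bug #998292)` is right, but the source pointer could be kept alongside the bug reference rather than dropped.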
[Git][security-tracker-team/security-tracker][master] Associate CVE-2021-22096 with libspring-java
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b3a2b928 by Salvatore Bonaccorso at 2021-11-01T21:34:00+01:00 Associate CVE-2021-22096 with libspring-java - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -52214,7 +52214,7 @@ CVE-2021-22098 (UAA server versions prior to 75.4.0 are vulnerable to an open re CVE-2021-22097 (In Spring AMQP versions 2.2.0 - 2.2.18 and 2.3.0 - 2.3.10, the Spring ...) NOT-FOR-US: Spring AMQP CVE-2021-22096 (In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older ...) - NOT-FOR-US: Spring Framework + - libspring-java CVE-2021-22095 RESERVED CVE-2021-22094 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b3a2b9281c40467fbfb474dc4ce059374d23a426
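Review bot: turning `NOT-FOR-US: Spring Framework` into a bare `- libspring-java` with no fixed version marks the package as affected in every suite, yet the entry carries no NOTE with the upstream advisory or fix commit and no per-release assessment, unlike the docker.io and civetweb entries handled minutes earlier in this same series, which record upstream commit links and a severity tag; since the description covers 5.3.0 - 5.3.10, 5.2.0 - 5.2.17 and older versions, add the upstream reference and a stable-release tag so the now-open entry can be acted on rather than sit as an unqualified vulnerability.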
[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-27304 as unimportant
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 226f0955 by Salvatore Bonaccorso at 2021-11-01T21:29:59+01:00 Mark CVE-2020-27304 as unimportant - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -71127,7 +71127,7 @@ CVE-2020-27306 CVE-2020-27305 RESERVED CVE-2020-27304 (The CivetWeb web library does not validate uploaded filepaths when run ...) - - civetweb 1.15+dfsg-1 + - civetweb 1.15+dfsg-1 (unimportant) NOTE: vulnerable code is an example, not packaged by Debian but present in source package NOTE: https://groups.google.com/g/civetweb/c/yPBxNXdGgJQ NOTE: https://github.com/civetweb/civetweb/commit/b2ed60c589172b37f3d705c69d84313eeb8348b1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/226f0955eb2d45523ea8668c55fc03f2c7b246a8
[Git][security-tracker-team/security-tracker][master] Semi-automatic unclaim after two weeks of inactivity.
Jeremiah C. Foster pushed to branch master at Debian Security Tracker / security-tracker Commits: 37d42c9b by Jeremiah C. Foster at 2021-11-01T16:25:54-04:00 Semi-automatic unclaim after two weeks of inactivity. Signed-off-by: Jeremiah C. Foster jerem...@jeremiahfoster.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -79,7 +79,7 @@ nvidia-graphics-drivers openjdk-8 (Roberto C. Sánchez) NOTE: 20211101: coordinating with maribilos, waiting on upstream to finalize tags (roberto) -- -openssh (Utkarsh) +openssh NOTE: 20211003: a backporting error for CVE-2018-15473 was reported in NOTE: 20211003: Ubuntu (and can see the same code differences here); NOTE: 20211003: check if that needs to be fixed; talking to -security. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/37d42c9b1b094406251ac9274fe1b3eb217e1013
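Review bot: the unclaim removes `(Utkarsh)` but adds no dated NOTE, so the next reader sees three `NOTE: 20211003:` lines and no record of why or when the claim lapsed; the dated-NOTE convention used in the neighbouring entries (`NOTE: 20211101: coordinating with maribilos, ...`) would call for a `NOTE: 20211101: unclaimed after two weeks of inactivity` line. The entry was re-claimed by the same person a few hours later (commit 4f9f23b5 above), and the open question in the existing notes, whether the CVE-2018-15473 backporting error reported in Ubuntu also needs fixing here, remains unanswered in both commits.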
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2a307b4b by security tracker role at 2021-11-01T20:10:27+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,11 @@ +CVE-2021-43174 + RESERVED +CVE-2021-43173 + RESERVED +CVE-2021-43172 + RESERVED +CVE-2021-3917 + RESERVED CVE-2021-43171 RESERVED CVE-2021-43170 @@ -176,18 +184,18 @@ CVE-2021-43084 RESERVED CVE-2021-3916 RESERVED -CVE-2015-10001 - RESERVED +CVE-2015-10001 (The WP-Stats WordPress plugin before 2.52 does not have CSRF check whe ...) + TODO: check CVE-2021-43083 RESERVED CVE-2021-43082 RESERVED CVE-2021-3915 RESERVED -CVE-2020-36505 - RESERVED -CVE-2020-36504 - RESERVED +CVE-2020-36505 (The Delete All Comments Easily WordPress plugin through 1.3 is lacking ...) + TODO: check +CVE-2020-36504 (The WP-Pro-Quiz WordPress plugin through 0.37 does not have CSRF check ...) + TODO: check CVE-2021-43081 RESERVED CVE-2021-43080 @@ -332,12 +340,12 @@ CVE-2021-3907 RESERVED CVE-2021-3906 (bookstack is vulnerable to Unrestricted Upload of File with Dangerous ...) NOT-FOR-US: bookstack -CVE-2018-25019 - RESERVED -CVE-2015-20067 - RESERVED -CVE-2015-20019 - RESERVED +CVE-2018-25019 (The LearnDash LMS WordPress plugin before 2.5.4 does not have any auth ...) + TODO: check +CVE-2015-20067 (The WP Attachment Export WordPress plugin before 0.2.4 does not have p ...) + TODO: check +CVE-2015-20019 (The Content text slider on post WordPress plugin before 6.9 does not s ...) + TODO: check CVE-2021-43032 RESERVED CVE-2021-43031 
@@ -391,8 +399,8 @@ CVE-2021-3903 (vim is vulnerable to Heap-based Buffer Overflow ...) NOTE: https://huntr.dev/bounties/35738a4f-55ce-446c-b836-2fb0b39625f8 NOTE: https://github.com/vim/vim/commit/777e7c21b7627be80961848ac560cb0a9978ff43 NOTE: PoC crashes starting with https://github.com/vim/vim/commit/8a7d6542b33e5d2b352262305c3bfdb2d14e1cf8 (v8.2.0149) -CVE-2020-36503 - RESERVED +CVE-2020-36503 (The Connections Business Directory WordPress plugin before 9.7 does no ...) + TODO: check CVE-2021-43010 RESERVED CVE-2021-43009 @@ -579,8 +587,8 @@ CVE-2021-42919 RESERVED CVE-2021-42918 RESERVED -CVE-2021-42917 - RESERVED +CVE-2021-42917 (Buffer overflow vulnerability in Kodi xbmc up to 19.0, allows attacker ...) + TODO: check CVE-2021-42916 RESERVED CVE-2021-42915 @@ -1372,8 +1380,8 @@ CVE-2021-42559 RESERVED CVE-2021-42558 RESERVED -CVE-2021-42557 - RESERVED +CVE-2021-42557 (In Jeedom through 4.1.19, a bug allows a remote attacker to bypass API ...) + TODO: check CVE-2021-42556 (Rasa X before 0.42.4 allows Directory Traversal during archive extract ...) NOT-FOR-US: Rasa X CVE-2021-42555 @@ -3952,8 +3960,8 @@ CVE-2021-3858 (snipe-it is vulnerable to Cross-Site Request Forgery (CSRF) ...) NOT-FOR-US: snipe-it CVE-2021-3857 RESERVED -CVE-2021-41973 - RESERVED +CVE-2021-41973 (In Apache MINA, a specifically crafted, malformed HTTP request may cau ...) + TODO: check CVE-2021-41972 RESERVED CVE-2021-41971 (Apache Superset up to and including 1.3.0 when configured with ENABLE_ ...) @@ -11282,8 +11290,8 @@ CVE-2021-38849 RESERVED CVE-2021-38848 RESERVED -CVE-2021-38847 - RESERVED +CVE-2021-38847 (S-Cart v6.4.1 and below was discovered to contain an arbitrary file up ...) + TODO: check CVE-2021-38846 RESERVED CVE-2021-38845 
@@ -11770,10 +11778,10 @@ CVE-2021-38616 (In Eigen NLP 3.10.1, a lack of access control on the /auth/v1/us NOT-FOR-US: Eigen CVE-2021-38615 (In Eigen NLP 3.10.1, a lack of access control on the /auth/v1/sso/conf ...) NOT-FOR-US: Eigen -CVE-2021-3705 - RESERVED -CVE-2021-3704 - RESERVED +CVE-2021-3705 (Potential security vulnerabilities have been discovered on a certain H ...) + TODO: check +CVE-2021-3704 (Potential security vulnerabilities have been discovered on a certain H ...) + TODO: check CVE-2021-38614 (** UNSUPPORTED WHEN ASSIGNED ** Polipo through 1.1.1, when NDEBUG is u ...) - polipo [buster] - polipo (Minor issue) @@ -19030,6 +19038,7 @@ CVE-2021-35604 (Vulnerability in the MySQL Server product of Oracle MySQL (compo - mysql-8.0 - mysql-5.7 CVE-2021-35603 (Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition produc ...) + {DSA-5000-1} - openjdk-17 17.0.1+12-1 - openjdk-11 11.0.13+8-1 - openjdk-8 @@ -19066,6 +19075,7 @@ CVE-2021-35588 (Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition CVE-2021-35587
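Review bot: in the hunk around CVE-2021-35603 the automatic update adds `{DSA-5000-1}` while `openjdk-8` stays listed without a fixed version next to `openjdk-17 17.0.1+12-1` and `openjdk-11 11.0.13+8-1`, so openjdk-8 continues to show as affected in every suite despite the DSA reference; once the openjdk-8 upload exists its version needs recording on that line. The other hunks only replace RESERVED placeholders with descriptions plus `TODO: check`, which the manual commits 7440c49c and b4c83d3e above then triage to NOT-FOR-US.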
[Git][security-tracker-team/security-tracker][master] Update tracking for CVE-2011-412{4,5,6}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4c83da5c by Salvatore Bonaccorso at 2021-11-01T21:09:33+01:00 Update tracking for CVE-2011-412{4,5,6} - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -422613,14 +422613,20 @@ CVE-2011-4127 (The Linux kernel before 3.2.2 does not properly restrict SG_IO io - libguestfs 1:1.14.8-1 - linux-2.6 CVE-2011-4126 (Race condition issues were found in Calibre at devices/linux_mount_hel ...) - - calibre 0.6.54+dfsg-1 (bug #584915) - NOTE: Vulnerable code removed upstream at version 1.10, removed by Debian packaging prior to that. + - calibre 1.5.0+dfsg-1 (bug #584915) + NOTE: Vulnerable code removed upstream at version 1.4.0 + NOTE: https://github.com/kovidgoyal/calibre/commit/7d54d25844efebfb3d6de2bb2b9af77dbf72d8b8 (v1.4.0) + NOTE: Removed by Debian packaging in 0.6.54+dfsg-1. CVE-2011-4125 (A untrusted search path issue was found in Calibre at devices/linux_mo ...) - - calibre 0.6.54+dfsg-1 (bug #584915) - NOTE: Vulnerable code removed upstream at version 1.10, removed by Debian packaging prior to that. + - calibre 1.5.0+dfsg-1 (bug #584915) + NOTE: Vulnerable code removed upstream at version 1.4.0 + NOTE: https://github.com/kovidgoyal/calibre/commit/7d54d25844efebfb3d6de2bb2b9af77dbf72d8b8 (v1.4.0) + NOTE: Removed by Debian packaging in 0.6.54+dfsg-1. CVE-2011-4124 (Input validation issues were found in Calibre at devices/linux_mount_h ...) - - calibre 0.6.54+dfsg-1 (bug #584915) - NOTE: Vulnerable code removed upstream at version 1.10, removed by Debian packaging prior to that. + - calibre 1.5.0+dfsg-1 (bug #584915) + NOTE: Vulnerable code removed upstream at version 1.4.0 + NOTE: https://github.com/kovidgoyal/calibre/commit/7d54d25844efebfb3d6de2bb2b9af77dbf72d8b8 (v1.4.0) + NOTE: Removed by Debian packaging in 0.6.54+dfsg-1. CVE-2011-4123 REJECTED CVE-2011-4122 (Directory traversal vulnerability in openpam_configure.c in OpenPAM be ...) 
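Review bot: the new NOTE lines say the vulnerable devices/linux_mount_helper code was removed upstream in v1.4.0 (commit 7d54d258) and by Debian packaging in 0.6.54+dfsg-1, yet the fixed version recorded for all three CVEs is 1.5.0+dfsg-1; presumably that was the first Debian upload based on an upstream release at or after 1.4.0, but a short NOTE saying so would keep the next reader from taking 1.5.0 for a typo of 1.4.0. Raising the fixed version from 0.6.54+dfsg-1 to 1.5.0+dfsg-1 also means package versions in between are now treated as affected even though the packaging had already stripped the code; tracking the upstream fix and recording the packaging removal separately is defensible, and it corrects the old NOTE's wrong claim of removal at upstream 1.10, but the intent is worth stating explicitly since it changes the answer for those intermediate versions.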
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c83da5c02ba451f27cbcb0c68fbcbbdab4b567c
[Git][security-tracker-team/security-tracker][master] LTS: status update
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 738d7339 by Anton Gladky at 2021-11-01T20:59:57+01:00 LTS: status update - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -21,6 +21,7 @@ ansible bind9 (Markus Koschany) -- botan1.10 (Anton Gladky) + NOTE: 20211101: almost ready to be uploaded (gladk) -- debian-archive-keyring NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html @@ -38,6 +39,7 @@ ffmpeg (Anton Gladky) NOTE: probably wait until stuff is fixed in Buster NOTE: 20211010: WIP https://salsa.debian.org/lts-team/packages/ffmpeg NOTE: ffmpeg 3.2.16 has been released + NOTE: 20211101: preparing an update (gladk) -- firefox-esr (Emilio) -- @@ -68,6 +70,7 @@ linux (Ben Hutchings) linux-4.19 (Ben Hutchings) -- ntfs-3g (Anton Gladky) + NOTE: 20211101: too many CVEs (gladk) -- nvidia-graphics-drivers NOTE: package is in non-free but also in packages-to-support View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/738d73399ed1936d2ce10e7206e37a6f038571fa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/738d73399ed1936d2ce10e7206e37a6f038571fa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
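Review bot: in the ffmpeg hunk, `NOTE: 20211101: preparing an update (gladk)` is added directly under `NOTE: probably wait until stuff is fixed in Buster` without saying whether that condition has been met; state whether the buster fix landed or whether the stretch update now goes ahead independently, otherwise the two notes contradict each other for the next person reading the file.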
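Review bot: in the ntfs-3g hunk, `NOTE: 20211101: too many CVEs (gladk)` records a problem but not a decision; dla-needed.txt is the hand-off record, so say what follows from it (package stays claimed and the CVEs will be batched, help wanted, or the claim is being dropped), and ideally which CVEs are being deferred.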
[Git][security-tracker-team/security-tracker][master] Add upstream commit for CVE-2021-42574/rustc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4cded675 by Salvatore Bonaccorso at 2021-11-01T20:33:36+01:00 Add upstream commit for CVE-2021-42574/rustc - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1337,6 +1337,7 @@ CVE-2021-42574 (An issue was discovered in the Bidirectional Algorithm in the Un [bullseye] - rustc (Minor issue) [buster] - rustc (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2021/11/01/1 + NOTE: https://github.com/rust-lang/rust/commit/dd61274930ec0cd17711fab52d2bc9ad3e9053de (1.56.1) CVE-2021-42573 RESERVED CVE-2021-42572 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4cded6759a3c6fd27b856c7f208a9a6816aeb91c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4cded6759a3c6fd27b856c7f208a9a6816aeb91c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
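Review bot: the hunk only adds the upstream commit NOTE with the `(1.56.1)` annotation; the context shows the `[bullseye]`/`[buster]` "Minor issue" lines but not the unstable `- rustc` line, so check that the unstable entry was set to the Debian upload carrying 1.56.1 (or deliberately left unfixed if none exists yet), since the NOTE by itself does not change the tracked state.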
[Git][security-tracker-team/security-tracker][master] Java n/a
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c9de153e by Moritz Muehlenhoff at 2021-11-01T20:07:23+01:00 Java n/a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19128,7 +19128,7 @@ CVE-2021-35561 (Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition - openjdk-11 11.0.13+8-1 - openjdk-8 CVE-2021-35560 (Vulnerability in the Java SE product of Oracle Java SE (component: Dep ...) - TODO: doublecheck for more details, Deployment components not part of OpenJDK, only present in Oracle Java + - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2021-35559 (Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition produc ...) - openjdk-17 17.0.1+12-1 - openjdk-11 11.0.13+8-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c9de153e9d494501ae706dafcaa01ad28d5edfea -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c9de153e9d494501ae706dafcaa01ad28d5edfea You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
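Review bot: `- openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java)` is a bare package line with no version, which the tracker reads as "unfixed in unstable", contradicting the parenthetical. Use the tracker's state marker, `- openjdk-8 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java)`, and apply the same to openjdk-11 and openjdk-17, which the neighbouring CVE-2021-35561 and CVE-2021-35559 entries list but this one omits; if the component exists in no Debian package at all, `NOT-FOR-US: Oracle Java SE Deployment` is the simpler form.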
[Git][security-tracker-team/security-tracker][master] asterisk, openjdk-11 DSAs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f2c7ed57 by Moritz Mühlenhoff at 2021-11-01T19:54:55+01:00 asterisk, openjdk-11 DSAs - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,9 @@ +[01 Nov 2021] DSA-5000-1 openjdk-11 - security update + {CVE-2021-35550 CVE-2021-35556 CVE-2021-35559 CVE-2021-35561 CVE-2021-35564 CVE-2021-35565 CVE-2021-35567 CVE-2021-35578 CVE-2021-35586 CVE-2021-35603} + [bullseye] - openjdk-11 11.0.13+8-1~deb11u1 +[01 Nov 2021] DSA-4999-1 asterisk - security update + {CVE-2021-32558 CVE-2021-32686} + [bullseye] - asterisk 1:16.16.1~dfsg-1+deb11u1 [31 Oct 2021] DSA-4998-1 ffmpeg - security update {CVE-2020-20446 CVE-2020-20450 CVE-2020-20453 CVE-2020-22037 CVE-2020-22042 CVE-2021-38114 CVE-2021-38171 CVE-2021-38291 CVE-2020-21697 CVE-2020-21688 CVE-2020-20445} [bullseye] - ffmpeg 7:4.3.3-0+deb11u1 = data/dsa-needed.txt = @@ -11,9 +11,6 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. --- -asterisk - Maintainer prepared update for bullseye, needs ping for buster -- condor -- @@ -35,8 +32,6 @@ ndpi/oldstable -- nodejs (jmm) -- -openjdk-11 (jmm) --- puppetdb (jmm) -- python-pysaml2 (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2c7ed571bf8f836cad635b52be2cb038ba72acd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2c7ed571bf8f836cad635b52be2cb038ba72acd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
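Review bot: in the dsa-needed.txt hunk that removes `asterisk - Maintainer prepared update for bullseye, needs ping for buster`, the buster part is lost: DSA-4999-1 as added above covers only `[bullseye] - asterisk 1:16.16.1~dfsg-1+deb11u1`. If the buster update is still pending, keep an `asterisk/oldstable` entry (the file header in the context says to add a slash and the release name) rather than dropping the line.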
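Review bot: the hunk that removes `openjdk-11 (jmm)` from dsa-needed.txt has the same question: DSA-5000-1 lists only `[bullseye] - openjdk-11 11.0.13+8-1~deb11u1` for ten CVEs, so if buster's openjdk-11 needs the same update, an `openjdk-11/oldstable` entry should replace the removed one instead of the package disappearing from the list.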
[Git][security-tracker-team/security-tracker][master] CVE-2021-41092/docker.io
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: a2a79030 by Neil Williams at 2021-11-01T14:45:15+00:00 CVE-2021-41092/docker.io - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5948,7 +5948,10 @@ CVE-2021-41094 (Wire is an open source secure messenger. Users of Wire by Bund m CVE-2021-41093 (Wire is an open source secure messenger. In affected versions if the a ...) NOT-FOR-US: Wire iOS CVE-2021-41092 (Docker CLI is the command line interface for the docker container runt ...) - TODO: check + - docker.io + NOTE: https://github.com/docker/cli/security/advisories/GHSA-99pg-grm5-qq3v + NOTE: https://github.com/docker/cli/commit/893e52cf4ba4b048d72e99748e0f86b2767c6c6b + NOTE: https://sources.debian.org/src/docker.io/20.10.8+dfsg1-2/cli/cli/command/registry.go/#L72 CVE-2021-41091 (Moby is an open-source project created by Docker to enable software co ...) - docker.io NOTE: https://github.com/moby/moby/security/advisories/GHSA-3fwx-pjgw-3558 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2a79030fe0cf14bc4c9cc46ce22c793a0801c4d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2a79030fe0cf14bc4c9cc46ce22c793a0801c4d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
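Review bot: `- docker.io` is added without a fixed version and without a NOTE naming the upstream release that contains commit 893e52cf4ba4b048d72e99748e0f86b2767c6c6b, so there is nothing to match against when a new docker.io upload arrives; add the upstream fixed version from the GHSA-99pg-grm5-qq3v advisory. The sources.debian.org pointer to `registry.go#L72` in 20.10.8+dfsg1-2 is useful evidence that the affected code is shipped, but it is pinned to one package version and line number and will go stale, so it should not be the only fix reference.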
[Git][security-tracker-team/security-tracker][master] CVE-2021-36513/freeswitch RFP
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 4276624b by Neil Williams at 2021-11-01T14:16:16+00:00 CVE-2021-36513/freeswitch RFP - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16888,7 +16888,7 @@ CVE-2021-36515 CVE-2021-36514 RESERVED CVE-2021-36513 (An issue was discovered in function sofia_handle_sip_i_notify in sofia ...) - TODO: check + - freeswitch (bug #389591) CVE-2021-36512 (An issue was discovered in function scanallsubs in src/sbbs3/scansubs. ...) NOT-FOR-US: Synchronet BBS CVE-2021-36511 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4276624bc6bed21bce14d7b60e5e963a250186e6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4276624bc6bed21bce14d7b60e5e963a250186e6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
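Review bot: the commit subject says this is an RFP, but `- freeswitch (bug #389591)` is the syntax for an unfixed source package in unstable; for a package that exists only as an ITP/RFP bug the tracker form is `- freeswitch <itp> (bug #389591)`, otherwise the entry refers to a source package that is not in the archive.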
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 8b1746cb by Neil Williams at 2021-11-01T14:15:04+00:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19316,7 +19316,7 @@ CVE-2021-3620 CVE-2021-35500 RESERVED CVE-2021-35499 (The Web Reporting component of TIBCO Software Inc.'s TIBCO Nimbus cont ...) - TODO: check + NOT-FOR-US: TIBCO CVE-2021-35498 (The TIBCO EBX Web Server component of TIBCO Software Inc.'s TIBCO EBX, ...) NOT-FOR-US: TIBCO CVE-2021-35497 (The FTL Server (tibftlserver) and Docker images containing tibftlserve ...) @@ -49032,15 +49032,16 @@ CVE-2021-23454 CVE-2021-23453 RESERVED CVE-2021-23452 (This affects all versions of package x-assign. The global proto object ...) - TODO: check + NOT-FOR-US: x-assign JS CVE-2021-23451 RESERVED CVE-2021-23450 RESERVED CVE-2021-23449 (This affects the package vm2 before 3.9.4 via a Prototype Pollution at ...) - TODO: check + NOT-FOR-US: vm2 JS + NOTE: https://github.com/patriksimek/vm2 CVE-2021-23448 (All versions of package config-handler are vulnerable to Prototype Pol ...) - TODO: check + NOT-FOR-US: config-handler JS CVE-2021-23447 (This affects the package teddy before 0.5.9. A type confusion vulnerab ...) NOT-FOR-US: teddy templating engine CVE-2021-23446 (The package handsontable before 10.0.0; the package handsontable from ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8b1746cb0d0f8bbb0d0c05300918d98b34fcaa22 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8b1746cb0d0f8bbb0d0c05300918d98b34fcaa22 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
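Review bot: in the hunk covering CVE-2021-23452 to CVE-2021-23448, the NFU labels `x-assign JS`, `vm2 JS` and `config-handler JS` differ from the `Node <package>` form used for the neighbouring entries (`NOT-FOR-US: Node handsontable` for CVE-2021-23446); pick one form so the file stays greppable. For vm2 the added repository NOTE is fine, but if a reference is worth keeping it is the fix for the `before 3.9.4` range in the description rather than the project front page.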
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 9eab3c40 by Neil Williams at 2021-11-01T13:57:16+00:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -49042,7 +49042,7 @@ CVE-2021-23449 (This affects the package vm2 before 3.9.4 via a Prototype Pollut CVE-2021-23448 (All versions of package config-handler are vulnerable to Prototype Pol ...) TODO: check CVE-2021-23447 (This affects the package teddy before 0.5.9. A type confusion vulnerab ...) - TODO: check + NOT-FOR-US: teddy templating engine CVE-2021-23446 (The package handsontable before 10.0.0; the package handsontable from ...) NOT-FOR-US: Node handsontable CVE-2021-23445 (This affects the package datatables.net before 1.11.3. If an array is ...) @@ -50084,9 +50084,9 @@ CVE-2021-22966 CVE-2021-22965 RESERVED CVE-2021-22964 (A redirect vulnerability in the `fastify-static` module version = ...) - TODO: check + NOT-FOR-US: fastify-static CVE-2021-22963 (A redirect vulnerability in the fastify-static module version 4.2 ...) - TODO: check + NOT-FOR-US: fastify-static CVE-2021-22962 RESERVED CVE-2021-22961 (A code injection vulnerability exists within the firewall software of ...) 
@@ -51180,7 +51180,7 @@ CVE-2021-22559 CVE-2021-22558 RESERVED CVE-2021-22557 (SLO generator allows for loading of YAML files that if crafted in a sp ...) - TODO: check + NOT-FOR-US: SLO generator CVE-2021-22556 RESERVED CVE-2021-22555 (A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was disco ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9eab3c403177c0023db94bf0dfa37b165147801d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9eab3c403177c0023db94bf0dfa37b165147801d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs & 1 removed pkg
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: d02e70a4 by Neil Williams at 2021-11-01T13:43:50+00:00 Process some NFUs 1 removed pkg - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -52188,9 +52188,9 @@ CVE-2021-22099 CVE-2021-22098 (UAA server versions prior to 75.4.0 are vulnerable to an open redirect ...) NOT-FOR-US: UAA server CVE-2021-22097 (In Spring AMQP versions 2.2.0 - 2.2.18 and 2.3.0 - 2.3.10, the Spring ...) - TODO: check + NOT-FOR-US: Spring AMQP CVE-2021-22096 (In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older ...) - TODO: check + NOT-FOR-US: Spring Framework CVE-2021-22095 RESERVED CVE-2021-22094 @@ -52288,13 +52288,13 @@ CVE-2021-22049 CVE-2021-22048 RESERVED CVE-2021-22047 (In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older ...) - TODO: check + NOT-FOR-US: Spring Data REST CVE-2021-22046 RESERVED CVE-2021-22045 RESERVED CVE-2021-22044 (In Spring Cloud OpenFeign 3.0.0 to 3.0.4, 2.2.0.RELEASE to 2.2.9.RELEA ...) - TODO: check + NOT-FOR-US: Spring Cloud OpenFeign CVE-2021-22043 RESERVED CVE-2021-22042 @@ -55400,7 +55400,7 @@ CVE-2021-21321 (fastify-reply-from is an npm package which is a fastify plugin t CVE-2021-21320 (matrix-react-sdk is an npm package which is a Matrix SDK for React Jav ...) NOT-FOR-US: Node matrix-react-sdk CVE-2021-21319 (Galette is a membership management web application geared towards non ...) - TODO: check + - galette CVE-2021-21318 (Opencast is a free, open-source platform to support the management of ...) NOT-FOR-US: Opencast CVE-2021-21317 (uap-core in an open-source npm package which contains the core of Brow ...) 
@@ -56863,9 +56863,9 @@ CVE-2021-20841 CVE-2021-20840 RESERVED CVE-2021-20839 (Office Server Document Converter V7.2MR4 and earlier and V7.1MR7 and e ...) - TODO: check + NOT-FOR-US: Office Server Document Converter CVE-2021-20838 (Office Server Document Converter V7.2MR4 and earlier and V7.1MR7 and e ...) - TODO: check + NOT-FOR-US: Office Server Document Converter CVE-2021-20837 (Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Typ ...) - movabletype-opensource CVE-2021-20836 (Out-of-bounds read vulnerability in CX-Supervisor v4.0.0.13 and v4.0.0 ...) @@ -65590,7 +65590,7 @@ CVE-2021-1119 (NVIDIA vGPU software contains a vulnerability in the Virtual GPU CVE-2021-1118 (NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manag ...) NOT-FOR-US: NVIDIA CVE-2021-1117 (Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sy ...) - TODO: check + NOT-FOR-US: NVIDIA CVE-2021-1116 (NVIDIA GPU Display Driver for Windows contains a vulnerability in the ...) NOT-FOR-US: NVIDIA GPU Display Driver for Windows CVE-2021-1115 (NVIDIA GPU Display Driver for Windows contains a vulnerability in the ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d02e70a487b6184ef246cc4c0b25348d4cb134ab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d02e70a487b6184ef246cc4c0b25348d4cb134ab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
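Review bot: in the hunk for CVE-2021-21319, `- galette` is a bare unfixed entry, but the commit subject says this is the "1 removed pkg"; a package removed from the archive should be recorded as `- galette <removed>`, otherwise the tracker keeps reporting it as an open issue in unstable.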
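Review bot: in the hunk for CVE-2021-22097/CVE-2021-22096, `NOT-FOR-US: Spring Framework` needs a second look: Debian carries the Spring Framework as src:libspring-java, and the CVE-2021-22096 description explicitly covers "older unsupported versions", so this is a candidate for a `- libspring-java` entry (with a severity or `<not-affected>` reason once checked) rather than NFU. Spring AMQP, Spring Data REST and Spring Cloud OpenFeign are separate projects and the NFU for those looks right.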
[Git][security-tracker-team/security-tracker][master] Process more aaptjs NFUs
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 73eff175 by Neil Williams at 2021-11-01T13:25:57+00:00 Process more aaptjs NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23380,17 +23380,17 @@ CVE-2021-33740 (Windows Media Remote Code Execution Vulnerability ...) CVE-2021-33739 (Microsoft DWM Core Library Elevation of Privilege Vulnerability ...) NOT-FOR-US: Microsoft CVE-2020-36381 (An issue was discovered in the singleCrunch function in shenzhim aaptj ...) - TODO: check + NOT-FOR-US: aaptjs CVE-2020-36380 (An issue was discovered in the crunch function in shenzhim aaptjs 1.3. ...) - TODO: check + NOT-FOR-US: aaptjs CVE-2020-36379 (An issue was discovered in the remove function in shenzhim aaptjs 1.3. ...) - TODO: check + NOT-FOR-US: aaptjs CVE-2020-36378 (An issue was discovered in the packageCmd function in shenzhim aaptjs ...) - TODO: check + NOT-FOR-US: aaptjs CVE-2020-36377 (An issue was discovered in the dump function in shenzhim aaptjs 1.3.1, ...) - TODO: check + NOT-FOR-US: aaptjs CVE-2020-36376 (An issue was discovered in the list function in shenzhim aaptjs 1.3.1, ...) - TODO: check + NOT-FOR-US: aaptjs CVE-2020-36375 (Stack overflow vulnerability in parse_equality Cesanta MJS 1.20.1, all ...) NOT-FOR-US: Cesanta MJS CVE-2020-36374 (Stack overflow vulnerability in parse_comparison Cesanta MJS 1.20.1, a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/73eff17573052ce2c2fbdb55c4988f02e4fe0661 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/73eff17573052ce2c2fbdb55c4988f02e4fe0661 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add notes on CVE-2020-27304/civetweb
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 83ee3132 by Neil Williams at 2021-11-01T12:05:30+00:00 Add notes on CVE-2020-27304/civetweb - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -71103,7 +71103,11 @@ CVE-2020-27306 CVE-2020-27305 RESERVED CVE-2020-27304 (The CivetWeb web library does not validate uploaded filepaths when run ...) - TODO: check + - civetweb 1.15+dfsg-1 + NOTE: vulnerable code is an example, not packaged by Debian but present in source package + NOTE: https://groups.google.com/g/civetweb/c/yPBxNXdGgJQ + NOTE: https://github.com/civetweb/civetweb/commit/b2ed60c589172b37f3d705c69d84313eeb8348b1 + NOTE: https://github.com/civetweb/civetweb/commit/e489ff4f05647126ffa62d3a54f50bf7b7380776#diff-da20af5c7c76edbce3228777f142173af544c0202af876e8d5618f839f9ab2ac CVE-2020-27303 RESERVED CVE-2020-27302 (A stack buffer overflow in Realtek RTL8710 (and other Ameba-based devi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/83ee31326ef9a9df2fce4512b204e910f2069ee5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/83ee31326ef9a9df2fce4512b204e910f2069ee5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
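Review bot: `- civetweb 1.15+dfsg-1` with the NOTE that the vulnerable code is an example not built into any Debian binary marks buster and bullseye as affected with no severity, so the issue will surface as open in stable. The file's convention for code that is present in the source package but not shipped is to tag it, as `- libstb (unimportant; bug #949555)` does elsewhere in this file; add `(unimportant)` here, or `[bullseye]`/`[buster]` no-dsa lines with that reason.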
[Git][security-tracker-team/security-tracker][master] Process 2 NFUs
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 1003f654 by Neil Williams at 2021-11-01T11:55:00+00:00 Process 2 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -72489,11 +72489,11 @@ CVE-2020-26709 CVE-2020-26708 RESERVED CVE-2020-26707 (An issue was discovered in the add function in Shenzhim AAPTJS 1.3.1 w ...) - TODO: check + NOT-FOR-US: aaptjs CVE-2020-26706 RESERVED CVE-2020-26705 (The parseXML function in Easy-XML 0.5.0 was discovered to have a XML E ...) - TODO: check + NOT-FOR-US: python-easy_xml CVE-2020-26704 RESERVED CVE-2020-26703 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1003f65420151a860634ef8fdbfbe4777dab4b59 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1003f65420151a860634ef8fdbfbe4777dab4b59 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
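Review bot: `NOT-FOR-US: python-easy_xml` uses a Debian-style binary package name for something the line says is not in Debian, which is confusing when grepping the file; name the upstream project as the description does, e.g. `NOT-FOR-US: Easy-XML (Python)`, and keep Debian package names for entries that are actually tracked.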
[Git][security-tracker-team/security-tracker][master] CVE-2019-3556/hhvm - pkg removed
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 56678c6b by Neil Williams at 2021-11-01T11:48:25+00:00 CVE-2019-3556/hhvm - pkg removed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -185662,7 +185662,7 @@ CVE-2019-3558 (Python Facebook Thrift servers would not error upon receiving mes CVE-2019-3557 (The implementations of streams for bz2 and php://output improperly imp ...) - hhvm CVE-2019-3556 (HHVM supports the use of an "admin" server which accepts administrativ ...) - TODO: check + - hhvm CVE-2019-3555 RESERVED CVE-2019-3554 (Wangle's AcceptRoutingHandler incorrectly casts a socket when acceptin ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56678c6b2949c05fba1ccd7c57c0ae71495b88ed -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56678c6b2949c05fba1ccd7c57c0ae71495b88ed You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
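Review bot: the commit says the package was removed, but `- hhvm` is the unfixed-in-unstable form; the tracker marks removed packages as `- hhvm <removed>`. The preceding CVE-2019-3557 line in the context has the same bare `- hhvm`, so both should probably be changed together rather than copying the existing one.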
[Git][security-tracker-team/security-tracker][master] CVE-2021-3903/vim: PoC note
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 5466579a by Sylvain Beucler at 2021-11-01T12:43:55+01:00 CVE-2021-3903/vim: PoC note - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -390,6 +390,7 @@ CVE-2021-3903 (vim is vulnerable to Heap-based Buffer Overflow ...) - vim 2:8.2.3565-1 NOTE: https://huntr.dev/bounties/35738a4f-55ce-446c-b836-2fb0b39625f8 NOTE: https://github.com/vim/vim/commit/777e7c21b7627be80961848ac560cb0a9978ff43 + NOTE: PoC crashes starting with https://github.com/vim/vim/commit/8a7d6542b33e5d2b352262305c3bfdb2d14e1cf8 (v8.2.0149) CVE-2020-36503 RESERVED CVE-2021-43010 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5466579abe438bb03d3b630d3f8c8fe7f34cb7f0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5466579abe438bb03d3b630d3f8c8fe7f34cb7f0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: update notes on my claimed packages
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 61159905 by Roberto C. Sánchez at 2021-11-01T07:37:14-04:00 LTS: update notes on my claimed packages - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -50,6 +50,7 @@ glusterfs (Markus Koschany) NOTE: 20211029: should also be fixed in stretch (bunk) -- gpac (Roberto C. Sánchez) + NOTE: 20211101: coordinating with secteam for s-p-u since stretch/buster versions match (roberto) -- libgit2 (Utkarsh) NOTE: 20211029: CVE-2018-10887/CVE-2018-10888/CVE-2018-15501 were fixed @@ -73,6 +74,7 @@ nvidia-graphics-drivers NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077 -- openjdk-8 (Roberto C. Sánchez) + NOTE: 20211101: coordinating with maribilos, waiting on upstream to finalize tags (roberto) -- openssh (Utkarsh) NOTE: 20211003: a backporting error for CVE-2018-15473 was reported in @@ -97,6 +99,7 @@ rustc (Roberto C. Sánchez) NOTE: rust-doc in stretch-lts (and jessie-lts) is not installable NOTE: https://bugs.debian.org/928422 NOTE: Perhaps fix with the next rustc update for a new Firefox? (bunk) + NOTE: 20211101: working on llvm-toolchain-11 update, which is needed by rustc (roberto) -- salt (Markus Koschany) NOTE: 20210329: WIP (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61159905e90fa35101f81e39accb48a28ef6bc7b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61159905e90fa35101f81e39accb48a28ef6bc7b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update 3 old CVEs for calibre - code removed
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 084bb13e by Neil Williams at 2021-11-01T11:34:56+00:00 Update 3 old CVEs for calibre - code removed Prior to 1.10, Debian packaging removed the vulnerable code (described in bug #584915), it was then removed upstream. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -422603,11 +422603,14 @@ CVE-2011-4127 (The Linux kernel before 3.2.2 does not properly restrict SG_IO io - libguestfs 1:1.14.8-1 - linux-2.6 CVE-2011-4126 (Race condition issues were found in Calibre at devices/linux_mount_hel ...) - TODO: check + - calibre 0.6.54+dfsg-1 (bug #584915) + NOTE: Vulnerable code removed upstream at version 1.10, removed by Debian packaging prior to that. CVE-2011-4125 (A untrusted search path issue was found in Calibre at devices/linux_mo ...) - TODO: check + - calibre 0.6.54+dfsg-1 (bug #584915) + NOTE: Vulnerable code removed upstream at version 1.10, removed by Debian packaging prior to that. CVE-2011-4124 (Input validation issues were found in Calibre at devices/linux_mount_h ...) - TODO: check + - calibre 0.6.54+dfsg-1 (bug #584915) + NOTE: Vulnerable code removed upstream at version 1.10, removed by Debian packaging prior to that. CVE-2011-4123 REJECTED CVE-2011-4122 (Directory traversal vulnerability in openpam_configure.c in OpenPAM be ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/084bb13e5321d8f27f6b241824abc7a41d82605a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/084bb13e5321d8f27f6b241824abc7a41d82605a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
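Review bot: `NOTE: Vulnerable code removed upstream at version 1.10` gives no reference for the removal, and "1.10" is ambiguous under calibre's numbering (1.1.0 versus 1.10.0); cite the upstream commit that deleted `devices/linux_mount_helper` and the tag it first appears in, and say how the `0.6.54+dfsg-1` fixed version was established (the packaging change in bug #584915), since the fixed version is being set from the packaging removal rather than from upstream.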
[Git][security-tracker-team/security-tracker][master] Process an NFU
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 73c6ce19 by Neil Williams at 2021-11-01T11:00:33+00:00 Process an NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -422617,7 +422617,7 @@ CVE-2011-4121 (The OpenSSL extension of Ruby (Git trunk) versions after 2011-09- CVE-2011-4120 (Yubico PAM Module before 2.10 performed user authentication when 'use_ ...) - yubico-pam 2.10-1 CVE-2011-4119 (caml-light = 0.75 uses mktemp() insecurely, and also does unsafe t ...) - TODO: check + NOT-FOR-US: caml-light CVE-2011-4117 (The Batch::BatchRun module 1.03 for Perl does not properly handle temp ...) NOT-FOR-US: perl Batch::BatchRun CPAN module CVE-2011-4116 (_is_safe in the File::Temp module for Perl does not properly handle sy ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/73c6ce19293400d9b57427689918c0919e5bf567 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/73c6ce19293400d9b57427689918c0919e5bf567 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
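Review bot: before settling on `NOT-FOR-US: caml-light` for CVE-2011-4119, check whether caml-light was ever a Debian source package; an issue in a package that was once in the archive and later removed is recorded as `- caml-light <removed>`, not NFU, so that the history stays accurate for oldoldstable queries.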
[Git][security-tracker-team/security-tracker][master] CVE-2011-2195/websvn: add notes
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: ac7a046a by Sylvain Beucler at 2021-11-01T11:12:49+01:00 CVE-2011-2195/websvn: add notes - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -428430,6 +428430,8 @@ CVE-2011-2196 (jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, a NOT-FOR-US: JBoss Seam CVE-2011-2195 (A flaw was found in WebSVN 2.3.2. Without prior authentication, if the ...) - websvn + NOTE: Windows-specific + NOTE: mitigated by https://github.com/websvnphp/websvn/commit/50f02cf848c5bdebb66d9b017389c9d67d4f CVE-2011-2193 (Multiple buffer overflows in Terascale Open-Source Resource and Queue ...) {DSA-2329-1} - torque 2.4.15+dfsg-1 (bug #635342) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac7a046a7eab2f9471e8d8d0c55234ec95248e1d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac7a046a7eab2f9471e8d8d0c55234ec95248e1d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
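Review bot: `NOTE: Windows-specific` is added, but the entry keeps the bare `- websvn` line, which reports Debian's websvn as vulnerable and unfixed; if the flaw only applies on Windows the entry should be `- websvn <not-affected> (Windows-specific)`, and if the "mitigated by" commit is only a partial fix that should be said, because "mitigated" plus "Windows-specific" plus "unfixed" cannot all hold at once. Also the commit hash in the NOTE URL is 36 hex characters, which resolves on GitHub as an abbreviation but is not a full SHA-1; paste the full 40-character hash so it keeps working if the prefix stops being unique.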
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ccf0c358 by Moritz Muehlenhoff at 2021-11-01T09:35:51+01:00 NFUs remove TODO for libstd, codebases which embed it not security relevant - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1043,16 +1043,14 @@ CVE-2021-3894 CVE-2021-42717 RESERVED CVE-2021-42716 (An issue was discovered in stb stb_image.h 2.27. The PNM loader incorr ...) - - libstb + - libstb NOTE: https://github.com/nothings/stb/issues/1166 NOTE: https://github.com/nothings/stb/issues/1225 NOTE: https://github.com/nothings/stb/pull/1223 - TODO: check libstb itself, and various packages embedd a copy CVE-2021-42715 (An issue was discovered in stb stb_image.h 1.33 through 2.27. The HDR ...) - - libstb + - libstb NOTE: https://github.com/nothings/stb/issues/1224 NOTE: https://github.com/nothings/stb/pull/1223 - TODO: check libstb itself, and various packages embedd a copy CVE-2021-42714 RESERVED CVE-2021-42713 @@ -1094,7 +1092,7 @@ CVE-2021-42696 CVE-2021-42695 RESERVED CVE-2021-42694 (An issue was discovered in the character definitions of the Unicode Sp ...) - TODO: check + NOT-FOR-US: Unicode spec CVE-2021-42693 RESERVED CVE-2021-42692 @@ -5438,7 +5436,7 @@ CVE-2021-3813 CVE-2021-41314 (Certain NETGEAR smart switches are affected by a \n injection in the w ...) NOT-FOR-US: NETGEAR CVE-2021-41313 (Affected versions of Atlassian Jira Server and Data Center allow authe ...) - TODO: check + NOT-FOR-US: Atlassian CVE-2021-41312 RESERVED CVE-2021-41311 @@ -5712,7 +5710,7 @@ CVE-2021-41196 CVE-2021-41195 RESERVED CVE-2021-41194 (FirstUseAuthenticator is a JupyterHub authenticator that helps new use ...) - TODO: check + NOT-FOR-US: FirstUseAuthenticator for JupyterHub CVE-2021-41193 RESERVED CVE-2021-41192 
@@ -5771,9 +5769,9 @@ CVE-2021-41170 CVE-2021-41169 (Sulu is an open-source PHP content management system based on the Symf ...) NOT-FOR-US: Sulu CVE-2021-41168 (Snudown is a reddit-specific fork of the Sundown Markdown parser used ...) - TODO: check + NOT-FOR-US: Snudown CVE-2021-41167 (modern-async is an open source JavaScript tooling library for asynchro ...) - TODO: check + NOT-FOR-US: modern-async CVE-2021-41166 RESERVED CVE-2021-41165 @@ -5819,9 +5817,9 @@ CVE-2021-41152 (OpenOlat is a web-based e-learning platform for teaching, learni CVE-2021-41151 (Backstage is an open platform for building developer portals. In affec ...) NOT-FOR-US: Backstage CVE-2021-41150 (Tough provides a set of Rust libraries and tools for using and generat ...) - TODO: check + NOT-FOR-US: Tough CVE-2021-41149 (Tough provides a set of Rust libraries and tools for using and generat ...) - TODO: check + NOT-FOR-US: Tough CVE-2021-41148 (Tuleap Open ALM is a libre and open source tool for end to end traceab ...) NOT-FOR-US: Tuleap CVE-2021-41147 (Tuleap Open ALM is a libre and open source tool for end to end traceab ...) @@ -12384,7 +12382,7 @@ CVE-2021-38380 (Live555 through 1.08 mishandles huge requests for the same MP3 s NOTE: http://lists.live555.com/pipermail/live-devel/2021-August/021954.html NOTE: http://www.live555.com/liveMedia/public/changelog.txt#[2021.08.04] CVE-2021-38379 (The Hub in CFEngine Enterprise 3.6.7 through 3.18.0 has Insecure Permi ...) - TODO: check + NOT-FOR-US: CFEngine Enterprise CVE-2021-38378 RESERVED CVE-2021-38377 
@@ -16352,7 +16350,7 @@ CVE-2021-36758 (1Password Connect server before 1.2 is missing validation checks CVE-2021-36757 RESERVED CVE-2021-36756 (CFEngine Enterprise 3.15.0 through 3.15.4 has Missing SSL Certificate ...) - TODO: check + NOT-FOR-US: CFEngine Enterprise CVE-2021-36755 (Nightscout Web Monitor (aka cgm-remote-monitor) 14.2.2 allows XSS via ...) NOT-FOR-US: Nightscout Web Monitor CVE-2021-36754 (PowerDNS Authoritative Server 4.5.0 before 4.5.1 allows anybody to cra ...) @@ -122264,8 +122262,6 @@ CVE-2020-6619 (stb stb_truetype.h through 1.22 has an assertion failure in stbtt NOTE: stb_truetype.h explicitly marked as unsuitable for untrusted files CVE-2020-6618 (stb stb_truetype.h through 1.22 has a heap-based buffer over-read in s ...) - libstb (unimportant; bug #949555) - [bullseye] - libstb (Minor issue) - [buster] - libstb (Minor issue) NOTE: https://github.com/nothings/stb/issues/866 NOTE: stb_truetype.h explicitly marked as unsuitable for untrusted files CVE-2020-6617 (stb stb_truetype.h through 1.22 has an assertion failure in stbtt__cff ...) View it on GitLab:
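Review bot: In the @@ -1043 hunk the two TODO lines on CVE-2021-42716 and CVE-2021-42715 ("check libstb itself, and various packages embedd a copy") are dropped and the `- libstb` lines are rewritten with identical content (a whitespace-only change), but the conclusion given in the commit message, that codebases embedding stb_image.h are not security relevant, is not recorded in the entries themselves; add a NOTE line carrying that rationale, as the CVE-2020-6618 entry does with "stb_truetype.h explicitly marked as unsuitable for untrusted files", so the reason the embedded copies were not tracked survives in the tracker rather than only in git history.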
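Review bot: In the @@ -1094 hunk CVE-2021-42694 (character definitions of the Unicode specification) is set to `NOT-FOR-US: Unicode spec`, while its companion issue CVE-2021-42574 (the Unicode Bidirectional Algorithm) is tracked against rustc in this same file with "Minor issue" for bullseye and buster; a short NOTE stating why the character-definitions half is not tracked against the same toolchain would keep the two entries from reading as contradictory.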
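Review bot: In the @@ -122264 hunk the `[bullseye] - libstb (Minor issue)` and `[buster] - libstb (Minor issue)` lines are removed from CVE-2020-6618 while `- libstb (unimportant; bug #949555)` stays, presumably because an unimportant rating makes per-release entries redundant; that is reasonable, but the change is not covered by the commit message ("NFUs remove TODO for libstb, codebases which embed it not security relevant"), so mention it there or land it as a separate commit to keep the history searchable.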
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3dca5ce3 by security tracker role at 2021-11-01T08:10:42+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,181 @@ +CVE-2021-43171 + RESERVED +CVE-2021-43170 + RESERVED +CVE-2021-43169 + RESERVED +CVE-2021-43168 + RESERVED +CVE-2021-43167 + RESERVED +CVE-2021-43166 + RESERVED +CVE-2021-43165 + RESERVED +CVE-2021-43164 + RESERVED +CVE-2021-43163 + RESERVED +CVE-2021-43162 + RESERVED +CVE-2021-43161 + RESERVED +CVE-2021-43160 + RESERVED +CVE-2021-43159 + RESERVED +CVE-2021-43158 + RESERVED +CVE-2021-43157 + RESERVED +CVE-2021-43156 + RESERVED +CVE-2021-43155 + RESERVED +CVE-2021-43154 + RESERVED +CVE-2021-43153 + RESERVED +CVE-2021-43152 + RESERVED +CVE-2021-43151 + RESERVED +CVE-2021-43150 + RESERVED +CVE-2021-43149 + RESERVED +CVE-2021-43148 + RESERVED +CVE-2021-43147 + RESERVED +CVE-2021-43146 + RESERVED +CVE-2021-43145 + RESERVED +CVE-2021-43144 + RESERVED +CVE-2021-43143 + RESERVED +CVE-2021-43142 + RESERVED +CVE-2021-43141 + RESERVED +CVE-2021-43140 + RESERVED +CVE-2021-43139 + RESERVED +CVE-2021-43138 + RESERVED +CVE-2021-43137 + RESERVED +CVE-2021-43136 + RESERVED +CVE-2021-43135 + RESERVED +CVE-2021-43134 + RESERVED +CVE-2021-43133 + RESERVED +CVE-2021-43132 + RESERVED +CVE-2021-43131 + RESERVED +CVE-2021-43130 + RESERVED +CVE-2021-43129 + RESERVED +CVE-2021-43128 + RESERVED +CVE-2021-43127 + RESERVED +CVE-2021-43126 + RESERVED +CVE-2021-43125 + RESERVED +CVE-2021-43124 + RESERVED +CVE-2021-43123 + RESERVED +CVE-2021-43122 + RESERVED +CVE-2021-43121 + RESERVED +CVE-2021-43120 + RESERVED +CVE-2021-43119 + RESERVED +CVE-2021-43118 + RESERVED +CVE-2021-43117 + RESERVED +CVE-2021-43116 + RESERVED +CVE-2021-43115 + RESERVED +CVE-2021-43114 + RESERVED +CVE-2021-43113 + RESERVED +CVE-2021-43112 + RESERVED +CVE-2021-43111 + RESERVED +CVE-2021-43110 + RESERVED +CVE-2021-43109 + RESERVED +CVE-2021-43108 + RESERVED +CVE-2021-43107 + RESERVED +CVE-2021-43106 + RESERVED +CVE-2021-43105 + RESERVED +CVE-2021-43104 + RESERVED +CVE-2021-43103 + RESERVED +CVE-2021-43102 + RESERVED +CVE-2021-43101 + RESERVED +CVE-2021-43100 + RESERVED +CVE-2021-43099 + RESERVED 
+CVE-2021-43098 + RESERVED +CVE-2021-43097 + RESERVED +CVE-2021-43096 + RESERVED +CVE-2021-43095 + RESERVED +CVE-2021-43094 + RESERVED +CVE-2021-43093 + RESERVED +CVE-2021-43092 + RESERVED +CVE-2021-43091 + RESERVED +CVE-2021-43090 + RESERVED +CVE-2021-43089 + RESERVED +CVE-2021-43088 + RESERVED +CVE-2021-43087 + RESERVED +CVE-2021-43086 + RESERVED +CVE-2021-43085 + RESERVED +CVE-2021-43084 + RESERVED +CVE-2021-3916 + RESERVED CVE-2015-10001 RESERVED CVE-2021-43083 @@ -915,8 +1093,8 @@ CVE-2021-42696 RESERVED CVE-2021-42695 RESERVED -CVE-2021-42694 - RESERVED +CVE-2021-42694 (An issue was discovered in the character definitions of the Unicode Sp ...) + TODO: check CVE-2021-42693 RESERVED CVE-2021-42692 @@ -1155,8 +1333,7 @@ CVE-2021-42576 (The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 NOT-FOR-US: bluemonday sanitizer CVE-2021-42575 (The OWASP Java HTML Sanitizer before 20211018.1 does not properly enfo ...) NOT-FOR-US: OWASP HTML Sanitizer -CVE-2021-42574 - RESERVED +CVE-2021-42574 (An issue was discovered in the Bidirectional Algorithm in the Unicode ...) - rustc [bullseye] - rustc (Minor issue) [buster] - rustc (Minor issue) @@ -5260,8 +5437,8 @@ CVE-2021-3813 RESERVED CVE-2021-41314 (Certain NETGEAR smart switches are affected by a \n injection in the w ...) NOT-FOR-US: NETGEAR -CVE-2021-41313 - RESERVED +CVE-2021-41313 (Affected versions of Atlassian Jira Server and Data Center allow authe ...) + TODO: check CVE-2021-41312 RESERVED CVE-2021-41311 @@ -7534,8 +7711,7 @@ CVE-2021-40350 (webctrl.cgi.elf on Christie Digital DWU850-GS V06.46 devices all NOT-FOR-US: Christie Digital DWU850-GS V06.46 devices CVE-2021-40349 (e7d Speed Test (aka speedtest) 0.5.3 allows a path-traversal attack th ...) NOT-FOR-US: e7d Speed Test -CVE-2021-40348 - RESERVED +CVE-2021-40348 (Spacewalk 2.10, and derivatives such as Uyuni 2021.08, allows code inj ...) NOT-FOR-US: Uyuni / Spacewalk (Red Hat) CVE-2021-40347 (An issue was
[Git][security-tracker-team/security-tracker][master] new rustc issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 96846105 by Moritz Muehlenhoff at 2021-11-01T09:05:25+01:00 new rustc issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1157,6 +1157,10 @@ CVE-2021-42575 (The OWASP Java HTML Sanitizer before 20211018.1 does not properl NOT-FOR-US: OWASP HTML Sanitizer CVE-2021-42574 RESERVED + - rustc + [bullseye] - rustc (Minor issue) + [buster] - rustc (Minor issue) + NOTE: https://www.openwall.com/lists/oss-security/2021/11/01/1 CVE-2021-42573 RESERVED CVE-2021-42572 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96846105f4e5c89e6ae4d6542023e1c7c3e8a18d
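Review bot: In the @@ -1157 hunk the new `- rustc` line records CVE-2021-42574 as unfixed in unstable with no fixed version and no bug reference, and the bullseye and buster lines are rated "Minor issue" while the entry is still RESERVED (no description yet); add a NOTE pointing at the upstream fix or the rustc release that addresses it once known, so the unstable line can be resolved to a fixed version, and record the reasoning behind the Minor rating next to the oss-security link so the per-release decision can be re-checked when the description is published.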