[Git][security-tracker-team/security-tracker][master] LTS: Add CVE-2021-38171 to be announced in DLA-2818-1
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 443b0985 by Anton Gladky at 2021-11-13T22:06:41+01:00 LTS: Add CVE-2021-38171 to be announced in DLA-2818-1 - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -15267,7 +15267,6 @@ CVE-2021-38172 CVE-2021-38171 (adts_decode_extradata in libavformat/adtsenc.c in FFmpeg 4.4 does not ...) {DSA-4998-1 DSA-4990-1} - ffmpeg 7:4.4.1-1 - [stretch] - ffmpeg (Wait to be fixed in buster first) NOTE: https://github.com/FFmpeg/FFmpeg/commit/9ffa49496d1aae4cbbb387aac28a9e061a6ab0a6 CVE-2021-38170 RESERVED = data/DLA/list = @@ -1,5 +1,5 @@ [13 Nov 2021] DLA-2818-1 ffmpeg - security update - {CVE-2020-20445 CVE-2020-20446 CVE-2020-20451 CVE-2020-20453 CVE-2020-22037 CVE-2020-22041 CVE-2020-22044 CVE-2020-22046 CVE-2020-22048 CVE-2020-22049 CVE-2020-22054 CVE-2021-38291} + {CVE-2020-20445 CVE-2020-20446 CVE-2020-20451 CVE-2020-20453 CVE-2020-22037 CVE-2020-22041 CVE-2020-22044 CVE-2020-22046 CVE-2020-22048 CVE-2020-22049 CVE-2020-22054 CVE-2021-38171 CVE-2021-38291} [stretch] - ffmpeg 7:3.2.16-1+deb9u1 [12 Nov 2021] DLA-2817-1 postgresql-9.6 - security update {CVE-2021-23214 CVE-2021-23222} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/443b0985410fa18819fa69e8353857e355291b2f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/443b0985410fa18819fa69e8353857e355291b2f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
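Review bot: In the data/CVE/list hunk for CVE-2021-38171 the `[stretch] - ffmpeg (Wait to be fixed in buster first)` line is dropped, but the cross-reference braces stay `{DSA-4998-1 DSA-4990-1}` without DLA-2818-1. The automatic update earlier in this digest added `DLA-2818-1` to CVE-2021-38291's braces from the data/DLA/list entry, so the next automatic run should do the same here; check that it does, since after this commit the stretch fix for CVE-2021-38171 is recorded only through the DLA entry and the CVE/list entry itself no longer mentions stretch at all.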
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5dd0b8b2 by Salvatore Bonaccorso at 2021-11-13T21:20:05+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -277,7 +277,7 @@ CVE-2021-43522 CVE-2021-3939 RESERVED CVE-2021-3938 (snipe-it is vulnerable to Improper Neutralization of Input During Web ...) - TODO: check + NOT-FOR-US: snipe-it CVE-2021-3937 RESERVED CVE-2021-3936 @@ -544,7 +544,7 @@ CVE-2021-43402 CVE-2021-43401 RESERVED CVE-2021-3931 (snipe-it is vulnerable to Cross-Site Request Forgery (CSRF) ...) - TODO: check + NOT-FOR-US: snipe-it CVE-2021-3930 [off-by-one error in mode_sense_page() in hw/scsi/scsi-disk.c] RESERVED - qemu @@ -1997,7 +1997,7 @@ CVE-2021-43205 CVE-2021-43204 RESERVED CVE-2021-3921 (firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) ...) - TODO: check + NOT-FOR-US: firefly-iii CVE-2021-3920 RESERVED CVE-2021-3919 @@ -2265,7 +2265,7 @@ CVE-2021-43082 (Buffer Copy without Checking Size of Input ('Classic Buffer Over NOTE: CVE description is wrong, this doesn't affect 8.1, only 9.x/master: NOTE: Introduced with https://github.com/apache/trafficserver/commit/5e2385b666b4176be0f64fbadfbfae42094db396 (9.1.0-rc0) CVE-2021-3915 (bookstack is vulnerable to Unrestricted Upload of File with Dangerous ...) - TODO: check + NOT-FOR-US: bookstack CVE-2020-36505 (The Delete All Comments Easily WordPress plugin through 1.3 is lacking ...) NOT-FOR-US: WordPress plugin CVE-2020-36504 (The WP-Pro-Quiz WordPress plugin through 0.37 does not have CSRF check ...) @@ -6870,7 +6870,7 @@ CVE-2021-41655 CVE-2021-41654 RESERVED CVE-2021-41653 (The PING function on the TP-Link TL-WR840N EU v5 router with firmware ...) - TODO: check + NOT-FOR-US: TP-Link CVE-2021-41652 RESERVED CVE-2021-41651 (A blind SQL injection vulnerability exists in the Raymart DG / Ahmed H ...) 
@@ -9498,9 +9498,9 @@ CVE-2021-40526 (Incorrect calculation of buffer size vulnerability in Peleton TT CVE-2021-40525 RESERVED CVE-2021-3776 (showdoc is vulnerable to Cross-Site Request Forgery (CSRF) ...) - TODO: check + NOT-FOR-US: showdoc CVE-2021-3775 (showdoc is vulnerable to Cross-Site Request Forgery (CSRF) ...) - TODO: check + NOT-FOR-US: showdoc CVE-2021-3774 (Meross Smart Wi-Fi 2 Way Wall Switch (MSS550X), on its 3.1.3 version a ...) NOT-FOR-US: Meross Smart Wi-Fi 2 Way Wall Switch CVE-2021-3773 @@ -15423,7 +15423,7 @@ CVE-2021-3685 CVE-2021-3684 RESERVED CVE-2021-3683 (showdoc is vulnerable to Cross-Site Request Forgery (CSRF) ...) - TODO: check + NOT-FOR-US: showdoc CVE-2021-38113 (In addBouquet in js/bqe.js in OpenWebif (aka e2openplugin-OpenWebif) t ...) NOT-FOR-US: OpenWebif (aka e2openplugin-OpenWebif) CVE-2021-38112 (In the Amazon AWS WorkSpaces client 3.0.10 through 3.1.8 on Windows, a ...) @@ -87680,7 +87680,7 @@ CVE-2020-21143 CVE-2020-21142 (Cross Site Scripting (XSS) vulnerabilty in IPFire 2.23 via the IPfire ...) NOT-FOR-US: IPFire CVE-2020-21141 (iCMS v7.0.15 was discovered to contain a Cross-Site Request Forgery (C ...) - TODO: check + NOT-FOR-US: iCMS CVE-2020-21140 RESERVED CVE-2020-21139 (EC Cloud E-Commerce System v1.3 was discovered to contain a Cross-Site ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5dd0b8b211eecc2c4fa51ad500919f60c81fccc0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5dd0b8b211eecc2c4fa51ad500919f60c81fccc0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
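Review bot: In the `@@ -6870,7 +6870,7 @@` hunk the tag `NOT-FOR-US: TP-Link` names only the vendor, while the description identifies the device (TL-WR840N EU v5) and the neighbouring Meross entry uses the product form (`NOT-FOR-US: Meross Smart Wi-Fi 2 Way Wall Switch`). `NOT-FOR-US: TP-Link TL-WR840N` would keep the file searchable by product, which matters when several CVEs for different TP-Link models land in the same week.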
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-43616/npm
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f4c16fa7 by Salvatore Bonaccorso at 2021-11-13T21:16:45+01:00 Add CVE-2021-43616/npm - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,6 @@ CVE-2021-43616 (The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an i ...) - TODO: check + - npm + NOTE: https://github.com/npm/cli/issues/2701 CVE-2021-43615 RESERVED CVE-2021-43614 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f4c16fa7d8dc9401f37a0932a11948cd8ced960a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f4c16fa7d8dc9401f37a0932a11948cd8ced960a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
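Review bot: The hunk records `- npm` with no fixed version and no suite annotations, while the description limits the issue to npm 7.x and 8.x through 8.1.3. If the npm packaged in bullseye or buster falls outside that range, an explicit `[bullseye] - npm ...` / `[buster] - npm ...` line (as the lldpd and bluez entries in this digest carry) would say so instead of leaving every suite implicitly affected; and since https://github.com/npm/cli/issues/2701 is the only reference, a NOTE with the fixed upstream version once one exists would let the unstable line be closed.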
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2898dc82 by security tracker role at 2021-11-13T20:10:22+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,5 @@ +CVE-2021-43616 (The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an i ...) + TODO: check CVE-2021-43615 RESERVED CVE-2021-43614 @@ -141,8 +143,8 @@ CVE-2021-3947 [NVME: Arbitrary Memory Read] NOTE: https://lore.kernel.org/qemu-devel/2021153125.2258176-1-phi...@redhat.com/ CVE-2021-3946 RESERVED -CVE-2021-3945 - RESERVED +CVE-2021-3945 (django-helpdesk is vulnerable to Improper Neutralization of Input Duri ...) + TODO: check CVE-2002-20001 (The Diffie-Hellman Key Agreement Protocol allows remote attackers (fro ...) TODO: check CVE-2021-3944 @@ -273,8 +275,8 @@ CVE-2021-43522 RESERVED CVE-2021-3939 RESERVED -CVE-2021-3938 - RESERVED +CVE-2021-3938 (snipe-it is vulnerable to Improper Neutralization of Input During Web ...) + TODO: check CVE-2021-3937 RESERVED CVE-2021-3936 @@ -520,8 +522,8 @@ CVE-2021-43411 (An issue was discovered in GNU Hurd before 0.9 20210404-9. When - hurd 1:0.9.git20210404-9 CVE-2021-43410 RESERVED -CVE-2021-3932 - RESERVED +CVE-2021-3932 (twill is vulnerable to Cross-Site Request Forgery (CSRF) ...) + TODO: check CVE-2021-43409 RESERVED CVE-2021-43408 @@ -540,8 +542,8 @@ CVE-2021-43402 RESERVED CVE-2021-43401 RESERVED -CVE-2021-3931 - RESERVED +CVE-2021-3931 (snipe-it is vulnerable to Cross-Site Request Forgery (CSRF) ...) + TODO: check CVE-2021-3930 [off-by-one error in mode_sense_page() in hw/scsi/scsi-disk.c] RESERVED - qemu @@ -1993,8 +1995,8 @@ CVE-2021-43205 RESERVED CVE-2021-43204 RESERVED -CVE-2021-3921 - RESERVED +CVE-2021-3921 (firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) ...) + TODO: check CVE-2021-3920 RESERVED CVE-2021-3919 
@@ -2057,8 +2059,8 @@ CVE-2021-43176 RESERVED CVE-2021-43175 RESERVED -CVE-2021-3918 - RESERVED +CVE-2021-3918 (json-schema is vulnerable to Improperly Controlled Modification of Obj ...) + TODO: check CVE-2021-43174 (NLnet Labs Routinator versions 0.9.0 up to and including 0.10.1, suppo ...) - routinator (bug #929024) NOTE: https://www.nlnetlabs.nl/downloads/routinator/CVE-2021-43172_CVE-2021-43173_CVE-2021-43174.txt @@ -2261,8 +2263,8 @@ CVE-2021-43082 (Buffer Copy without Checking Size of Input ('Classic Buffer Over NOTE: https://github.com/apache/trafficserver/commit/02b17dbe3cff71ffd31577d872e077531124d207 (master) NOTE: CVE description is wrong, this doesn't affect 8.1, only 9.x/master: NOTE: Introduced with https://github.com/apache/trafficserver/commit/5e2385b666b4176be0f64fbadfbfae42094db396 (9.1.0-rc0) -CVE-2021-3915 - RESERVED +CVE-2021-3915 (bookstack is vulnerable to Unrestricted Upload of File with Dangerous ...) + TODO: check CVE-2020-36505 (The Delete All Comments Easily WordPress plugin through 1.3 is lacking ...) NOT-FOR-US: WordPress plugin CVE-2020-36504 (The WP-Pro-Quiz WordPress plugin through 0.37 does not have CSRF check ...) @@ -6866,8 +6868,8 @@ CVE-2021-41655 RESERVED CVE-2021-41654 RESERVED -CVE-2021-41653 - RESERVED +CVE-2021-41653 (The PING function on the TP-Link TL-WR840N EU v5 router with firmware ...) + TODO: check CVE-2021-41652 RESERVED CVE-2021-41651 (A blind SQL injection vulnerability exists in the Raymart DG / Ahmed H ...) 
@@ -9494,10 +9496,10 @@ CVE-2021-40526 (Incorrect calculation of buffer size vulnerability in Peleton TT NOT-FOR-US: Peleton CVE-2021-40525 RESERVED -CVE-2021-3776 - RESERVED -CVE-2021-3775 - RESERVED +CVE-2021-3776 (showdoc is vulnerable to Cross-Site Request Forgery (CSRF) ...) + TODO: check +CVE-2021-3775 (showdoc is vulnerable to Cross-Site Request Forgery (CSRF) ...) + TODO: check CVE-2021-3774 (Meross Smart Wi-Fi 2 Way Wall Switch (MSS550X), on its 3.1.3 version a ...) NOT-FOR-US: Meross Smart Wi-Fi 2 Way Wall Switch CVE-2021-3773 @@ -14878,7 +14880,7 @@ CVE-2021-38293 CVE-2021-38292 RESERVED CVE-2021-38291 (FFmpeg version (git commit de8e6e67e7523e48bb27ac224a0b446df05e1640) s ...) - {DSA-4998-1 DSA-4990-1} + {DSA-4998-1 DSA-4990-1 DLA-2818-1} - ffmpeg 7:4.4.1-1 (unimportant) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=e01d306c647b5827102260b885faa223b646d2d1 NOTE: https://trac.ffmpeg.org/ticket/9312 @@ -15419,8 +15421,8 @@ CVE-2021-3685 RESERVED CVE-2021-3684 RESERVED -CVE-2021-3683 - RESERVED
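Review bot: The `@@ -14878,7 +14880,7 @@` hunk adds `DLA-2818-1` to the cross-references of CVE-2021-38291 only, generated from the data/DLA/list entry reserved earlier in this digest; that DLA entry lists twelve CVEs and does not include CVE-2021-38171, which is why no other ffmpeg entry is touched here. When CVE-2021-38171 is added to the DLA, a later automatic run needs to add the same reference there; if it does not, the DLA and CVE lists will disagree on what DLA-2818-1 fixes.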
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-43612/lldpd and track fixed version via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 771d4842 by Salvatore Bonaccorso at 2021-11-13T21:08:27+01:00 Add CVE-2021-43612/lldpd and track fixed version via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4,8 +4,12 @@ CVE-2021-43614 RESERVED CVE-2021-43613 RESERVED -CVE-2021-43612 +CVE-2021-43612 [crash in SONMP decoder] RESERVED + - lldpd 1.0.13-1 + [bullseye] - lldpd (Minor issue) + [buster] - lldpd (Minor issue) + NOTE: https://github.com/lldpd/lldpd/commit/73d42680fce8598324364dbb31b9bc3b8320adf7 (1.0.13) CVE-2021-43611 (Belledonne Belle-sip before 5.0.20 can crash applications such as Linp ...) NOT-FOR-US: Belledonne Belle-sip CVE-2021-43610 (Belledonne Belle-sip before 5.0.20 can crash applications such as Linp ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/771d4842226a3299be68ff4b6dca7688975ef81c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/771d4842226a3299be68ff4b6dca7688975ef81c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
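Review bot: The hunk annotates `[bullseye]` and `[buster]` as Minor issue but gives no `[stretch]` line, whereas the nltk entry updated in this digest carries `[stretch] - nltk (Minor issue)` alongside the other suites. If stretch (LTS) ships lldpd, add the matching `[stretch] - lldpd (Minor issue)` or an explicit not-affected annotation so the LTS view does not list it as open. Keeping `RESERVED` while recording `1.0.13-1`, the bracketed title `[crash in SONMP decoder]` and the upstream commit 73d42680 is fine; the title is what the tracker shows until the CVE is published.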
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2021-3828/nltk via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2d8645f6 by Salvatore Bonaccorso at 2021-11-13T21:05:34+01:00 Track fixed version for CVE-2021-3828/nltk via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7013,7 +7013,7 @@ CVE-2021-41587 (In Gradle Enterprise before 2021.1.3, an attacker with the abili CVE-2021-41586 (In Gradle Enterprise before 2021.1.3, an attacker with the ability to ...) NOT-FOR-US: Gradle Enterprise CVE-2021-3828 (nltk is vulnerable to Inefficient Regular Expression Complexity ...) - - nltk (bug #995226) + - nltk 3.6.5-1 (bug #995226) [bullseye] - nltk (Minor issue) [buster] - nltk (Minor issue) [stretch] - nltk (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d8645f655d789c7a41dd3800d8364c37d9955e6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d8645f655d789c7a41dd3800d8364c37d9955e6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2818-1 for ffmpeg
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 11708225 by Anton Gladky at 2021-11-13T20:45:40+01:00 Reserve DLA-2818-1 for ffmpeg - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[13 Nov 2021] DLA-2818-1 ffmpeg - security update + {CVE-2020-20445 CVE-2020-20446 CVE-2020-20451 CVE-2020-20453 CVE-2020-22037 CVE-2020-22041 CVE-2020-22044 CVE-2020-22046 CVE-2020-22048 CVE-2020-22049 CVE-2020-22054 CVE-2021-38291} + [stretch] - ffmpeg 7:3.2.16-1+deb9u1 [12 Nov 2021] DLA-2817-1 postgresql-9.6 - security update {CVE-2021-23214 CVE-2021-23222} [stretch] - postgresql-9.6 9.6.24-0+deb9u1 = data/dla-needed.txt = @@ -36,12 +36,6 @@ debian-archive-keyring exiv2 (Thorsten Alteholz) NOTE: 20211109: testing package -- -ffmpeg (Anton Gladky) - NOTE: probably wait until stuff is fixed in Buster - NOTE: 20211010: WIP https://salsa.debian.org/lts-team/packages/ffmpeg - NOTE: ffmpeg 3.2.16 has been released - NOTE: 20211101: preparing an update (gladk) --- firefox-esr (Emilio) -- firmware-nonfree View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1170822547df23d3426fd6813e07aa2ac83af5a0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1170822547df23d3426fd6813e07aa2ac83af5a0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
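Review bot: In the data/dla-needed.txt hunk the whole ffmpeg block is removed, including `NOTE: probably wait until stuff is fixed in Buster`, while the new DLA-2818-1 entry in data/DLA/list lists twelve CVEs and not CVE-2021-38171, whose CVE/list entry at this point still carries `[stretch] - ffmpeg (Wait to be fixed in buster first)`. Either include that CVE in the DLA before it is announced or leave a one-line note in dla-needed.txt saying it is deliberately deferred, so the open stretch item is not lost when the block disappears.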
[Git][security-tracker-team/security-tracker][master] dla: update busybox status
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 59745d2b by Sylvain Beucler at 2021-11-13T12:16:31+01:00 dla: update busybox status - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -22,6 +22,7 @@ busybox (Sylvain Beucler) NOTE: 2021: dos issues are low impact and could be ignored, awk issues seem NOTE: 2021: only serious if executing untrusted code, so perhaps postpone, NOTE: 2021: but double-check (pochu) + NOTE: 2023: waiting for further maintainer feedback & commit info (Beuc) -- debian-archive-keyring NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/59745d2b812a600895af49099415b8be5a631dd3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/59745d2b812a600895af49099415b8be5a631dd3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
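Review bot: The added line `NOTE: 2023: waiting for further maintainer feedback & commit info (Beuc)` carries a `2023:` prefix in a commit made on 2021-11-13, directly below notes prefixed `2021:`; this reads as a typo. Other entries in dla-needed.txt use the full-date form (`NOTE: 20211109: testing package`, `NOTE: 20211101: preparing an update (gladk)`), so `NOTE: 20211113:` would both fix the year and match that convention.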
[Git][security-tracker-team/security-tracker][master] CVE-2021-42374/busybox: precise impact
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 42249245 by Sylvain Beucler at 2021-11-13T12:10:11+01:00 CVE-2021-42374/busybox: precise impact - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4925,7 +4925,7 @@ CVE-2021-42374 - busybox (unimportant; bug #999567) [stretch] - busybox (Vulnerable code introduced later) NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/ - NOTE: Crash in CLI tool, no security impact + NOTE: Crash in CLI tool with information leak NOTE: Introduced by https://git.busybox.net/busybox/commit/?id=3989e5adf454a3ab98412b249c2c9bd2a3175ae0 (1_27_0) NOTE: https://git.busybox.net/busybox/commit/?id=04f052c56ded5ab6a904e3a264a73dc0412b2e78 CVE-2021-42373 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/42249245aebf3254147cb2ee45ab00c82e1157f2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/42249245aebf3254147cb2ee45ab00c82e1157f2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
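Review bot: The NOTE changes from `no security impact` to `with information leak`, but the rating two lines above stays `- busybox (unimportant; bug #999567)` and the stretch annotation is untouched. An information leak from a CLI tool may still merit unimportant, but since the commit title is "precise impact" the rating line should be reconsidered in the same change, or a second NOTE should record why unimportant still holds.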
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-41229/bluez
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e8263af2 by Salvatore Bonaccorso at 2021-11-13T11:02:46+01:00 Add CVE-2021-41229/bluez - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7831,7 +7831,10 @@ CVE-2021-41231 CVE-2021-41230 (Pomerium is an open source identity-aware access proxy. In affected ve ...) NOT-FOR-US: Pomerium CVE-2021-41229 (BlueZ is a Bluetooth protocol stack for Linux. In affected versions a ...) - TODO: check + - bluez + [bullseye] - bluez (Minor issue) + [buster] - bluez (Minor issue) + NOTE: https://github.com/bluez/bluez/security/advisories/GHSA-3fqg-r8j5-f5xq CVE-2021-41228 (TensorFlow is an open source platform for machine learning. In affecte ...) - tensorflow (bug #804612) CVE-2021-41227 (TensorFlow is an open source platform for machine learning. In affecte ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8263af2a93a3a983be3b854d464a53bd3ef5896 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8263af2a93a3a983be3b854d464a53bd3ef5896 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
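Review bot: The hunk adds `- bluez` without a fixed unstable version, unlike the lldpd (`1.0.13-1`) and nltk (`3.6.5-1`) entries updated in this digest, and the only reference is the GHSA advisory. If the advisory names the fixed release or commit, record it in a NOTE now and on the `- bluez` line once it reaches unstable, so the Minor-issue annotations for bullseye and buster can later be closed against a known version rather than re-researched.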
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-4333{1,2}/mailman
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9f3e3e08 by Salvatore Bonaccorso at 2021-11-13T09:46:50+01:00 Add CVE-2021-4333{1,2}/mailman - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -701,9 +701,15 @@ CVE-2021-43334 CVE-2021-4 RESERVED CVE-2021-43332 (In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py ad ...) - TODO: check + - mailman + [buster] - mailman (Minor issue) + NOTE: https://mail.python.org/archives/list/mailman-annou...@python.org/message/I2X7PSFXIEPLM3UMKZMGOEO3UFYETGRL/ + NOTE: https://bugs.launchpad.net/mailman/+bug/1949403 CVE-2021-43331 (In GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user ...) - TODO: check + - mailman + [buster] - mailman (Minor issue) + NOTE: https://mail.python.org/archives/list/mailman-annou...@python.org/message/I2X7PSFXIEPLM3UMKZMGOEO3UFYETGRL/ + NOTE: https://bugs.launchpad.net/mailman/+bug/1949401 CVE-2021-43330 RESERVED CVE-2021-43329 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f3e3e08af130a27252a38f9e84fe1b6a6bdfb07 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f3e3e08af130a27252a38f9e84fe1b6a6bdfb07 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
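Review bot: Both CVE-2021-43332 and CVE-2021-43331 get `[buster] - mailman (Minor issue)` but no `[bullseye]` line, while the bluez and lldpd entries in this digest annotate both suites. If bullseye does not ship the affected 2.1.x mailman, an explicit not-affected annotation would say so; if it does, a bullseye line is missing. Separately, the NOTE URLs show the list address as `mailman-annou...@python.org`, which looks like address obfuscation by the mailing-list archive rather than the committed text; verify the committed lines hold the full address so the links resolve.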
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2761e697 by Salvatore Bonaccorso at 2021-11-13T09:28:18+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7,9 +7,9 @@ CVE-2021-43613 CVE-2021-43612 RESERVED CVE-2021-43611 (Belledonne Belle-sip before 5.0.20 can crash applications such as Linp ...) - TODO: check + NOT-FOR-US: Belledonne Belle-sip CVE-2021-43610 (Belledonne Belle-sip before 5.0.20 can crash applications such as Linp ...) - TODO: check + NOT-FOR-US: Belledonne Belle-sip CVE-2021-43609 RESERVED CVE-2021-43608 @@ -3451,7 +3451,7 @@ CVE-2021-42565 (myfactory.FMS before 7.1-912 allows XSS via the UID parameter. . CVE-2021-42564 RESERVED CVE-2021-42563 (There is an Unquoted Service Path in NI Service Locator (nisvcloc.exe) ...) - TODO: check + NOT-FOR-US: NI Service Locator CVE-2021-3893 RESERVED CVE-2021-42562 @@ -6433,7 +6433,7 @@ CVE-2021-41830 (It is possible for an attacker to manipulate signed documents an CVE-2021-3844 RESERVED CVE-2021-3843 (A potential vulnerability in the SMI function to access EEPROM in some ...) - TODO: check + NOT-FOR-US: Lenovo CVE-2021-3842 RESERVED CVE-2021-3841 @@ -6538,7 +6538,7 @@ CVE-2021-41789 CVE-2021-41788 RESERVED CVE-2021-3840 (A dependency confusion vulnerability was reported in the Antilles open ...) - TODO: check + NOT-FOR-US: Antilles CVE-2021-41787 RESERVED CVE-2021-41786 
@@ -8792,21 +8792,21 @@ CVE-2021-40820 CVE-2021-40819 RESERVED CVE-2021-3793 (An improper access control vulnerability was reported in some Motorola ...) - TODO: check + NOT-FOR-US: Binatone CVE-2021-3792 (Some device communications in some Motorola-branded Binatone Hubble Ca ...) - TODO: check + NOT-FOR-US: Binatone CVE-2021-3791 (An information disclosure vulnerability was reported in some Motorola- ...) - TODO: check + NOT-FOR-US: Binatone CVE-2021-3790 (A buffer overflow was reported in the local web server of some Motorol ...) - TODO: check + NOT-FOR-US: Binatone CVE-2021-3789 (An information disclosure vulnerability was reported in some Motorola- ...) - TODO: check + NOT-FOR-US: Binatone CVE-2021-3788 (An exposed debug interface was reported in some Motorola-branded Binat ...) - TODO: check + NOT-FOR-US: Binatone CVE-2021-3787 (A vulnerability was reported in some Motorola-branded Binatone Hubble ...) - TODO: check + NOT-FOR-US: Binatone CVE-2021-3786 (A potential vulnerability in the SMI callback function used in CSME co ...) - TODO: check + NOT-FOR-US: Lenovo CVE-2021-3785 (yourls is vulnerable to Improper Neutralization of Input During Web Pa ...) NOT-FOR-US: yourls CVE-2021-3784 @@ -12384,11 +12384,11 @@ CVE-2021-3722 CVE-2021-3721 RESERVED CVE-2021-3720 (An information disclosure vulnerability was reported in the Time Weath ...) - TODO: check + NOT-FOR-US: Lenovo CVE-2021-3719 (A potential vulnerability in the SMI callback function that saves and ...) - TODO: check + NOT-FOR-US: Lenovo CVE-2021-3718 (A denial of service vulnerability was reported in some ThinkPad models ...) - TODO: check + NOT-FOR-US: Lenovo CVE-2021-39291 (Certain NetModule devices allow credentials via GET parameters to CLI- ...) NOT-FOR-US: NetModule devices CVE-2021-39290 (Certain NetModule devices allow Limited Session Fixation via PHPSESSID ...) 
@@ -13849,7 +13849,7 @@ CVE-2021-38686 CVE-2021-38685 RESERVED CVE-2021-38684 (A stack buffer overflow vulnerability has been reported to affect QNAP ...) - TODO: check + NOT-FOR-US: QNAP CVE-2021-38683 RESERVED CVE-2021-38682 @@ -19575,11 +19575,11 @@ CVE-2021-36327 CVE-2021-36326 RESERVED CVE-2021-36325 (Dell BIOS contains an improper input validation vulnerability. A local ...) - TODO: check + NOT-FOR-US: Dell CVE-2021-36324 (Dell BIOS contains an improper input validation vulnerability. A local ...) - TODO: check + NOT-FOR-US: Dell CVE-2021-36323 (Dell BIOS contains an improper input validation vulnerability. A local ...) - TODO: check + NOT-FOR-US: Dell CVE-2021-36322 RESERVED CVE-2021-36321 @@ -19615,7 +19615,7 @@ CVE-2021-36307 CVE-2021-36306 RESERVED CVE-2021-36305 (Dell PowerScale OneFS contains an Unsynchronized Access to Shared Data ...) - TODO: check + NOT-FOR-US: Dell CVE-2021-36304 RESERVED CVE-2021-36303 @@ -23470,7 +23470,7 @@ CVE-2021-3600 NOTE: https://git.kernel.org/linus/e88b2c6e5a4d9ce30d75391e4d950da74bb2bd90 NOTE: https://www.openwall.com/lists/oss-security/2021/06/23/1
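Review bot: Tagging is mostly consistent (Binatone, Lenovo, Dell, QNAP), but in the `@@ -19615,7 +19615,7 @@` hunk CVE-2021-36305 (Dell PowerScale OneFS) becomes `NOT-FOR-US: Dell`, whereas commit 88a4ed1d earlier the same morning tags the Dell EMC PowerScale entries `NOT-FOR-US: EMC`. Pick one vendor string for the PowerScale product line so a search for either form finds all of them.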
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 88a4ed1d by Salvatore Bonaccorso at 2021-11-13T09:17:04+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12378,7 +12378,7 @@ CVE-2021-39293 CVE-2021-39292 RESERVED CVE-2021-3723 (A command injection vulnerability was reported in the Integrated Manag ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-3722 RESERVED CVE-2021-3721 @@ -19595,7 +19595,7 @@ CVE-2021-36317 CVE-2021-36316 RESERVED CVE-2021-36315 (Dell EMC PowerScale Nodes contain a hardware design flaw. This may all ...) - TODO: check + NOT-FOR-US: EMC CVE-2021-36314 RESERVED CVE-2021-36313 @@ -55920,7 +55920,7 @@ CVE-2021-21530 (Dell OpenManage Enterprise-Modular (OME-M) versions prior to 1.3 CVE-2021-21529 (Dell System Update (DSU) 1.9 and earlier versions contain a denial of ...) NOT-FOR-US: Dell System Update (DSU) CVE-2021-21528 (Dell EMC PowerScale OneFS versions 9.1.0, 9.2.0.x, 9.2.1.x contain an ...) - TODO: check + NOT-FOR-US: EMC CVE-2021-21527 (Dell PowerScale OneFS 8.1.0-9.1.0 contain an improper neutralization o ...) NOT-FOR-US: Dell CVE-2021-21526 (Dell PowerScale OneFS 8.1.0 - 9.1.0 contains a privilege escalation in ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/88a4ed1d6f9ff5dba9d1635322f4127b7621de65 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/88a4ed1d6f9ff5dba9d1635322f4127b7621de65 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
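Review bot: In the `@@ -55920,7 +55920,7 @@` hunk CVE-2021-21528 (Dell EMC PowerScale OneFS) is tagged `NOT-FOR-US: EMC`, while the adjacent context line tags CVE-2021-21527 (Dell PowerScale OneFS) as `NOT-FOR-US: Dell`; the `@@ -19595,7 +19595,7 @@` hunk for CVE-2021-36315 uses `EMC` as well. Use one vendor string for the PowerScale entries, probably `Dell` to match the surrounding lines.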
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cf217137 by security tracker role at 2021-11-13T08:10:11+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,81 @@ +CVE-2021-43615 + RESERVED +CVE-2021-43614 + RESERVED +CVE-2021-43613 + RESERVED +CVE-2021-43612 + RESERVED +CVE-2021-43611 (Belledonne Belle-sip before 5.0.20 can crash applications such as Linp ...) + TODO: check +CVE-2021-43610 (Belledonne Belle-sip before 5.0.20 can crash applications such as Linp ...) + TODO: check +CVE-2021-43609 + RESERVED +CVE-2021-43608 + RESERVED +CVE-2021-43607 + RESERVED +CVE-2021-43606 + RESERVED +CVE-2021-43605 + RESERVED +CVE-2021-43604 + RESERVED +CVE-2021-43603 + RESERVED +CVE-2021-43602 + RESERVED +CVE-2021-43601 + RESERVED +CVE-2021-43600 + RESERVED +CVE-2021-43599 + RESERVED +CVE-2021-43598 + RESERVED +CVE-2021-43597 + RESERVED +CVE-2021-43596 + RESERVED +CVE-2021-43595 + RESERVED +CVE-2021-43594 + RESERVED +CVE-2021-43593 + RESERVED +CVE-2021-43592 + RESERVED +CVE-2021-43591 + RESERVED +CVE-2021-43590 + RESERVED +CVE-2021-43589 + RESERVED +CVE-2021-43588 + RESERVED +CVE-2021-43587 + RESERVED +CVE-2021-43586 + RESERVED +CVE-2021-43585 + RESERVED +CVE-2021-43584 + RESERVED +CVE-2021-43583 + RESERVED +CVE-2021-3956 + RESERVED +CVE-2021-3955 + RESERVED +CVE-2021-3954 + RESERVED +CVE-2021-3953 + RESERVED +CVE-2021-3952 + RESERVED +CVE-2021-3951 + RESERVED CVE-2021-43582 RESERVED CVE-2021-43581 @@ -622,10 +700,10 @@ CVE-2021-43334 RESERVED CVE-2021-4 RESERVED -CVE-2021-43332 - RESERVED -CVE-2021-43331 - RESERVED +CVE-2021-43332 (In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py ad ...) + TODO: check +CVE-2021-43331 (In GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user ...) + TODO: check CVE-2021-43330 RESERVED CVE-2021-43329 
@@ -3372,8 +3450,8 @@ CVE-2021-42565 (myfactory.FMS before 7.1-912 allows XSS via the UID parameter. . NOT-FOR-US: myfactory.FMS CVE-2021-42564 RESERVED -CVE-2021-42563 - RESERVED +CVE-2021-42563 (There is an Unquoted Service Path in NI Service Locator (nisvcloc.exe) ...) + TODO: check CVE-2021-3893 RESERVED CVE-2021-42562 @@ -6354,8 +6432,8 @@ CVE-2021-41830 (It is possible for an attacker to manipulate signed documents an NOT-FOR-US: Apache OpenOffice CVE-2021-3844 RESERVED -CVE-2021-3843 - RESERVED +CVE-2021-3843 (A potential vulnerability in the SMI function to access EEPROM in some ...) + TODO: check CVE-2021-3842 RESERVED CVE-2021-3841 @@ -6459,8 +6537,8 @@ CVE-2021-41789 RESERVED CVE-2021-41788 RESERVED -CVE-2021-3840 - RESERVED +CVE-2021-3840 (A dependency confusion vulnerability was reported in the Antilles open ...) + TODO: check CVE-2021-41787 RESERVED CVE-2021-41786 @@ -7746,8 +7824,8 @@ CVE-2021-41231 RESERVED CVE-2021-41230 (Pomerium is an open source identity-aware access proxy. In affected ve ...) NOT-FOR-US: Pomerium -CVE-2021-41229 - RESERVED +CVE-2021-41229 (BlueZ is a Bluetooth protocol stack for Linux. In affected versions a ...) + TODO: check CVE-2021-41228 (TensorFlow is an open source platform for machine learning. In affecte ...) - tensorflow (bug #804612) CVE-2021-41227 (TensorFlow is an open source platform for machine learning. In affecte ...) 
@@ -8713,22 +8791,22 @@ CVE-2021-40820 RESERVED CVE-2021-40819 RESERVED -CVE-2021-3793 - RESERVED -CVE-2021-3792 - RESERVED -CVE-2021-3791 - RESERVED -CVE-2021-3790 - RESERVED -CVE-2021-3789 - RESERVED -CVE-2021-3788 - RESERVED -CVE-2021-3787 - RESERVED -CVE-2021-3786 - RESERVED +CVE-2021-3793 (An improper access control vulnerability was reported in some Motorola ...) + TODO: check +CVE-2021-3792 (Some device communications in some Motorola-branded Binatone Hubble Ca ...) + TODO: check +CVE-2021-3791 (An information disclosure vulnerability was reported in some Motorola- ...) + TODO: check +CVE-2021-3790 (A buffer overflow was reported in the local web server of some Motorol ...) + TODO: check +CVE-2021-3789 (An information disclosure vulnerability was reported in some Motorola- ...) + TODO: check +CVE-2021-3788 (An exposed debug interface was reported in some Motorola-branded Binat ...) + TODO: check +CVE-2021-3787 (A vulnerability was reported in some Motorola-branded Binatone Hubble ...) + TODO: check +CVE-2021-3786 (A potential
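Review bot: In the `@@ -622,10 +700,10 @@` hunk the context line `CVE-2021-4` followed by `RESERVED` sits between CVE-2021-43334 and CVE-2021-43332 and is not a well-formed CVE id; the same line appears as context in commit 9f3e3e08. If it really is in data/CVE/list rather than a truncation in this rendering, the sequence suggests CVE-2021-43333, and the automatic updater may be unable to match it against upstream data. Worth a manual check of that line in the file.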