[Git][security-tracker-team/security-tracker][master] 3 commits: follow security team and mark CVE-2021-37620 as ignored
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: fd58dbe7 by Thorsten Alteholz at 2021-11-21T23:35:07+01:00 follow security team and mark CVE-2021-37620 as ignored - - - - - 0c88fae0 by Thorsten Alteholz at 2021-11-21T23:37:26+01:00 mark CVE-2021-34334 as no-dsa for Stretch - - - - - df8498d3 by Thorsten Alteholz at 2021-11-21T23:41:24+01:00 nothing todo - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -18742,6 +18742,7 @@ CVE-2021-37620 (Exiv2 is a command-line utility and C++ library for reading, wri - exiv2 [bullseye] - exiv2 (Minor issue) [buster] - exiv2 (Minor issue) + [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-v5g7-46xf-h728 NOTE: https://github.com/Exiv2/exiv2/pull/1769 CVE-2021-37619 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) @@ -26457,6 +26458,7 @@ CVE-2021-34335 (Exiv2 is a command-line utility and C++ library for reading, wri NOTE: https://github.com/Exiv2/exiv2/pull/1750 CVE-2021-34334 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - exiv2 (bug #992706) + [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-hqjh-hpv8-8r9p NOTE: https://github.com/Exiv2/exiv2/pull/1766 CVE-2021-34333 (A vulnerability has been identified in JT2Go (All versions V13.2) ...) = data/dla-needed.txt = @@ -27,9 +27,6 @@ debian-archive-keyring NOTE: 20211018: Jonathan is prepping the branch; will work NOTE: 20211018: with him and upload and publish the DLA. (utkarsh) -- -exiv2 (Thorsten Alteholz) - NOTE: 20211109: testing package --- firefox-esr (Emilio) NOTE: 2026: blocked on toolchain backports (pochu) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6a5905630de347de72873c2070b8c532e89d5b3d...df8498d3771f53dc94bf2998b2d04fe333d227d3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6a5905630de347de72873c2070b8c532e89d5b3d...df8498d3771f53dc94bf2998b2d04fe333d227d3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] For now drop source for mariadb-10.6 from CVE-2021-35604 listing
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6a590563 by Salvatore Bonaccorso at 2021-11-21T22:22:03+01:00 For now drop source for mariadb-10.6 from CVE-2021-35604 listing - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23442,7 +23442,6 @@ CVE-2021-35606 (Vulnerability in the PeopleSoft Enterprise CS Campus Community p CVE-2021-35605 RESERVED CVE-2021-35604 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mariadb-10.6 - mariadb-10.5 [bullseye] - mariadb-10.5 (Minor issue) - mariadb-10.3 @@ -23450,6 +23449,7 @@ CVE-2021-35604 (Vulnerability in the MySQL Server product of Oracle MySQL (compo - mysql-8.0 - mysql-5.7 NOTE: Fixed in MariaDB: 10.5.13, 10.3.32 + TODO: clarify MariaDB 10.6 status CVE-2021-35603 (Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition produc ...) {DSA-5000-1 DLA-2814-1} - openjdk-17 17.0.1+12-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6a5905630de347de72873c2070b8c532e89d5b3d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6a5905630de347de72873c2070b8c532e89d5b3d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track mariadb proposed updates via {bullseye,buster}-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 014cf15e by Salvatore Bonaccorso at 2021-11-21T22:20:54+01:00 Track mariadb proposed updates via {bullseye,buster}-pu - - - - - 2 changed files: - data/next-oldstable-point-update.txt - data/next-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -86,3 +86,5 @@ CVE-2019-1010317 [buster] - wavpack 5.1.0-6+deb10u1 CVE-2019-1010319 [buster] - wavpack 5.1.0-6+deb10u1 +CVE-2021-35604 + [buster] - mariadb-10.3 1:10.3.32-0+deb10u1 = data/next-point-update.txt = @@ -32,3 +32,5 @@ CVE-2021-40985 [bullseye] - htmldoc 1.9.11-4+deb11u1 CVE-2021-43579 [bullseye] - htmldoc 1.9.11-4+deb11u1 +CVE-2021-35604 + [bullseye] - mariadb-10.5 1:10.5.13-0+deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/014cf15e463793882d972d4b3b9952b454e06faf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/014cf15e463793882d972d4b3b9952b454e06faf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track mariadb sources for CVE-2021-35604
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b57b6109 by Salvatore Bonaccorso at 2021-11-21T22:19:23+01:00 Track mariadb sources for CVE-2021-35604 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23442,8 +23442,14 @@ CVE-2021-35606 (Vulnerability in the PeopleSoft Enterprise CS Campus Community p CVE-2021-35605 RESERVED CVE-2021-35604 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mariadb-10.6 + - mariadb-10.5 + [bullseye] - mariadb-10.5 (Minor issue) + - mariadb-10.3 + [buster] - mariadb-10.3 (Minor issue) - mysql-8.0 - mysql-5.7 + NOTE: Fixed in MariaDB: 10.5.13, 10.3.32 CVE-2021-35603 (Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition produc ...) {DSA-5000-1 DLA-2814-1} - openjdk-17 17.0.1+12-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b57b61095cd5e581df53a5bdabdd40a7513cf50f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b57b61095cd5e581df53a5bdabdd40a7513cf50f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: Status update
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 803cf5ce by Anton Gladky at 2021-11-21T21:45:27+01:00 LTS: Status update - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -38,9 +38,10 @@ firmware-nonfree (Markus Koschany) NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag -- gerbv (Anton) - NOTE: 20210711: The fix has only one-line! But... be sure that the fix will help. (Anton) - NOTE: 20210711: Please take the package if you can reproduce the issue with valgrind/AddressSanitizer/Leaksanitizer (Anton) - NOTE: 20210711: The simple fix will unlikely help. (Anton) + NOTE: 20211107: The fix has only one-line! But... be sure that the fix will help. (Anton) + NOTE: 20211107: Please take the package if you can reproduce the issue with valgrind/AddressSanitizer/Leaksanitizer (Anton) + NOTE: 20211107: The simple fix will unlikely help. (Anton) + NOTE: 20211121: Still needs to be investigated with extra-tool. (Anton) -- gmp (Anton) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/803cf5ce7671144a41f12f31e44ebce2d62dcdef -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/803cf5ce7671144a41f12f31e44ebce2d62dcdef You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2021-39358/gfbgraph via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7d45df0e by Salvatore Bonaccorso at 2021-11-21T21:16:03+01:00 Track fixed version for CVE-2021-39358/gfbgraph via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14339,7 +14339,7 @@ CVE-2021-39359 (In GNOME libgda through 6.0.0, gda-web-provider.c does not enabl NOTE: https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-soupsessionsync-and-soupsessionasync-default-to-no-tls-certificate-verification/ NOTE: https://gitlab.gnome.org/GNOME/libgda/-/issues/249 CVE-2021-39358 (In GNOME libgfbgraph through 0.2.4, gfbgraph-photo.c does not enable T ...) - - gfbgraph (bug #993537) + - gfbgraph 0.2.5-1 (bug #993537) [bullseye] - gfbgraph (Minor issue) [buster] - gfbgraph (Minor issue) [stretch] - gfbgraph (Minor issue, revisit when/if fixed upstream) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7d45df0ea4deb5aee786eb215b8bd1ffd00c7170 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7d45df0ea4deb5aee786eb215b8bd1ffd00c7170 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2021-3701/ansible-runner via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1bb1b2d6 by Salvatore Bonaccorso at 2021-11-21T21:15:08+01:00 Track fixed version for CVE-2021-3701/ansible-runner via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16276,7 +16276,7 @@ CVE-2021-3702 NOTE: Introduced in https://github.com/ansible/ansible-runner/commit/93e95a3df9021a38010386d07df121392d249253 CVE-2021-3701 RESERVED - - ansible-runner + - ansible-runner 2.1.1-1 NOTE: https://github.com/ansible/ansible-runner/issues/738 NOTE: https://github.com/ansible/ansible-runner/pull/742/commits/60b059f00409224acae1e417153a241c8591ad89 CVE-2021-3700 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1bb1b2d6b6230a017a421150bbfcfb6b9f6a5f28 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1bb1b2d6b6230a017a421150bbfcfb6b9f6a5f28 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0a756eb5 by security tracker role at 2021-11-21T20:10:15+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,5 @@ +CVE-2021-3992 + RESERVED CVE-2021-44078 RESERVED CVE-2021-44077 @@ -40780,8 +40782,7 @@ CVE-2021-28712 RESERVED CVE-2021-28711 RESERVED -CVE-2021-28710 [certain VT-d IOMMUs may not work in shared page table mode] - RESERVED +CVE-2021-28710 (certain VT-d IOMMUs may not work in shared page table mode For efficie ...) - xen (Only affects 4.15 series) NOTE: https://www.openwall.com/lists/oss-security/2021/11/19/9 NOTE: https://xenbits.xen.org/xsa/advisory-390.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a756eb5b2c87ccc9783fd8a2417e085b285fde9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a756eb5b2c87ccc9783fd8a2417e085b285fde9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Postpone CVE-2021-42917 for stretch
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: a5ffd413 by Adrian Bunk at 2021-11-21T21:22:14+02:00 Postpone CVE-2021-42917 for stretch - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -4767,6 +4767,7 @@ CVE-2021-42917 (Buffer overflow vulnerability in Kodi xbmc up to 19.0, allows at - kodi 2:19.3+dfsg1-1 (bug #998419) [bullseye] - kodi (Minor issue) [buster] - kodi (Minor issue) + [stretch] - kodi (no point in fixing this when the more severe CVE-2017-5982 is ignored) - xbmc NOTE: https://github.com/xbmc/xbmc/commit/80c8138c09598e88b4ddb6dbb279fa193bbb3237 NOTE: https://github.com/xbmc/xbmc/issues/20305 = data/dla-needed.txt = @@ -48,8 +48,6 @@ gpac (Roberto C. Sánchez) NOTE: 20211101: coordinating with secteam for s-p-u since stretch/buster versions match (roberto) NOTE: 20211120: received OK from secteam for buster update, working on stretch/buster in parallel (roberto) -- -kodi (Adrian Bunk) --- libgit2 (Utkarsh) NOTE: 20211029: CVE-2018-10887/CVE-2018-10888/CVE-2018-15501 were fixed NOTE: 20211029: for jessie in DLA-1477-1 and should also be fixed in stretch View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5ffd41309bff2d509ef6bb600a2032a360f8fa5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5ffd41309bff2d509ef6bb600a2032a360f8fa5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits