[Git][security-tracker-team/security-tracker][master] dla-needed.txt: Claim filezilla
Andreas Rönnquist pushed to branch master at Debian Security Tracker / security-tracker Commits: 0f7f1ad1 by Andreas Rönnquist at 2022-05-23T23:53:56+02:00 dla-needed.txt: Claim filezilla - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -61,7 +61,7 @@ exempi NOTE: 20220517: A lot of packages reverse depends on libexmpi8. Further analysis NOTE: 20220517: is needed. -- -filezilla +filezilla (Andreas Rönnquist) NOTE: 20220523: Harmonize with Debian 10.4 (1 CVE) (Beuc/front-desk) -- firefox-esr (Emilio) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0f7f1ad10334c85687488b2a995fe9781e05ce49 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0f7f1ad10334c85687488b2a995fe9781e05ce49 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
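Review bot: The claim only appends `(Andreas Rönnquist)` to the package line and leaves the existing front-desk NOTE as the sole dated entry; since claims in this file are released semi-automatically after two weeks without activity, add a dated line such as `NOTE: 20220523: claimed, starting on buster 10.4 harmonization` so the next unclaim sweep (and the next reader) can tell when work actually started rather than inferring it from git history.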
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: d81c0d46 by Anton Gladky at 2022-05-23T23:01:19+02:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Anton Gladky gl...@debian.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -95,7 +95,7 @@ icingaweb2 (Abhijith PA) NOTE: 20220522: Pinged upstream for missing patches. Will write an detail NOTE: 20220522: email about situation (abhijith) -- -intel-microcode (Stefano Rivera) +intel-microcode NOTE: 20220213: please recheck -- irssi @@ -188,7 +188,7 @@ puppet-module-puppetlabs-firewall redis NOTE: 20220510: Chris Lamb is the maintainer. Programming language C. (apo) -- -ring (Abhijith PA) +ring NOTE: 20220314: https://people.debian.org/~abhijith/upload/vda/ring_20161221.2.7bd7d91~dfsg1-1+deb9u2.dsc NOTE: 20220404: package in archive is faulty. New regs can't be done due (abhijith) NOTE: 20220404: a network error (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d81c0d46289469c1403e0725ead82070d01035db
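Review bot: Neither unclaimed entry gets a dated NOTE recording the unclaim, so the next reader of intel-microcode sees only `NOTE: 20220213: please recheck` and of ring only the previous claimant's notes, with nothing saying the package was released after two weeks of inactivity; add a line such as `NOTE: 20220523: unclaimed after 2 weeks of inactivity` to each, and for ring state whether the 20220314 .dsc under people.debian.org/~abhijith is still the starting point for whoever picks it up next, since the 20220404 notes describe the archive package as faulty.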
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-4258{5,6}/libredwg
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5c9d6b35 by Salvatore Bonaccorso at 2022-05-23T22:36:29+02:00 Add CVE-2021-4258{5,6}/libredwg - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -41004,9 +41004,9 @@ CVE-2021-42588 CVE-2021-42587 RESERVED CVE-2021-42586 (A heap buffer overflow was discovered in copy_bytes in decode_r2007.c ...) - TODO: check + - libredwg (bug #595191) CVE-2021-42585 (A heap buffer overflow was discovered in copy_compressed_bytes in deco ...) - TODO: check + - libredwg (bug #595191) CVE-2021-42584 (A Stored Cross Site Scripting (XSS) issue exists in Convos-Chat before ...) NOT-FOR-US: Convos-Chat CVE-2021-42583 (A Broken or Risky Cryptographic Algorithm exists in Max Mazurov Maddy ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5c9d6b35ed10f38cd0b876784f125b5abd3d7928
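Review bot: Both CVE-2021-42586 and CVE-2021-42585 are pointed at the same `(bug #595191)`, which reads as a package-level bug (an ITP/RFP for libredwg) rather than two CVE-specific reports; if libredwg is not in the archive, the entries should carry the tracker's `<itp>` marker next to the bug reference so these two heap overflows are not listed as unfixed in released suites, and if a per-CVE bug was intended the second entry needs its own number.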
[Git][security-tracker-team/security-tracker][master] Process some more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0517d408 by Salvatore Bonaccorso at 2022-05-23T22:35:54+02:00 Process some more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6833,9 +6833,9 @@ CVE-2022-29007 (Multiple SQL injection vulnerabilities via the username and pass CVE-2022-29006 (Multiple SQL injection vulnerabilities via the username and password p ...) NOT-FOR-US: Directory Management System CVE-2022-29005 (Multiple cross-site scripting (XSS) vulnerabilities in the component / ...) - TODO: check + NOT-FOR-US: Online Birth Certificate System CVE-2022-29004 (Diary Management System v1.0 was discovered to contain a cross-site sc ...) - TODO: check + NOT-FOR-US: Diary Management System CVE-2022-29003 RESERVED CVE-2022-29002 @@ -6847,9 +6847,9 @@ CVE-2022-29000 CVE-2022-28999 RESERVED CVE-2022-28998 (Xlight FTP v3.9.3.2 was discovered to contain a stack-based buffer ove ...) - TODO: check + NOT-FOR-US: Xlight FTP CVE-2022-28997 (CSZCMS v1.3.0 allows attackers to execute a Server-Side Request Forger ...) - TODO: check + NOT-FOR-US: CSZCMS CVE-2022-28996 RESERVED CVE-2022-28995 (Rengine v1.0.2 was discovered to contain a remote code execution (RCE) ...) @@ -6996,7 +6996,7 @@ CVE-2022-28934 CVE-2022-28933 RESERVED CVE-2022-28932 (D-Link DSL-G2452DG HW:T1\\tFW:ME_2.00 was discovered to contain insecu ...) - TODO: check + NOT-FOR-US: D-Link CVE-2022-28931 RESERVED CVE-2022-28930 (ERP-Pro v3.7.5 was discovered to contain a SQL injection vulnerability ...) @@ -7140,7 +7140,7 @@ CVE-2022-28876 CVE-2022-28875 RESERVED CVE-2022-28874 (Multiple Denial-of-Service vulnerabilities was discovered in the F-Sec ...) - TODO: check + NOT-FOR-US: F-Secure CVE-2022-28873 (A vulnerability affecting F-Secure SAFE browser was discovered. An att ...) NOT-FOR-US: F-Secure CVE-2022-28872 (A vulnerability affecting F-Secure SAFE browser was discovered. A mali ...) 
@@ -41099,7 +41099,7 @@ CVE-2021-23225 (Cacti 1.1.38 allows authenticated users with User Management per CVE-2022-0005 (Sensitive information accessible by physical probing of JTAG interface ...) NOT-FOR-US: Intel CVE-2022-0004 (Hardware debug modes and processor INIT setting that allow override of ...) - TODO: check + NOT-FOR-US: Intel CVE-2022-0003 RESERVED CVE-2022-0002 (Non-transparent sharing of branch predictor within a context in some I ...) @@ -43130,7 +43130,7 @@ CVE-2021-42235 (SQL injection in osTicket before 1.14.8 and 1.15.4 login and pas CVE-2021-42234 RESERVED CVE-2021-42233 (The Simple Blog plugin in Wondercms 3.4.1 is vulnerable to stored cros ...) - TODO: check + NOT-FOR-US: Simple Blog plugin in Wondercms CVE-2021-42232 RESERVED CVE-2021-42231 @@ -66121,7 +66121,7 @@ CVE-2021-32943 (The affected product is vulnerable to a stack-based buffer overf CVE-2021-32942 (The vulnerability could expose cleartext credentials from AVEVA InTouc ...) NOT-FOR-US: AVEVA InTouch Runtime CVE-2021-32941 (Annke N48PBB (Network Video Recorder) products of version 3.4.106 buil ...) - TODO: check + NOT-FOR-US: Annke N48PBB (Network Video Recorder) products CVE-2021-32940 (An out-of-bounds read issue exists in the DWG file-recovering procedur ...) NOT-FOR-US: Open Design Alliance CVE-2021-32939 (FATEK Automation FvDesigner, Versions 1.5.88 and prior is vulnerable t ...) 
@@ -66133,7 +66133,7 @@ CVE-2021-32937 (An attacker can gain knowledge of a session temporary working fo CVE-2021-32936 (An out-of-bounds write issue exists in the DXF file-recovering procedu ...) NOT-FOR-US: Open Design Alliance CVE-2021-32935 (The affected Cognex product, the In-Sight OPC Server versions v5.7.4 ( ...) - TODO: check + NOT-FOR-US: Cognex CVE-2021-32934 (The affected ThroughTek P2P products (SDKs using versions before 3.1.5 ...) NOT-FOR-US: ThroughTek P2P SDK CVE-2021-32933 (An attacker could leverage an API to pass along a malicious file that ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0517d4088e40bc80aee9da9c2249ae5029f5192e
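Review bot: CVE-2022-0004 is closed as `NOT-FOR-US: Intel` like the adjacent CVE-2022-0005, but its description ("Hardware debug modes and processor INIT setting that allow override of locks") is the kind of issue Intel sometimes mitigates through a microcode update, and intel-microcode is a packaged source (it appears in dla-needed.txt in this same batch); confirm the Intel advisory ships no microcode component before settling on NOT-FOR-US. The other NFUs in this batch (the PHP web apps, D-Link firmware, F-Secure, Xlight FTP, CSZCMS, the Wondercms plugin, the Annke NVR and Cognex) are consistent with the surrounding entries.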
[Git][security-tracker-team/security-tracker][master] Drop notes for CVE-2022-1588 (was incorrectly assigned)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c1e1a7c1 by Salvatore Bonaccorso at 2022-05-23T22:26:43+02:00 Drop notes for CVE-2022-1588 (was incorrectly assigned) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3163,7 +3163,6 @@ CVE-2022-30260 RESERVED CVE-2022-1588 REJECTED - NOT-FOR-US: Contao CVE-2022-1587 (An out-of-bounds read vulnerability was discovered in the PCRE2 librar ...) - pcre2 10.40-1 NOTE: https://github.com/PCRE2Project/pcre2/commit/03654e751e7f0700693526b67dfcadda6b42c9d0 (pcre2-10.40) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1e1a7c1d403cfd9deb2416c36b4037c0ef06981
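Review bot: Dropping `NOT-FOR-US: Contao` under a REJECTED entry is correct, but the reason given in the commit message ("was incorrectly assigned") is not recorded in the file itself; a `NOTE:` pointing at the CVE ID that replaced CVE-2022-1588, if one was assigned, would spare the next person who meets the REJECTED marker a trip to the CVE record.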
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 69cf35a1 by Salvatore Bonaccorso at 2022-05-23T22:24:43+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,9 +5,9 @@ CVE-2022-31469 CVE-2022-31468 RESERVED CVE-2022-31467 (Quick Heal Total Security before 12.1.1.27 allows DLL hijacking during ...) - TODO: check + NOT-FOR-US: Quick Heal Total Security CVE-2022-31466 (Quick Heal Total Security before 12.1.1.27 has a TOCTOU race condition ...) - TODO: check + NOT-FOR-US: Quick Heal Total Security CVE-2022-31465 RESERVED CVE-2022-31464 @@ -447,9 +447,9 @@ CVE-2022-1819 CVE-2022-1818 RESERVED CVE-2022-1817 (A vulnerability, which was classified as problematic, was found in Bad ...) - TODO: check + NOT-FOR-US: Badminton Center Management System CVE-2022-1816 (A vulnerability, which was classified as problematic, has been found i ...) - TODO: check + NOT-FOR-US: Zoo Management System CVE-2022-1815 RESERVED CVE-2022-1814 @@ -465,9 +465,9 @@ CVE-2022-1813 (OS Command Injection in GitHub repository yogeshojha/rengine prio CVE-2022-1812 RESERVED CVE-2022-1811 (Unrestricted Upload of File with Dangerous Type in GitHub repository p ...) - TODO: check + NOT-FOR-US: Publify CVE-2022-1810 (Improper Access Control in GitHub repository publify/publify prior to ...) - TODO: check + NOT-FOR-US: Publify CVE-2022-31269 RESERVED CVE-2022-31268 (A Path Traversal vulnerability in Gitblit 1.9.3 can lead to reading we ...) 
@@ -3798,13 +3798,13 @@ CVE-2022-30019 CVE-2022-30018 (Mobotix Control Center (MxCC) through 2.5.4.5 has Insufficiently Prote ...) NOT-FOR-US: Mobotix Control Center (MxCC) CVE-2022-30017 (Rescue Dispatch Management System 1.0 suffers from Stored XSS, leading ...) - TODO: check + NOT-FOR-US: Rescue Dispatch Management System CVE-2022-30016 (Rescue Dispatch Management System 1.0 is vulnerable to Incorrect Acces ...) - TODO: check + NOT-FOR-US: Rescue Dispatch Management System CVE-2022-30015 RESERVED CVE-2022-30014 (Lumidek Associates Simple Food Website 1.0 is vulnerable to Cross Site ...) - TODO: check + NOT-FOR-US: Lumidek Associates Simple Food Website CVE-2022-30013 (A stored cross-site scripting (XSS) vulnerability in the upload functi ...) NOT-FOR-US: totaljs CMS CVE-2022-30012 (In the POST request of the appointment.php page of HMS v.0, there are ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/69cf35a199b1381a40067d822ef727a28c9f5f88
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fdf487ff by Salvatore Bonaccorso at 2022-05-23T22:20:20+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3531,7 +3531,7 @@ CVE-2022-1560 (The Amministrazione Aperta WordPress plugin through 3.7.3 does no CVE-2022-1559 (The Clipr WordPress plugin through 1.2.3 does not sanitise and escape ...) NOT-FOR-US: WordPress plugin CVE-2022-1558 (The Curtain WordPress plugin through 1.0.2 does not sanitise and escap ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-1557 (The ULeak Security Monitoring WordPress plugin through 1.2.3 doe ...) NOT-FOR-US: WordPress plugin CVE-2022-1556 @@ -3596,7 +3596,7 @@ CVE-2022-1549 CVE-2022-1548 (Mattermost Playbooks plugin 1.25 and earlier fails to properly restric ...) NOT-FOR-US: Mattermost Playbooks plugin CVE-2022-1547 (The Check Log Email WordPress plugin before 1.0.6 does not sanit ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-1546 RESERVED CVE-2022-30114 @@ -6556,7 +6556,7 @@ CVE-2022-1322 CVE-2022-1321 RESERVED CVE-2022-1320 (The Sliderby10Web WordPress plugin before 1.2.52 does not properly san ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-29081 (Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pr ...) NOT-FOR-US: ZOHO ManageEngine CVE-2022-29080 (The npm-dependency-versions package through 0.3.0 for Node.js allows c ...) @@ -6762,7 +6762,7 @@ CVE-2022-1300 (Multiple Version of TRUMPF TruTops products expose a service func CVE-2022-1299 RESERVED CVE-2022-1298 (The Tabs WordPress plugin before 2.2.8 does not sanitise and escape Ta ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-1297 (Out-of-bounds Read in r_bin_ne_get_entrypoints function in GitHub repo ...) - radare2 NOTE: https://huntr.dev/bounties/ec538fa4-06c6-4050-a141-f60153ddeaac 
@@ -6973,7 +6973,7 @@ CVE-2022-28946 (An issue in the component ast/parser.go of Open Policy Agent v0. CVE-2022-28945 RESERVED CVE-2022-28944 (Certain EMCO Software products are affected by: CWE-494: Download of C ...) - TODO: check + NOT-FOR-US: EMCO CVE-2022-28943 RESERVED CVE-2022-28942 @@ -7623,7 +7623,7 @@ CVE-2022-1270 CVE-2022-1269 (The Fast Flow WordPress plugin before 1.2.11 does not sanitise and esc ...) NOT-FOR-US: WordPress plugin CVE-2022-1268 (The Donate Extra WordPress plugin through 2.02 does not sanitise and e ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-1267 (The BMI BMR Calculator WordPress plugin through 1.3 does not sanitise ...) NOT-FOR-US: WordPress plugin CVE-2022-1266 @@ -7877,13 +7877,13 @@ CVE-2022-1222 (Inf loop in GitHub repository gpac/gpac prior to 2.1.0-DEV. ...) NOTE: https://huntr.dev/bounties/f8cb85b8-7ff3-47f1-a9a6-7080eb371a3d NOTE: https://github.com/gpac/gpac/commit/7f060bbb72966cae80d6fee338d0b07fa3fc06e1 CVE-2022-1221 (The Gwyn's Imagemap Selector WordPress plugin through 0.3.3 does not s ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-1220 RESERVED CVE-2022-1219 (SQL injection in RecyclebinController.php in GitHub repository pimcore ...) NOT-FOR-US: pimcore CVE-2022-1218 (The Domain Replace WordPress plugin through 1.3.8 does not sanitise an ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-1217 (The Custom TinyMCE Shortcode Button WordPress plugin through 1.1 does ...) NOT-FOR-US: WordPress plugin CVE-2022-1216 (The Advanced Image Sitemap WordPress plugin through 1.2 does not sanit ...) @@ -8751,7 +8751,7 @@ CVE-2022-1194 CVE-2022-1193 (Improper access control in GitLab CE/EE versions 10.7 prior to 14.7.7, ...) - gitlab CVE-2022-1192 (The Turn off all comments WordPress plugin through 1.0 does not saniti ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-46779 RESERVED CVE-2021-46778 
@@ -10139,7 +10139,7 @@ CVE-2022-1095 CVE-2022-1094 (The amr users WordPress plugin before 4.59.4 does not sanitise and esc ...) NOT-FOR-US: WordPress plugin CVE-2022-1093 (The WP Meta SEO WordPress plugin before 4.4.7 does not sanitise or esc ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-1092 (The myCred WordPress plugin before 2.4.4 does not have authorisation a ...) NOT-FOR-US: WordPress plugin CVE-2022-1091 (The sanitisation step of the Safe SVG WordPress plugin before 1.9.10 c ...) @@ -11855,7 +11855,7 @@ CVE-2022-1015 (A flaw was found in the Linux kernel in linux/net/netfilter/nf_ta NOTE: Exploitable after: https://git.kernel.org/linus/345023b0db315648ccc3c1a36aee88304a8b4d91 (5.12-rc1)
[Git][security-tracker-team/security-tracker][master] Add upstream commits for CVE-2022-3097{4,5}/mujs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 18141a62 by Salvatore Bonaccorso at 2022-05-23T22:18:18+02:00 Add upstream commits for CVE-2022-3097{4,5}/mujs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1150,9 +1150,13 @@ CVE-2022-30976 (GPAC 2.0.0 misuses a certain Unicode utf8_wcslen (renamed gf_utf CVE-2022-30975 (In Artifex MuJS through 1.2.0, jsP_dumpsyntax in jsdump.c has a NULL p ...) - mujs NOTE: https://github.com/ccxvii/mujs/issues/161 + NOTE: https://github.com/ccxvii/mujs/commit/910acc807c3c057e1c0726160808f3a9f37b40ec + NOTE: https://github.com/ccxvii/mujs/commit/f5b3c703e18725e380b83427004632e744f85a6f CVE-2022-30974 (compile in regexp.c in Artifex MuJS through 1.2.0 results in stack con ...) - mujs NOTE: https://github.com/ccxvii/mujs/issues/162 + NOTE: https://github.com/ccxvii/mujs/commit/160ae29578054dc09fd91e5401ef040d52797e61 + NOTE: https://github.com/ccxvii/mujs/commit/799b62bf065b006e2bcb1c80044eab2b10412ecf CVE-2022-1775 (Weak Password Requirements in GitHub repository polonel/trudesk prior ...) NOT-FOR-US: Trudesk CVE-2022-1774 (Exposure of Sensitive Information to an Unauthorized Actor in GitHub r ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/18141a62c408498c62381ceb387bb253f3f89c96
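Review bot: Each MuJS CVE now lists two upstream commits with no indication of which one is the fix and which a follow-up, or whether both are needed for a backport; annotate them the way the pcre2 entry elsewhere in this file does (`(pcre2-10.40)`) with the release they land in, or with a short `fix`/`follow-up` remark, especially since both `- mujs` lines still have no fixed version in the archive and whoever prepares the update will have to work that out again.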
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 673fc2da by security tracker role at 2022-05-23T20:10:17+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,459 @@ +CVE-2022-31470 + RESERVED +CVE-2022-31469 + RESERVED +CVE-2022-31468 + RESERVED +CVE-2022-31467 (Quick Heal Total Security before 12.1.1.27 allows DLL hijacking during ...) + TODO: check +CVE-2022-31466 (Quick Heal Total Security before 12.1.1.27 has a TOCTOU race condition ...) + TODO: check +CVE-2022-31465 + RESERVED +CVE-2022-31464 + RESERVED +CVE-2022-31463 + RESERVED +CVE-2022-31462 + RESERVED +CVE-2022-31461 + RESERVED +CVE-2022-31460 + RESERVED +CVE-2022-31459 + RESERVED +CVE-2022-31458 + RESERVED +CVE-2022-31457 + RESERVED +CVE-2022-31456 + RESERVED +CVE-2022-31455 + RESERVED +CVE-2022-31454 + RESERVED +CVE-2022-31453 + RESERVED +CVE-2022-31452 + RESERVED +CVE-2022-31451 + RESERVED +CVE-2022-31450 + RESERVED +CVE-2022-31449 + RESERVED +CVE-2022-31448 + RESERVED +CVE-2022-31447 + RESERVED +CVE-2022-31446 + RESERVED +CVE-2022-31445 + RESERVED +CVE-2022-31444 + RESERVED +CVE-2022-31443 + RESERVED +CVE-2022-31442 + RESERVED +CVE-2022-31441 + RESERVED +CVE-2022-31440 + RESERVED +CVE-2022-31439 + RESERVED +CVE-2022-31438 + RESERVED +CVE-2022-31437 + RESERVED +CVE-2022-31436 + RESERVED +CVE-2022-31435 + RESERVED +CVE-2022-31434 + RESERVED +CVE-2022-31433 + RESERVED +CVE-2022-31432 + RESERVED +CVE-2022-31431 + RESERVED +CVE-2022-31430 + RESERVED +CVE-2022-31429 + RESERVED +CVE-2022-31428 + RESERVED +CVE-2022-31427 + RESERVED +CVE-2022-31426 + RESERVED +CVE-2022-31425 + RESERVED +CVE-2022-31424 + RESERVED +CVE-2022-31423 + RESERVED +CVE-2022-31422 + RESERVED +CVE-2022-31421 + RESERVED +CVE-2022-31420 + RESERVED +CVE-2022-31419 + RESERVED +CVE-2022-31418 + RESERVED +CVE-2022-31417 + RESERVED +CVE-2022-31416 + RESERVED +CVE-2022-31415 + RESERVED +CVE-2022-31414 + RESERVED +CVE-2022-31413 + RESERVED +CVE-2022-31412 + RESERVED +CVE-2022-31411 + RESERVED +CVE-2022-31410 + RESERVED +CVE-2022-31409 + RESERVED +CVE-2022-31408 + RESERVED +CVE-2022-31407 + RESERVED +CVE-2022-31406 + RESERVED +CVE-2022-31405 + RESERVED +CVE-2022-31404 + RESERVED 
+CVE-2022-31403 + RESERVED +CVE-2022-31402 + RESERVED +CVE-2022-31401 + RESERVED +CVE-2022-31400 + RESERVED +CVE-2022-31399 + RESERVED +CVE-2022-31398 + RESERVED +CVE-2022-31397 + RESERVED +CVE-2022-31396 + RESERVED +CVE-2022-31395 + RESERVED +CVE-2022-31394 + RESERVED +CVE-2022-31393 + RESERVED +CVE-2022-31392 + RESERVED +CVE-2022-31391 + RESERVED +CVE-2022-31390 + RESERVED +CVE-2022-31389 + RESERVED +CVE-2022-31388 + RESERVED +CVE-2022-31387 + RESERVED +CVE-2022-31386 + RESERVED +CVE-2022-31385 + RESERVED +CVE-2022-31384 + RESERVED +CVE-2022-31383 + RESERVED +CVE-2022-31382 + RESERVED +CVE-2022-31381 + RESERVED +CVE-2022-31380 + RESERVED +CVE-2022-31379 + RESERVED +CVE-2022-31378 + RESERVED +CVE-2022-31377 + RESERVED +CVE-2022-31376 + RESERVED +CVE-2022-31375 + RESERVED +CVE-2022-31374 + RESERVED +CVE-2022-31373 + RESERVED +CVE-2022-31372 + RESERVED +CVE-2022-31371 + RESERVED +CVE-2022-31370 + RESERVED +CVE-2022-31369 + RESERVED +CVE-2022-31368 + RESERVED +CVE-2022-31367 + RESERVED +CVE-2022-31366 + RESERVED +CVE-2022-31365 + RESERVED +CVE-2022-31364 + RESERVED +CVE-2022-31363 + RESERVED +CVE-2022-31362 + RESERVED +CVE-2022-31361 + RESERVED +CVE-2022-31360 + RESERVED +CVE-2022-31359 + RESERVED +CVE-2022-31358 + RESERVED +CVE-2022-31357 + RESERVED +CVE-2022-31356 + RESERVED +CVE-2022-31355 + RESERVED +CVE-2022-31354 + RESERVED +CVE-2022-31353 + RESERVED +CVE-2022-31352 + RESERVED +CVE-2022-31351 + RESERVED +CVE-2022-31350 + RESERVED +CVE-2022-31349 + RESERVED +CVE-2022-31348 + RESERVED +CVE-2022-31347 + RESERVED +CVE-2022-31346 + RESERVED +CVE-2022-31345 + RESERVED +CVE-2022-31344 + RESERVED +CVE-2022-31343 + RESERVED +CVE-2022-31342 + RESERVED +CVE-2022-31341 + RESERVED +CVE-2022-31340 + RESERVED +CVE-2022-31339 + RESERVED +CVE-2022-31338 + RESERVED +CVE-2022-31337 + RESERVED +CVE-2022-31336 + RESERVED +CVE-2022-31335 +
[Git][security-tracker-team/security-tracker][master] dla: add libjpeg-turbo
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 02b03478 by Sylvain Beucler at 2022-05-23T18:32:53+02:00 dla: add libjpeg-turbo - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -143792,7 +143792,7 @@ CVE-2020-13790 (libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer {DLA-2302-1} - libjpeg-turbo 1:2.0.5-1 (bug #962829) [buster] - libjpeg-turbo 1:1.5.2-2+deb10u1 - [jessie] - libjpeg-turbo (No package in Debian jessie uses the TurboJPEG API) + [jessie] - libjpeg-turbo (No other package in Debian jessie uses the TurboJPEG API or the TurboJPEG CLI tools) NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/433 NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/1bfb0b5247f4fc8f6677639781ce468543490216 (1.5.x) NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3de15e0c344d11d4b90f4a47136467053eb2d09a (2.0.x) = data/dla-needed.txt = 
@@ -112,9 +112,13 @@ lemonldap-ng NOTE: 20220523: Harmonize with Debian 10.4 (1 CVE) and 10.5 (regression fix) (Beuc/front-desk) -- libdbi-perl - NOTE: 20220523: Harmonize with Debian 10.8 (CVE-2014-10402 is a follow-up to CVE-2014-10401 (Beuc/front-desk) + NOTE: 20220523: Harmonize with Debian 10.8 (CVE-2014-10402 is a follow-up to CVE-2014-10401 NOTE: 20220523: which was fixed before stretch, buster's debian/changelog is incorrect) (Beuc/front-desk) -- +libjpeg-turbo + NOTE: 20220523: Harmonize with Debian 10.7 (only 1 CVE but last + NOTE: 20220523: stretch update back in 2020 and possible RCE) (Beuc/front-desk) +-- liblouis NOTE: 20220320: no patch available yet. Reproducible memory leaks with ASAN NOTE: 20220320: and POC. Consider fixing CVE-2018-17294 too. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02b034786cdc32eaec3a87cd3cb1a155f034da2e
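Review bot: The dla-needed.txt hunk bundles an unrelated correction to the libdbi-perl NOTE (moving the stray `(Beuc/front-desk)` off the first line so the parenthetical closes on the second) into a commit whose message only says "dla: add libjpeg-turbo"; split it out or mention it in the message so the history stays searchable. The new libjpeg-turbo note says "possible RCE" while the CVE list hunk just above describes CVE-2020-13790 as a heap-based buffer overflow; naming the CVE in the dla-needed note would save the next reader a lookup.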
[Git][security-tracker-team/security-tracker][master] one ATS issue fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6ac6ae16 by Moritz Muehlenhoff at 2022-05-23T18:19:44+02:00 one ATS issue fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -34515,7 +34515,7 @@ CVE-2021-3983 (kimai2 is vulnerable to Improper Neutralization of Input During W CVE-2022-21742 RESERVED CVE-2021-44040 (Improper Input Validation vulnerability in request line parsing of Apa ...) - - trafficserver + - trafficserver 9.1.2+ds-1 NOTE: https://lists.apache.org/thread/zblwzcfs9ryhwjr89wz4osw55pxm6dx6 NOTE: https://github.com/apache/trafficserver/commit/85c319a7f7c0537bee408ea25df6f1a5ed0a4071 NOTE: https://github.com/apache/trafficserver/commit/c4e6661a5a205b1f60279f0e66aa496023185967 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ac6ae1698dee8626addd189792300fb6a53ff65
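Review bot: The sid fix is recorded as `9.1.2+ds-1`, while the two upstream commit NOTEs for CVE-2021-44040 carry no release annotation; confirm that both commits (not only the first) are in the 9.1.2 release and annotate them `(9.1.2)` or similar, so a stable backport knows which commits to cherry-pick without re-reading the lists.apache.org thread.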
[Git][security-tracker-team/security-tracker][master] dla: add manila
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: cef7f5f0 by Sylvain Beucler at 2022-05-23T17:56:50+02:00 dla: add manila - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -88,6 +88,7 @@ haproxy -- horizon NOTE: 20220523: Harmonize with DSA-4820-1 (1 CVE) (Beuc/front-desk) + NOTE: 20220523: part of OpenStack (Beuc/front-desk) -- icingaweb2 (Abhijith PA) NOTE: https://people.debian.org/~abhijith/upload/mruby/icingaweb2_2.4.1-1+deb9u2.dsc (abhijith) @@ -130,6 +131,10 @@ linux-4.19 (Ben Hutchings) mailman NOTE: 20220523: Harmonize with Debian 10.12 (3 CVEs, regression fixes) (Beuc/front-desk) -- +manila + NOTE: 20220523: Harmonize with Debian 10.4 (1 CVE) (Beuc/front-desk) + NOTE: 20220523: part of OpenStack (Beuc/front-desk) +-- mariadb-10.1 NOTE: 20220222: Can be risky. Please consider backporting mariadb-10.3. See discussion https://lists.debian.org/debian-lts/2022/02/msg5.html and coordinate with maintainer (Anton) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cef7f5f0be103bf796e26ffdf58aeb6c390c610a
[Git][security-tracker-team/security-tracker][master] dla: add libdbi-perl
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: e5d0646d by Sylvain Beucler at 2022-05-23T17:40:59+02:00 dla: add libdbi-perl - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -110,6 +110,10 @@ kvmtool lemonldap-ng NOTE: 20220523: Harmonize with Debian 10.4 (1 CVE) and 10.5 (regression fix) (Beuc/front-desk) -- +libdbi-perl + NOTE: 20220523: Harmonize with Debian 10.8 (CVE-2014-10402 is a follow-up to CVE-2014-10401 (Beuc/front-desk) + NOTE: 20220523: which was fixed before stretch, buster's debian/changelog is incorrect) (Beuc/front-desk) +-- liblouis NOTE: 20220320: no patch available yet. Reproducible memory leaks with ASAN NOTE: 20220320: and POC. Consider fixing CVE-2018-17294 too. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e5d0646de3def8aac46c7256298c6dffb9345042
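Review bot: The first added NOTE line ends with `(Beuc/front-desk)` while the parenthetical opened at `(CVE-2014-10402 is a follow-up` is still open and only closes on the second line, so the signature sits inside the remark; move it to the end of the second line (which already carries one) or split the remark so each NOTE line is self-contained, as the other front-desk entries in this file are.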
[Git][security-tracker-team/security-tracker][master] dla: add lemonldap-ng
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 8a668723 by Sylvain Beucler at 2022-05-23T17:15:54+02:00 dla: add lemonldap-ng - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -107,6 +107,9 @@ kvmtool NOTE: 20220402: stretch-specific, orphaned package (Beuc/front-desk) NOTE: 20220402: CVE-2021-45464 looks critical, check with upstream for acknowledgments/fixes (Beuc/front-desk) -- +lemonldap-ng + NOTE: 20220523: Harmonize with Debian 10.4 (1 CVE) and 10.5 (regression fix) (Beuc/front-desk) +-- liblouis NOTE: 20220320: no patch available yet. Reproducible memory leaks with ASAN NOTE: 20220320: and POC. Consider fixing CVE-2018-17294 too. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a66872309420cb8d77a92405a5d1fd49b4e70b1
[Git][security-tracker-team/security-tracker][master] dla: add isync
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: d5f4ee68 by Sylvain Beucler at 2022-05-23T16:58:00+02:00 dla: add isync - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -100,6 +100,9 @@ intel-microcode (Stefano Rivera) irssi NOTE: 20220523: Harmonize with Debian 10.11 (1 CVE) (Beuc/front-desk) -- +isync + NOTE: 20220523: Harmonize with Debian 10.10 and possibly 11.2 (3 CVEs) (Beuc/front-desk) +-- kvmtool NOTE: 20220402: stretch-specific, orphaned package (Beuc/front-desk) NOTE: 20220402: CVE-2021-45464 looks critical, check with upstream for acknowledgments/fixes (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5f4ee68ca306eb826238538a1fb1da5a10ec084
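Review bot: "Harmonize with Debian 10.10 and possibly 11.2 (3 CVEs)" leaves the triager to work out which of the three CVEs arrived via the bullseye 11.2 point release and whether stretch's isync version is affected by that one at all; list the CVE IDs per point release in the NOTE, or say explicitly that the 11.2 part is unverified, so the claimant knows what "possibly" is asking them to check.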
[Git][security-tracker-team/security-tracker][master] dla: add irssi
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 18e6e036 by Sylvain Beucler at 2022-05-23T16:51:32+02:00 dla: add irssi - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -97,6 +97,9 @@ icingaweb2 (Abhijith PA) intel-microcode (Stefano Rivera) NOTE: 20220213: please recheck -- +irssi + NOTE: 20220523: Harmonize with Debian 10.11 (1 CVE) (Beuc/front-desk) +-- kvmtool NOTE: 20220402: stretch-specific, orphaned package (Beuc/front-desk) NOTE: 20220402: CVE-2021-45464 looks critical, check with upstream for acknowledgments/fixes (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/18e6e0366fef8bb2ce16551f61fa4a9480ff873d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/18e6e0366fef8bb2ce16551f61fa4a9480ff873d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] mariadb-10.6 fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4ff225a9 by Moritz Muehlenhoff at 2022-05-23T16:45:31+02:00 mariadb-10.6 fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10709,25 +10709,25 @@ CVE-2022-27460 CVE-2022-27459 RESERVED CVE-2022-27458 (MariaDB Server v10.6.3 and below was discovered to contain an use-afte ...) - - mariadb-10.6 + - mariadb-10.6 1:10.6.8-1 - mariadb-10.5 - mariadb-10.3 - mariadb-10.1 NOTE: https://jira.mariadb.org/browse/MDEV-28099 CVE-2022-27457 (MariaDB Server v10.6.3 and below was discovered to contain an use-afte ...) - - mariadb-10.6 + - mariadb-10.6 1:10.6.8-1 - mariadb-10.5 - mariadb-10.3 - mariadb-10.1 NOTE: https://jira.mariadb.org/browse/MDEV-28098 CVE-2022-27456 (MariaDB Server v10.6.3 and below was discovered to contain an use-afte ...) - - mariadb-10.6 + - mariadb-10.6 1:10.6.8-1 - mariadb-10.5 - mariadb-10.3 - mariadb-10.1 NOTE: https://jira.mariadb.org/browse/MDEV-28093 CVE-2022-27455 (MariaDB Server v10.6.3 and below was discovered to contain an use-afte ...) - - mariadb-10.6 + - mariadb-10.6 1:10.6.8-1 - mariadb-10.5 - mariadb-10.3 - mariadb-10.1 @@ -10737,13 +10737,13 @@ CVE-2022-27454 CVE-2022-27453 RESERVED CVE-2022-27452 (MariaDB Server v10.9 and below was discovered to contain a segmentatio ...) - - mariadb-10.6 + - mariadb-10.6 1:10.6.8-1 - mariadb-10.5 - mariadb-10.3 - mariadb-10.1 NOTE: https://jira.mariadb.org/browse/MDEV-28090 CVE-2022-27451 (MariaDB Server v10.9 and below was discovered to contain a segmentatio ...) - - mariadb-10.6 + - mariadb-10.6 1:10.6.8-1 - mariadb-10.5 - mariadb-10.3 - mariadb-10.1 
@@ -10751,38 +10751,38 @@ CVE-2022-27451 (MariaDB Server v10.9 and below was discovered to contain a segme CVE-2022-27450 RESERVED CVE-2022-27449 (MariaDB Server v10.9 and below was discovered to contain a segmentatio ...) - - mariadb-10.6 + - mariadb-10.6 1:10.6.8-1 - mariadb-10.5 - mariadb-10.3 - mariadb-10.1 NOTE: https://jira.mariadb.org/browse/MDEV-28089 CVE-2022-27448 (There is an Assertion failure in MariaDB Server v10.9 and below via 'n ...) - - mariadb-10.6 + - mariadb-10.6 1:10.6.8-1 - mariadb-10.5 - mariadb-10.3 - mariadb-10.1 NOTE: https://jira.mariadb.org/browse/MDEV-28095 CVE-2022-27447 (MariaDB Server v10.9 and below was discovered to contain a use-after-f ...) - - mariadb-10.6 + - mariadb-10.6 1:10.6.8-1 - mariadb-10.5 - mariadb-10.3 - mariadb-10.1 NOTE: https://jira.mariadb.org/browse/MDEV-28099 CVE-2022-27446 (MariaDB Server v10.9 and below was discovered to contain a segmentatio ...) - - mariadb-10.6 + - mariadb-10.6 1:10.6.8-1 - mariadb-10.5 - mariadb-10.3 - mariadb-10.1 NOTE: https://jira.mariadb.org/browse/MDEV-28082 CVE-2022-27445 (MariaDB Server v10.9 and below was discovered to contain a segmentatio ...) - - mariadb-10.6 + - mariadb-10.6 1:10.6.8-1 - mariadb-10.5 - mariadb-10.3 - mariadb-10.1 NOTE: https://jira.mariadb.org/browse/MDEV-28081 NOTE: https://jira.mariadb.org/browse/MDEV-19398 CVE-2022-27444 (MariaDB Server v10.9 and below was discovered to contain a segmentatio ...) - - mariadb-10.6 + - mariadb-10.6 1:10.6.8-1 - mariadb-10.5 - mariadb-10.3 - mariadb-10.1 
@@ -10930,73 +10930,73 @@ CVE-2022-27389 CVE-2022-27388 RESERVED CVE-2022-27387 (MariaDB Server v10.7 and below was discovered to contain a global buff ...) - - mariadb-10.6 + - mariadb-10.6 1:10.6.8-1 - mariadb-10.5 - mariadb-10.3 - mariadb-10.1 NOTE: https://jira.mariadb.org/browse/MDEV-26422 CVE-2022-27386 (MariaDB Server v10.7 and below was discovered to contain a segmentatio ...) - - mariadb-10.6 + - mariadb-10.6 1:10.6.8-1 - mariadb-10.5 - mariadb-10.3 - mariadb-10.1 NOTE: https://jira.mariadb.org/browse/MDEV-26406 CVE-2022-27385 (An issue in the component Used_tables_and_const_cache::used_tables_and ...) - - mariadb-10.6 + - mariadb-10.6 1:10.6.8-1 - mariadb-10.5 - mariadb-10.3 - mariadb-10.1 NOTE: https://jira.mariadb.org/browse/MDEV-26415 CVE-2022-27384 (An issue in the component Item_subselect::init_expr_cache_tracker of M ...) - - mariadb-10.6 + - mariadb-10.6 1:10.6.8-1 - mariadb-10.5 -
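Review bot: in the first hunk (@@ -10709) only the `mariadb-10.6` line gains the fixed version `1:10.6.8-1`; the `mariadb-10.5`, `mariadb-10.3` and `mariadb-10.1` lines beneath each CVE stay unversioned, so the tracker will keep reporting those source packages as open. If they correspond to the older suites, their release status (fixed version, no-dsa or end-of-life) needs recording as well, or a NOTE should say that leaving them open is deliberate pending separate uploads.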
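Review bot: in the @@ -10751 hunk, CVE-2022-27447 carries `NOTE: https://jira.mariadb.org/browse/MDEV-28099`, the same ticket already referenced under CVE-2022-27458 in the first hunk; two distinct CVEs mapping to one upstream bug is possible, but it is worth checking against the MariaDB release notes, since a copy-paste slip here would leave one of the two entries without a verifiable upstream reference.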
[Git][security-tracker-team/security-tracker][master] one grafana issue n/a
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 665760cf by Moritz Muehlenhoff at 2022-05-23T16:42:08+02:00 one grafana issue n/a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5825,7 +5825,7 @@ CVE-2022-29172 (Auth0 is an authentication broker that supports both social and CVE-2022-29171 (Sourcegraph is a fast and featureful code search and navigation engine ...) NOT-FOR-US: Sourcegraph CVE-2022-29170 (Grafana is an open-source platform for monitoring and observability. I ...) - - grafana + - grafana (Specific to Grafana Enterprise) CVE-2022-29169 RESERVED CVE-2022-29168 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/665760cf91946cfb46f02930af2ad55dd3cd3a6f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/665760cf91946cfb46f02930af2ad55dd3cd3a6f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
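Review bot: the replacement line `- grafana (Specific to Grafana Enterprise)` shows no status token before the comment, so as rendered it has the same shape as an open entry such as `- tensorflow (bug #804612)` elsewhere on this page, while the commit title says the issue is n/a. This list's rendering appears to drop angle-bracket tokens (the freecol and nvidia status lines on this page show the same shape), so the `<not-affected>` marker was most likely lost in display rather than in the commit; confirm in the repository before relying on grafana being reported as unaffected.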
[Git][security-tracker-team/security-tracker][master] 2 commits: dla: clarify comments made with front-desk hat
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 65a38eda by Sylvain Beucler at 2022-05-23T16:31:18+02:00 dla: clarify comments made with front-desk hat - - - - - 501d40bc by Sylvain Beucler at 2022-05-23T16:37:02+02:00 dla: add horizon - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -36,6 +36,7 @@ ckeditor (Sylvain Beucler) NOTE: 20220510: no rdeps, no sponsors, most CVEs require following upstream stable 4.x, NOTE: 20220510: considering either ignoring, or mass-bumping all dists, NOTE: 20220510: waiting for ckeditor_3_ discussion to close up first (Beuc) + NOTE: 20220510: https://lists.debian.org/debian-lts/2022/05/msg00018.html -- clamav (Emilio) NOTE: 20220510: Programming language C. (apo) @@ -47,9 +48,9 @@ cyrus-imapd NOTE: 20220523: Harmonize with DSA-4590-1 and Debian 10.11 (2 CVEs) (Beuc/front-desk) -- debian-security-support (Utkarsh) - NOTE: 20220402: need to update the list of unsupported packages (Beuc) - NOTE: 20220402: check debian/README.source, sync with h01ger, and announce EOL'd packages (Beuc) - NOTE: 20220402: context: https://lists.debian.org/debian-lts/2022/04/msg0.html (Beuc) + NOTE: 20220402: need to update the list of unsupported packages (Beuc/front-desk) + NOTE: 20220402: check debian/README.source, sync with h01ger, and announce EOL'd packages (Beuc/front-desk) + NOTE: 20220402: context: https://lists.debian.org/debian-lts/2022/04/msg0.html (Beuc/front-desk) NOTE: 20220502: backport prepped, will contact Holger for more details. (utkarsh) NOTE: 20220516: in review, will also co-help Holger to maintain this. (utkarsh) -- 
@@ -80,11 +81,14 @@ glib2.0 NOTE: 20220523: Harmonize with Debian 10.10 (3 CVEs) (Beuc/front-desk) -- golang-go.crypto - NOTE: 20220331: rebuild reverse-dependencies if needed, e.g. DLA-2402-1 -> DLA-2453-1/DLA-2454-1/DLA-2455-1; also check buster status (Beuc) + NOTE: 20220331: rebuild reverse-dependencies if needed, e.g. DLA-2402-1 -> DLA-2453-1/DLA-2454-1/DLA-2455-1; also check buster status (Beuc/front-desk) -- haproxy NOTE: 20220523: Harmonize with Debian 10.0 and 10.6 (3 CVEs) (Beuc/front-desk) -- +horizon + NOTE: 20220523: Harmonize with DSA-4820-1 (1 CVE) (Beuc/front-desk) +-- icingaweb2 (Abhijith PA) NOTE: https://people.debian.org/~abhijith/upload/mruby/icingaweb2_2.4.1-1+deb9u2.dsc (abhijith) NOTE: 20220522: Pinged upstream for missing patches. Will write an detail @@ -94,8 +98,8 @@ intel-microcode (Stefano Rivera) NOTE: 20220213: please recheck -- kvmtool - NOTE: 20220402: stretch-specific, orphaned package (Beuc) - NOTE: 20220402: CVE-2021-45464 looks critical, check with upstream for acknowledgments/fixes (Beuc) + NOTE: 20220402: stretch-specific, orphaned package (Beuc/front-desk) + NOTE: 20220402: CVE-2021-45464 looks critical, check with upstream for acknowledgments/fixes (Beuc/front-desk) -- liblouis NOTE: 20220320: no patch available yet. Reproducible memory leaks with ASAN 
@@ -132,15 +136,15 @@ ntfs-3g NOTE: available. (apo) -- nvidia-cuda-toolkit - NOTE: 20220331: package is in non-free but also in packages-to-support (Beuc) + NOTE: 20220331: package is in non-free but also in packages-to-support (Beuc/front-desk) -- nvidia-graphics-drivers - NOTE: 20220203: package is in non-free but also in packages-to-support (Beuc) + NOTE: 20220203: package is in non-free but also in packages-to-support (Beuc/front-desk) NOTE: 20220209: monitor nvidia-graphics-drivers-legacy-390xx for a potential NOTE: 20220209: backport (apo) -- pdns - NOTE: 20220402: harmonize with buster/10.8 (Beuc) + NOTE: 20220402: harmonize with buster/10.8 (Beuc/front-desk) NOTE: 20220506: buster patches backported in https://salsa.debian.org/enrico/pdns/-/tree/stretch NOTE: 20220506: and #debian-dns notified (enrico) NOTE: 20220506: the patch for https://security-tracker.debian.org/tracker/CVE-2022-27227 @@ -157,7 +161,7 @@ postgresql-9.6 puma (Markus Koschany) -- puppet-module-puppetlabs-firewall - NOTE: 20220402: no Debian maintainers activity since 2018 (Beuc) + NOTE: 20220402: no Debian maintainers activity since 2018 (Beuc/front-desk) -- redis NOTE: 20220510: Chris Lamb is the maintainer. Programming language C. (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/96fa9a9eb38765e58a241dd0e5090c1d3e1691d2...501d40bc5efb1821bd5c88011dbc79b170d74a67 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/96fa9a9eb38765e58a241dd0e5090c1d3e1691d2...501d40bc5efb1821bd5c88011dbc79b170d74a67 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-c
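Review bot: the first hunk (@@ -36) adds a ckeditor NOTE dated 20220510 in a commit made on 20220523; the date prefix is what the other entries use to show when a remark was written, so either date it 20220523 and mention the 20220510 thread in the text, or confirm the backdating is intended to document the earlier discussion that the link points at.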
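Review bot: the debian-security-support hunk (@@ -47) rewrites the line `NOTE: 20220402: context: https://lists.debian.org/debian-lts/2022/04/msg0.html (Beuc/front-desk)`; the archive path `msg0.html` does not look like a complete message name (the ckeditor NOTE in the same patch uses the `msg00018.html` form), so while this line is being touched it is worth checking that the URL resolves. The retagging from (Beuc) to (Beuc/front-desk) is applied only to entries Beuc has not claimed, which matches the commit message.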
[Git][security-tracker-team/security-tracker][master] dla: add haproxy
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 96fa9a9e by Sylvain Beucler at 2022-05-23T15:43:51+02:00 dla: add haproxy - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -82,6 +82,9 @@ glib2.0 golang-go.crypto NOTE: 20220331: rebuild reverse-dependencies if needed, e.g. DLA-2402-1 -> DLA-2453-1/DLA-2454-1/DLA-2455-1; also check buster status (Beuc) -- +haproxy + NOTE: 20220523: Harmonize with Debian 10.0 and 10.6 (3 CVEs) (Beuc/front-desk) +-- icingaweb2 (Abhijith PA) NOTE: https://people.debian.org/~abhijith/upload/mruby/icingaweb2_2.4.1-1+deb9u2.dsc (abhijith) NOTE: 20220522: Pinged upstream for missing patches. Will write an detail View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96fa9a9eb38765e58a241dd0e5090c1d3e1691d2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96fa9a9eb38765e58a241dd0e5090c1d3e1691d2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
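Review bot: "Harmonize with Debian 10.0 and 10.6 (3 CVEs)" is hard to act on: 10.0 is the initial buster release, so those fixes are in the release version itself rather than in a point-release update, and there is no stable-update changelog entry to copy from. Naming the DSA or the buster version that carries the fixes, as the cyrus-imapd NOTE on this page does with DSA-4590-1, would make the entry actionable for the claimant.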
[Git][security-tracker-team/security-tracker][master] dla: add glib2.0
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 93e69d19 by Sylvain Beucler at 2022-05-23T15:26:05+02:00 dla: add glib2.0 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -76,6 +76,9 @@ gerbv NOTE: 20220326: CVE-2021-40401 is fixed https://salsa.debian.org/lts-team/packages/gerbv/-/blob/debian/stretch/debian/patches/CVE-2021-40401.patch (Anton) NOTE: 20220326: CVE-2021-4040{0,2,3} do not have confirmed upstream fixes yet. (Anton) -- +glib2.0 + NOTE: 20220523: Harmonize with Debian 10.10 (3 CVEs) (Beuc/front-desk) +-- golang-go.crypto NOTE: 20220331: rebuild reverse-dependencies if needed, e.g. DLA-2402-1 -> DLA-2453-1/DLA-2454-1/DLA-2455-1; also check buster status (Beuc) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93e69d19a6cebd83ed64592885980186da8513ce -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93e69d19a6cebd83ed64592885980186da8513ce You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2018-1000825/freecol: stretch end-of-life
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 90e8ed4c by Sylvain Beucler at 2022-05-23T15:21:48+02:00 CVE-2018-1000825/freecol: stretch end-of-life - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -228602,7 +228602,7 @@ CVE-2018-1000826 (Microweber version = 1.0.7 contains a Cross Site Scripting CVE-2018-1000825 (FreeCol version = nightly-2018-08-22 contains a XML External Entit ...) - freecol 0.11.6+dfsg2-3 (bug #917023; low) [buster] - freecol 0.11.6+dfsg2-2+deb10u1 - [stretch] - freecol (Minor issue) + [stretch] - freecol (Games are not supported) [jessie] - freecol (Games are not supported) NOTE: https://github.com/FreeCol/freecol/issues/26 NOTE: https://github.com/FreeCol/freecol/commit/8963506897e3270a75b062f28486934bcb79b1e3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90e8ed4c5db2cbc1b7d264da61b17ca45f73adde -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90e8ed4c5db2cbc1b7d264da61b17ca45f73adde You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: add filezilla
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 79df5705 by Sylvain Beucler at 2022-05-23T15:17:32+02:00 dla: add filezilla - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -60,6 +60,9 @@ exempi NOTE: 20220517: A lot of packages reverse depends on libexmpi8. Further analysis NOTE: 20220517: is needed. -- +filezilla + NOTE: 20220523: Harmonize with Debian 10.4 (1 CVE) (Beuc/front-desk) +-- firefox-esr (Emilio) NOTE: 20220522: From the description this looks criticial. Did not check whether the code is vulnerable or not. Leaving that to someone else. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/79df5705162c84e70942e17c9e8b0040d012d71e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/79df5705162c84e70942e17c9e8b0040d012d71e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2018-20196/faad2: drop postponed entry for stretch
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 93fe2045 by Sylvain Beucler at 2022-05-23T15:09:05+02:00 CVE-2018-20196/faad2: drop postponed entry for stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -228915,7 +228915,6 @@ CVE-2018-20197 (There is a stack-based buffer underflow in the third instance of CVE-2018-20196 (There is a stack-based buffer overflow in the third instance of the ca ...) {DSA-5109-1 DLA-1899-1} - faad2 2.8.8-3.1 (low) - [stretch] - faad2 (Minor issue) NOTE: https://github.com/knik0/faad2/issues/19 NOTE: https://github.com/knik0/faad2/commit/6aeeaa1af0caf986daf22852a97f7c13c5edd879 CVE-2018-20195 (A NULL pointer dereference was discovered in ic_predict of libfaad/ic_ ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93fe20451ab70689bb8fdfc96121b3b08c8ee85b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93fe20451ab70689bb8fdfc96121b3b08c8ee85b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
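Review bot: dropping the `[stretch] - faad2 (Minor issue)` line is consistent with CVE-2018-20196 being covered by DSA-4522-1, but the context line `{DSA-5109-1 DLA-1899-1}` above it still does not list DSA-4522-1 even though commit 6abf09a9 (same day, 14:37) added the CVE to that advisory in data/DSA/list; if that brace list is not regenerated automatically it needs the same update, otherwise the stretch status for this CVE is inferred from the DLA alone.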
[Git][security-tracker-team/security-tracker][master] CVE-2020-20902/ffmpeg: fixed through DLA-3010-1
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: e4353990 by Sylvain Beucler at 2022-05-23T15:05:21+02:00 CVE-2020-20902/ffmpeg: fixed through DLA-3010-1 - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -126991,13 +126991,15 @@ CVE-2020-20903 CVE-2020-20902 (A CWE-125: Out-of-bounds read vulnerability exists in long_term_filter ...) {DSA-4722-1} - ffmpeg 7:4.2.2-1 - [stretch] - ffmpeg (Minor issue; can be fixed in next update) NOTE: https://trac.ffmpeg.org/ticket/8176 NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=5f0acc5064ed501cb40d4aaccae2b3ce5c4552fd (4.3) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=2c78a76cb0443f8a12a5eadc3b58373aa2f4ab22 (4.3) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=b97aaf791f6ea3506a6252ecef6a1a0e9a542e04 (4.2.2) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=81672bf00f3b5a3c025034f4b2e33d67b72f3839 (4.2.2) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=a0c91fb0f0641f9f35f650281a176657907097cf (4.1.5) + NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=abf9627f70ed8467b1646d56205e61f965f11468 (4.1.9) + NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=1cff89a11fa051696109565b3bf88c94479374eb (3.2.15) + NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=abf9627f70ed8467b1646d56205e61f965f11468 (3.2.17) CVE-2020-20901 REJECTED CVE-2020-20900 = data/DLA/list = 
@@ -29,6 +29,7 @@ {CVE-2022-0261 CVE-2022-0351 CVE-2022-0413 CVE-2022-0443 CVE-2022-0572 CVE-2022-1154 CVE-2022-1616 CVE-2022-1619 CVE-2022-1621} [stretch] - vim 2:8.0.0197-4+deb9u6 [16 May 2022] DLA-3010-1 ffmpeg - security update + {CVE-2020-20902} [stretch] - ffmpeg 7:3.2.18-0+deb9u1 [16 May 2022] DLA-3009-1 cifs-utils - security update {CVE-2022-27239 CVE-2022-29869} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e43539900385b40beedb6bad656f72a8bf7cb8f4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e43539900385b40beedb6bad656f72a8bf7cb8f4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
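Review bot: in the data/CVE/list hunk the commit hash abf9627f70ed8467b1646d56205e61f965f11468 is added twice, once annotated (4.1.9) and again annotated (3.2.17); a single commit does not sit on two release branches under the same hash, so one of the two annotations is probably a copy-paste error, and since these NOTEs are what the next backporter will use to locate the 3.2-branch fix, the (3.2.17) line should carry the actual 3.2 hash. The data/DLA/list hunk (DLA-3010-1, `[stretch] - ffmpeg 7:3.2.18-0+deb9u1`) is consistent with the removed postponed entry.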
[Git][security-tracker-team/security-tracker][master] CVE-2018-20196/faad2: fixed through DSA-4522-1
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 6abf09a9 by Sylvain Beucler at 2022-05-23T14:37:23+02:00 CVE-2018-20196/faad2: fixed through DSA-4522-1 - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -2115,7 +2115,7 @@ [stretch] - thunderbird 1:60.9.0-1~deb9u1 [buster] - thunderbird 1:60.9.0-1~deb10u1 [15 Sep 2019] DSA-4522-1 faad2 - security update - {CVE-2018-19502 CVE-2018-19503 CVE-2018-19504 CVE-2018-20194 CVE-2018-20195 CVE-2018-20197 CVE-2018-20198 CVE-2018-20357 CVE-2018-20358 CVE-2018-20359 CVE-2018-20361 CVE-2018-20362 CVE-2019-15296} + {CVE-2018-19502 CVE-2018-19503 CVE-2018-19504 CVE-2018-20194 CVE-2018-20195 CVE-2018-20196 CVE-2018-20197 CVE-2018-20198 CVE-2018-20357 CVE-2018-20358 CVE-2018-20359 CVE-2018-20361 CVE-2018-20362 CVE-2019-15296} [stretch] - faad2 2.8.0~cvs20161113-1+deb9u2 [09 Sep 2019] DSA-4521-1 docker.io - security update {CVE-2019-13139 CVE-2019-13509 CVE-2019-14271} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6abf09a9f796e84bc5693a794db9488750ceb02e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6abf09a9f796e84bc5693a794db9488750ceb02e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
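Review bot: adding CVE-2018-20196 to the CVE list of DSA-4522-1, an advisory published on 15 Sep 2019, changes the recorded scope of that advisory after the fact; that is fine when the upload really contained the fix, but a NOTE on the CVE entry pointing at the patch in `faad2 2.8.0~cvs20161113-1+deb9u2` that closes this issue would let others verify the attribution without re-reading the package diff.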
[Git][security-tracker-team/security-tracker][master] CVE-2022-28181,CVE-2022-28185/nvidia-graphics-drivers-legacy-340xx: stretch ignored
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: d98e18b7 by Sylvain Beucler at 2022-05-23T14:18:48+02:00 CVE-2022-28181,CVE-2022-28185/nvidia-graphics-drivers-legacy-340xx: stretch ignored - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8672,6 +8672,7 @@ CVE-2022-28185 (NVIDIA GPU Display Driver for Windows and Linux contains a vulne [buster] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx (bug #1011141) [buster] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported) + [stretch] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported, no updates provided by Nvidia anymore) - nvidia-graphics-drivers-legacy-390xx 390.151-1 (bug #1011142) [bullseye] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) [buster] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) 
@@ -8713,6 +8714,7 @@ CVE-2022-28181 (NVIDIA GPU Display Driver for Windows and Linux contains a vulne [buster] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx (bug #1011141) [buster] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported) + [stretch] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported, no updates provided by Nvidia anymore) - nvidia-graphics-drivers-legacy-390xx 390.151-1 (bug #1011142) [bullseye] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) [buster] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d98e18b7a09680b913509f7197c9b13fee6b7674 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d98e18b7a09680b913509f7197c9b13fee6b7674 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
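Review bot: both hunks add the same `[stretch] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported, no updates provided by Nvidia anymore)` line, matching the title's "stretch ignored", but the sibling `nvidia-graphics-drivers-legacy-390xx` block on each CVE only has bullseye and buster lines in the visible context, so stretch for 390xx stays unannotated; if that is intentional (the dla-needed.txt NOTE on this page asks to monitor legacy-390xx for a potential backport) a short NOTE would stop the next triager from re-asking.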
[Git][security-tracker-team/security-tracker][master] CVE-2022-29222/snowflake unfixed 1011458
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 43f35b06 by Neil Williams at 2022-05-23T12:20:28+01:00 CVE-2022-29222/snowflake unfixed 1011458 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5706,7 +5706,10 @@ CVE-2022-29224 CVE-2022-29223 RESERVED CVE-2022-29222 (Pion DTLS is a Go implementation of Datagram Transport Layer Security. ...) - TODO: check + - snowflake (bug #1011458) + NOTE: https://github.com/pion/dtls/security/advisories/GHSA-w45j-f832-hxvh + NOTE: https://github.com/pion/dtls/commit/d2f797183a9f044ce976e6df6f362662ca722412 (v2.1.5) + NOTE: https://github.com/pion/dtls/releases/tag/v2.1.5 CVE-2022-29221 RESERVED CVE-2022-29220 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43f35b0672d30b4f4e158ac19bd7e1ed1b12a647 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43f35b0672d30b4f4e158ac19bd7e1ed1b12a647 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
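Review bot: the entry records the vulnerable code under `snowflake` only, yet the three NOTEs point at the upstream pion/dtls advisory and its v2.1.5 fix; if pion/dtls is also packaged as its own Go library source package, that package is where the fix lands and snowflake then needs a rebuild against it, the same pattern the golang-go.crypto NOTE in dla-needed.txt describes ("rebuild reverse-dependencies if needed"). A NOTE stating which of the two situations applies would avoid a fix landing in one place and the other being forgotten.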
[Git][security-tracker-team/security-tracker][master] dla-needed.txt: Unclaim cgal
Andreas Rönnquist pushed to branch master at Debian Security Tracker / security-tracker Commits: eb4c43e8 by Andreas Rönnquist at 2022-05-23T12:49:20+02:00 dla-needed.txt: Unclaim cgal - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -28,7 +28,7 @@ atftp avahi NOTE: 20220523: Harmonize with Debian 10.9 (1 Debian-specific CVE) (Beuc/front-desk) -- -cgal (Andreas Rönnquist) +cgal NOTE: 20220421: many no-dsa issues, please check, whether it is possible to fix them without uploading a new upstream release (Anton) -- ckeditor (Sylvain Beucler) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb4c43e89ad782612978692a487d970bf82d29cd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb4c43e89ad782612978692a487d970bf82d29cd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2022-29189-90/snowflake unfixed 1011457
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: d8a6cd24 by Neil Williams at 2022-05-23T11:18:00+01:00 CVE-2022-29189-90/snowflake unfixed 1011457 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5770,9 +5770,15 @@ CVE-2022-29192 (TensorFlow is an open source platform for machine learning. Prio CVE-2022-29191 (TensorFlow is an open source platform for machine learning. Prior to v ...) - tensorflow (bug #804612) CVE-2022-29190 (Pion DTLS is a Go implementation of Datagram Transport Layer Security. ...) - TODO: check + - snowflake (bug #1011457) + NOTE: https://github.com/pion/dtls/security/advisories/GHSA-cm8f-h6j3-p25c + NOTE: https://github.com/pion/dtls/commit/e0b2ce3592e8e7d73713ac67b363a2e192a4cecf (v2.1.4) + NOTE: https://github.com/pion/dtls/releases/tag/v2.1.4 CVE-2022-29189 (Pion DTLS is a Go implementation of Datagram Transport Layer Security. ...) - TODO: check + - snowflake (bug #1011457) + NOTE: https://github.com/pion/dtls/security/advisories/GHSA-cx94-mrg9-rq4j + NOTE: https://github.com/pion/dtls/commit/a6397ff7282bc56dc37a68ea9211702edb4de1de (v2.1.4) + NOTE: https://github.com/pion/dtls/releases/tag/v2.1.4 CVE-2022-29188 (Smokescreen is an HTTP proxy. The primary use case for Smokescreen is ...) NOT-FOR-US: Smokescreen CVE-2022-29187 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8a6cd2427b34a48069a60bab8626a9c6b657f72 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8a6cd2427b34a48069a60bab8626a9c6b657f72 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: aeaf4251 by Neil Williams at 2022-05-23T11:02:36+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5774,11 +5774,11 @@ CVE-2022-29190 (Pion DTLS is a Go implementation of Datagram Transport Layer Sec CVE-2022-29189 (Pion DTLS is a Go implementation of Datagram Transport Layer Security. ...) TODO: check CVE-2022-29188 (Smokescreen is an HTTP proxy. The primary use case for Smokescreen is ...) - TODO: check + NOT-FOR-US: Smokescreen CVE-2022-29187 RESERVED CVE-2022-29186 (Rundeck is an open source automation service with a web console, comma ...) - TODO: check + NOT-FOR-US: Rundeck CVE-2022-29185 (totp-rs is a Rust library that permits the creation of 2FA authentific ...) TODO: check CVE-2022-29184 (GoCD is a continuous delivery server. In GoCD versions prior to 22.1.0 ...) @@ -5840,7 +5840,7 @@ CVE-2022-29162 (runc is a CLI tool for spawning and running containers on Linux CVE-2022-29161 (XWiki Platform is a generic wiki platform offering runtime services fo ...) NOT-FOR-US: XWiki CVE-2022-29160 (Nextcloud Android is the Android client for Nextcloud, a self-hosted p ...) - TODO: check + NOT-FOR-US: Nextcloud Android app CVE-2022-29159 (Nextcloud Deck is a Kanban-style project personal management too ...) NOT-FOR-US: Nextcloud Deck CVE-2022-29158 @@ -7268,7 +7268,7 @@ CVE-2022-1237 (Improper Validation of Array Index in GitHub repository radareorg CVE-2022-1236 (Weak Password Requirements in GitHub repository weseek/growi prior to ...) NOT-FOR-US: GROWI CVE-2022-28660 (The querier component in Grafana Enterprise Logs 1.1.x through 1.3.x b ...) - TODO: check + NOT-FOR-US: Grafana Enterprise Logs CVE-2022-28659 RESERVED CVE-2022-28658 
@@ -17021,7 +17021,7 @@ CVE-2022-25226 (ThinVNC version 1.0b1 allows an unauthenticated user to bypass t CVE-2022-25225 (Network Olympus version 1.8.0 allows an authenticated admin user to in ...) NOT-FOR-US: Network Olympus CVE-2022-25224 (Proton v0.2.0 allows an attacker to create a malicious link inside a m ...) - TODO: check + NOT-FOR-US: steventhanna/proton CVE-2022-25223 (Money Transfer Management System Version 1.0 allows an authenticated u ...) NOT-FOR-US: Money Transfer Management System CVE-2022-25222 (Money Transfer Management System Version 1.0 allows an unauthenticated ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aeaf425195fdf419423ae89273143645448137e2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aeaf425195fdf419423ae89273143645448137e2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
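Review bot: the @@ -7268 hunk marks CVE-2022-28660 as `NOT-FOR-US: Grafana Enterprise Logs`; since the `grafana` source package is in Debian (see the CVE-2022-29170 entry elsewhere on this page), a quick check that the Enterprise Logs querier code is not shipped inside that source package would back the NOT-FOR-US. The remaining NFUs in this patch (Smokescreen, Rundeck, Nextcloud Android app, steventhanna/proton) carry the product name needed to re-check them later.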
[Git][security-tracker-team/security-tracker][master] CVE-2022-24434/node-superagent not-affected, vulnerable code in added test support
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 1cce431c by Neil Williams at 2022-05-23T10:29:10+01:00 CVE-2022-24434/node-superagent not-affected, vulnerable code in added test support - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15125,7 +15125,11 @@ CVE-2022-24438 CVE-2022-24437 (The package git-pull-or-clone before 2.0.2 are vulnerable to Command I ...) NOT-FOR-US: Node git-pull-or-clone CVE-2022-24434 (This affects all versions of package dicer. A malicious attacker can s ...) - TODO: check + - node-superagent (Vulnerable code only exists in Debian autopkgtest support) + NOTE: https://github.com/mscdex/busboy/issues/250 + NOTE: https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac + NOTE: https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865 + NOTE: https://snyk.io/vuln/SNYK-JS-DICER-2311764 CVE-2022-24433 (The package simple-git before 3.3.0 are vulnerable to Command Injectio ...) NOT-FOR-US: simple-git CVE-2022-24431 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1cce431c11a936cf7e965e89882c7f6a4af29e31 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1cce431c11a936cf7e965e89882c7f6a4af29e31 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
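Review bot: the commit title says not-affected, but the added line `- node-superagent (Vulnerable code only exists in Debian autopkgtest support)` carries no `<not-affected>` marker, so in data/CVE/list syntax it reads as an unfixed (vulnerable) entry with a comment. If the intent is not-affected, the line should be `- node-superagent <not-affected> (Vulnerable code only exists in Debian autopkgtest support)`. A NOTE pointing at where in the Debian packaging the vendored dicer copy lives would also make the "autopkgtest support" claim re-checkable alongside the busboy/dicer upstream references.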
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 533234ea by Neil Williams at 2022-05-23T10:10:40+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,7 +5,7 @@ CVE-2022-29524 CVE-2022-29506 RESERVED CVE-2022-1813 (OS Command Injection in GitHub repository yogeshojha/rengine prior to ...) - TODO: check + NOT-FOR-US: yogeshojha/rengine CVE-2022-1812 RESERVED CVE-2022-1811 @@ -5782,11 +5782,11 @@ CVE-2022-29186 (Rundeck is an open source automation service with a web console, CVE-2022-29185 (totp-rs is a Rust library that permits the creation of 2FA authentific ...) TODO: check CVE-2022-29184 (GoCD is a continuous delivery server. In GoCD versions prior to 22.1.0 ...) - TODO: check + NOT-FOR-US: ThoughtWorks GoCD CVE-2022-29183 (GoCD is a continuous delivery server. GoCD versions 20.2.0 until 21.4. ...) - TODO: check + NOT-FOR-US: ThoughtWorks GoCD CVE-2022-29182 (GoCD is a continuous delivery server. GoCD versions 19.11.0 through 21 ...) - TODO: check + NOT-FOR-US: ThoughtWorks GoCD CVE-2022-29181 (Nokogiri is an open source XML and HTML library for Ruby. Nokogiri pri ...) - ruby-nokogiri (unimportant) NOTE: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m @@ -6384,7 +6384,7 @@ CVE-2022-28997 CVE-2022-28996 RESERVED CVE-2022-28995 (Rengine v1.0.2 was discovered to contain a remote code execution (RCE) ...) - TODO: check + NOT-FOR-US: reNgine CVE-2022-28994 (Small HTTP Server version 3.06 suffers from a remote buffer overflow v ...) NOT-FOR-US: Small HTTP Server CVE-2022-28993 (Multi Store Inventory Management System v1.0 allows attackers to perfo ...) 
@@ -12991,7 +12991,7 @@ CVE-2022-0885 CVE-2022-0884 (The Profile Builder WordPress plugin before 3.6.8 does not sanitise an ...) NOT-FOR-US: WordPress plugin CVE-2022-0883 (SLM has an issue with Windows Unquoted/Trusted Service Paths Security ...) - TODO: check + NOT-FOR-US: SnowGlobe Licence Manager CVE-2022-0882 (A bug exists where an attacker can read the kernel log through exposed ...) NOT-FOR-US: Google fuchsia CVE-2022-0881 (Insecure Storage of Sensitive Information in GitHub repository chocobo ...) @@ -15211,7 +15211,7 @@ CVE-2022-21211 CVE-2022-21208 RESERVED CVE-2022-21195 (All versions of package url-regex are vulnerable to Regular Expression ...) - TODO: check + NOT-FOR-US: AlexFlipnote/url_regex CVE-2022-21192 RESERVED CVE-2022-21191 @@ -17317,7 +17317,7 @@ CVE-2021-45721 CVE-2021-45074 (JFrog Artifactory before 7.29.3 and 6.23.38, is vulnerable to Broken A ...) NOT-FOR-US: JFrog Artifactory CVE-2021-41834 (JFrog Artifactory prior to version 7.28.0 and 6.23.38, is vulnerable t ...) - TODO: check + NOT-FOR-US: JFrog Artifactory CVE-2021-23163 RESERVED CVE-2022-25146 (The Remote App module in Liferay Portal through v7.4.3.8 and Liferay D ...) 
@@ -19552,7 +19552,7 @@ CVE-2022-0487 (A use-after-free vulnerability was found in rtsx_usb_ms_drv_remov NOTE: https://git.kernel.org/linus/bd2db32e7c3e35bd4d9b8bbff689434a50893546 (5.17-rc4) NOTE: CONFIG_MMC_MOXART is not set in Debian. CVE-2022-0486 (Improper file permissions in the CommandPost, Collector, Sensor, and S ...) - TODO: check + NOT-FOR-US: Fidelis CVE-2022-0485 [nbdcopy: missing error handling may create corrupted destination image] RESERVED - libnbd 1.10.5-1 (bug #1005307) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/533234ea0e0c5463b5194724076cda36475d60da -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/533234ea0e0c5463b5194724076cda36475d60da You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
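Review bot: two NOT-FOR-US tags in this patch name the same upstream differently, "yogeshojha/rengine" for CVE-2022-1813 and "reNgine" for CVE-2022-28995; one spelling keeps both greppable. For CVE-2022-21195 the description speaks of "package url-regex" (hyphen) while the tag names "AlexFlipnote/url_regex" (underscore); if the hyphenated name is the npm package, these are different projects in different ecosystems, so the upstream the CVE actually covers is worth re-checking before the entry is closed as NFU.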
[Git][security-tracker-team/security-tracker][master] CVE-2018-1311/xerces-c: harmonize triaging with buster
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 6e3c133e by Sylvain Beucler at 2022-05-23T11:03:03+02:00 CVE-2018-1311/xerces-c: harmonize triaging with buster - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -288636,11 +288636,10 @@ CVE-2018-1312 (In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest a CVE-2018-1311 (The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-fre ...) {DSA-4814-1} - xerces-c 3.2.3+debian-2 (bug #947431) - [stretch] - xerces-c (Minor issue, revisit when fixed upstream, fixed with memory leak in DLA 2498-1) [jessie] - xerces-c (slow upstream interest, proper fix likely to break ABI compatibility) NOTE: http://xerces.apache.org/xerces-c/secadv/CVE-2018-1311.txt NOTE: https://issues.apache.org/jira/browse/XERCESC-2188 - NOTE: http://vault.centos.org/7.7.1908/updates/Source/SPackages/xerces-c-3.1.1-10.el7_7.src.rpm (fix with memory leak) + NOTE: http://vault.centos.org/7.7.1908/updates/Source/SPackages/xerces-c-3.1.1-10.el7_7.src.rpm (fix with memory leak, applied in DLA-2498-1 and DSA-4814-1) NOTE: Mitigation by setting the XERCES_DISABLE_DTD environment variable CVE-2018-1310 (Apache NiFi JMS Deserialization issue because of ActiveMQ client vulne ...) NOT-FOR-US: Apache NiFi = data/DLA/list = 
@@ -1590,6 +1590,7 @@ {CVE-2020-29668} [stretch] - sympa 6.2.16~dfsg-3+deb9u5 [17 Dec 2020] DLA-2498-1 xerces-c - security update + {CVE-2018-1311} [stretch] - xerces-c 3.1.4+debian-2+deb9u2 [17 Dec 2020] DLA-2497-1 thunderbird - security update {CVE-2020-16042 CVE-2020-26971 CVE-2020-26973 CVE-2020-26974 CVE-2020-26978 CVE-2020-35111 CVE-2020-35113} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e3c133e06bce7137843010446b2f778fdce8b8e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e3c133e06bce7137843010446b2f778fdce8b8e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
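Review bot: the data/CVE/list hunk drops the `[stretch] - xerces-c (Minor issue, revisit when fixed upstream, fixed with memory leak in DLA 2498-1)` line and relies on the new `{CVE-2018-1311}` in the DLA-2498-1 entry of data/DLA/list to mark stretch as fixed; the `{DSA-4814-1}` cross-reference line on the CVE entry does not yet list DLA-2498-1, so check that the next automatic update adds it, otherwise the stretch status is inconsistent between the two files until it does. The updated NOTE naming both DLA-2498-1 and DSA-4814-1 as consumers of the CentOS patch is a helpful addition.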
[Git][security-tracker-team/security-tracker][master] dla: add dpdk
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 732a513b by Sylvain Beucler at 2022-05-23T10:56:30+02:00 dla: add dpdk - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -53,6 +53,9 @@ debian-security-support (Utkarsh) NOTE: 20220502: backport prepped, will contact Holger for more details. (utkarsh) NOTE: 20220516: in review, will also co-help Holger to maintain this. (utkarsh) -- +dpdk + NOTE: 20220523: Harmonize with Debian 10.7 (5 CVEs) (Beuc/front-desk) +-- exempi NOTE: 20220517: A lot of packages reverse depends on libexmpi8. Further analysis NOTE: 20220517: is needed. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/732a513bae92b2c995228f984f23830e2fe0e42d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/732a513bae92b2c995228f984f23830e2fe0e42d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: add cyrus-imapd
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 09199456 by Sylvain Beucler at 2022-05-23T10:49:25+02:00 dla: add cyrus-imapd - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -43,6 +43,9 @@ clamav (Emilio) curl (Emilio) NOTE: 20220510: Programming language C. -- +cyrus-imapd + NOTE: 20220523: Harmonize with DSA-4590-1 and Debian 10.11 (2 CVEs) (Beuc/front-desk) +-- debian-security-support (Utkarsh) NOTE: 20220402: need to update the list of unsupported packages (Beuc) NOTE: 20220402: check debian/README.source, sync with h01ger, and announce EOL'd packages (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/091994561f7799479d51cee2746d81fb7e169190 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/091994561f7799479d51cee2746d81fb7e169190 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 4 commits: dla: add mailman
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: df339ba3 by Sylvain Beucler at 2022-05-23T10:23:59+02:00 dla: add mailman - - - - - 916c912b by Sylvain Beucler at 2022-05-23T10:23:59+02:00 dla: add atftp - - - - - 63c04e9c by Sylvain Beucler at 2022-05-23T10:23:59+02:00 dla: add avahi - - - - - 8c681fb5 by Sylvain Beucler at 2022-05-23T10:23:59+02:00 dla: unassign postgresql-9.6 following e-mail exchange - - - - - 2 changed files: - data/dla-needed.txt - data/packages/lts-do-call-me Changes: = data/dla-needed.txt = @@ -22,6 +22,12 @@ amd64-microcode asterisk (Abhijith PA) NOTE: 20220424: programming language C -- +atftp + NOTE: 20220523: Harmonize with Debian 10.12 (1 CVE) (Beuc/front-desk) +-- +avahi + NOTE: 20220523: Harmonize with Debian 10.9 (1 Debian-specific CVE) (Beuc/front-desk) +-- cgal (Andreas Rönnquist) NOTE: 20220421: many no-dsa issues, please check, whether it is possible to fix them without uploading a new upstream release (Anton) -- @@ -89,6 +95,9 @@ linux (Ben Hutchings) -- linux-4.19 (Ben Hutchings) -- +mailman + NOTE: 20220523: Harmonize with Debian 10.12 (3 CVEs, regression fixes) (Beuc/front-desk) +-- mariadb-10.1 NOTE: 20220222: Can be risky. Please consider backporting mariadb-10.3. See discussion https://lists.debian.org/debian-lts/2022/02/msg5.html and coordinate with maintainer (Anton) -- @@ -124,8 +133,11 @@ pdns NOTE: 20220506: package builds but does not run a test suite, and I lack the NOTE: 20220506: know-how for testing manually (enrico) -- -postgresql-9.6 (Christoph Berg) +postgresql-9.6 NOTE: 20220523: cf. DSA-5135-1/DSA-5136-1 (Beuc/front-desk) + NOTE: 20220523: 9.6 is EOL'd upstream (Beuc/front-desk) + NOTE: 20220523: Christoph Berg won't handle this update (Beuc/front-desk) + NOTE: 20220523: https://lists.debian.org/debian-lts/2022/05/msg00054.html -- puma (Markus Koschany) -- = data/packages/lts-do-call-me = 
@@ -10,6 +10,8 @@ busybox DebConf19 conversation with apo # Christoph Berg (credativ) postgresql* (Christoph will always take care of updates, no need to contact him) +# However Christoph won't update EOL'd 9.6 for stretch +# https://lists.debian.org/debian-lts/2022/05/msg00054.html # Peter Palfrader tor View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/475f3a04a115f43b6e13f8473362e900a8800888...8c681fb59f3eb12f47ead7d053767ff9d530d663 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/475f3a04a115f43b6e13f8473362e900a8800888...8c681fb59f3eb12f47ead7d053767ff9d530d663 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
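Review bot: in data/packages/lts-do-call-me the two new comment lines sit under `postgresql* (Christoph will always take care of updates, no need to contact him)`, which still states the opposite of the exception added right below it; rewording the postgresql* line itself (for example appending "except EOL'd 9.6 in stretch") would stop the next front-desk assignment from repeating the one this push reverts. In data/dla-needed.txt the postgresql-9.6 notes record both the reason and the list thread, which is good.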
[Git][security-tracker-team/security-tracker][master] Remove postponed entry for CVE-2021-33515/dovecot in bullseye
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 475f3a04 by Salvatore Bonaccorso at 2022-05-23T10:10:55+02:00 Remove postponed entry for CVE-2021-33515/dovecot in bullseye - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -64238,7 +64238,6 @@ CVE-2021-33516 (An issue was discovered in GUPnP before 1.0.7 and 1.1.x and 1.2. NOTE: https://gitlab.gnome.org/GNOME/gupnp/-/commit/ca6ec9dcb26fd7a2a630eb6a68118659b589afac (master) CVE-2021-33515 (The submission service in Dovecot before 2.3.15 allows STARTTLS comman ...) - dovecot 1:2.3.13+dfsg1-2 (bug #990566) - [bullseye] - dovecot (Minor issue, fix along with next update) [buster] - dovecot (Minor issue, fix along with next update) [stretch] - dovecot (Vulnerable code (smtp_server_command queue) introduced later) NOTE: https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/475f3a04a115f43b6e13f8473362e900a8800888 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/475f3a04a115f43b6e13f8473362e900a8800888 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
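Review bot: the removal drops only the `[bullseye] - dovecot (Minor issue, fix along with next update)` line and leaves the identical buster postponement in place, but neither the commit message nor a NOTE says why bullseye no longer needs it (a point-release upload, or the fixed version already being what bullseye ships). A one-line NOTE with the bullseye version would let the next person triaging buster see whether the same reasoning applies there.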
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f6fa7cda by security tracker role at 2022-05-23T08:10:14+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2022-30549 + RESERVED +CVE-2022-29524 + RESERVED +CVE-2022-29506 + RESERVED CVE-2022-1813 (OS Command Injection in GitHub repository yogeshojha/rengine prior to ...) TODO: check CVE-2022-1812 @@ -2437,6 +2443,7 @@ CVE-2022-1621 (Heap buffer overflow in vim_strncpy find_word in GitHub repositor NOTE: https://huntr.dev/bounties/520ce714-bfd2-4646-9458-f52cd22bb2fb NOTE: https://github.com/vim/vim/commit/7c824682d2028432ee082703ef0ab399867a089b (v8.2.4919) CVE-2018-25033 (ADMesh through 0.98.4 has a heap-based buffer over-read in stl_update_ ...) + {DLA-3019-1} - admesh 0.98.4-2 (bug #1010770) [bullseye] - admesh (Minor issue; can be fixed via point release) [buster] - admesh (Minor issue; can be fixed via point release) @@ -3547,7 +3554,7 @@ CVE-2022-29918 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-16/#CVE-2022-29918 CVE-2022-29917 RESERVED - {DSA-5141-1 DSA-5129-1 DLA-2994-1} + {DSA-5141-1 DSA-5129-1 DLA-3020-1 DLA-2994-1} - firefox 100.0-1 - firefox-esr 91.9.0esr-1 - thunderbird 1:91.9.0-1 @@ -3556,7 +3563,7 @@ CVE-2022-29917 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-18/#CVE-2022-29917 CVE-2022-29916 RESERVED - {DSA-5141-1 DSA-5129-1 DLA-2994-1} + {DSA-5141-1 DSA-5129-1 DLA-3020-1 DLA-2994-1} - firefox 100.0-1 - firefox-esr 91.9.0esr-1 - thunderbird 1:91.9.0-1 @@ -3569,7 +3576,7 @@ CVE-2022-29915 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-16/#CVE-2022-29915 CVE-2022-29914 RESERVED - {DSA-5141-1 DSA-5129-1 DLA-2994-1} + {DSA-5141-1 DSA-5129-1 DLA-3020-1 DLA-2994-1} - firefox 100.0-1 - firefox-esr 91.9.0esr-1 - thunderbird 1:91.9.0-1 
@@ -3578,12 +3585,12 @@ CVE-2022-29914 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-18/#CVE-2022-29914 CVE-2022-29913 RESERVED - {DSA-5141-1} + {DSA-5141-1 DLA-3020-1} - thunderbird 1:91.9.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-18/#CVE-2022-29913 CVE-2022-29912 RESERVED - {DSA-5141-1 DSA-5129-1 DLA-2994-1} + {DSA-5141-1 DSA-5129-1 DLA-3020-1 DLA-2994-1} - firefox 100.0-1 - firefox-esr 91.9.0esr-1 - thunderbird 1:91.9.0-1 @@ -3592,7 +3599,7 @@ CVE-2022-29912 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-18/#CVE-2022-29912 CVE-2022-29911 RESERVED - {DSA-5141-1 DSA-5129-1 DLA-2994-1} + {DSA-5141-1 DSA-5129-1 DLA-3020-1 DLA-2994-1} - firefox 100.0-1 - firefox-esr 91.9.0esr-1 - thunderbird 1:91.9.0-1 @@ -3605,7 +3612,7 @@ CVE-2022-29910 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-16/#CVE-2022-29910 CVE-2022-29909 RESERVED - {DSA-5141-1 DSA-5129-1 DLA-2994-1} + {DSA-5141-1 DSA-5129-1 DLA-3020-1 DLA-2994-1} - firefox 100.0-1 - firefox-esr 91.9.0esr-1 - thunderbird 1:91.9.0-1 @@ -3767,7 +3774,7 @@ CVE-2022-1521 RESERVED CVE-2022-1520 RESERVED - {DSA-5141-1} + {DSA-5141-1 DLA-3020-1} - thunderbird 1:91.9.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-18/#CVE-2022-1520 CVE-2022-1519 
@@ -17309,8 +17316,8 @@ CVE-2021-45721 RESERVED CVE-2021-45074 (JFrog Artifactory before 7.29.3 and 6.23.38, is vulnerable to Broken A ...) NOT-FOR-US: JFrog Artifactory -CVE-2021-41834 - RESERVED +CVE-2021-41834 (JFrog Artifactory prior to version 7.28.0 and 6.23.38, is vulnerable t ...) + TODO: check CVE-2021-23163 RESERVED CVE-2022-25146 (The Remote App module in Liferay Portal through v7.4.3.8 and Liferay D ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f6fa7cda3b5459290f3ce71478193926953aa895 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f6fa7cda3b5459290f3ce71478193926953aa895 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
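Review bot: CVE-2021-41834 moves from RESERVED to a real description with `TODO: check`; the neighbouring CVE-2021-45074 for the same product is already `NOT-FOR-US: JFrog Artifactory`, so this TODO can be closed the same way. The DLA-3020-1 cross-references are added to exactly the eight CVEs listed in the DLA-3020-1 entry (CVE-2022-1520, CVE-2022-29909, CVE-2022-29911, CVE-2022-29912, CVE-2022-29913, CVE-2022-29914, CVE-2022-29916, CVE-2022-29917), so data/CVE/list and data/DLA/list agree.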
[Git][security-tracker-team/security-tracker][master] lts: take firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 9f590002 by Emilio Pozuelo Monfort at 2022-05-23T09:50:27+02:00 lts: take firefox-esr - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -48,7 +48,7 @@ exempi NOTE: 20220517: A lot of packages reverse depends on libexmpi8. Further analysis NOTE: 20220517: is needed. -- -firefox-esr +firefox-esr (Emilio) NOTE: 20220522: From the description this looks criticial. Did not check whether the code is vulnerable or not. Leaving that to someone else. -- firmware-nonfree View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f590002a31bd1d06267cf6aee7181ae59267a69 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f590002a31bd1d06267cf6aee7181ae59267a69 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3020-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: d049c4ca by Emilio Pozuelo Monfort at 2022-05-23T09:44:36+02:00 Reserve DLA-3020-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[23 May 2022] DLA-3020-1 thunderbird - security update + {CVE-2022-1520 CVE-2022-29909 CVE-2022-29911 CVE-2022-29912 CVE-2022-29913 CVE-2022-29914 CVE-2022-29916 CVE-2022-29917} + [stretch] - thunderbird 1:91.9.0-1~deb9u1 [22 May 2022] DLA-3019-1 admesh - security update {CVE-2018-25033} [stretch] - admesh 0.98.2-3+deb9u1 = data/dla-needed.txt = @@ -173,8 +173,6 @@ subversion (Roberto C. Sánchez) NOTE: 20220422: and, once applied manually, appears to break multiple and possibly unrelated parts of the testsuite. (lamby) NOTE: 20220501: Done some analysis, worked on a patch, cannot find a way to test it, mailed results to Roberto C. Sánchez (enrico) -- -thunderbird (Emilio) --- tiff (Utkarsh) NOTE: 20220404: jessie upload at https://salsa.debian.org/lts-team/packages/tiff. NOTE: 20220404: if that works out well, I'll roll the same for stretch. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d049c4cadf937d0be2be547ab4682d0f652563f1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d049c4cadf937d0be2be547ab4682d0f652563f1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] buster/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 209bdb15 by Moritz Muehlenhoff at 2022-05-23T09:39:23+02:00 buster/bullseye triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -626,10 +626,10 @@ CVE-2022-30977 CVE-2022-29496 RESERVED CVE-2022-1796 (Use After Free in GitHub repository vim/vim prior to 8.2.4979. ...) - - vim - [stretch] - vim (Minor issue) + - vim (unimportant) NOTE: https://huntr.dev/bounties/f6739b58-49f9-4056-a843-bf76bbc1253e NOTE: https://github.com/vim/vim/commit/28d032cc688ccfda18c5bbcab8b50aba6e18cde5 (v8.2.4979) + NOTE: Crash in CLI tool, no security impact CVE-2022-1795 (Use After Free in GitHub repository gpac/gpac prior to v2.1.0-DEV. ...) - gpac [stretch] - gpac (No longer supported in LTS) @@ -657,6 +657,8 @@ CVE-2022-1786 RESERVED CVE-2022-1785 (Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.4977. ...) - vim + [bullseye] - vim (Minor issue) + [buster] - vim (Minor issue) [stretch] - vim (Minor issue) NOTE: https://huntr.dev/bounties/8c969cba-eef2-4943-b44a-4e3089599109 NOTE: https://github.com/vim/vim/commit/e2bd8600b873d2cd1f9d667c28cba8b1dba18839 (v8.2.4977) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/209bdb150e515717c4bc003ff75a5638aa46aae3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/209bdb150e515717c4bc003ff75a5638aa46aae3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
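Review bot: CVE-2022-1796 is downgraded to `unimportant` with the NOTE "Crash in CLI tool, no security impact", while CVE-2022-1785, an Out-of-bounds Write from the same vim release series, is kept as a real issue and only postponed per suite as "Minor issue". Both are memory-safety bugs reached through crafted input, so a NOTE on CVE-2022-1785 stating why it is not also unimportant (or on CVE-2022-1796 stating what was verified in the commit 28d032cc fix) would make the distinction reproducible for later LTS triage.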
[Git][security-tracker-team/security-tracker][master] dla: assign postgresql-9.6 to Christoph Berg as per data/packages/lts-do-call-me
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 87be6155 by Sylvain Beucler at 2022-05-23T09:33:39+02:00 dla: assign postgresql-9.6 to Christoph Berg as per data/packages/lts-do-call-me - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -124,7 +124,7 @@ pdns NOTE: 20220506: package builds but does not run a test suite, and I lack the NOTE: 20220506: know-how for testing manually (enrico) -- -postgresql-9.6 +postgresql-9.6 (Christoph Berg) NOTE: 20220523: cf. DSA-5135-1/DSA-5136-1 (Beuc/front-desk) -- puma (Markus Koschany) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/87be61558c056a5ce89b5d85ea941f83da171c44 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/87be61558c056a5ce89b5d85ea941f83da171c44 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: add postgresql-9.6
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: f0f0522f by Sylvain Beucler at 2022-05-23T09:24:37+02:00 dla: add postgresql-9.6 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -124,6 +124,9 @@ pdns NOTE: 20220506: package builds but does not run a test suite, and I lack the NOTE: 20220506: know-how for testing manually (enrico) -- +postgresql-9.6 + NOTE: 20220523: cf. DSA-5135-1/DSA-5136-1 (Beuc/front-desk) +-- puma (Markus Koschany) -- puppet-module-puppetlabs-firewall View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0f0522f101ca41346a279d243b17a13ab343a2a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0f0522f101ca41346a279d243b17a13ab343a2a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Adjust source package name in CVE-2022-23639
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f83f29fa by Salvatore Bonaccorso at 2022-05-23T08:07:40+02:00 Adjust source package name in CVE-2022-23639 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22490,7 +22490,7 @@ CVE-2022-23641 (Discourse is an open source discussion platform. In versions pri CVE-2022-23640 (Excel-Streaming-Reader is an easy-to-use implementation of a streaming ...) NOT-FOR-US: Excel-Streaming-Reader CVE-2022-23639 (crossbeam-utils provides atomics, synchronization primitives, scoped t ...) - - rust-crossbeam + - rust-crossbeam-utils - rust-crossbeam-utils-0.7 NOTE: https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-qc84-gqf4-9926 NOTE: https://github.com/crossbeam-rs/crossbeam/pull/781 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f83f29fad8e779453ef1ac68e833ddf9493f43bb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f83f29fad8e779453ef1ac68e833ddf9493f43bb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
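Review bot: `- rust-crossbeam-utils` and `- rust-crossbeam-utils-0.7` are both listed without a fixed version, so the tracker treats both source packages as unfixed in unstable; if the rust-crossbeam-utils version in unstable already contains the fix from crossbeam PR 781 (GHSA-qc84-gqf4-9926), the fixed Debian version should be recorded on that line so the rename does not leave a stale open entry.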