[Git][security-tracker-team/security-tracker][master] Trim additional whitespaces in NOTE
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2bffcecc by Salvatore Bonaccorso at 2022-09-26T07:31:15+02:00 Trim additional whitespaces in NOTE - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24116,7 +24116,7 @@ CVE-2022-32087 (MariaDB v10.2 to v10.7 was discovered to contain a segmentation - mariadb-10.5 - mariadb-10.3 NOTE: https://jira.mariadb.org/browse/MDEV-26437 - NOTE: Fixed in: 10.3.35, 10.4.25, 10.5.16, 10.6.8, 10.7.4 + NOTE: Fixed in: 10.3.35, 10.4.25, 10.5.16, 10.6.8, 10.7.4 CVE-2022-32086 (MariaDB v10.4 to v10.8 was discovered to contain a segmentation fault ...) - mariadb-10.6 1:10.6.8-1 - mariadb-10.5 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2bffcecc11900eddc7a06a334018d8ee5dc76844 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2bffcecc11900eddc7a06a334018d8ee5dc76844 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
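Review bot: the removed and added NOTE lines for CVE-2022-32087 read identically in this rendering, so the hunk is a trailing-whitespace fix only, as the commit message says; nothing to change here, but whitespace-only edits to data/CVE/list are invisible in a flattened diff and easy to miss in review, and running `git diff --check` before committing the NOTE in the first place would have flagged the stray whitespace.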
[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-28200 as ignored for buster
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c7a7e4d by Anton Gladky at 2022-09-26T07:20:01+02:00 Mark CVE-2020-28200 ad ignored for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -137214,7 +137214,7 @@ CVE-2020-28201 CVE-2020-28200 (The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource ...) - dovecot 1:2.3.16+dfsg1-1 (bug #990566; bug #991323) [bullseye] - dovecot (Minor issue, fix along with next update) - [buster] - dovecot (Minor issue, fix along with next update) + [buster] - dovecot (Minor issue, backport is too disruptive) [stretch] - dovecot (Minor issue) NOTE: https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html NOTE: https://www.openwall.com/lists/oss-security/2021/06/28/3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c7a7e4debcab7ece80328ba3b4c8f5aee44d729 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c7a7e4debcab7ece80328ba3b4c8f5aee44d729 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
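Review bot: the commit title says CVE-2020-28200 is being marked ignored for buster, but the only visible change on the buster line is the reason string, from "(Minor issue, fix along with next update)" to "(Minor issue, backport is too disruptive)"; the angle-bracket state tag that distinguishes an ignored entry from a no-dsa one does not survive in this rendering, so confirm the committed line actually carries the ignored tag and not just a changed reason, otherwise the status change the title announces is not recorded and the entry still reads as a deferred fix.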
[Git][security-tracker-team/security-tracker][master] Track fixedversion for CVE-2022-32088/mariadb-10.6
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 05303965 by Salvatore Bonaccorso at 2022-09-26T07:16:30+02:00 Track fixedversion for CVE-2022-32088/mariadb-10.6 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24105,10 +24105,11 @@ CVE-2022-32089 (MariaDB v10.5 to v10.7 was discovered to contain a segmentation NOTE: https://jira.mariadb.org/browse/MDEV-26410 CVE-2022-32088 (MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault ...) {DLA-3114-1} - - mariadb-10.6 + - mariadb-10.6 1:10.6.8-1 - mariadb-10.5 - mariadb-10.3 NOTE: https://jira.mariadb.org/browse/MDEV-26419 + NOTE: Fixed in: 10.2.44, 10.3.35, 10.4.25, 10.5.16, 10.6.8, 10.7.4 CVE-2022-32087 (MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault ...) {DLA-3114-1} - mariadb-10.6 1:10.6.8-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/05303965a2bad11cda817c3eeb15254eb564c297 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/05303965a2bad11cda817c3eeb15254eb564c297 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
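Review bot: the new "Fixed in" NOTE for CVE-2022-32088 names 10.3.35 and 10.5.16 as fixed upstream releases, yet the mariadb-10.3 and mariadb-10.5 source lines in the same hunk still carry neither a fixed Debian version nor a suite annotation, so those two lines stay open even though the upstream fix is known; either record the Debian uploads that shipped those releases or add the appropriate suite annotation, matching what this hunk does for mariadb-10.6 with 1:10.6.8-1.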
[Git][security-tracker-team/security-tracker][master] 2 commits: Remove no-dsa tags for upcoming security update of poppler.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 96fe1f44 by Markus Koschany at 2022-09-26T00:12:08+02:00 Remove no-dsa tags for upcoming security update of poppler. - - - - - ca01099d by Markus Koschany at 2022-09-26T00:14:33+02:00 Reserve DLA-3120-1 for poppler - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -38160,7 +38160,6 @@ CVE-2022-27338 CVE-2022-27337 (A logic error in the Hints::Hints function of Poppler v22.03.0 allows ...) {DSA-5224-1} - poppler 22.08.0-2 (bug #1010695) - [buster] - poppler (Minor issue) [stretch] - poppler (Minor issue) NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1230 NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/commit/81044c64b9ed9a10ae82a28bac753060bdfdac74 (poppler-22.04.0) @@ -138532,7 +138531,6 @@ CVE-2020-27779 (A flaw was found in grub2 in versions prior to 2.06. The cutmem [stretch] - grub2 (No SecureBoot support in stretch) CVE-2020-27778 (A flaw was found in Poppler in the way certain PDF files were converte ...) - poppler 0.85.0-2 - [buster] - poppler (Minor issue) [stretch] - poppler (Minor issue; maybe worth fixing later) NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/742 NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/commit/30c731b487190c02afff3f036736a392eb60cd9a (poppler-0.76.0) @@ -223240,7 +223238,6 @@ CVE-2019-14494 (An issue was discovered in Poppler through 0.78.0. There is a di {DLA-2440-1} [experimental] - poppler 0.81.0-1 - poppler 0.85.0-2 (bug #933812) - [buster] - poppler (Minor issue) [jessie] - poppler (Minor issue) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/802 NOTE: https://gitlab.freedesktop.org/poppler/poppler/merge_requests/317 
@@ -237600,7 +237597,6 @@ CVE-2019-9959 (The JPXStream::init function in Poppler 0.78.0 and earlier doesn' {DLA-2440-1 DLA-1963-1} [experimental] - poppler 0.81.0-1 - poppler 0.85.0-2 (low; bug #941776) - [buster] - poppler (Minor issue) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/805 NOTE: Patch: https://gitlab.freedesktop.org/poppler/poppler/commit/68ef84e5968a4249c2162b839ca6d7975048a557 (poppler-0.79.0) NOTE: Reproducer: https://gitlab.freedesktop.org/poppler/poppler/uploads/3f22837ebd503f87e730b51221b89742/raiter_issue5465.pdf @@ -237790,7 +237786,6 @@ CVE-2019-9904 (An issue was discovered in lib\cdt\dttree.c in libcdt.a in graphv CVE-2019-9903 (PDFDoc::markObject in PDFDoc.cc in Poppler 0.74.0 mishandles dict mark ...) [experimental] - poppler 0.81.0-1 - poppler 0.85.0-2 (low; bug #925264) - [buster] - poppler (Minor issue) [stretch] - poppler (Minor issue) [jessie] - poppler (Vulnerable code not present) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/741 @@ -255186,7 +255181,6 @@ CVE-2018-20650 (A reachable Object::dictLookup assertion in Poppler 0.72.0 allow {DLA-2440-1 DLA-1939-1} [experimental] - poppler 0.81.0-1 - poppler 0.85.0-2 (low; bug #917974) - [buster] - poppler (Minor issue) NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/de0c0b8324e776f0b851485e0fc9622fc35695b7 NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/704 CVE-2018-20649 @@ -267313,7 +267307,6 @@ CVE-2018-19058 (An issue was discovered in Poppler 0.71.0. There is a reachable {DLA-2440-1 DLA-1706-1} [experimental] - poppler 0.81.0-1 - poppler 0.85.0-2 (low; bug #913177) - [buster] - poppler (Minor issue) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/659 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/6912e06d9ab19ba28991b5cab3319d61d856bd6d CVE-2018-19057 (SimpleMDE 1.11.2 has XSS via an onerror attribute of a crafted IMG ele ...) 
@@ -267692,7 +267685,6 @@ CVE-2018-18898 (The email-ingestion feature in Best Practical Request Tracker 4. CVE-2018-18897 (An issue was discovered in Poppler 0.71.0. There is a memory leak in G ...) [experimental] - poppler 0.81.0-1 - poppler 0.85.0-2 (low; bug #913164) - [buster] - poppler (Negligible security impact) [stretch] - poppler (Negligible security impact) [jessie] - poppler (Negligible security impact; memory leak) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/654 = data/DLA/list = @@ -1,3 +1,6 @@ +[26 Sep 2022] DLA-3120-1 poppler - security update + {CVE-2018-18897 CVE-2018-19058 CVE-2018-20650 CVE-2019-9903 CVE-2019-9959 CVE-2019-14494 CVE-2020-27778
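Review bot: the CVE/list hunks drop the buster "(Minor issue)" line for eight poppler issues, including CVE-2022-27337, but the DLA-3120-1 entry added to data/DLA/list is cut off in this rendering after CVE-2020-27778, so CVE-2022-27337 and the "[buster] - poppler" fixed-version line are not visible; confirm the committed DLA entry lists all eight CVEs whose no-dsa tags were removed, otherwise CVE-2022-27337 becomes an open buster issue with neither a no-dsa annotation nor a DLA reference.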
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a719ee83 by security tracker role at 2022-09-25T20:10:23+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2022-41343 (registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote f ...) + TODO: check +CVE-2022-36368 + RESERVED CVE-2022-41340 (The secp256k1-js package before 1.1.0 for Node.js implements ECDSA wit ...) TODO: check CVE-2022-41339 @@ -6,10 +10,9 @@ CVE-2022-41338 RESERVED CVE-2022-41337 RESERVED -CVE-2022-3297 - RESERVED -CVE-2022-3296 - RESERVED +CVE-2022-3297 (Use After Free in GitHub repository vim/vim prior to 9.0.0579. ...) + TODO: check +CVE-2022-3296 (Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0. ...) - vim NOTE: https://huntr.dev/bounties/958866b8-526a-4979-9471-39392e0c9077 NOTE: https://github.com/vim/vim/commit/96b9bf8f74af8abf1e30054f996708db7dc285be (v9.0.0577) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a719ee832d4c8dd14e466384493f911133e26b11 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a719ee832d4c8dd14e466384493f911133e26b11 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
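Review bot: the automatic update fills in the description for CVE-2022-3297 (use-after-free in vim before 9.0.0579) but leaves it at "TODO: check", while the neighbouring CVE-2022-3296 already has its "- vim" package line, huntr reference and fixing commit (v9.0.0577); the two issues were fixed in adjacent upstream patch levels, so CVE-2022-3297 needs the same vim package line and its fixing commit added in a follow-up rather than staying in the TODO queue.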
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-3296
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9ebd898b by Salvatore Bonaccorso at 2022-09-25T21:17:29+02:00 Add CVE-2022-3296 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10,6 +10,9 @@ CVE-2022-3297 RESERVED CVE-2022-3296 RESERVED + - vim + NOTE: https://huntr.dev/bounties/958866b8-526a-4979-9471-39392e0c9077 + NOTE: https://github.com/vim/vim/commit/96b9bf8f74af8abf1e30054f996708db7dc285be (v9.0.0577) CVE-2022-3295 RESERVED CVE-2022-3294 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9ebd898b46450d3f1afe2f891a7f25749809ada4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9ebd898b46450d3f1afe2f891a7f25749809ada4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed batik issues in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d69e0e9b by Salvatore Bonaccorso at 2022-09-25T17:07:11+02:00 Track fixed batik issues in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2851,7 +2851,7 @@ CVE-2022-40148 CVE-2022-40147 RESERVED CVE-2022-40146 (Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XM ...) - - batik (bug #1020589) + - batik 1.15+dfsg-1 (bug #1020589) [bullseye] - batik (Minor issue) [buster] - batik (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/09/22/3 @@ -6595,7 +6595,7 @@ CVE-2022-38650 CVE-2022-38649 RESERVED CVE-2022-38648 (Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XM ...) - - batik (bug #1020589) + - batik 1.15+dfsg-1 (bug #1020589) [bullseye] - batik (Minor issue) [buster] - batik (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/09/22/4 @@ -7324,7 +7324,7 @@ CVE-2020-36593 CVE-2020-36592 RESERVED CVE-2022-38398 (Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XM ...) - - batik (bug #1020589) + - batik 1.15+dfsg-1 (bug #1020589) [bullseye] - batik (Minor issue) [buster] - batik (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/09/22/2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d69e0e9b0eb144fea2dbda9afa84466e9addf2a5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d69e0e9b0eb144fea2dbda9afa84466e9addf2a5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 4 commits: mark CVE-2022-1325 as no-dsa for Buster
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: c02c32ab by Thorsten Alteholz at 2022-09-25T16:52:30+02:00 mark CVE-2022-1325 as no-dsa for Buster - - - - - 4fbc37db by Thorsten Alteholz at 2022-09-25T16:54:02+02:00 mark CVE-2022-36114 and CVE-2022-36113 as no-dsa for Buster - - - - - b1fe2a10 by Thorsten Alteholz at 2022-09-25T16:55:50+02:00 mark CVE-2022-24728 as no-dsa for Buster - - - - - 53735b97 by Thorsten Alteholz at 2022-09-25T16:56:49+02:00 mark CVE-2022-24729 as no-dsa for Buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13430,15 +13430,19 @@ CVE-2022-36115 (An issue was discovered in Blue Prism Enterprise 6.0 through 7.0 CVE-2022-36114 (Cargo is a package manager for the rust programming language. It was d ...) - cargo [bullseye] - cargo (Minor issue) + [buster] - cargo (Minor issue) - rust-cargo [bullseye] - rust-cargo (Minor issue) + [buster] - rust-cargo (Minor issue) NOTE: https://github.com/rust-lang/cargo/security/advisories/GHSA-2hvr-h6gw-qrxp NOTE: https://github.com/rust-lang/cargo/commit/d1f9553c825f6d7481453be8d58d0e7f117988a7 CVE-2022-36113 (Cargo is a package manager for the rust programming language. After a ...) - cargo [bullseye] - cargo (Minor issue) + [buster] - cargo (Minor issue) - rust-cargo [bullseye] - rust-cargo (Minor issue) + [buster] - rust-cargo (Minor issue) NOTE: https://github.com/rust-lang/cargo/security/advisories/GHSA-rfj2-q3h3-hm5j NOTE: https://github.com/rust-lang/cargo/commit/97b80919e404b0768ea31ae329c3b4da54bed05a CVE-2022-36112 (GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free ...) 
@@ -33077,6 +33081,7 @@ CVE-2022-1326 (The Form - Contact Form WordPress plugin through 1.2.0 does not s CVE-2022-1325 (A flaw was found in Clmg, where with the help of a maliciously crafted ...) - cimg (bug #1018941) [bullseye] - cimg (Minor issue) + [buster] - cimg (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2074549 NOTE: https://github.com/GreycLab/CImg/commit/619cb58dd90b4e03ac68286c70ed98acbefd1c90 (v3.1.0) NOTE: https://github.com/GreycLab/CImg/issues/343 @@ -45754,6 +45759,7 @@ CVE-2022-24730 (Argo CD is a declarative, GitOps continuous delivery tool for Ku CVE-2022-24729 (CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. ...) - ckeditor 4.19.0+dfsg-1 [bullseye] - ckeditor (Minor issue) + [buster] - ckeditor (Minor issue) - ckeditor3 (bug #1015217) [bullseye] - ckeditor3 (Minor issue) [buster] - ckeditor3 (No longer supported in LTS) @@ -45762,6 +45768,7 @@ CVE-2022-24729 (CKEditor4 is an open source what-you-see-is-what-you-get HTML ed CVE-2022-24728 (CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. ...) - ckeditor 4.19.0+dfsg-1 [bullseye] - ckeditor (Minor issue) + [buster] - ckeditor (Minor issue) - ckeditor3 (bug #1015217) [bullseye] - ckeditor3 (Minor issue) [buster] - ckeditor3 (No longer supported in LTS) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cdb9eaead2faa2f01f1067200e0e08d6c682eaa0...53735b97781f43e261687278822b33dc75e053a2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cdb9eaead2faa2f01f1067200e0e08d6c682eaa0...53735b97781f43e261687278822b33dc75e053a2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: mark CVE-2022-25869 and CVE-2022-25844 as no-dsa for Buster
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 06844544 by Thorsten Alteholz at 2022-09-25T16:23:47+02:00 mark CVE-2022-25869 and CVE-2022-25844 as no-dsa for Buster - - - - - 835bdb50 by Thorsten Alteholz at 2022-09-25T16:31:04+02:00 follow sec team and mark three CVEs for batik as no-dsa - - - - - cdb9eaea by Thorsten Alteholz at 2022-09-25T16:37:15+02:00 add bind9 - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -2853,6 +2853,7 @@ CVE-2022-40147 CVE-2022-40146 (Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XM ...) - batik (bug #1020589) [bullseye] - batik (Minor issue) + [buster] - batik (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/09/22/3 NOTE: https://issues.apache.org/jira/browse/BATIK-1335 NOTE: http://svn.apache.org/viewvc?view=revision=1903910 @@ -6596,6 +6597,7 @@ CVE-2022-38649 CVE-2022-38648 (Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XM ...) - batik (bug #1020589) [bullseye] - batik (Minor issue) + [buster] - batik (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/09/22/4 NOTE: https://issues.apache.org/jira/browse/BATIK-1333 NOTE: http://svn.apache.org/viewvc?view=revision=1903625 @@ -7324,6 +7326,7 @@ CVE-2020-36592 CVE-2022-38398 (Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XM ...) - batik (bug #1020589) [bullseye] - batik (Minor issue) + [buster] - batik (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/09/22/2 NOTE: https://issues.apache.org/jira/browse/BATIK-1331 NOTE: http://svn.apache.org/viewvc?view=revision=1903462 
@@ -42150,6 +42153,7 @@ CVE-2022-25871 (All versions of package querymen are vulnerable to Prototype Pol CVE-2022-25869 (All versions of package angular are vulnerable to Cross-site Scripting ...) - angular.js [bullseye] - angular.js (Minor issue) + [buster] - angular.js (Minor issue) NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-2949781 CVE-2022-25867 (The package io.socket:socket.io-client before 2.0.1 are vulnerable to ...) NOT-FOR-US: socket.io-client-java @@ -42206,6 +42210,7 @@ CVE-2022-25845 (The package com.alibaba:fastjson before 1.2.83 are vulnerable to CVE-2022-25844 (The package angular after 1.7.0 are vulnerable to Regular Expression D ...) - angular.js (bug #1014779) [bullseye] - angular.js (Minor issue) + [buster] - angular.js (Minor issue, probably even not-affected) [stretch] - angular.js (Nodejs in stretch not covered by security support) NOTE: https://snyk.io/vuln/SNYK-JS-ANGULAR-2772735 CVE-2022-25843 = data/dla-needed.txt = @@ -18,6 +18,9 @@ asterisk NOTE: 20220829: Ongoing triaging work. Maybe we should think about syncing NOTE: 20220829: bullseye and buster. (apo) -- +bind9: + NOTE: 20220925: Programming language: C. +-- bluez NOTE: 20220902: Programming language: C. NOTE: 20220902: Consider synchronizing with Stretch. (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d7f8f3d0648ba55c543088f90ceb18610d11773d...cdb9eaead2faa2f01f1067200e0e08d6c682eaa0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d7f8f3d0648ba55c543088f90ceb18610d11773d...cdb9eaead2faa2f01f1067200e0e08d6c682eaa0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
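Review bot: the buster annotation for CVE-2022-25844 reads "(Minor issue, probably even not-affected)", but the description says only angular "after 1.7.0" is vulnerable; if the angular.js version in buster is at or below 1.7.0 the line should be a not-affected annotation that states the version, not a no-dsa with a hedged reason, so check the buster version and record the outcome explicitly so the entry does not need a second triage pass.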
[Git][security-tracker-team/security-tracker][master] LTS: take dovecot
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: d7f8f3d0 by Anton Gladky at 2022-09-25T12:30:34+02:00 LTS: take dovecot - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -27,7 +27,7 @@ curl NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git NOTE: 20220904: Special attention: high popcon!. -- -dovecot +dovecot (Anton) NOTE: 20220913: Programming language: C. NOTE: 20220913: VCS: https://salsa.debian.org/lts-team/packages/dovecot.git NOTE: 20220913: Harmonize with bullseye: 1 CVE fixed in Debian 11.5 + 2 other postponed CVEs (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7f8f3d0648ba55c543088f90ceb18610d11773d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7f8f3d0648ba55c543088f90ceb18610d11773d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] mark CVE-2022-38528 as no-dsa for Buster (no fix yet; follow sec team)
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 74c7b448 by Thorsten Alteholz at 2022-09-25T10:51:13+02:00 mark CVE-2022-38528 as no-dsa for Buster (no fix yet; follow sec team) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6903,6 +6903,7 @@ CVE-2022-38529 (tinyexr commit 0647fb3 was discovered to contain a heap-buffer o CVE-2022-38528 (Open Asset Import Library (assimp) commit 3c253ca was discovered to co ...) - assimp [bullseye] - assimp (Minor issue) + [buster] - assimp (Minor issue) NOTE: https://github.com/assimp/assimp/issues/4662 CVE-2022-38527 (UCMS v1.6.0 was discovered to contain a cross-site scripting (XSS) vul ...) NOT-FOR-US: UCMS View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/74c7b448d61183590a566342764a40954c549a41 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/74c7b448d61183590a566342764a40954c549a41 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] sec team marked all CVEs as unimportant, so nothing to do here as well
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: e7f31c6a by Thorsten Alteholz at 2022-09-25T10:34:15+02:00 sec team marked all CVEs as unimportant, so nothing to do here as well - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -186,11 +186,6 @@ thunderbird (Emilio) trafficserver NOTE: 20220905: Programming language: C. -- -upx-ucl (Thorsten Alteholz) - NOTE: 20220820: Programming language: C. - NOTE: 20220820: CVE-2020-27787 may be not-affected. (Chris Lamb) - NOTE: 20220911: testing package --- vim NOTE: 20220904: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/vim.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7f31c6abb72848c5c3fb66d9d6c8980e881340c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7f31c6abb72848c5c3fb66d9d6c8980e881340c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
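Review bot: removing the upx-ucl block from data/dla-needed.txt also discards the triage notes "CVE-2020-27787 may be not-affected. (Chris Lamb)" and "testing package"; the commit message says the security team marked all CVEs unimportant, so make sure the upx-ucl entries in data/CVE/list now carry that determination (and the not-affected finding for CVE-2020-27787, if it was confirmed), since this hunk is the only place those findings were written down.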
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9321481f by security tracker role at 2022-09-25T08:10:10+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1615,7 +1615,7 @@ CVE-2022-30545 CVE-2020-36603 (The HoYoVerse (formerly miHoYo) Genshin Impact mhyprot2.sys 1.0.0.0 an ...) NOT-FOR-US: HoYoVerse (formerly miHoYo) Genshin Impact CVE-2022-40674 (libexpat before 2.4.9 has a use-after-free in the doContent function i ...) - {DSA-5236-1} + {DSA-5236-1 DLA-3119-1} - expat 2.4.8-2 (bug #1019761) NOTE: https://github.com/libexpat/libexpat/pull/629 NOTE: https://github.com/libexpat/libexpat/pull/640 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9321481f196328dbe101af9a8d0ee63441ec54c0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9321481f196328dbe101af9a8d0ee63441ec54c0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3119-1 for expat
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 3ecf83c5 by Thorsten Alteholz at 2022-09-25T09:04:17+02:00 Reserve DLA-3119-1 for expat - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[25 Sep 2022] DLA-3119-1 expat - security update + {CVE-2022-40674} + [buster] - expat 2.2.6-2+deb10u5 [22 Sep 2022] DLA-3118-1 unzip - security update {CVE-2022-0529 CVE-2022-0530} [buster] - unzip 6.0-23+deb10u3 = data/dla-needed.txt = @@ -36,9 +36,6 @@ exiv2 NOTE: 20220819: Programming language: C++. NOTE: 20220819: https://github.com/Exiv2/exiv2/commit/109d5df7abd329f141b500c92a00178d35a6bef3#diff-bd28aafd4c87975a3a236af74c2200db447587fa0bb4f43ba9beb98738c77b2aL292 does not directly apply, but a very quick glance suggests the earlier code may be equally vulnerable. (Chris Lamb) -- -expat (Thorsten Alteholz) - NOTE: 20220922: Programming language: C. --- firefox-esr (Emilio) -- firmware-nonfree View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3ecf83c5689e40ede8625980a64a79026b5dac0b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3ecf83c5689e40ede8625980a64a79026b5dac0b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits