[Git][security-tracker-team/security-tracker][master] Trim additional whitespaces in NOTE

2022-09-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2bffcecc by Salvatore Bonaccorso at 2022-09-26T07:31:15+02:00
Trim additional whitespaces in NOTE

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -24116,7 +24116,7 @@ CVE-2022-32087 (MariaDB v10.2 to v10.7 was discovered 
to contain a segmentation
- mariadb-10.5 
- mariadb-10.3 
NOTE: https://jira.mariadb.org/browse/MDEV-26437
-   NOTE: Fixed in:  10.3.35, 10.4.25, 10.5.16, 10.6.8, 10.7.4
+   NOTE: Fixed in: 10.3.35, 10.4.25, 10.5.16, 10.6.8, 10.7.4
 CVE-2022-32086 (MariaDB v10.4 to v10.8 was discovered to contain a 
segmentation fault  ...)
- mariadb-10.6 1:10.6.8-1
- mariadb-10.5 
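Review bot: the trimmed "Fixed in" NOTE for CVE-2022-32087 starts at 10.3.35, while the entry's own description says "MariaDB v10.2 to v10.7" and the sibling entry CVE-2022-32088 (same {DLA-3114-1}, same description range) lists "10.2.44, 10.3.35, 10.4.25, 10.5.16, 10.6.8, 10.7.4"; check MDEV-26437 for whether 10.2.44 carries this fix as well and add it to the NOTE if so, so the two adjacent MariaDB entries do not disagree about the same release line.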



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2bffcecc11900eddc7a06a334018d8ee5dc76844

You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-28200 as ignored for buster

2022-09-25 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3c7a7e4d by Anton Gladky at 2022-09-26T07:20:01+02:00
Mark CVE-2020-28200 as ignored for buster

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -137214,7 +137214,7 @@ CVE-2020-28201
 CVE-2020-28200 (The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled 
Resource ...)
- dovecot 1:2.3.16+dfsg1-1 (bug #990566; bug #991323)
[bullseye] - dovecot  (Minor issue, fix along with next 
update)
-   [buster] - dovecot  (Minor issue, fix along with next update)
+   [buster] - dovecot  (Minor issue, backport is too disruptive)
[stretch] - dovecot  (Minor issue)
NOTE: https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html
NOTE: https://www.openwall.com/lists/oss-security/2021/06/28/3
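Review bot: the buster reason text becomes "backport is too disruptive" while the bullseye line two lines up still says "fix along with next update", and the dla-needed.txt entry for dovecot elsewhere in this digest reads "Harmonize with bullseye: 1 CVE fixed in Debian 11.5 + 2 other postponed CVEs"; if CVE-2020-28200 is now ignored for buster rather than postponed, that dla-needed note should be updated to say which CVEs remain in scope, otherwise the buster and bullseye states drift apart silently. The state tag between "dovecot" and the parenthesised reason is not visible in this rendering (only a double space remains), so the postponed-to-ignored change the commit message describes is documented here by the reason text alone.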



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c7a7e4debcab7ece80328ba3b4c8f5aee44d729



[Git][security-tracker-team/security-tracker][master] Track fixedversion for CVE-2022-32088/mariadb-10.6

2022-09-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
05303965 by Salvatore Bonaccorso at 2022-09-26T07:16:30+02:00
Track fixedversion for CVE-2022-32088/mariadb-10.6

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -24105,10 +24105,11 @@ CVE-2022-32089 (MariaDB v10.5 to v10.7 was discovered 
to contain a segmentation
NOTE: https://jira.mariadb.org/browse/MDEV-26410
 CVE-2022-32088 (MariaDB v10.2 to v10.7 was discovered to contain a 
segmentation fault  ...)
{DLA-3114-1}
-   - mariadb-10.6 
+   - mariadb-10.6 1:10.6.8-1
- mariadb-10.5 
- mariadb-10.3 
NOTE: https://jira.mariadb.org/browse/MDEV-26419
+   NOTE: Fixed in: 10.2.44, 10.3.35, 10.4.25, 10.5.16, 10.6.8, 10.7.4
 CVE-2022-32087 (MariaDB v10.2 to v10.7 was discovered to contain a 
segmentation fault  ...)
{DLA-3114-1}
- mariadb-10.6 1:10.6.8-1
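Review bot: the new "Fixed in" NOTE names 10.3.35 and 10.5.16, yet the "- mariadb-10.3" and "- mariadb-10.5" lines directly above it keep an empty fixed version; either record the Debian versions that ship those upstream releases or, if these source packages have been removed from unstable, note that, because an empty version here reads as still unfixed in unstable. The {DLA-3114-1} reference covers buster only.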



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/05303965a2bad11cda817c3eeb15254eb564c297



[Git][security-tracker-team/security-tracker][master] 2 commits: Remove no-dsa tags for upcoming security update of poppler.

2022-09-25 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
96fe1f44 by Markus Koschany at 2022-09-26T00:12:08+02:00
Remove no-dsa tags for upcoming security update of poppler.

- - - - -
ca01099d by Markus Koschany at 2022-09-26T00:14:33+02:00
Reserve DLA-3120-1 for poppler

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -38160,7 +38160,6 @@ CVE-2022-27338
 CVE-2022-27337 (A logic error in the Hints::Hints function of Poppler v22.03.0 
allows  ...)
{DSA-5224-1}
- poppler 22.08.0-2 (bug #1010695)
-   [buster] - poppler  (Minor issue)
[stretch] - poppler  (Minor issue)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1230
NOTE: 
https://gitlab.freedesktop.org/poppler/poppler/-/commit/81044c64b9ed9a10ae82a28bac753060bdfdac74
 (poppler-22.04.0)
@@ -138532,7 +138531,6 @@ CVE-2020-27779 (A flaw was found in grub2 in versions 
prior to 2.06. The cutmem
[stretch] - grub2  (No SecureBoot support in stretch)
 CVE-2020-27778 (A flaw was found in Poppler in the way certain PDF files were 
converte ...)
- poppler 0.85.0-2
-   [buster] - poppler  (Minor issue)
[stretch] - poppler  (Minor issue; maybe worth fixing later)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/742
NOTE: 
https://gitlab.freedesktop.org/poppler/poppler/-/commit/30c731b487190c02afff3f036736a392eb60cd9a
 (poppler-0.76.0)
@@ -223240,7 +223238,6 @@ CVE-2019-14494 (An issue was discovered in Poppler 
through 0.78.0. There is a di
{DLA-2440-1}
[experimental] - poppler 0.81.0-1
- poppler 0.85.0-2 (bug #933812)
-   [buster] - poppler  (Minor issue)
[jessie] - poppler  (Minor issue)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/802
NOTE: https://gitlab.freedesktop.org/poppler/poppler/merge_requests/317
@@ -237600,7 +237597,6 @@ CVE-2019-9959 (The JPXStream::init function in 
Poppler 0.78.0 and earlier doesn'
{DLA-2440-1 DLA-1963-1}
[experimental] - poppler 0.81.0-1
- poppler 0.85.0-2 (low; bug #941776)
-   [buster] - poppler  (Minor issue)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/805
NOTE: Patch: 
https://gitlab.freedesktop.org/poppler/poppler/commit/68ef84e5968a4249c2162b839ca6d7975048a557
 (poppler-0.79.0)
NOTE: Reproducer: 
https://gitlab.freedesktop.org/poppler/poppler/uploads/3f22837ebd503f87e730b51221b89742/raiter_issue5465.pdf
@@ -237790,7 +237786,6 @@ CVE-2019-9904 (An issue was discovered in 
lib\cdt\dttree.c in libcdt.a in graphv
 CVE-2019-9903 (PDFDoc::markObject in PDFDoc.cc in Poppler 0.74.0 mishandles 
dict mark ...)
[experimental] - poppler 0.81.0-1
- poppler 0.85.0-2 (low; bug #925264)
-   [buster] - poppler  (Minor issue)
[stretch] - poppler  (Minor issue)
[jessie] - poppler  (Vulnerable code not present)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/741
@@ -255186,7 +255181,6 @@ CVE-2018-20650 (A reachable Object::dictLookup 
assertion in Poppler 0.72.0 allow
{DLA-2440-1 DLA-1939-1}
[experimental] - poppler 0.81.0-1
- poppler 0.85.0-2 (low; bug #917974)
-   [buster] - poppler  (Minor issue)
NOTE: 
https://gitlab.freedesktop.org/poppler/poppler/commit/de0c0b8324e776f0b851485e0fc9622fc35695b7
NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/704
 CVE-2018-20649
@@ -267313,7 +267307,6 @@ CVE-2018-19058 (An issue was discovered in Poppler 
0.71.0. There is a reachable
{DLA-2440-1 DLA-1706-1}
[experimental] - poppler 0.81.0-1
- poppler 0.85.0-2 (low; bug #913177)
-   [buster] - poppler  (Minor issue)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/659
NOTE: 
https://gitlab.freedesktop.org/poppler/poppler/commit/6912e06d9ab19ba28991b5cab3319d61d856bd6d
 CVE-2018-19057 (SimpleMDE 1.11.2 has XSS via an onerror attribute of a crafted 
IMG ele ...)
@@ -267692,7 +267685,6 @@ CVE-2018-18898 (The email-ingestion feature in Best 
Practical Request Tracker 4.
 CVE-2018-18897 (An issue was discovered in Poppler 0.71.0. There is a memory 
leak in G ...)
[experimental] - poppler 0.81.0-1
- poppler 0.85.0-2 (low; bug #913164)
-   [buster] - poppler  (Negligible security impact)
[stretch] - poppler  (Negligible security impact)
[jessie] - poppler  (Negligible security impact; memory leak)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/654
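Review bot: the buster tag removed for CVE-2018-18897 read "Negligible security impact", the stretch and jessie lines below still say so ("memory leak"), and the unstable line carries "low"; folding it into the poppler DLA alongside the other issues is reasonable, but the advisory text for DLA-3120-1 should describe it as a memory leak fixed opportunistically rather than as a security fix in its own right, so the severity stated in the DLA matches the tracker.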


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[26 Sep 2022] DLA-3120-1 poppler - security update
+   {CVE-2018-18897 CVE-2018-19058 CVE-2018-20650 CVE-2019-9903 
CVE-2019-9959 CVE-2019-14494 CVE-2020-27778 
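Review bot: the DLA-3120-1 entry as shown stops after CVE-2020-27778 and has no "[buster] - poppler <version>" line, which every other DLA entry on this page carries (for instance DLA-3119-1: "[buster] - expat 2.2.6-2+deb10u5"); CVE-2022-27337, whose buster tag the first commit of this push removes, also does not appear in the visible CVE list. Eight entries lost their buster tag in this push and seven CVEs are visible here, so confirm the complete entry lists all eight and names the fixed buster version.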

[Git][security-tracker-team/security-tracker][master] automatic update

2022-09-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a719ee83 by security tracker role at 2022-09-25T20:10:23+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,7 @@
+CVE-2022-41343 (registerFont in FontMetrics.php in Dompdf before 2.0.1 allows 
remote f ...)
+   TODO: check
+CVE-2022-36368
+   RESERVED
 CVE-2022-41340 (The secp256k1-js package before 1.1.0 for Node.js implements 
ECDSA wit ...)
TODO: check
 CVE-2022-41339
@@ -6,10 +10,9 @@ CVE-2022-41338
RESERVED
 CVE-2022-41337
RESERVED
-CVE-2022-3297
-   RESERVED
-CVE-2022-3296
-   RESERVED
+CVE-2022-3297 (Use After Free in GitHub repository vim/vim prior to 9.0.0579. 
...)
+   TODO: check
+CVE-2022-3296 (Stack-based Buffer Overflow in GitHub repository vim/vim prior 
to 9.0. ...)
- vim 
NOTE: https://huntr.dev/bounties/958866b8-526a-4979-9471-39392e0c9077
NOTE: 
https://github.com/vim/vim/commit/96b9bf8f74af8abf1e30054f996708db7dc285be 
(v9.0.0577)
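Review bot: CVE-2022-3297 is left at "TODO: check" even though its description ("Use After Free in GitHub repository vim/vim prior to 9.0.0579") places it in the same package as CVE-2022-3296 directly below, which already has the "- vim" line and the upstream commit reference; it wants the same package line and a NOTE pointing at its own fix. The "- vim" line for CVE-2022-3296 still has an empty fixed version although the NOTE pins the fix to v9.0.0577, so a fixed Debian version should be recorded once a vim upload containing that commit reaches unstable.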



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a719ee832d4c8dd14e466384493f911133e26b11



[Git][security-tracker-team/security-tracker][master] Add CVE-2022-3296

2022-09-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9ebd898b by Salvatore Bonaccorso at 2022-09-25T21:17:29+02:00
Add CVE-2022-3296

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -10,6 +10,9 @@ CVE-2022-3297
RESERVED
 CVE-2022-3296
RESERVED
+   - vim 
+   NOTE: https://huntr.dev/bounties/958866b8-526a-4979-9471-39392e0c9077
+   NOTE: 
https://github.com/vim/vim/commit/96b9bf8f74af8abf1e30054f996708db7dc285be 
(v9.0.0577)
 CVE-2022-3295
RESERVED
 CVE-2022-3294



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9ebd898b46450d3f1afe2f891a7f25749809ada4



[Git][security-tracker-team/security-tracker][master] Track fixed batik issues in unstable

2022-09-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d69e0e9b by Salvatore Bonaccorso at 2022-09-25T17:07:11+02:00
Track fixed batik issues in unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2851,7 +2851,7 @@ CVE-2022-40148
 CVE-2022-40147
RESERVED
 CVE-2022-40146 (Server-Side Request Forgery (SSRF) vulnerability in Batik of 
Apache XM ...)
-   - batik  (bug #1020589)
+   - batik 1.15+dfsg-1 (bug #1020589)
[bullseye] - batik  (Minor issue)
[buster] - batik  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2022/09/22/3
@@ -6595,7 +6595,7 @@ CVE-2022-38650
 CVE-2022-38649
RESERVED
 CVE-2022-38648 (Server-Side Request Forgery (SSRF) vulnerability in Batik of 
Apache XM ...)
-   - batik  (bug #1020589)
+   - batik 1.15+dfsg-1 (bug #1020589)
[bullseye] - batik  (Minor issue)
[buster] - batik  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2022/09/22/4
@@ -7324,7 +7324,7 @@ CVE-2020-36593
 CVE-2020-36592
RESERVED
 CVE-2022-38398 (Server-Side Request Forgery (SSRF) vulnerability in Batik of 
Apache XM ...)
-   - batik  (bug #1020589)
+   - batik 1.15+dfsg-1 (bug #1020589)
[bullseye] - batik  (Minor issue)
[buster] - batik  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2022/09/22/2



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d69e0e9b0eb144fea2dbda9afa84466e9addf2a5



[Git][security-tracker-team/security-tracker][master] 4 commits: mark CVE-2022-1325 as no-dsa for Buster

2022-09-25 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c02c32ab by Thorsten Alteholz at 2022-09-25T16:52:30+02:00
mark CVE-2022-1325 as no-dsa for Buster

- - - - -
4fbc37db by Thorsten Alteholz at 2022-09-25T16:54:02+02:00
mark CVE-2022-36114 and CVE-2022-36113 as no-dsa for Buster

- - - - -
b1fe2a10 by Thorsten Alteholz at 2022-09-25T16:55:50+02:00
mark CVE-2022-24728 as no-dsa for Buster

- - - - -
53735b97 by Thorsten Alteholz at 2022-09-25T16:56:49+02:00
mark CVE-2022-24729 as no-dsa for Buster

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13430,15 +13430,19 @@ CVE-2022-36115 (An issue was discovered in Blue Prism 
Enterprise 6.0 through 7.0
 CVE-2022-36114 (Cargo is a package manager for the rust programming language. 
It was d ...)
- cargo 
[bullseye] - cargo  (Minor issue)
+   [buster] - cargo  (Minor issue)
- rust-cargo 
[bullseye] - rust-cargo  (Minor issue)
+   [buster] - rust-cargo  (Minor issue)
NOTE: 
https://github.com/rust-lang/cargo/security/advisories/GHSA-2hvr-h6gw-qrxp
NOTE: 
https://github.com/rust-lang/cargo/commit/d1f9553c825f6d7481453be8d58d0e7f117988a7
 CVE-2022-36113 (Cargo is a package manager for the rust programming language. 
After a  ...)
- cargo 
[bullseye] - cargo  (Minor issue)
+   [buster] - cargo  (Minor issue)
- rust-cargo 
[bullseye] - rust-cargo  (Minor issue)
+   [buster] - rust-cargo  (Minor issue)
NOTE: 
https://github.com/rust-lang/cargo/security/advisories/GHSA-rfj2-q3h3-hm5j
NOTE: 
https://github.com/rust-lang/cargo/commit/97b80919e404b0768ea31ae329c3b4da54bed05a
 CVE-2022-36112 (GLPI stands for Gestionnaire Libre de Parc Informatique and is 
a Free  ...)
@@ -33077,6 +33081,7 @@ CVE-2022-1326 (The Form - Contact Form WordPress plugin 
through 1.2.0 does not s
 CVE-2022-1325 (A flaw was found in Clmg, where with the help of a maliciously 
crafted ...)
- cimg  (bug #1018941)
[bullseye] - cimg  (Minor issue)
+   [buster] - cimg  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2074549
NOTE: 
https://github.com/GreycLab/CImg/commit/619cb58dd90b4e03ac68286c70ed98acbefd1c90
 (v3.1.0)
NOTE: https://github.com/GreycLab/CImg/issues/343
@@ -45754,6 +45759,7 @@ CVE-2022-24730 (Argo CD is a declarative, GitOps 
continuous delivery tool for Ku
 CVE-2022-24729 (CKEditor4 is an open source what-you-see-is-what-you-get HTML 
editor.  ...)
- ckeditor 4.19.0+dfsg-1
[bullseye] - ckeditor  (Minor issue)
+   [buster] - ckeditor  (Minor issue)
- ckeditor3  (bug #1015217)
[bullseye] - ckeditor3  (Minor issue)
[buster] - ckeditor3  (No longer supported in LTS)
@@ -45762,6 +45768,7 @@ CVE-2022-24729 (CKEditor4 is an open source 
what-you-see-is-what-you-get HTML ed
 CVE-2022-24728 (CKEditor4 is an open source what-you-see-is-what-you-get HTML 
editor.  ...)
- ckeditor 4.19.0+dfsg-1
[bullseye] - ckeditor  (Minor issue)
+   [buster] - ckeditor  (Minor issue)
- ckeditor3  (bug #1015217)
[bullseye] - ckeditor3  (Minor issue)
[buster] - ckeditor3  (No longer supported in LTS)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cdb9eaead2faa2f01f1067200e0e08d6c682eaa0...53735b97781f43e261687278822b33dc75e053a2



[Git][security-tracker-team/security-tracker][master] 3 commits: mark CVE-2022-25869 and CVE-2022-25844 as no-dsa for Buster

2022-09-25 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
06844544 by Thorsten Alteholz at 2022-09-25T16:23:47+02:00
mark CVE-2022-25869 and CVE-2022-25844 as no-dsa for Buster

- - - - -
835bdb50 by Thorsten Alteholz at 2022-09-25T16:31:04+02:00
follow sec team and mark three CVEs for batik as no-dsa

- - - - -
cdb9eaea by Thorsten Alteholz at 2022-09-25T16:37:15+02:00
add bind9

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -2853,6 +2853,7 @@ CVE-2022-40147
 CVE-2022-40146 (Server-Side Request Forgery (SSRF) vulnerability in Batik of 
Apache XM ...)
- batik  (bug #1020589)
[bullseye] - batik  (Minor issue)
+   [buster] - batik  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2022/09/22/3
NOTE: https://issues.apache.org/jira/browse/BATIK-1335
NOTE: http://svn.apache.org/viewvc?view=revision=1903910
@@ -6596,6 +6597,7 @@ CVE-2022-38649
 CVE-2022-38648 (Server-Side Request Forgery (SSRF) vulnerability in Batik of 
Apache XM ...)
- batik  (bug #1020589)
[bullseye] - batik  (Minor issue)
+   [buster] - batik  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2022/09/22/4
NOTE: https://issues.apache.org/jira/browse/BATIK-1333
NOTE: http://svn.apache.org/viewvc?view=revision=1903625
@@ -7324,6 +7326,7 @@ CVE-2020-36592
 CVE-2022-38398 (Server-Side Request Forgery (SSRF) vulnerability in Batik of 
Apache XM ...)
- batik  (bug #1020589)
[bullseye] - batik  (Minor issue)
+   [buster] - batik  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2022/09/22/2
NOTE: https://issues.apache.org/jira/browse/BATIK-1331
NOTE: http://svn.apache.org/viewvc?view=revision=1903462
@@ -42150,6 +42153,7 @@ CVE-2022-25871 (All versions of package querymen are 
vulnerable to Prototype Pol
 CVE-2022-25869 (All versions of package angular are vulnerable to Cross-site 
Scripting ...)
- angular.js 
[bullseye] - angular.js  (Minor issue)
+   [buster] - angular.js  (Minor issue)
NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-2949781
 CVE-2022-25867 (The package io.socket:socket.io-client before 2.0.1 are 
vulnerable to  ...)
NOT-FOR-US: socket.io-client-java
@@ -42206,6 +42210,7 @@ CVE-2022-25845 (The package com.alibaba:fastjson before 
1.2.83 are vulnerable to
 CVE-2022-25844 (The package angular after 1.7.0 are vulnerable to Regular 
Expression D ...)
- angular.js  (bug #1014779)
[bullseye] - angular.js  (Minor issue)
+   [buster] - angular.js  (Minor issue, probably even not-affected)
[stretch] - angular.js  (Nodejs in stretch not covered by 
security support)
NOTE: https://snyk.io/vuln/SNYK-JS-ANGULAR-2772735
 CVE-2022-25843
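Review bot: "Minor issue, probably even not-affected" on the new buster line for CVE-2022-25844 hedges between two distinct tracker states; the description says the affected versions are "after 1.7.0", so check the angular.js version in buster and mark the entry not-affected if it is 1.7.0 or older, otherwise keep the no-dsa reason without the "probably" clause so the triage decision is unambiguous. The CVE-2022-25869 hunk above carries no such doubt and is fine as is.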


=
data/dla-needed.txt
=
@@ -18,6 +18,9 @@ asterisk
   NOTE: 20220829: Ongoing triaging work. Maybe we should think about syncing
   NOTE: 20220829: bullseye and buster. (apo)
 --
+bind9:
+  NOTE: 20220925: Programming language: C.
+--
 bluez
   NOTE: 20220902: Programming language: C.
   NOTE: 20220902: Consider synchronizing with Stretch. (apo)
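Review bot: the new entry is written as "bind9:" with a trailing colon, whereas the neighbouring entries in dla-needed.txt (asterisk, bluez, curl, dovecot) use the bare package name; drop the colon so the entry follows the file's convention and is not treated as a different package name by anything that matches on the line.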



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d7f8f3d0648ba55c543088f90ceb18610d11773d...cdb9eaead2faa2f01f1067200e0e08d6c682eaa0



[Git][security-tracker-team/security-tracker][master] LTS: take dovecot

2022-09-25 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d7f8f3d0 by Anton Gladky at 2022-09-25T12:30:34+02:00
LTS: take dovecot

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -27,7 +27,7 @@ curl
   NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git
   NOTE: 20220904: Special attention: high popcon!.
 --
-dovecot
+dovecot (Anton)
   NOTE: 20220913: Programming language: C.
   NOTE: 20220913: VCS: https://salsa.debian.org/lts-team/packages/dovecot.git
   NOTE: 20220913: Harmonize with bullseye: 1 CVE fixed in Debian 11.5 + 2 
other postponed CVEs (Beuc/front-desk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7f8f3d0648ba55c543088f90ceb18610d11773d



[Git][security-tracker-team/security-tracker][master] mark CVE-2022-38528 as no-dsa for Buster (no fix yet; follow sec team)

2022-09-25 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
74c7b448 by Thorsten Alteholz at 2022-09-25T10:51:13+02:00
mark CVE-2022-38528 as no-dsa for Buster (no fix yet; follow sec team)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6903,6 +6903,7 @@ CVE-2022-38529 (tinyexr commit 0647fb3 was discovered to 
contain a heap-buffer o
 CVE-2022-38528 (Open Asset Import Library (assimp) commit 3c253ca was 
discovered to co ...)
- assimp 
[bullseye] - assimp  (Minor issue)
+   [buster] - assimp  (Minor issue)
NOTE: https://github.com/assimp/assimp/issues/4662
 CVE-2022-38527 (UCMS v1.6.0 was discovered to contain a cross-site scripting 
(XSS) vul ...)
NOT-FOR-US: UCMS



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/74c7b448d61183590a566342764a40954c549a41



[Git][security-tracker-team/security-tracker][master] sec team marked all CVEs as unimportant, so nothing to do here as well

2022-09-25 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e7f31c6a by Thorsten Alteholz at 2022-09-25T10:34:15+02:00
sec team marked all CVEs as unimportant, so nothing to do here as well

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -186,11 +186,6 @@ thunderbird (Emilio)
 trafficserver
   NOTE: 20220905: Programming language: C.
 --
-upx-ucl (Thorsten Alteholz)
-  NOTE: 20220820: Programming language: C.
-  NOTE: 20220820: CVE-2020-27787 may be not-affected. (Chris Lamb)
-  NOTE: 20220911: testing package
---
 vim
   NOTE: 20220904: Programming language: C.
   NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/vim.git



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7f31c6abb72848c5c3fb66d9d6c8980e881340c



[Git][security-tracker-team/security-tracker][master] automatic update

2022-09-25 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9321481f by security tracker role at 2022-09-25T08:10:10+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1615,7 +1615,7 @@ CVE-2022-30545
 CVE-2020-36603 (The HoYoVerse (formerly miHoYo) Genshin Impact mhyprot2.sys 
1.0.0.0 an ...)
NOT-FOR-US: HoYoVerse (formerly miHoYo) Genshin Impact
 CVE-2022-40674 (libexpat before 2.4.9 has a use-after-free in the doContent 
function i ...)
-   {DSA-5236-1}
+   {DSA-5236-1 DLA-3119-1}
- expat 2.4.8-2 (bug #1019761)
NOTE: https://github.com/libexpat/libexpat/pull/629
NOTE: https://github.com/libexpat/libexpat/pull/640



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9321481f196328dbe101af9a8d0ee63441ec54c0



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3119-1 for expat

2022-09-25 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3ecf83c5 by Thorsten Alteholz at 2022-09-25T09:04:17+02:00
Reserve DLA-3119-1 for expat

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[25 Sep 2022] DLA-3119-1 expat - security update
+   {CVE-2022-40674}
+   [buster] - expat 2.2.6-2+deb10u5
 [22 Sep 2022] DLA-3118-1 unzip - security update
{CVE-2022-0529 CVE-2022-0530}
[buster] - unzip 6.0-23+deb10u3


=
data/dla-needed.txt
=
@@ -36,9 +36,6 @@ exiv2
   NOTE: 20220819: Programming language: C++.
   NOTE: 20220819: 
https://github.com/Exiv2/exiv2/commit/109d5df7abd329f141b500c92a00178d35a6bef3#diff-bd28aafd4c87975a3a236af74c2200db447587fa0bb4f43ba9beb98738c77b2aL292
 does not directly apply, but a very quick glance suggests the earlier code may 
be equally vulnerable. (Chris Lamb)
 --
-expat (Thorsten Alteholz)
-  NOTE: 20220922: Programming language: C.
---
 firefox-esr (Emilio)
 --
 firmware-nonfree



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3ecf83c5689e40ede8625980a64a79026b5dac0b
