[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add sox to dla-needed.txt
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 021f3208 by Anton Gladky at 2023-03-13T06:16:29+01:00 LTS: add sox to dla-needed.txt - - - - - 5b85a46f by Anton Gladky at 2023-03-13T06:18:31+01:00 LTS: assign sox to Helmut. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -298,6 +298,10 @@ samba NOTE: 20220904: Special attention: High popcon! Used in many servers. NOTE: 20220904: Many postponed or open CVE in general. (apo) -- +sox (Helmut Grohne) + NOTE: 20230313: Programming language: C. + NOTE: 20230313: VCS: https://salsa.debian.org/lts-team/packages/sox.git +-- sssd (Dominik George) NOTE: 20230131: Programming language: C. NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2688047f171735c53f928803b7de4d837d65a79c...5b85a46f9368e1eb5237414c321e5f6960a18b32 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2688047f171735c53f928803b7de4d837d65a79c...5b85a46f9368e1eb5237414c321e5f6960a18b32 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 2688047f by Anton Gladky at 2023-03-13T06:06:55+01:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Anton Gladky gl...@debian.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -117,7 +117,7 @@ libreoffice linux (Ben Hutchings) NOTE: 20230111: Programming language: C -- -man2html (gladk) +man2html NOTE: 20221004: Programming language: C. NOTE: 20221004: It looks like not patch is available. NOTE: 20221004: Please evalulate, whether the issue can be marked as . @@ -178,7 +178,7 @@ nvidia-graphics-drivers-legacy-390xx NOTE: 20230103: https://lists.debian.org/debian-lts/2023/01/msg5.html NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/nvidia-graphics-drivers-legacy-390xx.git -- -openimageio (Markus Koschany) +openimageio NOTE: 20221225: Programming language: C. NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/openimageio.git -- @@ -262,7 +262,7 @@ ring NOTE: 20221120: Programming language: C. NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/ring.git -- -ruby-loofah (Daniel Leidert) +ruby-loofah NOTE: 20221231: Programming language: Ruby. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/ruby-loofah.git -- 
@@ -292,7 +292,7 @@ salt NOTE: 20221209: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/salt.html NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/salt.git -- -samba (Lee Garrett) +samba NOTE: 20220904: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/samba.git NOTE: 20220904: Special attention: High popcon! Used in many servers. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2688047f171735c53f928803b7de4d837d65a79c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2688047f171735c53f928803b7de4d837d65a79c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
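Review bot: the man2html hunk removes the `(gladk)` claimant but appends no dated NOTE recording the unclaim, so the entry's history will not show when or why it was released; consider adding a line such as `NOTE: 20230313: unclaimed after 2 weeks of inactivity.` While this entry is being touched, the unchanged context lines still read "It looks like not patch is available" and "Please evalulate, whether the issue can be marked as ." (the word after "as" is missing); they are worth fixing in a follow-up commit.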
[Git][security-tracker-team/security-tracker][master] LTS: take go
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 7707875b by Anton Gladky at 2023-03-13T06:06:37+01:00 LTS: take go - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -38,7 +38,7 @@ consul NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/consul.git -- -docker.io +docker.io (gladk) NOTE: 20230303: Programming language: Go. NOTE: 20230303: Follow fixes from bullseye 11.2 (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7707875beff34242158dbd57d637577abebf6ed7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7707875beff34242158dbd57d637577abebf6ed7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
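Review bot: the commit subject "LTS: take go" does not name the package being claimed; the hunk marks docker.io as taken by gladk, so a subject like "LTS: take docker.io" would keep the history searchable by package name.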
[Git][security-tracker-team/security-tracker][master] Track as well rust-lock-api-0.1 for RUSTSEC-2020-0070
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cb0d4a68 by Salvatore Bonaccorso at 2023-03-13T05:55:07+01:00 Track as well rust-lock-api-0.1 for RUSTSEC-2020-0070 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -174484,30 +174484,35 @@ CVE-2020-35914 (An issue was discovered in the lock_api crate before 0.4.2 for R - rust-lock-api 0.4.5-1 (bug #975319) [bullseye] - rust-lock-api (Minor issue) [buster] - rust-lock-api (Minor issue) + - rust-lock-api-0.1 (bug #1032854) NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html NOTE: https://github.com/Amanieu/parking_lot/pull/262 CVE-2020-35913 (An issue was discovered in the lock_api crate before 0.4.2 for Rust. A ...) - rust-lock-api 0.4.5-1 (bug #975319) [bullseye] - rust-lock-api (Minor issue) [buster] - rust-lock-api (Minor issue) + - rust-lock-api-0.1 (bug #1032854) NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html NOTE: https://github.com/Amanieu/parking_lot/pull/262 CVE-2020-35912 (An issue was discovered in the lock_api crate before 0.4.2 for Rust. A ...) - rust-lock-api 0.4.5-1 (bug #975319) [bullseye] - rust-lock-api (Minor issue) [buster] - rust-lock-api (Minor issue) + - rust-lock-api-0.1 (bug #1032854) NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html NOTE: https://github.com/Amanieu/parking_lot/pull/262 CVE-2020-35911 (An issue was discovered in the lock_api crate before 0.4.2 for Rust. A ...) - rust-lock-api 0.4.5-1 (bug #975319) [bullseye] - rust-lock-api (Minor issue) [buster] - rust-lock-api (Minor issue) + - rust-lock-api-0.1 (bug #1032854) NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html NOTE: https://github.com/Amanieu/parking_lot/pull/262 CVE-2020-35910 (An issue was discovered in the lock_api crate before 0.4.2 for Rust. A ...) - rust-lock-api 0.4.5-1 (bug #975319) [bullseye] - rust-lock-api (Minor issue) [buster] - rust-lock-api (Minor issue) + - rust-lock-api-0.1 (bug #1032854) NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html NOTE: https://github.com/Amanieu/parking_lot/pull/262 CVE-2020-28971 (An issue was discovered on Western Digital My Cloud OS 5 devices befor ...) 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb0d4a68b50fc9c5fd1b3a96179145c6a11f7127
[Git][security-tracker-team/security-tracker][master] CVE-2023-1350: Add followup commit and clarify status of feature
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e7aa9abb by Salvatore Bonaccorso at 2023-03-13T05:51:42+01:00 CVE-2023-1350: Add followup commit and clarify status of feature - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -56,6 +56,8 @@ CVE-2023-1350 (A vulnerability was found in liferea. It has been rated as critic NOTE: Introduced by: https://github.com/lwindolf/liferea/commit/b8288389820a3f510ef4b21684b22439c41d95a5 (v1.12.0) NOTE: introduced by: https://github.com/lwindolf/liferea/commit/b67dbba73443ab7b36fcd3c78aa803e974c0f23e (v1.12.0) NOTE: Fixed by: https://github.com/lwindolf/liferea/commit/8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59 (v1.14.1) + NOTE: Followup: https://github.com/lwindolf/liferea/commit/1981e1e161cde4896592ebca40fa3b115f0053ef (v1.14.1) + NOTE: Feature is always off-by default and not not advertised in the documentation. CVE-2023-1349 (A vulnerability, which was classified as problematic, has been found i ...) NOT-FOR-US: Hsycms CVE-2016-15028 (A vulnerability was found in ICEPAY REST-API-NET 0.9. It has been decl ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7aa9abb7fc7e115bd71e80eeb413de1fc8942a2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7aa9abb7fc7e115bd71e80eeb413de1fc8942a2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
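Review bot: the second added NOTE line reads "Feature is always off-by default and not not advertised in the documentation"; the doubled "not" and the stray hyphen should be corrected to "Feature is always off by default and not advertised in the documentation" before the wording is reused in an advisory or bug text.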
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-1350/liferea
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d15d3ae9 by Salvatore Bonaccorso at 2023-03-13T05:49:25+01:00 Track fixed version for CVE-2023-1350/liferea - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -52,7 +52,7 @@ CVE-2023-1352 (A vulnerability, which was classified as critical, has been found CVE-2023-1351 (A vulnerability classified as critical has been found in SourceCodeste ...) NOT-FOR-US: SourceCodester Computer Parts Sales and Inventory System CVE-2023-1350 (A vulnerability was found in liferea. It has been rated as critical. A ...) - - liferea (bug #1032822) + - liferea 1.14.1-1 (bug #1032822) NOTE: Introduced by: https://github.com/lwindolf/liferea/commit/b8288389820a3f510ef4b21684b22439c41d95a5 (v1.12.0) NOTE: introduced by: https://github.com/lwindolf/liferea/commit/b67dbba73443ab7b36fcd3c78aa803e974c0f23e (v1.12.0) NOTE: Fixed by: https://github.com/lwindolf/liferea/commit/8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59 (v1.14.1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d15d3ae9133c55a8b2598700bded1a434c5b6548 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d15d3ae9133c55a8b2598700bded1a434c5b6548 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DSA-5372-1 for rails
Aron Xu pushed to branch master at Debian Security Tracker / security-tracker Commits: 069f696a by Aron Xu at 2023-03-13T10:59:44+08:00 Reserve DSA-5372-1 for rails - - - - - 3 changed files: - data/CVE/list - data/DSA/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -160805,7 +160805,6 @@ CVE-2021-22943 (A vulnerability found in UniFi Protect application V1.18.1 and e CVE-2021-22942 (A possible open redirect vulnerability in the Host Authorization middl ...) [experimental] - rails 2:6.1.4.1+dfsg-1 - rails 2:6.1.4.1+dfsg-3 (bug #992586) - [bullseye] - rails (Minor issue) [buster] - rails (Vulnerable code not present) [stretch] - rails (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2021/08/20/1 = data/DSA/list = @@ -1,3 +1,6 @@ +[13 Mar 2023] DSA-5372-1 rails - security update + {CVE-2021-22942 CVE-2021-44528 CVE-2022-21831 CVE-2022-22577 CVE-2022-23633 CVE-2022-2 CVE-2023-22792 CVE-2023-22794 CVE-2023-22795 CVE-2023-22796} + [bullseye] - rails 2:6.0.3.7+dfsg-2+deb11u1 [09 Mar 2023] DSA-5371-1 chromium - security update {CVE-2023-1213 CVE-2023-1214 CVE-2023-1215 CVE-2023-1216 CVE-2023-1217 CVE-2023-1218 CVE-2023-1219 CVE-2023-1220 CVE-2023-1221 CVE-2023-1222 CVE-2023-1223 CVE-2023-1224 CVE-2023-1225 CVE-2023-1226 CVE-2023-1227 CVE-2023-1228 CVE-2023-1229 CVE-2023-1230 CVE-2023-1231 CVE-2023-1232 CVE-2023-1233 CVE-2023-1234 CVE-2023-1235 CVE-2023-1236} [bullseye] - chromium 111.0.5563.64-1~deb11u1 = data/dsa-needed.txt = 
@@ -37,8 +37,6 @@ php-horde-turba -- py7zr -- -rails (aron) --- ring might make sense to rebase to current version -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/069f696a6c6326073e6f85aa6fd93f27280c0592 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/069f696a6c6326073e6f85aa6fd93f27280c0592 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
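Review bot: the CVE list of the new DSA-5372-1 entry in data/DSA/list contains "CVE-2022-2", which is not a complete CVE identifier; it should be checked against the advisory text and either completed or dropped, since the tracker cross-references this list with data/CVE/list by exact id.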
[Git][security-tracker-team/security-tracker][master] 10 commits: LTS: add apache2 to dla-needed.txt
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 5119 by Thorsten Alteholz at 2023-03-12T23:55:29+01:00 LTS: add apache2 to dla-needed.txt - - - - - 98184fc7 by Thorsten Alteholz at 2023-03-13T00:01:28+01:00 LTS: add ruby-racks to dla-needed.txt - - - - - a92e695d by Thorsten Alteholz at 2023-03-13T00:03:12+01:00 Revert LTS: add ruby-racks to dla-needed.txt This reverts commit 98184fc75622fb669ea31ef6b2dab480d30d2af2. - - - - - 7bf298af by Thorsten Alteholz at 2023-03-13T00:04:21+01:00 LTS: add ruby-rack to dla-needed.txt - - - - - 7b32c923 by Thorsten Alteholz at 2023-03-13T00:06:03+01:00 LTS: add libmicrohttpd to dla-needed.txt - - - - - 88a111f9 by Thorsten Alteholz at 2023-03-13T00:08:05+01:00 mark CVE-2021-33367 as no-dsa for Buster - - - - - 83fe56dd by Thorsten Alteholz at 2023-03-13T00:09:05+01:00 mark CVE-2022-3213 as no-dsa for Buster - - - - - 6fd1fd35 by Thorsten Alteholz at 2023-03-13T00:14:48+01:00 mark CVE-2021-37519 as not-affected for Buster - - - - - 1bdc1a56 by Thorsten Alteholz at 2023-03-13T00:22:00+01:00 claim libmicrohttpd - - - - - f36b5073 by Thorsten Alteholz at 2023-03-13T00:27:09+01:00 LTS: add redis to dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -42329,6 +42329,7 @@ CVE-2022-3214 (Delta Industrial Automation's DIAEnergy, an industrial energy man CVE-2022-3213 (A heap buffer overflow issue was found in ImageMagick. When an applica ...) - imagemagick (bug #1021141) [bullseye] - imagemagick (Minor issue) + [buster] - imagemagick (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2126824 NOTE: https://github.com/ImageMagick/ImageMagick/commit/30ccf9a0da1f47161b5935a95be854fe84e6c2a2 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/1aea203eb36409ce6903b9e41fe7cb70030e8750 
@@ -124337,6 +124338,7 @@ CVE-2021-37520 CVE-2021-37519 (Buffer Overflow vulnerability in authfile.c memcached 1.6.9 allows att ...) - memcached 1.6.10+dfsg-1 [bullseye] - memcached (Minor issue) + [buster] - memcached (Vulnerable code not present) NOTE: https://github.com/memcached/memcached/issues/805 NOTE: https://github.com/memcached/memcached/commit/ddee3e27a031be22f5f28c160be18fd3cb9bc63d (1.6.10) CVE-2021-37518 (Universal Cross Site Scripting (UXSS) vulnerability in Vimium Extensio ...) @@ -134362,6 +134364,7 @@ CVE-2021-33367 (Buffer Overflow vulnerability in Freeimage v3.18.0 allows attack - freeimage (bug #1032666) [bookworm] - freeimage (Minor issue) [bullseye] - freeimage (Minor issue) + [buster] - freeimage (Minor issue) NOTE: https://sourceforge.net/p/freeimage/discussion/36109/thread/1a4db03d58/ CVE-2021-33366 (Memory leak in the gf_isom_oinf_read_entry function in MP4Box in GPAC ...) - gpac (unimportant) = data/dla-needed.txt = @@ -18,6 +18,11 @@ rather than remove/replace existing ones. NOTE: 20221231: Few users. Low prio. (opal). NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/389-ds-base.git -- +apache2 + NOTE: 20230312: Programming language: C. + NOTE: 20230312: VCS: https://salsa.debian.org/lts-team/packages/apache2.git + NOTE: 20230312: Special attention: Double check an update! Package is used by many customers and users!. +-- ceph NOTE: 20221031: Programming language: C++. NOTE: 20221031: To be checked further. Not clear whether the vulnerability can be exploited in a Debian system. @@ -102,6 +107,9 @@ intel-microcode (tobi) NOTE: 20230310: will first fix unstable and stable, then proceed with LTS and ELTS, using the same new upstream version. (tobi) NOTE: 20230312: uploaded to DELAYED/5 for unstable. -- +libmicrohttpd (Thorsten Alteholz) + NOTE: 20230313: Programming language: C. +-- libreoffice NOTE: 20221012: Programming language: C++. NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/libreoffice.git 
@@ -246,6 +254,10 @@ rainloop NOTE: 20220913: Evaluate the situation and decide whether we should support or EOL this package (Beuc/front-desk) NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/rainloop.git -- +redis + NOTE: 20230313: Programming language: C. + NOTE: 20230313: VCS: https://salsa.debian.org/lamby/pkg-redis.git +-- ring NOTE: 20221120: Programming language: C. NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/ring.git @@ -254,6 +266,10 @@ ruby-loofah (Daniel Leidert) NOTE: 20221231: Programming language: Ruby. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/ruby-loofah.git -- +ruby-rack + NOTE: 20230313: Programming language: Ruby. + NOTE: 20230313: VCS: https://salsa.debian.org/lts-team
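Review bot: the "Special attention" NOTE added for apache2 ends with "users!." (doubled punctuation); drop the trailing period. The same commit series also contains the "ruby-racks" addition and its immediate revert before the correct "ruby-rack" entry; squashing those two commits would have kept the history free of the mistaken package name.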
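Review bot: the redis VCS NOTE points to https://salsa.debian.org/lamby/pkg-redis.git, a personal namespace, whereas the other VCS notes visible in this file use the lts-team/packages/<package>.git pattern; confirm this is intentional (for example because LTS updates are prepared in the maintainer's repository) and say so in the NOTE, otherwise use the lts-team path so the next person working on the package does not push to the wrong repository.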
[Git][security-tracker-team/security-tracker][master] LTS: take 389-ds-base
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 392ff630 by Anton Gladky at 2023-03-12T21:52:23+01:00 LTS: take 389-ds-base - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -13,7 +13,7 @@ To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. -- -389-ds-base +389-ds-base (gladk) NOTE: 20221231: Programming language: C. NOTE: 20221231: Few users. Low prio. (opal). NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/389-ds-base.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/392ff63012d3b582d96f91198a57d66731325a92 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/392ff63012d3b582d96f91198a57d66731325a92 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3360-1 for ruby-sidekiq
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 63a9de7a by Utkarsh Gupta at 2023-03-13T02:10:30+05:30 Reserve DLA-3360-1 for ruby-sidekiq - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -143137,7 +143137,6 @@ CVE-2021-30151 (Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the q {DLA-2943-1} - ruby-sidekiq 6.3.1+dfsg-1 (bug #987354) [bullseye] - ruby-sidekiq (Minor issue) - [buster] - ruby-sidekiq (Minor issue) NOTE: https://github.com/mperham/sidekiq/issues/4852 NOTE: https://github.com/mperham/sidekiq/commit/64f70339d1dcf50a55c00d36bfdb61d97ec63ed8 (v6.2.1) CVE-2021-30150 (Composr 10.0.36 allows XSS in an XML script. ...) = data/DLA/list = @@ -1,3 +1,6 @@ +[13 Mar 2023] DLA-3360-1 ruby-sidekiq - security update + {CVE-2021-30151 CVE-2022-23837} + [buster] - ruby-sidekiq 5.2.3+dfsg-1+deb10u1 [13 Mar 2023] DLA-3359-1 libapache2-mod-auth-mellon - security update {CVE-2019-13038 CVE-2021-3639} [buster] - libapache2-mod-auth-mellon 0.14.2-1+deb10u1 = data/dla-needed.txt = 
@@ -259,12 +259,6 @@ ruby-rails-html-sanitizer NOTE: 20221231: VCS: https://salsa.debian.org/lts-team/packages/ruby-rails-html-sanitizer.git NOTE: 20230303: this cannot be fixed unless ruby-loofah is fixed with appropriate methods. (utkarsh) -- -ruby-sidekiq (Utkarsh) - NOTE: 20221231: Programming language: Ruby. - NOTE: 20221231: CVE-2022-23837 was fixed in stretch so should be fixed in buster for consistency even though it is not that severe. (opal). - NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/ruby-sidekiq.git - NOTE: 20230220: almost done-ish. Will roll out the DLA this week. (utkarsh) --- runc (Sylvain Beucler) NOTE: 20220905: Programming language: Go. NOTE: 20220905: Special attention: Sync with Bullseye. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63a9de7a3f01e7fb42aadea5f5b70aa575a0d605 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63a9de7a3f01e7fb42aadea5f5b70aa575a0d605 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Add note for ruby-rails-html-sanitizer
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 998b1e5e by Utkarsh Gupta at 2023-03-13T02:08:00+05:30 Add note for ruby-rails-html-sanitizer - - - - - 4dacbb52 by Utkarsh Gupta at 2023-03-13T02:08:55+05:30 Reserve DLA-3359-1 for libapache2-mod-auth-mellon - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -127080,7 +127080,6 @@ CVE-2021-3640 (A flaw use-after-free in function sco_sock_sendmsg() of the Linux CVE-2021-3639 (A flaw was found in mod_auth_mellon where it does not sanitize logout ...) - libapache2-mod-auth-mellon 0.18.0-1 (bug #991730) [bullseye] - libapache2-mod-auth-mellon 0.17.0-1+deb11u1 - [buster] - libapache2-mod-auth-mellon (Minor issue) [stretch] - libapache2-mod-auth-mellon (Minor issue) NOTE: https://github.com/latchset/mod_auth_mellon/commit/42a11261b9dad2e48d70bdff7c53dd57a12db6f5 CVE-2021-36350 (Dell PowerScale OneFS, versions 8.2.2-9.3.0.x, contain an authenticati ...) @@ -270799,7 +270798,6 @@ CVE-2019-13039 RESERVED CVE-2019-13038 (mod_auth_mellon through 0.14.2 has an Open Redirect via the login?Retu ...) - libapache2-mod-auth-mellon 0.15.0-1 (low; bug #931265) - [buster] - libapache2-mod-auth-mellon (Minor issue) [stretch] - libapache2-mod-auth-mellon (Minor issue) [jessie] - libapache2-mod-auth-mellon (Open Redirect protection not implemented yet) NOTE: https://github.com/Uninett/mod_auth_mellon/issues/35#issuecomment-503974885 = data/DLA/list = @@ -1,3 +1,6 @@ +[13 Mar 2023] DLA-3359-1 libapache2-mod-auth-mellon - security update + {CVE-2019-13038 CVE-2021-3639} + [buster] - libapache2-mod-auth-mellon 0.14.2-1+deb10u1 [12 Mar 2023] DLA-3358-1 mpv - security update {CVE-2020-19824} [buster] - mpv 0.29.1-1+deb10u1 = data/dla-needed.txt = 
@@ -102,12 +102,6 @@ intel-microcode (tobi) NOTE: 20230310: will first fix unstable and stable, then proceed with LTS and ELTS, using the same new upstream version. (tobi) NOTE: 20230312: uploaded to DELAYED/5 for unstable. -- -libapache2-mod-auth-mellon (Utkarsh) - NOTE: 20230105: Programming language: C. - NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk) - NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/libapache2-mod-auth-mellon.git - NOTE: 20230220: upload prepped, testing remains. (utkarsh) --- libreoffice NOTE: 20221012: Programming language: C++. NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/libreoffice.git @@ -263,6 +257,7 @@ ruby-loofah (Daniel Leidert) ruby-rails-html-sanitizer NOTE: 20221231: Programming language: Ruby. NOTE: 20221231: VCS: https://salsa.debian.org/lts-team/packages/ruby-rails-html-sanitizer.git + NOTE: 20230303: this cannot be fixed unless ruby-loofah is fixed with appropriate methods. (utkarsh) -- ruby-sidekiq (Utkarsh) NOTE: 20221231: Programming language: Ruby. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/23a9d48016bd0218a366177fd3cdd5051347ed17...4dacbb52b1761a042d3085dc122626e08b9288ca -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/23a9d48016bd0218a366177fd3cdd5051347ed17...4dacbb52b1761a042d3085dc122626e08b9288ca You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 23a9d480 by Salvatore Bonaccorso at 2023-03-12T21:28:29+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,11 +1,11 @@ CVE-2023-1360 (A vulnerability was found in SourceCodester Employee Payslip Generator ...) - TODO: check + NOT-FOR-US: SourceCodester Employee Payslip Generator with Sending Mail CVE-2023-1359 (A vulnerability has been found in SourceCodester Gadget Works Online O ...) - TODO: check + NOT-FOR-US: SourceCodester Gadget Works Online Ordering System CVE-2023-1358 (A vulnerability, which was classified as critical, was found in Source ...) - TODO: check + NOT-FOR-US: SourceCodester Gadget Works Online Ordering System CVE-2023-1357 (A vulnerability, which was classified as critical, has been found in S ...) - TODO: check + NOT-FOR-US: SourceCodester Simple Bakery Shop Management System CVE-2023-28153 RESERVED CVE-2023-28152 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/23a9d48016bd0218a366177fd3cdd5051347ed17 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/23a9d48016bd0218a366177fd3cdd5051347ed17 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reference upstream tag for CVE-2023-1350
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a7074c77 by Salvatore Bonaccorso at 2023-03-12T21:17:39+01:00 Reference upstream tag for CVE-2023-1350 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -55,7 +55,7 @@ CVE-2023-1350 (A vulnerability was found in liferea. It has been rated as critic - liferea (bug #1032822) NOTE: Introduced by: https://github.com/lwindolf/liferea/commit/b8288389820a3f510ef4b21684b22439c41d95a5 (v1.12.0) NOTE: introduced by: https://github.com/lwindolf/liferea/commit/b67dbba73443ab7b36fcd3c78aa803e974c0f23e (v1.12.0) - NOTE: Fixed by: https://github.com/lwindolf/liferea/commit/8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59 + NOTE: Fixed by: https://github.com/lwindolf/liferea/commit/8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59 (v1.14.1) CVE-2023-1349 (A vulnerability, which was classified as problematic, has been found i ...) NOT-FOR-US: Hsycms CVE-2016-15028 (A vulnerability was found in ICEPAY REST-API-NET 0.9. It has been decl ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7074c776bbd26688914a6e7a92b95432a716259 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7074c776bbd26688914a6e7a92b95432a716259 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 949c44e5 by security tracker role at 2023-03-12T20:10:18+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,11 @@ +CVE-2023-1360 (A vulnerability was found in SourceCodester Employee Payslip Generator ...) + TODO: check +CVE-2023-1359 (A vulnerability has been found in SourceCodester Gadget Works Online O ...) + TODO: check +CVE-2023-1358 (A vulnerability, which was classified as critical, was found in Source ...) + TODO: check +CVE-2023-1357 (A vulnerability, which was classified as critical, has been found in S ...) + TODO: check CVE-2023-28153 RESERVED CVE-2023-28152 @@ -50,8 +58,8 @@ CVE-2023-1350 (A vulnerability was found in liferea. It has been rated as critic NOTE: Fixed by: https://github.com/lwindolf/liferea/commit/8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59 CVE-2023-1349 (A vulnerability, which was classified as problematic, has been found i ...) NOT-FOR-US: Hsycms -CVE-2016-15028 - RESERVED +CVE-2016-15028 (A vulnerability was found in ICEPAY REST-API-NET 0.9. It has been decl ...) + TODO: check CVE-2023-28143 RESERVED CVE-2023-28142 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/949c44e53a4817d9eb1b1af3d16b804bdb738ab4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/949c44e53a4817d9eb1b1af3d16b804bdb738ab4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Document approach to intel-microcode.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: c8114c8f by Tobias Frost at 2023-03-12T19:07:05+01:00 Document approach to intel-microcode. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -99,6 +99,8 @@ golang-yaml.v2 intel-microcode (tobi) NOTE: 20230219: Programming language: Binary blob. NOTE: 20230219: VCS: https://salsa.debian.org/lts-team/packages/intel-microcode.git + NOTE: 20230310: will first fix unstable and stable, then proceed with LTS and ELTS, using the same new upstream version. (tobi) + NOTE: 20230312: uploaded to DELAYED/5 for unstable. -- libapache2-mod-auth-mellon (Utkarsh) NOTE: 20230105: Programming language: C. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8114c8f32ecca5412d385a66698a5d06e30c7f6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8114c8f32ecca5412d385a66698a5d06e30c7f6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2e32d387 by Salvatore Bonaccorso at 2023-03-12T14:09:40+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -26,15 +26,15 @@ CVE-2023-1355 (NULL Pointer Dereference in GitHub repository vim/vim prior to 9. NOTE: https://github.com/vim/vim/commit/d13dd30240e32071210f55b587182ff48757ea46 (v9.0.1402) NOTE: Crash in CLI tool, no security impact CVE-2022-48367 (An issue was discovered in eZ Publish Ibexa Kernel before 7.5.28. Acce ...) - TODO: check + NOT-FOR-US: Ibexa CVE-2022-48366 (An issue was discovered in eZ Platform Ibexa Kernel before 1.3.19. It ...) - TODO: check + NOT-FOR-US: Ibexa CVE-2022-48365 (An issue was discovered in eZ Platform Ibexa Kernel before 1.3.26. The ...) - TODO: check + NOT-FOR-US: Ibexa CVE-2021-46876 (An issue was discovered in eZ Publish Ibexa Kernel before 7.5.15.1. Th ...) - TODO: check + NOT-FOR-US: Ibexa CVE-2021-46875 (An issue was discovered in eZ Platform Ibexa Kernel before 1.3.1.1. An ...) - TODO: check + NOT-FOR-US: Ibexa CVE-2023-1354 (A vulnerability has been found in SourceCodester Design and Implementa ...) NOT-FOR-US: SourceCodester Design and Implementation of Covid-19 Directory on Vaccination System CVE-2023-1353 (A vulnerability, which was classified as problematic, was found in Sou ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e32d387aa9f8db2fb48f1f85a4b10caecbb70df -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e32d387aa9f8db2fb48f1f85a4b10caecbb70df You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
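Review bot: the five entries switch from `TODO: check` to the same string `NOT-FOR-US: Ibexa`, but the descriptions name the product differently (`eZ Publish Ibexa Kernel` for CVE-2022-48367 and CVE-2021-46876, `eZ Platform Ibexa Kernel` for CVE-2022-48366, CVE-2022-48365 and CVE-2021-46875). Because NOT-FOR-US strings are what later triagers grep for, a single string that keeps the legacy names, e.g. `NOT-FOR-US: Ibexa (eZ Publish / eZ Platform Kernel)`, would stop a future search for `eZ Publish` from missing these five. The vim context lines at the top of the hunk (`NOTE: Crash in CLI tool, no security impact`) are unchanged and agree with the separate CVE-2023-1355 commit on this page.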
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-1355/vim
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 91287b71 by Salvatore Bonaccorso at 2023-03-12T14:06:13+01:00 Add CVE-2023-1355/vim - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21,7 +21,10 @@ CVE-2023-28144 CVE-2023-1356 RESERVED CVE-2023-1355 (NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.140 ...) - TODO: check + - vim (unimportant) + NOTE: https://huntr.dev/bounties/4d0a9615-d438-4f5c-8dd6-aa22f4b716d9 + NOTE: https://github.com/vim/vim/commit/d13dd30240e32071210f55b587182ff48757ea46 (v9.0.1402) + NOTE: Crash in CLI tool, no security impact CVE-2022-48367 (An issue was discovered in eZ Publish Ibexa Kernel before 7.5.28. Acce ...) TODO: check CVE-2022-48366 (An issue was discovered in eZ Platform Ibexa Kernel before 1.3.19. It ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/91287b7166d189004ab007bc4a0a1861344c5c51 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/91287b7166d189004ab007bc4a0a1861344c5c51 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
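Review bot: the new package line `- vim (unimportant)` records no Debian fixed version although the upstream fix is identified in the next NOTE as commit d13dd302 (v9.0.1402); for an `unimportant` issue this is acceptable (such issues are not fixed through DSA/DLA), but the fixing Debian version should be filled in once a vim upload containing 9.0.1402 lands so the tracker shows the issue as closed rather than open-but-unimportant. The `NOTE: Crash in CLI tool, no security impact` line is exactly the justification the severity needs and should stay with the entry, together with the huntr.dev and upstream commit references that let anyone re-check it.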
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 98644e0f by security tracker role at 2023-03-12T08:10:16+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,37 @@ +CVE-2023-28153 + RESERVED +CVE-2023-28152 + RESERVED +CVE-2023-28151 + RESERVED +CVE-2023-28150 + RESERVED +CVE-2023-28149 + RESERVED +CVE-2023-28148 + RESERVED +CVE-2023-28147 + RESERVED +CVE-2023-28146 + RESERVED +CVE-2023-28145 + RESERVED +CVE-2023-28144 + RESERVED +CVE-2023-1356 + RESERVED +CVE-2023-1355 (NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.140 ...) + TODO: check +CVE-2022-48367 (An issue was discovered in eZ Publish Ibexa Kernel before 7.5.28. Acce ...) + TODO: check +CVE-2022-48366 (An issue was discovered in eZ Platform Ibexa Kernel before 1.3.19. It ...) + TODO: check +CVE-2022-48365 (An issue was discovered in eZ Platform Ibexa Kernel before 1.3.26. The ...) + TODO: check +CVE-2021-46876 (An issue was discovered in eZ Publish Ibexa Kernel before 7.5.15.1. Th ...) + TODO: check +CVE-2021-46875 (An issue was discovered in eZ Platform Ibexa Kernel before 1.3.1.1. An ...) + TODO: check CVE-2023-1354 (A vulnerability has been found in SourceCodester Design and Implementa ...) NOT-FOR-US: SourceCodester Design and Implementation of Covid-19 Directory on Vaccination System CVE-2023-1353 (A vulnerability, which was classified as problematic, was found in Sou ...) @@ -333,8 +367,8 @@ CVE-2023-1309 (A vulnerability classified as critical was found in SourceCodeste NOT-FOR-US: SourceCodester Online Graduate Tracer System CVE-2023-1308 (A vulnerability classified as critical has been found in SourceCodeste ...) NOT-FOR-US: SourceCodester Online Graduate Tracer System -CVE-2013-10021 - RESERVED +CVE-2013-10021 (A vulnerability was found in dd32 Debug Bar Plugin up to 0.8. It has b ...) + TODO: check CVE-2023-28025 RESERVED CVE-2023-28024 
@@ -199087,6 +199121,7 @@ CVE-2020-19826 CVE-2020-19825 (Cross Site Scripting (XSS) vulnerability in kevinpapst kimai2 1.30.0 i ...) NOT-FOR-US: kevinpapst kimai2 CVE-2020-19824 (An issue in MPV v.0.29.1 fixed in v0.30 allows attackers to execute ar ...) + {DLA-3358-1} - mpv 0.30.0-1 NOTE: https://github.com/mpv-player/mpv/issues/6808 NOTE: https://github.com/mpv-player/mpv/commit/5858e3cdbd6fbae3ed80366912dd5df0af4fa126 (v0.30.0) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98644e0f1c8ebeae056ff62f79a02445ca294bce -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98644e0f1c8ebeae056ff62f79a02445ca294bce You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
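Review bot: in the first hunk (`@@ -1,3 +1,37 @@`) eleven of the nineteen added IDs (CVE-2023-28144 through CVE-2023-28153 and CVE-2023-1356) are bare `RESERVED` placeholders with no text, and the rest (CVE-2023-1355 for vim and the five eZ Publish/eZ Platform Ibexa Kernel issues) are imported as `TODO: check`; all of the latter are resolved by the two later commits on this page (vim at 14:06, the Ibexa NFUs at 14:09). No change needed in the hunk itself; it illustrates why the automatic job must not guess a status: the descriptions are truncated at a fixed width (`...`) and the RESERVED entries carry nothing to triage yet.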
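Review bot: in the second hunk (`@@ -333,8 +367,8 @@`) CVE-2013-10021 changes from `RESERVED` to a description for `dd32 Debug Bar Plugin up to 0.8` with `TODO: check`; as with the other retroactively dated IDs on this page, the 2013 year is not evidence about Debian's exposure, because the description only appears in this 2023-03-12 update. The triager should first establish whether the plugin is packaged in Debian before reasoning about the `0.8` upper bound, and should read the full description, since the truncated text does not say what kind of issue it is.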
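Review bot: in the third hunk (`@@ -199087,6 +199121,7 @@`) the `{DLA-3358-1}` reference for CVE-2020-19824 is placed where the tracker expects it, directly under the CVE line and above the `- mpv 0.30.0-1` package line, and the recorded fixed version agrees with the upstream NOTE `(v0.30.0)` for commit 5858e3cd. Nothing to change; the advisory reference arriving via the automatic update is the normal path once the DLA has been announced.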