[Git][security-tracker-team/security-tracker][master] The uploaded jupyterlab version is fixed already
Jochen Sprickerhof pushed to branch master at Debian Security Tracker / security-tracker Commits: c2eb8927 by Jochen Sprickerhof at 2023-11-12T08:38:02+01:00 The uploaded jupyterlab version is fixed already - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -174050,7 +174050,7 @@ CVE-2021-32798 (The Jupyter notebook is a web-based notebook environment for int NOTE: https://github.com/jupyter/notebook/security/advisories/GHSA-hwvq-6gjx-j797 NOTE: https://github.com/jupyter/notebook/commit/79fc76e890a8ec42f73a3d009e44ef84c14ef0d5 CVE-2021-32797 (JupyterLab is a user interface for Project Jupyter which will eventual ...) - - jupyterlab (bug #934258) + - jupyterlab 4.0.8+ds1-1 CVE-2021-32796 (xmldom is an open source pure JavaScript W3C standard-based (XML DOM L ...) - node-xmldom 0.7.3-1 (bug #991612) [bullseye] - node-xmldom (Minor issue, too intrusive to backport) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2eb892748dcb6ddd09f817006b38edc3fa3ead7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
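Review bot: The replaced CVE-2021-32797 line in data/CVE/list drops the reference to bug #934258, and the entry still has no NOTE lines, so nothing in the entry backs the claim that 4.0.8+ds1-1 contains the fix. Suggest adding a NOTE with the upstream advisory or fix commit, as the CVE-2021-32798 entry directly above does, so the fixed version can be checked against upstream.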
[Git][security-tracker-team/security-tracker][master] Properly fix DLA-3511-1
Jochen Sprickerhof pushed to branch master at Debian Security Tracker / security-tracker Commits: 9261a21b by Jochen Sprickerhof at 2023-07-31T16:52:32+02:00 Properly fix DLA-3511-1 Use sbuild --debbuildopt=-vversion to generate the correct changes file. - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -302052,7 +302052,6 @@ CVE-2019-9837 (Doorkeeper::OpenidConnect (aka the OpenID Connect extension for D CVE-2019-9836 (Secure Encrypted Virtualization (SEV) on Advanced Micro Devices (AMD) ...) - amd64-microcode 3.20220411.1 (bug #970395) [bullseye] - amd64-microcode 3.20230719.1~deb11u1 - [buster] - amd64-microcode (Minor issue) NOTE: https://seclists.org/fulldisclosure/2019/Jun/46 CVE-2019-9835 (The receiver (aka bridge) component of Fujitsu Wireless Keyboard Set L ...) NOT-FOR-US: Fujitsu Wireless Keyboard Set LX901 GK900 devices = data/DLA/list = @@ -1,5 +1,5 @@ [31 Jul 2023] DLA-3511-1 amd64-microcode - security update - {CVE-2023-20593} + {CVE-2019-9836 CVE-2023-20593} [buster] - amd64-microcode 3.20230719.1~deb10u1 [31 Jul 2023] DLA-3510-1 thunderbird - security update {CVE-2023-3417} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9261a21b181ab264e7006e65a5e39c3f147cccba
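Review bot: The commit message explains how the changes file was built but not why CVE-2019-9836 moves into DLA-3511-1, so neither the removed [buster] line in data/CVE/list nor the extended brace list in data/DLA/list is justified in the log. Suggest one sentence saying that the buster upload 3.20230719.1~deb10u1 carries the same fix as the [bullseye] line 3.20230719.1~deb11u1 visible in the context, if that is the reasoning.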
[Git][security-tracker-team/security-tracker][master] amd64-microcode add missing CVE
Jochen Sprickerhof pushed to branch master at Debian Security Tracker / security-tracker Commits: 43bfd382 by Jochen Sprickerhof at 2023-07-31T16:38:45+02:00 amd64-microcode add missing CVE Thanks Beuc. - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,4 +1,5 @@ [31 Jul 2023] DLA-3511-1 amd64-microcode - security update + {CVE-2023-20593} [buster] - amd64-microcode 3.20230719.1~deb10u1 [31 Jul 2023] DLA-3510-1 thunderbird - security update {CVE-2023-3417} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43bfd3826f1d69f266711e4221dd3c437957bdbf
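Review bot: The added brace line in the DLA-3511-1 entry lists only CVE-2023-20593, and neither the subject nor the body names the CVE or says how the list was checked. Since the version string 3.20230719.1~deb10u1 points to a backport of a newer release, suggest confirming against data/CVE/list that no older amd64-microcode CVE still open for buster is closed by the same upload, and naming the CVE in the commit subject.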
[Git][security-tracker-team/security-tracker][master] Fix amd64-microcode version
Jochen Sprickerhof pushed to branch master at Debian Security Tracker / security-tracker Commits: bbb0f49d by Jochen Sprickerhof at 2023-07-31T16:37:24+02:00 Fix amd64-microcode version - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,5 +1,5 @@ [31 Jul 2023] DLA-3511-1 amd64-microcode - security update - [buster] - amd64-microcode 3.20230719.1+deb10u1 + [buster] - amd64-microcode 3.20230719.1~deb10u1 [31 Jul 2023] DLA-3510-1 thunderbird - security update {CVE-2023-3417} [buster] - thunderbird 1:102.13.1-1~deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bbb0f49dbf822de437b0c562ece7989b59482780
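Review bot: After this change the DLA-3511-1 entry still has no {CVE-...} line between its header and the [buster] line, unlike the DLA-3510-1 entry right below it, which carries {CVE-2023-3417}. Suggest adding the CVE list in the same commit as the version correction, and stating in the commit message that the ~deb10u1 suffix matches the uploaded package.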
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3511-1 for amd64-microcode
Jochen Sprickerhof pushed to branch master at Debian Security Tracker / security-tracker Commits: 7ae00408 by Jochen Sprickerhof at 2023-07-31T14:09:50+02:00 Reserve DLA-3511-1 for amd64-microcode - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[31 Jul 2023] DLA-3511-1 amd64-microcode - security update + [buster] - amd64-microcode 3.20230719.1+deb10u1 [31 Jul 2023] DLA-3510-1 thunderbird - security update {CVE-2023-3417} [buster] - thunderbird 1:102.13.1-1~deb10u1 = data/dla-needed.txt = @@ -24,9 +24,6 @@ rather than remove/replace existing ones. amanda (Thorsten Alteholz) NOTE: 20230730: Added by Front-Desk (apo) -- -amd64-microcode (jspricke) - NOTE: 20230731: Added by Front-Desk (apo) --- cairosvg (gladk) NOTE: 20230323: Added by Front-Desk (gladk) NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert/inactive) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ae004084cc845bb7d750365a642552313f8f999
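Review bot: The new [buster] line in data/DLA/list uses the suffix +deb10u1, while the thunderbird entry directly below uses ~deb10u1 for its buster version; the two suffixes sort differently, so the string should be checked against the uploaded .changes file before the DLA is reserved. The new entry also lacks a {CVE-...} line, which the DLA-3510-1 entry below carries.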
[Git][security-tracker-team/security-tracker][master] Claim amd64-microcode
Jochen Sprickerhof pushed to branch master at Debian Security Tracker / security-tracker Commits: ab7284dc by Jochen Sprickerhof at 2023-07-31T10:58:55+02:00 Claim amd64-microcode - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -24,7 +24,7 @@ rather than remove/replace existing ones. amanda (Thorsten Alteholz) NOTE: 20230730: Added by Front-Desk (apo) -- -amd64-microcode +amd64-microcode (jspricke) NOTE: 20230731: Added by Front-Desk (apo) -- cairosvg (gladk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab7284dc7471705899bfb237746ad13efdd2b06b
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3482-1 for debian-archive-keyring
Jochen Sprickerhof pushed to branch master at Debian Security Tracker / security-tracker Commits: 490c5b82 by Jochen Sprickerhof at 2023-07-07T08:43:07+02:00 Reserve DLA-3482-1 for debian-archive-keyring - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[07 Jul 2023] DLA-3482-1 debian-archive-keyring - security update + [buster] - debian-archive-keyring 2019.1+deb10u2 [06 Jul 2023] DLA-3481-1 libusrsctp - security update {CVE-2019-20503} [buster] - libusrsctp 0.9.3.0+20190127-2+deb10u1 = data/dla-needed.txt = @@ -33,11 +33,6 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -debian-archive-keyring (jspricke) - NOTE: 20230619: Added by Front-Desk (Beuc) - NOTE: 20230619: Add bookworm keys as in #1033157; see DLA-2948-1 for a similar update - NOTE: 20230619: See also https://lists.debian.org/debian-lts/2021/08/msg00037.html for context (Beuc/front-desk) --- docker.io (rouca) NOTE: 20230303: Added by Front-Desk (Beuc) NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/490c5b820d4b0f0c9549860e0c20d1fb4fe9738b
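Review bot: The three NOTE lines removed from data/dla-needed.txt are the only place in the diff that records why this update exists (bookworm keys as in #1033157, with DLA-2948-1 as precedent), and the new DLA-3482-1 entry has no CVE list to point a reader anywhere else. Suggest carrying the #1033157 reference into the commit message so the reason for a keyring DLA without a CVE stays findable after the notes are gone.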
[Git][security-tracker-team/security-tracker][master] dla: unclaim python-glance-store
Jochen Sprickerhof pushed to branch master at Debian Security Tracker / security-tracker Commits: 3794aa30 by Jochen Sprickerhof at 2023-07-05T20:18:35+02:00 dla: unclaim python-glance-store As discussed with Roberto - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -176,9 +176,11 @@ php-dompdf pypdf2 (Adrian Bunk) NOTE: 20230705: Added by Front-Desk (gladk) -- -python-glance-store (jspricke) +python-glance-store NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. + NOTE: 20230705: JS: pushed a patched version to: https://salsa.debian.org/lts-team/packages/python-glance-store + NOTE: 20230705: JS: upstream patch looks fine to me but should probably be tested and released together with the other affected packages. -- python-os-brick NOTE: 20230525: Added by Front-Desk (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3794aa30bd489dc2fa769a07d54ee4ed616a315b
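Review bot: The two added NOTE lines attribute themselves with a leading "JS:" prefix, whereas the surrounding notes in this hunk put the author in trailing parentheses, as in "Added by Front-Desk (lamby)". Suggest ending each note with "(jspricke)" instead, and having the first note name the branch or commit in the lts-team repository that holds the patched version, so whoever claims the package next can pick it up directly.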
[Git][security-tracker-team/security-tracker][master] dla: claim python-glance-store
Jochen Sprickerhof pushed to branch master at Debian Security Tracker / security-tracker Commits: 09159b63 by Jochen Sprickerhof at 2023-06-22T17:32:04+02:00 dla: claim python-glance-store - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -168,7 +168,7 @@ php-dompdf NOTE: 20230618: Added by Front-Desk (opal) NOTE: 20230618: Low priority but higher than to not fix it. -- -python-glance-store +python-glance-store (jspricke) NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/09159b635cb277fe58a2d9b0a99482f016b7e3d2
[Git][security-tracker-team/security-tracker][master] dla: claim debian-archive-keyring
Jochen Sprickerhof pushed to branch master at Debian Security Tracker / security-tracker Commits: e664dab6 by Jochen Sprickerhof at 2023-06-22T16:27:00+02:00 dla: claim debian-archive-keyring - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -33,7 +33,7 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -debian-archive-keyring +debian-archive-keyring (jspricke) NOTE: 20230619: Added by Front-Desk (Beuc) NOTE: 20230619: Add bookworm keys as in #1033157; see DLA-2948-1 for a similar update NOTE: 20230619: See also https://lists.debian.org/debian-lts/2021/08/msg00037.html for context (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e664dab66ec5a79e6dcff9350bb8ac52116fb0f9
[Git][security-tracker-team/security-tracker][master] Add notes to python-reportlab
Jochen Sprickerhof pushed to branch master at Debian Security Tracker / security-tracker Commits: fee82ec4 by Jochen Sprickerhof at 2023-06-22T13:47:16+02:00 Add notes to python-reportlab - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1788,6 +1788,8 @@ CVE-2023-33733 (Reportlab up to v3.6.12 allows attackers to execute arbitrary co NOTE: https://docs.reportlab.com/releases/notes/whats-new-3613/ NOTE: https://github.com/c53elyas/CVE-2023-33733 NOTE: Introduced by: https://hg.reportlab.com/hg-public/reportlab/rev/51a521ad7dd3 (3.5.34) + NOTE: This was introduced when fixing CVE-2019-17626. The version in Debian Buster + NOTE: uses a simpler fix in 3.5.13-1+deb10u1 and is not affected. CVE-2023-33693 (A buffer overflow in EasyPlayerPro-Win v3.2.19.0106 to v3.6.19.0823 al ...) NOT-FOR-US: EasyPlayerPro-Win CVE-2023-33690 (SonicJS up to v0.7.0 allows attackers to execute an authenticated path ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fee82ec435a785de23475f8482fdcad543cd426f
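Review bot: The two added NOTE lines say buster "uses a simpler fix in 3.5.13-1+deb10u1" without pointing at that fix, so the not-affected conclusion rests on a patch the reader cannot locate from the entry. Suggest naming or linking the buster patch for CVE-2019-17626, and saying explicitly that the "Introduced by" revision 51a521ad7dd3 on the line above is the upstream CVE-2019-17626 fix, so the two notes read as one argument.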
[Git][security-tracker-team/security-tracker][master] Triage python-reportlab for buster
Jochen Sprickerhof pushed to branch master at Debian Security Tracker / security-tracker Commits: 3dd4ddd5 by Jochen Sprickerhof at 2023-06-22T09:36:55+02:00 Triage python-reportlab for buster - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -1762,8 +1762,10 @@ CVE-2023-33956 (Kanboard is open source project management software that focuses NOTE: https://github.com/kanboard/kanboard/commit/437b141fa2267df36976814e704517f30d2424bd (v1.2.30) CVE-2023-33733 (Reportlab up to v3.6.12 allows attackers to execute arbitrary code via ...) - python-reportlab 3.6.13-1 + [buster] - python-reportlab (Vulnerable code not present) NOTE: https://docs.reportlab.com/releases/notes/whats-new-3613/ NOTE: https://github.com/c53elyas/CVE-2023-33733 + NOTE: Introduced by: https://hg.reportlab.com/hg-public/reportlab/rev/51a521ad7dd3 (3.5.34) CVE-2023-33693 (A buffer overflow in EasyPlayerPro-Win v3.2.19.0106 to v3.6.19.0823 al ...) NOT-FOR-US: EasyPlayerPro-Win CVE-2023-33690 (SonicJS up to v0.7.0 allows attackers to execute an authenticated path ...) = data/dla-needed.txt = 
@@ -177,9 +177,6 @@ python-oslo.privsep NOTE: 20230525: CVE-2022-38065 has been marked as Won't-fix/Hardening opportunity. NOTE: 20230525: It was mentioned the fix was easy but tedious. It is consumer design flaw issue. (sgmoore) -- -python-reportlab - NOTE: 20230612: Added by Front-Desk (apo) --- python3.7 (Adrian Bunk) NOTE: 20230220: Added by Front-Desk (ola) NOTE: 20230228: Waiting for actual upstream fix for CVE-2023-24329. (bunk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3dd4ddd597c8d38f274ab018c419199e631d0374
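Review bot: In the data/CVE/list hunk, the new [buster] line says "Vulnerable code not present" and the added note dates the introduction to 3.5.34, but the entry never states which version buster ships, so the reasoning cannot be checked from the entry alone. Suggest adding the buster version to the note, and confirming that no buster security upload backported the introducing revision 51a521ad7dd3 before python-reportlab is dropped from data/dla-needed.txt.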