[Git][security-tracker-team/security-tracker][master] Reserve DLA-3808-1 for intel-microcode
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: b2394717 by Tobias Frost at 2024-05-04T17:15:59+02:00 Reserve DLA-3808-1 for intel-microcode - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = 
@@ -17884,35 +17884,30 @@ CVE-2023-43490 (Incorrect calculation in microcode keying mechanism for some Int - intel-microcode 3.20240312.1 (bug #1066108) [bookworm] - intel-microcode (Decide after exposure on unstable for update) [bullseye] - intel-microcode (Decide after exposure on unstable for update) - [buster] - intel-microcode (Decide after exposure on unstable for update) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01045.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312 CVE-2023-39368 (Protection mechanism failure of bus lock regulator for some Intel(R) P ...) - intel-microcode 3.20240312.1 (bug #1066108) [bookworm] - intel-microcode (Decide after exposure on unstable for update) [bullseye] - intel-microcode (Decide after exposure on unstable for update) - [buster] - intel-microcode (Decide after exposure on unstable for update) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00972.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312 CVE-2023-38575 (Non-transparent sharing of return predictor targets between contexts i ...) - intel-microcode 3.20240312.1 (bug #1066108) [bookworm] - intel-microcode (Decide after exposure on unstable for update) [bullseye] - intel-microcode (Decide after exposure on unstable for update) - [buster] - intel-microcode (Decide after exposure on unstable for update) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00982.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312 CVE-2023-22655 (Protection mechanism failure in some 3rd and 4th Generation Intel(R) X ...) 
- intel-microcode 3.20240312.1 (bug #1066108) [bookworm] - intel-microcode (Decide after exposure on unstable for update) [bullseye] - intel-microcode (Decide after exposure on unstable for update) - [buster] - intel-microcode (Decide after exposure on unstable for update) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00960.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312 CVE-2023-28746 (Information exposure through microarchitectural state after transient ...) - intel-microcode 3.20240312.1 (bug #1066108) [bookworm] - intel-microcode (Decide after exposure on unstable for update) [bullseye] - intel-microcode (Decide after exposure on unstable for update) - [buster] - intel-microcode (Decide after exposure on unstable for update) - linux 6.7.9-2 [bookworm] - linux 6.1.82-1 - xen = data/DLA/list = @@ -1,3 +1,6 @@ +[04 May 2024] DLA-3808-1 intel-microcode - security update + {CVE-2023-22655 CVE-2023-28746 CVE-2023-38575 CVE-2023-39368 CVE-2023-43490} + [buster] - intel-microcode 3.20240312.1~deb10u1 [04 May 2024] DLA-3807-1 glibc - security update {CVE-2024-2961} [buster] - glibc 2.28-10+deb10u3 = data/dla-needed.txt = 
@@ -105,12 +105,6 @@ i2p NOTE: 20230809: Added by Front-Desk (Beuc) NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28 -- -intel-microcode (tobi) - NOTE: 20240502: Added by Front-Desk (Beuc) - NOTE: 20240502: Update being tested in unstable, - NOTE: 20240502: (CVE-2023-22655 CVE-2023-28746 CVE-2023-38575 CVE-2023-39368 CVE-2023-43490) - NOTE: 20240502: Follow PU: #1068082 and #1068084 (Beuc/front-desk) --- jenkins-htmlunit-core-js NOTE: 20231231: Added by Front-Desk (lamby) NOTE: 20231231: Needs checking that this is definitely vulnerable: a quick glance View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b23947176c7ede9a9b9260cbea8ad041a135fe44 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b23947176c7ede9a9b9260cbea8ad041a135fe44 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list
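Review bot: the data/dla-needed.txt hunk removes the only place where the bookworm/bullseye follow-up is recorded ("NOTE: 20240502: Follow PU: #1068082 and #1068084 (Beuc/front-desk)"), while the data/CVE/list hunk leaves those two suites at "(Decide after exposure on unstable for update)" for all five CVEs; consider carrying the two PU bug numbers over as NOTE lines on the CVE entries so the pending uploads stay traceable once the buster entry is gone. The five "[buster] - intel-microcode" removals do line up with the five CVEs listed in the new DLA-3808-1 entry, and the hunk header (-35/+30) confirms nothing else was dropped.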
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3797-1 for frr
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 60da1161 by Tobias Frost at 2024-04-28T08:09:24+02:00 Reserve DLA-3797-1 for frr - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -129198,7 +129198,6 @@ CVE-2022-37036 CVE-2022-37035 (An issue was discovered in bgpd in FRRouting (FRR) 8.3. In bgp_notify_ ...) - frr 8.4.1-1 (bug #1016978) [bullseye] - frr (Minor issue) - [buster] - frr (Minor issue) NOTE: https://github.com/FRRouting/frr/issues/11698 NOTE: https://github.com/FRRouting/frr/pull/11926 NOTE: https://github.com/FRRouting/frr/commit/71ca5b09bc71e8cbe38177cf41e83fe164e52eee 
@@ -160582,31 +160581,26 @@ CVE-2020-36516 (An issue was discovered in the Linux kernel through 5.16.11. The CVE-2022-26129 (Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due t ...) - frr 8.4.1-1 (bug #1008010) [bullseye] - frr (Minor issue) - [buster] - frr (Minor issue) NOTE: https://github.com/FRRouting/frr/issues/10503 NOTE: Fixed by https://github.com/FRRouting/frr/issues/10504 (together with CVE-2022-26128) CVE-2022-26128 (A buffer overflow vulnerability exists in FRRouting through 8.1.0 due ...) - frr 8.4.1-1 (bug #1008010) [bullseye] - frr (Minor issue) - [buster] - frr (Minor issue) NOTE: https://github.com/FRRouting/frr/issues/10502 NOTE: Fixed by https://github.com/FRRouting/frr/issues/10504 (together with CVE-2022-26129) CVE-2022-26127 (A buffer overflow vulnerability exists in FRRouting through 8.1.0 due ...) - frr 8.4.1-1 (bug #1008010) [bullseye] - frr (Minor issue) - [buster] - frr (Minor issue) NOTE: https://github.com/FRRouting/frr/issues/10487 NOTE: Fixed by https://github.com/FRRouting/frr/pull/10494 CVE-2022-26126 (Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due t ...) - frr 8.4.1-1 (bug #1008010) [bullseye] - frr (Minor issue) - [buster] - frr (Minor issue) NOTE: https://github.com/FRRouting/frr/issues/10505 NOTE: Fixed by https://github.com/FRRouting/frr/pull/10566 CVE-2022-26125 (Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due t ...) - frr 8.4.1-1 (bug #1008010) [bullseye] - frr (Minor issue) - [buster] - frr (Minor issue) NOTE: https://github.com/FRRouting/frr/issues/10507 NOTE: Fix (8.2): https://github.com/FRRouting/frr/pull/10542 NOTE: Fix (8.3): https://github.com/FRRouting/frr/pull/10517 = data/DLA/list = 
@@ -1,3 +1,6 @@ +[28 Apr 2024] DLA-3797-1 frr - security update + {CVE-2022-26125 CVE-2022-26126 CVE-2022-26127 CVE-2022-26128 CVE-2022-26129 CVE-2022-37035 CVE-2023-38406 CVE-2023-38407 CVE-2023-46752 CVE-2023-46753 CVE-2023-47234 CVE-2023-47235 CVE-2024-31948 CVE-2024-31949} + [buster] - frr 7.5.1-1.1+deb10u2 [27 Apr 2024] DLA-3796-1 mediawiki - security update {CVE-2023-51704} [buster] - mediawiki 1:1.31.16-1+deb10u8 = data/dla-needed.txt = @@ -98,11 +98,6 @@ freeimage NOTE: 20240412: ELTS also have a need to update this package. NOTE: 20240412: We should open upstream bug reports and push fixes. See above email discussion. (ola) -- -frr (tobi) - NOTE: 20231119: Added by Front-Desk (apo) - NOTE: 20240206: Continuing fixing the remaining issues (abhijith) - NOTE: 20240301: continue work (abhijith) --- glibc (Adrian Bunk) NOTE: 20240419: Added by coordinator (santiago) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60da116140b9f4d3feddb3db505704a7f53b544a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60da116140b9f4d3feddb3db505704a7f53b544a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
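Review bot: the new DLA-3797-1 entry lists 14 CVEs, but the data/CVE/list hunks remove "[buster] - frr (Minor issue)" for only six of them (CVE-2022-26125 through CVE-2022-26129 and CVE-2022-37035); that is consistent only if the other eight entries (CVE-2023-38406, CVE-2023-38407, CVE-2023-46752, CVE-2023-46753, CVE-2023-47234, CVE-2023-47235, CVE-2024-31948, CVE-2024-31949) carry no buster-specific annotation at all, as CVE-2023-47235 does further down this digest ("- frr 9.1-0.1 (bug #1055852)" with no suite lines). Worth a quick grep for any remaining "[buster] - frr" line under those eight, since a leftover "(Minor issue)" or "(Vulnerable code not present)" annotation would contradict the DLA.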
[Git][security-tracker-team/security-tracker][master] CVE-2024-31951/frr buster and bullseye is not affected
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: dff6b48e by Tobias Frost at 2024-04-27T18:00:31+02:00 CVE-2024-31951/frr buster and bullseye is not affected Vulnerable feature (Link State Data Base) has been introduced in 8.0 (first version containing commit f173deb35206a0) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5961,8 +5961,11 @@ CVE-2024-3430 (A vulnerability was found in QKSMS up to 3.9.4 on Android. It has NOT-FOR-US: QKSMS CVE-2024-31951 (In the Opaque LSA Extended Link parser in FRRouting (FRR) through 9.1, ...) - frr + [bullseye] - frr (Vulnerable code not present) + [buster] - frr (Vulnerable code not present) NOTE: https://github.com/FRRouting/frr/pull/15674/ NOTE: Proposed fix: https://github.com/FRRouting/frr/pull/15674/commits/344fb4be2bc27316c74b17003c05ea40be395836 + NOTE: vulnerable feature introduced in https://github.com/FRRouting/frr/commit/f173deb35206a09e8dc22828cb08638e289b72a5 (first shipped with 8.0) CVE-2024-31950 (In FRRouting (FRR) through 9.1, there can be a buffer overflow and dae ...) - frr [bullseye] - frr (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dff6b48ec9a1809716df457fe97ed989cfb533b0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dff6b48ec9a1809716df457fe97ed989cfb533b0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
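Review bot: the two added "(Vulnerable code not present)" lines rest entirely on the new NOTE that the feature "first shipped with 8.0", yet neither the hunk nor the commit message records the frr versions actually in bullseye and buster that were compared against 8.0. The buster version is visible elsewhere in this digest (7.5.1-1.1+deb10u2 in the DLA-3797-1 entry); stating the shipped versions in the NOTE would make the "not present" verdict checkable without consulting the archive, and the same NOTE is reused verbatim for CVE-2024-31950 and CVE-2024-27913, so one wording fix covers all three.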
[Git][security-tracker-team/security-tracker][master] CVE-2024-31950/frr buster and bullseye is not affected
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 0fad262c by Tobias Frost at 2024-04-27T12:17:47+02:00 CVE-2024-31950/frr buster and bullseye is not affected Vulnerable feature (Link State Data Base) has been introduced in 8.0 (first version containing commit f173deb35206a0) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5965,8 +5965,11 @@ CVE-2024-31951 (In the Opaque LSA Extended Link parser in FRRouting (FRR) throug NOTE: Proposed fix: https://github.com/FRRouting/frr/pull/15674/commits/344fb4be2bc27316c74b17003c05ea40be395836 CVE-2024-31950 (In FRRouting (FRR) through 9.1, there can be a buffer overflow and dae ...) - frr + [bullseye] - frr (Vulnerable code not present) + [buster] - frr (Vulnerable code not present) NOTE: https://github.com/FRRouting/frr/pull/15674/ NOTE: Proposed fix: https://github.com/FRRouting/frr/pull/15674/commits/6b84541df71772f697a7f9e6b2aaf72536aab775 + NOTE: vulnerable feature introduced in https://github.com/FRRouting/frr/commit/f173deb35206a09e8dc22828cb08638e289b72a5 (first shipped with 8.0) CVE-2024-31949 (In FRRouting (FRR) through 9.1, an infinite loop can occur when receiv ...) - frr NOTE: https://github.com/FRRouting/frr/pull/15640 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fad262cd443e115aa0cb853829adda60229f5d6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fad262cd443e115aa0cb853829adda60229f5d6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2024-27913/frr buster and bullseye is not affected
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 9fe826e2 by Tobias Frost at 2024-04-27T10:56:43+02:00 CVE-2024-27913/frr buster and bullseye is not affected Vulnerable feature has been introduced in 8.0 (first version containing commit f173deb35206a0) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17485,8 +17485,11 @@ CVE-2023-51786 (An issue was discovered in Lustre versions 2.13.x, 2.14.x, and 2 NOTE: http://lists.lustre.org/pipermail/lustre-announce-lustre.org/2024/000270.html CVE-2024-27913 (ospf_te_parse_te in ospfd/ospf_te.c in FRRouting (FRR) through 9.1 all ...) - frr 9.1-0.1 (bug #1065144) + [bullseye] - frr (Vulnerable code not present) + [buster] - frr (Vulnerable code not present) NOTE: https://github.com/FRRouting/frr/pull/15431 - NOTE: stable/9.0: https://github.com/FRRouting/frr/commit/aae54e20498974cb026bd0e2649ca3e753090492 ( + NOTE: stable/9.0: https://github.com/FRRouting/frr/commit/aae54e20498974cb026bd0e2649ca3e753090492 + NOTE: vulnerable feature introduced in https://github.com/FRRouting/frr/commit/f173deb35206a09e8dc22828cb08638e289b72a5 (first shipped with 8.0) CVE-2024-26542 (Cross Site Scripting vulnerability in Bonitasoft, S.A v.7.14. and fixe ...) NOT-FOR-US: Bonitasoft CVE-2024-26302 (A vulnerability in the web-based management interface of ClearPass Pol ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9fe826e21eab6cef321cb83c6d10cd44eb65271e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9fe826e21eab6cef321cb83c6d10cd44eb65271e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
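Review bot: the -/+ pair on the "NOTE: stable/9.0: https://github.com/FRRouting/frr/commit/aae54e20498974cb026bd0e2649ca3e753090492 (" line only strips a dangling "(", which is a good cleanup but is not mentioned in the commit message ("buster and bullseye is not affected"); a one-line mention would stop a later reader from assuming the URL itself changed. The commit message here also drops the "(Link State Data Base)" qualifier that the two sibling commits for CVE-2024-31950 and CVE-2024-31951 carry, even though it points at the same introducing commit f173deb35206a0; keeping the qualifier would make the three entries read consistently.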
[Git][security-tracker-team/security-tracker][master] CVE-2023-47235/frr add reference to upstream pull requests.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 9d557633 by Tobias Frost at 2024-04-27T10:21:11+02:00 CVE-2023-47235/frr add reference to upstream pull requests. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -39748,6 +39748,9 @@ CVE-2023-47272 (Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS v CVE-2023-47235 (An issue was discovered in FRRouting FRR through 9.0.1. A crash can oc ...) - frr 9.1-0.1 (bug #1055852) NOTE: https://github.com/FRRouting/frr/commit/6814f2e0138a6ea5e1f83bdd9085d9a7700b + NOTE: https://github.com/FRRouting/frr/pull/14716 + NOTE: https://github.com/FRRouting/frr/pull/14861 (backport to 9.0) + NOTE: https://github.com/FRRouting/frr/pull/14735 (backport to 9.1) CVE-2023-47234 (An issue was discovered in FRRouting FRR through 9.0.1. A crash can oc ...) - frr 9.1-0.1 (bug #1055852) NOTE: https://github.com/FRRouting/frr/commit/c37119df45bbf4ef713bc10475af2ee06e12f3bf View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d557633cfd15b3bcffe40cf15806501bf4eb729 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d557633cfd15b3bcffe40cf15806501bf4eb729 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
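Review bot: the unchanged context line above the three new NOTEs, "NOTE: https://github.com/FRRouting/frr/commit/6814f2e0138a6ea5e1f83bdd9085d9a7700b", carries a 36-hex-digit hash rather than a full 40-digit SHA-1, while the CVE-2023-47234 entry just below uses a complete hash (c37119df45bbf4ef713bc10475af2ee06e12f3bf); since this commit is already adding upstream references to the entry, it is the natural place to replace the truncated hash with the full one from PR 14716. It would also help to state which of the three PRs is the master fix, as the labels only mark the two backports.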
[Git][security-tracker-team/security-tracker][master] Add MR reference for CVE-2022-26128/frr and CVE-2022-26129/frr
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c8638eb by Tobias Frost at 2024-04-21T20:33:05+02:00 Add MR reference for CVE-2022-26128/frr and CVE-2022-26129/frr They are both fixed by the same patch. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -159231,11 +159231,13 @@ CVE-2022-26129 (Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 [bullseye] - frr (Minor issue) [buster] - frr (Minor issue) NOTE: https://github.com/FRRouting/frr/issues/10503 + NOTE: Fixed by https://github.com/FRRouting/frr/issues/10504 (together with CVE-2022-26128) CVE-2022-26128 (A buffer overflow vulnerability exists in FRRouting through 8.1.0 due ...) - frr 8.4.1-1 (bug #1008010) [bullseye] - frr (Minor issue) [buster] - frr (Minor issue) NOTE: https://github.com/FRRouting/frr/issues/10502 + NOTE: Fixed by https://github.com/FRRouting/frr/issues/10504 (together with CVE-2022-26129) CVE-2022-26127 (A buffer overflow vulnerability exists in FRRouting through 8.1.0 due ...) - frr 8.4.1-1 (bug #1008010) [bullseye] - frr (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c8638ebfd548cf541488bf514cbfe71bf21b223 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c8638ebfd548cf541488bf514cbfe71bf21b223 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
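Review bot: both added lines say "Fixed by https://github.com/FRRouting/frr/issues/10504", an /issues/ URL presented as the fix; the commit subject calls it an "MR reference", so if 10504 is the pull request the URL should be /pull/10504, matching the form used for the neighbouring entries (pull/10494, pull/10566), and if 10504 really is an issue the "Fixed by" wording is misleading and the merged PR should be named instead.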
[Git][security-tracker-team/security-tracker][master] CVE-2022-26127/frr add PR that fixes the issue.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: e7d6304e by Tobias Frost at 2024-04-21T20:09:56+02:00 CVE-2022-26127/frr add PR that fixes the issue. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -159241,6 +159241,7 @@ CVE-2022-26127 (A buffer overflow vulnerability exists in FRRouting through 8.1. [bullseye] - frr (Minor issue) [buster] - frr (Minor issue) NOTE: https://github.com/FRRouting/frr/issues/10487 + NOTE: Fixed by https://github.com/FRRouting/frr/pull/10494 CVE-2022-26126 (Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due t ...) - frr 8.4.1-1 (bug #1008010) [bullseye] - frr (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7d6304ec3af44ab86027662c593c2e116330def -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7d6304ec3af44ab86027662c593c2e116330def You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2022-26126/frr - add upstream PR fix.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 3556f07b by Tobias Frost at 2024-04-21T19:55:30+02:00 CVE-2022-26126/frr - add upstream PR fix. This time adding to the correct CVE, c49e7ebcbdc95ccda3200e3831b29b84d4f5ef38 accidentally added it to CVE-2022-2612*7*, which is obviously wrong (as it did not match the commit message). - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -159223,6 +159223,7 @@ CVE-2022-26126 (Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 [bullseye] - frr (Minor issue) [buster] - frr (Minor issue) NOTE: https://github.com/FRRouting/frr/issues/10505 + NOTE: Fixed by https://github.com/FRRouting/frr/pull/10566 CVE-2022-26125 (Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due t ...) - frr 8.4.1-1 (bug #1008010) [bullseye] - frr (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3556f07b235e814ddc044c2bd0ce0d64185e2574 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3556f07b235e814ddc044c2bd0ce0d64185e2574 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
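Review bot: the hunk adds "NOTE: Fixed by https://github.com/FRRouting/frr/pull/10566" under CVE-2022-26126 as the commit message intends, but it does not remove the misplaced copy of that same line that c49e7ebc put under CVE-2022-26127 (at -159213, ten lines above this hunk), so after this commit the note exists under both CVEs; the removal belongs in this same commit so that the correction is atomic, and a later commit in this digest (e7d6304e) shows the CVE-2022-26127 context without the stray line, which means it was cleaned up separately.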
[Git][security-tracker-team/security-tracker][master] CVE-2022-26126/frr - add upstream PR fix.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: c49e7ebc by Tobias Frost at 2024-04-21T10:18:29+02:00 CVE-2022-26126/frr - add upstream PR fix. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -159213,6 +159213,7 @@ CVE-2022-26127 (A buffer overflow vulnerability exists in FRRouting through 8.1. [bullseye] - frr (Minor issue) [buster] - frr (Minor issue) NOTE: https://github.com/FRRouting/frr/issues/10487 + NOTE: Fixed by https://github.com/FRRouting/frr/pull/10566 CVE-2022-26126 (Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due t ...) - frr 8.4.1-1 (bug #1008010) [bullseye] - frr (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c49e7ebcbdc95ccda3200e3831b29b84d4f5ef38 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c49e7ebcbdc95ccda3200e3831b29b84d4f5ef38 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
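Review bot: the hunk's context header is "CVE-2022-26127 (A buffer overflow vulnerability exists in FRRouting through 8.1." and the new line lands after "NOTE: https://github.com/FRRouting/frr/issues/10487", i.e. in the CVE-2022-26127 entry, while the commit subject names CVE-2022-26126; the entry for CVE-2022-26126 (upstream issue 10505) begins only after the added line. Either the subject or the placement is wrong, and given that issue 10505 is the one pull/10566 addresses the line needs to move down one entry; checking that the hunk header's CVE matches the subject before pushing would catch this class of slip.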
[Git][security-tracker-team/security-tracker][master] CVE-2022-26125/frr add link to PR fixing issue.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 797a96c1 by Tobias Frost at 2024-04-20T17:16:52+02:00 CVE-2022-26125/frr add link to PR fixing issue. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -159198,6 +159198,8 @@ CVE-2022-26125 (Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 [bullseye] - frr (Minor issue) [buster] - frr (Minor issue) NOTE: https://github.com/FRRouting/frr/issues/10507 + NOTE: Fix (8.2): https://github.com/FRRouting/frr/pull/10542 + NOTE: Fix (8.3): https://github.com/FRRouting/frr/pull/10517 CVE-2022-26122 (An insufficient verification of data authenticity vulnerability [CWE-3 ...) NOT-FOR-US: FortiGuard CVE-2022-26121 (An exposure of resource to wrong sphere vulnerability [CWE-668] in For ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/797a96c1b3c51416374081e6428a7d7a9138e5d8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/797a96c1b3c51416374081e6428a7d7a9138e5d8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: claim frr in dla-needed.txt
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 1cf89abb by Tobias Frost at 2024-04-13T17:46:24+02:00 LTS: claim frr in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -87,7 +87,7 @@ freeimage NOTE: 20240412: ELTS also have a need to update this package. NOTE: 20240412: We should open upstream bug reports and push fixes. See above email discussion. (ola) -- -frr +frr (tobi) NOTE: 20231119: Added by Front-Desk (apo) NOTE: 20240206: Continuing fixing the remaining issues (abhijith) NOTE: 20240301: continue work (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1cf89abbe30d34b3284f931400cf77596ccfb643 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1cf89abbe30d34b3284f931400cf77596ccfb643 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3783-1 for expat
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 22b0e152 by Tobias Frost at 2024-04-07T09:14:11+02:00 Reserve DLA-3783-1 for expat - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[07 Apr 2024] DLA-3783-1 expat - security update + {CVE-2023-52425} + [buster] - expat 2.2.6-2+deb10u7 [07 Apr 2024] DLA-3782-1 util-linux - security update {CVE-2021-37600 CVE-2024-28085} [buster] - util-linux 2.33.1-0.1+deb10u1 = data/dla-needed.txt = @@ -75,10 +75,6 @@ emacs (Sean Whitton) NOTE: 20240403: for example, CVE-2024-30202. But I think it is vulnerable NOTE: 20240403: to CVE-2024-30203. (lamby) -- -expat (tobi) - NOTE: 20240306: Added by Front-Desk (opal) - NOTE: 20230324: slowly making progress, seems that I've just defeated CVE-2023-52425 :) (tobi) --- freeimage NOTE: 20240320: Added by Front-Desk (ta) NOTE: 20240320: lots of postponed issue could be fixed as well View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/22b0e152708267c9c1136ca94b0bb6a09662d17c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/22b0e152708267c9c1136ca94b0bb6a09662d17c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2013-0340/expat add upstream reference to PR fixing the issue.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: a5496f2d by Tobias Frost at 2024-03-27T07:08:16+01:00 CVE-2013-0340/expat add upstream reference to PR fixing the issue. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -581688,6 +581688,7 @@ CVE-2013-0340 (expat 2.1.0 and earlier does not properly handle entities expansi - expat 2.4.1-2 (unimportant; bug #1001864) NOTE: Expat provides API to mitigate expansion attacks, ultimately under control of the app using Expat NOTE: https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0340.html + NOTE: Fixed by https://github.com/libexpat/libexpat/pull/466 and https://github.com/libexpat/libexpat/pull/484 CVE-2013-0339 (libxml2 through 2.9.1 does not properly handle external entities expan ...) {DSA-2652-1} - libxml2 2.8.0+dfsg1-7+nmu1 (bug #702260) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5496f2dd9d757844bc337afbfa65ca9b0c549df -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5496f2dd9d757844bc337afbfa65ca9b0c549df You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Progress note on expat.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 94412bd7 by Tobias Frost at 2024-03-25T17:29:25+01:00 Progress note on expat. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -74,6 +74,7 @@ edk2 -- expat (tobi) NOTE: 20240306: Added by Front-Desk (opal) + NOTE: 20230324: slowly making progress, seems that I've just defeated CVE-2023-52425 :) (tobi) -- freeimage NOTE: 20240320: Added by Front-Desk (ta) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/94412bd75f775feff9c839750a08fc3ef769f1e3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/94412bd75f775feff9c839750a08fc3ef769f1e3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
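Review bot: the added line is stamped "NOTE: 20230324:" but the commit is dated 2024-03-25 and the preceding note in the same entry is "20240306", so the year should read 20240324; the dla-needed.txt notes are ordered and read by date, and a 2023 stamp would sort this progress report before the entry was even added. The same mistyped year is then carried along when the entry is removed in the DLA-3783-1 commit.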
[Git][security-tracker-team/security-tracker][master] LTS: claim expat in dla-needed.txt
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 60343264 by Tobias Frost at 2024-03-10T20:13:31+01:00 LTS: claim expat in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -74,7 +74,7 @@ edk2 NOTE: 20231230: Added by Front-Desk (lamby) NOTE: 20231230: CVE-2019-11098 fixed in bullseye via DSA or point release (lamby) -- -expat +expat (tobi) NOTE: 20240306: Added by Front-Desk (opal) -- freeipa (Chris Lamb) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60343264de9b5ae2294112b1a1605b5fa3e4f495 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60343264de9b5ae2294112b1a1605b5fa3e4f495 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: release claim on nss in dla-needed.txt
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 62d36b43 by Tobias Frost at 2024-03-10T18:59:30+01:00 LTS: release claim on nss in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -164,7 +164,7 @@ nova NOTE: 20230302: zigo currently has no time and requests the LTS team to do it (IRC #debian-lts 2023-03-02). (Beuc/front-desk) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. (lamby) -- -nss (tobi) +nss NOTE: 20240121: Added by Front-Desk (apo) NOTE: 20240310: CVE-2023-6135: Upstream suggests to wait until they have a patch for 3.90 (their LTS version) available and backport from there. NOTE: 20230310: see also: Message-ID: View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62d36b4369c4fa2b2d3d7076c9a9d534a2b5b01d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62d36b4369c4fa2b2d3d7076c9a9d534a2b5b01d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3757-1 for nss.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: e494cd25 by Tobias Frost at 2024-03-10T18:58:45+01:00 Reserve DLA-3757-1 for nss. - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -27496,7 +27496,6 @@ CVE-2023-5388 - nss 2:3.98-1 (bug #1056284) [bookworm] - nss (Minor issue) [bullseye] - nss (Minor issue) - [buster] - nss (Minor issue) NOTE: https://people.redhat.com/~hkario/marvin/ NOTE: Vendor patch (Rocky Linux, not upstreamed): https://git.rockylinux.org/staging/rpms/nss/-/commit/1f7f7523b61a2ada2f461548c4160fbbf979c5dd NOTE: Fixed by: https://hg.mozilla.org/projects/nss/rev/196716d8377ab427e326f20bff2d026e90ac69e2 = data/DLA/list = @@ -1,3 +1,6 @@ +[10 Mar 2024] DLA-3757-1 nss - security update + {CVE-2023-5388 CVE-2024-0743} + [buster] - nss 2:3.42.1-1+deb10u8 [10 Mar 2024] DLA-3756-1 wordpress - security update [buster] - wordpress 5.0.21+dfsg1-0+deb10u1 [09 Mar 2024] DLA-3755-1 tar - security update = data/dla-needed.txt = 
@@ -166,12 +166,8 @@ nova -- nss (tobi) NOTE: 20240121: Added by Front-Desk (apo) - NOTE: 20240209: There is currently no (public) patch for CVE-2023-5388 - RedHat seems to have one in privateā¦ (tobi) - NOTE: 20240209: Tried to backport patches for CVE-2023-6135, however it is unclear which bits are required or if the - NOTE: 20240209: fix would be to backport nss to utilize HACL*. The version in buster does not have the NIST ciphers - NOTE: 20240209: in the files touched by the upstream patch. TL;DR: I'm unsure if the prepared patches are fixing the vulnerabilty. - NOTE: 20240209: The backported patches are in the LTS repository, CVE-2023-6135*.patch - NOTE: 20230227: Upstream suggests to wait until they have a patch for 3.90 (their LTS version) available and backport from there. + NOTE: 20240310: CVE-2023-6135: Upstream suggests to wait until they have a patch for 3.90 (their LTS version) available and backport from there. + NOTE: 20230310: see also: Message-ID: -- nvidia-graphics-drivers NOTE: 20240303: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e494cd253be892f0ab8bd86e86074788f6b9cc01
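Review bot: the data/CVE/list hunk drops the buster "Minor issue" line for CVE-2023-5388 only, while the new DLA-3757-1 entry in data/DLA/list claims {CVE-2023-5388 CVE-2024-0743}; check that the CVE-2024-0743 entry carries no stale [buster] marker either, otherwise the tracker keeps showing buster as open for a CVE the DLA fixes.

Review bot: in the data/dla-needed.txt hunk the added line "NOTE: 20230310: see also: Message-ID:" has a year typo (the sibling note and the commit itself are dated 2024-03-10) and an empty Message-ID, so the pointer it is meant to record is missing; paste the message ID or drop the line. Removing the five 20240209 notes also loses the only pointer to the CVE-2023-6135*.patch files in the LTS repository; one line saying they exist and are unverified would keep that context for whoever picks nss up next.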
[Git][security-tracker-team/security-tracker][master] dla-needed.txt: Add upstream response for CVE-2023-6135/nss
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 4ed4d895 by Tobias Frost at 2024-02-27T21:19:17+01:00 dla-needed.txt: Add upstream response for CVE-2023-6135/nss - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -194,6 +194,7 @@ nss (tobi) NOTE: 20240209: fix would be to backport nss to utilize HACL*. The version in buster does not have the NIST ciphers NOTE: 20240209: in the files touched by the upstream patch. TL;DR: I'm unsure if the prepared patches are fixing the vulnerabilty. NOTE: 20240209: The backported patches are in the LTS repository, CVE-2023-6135*.patch + NOTE: 20230227: Upstream suggests to wait until they have a patch for 3.90 (their LTS version) available and backport from there. -- nvidia-cuda-toolkit NOTE: 20230514: Added by Front-Desk (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ed4d89534cc8c01ed5827301a86b32a29fd96b5
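Review bot: the added note is dated 20230227, but the commit is from 2024-02-27 and the notes directly above it are dated 20240209; use 20240227 so the entry sorts after them instead of reading as a year-old remark.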
[Git][security-tracker-team/security-tracker][master] LTS: claim nss in dla-needed.txt
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 3e5b31b1 by Tobias Frost at 2024-02-27T06:24:25+01:00 LTS: claim nss in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -188,7 +188,7 @@ nova NOTE: 20230302: zigo currently has no time and requests the LTS team to do it (IRC #debian-lts 2023-03-02). (Beuc/front-desk) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. (lamby) -- -nss +nss (tobi) NOTE: 20240121: Added by Front-Desk (apo) NOTE: 20240209: There is currently no (public) patch for CVE-2023-5388 - RedHat seems to have one in privateā¦ (tobi) NOTE: 20240209: Tried to backport patches for CVE-2023-6135, however it is unclear which bits are required or if the View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e5b31b1d336c29d5c71a96d7e86ceea1db24982
[Git][security-tracker-team/security-tracker][master] CVE-2023-5388/nss Add upstream patch reference.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: dcbb8807 by Tobias Frost at 2024-02-19T20:56:17+01:00 CVE-2023-5388/nss Add upstream patch reference. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21838,6 +21838,7 @@ CVE-2023-5388 [buster] - nss (Minor issue) NOTE: https://people.redhat.com/~hkario/marvin/ NOTE: Vendor patch (Rocky Linux, not upstreamed): https://git.rockylinux.org/staging/rpms/nss/-/commit/1f7f7523b61a2ada2f461548c4160fbbf979c5dd + NOTE: Upstream patch: https://hg.mozilla.org/projects/nss/rev/196716d8377ab427e326f20bff2d026e90ac69e2 CVE-2023-5551 (Separate Groups mode restrictions were not honoured in the forum summa ...) - moodle CVE-2023-5550 (In a shared hosting environment that has been misconfigured to allow a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dcbb8807d29463a00abc65b5e8d85a626f94d2fe
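Review bot: the new "Upstream patch:" line gives no release the commit landed in, unlike the "(v2.17.0)" / "(6.0.23rc1)" suffixes on the openvswitch and zabbix NOTE lines elsewhere in this log; add the NSS version so LTS can see at a glance how far the fix is from buster's 2:3.42.1. The 20240209 note in data/dla-needed.txt stating there is no public patch for CVE-2023-5388 is now stale and should be updated in the same change.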
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3734-1 for openvswitch
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 3926f7c1 by Tobias Frost at 2024-02-17T16:13:47+01:00 Reserve DLA-3734-1 for openvswitch - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -24970,7 +24970,6 @@ CVE-2023-5366 (A flaw was found in Open vSwitch that allows ICMPv6 Neighbor Adve - openvswitch 3.1.2-1 [bookworm] - openvswitch (Minor issue) [bullseye] - openvswitch (Minor issue) - [buster] - openvswitch (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2006347 NOTE: https://github.com/openvswitch/ovs/commit/694c7b4e097c4d89e23ea9b3c7b677b4fcbe0459 (v3.1.2) NOTE: https://github.com/openvswitch/ovs/commit/489553b1c21692063931a9f50b6849b23128443c (v3.2.0) = data/DLA/list = @@ -1,3 +1,6 @@ +[17 Feb 2024] DLA-3734-1 openvswitch - security update + {CVE-2023-5366} + [buster] - openvswitch 2.10.7+ds1-0+deb10u5 [03 Feb 2024] DLA-3733-1 rear - security update {CVE-2024-23301} [buster] - rear 2.4+dfsg-1+deb10u1 = data/dla-needed.txt = 
@@ -193,9 +193,6 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- -openvswitch (tobi) - NOTE: 20240209: Added by Front-Desk (utkarsh) --- putty NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3926f7c1b720db3bdf27bc746f1a2b231f775878
[Git][security-tracker-team/security-tracker][master] CVE-2024-22563/openvswitch buster is not vulnerable.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: f508ab99 by Tobias Frost at 2024-02-10T09:35:14+01:00 CVE-2024-22563/openvswitch buster is not vulnerable. The memory leak was introduced with commit https://github.com/openvswitch/ovs/commit/b6e840aed03e3f6d1aa726b482140d895f60f90f, first appearing in tag v2.11.0. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3912,9 +3912,10 @@ CVE-2024-22876 (StrangeBee TheHive 5.1.0 to 5.1.9 and 5.2.0 to 5.2.8 is vulnerab CVE-2024-22563 (openvswitch 2.17.8 was discovered to contain a memory leak via the fun ...) - openvswitch 2.17.2-4 [bullseye] - openvswitch (Minor issue) - [buster] - openvswitch (Minor issue, memory leak) + [buster] - openvswitch (Vulnerable code introduced later) NOTE: https://github.com/openvswitch/ovs-issues/issues/315 NOTE: https://github.com/openvswitch/ovs/commit/3168f328c78cf6e4b3022940452673b0e49f7620 (v2.17.0) + NOTE: Introduced with: https://github.com/openvswitch/ovs/commit/b6e840aed03e3f6d1aa726b482140d895f60f90f (v2.11.0) CVE-2024-22562 (swftools 0.9.2 was discovered to contain a Stack Buffer Underflow via ...) - swftools NOTE: https://github.com/matthiaskramm/swftools/issues/210 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f508ab997796385f4abb5fc9ed80250d15cc6ffc
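Review bot: the context line tags the fix commit 3168f328... as "(v2.17.0)", yet the CVE text says the leak was found in openvswitch 2.17.8 and Debian's fixed version is 2.17.2-4; a fix that predates the reportedly vulnerable release cannot be right as a containing tag, so verify which release actually carries that commit before the annotation is used for triage of the remaining suites. The new "Introduced with:" line is the right way to justify the buster change; consider the same "Fixed by:" / "Introduced by:" labels used on the CVE-2023-3966 entry for consistency.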
[Git][security-tracker-team/security-tracker][master] CVE-2023-3966/openvswitch - buster is not affected
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: abbf2a15 by Tobias Frost at 2024-02-10T08:49:58+01:00 CVE-2023-3966/openvswitch - buster is not affected Vulnerable code introduced in 2.11.0, buster is at 2.10.7. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -203,6 +203,7 @@ CVE-2023-4639 [Cookie Smuggling/Spoofing] NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2166022 CVE-2023-3966 [Invalid memory access in Geneve with HW offload] - openvswitch (bug #1063492) + [buster] - openvswitch (Vulnerable feature introduced later) NOTE: https://www.openwall.com/lists/oss-security/2024/02/08/3 NOTE: Introduced by: https://github.com/openvswitch/ovs/commit/a468645c6d330943dbe0c8d466e05b9af2d7df0c (v2.11.0) NOTE: Fixed by: https://github.com/openvswitch/ovs/commit/2cfbcd5247ed0fd941c1ebb9f4adb952b67fe13a (v3.2.2) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abbf2a1514bb0ddd3d9fe721665a44f91172e883
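Review bot: the new buster marker reads "Vulnerable feature introduced later", while the same author's CVE-2024-22563 entry (f508ab99, same day, same v2.11.0 cut-off against buster's 2.10.7) uses "Vulnerable code introduced later"; pick one wording so the entries grep consistently.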
[Git][security-tracker-team/security-tracker][master] LTS: claim openvswitch in dla-needed.txt
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 367677e5 by Tobias Frost at 2024-02-10T07:47:30+01:00 LTS: claim openvswitch in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -178,7 +178,7 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- -openvswitch +openvswitch (tobi) NOTE: 20240209: Added by Front-Desk (utkarsh) -- putty (santiago) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/367677e55c7fbf8b83c2834885a1b4c22a08eb86
[Git][security-tracker-team/security-tracker][master] Document progress on nss:
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 19b117a2 by Tobias Frost at 2024-02-09T20:25:59+01:00 Document progress on nss: NOTE: 20240209: Tried to backport patches for CVE-2023-6135, however it is unclear which bits are required or if the NOTE: 20240209: fix would be to backport nss to utilize HACL*. The version in buster does not have the NIST ciphers NOTE: 20240209: in the files touched by the upstream patch. TL;DR: I'm unsure if the prepared patches are fixing the vulnerability. NOTE: 20240209: The backported patches are in the LTS repository, CVE-2023-6135*.patch /tobi - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -165,6 +165,11 @@ nova -- nss (tobi) NOTE: 20240121: Added by Front-Desk (apo) + NOTE: 20240209: There is currently no (public) patch for CVE-2023-5388 - RedHat seems to have one in privateā¦ (tobi) + NOTE: 20240209: Tried to backport patches for CVE-2023-6135, however it is unclear which bits are required or if the + NOTE: 20240209: fix would be to backport nss to utilize HACL*. The version in buster does not have the NIST ciphers + NOTE: 20240209: in the files touched by the upstream patch. TL;DR: I'm unsure if the prepared patches are fixing the vulnerabilty. + NOTE: 20240209: The backported patches are in the LTS repository, CVE-2023-6135*.patch -- nvidia-cuda-toolkit NOTE: 20230514: Added by Front-Desk (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/19b117a202dea1a2def53936ef1b42a498c46f84
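Review bot: the first added line contains "privateā¦", a UTF-8 ellipsis written through the wrong encoding; the surrounding data/dla-needed.txt lines are plain ASCII, so replace it with "..." before it propagates (it is already carried verbatim into the later nss commits on this page). The last added line points at "the LTS repository, CVE-2023-6135*.patch" without naming the repository or branch; a path or URL would save the next person a search, and "vulnerabilty" wants an "i".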
[Git][security-tracker-team/security-tracker][master] LTS: claim nss in dla-needed.txt
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: e643f071 by Tobias Frost at 2024-02-04T11:42:15+01:00 LTS: claim nss in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -159,7 +159,7 @@ nova NOTE: 20230302: zigo currently has no time and requests the LTS team to do it (IRC #debian-lts 2023-03-02). (Beuc/front-desk) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. (lamby) -- -nss +nss (tobi) NOTE: 20240121: Added by Front-Desk (apo) -- nvidia-cuda-toolkit View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e643f07164a4f2ddd60d3f729c078424acbb2e68
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3717-1 for zabbix
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 7eaa9a46 by Tobias Frost at 2024-01-24T22:06:55+01:00 Reserve DLA-3717-1 for zabbix - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[24 Jan 2024] DLA-3717-1 zabbix - security update + {CVE-2023-32721 CVE-2023-32723 CVE-2023-32726} + [buster] - zabbix 1:4.0.4+dfsg-1+deb10u4 [23 Jan 2024] DLA-3716-1 ruby-httparty - security update {CVE-2024-22049} [buster] - ruby-httparty 0.16.2+dfsg1-3+deb10u1 = data/dla-needed.txt = @@ -310,9 +310,6 @@ wireshark xorg-server (Markus Koschany) NOTE: 20240117: Added by Front-Desk (lamby) -- -zabbix (tobi) - NOTE: 20231015: Added by Front-Desk (ta) --- zfs-linux (Utkarsh) NOTE: 20231127: Added by Front-Desk (Beuc) NOTE: 20240801: the fix for other CVE wasn't obvious but about to be ready; D/ELA to be out soon. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7eaa9a46676b26bec145429e8fb1437060cfa791
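Review bot: the trailing context line for zfs-linux is dated "20240801", which lies after this commit (2024-01-24); it is not part of this change, but the date is presumably a transposed 20240108 and is worth fixing in a follow-up so the notes stay in chronological order.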
[Git][security-tracker-team/security-tracker][master] s/ttps/https
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 016eb657 by Tobias Frost at 2024-01-23T20:14:20+01:00 s/ttps/https - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6435,7 +6435,7 @@ CVE-2023-32727 (An attacker who has the privilege to configure Zabbix items can NOTE: https://support.zabbix.com/browse/ZBX-23857 NOTE: https://github.com/zabbix/zabbix/commit/93e090592fc6de7ec5d3d42c1bb9074ad1f3ba34 (6.0.23rc1) NOTE: https://github.com/zabbix/zabbix/commit/610f9fdbb86667f4094972547deb936c6cdfc6d5 (6.0.23rc1) -NOTE: introduced in ttps://git.zabbix.com/projects/ZBX/repos/zabbix/commits/57abe5a1f2c208d05cc59029026098c2f13ed464 (4.4.0alpha3) +NOTE: introduced in https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/57abe5a1f2c208d05cc59029026098c2f13ed464 (4.4.0alpha3) CVE-2023-32726 (The vulnerability is caused by improper check for check if RDLENGTH do ...) - zabbix 1:6.0.24+dfsg-1 NOTE: https://support.zabbix.com/browse/ZBX-23855 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/016eb657b4453e3becdfa55ebbdfa411c0f313f1
[Git][security-tracker-team/security-tracker][master] CVE-2023-32727/zabbix - buster is not affected.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 36e9a771 by Tobias Frost at 2024-01-23T20:13:31+01:00 CVE-2023-32727/zabbix - buster is not affected. The vulnerability is a format-string vulnerability: user-provided input (dst, intended to be a target host for fping) is passed to a shell without sanitizing. The key line for the patch for CVE-2023-32727 is in function get_interval_option(): - zbx_snprintf(tmp, sizeof(tmp), "%s -c1 -t50 -i%u %s", fping, intervals[j], dst); + zbx_snprintf(tmp, sizeof(tmp), "%s -c1 -t50 -i%u", fping, intervals[j]); dst is the ping target, and the resulting tmp is the complete command to be executed in the vulnerable version (via execl("/bin/sh", "sh", "-c", command, (char *)NULL); in zbx_execute()). Bisecting upstream brings the following commit introducing this: Commit: 57abe5a1f2c208d05cc59029026098c2f13ed464 [1] + zbx_snprintf(tmp, sizeof(tmp), "%s -c1 -t50 -i0 %s", fping, dst); [1] https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/57abe5a1f2c208d05cc59029026098c2f13ed464#src/libs/zbxicmpping/icmpping.c line 102 List of affected versions, where the commit is seen for the first time: git tag --contains 57abe5a1f2c208d05cc59029026098c2f13ed464 (manually filtered to show only the first tag of every affected version) 4.4.0alpha3 5.0.0alpha1 5.2.0alpha1 5.4.0alpha1 6.0.0alpha1 6.2.0alpha1 6.4.0alpha1 7.0.0alpha1 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list =
@@ -6428,12 +6428,14 @@ CVE-2023-32728 (The Zabbix Agent 2 item key smart.disk.get does not sanitize its NOTE: https://github.com/zabbix/zabbix/commit/09fa80bb16b094e4c17c036868c817f411efe4a0 (6.0.24rc1) NOTE: https://github.com/zabbix/zabbix/commit/7c00b48ab998066962e5275efa50007cb72ea1ac (6.0.24rc1) NOTE: https://github.com/zabbix/zabbix/commit/245fbae6039ebfbd720ab33c0349c82bae242fc9 (6.0.24rc1) -NOTE: Vulnerable feature introduced with version 5.0.9rc1 resp. 5.4.0alpha2 https://support.zabbix.com/browse/ZBXNEXT-6339 +NOTE: Vulnerable feature introduced with versions 5.0.9rc1, 5.3.5rc1 and 5.4.0alpha2 https://support.zabbix.com/browse/ZBXNEXT-6339 CVE-2023-32727 (An attacker who has the privilege to configure Zabbix items can use fu ...) - zabbix 1:6.0.23+dfsg-1 +[buster] - zabbix (Vulnerable code introduced later) NOTE: https://support.zabbix.com/browse/ZBX-23857 NOTE: https://github.com/zabbix/zabbix/commit/93e090592fc6de7ec5d3d42c1bb9074ad1f3ba34 (6.0.23rc1) NOTE: https://github.com/zabbix/zabbix/commit/610f9fdbb86667f4094972547deb936c6cdfc6d5 (6.0.23rc1) +NOTE: introduced in ttps://git.zabbix.com/projects/ZBX/repos/zabbix/commits/57abe5a1f2c208d05cc59029026098c2f13ed464 (4.4.0alpha3) CVE-2023-32726 (The vulnerability is caused by improper check for check if RDLENGTH do ...) - zabbix 1:6.0.24+dfsg-1 NOTE: https://support.zabbix.com/browse/ZBX-23855 
@@ -6442,7 +6444,7 @@ CVE-2023-32725 (The website configured in the URL widget will receive a session - zabbix 1:6.0.23+dfsg-1 [bullseye] - zabbix (Vulnerable code not present) [buster] - zabbix (vulnerable code introduced later) - NOTE: https://support.zabbix.com/browse/ZBX-23854 + NOTE: https://support.zabbix.com/browse/ZBX-2354 NOTE: https://github.com/zabbix/zabbix/commit/89e0cd6ea93a097671d6bcfbfa674047a3096b26 (6.0.22rc1) NOTE: report_manager introduced with: https://github.com/zabbix/zabbix/commit/a06a08111546081e8256267bc0062cbd74dc3309 (6.0.0alpha1) CVE-2023-32230 (An improper handling of a malformed API request to an API server in Bo ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/36e9a77145dd28bbc338686e27d75ada2c9f7279
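Review bot: the first hunk rewrites the CVE-2023-32728 note to "5.0.9rc1, 5.3.5rc1 and 5.4.0alpha2", but the ZBXNEXT-6339 quote in commit c7631825 on this page lists 5.0.9rc1, 5.2.5rc1 and 5.4.0alpha2; 5.3.5rc1 looks like a transposition of 5.2.5rc1, so verify against the ticket. The line added for CVE-2023-32727 reads "ttps://git.zabbix.com/..." (repaired in the follow-up commit 016eb657); squashing that fix into this commit would have kept the history clean.

Review bot: the second hunk changes the CVE-2023-32725 reference from ZBX-23854 to ZBX-2354, which drops a digit and matches neither the ZBX-2385x numbering of the neighbouring zabbix tickets (ZBX-23855, ZBX-23857, ZBX-23858) nor the value originally added in commit 43cb8dd4; this looks like an accidental edit and should be reverted.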
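The command-line construction described in the commit message above, as an added C illustration; this is not Zabbix code, and the function names (build_shell_command, build_argv, is_plain_host, contains_shell_metachar) and the sample targets are assumptions made for the example. It contrasts the pre-fix pattern, in which dst is interpolated into one string later handed to /bin/sh -c, with an argv-based form in which the target can never be parsed by a shell (a different remedy from the upstream patch, which simply stops appending dst to that string), and adds the kind of character allowlist a ping-target parameter should pass before it is used anywhere.

```c
/* Added illustration (not Zabbix code): why interpolating a ping target into a
 * shell command line is dangerous, and two ways to avoid it. The function names
 * and sample inputs are assumptions chosen for this example, not Zabbix APIs. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the pre-fix pattern: everything, including dst, becomes one string
 * that the caller later passes to /bin/sh -c. Returns what snprintf returns. */
int build_shell_command(char *buf, size_t size, const char *fping,
                        unsigned interval, const char *dst)
{
    return snprintf(buf, size, "%s -c1 -t50 -i%u %s", fping, interval, dst);
}

/* Hardened pattern: each word is a separate argv element, so the target is
 * passed to fping verbatim and no shell ever tokenises it. Returns argc, or
 * -1 if the caller's array is too small for five words plus the terminator. */
int build_argv(const char *argv[], size_t max, const char *fping,
               const char *interval_opt, const char *dst)
{
    if (max < 6)
        return -1;
    argv[0] = fping;
    argv[1] = "-c1";
    argv[2] = "-t50";
    argv[3] = interval_opt;
    argv[4] = dst;
    argv[5] = NULL;
    return 5;
}

/* Defence in depth: accept only characters that can occur in a hostname or an
 * IPv4/IPv6 literal. Space, ';', '|', '$', backticks, quotes and newlines are
 * all rejected, so the value is safe even if it later reaches a shell. */
bool is_plain_host(const char *dst)
{
    if (dst == NULL || *dst == '\0')
        return false;
    for (const unsigned char *p = (const unsigned char *)dst; *p; p++) {
        if (!(isalnum(*p) || *p == '.' || *p == '-' || *p == ':'))
            return false;
    }
    return true;
}

/* True if a built command line contains a shell metacharacter; used here only
 * to make the difference between the two builders visible. */
bool contains_shell_metachar(const char *s)
{
    return strpbrk(s, ";|&$`\"'\n<>()") != NULL;
}

int main(void)
{
    /* Constructed sample inputs; the second is the shape of value an item key
     * could supply if dst were not validated. */
    const char *benign = "192.0.2.10";
    const char *hostile = "192.0.2.10; id > /tmp/out";
    char cmd[256];
    const char *argv[6];

    build_shell_command(cmd, sizeof cmd, "/usr/bin/fping", 0, hostile);
    printf("shell string : %s  [metachar=%d]\n", cmd, contains_shell_metachar(cmd));

    build_argv(argv, 6, "/usr/bin/fping", "-i0", hostile);
    printf("argv[4]      : %s  (one element, never shell-parsed)\n", argv[4]);

    printf("validator    : benign=%d hostile=%d\n",
           is_plain_host(benign), is_plain_host(hostile));
    return 0;
}
```

Running it prints the interpolated string with the injected ";" and ">" intact, the same hostile value sitting as a single argv element, and the validator accepting the plain address while rejecting the hostile one; the point is that the argv form removes the shell from the path entirely, and the allowlist protects any other code path that still builds a string.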
[Git][security-tracker-team/security-tracker][master] CVE-2023-32728/zabbix (buster) vulnerable code introduced later.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: c7631825 by Tobias Frost at 2024-01-23T18:59:00+01:00 CVE-2023-32728/zabbix (buster) vulnerable code introduced later. Vulnerable feature was introduced with this ticket: https://support.zabbix.com/browse/ZBXNEXT-6339 Quote: Available in: 5.0.9rc1 1ee48854146 5.2.5rc1 68cf640f12d 5.4.0alpha2 (master) 434243ef35a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6419,6 +6419,7 @@ CVE-2023-33214 (Cross-Site Request Forgery (CSRF) vulnerability in Tagbox Tagbox NOT-FOR-US: WordPress plugin CVE-2023-32728 (The Zabbix Agent 2 item key smart.disk.get does not sanitize its param ...) - zabbix 1:6.0.24+dfsg-1 +[buster] - zabbix (Vulnerable code introduced later) NOTE: https://support.zabbix.com/browse/ZBX-23858 NOTE: https://github.com/zabbix/zabbix/commit/51ee1af626f93c1656ee2e37aa3d611b0292c1d8 (6.0.24rc1) NOTE: https://github.com/zabbix/zabbix/commit/f4557473616f455eefe8f303721b4cec473ece4c (6.0.24rc1) 
@@ -6427,6 +6428,7 @@ CVE-2023-32728 (The Zabbix Agent 2 item key smart.disk.get does not sanitize its NOTE: https://github.com/zabbix/zabbix/commit/09fa80bb16b094e4c17c036868c817f411efe4a0 (6.0.24rc1) NOTE: https://github.com/zabbix/zabbix/commit/7c00b48ab998066962e5275efa50007cb72ea1ac (6.0.24rc1) NOTE: https://github.com/zabbix/zabbix/commit/245fbae6039ebfbd720ab33c0349c82bae242fc9 (6.0.24rc1) +NOTE: Vulnerable feature introduced with version 5.0.9rc1 resp. 5.4.0alpha2 https://support.zabbix.com/browse/ZBXNEXT-6339 CVE-2023-32727 (An attacker who has the privilege to configure Zabbix items can use fu ...) - zabbix 1:6.0.23+dfsg-1 NOTE: https://support.zabbix.com/browse/ZBX-23857 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c7631825c06eb9331e5fcc22abdf7fe9e749b7cb
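Review bot: the added NOTE names only 5.0.9rc1 and 5.4.0alpha2, while the ZBXNEXT-6339 quote in the commit message lists three first-shipping versions (5.0.9rc1, 5.2.5rc1, 5.4.0alpha2); include 5.2.5rc1 so the 5.2 branch is covered, and write "and" rather than "resp." in an English tracker note.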
[Git][security-tracker-team/security-tracker][master] LTS: claim zabbix in dla-needed.txt
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: a116f30b by Tobias Frost at 2024-01-22T20:09:30+01:00 LTS: claim zabbix in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -314,7 +314,7 @@ wireshark xorg-server (Markus Koschany) NOTE: 20240117: Added by Front-Desk (lamby) -- -zabbix +zabbix (tobi) NOTE: 20231015: Added by Front-Desk (ta) -- zfs-linux (Utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a116f30bb7aec9b67f2405de65dacc46d3604f90
[Git][security-tracker-team/security-tracker][master] CVE-2023-32725/zabbix not affecting buster
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 43cb8dd4 by Tobias Frost at 2024-01-21T17:36:17+01:00 CVE-2023-32725/zabbix not affecting buster The vulnerable report_manager has first been part of a release with version 6.0.0alpha. The buster version does not have the Go implementations. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6100,8 +6100,10 @@ CVE-2023-32726 (The vulnerability is caused by improper check for check if RDLEN NOTE: https://github.com/zabbix/zabbix/commit/53ef2b7119f57f4140e6bd9c5cd2d3c6af228179 (6.0.24rc1) CVE-2023-32725 (The website configured in the URL widget will receive a session cookie ...) - zabbix 1:6.0.23+dfsg-1 +[buster] - zabbix (vulnerable code introduced later) NOTE: https://support.zabbix.com/browse/ZBX-23854 NOTE: https://github.com/zabbix/zabbix/commit/89e0cd6ea93a097671d6bcfbfa674047a3096b26 (6.0.22rc1) +NOTE: report_manager introduced with commit https://github.com/zabbix/zabbix/commit/a06a0811154 (first released with 6.0.0alpha1) CVE-2023-32230 (An improper handling of a malformed API request to an API server in Bo ...) NOT-FOR-US: Bosch CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, found in O ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43cb8dd43a8e9544383107231fb22c91c2a42f4f
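Review bot: the added NOTE cites the introducing commit by an 11-character prefix, a06a0811154, whereas every other commit reference in these entries uses the full 40-character hash; use the full hash (it was expanded later in 36e9a771 on this page) so the link does not break on a prefix collision. The buster marker "(vulnerable code introduced later)" is lowercase while the sibling zabbix entries capitalise it; keep one spelling.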
[Git][security-tracker-team/security-tracker][master] Remove paramiko from dla-needed.txt
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 1cb1b17e by Tobias Frost at 2024-01-16T06:03:39+01:00 Remove paramiko from dla-needed.txt CVE-2023-48795/paramiko buster is not vulnerable. Confirmed by upstream: https://github.com/paramiko/paramiko/issues/2337#issuecomment-1880185735 paramiko 2.4.2 implements neither ETM-Mac modes nor ChaCha20. It also has no EXT_INFO support, which might be a factor for exploitability. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -165,9 +165,6 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- -paramiko (tobi) - NOTE: 20231225: Added by Front-Desk (ta) --- php-phpseclib (guilhem) NOTE: 20240114: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1cb1b17e6728cb9da9a0a3a77f80bb3a18f9d1ab
[Git][security-tracker-team/security-tracker][master] Fix entry for CVE-2023-36464/pypdf (bookworm)
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: ee075469 by Tobias Frost at 2024-01-16T06:01:28+01:00 Fix entry for CVE-2023-36464/pypdf (bookworm) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32179,7 +32179,7 @@ CVE-2023-3327 REJECTED CVE-2023-36464 (pypdf is an open source, pure-python PDF library. In affected versions ...) - pypdf 3.17.4-1 (bug #1040338) - [bookworm] - pypdf 3.4.1-1+deb12u1 (Minor issue) + [bookworm] - pypdf 3.4.1-1+deb12u1 - pypdf2 (bug #1040339) [bookworm] - pypdf2 (Minor issue) [bullseye] - pypdf2 (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ee075469a408af6e89d222ba3ffcff79d9c03f23
[Git][security-tracker-team/security-tracker][master] CVE-2023-48795/paramiko buster is not vulnerable.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: ff3a5576 by Tobias Frost at 2024-01-14T17:29:22+01:00 CVE-2023-48795/paramiko buster is not vulnerable. Confirmed by upstream: https://github.com/paramiko/paramiko/issues/2337#issuecomment-1880185735 paramiko 2.4.2 implements neither ETM-Mac modes nor ChaCha20. It also has no EXT_INFO support, which might be a factor for exploitability. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4829,6 +4829,7 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun - paramiko (bug #1059006) [bookworm] - paramiko (Minor issue) [bullseye] - paramiko (Minor issue) +[buster] - paramiko (ChaCha20-Poly1305 and CBC-EtM support not present) - phpseclib 1.0.22-1 - php-phpseclib 2.0.46-1 - php-phpseclib3 3.0.35-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff3a5576ad64f41ba1a5fd2d07492c582ef5aa80
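Review bot: the new buster line states the reason inline, but the upstream confirmation linked in the commit message (paramiko issue 2337, comment 1880185735) is not recorded as a NOTE; adding it next to the verdict in data/CVE/list keeps the evidence with the entry, as the other entries on this page do with their "NOTE: Introduced by:" links.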
[Git][security-tracker-team/security-tracker][master] LTS: claim paramiko in dla-needed.txt
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: ad1739ca by Tobias Frost at 2024-01-07T08:42:12+01:00 LTS: claim paramiko in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -163,7 +163,7 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- -paramiko +paramiko (tobi) NOTE: 20231225: Added by Front-Desk (ta) -- postfix (Markus Koschany) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad1739ca1ee620cf686e6a64ca171f0f31241c79
[Git][security-tracker-team/security-tracker][master] LTS: claim zabbix in dla-needed.txt
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 94b52c9f by Tobias Frost at 2024-01-07T08:42:23+01:00 LTS: claim zabbix in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -268,7 +268,7 @@ wireshark (Adrian Bunk) NOTE: 20231204: DLA pending (bunk) NOTE: 20231218: Debugging a problem with the update. (bunk) -- -zabbix +zabbix (tobi) NOTE: 20231015: Added by Front-Desk (ta) -- zfs-linux View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/94b52c9f8f1b9f59a964f13cdf60fe0c506188b6
[Git][security-tracker-team/security-tracker][master] LTS: claim haproxy in dla-needed.txt
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: edcd64ff by Tobias Frost at 2023-12-24T12:05:17+01:00 LTS: claim haproxy in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -79,7 +79,7 @@ frr golang-go.crypto NOTE: 20231219: Added by Front-Desk (ta) -- -haproxy +haproxy (tobi) NOTE: 20231217: Added by Front-Desk (utkarsh) -- i2p View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/edcd64ff395e3353a68e0a1909c77429d961720a
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3693-1 for osslsigncode
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 4b3918fb by Tobias Frost at 2023-12-23T08:34:22+01:00 Reserve DLA-3693-1 for osslsigncode - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[23 Dec 2023] DLA-3693-1 osslsigncode - security update + {CVE-2023-36377} + [buster] - osslsigncode 2.0+really2.5-4+deb10u1 [19 Dec 2023] DLA-3692-1 curl - security update {CVE-2023-28322 CVE-2023-46218} [buster] - curl 7.64.0-4+deb10u8 = data/dla-needed.txt = @@ -161,10 +161,6 @@ nvidia-cuda-toolkit openssh (santiago) NOTE: 20231219: Added by Front-Desk (ta) -- -osslsigncode (tobi) - NOTE: 20230925: Added by Front-Desk (apo) - NOTE: 20230925: Maybe a new upstream release should just do the trick here. --- python-django (Chris Lamb) NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b3918fb8d76ce9eda1bb3b5228351e4b669261b
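Review bot: the buster version in the new DLA/list entry, 2.0+really2.5-4+deb10u1, reads as upstream 2.5 packaged under a string that keeps buster's version sorting below the next suite, which is what the deleted dla-needed note "Maybe a new upstream release should just do the trick here" anticipated; but that rationale is removed in the same commit, and neither the commit message nor the DLA entry states that this is a new-upstream update rather than a targeted backport of the CVE-2023-36377 fix. Suggest saying so in the commit message (or in a NOTE on the CVE entry), because a full version bump is the first thing anyone triaging a later regression on buster will want to know.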
[Git][security-tracker-team/security-tracker][master] LTS: claim osslsigncode in dla-needed.txt
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: f0ad6d03 by Tobias Frost at 2023-12-21T20:42:27+01:00 LTS: claim osslsigncode in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -161,7 +161,7 @@ nvidia-cuda-toolkit openssh NOTE: 20231219: Added by Front-Desk (ta) -- -osslsigncode +osslsigncode (tobi) NOTE: 20230925: Added by Front-Desk (apo) NOTE: 20230925: Maybe a new upstream release should just do the trick here. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0ad6d0317828680ed3414843a1a08b85c748c9d
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3690-1 for intel-microcode
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 966fb609 by Tobias Frost at 2023-12-16T18:29:35+01:00 Reserve DLA-3690-1 for intel-microcode - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -6105,7 +6105,6 @@ CVE-2023-5528 (A security issue was discovered in Kubernetes where a user that c CVE-2023-23583 (Sequence of processor instructions leads to unexpected behavior for so ...) {DSA-5563-1} - intel-microcode 3.20231114.1 (bug #1055962) - [buster] - intel-microcode (Minor issue for older releases. Affects only newer CPU features.) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00950.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20231114 NOTE: https://lock.cmpxchg8b.com/reptar.html = data/DLA/list = @@ -1,3 +1,6 @@ +[16 Dec 2023] DLA-3690-1 intel-microcode - security update + {CVE-2023-23583} + [buster] - intel-microcode 3.20231114.1~deb10u1 [14 Dec 2023] DLA-3689-1 bluez - security update {CVE-2023-45866} [buster] - bluez 5.50-1.2~deb10u4 = data/dla-needed.txt = 
@@ -82,10 +82,6 @@ imagemagick NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) NOTE: 20231014: Some work under git branch debian/buster but unease -- -intel-microcode (tobi) - NOTE: 20231201: Added by Front-Desk (Beuc) - NOTE: 20231201: Follow DSA-5563-1 (1 CVE) (Beuc/front-desk) --- keystone NOTE: 20231102: Added by Front-Desk (lamby) NOTE: 20231102: Sync (eg. CVE-2021-38155) with stable etc. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/966fb6094966c82600c698486bc4df449d808ef3
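Review bot: the CVE/list hunk removes the buster line "(Minor issue for older releases. Affects only newer CPU features.)", i.e. the earlier judgement that buster did not need an update for CVE-2023-23583, while the DLA/list hunk now ships 3.20231114.1~deb10u1, the same upstream microcode release recorded for the DSA-5563-1 fix ("intel-microcode 3.20231114.1 (bug #1055962)"). The commit message gives no reason for reversing the "Minor issue" assessment; a short NOTE on the CVE entry, or one sentence in the message, saying why buster gets the full release after all would keep the data file self-explanatory. The dla-needed hunk is the usual removal after reserving a DLA and looks complete.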
[Git][security-tracker-team/security-tracker][master] LTS: claim intel-microcode in dla-needed.txt
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: a48de1ef by Tobias Frost at 2023-12-16T09:24:00+01:00 LTS: claim intel-microcode in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -82,7 +82,7 @@ imagemagick NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) NOTE: 20231014: Some work under git branch debian/buster but unease -- -intel-microcode +intel-microcode (tobi) NOTE: 20231201: Added by Front-Desk (Beuc) NOTE: 20231201: Follow DSA-5563-1 (1 CVE) (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a48de1ef8cbcde225409b21afc331b41565b93b4
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3681-1 for amanda
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: ad87ff39 by Tobias Frost at 2023-12-03T10:45:09+01:00 Reserve DLA-3681-1 for amanda - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -91381,7 +91381,6 @@ CVE-2022-37706 (enlightenment_sys in Enlightenment before 0.25.4 allows local us CVE-2022-37705 (A privilege escalation flaw was found in Amanda 3.5.1 in which the bac ...) - amanda 1:3.5.1-10 (bug #1029829) [bullseye] - amanda (Minor issue) - [buster] - amanda (Minor issue) NOTE: https://github.com/MaherAzzouzi/CVE-2022-37705 NOTE: https://github.com/zmanda/amanda/issues/192 NOTE: https://marc.info/?l=amanda-hackers=167437716918603=2 @@ -91400,7 +91399,6 @@ CVE-2022-37704 (Amanda 3.5.1 allows privilege escalation from the regular user b CVE-2022-37703 (In Amanda 3.5.1, an information leak vulnerability was found in the ca ...) - amanda 1:3.5.1-10 (bug #1021017) [bullseye] - amanda (Minor issue) - [buster] - amanda (Minor issue) NOTE: https://github.com/MaherAzzouzi/CVE-2022-37703 NOTE: https://github.com/zmanda/amanda/issues/192 NOTE: https://github.com/zmanda/amanda/pull/198 = data/DLA/list = @@ -1,3 +1,6 @@ +[03 Dec 2023] DLA-3681-1 amanda - security update + {CVE-2022-37703 CVE-2022-37705 CVE-2023-30577} + [buster] - amanda 1:3.5.1-2+deb10u2 [03 Dec 2023] DLA-3680-1 opendkim - security update {CVE-2022-48521} [buster] - opendkim 2.11.0~alpha-12+deb10u1 = data/dla-needed.txt = 
@@ -20,9 +20,6 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. --- -amanda (tobi) - NOTE: 20230730: Added by Front-Desk (apo) -- ansible NOTE: 20231202: Added by Front-Desk (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad87ff395b6f6ef97070cd9d94b344de2127586f
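Review bot: the new DLA/list entry lists three CVEs, CVE-2022-37703, CVE-2022-37705 and CVE-2023-30577, but the CVE/list hunks only remove the buster "(Minor issue)" lines for the first two; no hunk touches CVE-2023-30577, so either that entry never had a buster-specific line (fine) or it still marks buster as unfixed while the DLA says it is fixed in 1:3.5.1-2+deb10u2. Please check. Separately, CVE-2022-37704 shows up as header context of the second hunk ("Amanda 3.5.1 allows privilege escalation from the regular user b") and is not in the DLA; if it was deliberately excluded, the commit message or a NOTE should say why.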
[Git][security-tracker-team/security-tracker][master] CVE-2016-10729/amanda fixed with 1:3.3.9-1
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: ccd23215 by Tobias Frost at 2023-12-03T10:42:18+01:00 CVE-2016-10729/amanda fixed with 1:3.3.9-1 This vulnerability was fixed with the introduction of the security file (man amanda-security.conf). The said version is the first version in Debian that has this feature. Verified on buster and stretch that the PoC does not work but bails out with, e.g.: security file /etc/amanda-security.conf do not allow to run /tmp/runme.sh as root for amstar:star_path when trying to run /usr/lib/amanda/application/amstar restore --star-path=/tmp/runme.sh (PoC is from https://www.exploit-db.com/exploits/39217/, as linked already in the tracker.) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -352270,7 +352270,7 @@ CVE-2016-10730 (An issue was discovered in Amanda 3.3.1. A user with backup priv NOTE: /usr/lib/amanda/application/amstar can only be run by members of the backup NOTE: group (which is root-equivalent due to being able to perform restores e.g.) CVE-2016-10729 (An issue was discovered in Amanda 3.3.1. A user with backup privileges ...) - - amanda (unimportant) + - amanda 1:3.3.9-1 (unimportant) NOTE: https://www.exploit-db.com/exploits/39217/ NOTE: /usr/lib/amanda/runtar can only be run by members of the backup NOTE: group (which is root-equivalent due to being able to perform restores e.g.) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ccd232156b6a0011e6b43973dd827cf74f5700d1
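Review bot: the hunk changes "- amanda (unimportant)" to "- amanda 1:3.3.9-1 (unimportant)" but leaves the NOTE lines under CVE-2016-10729 untouched, so the data file still only states the backup-group mitigation; the reason 1:3.3.9-1 counts as fixed (first Debian version with /etc/amanda-security.conf, which rejects the PoC's --star-path as root) lives only in the commit message. Add a NOTE line recording amanda-security.conf as the fix so the fixed version is verifiable from the tracker pages. Also, the NOTE for this CVE points at /usr/lib/amanda/runtar, while the verification text describes the amstar --star-path check; worth stating in the message that the 39217 PoC was exercised too, or that runtar is covered by the same security-file check.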
[Git][security-tracker-team/security-tracker][master] CVE-2016-10730/amanda fixed with 1:3.3.9-1
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 4198326a by Tobias Frost at 2023-12-03T10:40:00+01:00 CVE-2016-10730/amanda fixed with 1:3.3.9-1 This vulnerability was fixed with the introduction of the security file (man amanda-security.conf). The said version is the first version in Debian that has this feature. Verified on buster and stretch that the PoC does not work but bails out with, e.g.: security file /etc/amanda-security.conf do not allow to run /tmp/runme.sh as root for amstar:star_path when trying to run /usr/lib/amanda/application/amstar restore --star-path=/tmp/runme.sh (PoC is from https://www.exploit-db.com/exploits/39244/, as linked already in the tracker.) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -352265,7 +352265,7 @@ CVE-2018-18633 CVE-2018-18632 RESERVED CVE-2016-10730 (An issue was discovered in Amanda 3.3.1. A user with backup privileges ...) - - amanda (unimportant) + - amanda 1:3.3.9-1 (unimportant) NOTE: https://www.exploit-db.com/exploits/39244/ NOTE: /usr/lib/amanda/application/amstar can only be run by members of the backup NOTE: group (which is root-equivalent due to being able to perform restores e.g.) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4198326a4f1dcfd8ab5329eddc25042fe190b9b5
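Review bot: the fixed version 1:3.3.9-1 is added for CVE-2016-10730 without any NOTE line explaining that the fix is the introduction of /etc/amanda-security.conf, which is the whole basis of the commit message; put that next to the existing "amstar can only be run by members of the backup group" note, since the tracker web pages render the data file, not git history. Here the verification text and the NOTE agree on /usr/lib/amanda/application/amstar and the 39244 PoC, so the entry is otherwise consistent.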
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3680-1 for opendkim
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 392af420 by Tobias Frost at 2023-12-03T09:29:06+01:00 Reserve DLA-3680-1 for opendkim - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[03 Dec 2023] DLA-3680-1 opendkim - security update + {CVE-2022-48521} + [buster] - opendkim 2.11.0~alpha-12+deb10u1 [30 Nov 2023] DLA-3679-1 vlc - security update {CVE-2023-47359 CVE-2023-47360} [buster] - vlc 3.0.20-0+deb10u1 = data/dla-needed.txt = @@ -143,11 +143,6 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- -opendkim (tobi) - NOTE: 20230821: Added by Front-Desk (ta) - NOTE: 20231006: Unfixed upstream as of today. (spwhitton) - NOTE: 20231125: RFS with fix #1056285 - asked sponsoree about quality of patch. (tobi) --- osslsigncode NOTE: 20230925: Added by Front-Desk (apo) NOTE: 20230925: Maybe a new upstream release should just do the trick here. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/392af4206af14da776f038fba6fa00d78aef197b
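Review bot: the dla-needed hunk deletes the three opendkim NOTE lines, including "20231125: RFS with fix #1056285 - asked sponsoree about quality of patch. (tobi)", and the new DLA/list entry for 2.11.0~alpha-12+deb10u1 carries nothing that points back to bug #1056285 or records whether the patch-quality question was resolved; unlike the other Reserve commits in this series there is also no CVE/list hunk for CVE-2022-48521. Suggest referencing #1056285 in the commit message, and confirming the CVE-2022-48521 entry has no stale "[buster] - opendkim (...)" line left behind.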
[Git][security-tracker-team/security-tracker][master] opendkim has an RFS fixing the CVE - asked sponsoree for details about confidence.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 0c2de437 by Tobias Frost at 2023-11-25T15:49:07+01:00 opendkim has an RFS fixing the CVE - asked sponsoree for details about confidence. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -152,6 +152,7 @@ nvidia-cuda-toolkit opendkim (tobi) NOTE: 20230821: Added by Front-Desk (ta) NOTE: 20231006: Unfixed upstream as of today. (spwhitton) + NOTE: 20231125: RFS with fix #1056285 - asked sponsoree about quality of patch. (tobi) -- opensc (guilhem) NOTE: 20231119: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c2de4371b59e440db456084bb2922c0374b418c
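Review bot: the appended note "RFS with fix #1056285 - asked sponsoree about quality of patch." records that a question went out but not where (bug log, list mail), so the next person reading dla-needed.txt cannot follow up without asking again; add the bug URL or a message reference to the NOTE. Otherwise this follows the file's append-a-dated-note convention correctly.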
[Git][security-tracker-team/security-tracker][master] LTS: claim opendkim in dla-needed.txt
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: e3ef3824 by Tobias Frost at 2023-11-25T15:35:22+01:00 LTS: claim opendkim in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -104,7 +104,7 @@ libstb NOTE: 20231029: A lot of open CVEs. Maybe duplicates. NOTE: 20231029: If you take a package, please evaluate it as well as its importance. NOTE: 20221119: None of the new CVE fixes has been reviewed by upstream so far, - NOTE: 20221119: and in the past CVE fixes have caused regressions. + NOTE: 20221119: and in the past CVE fixes have caused regressions. NOTE: 20221119: Wait for upstream merge of fixes (and fixing in unstable). (bunk) -- linux (Ben Hutchings) @@ -149,7 +149,7 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- -opendkim +opendkim (tobi) NOTE: 20230821: Added by Front-Desk (ta) NOTE: 20231006: Unfixed upstream as of today. (spwhitton) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e3ef3824bebce20c2f92839136dd73912a1ae6c9
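Review bot: the first hunk (libstb, lines 104-110) has a "-" and a "+" line that are identical in the extracted text, i.e. a whitespace-only change to the "NOTE: 20221119: and in the past CVE fixes have caused regressions." line, unrelated to the opendkim claim in the commit title. Harmless, but it belongs in its own commit or at least a mention in the message; otherwise the blame history of an unrelated entry points at this claim commit.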
[Git][security-tracker-team/security-tracker][master] LTS: claim amanda in dla-needed.txt
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: a63f0bd4 by Tobias Frost at 2023-11-19T20:26:07+01:00 LTS: claim amanda in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -21,7 +21,7 @@ To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. -- -amanda +amanda (tobi) NOTE: 20230730: Added by Front-Desk (apo) -- bind9 (Thorsten Alteholz) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a63f0bd4c850a26163e9b075a8c3f5894a7eeaf5
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3655-1 for lwip
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 5e7c4ebe by Tobias Frost at 2023-11-18T22:38:14+01:00 Reserve DLA-3655-1 for lwip - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -233674,7 +233674,6 @@ CVE-2020-22284 (A buffer overflow vulnerability in the zepif_linkoutput() functi CVE-2020-22283 (A buffer overflow vulnerability in the icmp6_send_response_with_addrs_ ...) - lwip 2.1.3+dfsg1-1 (bug #991645) [bullseye] - lwip 2.1.2+dfsg1-8+deb11u1 - [buster] - lwip (Minor issue) NOTE: https://savannah.nongnu.org/bugs/index.php?58553 NOTE: Pre-requisite: http://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=d843e47a1d65451bd7f7aaa5017b408bd108be88 (master) NOTE: Fixed by: https://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=489405839ae0fea8b99c4896f632eb688dc8a19a (master) = data/DLA/list = @@ -1,3 +1,6 @@ +[18 Nov 2023] DLA-3655-1 lwip - security update + {CVE-2020-22283} + [buster] - lwip 2.0.3-3+deb10u2 [17 Nov 2023] DLA-3654-1 freerdp2 - security update {CVE-2021-41160 CVE-2022-24883 CVE-2022-39282 CVE-2022-39283 CVE-2022-39316 CVE-2022-39318 CVE-2022-39319 CVE-2022-39347 CVE-2022-41877} [buster] - freerdp2 2.3.0+dfsg1-2+deb10u4 = data/dla-needed.txt = 
@@ -125,10 +125,6 @@ linux (Ben Hutchings) linux-5.10 NOTE: 20231005: perma-added for LTS package-specific delegation (bwh) -- -lwip (tobi) - NOTE: 20231101: Added by Front-Desk (lamby) - NOTE: 20231101: Sync with bullseye (CVE-2020-22283 & CVE-2020-22284). (lamby) --- mediawiki (guilhem) NOTE: 20231011: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e7c4ebee2fc91d6ba8f647454321230491e2474
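Review bot: the new DLA entry covers only CVE-2020-22283, while the dla-needed note deleted in the same commit said "Sync with bullseye (CVE-2020-22283 & CVE-2020-22284)"; the commit message does not say why CVE-2020-22284 is dropped, so anyone reading this commit alone will assume it was missed. Also, the CVE-2020-22283 NOTE lines list a "Pre-requisite" commit (d843e47a...) in addition to the fix (489405839...); for a 2.0.3-based buster package it would help to state in the message whether both were backported into 2.0.3-3+deb10u2 or only the fix.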
[Git][security-tracker-team/security-tracker][master] CVE-2020-22284/lwip buster not affected
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: db650aba by Tobias Frost at 2023-11-18T18:06:18+01:00 CVE-2020-22284/lwip buster not affected The vulnerable code is in the 6LoWPAN encapsulation for ZEP (ZigBee Encapsulation Protocol), which has been introduced with commit 43a55003da622851b1c1677c8e7cb75e9430300f, first seen in tag STABLE-2_1_0_RC1. Buster does not have that feature. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -233657,10 +233657,11 @@ CVE-2020-22285 CVE-2020-22284 (A buffer overflow vulnerability in the zepif_linkoutput() function of ...) - lwip 2.1.3+dfsg1-1 (bug #991646) [bullseye] - lwip 2.1.2+dfsg1-8+deb11u1 - [buster] - lwip (Minor issue) + [buster] - lwip (vulnerable code is not present) NOTE: https://savannah.nongnu.org/bugs/index.php?58554 NOTE: https://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=8363c24e45a32728e385cfc2c3c36d88a8a9e70b (master) NOTE: https://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=379d55044e9181533f1fd4d0e0cf89bc01cb9b8b (STABLE-2_1_3_RC1) + NOTE: Vulnerable feature introduced with https://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=43a55003da622851b1c1677c8e7cb75e9430300f (first contained in STABLE-2_1_0_RC1) CVE-2020-22283 (A buffer overflow vulnerability in the icmp6_send_response_with_addrs_ ...) - lwip 2.1.3+dfsg1-1 (bug #991645) [bullseye] - lwip 2.1.2+dfsg1-8+deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db650aba4558a355d1cf9ab82dd2212622b63d78
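Review bot: the new buster annotation "vulnerable code is not present" is lower-case and worded differently from the "Vulnerable code not present" form this file uses elsewhere (the pypdf2 bullseye line in the pypdf entry); match it so searches for not-affected entries stay reliable. The added NOTE naming the introducing commit 43a55003... and its first tag STABLE-2_1_0_RC1 is the right thing to record, and it squares with buster shipping a 2.0.3-based lwip, so the verdict itself holds.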
[Git][security-tracker-team/security-tracker][master] LTS: claim lwip in dla-needed.txt
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: f8f15618 by Tobias Frost at 2023-11-18T13:11:58+01:00 LTS: claim lwip in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -125,7 +125,7 @@ linux (Ben Hutchings) linux-5.10 NOTE: 20231005: perma-added for LTS package-specific delegation (bwh) -- -lwip +lwip (tobi) NOTE: 20231101: Added by Front-Desk (lamby) NOTE: 20231101: Sync with bullseye (CVE-2020-22283 & CVE-2020-22284). (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f8f15618ac2f01dfa9c56e8d3de82809445124e2
[Git][security-tracker-team/security-tracker][master] Fix typo in list of affected CVEs for DLA-3654-1
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 9cdaaddf by Tobias Frost at 2023-11-17T18:28:16+01:00 Fix typo in list of affected CVEs for DLA-3654-1 - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,5 +1,5 @@ [17 Nov 2023] DLA-3654-1 freerdp2 - security update - {CVE-2021-41160 CVE-2022-24883 CVE-2022-39282 CVE-2022-39316 CVE-2022-39318 CVE-2022-39319 CVE-2022-39347 CVE-2022-41877 CVE-2023-39283} + {CVE-2021-41160 CVE-2022-24883 CVE-2022-39282 CVE-2022-39283 CVE-2022-39316 CVE-2022-39318 CVE-2022-39319 CVE-2022-39347 CVE-2022-41877} [buster] - freerdp2 2.3.0+dfsg1-2+deb10u4 [15 Nov 2023] DLA-3653-1 libclamunrar - security update {CVE-2023-40477} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9cdaaddff6245cce3d06259a0079896f98227d8a
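Review bot: the fix is correct as far as the visible data goes: CVE-2023-39283 matches no freerdp2 entry, the replacement CVE-2022-39283 does, and the list is back in ascending order with the same nine IDs. One follow-up: the DLA was reserved on the 17th, so if the same wrong ID reached the announcement mail, the published advisory text and this file now disagree; worth checking, and if only the tracker entry was wrong, saying so in the message.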
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3654-1 for freerdp2
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: a1595abf by Tobias Frost at 2023-11-17T18:17:04+01:00 Reserve DLA-3654-1 for freerdp2 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -77973,7 +77973,6 @@ CVE-2022-41878 (Parse Server is an open source backend that can be deployed to a CVE-2022-41877 (FreeRDP is a free remote desktop protocol library and clients. Affecte ...) - freerdp2 2.9.0+dfsg1-1 (bug #1024511) [bullseye] - freerdp2 (Minor issue) - [buster] - freerdp2 (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-pmv3-wpw4-pw5h NOTE: https://github.com/FreeRDP/FreeRDP/commit/6655841cf2a00b764f855040aecb8803cfc5eaba CVE-2022-41876 (ezplatform-graphql is a GraphQL server implementation for Ibexa DXP an ...) @@ -84411,7 +84410,6 @@ CVE-2022-39348 (Twisted is an event-based framework for internet applications. S CVE-2022-39347 (FreeRDP is a free remote desktop protocol library and clients. Affecte ...) - freerdp2 2.9.0+dfsg1-1 (bug #1024511) [bullseye] - freerdp2 (Minor issue) - [buster] - freerdp2 (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c5xq-8v35-pffg NOTE: https://github.com/FreeRDP/FreeRDP/commit/027424c2c6c0991cb9c22f9511478229c9b17e5d CVE-2022-39346 (Nextcloud server is an open source personal cloud server. Affected ver ...) 
@@ -84501,13 +84499,11 @@ CVE-2022-39320 (FreeRDP is a free remote desktop protocol library and clients. A CVE-2022-39319 (FreeRDP is a free remote desktop protocol library and clients. Affecte ...) - freerdp2 2.9.0+dfsg1-1 (bug #1024511) [bullseye] - freerdp2 (Minor issue) - [buster] - freerdp2 (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mvxm-wfj2-5fvh NOTE: https://github.com/FreeRDP/FreeRDP/commit/11555828d2cf289b350baba5ad1f462f10b80b76 CVE-2022-39318 (FreeRDP is a free remote desktop protocol library and clients. Affecte ...) - freerdp2 2.9.0+dfsg1-1 (bug #1024511) [bullseye] - freerdp2 (Minor issue) - [buster] - freerdp2 (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-387j-8j96-7q35 NOTE: https://github.com/FreeRDP/FreeRDP/commit/80adde17ddc4b596ed1dae0922a0c54ab3d4b8ea CVE-2022-39317 (FreeRDP is a free remote desktop protocol library and clients. Affecte ...) @@ -84518,7 +84514,6 @@ CVE-2022-39317 (FreeRDP is a free remote desktop protocol library and clients. A CVE-2022-39316 (FreeRDP is a free remote desktop protocol library and clients. In affe ...) - freerdp2 2.9.0+dfsg1-1 (bug #1024511) [bullseye] - freerdp2 (Minor issue) - [buster] - freerdp2 (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5w4j-mrrh-jjrm NOTE: https://github.com/FreeRDP/FreeRDP/commit/e865c24efc40ebc52e75979c94cdd4ee2c1495b0 CVE-2022-39315 (Kirby is a Content Management System. Prior to versions 3.5.8.2, 3.6.6 ...) 
@@ -84613,7 +84608,6 @@ CVE-2022-39283 (FreeRDP is a free remote desktop protocol library and clients. A CVE-2022-39282 (FreeRDP is a free remote desktop protocol library and clients. FreeRDP ...) - freerdp2 2.8.1+dfsg1-1 (bug #1021659) [bullseye] - freerdp2 (Minor issue) - [buster] - freerdp2 (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c45q-wcpg-mxjq NOTE: patch likely: https://github.com/FreeRDP/FreeRDP/commit/60aac2abf0740dd36b62712fba91498fd6e055fe (not confirmed by upstream) CVE-2022-39281 (fat_free_crm is a an open source, Ruby on Rails customer relationship ...) @@ -126065,7 +126059,6 @@ CVE-2022-24884 (ecdsautils is a tiny collection of programs used for ECDSA (keyg CVE-2022-24883 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). ...) - freerdp2 2.7.0+dfsg1-1 [bullseye] - freerdp2 (Minor issue) - [buster] - freerdp2 (Minor issue) - freerdp NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qxm3-v2r6-vmwf NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/4661492e5a617199457c8074bad22f766a116cdc @@ -154250,7 +154243,6 @@ CVE-2021-41161 (Combodo iTop is a web based IT Service Management tool. In versi CVE-2021-41160 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 2.4.1+dfsg1-1 (bug #1001062) [bullseye] - freerdp2 (Minor issue) - [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7c9r-6r2q-93qg =
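Review bot: the CVE/list hunks remove "[buster] - freerdp2 (Minor issue)" for eight of the nine CVEs in DLA-3654-1 (CVE-2022-41877, CVE-2022-39347, CVE-2022-39319, CVE-2022-39318, CVE-2022-39316, CVE-2022-39282, CVE-2022-24883, CVE-2021-41160) but not for CVE-2022-39283: the hunk at 84613 starts with the CVE-2022-39282 block and shows CVE-2022-39283 only as header context, the hunk offsets (-1 through -7) account for exactly eight removals, and no hunk covers the lines between 84524 and 84613 where that entry sits. Its buster "(Minor issue)" line, visible in the 12 Nov "patch likely" commit, therefore survives, and the tracker will keep reporting CVE-2022-39283 as open in buster although the DLA lists it; please remove that line too.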
[Git][security-tracker-team/security-tracker][master] CVE-2022-39282 and CVE-2022-39283 (freerdp2) - link to likely patch
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 818ee323 by Tobias Frost at 2023-11-12T12:47:57+01:00 CVE-2022-39282 and CVE-2022-39283 (freerdp2) - link to likely patch Note: It has not been confirmed if this is the correct patch, but comparing 2.8.0 and 2.8.1 identifies this commit as the very likely patch. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -83283,11 +83283,13 @@ CVE-2022-39283 (FreeRDP is a free remote desktop protocol library and clients. A [bullseye] - freerdp2 (Minor issue) [buster] - freerdp2 (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6cf9-3328-qrvh + NOTE: patch likely: https://github.com/FreeRDP/FreeRDP/commit/be793c3bb776c1bbda9156b427408d5a5eb00f70 (not confirmed by upstream) CVE-2022-39282 (FreeRDP is a free remote desktop protocol library and clients. FreeRDP ...) - freerdp2 2.8.1+dfsg1-1 (bug #1021659) [bullseye] - freerdp2 (Minor issue) [buster] - freerdp2 (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c45q-wcpg-mxjq + NOTE: patch likely: https://github.com/FreeRDP/FreeRDP/commit/60aac2abf0740dd36b62712fba91498fd6e055fe (not confirmed by upstream) CVE-2022-39281 (fat_free_crm is a an open source, Ruby on Rails customer relationship ...) NOT-FOR-US: fat_free_crm CVE-2022-39280 (dparse is a parser for Python dependency files. dparse in versions bef ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/818ee3236b99ff1208e49754ca1793ea72a8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/818ee3236b99ff1208e49754ca1793ea72a8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
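Review bot: The two added `patch likely:` NOTE lines record the uncertainty ("not confirmed by upstream") but not how the candidates were found; the commit message says they come from diffing 2.8.0 against 2.8.1, and that method belongs in the NOTE itself (e.g. `NOTE: patch likely (from 2.8.0..2.8.1 diff): ...`) so a later triager can re-verify without hunting for this commit. Once upstream confirms, the qualifier should be dropped so the entries match the plain `NOTE: https://github.com/.../commit/...` form used elsewhere in the file.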
[Git][security-tracker-team/security-tracker][master] CVE-2021-41160/freerdp2 - buster backport is not feasible, setting to ignored.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 54629370 by Tobias Frost at 2023-11-12T11:57:42+01:00 CVE-2021-41160/freerdp2 - buster backport is not feasible, setting to ignored. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -152928,10 +152928,11 @@ CVE-2021-41160 (FreeRDP is a free implementation of the Remote Desktop Protocol CVE-2021-41159 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 2.4.1+dfsg1-1 (bug #1001061) [bullseye] - freerdp2 (Minor issue) - [buster] - freerdp2 (Minor issue) + [buster] - freerdp2 (Patch is too instrusive to backport) - freerdp NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vh34-m9h7-95xq NOTE: https://github.com/FreeRDP/FreeRDP/commit/d39a7ba5c38e3ba3b99b1558dc2ab0970cbfb0c5 (Stable 2.0 backports) + NOTE: The RFC gateway parsing code has been completly refactored, backporting to 2.3.x is not feasible. NOTE: https://github.com/FreeRDP/FreeRDP/commit/f0b44da67c09488178000725ff9f2729ccfdf9fe CVE-2021-41158 (FreeSWITCH is a Software Defined Telecom Stack enabling the digital tr ...) - freeswitch (bug #389591) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54629370e010f1a589026e4e865bad921b90f933 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54629370e010f1a589026e4e865bad921b90f933 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
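Review bot: The subject and commit message name CVE-2021-41160, but the hunk edits the CVE-2021-41159 entry (advisory GHSA-vh34-m9h7-95xq); 41160 only appears as hunk-header context, so please confirm the intended entry was changed or correct the message so the history stays searchable by the right id. In the added lines, "instrusive" should read "intrusive" and "completly" "completely", and "RFC gateway" is probably a slip for the RPC gateway code that the referenced FreeRDP commits touch. The message also says buster is being set to ignored, yet the added `[buster] - freerdp2 (Patch is too instrusive to backport)` line as shown carries no ignored tag; if the angle-bracket tag was merely lost in this mail rendering that is fine, otherwise the tracker will keep the issue open for buster.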
[Git][security-tracker-team/security-tracker][master] reclaim freerdp2, update status.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: ca3230ff by Tobias Frost at 2023-11-07T07:16:37+01:00 relcaim freerdp2, update status. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -72,11 +72,12 @@ freeimage (gladk) NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should roll NOTE: 20230826: out the DLA/ELA now. (utkarsh) -- -freerdp2 +freerdp2 (tobi) NOTE: 20230924: Added by Front-Desk (apo) NOTE: 20230924: Too many unresolved issues have piled up. High popcon. (apo) NOTE: 20231007: First round done, unfortunatly missed a few CVES while updating, will do an follow up. NOTE: 20231023: Will continue working on package next weekend. (tobi) + NOTE: 20231107: 80% ready, waiting for upstream feedback about remaining CVEs which have not indicated the patch needed. (tobi) -- galera-3 (Adrian Bunk) NOTE: 20231028: Added by Front-Desk (gladk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca3230ffcc6005fd7c628e1d74e28699a05598c5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca3230ffcc6005fd7c628e1d74e28699a05598c5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] document embedded-code copy of enet in assaultcube.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: f9985ab0 by Tobias Frost at 2023-11-01T08:19:49+01:00 document embedded-code copy of enet in assaultcube. - - - - - 1 changed file: - data/embedded-code-copies Changes: = data/embedded-code-copies = @@ -1473,6 +1473,7 @@ libparagui1.1 enet - sauerbraten (embed; #497194) + - assaultcube (embed; #1018947, uses version 1.3.6, slightly modified) eglibc - glibc (old-version) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f9985ab0a4f983544996e7a5ac50017a1cfe461f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f9985ab0a4f983544996e7a5ac50017a1cfe461f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add note that I'm still working on the package.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: c8f919ca by Tobias Frost at 2023-10-22T10:55:04+02:00 Add note that Im still wokring on the package. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -80,6 +80,7 @@ freerdp2 (tobi) NOTE: 20230924: Added by Front-Desk (apo) NOTE: 20230924: Too many unresolved issues have piled up. High popcon. (apo) NOTE: 20231007: First round done, unfortunatly missed a few CVES while updating, will do an follow up. + NOTE: 20231023: Will continue working on package next weekend. (tobi) -- gst-plugins-bad1.0 (Thorsten Alteholz) NOTE: 20230928: Added by Frond-Desk (ola) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8f919caea4dda6d416f9be30ab0e3788d45 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8f919caea4dda6d416f9be30ab0e3788d45 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-29454/zabbix - buster does not have the affected Go agent.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 4e3e9192 by Tobias Frost at 2023-10-22T10:28:58+02:00 CVE-2023-29454/zabbix - buster does not have the affected Go agent. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27422,6 +27422,7 @@ CVE-2023-29454 (Stored or persistent cross-site scripting (XSS) is a type of XSS NOTE: https://support.zabbix.com/browse/ZBX-22985 CVE-2023-29453 (Templates do not properly consider backticks (`) as Javascript string ...) - zabbix + [buster] - zabbix (buster does not have the Go agent) NOTE: https://support.zabbix.com/browse/ZBX-23388 CVE-2023-29452 (Currently, geomap configuration (Administration -> General -> Geograph ...) - zabbix View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e3e91925055b29316040bded4f041f767d4dab0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e3e91925055b29316040bded4f041f767d4dab0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
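Review bot: The subject says CVE-2023-29454, but the `[buster] - zabbix (buster does not have the Go agent)` line is added under CVE-2023-29453. The justification fits 29453 better (its description, "Templates do not properly consider backticks (`) as Javascript string delimiters", reads like a Go html/template issue, which would affect only the Go agent) than the stored-XSS entry 29454, so the subject is most likely the typo; please confirm and fix the message, otherwise someone grepping the log for 29454 will be pointed at the wrong change.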
[Git][security-tracker-team/security-tracker][master] CVE-2023-32721/zabbix, add potential upstream fix.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 2a359dd4 by Tobias Frost at 2023-10-22T10:18:13+02:00 CVE-2023-32721/zabbix, add potential upstream fix. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1550,6 +1550,7 @@ CVE-2023-32722 (The zabbix/src/libs/zbxjson module is vulnerable to a buffer ove CVE-2023-32721 (A stored XSS has been found in the Zabbix web application in the Maps ...) - zabbix (bug #1053877) NOTE: https://support.zabbix.com/browse/ZBX-23389 + NOTE: possible upstream fix (4.0.x) https://github.com/zabbix/zabbix/commit/d05854bc0e638bbc0c2077ded09797648dba0911 CVE-2023-5535 (Use After Free in GitHub repository vim/vim prior to v9.0.2010.) - vim 2:9.0.2018-1 (unimportant) NOTE: https://huntr.dev/bounties/2c2d85a7-1171-4014-bf7f-a2451745861f View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a359dd453e99b677ae2846c8f7af413f4de8361 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a359dd453e99b677ae2846c8f7af413f4de8361 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-32723/zabbix, identified upstream fix.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 7661cd41 by Tobias Frost at 2023-10-22T09:52:56+02:00 CVE-2023-32723/zabbix, identified upstream fix. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1525,6 +1525,7 @@ CVE-2023-32724 (Memory pointer is in a property of the Ducktape object. This lea CVE-2023-32723 (Request to LDAP is sent before user permissions are checked.) - zabbix (bug #1053877) NOTE: https://support.zabbix.com/browse/ZBX-23230 + NOTE: very likely commit https://github.com/zabbix/zabbix/commit/3576afe9b87d8ad1ba92a13c28ba904671087688 (for 4.0.x) CVE-2023-32722 (The zabbix/src/libs/zbxjson module is vulnerable to a buffer overflow ...) - zabbix (bug #1053877) [buster] - zabbix (vulnerable code introduced later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7661cd41edc8758ba26754e32d6c3a2da902ace4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7661cd41edc8758ba26754e32d6c3a2da902ace4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add version for DLA-3538-2
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b1225ec by Tobias Frost at 2023-10-21T12:25:50+02:00 Add version for DLA-3538-2 - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,4 +1,5 @@ [21 Oct 2023] DLA-3538-2 zabbix - regression update + [buster] - zabbix 1:4.0.4+dfsg-1+deb10u3 [20 Oct 2023] DLA-3624-1 zookeeper - security update {CVE-2023-44981} [buster] - zookeeper 3.4.13-2+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b1225ec4d0dc92b32b91231b4aa414ac729fbcf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b1225ec4d0dc92b32b91231b4aa414ac729fbcf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] DLA-3538-2 zabbix - regression update.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 2fff31fc by Tobias Frost at 2023-10-21T12:09:11+02:00 DLA-3538-2 zabbix - regression update. - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,4 @@ +[21 Oct 2023] DLA-3538-2 zabbix - regression update [20 Oct 2023] DLA-3624-1 zookeeper - security update {CVE-2023-44981} [buster] - zookeeper 3.4.13-2+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2fff31fc5df89b601421ee65398dba3af5f2ac1c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2fff31fc5df89b601421ee65398dba3af5f2ac1c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Readd freerdp2, missed a few CVEs.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 3444d5a6 by Tobias Frost at 2023-10-07T20:14:56+02:00 Readd freerdp2, missed a few CVEs. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -83,6 +83,11 @@ freeimage (gladk) NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should roll NOTE: 20230826: out the DLA/ELA now. (utkarsh) -- +freerdp2 (tobi) + NOTE: 20230924: Added by Front-Desk (apo) + NOTE: 20230924: Too many unresolved issues have piled up. High popcon. (apo) + NOTE: 20231007: First round done, unfortunatly missed a few CVES while updating, will do an follow up. +-- gst-plugins-bad1.0 (Thorsten Alteholz) NOTE: 20230928: Added by Frond-Desk (ola) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3444d5a6def9296e8850bbd238a395e894d40930 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3444d5a6def9296e8850bbd238a395e894d40930 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] DLA-3606-1 Fix wrong number in CVE, paste error
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: a2b73022 by Tobias Frost at 2023-10-07T20:12:43+02:00 DLA-3606-1 Fix wrong number in CVE, paste error s/CVE-2023-39357/CVE-2023-40567/ - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = 
@@ -3,7 +3,7 @@ [07 Oct 2023] DLA-3607-1 gnome-boxes - security update [buster] - gnome-boxes 3.30.3-2+deb10u1 [07 Oct 2023] DLA-3606-1 freerdp2 - security update - {CVE-2020-4030 CVE-2020-4031 CVE-2020-4032 CVE-2020-4033 CVE-2020-11017 CVE-2020-11018 CVE-2020-11019 CVE-2020-11038 CVE-2020-11039 CVE-2020-11040 CVE-2020-11041 CVE-2020-11042 CVE-2020-11043 CVE-2020-11044 CVE-2020-11045 CVE-2020-11046 CVE-2020-11047 CVE-2020-11048 CVE-2020-11049 CVE-2020-11058 CVE-2020-11085 CVE-2020-11086 CVE-2020-11087 CVE-2020-11088 CVE-2020-11089 CVE-2020-11095 CVE-2020-11096 CVE-2020-11097 CVE-2020-11098 CVE-2020-11099 CVE-2020-13396 CVE-2020-13397 CVE-2020-13398 CVE-2020-15103 CVE-2023-39350 CVE-2023-39351 CVE-2023-39352 CVE-2023-39353 CVE-2023-39354 CVE-2023-39355 CVE-2023-39356 CVE-2023-39357 CVE-2023-40181 CVE-2023-40186 CVE-2023-40188 CVE-2023-40569 CVE-2023-40589} + {CVE-2020-4030 CVE-2020-4031 CVE-2020-4032 CVE-2020-4033 CVE-2020-11017 CVE-2020-11018 CVE-2020-11019 CVE-2020-11038 CVE-2020-11039 CVE-2020-11040 CVE-2020-11041 CVE-2020-11042 CVE-2020-11043 CVE-2020-11044 CVE-2020-11045 CVE-2020-11046 CVE-2020-11047 CVE-2020-11048 CVE-2020-11049 CVE-2020-11058 CVE-2020-11085 CVE-2020-11086 CVE-2020-11087 CVE-2020-11088 CVE-2020-11089 CVE-2020-11095 CVE-2020-11096 CVE-2020-11097 CVE-2020-11098 CVE-2020-11099 CVE-2020-13396 CVE-2020-13397 CVE-2020-13398 CVE-2020-15103 CVE-2023-39350 CVE-2023-39351 CVE-2023-39352 CVE-2023-39353 CVE-2023-39354 CVE-2023-39355 CVE-2023-39356 CVE-2023-40567 CVE-2023-40181 CVE-2023-40186 CVE-2023-40188 CVE-2023-40569 CVE-2023-40589} [buster] - freerdp2 2.3.0+dfsg1-2+deb10u3 [06 Oct 2023] DLA-3605-1 grub2 - security update {CVE-2023-4692 CVE-2023-4693} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2b73022165519a316d238c97c4edd2e0bf1952c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2b73022165519a316d238c97c4edd2e0bf1952c You're receiving this email because 
of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
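Review bot: After the substitution the `{...}` list is no longer in ascending order (CVE-2023-40567 now sits before CVE-2023-40181); harmless for the tracker, but moving it after CVE-2023-40188 keeps the list easy to scan. More importantly, this commit only fixes the tracker data: if the wrong id CVE-2023-39357 was also in the DLA-3606-1 announcement that went out, the published advisory needs a correction too, and the CVE-2023-39357 entry in data/CVE/list should be checked so that buster no longer appears as fixed by this DLA.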
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3608-1 for vinagre
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: c0436bd8 by Tobias Frost at 2023-10-07T19:35:16+02:00 Reserve DLA-3608-1 for vinagre - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[07 Oct 2023] DLA-3608-1 vinagre - security update + [buster] - vinagre 3.22.0-6+deb10u1 [07 Oct 2023] DLA-3607-1 gnome-boxes - security update [buster] - gnome-boxes 3.30.3-2+deb10u1 [07 Oct 2023] DLA-3606-1 freerdp2 - security update View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0436bd84fdbee04476a2e3ee22cf1cb8ff043e4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0436bd84fdbee04476a2e3ee22cf1cb8ff043e4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3607-1 for gnome-boxes
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 9fad6642 by Tobias Frost at 2023-10-07T19:34:57+02:00 Reserve DLA-3607-1 for gnome-boxes - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[07 Oct 2023] DLA-3607-1 gnome-boxes - security update + [buster] - gnome-boxes 3.30.3-2+deb10u1 [07 Oct 2023] DLA-3606-1 freerdp2 - security update {CVE-2020-4030 CVE-2020-4031 CVE-2020-4032 CVE-2020-4033 CVE-2020-11017 CVE-2020-11018 CVE-2020-11019 CVE-2020-11038 CVE-2020-11039 CVE-2020-11040 CVE-2020-11041 CVE-2020-11042 CVE-2020-11043 CVE-2020-11044 CVE-2020-11045 CVE-2020-11046 CVE-2020-11047 CVE-2020-11048 CVE-2020-11049 CVE-2020-11058 CVE-2020-11085 CVE-2020-11086 CVE-2020-11087 CVE-2020-11088 CVE-2020-11089 CVE-2020-11095 CVE-2020-11096 CVE-2020-11097 CVE-2020-11098 CVE-2020-11099 CVE-2020-13396 CVE-2020-13397 CVE-2020-13398 CVE-2020-15103 CVE-2023-39350 CVE-2023-39351 CVE-2023-39352 CVE-2023-39353 CVE-2023-39354 CVE-2023-39355 CVE-2023-39356 CVE-2023-39357 CVE-2023-40181 CVE-2023-40186 CVE-2023-40188 CVE-2023-40569 CVE-2023-40589} [buster] - freerdp2 2.3.0+dfsg1-2+deb10u3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9fad6642f5b4c4f089948350d5cce45e2302f0d4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9fad6642f5b4c4f089948350d5cce45e2302f0d4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3606-1 for freerdp2
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 39e68e24 by Tobias Frost at 2023-10-07T19:34:11+02:00 Reserve DLA-3606-1 for freerdp2 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -242062,7 +242062,6 @@ CVE-2020-15104 (In Envoy before versions 1.12.6, 1.13.4, 1.14.4, and 1.15.0 when - envoyproxy (bug #987544) CVE-2020-15103 (In FreeRDP less than or equal to 2.1.2, an integer overflow exists due ...) - freerdp2 2.2.0+dfsg1-1 (bug #965979) - [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Vulnerable gfx code not present) NOTE: https://github.com/FreeRDP/FreeRDP/pull/6381 @@ -246924,19 +246923,16 @@ CVE-2020-13399 CVE-2020-13398 (An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds (OOB ...) {DLA-2356-1} - freerdp2 2.1.1+dfsg1-1 - [buster] - freerdp2 (Minor issue) - freerdp NOTE: https://github.com/FreeRDP/FreeRDP/commit/8305349a943c68b1bc8c158f431dc607655aadea CVE-2020-13397 (An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds (OOB ...) {DLA-2356-1} - freerdp2 2.1.1+dfsg1-1 - [buster] - freerdp2 (Minor issue) - freerdp NOTE: https://github.com/FreeRDP/FreeRDP/commit/d6cd14059b257318f176c0ba3ee0a348826a9ef8 CVE-2020-13396 (An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds (OOB ...) {DLA-2356-1} - freerdp2 2.1.1+dfsg1-1 - [buster] - freerdp2 (Minor issue) - freerdp NOTE: https://github.com/FreeRDP/FreeRDP/commit/48361c411e50826cb602c7aab773a8a20e1da6bc CVE-2020-13395 
@@ -254026,29 +254022,24 @@ CVE-2016-11023 (odata4j 0.7.0 allows ExecuteCountQueryCommand.java SQL injection NOT-FOR-US: odata4j CVE-2020-11099 (In FreeRDP before version 2.1.2, there is an out of bounds read in lic ...) - freerdp2 2.1.2+dfsg1-1 - [buster] - freerdp2 (Minor issue) - freerdp NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-977w-866x-4v5h CVE-2020-11098 (In FreeRDP before version 2.1.2, there is an out-of-bound read in glyp ...) - freerdp2 2.1.2+dfsg1-1 - [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-jr57-f58x-hjmv CVE-2020-11097 (In FreeRDP before version 2.1.2, an out of bounds read occurs resultin ...) - freerdp2 2.1.2+dfsg1-1 - [buster] - freerdp2 (Minor issue) - freerdp NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c8x2-c3c9-9r3f CVE-2020-11096 (In FreeRDP before version 2.1.2, there is a global OOB read in update_ ...) - freerdp2 2.1.2+dfsg1-1 - [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mjw7-3mq2-996x CVE-2020-11095 (In FreeRDP before version 2.1.2, an out of bound reads occurs resultin ...) - freerdp2 2.1.2+dfsg1-1 - [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-563r-pvh7-4fw2 
@@ -254064,30 +254055,25 @@ CVE-2020-11090 (In Indy Node 1.12.2, there is an Uncontrolled Resource Consumpti NOT-FOR-US: Indy Node CVE-2020-11089 (In FreeRDP before 2.1.0, there is an out-of-bound read in irp function ...) - freerdp2 2.1.1+dfsg1-1 - [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hfc7-c5gv-8c2h CVE-2020-11088 (In FreeRDP less than or equal to 2.0.0, there is an out-of-bound read ...) - freerdp2 2.1.1+dfsg1-1 - [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-xh4f-fh87-43hp CVE-2020-11087 (In FreeRDP less than or equal to 2.0.0, there is an out-of-bound read ...) - freerdp2 2.1.1+dfsg1-1 - [buster] - freerdp2 (Minor issue) - freerdp NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-84vj-g73m-chw7 CVE-2020-11086 (In FreeRDP less than or equal to 2.0.0, there is an out-of-bound read ...) - freerdp2 2.1.1+dfsg1-1 - [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-fg8v-w34r-c974 CVE-2020-11085 (In FreeRDP before 2.1.0, there is an out-of-bounds read in cliprdr_rea ...) - freerdp2 2.1.1+dfsg1-1 -
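Review bot: The hunks at -242062, -246924, -254026 and -254064 drop `[buster] - freerdp2 (Minor issue)` for CVE-2020-15103, CVE-2020-13396..13398, CVE-2020-11095..11099 and CVE-2020-11085..11089, and each of those ids is in the DLA-3606-1 `{...}` list reserved by the same commit, so the buster state will now be derived from the DLA; that is consistent. One thing to confirm: the CVE-2020-13396..13398 entries already carry `{DLA-2356-1}`, so make sure that earlier advisory covered the other source package (`freerdp`, still listed on those entries) rather than freerdp2 in buster, otherwise these three would be announced twice for the same suite.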
[Git][security-tracker-team/security-tracker][master] Fix typo in version for CVE-2023-39356/freerdp2
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 04a56826 by Tobias Frost at 2023-10-07T12:15:20+02:00 Fix typo in version for CVE-2023-39356/freerdp2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5208,7 +5208,7 @@ CVE-2023-39356 (FreeRDP is a free implementation of the Remote Desktop Protocol - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q5v5-qhj5-mh6m NOTE: https://github.com/FreeRDP/FreeRDP/commit/889348a86e49bc8f1351ed6496d847b32db5f86e (2.11.0) - NOTE: https://github.com/FreeRDP/FreeRDP/commit/23db2f4e6ba71f1c10c543f24de595d7340adb46 (2.11.1) + NOTE: https://github.com/FreeRDP/FreeRDP/commit/23db2f4e6ba71f1c10c543f24de595d7340adb46 (2.11.0) CVE-2023-39355 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 (Vulnerable code not present) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hvwj-vmg6-2f5h View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/04a568264120bc97b1ca29977b4ed8f15f22ed95 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/04a568264120bc97b1ca29977b4ed8f15f22ed95 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] swap order of patches for CVE-2023-39353, as they have to be applied in that order.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 54c94596 by Tobias Frost at 2023-10-07T12:12:59+02:00 swap order of patches for CVE-2023-39353, as they have to be applied in that order. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5210,8 +5210,8 @@ CVE-2023-39354 (FreeRDP is a free implementation of the Remote Desktop Protocol CVE-2023-39353 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hg53-9j9h-3c8f - NOTE: https://github.com/FreeRDP/FreeRDP/commit/9ed6d6baede27d5006e0e4c9bec8e506f695cb6a (2.11.0) NOTE: https://github.com/FreeRDP/FreeRDP/commit/efa0567c027239b901ccdc590b9e229e0111c68b (2.11.0) + NOTE: https://github.com/FreeRDP/FreeRDP/commit/9ed6d6baede27d5006e0e4c9bec8e506f695cb6a (2.11.0) CVE-2023-39352 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-whwr-qcf2-2mvj View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54c945966670557a4e3d7310a23e52e417dd6fde -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54c945966670557a4e3d7310a23e52e417dd6fde You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
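Review bot: The entry now lists efa0567c... before 9ed6d6ba..., but nothing in data/CVE/list records that the order matters; only this commit message does, and nobody reading the file will see it. Suggest stating the constraint in the NOTE itself, e.g. `NOTE: both commits required, apply in the listed order (efa0567c then 9ed6d6ba)`, so the next person backporting these does not reorder them again.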
[Git][security-tracker-team/security-tracker][master] freerdp2: Add patches fixing CVEs (see complete commit message for details)
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 677ea8f5 by Tobias Frost at 2023-10-04T19:35:11+02:00 freerdp2: Add patches fixing CVEs (see complete commit message for details) Asked Upstream to associate CVEs with commit ids (via IRC, #debian-remote), received the following information: CVE-2023-39350 7ece410ce5b5660b9191e1ccb6835158afa11822 CVE-2023-39351 99e243cdbc31f66b5c917452c8fed3276e8bdcd5 CVE-2023-39352 6a63441e4ee8e2bf61f5d24156a183b14ecd CVE-2023-39353 9ed6d6baede27d5006e0e4c9bec8e506f695cb6a efa0567c027239b901ccdc590b9e229e0111c68b CVE-2023-39354 82ac0164f330c08ddd9a6ef6f3dbf846c4b79def 9a1ee1bae5a9561f5031a7b69129f10458b62d4a CVE-2023-39356 23db2f4e6ba71f1c10c543f24de595d7340adb46 889348a86e49bc8f1351ed6496d847b32db5f86e CVE-2023-40567 bacb8c016ef72aa767760b6b01d15500aee9d59a CVE-2023-40569 23c3daeca1598393f8c93f563f7847a4d67919f1 CVE-2023-40181 c23cbdc4a5756bd723223c7139654de7439fdcc0 CVE-2023-40186 d8a1ac342ae375644c70579c33b5cf38fb43b083 CVE-2023-40188 bdb3909a7713fb0b3d94c9676fe44d19de80eb4b CVE-2023-40589 c659973bb4cd65c065f2fe1a807dbc6805c684c6 (Information available on: https://salsa.debian.org/-/snippets/662) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -4736,10 +4736,13 @@ CVE-2023-41034 (Eclipse Leshan is a device management server and client Java imp CVE-2023-40589 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-gc34-mw6m-g42x - NOTE: https://github.com/FreeRDP/FreeRDP/commit/16141a30f983dd6f7a6e5b0356084171942c9416 + NOTE: https://github.com/FreeRDP/FreeRDP/commit/16141a30f983dd6f7a6e5b0356084171942c9416 (3.0.0-beta3) + NOTE: https://github.com/FreeRDP/FreeRDP/commit/c659973bb4cd65c065f2fe1a807dbc6805c684c6 (2.11.0) CVE-2023-39356 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q5v5-qhj5-mh6m + NOTE: https://github.com/FreeRDP/FreeRDP/commit/23db2f4e6ba71f1c10c543f24de595d7340adb46 (2.11.0) + NOTE: https://github.com/FreeRDP/FreeRDP/commit/889348a86e49bc8f1351ed6496d847b32db5f86e (2.11.0) CVE-2023-39355 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hvwj-vmg6-2f5h 
@@ -4747,21 +4750,25 @@ CVE-2023-39355 (FreeRDP is a free implementation of the Remote Desktop Protocol CVE-2023-39354 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c3r2-pxxp-f8r6 - NOTE: https://github.com/FreeRDP/FreeRDP/commit/cd1da25a87358eb3b5512fd259310e95b19a05ec + NOTE: https://github.com/FreeRDP/FreeRDP/commit/82ac0164f330c08ddd9a6ef6f3dbf846c4b79def (2.11.0) + NOTE: https://github.com/FreeRDP/FreeRDP/commit/9a1ee1bae5a9561f5031a7b69129f10458b62d4a (2.11.0) CVE-2023-39353 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hg53-9j9h-3c8f + NOTE: https://github.com/FreeRDP/FreeRDP/commit/9ed6d6baede27d5006e0e4c9bec8e506f695cb6a (2.11.0) + NOTE: https://github.com/FreeRDP/FreeRDP/commit/efa0567c027239b901ccdc590b9e229e0111c68b (2.11.0) CVE-2023-39352 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-whwr-qcf2-2mvj + NOTE: https://github.com/FreeRDP/FreeRDP/commit/6a63441e4ee8e2bf61f5d24156a183b14ecd (2.11.0) CVE-2023-39351 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q9x9-cqjc-rgwq - NOTE: Potential patch: https://github.com/FreeRDP/FreeRDP/commit/99e243cdbc31f66b5c917452c8fed3276e8bdcd5 (2.11.0) + NOTE: https://github.com/FreeRDP/FreeRDP/commit/99e243cdbc31f66b5c917452c8fed3276e8bdcd5 (2.11.0) CVE-2023-39350 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) 
- freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rrrv-3w42-pffh - NOTE: https://github.com/FreeRDP/FreeRDP/commit/e204fc8be5a372626b13f66daf2abafe71dbc2dc + NOTE:
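Review bot: the commit reference added for CVE-2023-39352, https://github.com/FreeRDP/FreeRDP/commit/6a63441e4ee8e2bf61f5d24156a183b14ecd, is 36 hex characters long, which is neither a full 40-character SHA-1 like the other references in this hunk nor a deliberate short abbreviation, so it looks like a mistyped or truncated hash; check that the URL resolves and paste the full hash with the (2.11.0) suffix used for the neighbouring entries.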
[Git][security-tracker-team/security-tracker][master] Revert "identified potential patch for CVE-2023-39353/freerdp2"
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 35c2267b by Tobias Frost at 2023-10-03T13:01:28+02:00 Revert "identified potential patch for CVE-2023-39353/freerdp2" This reverts commit e345b33f305d9f11ad03283806e743dc8039e7a5. (I think this was a wrong call…) - - - - - 1 changed file: - data/CVE/list
Changes: = data/CVE/list = @@ -4484,7 +4484,6 @@ CVE-2023-39354 (FreeRDP is a free implementation of the Remote Desktop Protocol CVE-2023-39353 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hg53-9j9h-3c8f - NOTE: likely this patch: https://github.com/FreeRDP/FreeRDP/commit/efa0567c02 CVE-2023-39352 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-whwr-qcf2-2mvj
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/35c2267b5f2aa4d267ebaa6bdb8a5d5bc49d8dcc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
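Review bot: the revert drops the efa0567c02 reference from CVE-2023-39353 without leaving any trace of the investigation in the entry; a NOTE stating the outcome (either that efa0567c02 is not the fix, or the full 40-character hash with the fixed version in parentheses once confirmed) saves the next triager from repeating the same search, and the 10-character short form should not be re-added as-is.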
[Git][security-tracker-team/security-tracker][master] 2 commits: identified potential patch for CVE-2023-39353/freerdp2
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: e345b33f by Tobias Frost at 2023-10-03T12:42:05+02:00 identified potential patch for CVE-2023-39353/freerdp2 - - - - - 21a3763b by Tobias Frost at 2023-10-03T12:48:48+02:00 Potential patch for CVE-2023-39350/freerdp2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -4484,12 +4484,14 @@ CVE-2023-39354 (FreeRDP is a free implementation of the Remote Desktop Protocol CVE-2023-39353 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hg53-9j9h-3c8f + NOTE: likely this patch: https://github.com/FreeRDP/FreeRDP/commit/efa0567c02 CVE-2023-39352 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-whwr-qcf2-2mvj CVE-2023-39351 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q9x9-cqjc-rgwq + NOTE: Potential patch: https://github.com/FreeRDP/FreeRDP/commit/99e243c CVE-2023-39350 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 2.11.2+dfsg1-1 (bug #1051638) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rrrv-3w42-pffh View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c2b71f3c44137ae6d6ac58d22dbfcb84c574dae7...21a3763b73989d103f2ed6d6b4524bfa8a9c98d7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c2b71f3c44137ae6d6ac58d22dbfcb84c574dae7...21a3763b73989d103f2ed6d6b4524bfa8a9c98d7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
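Review bot: the second commit's message says "Potential patch for CVE-2023-39350/freerdp2", but the added NOTE with 99e243c sits inside the CVE-2023-39351 block (it precedes the "CVE-2023-39350 (...)" header), so either the message or the placement is wrong and should be reconciled. Both new references are also abbreviated (efa0567c02, 99e243c) and carry no fixed-version suffix, unlike the "(2.11.0)" convention used for other upstream commit links in this file; full 40-character hashes are preferable.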
[Git][security-tracker-team/security-tracker][master] Mark CVE-2022-29654 the same as its duplicate, CVE-2022-44370
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 6e4431cb by Tobias Frost at 2023-10-01T20:59:15+02:00 Mark CVE-2022-29654 the same as its duplicate, CVE-2022-44370 - - - - - 1 changed file: - data/CVE/list
Changes: = data/CVE/list = @@ -103395,6 +103395,7 @@ CVE-2022-29656 (Wedding Management System v1.0 was discovered to contain a SQL i CVE-2022-29655 (An arbitrary file upload vulnerability in the Upload Photos module of ...) NOT-FOR-US: Wedding Management System CVE-2022-29654 (Buffer overflow vulnerability in quote_for_pmake in asm/nasm.c in nasm ...) + - nasm 2.16.01-1 (unimportant) NOTE: Duplicate of CVE-2022-44370 CVE-2022-29653 (OFCMS v1.1.4 was discovered to contain a cross-site scripting (XSS) vu ...) NOT-FOR-US: OFCMS
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e4431cb118b3814724bdbb5c1efea0d8accb8ba You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
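Review bot: this marks CVE-2022-29654 fixed in nasm 2.16.01-1 (unimportant) and notes it as a duplicate of CVE-2022-44370, but only this entry is touched (one changed file, one hunk); confirm that the CVE-2022-44370 entry carries the same fixed version and severity so the two duplicates do not drift apart.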
[Git][security-tracker-team/security-tracker][master] CVE-2022-40626/zabbix : Mark no-dsa for buster as well, for consistency.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: c85b6e56 by Tobias Frost at 2023-10-01T20:19:43+02:00 CVE-2022-40626/zabbix : Mark no-dsa for buster as well, for consistency. - - - - - 1 changed file: - data/CVE/list
Changes: = data/CVE/list = @@ -72738,6 +72738,7 @@ CVE-2022-40627 CVE-2022-40626 (An unauthenticated user can create a link with reflected Javascript co ...) - zabbix 1:6.0.7+dfsg-2 [bullseye] - zabbix (Minor issue) + [buster] - zabbix (Minor issue) NOTE: https://support.zabbix.com/browse/ZBX-21350 NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/55eb14d0a394b362d5df00ed9e06a3918472deec (6.0.7rc1) CVE-2022-40625
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c85b6e5685c1c71f0c58f48da0845a4249246f64 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
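Review bot: the new "[buster] - zabbix (Minor issue)" tag is chosen for consistency with bullseye, but the earlier revert on this page (commit 74756a30) removed a "(Vulnerable backurl code introduced later)" tag precisely because it was unclear whether buster's 4.0 branch contains the affected code; if it does not, "(vulnerable code introduced later)" rather than a no-dsa tag is the accurate state, so a NOTE recording which case applies would help.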
[Git][security-tracker-team/security-tracker][master] 2 commits: Unclaim and remove nasm from dla-needed.txt, as suggested by rouca to me via...
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: ede66f4a by Tobias Frost at 2023-10-01T11:29:48+02:00 Unclaim and remove nasm from dla-needed.txt, as suggested by rouca to me via IRC. (documentation part) - - - - - 4234bbc9 by Tobias Frost at 2023-10-01T11:29:59+02:00 Unclaim and remove nasm from dla-needed.txt, as suggested by rouca to me via IRC. (removal from dla-needed.txt part) - - - - - 1 changed file: - data/dla-needed.txt
Changes: = data/dla-needed.txt = @@ -101,11 +101,6 @@ linux (Ben Hutchings) mosquitto (Markus Koschany) NOTE: 20230924: Added by Front-Desk (apo) -- -nasm (tobi) - NOTE: 20230907: Added by Front-Desk (lamby) - NOTE: 20230907: Added due to CVE-2020-18780, CVE-2020-21685 & CVE-2020-21686, - NOTE: 20230907: but some of these may require some investigation. (lamby) --- nova NOTE: 20230302: Re-add, request by maintainer (Beuc) NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/07563feb18f75f9418760697b1ebd4737ed3c2e9...4234bbc989cb18697f70d80ffeb68079d8803f24 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
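Review bot: removing the nasm block also discards the front-desk notes that CVE-2020-18780, CVE-2020-21685 and CVE-2020-21686 "may require some investigation", and the reasoning from the IRC discussion referenced in the commit message is not recorded anywhere in the tracker; a NOTE on the affected CVE entries explaining why no DLA is needed would keep the next triager from re-adding nasm to dla-needed.txt for the same CVEs.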
[Git][security-tracker-team/security-tracker][master] LTS: claim freerdp2 in dla-needed.txt
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 7bc895d4 by Tobias Frost at 2023-09-30T21:58:31+02:00 LTS: claim freerdp2 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -69,7 +69,7 @@ freeimage (gladk) NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should roll NOTE: 20230826: out the DLA/ELA now. (utkarsh) -- -freerdp2 +freerdp2 (tobi) NOTE: 20230924: Added by Front-Desk (apo) NOTE: 20230924: Too many unresolved issues have piled up. High popcon. (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7bc895d43aeeb1ef5b5728a8fd27dec13606a7e1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7bc895d43aeeb1ef5b5728a8fd27dec13606a7e1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3596-1 for firmware-nonfree
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 8b749e7e by Tobias Frost at 2023-09-30T21:09:40+02:00 Reserve DLA-3596-1 for firmware-nonfree - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Sep 2023] DLA-3596-1 firmware-nonfree - security update + {CVE-2022-27635 CVE-2022-36351 CVE-2022-38076 CVE-2022-40964 CVE-2022-46329} + [buster] - firmware-nonfree 20190114+really20220913-0+deb10u2 [30 Sep 2023] DLA-3595-1 trafficserver - security update {CVE-2022-47185 CVE-2023-33934} [buster] - trafficserver 8.1.7-0+deb10u2 = data/dla-needed.txt = @@ -63,9 +63,6 @@ dogecoin exim4 NOTE: 20230928: Added by Front-Desk (ola) -- -firmware-nonfree (tobi) - NOTE: 20230820: Added by Front-Desk (ta) --- freeimage (gladk) NOTE: 20230826: Added by Front-Desk (utkarsh) NOTE: 20230826: Anton Gladky is the maintainer. Please sync with him about the View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8b749e7e1fd7df332c64f5a41a1d676eedcdd393 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8b749e7e1fd7df332c64f5a41a1d676eedcdd393 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: claim firmware-nonfree in dla-needed.txt
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: a6ae9e9c by Tobias Frost at 2023-09-24T13:44:30+02:00 LTS: claim firmware-nonfree in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -63,7 +63,7 @@ exempi exiv2 NOTE: 20230906: Added by Front-Desk (lamby) -- -firmware-nonfree +firmware-nonfree (tobi) NOTE: 20230820: Added by Front-Desk (ta) -- flac (Sean Whitton) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a6ae9e9ccb364d49fb2f3f50f53252b441200ec7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a6ae9e9ccb364d49fb2f3f50f53252b441200ec7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: claim nasm in dla-needed.txt
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 487d8afa by Tobias Frost at 2023-09-24T09:41:12+02:00 LTS: claim nasm in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -109,7 +109,7 @@ libreswan linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- -nasm +nasm (tobi) NOTE: 20230907: Added by Front-Desk (lamby) NOTE: 20230907: Added due to CVE-2020-18780, CVE-2020-21685 & CVE-2020-21686, NOTE: 20230907: but some of these may require some investigation. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/487d8afa73415d6174d8ddfaa2579693846af098 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/487d8afa73415d6174d8ddfaa2579693846af098 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: claim suricata in dla-needed.txt
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: d5b5bbc0 by Tobias Frost at 2023-09-24T09:40:46+02:00 LTS: claim suricata in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -74,7 +74,7 @@ freeimage (gladk) NOTE: 20230826: Added by Front-Desk (utkarsh) NOTE: 20230826: Anton Gladky is the maintainer. Please sync with him about the NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should roll - NOTE: 20230826: out the DLA/ELA now. (utkarsh) + NOTE: 20230826: out the DLA/ELA now. (utkarsh) -- gerbv (Adrian Bunk) NOTE: 20230903: Added by Front-Desk (gladk) @@ -200,7 +200,7 @@ salt samba NOTE: 20230918: Added by Front-Desk (apo) -- -suricata +suricata (tobi) NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored), View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5b5bbc0161a3a47e70496f93f9fd9fa95096aca -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5b5bbc0161a3a47e70496f93f9fd9fa95096aca You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
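Review bot: besides the suricata claim, this commit carries a change to the freeimage NOTE line ("out the DLA/ELA now. (utkarsh)") whose removed and added text are identical, so it is a whitespace-only edit (most likely trailing whitespace) to an unrelated entry; such cleanups are better kept out of a claim commit or at least mentioned in the message.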
[Git][security-tracker-team/security-tracker][master] Revert 535390052, CVE-2022-40626/zabbix after revisiting patch for jessie I'm...
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 74756a30 by Tobias Frost at 2023-09-10T16:16:23+02:00 Revert 535390052, CVE-2022-40626/zabbix after revisiting patch for jessie I'm not sure anymore if it has been introduced later and re-evaluation for buster might be necessary. - - - - - 1 changed file: - data/CVE/list
Changes: = data/CVE/list = @@ -69658,7 +69658,6 @@ CVE-2022-40627 CVE-2022-40626 (An unauthenticated user can create a link with reflected Javascript co ...) - zabbix 1:6.0.7+dfsg-2 [bullseye] - zabbix (Minor issue) - [buster] - zabbix (Vulnerable backurl code introduced later) NOTE: https://support.zabbix.com/browse/ZBX-21350 NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/55eb14d0a394b362d5df00ed9e06a3918472deec (6.0.7rc1) CVE-2022-40625
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/74756a30740aaf3e164057f406b5076e65e0b2d6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
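Review bot: after the revert the buster line for CVE-2022-40626 is simply gone, so the doubt voiced in the commit message ("re-evaluation for buster might be necessary") lives only in git history; a NOTE under the entry recording that the introduction point of the backurl code still needs checking would keep that TODO visible in the tracker itself.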
[Git][security-tracker-team/security-tracker][master] Drop CVE-2022-35229 from data/DLA/list, as it had been fixed (security wise)...
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 70191a27 by Tobias Frost at 2023-08-23T10:23:08+02:00 Drop CVE-2022-35229 from data/DLA/list, as it had been fixed (security wise) in the previous upload already. - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -5,7 +5,7 @@ {CVE-2021-3481 CVE-2021-45930 CVE-2023-32573 CVE-2023-32763 CVE-2023-34410 CVE-2023-37369 CVE-2023-38197} [buster] - qt4-x11 4:4.8.7+dfsg-18+deb10u2 [22 Aug 2023] DLA-3538-1 zabbix - security update - {CVE-2013-7484 CVE-2019-17382 CVE-2022-35229 CVE-2022-43515 CVE-2023-29450 CVE-2023-29451 CVE-2023-29454 CVE-2023-29455 CVE-2023-29456 CVE-2023-29457} + {CVE-2013-7484 CVE-2019-17382 CVE-2022-43515 CVE-2023-29450 CVE-2023-29451 CVE-2023-29454 CVE-2023-29455 CVE-2023-29456 CVE-2023-29457} [buster] - zabbix 1:4.0.4+dfsg-1+deb10u2 [22 Aug 2023] DLA-3537-1 intel-microcode - security update {CVE-2022-40982 CVE-2022-41804 CVE-2023-23908} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/70191a27fe054c9db2be786b3aa144c425a4762c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/70191a27fe054c9db2be786b3aa144c425a4762c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
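Review bot: the commit says CVE-2022-35229 was already fixed "security wise" in the previous upload, but only data/DLA/list is touched; the CVE-2022-35229 entry in data/CVE/list should then also record that earlier buster version as the fix (or carry a NOTE explaining it), otherwise the tracker shows neither DLA-3538-1 nor any other buster fix for that CVE.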
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3538-1 for zabbix
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: ef3a2751 by Tobias Frost at 2023-08-22T15:20:30+02:00 Reserve DLA-3538-1 for zabbix - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -58556,7 +58556,6 @@ CVE-2022-43516 (A Firewall Rule which allows all incoming TCP connections to all CVE-2022-43515 (Zabbix Frontend provides a feature that allows admins to maintain the ...) - zabbix 1:6.0.13+dfsg-1 (bug #1026847) [bullseye] - zabbix (Minor issue) - [buster] - zabbix (Minor issue) NOTE: https://support.zabbix.com/browse/ZBX-22050 NOTE: Fixed by: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/aa58889ba54b2350e211a5f315baabbaf7228045 (4.0.45rc1) NOTE: Fixed by: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/50668e9d64af32cdc67a45082c556699ff86565e (5.0.30rc1) @@ -272022,7 +272021,6 @@ CVE-2019-19395 RESERVED CVE-2013-7484 (Zabbix before 5.0 represents passwords in the users table with unsalte ...) - zabbix 1:5.0.0+dfsg-1 - [buster] - zabbix (Minor issue) [stretch] - zabbix (Minor issue) [jessie] - zabbix (Minor issue) NOTE: https://support.zabbix.com/browse/ZBX-16551 @@ -281206,7 +281204,6 @@ CVE-2019-17383 (The netaddr gem before 2.0.4 for Ruby has misconfigured file per - ruby-netaddr (Upstream packaging issue) CVE-2019-17382 (An issue was discovered in zabbix.php?action=dashboard.view ...) - zabbix 1:5.0.0+dfsg-1 - [buster] - zabbix (Minor issue, no patch, guest accounts can be disabled) [stretch] - zabbix (Minor issue, no patch, guest accounts can be disabled) [jessie] - zabbix (Minor issue, guest accounts can be disabled) NOTE: https://support.zabbix.com/browse/ZBX-16789 = data/DLA/list = 
@@ -1,3 +1,6 @@ +[22 Aug 2023] DLA-3538-1 zabbix - security update + {CVE-2013-7484 CVE-2019-17382 CVE-2022-35229 CVE-2022-43515 CVE-2023-29450 CVE-2023-29451 CVE-2023-29454 CVE-2023-29455 CVE-2023-29456 CVE-2023-29457} + [buster] - zabbix 1:4.0.4+dfsg-1+deb10u2 [22 Aug 2023] DLA-3537-1 intel-microcode - security update {CVE-2022-40982 CVE-2022-41804 CVE-2023-23908} [buster] - intel-microcode 3.20230808.1~deb10u1 = data/dla-needed.txt = @@ -230,7 +230,3 @@ w3m (Sylvain Beucler) NOTE: 20230812: Follow fixes from bullseye 11.7 (1 CVE) (Beuc/front-desk) NOTE: 20230819: No ASAN errors with the PoCs, but the backported fixes do bring some (!), more testing needed. (Beuc) -- -zabbix (tobi) - NOTE: 20230731: Added by Front-Desk (apo) - NOTE: 20230812: WIP, patches backported but largerly untested. Will continue after VAC. (tobi) --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ef3a2751215bea0070824c5f96a3630a465170ff -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ef3a2751215bea0070824c5f96a3630a465170ff You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
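Review bot: the new DLA-3538-1 line lists CVE-2022-35229, yet the data/CVE/list hunks in this commit touch only CVE-2022-43515, CVE-2013-7484 and CVE-2019-17382, so the buster state of CVE-2022-35229 was not reviewed here; it was later dropped from the DLA line again (commit 70191a27 on this page) as already fixed, which suggests checking each listed CVE against data/CVE/list before reserving the DLA number.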
[Git][security-tracker-team/security-tracker][master] Document zabbix state before VAC.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 81868f3b by Tobias Frost at 2023-08-12T07:09:05+02:00 Document zabbix state before VAC. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -237,4 +237,5 @@ unrar-nonfree (Markus Koschany) -- zabbix (tobi) NOTE: 20230731: Added by Front-Desk (apo) + NOTE: 20230812: WIP, patches backported but largerly untested. Will continue after VAC. (tobi) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/81868f3b11d3aee9f678151589af329adb78c33e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/81868f3b11d3aee9f678151589af329adb78c33e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
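Review bot: the added NOTE contains the typo "largerly" (should be "largely"); since dla-needed.txt notes are read by other LTS contributors, a follow-up fix is worthwhile.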
[Git][security-tracker-team/security-tracker][master] Add links to patches for CVE-2023-29450/zabbix
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: ffcfffec by Tobias Frost at 2023-08-11T10:38:36+02:00 Add links to patches for CVE-2023-29450/zabbix - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16818,6 +16818,8 @@ CVE-2023-29451 (Specially crafted string can cause a buffer overrun in the JSON CVE-2023-29450 (JavaScript pre-processing can be used by the attacker to gain access t ...) - zabbix NOTE: https://support.zabbix.com/browse/ZBX-22588 + NOTE: Patch for 5.0.32rc1: https://github.com/zabbix/zabbix/commit/c3f1543e4 + NOTE: Patch for 6.0.14rc2: https://github.com/zabbix/zabbix/commit/76f6a80cb CVE-2023-29449 (JavaScript preprocessing, webhooks and global scripts can cause uncont ...) - zabbix [buster] - zabbix (vulnerable code introduced later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ffcfffec048a36ea8886e04511bfea1301a09da0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ffcfffec048a36ea8886e04511bfea1301a09da0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
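Review bot: both new patch references (c3f1543e4 and 76f6a80cb) are 9-character abbreviations with the version written before the URL, while the neighbouring zabbix entries use full 40-character hashes followed by the fixed version in parentheses; the full form is stable against future abbreviation collisions and matches the file's convention. The entry still reads "- zabbix" with no fixed version for unstable, so add the version that contains these patches if it is known.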
[Git][security-tracker-team/security-tracker][master] CVE-2023-29449/zabbix does not affect buster.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: df2eb1ce by Tobias Frost at 2023-08-11T09:35:28+02:00 CVE-2023-29449/zabbix does not affect buster. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16738,7 +16738,11 @@ CVE-2023-29450 (JavaScript pre-processing can be used by the attacker to gain ac NOTE: https://support.zabbix.com/browse/ZBX-22588 CVE-2023-29449 (JavaScript preprocessing, webhooks and global scripts can cause uncont ...) - zabbix + [buster] - zabbix (vulnerable code introduced later) NOTE: https://support.zabbix.com/browse/ZBX-22589 + NOTE: Upstream patch for 5.0.32: https://github.com/zabbix/zabbix/commit/e90b8a3c62 + NOTE: applied in upstream release/5.0 branch: https://github.com/zabbix/zabbix/commit/c21cf2fa656b75733e3abc09d8f20690735b3f22 + NOTE: vulnerable module introduced in https://github.com/zabbix/zabbix/commit/18d2abfc40 (5.0.0alpha1) CVE-2023-29448 RESERVED CVE-2023-29447 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df2eb1ce7c1a337f6b1fb91ff5706afac8865501 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df2eb1ce7c1a337f6b1fb91ff5706afac8865501 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
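Review bot: the "(vulnerable code introduced later)" tag for buster is consistent with the NOTE that the module arrived in 5.0.0alpha1 and with buster shipping the 4.0 branch (zabbix 1:4.0.4 per the DLA-3538-1 line elsewhere on this page); however, two of the three new references (e90b8a3c62, 18d2abfc40) are abbreviated while the third is a full hash, so use the full 40-character form throughout and put the version in parentheses after the URL as the other NOTEs do.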
[Git][security-tracker-team/security-tracker][master] Triaging zabbix with focus LTS/buster
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 4b21c5fb by Tobias Frost at 2023-08-09T18:42:38+02:00 Triaging zabbix with focus LTS/buster CVE-2023-29458: duktape library only introduced in 5.0.0alpha1 CVE-2023-29452: geomap widget only introduced in 6.0.0alpha6 add links to patch for: CVE-2023-29451 CVE-2013-7484 CVE-2019-17382 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16321,8 +16321,10 @@ CVE-2023-29459 (The laola.redbull application through 5.1.9-R for Android expose NOT-FOR-US: laola.redbull CVE-2023-29458 (Duktape is an 3rd-party embeddable JavaScript engine, with a focus on ...) - zabbix + [buster] - zabbix (vulnerable code introduced later) NOTE: This appears to be bug in Zabbix's use of duktape, not an issue in src:duktape per se NOTE: https://support.zabbix.com/browse/ZBX-22989 + NOTE: duktape library introduced with https://github.com/zabbix/zabbix/commit/d43b04665c1ade5b4a9f49db750b8ca6c82e9de2 (5.0.0alpha1) CVE-2023-29457 (Reflected XSS attacks, occur when a malicious script is reflected off ...) - zabbix NOTE: https://support.zabbix.com/browse/ZBX-22988 @@ -16339,8 +16341,11 @@ CVE-2023-29453 RESERVED CVE-2023-29452 (Currently, geomap configuration (Administration -> General -> Geograph ...) - zabbix - [bullseye] - zabbix (5.x not affected) + [bullseye] - zabbix (vulnerable code introduced later) + [buster] - zabbix (vulnerable code introduced later) NOTE: https://support.zabbix.com/browse/ZBX-22981 + NOTE: Patches links: https://support.zabbix.com/browse/ZBX-22720 + NOTE: vulnerable geopmap widget introduced in version 6.0.0alpha6 with https://github.com/zabbix/zabbix/commit/7e6a91149533b17b12c0317968b485e0c98d4ac2 CVE-2023-29451 (Specially crafted string can cause a buffer overrun in the JSON parser ...) - zabbix [bullseye] - zabbix (5.x not affected) 
@@ -56908,6 +56913,8 @@ CVE-2022-43515 (Zabbix Frontend provides a feature that allows admins to maintai [bullseye] - zabbix (Minor issue) [buster] - zabbix (Minor issue) NOTE: https://support.zabbix.com/browse/ZBX-22050 + NOTE: Patches: for 4.0.45rc1 https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/aa58889ba54b2350e211a5f315baabbaf7228045 + NOTE: for 5.0.30rc1 https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/50668e9d64af32cdc67a45082c556699ff86565e CVE-2022-43514 (A vulnerability has been identified in Automation License Manager V5 ( ...) NOT-FOR-US: Automation License Manager CVE-2022-43513 (A vulnerability has been identified in Automation License Manager V5 ( ...) @@ -270306,6 +270313,7 @@ CVE-2013-7484 (Zabbix before 5.0 represents passwords in the users table with un NOTE: https://support.zabbix.com/browse/ZBX-16551 NOTE: https://support.zabbix.com/browse/ZBXNEXT-1898 NOTE: https://www.zabbix.com/documentation/5.0/manual/introduction/whatsnew500#stronger_cryptography_for_passwords + NOTE: patch for 5.0.0: https://github.com/zabbix/zabbix/commit/3c4b81c66da CVE-2020-1784 RESERVED CVE-2020-1783 
@@ -279482,6 +279490,8 @@ CVE-2019-17382 (An issue was discovered in zabbix.php?action=dashboard.view NOTE: Disputed by upstream, closed as not a security bug. NOTE: Guest account is disabled by default starting in 4.0.15rc1, 4.4.2rc1 and NOTE: 5.0.0alpha1 (Cf. https://support.zabbix.com/browse/ZBXNEXT-5532) + NOTE: Patch to disable default user by default, for 5.0.0alpha1: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/9fd6f1c35 + NOTE: and for 4.0.15rc: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/cd3921882 CVE-2019-17381 RESERVED CVE-2019-17380 (cPanel before 82.0.15 allows self XSS in the WHM Update Preferences in ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b21c5fbfaebdf2d20fc5eb1d3de973f86bcdf5e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b21c5fbfaebdf2d20fc5eb1d3de973f86bcdf5e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
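Review bot: in the CVE-2023-29452 hunk the added NOTE misspells "geopmap" (should be "geomap"), and the "Patches links:" NOTE points at a different ticket (ZBX-22720) than the one directly above it (ZBX-22981) without saying how the two relate; a few words in the NOTE would save the reader a lookup.

Review bot: the patch references added for CVE-2013-7484 (3c4b81c66da) and CVE-2019-17382 (9fd6f1c35, cd3921882) are abbreviated hashes, and the CVE-2022-43515 hunk puts the version before the URL ("Patches: for 4.0.45rc1 URL" / "for 5.0.30rc1 URL"); the file's usual form, visible in the context lines of the later commit ef3a2751 on this page, is "NOTE: Fixed by: <full URL> (version)", one per line, so normalising these now avoids a later rewrite.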
[Git][security-tracker-team/security-tracker][master] LTS: claim zabbix in dla-needed.txt
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 01ca788f by Tobias Frost at 2023-08-02T15:31:55+02:00 LTS: claim zabbix in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -202,6 +202,6 @@ xqilla NOTE: 20230706: Added by Front-Desk (gladk) NOTE: 20230715: not vulnerable, the embedded yajl is ancient (around 0.2.2), not having the vulnerable code. -- -zabbix +zabbix (tobi) NOTE: 20230731: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/01ca788ffc89e06c0baeffe96c7a834e5a753696 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/01ca788ffc89e06c0baeffe96c7a834e5a753696 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3501-1 for renderdoc
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 061d1368 by Tobias Frost at 2023-07-25T06:51:25+02:00 Reserve DLA-3501-1 for renderdoc - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -5511,7 +5511,6 @@ CVE-2020-36705 (The Adning Advertising plugin for WordPress is vulnerable to arb NOT-FOR-US: Adning Advertising plugin for WordPress CVE-2023-33865 (RenderDoc before 1.27 allows local privilege escalation via a symlink ...) - renderdoc (bug #1037208) - [buster] - renderdoc (Can wait for next update) NOTE: https://www.openwall.com/lists/oss-security/2023/06/06/3 NOTE: https://github.com/baldurk/renderdoc/commit/601ed56111ce3803d8476d438ade1c92d6092856 (v1.27) NOTE: https://github.com/baldurk/renderdoc/commit/e0464fea4f9a7f149c4ee1d84e5ac57839a4a862 (v1.27) = data/DLA/list = @@ -1,3 +1,6 @@ +[25 Jul 2023] DLA-3501-1 renderdoc - security update + {CVE-2023-33863 CVE-2023-33864 CVE-2023-33865} + [buster] - renderdoc 1.2+dfsg-2+deb10u1 [19 Jul 2023] DLA-3500-1 python-django - security update {CVE-2023-36053} [buster] - python-django 1:1.11.29-1+deb10u9 = data/dla-needed.txt = 
@@ -154,12 +154,6 @@ rails NOTE: 20221024: to break thrice in less than 2 month. NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh) -- -renderdoc (tobi) - NOTE: 20230620: Added by Front-Desk (Beuc) - NOTE: 20230620: See discussion at https://lists.debian.org/debian-lts/2023/06/msg00049.html - NOTE: 20230620: Summary: try to backport fixes; otherwise, since this is a end-user app with no rdeps, - NOTE: 20230620: coordinate with maintainer to try and bump to 1.27 across all dists (Beuc/front-desk) --- ring (Thorsten Alteholz) NOTE: 20221120: Added by Front-Desk (ta) NOTE: 20230507: testing package View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/061d1368bc35dd7b325d02e35e660cfad3879a08 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/061d1368bc35dd7b325d02e35e660cfad3879a08 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
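Review bot: the removed dla-needed.txt notes record an open decision ("try to backport fixes; otherwise ... bump to 1.27 across all dists") and this hunk drops them without saying which path was taken; since the DLA ships 1.2+dfsg-2+deb10u1, i.e. a backport, a closing note here or a comment in bug #1037208 stating that the 1.27 bump was not pursued would keep the outcome of the https://lists.debian.org/debian-lts/2023/06/msg00049.html thread findable.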
[Git][security-tracker-team/security-tracker][master] xqilla's embedded yajl is not affected by CVE-2017-16516 and CVE-2022-24795
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: d9e204ad by Tobias Frost at 2023-07-19T15:58:31+02:00 xqillas embedded yajl is not affected by CVE-2017-16516 and CVE-2022-24795 (The embedded yajl version is around 0.2.2.) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -106924,6 +106924,8 @@ CVE-2022-24795 (yajl-ruby is a C binding to the YAJL JSON parsing and generation [bookworm] - r-cran-jsonlite (Minor issue) [bullseye] - r-cran-jsonlite (Minor issue) [buster] - r-cran-jsonlite (Minor issue) + - xqilla (Vulnerable code not present; embeds not-affected ancientyajl version) + NOTE: xqilla's embedded yajl is ancient (around 0.2.2), not having the vulnerable code NOTE: https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm NOTE: https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6 NOTE: https://github.com/brianmario/yajl-ruby/commit/e8de283a6d64f0902740fd09e858fc3d7d803161 
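Review bot: `ancientyajl` in the new `- xqilla (Vulnerable code not present; embeds not-affected ancientyajl version)` line is missing a space, and the NOTE added directly under it repeats the same reason in slightly different words; let one line carry the reason and the other the evidence (which file in the xqilla tree matches which yajl release), otherwise the entry says the same thing twice and still cannot be re-verified.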
@@ -384692,6 +384694,8 @@ CVE-2017-16516 (In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is [bookworm] - r-cran-jsonlite (Minor issue) [bullseye] - r-cran-jsonlite (Minor issue) [buster] - r-cran-jsonlite (Minor issue) + - xqilla (Vulnerable code not present; embeds not-affected ancientyajl version) + NOTE: xqilla's embedded yajl is ancient (around 0.2.2), not having the vulnerable code NOTE: https://github.com/brianmario/yajl-ruby/issues/176 NOTE: https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce CVE-2017-16515 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9e204ad0cc182762985067e31d8ccfe6bec689c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9e204ad0cc182762985067e31d8ccfe6bec689c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
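Review bot: the CVE-2017-16516 hunk duplicates the CVE-2022-24795 addition verbatim, `ancientyajl` typo included, so both need the same fix; beyond that, neither hunk cites what was compared to conclude the embedded copy is around 0.2.2 (a path in the xqilla source and the matching upstream yajl tag or commit would do), and the bug reference `#1040164` that the earlier xqilla commit on this page carried is not brought back, so the BTS link to this assessment is lost.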
[Git][security-tracker-team/security-tracker][master] fix data/dla-needed.txt
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 860b1155 by Tobias Frost at 2023-07-18T16:50:04+02:00 fix data/dla-needed.txt stray ^S broke lts tool. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -208,4 +208,4 @@ tiff (Adrian Bunk) xqilla (tobi) NOTE: 20230706: Added by Front-Desk (gladk) NOTE: 20230715: not vulnerable, the embedded yajl is ancient (around 0.2.2), not having the vulnerable code. --- +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/860b115593876887543ab0a3320e1856ee39ef85 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/860b115593876887543ab0a3320e1856ee39ef85 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
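Review bot: the control character this hunk removes is invisible in the diff, so `---`/`+--` reads as a no-op and only the commit message ("stray ^S") explains it; the result can be confirmed with `grep -nP '[\x00-\x08\x0b\x0c\x0e-\x1f]' data/dla-needed.txt` (it should print nothing now), and the same check in the lts tool's parser or a pre-commit hook would reject such bytes with a clear error instead of breaking later.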
[Git][security-tracker-team/security-tracker][master] Document xqilla triage for buster. (embedded yajl ancient, not vulnerable to these CVEs.)
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 2172c314 by Tobias Frost at 2023-07-15T15:25:50+02:00 Document xqilla triage for buster. (embedded yajl ancient, not vulnerable to this CVEs.) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -202,4 +202,5 @@ tiff (Adrian Bunk) -- xqilla (tobi) NOTE: 20230706: Added by Front-Desk (gladk) --- + NOTE: 20230715: not vulnerable, the embedded yajl is ancient (around 0.2.2), not having the vulnerable code. +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2172c314d144f7659d02a6866ef932a9208c6e24 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2172c314d144f7659d02a6866ef932a9208c6e24 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
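Review bot: the hunk removes the `--` separator and re-adds it unchanged below the new NOTE, and the follow-up "fix data/dla-needed.txt" commit on this page (stray ^S) has to repair exactly that re-typed separator line; inserting the NOTE above the existing separator leaves it untouched. Also, a triage result of "not vulnerable" means no DLA work remains, so the xqilla entry should leave dla-needed.txt rather than stay claimed with a note.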
[Git][security-tracker-team/security-tracker][master] xqilla's yajl is ancient, around 0.2.2 and is not vulnerable to CVE-2017-16516 and CVE-2022-24795.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: c254af04 by Tobias Frost at 2023-07-15T15:23:12+02:00 xqillas yajl is ancienct, around 0.2.2 and is not vulnerable to CVE-2017-16516 and CVE-2022-24795. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -106402,12 +106402,13 @@ CVE-2022-24795 (yajl-ruby is a C binding to the YAJL JSON parsing and generation [bookworm] - r-cran-jsonlite (Minor issue) [bullseye] - r-cran-jsonlite (Minor issue) [buster] - r-cran-jsonlite (Minor issue) - - xqilla (bug #1040164) + - xqilla (embeds ancient yajl without the vulnerable code) [bullseye] - xqilla (Minor issue) NOTE: https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm NOTE: https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6 NOTE: https://github.com/brianmario/yajl-ruby/commit/e8de283a6d64f0902740fd09e858fc3d7d803161 NOTE: https://github.com/lloyd/yajl/issues/239 + NOTE: xquilla embeds ancient yail, likely 0.2.2 https://github.com/lloyd/yajl/tree/6efc79a CVE-2022-24794 (Express OpenID Connect is an Express JS middleware implementing sign o ...) NOT-FOR-US: Express OpenID Connect CVE-2022-24793 (PJSIP is a free and open source multimedia communication library writt ...) 
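Review bot: replacing `- xqilla (bug #1040164)` with `- xqilla (embeds ancient yajl without the vulnerable code)` drops the bug reference; keep `bug #1040164` in the parenthesis and close or tag the BTS bug with the same conclusion, and the new NOTE has two typos, `xquilla` and `yail`. The `[bullseye] - xqilla (Minor issue)` line kept as context is also at odds with this change: if the embedded copy has no vulnerable code in any release there is nothing to postpone for bullseye, so that line should go too.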
@@ -384163,11 +384164,11 @@ CVE-2017-16516 (In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is [bookworm] - r-cran-jsonlite (Minor issue) [bullseye] - r-cran-jsonlite (Minor issue) [buster] - r-cran-jsonlite (Minor issue) - - xqilla (bug #1040164) + - xqilla (embeds ancient yajl without the vulnerable code) [bullseye] - xqilla (Minor issue) NOTE: https://github.com/brianmario/yajl-ruby/issues/176 NOTE: https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce - NOTE: yail: https://github.com/lloyd/yajl/issues/248 + NOTE: xquilla embeds ancient yail, likely 0.2.2 https://github.com/lloyd/yajl/tree/6efc79a CVE-2017-16515 RESERVED CVE-2017-16514 (Multiple persistent stored Cross-Site-Scripting (XSS) vulnerabilities ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c254af048d08433624f3c634462f0450aa2ce9a1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c254af048d08433624f3c634462f0450aa2ce9a1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
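Review bot: this hunk deletes `NOTE: yail: https://github.com/lloyd/yajl/issues/248` while the CVE-2022-24795 hunk keeps its `lloyd/yajl/issues/239` reference; the issue link is the upstream evidence for the yajl side of the bug and belongs next to the new xqilla note, not replaced by it. Same `xquilla`/`yail` typos and the same dropped `bug #1040164` as in the first hunk.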
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3492-1 for yajl
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 51e0b152 by Tobias Frost at 2023-07-11T19:45:57+02:00 Reserve DLA-3492-1 for yajl - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[11 Jul 2023] DLA-3492-1 yajl - security update + {CVE-2017-16516 CVE-2022-24795 CVE-2023-33460} + [buster] - yajl 2.1.0-3+deb10u2 [11 Jul 2023] DLA-3491-1 erlang - security update {CVE-2022-37026} [buster] - erlang 1:22.2.7+dfsg-1+deb10u1 = data/dla-needed.txt = @@ -217,6 +217,3 @@ tiff (Adrian Bunk) xqilla (tobi) NOTE: 20230706: Added by Front-Desk (gladk) -- -yajl (tobi) - NOTE: 20230702: Added by Front-Desk (ta) --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/51e0b1521dc827d30e3dd99db12ac26d0fe12d16 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/51e0b1521dc827d30e3dd99db12ac26d0fe12d16 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
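Review bot: the commit reserves DLA-3492-1 for three CVEs but touches only data/DLA/list and data/dla-needed.txt; the CVE-2017-16516, CVE-2022-24795 and CVE-2023-33460 entries in data/CVE/list are not updated here, so check that none of them carries a leftover `[buster] - yajl` no-dsa or postponed line, which would contradict the `yajl 2.1.0-3+deb10u2` fix recorded now.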
[Git][security-tracker-team/security-tracker][master] LTS: claim xqilla in dla-needed.txt
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 579fcfc2 by Tobias Frost at 2023-07-11T18:29:14+02:00 LTS: claim xqilla in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -214,7 +214,7 @@ symfony (guilhem) tiff (Adrian Bunk) NOTE: 20230702: Added by Front-Desk (ta) -- -xqilla +xqilla (tobi) NOTE: 20230706: Added by Front-Desk (gladk) -- yajl (tobi) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/579fcfc2e7a3125b6b826ddb75c344629d9186f0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/579fcfc2e7a3125b6b826ddb75c344629d9186f0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3487-1 for fusiondirectory
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 13fdba2a by Tobias Frost at 2023-07-08T15:51:42+02:00 Reserve DLA-3487-1 for fusiondirectory - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[08 Jul 2023] DLA-3487-1 fusiondirectory - security update + {CVE-2022-36179 CVE-2022-36180} + [buster] - fusiondirectory 1.2.3-4+deb10u2 [08 Jul 2023] DLA-3486-1 ocsinventory-server - security update [buster] - ocsinventory-server 2.5+dfsg1-1+deb10u1 [08 Jul 2023] DLA-3485-1 php-cas - security update = data/dla-needed.txt = 
@@ -54,16 +54,6 @@ flatpak NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk) -- -fusiondirectory (Abhijith PA) - NOTE: 20221203: Added by Front-Desk (gladk) - NOTE: 20221203: Please evaluate, whether the package can be fixed (gladk). - NOTE: 20221203: Two CVEs have only mitigation, fix in a new version (gladk). - NOTE: 20221203: Also the package was removed from sid recently (gladk). - NOTE: 20221203: Feel free to marke both CVEs as , if they are not too serious (gladk). - NOTE: 20230523: Added upstream commit references to security tracker. Patched our version, testing (abhijith) - NOTE: 20230627: Coordinate with upload of php-cas as php-cas will break fusiondirectory. (tobi) - NOTE: 20230627: See: https://lists.debian.org/debian-lts/2023/06/msg00058.html --- glib2.0 (santiago) NOTE: 20230612: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13fdba2af151853d5ea27c5b872fd51bb81e746a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13fdba2af151853d5ea27c5b872fd51bb81e746a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
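Review bot: the removed dla-needed.txt notes say the php-cas upload "will break fusiondirectory" and that the two uploads had to be coordinated; DLA-3485-1 php-cas 1.3.6-1+deb10u1 and DLA-3487-1 fusiondirectory 1.2.3-4+deb10u2 now both sit in data/DLA/list, so the coordination evidently happened, but this hunk deletes the only record of that dependency. A one-line note in the DLA text or the changelog saying the two must be upgraded together would spare the next person rediscovering it via https://lists.debian.org/debian-lts/2023/06/msg00058.html.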
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3486-1 for ocsinventory-server
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: e352c46c by Tobias Frost at 2023-07-08T15:47:39+02:00 Reserve DLA-3486-1 for ocsinventory-server - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[08 Jul 2023] DLA-3486-1 ocsinventory-server - security update + [buster] - ocsinventory-server 2.5+dfsg1-1+deb10u1 [08 Jul 2023] DLA-3485-1 php-cas - security update {CVE-2022-39369} [buster] - php-cas 1.3.6-1+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e352c46c7138113fe549e2e9029ddaf6a5721570 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e352c46c7138113fe549e2e9029ddaf6a5721570 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
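Review bot: the new `[08 Jul 2023] DLA-3486-1 ocsinventory-server - security update` entry has no `{CVE-...}` line, unlike DLA-3485-1 php-cas directly below it; an entry without CVE identifiers is legitimate when none was assigned, but then a NOTE with the bug number or upstream advisory (or the DLA text itself) is the only thing that says what 2.5+dfsg1-1+deb10u1 fixes, and nothing in this commit supplies it.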