[Git][security-tracker-team/security-tracker][master] 2 commits: Add note for CVE-2023-28686/dino-im.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 55519123 by Chris Lamb at 2023-03-27T17:49:52+01:00 Add note for CVE-2023-28686/dino-im. - - - - - a0938fb2 by Chris Lamb at 2023-03-27T17:50:42+01:00 Triage CVE-2023-28686 in dino-im for buster LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -659,10 +659,12 @@ CVE-2023-1544 (A flaw was found in the QEMU implementation of VMWare's paravirtu NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html CVE-2023-28686 (Dino before 0.2.3, 0.3.x before 0.3.2, and 0.4.x before 0.4.2 allows a ...) - dino-im 0.4.2-1 (bug #1033370) + [buster] - dino-im (Vulnerable code added in v0.1.0) NOTE: https://dino.im/security/cve-2023-28686/ NOTE: Fixed by: https://github.com/dino/dino/commit/ef8fb0e94ce79d5fde2943e433ad0422eb7f70ec NOTE: Fixed by: https://github.com/dino/dino/commit/baf96d9d9fac7480fed777ac87d917f8dec8f0f6 (v0.4.2) NOTE: Fixed by: https://github.com/dino/dino/commit/e02a443a4eaf02f0ab860b41d0bc7081d4110ab4 (v0.2.3) + NOTE: Bookmark supported added in https://github.com/dino/dino/commit/74c29d4df19f97b9b67bbc3c1a963a8729be69fd (v0.1.0) CVE-2023-28685 (Jenkins AbsInt a Plugin 1.1.0 and earlier does not configure its ...) NOT-FOR-US: Jenkins plugin CVE-2023-28684 (Jenkins remote-jobs-view-plugin Plugin 0.0.3 and earlier does not conf ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5a55272ef25f4207f4b89cad175f73167454548c...a0938fb250c6380b9991e94baf8b65a0c21d6519 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5a55272ef25f4207f4b89cad175f73167454548c...a0938fb250c6380b9991e94baf8b65a0c21d6519 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
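Review bot: typo in the added NOTE line of the CVE-2023-28686 hunk: "Bookmark supported added in ..." should read "Bookmark support added in ...". While touching this entry, the first "Fixed by:" commit (ef8fb0e9...) is the only one of the three without a release tag, although the description names three fixed branches (0.2.3, 0.3.2 and 0.4.2); tagging it with the branch it landed in, the way the other two carry "(v0.4.2)" and "(v0.2.3)", would complete the branch-to-fix mapping.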
[Git][security-tracker-team/security-tracker][master] 2 commits: Add note for ruby-rails-html-sanitizer
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 998b1e5e by Utkarsh Gupta at 2023-03-13T02:08:00+05:30 Add note for ruby-rails-html-sanitizer - - - - - 4dacbb52 by Utkarsh Gupta at 2023-03-13T02:08:55+05:30 Reserve DLA-3359-1 for libapache2-mod-auth-mellon - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -127080,7 +127080,6 @@ CVE-2021-3640 (A flaw use-after-free in function sco_sock_sendmsg() of the Linux CVE-2021-3639 (A flaw was found in mod_auth_mellon where it does not sanitize logout ...) - libapache2-mod-auth-mellon 0.18.0-1 (bug #991730) [bullseye] - libapache2-mod-auth-mellon 0.17.0-1+deb11u1 - [buster] - libapache2-mod-auth-mellon (Minor issue) [stretch] - libapache2-mod-auth-mellon (Minor issue) NOTE: https://github.com/latchset/mod_auth_mellon/commit/42a11261b9dad2e48d70bdff7c53dd57a12db6f5 CVE-2021-36350 (Dell PowerScale OneFS, versions 8.2.2-9.3.0.x, contain an authenticati ...) @@ -270799,7 +270798,6 @@ CVE-2019-13039 RESERVED CVE-2019-13038 (mod_auth_mellon through 0.14.2 has an Open Redirect via the login?Retu ...) - libapache2-mod-auth-mellon 0.15.0-1 (low; bug #931265) - [buster] - libapache2-mod-auth-mellon (Minor issue) [stretch] - libapache2-mod-auth-mellon (Minor issue) [jessie] - libapache2-mod-auth-mellon (Open Redirect protection not implemented yet) NOTE: https://github.com/Uninett/mod_auth_mellon/issues/35#issuecomment-503974885 = data/DLA/list = @@ -1,3 +1,6 @@ +[13 Mar 2023] DLA-3359-1 libapache2-mod-auth-mellon - security update + {CVE-2019-13038 CVE-2021-3639} + [buster] - libapache2-mod-auth-mellon 0.14.2-1+deb10u1 [12 Mar 2023] DLA-3358-1 mpv - security update {CVE-2020-19824} [buster] - mpv 0.29.1-1+deb10u1 = data/dla-needed.txt = 
@@ -102,12 +102,6 @@ intel-microcode (tobi) NOTE: 20230310: will first fix unstable and stable, then proceed with LTS and ELTS, using the same new upstream version. (tobi) NOTE: 20230312: uploaded to DELAYED/5 for unstable. -- -libapache2-mod-auth-mellon (Utkarsh) - NOTE: 20230105: Programming language: C. - NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk) - NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/libapache2-mod-auth-mellon.git - NOTE: 20230220: upload prepped, testing remains. (utkarsh) --- libreoffice NOTE: 20221012: Programming language: C++. NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/libreoffice.git @@ -263,6 +257,7 @@ ruby-loofah (Daniel Leidert) ruby-rails-html-sanitizer NOTE: 20221231: Programming language: Ruby. NOTE: 20221231: VCS: https://salsa.debian.org/lts-team/packages/ruby-rails-html-sanitizer.git + NOTE: 20230303: this cannot be fixed unless ruby-loofah is fixed with appropriate methods. (utkarsh) -- ruby-sidekiq (Utkarsh) NOTE: 20221231: Programming language: Ruby. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/23a9d48016bd0218a366177fd3cdd5051347ed17...4dacbb52b1761a042d3085dc122626e08b9288ca -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/23a9d48016bd0218a366177fd3cdd5051347ed17...4dacbb52b1761a042d3085dc122626e08b9288ca You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
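Review bot: the ruby-rails-html-sanitizer hunk records that the package is blocked on ruby-loofah, but the dependency is only visible from one side; the ruby-loofah entry (claimed by Daniel Leidert in the hunk's context line) carries no matching note. A dated NOTE there, e.g. "NOTE: 20230303: ruby-rails-html-sanitizer waits for this fix (utkarsh)", keeps the two entries from being worked on independently.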
[Git][security-tracker-team/security-tracker][master] 2 commits: Add note for CVE-2022-33981
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 42bf030f by Salvatore Bonaccorso at 2022-06-19T21:11:33+02:00 Add note for CVE-2022-33981 - - - - - c24aef55 by Salvatore Bonaccorso at 2022-06-19T21:12:51+02:00 Add note for CVE-2022-33981 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -43,7 +43,7 @@ CVE-2022-29895 CVE-2022-29871 RESERVED CVE-2022-33981 (drivers/block/floppy.c in the Linux kernel before 5.17.6 is vulnerable ...) - TODO: check + NOTE: Duplicate of CVE-2022-1836, checking with MITRE for rejection CVE-2022-33980 RESERVED CVE-2022-2129 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3de83f8c1b2ede771a03b9d3b508acf8f4aeab0c...c24aef55dad70e8dcde9fc82b1be68893afb97e7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3de83f8c1b2ede771a03b9d3b508acf8f4aeab0c...c24aef55dad70e8dcde9fc82b1be68893afb97e7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
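Review bot: the CVE-2022-33981 hunk replaces the "TODO: check" marker with a NOTE, so the entry leaves the triage list while the rejection is still pending with MITRE. Keeping a TODO beside the note until the id is actually rejected, e.g. "TODO: check (MITRE contacted about rejection as duplicate of CVE-2022-1836)", avoids losing track if the rejection never happens. Separately, both commits in this push carry the identical subject "Add note for CVE-2022-33981"; a second subject saying what the follow-up changed would make the history easier to read.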
[Git][security-tracker-team/security-tracker][master] 2 commits: Add note for trafficserver in dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 562f6bfe by Salvatore Bonaccorso at 2022-05-22T11:01:28+02:00 Add note for trafficserver in dsa-needed list - - - - - 125fd853 by Salvatore Bonaccorso at 2022-05-22T11:02:18+02:00 Add note for firefox-esr in dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -25,6 +25,7 @@ curl epiphany-browser -- firefox-esr + Maintainer uploaded fixed packages -- freecad (aron) -- @@ -56,6 +57,7 @@ thunderbird -- trafficserver (jmm) wait until status for CVE-2021-38161 is clarified (upstream patch got reverted) + Maintainer prepared debdiffs for review for a set of CVEs -- unzip unclear information, initial report indicates writable memory corruption, but View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b16402025e874e87a9aeb83b371f8097b10a7638...125fd8539d5ca8a4e82595f6f21c04be7b49f6e2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b16402025e874e87a9aeb83b371f8097b10a7638...125fd8539d5ca8a4e82595f6f21c04be7b49f6e2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
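Review bot: the trafficserver hunk says debdiffs were prepared "for a set of CVEs" without naming them, while the entry is explicitly waiting on CVE-2021-38161 being clarified; listing the CVE ids the debdiffs cover (and whether CVE-2021-38161 is among them) makes it clear whether the existing wait note still applies. The firefox-esr hunk would likewise be verifiable from the tracker if it named the uploaded version.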
[Git][security-tracker-team/security-tracker][master] 2 commits: Add note for debian-edu-config
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: bed94d3e by Utkarsh Gupta at 2022-02-06T14:30:08+05:30 Add note for debian-edu-config - - - - - 65922378 by Utkarsh Gupta at 2022-02-06T14:31:44+05:30 Take libphp-adodb; already on radar on Ubuntu - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -31,8 +31,9 @@ debian-archive-keyring NOTE: 20211018: Jonathan is prepping the branch; will work NOTE: 20211018: with him and upload and publish the DLA. (utkarsh) -- -debian-edu-config (Utkarsh) +debian-edu-config NOTE: 20220204: upcoming DSA (Beuc) + NOTE: 20220206: Mike told he'll take care of the DLA himself. (utkarsh) -- firmware-nonfree (Markus Koschany) NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree @@ -70,7 +71,7 @@ openjdk-8 (Emilio) pgbouncer NOTE: 20220104: maintainer might want to upload fixed version -- -libphp-adodb +libphp-adodb (Utkarsh) NOTE: 20220205: cf. huntr.dev link at mitre for impact on e.g. phppgadmin (Beuc) -- pjproject (Abhijith PA) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7e16d41e921ffeaf064991dd09d836d3723ab349...659223782720ca2ae3e901291672a1cc16dcd453 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7e16d41e921ffeaf064991dd09d836d3723ab349...659223782720ca2ae3e901291672a1cc16dcd453 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
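Review bot: the debian-edu-config hunk drops the "(Utkarsh)" claimant and adds a note that Mike will handle the DLA himself, which leaves the entry unclaimed in dla-needed.txt; putting Mike's name on the entry line (as the second hunk does for libphp-adodb) prevents another LTS member from picking it up in the meantime.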
[Git][security-tracker-team/security-tracker][master] 2 commits: Add note and attribution for grub2
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 81b22017 by Utkarsh Gupta at 2021-03-04T00:00:42+05:30 Add note and attribution for grub2 - - - - - 1b8629bd by Utkarsh Gupta at 2021-03-04T00:01:10+05:30 Take mupdf - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -57,8 +57,9 @@ golang-gogoprotobuf (Ola Lundqvist) NOTE: 20210218: If you have any idea why this is called the "skippy peanut butter" issue, I would be mildly interested. (lamby) -- grub2 - NOTE: Suggestion from Salvatore: Handle this in same way as for BootHole in stretch, there is no Secure Boot - NOTE: that is "[stretch] - grub2 (No SecureBoot support in stretch)" + NOTE: 20210303: Suggestion from Salvatore: Handle this in same way as for BootHole in stretch, there is no Secure Boot + NOTE: 20210303: that is "[stretch] - grub2 (No SecureBoot support in stretch)" + NOTE: 20210303: asked for further clarification from Salvatore. (utkarsh) -- gsoap -- @@ -78,7 +79,7 @@ linux (Ben Hutchings) -- linux-4.19 (Ben Hutchings) -- -mupdf +mupdf (Utkarsh) -- mqtt-client (Abhijith PA) NOTE: 20210303: fix for CVE-2019-0222 needed for activemq. I will upload along with activemq (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cf1f7a96ad4ffd740069c4132574fbcf2933e939...1b8629bdabadae252ae660329dad4b9c88356699 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cf1f7a96ad4ffd740069c4132574fbcf2933e939...1b8629bdabadae252ae660329dad4b9c88356699 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
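Review bot: in the grub2 hunk the two pre-existing NOTE lines quoting Salvatore's suggestion only gain a "20210303:" prefix, which dates the suggestion to the day the lines were retouched rather than to when it was made; only the third line is actually new. Leaving the original two lines undated, or using the date the suggestion was given if known, keeps the chronology of the entry accurate.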
[Git][security-tracker-team/security-tracker][master] 2 commits: Add note for lemonldap
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 6a754f5c by Utkarsh Gupta at 2020-12-07T14:39:16+05:30 Add note for lemonldap - - - - - 08fabb18 by Utkarsh Gupta at 2020-12-07T14:42:59+05:30 Reserve DLA-2484-1 for python-certbot - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[07 Dec 2020] DLA-2484-1 python-certbot - switch to ACMEv2 API + [stretch] - python-certbot 0.28.0-1~deb9u3 [05 Dec 2020] DLA-2483-1 linux-4.19 - security update {CVE-2019-19039 CVE-2019-19377 CVE-2019-19770 CVE-2019-19816 CVE-2020-0423 CVE-2020-4788 CVE-2020-8694 CVE-2020-14351 CVE-2020-25656 CVE-2020-25668 CVE-2020-25669 CVE-2020-25704 CVE-2020-25705 CVE-2020-27673 CVE-2020-27675 CVE-2020-2 CVE-2020-28941 CVE-2020-28974} [stretch] - linux-4.19 4.19.160-2~deb9u1 = data/dla-needed.txt = @@ -67,6 +67,7 @@ intel-microcode lemonldap-ng (Utkarsh) NOTE: 20200910: Released a DLA for CVE-2020-24660 a few days ago, so could defer. (lamby) NOTE: 20201122: still waiting to hear from upstream. (utkarsh) + NOTE: 20201207: wip, will process the upload soon™. (utkarsh) -- libhibernate3-java NOTE: 20201115: No patch yet; unsure if version in LTS is vulnerable. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0ca06ac161363d4c97de6b62429403d5475d1052...08fabb184bfa49617ebe2d679bd48506b5b24f65 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0ca06ac161363d4c97de6b62429403d5475d1052...08fabb184bfa49617ebe2d679bd48506b5b24f65 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
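Review bot: the unchanged context of the DLA/list hunk shows "CVE-2020-2" between CVE-2020-27675 and CVE-2020-28941 in the DLA-2483-1 line, which is not a complete identifier; worth checking whether the file itself holds a truncated id there or whether this is only a rendering artefact, since the tracker parses that CVE set.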
[Git][security-tracker-team/security-tracker][master] 2 commits: Add note for CVE-2020-24972 (kleopatra) regarding when the vulnerability was introduced.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 39cbd647 by Chris Lamb at 2020-09-22T12:28:10+01:00 Add note for CVE-2020-24972 (kleopatra) regarding when the vulnerability was introduced. - - - - - 4965ea94 by Chris Lamb at 2020-09-22T12:28:12+01:00 Triage CVE-2020-24973 in kleopatra for stretch LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1802,8 +1802,10 @@ CVE-2020-24973 CVE-2020-24972 (The Kleopatra component before 3.1.12 (and before 20.07.80) for GnuPG ...) - kleopatra [buster] - kleopatra (Minor issue) + [stretch] - kleopatra (Vulnerable code added to Debian in version 4:18.07.90-1) NOTE: https://dev.gnupg.org/rKLEOPATRAb4bd63c1739900d94c04da03045e9445a5a5f54b NOTE: https://security.gentoo.org/glsa/202008-21 + NOTE: Added in https://dev.gnupg.org/rKLEOPATRAd1cd40bae47eb349e14750601223b6b5d9f71940 (v18.07.80+) CVE-2020-24971 RESERVED CVE-2020-24970 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a5ecbf1d299ab861d2395fee6e2be59857b22f41...4965ea94b92660c552e3d9349719ca0342c0281b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a5ecbf1d299ab861d2395fee6e2be59857b22f41...4965ea94b92660c552e3d9349719ca0342c0281b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
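Review bot: the second commit's subject says "Triage CVE-2020-24973 in kleopatra for stretch LTS", but the added "[stretch] - kleopatra (...)" line sits under CVE-2020-24972; CVE-2020-24973 appears only as the hunk's context header. Check whether the commit message carries the wrong id or the stretch line was placed under the wrong entry.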
[Git][security-tracker-team/security-tracker][master] 2 commits: add note for CVE-2018-9272 in jessie
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 5d2fc86b by Thorsten Alteholz at 2020-03-26T16:33:16+01:00 add note for CVE-2018-9272 in jessie - - - - - bb199c99 by Thorsten Alteholz at 2020-03-26T16:33:16+01:00 claim wireshark - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -110249,6 +110249,7 @@ CVE-2018-9272 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/dissectors/ - wireshark 2.4.6-1 (low) [jessie] - wireshark (Minor issue) [wheezy] - wireshark (Minor issue) + NOTE: applying patch in jessie/wheezy requires introduction of a new memory management system (wmem) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14487 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=6e3b90824a82724f445a0374e99f0b76e4cf5e8b NOTE: https://www.wireshark.org/security/wnpa-sec-2018-24.html = data/dla-needed.txt = @@ -81,6 +81,8 @@ squid3 (Markus Koschany) -- tika (Anton Gladky) -- +wireshark (Thorsten Alteholz) +-- xcftools NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for upstream review (hle) NOTE: 20200316: still no activity on upstream's bug tracker (beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d150d7b4bd0550a1c4119d9b4cbc2fd8eaff6cc8...bb199c994011d7badc6ba0a53330f81eecfc9f11 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d150d7b4bd0550a1c4119d9b4cbc2fd8eaff6cc8...bb199c994011d7badc6ba0a53330f81eecfc9f11 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
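Review bot: the added CVE-2018-9272 NOTE explains the backport blocker (wmem), but the new dla-needed.txt entry "wireshark (Thorsten Alteholz)" carries no NOTE at all; a dated note repeating that applying the patch in jessie requires introducing wmem makes the blocker visible from the work list too, in the style of the dated xcftools notes in the same hunk.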
[Git][security-tracker-team/security-tracker][master] 2 commits: add note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: d6cb71ec by Thorsten Alteholz at 2020-02-23T22:22:55+01:00 add note - - - - - 22e67324 by Thorsten Alteholz at 2020-02-23T22:26:15+01:00 add cacti - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -13,6 +13,9 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues ansible NOTE: 20200219: no upstream fixes yet -- +cacti + NOTE: 20200223: no patch found yet, but looks worth fixing +-- collabtive (Thorsten Alteholz) -- libapache2-mod-auth-openidc (Thorsten Alteholz) @@ -50,6 +53,7 @@ otrs2 (Sylvain Beucler) NOTE: issue already fixed in drupal7 and jquery -- php5 (Thorsten Alteholz) + NOTE: 20200223: testing package -- phppgadmin NOTE: 20200218: no fix yet; wide usage View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/9b82662804c263ad4f4b6119a3984fa64b2c3bf8...22e67324405c72efb5f2af9c86739264662e2149 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/9b82662804c263ad4f4b6119a3984fa64b2c3bf8...22e67324405c72efb5f2af9c86739264662e2149 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
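Review bot: the new cacti entry in dla-needed.txt says "no patch found yet, but looks worth fixing" without naming the CVE(s) it refers to, so the next person has to rediscover which issue is meant; adding the CVE id(s) to the NOTE fixes that. The php5 note "testing package" could likewise say which CVEs the test package addresses.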
[Git][security-tracker-team/security-tracker][master] 2 commits: Add note for CVE-2019-14889 breaking reverse dependencies
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b7269193 by Salvatore Bonaccorso at 2019-12-21T16:58:59Z Add note for CVE-2019-14889 breaking reverse dependencies - - - - - 4b3f9b52 by Salvatore Bonaccorso at 2019-12-21T17:00:38Z Mark CVE-2019-14889/libssh as no-dsa for buster and stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21315,8 +21315,12 @@ CVE-2019-14890 (A vulnerability was found in Ansible Tower before 3.6.1 where an CVE-2019-14889 (A flaw was found with the libssh API function ssh_scp_new() in version ...) {DLA-2038-1} - libssh 0.9.3-1 (bug #946548) + [buster] - libssh (Minor issue) + [stretch] - libssh (Minor issue) NOTE: https://www.libssh.org/security/advisories/CVE-2019-14889.txt NOTE: https://bugs.libssh.org/T181 + NOTE: The fix in libssh makes an update in x2goclient necessary: + NOTE: https://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d163a943737fe4160f7233925df2eee1f9a CVE-2019-14888 RESERVED CVE-2019-14887 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/92b972822ed7e76da5e02a95391dd24ec1a3155d...4b3f9b52e8eb08aaebadf6d714a4945b72921a03 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/92b972822ed7e76da5e02a95391dd24ec1a3155d...4b3f9b52e8eb08aaebadf6d714a4945b72921a03 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
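Review bot: the CVE-2019-14889 hunk adds "[stretch] - libssh (Minor issue)" to an entry that already carries "{DLA-2038-1}"; if that DLA is the stretch fix, the new stretch no-dsa line is redundant or contradicts it, so check which of the two is intended. The added NOTE that the libssh fix makes an x2goclient update necessary would be more actionable with a reference to an x2goclient bug or tracker entry, so the reverse-dependency breakage is tracked on its own rather than only inside the libssh entry.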
[Git][security-tracker-team/security-tracker][master] 2 commits: Add note for CVE-2019-5428/jquery
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a5d5d0e4 by Salvatore Bonaccorso at 2019-04-23T09:13:55Z Add note for CVE-2019-5428/jquery Already in contact with MITRE CNA to resolve the issue. This seems to be a duplicate of CVE-2019-11358 but maybe there is a strict CNA rules reasoning for the two CVEs. As such we might then just track the fixed versions for src:jquery accordingly. - - - - - e25e1b30 by Salvatore Bonaccorso at 2019-04-23T09:13:55Z Wrap note - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5178,7 +5178,8 @@ CVE-2019-9619 [not enabled pam_systemd for non-interactive sessions] [jessie] - systemd (Too intrusive change for a stable release) NOTE: https://bugs.launchpad.net/bugs/1812316 NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1756 - NOTE: for a stable release, activating pam_systemd for non-interactive sessions will likely have all sorts of unexpected/unwanted side-effects, so CAVE + NOTE: For a stable release, activating pam_systemd for non-interactive sessions will + NOTE: likely have all sorts of unexpected/unwanted side-effects. CVE-2019-9618 RESERVED CVE-2019-9617 (An issue was discovered in OFCMS before 1.1.3. Remote attackers can ex ...) 
@@ -15459,7 +15460,8 @@ CVE-2019-5430 CVE-2019-5429 RESERVED CVE-2019-5428 (A prototype pollution vulnerability exists in jQuery versions 3.4 ...) - TODO: check + NOTE: Duplicate of CVE-2019-11358 + TODO: check (MITRE already contacted) CVE-2019-5427 (c3p0 version 0.9.5.4 may be exploited by a billion laughs attack ...) TODO: check CVE-2019-5426 (In Ubiquiti Networks EdgeSwitch X v1.1.0 and prior, an unauthenticated ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/ea484be4170b36da89bec294a5d2c1b299560535...e25e1b30ca7ce81c09878a9d21223bdc3707053a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/ea484be4170b36da89bec294a5d2c1b299560535...e25e1b30ca7ce81c09878a9d21223bdc3707053a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
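Review bot: the "Wrap note" commit in the CVE-2019-9619 hunk does more than rewrap: it capitalises "For", drops the trailing "so CAVE" and adds a full stop. That is a fine cleanup, but a subject such as "Wrap and reword note" would describe it accurately. In the CVE-2019-5428 hunk, keeping the TODO beside the new duplicate note is the right call while the question is still open with MITRE.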
[Git][security-tracker-team/security-tracker][master] 2 commits: add NOTE to openssl
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: cea64b64 by Thorsten Alteholz at 2018-11-20T13:02:00Z add NOTE to openssl - - - - - b296fa43 by Thorsten Alteholz at 2018-11-20T13:02:32Z claim poppler - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -61,10 +61,11 @@ openjpeg2 (Hugo Lefeuvre) NOTE: The rest will wait for upstream patches/no-dsa -- openssl (Thorsten Alteholz) + NOTE: 20181119: test package available at https://people.debian.org/~alteholz/packages/jessie-lts/openssl/ -- otrs2 -- -poppler +poppler (Thorsten Alteholz) -- qemu (Santiago) NOTE: 20181026: no fix yet for recent dsa issues, but start working on View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/d662fb1db12cb5d2e5e3156d339bb67f8dec1d1b...b296fa437a0e7c0d800998ae38e59a90790932ec -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/d662fb1db12cb5d2e5e3156d339bb67f8dec1d1b...b296fa437a0e7c0d800998ae38e59a90790932ec You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Add note for mupdf that maintainer is preparing an update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ca72bbaf by Salvatore Bonaccorso at 2018-10-28T20:14:12Z Add note for mupdf that maintainer is preparing an update - - - - - f7c5a72a by Salvatore Bonaccorso at 2018-10-28T20:14:12Z Remove no-dsa tagged entries which will get an update - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -33039,7 +33039,6 @@ CVE-2018-6193 (A Cross-Site Scripting (XSS) vulnerability was found in Routers2 NOT-FOR-US: Routers2 CVE-2018-6192 (In Artifex MuPDF 1.12.0, the pdf_read_new_xref function in ...) - mupdf 1.13.0+ds1-1 (bug #888487) - [stretch] - mupdf (Minor issue) [jessie] - mupdf (Minor issue) [wheezy] - mupdf (Minor issue) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698916 @@ -33085,7 +33084,6 @@ CVE-2018-6188 (django.contrib.auth.forms.AuthenticationForm in Django 2.0 before NOTE: https://www.djangoproject.com/weblog/2018/feb/01/security-releases/ CVE-2018-6187 (In Artifex MuPDF 1.12.0, there is a heap-based buffer overflow ...) - mupdf 1.13.0+ds1-1 (bug #888464) - [stretch] - mupdf (Minor issue) [jessie] - mupdf (Minor issue) [wheezy] - mupdf (Most likely not affected, minor issue) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698908 @@ -35041,7 +35039,6 @@ CVE-2018-5687 (NewsBee allows XSS via the Company Name field in the Settings und NOT-FOR-US: NewsBee CMS CVE-2018-5686 (In MuPDF 1.12.0, there is an infinite loop vulnerability and ...) - mupdf 1.13.0+ds1-1 (bug #887130) - [stretch] - mupdf (Minor issue) [jessie] - mupdf (Minor issue) [wheezy] - mupdf (Minor issue) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698860 
@@ -40807,7 +40804,6 @@ CVE-2017-17867 (Inteno iopsys 2.0-3.14 and 4.0 devices allow remote authenticate NOT-FOR-US: Inteno iopsys CVE-2017-17866 (pdf/pdf-write.c in Artifex MuPDF before 1.12.0 mishandles certain ...) - mupdf 1.12.0+ds1-1 (bug #885120) - [stretch] - mupdf (Minor issue) [jessie] - mupdf (Minor issue) [wheezy] - mupdf (Minor issue) NOTE: Fixed by: http://git.ghostscript.com/?p=mupdf.git;h=520cc26d18c9ee245b56e9e91f9d4fcae02be5f0 = data/dsa-needed.txt = @@ -53,6 +53,7 @@ mercurial -- mupdf leaf package, might be a candidate for simply moving to 1.13 in stretch + Maintainer (koster) is preparing an update -- openjpeg2 (luciano) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/ecba9cd10797d80f238a279cf06cf8a0bc3f...f7c5a72a21779f56eec00230daf4d4a8d3379ab2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/ecba9cd10797d80f238a279cf06cf8a0bc3f...f7c5a72a21779f56eec00230daf4d4a8d3379ab2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
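Review bot: the four CVE/list hunks drop the "[stretch] - mupdf (Minor issue)" lines for CVE-2018-6192, CVE-2018-6187, CVE-2018-5686 and CVE-2017-17866, so these now show as open in stretch until the maintainer's update lands; the dsa-needed.txt note "Maintainer (koster) is preparing an update" would be easier to follow up if it listed those four CVE ids and carried a date, as the dla-needed.txt notes elsewhere on this page do.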