[Git][security-tracker-team/security-tracker][master] Reserve DLA-3676-1 for libde265

2023-11-30 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
808dc32e by Anton Gladky at 2023-11-30T17:39:19+01:00
Reserve DLA-3676-1 for libde265

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -41871,14 +41871,12 @@ CVE-2023-27103 (Libde265 v1.0.11 was discovered to 
contain a heap buffer overflo
- libde265 1.0.12-1 (bug #1033257)
[bookworm] - libde265  (Minor issue)
[bullseye] - libde265  (Minor issue)
-   [buster] - libde265  (Minor issue)
NOTE: https://github.com/strukturag/libde265/issues/394
NOTE: 
https://github.com/strukturag/libde265/commit/d6bf73e765b7a23627bfd7a8645c143fd9097995
 (v1.0.12)
 CVE-2023-27102 (Libde265 v1.0.11 was discovered to contain a segmentation 
violation vi ...)
- libde265 1.0.12-1 (bug #1033257)
[bookworm] - libde265  (Minor issue)
[bullseye] - libde265  (Minor issue)
-   [buster] - libde265  (Minor issue)
NOTE: https://github.com/strukturag/libde265/issues/393
NOTE: 
https://github.com/strukturag/libde265/commit/0b1752abff97cb542941d317a0d18aa50cb199b1
 (v1.0.12)
 CVE-2023-27101
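Review bot: Only CVE-2023-27103 and CVE-2023-27102 lose their "[buster]" line marked "(Minor issue)" in this hunk, while the DLA-3676-1 entry reserved in the same commit also lists CVE-2023-43887 and CVE-2023-47471. Those two entries fall outside the hunk, so confirm that neither still carries a buster annotation that would contradict the DLA.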


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[30 Nov 2023] DLA-3676-1 libde265 - security update
+   {CVE-2023-27102 CVE-2023-27103 CVE-2023-43887 CVE-2023-47471}
+   [buster] - libde265 1.0.11-0+deb10u5
 [30 Nov 2023] DLA-3675-1 zbar - security update
{CVE-2023-40889 CVE-2023-40890}
[buster] - zbar 0.22-1+deb10u1


=
data/dla-needed.txt
=
@@ -89,10 +89,6 @@ keystone
 knot-resolver
   NOTE: 20231029: Added by Front-Desk (gladk)
 --
-libde265 (gladk)
-  NOTE: 20231119: Added by Front-Desk (apo)
-  NOTE: 20231119: Fix along with postponed issues.
---
 libreswan
   NOTE: 20230817: Added by Front-Desk (ta)
   NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/808dc32e5e7fbd049a8faf0570941fe689e19210

-- 
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-21428 as not-affected for stretch

2023-11-27 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6619bfa5 by Anton Gladky at 2023-11-28T06:52:43+01:00
Mark CVE-2020-21428 as not-affected for stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -236803,6 +236803,7 @@ CVE-2020-21429
 CVE-2020-21428 (Buffer Overflow vulnerability in function LoadRGB in 
PluginDDS.cpp in  ...)
{DLA-3662-1}
- freeimage 3.18.0+ds2-10 (bug #1051738)
+   [stretch] - freeimage  (vulnerable code is not present)
NOTE: https://sourceforge.net/p/freeimage/bugs/299/
NOTE: Fixed with r1877 from 
http://svn.code.sf.net/p/freeimage/svn/FreeImage/
 CVE-2020-21427 (Buffer Overflow vulnerability in function LoadPixelDataRLE8 in 
PluginB ...)
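Review bot: The new "[stretch]" line gives "vulnerable code is not present" as its reason without saying what was checked. The entry names function LoadRGB in PluginDDS.cpp and a fix in r1877, so a short NOTE stating whether that function or file is absent from the stretch source would let the next triager verify the claim without redoing the comparison.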



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6619bfa58413f9d3459f33f21a696aa0da67fb3b



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3662-1 for freeimage

2023-11-23 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
22ea11b5 by Anton Gladky at 2023-11-24T06:51:27+01:00
Reserve DLA-3662-1 for freeimage

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[24 Nov 2023] DLA-3662-1 freeimage - security update
+   {CVE-2020-21427 CVE-2020-21428 CVE-2020-22524}
+   [buster] - freeimage 3.18.0+ds2-1+deb10u2
 [23 Nov 2023] DLA-3661-1 firefox-esr - security update
{CVE-2023-6204 CVE-2023-6205 CVE-2023-6206 CVE-2023-6207 CVE-2023-6208 
CVE-2023-6209 CVE-2023-6212}
[buster] - firefox-esr 115.5.0esr-1~deb10u1


=
data/dla-needed.txt
=
@@ -65,13 +65,6 @@ flatpak
   NOTE: 20231006: Added by Front-Desk (Beuc)
   NOTE: 20231006: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk)
 --
-freeimage (gladk)
-  NOTE: 20230826: Added by Front-Desk (utkarsh)
-  NOTE: 20230826: Anton Gladky is the maintainer. Please sync with him about 
the
-  NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should 
roll
-  NOTE: 20230826: out the DLA/ELA now. (utkarsh)
-  NOTE: 20231120: many CVEs, check with ASAN is needed. (gladk)
---
 frr
   NOTE: 20231119: Added by Front-Desk (apo)
 --
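Review bot: Removing the freeimage block also drops its "too many CVEs piled up" and "check with ASAN is needed" notes, while DLA-3662-1 in this commit covers three CVEs (CVE-2020-21427, CVE-2020-21428, CVE-2020-22524). Before the entry goes, make sure every remaining open freeimage CVE has an explicit buster status in data/CVE/list, so the backlog those notes describe stays visible.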



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/22ea11b5c0e68482bfcb0169a846d12f3eff2ee2



[Git][security-tracker-team/security-tracker][master] Update notes for outstanding freeimage issues

2023-11-23 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8e1308ad by Anton Gladky at 2023-11-24T06:15:04+01:00
Update notes for outstanding freeimage issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -157555,26 +157555,31 @@ CVE-2021-40266 (FreeImage before 1.18.0, 
ReadPalette function in PluginTIFF.cpp
- freeimage  (bug #1055305)
[bookworm] - freeimage  (Minor issue)
[bullseye] - freeimage  (Minor issue)
+   [buster] - freeimage  (Minor issue)
NOTE: https://sourceforge.net/p/freeimage/bugs/334/
 CVE-2021-40265 (A heap overflow bug exists FreeImage before 1.18.0 via ofLoad 
function ...)
- freeimage  (bug #1055304)
[bookworm] - freeimage  (Minor issue)
[bullseye] - freeimage  (Minor issue)
+   [buster] - freeimage  (Minor issue)
NOTE: https://sourceforge.net/p/freeimage/bugs/337/
 CVE-2021-40264 (NULL pointer dereference vulnerability in FreeImage before 
1.18.0 via  ...)
- freeimage  (bug #1055303)
[bookworm] - freeimage  (Minor issue)
[bullseye] - freeimage  (Minor issue)
+   [buster] - freeimage  (Minor issue)
NOTE: https://sourceforge.net/p/freeimage/bugs/335/
 CVE-2021-40263 (A heap overflow vulnerability in FreeImage 1.18.0 via the 
ofLoad funct ...)
- freeimage  (bug #1055302)
[bookworm] - freeimage  (Minor issue)
[bullseye] - freeimage  (Minor issue)
+   [buster] - freeimage  (Minor issue)
NOTE: https://sourceforge.net/p/freeimage/bugs/336/
 CVE-2021-40262 (A stack exhaustion issue was discovered in FreeImage before 
1.18.0 via ...)
- freeimage  (bug #1055301)
[bookworm] - freeimage  (Minor issue)
[bullseye] - freeimage  (Minor issue)
+   [buster] - freeimage  (Minor issue)
NOTE: https://sourceforge.net/p/freeimage/bugs/338/
 CVE-2021-40261 (Multiple Cross Site Scripting (XSS) vulnerabilities exist in 
SourceCod ...)
NOT-FOR-US: SourceCodester
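Review bot: Two of the five entries that gain a "[buster]" line marked "(Minor issue)" are described as heap overflows (CVE-2021-40265 and CVE-2021-40263), and none of the added lines says why buster is treated as minor. The annotation matches the existing bookworm and bullseye lines, so it is consistent, but the commit subject speaks of updating notes while this hunk changes triage status. A subject that names the status change would make the history easier to search.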
@@ -236524,6 +236529,7 @@ CVE-2020-21427 (Buffer Overflow vulnerability in 
function LoadPixelDataRLE8 in P
 CVE-2020-21426 (Buffer Overflow vulnerability in function C_IStream::read in 
PluginEXR ...)
- freeimage  (bug #1051736)
NOTE: https://sourceforge.net/p/freeimage/bugs/300/
+   NOTE: it looks like the issue is in openexr. No relevant patches in 
freeimage are detected
 CVE-2020-21425
RESERVED
 CVE-2020-21424
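Review bot: The added NOTE on CVE-2020-21426 says the issue appears to be in openexr, but the entry still lists only the freeimage package line (bug #1051736). If that analysis holds, the entry should gain an openexr package line or a NOTE with the supporting reference. As written, "it looks like" leaves the next reader unable to tell whether openexr was actually checked.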



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e1308ad75a56bf0dd66cb4d1ec18df92aff30ab



[Git][security-tracker-team/security-tracker][master] LTS: note in dla_neded

2023-11-19 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
16e6f3b6 by Anton Gladky at 2023-11-20T07:02:25+01:00
LTS: note in dla_neded

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -73,6 +73,7 @@ freeimage (gladk)
   NOTE: 20230826: Anton Gladky is the maintainer. Please sync with him about 
the
   NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should 
roll
   NOTE: 20230826: out the DLA/ELA now. (utkarsh)
+  NOTE: 20231120: many CVEs, check with ASAN is needed. (gladk)
 --
 frr
   NOTE: 20231119: Added by Front-Desk (apo)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16e6f3b6512b453ff0939ec5f3289d8b7bca143b



[Git][security-tracker-team/security-tracker][master] Take netatalk and libde265

2023-11-19 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0473ca78 by Anton Gladky at 2023-11-20T06:31:00+01:00
Take netatalk and libde265

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -106,7 +106,7 @@ keystone
 knot-resolver
   NOTE: 20231029: Added by Front-Desk (gladk)
 --
-libde265
+libde265 (gladk)
   NOTE: 20231119: Added by Front-Desk (apo)
   NOTE: 20231119: Fix along with postponed issues.
 --
@@ -138,7 +138,7 @@ mediawiki (guilhem)
 minizip (Thorsten Alteholz)
   NOTE: 20231117: Added by Front-Desk (apo)
 --
-netatalk
+netatalk (gladk)
   NOTE: 20231119: Added by Front-Desk (apo)
 --
 node-json5 (rouca)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0473ca7857001389e12bf070d7a9189be3c5b6f6



[Git][security-tracker-team/security-tracker][master] LTS: add Thorsten as FD 18-12 to 24-12

2023-11-12 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
da44dab4 by Anton Gladky at 2023-11-12T20:50:04+01:00
LTS: add Thorsten as FD 18-12 to 24-12

- - - - -


1 changed file:

- org/lts-frontdesk.2023.txt


Changes:

=
org/lts-frontdesk.2023.txt
=
@@ -48,5 +48,5 @@ From 20-11 to 26-11:Ola Lundqvist 
 From 27-11 to 03-12:Sylvain Beucler 
 From 04-12 to 10-12:Thorsten Alteholz 
 From 11-12 to 17-12:Utkarsh Gupta 
-From 18-12 to 24-12:Anton Gladky 
+From 18-12 to 24-12:Thorsten Alteholz 
 From 25-12 to 31-12:Chris Lamb 



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da44dab4615cce4ded1eb0909ed4e75eebc15d03



[Git][security-tracker-team/security-tracker][master] LTS: take freeimage

2023-11-01 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ce2e749f by Anton Gladky at 2023-11-02T06:13:42+01:00
LTS: take freeimage

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -62,7 +62,7 @@ flatpak
   NOTE: 20231006: Added by Front-Desk (Beuc)
   NOTE: 20231006: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk)
 --
-freeimage
+freeimage (gladk)
   NOTE: 20230826: Added by Front-Desk (utkarsh)
   NOTE: 20230826: Anton Gladky is the maintainer. Please sync with him about 
the
   NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should 
roll



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce2e749f378fb03929164cf665a4e30f232c2d9c



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3638-1 for h2o

2023-10-29 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
afc552e0 by Anton Gladky at 2023-10-29T21:57:19+01:00
Reserve DLA-3638-1 for h2o

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[29 Oct 2023] DLA-3638-1 h2o - security update
+   {CVE-2023-44487}
+   [buster] - h2o 2.2.5+dfsg2-2+deb10u2
 [29 Oct 2023] DLA-3637-1 thunderbird - security update
{CVE-2023-5721 CVE-2023-5724 CVE-2023-5725 CVE-2023-5728 CVE-2023-5730 
CVE-2023-5732}
[buster] - thunderbird 1:115.4.1-1~deb10u1


=
data/dla-needed.txt
=
@@ -78,9 +78,6 @@ galera-3 (Adrian Bunk)
   NOTE: 20231028: Added by Front-Desk (gladk)
   NOTE: 20231028: Acc. to CVE notes the open issue is fixed in 26.4.12. 
Please, try to find a corresponding commit and try to backport it. Otherwise - 
no-dsa. (gladk)
 --
-h2o (gladk)
-  NOTE: 20231013: Added by Front-Desk (ta)
---
 i2p
   NOTE: 20230809: Added by Front-Desk (Beuc)
   NOTE: 20230809: Experimental issue-based workflow: please self-assign and 
follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/afc552e00ddc08e5828739a01f7712cfcd48663e



[Git][security-tracker-team/security-tracker][master] LTS add memcached

2023-10-29 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ba968ee5 by Anton Gladky at 2023-10-29T20:55:01+01:00
LTS add memcached

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -121,6 +121,9 @@ linux-5.10
 mediawiki (guilhem)
   NOTE: 20231011: Added by Front-Desk (ta)
 --
+memcached
+  NOTE: 20231029: Added by Front-Desk (gladk)
+--
 mosquitto
   NOTE: 20230924: Added by Front-Desk (apo)
   NOTE: 20231009: Waiting for upstream clarification how to proceed with open 
CVE. (apo)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba968ee5aed1ee863489a7a7a58afb3116878b11



[Git][security-tracker-team/security-tracker][master] 3 commits: Mark CVE-2023-42445 as no-dsa for buster

2023-10-29 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a6540828 by Anton Gladky at 2023-10-29T20:49:01+01:00
Mark CVE-2023-42445 as no-dsa for buster

- - - - -
2ae22b88 by Anton Gladky at 2023-10-29T20:49:45+01:00
LTS add knot-resolver

- - - - -
8be5dbb5 by Anton Gladky at 2023-10-29T20:53:46+01:00
LTS add libstb

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -4080,6 +4080,7 @@ CVE-2023-42445 (Gradle is a build tool with a focus on 
build automation and supp
- gradle 
[bookworm] - gradle  (Minor issue)
[bullseye] - gradle  (Minor issue)
+   [buster] - gradle  (Minor issue)
NOTE: 
https://github.com/gradle/gradle/security/advisories/GHSA-mrff-q8qj-xvg8
 CVE-2023-41950 (Cross-Site Request Forgery (CSRF) vulnerability in Laposta - 
Roel Bous ...)
NOT-FOR-US: WordPress plugin


=
data/dla-needed.txt
=
@@ -93,6 +93,9 @@ imagemagick
 jetty9 (Markus Koschany)
   NOTE: 20231011: Added by Front-Desk (ta)
 --
+knot-resolver
+  NOTE: 20231029: Added by Front-Desk (gladk)
+--
 libreswan
   NOTE: 20230817: Added by Front-Desk (ta)
   NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to
@@ -104,6 +107,11 @@ libreswan
 libspf2 (Thorsten Alteholz)
   NOTE: 20231016: Added by Front-Desk (ta)
 --
+libstb
+  NOTE: 20231029: Added by Front-Desk (gladk)
+  NOTE: 20231029: A lot of open CVEs. Maybe duplicates.
+  NOTE: 20231029: If you take a package, please evaluate it as well as its 
importance.
+--
 linux (Ben Hutchings)
   NOTE: 20230111: perma-added for LTS package-specific delegation (bwh)
 --
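Review bot: The libstb entry says "A lot of open CVEs. Maybe duplicates." but names none of them. Listing the suspected duplicate CVE ids in a further NOTE would spare whoever takes the package from repeating the front-desk evaluation that the last NOTE asks for.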



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f92b09c1de83c27ee21cdebc8c88710e2c0fdff8...8be5dbb500f0a3c0220487b9ed7b96b7cba78fc5



[Git][security-tracker-team/security-tracker][master] LTS: add galera-3

2023-10-28 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e801f1a0 by Anton Gladky at 2023-10-28T21:06:08+02:00
LTS: add galera-3

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -74,6 +74,10 @@ freerdp2 (tobi)
   NOTE: 20231007: First round done, unfortunatly missed a few CVES while 
updating, will do an follow up.
   NOTE: 20231023: Will continue working on package next weekend. (tobi)
 --
+galera-3
+  NOTE: 20231028: Added by Front-Desk (gladk)
+  NOTE: 20231028: Acc. to CVE notes the open issue is fixed in 26.4.12. 
Please, try to find a corresponding commit and try to backport it. Otherwise - 
no-dsa. (gladk)
+--
 h2o (gladk)
   NOTE: 20231013: Added by Front-Desk (ta)
 --
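Review bot: The second galera-3 NOTE refers to "the open issue" without naming its CVE id, and packs the analysis, the request and the fallback into one long line. Name the CVE and split the text over several dated NOTE lines, as neighbouring entries do, so the "Otherwise - no-dsa" fallback can be traced to a specific tracker entry.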



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e801f1a04ddb617cd411eaf499ba786e5261373f



[Git][security-tracker-team/security-tracker][master] LTS: add python-urllib3 and assign to spwhitton

2023-10-28 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3cb7d3aa by Anton Gladky at 2023-10-28T20:57:51+02:00
LTS: add python-urllib3 and assign to spwhitton

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -169,6 +169,9 @@ python-os-brick
   NOTE: 20230525: Added by Front-Desk (lamby)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder.
 --
+python-urllib3 (spwhitton)
+  NOTE: 20231028: Added by Front-Desk (gladk)
+--
 rails
   NOTE: 20220909: Re-added due to regression (abhijith)
   NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cb7d3aa1a20579cf4b92eb1590ecad18d328cae



[Git][security-tracker-team/security-tracker][master] 5 commits: Mark CVE-2023-{5586,5595} as EOL for LTS (gpac)

2023-10-24 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e794e0ed by Anton Gladky at 2023-10-24T21:20:34+02:00
Mark CVE-2023-{5586,5595} as EOL for LTS (gpac)

- - - - -
b60ef744 by Anton Gladky at 2023-10-24T21:38:01+02:00
Mark CVE-2023-41914 as EOL for buster (slurm-llnl)

- - - - -
c594f8a6 by Anton Gladky at 2023-10-24T21:40:21+02:00
Add firefox-esr

- - - - -
944e210f by Anton Gladky at 2023-10-24T21:43:09+02:00
LTS: Add pmix

- - - - -
b6e80ee3 by Anton Gladky at 2023-10-24T21:49:32+02:00
LTS: add request-tracker4

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -1207,6 +1207,7 @@ CVE-2011-10004 (A vulnerability was found in reciply 
Plugin up to 1.1.7 on WordP
NOT-FOR-US: WordPress plugin
 CVE-2023-5595 (Denial of Service in GitHub repository gpac/gpac prior to 
2.3.0-DEV.)
- gpac 
+   [buster] - gpac  (EOL in buster LTS)
NOTE: https://huntr.dev/bounties/0064cf76-ece1-495d-82b4-e4a1bebeb28e
NOTE: 
https://github.com/gpac/gpac/commit/7a6f636db3360bb16d18078d51e8c596f31302a1
 CVE-2023-5575 (Improper access control in the permission inheritance in 
Devolutions S ...)
@@ -1508,6 +1509,7 @@ CVE-2018-25091 (urllib3 before 1.24.2 does not remove the 
authorization HTTP hea
NOTE: Fixed by 
https://github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbc
 (1.25)
 CVE-2023-5586 (NULL Pointer Dereference in GitHub repository gpac/gpac prior 
to 2.3.0 ...)
- gpac 
+   [buster] - gpac  (EOL in buster LTS)
NOTE: https://huntr.dev/bounties/d2a6ea71-3555-47a6-9b18-35455d103740
NOTE: 
https://github.com/gpac/gpac/commit/ca1b48f0abe71bf81a58995d7d75dc27f5a17ddc
 CVE-2023-5585 (A vulnerability was found in SourceCodester Online Motorcycle 
Rental S ...)
@@ -1548,6 +1550,7 @@ CVE-2023-41914
- slurm-wlm 23.02.6-1
[bullseye] - slurm-wlm  (Very intrusive patch and upstream 
does not release patches for unsupported versions)
- slurm-llnl 
+   [buster] - slurm-llnl  (EOL in buster LTS)
NOTE: https://groups.google.com/g/slurm-users/c/N9WHFVefSHA
NOTE: slurm-wlm-contrib also changed, but actual security issue is in 
slurm-wlm
 CVE-2023-4263 (Potential buffer overflow vulnerability in the Zephyr IEEE 
802.15.4 nR ...)


=
data/dla-needed.txt
=
@@ -58,6 +58,9 @@ dogecoin
   NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix;
   NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the 
initiatives. (Beuc/front-desk)
 --
+firefox-esr
+  NOTE: 20231024: Added by Front-Desk (gladk)
+--
 flatpak
   NOTE: 20231006: Added by Front-Desk (Beuc)
   NOTE: 20231006: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk)
@@ -159,6 +162,9 @@ osslsigncode
 phppgadmin (Chris Lamb)
   NOTE: 20230925: Added by Front-Desk (apo)
 --
+pmix
+  NOTE: 20231024: Added by Front-Desk (gladk)
+--
 python-django (Chris Lamb)
   NOTE: 20231006: Added by Front-Desk (Beuc)
   NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists 
(Beuc/front-desk)
@@ -189,6 +195,11 @@ rails
   NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the 
possible path forward. (utkarsh)
   NOTE: 20230828: want to rollout ruby-rack first. (utkarsh)
 --
+request-tracker4
+  NOTE: 20231024: Added by Front-Desk (gladk)
+  NOTE: 20231024: Please check the commit: 
https://github.com/bestpractical/rt/commit/a7a83dfdf591cd4d9f547048e89a5a310eeef32d
+  NOTE: 20231024: Please check the commit: 
https://github.com/bestpractical/rt/commit/afb7dcded721e27028e47b62e7e5ed8ffc492beb
+--
 ring
   NOTE: 20230903: Added by Front-Desk (gladk)
   NOTE: 20230928: will be likely hard to fix see 
https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca)
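Review bot: Both request-tracker4 NOTE lines say only "Please check the commit" and link an upstream commit, without stating which CVE each commit belongs to or whether it is a proposed fix. Add the CVE id to each line so whoever claims the package knows what the two commits are meant to address.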



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cf08268df07488cd908bcfeeda4b0dff8ad6c346...b6e80ee32afc2cdb18397cc1b3984781cecb9387



[Git][security-tracker-team/security-tracker][master] LTS: add roundcube and assign to maintainer

2023-10-24 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
48b0cbf9 by Anton Gladky at 2023-10-24T18:35:36+02:00
LTS: add roundcube and assign to maintainer

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -193,6 +193,9 @@ ring
   NOTE: 20230903: Added by Front-Desk (gladk)
   NOTE: 20230928: will be likely hard to fix see 
https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca)
 --
+roundcube (guilhem)
+  NOTE: 20231024: Added by Front-Desk (gladk)
+--
 salt
   NOTE: 20220814: Added by Front-Desk (gladk)
   NOTE: 20220814: I am not sure, whether it is possible to fix issues



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/48b0cbf9c2541e3f71ca3a5bbc4ba31157fa50ad



[Git][security-tracker-team/security-tracker][master] LTS: take h2o

2023-10-21 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a3bd8eea by Anton Gladky at 2023-10-21T09:47:45+02:00
LTS: take h2o

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -84,7 +84,7 @@ gst-plugins-bad1.0 (Thorsten Alteholz)
   NOTE: 20230928: Added by Frond-Desk (ola)
   NOTE: 20231013: testing package
 --
-h2o (Abhijith PA)
+h2o (gladk)
   NOTE: 20231013: Added by Front-Desk (ta)
 --
 i2p



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a3bd8eea71ddba0835e3da46384c0475eb6bc230



[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-30847 as not-affected in Debian

2023-10-19 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2e7dd3e1 by Anton Gladky at 2023-10-20T06:51:42+02:00
Mark CVE-2023-30847 as not-affected in Debian

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -23110,15 +23110,13 @@ CVE-2023-30849 (Pimcore is an open source data and 
experience management platfor
 CVE-2023-30848 (Pimcore is an open source data and experience management 
platform. Pri ...)
NOT-FOR-US: Pimcore
 CVE-2023-30847 (H2O is an HTTP server. In versions 2.3.0-beta2 and prior, when 
the rev ...)
-   - h2o 
-   [bookworm] - h2o  (Minor issue)
-   [bullseye] - h2o  (Minor issue)
-   [buster] - h2o  (Minor issue)
+   - h2o  (versions up to 2.2.6 not affected)
NOTE: Fixed by: 
https://github.com/h2o/h2o/commit/a70af675328dda438ecd9d8a1673c1715fd93cc7
NOTE: Fixed by: 
https://github.com/h2o/h2o/commit/5f57d505514e937d13787b1f408837cb9197e2b2
NOTE: https://github.com/h2o/h2o/pull/3229
NOTE: https://github.com/h2o/h2o/security/advisories/GHSA-p5hj-phwj-hrvx
NOTE: 
https://github.com/h2o/h2o/commit/f2d9056ba5004000755a5a7adccd27d0d79d83da has 
done a major refactoring, but issue possibly present before
+   NOTE: versions up to 2.2.6 not affected (May 15 2023). Never been in 
Debian. https://github.com/h2o/h2o/security/advisories/GHSA-p5hj-phwj-hrvx
 CVE-2023-30846 (typed-rest-client is a library for Node Rest and Http Clients 
with typ ...)
NOT-FOR-US: typed-rest-client
 CVE-2023-30845 (ESPv2 is a service proxy that provides API management 
capabilities usi ...)
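Review bot: The new package line and NOTE state that versions up to 2.2.6 are not affected, but the unchanged NOTE just above still says of the major refactoring commit "issue possibly present before", and the description reads "In versions 2.3.0-beta2 and prior". Reconcile these by dropping or amending the older NOTE, and reword "Never been in Debian" so it is clear what has never been in Debian. The advisory URL is already cited two NOTE lines earlier, so it need not be repeated.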



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e7dd3e160822a7a4e9a7c4c4915c62579c33154



[Git][security-tracker-team/security-tracker][master] LTS: take freeimage

2023-10-14 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7eaec764 by Anton Gladky at 2023-10-14T21:13:52+02:00
LTS: take freeimage

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -79,7 +79,7 @@ flatpak
   NOTE: 20231006: Added by Front-Desk (Beuc)
   NOTE: 20231006: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk)
 --
-freeimage
+freeimage (gladk)
   NOTE: 20230826: Added by Front-Desk (utkarsh)
   NOTE: 20230826: Anton Gladky is the maintainer. Please sync with him about 
the
   NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should 
roll
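
Review bot: On the changed "freeimage (gladk)" line, the claim arrives with no dated NOTE, so the newest note on the entry is still from 20230826 and still asks the claimant to sync with the maintainer, who is now the person taking the package. The same claim was already pushed in commit 59a480aa on 2023-09-14, and the removed line here shows the entry unclaimed again, so a short dated NOTE saying why it was released and re-taken, and what the current state is, would make the entry readable for the next front-desk pass.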



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7eaec764449d7cded838abbe46955ae73dff8dc1



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3567-1 for c-ares

2023-09-14 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f7d87040 by Anton Gladky at 2023-09-15T07:36:26+02:00
Reserve DLA-3567-1 for c-ares

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[15 Sep 2023] DLA-3567-1 c-ares - security update
+   {CVE-2020-22217}
+   [buster] - c-ares 1.14.0-1+deb10u4
 [13 Sep 2023] DLA-3566-1 ruby-rails-html-sanitizer - security update
{CVE-2022-23517 CVE-2022-23518 CVE-2022-23519 CVE-2022-23520}
[buster] - ruby-rails-html-sanitizer 1.0.4-1+deb10u2


=
data/dla-needed.txt
=
@@ -25,10 +25,6 @@ amanda (Thorsten Alteholz)
   NOTE: 20230730: Added by Front-Desk (apo)
   NOTE: 20230910: still testing package (ta)
 --
-c-ares (gladk)
-  NOTE: 20230826: Added by Front-Desk (utkarsh)
-  NOTE: 20230826: it's a heap buffer overflow. Have mixed feelings about this 
one. Will look thoroughly. (utkarsh)
---
 cacti
   NOTE: 20230906: Added by Front-Desk (lamby)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7d87040c1a130e91637598eb091cf494791e913



[Git][security-tracker-team/security-tracker][master] LTS: take freeimage

2023-09-13 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
59a480aa by Anton Gladky at 2023-09-14T04:55:59+02:00
LTS: take freeimage

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -73,7 +73,7 @@ flac
   NOTE: 20230827: Added by Front-Desk (utkarsh)
   NOTE: 20230827: incoming DSA
 --
-freeimage
+freeimage (gladk)
   NOTE: 20230826: Added by Front-Desk (utkarsh)
   NOTE: 20230826: Anton Gladky is the maintainer. Please sync with him about 
the
   NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should 
roll



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/59a480aa246d00c144e9f84f1d70d79f569d0a85



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3562-1 for orthanc

2023-09-11 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b315e37b by Anton Gladky at 2023-09-12T06:41:50+02:00
Reserve DLA-3562-1 for orthanc

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -9853,7 +9853,6 @@ CVE-2023-34486 (itsourcecode Online Hotel Management 
System Project In PHP v1.0.
 CVE-2023-33466 (Orthanc before 1.12.0 allows authenticated users with access 
to the Or ...)
{DSA-5473-1}
- orthanc 1.12.1+dfsg-1 (bug #1040597)
-   [buster] - orthanc  (Requires new configuration variable)
NOTE: 
https://discourse.orthanc-server.org/t/security-advisory-for-orthanc-deployments-running-versions-before-1-12-0/3568
NOTE: Requires the addition of a new RestApiWriteToFileSystemEnabled 
configuration and
NOTE: a check in ExportInstanceFile (OrthancRestResources.cpp); the 
default value


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[12 Sep 2023] DLA-3562-1 orthanc - security update
+   {CVE-2023-33466}
+   [buster] - orthanc 1.5.6+dfsg-1+deb10u1
 [11 Sep 2023] DLA-3561-1 node-cookiejar - security update
{CVE-2022-25901}
[buster] - node-cookiejar 2.0.1-1+deb10u1


=
data/dla-needed.txt
=
@@ -156,11 +156,6 @@ openjdk-11 (Emilio)
   NOTE: 20230802: update prepared for new CPU, waiting for DSA and checking
   NOTE: 20230802: whether to change jtreg version (pochu)
 --
-orthanc (gladk)
-  NOTE: 20230812: Added by Front-Desk (Beuc)
-  NOTE: 20230812: Experimental issue-based workflow: please self-assign and 
follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/41
-  NOTE: 20230812: Check DSA-5473-1 (Beuc/front-desk)
---
 poppler
   NOTE: 20230908: Added by Front-Desk (lamby)
   NOTE: 20230908: Added due to CVE-2020-23804. However, please check 
CVE-2020-18839



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b315e37b22361d185fcb3974d805fc81871bd5c8



[med-svn] [Git][med-team/orthanc] Pushed new tag debian/1.5.6+dfsg-1+deb10u1

2023-09-11 Thread Anton Gladky (@gladk)


Anton Gladky pushed new tag debian/1.5.6+dfsg-1+deb10u1 at Debian Med / orthanc

-- 
View it on GitLab: 
https://salsa.debian.org/med-team/orthanc/-/tree/debian/1.5.6+dfsg-1+deb10u1
You're receiving this email because of your account on salsa.debian.org.


___
debian-med-commit mailing list
debian-med-com...@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-med-commit


[med-svn] [Git][med-team/orthanc] Pushed new branch debian/buster

2023-09-11 Thread Anton Gladky (@gladk)


Anton Gladky pushed new branch debian/buster at Debian Med / orthanc

-- 
View it on GitLab: 
https://salsa.debian.org/med-team/orthanc/-/tree/debian/buster


[Git][security-tracker-team/security-tracker][master] LTS: take c-ares

2023-09-11 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
29d1a721 by Anton Gladky at 2023-09-11T14:21:32+02:00
LTS: take c-ares

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -25,7 +25,7 @@ amanda (Thorsten Alteholz)
   NOTE: 20230730: Added by Front-Desk (apo)
   NOTE: 20230910: still testing package (ta)
 --
-c-ares
+c-ares (gladk)
   NOTE: 20230826: Added by Front-Desk (utkarsh)
   NOTE: 20230826: it's a heap buffer overflow. Have mixed feelings about this 
one. Will look thoroughly. (utkarsh)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29d1a7215d0d7fd2f1ae7376144e2f491f36dccf



[Git][security-tracker-team/security-tracker][master] LTS: add elfutils to dla-needed

2023-09-03 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b29cbb45 by Anton Gladky at 2023-09-03T21:25:34+02:00
LTS: add elfutils to dla-needed

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -54,6 +54,9 @@ dogecoin
   NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix;
   NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the 
initiatives. (Beuc/front-desk)
 --
+elfutils
+  NOTE: 20230903: Added by Front-Desk (gladk)
+--
 file
   NOTE: 20230901: Added by Front-Desk (gladk)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b29cbb455f01623885c8ef502dafe6089ac2



[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add some packages into the dla-needed.txt

2023-09-03 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ceae6e23 by Anton Gladky at 2023-09-03T21:14:46+02:00
LTS: add some packages into the dla-needed.txt

- - - - -
dec5bf52 by Anton Gladky at 2023-09-03T21:19:47+02:00
LTS: mark CVE-2020-22217 as not-affected for jessie and stretch

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -220872,6 +220872,8 @@ CVE-2020-22218 (An issue was discovered in function 
_libssh2_packet_add in libss
NOTE: 
https://github.com/libssh2/libssh2/commit/642eec48ff3adfdb7a9e562b6d7fc865d1733f45
 (libssh2-1.10.0)
 CVE-2020-22217 (Buffer overflow vulnerability in c-ares before 1_16_1 thru 
1_17_0 via  ...)
- c-ares 1.17.1-1
+   [jessie] - c-ares  (vulnerable code is not present)
+   [stretch] - c-ares  (vulnerable code is not present)
NOTE: https://github.com/c-ares/c-ares/issues/333
NOTE: https://github.com/c-ares/c-ares/pull/332
NOTE: Fixed by: 
https://github.com/c-ares/c-ares/commit/1b98172b141fe874ad43e679e67506f9b2139043
 (c-ares-1_17_0)
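
Review bot: The two added lines give "vulnerable code is not present" as the reason for jessie and stretch, but the entry only has a "Fixed by" reference and nothing that identifies when the vulnerable code was introduced. A NOTE naming the introducing commit or the first affected upstream release would let a reader verify the claim against the jessie and stretch versions, especially as the version range in the description ("before 1_16_1 thru 1_17_0") is hard to interpret on its own.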


=
data/dla-needed.txt
=
@@ -73,6 +73,9 @@ freeimage
 frr
   NOTE: 20230901: Added by Front-Desk (gladk)
 --
+gerbv
+  NOTE: 20230903: Added by Front-Desk (gladk)
+--
 glib2.0 (santiago)
   NOTE: 20230612: Added by Front-Desk (apo)
   NOTE: 20230710: WIP (santiago)
@@ -80,6 +83,9 @@ glib2.0 (santiago)
   NOTE: 20230807: idem.
   NOTE: 20230820: asked for review/test.
 --
+gsl
+  NOTE: 20230903: Added by Front-Desk (gladk)
+--
 i2p
   NOTE: 20230809: Added by Front-Desk (Beuc)
   NOTE: 20230809: Experimental issue-based workflow: please self-assign and 
follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28
@@ -91,6 +97,9 @@ imagemagick
 libreswan (Markus Koschany)
   NOTE: 20230817: Added by Front-Desk (ta)
 --
+libssh2
+  NOTE: 20230903: Added by Front-Desk (gladk)
+--
 linux (Ben Hutchings)
   NOTE: 20230111: perma-added for LTS package-specific delegation (bwh)
 --
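
Review bot: The added "libssh2" entry has only the "Added by Front-Desk" line and names no CVE or reason, unlike neighbouring entries such as glib2.0 and rails that record status. If the trigger is CVE-2020-22218, which appears in the data/CVE/list context of this same push, a NOTE naming it would save the person who claims the package a lookup. The same applies to the gerbv, gsl and ring entries added in the other hunks of this file.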
@@ -167,6 +176,9 @@ rails (utkarsh)
   NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the 
possible path forward. (utkarsh)
   NOTE: 20230828: want to rollout ruby-rack first. (utkarsh)
 --
+ring
+  NOTE: 20230903: Added by Front-Desk (gladk)
+--
 ruby-loofah
   NOTE: 20221231: Added by Front-Desk (ola)
   NOTE: 20230313: Pinged Daniel re. patches in repo ^. (lamby)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6f2cbdbbbd71480032bd068740a244e3cae0520c...dec5bf5248e2327a541604610f3c040bdf072f31



[Git][security-tracker-team/security-tracker][master] LTS: add file and frr

2023-09-01 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fdc54d79 by Anton Gladky at 2023-09-01T18:55:27+02:00
LTS: add file and frr

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -54,6 +54,9 @@ dogecoin
   NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix;
   NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the 
initiatives. (Beuc/front-desk)
 --
+file
+  NOTE: 20230901: Added by Front-Desk (gladk)
+--
 firmware-nonfree
   NOTE: 20230820: Added by Front-Desk (ta)
 --
@@ -67,6 +70,9 @@ freeimage
   NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should 
roll
   NOTE: 20230826: out the DLA/ELA now. (utkarsh)  
 --
+frr
+  NOTE: 20230901: Added by Front-Desk (gladk)
+--
 glib2.0 (santiago)
   NOTE: 20230612: Added by Front-Desk (apo)
   NOTE: 20230710: WIP (santiago)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fdc54d79b47bcfaf9ab433057f1f095504075ec4



[Git][security-tracker-team/security-tracker][master] LTS: mark gpac CVEs as end-of-life for buster

2023-09-01 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2b02951f by Anton Gladky at 2023-09-01T18:52:11+02:00
LTS: mark gpac CVEs as end-of-life for buster

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -61,20 +61,24 @@ CVE-2023-39912 (Zoho ManageEngine ADManager Plus through 
7202 allows admin users
 CVE-2023-4683 (NULL Pointer Dereference in GitHub repository gpac/gpac prior 
to 2.3-D ...)
- gpac 
[bullseye] - gpac  (Minor issue)
+   [buster] - gpac  (EOL in buster LTS)
NOTE: 
https://github.com/gpac/gpac/commit/112767e8b178fc82dec3cf82a1ca14d802cdb8ec
NOTE: https://huntr.dev/bounties/7852e4d2-af4e-4421-a39e-db23e0549922
 CVE-2023-4682 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior 
to 2.3 ...)
- gpac 
+   [buster] - gpac  (EOL in buster LTS)
NOTE: 
https://github.com/gpac/gpac/commit/b1042c3eefca87c4bc32afb404ed6518d693e5be
NOTE: https://huntr.dev/bounties/15232a74-e3b8-43f0-ae8a-4e89d56c474c
 CVE-2023-4681 (NULL Pointer Dereference in GitHub repository gpac/gpac prior 
to 2.3-D ...)
- gpac 
[bullseye] - gpac  (Minor issue)
+   [buster] - gpac  (EOL in buster LTS)
NOTE: 
https://github.com/gpac/gpac/commit/4bac19ad854159b21ba70d8ab7c4e1cd1db8ea1c
NOTE: https://huntr.dev/bounties/d67c5619-ab36-41cc-93b7-04828e25f60e
 CVE-2023-4678 (Divide By Zero in GitHub repository gpac/gpac prior to 2.3-DEV.)
- gpac 
[bullseye] - gpac  (Minor issue)
+   [buster] - gpac  (EOL in buster LTS)
NOTE: 
https://github.com/gpac/gpac/commit/4607052c482a51dbdacfe1ade10645c181d07b07
NOTE: https://huntr.dev/bounties/688a4a01-8c18-469d-8cbe-a2e79e80c877
 CVE-2023-41748 (Remote command execution due to improper input validation. The 
followi ...)
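
Review bot: Among the four entries that gain "[buster] - gpac (EOL in buster LTS)", CVE-2023-4682 (heap-based buffer overflow) is the only one with no [bullseye] line, while the other three are marked "Minor issue" there. That is outside what this commit sets out to do, but since the entry is being touched it is worth confirming whether bullseye triage for CVE-2023-4682 is still pending or was missed.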



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b02951f0c92dd615f9995398d293bf8a0fa1f32



[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: take orthanc and tiff

2023-08-29 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ac555012 by Anton Gladky at 2023-08-29T18:49:24+02:00
LTS: take orthanc and tiff

- - - - -
de4dd34a by Anton Gladky at 2023-08-29T18:50:54+02:00
Update email

- - - - -


2 changed files:

- data/dla-needed.txt
- org/lts-frontdesk.2023.txt


Changes:

=
data/dla-needed.txt
=
@@ -126,7 +126,7 @@ openjdk-11 (Emilio)
   NOTE: 20230802: update prepared for new CPU, waiting for DSA and checking
   NOTE: 20230802: whether to change jtreg version (pochu)
 --
-orthanc
+orthanc (gladk)
   NOTE: 20230812: Added by Front-Desk (Beuc)
   NOTE: 20230812: Experimental issue-based workflow: please self-assign and 
follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/41
   NOTE: 20230812: Check DSA-5473-1 (Beuc/front-desk)
@@ -233,7 +233,7 @@ suricata (Adrian Bunk)
 thunderbird (Emilio)
   NOTE: 20230829: Added by pochu
 --
-tiff
+tiff (gladk)
   NOTE: 20230826: Added by Front-Desk (utkarsh)
 --
 trafficserver


=
org/lts-frontdesk.2023.txt
=
@@ -24,15 +24,15 @@ From 05-06 to 11-06:Markus Koschany 
 From 12-06 to 18-06:Ola Lundqvist 
 From 19-06 to 25-06:Sylvain Beucler 
 From 26-06 to 02-07:Thorsten Alteholz 
-From 03-07 to 09-07:Anton Gladky 
+From 03-07 to 09-07:Anton Gladky 
 From 10-07 to 16-07:Chris Lamb 
 From 17-07 to 23-07:Emilio Pozuelo Monfort 
 From 24-07 to 30-07:Markus Koschany 
-From 31-07 to 06-08:Anton Gladky 
+From 31-07 to 06-08:Anton Gladky 
 From 07-08 to 13-08:Sylvain Beucler 
 From 14-08 to 20-08:Thorsten Alteholz 
 From 21-08 to 27-08:Utkarsh Gupta 
-From 28-08 to 03-09:Anton Gladky 
+From 28-08 to 03-09:Anton Gladky 
 From 04-09 to 10-09:Chris Lamb 
 From 11-09 to 17-09:Emilio Pozuelo Monfort 
 From 18-09 to 24-09:Markus Koschany 
@@ -40,7 +40,7 @@ From 25-09 to 01-10:Ola Lundqvist 
 From 02-10 to 08-10:Sylvain Beucler 
 From 09-10 to 15-10:Thorsten Alteholz 
 From 16-10 to 22-10:Utkarsh Gupta 
-From 23-10 to 29-10:Anton Gladky 
+From 23-10 to 29-10:Anton Gladky 
 From 30-10 to 05-11:Chris Lamb 
 From 06-11 to 12-11:Emilio Pozuelo Monfort 
 From 13-11 to 19-11:Markus Koschany 
@@ -48,5 +48,5 @@ From 20-11 to 26-11:Ola Lundqvist 
 From 27-11 to 03-12:Sylvain Beucler 
 From 04-12 to 10-12:Thorsten Alteholz 
 From 11-12 to 17-12:Utkarsh Gupta 
-From 18-12 to 24-12:Anton Gladky 
+From 18-12 to 24-12:Anton Gladky 
 From 25-12 to 31-12:Chris Lamb 



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fdb067e1a312feac5be29e31047dac80828d1552...de4dd34a68381a1344af5927547073b1b104c0b9



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3530-1 for openssl

2023-08-15 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
07413911 by Anton Gladky at 2023-08-15T21:55:34+02:00
Reserve DLA-3530-1 for openssl

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[15 Aug 2023] DLA-3530-1 openssl - security update
+   {CVE-2023-3446 CVE-2023-3817}
+   [buster] - openssl 1.1.1n-0+deb10u6
 [15 Aug 2023] DLA-3529-1 datatables.js - security update
{CVE-2021-23445}
[buster] - datatables.js 1.10.19+dfsg-1+deb10u1


=
data/dla-needed.txt
=
@@ -139,10 +139,6 @@ openjdk-11 (Emilio)
 openssh
   NOTE: 20230814: Added by Front-Desk (ta)
 --
-openssl (gladk)
-  NOTE: 20230731: Added by Front-Desk (apo)
-  NOTE: 20230814: ready to be uploaded
---
 orthanc (gladk)
   NOTE: 20230812: Added by Front-Desk (Beuc)
   NOTE: 20230812: Experimental issue-based workflow: please self-assign and 
follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/41



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/074139111dfba9e192df3014f1f26261ae9990c2



[Git][security-tracker-team/security-tracker][master] LTS: take openssl again, it will be uploaded today

2023-08-14 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c0675d07 by Anton Gladky at 2023-08-14T20:09:51+02:00
LTS: take openssl again, it will be uploaded today

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -141,8 +141,9 @@ openjdk-11 (Emilio)
   NOTE: 20230802: update prepared for new CPU, waiting for DSA and checking
   NOTE: 20230802: whether to change jtreg version (pochu)
 --
-openssl
+openssl (gladk)
   NOTE: 20230731: Added by Front-Desk (apo)
+  NOTE: 20230814: ready to be uploaded
 --
 orthanc (gladk)
   NOTE: 20230812: Added by Front-Desk (Beuc)
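
Review bot: The added line "NOTE: 20230814: ready to be uploaded" has no author tag, while the dated notes around it end with one, for example "(pochu)" on the openjdk-11 notes. Append "(gladk)" so the status stays attributable if the claim on the header line changes later.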



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0675d07f033f09cfc930e286b19407ba71a8f7f



[Git][security-tracker-team/security-tracker][master] LTS: take orthanc

2023-08-13 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
55e76921 by Anton Gladky at 2023-08-13T17:53:16+02:00
LTS: take orthanc

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -153,7 +153,7 @@ openjdk-11 (Emilio)
 openssl (gladk)
   NOTE: 20230731: Added by Front-Desk (apo)
 --
-orthanc
+orthanc (gladk)
   NOTE: 20230812: Added by Front-Desk (Beuc)
   NOTE: 20230812: Experimental issue-based workflow: please self-assign and 
follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/41
   NOTE: 20230812: Check DSA-5473-1 (Beuc/front-desk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/55e76921bad76df0b69bd533d9bebd92b41b2d5d



[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add gawk

2023-08-06 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d9c15ff2 by Anton Gladky at 2023-08-06T22:34:53+02:00
LTS: add gawk

- - - - -
1da15071 by Anton Gladky at 2023-08-06T22:37:52+02:00
LTS: add libhtmlcleaner-java

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -49,6 +49,11 @@ dogecoin
 firefox-esr (Emilio)
   NOTE: 20230802: Added by pochu
 --
+gawk
+  NOTE: 20230806: Added by Front-Desk (gladk)
+  NOTE: 20230806: Please, check, whether CVE is applicable for buster
+  NOTE: 20230806: poc are available in the mailing list (gladk)
+--
 ghostscript (Adrian Bunk)
   NOTE: 20230803: Added by Front-Desk (gladk)
 --
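
Review bot: The added gawk notes ask the reader to check "whether CVE is applicable for buster" and say "poc are available in the mailing list", but neither the CVE id nor a link to the list message is given. Add both to the NOTE lines so whoever claims the package can start from the entry alone.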
@@ -73,6 +78,11 @@ imagemagick
   NOTE: 20230622: Added by Front-Desk (Beuc)
   NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs 
(Beuc/front-desk)
 --
+libhtmlcleaner-java
+  NOTE: 20230806: Added by Front-Desk (gladk)
+  NOTE: 20230806: 
https://github.com/amplafi/htmlcleaner/issues/13#issuecomment-1597626510
+  NOTE: 20230806: Please, check the upper link, whether the patch can be got 
(gladk)
+--
 libreoffice
   NOTE: 20230530: Added by Front-Desk (pochu)
   NOTE: 20230718: http://people.debian.org/~abhijith/upload/lo (abhijith)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fcf9282efdb89459070b0d18c2db15bc5264d3ef...1da15071a3d33dd9831419435ba35e6a1a49e6f7



[Git][security-tracker-team/security-tracker][master] Mark new CVEs for webkit2gtk as end-of-line for buster

2023-08-05 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d4af5b20 by Anton Gladky at 2023-08-05T21:20:50+02:00
Mark new CVEs for webkit2gtk as end-of-line for buster

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -950,6 +950,7 @@ CVE-2023-38601 (This issue was addressed by removing the 
vulnerable code. This i
NOT-FOR-US: Apple
 CVE-2023-38599 (A logic issue was addressed with improved state management. 
This issue ...)
- webkit2gtk 2.40.5-1
+  [buster] - webkit2gtk  (webkit2gtk EOL in buster)
- wpewebkit 2.40.5-1
[bookworm] - wpewebkit  (wpewebkit not covered by security 
support in Bookworm)
NOTE: https://webkitgtk.org/security/WSA-2023-0007.html
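
Review bot: The added "[buster] - webkit2gtk" line under CVE-2023-38599 is shown with less leading whitespace than the otherwise identical lines added in the later hunks of this commit. Check that it uses the same indentation as the neighbouring "- webkit2gtk 2.40.5-1" line so the entry stays consistent with the rest of data/CVE/list.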
@@ -957,6 +958,7 @@ CVE-2023-38598 (A use-after-free issue was addressed with 
improved memory manage
NOT-FOR-US: Apple
 CVE-2023-38592 (A logic issue was addressed with improved restrictions. This 
issue is  ...)
- webkit2gtk 2.40.5-1
+   [buster] - webkit2gtk  (webkit2gtk EOL in buster)
- wpewebkit 2.40.5-1
[bookworm] - wpewebkit  (wpewebkit not covered by security 
support in Bookworm)
NOTE: https://webkitgtk.org/security/WSA-2023-0007.html
@@ -1071,6 +1073,7 @@ CVE-2023-3451
REJECTED
 CVE-2023-38611 (The issue was addressed with improved memory handling. This 
issue is f ...)
- webkit2gtk 2.40.5-1
+   [buster] - webkit2gtk  (webkit2gtk EOL in buster)
- wpewebkit 2.40.5-1
[bookworm] - wpewebkit  (wpewebkit not covered by security 
support in Bookworm)
NOTE: https://webkitgtk.org/security/WSA-2023-0007.html
@@ -1084,21 +1087,25 @@ CVE-2023-38602 (A permissions issue was addressed with 
additional restrictions.
NOT-FOR-US: Apple
 CVE-2023-38600 (The issue was addressed with improved checks. This issue is 
fixed in i ...)
- webkit2gtk 2.40.5-1
+   [buster] - webkit2gtk  (webkit2gtk EOL in buster)
- wpewebkit 2.40.5-1
[bookworm] - wpewebkit  (wpewebkit not covered by security 
support in Bookworm)
NOTE: https://webkitgtk.org/security/WSA-2023-0007.html
 CVE-2023-38597 (The issue was addressed with improved checks. This issue is 
fixed in i ...)
- webkit2gtk 2.40.5-1
+   [buster] - webkit2gtk  (webkit2gtk EOL in buster)
- wpewebkit 2.40.5-1
[bookworm] - wpewebkit  (wpewebkit not covered by security 
support in Bookworm)
NOTE: https://webkitgtk.org/security/WSA-2023-0007.html
 CVE-2023-38595 (The issue was addressed with improved checks. This issue is 
fixed in i ...)
- webkit2gtk 2.40.5-1
+   [buster] - webkit2gtk  (webkit2gtk EOL in buster)
- wpewebkit 2.40.5-1
[bookworm] - wpewebkit  (wpewebkit not covered by security 
support in Bookworm)
NOTE: https://webkitgtk.org/security/WSA-2023-0007.html
 CVE-2023-38594 (The issue was addressed with improved checks. This issue is 
fixed in i ...)
- webkit2gtk 2.40.5-1
+   [buster] - webkit2gtk  (webkit2gtk EOL in buster)
- wpewebkit 2.40.5-1
[bookworm] - wpewebkit  (wpewebkit not covered by security 
support in Bookworm)
NOTE: https://webkitgtk.org/security/WSA-2023-0007.html
@@ -1108,6 +1115,7 @@ CVE-2023-38580 (The issue was addressed with improved 
memory handling. This issu
NOT-FOR-US: Apple
 CVE-2023-38572 (The issue was addressed with improved checks. This issue is 
fixed in i ...)
- webkit2gtk 2.40.5-1
+   [buster] - webkit2gtk  (webkit2gtk EOL in buster)
- wpewebkit 2.40.5-1
[bookworm] - wpewebkit  (wpewebkit not covered by security 
support in Bookworm)
NOTE: https://webkitgtk.org/security/WSA-2023-0007.html
@@ -1136,6 +1144,7 @@ CVE-2023-38136 (The issue was addressed with improved 
memory handling. This issu
NOT-FOR-US: Apple
 CVE-2023-38133 (The issue was addressed with improved checks. This issue is 
fixed in i ...)
- webkit2gtk 2.40.5-1
+   [buster] - webkit2gtk  (webkit2gtk EOL in buster)
- wpewebkit 2.40.5-1
[bookworm] - wpewebkit  (wpewebkit not covered by security 
support in Bookworm)
NOTE: https://webkitgtk.org/security/WSA-2023-0007.html



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4af5b202196a67e6599e5e8fbd6476c653b6409



[Git][security-tracker-team/security-tracker][master] LTS: add burp, poppler, thunderbird

2023-08-04 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9db40c66 by Anton Gladky at 2023-08-04T21:55:46+02:00
LTS: add burp, poppler, thunderbird

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -24,6 +24,9 @@ rather than remove/replace existing ones.
 amanda (Thorsten Alteholz)
   NOTE: 20230730: Added by Front-Desk (apo)
 --
+burp
+  NOTE: 20230804: Added by Front-Desk (gladk)
+--
 cairosvg (gladk)
   NOTE: 20230323: Added by Front-Desk (gladk)
   NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport 
the --unsafe switch, introduced in 1.0.21, might work (dleidert/inactive)
@@ -124,6 +127,9 @@ openssl (gladk)
 pdfcrack (Adrian Bunk)
   NOTE: 20230731: Added by Front-Desk (apo)
 --
+poppler
+  NOTE: 20230804: Added by Front-Desk (gladk)
+--
 python-glance-store
   NOTE: 20230525: Added by Front-Desk (lamby)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder.
@@ -194,6 +200,9 @@ suricata (Adrian Bunk)
   NOTE: 20230714: Still reviewing+testing CVEs. (bunk)
   NOTE: 20230731: Still reviewing+testing CVEs. (bunk)
 --
+thunderbird
+  NOTE: 20230804: Added by Front-Desk (gladk)
+--
 zabbix (tobi)
   NOTE: 20230731: Added by Front-Desk (apo)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9db40c661345d17a5d8878affb46fdc5c2f6f8ad



[Git][security-tracker-team/security-tracker][master] LTS: add ghostscript

2023-08-03 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
61ad503e by Anton Gladky at 2023-08-03T22:44:45+02:00
LTS: add ghostscript

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -52,6 +52,9 @@ dogecoin
 firefox-esr (Emilio)
   NOTE: 20230802: Added by pochu
 --
+ghostscript
+  NOTE: 20230803: Added by Front-Desk (gladk)
+--
 glib2.0 (santiago)
   NOTE: 20230612: Added by Front-Desk (apo)
   NOTE: 20230710: WIP (santiago)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61ad503edf06a0cac65995f5cb084447c726104c



[Git][security-tracker-team/security-tracker][master] LTS: CVE-2023-34478 mark as no-dsa

2023-08-03 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
16b66fa0 by Anton Gladky at 2023-08-03T22:38:57+02:00
LTS: CVE-2023-34478 mark as no-dsa

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1552,6 +1552,7 @@ CVE-2023-34478 (Apache Shiro, before 1.12.0 or 
2.0.0-alpha-3, may be susceptible
- shiro 
[bookworm] - shiro  (Minor issue)
[bullseye] - shiro  (Minor issue)
+   [buster] - shiro  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2023/07/24/4
 CVE-2023-34429 (Weintek Weincloud v0.13.6 could allow an attacker to cause 
a denia ...)
NOT-FOR-US: Weincloud



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16b66fa05d33782cb17cf1ffb8569b1e7e1712ed



[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2020-22402: mark as not-affected for buster

2023-07-31 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b285cbab by Anton Gladky at 2023-07-31T19:04:58+02:00
CVE-2020-22402: mark as not-affected for buster

- - - - -
20387165 by Anton Gladky at 2023-07-31T19:04:59+02:00
LTS: add bouncycastle

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -214874,7 +214874,9 @@ CVE-2020-22403 (Cross Site Request Forgery (CSRF) 
vulnerability in Express cart
NOT-FOR-US: Node express-cart
 CVE-2020-22402 (Cross Site Scripting (XSS) vulnerability in SOGo Web Mail 
before 4.3.1 ...)
- sogo 4.3.2-1
+   [buster] - sogo  (Vulnerable code added later)
NOTE: https://bugs.sogo.nu//view.php?id=4979
+   NOTE: 
https://github.com/Alinto/sogo/commit/d1dbceb407b37aff6563d06194189965af39cf3e
 CVE-2020-22401
RESERVED
 CVE-2020-22400
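Review bot: The new [buster] line for CVE-2020-22402 says the vulnerable code was added later, but the added NOTE gives the sogo commit URL without saying what that commit is. Label it, for example with an "Introduced by:" or "Fixed by:" prefix and the upstream version it belongs to, so the not-affected decision can be checked against the buster source without opening the link.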


=
data/dla-needed.txt
=
@@ -24,6 +24,9 @@ rather than remove/replace existing ones.
 amanda (Thorsten Alteholz)
   NOTE: 20230730: Added by Front-Desk (apo)
 --
+bouncycastle
+  NOTE: 20230731: Added by Front-Desk (gladk)
+--
 cairosvg (gladk)
   NOTE: 20230323: Added by Front-Desk (gladk)
   NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport 
the --unsafe switch, introduced in 1.0.21, might work (dleidert/inactive)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/abfb15aa3b763450b48fc626260a925efd9a79e8...203871654dfc7032aa83961ac891d40daea608a4



[Git][security-tracker-team/security-tracker][master] LTS: take openssl

2023-07-31 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
15ad4339 by Anton Gladky at 2023-07-31T18:37:51+02:00
LTS: take openssl

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -116,7 +116,7 @@ openjdk-11 (Emilio)
   NOTE: 20230612: sid updated, preparing backport (pochu)
   NOTE: 20230717: waiting for DSA, might wait for next CPU (pochu)
 --
-openssl
+openssl (gladk)
   NOTE: 20230731: Added by Front-Desk (apo)
 --
 orthanc (Chris Lamb)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/15ad4339f85321b3f8bc0154a0671aecf3d5f4b8



[Git][security-tracker-team/security-tracker][master] LTS: set myself as a FD for next week

2023-07-30 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5ed8ad67 by Anton Gladky at 2023-07-30T14:46:33+02:00
LTS: set myself as a FD for next week

- - - - -


1 changed file:

- org/lts-frontdesk.2023.txt


Changes:

=
org/lts-frontdesk.2023.txt
=
@@ -28,7 +28,7 @@ From 03-07 to 09-07:Anton Gladky 
 From 10-07 to 16-07:Chris Lamb 
 From 17-07 to 23-07:Emilio Pozuelo Monfort 
 From 24-07 to 30-07:Markus Koschany 
-From 31-07 to 06-08:Ola Lundqvist 
+From 31-07 to 06-08:Anton Gladky 
 From 07-08 to 13-08:Sylvain Beucler 
 From 14-08 to 20-08:Thorsten Alteholz 
 From 21-08 to 27-08:Utkarsh Gupta 
@@ -49,4 +49,4 @@ From 27-11 to 03-12:Sylvain Beucler 
 From 04-12 to 10-12:Thorsten Alteholz 
 From 11-12 to 17-12:Utkarsh Gupta 
 From 18-12 to 24-12:Anton Gladky 
-From 25-12 to 31-12:Chris Lamb 
\ No newline at end of file
+From 25-12 to 31-12:Chris Lamb 



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5ed8ad67a02055e382e0f06a11adc9bfa89af0e7



[Git][security-tracker-team/security-tracker][master] LTS: take cairosvg

2023-07-25 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
62ba6ed8 by Anton Gladky at 2023-07-25T22:10:09+02:00
LTS: take cairosvg

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -21,7 +21,7 @@ To make it easier to see the entire history of an update, 
please append notes
 rather than remove/replace existing ones.
 
 --
-cairosvg
+cairosvg (gladk)
   NOTE: 20230323: Added by Front-Desk (gladk)
   NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport 
the --unsafe switch, introduced in 1.0.21, might work (dleidert/inactive)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62ba6ed8bcc720692a5e6c87a235144dd7f42416



[Git][security-tracker-team/security-tracker][master] 3 commits: Mark CVE-2023-36201 as ignored for buster

2023-07-09 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
53d95b27 by Anton Gladky at 2023-07-09T20:45:19+02:00
Mark CVE-2023-36201 as ignored for buster

- - - - -
ebd698e1 by Anton Gladky at 2023-07-09T20:45:19+02:00
Mark CVE-2023-3523 as EOL for buster (gpac)

- - - - -
2533cd69 by Anton Gladky at 2023-07-09T20:45:19+02:00
LTS: Add node-tough-cookie

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -109,6 +109,7 @@ CVE-2023-36256 (The Online Examination System Project 1.0 
version is vulnerable
 CVE-2023-36201 (An issue in JerryscriptProject jerryscript v.3.0.0 allows an 
attacker  ...)
- iotjs 
[bullseye] - iotjs  (Minor issue)
+   [buster] - iotjs  (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/5026
 CVE-2023-34197 (Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk 
Plus MSP  ...)
NOT-FOR-US: Zoho
@@ -160,6 +161,7 @@ CVE-2023-3523 (Out-of-bounds Read in GitHub repository 
gpac/gpac prior to 2.2.2.
- gpac 
NOTE: https://huntr.dev/bounties/57e0be03-8484-415e-8b5c-c1fe4546eaac/
NOTE: 
https://github.com/gpac/gpac/commit/64201a26476c12a7dbd7ffb5757743af6954db96
+   [buster] - gpac  (EOL in buster LTS)
 CVE-2023-3456 (Vulnerability of kernel raw address leakage in the  hang 
detector modu ...)
NOT-FOR-US: Huawei
 CVE-2023-37454 (An issue was discovered in the Linux kernel through 6.4.2. A 
crafted U ...)
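Review bot: In the CVE-2023-3523 entry the added "[buster] - gpac" line sits after the two NOTE lines, while the CVE-2023-36201 hunk just above puts the release annotation directly under the package line and before the NOTE. Move it up under "- gpac" so the entry keeps the same order as its neighbours.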


=
data/dla-needed.txt
=
@@ -103,6 +103,9 @@ linux (Ben Hutchings)
 mediawiki (Markus Koschany)
   NOTE: 20230701: Added by Front-Desk (ta)
 --
+node-tough-cookie
+  NOTE: 20230709: Added by Front-Desk (gladk)
+--
 nova
   NOTE: 20230302: Re-add, request by maintainer (Beuc)
   NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific 
CVE-2022-47951 backport that introduces regression
@@ -132,6 +135,9 @@ openjdk-11 (Emilio)
   NOTE: 20230612: sid updated, preparing backport (pochu)
   NOTE: 20230627: waiting for DSA (pochu)
 --
+pandoc
+  NOTE: 20230709: Added by Front-Desk (gladk)
+--
 php-dompdf (rouca)
   NOTE: 20230618: Added by Front-Desk (opal)
   NOTE: 20230618: Low priority but higher than to not fix it.
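Review bot: The pandoc entry added here is not mentioned in any of the three commit subjects; the last one names only node-tough-cookie. Give pandoc its own commit or name both packages in the subject, so that a log search for pandoc finds the point where it entered the queue.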



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/00404a33424169134995001a541dfecc28fd17a8...2533cd69dae703e8ebb5ec18e44b2b682bcf950d



[Git][security-tracker-team/security-tracker][master] LTS: add xqilla

2023-07-05 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3cd9e307 by Anton Gladky at 2023-07-06T06:54:41+02:00
LTS: add xqilla

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -268,6 +268,9 @@ webkit2gtk (Emilio)
   NOTE: 20230606: https://lists.debian.org/debian-lts/2023/06/msg5.html 
(pochu)
   NOTE: 20230627: will likely hold the update and mark as not-supported due to 
feedback (pochu)
 --
+xqilla
+  NOTE: 20230706: Added by Front-Desk (gladk)
+--
 yajl (tobi)
   NOTE: 20230702: Added by Front-Desk (ta)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cd9e30762c0c123604902006e71b399d27d2359



[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add pypdf2

2023-07-04 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8bf22648 by Anton Gladky at 2023-07-05T06:59:05+02:00
LTS: add pypdf2

- - - - -
544d1f55 by Anton Gladky at 2023-07-05T06:59:39+02:00
Mark ruby-yajl as no-dsa for buster

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -3010,6 +3010,7 @@ CVE-2023-33460 (There's a memory leak in yajl 2.1.0 with 
use of yajl_tree_parse
- ruby-yajl 
[bookworm] - ruby-yajl  (Minor issue)
[bullseye] - ruby-yajl  (Minor issue)
+   [buster] - ruby-yajl  (Minor issue)
 CVE-2023-33457 (In Sogou Workflow v0.10.6, memcpy a negtive size in 
URIParser::parse , ...)
NOT-FOR-US: Sogou Workflow
 CVE-2023-33381 (A command injection vulnerability was found in the ping 
functionality  ...)


=
data/dla-needed.txt
=
@@ -173,6 +173,9 @@ php-dompdf
   NOTE: 20230618: Added by Front-Desk (opal)
   NOTE: 20230618: Low priority but higher than to not fix it.
 --
+pypdf2
+  NOTE: 20230705: Added by Front-Desk (gladk)
+--
 python-glance-store (jspricke)
   NOTE: 20230525: Added by Front-Desk (lamby)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6870f195eca3236b18912c607f24f0f89da9dba9...544d1f55ffdf81d721dc6b756d6a122d5b70def0



[Git][security-tracker-team/security-tracker][master] LTS: add nsis

2023-07-04 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6870f195 by Anton Gladky at 2023-07-05T06:30:01+02:00
LTS: add nsis

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -141,6 +141,9 @@ nova
   NOTE: 20230302: zigo currently has no time and requests the LTS team to do 
it (IRC #debian-lts 2023-03-02). (Beuc/front-desk)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder. (lamby)
 --
+nsis
+  NOTE: 20230705: Added by Front-Desk (gladk)
+--
 nvidia-cuda-toolkit
   NOTE: 20230514: Added by Front-Desk (utkarsh)
   NOTE: 20230514: package listed in packages-to-support; a bunch of CVEs have



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6870f195eca3236b18912c607f24f0f89da9dba9



[Git][security-tracker-team/security-tracker][master] LTS: take openimageio

2023-07-02 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
787f91d4 by Anton Gladky at 2023-07-02T18:47:46+02:00
LTS: take openimageio

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -136,7 +136,7 @@ nvidia-cuda-toolkit
   NOTE: 20230610: Details: 
https://lists.debian.org/debian-lts/2023/06/msg00032.html
   NOTE: 20230610: my recommendation would be to put the package on the 
"not-supported" list. (tobi)
 --
-openimageio
+openimageio (gladk)
   NOTE: 20230406: Re-added due to regressions (apo)
   NOTE: 20230612: Backporting is mostly done, but still some failures.
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/787f91d43baff9798ed5c3f6cab8e1e00212d451



[Git][security-tracker-team/security-tracker][master] LTS: take libapache2-mod-auth-openidc

2023-06-26 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3a751704 by Anton Gladky at 2023-06-26T21:58:26+02:00
LTS: take libapache2-mod-auth-openidc

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -101,7 +101,7 @@ lemonldap-ng
   NOTE: 20230620: Added by Front-Desk (Beuc)
   NOTE: 20230620: Follow 2 fixes from bullseye 11.7 (CVE-2023-28862 + 
unreferenced URL validation bypass) (Beuc/front-desk)
 --
-libapache2-mod-auth-openidc
+libapache2-mod-auth-openidc (gladk)
   NOTE: 20230620: Added by Front-Desk (Beuc)
   NOTE: 20230620: Follow fix from bullseye 11.7 (CVE-2022-23527) + 1 postponed 
CVE-2021-39191 (Beuc/front-desk)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a7517046ac19feb90f3f8a069f7799f01967011



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3471-1 for c-ares

2023-06-25 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b49472f7 by Anton Gladky at 2023-06-26T06:54:50+02:00
Reserve DLA-3471-1 for c-ares

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[26 Jun 2023] DLA-3471-1 c-ares - security update
+   {CVE-2023-31130 CVE-2023-32067}
+   [buster] - c-ares 1.14.0-1+deb10u3
 [25 Jun 2023] DLA-3470-1 owslib - security update
{CVE-2023-27476}
[buster] - owslib 0.17.1-1+deb10u1


=
data/dla-needed.txt
=
@@ -25,10 +25,6 @@ bind9 (Chris Lamb)
   NOTE: 20230623: Added by Front-Desk (Beuc)
   NOTE: 20230623: Upcoming DSA prepared by maintainer (Beuc/front-desk)
 --
-c-ares (gladk)
-  NOTE: 20230523: Added by Front-Desk (lamby)
-  NOTE: 20230612: WIP. Work also on not-important issues (gladk)
---
 cairosvg
   NOTE: 20230323: Added by Front-Desk (gladk)
   NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport 
the --unsafe switch, introduced in 1.0.21, might work (dleidert)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b49472f7c98951a09aa9de1fd966607ef92c3e1d



[Git][security-tracker-team/security-tracker][master] Status update

2023-06-11 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ebca59de by Anton Gladky at 2023-06-12T07:25:26+02:00
Status update

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -21,6 +21,7 @@ rather than remove/replace existing ones.
 --
 c-ares (gladk)
   NOTE: 20230523: Added by Front-Desk (lamby)
+  NOTE: 20230612: WIP. Work also on not-important issues (gladk)
 --
 cairosvg
   NOTE: 20230323: Added by Front-Desk (gladk)
@@ -103,7 +104,7 @@ nvidia-cuda-toolkit (tobi)
 --
 openimageio (gladk)
   NOTE: 20230406: Re-added due to regressions (apo)
-  NOTE: 20230508: WIP
+  NOTE: 20230612: Backporting is mostly done, but still some failures.
 --
 openjdk-11 (Emilio)
   NOTE: 20230419: Added by Front-Desk (ola)
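Review bot: The openimageio hunk removes the "20230508: WIP" note and puts the 20230612 one in its place, although the file header quoted in the first hunk's context asks to append notes "rather than remove/replace existing ones". Keep the 20230508 line and add the new status below it, as the c-ares hunk above does.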



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ebca59de004a3062951cd5f4cfcb92c13ba89ed9



[Git][security-tracker-team/security-tracker] Deleted branch fix_987283

2023-05-26 Thread Anton Gladky (@gladk)


Anton Gladky deleted branch fix_987283 at Debian Security Tracker / 
security-tracker



[Git][security-tracker-team/security-tracker][fix_987283] Add verbose change

2023-05-25 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch fix_987283 at Debian Security Tracker / 
security-tracker


Commits:
547f1afc by Anton Gladky at 2023-05-25T16:06:19+02:00
Add verbose change

- - - - -


1 changed file:

- lib/python/security_db.py


Changes:

=
lib/python/security_db.py
=
@@ -932,7 +932,8 @@ class DB:
 if self.verbose:
 print(f"Table {table} does not exist")
 continue
-print (f"Clearing table {table}")
+if self.verbose:
+print (f"Clearing table {table}")
 cursor.execute(f"DELETE FROM {table}")
 # The *_status tables are regenerated anyway, no need to
 # delete them here.
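Review bot: The re-indented call keeps the style slip of the line it replaces: "print (f"Clearing table {table}")" has a space before the parenthesis, unlike the print( call three lines above. This is also the second "if self.verbose:" wrapper in the same loop, so a small helper or the logging module would remove the repetition. Separately, "DELETE FROM {table}" is built with an f-string; table names cannot be bound as query parameters, so a comment stating where the table names come from would help the next reader.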



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/547f1afc5197685b9e72673e2da22b5e96d4788f



[Git][security-tracker-team/security-tracker] Deleted branch add_removed_files_to_DB

2023-05-25 Thread Anton Gladky (@gladk)


Anton Gladky deleted branch add_removed_files_to_DB at Debian Security Tracker 
/ security-tracker



[Git][security-tracker-team/security-tracker][master] 2 commits: Add file print of the removed_packages into DB

2023-05-25 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b232fb0b by Anton Gladky at 2023-05-25T13:51:43+02:00
Add file print of the removed_packages into DB

- - - - -
704ed519 by Anton Gladky at 2023-05-25T13:01:23+00:00
Merge branch add_removed_files_to_DB into master

Add file print of the removed_packages into DB

See merge request security-tracker-team/security-tracker!134
- - - - -


1 changed file:

- lib/python/security_db.py


Changes:

=
lib/python/security_db.py
=
@@ -963,14 +963,19 @@ class DB:
 source_paths = [src["path"] for src in sources]
 
 unchanged = True
+changed_source = None
 for filename in source_paths + [source_removed_packages]:
 if has_changed(path + filename):
 unchanged = False
+changed_source = path + filename
 break
 if unchanged:
 if self.verbose:
 print("  finished (no changes)")
 return
+else:
+if self.verbose:
+print(f"  clearing database, because some files have changed 
({changed_source})")
 
 clear_db()
 
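Review bot: The added "else:" follows an if block that ends in return, so the else and its extra indentation are redundant; the verbose print can sit at the outer level right before clear_db(). Because of the break, changed_source only ever holds the first changed file, which is fine for a log line but worth saying in the message (for example "first changed file: ...").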
@@ -1992,6 +1997,14 @@ class DB:
 cursor.executemany(
 "INSERT OR IGNORE INTO removed_packages (name) VALUES (?)", gen())
 
+
+# Add file print to database for removed packages
+current_print = self.filePrint(filename)
+cursor.execute(
+"""INSERT OR REPLACE INTO inodeprints (inodeprint, file)
+VALUES (?, ?)""", (current_print, filename))
+
+
 def getUnknownPackages(self, cursor):
 """Returns a generator for a list of unknown packages.
 Each entry has the form (PACKAGE, BUG-LIST)."""
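Review bot: The file print is stored under the bare filename argument, while the change check in the previous hunk calls has_changed(path + filename). If has_changed looks the print up by the string it is given, both sides must use the same string, so confirm that callers pass the full path here; otherwise the stored print never matches and the database is cleared on every run. The added block is also wrapped in doubled blank lines; one is enough inside a method.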



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8c27ceb23a1fb7f06dc717f560846b4b6b0fa2a8...704ed519f6cfb075bf6932b4e0888098f7b7bba3



[Git][security-tracker-team/security-tracker] Pushed new branch add_removed_files_to_DB

2023-05-25 Thread Anton Gladky (@gladk)


Anton Gladky pushed new branch add_removed_files_to_DB at Debian Security 
Tracker / security-tracker

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/tree/add_removed_files_to_DB


[Git][security-tracker-team/security-tracker][fix_987283] 2 commits: Remove one more print

2023-05-24 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch fix_987283 at Debian Security Tracker / 
security-tracker


Commits:
aff4d306 by Anton Gladky at 2023-05-24T17:31:27+02:00
Remove one more print

- - - - -
351ff96d by Anton Gladky at 2023-05-24T18:16:58+02:00
Fix failure

- - - - -


1 changed file:

- lib/python/security_db.py


Changes:

=
lib/python/security_db.py
=
@@ -910,6 +910,8 @@ class DB:
 print("readBugs:")
 
 def clear_db(cleared=[False]):
+if self.verbose:
+print("  clearing database")
 # Avoid clearing the database multiple times.
 if cleared[0]:
 return
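Review bot: The verbose "clearing database" message is printed before the "if cleared[0]: return" guard, so it also appears on calls that return without clearing anything. Move the two added lines below the guard so the message matches what actually happens.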
@@ -922,9 +924,11 @@ class DB:
 for table in tables:
 # check first, whether the table exists
 try:
-cursor.execute(f"SELECT 1 FROM sqlite_schema WHERE type = 
'table' AND name = {table}")
+cursor.execute(f"SELECT * FROM {table} LIMIT 1")
 except:
 # table does not exist
+if self.verbose:
+print(f"Table {table} does not exist")
 continue
 cursor.execute(f"DELETE FROM {table}")
 
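Review bot: The existence probe "SELECT * FROM {table} LIMIT 1" sits under a bare "except:", so any failure, not only a missing table, is reported as "does not exist" and silently skipped. Catch only the database error raised for a missing table, or keep the catalogue lookup the removed line attempted and bind the table name as a parameter (name = ?), which is what that query lacked.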
@@ -966,15 +970,13 @@ class DB:
 return True
 
 source_removed_packages = '/packages/removed-packages'
-source_ignored_unreported = 'data/packages/ignored-debian-bug-packages'
+source_ignored_unreported = '/packages/ignored-debian-bug-packages'
 sources = self.getSources()
 source_paths = [src["path"] for src in sources]
 
 unchanged = True
 
-
 for filename in source_paths + [source_removed_packages, 
source_ignored_unreported]:
-print (path + filename)
 if has_changed(path + filename):
 unchanged = False
 break
@@ -1005,9 +1007,8 @@ class DB:
 print("  update removed packages")
 self.readRemovedAndIgnoredPackages(cursor, path + 
source_removed_packages, table = "removed_packages")
 
-
 # Add file print to database for ignored packages
-current_print = self.filePrint(source_ignored_unreported)
+current_print = self.filePrint(path + source_ignored_unreported)
 cursor.execute(
 """INSERT OR REPLACE INTO inodeprints (inodeprint, file)
 VALUES (?, ?)""", (current_print, source_ignored_unreported))
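Review bot: filePrint() now receives path + source_ignored_unreported, but the INSERT below still stores the print under source_ignored_unreported without the path prefix, while the change check earlier in this diff calls has_changed(path + filename). If inodeprints is keyed by the string passed to has_changed, this row is never found and the ignored-packages file always counts as changed. Store path + source_ignored_unreported as the file value too, or confirm that the lookup strips the prefix.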
@@ -1016,7 +1017,7 @@ class DB:
 print("  update ignored packages")
 
 # Read list of packages, which should be ignored for the 
status/unreported
-self.readRemovedAndIgnoredPackages(cursor, source_ignored_unreported, 
table = "ignored_packages")
+self.readRemovedAndIgnoredPackages(cursor, path + 
source_ignored_unreported, table = "ignored_packages")
 
 
 errors = []
@@ -1993,7 +1994,7 @@ class DB:
 yield bug_name
 
 def readRemovedAndIgnoredPackages(self, cursor, filename, 
table='removed_packages'):
-"""Reads a file of removed packages and stores it in the database.
+"""Reads a file of removed or ignored packages and stores it in the 
database.
 For that the table parameter must be set to 'removed_packages'.
 This is the default value.
 The original contents of the removed_packages table is preserved.
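Review bot: The docstring's first sentence now covers ignored packages, but the next line still reads "For that the table parameter must be set to 'removed_packages'", which no longer says how to load the ignored list. Document both values of table that the callers in this diff pass ('removed_packages' and 'ignored_packages') and which table's contents are preserved.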



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/bac5fccf07af52fc6a3085cd6be7f829283d6ed8...351ff96d1b9e172d4908521e6f7f12fecb5bd656



[Git][security-tracker-team/security-tracker][fix_987283] Simplify the code

2023-05-24 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch fix_987283 at Debian Security Tracker / 
security-tracker


Commits:
bac5fccf by Anton Gladky at 2023-05-24T16:58:34+02:00
Simplify the code

- - - - -


1 changed file:

- lib/python/security_db.py


Changes:

=
lib/python/security_db.py
=
@@ -966,20 +966,19 @@ class DB:
 return True
 
 source_removed_packages = '/packages/removed-packages'
+source_ignored_unreported = 'data/packages/ignored-debian-bug-packages'
 sources = self.getSources()
 source_paths = [src["path"] for src in sources]
 
 unchanged = True
-for filename in source_paths + [source_removed_packages]:
+
+
+for filename in source_paths + [source_removed_packages, 
source_ignored_unreported]:
+print (path + filename)
 if has_changed(path + filename):
 unchanged = False
 break
 
-# Check if the ignored packages file has changed
-source_ignore_unreported = "data/packages/ignored-debian-bug-packages"
-if has_changed(path + filename):
-unchanged = False
-
 if unchanged:
 if self.verbose:
 print("  finished (no changes)")
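Review bot: `print (path + filename)` at the top of the loop is unconditional debug output and prints every source path on each update; drop it or guard it with `if self.verbose:` as the code just below does. Also, `source_ignored_unreported` is 'data/packages/...' with no leading slash while `source_removed_packages` is '/packages/...', so `path + filename` cannot resolve both with the same `path`; make the two constants follow one convention. The two blank lines added before the loop can go.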
@@ -1008,16 +1007,16 @@ class DB:
 
 
 # Add file print to database for ignored packages
-current_print = self.filePrint(source_ignore_unreported)
+current_print = self.filePrint(source_ignored_unreported)
 cursor.execute(
 """INSERT OR REPLACE INTO inodeprints (inodeprint, file)
-VALUES (?, ?)""", (current_print, source_ignore_unreported))
+VALUES (?, ?)""", (current_print, source_ignored_unreported))
 
 if self.verbose:
 print("  update ignored packages")
 
 # Read list of packages, which should be ignored for the 
status/unreported
-self.readRemovedAndIgnoredPackages(cursor, source_ignore_unreported, 
table = "ignored_packages")
+self.readRemovedAndIgnoredPackages(cursor, source_ignored_unreported, 
table = "ignored_packages")
 
 
 errors = []
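Review bot: `self.filePrint(source_ignored_unreported)` and `self.readRemovedAndIgnoredPackages(cursor, source_ignored_unreported, ...)` receive the name without the `path` prefix, while the change check in the first hunk tests `path + filename`. Unless the process runs from the directory `path` refers to, these calls read a different file from the one that was checked. Pass the prefixed path here as well.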



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bac5fccf07af52fc6a3085cd6be7f829283d6ed8



[Git][security-tracker-team/security-tracker][master] LTS: take c-ares and openimageio)

2023-05-24 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
65bd13ae by Anton Gladky at 2023-05-24T13:58:05+02:00
LTS: take c-ares and openimageio)

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -13,7 +13,7 @@ To make it easier to see the entire history of an update, 
please append notes
 rather than remove/replace existing ones.
 
 --
-c-ares
+c-ares (gladk)
   NOTE: 20230523: Programming language: C.
   NOTE: 20230523: VCS: https://salsa.debian.org/lts-team/packages/c-ares.git
 --
@@ -114,7 +114,7 @@ nvidia-cuda-toolkit
   NOTE: 20230514: package listed in packages-to-support; a bunch of CVEs have
   NOTE: 20230514: piled up. (utkarsh)
 --
-openimageio
+openimageio (gladk)
   NOTE: 20230406: Programming language: C.
   NOTE: 20230406: VCS: 
https://salsa.debian.org/lts-team/packages/openimageio.git
   NOTE: 20230508: WIP



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/65bd13ae703aaf873f760b5edb6b7cf5f72b657a



[Git][security-tracker-team/security-tracker][master] LTS: add libssh to dla-needed.txt

2023-05-20 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4fd52af7 by Anton Gladky at 2023-05-20T09:29:32+02:00
LTS: add libssh to dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -75,6 +75,10 @@ libraw
   NOTE: 20230520: Programming language: C++.
   NOTE: 20230520: VCS: https://salsa.debian.org/lts-team/packages/libraw.git
 --
+libssh
+  NOTE: 20230520: Programming language: C.
+  NOTE: 20230520: VCS: https://salsa.debian.org/lts-team/packages/libssh.git
+--
 linux (Ben Hutchings)
   NOTE: 20230111: Programming language: C
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4fd52af7b00ac065c63243fc69461ebfd3933a06



[Git][security-tracker-team/security-tracker][master] LTS: add libraw to dla-needed.txt

2023-05-20 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0cf00fb8 by Anton Gladky at 2023-05-20T09:26:02+02:00
LTS: add libraw to dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -71,6 +71,10 @@ libfastjson (Thorsten Alteholz)
   NOTE: 20230507: Programming language: C.
   NOTE: 20230507: the CVE was fixed in json-c already
 --
+libraw
+  NOTE: 20230520: Programming language: C++.
+  NOTE: 20230520: VCS: https://salsa.debian.org/lts-team/packages/libraw.git
+--
 linux (Ben Hutchings)
   NOTE: 20230111: Programming language: C
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0cf00fb891ba75ad19b8047f3e862b753c81a522



[Git][security-tracker-team/security-tracker][master] 2 commits: Revert "LTS: add libpcap to dla-needed.txt"

2023-05-17 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4449ecac by Anton Gladky at 2023-05-17T23:11:08+02:00
Revert LTS: add libpcap to dla-needed.txt

This reverts commit 5b2bcfaa20e12d0c90eb3999fba8b6e942e201ab.

- - - - -
7f3ee2c5 by Anton Gladky at 2023-05-17T23:11:42+02:00
LTS: add libcap2 to dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -62,14 +62,14 @@ hdf5 (tobi)
   NOTE: 20230506: tried to triage… seems to be that only sensible way forward 
would be to update to a newer version in the 1.10.x
   NOTE: 20230506: line. Still then, state of CVEs are unknown if they have 
been fixed. 1.10.11 is scheduled for September. (tobi)
 --
+libcap2
+  NOTE: 20230517: Programming language: C.
+  NOTE: 20230517: VCS: https://salsa.debian.org/lts-team/packages/libcap2.git
+--
 libfastjson (Thorsten Alteholz)
   NOTE: 20230507: Programming language: C.
   NOTE: 20230507: the CVE was fixed in json-c already
 --
-libpcap
-  NOTE: 20230516: Programming language: C.
-  NOTE: 20230516: VCS: https://salsa.debian.org/lts-team/packages/libpcap.git
---
 linux (Ben Hutchings)
   NOTE: 20230111: Programming language: C
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9df0780563e09ac014a0740faab922481a1c2999...7f3ee2c5ddd26950afec90eb94a93d639ba5209b



[Git][security-tracker-team/security-tracker][master] LTS: add libpcap to dla-needed.txt

2023-05-16 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5b2bcfaa by Anton Gladky at 2023-05-16T22:39:34+02:00
LTS: add libpcap to dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -63,6 +63,10 @@ libfastjson (Thorsten Alteholz)
   NOTE: 20230507: Programming language: C.
   NOTE: 20230507: the CVE was fixed in json-c already
 --
+libpcap
+  NOTE: 20230516: Programming language: C.
+  NOTE: 20230516: VCS: https://salsa.debian.org/lts-team/packages/libpcap.git
+--
 linux (Ben Hutchings)
   NOTE: 20230111: Programming language: C
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b2bcfaa20e12d0c90eb3999fba8b6e942e201ab



[Git][security-tracker-team/security-tracker][master] LTS: status update

2023-05-07 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
736c6dd3 by Anton Gladky at 2023-05-08T06:37:55+02:00
LTS: status update

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -144,6 +144,7 @@ nvidia-graphics-drivers-legacy-390xx (tobi)
 openimageio (gladk)
   NOTE: 20230406: Programming language: C.
   NOTE: 20230406: VCS: 
https://salsa.debian.org/lts-team/packages/openimageio.git
+  NOTE: 20230508: WIP
 --
 openjdk-11 (Emilio)
   NOTE: 20230419: Programming language: Java.
@@ -236,6 +237,7 @@ sqlparse (guilhem)
 sssd (gladk)
   NOTE: 20230131: Programming language: C.
   NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git
+  NOTE: 20230508: WIP
 --
 webkit2gtk (Emilio)
   NOTE: 20230503: Programming language: C++.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/736c6dd358bc522f22d220848f635e54cdc4983a



[Git][security-tracker-team/security-tracker][master] LTS: take openimageio

2023-04-30 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f9c17a67 by Anton Gladky at 2023-04-30T23:21:17+02:00
LTS: take openimageio

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -153,7 +153,7 @@ nvidia-graphics-drivers-legacy-390xx
   NOTE: 20230103: https://lists.debian.org/debian-lts/2023/01/msg5.html
   NOTE: 20230111: VCS: 
https://salsa.debian.org/lts-team/packages/nvidia-graphics-drivers-legacy-390xx.git
 --
-openimageio
+openimageio (gladk)
   NOTE: 20230406: Programming language: C.
   NOTE: 20230406: VCS: 
https://salsa.debian.org/lts-team/packages/openimageio.git
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f9c17a6758cac3e85c5bc325a5780de769411358



[Git][security-tracker-team/security-tracker][master] LTS: update notes on docker

2023-04-23 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
aa52fed0 by Anton Gladky at 2023-04-24T06:51:20+02:00
LTS: update notes on docker

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -44,7 +44,7 @@ docker.io (gladk)
   NOTE: 20230303: Programming language: Go.
   NOTE: 20230303: Follow fixes from bullseye 11.2 (Beuc/front-desk)
   NOTE: 20230320: VCS: https://salsa.debian.org/lts-team/packages/docker.io.git
-  NOTE: 20230410: WIP
+  NOTE: 20230424: Is in preparation.
 --
 emacs
   NOTE: 20230223: Programming language: Lisp.
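Review bot: The '20230410: WIP' note on docker.io is replaced rather than kept, while the header of dla-needed.txt asks contributors to append notes instead of removing or replacing existing ones so the history of an update stays visible. Keep the 20230410 line and add '20230424: Is in preparation.' below it.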



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aa52fed0da18d50ad4178c3c127106b70c4f379f



[Git][security-tracker-team/security-tracker][master] LTS: take sssd

2023-04-23 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ae250c31 by Anton Gladky at 2023-04-24T06:45:30+02:00
LTS: take sssd

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -287,7 +287,7 @@ sniproxy (Thorsten Alteholz)
   NOTE: 20230423: Programming language: C.
   NOTE: 20230423: Rather severe issue but very few users. (opal).
 --
-sssd
+sssd (gladk)
   NOTE: 20230131: Programming language: C.
   NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ae250c31b4ef95926bf34a25ac5f5df8a8dcef17



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3399-1 for 389-ds-base

2023-04-23 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b660147b by Anton Gladky at 2023-04-24T06:28:47+02:00
Reserve DLA-3399-1 for 389-ds-base

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -135609,7 +135609,6 @@ CVE-2021-36768
 CVE-2021-3652 (A flaw was found in 389-ds-base. If an asterisk is imported as 
passwor ...)
- 389-ds-base 1.4.4.17-1 (bug #991405)
[bullseye] - 389-ds-base  (Minor issue)
-   [buster] - 389-ds-base  (Minor issue)
[stretch] - 389-ds-base  (Minor issue)
NOTE: https://github.com/389ds/389-ds-base/issues/4817
NOTE: 
https://github.com/389ds/389-ds-base/commit/aeb90eb0c41fc48541d983f323c627b2e6c328c7
 (master)
@@ -148060,7 +148059,6 @@ CVE-2021-3515 (A shell injection flaw was found in 
pglogical in versions before
NOTE: 
https://github.com/2ndQuadrant/pglogical/commit/95c0e8981485e09efab6821cf55a4e27b086efe5
 CVE-2021-3514 (When using a sync_repl client in 389-ds-base, an authenticated 
attacke ...)
- 389-ds-base 1.4.4.11-2 (bug #988727)
-   [buster] - 389-ds-base  (Minor issue)
[stretch] - 389-ds-base  (Minor issue)
NOTE: https://github.com/389ds/389-ds-base/issues/4711
 CVE-2021-31829 (kernel/bpf/verifier.c in the Linux kernel through 5.12.1 
performs unde ...)
@@ -273758,7 +273756,6 @@ CVE-2019-14825 (A cleartext password storage issue 
was discovered in Katello, ve
 CVE-2019-14824 (A flaw was found in the 'deref' plugin of 389-ds-base where it 
could u ...)
{DLA-2004-1}
- 389-ds-base 1.4.2.4-1 (bug #944150)
-   [buster] - 389-ds-base  (Minor issue)
[stretch] - 389-ds-base  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1747448
NOTE: https://pagure.io/freeipa/issue/8050
@@ -288164,7 +288161,6 @@ CVE-2019-10225 (A flaw was found in atomic-openshift 
of openshift-4.2 where the
NOT-FOR-US: OpenShift
 CVE-2019-10224 (A flaw has been found in 389-ds-base versions 1.4.x.x before 
1.4.1.3.  ...)
- 389-ds-base 1.4.1.5-1
-   [buster] - 389-ds-base  (Minor issue)
[stretch] - 389-ds-base  (vulnerable code not present)
[jessie] - 389-ds-base  (vulnerable code not present)
- python-lib389 
@@ -305557,7 +305553,6 @@ CVE-2019-3884 (A vulnerability exists in the garbage 
collection mechanism of ato
 CVE-2019-3883 (In 389-ds-base up to version 1.4.1.2, requests are handled by 
workers  ...)
{DLA-1779-1}
- 389-ds-base 1.4.1.5-1 (bug #927939)
-   [buster] - 389-ds-base  (Minor issue)
[stretch] - 389-ds-base  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1693612
NOTE: https://pagure.io/389-ds-base/issue/50329


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[24 Apr 2023] DLA-3399-1 389-ds-base - security update
+   {CVE-2019-3883 CVE-2019-10224 CVE-2019-14824 CVE-2021-3514 
CVE-2021-3652 CVE-2021-4091 CVE-2022-0918 CVE-2022-0996 CVE-2022-2850}
+   [buster] - 389-ds-base 1.4.0.21-1+deb10u1
 [21 Apr 2023] DLA-3398-1 curl - security update
{CVE-2023-27533 CVE-2023-27535 CVE-2023-27536 CVE-2023-27538}
[buster] - curl 7.64.0-4+deb10u6


=
data/dla-needed.txt
=
@@ -12,13 +12,6 @@ 
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 To make it easier to see the entire history of an update, please append notes
 rather than remove/replace existing ones.
 
---
-389-ds-base (gladk)
-  NOTE: 20221231: Programming language: C.
-  NOTE: 20221231: Few users. Low prio. (opal).
-  NOTE: 20230206: VCS: 
https://salsa.debian.org/lts-team/packages/389-ds-base.git
-  NOTE: 20230327: test new CI
-  NOTE: 20230410: WIP
 --
 apache2 (rouca)
   NOTE: 20230312: Programming language: C.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b660147bd0488607a08ede7cbfb06fd807991db3



[Git][security-tracker-team/security-tracker][master] Add link to github issue of CVE-2019-14824

2023-04-20 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d1d13493 by Anton Gladky at 2023-04-21T06:34:25+02:00
Add link to github issue of CVE-2019-14824

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -273340,6 +273340,7 @@ CVE-2019-14824 (A flaw was found in the 'deref' 
plugin of 389-ds-base where it c
[stretch] - 389-ds-base  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1747448
NOTE: https://pagure.io/freeipa/issue/8050
+  NOTE: https://github.com/389ds/389-ds-base/issues/3771
 CVE-2019-14823 (A flaw was found in the "Leaf and Chain" OCSP policy 
implementation in ...)
- jss 4.6.2-1 (bug #942463)
[buster] - jss  (Vulnerable code backported only in 4.5.3 
onwards)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d1d1349352aab7381e2169372959e2dcc81299e0



[Git][security-tracker-team/security-tracker][master] CVE-2022-1949 mark as ignored for buster

2023-04-18 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4d0d4bd4 by Anton Gladky at 2023-04-19T06:45:22+02:00
CVE-2022-1949 mark as ignored for buster

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -74312,6 +74312,7 @@ CVE-2022-1950 (The Youzify WordPress plugin before 
1.2.0 does not sanitise and e
NOT-FOR-US: WordPress plugin
 CVE-2022-1949 (An access control bypass vulnerability found in 389-ds-base. 
That mish ...)
- 389-ds-base 2.3.1-1 (bug #1016446)
+   [buster] - 389-ds-base  (Too intrusive too backport)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2091781
NOTE: https://github.com/389ds/389-ds-base/issues/5170
NOTE: Fixed by: 
https://github.com/389ds/389-ds-base/commit/a444d3454bd719ac161c30d638983ab0ff66f1b8
 (389-ds-base-2.0.16)
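Review bot: The added [buster] line gives the reason as '(Too intrusive too backport)'; the second 'too' should be 'to'. Change it to '(Too intrusive to backport)'.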



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4d0d4bd47c6264bed5e67d9f88353328fbb71264



[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: WIP two packages

2023-04-10 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bf957a88 by Anton Gladky at 2023-04-10T16:39:45+02:00
LTS: WIP two packages

- - - - -
261cacf9 by Anton Gladky at 2023-04-10T16:40:41+02:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -17,7 +17,8 @@ rather than remove/replace existing ones.
   NOTE: 20221231: Programming language: C.
   NOTE: 20221231: Few users. Low prio. (opal).
   NOTE: 20230206: VCS: 
https://salsa.debian.org/lts-team/packages/389-ds-base.git
-  NOTE: 20230227: test new CI
+  NOTE: 20230327: test new CI
+  NOTE: 20230410: WIP
 --
 apache2 (rouca)
   NOTE: 20230312: Programming language: C.
@@ -25,7 +26,7 @@ apache2 (rouca)
   NOTE: 20230312: Special attention: Double check an update! Package is used 
by many customers and users!.
   NOTE: 20230326: VCS: https://salsa.debian.org/apache-team/apache2. Yadd is 
ok for using apache2 salsa tree
 --
-cairosvg (Chris Lamb)
+cairosvg
   NOTE: 20230323: Programming language: Python.
 --
 ceph
@@ -44,7 +45,7 @@ consul (Abhijith PA)
   NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/consul.git
   NOTE: 20230423: WIP, Fixed CVE-2018-19653 (abhijith)
 --
-curl (holger)
+curl
   NOTE: 20230321: Programming language: C.
   NOTE: 20230321: VCS: https://salsa.debian.org/lts-team/packages/curl.git
   NOTE: 20230321: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/curl.html
@@ -54,8 +55,9 @@ docker.io (gladk)
   NOTE: 20230303: Programming language: Go.
   NOTE: 20230303: Follow fixes from bullseye 11.2 (Beuc/front-desk)
   NOTE: 20230320: VCS: https://salsa.debian.org/lts-team/packages/docker.io.git
+  NOTE: 20230410: WIP
 --
-emacs (Adrian Bunk)
+emacs
   NOTE: 20230223: Programming language: Lisp.
   NOTE: 20230223: VCS: https://salsa.debian.org/lts-team/packages/emacs.git
   NOTE: 20230228: Waiting for confirmation that CVE-2022-48337 regression
@@ -219,7 +221,7 @@ python-oslo.privsep
   NOTE: 20221231: Programming language: Python.
   NOTE: 20230206: VCS: 
https://salsa.debian.org/lts-team/packages/python-oslo.privsep.git
 --
-python3.7 (Adrian Bunk)
+python3.7
   NOTE: 20230220: Programming language: Python.
   NOTE: 20230220: VCS: https://salsa.debian.org/lts-team/packages/python3.7.git
   NOTE: 20230220: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/python.html
@@ -281,7 +283,7 @@ salt
   NOTE: 20221209: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/salt.html
   NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/salt.git
 --
-samba (Lee Garrett)
+samba
   NOTE: 20220904: Programming language: C.
   NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/samba.git
   NOTE: 20220904: Special attention: High popcon! Used in many servers.
@@ -296,7 +298,7 @@ tinymce
   NOTE: 20221227: Programming language: PHP.
   NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/tinymce.git
 --
-wordpress (guilhem)
+wordpress
   NOTE: 20230302: Programming language: PHP.
   NOTE: 20230302: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/wordpress.html
   NOTE: 20230302: buster is 6 CVEs behind bullseye (Beuc/front-desk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cd9c051a662d88b75596fa739e93e04d580ac831...261cacf9eec8bce9783622b3a4a46fea5ea4fa5c



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2023-04-02 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3b248745 by Anton Gladky at 2023-04-03T07:31:51+02:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -38,7 +38,7 @@ ceph
   NOTE: 20230102:   [buster] - ceph  (ceph-crash service added 
in Ceph 14) (stefanor)
   NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/ceph.git
 --
-consul (Abhijith PA)
+consul
   NOTE: 20221031: Programming language: Go.
   NOTE: 20221031: Concluded that the package should be fixed by the CVE 
description. Source code not analyzed in detail.
   NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/consul.git
@@ -170,7 +170,7 @@ nvidia-graphics-drivers-legacy-390xx
   NOTE: 20230103: https://lists.debian.org/debian-lts/2023/01/msg5.html
   NOTE: 20230111: VCS: 
https://salsa.debian.org/lts-team/packages/nvidia-graphics-drivers-legacy-390xx.git
 --
-openimageio (Markus Koschany)
+openimageio
   NOTE: 20221225: Programming language: C.
   NOTE: 20221225: VCS: 
https://salsa.debian.org/lts-team/packages/openimageio.git
   NOTE: 20220313: will be released today (apo)
@@ -240,7 +240,7 @@ ring
   NOTE: 20221120: Programming language: C.
   NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/ring.git
 --
-ruby-loofah (Daniel Leidert)
+ruby-loofah
   NOTE: 20221231: Programming language: Ruby.
   NOTE: 20230206: VCS: 
https://salsa.debian.org/lts-team/packages/ruby-loofah.git
   NOTE: 20230313: Pinged Daniel re. patches in repo ^. (lamby)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b248745145a36b5dcfee154245d4ee0436cb713



[Git][security-tracker-team/security-tracker][master] 2 commits: Mark CVE-2019-6245 and CVE-2019-6247 as fixed in 1.3.0+dfsg1-5

2023-03-31 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
de9e9f62 by Anton Gladky at 2023-03-31T21:36:03+02:00
Mark CVE-2019-6245 and CVE-2019-6247 as fixed in 1.3.0+dfsg1-5

- - - - -
6feb617f by Anton Gladky at 2023-03-31T21:37:10+02:00
Reserve DLA-3376-1 for svgpp

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -104104,7 +104104,6 @@ CVE-2021-44961 (A memory leakage flaw exists in the 
class PerimeterGenerator of
 CVE-2021-44960 (In SVGPP SVG++ library 1.3.0, the XMLDocument::getRoot 
function in the ...)
- svgpp 1.3.0+dfsg1-5 (bug #1014599)
[bullseye] - svgpp  (Minor issue)
-   [buster] - svgpp  (Minor issue)
NOTE: https://github.com/svgpp/svgpp/issues/101
NOTE: 
https://github.com/svgpp/svgpp/commit/0bc57f2cc6d9d86a0fa1ce73e508c2b5994b4b91
 CVE-2021-44959
@@ -293893,7 +293892,7 @@ CVE-2019-6250 (A pointer overflow, with code 
execution, was discovered in ZeroMQ
 CVE-2019-6248 (PHP Scripts Mall Citysearch / Hotfrog / Gelbeseiten Clone 
Script 2.0.1 ...)
NOT-FOR-US: PHP Scripts Mall Citysearch / Hotfrog / Gelbeseiten Clone 
Script
 CVE-2019-6247 (An issue was discovered in Anti-Grain Geometry (AGG) 2.4 as 
used in SV ...)
-   - svgpp  (unimportant; bug #919321)
+   - svgpp 1.3.0+dfsg1-5 (unimportant; bug #919321)
NOTE: https://github.com/svgpp/svgpp/issues/70
NOTE: Issue only in src:svgpp which does not call the AGG-API in 
correct way.
NOTE: No security impact, only used to build examples, see #921097
@@ -293903,7 +293902,7 @@ CVE-2019-6246 (An issue was discovered in SVG++ (aka 
svgpp) 1.2.3. After calling
 CVE-2019-6245 (An issue was discovered in Anti-Grain Geometry (AGG) 2.4 as 
used in SV ...)
{DLA-2872-1 DLA-1656-1}
- agg 1:2.4-r127+dfsg1-1 (low; bug #919322)
-   - svgpp  (unimportant; bug #919321)
+   - svgpp 1.3.0+dfsg1-5 (unimportant; bug #919321)
NOTE: https://github.com/svgpp/svgpp/issues/70
NOTE: Fixed in src:agg with: https://sourceforge.net/p/agg/svn/119/
NOTE: and possibly already fixed with the inclusion of 
05-fix-recursion-crash.patch


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[31 Mar 2023] DLA-3376-1 svgpp - security update
+   {CVE-2019-6245 CVE-2019-6247 CVE-2021-44960}
+   [buster] - svgpp 1.2.3+dfsg1-6+deb10u1
 [31 Mar 2023] DLA-3375-1 xrdp - security update
{CVE-2022-23480 CVE-2022-23481 CVE-2022-23482}
[buster] - xrdp 0.9.9-1+deb10u3


=
data/dla-needed.txt
=
@@ -291,10 +291,6 @@ sssd
   NOTE: 20230131: Programming language: C.
   NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git
 --
-svgpp (gladk)
-  NOTE: 20230322: Programming language: C++.
-  NOTE: 20230322: VCS: https://salsa.debian.org/debian/svgpp.git
---
 systemd (Adrian Bunk)
   NOTE: 20230304: Programming language: C.
   NOTE: 20230304: VCS: https://salsa.debian.org/lts-team/packages/systemd.git



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6e99681b66d193025dcb6c7bec6eefe7e84118c3...6feb617f5b61d124076a91a5fa1d2de356fcaf62



[Git][security-tracker-team/security-tracker][master] 3 commits: LTS: add hotspot to dla-needed.txt

2023-03-26 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b483632b by Anton Gladky at 2023-03-27T06:01:55+02:00
LTS: add hotspot to dla-needed.txt

- - - - -
189be72a by Anton Gladky at 2023-03-27T06:01:55+02:00
LTS: add json-smart to dla-needed.txt

- - - - -
20d75842 by Anton Gladky at 2023-03-27T06:40:01+02:00
LTS: update notes for 389-ds-base

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -17,6 +17,7 @@ rather than remove/replace existing ones.
   NOTE: 20221231: Programming language: C.
   NOTE: 20221231: Few users. Low prio. (opal).
   NOTE: 20230206: VCS: 
https://salsa.debian.org/lts-team/packages/389-ds-base.git
+  NOTE: 20230227: test new CI
 --
 apache2
   NOTE: 20230312: Programming language: C.
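
Review bot: The added 389-ds-base note is stamped 20230227, but the commit that adds it (20d75842) is dated 2023-03-27 and the other entries added in this push carry 202303xx stamps, so this looks like a month typo for 20230327. "test new CI" also does not say what was tested or how it turned out; a pipeline link or a one-word result would make the note useful to whoever picks the package up next.
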
@@ -120,6 +121,9 @@ hdf5
   NOTE: 20230318: Enrico did some work around hdf5* packaging in the past, 
probably
   NOTE: 20230318: sync w/ him. (utkarsh)
 --
+hotspot
+  NOTE: 20230324: Programming language: C++.
+--
 intel-microcode (tobi)
   NOTE: 20230219: Programming language: Binary blob.
   NOTE: 20230219: VCS: 
https://salsa.debian.org/lts-team/packages/intel-microcode.git
@@ -127,6 +131,9 @@ intel-microcode (tobi)
   NOTE: 20230312: uploaded to DELAYED/5 for unstable.
   NOTE: 20230317: now in unstable. prepared SPU for bullseye (#1033079), 
prepared update for buster, stretch and jessie, available in LTS repo. (tobi)
 --
+json-smart
+  NOTE: 20230324: Programming language: Java.
+--
 libmicrohttpd (Thorsten Alteholz)
   NOTE: 20230313: Programming language: C.
   NOTE: 20230326: testing package



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fc28cbbea8b9ba52d5b8952a979ce95979363c38...20d7584284af7e241629d731c16f387e043141c0



[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add cairosvg to dla-needed.txt

2023-03-22 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d9a4b6ef by Anton Gladky at 2023-03-23T06:35:18+01:00
LTS: add cairosvg to dla-needed.txt

- - - - -
4eb3147e by Anton Gladky at 2023-03-23T06:39:48+01:00
Mark CVE-2023-1289 as postponed for buster

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -2536,6 +2536,7 @@ CVE-2023-1289
RESERVED
- imagemagick  (bug #1033254)
[bullseye] - imagemagick  (Minor issue)
+   [buster] - imagemagick  (Should be fixed together with some 
other CVEs)
NOTE: 
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-j96m-mjp6-99xr
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/c5b23cbf2119540725e6dc81f4deb25798ead6a4
 CVE-2023-1288 (An XML External Entity injection (XXE) vulnerability in ENOVIA 
Live Co ...)


=
data/dla-needed.txt
=
@@ -23,6 +23,9 @@ apache2
   NOTE: 20230312: VCS: https://salsa.debian.org/lts-team/packages/apache2.git
   NOTE: 20230312: Special attention: Double check an update! Package is used 
by many customers and users!.
 --
+cairosvg
+  NOTE: 20230323: Programming language: Python.
+--
 ceph
   NOTE: 20221031: Programming language: C++.
   NOTE: 20221031: To be checked further. Not clear whether the vulnerability 
can be exploited in a Debian system.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ed43841f38719e4bc2339a4b3daf89f5bf9b47a7...4eb3147efe322b3bd57a98dc2736db546cda8fe7



[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add svgpp to dla-needed.txt

2023-03-22 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
17bb2f30 by Anton Gladky at 2023-03-22T07:11:00+01:00
LTS: add svgpp to dla-needed.txt

- - - - -
fe799dff by Anton Gladky at 2023-03-22T07:11:49+01:00
LTS: assign svgpp to myself (maintainer)

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -305,6 +305,10 @@ sssd
   NOTE: 20230131: Programming language: C.
   NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git
 --
+svgpp (gladk)
+  NOTE: 20230322: Programming language: C++.
+  NOTE: 20230322: VCS: https://salsa.debian.org/debian/svgpp.git
+--
 systemd (Adrian Bunk)
   NOTE: 20230304: Programming language: C.
   NOTE: 20230304: VCS: https://salsa.debian.org/lts-team/packages/systemd.git



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c470665c346af3b9508c7e109bde5873652a1aa0...fe799dff9e776c98e6e051f21bee347c8b318ae6



[Git][security-tracker-team/security-tracker][master] 2 commits: Mark 3 gpac CVEs as EOL for buster

2023-03-20 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e1df97c1 by Anton Gladky at 2023-03-21T06:35:41+01:00
Mark 3 gpac CVEs as EOL for buster

- - - - -
e8a8f822 by Anton Gladky at 2023-03-21T06:36:40+01:00
LTS: add curl to dla-needed.txt

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -502,6 +502,7 @@ CVE-2023-1453 (A vulnerability was found in Watchdog 
Anti-Virus 1.4.214.0. It ha
NOT-FOR-US: Watchdog Anti-Virus
 CVE-2023-1452 (A vulnerability was found in GPAC 
2.3-DEV-rev35-gbbca86917-master. It  ...)
- gpac 
+   [buster] - gpac  (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2386
NOTE: 
https://github.com/gpac/gpac/commit/a5efec8187de02d1f0a412140b0bf030a6747d3f
 CVE-2023-1451 (A vulnerability was found in MP4v2 2.1.2. It has been 
classified as pr ...)
@@ -510,10 +511,12 @@ CVE-2023-1450 (A vulnerability was found in MP4v2 2.1.2 
and classified as proble
NOT-FOR-US: MP4v2
 CVE-2023-1449 (A vulnerability has been found in GPAC 
2.3-DEV-rev35-gbbca86917-master ...)
- gpac 
+   [buster] - gpac  (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2387
NOTE: 
https://github.com/gpac/gpac/commit/8ebbfd61c73d61a2913721a492e5a81fb8d9f9a9
 CVE-2023-1448 (A vulnerability, which was classified as problematic, was found 
in GPA ...)
- gpac 
+   [buster] - gpac  (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2388
NOTE: 
https://github.com/gpac/gpac/commit/8db20cb634a546c536c31caac94e1f74b778b463
 CVE-2023-1447 (A vulnerability, which was classified as problematic, has been 
found i ...)


=
data/dla-needed.txt
=
@@ -38,6 +38,12 @@ consul (Abhijith PA)
   NOTE: 20221031: Concluded that the package should be fixed by the CVE 
description. Source code not analyzed in detail.
   NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/consul.git
 --
+curl
+  NOTE: 20230321: Programming language: C.
+  NOTE: 20230321: VCS: https://salsa.debian.org/lts-team/packages/curl.git
+  NOTE: 20230321: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/curl.html
+  NOTE: 20230321: Special attention: High popcon! Roberto has some experience 
with the package..
+--
 docker.io (gladk)
   NOTE: 20230303: Programming language: Go.
   NOTE: 20230303: Follow fixes from bullseye 11.2 (Beuc/front-desk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f5a4f2c3e631fe6577ae35f57f400d907c83f9ee...e8a8f822978be6c1491f202a03e7122b827bb87e



[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: Add VCS for docker

2023-03-20 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9f81daa3 by Anton Gladky at 2023-03-21T06:21:29+01:00
LTS: Add VCS for docker

- - - - -
004bec61 by Anton Gladky at 2023-03-21T06:21:29+01:00
LTS: swap FDs

- - - - -


2 changed files:

- data/dla-needed.txt
- org/lts-frontdesk.2023.txt


Changes:

=
data/dla-needed.txt
=
@@ -41,6 +41,7 @@ consul (Abhijith PA)
 docker.io (gladk)
   NOTE: 20230303: Programming language: Go.
   NOTE: 20230303: Follow fixes from bullseye 11.2 (Beuc/front-desk)
+  NOTE: 20230320: VCS: https://salsa.debian.org/lts-team/packages/docker.io.git
 --
 duktape (Thorsten Alteholz, maintainer)
   NOTE: 20230311: Programming language: C.


=
org/lts-frontdesk.2023.txt
=
@@ -11,10 +11,10 @@ From 06-03 to 12-03:Thorsten Alteholz 

 From 13-03 to 19-03:Utkarsh Gupta 
 From 20-03 to 26-03:Anton Gladky 
 From 27-03 to 02-04:Chris Lamb 
-From 03-04 to 09-04:Emilio Pozuelo Monfort 
+From 03-04 to 09-04:Sylvain Beucler 
 From 10-04 to 16-04:Markus Koschany 
 From 17-04 to 23-04:Ola Lundqvist 
-From 24-04 to 30-04:Sylvain Beucler 
+From 24-04 to 30-04:Emilio Pozuelo Monfort 
 From 01-05 to 07-05:Thorsten Alteholz 
 From 08-05 to 14-05:Utkarsh Gupta 
 From 15-05 to 21-05:Anton Gladky 
@@ -49,4 +49,4 @@ From 27-11 to 03-12:
 From 04-12 to 10-12:
 From 11-12 to 17-12:
 From 18-12 to 24-12:
-From 25-12 to 31-12:
\ No newline at end of file
+From 25-12 to 31-12:



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fcd20a665c3042f779bc3e215fb16ace6dff1c29...004bec61aedcc2f263a0ce3dac8cfc7599e6cd93



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2023-03-19 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ea5ad6b5 by Anton Gladky at 2023-03-20T06:28:06+01:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -46,7 +46,7 @@ duktape (Thorsten Alteholz, maintainer)
   NOTE: 20230311: Programming language: C.
   NOTE: 20230311: Maintainer notes: Maintainer prepares o-o-s updates.
 --
-emacs (Adrian Bunk)
+emacs
   NOTE: 20230223: Programming language: Lisp.
   NOTE: 20230223: VCS: https://salsa.debian.org/lts-team/packages/emacs.git
   NOTE: 20230228: Waiting for confirmation that CVE-2022-48337 regression
@@ -58,7 +58,7 @@ erlang
   NOTE: 20230111: VCS: https://salsa.debian.org/erlang-team/packages/erlang
   NOTE: 20230111: Maintainer notes: Coordinate with maintainer, whether their 
VCS can be used.
 --
-firmware-nonfree (tobi)
+firmware-nonfree
   NOTE: 20220906: Consider to check the severity of the issues again and judge 
whether a correction is worth it.
   NOTE: 20221204: Coming soon in the first week of December. (apo)
   NOTE: 20221211: Programming language: Binary blob
@@ -133,7 +133,7 @@ man2html
   NOTE: 20230226: I would prefer to fix it instead of ignoring. (gladk)
   NOTE: 20230226: It looks like upstream is dead. Patch needs to be written. 
(gladk)
 --
-mariadb-10.3 (Emilio)
+mariadb-10.3
   NOTE: 20230225: Programming language: C.
   NOTE: 20230225: VCS: 
https://salsa.debian.org/mariadb-team/mariadb-10.3/-/commits/buster
   NOTE: 20230225: Testsuite: 
https://lists.debian.org/debian-lts/2019/07/msg00049.html
@@ -145,7 +145,7 @@ netatalk
   NOTE: 20221212: VCS: https://salsa.debian.org/lts-team/packages/netatalk
   NOTE: 20221212: Work is ongoing. CVE-2022-0194 is probably too intrusive. 
(gladk)
 --
-nheko (Dominik George)
+nheko
   NOTE: 20230101: Programming language: C++.
   NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/nheko.git
 --
@@ -217,7 +217,7 @@ python-oslo.privsep
   NOTE: 20221231: Programming language: Python.
   NOTE: 20230206: VCS: 
https://salsa.debian.org/lts-team/packages/python-oslo.privsep.git
 --
-python3.7 (Adrian Bunk)
+python3.7
   NOTE: 20230220: Programming language: Python.
   NOTE: 20230220: VCS: https://salsa.debian.org/lts-team/packages/python3.7.git
   NOTE: 20230220: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/python.html
@@ -270,7 +270,7 @@ ruby-rails-html-sanitizer
   NOTE: 20221231: VCS: 
https://salsa.debian.org/lts-team/packages/ruby-rails-html-sanitizer.git
   NOTE: 20230303: this cannot be fixed unless ruby-loofah is fixed with 
appropriate methods. (utkarsh)
 --
-runc (Sylvain Beucler)
+runc
   NOTE: 20220905: Programming language: Go.
   NOTE: 20220905: Special attention: Sync with Bullseye.
   NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/runc.git
@@ -297,11 +297,11 @@ sox (Helmut Grohne)
   NOTE: 20230313: Programming language: C.
   NOTE: 20230313: VCS: https://salsa.debian.org/lts-team/packages/sox.git
 --
-sssd (Dominik George)
+sssd
   NOTE: 20230131: Programming language: C.
   NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git
 --
-systemd (Adrian Bunk)
+systemd
   NOTE: 20230304: Programming language: C.
   NOTE: 20230304: VCS: https://salsa.debian.org/lts-team/packages/systemd.git
   NOTE: 20230304: Special attention: High popcon! Used almost by all systems!.
@@ -321,12 +321,12 @@ trafficserver
NOTE: 20230209: could find informatin for CVE-2022-31779, might be the same 
fix as CVE-2022-31778 (marked as to be ignored), but no proof on that…
NOTE: 20230209: not sure, maybe the safest way would be to update to 8.1.6. 

 --
-wordpress (guilhem)
+wordpress
   NOTE: 20230302: Programming language: PHP.
   NOTE: 20230302: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/wordpress.html
   NOTE: 20230302: buster is 6 CVEs behind bullseye (Beuc/front-desk)
 --
-xrdp (Dominik George)
+xrdp
   NOTE: 20221225: Programming language: C.
   NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/xrdp.git
   NOTE: 20230117: Fixed 6 out 10 CVEs. Testing (abhijith)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ea5ad6b559a41d46891e4000a20edf8a9597c43f



[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add sox to dla-needed.txt

2023-03-12 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
021f3208 by Anton Gladky at 2023-03-13T06:16:29+01:00
LTS: add sox to dla-needed.txt

- - - - -
5b85a46f by Anton Gladky at 2023-03-13T06:18:31+01:00
LTS: assign sox to Helmut.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -298,6 +298,10 @@ samba
   NOTE: 20220904: Special attention: High popcon! Used in many servers.
   NOTE: 20220904: Many postponed or open CVE in general. (apo)
 --
+sox (Helmut Grohne)
+  NOTE: 20230313: Programming language: C.
+  NOTE: 20230313: VCS: https://salsa.debian.org/lts-team/packages/sox.git
+--
 sssd (Dominik George)
   NOTE: 20230131: Programming language: C.
   NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2688047f171735c53f928803b7de4d837d65a79c...5b85a46f9368e1eb5237414c321e5f6960a18b32



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2023-03-12 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2688047f by Anton Gladky at 2023-03-13T06:06:55+01:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -117,7 +117,7 @@ libreoffice
 linux (Ben Hutchings)
   NOTE: 20230111: Programming language: C
 --
-man2html (gladk)
+man2html
   NOTE: 20221004: Programming language: C.
   NOTE: 20221004: It looks like not patch is available.
   NOTE: 20221004: Please evalulate, whether the issue can be marked as 
.
@@ -178,7 +178,7 @@ nvidia-graphics-drivers-legacy-390xx
   NOTE: 20230103: https://lists.debian.org/debian-lts/2023/01/msg5.html
   NOTE: 20230111: VCS: 
https://salsa.debian.org/lts-team/packages/nvidia-graphics-drivers-legacy-390xx.git
 --
-openimageio (Markus Koschany)
+openimageio
   NOTE: 20221225: Programming language: C.
   NOTE: 20221225: VCS: 
https://salsa.debian.org/lts-team/packages/openimageio.git
 --
@@ -262,7 +262,7 @@ ring
   NOTE: 20221120: Programming language: C.
   NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/ring.git
 --
-ruby-loofah (Daniel Leidert)
+ruby-loofah
   NOTE: 20221231: Programming language: Ruby.
   NOTE: 20230206: VCS: 
https://salsa.debian.org/lts-team/packages/ruby-loofah.git
 --
@@ -292,7 +292,7 @@ salt
   NOTE: 20221209: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/salt.html
   NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/salt.git
 --
-samba (Lee Garrett)
+samba
   NOTE: 20220904: Programming language: C.
   NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/samba.git
   NOTE: 20220904: Special attention: High popcon! Used in many servers.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2688047f171735c53f928803b7de4d837d65a79c



[Git][security-tracker-team/security-tracker][master] LTS: take go

2023-03-12 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7707875b by Anton Gladky at 2023-03-13T06:06:37+01:00
LTS: take go

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -38,7 +38,7 @@ consul
   NOTE: 20221031: Concluded that the package should be fixed by the CVE 
description. Source code not analyzed in detail.
   NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/consul.git
 --
-docker.io
+docker.io (gladk)
   NOTE: 20230303: Programming language: Go.
   NOTE: 20230303: Follow fixes from bullseye 11.2 (Beuc/front-desk)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7707875beff34242158dbd57d637577abebf6ed7



[Git][security-tracker-team/security-tracker][master] LTS: take 389-ds-base

2023-03-12 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
392ff630 by Anton Gladky at 2023-03-12T21:52:23+01:00
LTS: take 389-ds-base

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -13,7 +13,7 @@ To make it easier to see the entire history of an update, 
please append notes
 rather than remove/replace existing ones.
 
 --
-389-ds-base
+389-ds-base (gladk)
   NOTE: 20221231: Programming language: C.
   NOTE: 20221231: Few users. Low prio. (opal).
   NOTE: 20230206: VCS: 
https://salsa.debian.org/lts-team/packages/389-ds-base.git



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/392ff63012d3b582d96f91198a57d66731325a92



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3353-1 for xfig

2023-03-05 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a06b1e53 by Anton Gladky at 2023-03-05T11:08:21+01:00
Reserve DLA-3353-1 for xfig

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[05 Mar 2023] DLA-3353-1 xfig - security update
+   {CVE-2021-40241}
+   [buster] - xfig 1:3.2.7a-3+deb10u1
 [04 Mar 2023] DLA-3352-1 libde265 - security update
{CVE-2023-24751 CVE-2023-24752 CVE-2023-24754 CVE-2023-24755 
CVE-2023-24756 CVE-2023-24757 CVE-2023-24758 CVE-2023-25221}
[buster] - libde265 1.0.11-0+deb10u4


=
data/dla-needed.txt
=
@@ -333,13 +333,6 @@ wordpress (guilhem)
   NOTE: 20230302: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/wordpress.html
   NOTE: 20230302: buster is 6 CVEs behind bullseye (Beuc/front-desk)
 --
-xfig (gladk)
-  NOTE: 20230105: Programming language: C.
-  NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk)
-  NOTE: 20230206: VCS: https://salsa.debian.org/debian/xfig
-  NOTE: 20230213: ddCommunication with the maintainer.
-  NOTE: 20230226: CVE-2021-4024 is prepared by maintainer.
---
 xrdp (Dominik George)
   NOTE: 20221225: Programming language: C.
   NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/xrdp.git



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a06b1e53448ac233c51c63409f7d8551d42b3245



[Git][security-tracker-team/security-tracker][master] Mark CVE-2009-4228 as not-affected

2023-03-05 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4ad5997f by Anton Gladky at 2023-03-05T10:43:14+01:00
Mark CVE-2009-4228 as not-affected

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -558863,7 +558863,7 @@ CVE-2009-4226 (Race condition in the IP module in the 
kernel in Sun OpenSolaris
 CVE-2009-4225 (Stack-based buffer overflow in the PestPatrol ActiveX control 
(ppctl.d ...)
NOT-FOR-US: PestPatrol
 CVE-2009-4228 (Stack consumption vulnerability in u_bound.c in Xfig 3.2.5b and 
earlie ...)
-   - xfig  (unimportant)
+   - xfig  (all available versions in archive are newer, 
than 3.2.5b)
 CVE-2009-4227 (Stack-based buffer overflow in the read_1_3_textobject function 
in f_r ...)
- xfig 1:3.2.5.b-1 (low; bug #559274)
[lenny] - xfig  (Minor issue)
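
Review bot: The new reason on the CVE-2009-4228 xfig line, "all available versions in archive are newer, than 3.2.5b", rests on a version comparison alone, with no bug number or upstream reference showing that releases after 3.2.5b actually fixed the u_bound.c stack consumption. The neighbouring CVE-2009-4227 entry records a concrete version and bug (1:3.2.5.b-1, bug #559274); a similar pointer here would make the status verifiable. The comma in "newer, than" can also be dropped.
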



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ad5997f64d9ab9dde81235c1bdcf8a26e16c4a7



[Git][security-tracker-team/security-tracker][master] Update note on man2html

2023-02-26 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c8e9681c by Anton Gladky at 2023-02-26T22:22:34+01:00
Update note on man2html

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -129,6 +129,8 @@ man2html (gladk)
   NOTE: 20221004: It looks like not patch is available.
   NOTE: 20221004: Please evalulate, whether the issue can be marked as 
.
   NOTE: 20230213: VCS: https://salsa.debian.org/debian/man2html.git
+  NOTE: 20230226: I would prefer to fix it instead of ignoring. (gladk)
+  NOTE: 20230226: It looks like upstream is dead. Patch needs to be written. 
(gladk)
 --
 mariadb-10.3
   NOTE: 20230225: Programming language: C.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8e9681c8f1a007062e562b78fba2b998a3b98aa



[Git][security-tracker-team/security-tracker][master] LTS: add missing meta-info

2023-02-26 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
075e163f by Anton Gladky at 2023-02-26T21:44:49+01:00
LTS: add missing meta-info

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -189,6 +189,7 @@ php-cas
 php7.3 (guilhem)
   NOTE: 20230225: Programming language: C.
   NOTE: 20230225: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/php.html
+  NOTE: 20230226: VCS: https://salsa.debian.org/lts-team/packages/php.git
 --
 pluxml
   NOTE: 20220913: Programming language: PHP.
@@ -305,6 +306,7 @@ sssd
 syslog-ng
   NOTE: 20230226: Programming language: C.
   NOTE: 20230226: No patch available and therefore we cannot fully determine 
whether the problem is applicable to the version in buster. (opal).
+  NOTE: 20230226: VCS: https://salsa.debian.org/lts-team/packages/syslog-ng.git
 --
 tinymce
   NOTE: 20221227: Programming language: PHP.
@@ -323,8 +325,9 @@ trafficserver
 xfig (gladk)
   NOTE: 20230105: Programming language: C.
   NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk)
-  NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/xfig.git
-  NOTE: 20230213: Communication with the maintainer.
+  NOTE: 20230206: VCS: https://salsa.debian.org/debian/xfig
+  NOTE: 20230213: ddCommunication with the maintainer.
+  NOTE: 20230226: CVE-2021-4024 is prepared by maintainer.
 --
 xrdp
   NOTE: 20221225: Programming language: C.
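
Review bot: The rewritten xfig line "NOTE: 20230213: ddCommunication with the maintainer." picks up a stray "dd" prefix (it looks like an editor keystroke), so an unrelated existing note is corrupted by this commit. The 20230206 VCS note is also changed in place, while the header of dla-needed.txt asks to append notes rather than remove/replace existing ones; adding a new dated VCS note would keep the history. Please also double-check "CVE-2021-4024" in the new 20230226 note: DLA-3353-1 for xfig is recorded against CVE-2021-40241, so the id here looks truncated.
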



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/075e163f61072319ff4c1cb8491b7666f80f89da



[Git][security-tracker-team/security-tracker][fix_987283] Check whether the ignored-debian-bug-packages is changed

2023-02-25 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch fix_987283 at Debian Security Tracker / 
security-tracker


Commits:
32e39839 by Anton Gladky at 2023-02-25T23:26:12+01:00
Check whether the ignored-debian-bug-packages is changed

- - - - -


1 changed file:

- lib/python/security_db.py


Changes:

=
lib/python/security_db.py
=
@@ -967,6 +967,12 @@ class DB:
 if has_changed(path + filename):
 unchanged = False
 break
+
+# Check if the ignored packages file has changed
+source_ignore_unreported = "data/packages/ignored-debian-bug-packages"
+if has_changed(path + filename):
+unchanged = False
+
 if unchanged:
 if self.verbose:
 print("  finished (no changes)")
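
Review bot: The new check calls has_changed(path + filename), but filename is the leftover variable from the check just above (the one that ends in break), so the ignored-packages file itself is never examined and source_ignore_unreported is assigned without being used in this hunk. The call should test source_ignore_unreported, in the same path form that is later written to inodeprints; as written, an edit to data/packages/ignored-debian-bug-packages alone still ends in "finished (no changes)".
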
@@ -993,6 +999,20 @@ class DB:
 print("  update removed packages")
 self.readRemovedAndIgnoredPackages(cursor, path + 
source_removed_packages, table = "removed_packages")
 
+
+# Add file print to database for ignored packages
+current_print = self.filePrint(source_ignore_unreported)
+cursor.execute(
+"""INSERT OR REPLACE INTO inodeprints (inodeprint, file)
+VALUES (?, ?)""", (current_print, source_ignore_unreported))
+
+if self.verbose:
+print("  update ignored packages")
+
+# Read list of packages, which should be ignored for the 
status/unreported
+self.readRemovedAndIgnoredPackages(cursor, source_ignore_unreported, 
table = "ignored_packages")
+
+
 errors = []
 
 if self.verbose:
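
Review bot: self.filePrint(source_ignore_unreported) and the new readRemovedAndIgnoredPackages(...) call take the bare relative path, while the removed-packages call directly above passes path + source_removed_packages. Unless path is always empty this is inconsistent, and the key stored in inodeprints has to be the same string that the has_changed() check looks up, otherwise the file will be seen as changed (or unchanged) on every run. Please use one path form for all three places. The doubled blank lines before and after the added block can be reduced to one.
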
@@ -1330,10 +1350,6 @@ class DB:
 alias = config.get_release_alias(release)
 self._calcTesting(c, bug_name, alias, release)
 
-# Read list of packages, which should be ignored for the 
status/unreported
-source_ignore_unreported = "data/packages/ignored-debian-bug-packages"
-self.readRemovedAndIgnoredPackages(cursor, source_ignore_unreported, 
table = "ignored_packages")
-
 return result
 
 def _calcUnstable(self, cursor, bug_name):



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32e398392b522bbe5184dfe1a44ca0dbfa82f6cf



[Git][security-tracker-team/security-tracker][fix_987283] Simplify DELETE FROM functions

2023-02-25 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch fix_987283 at Debian Security Tracker / 
security-tracker


Commits:
0b6fc947 by Anton Gladky at 2023-02-25T22:45:48+01:00
Simplify DELETE FROM functions

- - - - -


1 changed file:

- lib/python/security_db.py


Changes:

=
lib/python/security_db.py
=
@@ -916,15 +916,10 @@ class DB:
 else:
 cleared[0] = True
 
-cursor.execute("DELETE FROM debian_bugs")
-cursor.execute("DELETE FROM bugs")
-cursor.execute("DELETE FROM package_notes")
-cursor.execute("DELETE FROM bugs_notes")
-cursor.execute("DELETE FROM bugs_xref")
-cursor.execute("DELETE FROM package_notes_nodsa")
-cursor.execute("DELETE FROM ignored_packages")
-cursor.execute("DELETE FROM removed_packages")
-cursor.execute("DELETE FROM next_point_update")
+tables = ['debian_bugs', 'bugs', 'package_notes', 'bugs_notes', 
'bugs_xref', 'package_notes_nodsa', 'ignored_packages', 'removed_packages', 
'next_point_update']
+
+for table in tables:
+cursor.execute(f"DELETE FROM {table}")
 
 # The *_status tables are regenerated anyway, no need to
 # delete them here.
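
Review bot: `cursor.execute(f"DELETE FROM {table}")` builds the statement by string interpolation, which is safe only because `tables` is a literal list defined two lines above; table names cannot be bound as `?` parameters, so make that constraint explicit. A tuple plus a short comment that the names must never come from input would keep a later edit from turning this into an injection point. The `tables = [...]` assignment is also much longer than the surrounding lines and would read better with one name per line.
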



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0b6fc947c144ed57f38949cfe9c7cb3bccc48460



[Git][security-tracker-team/security-tracker][master] 2 commits: semi-automatic unclaim after 2 weeks of inactivity

2023-02-19 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
53f57d61 by Anton Gladky at 2023-02-20T08:26:17+01:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -
d2693455 by Anton Gladky at 2023-02-20T08:33:49+01:00
LTS: assign libgit2 to Tobias

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -23,7 +23,7 @@ amanda
   NOTE: 20230219: VCS: https://salsa.debian.org/lts-team/packages/amanda.git
   NOTE: 20230219: Special attention: Privilege escalation.
 --
-apache2 (Lee Garrett)
+apache2
   NOTE: 20221227: Programming language: C.
   NOTE: 20221227: VCS: https://salsa.debian.org/lts-team/packages/apache2.git
   NOTE: 20221227: Special attention: Double check an update! Package is used 
by many customers and users!.
@@ -32,7 +32,7 @@ apr-util (Adrian Bunk)
   NOTE: 20230207: Programming language: C.
   NOTE: 20230208: VCS: https://salsa.debian.org/lts-team/packages/apr-util.git
 --
-asterisk (Lee Garrett)
+asterisk
   NOTE: 20221211: Programming language: C.
   NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/asterisk.git
 --
@@ -117,7 +117,7 @@ golang-yaml.v2
   NOTE: 20230125: VCS: 
https://salsa.debian.org/lts-team/packages/golang-yaml.v2.git
   NOTE: 20230125: Special attention: limited support; requires rebuilding 
reverse build dependencies (though recent bullseye updates didn't).
 --
-imagemagick (Roberto C. Sánchez)
+imagemagick
   NOTE: 20220904: Programming language: C.
   NOTE: 20220904: VCS: 
https://salsa.debian.org/lts-team/packages/imagemagick.git
   NOTE: 20220904: Should be synced with Stretch. (apo)
@@ -138,7 +138,7 @@ libapache2-mod-auth-mellon (Utkarsh)
   NOTE: 20230206: VCS: 
https://salsa.debian.org/lts-team/packages/libapache2-mod-auth-mellon.git
   NOTE: 20230220: upload prepped, testing remains. (utkarsh)
 --
-libgit2 (gladk)
+libgit2 (tobi)
   NOTE: 20230126: Programming language: C.
   NOTE: 20230126: VCS: https://salsa.debian.org/debian/libgit2.git
   NOTE: 20230126: Please fix also CVE-2020* (gladk).
@@ -167,7 +167,7 @@ nextcloud-desktop
   NOTE: 20221128: VCS: https://salsa.debian.org/owncloud-team/nextcloud-desktop
   NOTE: 20221128: Please coordinate with maintainer the usage of their 
git-repo (gladk).
 --
-nheko (Abhijith PA)
+nheko
   NOTE: 20230101: Programming language: C++.
   NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/nheko.git
 --
@@ -188,7 +188,7 @@ node-nth-check
   NOTE: 20221223: Module has been rewritten in Typescript since Buster 
released (lamby).
   NOTE: 20230206: VCS: 
https://salsa.debian.org/lts-team/packages/node-nth-check.git
 --
-node-url-parse (guilhem)
+node-url-parse
   NOTE: 2022: Programming language: JavaScript.
   NOTE: 2022: Follow fixes from bullseye 11.4 + check postponed issues 
(Beuc/front-desk)
   NOTE: 20230206: VCS: 
https://salsa.debian.org/lts-team/packages/node-url-parse.git
@@ -355,7 +355,7 @@ sssd
   NOTE: 20230131: Programming language: C.
   NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git
 --
-thunderbird (Emilio)
+thunderbird
   NOTE: 20230123: Programming language: C++
   NOTE: 20230205: VCS: https://salsa.debian.org/mozilla-team/thunderbird.git
   NOTE: 20230205: Maintainer notes: Coordinate with maintainer
@@ -390,7 +390,7 @@ xrdp
   NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/xrdp.git
   NOTE: 20230117: Fixed 6 out 10 CVEs. Testing (abhijith)
 --
-zabbix (Adrian Bunk)
+zabbix
   NOTE: 20220911: At least CVE-2022-23134 was fixed in stretch so it should be 
fixed in buster too.
   NOTE: 20221209: Programming language: C.
   NOTE: 20221209: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/zabbix.html



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/39aeedb1ddfe0c6bfd5efe0e459dbf900ccb0393...d2693455f1a83e058d61de02116ba0d5ce94964a



[Git][security-tracker-team/security-tracker][master] LTS: Update VCS and note

2023-02-13 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2f7c73c1 by Anton Gladky at 2023-02-13T20:08:18+01:00
LTS: Update VCS and note

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -134,7 +134,7 @@ man2html (gladk)
   NOTE: 20221004: Programming language: C.
   NOTE: 20221004: It looks like not patch is available.
   NOTE: 20221004: Please evalulate, whether the issue can be marked as 
.
-  NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/man2html.git
+  NOTE: 20230213: VCS: https://salsa.debian.org/debian/man2html.git
 --
 netatalk
   NOTE: 20220816: Programming language: C.
@@ -341,6 +341,7 @@ xfig (gladk)
   NOTE: 20230105: Programming language: C.
   NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk)
   NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/xfig.git
+  NOTE: 20230213: Communication with the maintainer.
 --
 xrdp
   NOTE: 20221225: Programming language: C.
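
Review bot: The added xfig line `NOTE: 20230213: Communication with the maintainer.` does not say who is in contact or what the state of that contact is, so the next reader cannot tell whether the package is blocked. The note above it ends with the author in parentheses, `(Beuc/front-desk)`; add the same here together with a short status.
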



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f7c73c1a78a23a2a296a8186852e8a3fe2fae02



[Git][security-tracker-team/security-tracker][master] LTS: Add meta-information

2023-02-08 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0e30ea9a by Anton Gladky at 2023-02-08T21:39:39+01:00
LTS: Add meta-information

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -201,6 +201,8 @@ openimageio
 --
 openssl
   NOTE: 20230208: Programming language: C.
+  NOTE: 20230208: Special attention: Very high popcon!
+  NOTE: 20230208: VCS: https://salsa.debian.org/lts-team/packages/openssl.git
 --
 php-cas
   NOTE: 20221105: Programming language: PHP.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e30ea9a0994990bf3668b5c3293d5ef735683a7



[Git][security-tracker-team/security-tracker][master] LTS: Add VCS to apr-util

2023-02-07 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2ead1eea by Anton Gladky at 2023-02-08T06:16:57+01:00
LTS: Add VCS to apr-util

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -25,6 +25,7 @@ apache2 (Lee Garrett)
 --
 apr-util (Adrian Bunk)
   NOTE: 20230207: Programming language: C.
+  NOTE: 20230208: VCS: https://salsa.debian.org/lts-team/packages/apr-util.git
 --
 asterisk (Lee Garrett)
   NOTE: 20221211: Programming language: C.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ead1eeae9495089dca0f33eec71f45cccba9d64



[Git][security-tracker-team/security-tracker][master] LTS: Add meta-information

2023-02-06 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3dcbc257 by Anton Gladky at 2023-02-06T22:15:14+01:00
LTS: Add meta-information

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -94,6 +94,9 @@ golang-yaml.v2
   NOTE: 20230125: Special attention: limited support; requires rebuilding 
reverse build dependencies (though recent bullseye updates didn't).
 --
 heimdal (Helmut Grohne)
+  NOTE: 20230206: Programming language: C
+  NOTE: 20230206: Special attention: Do review patches, even those, coming 
from upstream.
+  NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/heimdal/
 --
 imagemagick (Roberto C. Sánchez)
   NOTE: 20220904: Programming language: C.
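
Review bot: The added heimdal lines differ from the conventions visible around them: `Programming language: C` lacks the trailing period that the imagemagick entry just below uses, and the VCS URL ends in `heimdal/` while the spip URL added in the same commit ends in `.git`. The wording `Do review patches, even those, coming from upstream.` would also read better as "even those coming from upstream".
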
@@ -312,6 +315,8 @@ sox (Helmut Grohne)
 --
 spip
   NOTE: 20230206: Programming language: PHP.
+  NOTE: 20230206: Special attention: Please contact maintainer regarding VCS 
usage
+  NOTE: 20230206: VCS: https://salsa.debian.org/debian/spip.git
 --
 sssd
   NOTE: 20230131: Programming language: C.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3dcbc2571082ea43963d86a583445ef8abf6a1c6



[Git][security-tracker-team/security-tracker][master] LTS: add missing meta-information

2023-02-05 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f17072bd by Anton Gladky at 2023-02-05T20:46:49+01:00
LTS: add missing meta-information

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -286,9 +286,12 @@ sox (Helmut Grohne)
 --
 sssd
   NOTE: 20230131: Programming language: C.
+  NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git
 --
 thunderbird (Emilio)
   NOTE: 20230123: Programming language: C++
+  NOTE: 20230205: VCS: https://salsa.debian.org/mozilla-team/thunderbird.git
+  NOTE: 20230205: Maintainer notes: Coordinate with maintainer
 --
 tinymce
   NOTE: 20221227: Programming language: PHP.
@@ -307,6 +310,7 @@ webkit2gtk
 wireshark (tobi)
   NOTE: 20230123: Programming language: C.
   NOTE: 20230123: 7 new CVEs + 3 postponed ones. Would be good to not let them 
pile up like last time. (utkarsh).
+  NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/wireshark.git
 --
 xfig (gladk)
   NOTE: 20230105: Programming language: C.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f17072bdaf3d5796c7e2e4d8585d2c552661b133



[Git][security-tracker-team/security-tracker][master] Add Meta-Information to some newly added packages

2023-01-30 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ff9a66bf by Anton Gladky at 2023-01-30T21:30:39+01:00
Add Meta-Information to some newly added packages

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -42,6 +42,8 @@ ceph
 --
 cinder
   NOTE: 20230130: Same issue in cinder, glance and nova packages: claim all 
three? (lamby)
+  NOTE: 20230130: Programming language: Python
+  NOTE: 20230130: VCS: https://salsa.debian.org/lts-team/packages/cinder.git
 --
 consul
   NOTE: 20221031: Programming language: Go.
@@ -72,6 +74,8 @@ fusiondirectory
 --
 glance
   NOTE: 20230130: Same issue in cinder, glance and nova packages: claim all 
three? (lamby)
+  NOTE: 20230130: Programming language: Python
+  NOTE: 20230130: VCS: https://salsa.debian.org/lts-team/packages/glance.git
 --
 golang-1.11
   NOTE: 20220916: Programming language: Go.
@@ -194,6 +198,10 @@ nodejs
 --
 nova
   NOTE: 20230130: Same issue in cinder, glance and nova packages: claim all 
three? (lamby)
+  NOTE: 20230130: Programming language: Python
+  NOTE: 20230130: VCS: https://salsa.debian.org/openstack-team/services/nova
+  NOTE: 20230130: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/OpenStack.html
+  NOTE: 20230130: Maintainer notes: Contact original maintainer: zigo
 --
 nvidia-graphics-drivers
   NOTE: 20221225: Programming language: binary blob.
@@ -266,6 +274,8 @@ rainloop
   NOTE: 20220913: Evaluate the situation and decide whether we should support 
or EOL this package (Beuc/front-desk)
 --
 redis (Chris Lamb)
+  NOTE: 20230130: Programming language: C
+  NOTE: 20230130: VCS: https://salsa.debian.org/lts-team/packages/redis.git
 --
 ring
   NOTE: 20221120: Programming language: C.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff9a66bfa3272007f9804a46a3cc689c4e24feed



[Git][security-tracker-team/security-tracker][master] Change VCS for libgit2

2023-01-30 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
de321af1 by Anton Gladky at 2023-01-30T19:54:25+01:00
Change VCS for libgit2

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -120,7 +120,7 @@ libapache2-mod-auth-mellon
 --
 libgit2 (gladk)
   NOTE: 20230126: Programming language: C.
-  NOTE: 20230126: VCS: https://salsa.debian.org/lts-team/packages/libgit2.git
+  NOTE: 20230126: VCS: https://salsa.debian.org/debian/libgit2.git
   NOTE: 20230126: Please fix also CVE-2020* (gladk).
 --
 libhtml-stripscripts-perl (Utkarsh)
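
Review bot: The replaced libgit2 VCS line keeps the `20230126` date prefix although the URL is changed in a commit dated 2023-01-30. Bump the date on the changed NOTE line so the entry shows when the repository location was last corrected.
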



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/de321af1d50353da1b7bb3b747c8da4b441ead12



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2023-01-29 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
95472c99 by Anton Gladky at 2023-01-30T06:50:17+01:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -31,7 +31,7 @@ bind9 (Emilio)
   NOTE: 20230126: VCS: https://salsa.debian.org/lts-team/packages/bind9.git
   NOTE: 20230126: Special attention: Package is used in many cases. Please be 
very carefull with fix and upload!.
 --
-ceph (Stefano Rivera)
+ceph
   NOTE: 20221031: Programming language: C++.
   NOTE: 20221031: To be checked further. Not clear whether the vulnerability 
can be exploited in a Debian system.
   NOTE: 20221031: What should be checked is whether any user with ceph 
permission can do the actions described in the exploit. (ola/front-desk)
@@ -140,7 +140,7 @@ man2html (gladk)
   NOTE: 20221004: It looks like not patch is available.
   NOTE: 20221004: Please evalulate, whether the issue can be marked as 
.
 --
-modsecurity-crs (Tobias Frost)
+modsecurity-crs
   NOTE: 20221006: Programming language: Other.
   NOTE: 20221006: Maintainer notes: Please contact maintainer. Consider 
uploading of newer version.
   NOTE: 20230111: VCS: 
https://salsa.debian.org/lts-team/packages/modsecurity-crs.git
@@ -168,7 +168,7 @@ node-got
   NOTE: 2022: Follow fixes from bullseye 11.4 (Beuc/front-desk)
   NOTE: 20221223: Module has been rewritten in Typescript since Buster 
released (lamby).
 --
-node-moment (Utkarsh)
+node-moment
   NOTE: 2022: Programming language: JavaScript.
   NOTE: 2022: Follow fixes from bullseye 11.4 and 11.5 (Beuc/front-desk)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/95472c998f3a42ea346fd2e2c92b3c92e86d6c8f



[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add ruby-rack to dla-needed.txt

2023-01-29 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4a75521a by Anton Gladky at 2023-01-29T20:51:06+01:00
LTS: add ruby-rack to dla-needed.txt

- - - - -
b7512050 by Anton Gladky at 2023-01-29T20:55:40+01:00
LTS: add tmux to dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -268,6 +268,10 @@ ring
 ruby-loofah
   NOTE: 20221231: Programming language: Ruby.
 --
+ruby-rack
+  NOTE: 20230129: Programming language: Ruby.
+  NOTE: 20230129: VCS: https://salsa.debian.org/lts-team/packages/ruby-rack.git
+--
 ruby-rails-html-sanitizer
   NOTE: 20221231: Programming language: Ruby.
   NOTE: 20221231: VCS: 
https://salsa.debian.org/lts-team/packages/ruby-rails-html-sanitizer.git
@@ -327,6 +331,10 @@ tiff (Utkarsh)
 tinymce
   NOTE: 20221227: Programming language: PHP.
 --
+tmux
+  NOTE: 20230129: Programming language: C.
+  NOTE: 20230129: VCS: https://salsa.debian.org/lts-team/packages/tmux.git
+--
 wireshark
   NOTE: 20230123: Programming language: C.
   NOTE: 20230123: 7 new CVEs + 3 postponed ones. Would be good to not let them 
pile up like last time. (utkarsh).



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2d135f1805bbdc3ce352b4b113f59df9920a5eff...b7512050abddcfa78497aca3d00f5f6b13c0



[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: take libgit2

2023-01-29 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c570f946 by Anton Gladky at 2023-01-29T18:23:14+01:00
LTS: take libgit2

- - - - -
2d135f18 by Anton Gladky at 2023-01-29T18:23:41+01:00
LTS: take man2html

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -112,7 +112,7 @@ libapache2-mod-auth-mellon
   NOTE: 20230105: Programming language: C.
   NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk)
 --
-libgit2
+libgit2 (gladk)
   NOTE: 20230126: Programming language: C.
   NOTE: 20230126: VCS: https://salsa.debian.org/lts-team/packages/libgit2.git
   NOTE: 20230126: Please fix also CVE-2020* (gladk).
@@ -135,7 +135,7 @@ libstb (Adrian Bunk)
 linux (Ben Hutchings)
   NOTE: 20230111: Programming language: C
 --
-man2html
+man2html (gladk)
   NOTE: 20221004: Programming language: C.
   NOTE: 20221004: It looks like not patch is available.
   NOTE: 20221004: Please evalulate, whether the issue can be marked as 
.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/86672ee355229f340c3fa92a00d7ba7903893d1d...2d135f1805bbdc3ce352b4b113f59df9920a5eff



[Git][security-tracker-team/security-tracker][master] 3 commits: LTS: add tiff to dla-needed.txt

2023-01-25 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ce7e10d8 by Anton Gladky at 2023-01-26T06:25:25+01:00
LTS: add tiff to dla-needed.txt

- - - - -
9247fe01 by Anton Gladky at 2023-01-26T06:28:22+01:00
LTS: add bind9 to dla-needed.txt

- - - - -
a3f38955 by Anton Gladky at 2023-01-26T06:30:36+01:00
LTS: add libgit2 to dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -26,6 +26,11 @@ asterisk
   NOTE: 20221211: Programming language: C.
   NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/asterisk.git
 --
+bind9
+  NOTE: 20230126: Programming language: C.
+  NOTE: 20230126: VCS: https://salsa.debian.org/lts-team/packages/bind9.git
+  NOTE: 20230126: Special attention: Package is used in many cases. Please be 
very carefull with fix and upload!.
+--
 ceph (Stefano Rivera)
   NOTE: 20221031: Programming language: C++.
   NOTE: 20221031: To be checked further. Not clear whether the vulnerability 
can be exploited in a Debian system.
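
Review bot: In the added bind9 entry, `carefull` should be `careful`, and the sentence ends with both `!` and `.`; keep one. Since this "Special attention" text is what a claimant reads before uploading, it is worth fixing before it is copied into other entries.
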
@@ -127,6 +132,11 @@ libapache2-mod-auth-mellon (Adrian Bunk)
   NOTE: 20230105: Programming language: C.
   NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk)
 --
+libgit2
+  NOTE: 20230126: Programming language: C.
+  NOTE: 20230126: VCS: https://salsa.debian.org/lts-team/packages/libgit2.git
+  NOTE: 20230126: Please fix also CVE-2020* (gladk).
+--
 libhtml-stripscripts-perl (Utkarsh)
   NOTE: 20230125: Programming language: Perl.
   NOTE: 20230125: VCS: 
https://salsa.debian.org/lts-team/packages/libhtml-stripscripts-perl.git
@@ -347,6 +357,11 @@ sox
 thunderbird (Emilio)
   NOTE: 20230123: Programming language: C++
 --
+tiff
+  NOTE: 20230126: Programming language: C.
+  NOTE: 20230126: VCS: https://salsa.debian.org/lts-team/packages/tiff.git
+  NOTE: 20230126: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/tiff.html
+--
 tinymce
   NOTE: 20221227: Programming language: PHP.
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0e06eda544305a780ac64c0ef55cdc4ba01311ae...a3f389554e3c95532d90e382713cccfe15177029



[Git][security-tracker-team/security-tracker][master] 4 commits: Add fix link to the libhtml-stripscripts-perl

2023-01-24 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4a16069d by Anton Gladky at 2023-01-25T06:24:14+01:00
Add fix link to the libhtml-stripscripts-perl

- - - - -
ffc35fcd by Anton Gladky at 2023-01-25T06:28:55+01:00
LTS: add libhtml-stripscripts-perl to dla-needed.txt

- - - - -
6c96ab38 by Anton Gladky at 2023-01-25T06:39:18+01:00
LTS: add golang-yaml.v2 to dla-needed.txt

- - - - -
f5bd72e6 by Anton Gladky at 2023-01-25T06:45:04+01:00
LTS: add sofia-sip to dla-needed.txt

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -1071,6 +1071,7 @@ CVE-2023-24039 (** UNSUPPORTED WHEN ASSIGNED ** A 
stack-based buffer overflow in
 CVE-2023-24038 (The HTML-StripScripts module through 1.06 for Perl allows 
_hss_attval_ ...)
- libhtml-stripscripts-perl 1.06-4 (bug #1029400)
NOTE: https://github.com/clintongormley/perl-html-stripscripts/issues/3
+   NOTE: https://github.com/clintongormley/perl-html-stripscripts/pull/4
 CVE-2023-24037
RESERVED
 CVE-2023-24036


=
data/dla-needed.txt
=
@@ -101,6 +101,11 @@ golang-websocket
   NOTE: 20220915: 1 CVE fixed in stretch and bullseye 
(golang-github-gorilla-websocket) (Beuc/front-desk)
   NOTE: 20220915: Special attention: limited support; requires rebuilding 
reverse dependencies
 --
+golang-yaml.v2
+  NOTE: 20230125: Programming language: Go.
+  NOTE: 20230125: VCS: 
https://salsa.debian.org/lts-team/packages/golang-yaml.v2.git
+  NOTE: 20230125: Special attention: limited support; requires rebuilding 
reverse build dependencies (though recent bullseye updates didn't).
+--
 graphite-web
   NOTE: 20221229: Programming language: Python.
 --
@@ -122,6 +127,10 @@ libapache2-mod-auth-mellon
   NOTE: 20230105: Programming language: C.
   NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk)
 --
+libhtml-stripscripts-perl
+  NOTE: 20230125: Programming language: Perl.
+  NOTE: 20230125: VCS: 
https://salsa.debian.org/lts-team/packages/libhtml-stripscripts-perl.git
+--
 libreoffice
   NOTE: 20221012: Programming language: C++.
   NOTE: 20230111: VCS: 
https://salsa.debian.org/lts-team/packages/libreoffice.git
@@ -325,6 +334,10 @@ snort (Markus Koschany)
   NOTE: 20230121: Prepared new upstream version for unstable which we could
   NOTE: 20230121: backport to buster later. See https://bugs.debian.org/1021276
 --
+sofia-sip
+  NOTE: 20230125: Programming language: C.
+  NOTE: 20230125: VCS: https://salsa.debian.org/lts-team/packages/sofia-sip.git
+--
 sox
   NOTE: 20220818: Programming language: C.
   NOTE: 20220818: Requires some investigation; see #1012138 etc.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/24a110dd2b485ff3413d8325916c5c7161215086...f5bd72e6efcb5a14077c4f09dd44e29ec62f4602
