[Git][security-tracker-team/security-tracker][master] Reserve DLA-3676-1 for libde265
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 808dc32e by Anton Gladky at 2023-11-30T17:39:19+01:00 Reserve DLA-3676-1 for libde265 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -41871,14 +41871,12 @@ CVE-2023-27103 (Libde265 v1.0.11 was discovered to contain a heap buffer overflo - libde265 1.0.12-1 (bug #1033257) [bookworm] - libde265 (Minor issue) [bullseye] - libde265 (Minor issue) - [buster] - libde265 (Minor issue) NOTE: https://github.com/strukturag/libde265/issues/394 NOTE: https://github.com/strukturag/libde265/commit/d6bf73e765b7a23627bfd7a8645c143fd9097995 (v1.0.12) CVE-2023-27102 (Libde265 v1.0.11 was discovered to contain a segmentation violation vi ...) - libde265 1.0.12-1 (bug #1033257) [bookworm] - libde265 (Minor issue) [bullseye] - libde265 (Minor issue) - [buster] - libde265 (Minor issue) NOTE: https://github.com/strukturag/libde265/issues/393 NOTE: https://github.com/strukturag/libde265/commit/0b1752abff97cb542941d317a0d18aa50cb199b1 (v1.0.12) CVE-2023-27101 = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Nov 2023] DLA-3676-1 libde265 - security update + {CVE-2023-27102 CVE-2023-27103 CVE-2023-43887 CVE-2023-47471} + [buster] - libde265 1.0.11-0+deb10u5 [30 Nov 2023] DLA-3675-1 zbar - security update {CVE-2023-40889 CVE-2023-40890} [buster] - zbar 0.22-1+deb10u1 = data/dla-needed.txt = 
@@ -89,10 +89,6 @@ keystone knot-resolver NOTE: 20231029: Added by Front-Desk (gladk) -- -libde265 (gladk) - NOTE: 20231119: Added by Front-Desk (apo) - NOTE: 20231119: Fix along with postponed issues. --- libreswan NOTE: 20230817: Added by Front-Desk (ta) NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/808dc32e5e7fbd049a8faf0570941fe689e19210 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
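Review bot: DLA-3676-1 lists four CVEs (CVE-2023-27102, CVE-2023-27103, CVE-2023-43887, CVE-2023-47471) but the data/CVE/list hunk only removes the "[buster] - libde265 (Minor issue)" lines for CVE-2023-27102 and CVE-2023-27103; confirm that CVE-2023-43887 and CVE-2023-47471 have no leftover buster line, otherwise the tracker will keep showing them open in buster despite the 1.0.11-0+deb10u5 upload recorded in data/DLA/list.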
[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-21428 as not-affected for stretch
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 6619bfa5 by Anton Gladky at 2023-11-28T06:52:43+01:00 Mark CVE-2020-21428 as not-affected for stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -236803,6 +236803,7 @@ CVE-2020-21429 CVE-2020-21428 (Buffer Overflow vulnerability in function LoadRGB in PluginDDS.cpp in ...) {DLA-3662-1} - freeimage 3.18.0+ds2-10 (bug #1051738) + [stretch] - freeimage (vulnerable code is not present) NOTE: https://sourceforge.net/p/freeimage/bugs/299/ NOTE: Fixed with r1877 from http://svn.code.sf.net/p/freeimage/svn/FreeImage/ CVE-2020-21427 (Buffer Overflow vulnerability in function LoadPixelDataRLE8 in PluginB ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6619bfa58413f9d3459f33f21a696aa0da67fb3b
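Review bot: the new "[stretch] - freeimage (vulnerable code is not present)" line, as shown, has only a parenthesised reason after the package name; confirm the committed line carries the tracker's not-affected marker that the commit message promises, because a release line with a bare comment reads as an unfixed entry with a remark rather than as not-affected. The reason text itself is good: it tells the next reader why no fix is needed rather than just asserting the state.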
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3662-1 for freeimage
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 22ea11b5 by Anton Gladky at 2023-11-24T06:51:27+01:00 Reserve DLA-3662-1 for freeimage - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[24 Nov 2023] DLA-3662-1 freeimage - security update + {CVE-2020-21427 CVE-2020-21428 CVE-2020-22524} + [buster] - freeimage 3.18.0+ds2-1+deb10u2 [23 Nov 2023] DLA-3661-1 firefox-esr - security update {CVE-2023-6204 CVE-2023-6205 CVE-2023-6206 CVE-2023-6207 CVE-2023-6208 CVE-2023-6209 CVE-2023-6212} [buster] - firefox-esr 115.5.0esr-1~deb10u1 = data/dla-needed.txt = @@ -65,13 +65,6 @@ flatpak NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk) -- -freeimage (gladk) - NOTE: 20230826: Added by Front-Desk (utkarsh) - NOTE: 20230826: Anton Gladky is the maintainer. Please sync with him about the - NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should roll - NOTE: 20230826: out the DLA/ELA now. (utkarsh) - NOTE: 20231120: many CVEs, check with ASAN is needed. (gladk) --- frr NOTE: 20231119: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/22ea11b5c0e68482bfcb0169a846d12f3eff2ee2
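Review bot: the dla-needed.txt entry removed here ends with a 20231120 note that an ASAN check was still needed and a 20230826 note that many CVEs had piled up, yet DLA-3662-1 covers only three of them (CVE-2020-21427, CVE-2020-21428, CVE-2020-22524); record in the DLA text or as NOTE lines in data/CVE/list which of the other open freeimage CVEs were checked and why they remain open, so that assessment is not lost together with the entry.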
[Git][security-tracker-team/security-tracker][master] Update notes for outstanding freeimage issues
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 8e1308ad by Anton Gladky at 2023-11-24T06:15:04+01:00 Update notes for outstanding freeimage issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -157555,26 +157555,31 @@ CVE-2021-40266 (FreeImage before 1.18.0, ReadPalette function in PluginTIFF.cpp - freeimage (bug #1055305) [bookworm] - freeimage (Minor issue) [bullseye] - freeimage (Minor issue) + [buster] - freeimage (Minor issue) NOTE: https://sourceforge.net/p/freeimage/bugs/334/ CVE-2021-40265 (A heap overflow bug exists FreeImage before 1.18.0 via ofLoad function ...) - freeimage (bug #1055304) [bookworm] - freeimage (Minor issue) [bullseye] - freeimage (Minor issue) + [buster] - freeimage (Minor issue) NOTE: https://sourceforge.net/p/freeimage/bugs/337/ CVE-2021-40264 (NULL pointer dereference vulnerability in FreeImage before 1.18.0 via ...) - freeimage (bug #1055303) [bookworm] - freeimage (Minor issue) [bullseye] - freeimage (Minor issue) + [buster] - freeimage (Minor issue) NOTE: https://sourceforge.net/p/freeimage/bugs/335/ CVE-2021-40263 (A heap overflow vulnerability in FreeImage 1.18.0 via the ofLoad funct ...) - freeimage (bug #1055302) [bookworm] - freeimage (Minor issue) [bullseye] - freeimage (Minor issue) + [buster] - freeimage (Minor issue) NOTE: https://sourceforge.net/p/freeimage/bugs/336/ CVE-2021-40262 (A stack exhaustion issue was discovered in FreeImage before 1.18.0 via ...) - freeimage (bug #1055301) [bookworm] - freeimage (Minor issue) [bullseye] - freeimage (Minor issue) + [buster] - freeimage (Minor issue) NOTE: https://sourceforge.net/p/freeimage/bugs/338/ CVE-2021-40261 (Multiple Cross Site Scripting (XSS) vulnerabilities exist in SourceCod ...) NOT-FOR-US: SourceCodester 
@@ -236524,6 +236529,7 @@ CVE-2020-21427 (Buffer Overflow vulnerability in function LoadPixelDataRLE8 in P CVE-2020-21426 (Buffer Overflow vulnerability in function C_IStream::read in PluginEXR ...) - freeimage (bug #1051736) NOTE: https://sourceforge.net/p/freeimage/bugs/300/ + NOTE: it looks like the issue is in openexr. No relevant patches in freeimage are detected CVE-2020-21425 RESERVED CVE-2020-21424 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e1308ad75a56bf0dd66cb4d1ec18df92aff30ab
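Review bot: the new NOTE on CVE-2020-21426 says the issue looks to be in openexr but leaves the entry attributed to freeimage with no stated consequence; the +ds2 suffix on the Debian version suggests a repacked source, so if the package builds against the system openexr rather than a bundled copy, say so in the NOTE and consider tracking the issue against openexr instead, otherwise "No relevant patches in freeimage are detected" leaves the next triager with the same open question.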
[Git][security-tracker-team/security-tracker][master] LTS: note in dla_neded
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 16e6f3b6 by Anton Gladky at 2023-11-20T07:02:25+01:00 LTS: note in dla_neded - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -73,6 +73,7 @@ freeimage (gladk) NOTE: 20230826: Anton Gladky is the maintainer. Please sync with him about the NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should roll NOTE: 20230826: out the DLA/ELA now. (utkarsh) + NOTE: 20231120: many CVEs, check with ASAN is needed. (gladk) -- frr NOTE: 20231119: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16e6f3b6512b453ff0939ec5f3289d8b7bca143b
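Review bot: the added note "many CVEs, check with ASAN is needed" does not say which CVEs or which inputs the check should cover; pointing at the reproducer bug reports already linked from data/CVE/list (the sourceforge.net/p/freeimage/bugs/ entries) would make the follow-up actionable for whoever picks the package up.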
[Git][security-tracker-team/security-tracker][master] Take netatalk and libde265
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 0473ca78 by Anton Gladky at 2023-11-20T06:31:00+01:00 Take netatalk and libde265 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -106,7 +106,7 @@ keystone knot-resolver NOTE: 20231029: Added by Front-Desk (gladk) -- -libde265 +libde265 (gladk) NOTE: 20231119: Added by Front-Desk (apo) NOTE: 20231119: Fix along with postponed issues. -- @@ -138,7 +138,7 @@ mediawiki (guilhem) minizip (Thorsten Alteholz) NOTE: 20231117: Added by Front-Desk (apo) -- -netatalk +netatalk (gladk) NOTE: 20231119: Added by Front-Desk (apo) -- node-json5 (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0473ca7857001389e12bf070d7a9189be3c5b6f6
[Git][security-tracker-team/security-tracker][master] LTS: add Thorsten as FD 18-12 to 24-12
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: da44dab4 by Anton Gladky at 2023-11-12T20:50:04+01:00 LTS: add Thorsten as FD 18-12 to 24-12 - - - - - 1 changed file: - org/lts-frontdesk.2023.txt Changes: = org/lts-frontdesk.2023.txt = @@ -48,5 +48,5 @@ From 20-11 to 26-11:Ola Lundqvist From 27-11 to 03-12:Sylvain Beucler From 04-12 to 10-12:Thorsten Alteholz From 11-12 to 17-12:Utkarsh Gupta -From 18-12 to 24-12:Anton Gladky +From 18-12 to 24-12:Thorsten Alteholz From 25-12 to 31-12:Chris Lamb View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da44dab4615cce4ded1eb0909ed4e75eebc15d03
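Review bot: after this change Thorsten Alteholz holds both the 04-12 to 10-12 week and the 18-12 to 24-12 week in the visible rota; fine if that swap was agreed, but the commit message only says "add Thorsten", so it is worth confirming the name is not a copy of the wrong slot.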
[Git][security-tracker-team/security-tracker][master] LTS: take freeimage
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: ce2e749f by Anton Gladky at 2023-11-02T06:13:42+01:00 LTS: take freeimage - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -62,7 +62,7 @@ flatpak NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk) -- -freeimage +freeimage (gladk) NOTE: 20230826: Added by Front-Desk (utkarsh) NOTE: 20230826: Anton Gladky is the maintainer. Please sync with him about the NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should roll View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce2e749f378fb03929164cf665a4e30f232c2d9c
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3638-1 for h2o
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: afc552e0 by Anton Gladky at 2023-10-29T21:57:19+01:00 Reserve DLA-3638-1 for h2o - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Oct 2023] DLA-3638-1 h2o - security update + {CVE-2023-44487} + [buster] - h2o 2.2.5+dfsg2-2+deb10u2 [29 Oct 2023] DLA-3637-1 thunderbird - security update {CVE-2023-5721 CVE-2023-5724 CVE-2023-5725 CVE-2023-5728 CVE-2023-5730 CVE-2023-5732} [buster] - thunderbird 1:115.4.1-1~deb10u1 = data/dla-needed.txt = @@ -78,9 +78,6 @@ galera-3 (Adrian Bunk) NOTE: 20231028: Added by Front-Desk (gladk) NOTE: 20231028: Acc. to CVE notes the open issue is fixed in 26.4.12. Please, try to find a corresponding commit and try to backport it. Otherwise - no-dsa. (gladk) -- -h2o (gladk) - NOTE: 20231013: Added by Front-Desk (ta) --- i2p NOTE: 20230809: Added by Front-Desk (Beuc) NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/afc552e00ddc08e5828739a01f7712cfcd48663e
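Review bot: this commit touches only data/DLA/list and data/dla-needed.txt, so nothing records which upstream change was backported into h2o 2.2.5+dfsg2-2+deb10u2 for CVE-2023-44487; a NOTE on the CVE entry in data/CVE/list naming the backported commit (or stating that a mitigation rather than the upstream fix was applied) would help anyone comparing the buster package with other releases.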
[Git][security-tracker-team/security-tracker][master] LTS add memcached
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: ba968ee5 by Anton Gladky at 2023-10-29T20:55:01+01:00 LTS add memcached - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -121,6 +121,9 @@ linux-5.10 mediawiki (guilhem) NOTE: 20231011: Added by Front-Desk (ta) -- +memcached + NOTE: 20231029: Added by Front-Desk (gladk) +-- mosquitto NOTE: 20230924: Added by Front-Desk (apo) NOTE: 20231009: Waiting for upstream clarification how to proceed with open CVE. (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba968ee5aed1ee863489a7a7a58afb3116878b11
[Git][security-tracker-team/security-tracker][master] 3 commits: Mark CVE-2023-42445 as no-dsa for buster
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: a6540828 by Anton Gladky at 2023-10-29T20:49:01+01:00 Mark CVE-2023-42445 as no-dsa for buster - - - - - 2ae22b88 by Anton Gladky at 2023-10-29T20:49:45+01:00 LTS add knot-resolver - - - - - 8be5dbb5 by Anton Gladky at 2023-10-29T20:53:46+01:00 LTS add libstb - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -4080,6 +4080,7 @@ CVE-2023-42445 (Gradle is a build tool with a focus on build automation and supp - gradle [bookworm] - gradle (Minor issue) [bullseye] - gradle (Minor issue) + [buster] - gradle (Minor issue) NOTE: https://github.com/gradle/gradle/security/advisories/GHSA-mrff-q8qj-xvg8 CVE-2023-41950 (Cross-Site Request Forgery (CSRF) vulnerability in Laposta - Roel Bous ...) NOT-FOR-US: WordPress plugin = data/dla-needed.txt = @@ -93,6 +93,9 @@ imagemagick jetty9 (Markus Koschany) NOTE: 20231011: Added by Front-Desk (ta) -- +knot-resolver + NOTE: 20231029: Added by Front-Desk (gladk) +-- libreswan NOTE: 20230817: Added by Front-Desk (ta) NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to 
@@ -104,6 +107,11 @@ libreswan libspf2 (Thorsten Alteholz) NOTE: 20231016: Added by Front-Desk (ta) -- +libstb + NOTE: 20231029: Added by Front-Desk (gladk) + NOTE: 20231029: A lot of open CVEs. Maybe duplicates. + NOTE: 20231029: If you take a package, please evaluate it as well as its importance. +-- linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f92b09c1de83c27ee21cdebc8c88710e2c0fdff8...8be5dbb500f0a3c0220487b9ed7b96b7cba78fc5
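Review bot: the libstb note "A lot of open CVEs. Maybe duplicates." is an assessment that belongs next to the CVE entries in data/CVE/list, where triagers for every release will see it; dla-needed.txt notes disappear when the entry is removed after the DLA, as the other commits in this series show. The gradle hunk adds "[buster] - gradle (Minor issue)", which matches the bookworm and bullseye lines above it.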
[Git][security-tracker-team/security-tracker][master] LTS: add galera-3
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: e801f1a0 by Anton Gladky at 2023-10-28T21:06:08+02:00 LTS: add galera-3 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -74,6 +74,10 @@ freerdp2 (tobi) NOTE: 20231007: First round done, unfortunatly missed a few CVES while updating, will do an follow up. NOTE: 20231023: Will continue working on package next weekend. (tobi) -- +galera-3 + NOTE: 20231028: Added by Front-Desk (gladk) + NOTE: 20231028: Acc. to CVE notes the open issue is fixed in 26.4.12. Please, try to find a corresponding commit and try to backport it. Otherwise - no-dsa. (gladk) +-- h2o (gladk) NOTE: 20231013: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e801f1a04ddb617cd411eaf499ba786e5261373f
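Review bot: the galera-3 note says "the open issue is fixed in 26.4.12" without naming the CVE; adding the id lets the assignee go straight to the upstream changelog for that version, and the proposed fallback ("Otherwise - no-dsa") should then be recorded on that CVE's buster line in data/CVE/list rather than only here.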
[Git][security-tracker-team/security-tracker][master] LTS: add python-urllib3 and assign to spwhitton
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 3cb7d3aa by Anton Gladky at 2023-10-28T20:57:51+02:00 LTS: add python-urllib3 and assign to spwhitton - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -169,6 +169,9 @@ python-os-brick NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- +python-urllib3 (spwhitton) + NOTE: 20231028: Added by Front-Desk (gladk) +-- rails NOTE: 20220909: Re-added due to regression (abhijith) NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cb7d3aa1a20579cf4b92eb1590ecad18d328cae
[Git][security-tracker-team/security-tracker][master] 5 commits: Mark CVE-2023-{5586,5595} as EOL for LTS (gpac)
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: e794e0ed by Anton Gladky at 2023-10-24T21:20:34+02:00 Mark CVE-2023-{5586,5595} as EOL for LTS (gpac) - - - - - b60ef744 by Anton Gladky at 2023-10-24T21:38:01+02:00 Mark CVE-2023-41914 as EOL for buster (slurm-llnl) - - - - - c594f8a6 by Anton Gladky at 2023-10-24T21:40:21+02:00 Add firefox-esr - - - - - 944e210f by Anton Gladky at 2023-10-24T21:43:09+02:00 LTS: Add pmix - - - - - b6e80ee3 by Anton Gladky at 2023-10-24T21:49:32+02:00 LTS: add request-tracker4 - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -1207,6 +1207,7 @@ CVE-2011-10004 (A vulnerability was found in reciply Plugin up to 1.1.7 on WordP NOT-FOR-US: WordPress plugin CVE-2023-5595 (Denial of Service in GitHub repository gpac/gpac prior to 2.3.0-DEV.) - gpac + [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/0064cf76-ece1-495d-82b4-e4a1bebeb28e NOTE: https://github.com/gpac/gpac/commit/7a6f636db3360bb16d18078d51e8c596f31302a1 CVE-2023-5575 (Improper access control in the permission inheritance in Devolutions S ...) @@ -1508,6 +1509,7 @@ CVE-2018-25091 (urllib3 before 1.24.2 does not remove the authorization HTTP hea NOTE: Fixed by https://github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbc (1.25) CVE-2023-5586 (NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.3.0 ...) - gpac + [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/d2a6ea71-3555-47a6-9b18-35455d103740 NOTE: https://github.com/gpac/gpac/commit/ca1b48f0abe71bf81a58995d7d75dc27f5a17ddc CVE-2023-5585 (A vulnerability was found in SourceCodester Online Motorcycle Rental S ...) 
@@ -1548,6 +1550,7 @@ CVE-2023-41914 - slurm-wlm 23.02.6-1 [bullseye] - slurm-wlm (Very intrusive patch and upstream does not release patches for unsupported versions) - slurm-llnl + [buster] - slurm-llnl (EOL in buster LTS) NOTE: https://groups.google.com/g/slurm-users/c/N9WHFVefSHA NOTE: slurm-wlm-contrib also changed, but actual security issue is in slurm-wlm CVE-2023-4263 (Potential buffer overflow vulnerability in the Zephyr IEEE 802.15.4 nR ...) = data/dla-needed.txt = @@ -58,6 +58,9 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- +firefox-esr + NOTE: 20231024: Added by Front-Desk (gladk) +-- flatpak NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk) @@ -159,6 +162,9 @@ osslsigncode phppgadmin (Chris Lamb) NOTE: 20230925: Added by Front-Desk (apo) -- +pmix + NOTE: 20231024: Added by Front-Desk (gladk) +-- python-django (Chris Lamb) NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists (Beuc/front-desk) 
@@ -189,6 +195,11 @@ rails NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh) NOTE: 20230828: want to rollout ruby-rack first. (utkarsh) -- +request-tracker4 + NOTE: 20231024: Added by Front-Desk (gladk) + NOTE: 20231024: Please check the commit: https://github.com/bestpractical/rt/commit/a7a83dfdf591cd4d9f547048e89a5a310eeef32d + NOTE: 20231024: Please check the commit: https://github.com/bestpractical/rt/commit/afb7dcded721e27028e47b62e7e5ed8ffc492beb +-- ring NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cf08268df07488cd908bcfeeda4b0dff8ad6c346...b6e80ee32afc2cdb18397cc1b3984781cecb9387
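Review bot: the two request-tracker4 notes point at upstream commits without saying which CVE each one fixes; pairing each URL with its CVE id saves the assignee a lookup and makes it possible to tell later whether both were backported. The new "[buster] - gpac (EOL in buster LTS)" and "[buster] - slurm-llnl (EOL in buster LTS)" lines, as shown, carry only the parenthesised reason after the package name; confirm they include the tracker's end-of-life marker so these CVEs stop being reported as open for buster.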
[Git][security-tracker-team/security-tracker][master] LTS: add roundcube and assign to maintainer
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 48b0cbf9 by Anton Gladky at 2023-10-24T18:35:36+02:00 LTS: add roundcube and assign to maintainer - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -193,6 +193,9 @@ ring NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca) -- +roundcube (guilhem) + NOTE: 20231024: Added by Front-Desk (gladk) +-- salt NOTE: 20220814: Added by Front-Desk (gladk) NOTE: 20220814: I am not sure, whether it is possible to fix issues View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/48b0cbf9c2541e3f71ca3a5bbc4ba31157fa50ad
[Git][security-tracker-team/security-tracker][master] LTS: take h2o
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: a3bd8eea by Anton Gladky at 2023-10-21T09:47:45+02:00 LTS: take h2o - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -84,7 +84,7 @@ gst-plugins-bad1.0 (Thorsten Alteholz) NOTE: 20230928: Added by Frond-Desk (ola) NOTE: 20231013: testing package -- -h2o (Abhijith PA) +h2o (gladk) NOTE: 20231013: Added by Front-Desk (ta) -- i2p View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a3bd8eea71ddba0835e3da46384c0475eb6bc230
[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-30847 as not-affected in Debian
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 2e7dd3e1 by Anton Gladky at 2023-10-20T06:51:42+02:00 Mark CVE-2023-30847 as not-affected in Debian - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -23110,15 +23110,13 @@ CVE-2023-30849 (Pimcore is an open source data and experience management platfor CVE-2023-30848 (Pimcore is an open source data and experience management platform. Pri ...) NOT-FOR-US: Pimcore CVE-2023-30847 (H2O is an HTTP server. In versions 2.3.0-beta2 and prior, when the rev ...) - - h2o - [bookworm] - h2o (Minor issue) - [bullseye] - h2o (Minor issue) - [buster] - h2o (Minor issue) + - h2o (versions up to 2.2.6 not affected) NOTE: Fixed by: https://github.com/h2o/h2o/commit/a70af675328dda438ecd9d8a1673c1715fd93cc7 NOTE: Fixed by: https://github.com/h2o/h2o/commit/5f57d505514e937d13787b1f408837cb9197e2b2 NOTE: https://github.com/h2o/h2o/pull/3229 NOTE: https://github.com/h2o/h2o/security/advisories/GHSA-p5hj-phwj-hrvx NOTE: https://github.com/h2o/h2o/commit/f2d9056ba5004000755a5a7adccd27d0d79d83da has done a major refactoring, but issue possibly present before + NOTE: versions up to 2.2.6 not affected (May 15 2023). Never been in Debian. https://github.com/h2o/h2o/security/advisories/GHSA-p5hj-phwj-hrvx CVE-2023-30846 (typed-rest-client is a library for Node Rest and Http Clients with typ ...) NOT-FOR-US: typed-rest-client CVE-2023-30845 (ESPv2 is a service proxy that provides API management capabilities usi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e7dd3e160822a7a4e9a7c4c4915c62579c33154
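Review bot: the replacement line "- h2o (versions up to 2.2.6 not affected)" drops the three per-release lines, but as shown it has no state marker, and a package line carrying only a comment still counts as unfixed in unstable; confirm the committed line includes the tracker's not-affected marker named in the commit message. The new NOTE also repeats the GHSA-p5hj-phwj-hrvx URL already listed two lines above, and "Never been in Debian" is ambiguous next to a line about 2.2.6; "the affected 2.3.0 beta series was never in Debian" would say what is meant.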
[Git][security-tracker-team/security-tracker][master] LTS: take freeimage
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 7eaec764 by Anton Gladky at 2023-10-14T21:13:52+02:00 LTS: take freeimage - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -79,7 +79,7 @@ flatpak NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk) -- -freeimage +freeimage (gladk) NOTE: 20230826: Added by Front-Desk (utkarsh) NOTE: 20230826: Anton Gladky is the maintainer. Please sync with him about the NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should roll View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7eaec764449d7cded838abbe46955ae73dff8dc1
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3567-1 for c-ares
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: f7d87040 by Anton Gladky at 2023-09-15T07:36:26+02:00 Reserve DLA-3567-1 for c-ares - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[15 Sep 2023] DLA-3567-1 c-ares - security update + {CVE-2020-22217} + [buster] - c-ares 1.14.0-1+deb10u4 [13 Sep 2023] DLA-3566-1 ruby-rails-html-sanitizer - security update {CVE-2022-23517 CVE-2022-23518 CVE-2022-23519 CVE-2022-23520} [buster] - ruby-rails-html-sanitizer 1.0.4-1+deb10u2 = data/dla-needed.txt = @@ -25,10 +25,6 @@ amanda (Thorsten Alteholz) NOTE: 20230730: Added by Front-Desk (apo) NOTE: 20230910: still testing package (ta) -- -c-ares (gladk) - NOTE: 20230826: Added by Front-Desk (utkarsh) - NOTE: 20230826: it's a heap buffer overflow. Have mixed feelings about this one. Will look thoroughly. (utkarsh) --- cacti NOTE: 20230906: Added by Front-Desk (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7d87040c1a130e91637598eb091cf494791e913
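Review bot: the removed dla-needed note recorded doubt about CVE-2020-22217 ("Have mixed feelings about this one. Will look thoroughly."), and this commit touches only data/DLA/list and data/dla-needed.txt; a NOTE on the CVE entry in data/CVE/list naming the upstream fix backported into c-ares 1.14.0-1+deb10u4 would preserve how that doubt was resolved for whoever handles the same issue in other releases.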
[Git][security-tracker-team/security-tracker][master] LTS: take freeimage
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 59a480aa by Anton Gladky at 2023-09-14T04:55:59+02:00 LTS: take freeimage - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -73,7 +73,7 @@ flac NOTE: 20230827: Added by Front-Desk (utkarsh) NOTE: 20230827: incoming DSA -- -freeimage +freeimage (gladk) NOTE: 20230826: Added by Front-Desk (utkarsh) NOTE: 20230826: Anton Gladky is the maintainer. Please sync with him about the NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should roll View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/59a480aa246d00c144e9f84f1d70d79f569d0a85 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/59a480aa246d00c144e9f84f1d70d79f569d0a85 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
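Review bot: the claim line is fine, but the unchanged 20230826 NOTE directly below it reads "Please sync with him about the" followed by "about this", which looks like a line-wrap copy-paste break; since the entry is being edited anyway, fix the sentence and add a dated NOTE stating the planned scope, given the front desk already asks for the DLA/ELA to be rolled out because "too many CVEs piled up".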
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3562-1 for orthanc
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: b315e37b by Anton Gladky at 2023-09-12T06:41:50+02:00 Reserve DLA-3562-1 for orthanc - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -9853,7 +9853,6 @@ CVE-2023-34486 (itsourcecode Online Hotel Management System Project In PHP v1.0. CVE-2023-33466 (Orthanc before 1.12.0 allows authenticated users with access to the Or ...) {DSA-5473-1} - orthanc 1.12.1+dfsg-1 (bug #1040597) - [buster] - orthanc (Requires new configuration variable) NOTE: https://discourse.orthanc-server.org/t/security-advisory-for-orthanc-deployments-running-versions-before-1-12-0/3568 NOTE: Requires the addition of a new RestApiWriteToFileSystemEnabled configuration and NOTE: a check in ExportInstanceFile (OrthancRestResources.cpp); the default value = data/DLA/list = @@ -1,3 +1,6 @@ +[12 Sep 2023] DLA-3562-1 orthanc - security update + {CVE-2023-33466} + [buster] - orthanc 1.5.6+dfsg-1+deb10u1 [11 Sep 2023] DLA-3561-1 node-cookiejar - security update {CVE-2022-25901} [buster] - node-cookiejar 2.0.1-1+deb10u1 = data/dla-needed.txt = 
@@ -156,11 +156,6 @@ openjdk-11 (Emilio) NOTE: 20230802: update prepared for new CPU, waiting for DSA and checking NOTE: 20230802: whether to change jtreg version (pochu) -- -orthanc (gladk) - NOTE: 20230812: Added by Front-Desk (Beuc) - NOTE: 20230812: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/41 - NOTE: 20230812: Check DSA-5473-1 (Beuc/front-desk) --- poppler NOTE: 20230908: Added by Front-Desk (lamby) NOTE: 20230908: Added due to CVE-2020-23804. However, please check CVE-2020-18839 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b315e37b22361d185fcb3974d805fc81871bd5c8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b315e37b22361d185fcb3974d805fc81871bd5c8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
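Review bot: dropping "[buster] - orthanc (Requires new configuration variable)" from data/CVE/list while reserving DLA-3562-1 means the buster update 1.5.6+dfsg-1+deb10u1 has to ship the RestApiWriteToFileSystemEnabled option and the ExportInstanceFile check that the NOTE lines describe; the DLA text should name the new option and its default value, because an administrator upgrading a stable release will otherwise not know a configuration knob was introduced or what it disables. The removed 20230812 NOTE also asked for the work to be tracked in lts-updates-tasks issue 41, so close or update that issue together with this removal.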
[med-svn] [Git][med-team/orthanc] Pushed new tag debian/1.5.6+dfsg-1+deb10u1
Anton Gladky pushed new tag debian/1.5.6+dfsg-1+deb10u1 at Debian Med / orthanc -- View it on GitLab: https://salsa.debian.org/med-team/orthanc/-/tree/debian/1.5.6+dfsg-1+deb10u1 You're receiving this email because of your account on salsa.debian.org. ___ debian-med-commit mailing list debian-med-com...@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-med-commit
[med-svn] [Git][med-team/orthanc] Pushed new branch debian/buster
Anton Gladky pushed new branch debian/buster at Debian Med / orthanc -- View it on GitLab: https://salsa.debian.org/med-team/orthanc/-/tree/debian/buster
[Git][security-tracker-team/security-tracker][master] LTS: take c-ares
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 29d1a721 by Anton Gladky at 2023-09-11T14:21:32+02:00 LTS: take c-ares - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -25,7 +25,7 @@ amanda (Thorsten Alteholz) NOTE: 20230730: Added by Front-Desk (apo) NOTE: 20230910: still testing package (ta) -- -c-ares +c-ares (gladk) NOTE: 20230826: Added by Front-Desk (utkarsh) NOTE: 20230826: it's a heap buffer overflow. Have mixed feelings about this one. Will look thoroughly. (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29d1a7215d0d7fd2f1ae7376144e2f491f36dccf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29d1a7215d0d7fd2f1ae7376144e2f491f36dccf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: add elfutils to dla-needed
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: b29cbb45 by Anton Gladky at 2023-09-03T21:25:34+02:00 LTS: add elfutils to dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -54,6 +54,9 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- +elfutils + NOTE: 20230903: Added by Front-Desk (gladk) +-- file NOTE: 20230901: Added by Front-Desk (gladk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b29cbb455f01623885c8ef502dafe6089ac2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b29cbb455f01623885c8ef502dafe6089ac2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
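Review bot: the new elfutils entry carries only "Added by Front-Desk (gladk)" and names no CVE; other entries in this file record the trigger (for example the poppler entry's "Added due to CVE-2020-23804"), so add the CVE identifier(s) and, where known, the upstream fix reference to the NOTE, otherwise whoever claims the package has to rediscover the scope from data/CVE/list.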
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add some packages into the dla-needed.txt
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: ceae6e23 by Anton Gladky at 2023-09-03T21:14:46+02:00 LTS: add some packages into the dla-needed.txt - - - - - dec5bf52 by Anton Gladky at 2023-09-03T21:19:47+02:00 LTS: mark CVE-2020-22217 as not-affected for jessie and stretch - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -220872,6 +220872,8 @@ CVE-2020-22218 (An issue was discovered in function _libssh2_packet_add in libss NOTE: https://github.com/libssh2/libssh2/commit/642eec48ff3adfdb7a9e562b6d7fc865d1733f45 (libssh2-1.10.0) CVE-2020-22217 (Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via ...) - c-ares 1.17.1-1 + [jessie] - c-ares (vulnerable code is not present) + [stretch] - c-ares (vulnerable code is not present) NOTE: https://github.com/c-ares/c-ares/issues/333 NOTE: https://github.com/c-ares/c-ares/pull/332 NOTE: Fixed by: https://github.com/c-ares/c-ares/commit/1b98172b141fe874ad43e679e67506f9b2139043 (c-ares-1_17_0) = data/dla-needed.txt = @@ -73,6 +73,9 @@ freeimage frr NOTE: 20230901: Added by Front-Desk (gladk) -- +gerbv + NOTE: 20230903: Added by Front-Desk (gladk) +-- glib2.0 (santiago) NOTE: 20230612: Added by Front-Desk (apo) NOTE: 20230710: WIP (santiago) @@ -80,6 +83,9 @@ glib2.0 (santiago) NOTE: 20230807: idem. NOTE: 20230820: asked for review/test. -- +gsl + NOTE: 20230903: Added by Front-Desk (gladk) +-- i2p NOTE: 20230809: Added by Front-Desk (Beuc) NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28 @@ -91,6 +97,9 @@ imagemagick libreswan (Markus Koschany) NOTE: 20230817: Added by Front-Desk (ta) -- +libssh2 + NOTE: 20230903: Added by Front-Desk (gladk) +-- linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- 
@@ -167,6 +176,9 @@ rails (utkarsh) NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh) NOTE: 20230828: want to rollout ruby-rack first. (utkarsh) -- +ring + NOTE: 20230903: Added by Front-Desk (gladk) +-- ruby-loofah NOTE: 20221231: Added by Front-Desk (ola) NOTE: 20230313: Pinged Daniel re. patches in repo ^. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6f2cbdbbbd71480032bd068740a244e3cae0520c...dec5bf5248e2327a541604610f3c040bdf072f31 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6f2cbdbbbd71480032bd068740a244e3cae0520c...dec5bf5248e2327a541604610f3c040bdf072f31 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
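Review bot: the data/CVE/list hunk marks CVE-2020-22217 "(vulnerable code is not present)" for jessie and stretch but leaves buster without any annotation although the description says "before 1_16_1 thru 1_17_0" and the c-ares package is sitting in dla-needed.txt; record the commit that introduced the overflow next to the existing "Fixed by:" NOTE (commit 1b98172b, c-ares-1_17_0) so the buster status can be decided from the entry itself. In the dla-needed.txt hunks, the libssh2 entry names no CVE even though the adjacent CVE/list context shows CVE-2020-22218 for libssh2 with its fix in commit 642eec48 (libssh2-1.10.0); if that is the trigger, cite it, and give gerbv, gsl and ring their CVE references as well.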
[Git][security-tracker-team/security-tracker][master] LTS: add file and frr
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: fdc54d79 by Anton Gladky at 2023-09-01T18:55:27+02:00 LTS: add file and frr - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -54,6 +54,9 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- +file + NOTE: 20230901: Added by Front-Desk (gladk) +-- firmware-nonfree NOTE: 20230820: Added by Front-Desk (ta) -- @@ -67,6 +70,9 @@ freeimage NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should roll NOTE: 20230826: out the DLA/ELA now. (utkarsh) -- +frr + NOTE: 20230901: Added by Front-Desk (gladk) +-- glib2.0 (santiago) NOTE: 20230612: Added by Front-Desk (apo) NOTE: 20230710: WIP (santiago) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fdc54d79b47bcfaf9ab433057f1f095504075ec4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fdc54d79b47bcfaf9ab433057f1f095504075ec4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: mark gpac CVEs as end-of-life for buster
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b02951f by Anton Gladky at 2023-09-01T18:52:11+02:00 LTS: mark gpac CVEs as end-of-life for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -61,20 +61,24 @@ CVE-2023-39912 (Zoho ManageEngine ADManager Plus through 7202 allows admin users CVE-2023-4683 (NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.3-D ...) - gpac [bullseye] - gpac (Minor issue) + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/commit/112767e8b178fc82dec3cf82a1ca14d802cdb8ec NOTE: https://huntr.dev/bounties/7852e4d2-af4e-4421-a39e-db23e0549922 CVE-2023-4682 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3 ...) - gpac + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/commit/b1042c3eefca87c4bc32afb404ed6518d693e5be NOTE: https://huntr.dev/bounties/15232a74-e3b8-43f0-ae8a-4e89d56c474c CVE-2023-4681 (NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.3-D ...) - gpac [bullseye] - gpac (Minor issue) + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/commit/4bac19ad854159b21ba70d8ab7c4e1cd1db8ea1c NOTE: https://huntr.dev/bounties/d67c5619-ab36-41cc-93b7-04828e25f60e CVE-2023-4678 (Divide By Zero in GitHub repository gpac/gpac prior to 2.3-DEV.) - gpac [bullseye] - gpac (Minor issue) + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/commit/4607052c482a51dbdacfe1ade10645c181d07b07 NOTE: https://huntr.dev/bounties/688a4a01-8c18-469d-8cbe-a2e79e80c877 CVE-2023-41748 (Remote command execution due to improper input validation. The followi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b02951f0c92dd615f9995398d293bf8a0fa1f32 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b02951f0c92dd615f9995398d293bf8a0fa1f32 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
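Review bot: the four added "[buster] - gpac (EOL in buster LTS)" lines use a different reason string from the webkit2gtk markings in d4af5b20 ("webkit2gtk EOL in buster"); settle on one wording for end-of-life annotations in this file so they can be grepped consistently. While touching these entries, note that CVE-2023-4682 lacks the "[bullseye] - gpac (Minor issue)" line the other three carry; check whether that omission is intentional.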
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: take orthanc and tiff
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: ac555012 by Anton Gladky at 2023-08-29T18:49:24+02:00 LTS: take orthanc and tiff - - - - - de4dd34a by Anton Gladky at 2023-08-29T18:50:54+02:00 Update email - - - - - 2 changed files: - data/dla-needed.txt - org/lts-frontdesk.2023.txt Changes: = data/dla-needed.txt = @@ -126,7 +126,7 @@ openjdk-11 (Emilio) NOTE: 20230802: update prepared for new CPU, waiting for DSA and checking NOTE: 20230802: whether to change jtreg version (pochu) -- -orthanc +orthanc (gladk) NOTE: 20230812: Added by Front-Desk (Beuc) NOTE: 20230812: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/41 NOTE: 20230812: Check DSA-5473-1 (Beuc/front-desk) @@ -233,7 +233,7 @@ suricata (Adrian Bunk) thunderbird (Emilio) NOTE: 20230829: Added by pochu -- -tiff +tiff (gladk) NOTE: 20230826: Added by Front-Desk (utkarsh) -- trafficserver = org/lts-frontdesk.2023.txt = @@ -24,15 +24,15 @@ From 05-06 to 11-06:Markus Koschany From 12-06 to 18-06:Ola Lundqvist From 19-06 to 25-06:Sylvain Beucler From 26-06 to 02-07:Thorsten Alteholz -From 03-07 to 09-07:Anton Gladky +From 03-07 to 09-07:Anton Gladky From 10-07 to 16-07:Chris Lamb From 17-07 to 23-07:Emilio Pozuelo Monfort From 24-07 to 30-07:Markus Koschany -From 31-07 to 06-08:Anton Gladky +From 31-07 to 06-08:Anton Gladky From 07-08 to 13-08:Sylvain Beucler From 14-08 to 20-08:Thorsten Alteholz From 21-08 to 27-08:Utkarsh Gupta -From 28-08 to 03-09:Anton Gladky +From 28-08 to 03-09:Anton Gladky From 04-09 to 10-09:Chris Lamb From 11-09 to 17-09:Emilio Pozuelo Monfort From 18-09 to 24-09:Markus Koschany 
@@ -40,7 +40,7 @@ From 25-09 to 01-10:Ola Lundqvist From 02-10 to 08-10:Sylvain Beucler From 09-10 to 15-10:Thorsten Alteholz From 16-10 to 22-10:Utkarsh Gupta -From 23-10 to 29-10:Anton Gladky +From 23-10 to 29-10:Anton Gladky From 30-10 to 05-11:Chris Lamb From 06-11 to 12-11:Emilio Pozuelo Monfort From 13-11 to 19-11:Markus Koschany @@ -48,5 +48,5 @@ From 20-11 to 26-11:Ola Lundqvist From 27-11 to 03-12:Sylvain Beucler From 04-12 to 10-12:Thorsten Alteholz From 11-12 to 17-12:Utkarsh Gupta -From 18-12 to 24-12:Anton Gladky +From 18-12 to 24-12:Anton Gladky From 25-12 to 31-12:Chris Lamb View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fdb067e1a312feac5be29e31047dac80828d1552...de4dd34a68381a1344af5927547073b1b104c0b9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fdb067e1a312feac5be29e31047dac80828d1552...de4dd34a68381a1344af5927547073b1b104c0b9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
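Review bot: "orthanc (gladk)" was already set on 2023-08-13 in 55e76921 and has evidently been dropped since, yet the entry still ends at the 20230812 front-desk notes; add a dated NOTE with the current status and, as the 20230812 NOTE asks, self-assign lts-updates-tasks issue 41 rather than only editing this file. The "Update email" hunks in org/lts-frontdesk.2023.txt show identical before and after text for every "Anton Gladky" line in this view, so the address change itself cannot be checked from the mail and a reviewer has to open the commit on GitLab.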
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3530-1 for openssl
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 07413911 by Anton Gladky at 2023-08-15T21:55:34+02:00 Reserve DLA-3530-1 for openssl - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[15 Aug 2023] DLA-3530-1 openssl - security update + {CVE-2023-3446 CVE-2023-3817} + [buster] - openssl 1.1.1n-0+deb10u6 [15 Aug 2023] DLA-3529-1 datatables.js - security update {CVE-2021-23445} [buster] - datatables.js 1.10.19+dfsg-1+deb10u1 = data/dla-needed.txt = @@ -139,10 +139,6 @@ openjdk-11 (Emilio) openssh NOTE: 20230814: Added by Front-Desk (ta) -- -openssl (gladk) - NOTE: 20230731: Added by Front-Desk (apo) - NOTE: 20230814: ready to be uploaded --- orthanc (gladk) NOTE: 20230812: Added by Front-Desk (Beuc) NOTE: 20230812: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/41 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/074139111dfba9e192df3014f1f26261ae9990c2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/074139111dfba9e192df3014f1f26261ae9990c2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: take openssl again, it will be uploaded today
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: c0675d07 by Anton Gladky at 2023-08-14T20:09:51+02:00 LTS: take openssl again, it will be uploaded today - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -141,8 +141,9 @@ openjdk-11 (Emilio) NOTE: 20230802: update prepared for new CPU, waiting for DSA and checking NOTE: 20230802: whether to change jtreg version (pochu) -- -openssl +openssl (gladk) NOTE: 20230731: Added by Front-Desk (apo) + NOTE: 20230814: ready to be uploaded -- orthanc (gladk) NOTE: 20230812: Added by Front-Desk (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0675d07f033f09cfc930e286b19407ba71a8f7f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0675d07f033f09cfc930e286b19407ba71a8f7f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: take orthanc
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 55e76921 by Anton Gladky at 2023-08-13T17:53:16+02:00 LTS: take orthanc - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -153,7 +153,7 @@ openjdk-11 (Emilio) openssl (gladk) NOTE: 20230731: Added by Front-Desk (apo) -- -orthanc +orthanc (gladk) NOTE: 20230812: Added by Front-Desk (Beuc) NOTE: 20230812: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/41 NOTE: 20230812: Check DSA-5473-1 (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/55e76921bad76df0b69bd533d9bebd92b41b2d5d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/55e76921bad76df0b69bd533d9bebd92b41b2d5d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add gawk
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: d9c15ff2 by Anton Gladky at 2023-08-06T22:34:53+02:00 LTS: add gawk - - - - - 1da15071 by Anton Gladky at 2023-08-06T22:37:52+02:00 LTS: add libhtmlcleaner-java - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -49,6 +49,11 @@ dogecoin firefox-esr (Emilio) NOTE: 20230802: Added by pochu -- +gawk + NOTE: 20230806: Added by Front-Desk (gladk) + NOTE: 20230806: Please, check, whether CVE is applicable for buster + NOTE: 20230806: poc are available in the mailing list (gladk) +-- ghostscript (Adrian Bunk) NOTE: 20230803: Added by Front-Desk (gladk) -- @@ -73,6 +78,11 @@ imagemagick NOTE: 20230622: Added by Front-Desk (Beuc) NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) -- +libhtmlcleaner-java + NOTE: 20230806: Added by Front-Desk (gladk) + NOTE: 20230806: https://github.com/amplafi/htmlcleaner/issues/13#issuecomment-1597626510 + NOTE: 20230806: Please, check the upper link, whether the patch can be got (gladk) +-- libreoffice NOTE: 20230530: Added by Front-Desk (pochu) NOTE: 20230718: http://people.debian.org/~abhijith/upload/lo (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fcf9282efdb89459070b0d18c2db15bc5264d3ef...1da15071a3d33dd9831419435ba35e6a1a49e6f7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fcf9282efdb89459070b0d18c2db15bc5264d3ef...1da15071a3d33dd9831419435ba35e6a1a49e6f7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
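Review bot: the gawk NOTE says "Please, check, whether CVE is applicable for buster" and "poc are available in the mailing list" without naming the CVE or linking the thread; add the CVE identifier and the list-archive URL so the PoC can actually be found by whoever claims the package. The libhtmlcleaner-java entry links an issue comment for the patch but likewise names no CVE; add it so the entry can be matched against data/CVE/list.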
[Git][security-tracker-team/security-tracker][master] Mark new CVEs for webkit2gtk as end-of-life for buster
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: d4af5b20 by Anton Gladky at 2023-08-05T21:20:50+02:00 Mark new CVEs for webkit2gtk as end-of-line for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -950,6 +950,7 @@ CVE-2023-38601 (This issue was addressed by removing the vulnerable code. This i NOT-FOR-US: Apple CVE-2023-38599 (A logic issue was addressed with improved state management. This issue ...) - webkit2gtk 2.40.5-1 + [buster] - webkit2gtk (webkit2gtk EOL in buster) - wpewebkit 2.40.5-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) NOTE: https://webkitgtk.org/security/WSA-2023-0007.html @@ -957,6 +958,7 @@ CVE-2023-38598 (A use-after-free issue was addressed with improved memory manage NOT-FOR-US: Apple CVE-2023-38592 (A logic issue was addressed with improved restrictions. This issue is ...) - webkit2gtk 2.40.5-1 + [buster] - webkit2gtk (webkit2gtk EOL in buster) - wpewebkit 2.40.5-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) NOTE: https://webkitgtk.org/security/WSA-2023-0007.html @@ -1071,6 +1073,7 @@ CVE-2023-3451 REJECTED CVE-2023-38611 (The issue was addressed with improved memory handling. This issue is f ...) - webkit2gtk 2.40.5-1 + [buster] - webkit2gtk (webkit2gtk EOL in buster) - wpewebkit 2.40.5-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) NOTE: https://webkitgtk.org/security/WSA-2023-0007.html 
@@ -1084,21 +1087,25 @@ CVE-2023-38602 (A permissions issue was addressed with additional restrictions. NOT-FOR-US: Apple CVE-2023-38600 (The issue was addressed with improved checks. This issue is fixed in i ...) - webkit2gtk 2.40.5-1 + [buster] - webkit2gtk (webkit2gtk EOL in buster) - wpewebkit 2.40.5-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) NOTE: https://webkitgtk.org/security/WSA-2023-0007.html CVE-2023-38597 (The issue was addressed with improved checks. This issue is fixed in i ...) - webkit2gtk 2.40.5-1 + [buster] - webkit2gtk (webkit2gtk EOL in buster) - wpewebkit 2.40.5-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) NOTE: https://webkitgtk.org/security/WSA-2023-0007.html CVE-2023-38595 (The issue was addressed with improved checks. This issue is fixed in i ...) - webkit2gtk 2.40.5-1 + [buster] - webkit2gtk (webkit2gtk EOL in buster) - wpewebkit 2.40.5-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) NOTE: https://webkitgtk.org/security/WSA-2023-0007.html CVE-2023-38594 (The issue was addressed with improved checks. This issue is fixed in i ...) - webkit2gtk 2.40.5-1 + [buster] - webkit2gtk (webkit2gtk EOL in buster) - wpewebkit 2.40.5-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) NOTE: https://webkitgtk.org/security/WSA-2023-0007.html @@ -1108,6 +1115,7 @@ CVE-2023-38580 (The issue was addressed with improved memory handling. This issu NOT-FOR-US: Apple CVE-2023-38572 (The issue was addressed with improved checks. This issue is fixed in i ...) - webkit2gtk 2.40.5-1 + [buster] - webkit2gtk (webkit2gtk EOL in buster) - wpewebkit 2.40.5-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) NOTE: https://webkitgtk.org/security/WSA-2023-0007.html 
@@ -1136,6 +1144,7 @@ CVE-2023-38136 (The issue was addressed with improved memory handling. This issu NOT-FOR-US: Apple CVE-2023-38133 (The issue was addressed with improved checks. This issue is fixed in i ...) - webkit2gtk 2.40.5-1 + [buster] - webkit2gtk (webkit2gtk EOL in buster) - wpewebkit 2.40.5-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) NOTE: https://webkitgtk.org/security/WSA-2023-0007.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4af5b202196a67e6599e5e8fbd6476c653b6409 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4af5b202196a67e6599e5e8fbd6476c653b6409 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
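Review bot: the commit message says "end-of-line" where "end-of-life" is meant; the nine added "[buster] - webkit2gtk (webkit2gtk EOL in buster)" lines are otherwise consistent with each other and every affected entry already carries the same WSA-2023-0007 reference, so the marking itself needs no change.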
[Git][security-tracker-team/security-tracker][master] LTS: add burp, poppler, thunderbird
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 9db40c66 by Anton Gladky at 2023-08-04T21:55:46+02:00 LTS: add burp, poppler, thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -24,6 +24,9 @@ rather than remove/replace existing ones. amanda (Thorsten Alteholz) NOTE: 20230730: Added by Front-Desk (apo) -- +burp + NOTE: 20230804: Added by Front-Desk (gladk) +-- cairosvg (gladk) NOTE: 20230323: Added by Front-Desk (gladk) NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert/inactive) @@ -124,6 +127,9 @@ openssl (gladk) pdfcrack (Adrian Bunk) NOTE: 20230731: Added by Front-Desk (apo) -- +poppler + NOTE: 20230804: Added by Front-Desk (gladk) +-- python-glance-store NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. @@ -194,6 +200,9 @@ suricata (Adrian Bunk) NOTE: 20230714: Still reviewing+testing CVEs. (bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) -- +thunderbird + NOTE: 20230804: Added by Front-Desk (gladk) +-- zabbix (tobi) NOTE: 20230731: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9db40c661345d17a5d8878affb46fdc5c2f6f8ad -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9db40c661345d17a5d8878affb46fdc5c2f6f8ad You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: add ghostscript
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 61ad503e by Anton Gladky at 2023-08-03T22:44:45+02:00 LTS: add ghostscript - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -52,6 +52,9 @@ dogecoin firefox-esr (Emilio) NOTE: 20230802: Added by pochu -- +ghostscript + NOTE: 20230803: Added by Front-Desk (gladk) +-- glib2.0 (santiago) NOTE: 20230612: Added by Front-Desk (apo) NOTE: 20230710: WIP (santiago) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61ad503edf06a0cac65995f5cb084447c726104c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61ad503edf06a0cac65995f5cb084447c726104c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: CVE-2023-34478 mark as no-dsa
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 16b66fa0 by Anton Gladky at 2023-08-03T22:38:57+02:00 LTS: CVE-2023-34478 mark as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1552,6 +1552,7 @@ CVE-2023-34478 (Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible - shiro [bookworm] - shiro (Minor issue) [bullseye] - shiro (Minor issue) + [buster] - shiro (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/07/24/4 CVE-2023-34429 (Weintek Weincloud v0.13.6 could allow an attacker to cause a denia ...) NOT-FOR-US: Weincloud View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16b66fa05d33782cb17cf1ffb8569b1e7e1712ed -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16b66fa05d33782cb17cf1ffb8569b1e7e1712ed You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2020-22402: mark as not-affected for buster
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: b285cbab by Anton Gladky at 2023-07-31T19:04:58+02:00 CVE-2020-22402: mark as not-affected for buster - - - - - 20387165 by Anton Gladky at 2023-07-31T19:04:59+02:00 LTS: add bouncycastle - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -214874,7 +214874,9 @@ CVE-2020-22403 (Cross Site Request Forgery (CSRF) vulnerability in Express cart NOT-FOR-US: Node express-cart CVE-2020-22402 (Cross Site Scripting (XSS) vulnerability in SOGo Web Mail before 4.3.1 ...) - sogo 4.3.2-1 + [buster] - sogo (Vulnerable code added later) NOTE: https://bugs.sogo.nu//view.php?id=4979 + NOTE: https://github.com/Alinto/sogo/commit/d1dbceb407b37aff6563d06194189965af39cf3e CVE-2020-22401 RESERVED CVE-2020-22400 = data/dla-needed.txt = @@ -24,6 +24,9 @@ rather than remove/replace existing ones. amanda (Thorsten Alteholz) NOTE: 20230730: Added by Front-Desk (apo) -- +bouncycastle + NOTE: 20230731: Added by Front-Desk (gladk) +-- cairosvg (gladk) NOTE: 20230323: Added by Front-Desk (gladk) NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert/inactive) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/abfb15aa3b763450b48fc626260a925efd9a79e8...203871654dfc7032aa83961ac891d40daea608a4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/abfb15aa3b763450b48fc626260a925efd9a79e8...203871654dfc7032aa83961ac891d40daea608a4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
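Review bot: the buster reason "(Vulnerable code added later)" for CVE-2020-22402 does not say which SOGo version introduced the code, and the NOTE link to commit d1dbceb4 added beside it is unlabelled; prefix it the way the file labels fixes ("NOTE: Fixed by: ... (version)"), e.g. as the introducing commit with the first affected upstream version, otherwise a later reader cannot tell whether the link points at the commit that introduced the XSS or the one that fixed it. The bouncycastle entry added to dla-needed.txt also names no CVE.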
[Git][security-tracker-team/security-tracker][master] LTS: take openssl
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 15ad4339 by Anton Gladky at 2023-07-31T18:37:51+02:00 LTS: take openssl - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -116,7 +116,7 @@ openjdk-11 (Emilio) NOTE: 20230612: sid updated, preparing backport (pochu) NOTE: 20230717: waiting for DSA, might wait for next CPU (pochu) -- -openssl +openssl (gladk) NOTE: 20230731: Added by Front-Desk (apo) -- orthanc (Chris Lamb) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/15ad4339f85321b3f8bc0154a0671aecf3d5f4b8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/15ad4339f85321b3f8bc0154a0671aecf3d5f4b8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: set myself as a FD for next week
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 5ed8ad67 by Anton Gladky at 2023-07-30T14:46:33+02:00 LTS: set myself as a FD for next week - - - - - 1 changed file: - org/lts-frontdesk.2023.txt Changes: = org/lts-frontdesk.2023.txt = @@ -28,7 +28,7 @@ From 03-07 to 09-07:Anton Gladky From 10-07 to 16-07:Chris Lamb From 17-07 to 23-07:Emilio Pozuelo Monfort From 24-07 to 30-07:Markus Koschany -From 31-07 to 06-08:Ola Lundqvist +From 31-07 to 06-08:Anton Gladky From 07-08 to 13-08:Sylvain Beucler From 14-08 to 20-08:Thorsten Alteholz From 21-08 to 27-08:Utkarsh Gupta @@ -49,4 +49,4 @@ From 27-11 to 03-12:Sylvain Beucler From 04-12 to 10-12:Thorsten Alteholz From 11-12 to 17-12:Utkarsh Gupta From 18-12 to 24-12:Anton Gladky -From 25-12 to 31-12:Chris Lamb \ No newline at end of file +From 25-12 to 31-12:Chris Lamb View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5ed8ad67a02055e382e0f06a11adc9bfa89af0e7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5ed8ad67a02055e382e0f06a11adc9bfa89af0e7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: take cairosvg
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 62ba6ed8 by Anton Gladky at 2023-07-25T22:10:09+02:00 LTS: take cairosvg - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -21,7 +21,7 @@ To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. -- -cairosvg +cairosvg (gladk) NOTE: 20230323: Added by Front-Desk (gladk) NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert/inactive) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62ba6ed8bcc720692a5e6c87a235144dd7f42416 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62ba6ed8bcc720692a5e6c87a235144dd7f42416 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: Mark CVE-2023-36201 as ignored for buster
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 53d95b27 by Anton Gladky at 2023-07-09T20:45:19+02:00 Mark CVE-2023-36201 as ignored for buster - - - - - ebd698e1 by Anton Gladky at 2023-07-09T20:45:19+02:00 Mark CVE-2023-3523 as EOL for buster (gpac) - - - - - 2533cd69 by Anton Gladky at 2023-07-09T20:45:19+02:00 LTS: Add node-tough-cookie - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -109,6 +109,7 @@ CVE-2023-36256 (The Online Examination System Project 1.0 version is vulnerable CVE-2023-36201 (An issue in JerryscriptProject jerryscript v.3.0.0 allows an attacker ...) - iotjs [bullseye] - iotjs (Minor issue) + [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/issues/5026 CVE-2023-34197 (Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP ...) NOT-FOR-US: Zoho @@ -160,6 +161,7 @@ CVE-2023-3523 (Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.2.2. - gpac NOTE: https://huntr.dev/bounties/57e0be03-8484-415e-8b5c-c1fe4546eaac/ NOTE: https://github.com/gpac/gpac/commit/64201a26476c12a7dbd7ffb5757743af6954db96 + [buster] - gpac (EOL in buster LTS) CVE-2023-3456 (Vulnerability of kernel raw address leakage in the hang detector modu ...) NOT-FOR-US: Huawei CVE-2023-37454 (An issue was discovered in the Linux kernel through 6.4.2. A crafted U ...) = data/dla-needed.txt = @@ -103,6 +103,9 @@ linux (Ben Hutchings) mediawiki (Markus Koschany) NOTE: 20230701: Added by Front-Desk (ta) -- +node-tough-cookie + NOTE: 20230709: Added by Front-Desk (gladk) +-- nova NOTE: 20230302: Re-add, request by maintainer (Beuc) NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression 
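Review bot: the commit message says CVE-2023-36201 is marked as ignored for buster, but the line added is `[buster] - iotjs (Minor issue)`, which the tracker records as no-dsa, not ignored; an ignored decision is written as `[buster] - iotjs <ignored> (Minor issue)`. Either add the `<ignored>` tag or reword the commit message so the tracker state and the log agree.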
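Review bot: `[buster] - gpac (EOL in buster LTS)` lacks the `<end-of-life>` tag, so despite the commit message ("Mark CVE-2023-3523 as EOL for buster") the tracker will treat this as no-dsa with a free-text reason rather than end-of-life; write it as `[buster] - gpac <end-of-life> (EOL in buster LTS)`. Also, this annotation is placed after the NOTE lines, whereas the CVE-2023-36201 entry in the same push keeps release annotations before the NOTE lines; keep the same order here.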
@@ -132,6 +135,9 @@ openjdk-11 (Emilio) NOTE: 20230612: sid updated, preparing backport (pochu) NOTE: 20230627: waiting for DSA (pochu) -- +pandoc + NOTE: 20230709: Added by Front-Desk (gladk) +-- php-dompdf (rouca) NOTE: 20230618: Added by Front-Desk (opal) NOTE: 20230618: Low priority but higher than to not fix it. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/00404a33424169134995001a541dfecc28fd17a8...2533cd69dae703e8ebb5ec18e44b2b682bcf950d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/00404a33424169134995001a541dfecc28fd17a8...2533cd69dae703e8ebb5ec18e44b2b682bcf950d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: add xqilla
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 3cd9e307 by Anton Gladky at 2023-07-06T06:54:41+02:00 LTS: add xqilla - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -268,6 +268,9 @@ webkit2gtk (Emilio) NOTE: 20230606: https://lists.debian.org/debian-lts/2023/06/msg5.html (pochu) NOTE: 20230627: will likely hold the update and mark as not-supported due to feedback (pochu) -- +xqilla + NOTE: 20230706: Added by Front-Desk (gladk) +-- yajl (tobi) NOTE: 20230702: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cd9e30762c0c123604902006e71b399d27d2359 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cd9e30762c0c123604902006e71b399d27d2359 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add pypdf2
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 8bf22648 by Anton Gladky at 2023-07-05T06:59:05+02:00 LTS: add pypdf2 - - - - - 544d1f55 by Anton Gladky at 2023-07-05T06:59:39+02:00 Mark ruby-yajl as no-dsa for buster - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -3010,6 +3010,7 @@ CVE-2023-33460 (There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse - ruby-yajl [bookworm] - ruby-yajl (Minor issue) [bullseye] - ruby-yajl (Minor issue) + [buster] - ruby-yajl (Minor issue) CVE-2023-33457 (In Sogou Workflow v0.10.6, memcpy a negtive size in URIParser::parse , ...) NOT-FOR-US: Sogou Workflow CVE-2023-33381 (A command injection vulnerability was found in the ping functionality ...) = data/dla-needed.txt = @@ -173,6 +173,9 @@ php-dompdf NOTE: 20230618: Added by Front-Desk (opal) NOTE: 20230618: Low priority but higher than to not fix it. -- +pypdf2 + NOTE: 20230705: Added by Front-Desk (gladk) +-- python-glance-store (jspricke) NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6870f195eca3236b18912c607f24f0f89da9dba9...544d1f55ffdf81d721dc6b756d6a122d5b70def0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6870f195eca3236b18912c607f24f0f89da9dba9...544d1f55ffdf81d721dc6b756d6a122d5b70def0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: add nsis
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 6870f195 by Anton Gladky at 2023-07-05T06:30:01+02:00 LTS: add nsis - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -141,6 +141,9 @@ nova NOTE: 20230302: zigo currently has no time and requests the LTS team to do it (IRC #debian-lts 2023-03-02). (Beuc/front-desk) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. (lamby) -- +nsis + NOTE: 20230705: Added by Front-Desk (gladk) +-- nvidia-cuda-toolkit NOTE: 20230514: Added by Front-Desk (utkarsh) NOTE: 20230514: package listed in packages-to-support; a bunch of CVEs have View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6870f195eca3236b18912c607f24f0f89da9dba9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6870f195eca3236b18912c607f24f0f89da9dba9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: take openimageio
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 787f91d4 by Anton Gladky at 2023-07-02T18:47:46+02:00 LTS: take openimageio - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -136,7 +136,7 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- -openimageio +openimageio (gladk) NOTE: 20230406: Re-added due to regressions (apo) NOTE: 20230612: Backporting is mostly done, but still some failures. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/787f91d43baff9798ed5c3f6cab8e1e00212d451 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/787f91d43baff9798ed5c3f6cab8e1e00212d451 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: take libapache2-mod-auth-openidc
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 3a751704 by Anton Gladky at 2023-06-26T21:58:26+02:00 LTS: take libapache2-mod-auth-openidc - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -101,7 +101,7 @@ lemonldap-ng NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: Follow 2 fixes from bullseye 11.7 (CVE-2023-28862 + unreferenced URL validation bypass) (Beuc/front-desk) -- -libapache2-mod-auth-openidc +libapache2-mod-auth-openidc (gladk) NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: Follow fix from bullseye 11.7 (CVE-2022-23527) + 1 postponed CVE-2021-39191 (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a7517046ac19feb90f3f8a069f7799f01967011 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a7517046ac19feb90f3f8a069f7799f01967011 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3471-1 for c-ares
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: b49472f7 by Anton Gladky at 2023-06-26T06:54:50+02:00 Reserve DLA-3471-1 for c-ares - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[26 Jun 2023] DLA-3471-1 c-ares - security update + {CVE-2023-31130 CVE-2023-32067} + [buster] - c-ares 1.14.0-1+deb10u3 [25 Jun 2023] DLA-3470-1 owslib - security update {CVE-2023-27476} [buster] - owslib 0.17.1-1+deb10u1 = data/dla-needed.txt = @@ -25,10 +25,6 @@ bind9 (Chris Lamb) NOTE: 20230623: Added by Front-Desk (Beuc) NOTE: 20230623: Upcoming DSA prepared by maintainer (Beuc/front-desk) -- -c-ares (gladk) - NOTE: 20230523: Added by Front-Desk (lamby) - NOTE: 20230612: WIP. Work also on not-important issues (gladk) --- cairosvg NOTE: 20230323: Added by Front-Desk (gladk) NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b49472f7c98951a09aa9de1fd966607ef92c3e1d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b49472f7c98951a09aa9de1fd966607ef92c3e1d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Status update
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: ebca59de by Anton Gladky at 2023-06-12T07:25:26+02:00 Status update - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -21,6 +21,7 @@ rather than remove/replace existing ones. -- c-ares (gladk) NOTE: 20230523: Added by Front-Desk (lamby) + NOTE: 20230612: WIP. Work also on not-important issues (gladk) -- cairosvg NOTE: 20230323: Added by Front-Desk (gladk) @@ -103,7 +104,7 @@ nvidia-cuda-toolkit (tobi) -- openimageio (gladk) NOTE: 20230406: Re-added due to regressions (apo) - NOTE: 20230508: WIP + NOTE: 20230612: Backporting is mostly done, but still some failures. -- openjdk-11 (Emilio) NOTE: 20230419: Added by Front-Desk (ola) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ebca59de004a3062951cd5f4cfcb92c13ba89ed9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ebca59de004a3062951cd5f4cfcb92c13ba89ed9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker] Deleted branch fix_987283
Anton Gladky deleted branch fix_987283 at Debian Security Tracker / security-tracker
[Git][security-tracker-team/security-tracker][fix_987283] Add verbose change
Anton Gladky pushed to branch fix_987283 at Debian Security Tracker / security-tracker Commits: 547f1afc by Anton Gladky at 2023-05-25T16:06:19+02:00 Add verbose change - - - - - 1 changed file: - lib/python/security_db.py Changes: = lib/python/security_db.py = @@ -932,7 +932,8 @@ class DB: if self.verbose: print(f"Table {table} does not exist") continue -print (f"Clearing table {table}") +if self.verbose: +print (f"Clearing table {table}") cursor.execute(f"DELETE FROM {table}") # The *_status tables are regenerated anyway, no need to # delete them here. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/547f1afc5197685b9e72673e2da22b5e96d4788f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/547f1afc5197685b9e72673e2da22b5e96d4788f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
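Review bot: the now-gated message `print (f"Clearing table {table}")` has a space before the parenthesis and a capitalised, unindented text, while the neighbouring verbose messages in this function use the `print(" clearing database")` and `print(f"Table {table} does not exist")` forms; settle on one style, e.g. `print(f" clearing table {table}")`, so the verbose output of readBugs lines up. The `DELETE FROM {table}` f-string on the next line is acceptable only because `table` comes from the internal `tables` list; keep it that way and never let an externally supplied name reach it.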
[Git][security-tracker-team/security-tracker] Deleted branch add_removed_files_to_DB
Anton Gladky deleted branch add_removed_files_to_DB at Debian Security Tracker / security-tracker
[Git][security-tracker-team/security-tracker][master] 2 commits: Add file print of the removed_packages into DB
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: b232fb0b by Anton Gladky at 2023-05-25T13:51:43+02:00 Add file print of the removed_packages into DB - - - - - 704ed519 by Anton Gladky at 2023-05-25T13:01:23+00:00 Merge branch add_removed_files_to_DB into master Add file print of the removed_packages into DB See merge request security-tracker-team/security-tracker!134 - - - - - 1 changed file: - lib/python/security_db.py Changes: = lib/python/security_db.py = @@ -963,14 +963,19 @@ class DB: source_paths = [src["path"] for src in sources] unchanged = True +changed_source = None for filename in source_paths + [source_removed_packages]: if has_changed(path + filename): unchanged = False +changed_source = path + filename break if unchanged: if self.verbose: print(" finished (no changes)") return +else: +if self.verbose: +print(f" clearing database, because some files have changed ({changed_source})") clear_db() 
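Review bot: the `else:` after `return` in this hunk is redundant; the verbose message can sit at the same level as the `if unchanged:` block, since the early return already handles the unchanged case. Note also that `changed_source` only ever holds the first changed file, because the loop still `break`s on the first hit; if the message is meant to report "some files have changed", drop the break and collect every changed path, otherwise say that one file changed.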
@@ -1992,6 +1997,14 @@ class DB: cursor.executemany( "INSERT OR IGNORE INTO removed_packages (name) VALUES (?)", gen()) + +# Add file print to database for removed packages +current_print = self.filePrint(filename) +cursor.execute( +"""INSERT OR REPLACE INTO inodeprints (inodeprint, file) +VALUES (?, ?)""", (current_print, filename)) + + def getUnknownPackages(self, cursor): """Returns a generator for a list of unknown packages. Each entry has the form (PACKAGE, BUG-LIST).""" View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8c27ceb23a1fb7f06dc717f560846b4b6b0fa2a8...704ed519f6cfb075bf6932b4e0888098f7b7bba3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8c27ceb23a1fb7f06dc717f560846b4b6b0fa2a8...704ed519f6cfb075bf6932b4e0888098f7b7bba3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
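Review bot: the inodeprint written at the end of readRemovedAndIgnoredPackages is keyed on `filename` exactly as passed in, so every caller must pass the same string that is later handed to `has_changed()` (the check loop in the previous hunk uses `path + filename`); a comment saying so, or a small helper that builds the key for both the check and the store, would prevent a relative-vs-absolute mismatch that makes the change check fire on every run. The added empty lines before `def getUnknownPackages` are whitespace noise; one blank line between methods is enough.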
[Git][security-tracker-team/security-tracker] Pushed new branch add_removed_files_to_DB
Anton Gladky pushed new branch add_removed_files_to_DB at Debian Security Tracker / security-tracker -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/tree/add_removed_files_to_DB
[Git][security-tracker-team/security-tracker][fix_987283] 2 commits: Remove one more print
Anton Gladky pushed to branch fix_987283 at Debian Security Tracker / security-tracker Commits: aff4d306 by Anton Gladky at 2023-05-24T17:31:27+02:00 Remove one more print - - - - - 351ff96d by Anton Gladky at 2023-05-24T18:16:58+02:00 Fix failure - - - - - 1 changed file: - lib/python/security_db.py Changes: = lib/python/security_db.py = @@ -910,6 +910,8 @@ class DB: print("readBugs:") def clear_db(cleared=[False]): +if self.verbose: +print(" clearing database") # Avoid clearing the database multiple times. if cleared[0]: return @@ -922,9 +924,11 @@ class DB: for table in tables: # check first, whether the table exists try: -cursor.execute(f"SELECT 1 FROM sqlite_schema WHERE type = 'table' AND name = {table}") +cursor.execute(f"SELECT * FROM {table} LIMIT 1") except: # table does not exist +if self.verbose: +print(f"Table {table} does not exist") continue cursor.execute(f"DELETE FROM {table}") @@ -966,15 +970,13 @@ class DB: return True source_removed_packages = '/packages/removed-packages' -source_ignored_unreported = 'data/packages/ignored-debian-bug-packages' +source_ignored_unreported = '/packages/ignored-debian-bug-packages' sources = self.getSources() source_paths = [src["path"] for src in sources] unchanged = True - for filename in source_paths + [source_removed_packages, source_ignored_unreported]: -print (path + filename) if has_changed(path + filename): unchanged = False break @@ -1005,9 +1007,8 @@ class DB: print(" update removed packages") self.readRemovedAndIgnoredPackages(cursor, path + source_removed_packages, table = "removed_packages") - # Add file print to database for ignored packages -current_print = self.filePrint(source_ignored_unreported) +current_print = self.filePrint(path + source_ignored_unreported) cursor.execute( """INSERT OR REPLACE INTO inodeprints (inodeprint, file) VALUES (?, ?)""", (current_print, source_ignored_unreported)) 
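Review bot: in clear_db(), the new `print(" clearing database")` runs before the `if cleared[0]: return` guard, so the message is printed on every call, including the calls that do nothing because the database was already cleared; move it below the guard.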
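Review bot: the table-existence check now runs `SELECT * FROM {table} LIMIT 1` inside a bare `except:`, which swallows every exception (KeyboardInterrupt and genuine I/O errors included), not just a missing table. Catch `sqlite3.OperationalError` only, or better, query the catalogue with a bound parameter, `SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?`, which works on SQLite releases older than the `sqlite_schema` alias the removed line relied on and avoids building SQL from `table` at all; interpolating `{table}` is tolerable here only because `tables` is an internal list.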
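Review bot: in the ignored-packages block, the print is computed from `path + source_ignored_unreported` but stored under the key `source_ignored_unreported`, while the change check above calls `has_changed(path + filename)`; unless has_changed() strips the prefix, the stored row will never match the lookup key and the database will be rebuilt on every run. Store it under `path + source_ignored_unreported`, the same key the check uses, as the removed-packages path already does.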
@@ -1016,7 +1017,7 @@ class DB: print(" update ignored packages") # Read list of packages, which should be ignored for the status/unreported -self.readRemovedAndIgnoredPackages(cursor, source_ignored_unreported, table = "ignored_packages") +self.readRemovedAndIgnoredPackages(cursor, path + source_ignored_unreported, table = "ignored_packages") errors = [] @@ -1993,7 +1994,7 @@ class DB: yield bug_name def readRemovedAndIgnoredPackages(self, cursor, filename, table='removed_packages'): -"""Reads a file of removed packages and stores it in the database. +"""Reads a file of removed or ignored packages and stores it in the database. For that the table parameter must be set to 'removed_packages'. This is the default value. The original contents of the removed_packages table is preserved. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/bac5fccf07af52fc6a3085cd6be7f829283d6ed8...351ff96d1b9e172d4908521e6f7f12fecb5bd656 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/bac5fccf07af52fc6a3085cd6be7f829283d6ed8...351ff96d1b9e172d4908521e6f7f12fecb5bd656 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][fix_987283] Simplify the code
Anton Gladky pushed to branch fix_987283 at Debian Security Tracker / security-tracker Commits: bac5fccf by Anton Gladky at 2023-05-24T16:58:34+02:00 Simplify the code - - - - - 1 changed file: - lib/python/security_db.py Changes: = lib/python/security_db.py = @@ -966,20 +966,19 @@ class DB: return True source_removed_packages = '/packages/removed-packages' +source_ignored_unreported = 'data/packages/ignored-debian-bug-packages' sources = self.getSources() source_paths = [src["path"] for src in sources] unchanged = True -for filename in source_paths + [source_removed_packages]: + + +for filename in source_paths + [source_removed_packages, source_ignored_unreported]: +print (path + filename) if has_changed(path + filename): unchanged = False break -# Check if the ignored packages file has changed -source_ignore_unreported = "data/packages/ignored-debian-bug-packages" -if has_changed(path + filename): -unchanged = False - if unchanged: if self.verbose: print(" finished (no changes)") 
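Review bot: `source_ignored_unreported = 'data/packages/ignored-debian-bug-packages'` does not match the shape of `source_removed_packages = '/packages/removed-packages'` two lines above: it carries a `data/` prefix and no leading slash, so `path + filename` yields a differently formed (and most likely wrong) location for this file than for the removed-packages file. Use `'/packages/ignored-debian-bug-packages'`. The `print (path + filename)` inside the loop looks like leftover debugging output and the two added empty lines are whitespace noise; drop both.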
@@ -1008,16 +1007,16 @@ class DB: # Add file print to database for ignored packages -current_print = self.filePrint(source_ignore_unreported) +current_print = self.filePrint(source_ignored_unreported) cursor.execute( """INSERT OR REPLACE INTO inodeprints (inodeprint, file) -VALUES (?, ?)""", (current_print, source_ignore_unreported)) +VALUES (?, ?)""", (current_print, source_ignored_unreported)) if self.verbose: print(" update ignored packages") # Read list of packages, which should be ignored for the status/unreported -self.readRemovedAndIgnoredPackages(cursor, source_ignore_unreported, table = "ignored_packages") +self.readRemovedAndIgnoredPackages(cursor, source_ignored_unreported, table = "ignored_packages") errors = [] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bac5fccf07af52fc6a3085cd6be7f829283d6ed8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bac5fccf07af52fc6a3085cd6be7f829283d6ed8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
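Review bot: `current_print = self.filePrint(source_ignored_unreported)` and the `readRemovedAndIgnoredPackages(cursor, source_ignored_unreported, ...)` call both use the bare relative name, while the change check in the previous hunk uses `path + filename`; the rename from `source_ignore_unreported` is fine, but both calls need the `path +` prefix (and the inodeprints row needs the same key as the lookup), otherwise the file is read from the wrong place and the unchanged check can never succeed.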
[Git][security-tracker-team/security-tracker][master] LTS: take c-ares and openimageio
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 65bd13ae by Anton Gladky at 2023-05-24T13:58:05+02:00 LTS: take c-ares and openimageio - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -13,7 +13,7 @@ To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. -- -c-ares +c-ares (gladk) NOTE: 20230523: Programming language: C. NOTE: 20230523: VCS: https://salsa.debian.org/lts-team/packages/c-ares.git -- @@ -114,7 +114,7 @@ nvidia-cuda-toolkit NOTE: 20230514: package listed in packages-to-support; a bunch of CVEs have NOTE: 20230514: piled up. (utkarsh) -- -openimageio +openimageio (gladk) NOTE: 20230406: Programming language: C. NOTE: 20230406: VCS: https://salsa.debian.org/lts-team/packages/openimageio.git NOTE: 20230508: WIP View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/65bd13ae703aaf873f760b5edb6b7cf5f72b657a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/65bd13ae703aaf873f760b5edb6b7cf5f72b657a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: add libssh to dla-needed.txt
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 4fd52af7 by Anton Gladky at 2023-05-20T09:29:32+02:00 LTS: add libssh to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -75,6 +75,10 @@ libraw NOTE: 20230520: Programming language: C++. NOTE: 20230520: VCS: https://salsa.debian.org/lts-team/packages/libraw.git -- +libssh + NOTE: 20230520: Programming language: C. + NOTE: 20230520: VCS: https://salsa.debian.org/lts-team/packages/libssh.git +-- linux (Ben Hutchings) NOTE: 20230111: Programming language: C -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4fd52af7b00ac065c63243fc69461ebfd3933a06 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4fd52af7b00ac065c63243fc69461ebfd3933a06 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: add libraw to dla-needed.txt
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 0cf00fb8 by Anton Gladky at 2023-05-20T09:26:02+02:00 LTS: add libraw to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -71,6 +71,10 @@ libfastjson (Thorsten Alteholz) NOTE: 20230507: Programming language: C. NOTE: 20230507: the CVE was fixed in json-c already -- +libraw + NOTE: 20230520: Programming language: C++. + NOTE: 20230520: VCS: https://salsa.debian.org/lts-team/packages/libraw.git +-- linux (Ben Hutchings) NOTE: 20230111: Programming language: C -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0cf00fb891ba75ad19b8047f3e862b753c81a522 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0cf00fb891ba75ad19b8047f3e862b753c81a522 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Revert "LTS: add libpcap to dla-needed.txt"
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 4449ecac by Anton Gladky at 2023-05-17T23:11:08+02:00 Revert LTS: add libpcap to dla-needed.txt This reverts commit 5b2bcfaa20e12d0c90eb3999fba8b6e942e201ab. - - - - - 7f3ee2c5 by Anton Gladky at 2023-05-17T23:11:42+02:00 LTS: add libcap2 to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -62,14 +62,14 @@ hdf5 (tobi) NOTE: 20230506: tried to triage… seems to be that only sensible way forward would be to update to a newer version in the 1.10.x NOTE: 20230506: line. Still then, state of CVEs are unknown if they have been fixed. 1.10.11 is scheduled for September. (tobi) -- +libcap2 + NOTE: 20230517: Programming language: C. + NOTE: 20230517: VCS: https://salsa.debian.org/lts-team/packages/libcap2.git +-- libfastjson (Thorsten Alteholz) NOTE: 20230507: Programming language: C. NOTE: 20230507: the CVE was fixed in json-c already -- -libpcap - NOTE: 20230516: Programming language: C. - NOTE: 20230516: VCS: https://salsa.debian.org/lts-team/packages/libpcap.git --- linux (Ben Hutchings) NOTE: 20230111: Programming language: C -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9df0780563e09ac014a0740faab922481a1c2999...7f3ee2c5ddd26950afec90eb94a93d639ba5209b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9df0780563e09ac014a0740faab922481a1c2999...7f3ee2c5ddd26950afec90eb94a93d639ba5209b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: add libpcap to dla-needed.txt
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 5b2bcfaa by Anton Gladky at 2023-05-16T22:39:34+02:00 LTS: add libpcap to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -63,6 +63,10 @@ libfastjson (Thorsten Alteholz) NOTE: 20230507: Programming language: C. NOTE: 20230507: the CVE was fixed in json-c already -- +libpcap + NOTE: 20230516: Programming language: C. + NOTE: 20230516: VCS: https://salsa.debian.org/lts-team/packages/libpcap.git +-- linux (Ben Hutchings) NOTE: 20230111: Programming language: C -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b2bcfaa20e12d0c90eb3999fba8b6e942e201ab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b2bcfaa20e12d0c90eb3999fba8b6e942e201ab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
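Review bot: the `+libpcap` block carries only the language and a VCS line pointing at `lts-team/packages/libpcap.git`; since the block names no issue that motivated the entry, please record the triggering CVE(s) in a dated NOTE and confirm that the referenced repository actually exists before the entry is relied on by others.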
[Git][security-tracker-team/security-tracker][master] LTS: status update
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 736c6dd3 by Anton Gladky at 2023-05-08T06:37:55+02:00 LTS: status update - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -144,6 +144,7 @@ nvidia-graphics-drivers-legacy-390xx (tobi) openimageio (gladk) NOTE: 20230406: Programming language: C. NOTE: 20230406: VCS: https://salsa.debian.org/lts-team/packages/openimageio.git + NOTE: 20230508: WIP -- openjdk-11 (Emilio) NOTE: 20230419: Programming language: Java. @@ -236,6 +237,7 @@ sqlparse (guilhem) sssd (gladk) NOTE: 20230131: Programming language: C. NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git + NOTE: 20230508: WIP -- webkit2gtk (Emilio) NOTE: 20230503: Programming language: C++. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/736c6dd358bc522f22d220848f635e54cdc4983a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/736c6dd358bc522f22d220848f635e54cdc4983a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
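Review bot: both added lines are a bare `NOTE: 20230508: WIP` (openimageio and sssd) that say nothing about what the work consists of; stating which CVEs are being prepared or what is blocking would keep the status useful, because a bare WIP reads as stale as soon as a couple of weeks pass.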
[Git][security-tracker-team/security-tracker][master] LTS: take openimageio
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: f9c17a67 by Anton Gladky at 2023-04-30T23:21:17+02:00 LTS: take openimageio - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -153,7 +153,7 @@ nvidia-graphics-drivers-legacy-390xx NOTE: 20230103: https://lists.debian.org/debian-lts/2023/01/msg5.html NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/nvidia-graphics-drivers-legacy-390xx.git -- -openimageio +openimageio (gladk) NOTE: 20230406: Programming language: C. NOTE: 20230406: VCS: https://salsa.debian.org/lts-team/packages/openimageio.git -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f9c17a6758cac3e85c5bc325a5780de769411358 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f9c17a6758cac3e85c5bc325a5780de769411358 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
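Review bot: the claim changes only the header (`-openimageio` / `+openimageio (gladk)`) and appends no dated NOTE; the file header asks that history be kept by appending notes, so a `NOTE: 20230430: claimed (gladk)` line would record when the package was taken, which is what the two-week inactivity unclaim needs to be fair.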
[Git][security-tracker-team/security-tracker][master] LTS: update notes on docker
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: aa52fed0 by Anton Gladky at 2023-04-24T06:51:20+02:00 LTS: update notes on docker - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -44,7 +44,7 @@ docker.io (gladk) NOTE: 20230303: Programming language: Go. NOTE: 20230303: Follow fixes from bullseye 11.2 (Beuc/front-desk) NOTE: 20230320: VCS: https://salsa.debian.org/lts-team/packages/docker.io.git - NOTE: 20230410: WIP + NOTE: 20230424: Is in preparation. -- emacs NOTE: 20230223: Programming language: Lisp. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aa52fed0da18d50ad4178c3c127106b70c4f379f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aa52fed0da18d50ad4178c3c127106b70c4f379f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
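Review bot: this hunk replaces an existing line in place (`- NOTE: 20230410: WIP` becomes `+ NOTE: 20230424: Is in preparation.`) rather than appending, which is the opposite of what the file's own header asks for ("please append notes rather than remove/replace existing ones"); keep the 20230410 line and add the 20230424 one below it.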
[Git][security-tracker-team/security-tracker][master] LTS: take sssd
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: ae250c31 by Anton Gladky at 2023-04-24T06:45:30+02:00 LTS: take sssd - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -287,7 +287,7 @@ sniproxy (Thorsten Alteholz) NOTE: 20230423: Programming language: C. NOTE: 20230423: Rather severe issue but very few users. (opal). -- -sssd +sssd (gladk) NOTE: 20230131: Programming language: C. NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ae250c31b4ef95926bf34a25ac5f5df8a8dcef17 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ae250c31b4ef95926bf34a25ac5f5df8a8dcef17 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
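Review bot: the claim `+sssd (gladk)` lands on an entry whose most recent note is `NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git`, nearly three months old; a dated NOTE stating the claim and its intended scope (which CVEs) would both preserve the history the file header asks for and give the inactivity check a date to count from.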
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3399-1 for 389-ds-base
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: b660147b by Anton Gladky at 2023-04-24T06:28:47+02:00 Reserve DLA-3399-1 for 389-ds-base - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -135609,7 +135609,6 @@ CVE-2021-36768 CVE-2021-3652 (A flaw was found in 389-ds-base. If an asterisk is imported as passwor ...) - 389-ds-base 1.4.4.17-1 (bug #991405) [bullseye] - 389-ds-base (Minor issue) - [buster] - 389-ds-base (Minor issue) [stretch] - 389-ds-base (Minor issue) NOTE: https://github.com/389ds/389-ds-base/issues/4817 NOTE: https://github.com/389ds/389-ds-base/commit/aeb90eb0c41fc48541d983f323c627b2e6c328c7 (master) @@ -148060,7 +148059,6 @@ CVE-2021-3515 (A shell injection flaw was found in pglogical in versions before NOTE: https://github.com/2ndQuadrant/pglogical/commit/95c0e8981485e09efab6821cf55a4e27b086efe5 CVE-2021-3514 (When using a sync_repl client in 389-ds-base, an authenticated attacke ...) - 389-ds-base 1.4.4.11-2 (bug #988727) - [buster] - 389-ds-base (Minor issue) [stretch] - 389-ds-base (Minor issue) NOTE: https://github.com/389ds/389-ds-base/issues/4711 CVE-2021-31829 (kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs unde ...) @@ -273758,7 +273756,6 @@ CVE-2019-14825 (A cleartext password storage issue was discovered in Katello, ve CVE-2019-14824 (A flaw was found in the 'deref' plugin of 389-ds-base where it could u ...) {DLA-2004-1} - 389-ds-base 1.4.2.4-1 (bug #944150) - [buster] - 389-ds-base (Minor issue) [stretch] - 389-ds-base (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1747448 NOTE: https://pagure.io/freeipa/issue/8050 
@@ -288164,7 +288161,6 @@ CVE-2019-10225 (A flaw was found in atomic-openshift of openshift-4.2 where the NOT-FOR-US: OpenShift CVE-2019-10224 (A flaw has been found in 389-ds-base versions 1.4.x.x before 1.4.1.3. ...) - 389-ds-base 1.4.1.5-1 - [buster] - 389-ds-base (Minor issue) [stretch] - 389-ds-base (vulnerable code not present) [jessie] - 389-ds-base (vulnerable code not present) - python-lib389 @@ -305557,7 +305553,6 @@ CVE-2019-3884 (A vulnerability exists in the garbage collection mechanism of ato CVE-2019-3883 (In 389-ds-base up to version 1.4.1.2, requests are handled by workers ...) {DLA-1779-1} - 389-ds-base 1.4.1.5-1 (bug #927939) - [buster] - 389-ds-base (Minor issue) [stretch] - 389-ds-base (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1693612 NOTE: https://pagure.io/389-ds-base/issue/50329 = data/DLA/list = @@ -1,3 +1,6 @@ +[24 Apr 2023] DLA-3399-1 389-ds-base - security update + {CVE-2019-3883 CVE-2019-10224 CVE-2019-14824 CVE-2021-3514 CVE-2021-3652 CVE-2021-4091 CVE-2022-0918 CVE-2022-0996 CVE-2022-2850} + [buster] - 389-ds-base 1.4.0.21-1+deb10u1 [21 Apr 2023] DLA-3398-1 curl - security update {CVE-2023-27533 CVE-2023-27535 CVE-2023-27536 CVE-2023-27538} [buster] - curl 7.64.0-4+deb10u6 = data/dla-needed.txt = 
@@ -12,13 +12,6 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. --- -389-ds-base (gladk) - NOTE: 20221231: Programming language: C. - NOTE: 20221231: Few users. Low prio. (opal). - NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/389-ds-base.git - NOTE: 20230327: test new CI - NOTE: 20230410: WIP -- apache2 (rouca) NOTE: 20230312: Programming language: C. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b660147bd0488607a08ede7cbfb06fd807991db3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b660147bd0488607a08ede7cbfb06fd807991db3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
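Review bot: the new `DLA-3399-1` line lists nine CVEs, but the `data/CVE/list` hunks remove a `[buster] - 389-ds-base (Minor issue)` line for only five of them (CVE-2021-3652, CVE-2021-3514, CVE-2019-14824, CVE-2019-10224, CVE-2019-3883); please confirm that CVE-2021-4091, CVE-2022-0918, CVE-2022-0996 and CVE-2022-2850 carried no buster-specific state of their own, otherwise the tracker will keep showing them as postponed for buster despite the DLA.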
[Git][security-tracker-team/security-tracker][master] Add link to github issue of CVE-2019-14824
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: d1d13493 by Anton Gladky at 2023-04-21T06:34:25+02:00 Add link to github issue of CVE-2019-14824 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -273340,6 +273340,7 @@ CVE-2019-14824 (A flaw was found in the 'deref' plugin of 389-ds-base where it c [stretch] - 389-ds-base (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1747448 NOTE: https://pagure.io/freeipa/issue/8050 + NOTE: https://github.com/389ds/389-ds-base/issues/3771 CVE-2019-14823 (A flaw was found in the "Leaf and Chain" OCSP policy implementation in ...) - jss 4.6.2-1 (bug #942463) [buster] - jss (Vulnerable code backported only in 4.5.3 onwards) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d1d1349352aab7381e2169372959e2dcc81299e0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d1d1349352aab7381e2169372959e2dcc81299e0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
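Review bot: the added `NOTE: https://github.com/389ds/389-ds-base/issues/3771` is a bare URL placed after two other bare URLs; entries elsewhere in this file distinguish fixes with `NOTE: Fixed by: <url> (version)`, so say whether this issue carries the fix or is only the upstream report, since that is what the buster backport needs to know.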
[Git][security-tracker-team/security-tracker][master] CVE-2022-1949 mark as ignored for buster
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 4d0d4bd4 by Anton Gladky at 2023-04-19T06:45:22+02:00 CVE-2022-1949 mark as ignored for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -74312,6 +74312,7 @@ CVE-2022-1950 (The Youzify WordPress plugin before 1.2.0 does not sanitise and e NOT-FOR-US: WordPress plugin CVE-2022-1949 (An access control bypass vulnerability found in 389-ds-base. That mish ...) - 389-ds-base 2.3.1-1 (bug #1016446) + [buster] - 389-ds-base (Too intrusive too backport) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2091781 NOTE: https://github.com/389ds/389-ds-base/issues/5170 NOTE: Fixed by: https://github.com/389ds/389-ds-base/commit/a444d3454bd719ac161c30d638983ab0ff66f1b8 (389-ds-base-2.0.16) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4d0d4bd47c6264bed5e67d9f88353328fbb71264 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4d0d4bd47c6264bed5e67d9f88353328fbb71264 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
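Review bot: typo in the added line `[buster] - 389-ds-base (Too intrusive too backport)`: the second `too` should be `to`. A short reason would also help (the fix commit referenced in the same entry is tagged `389-ds-base-2.0.16`, far ahead of what buster ships), so a later reviewer does not have to re-derive why the issue is being left unfixed.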
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: WIP two packages
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: bf957a88 by Anton Gladky at 2023-04-10T16:39:45+02:00 LTS: WIP two packages - - - - - 261cacf9 by Anton Gladky at 2023-04-10T16:40:41+02:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Anton Gladky gl...@debian.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -17,7 +17,8 @@ rather than remove/replace existing ones. NOTE: 20221231: Programming language: C. NOTE: 20221231: Few users. Low prio. (opal). NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/389-ds-base.git - NOTE: 20230227: test new CI + NOTE: 20230327: test new CI + NOTE: 20230410: WIP -- apache2 (rouca) NOTE: 20230312: Programming language: C. @@ -25,7 +26,7 @@ apache2 (rouca) NOTE: 20230312: Special attention: Double check an update! Package is used by many customers and users!. NOTE: 20230326: VCS: https://salsa.debian.org/apache-team/apache2. Yadd is ok for using apache2 salsa tree -- -cairosvg (Chris Lamb) +cairosvg NOTE: 20230323: Programming language: Python. -- ceph @@ -44,7 +45,7 @@ consul (Abhijith PA) NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/consul.git NOTE: 20230423: WIP, Fixed CVE-2018-19653 (abhijith) -- -curl (holger) +curl NOTE: 20230321: Programming language: C. NOTE: 20230321: VCS: https://salsa.debian.org/lts-team/packages/curl.git NOTE: 20230321: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/curl.html @@ -54,8 +55,9 @@ docker.io (gladk) NOTE: 20230303: Programming language: Go. NOTE: 20230303: Follow fixes from bullseye 11.2 (Beuc/front-desk) NOTE: 20230320: VCS: https://salsa.debian.org/lts-team/packages/docker.io.git + NOTE: 20230410: WIP -- -emacs (Adrian Bunk) +emacs NOTE: 20230223: Programming language: Lisp. NOTE: 20230223: VCS: https://salsa.debian.org/lts-team/packages/emacs.git NOTE: 20230228: Waiting for confirmation that CVE-2022-48337 regression 
@@ -219,7 +221,7 @@ python-oslo.privsep NOTE: 20221231: Programming language: Python. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/python-oslo.privsep.git -- -python3.7 (Adrian Bunk) +python3.7 NOTE: 20230220: Programming language: Python. NOTE: 20230220: VCS: https://salsa.debian.org/lts-team/packages/python3.7.git NOTE: 20230220: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/python.html @@ -281,7 +283,7 @@ salt NOTE: 20221209: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/salt.html NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/salt.git -- -samba (Lee Garrett) +samba NOTE: 20220904: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/samba.git NOTE: 20220904: Special attention: High popcon! Used in many servers. @@ -296,7 +298,7 @@ tinymce NOTE: 20221227: Programming language: PHP. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/tinymce.git -- -wordpress (guilhem) +wordpress NOTE: 20230302: Programming language: PHP. NOTE: 20230302: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/wordpress.html NOTE: 20230302: buster is 6 CVEs behind bullseye (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cd9c051a662d88b75596fa739e93e04d580ac831...261cacf9eec8bce9783622b3a4a46fea5ea4fa5c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cd9c051a662d88b75596fa739e93e04d580ac831...261cacf9eec8bce9783622b3a4a46fea5ea4fa5c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
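Review bot: in the consul hunk the claim `-consul (Abhijith PA)` is removed for inactivity although the entry's latest context line reads `NOTE: 20230423: WIP, Fixed CVE-2018-19653 (abhijith)`, a date later than this 2023-04-10 commit; either that NOTE has a date typo or the inactivity script is not reading the notes, and in both cases the unclaim should be checked with the claimer. Separately, the first hunk replaces `NOTE: 20230227: test new CI` with `NOTE: 20230327: test new CI` in place; as a date correction that is fine, but the commit message should say so, given the file header's request not to replace existing notes.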
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 3b248745 by Anton Gladky at 2023-04-03T07:31:51+02:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Anton Gladky gl...@debian.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -38,7 +38,7 @@ ceph NOTE: 20230102: [buster] - ceph (ceph-crash service added in Ceph 14) (stefanor) NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/ceph.git -- -consul (Abhijith PA) +consul NOTE: 20221031: Programming language: Go. NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/consul.git @@ -170,7 +170,7 @@ nvidia-graphics-drivers-legacy-390xx NOTE: 20230103: https://lists.debian.org/debian-lts/2023/01/msg5.html NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/nvidia-graphics-drivers-legacy-390xx.git -- -openimageio (Markus Koschany) +openimageio NOTE: 20221225: Programming language: C. NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/openimageio.git NOTE: 20220313: will be released today (apo) 
@@ -240,7 +240,7 @@ ring NOTE: 20221120: Programming language: C. NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/ring.git -- -ruby-loofah (Daniel Leidert) +ruby-loofah NOTE: 20221231: Programming language: Ruby. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/ruby-loofah.git NOTE: 20230313: Pinged Daniel re. patches in repo ^. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b248745145a36b5dcfee154245d4ee0436cb713 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b248745145a36b5dcfee154245d4ee0436cb713 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
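Review bot: the openimageio hunk's context carries `NOTE: 20220313: will be released today (apo)` below notes dated 20221225, so the year is almost certainly a typo for 20230313; worth fixing while the entry is being unclaimed, because the inactivity check keys on these dates and a 2022 date makes the claim look a year stale rather than three weeks.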
[Git][security-tracker-team/security-tracker][master] 2 commits: Mark CVE-2019-6245 and CVE-2019-6247 as fixed in 1.3.0+dfsg1-5
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: de9e9f62 by Anton Gladky at 2023-03-31T21:36:03+02:00 Mark CVE-2019-6245 and CVE-2019-6247 as fixed in 1.3.0+dfsg1-5 - - - - - 6feb617f by Anton Gladky at 2023-03-31T21:37:10+02:00 Reserve DLA-3376-1 for svgpp - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -104104,7 +104104,6 @@ CVE-2021-44961 (A memory leakage flaw exists in the class PerimeterGenerator of CVE-2021-44960 (In SVGPP SVG++ library 1.3.0, the XMLDocument::getRoot function in the ...) - svgpp 1.3.0+dfsg1-5 (bug #1014599) [bullseye] - svgpp (Minor issue) - [buster] - svgpp (Minor issue) NOTE: https://github.com/svgpp/svgpp/issues/101 NOTE: https://github.com/svgpp/svgpp/commit/0bc57f2cc6d9d86a0fa1ce73e508c2b5994b4b91 CVE-2021-44959 @@ -293893,7 +293892,7 @@ CVE-2019-6250 (A pointer overflow, with code execution, was discovered in ZeroMQ CVE-2019-6248 (PHP Scripts Mall Citysearch / Hotfrog / Gelbeseiten Clone Script 2.0.1 ...) NOT-FOR-US: PHP Scripts Mall Citysearch / Hotfrog / Gelbeseiten Clone Script CVE-2019-6247 (An issue was discovered in Anti-Grain Geometry (AGG) 2.4 as used in SV ...) - - svgpp (unimportant; bug #919321) + - svgpp 1.3.0+dfsg1-5 (unimportant; bug #919321) NOTE: https://github.com/svgpp/svgpp/issues/70 NOTE: Issue only in src:svgpp which does not call the AGG-API in correct way. NOTE: No security impact, only used to build examples, see #921097 
@@ -293903,7 +293902,7 @@ CVE-2019-6246 (An issue was discovered in SVG++ (aka svgpp) 1.2.3. After calling CVE-2019-6245 (An issue was discovered in Anti-Grain Geometry (AGG) 2.4 as used in SV ...) {DLA-2872-1 DLA-1656-1} - agg 1:2.4-r127+dfsg1-1 (low; bug #919322) - - svgpp (unimportant; bug #919321) + - svgpp 1.3.0+dfsg1-5 (unimportant; bug #919321) NOTE: https://github.com/svgpp/svgpp/issues/70 NOTE: Fixed in src:agg with: https://sourceforge.net/p/agg/svn/119/ NOTE: and possibly already fixed with the inclusion of 05-fix-recursion-crash.patch = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Mar 2023] DLA-3376-1 svgpp - security update + {CVE-2019-6245 CVE-2019-6247 CVE-2021-44960} + [buster] - svgpp 1.2.3+dfsg1-6+deb10u1 [31 Mar 2023] DLA-3375-1 xrdp - security update {CVE-2022-23480 CVE-2022-23481 CVE-2022-23482} [buster] - xrdp 0.9.9-1+deb10u3 = data/dla-needed.txt = @@ -291,10 +291,6 @@ sssd NOTE: 20230131: Programming language: C. NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git -- -svgpp (gladk) - NOTE: 20230322: Programming language: C++. - NOTE: 20230322: VCS: https://salsa.debian.org/debian/svgpp.git --- systemd (Adrian Bunk) NOTE: 20230304: Programming language: C. NOTE: 20230304: VCS: https://salsa.debian.org/lts-team/packages/systemd.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6e99681b66d193025dcb6c7bec6eefe7e84118c3...6feb617f5b61d124076a91a5fa1d2de356fcaf62 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6e99681b66d193025dcb6c7bec6eefe7e84118c3...6feb617f5b61d124076a91a5fa1d2de356fcaf62 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
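Review bot: the new `DLA-3376-1` line lists CVE-2019-6245 and CVE-2019-6247, yet the same patch keeps both as `svgpp 1.3.0+dfsg1-5 (unimportant; bug #919321)` with the note `No security impact, only used to build examples, see #921097`; if they go into the advisory, either the `unimportant` severity and that note need revisiting or the advisory text should make clear they are listed only because the same upload happens to fix them. Setting the fixed version on an `unimportant` entry is fine on its own.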
[Git][security-tracker-team/security-tracker][master] 3 commits: LTS: add hotspot to dla-needed.txt
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: b483632b by Anton Gladky at 2023-03-27T06:01:55+02:00 LTS: add hotspot to dla-needed.txt - - - - - 189be72a by Anton Gladky at 2023-03-27T06:01:55+02:00 LTS: add json-smart to dla-needed.txt - - - - - 20d75842 by Anton Gladky at 2023-03-27T06:40:01+02:00 LTS: update notes for 389-ds-base - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -17,6 +17,7 @@ rather than remove/replace existing ones. NOTE: 20221231: Programming language: C. NOTE: 20221231: Few users. Low prio. (opal). NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/389-ds-base.git + NOTE: 20230227: test new CI -- apache2 NOTE: 20230312: Programming language: C. @@ -120,6 +121,9 @@ hdf5 NOTE: 20230318: Enrico did some work around hdf5* packaging in the past, probably NOTE: 20230318: sync w/ him. (utkarsh) -- +hotspot + NOTE: 20230324: Programming language: C++. +-- intel-microcode (tobi) NOTE: 20230219: Programming language: Binary blob. NOTE: 20230219: VCS: https://salsa.debian.org/lts-team/packages/intel-microcode.git 
@@ -127,6 +131,9 @@ intel-microcode (tobi) NOTE: 20230312: uploaded to DELAYED/5 for unstable. NOTE: 20230317: now in unstable. prepared SPU for bullseye (#1033079), prepared update for buster, stretch and jessie, available in LTS repo. (tobi) -- +json-smart + NOTE: 20230324: Programming language: Java. +-- libmicrohttpd (Thorsten Alteholz) NOTE: 20230313: Programming language: C. NOTE: 20230326: testing package View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fc28cbbea8b9ba52d5b8952a979ce95979363c38...20d7584284af7e241629d731c16f387e043141c0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fc28cbbea8b9ba52d5b8952a979ce95979363c38...20d7584284af7e241629d731c16f387e043141c0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
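Review bot: the 389-ds-base hunk adds `NOTE: 20230227: test new CI` in a commit dated 2023-03-27; the month looks like a typo for 20230327, and since these NOTE dates drive the inactivity unclaim a wrong date can make the entry look a month stale. The new `hotspot` and `json-smart` blocks also record only the programming language, without the VCS line the neighbouring entries carry.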
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add cairosvg to dla-needed.txt
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: d9a4b6ef by Anton Gladky at 2023-03-23T06:35:18+01:00 LTS: add cairosvg to dla-needed.txt - - - - - 4eb3147e by Anton Gladky at 2023-03-23T06:39:48+01:00 Mark CVE-2023-1289 as postponed for buster - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -2536,6 +2536,7 @@ CVE-2023-1289 RESERVED - imagemagick (bug #1033254) [bullseye] - imagemagick (Minor issue) + [buster] - imagemagick (Should be fixed together with some other CVEs) NOTE: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-j96m-mjp6-99xr NOTE: https://github.com/ImageMagick/ImageMagick/commit/c5b23cbf2119540725e6dc81f4deb25798ead6a4 CVE-2023-1288 (An XML External Entity injection (XXE) vulnerability in ENOVIA Live Co ...) = data/dla-needed.txt = @@ -23,6 +23,9 @@ apache2 NOTE: 20230312: VCS: https://salsa.debian.org/lts-team/packages/apache2.git NOTE: 20230312: Special attention: Double check an update! Package is used by many customers and users!. -- +cairosvg + NOTE: 20230323: Programming language: Python. +-- ceph NOTE: 20221031: Programming language: C++. NOTE: 20221031: To be checked further. Not clear whether the vulnerability can be exploited in a Debian system. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ed43841f38719e4bc2339a4b3daf89f5bf9b47a7...4eb3147efe322b3bd57a98dc2736db546cda8fe7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ed43841f38719e4bc2339a4b3daf89f5bf9b47a7...4eb3147efe322b3bd57a98dc2736db546cda8fe7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
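Review bot: the added `[buster] - imagemagick (Should be fixed together with some other CVEs)` does not say which CVEs, so whoever picks up the buster update cannot tell from the tracker what "together" refers to; name them in the parenthesis or point at the dla-needed.txt entry that lists them. The `+cairosvg` block likewise carries only `Programming language: Python.` and no VCS or triage note.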
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add svgpp to dla-needed.txt
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 17bb2f30 by Anton Gladky at 2023-03-22T07:11:00+01:00 LTS: add svgpp to dla-needed.txt - - - - - fe799dff by Anton Gladky at 2023-03-22T07:11:49+01:00 LTS: assign svgpp to myself (maintainer) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -305,6 +305,10 @@ sssd NOTE: 20230131: Programming language: C. NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git -- +svgpp (gladk) + NOTE: 20230322: Programming language: C++. + NOTE: 20230322: VCS: https://salsa.debian.org/debian/svgpp.git +-- systemd (Adrian Bunk) NOTE: 20230304: Programming language: C. NOTE: 20230304: VCS: https://salsa.debian.org/lts-team/packages/systemd.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c470665c346af3b9508c7e109bde5873652a1aa0...fe799dff9e776c98e6e051f21bee347c8b318ae6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c470665c346af3b9508c7e109bde5873652a1aa0...fe799dff9e776c98e6e051f21bee347c8b318ae6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
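Review bot: the second commit says the package is assigned to the maintainer, but the header added is plain `+svgpp (gladk)`; this file marks that case in the header itself (`duktape (Thorsten Alteholz, maintainer)`), and the VCS note pointing at `salsa.debian.org/debian/svgpp.git` rather than an `lts-team/packages/` repository is only self-explanatory with that marker present, so `svgpp (gladk, maintainer)` would be clearer.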
[Git][security-tracker-team/security-tracker][master] 2 commits: Mark 3 gpac CVEs as EOL for buster
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: e1df97c1 by Anton Gladky at 2023-03-21T06:35:41+01:00 Mark 3 gpac CVEs as EOL for buster - - - - - e8a8f822 by Anton Gladky at 2023-03-21T06:36:40+01:00 LTS: add curl to dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -502,6 +502,7 @@ CVE-2023-1453 (A vulnerability was found in Watchdog Anti-Virus 1.4.214.0. It ha NOT-FOR-US: Watchdog Anti-Virus CVE-2023-1452 (A vulnerability was found in GPAC 2.3-DEV-rev35-gbbca86917-master. It ...) - gpac + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2386 NOTE: https://github.com/gpac/gpac/commit/a5efec8187de02d1f0a412140b0bf030a6747d3f CVE-2023-1451 (A vulnerability was found in MP4v2 2.1.2. It has been classified as pr ...) @@ -510,10 +511,12 @@ CVE-2023-1450 (A vulnerability was found in MP4v2 2.1.2 and classified as proble NOT-FOR-US: MP4v2 CVE-2023-1449 (A vulnerability has been found in GPAC 2.3-DEV-rev35-gbbca86917-master ...) - gpac + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2387 NOTE: https://github.com/gpac/gpac/commit/8ebbfd61c73d61a2913721a492e5a81fb8d9f9a9 CVE-2023-1448 (A vulnerability, which was classified as problematic, was found in GPA ...) - gpac + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2388 NOTE: https://github.com/gpac/gpac/commit/8db20cb634a546c536c31caac94e1f74b778b463 CVE-2023-1447 (A vulnerability, which was classified as problematic, has been found i ...) = data/dla-needed.txt = 
@@ -38,6 +38,12 @@ consul (Abhijith PA) NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/consul.git -- +curl + NOTE: 20230321: Programming language: C. + NOTE: 20230321: VCS: https://salsa.debian.org/lts-team/packages/curl.git + NOTE: 20230321: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/curl.html + NOTE: 20230321: Special attention: High popcon! Roberto has some experience with the package.. +-- docker.io (gladk) NOTE: 20230303: Programming language: Go. NOTE: 20230303: Follow fixes from bullseye 11.2 (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f5a4f2c3e631fe6577ae35f57f400d907c83f9ee...e8a8f822978be6c1491f202a03e7122b827bb87e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f5a4f2c3e631fe6577ae35f57f400d907c83f9ee...e8a8f822978be6c1491f202a03e7122b827bb87e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
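Review bot: the new curl block ends `Special attention: High popcon! Roberto has some experience with the package..` with a doubled full stop. The three gpac hunks each add `[buster] - gpac (EOL in buster LTS)` without a NOTE pointing at where that EOL decision was announced, which the next person triaging a gpac CVE will want to see.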
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: Add VCS for docker
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 9f81daa3 by Anton Gladky at 2023-03-21T06:21:29+01:00 LTS: Add VCS for docker - - - - - 004bec61 by Anton Gladky at 2023-03-21T06:21:29+01:00 LTS: swap FDs - - - - - 2 changed files: - data/dla-needed.txt - org/lts-frontdesk.2023.txt Changes: = data/dla-needed.txt = @@ -41,6 +41,7 @@ consul (Abhijith PA) docker.io (gladk) NOTE: 20230303: Programming language: Go. NOTE: 20230303: Follow fixes from bullseye 11.2 (Beuc/front-desk) + NOTE: 20230320: VCS: https://salsa.debian.org/lts-team/packages/docker.io.git -- duktape (Thorsten Alteholz, maintainer) NOTE: 20230311: Programming language: C. = org/lts-frontdesk.2023.txt = @@ -11,10 +11,10 @@ From 06-03 to 12-03:Thorsten Alteholz From 13-03 to 19-03:Utkarsh Gupta From 20-03 to 26-03:Anton Gladky From 27-03 to 02-04:Chris Lamb -From 03-04 to 09-04:Emilio Pozuelo Monfort +From 03-04 to 09-04:Sylvain Beucler From 10-04 to 16-04:Markus Koschany From 17-04 to 23-04:Ola Lundqvist -From 24-04 to 30-04:Sylvain Beucler +From 24-04 to 30-04:Emilio Pozuelo Monfort From 01-05 to 07-05:Thorsten Alteholz From 08-05 to 14-05:Utkarsh Gupta From 15-05 to 21-05:Anton Gladky 
@@ -49,4 +49,4 @@ From 27-11 to 03-12: From 04-12 to 10-12: From 11-12 to 17-12: From 18-12 to 24-12: -From 25-12 to 31-12: \ No newline at end of file +From 25-12 to 31-12: View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fcd20a665c3042f779bc3e215fb16ace6dff1c29...004bec61aedcc2f263a0ce3dac8cfc7599e6cd93 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fcd20a665c3042f779bc3e215fb16ace6dff1c29...004bec61aedcc2f263a0ce3dac8cfc7599e6cd93 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: ea5ad6b5 by Anton Gladky at 2023-03-20T06:28:06+01:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Anton Gladky gl...@debian.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -46,7 +46,7 @@ duktape (Thorsten Alteholz, maintainer) NOTE: 20230311: Programming language: C. NOTE: 20230311: Maintainer notes: Maintainer prepares o-o-s updates. -- -emacs (Adrian Bunk) +emacs NOTE: 20230223: Programming language: Lisp. NOTE: 20230223: VCS: https://salsa.debian.org/lts-team/packages/emacs.git NOTE: 20230228: Waiting for confirmation that CVE-2022-48337 regression @@ -58,7 +58,7 @@ erlang NOTE: 20230111: VCS: https://salsa.debian.org/erlang-team/packages/erlang NOTE: 20230111: Maintainer notes: Coordinate with maintainer, whether their VCS can be used. -- -firmware-nonfree (tobi) +firmware-nonfree NOTE: 20220906: Consider to check the severity of the issues again and judge whether a correction is worth it. NOTE: 20221204: Coming soon in the first week of December. (apo) NOTE: 20221211: Programming language: Binary blob @@ -133,7 +133,7 @@ man2html NOTE: 20230226: I would prefer to fix it instead of ignoring. (gladk) NOTE: 20230226: It looks like upstream is dead. Patch needs to be written. (gladk) -- -mariadb-10.3 (Emilio) +mariadb-10.3 NOTE: 20230225: Programming language: C. NOTE: 20230225: VCS: https://salsa.debian.org/mariadb-team/mariadb-10.3/-/commits/buster NOTE: 20230225: Testsuite: https://lists.debian.org/debian-lts/2019/07/msg00049.html @@ -145,7 +145,7 @@ netatalk NOTE: 20221212: VCS: https://salsa.debian.org/lts-team/packages/netatalk NOTE: 20221212: Work is ongoing. CVE-2022-0194 is probably too intrusive. (gladk) -- -nheko (Dominik George) +nheko NOTE: 20230101: Programming language: C++. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/nheko.git -- 
@@ -217,7 +217,7 @@ python-oslo.privsep NOTE: 20221231: Programming language: Python. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/python-oslo.privsep.git -- -python3.7 (Adrian Bunk) +python3.7 NOTE: 20230220: Programming language: Python. NOTE: 20230220: VCS: https://salsa.debian.org/lts-team/packages/python3.7.git NOTE: 20230220: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/python.html @@ -270,7 +270,7 @@ ruby-rails-html-sanitizer NOTE: 20221231: VCS: https://salsa.debian.org/lts-team/packages/ruby-rails-html-sanitizer.git NOTE: 20230303: this cannot be fixed unless ruby-loofah is fixed with appropriate methods. (utkarsh) -- -runc (Sylvain Beucler) +runc NOTE: 20220905: Programming language: Go. NOTE: 20220905: Special attention: Sync with Bullseye. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/runc.git @@ -297,11 +297,11 @@ sox (Helmut Grohne) NOTE: 20230313: Programming language: C. NOTE: 20230313: VCS: https://salsa.debian.org/lts-team/packages/sox.git -- -sssd (Dominik George) +sssd NOTE: 20230131: Programming language: C. NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git -- -systemd (Adrian Bunk) +systemd NOTE: 20230304: Programming language: C. NOTE: 20230304: VCS: https://salsa.debian.org/lts-team/packages/systemd.git NOTE: 20230304: Special attention: High popcon! Used almost by all systems!. 
@@ -321,12 +321,12 @@ trafficserver NOTE: 20230209: could find informatin for CVE-2022-31779, might be the same fix as CVE-2022-31778 (marked as to be ignored), but no proof on that… NOTE: 20230209: not sure, maybe the safest way would be to update to 8.1.6. -- -wordpress (guilhem) +wordpress NOTE: 20230302: Programming language: PHP. NOTE: 20230302: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/wordpress.html NOTE: 20230302: buster is 6 CVEs behind bullseye (Beuc/front-desk) -- -xrdp (Dominik George) +xrdp NOTE: 20221225: Programming language: C. NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/xrdp.git NOTE: 20230117: Fixed 6 out 10 CVEs. Testing (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ea5ad6b559a41d46891e4000a20edf8a9597c43f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ea5ad6b559a41d46891e4000a20edf8a9597c43f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
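Review bot: two of these unclaims drop a claimant from an entry whose notes record work in flight: emacs (Adrian Bunk), whose latest NOTE reads "Waiting for confirmation that CVE-2022-48337 regression ...", and xrdp (Dominik George), where the 20230117 NOTE says "Fixed 6 out 10 CVEs. Testing (abhijith)". The script only rewrites the header line, so the history survives, but the file's own header asks to append notes rather than remove or replace them; each unclaim should also append a dated NOTE (e.g. "NOTE: 20230320: Unclaimed after 2 weeks of inactivity (gladk).") and the previous claimant should be pinged so partially finished work such as the xrdp fixes is not redone from scratch.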
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add sox to dla-needed.txt
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 021f3208 by Anton Gladky at 2023-03-13T06:16:29+01:00 LTS: add sox to dla-needed.txt - - - - - 5b85a46f by Anton Gladky at 2023-03-13T06:18:31+01:00 LTS: assign sox to Helmut. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -298,6 +298,10 @@ samba NOTE: 20220904: Special attention: High popcon! Used in many servers. NOTE: 20220904: Many postponed or open CVE in general. (apo) -- +sox (Helmut Grohne) + NOTE: 20230313: Programming language: C. + NOTE: 20230313: VCS: https://salsa.debian.org/lts-team/packages/sox.git +-- sssd (Dominik George) NOTE: 20230131: Programming language: C. NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2688047f171735c53f928803b7de4d837d65a79c...5b85a46f9368e1eb5237414c321e5f6960a18b32 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2688047f171735c53f928803b7de4d837d65a79c...5b85a46f9368e1eb5237414c321e5f6960a18b32 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 2688047f by Anton Gladky at 2023-03-13T06:06:55+01:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Anton Gladky gl...@debian.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -117,7 +117,7 @@ libreoffice linux (Ben Hutchings) NOTE: 20230111: Programming language: C -- -man2html (gladk) +man2html NOTE: 20221004: Programming language: C. NOTE: 20221004: It looks like not patch is available. NOTE: 20221004: Please evalulate, whether the issue can be marked as . @@ -178,7 +178,7 @@ nvidia-graphics-drivers-legacy-390xx NOTE: 20230103: https://lists.debian.org/debian-lts/2023/01/msg5.html NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/nvidia-graphics-drivers-legacy-390xx.git -- -openimageio (Markus Koschany) +openimageio NOTE: 20221225: Programming language: C. NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/openimageio.git -- @@ -262,7 +262,7 @@ ring NOTE: 20221120: Programming language: C. NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/ring.git -- -ruby-loofah (Daniel Leidert) +ruby-loofah NOTE: 20221231: Programming language: Ruby. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/ruby-loofah.git -- 
@@ -292,7 +292,7 @@ salt NOTE: 20221209: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/salt.html NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/salt.git -- -samba (Lee Garrett) +samba NOTE: 20220904: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/samba.git NOTE: 20220904: Special attention: High popcon! Used in many servers. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2688047f171735c53f928803b7de4d837d65a79c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2688047f171735c53f928803b7de4d837d65a79c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
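The two "semi-automatic unclaim after 2 weeks of inactivity" commits above only show the result: the "(claimant)" suffix disappears from the package header line and the NOTE lines are left alone. The following is an added example, not the security tracker's own unclaim script, of how that rule can be applied to the dla-needed.txt layout visible in the hunks (entries separated by a bare "--" line, a header of the form "package" or "package (claimant)", indented "NOTE: YYYYMMDD: text" lines). It assumes, without confirmation from the page, that inactivity is measured from the newest dated NOTE of an entry and that the cut-off is 14 days; the real tooling may well consult git history instead. The sample file content is constructed for the example.

```python
"""Added example (not the security-tracker's own tooling): unclaim
dla-needed.txt entries whose newest dated NOTE is older than a cut-off.

Assumptions not confirmed by the page: inactivity is measured from the
newest YYYYMMDD NOTE stamp of an entry (the real script may use git
history) and the cut-off is 14 days."""
import re
from datetime import date, timedelta

# Layout as it appears in the diffs: blocks separated by a bare "--" line,
# each starting with "package" or "package (claimant)", followed by indented
# "NOTE: YYYYMMDD: text" lines.  Stamps that are not 8 digits (the file also
# contains "NOTE: 2022: ...") carry no usable date and are ignored.
PKG_RE = re.compile(r"^(?P<pkg>[a-z0-9][a-z0-9+.\-]*)(?: \((?P<claimant>[^)]+)\))?$")
NOTE_RE = re.compile(r"^\s+NOTE: (?P<stamp>\d{8}): ")


def parse_stamp(stamp):
    """YYYYMMDD -> date, or None when the digits are not a valid date."""
    try:
        return date(int(stamp[:4]), int(stamp[4:6]), int(stamp[6:]))
    except ValueError:
        return None


def split_entries(lines):
    """Yield (start, end) line-index ranges, one per '--'-delimited block."""
    start = 0
    for i, line in enumerate(lines):
        if line.strip() == "--":
            yield start, i
            start = i + 1
    if start < len(lines):
        yield start, len(lines)


def unclaim_stale(text, today, max_age_days=14):
    """Drop the "(claimant)" suffix from entries whose newest dated NOTE is
    older than max_age_days.  Returns (new_text, [(pkg, claimant), ...]).

    Entries with a claimant but no parseable NOTE date are left claimed: the
    rule needs positive evidence of inactivity.  NOTE lines are never touched,
    so the per-entry history the file header asks for stays intact."""
    lines = text.splitlines()
    cutoff = today - timedelta(days=max_age_days)
    unclaimed = []
    for start, end in split_entries(lines):
        header = None
        newest = None
        for i in range(start, end):
            if header is None:
                m = PKG_RE.match(lines[i])
                if m:
                    header = (i, m)
                    continue
            n = NOTE_RE.match(lines[i])
            if n:
                d = parse_stamp(n.group("stamp"))
                if d is not None and (newest is None or d > newest):
                    newest = d
        if header is None:
            continue  # preamble block without a package line
        i, m = header
        claimant = m.group("claimant")
        if claimant and newest is not None and newest < cutoff:
            lines[i] = m.group("pkg")
            unclaimed.append((m.group("pkg"), claimant))
    return "\n".join(lines) + "\n", unclaimed


# Constructed sample in the dla-needed.txt layout; the dates follow the
# entries in the diffs above, the note texts are made up for the example.
SAMPLE = """\
To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.
--
duktape (Thorsten Alteholz, maintainer)
  NOTE: 20230311: Programming language: C.
--
emacs (Adrian Bunk)
  NOTE: 20230223: Programming language: Lisp.
  NOTE: 20230228: Regression report still open.
--
node-url-parse (guilhem)
  NOTE: 2022: Programming language: JavaScript.
--
sox (Helmut Grohne)
  NOTE: 20230313: Programming language: C.
--
"""


def run_sample(today_iso="2023-03-20"):
    """Apply the rule to SAMPLE as of the given day (ISO date string)."""
    return unclaim_stale(SAMPLE, date.fromisoformat(today_iso))


if __name__ == "__main__":
    new_text, dropped = run_sample()
    for pkg, who in dropped:
        print(f"unclaimed {pkg} (was {who})")
    print(new_text)
```

Run as of 2023-03-20 only emacs is unclaimed (its newest note is 20 days old); duktape and sox have notes inside the window, and node-url-parse keeps its claimant because "NOTE: 2022:" gives no date to measure from. The conservative choice for undated entries is deliberate: a script that unclaims on missing evidence would silently drop claims from entries whose notes were simply written without a full stamp.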
[Git][security-tracker-team/security-tracker][master] LTS: take go
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 7707875b by Anton Gladky at 2023-03-13T06:06:37+01:00 LTS: take go - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -38,7 +38,7 @@ consul NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/consul.git -- -docker.io +docker.io (gladk) NOTE: 20230303: Programming language: Go. NOTE: 20230303: Follow fixes from bullseye 11.2 (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7707875beff34242158dbd57d637577abebf6ed7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7707875beff34242158dbd57d637577abebf6ed7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
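Review bot: the commit message says "LTS: take go", but the only change claims docker.io (a Go-language package, per its NOTE); with golang-1.11 and golang-yaml.v2 also present in dla-needed.txt the subject is misleading in the history and should name docker.io.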
[Git][security-tracker-team/security-tracker][master] LTS: take 389-ds-base
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 392ff630 by Anton Gladky at 2023-03-12T21:52:23+01:00 LTS: take 389-ds-base - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -13,7 +13,7 @@ To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. -- -389-ds-base +389-ds-base (gladk) NOTE: 20221231: Programming language: C. NOTE: 20221231: Few users. Low prio. (opal). NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/389-ds-base.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/392ff63012d3b582d96f91198a57d66731325a92 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/392ff63012d3b582d96f91198a57d66731325a92 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3353-1 for xfig
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: a06b1e53 by Anton Gladky at 2023-03-05T11:08:21+01:00 Reserve DLA-3353-1 for xfig - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[05 Mar 2023] DLA-3353-1 xfig - security update + {CVE-2021-40241} + [buster] - xfig 1:3.2.7a-3+deb10u1 [04 Mar 2023] DLA-3352-1 libde265 - security update {CVE-2023-24751 CVE-2023-24752 CVE-2023-24754 CVE-2023-24755 CVE-2023-24756 CVE-2023-24757 CVE-2023-24758 CVE-2023-25221} [buster] - libde265 1.0.11-0+deb10u4 = data/dla-needed.txt = @@ -333,13 +333,6 @@ wordpress (guilhem) NOTE: 20230302: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/wordpress.html NOTE: 20230302: buster is 6 CVEs behind bullseye (Beuc/front-desk) -- -xfig (gladk) - NOTE: 20230105: Programming language: C. - NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk) - NOTE: 20230206: VCS: https://salsa.debian.org/debian/xfig - NOTE: 20230213: ddCommunication with the maintainer. - NOTE: 20230226: CVE-2021-4024 is prepared by maintainer. --- xrdp (Dominik George) NOTE: 20221225: Programming language: C. NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/xrdp.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a06b1e53448ac233c51c63409f7d8551d42b3245 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a06b1e53448ac233c51c63409f7d8551d42b3245 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
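Review bot: the dla-needed.txt entry being removed carries "CVE-2021-4024 is prepared by maintainer" while the DLA reserved in the same commit lists CVE-2021-40241; the seven-digit id in the note looks truncated (the "ddCommunication" typo goes with it), so nothing to change here, but the DLA text and the CVE/list entry for CVE-2021-40241 should be cross-checked against the maintainer-prepared update before it is announced.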
[Git][security-tracker-team/security-tracker][master] Mark CVE-2009-4228 as not-affected
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 4ad5997f by Anton Gladky at 2023-03-05T10:43:14+01:00 Mark CVE-2009-4228 as not-affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -558863,7 +558863,7 @@ CVE-2009-4226 (Race condition in the IP module in the kernel in Sun OpenSolaris CVE-2009-4225 (Stack-based buffer overflow in the PestPatrol ActiveX control (ppctl.d ...) NOT-FOR-US: PestPatrol CVE-2009-4228 (Stack consumption vulnerability in u_bound.c in Xfig 3.2.5b and earlie ...) - - xfig (unimportant) + - xfig (all available versions in archive are newer, than 3.2.5b) CVE-2009-4227 (Stack-based buffer overflow in the read_1_3_textobject function in f_r ...) - xfig 1:3.2.5.b-1 (low; bug #559274) [lenny] - xfig (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ad5997f64d9ab9dde81235c1bdcf8a26e16c4a7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ad5997f64d9ab9dde81235c1bdcf8a26e16c4a7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
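Review bot: as rendered, the new line "- xfig (all available versions in archive are newer, than 3.2.5b)" carries only a parenthesised reason and no status keyword, so it would not mark the package not-affected; in data/CVE/list that is written as "- xfig <not-affected> (reason)". Angle-bracketed tags are commonly lost in HTML extraction (the removed "- xfig (unimportant)" looks equally stripped), so verify against the actual commit rather than this rendering. The reason text also has a stray comma ("newer, than 3.2.5b").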
[Git][security-tracker-team/security-tracker][master] Update note on man2html
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: c8e9681c by Anton Gladky at 2023-02-26T22:22:34+01:00 Update note on man2html - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -129,6 +129,8 @@ man2html (gladk) NOTE: 20221004: It looks like not patch is available. NOTE: 20221004: Please evalulate, whether the issue can be marked as . NOTE: 20230213: VCS: https://salsa.debian.org/debian/man2html.git + NOTE: 20230226: I would prefer to fix it instead of ignoring. (gladk) + NOTE: 20230226: It looks like upstream is dead. Patch needs to be written. (gladk) -- mariadb-10.3 NOTE: 20230225: Programming language: C. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8e9681c8f1a007062e562b78fba2b998a3b98aa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8e9681c8f1a007062e562b78fba2b998a3b98aa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: add missing meta-info
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 075e163f by Anton Gladky at 2023-02-26T21:44:49+01:00 LTS: add missing meta-info - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -189,6 +189,7 @@ php-cas php7.3 (guilhem) NOTE: 20230225: Programming language: C. NOTE: 20230225: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/php.html + NOTE: 20230226: VCS: https://salsa.debian.org/lts-team/packages/php.git -- pluxml NOTE: 20220913: Programming language: PHP. @@ -305,6 +306,7 @@ sssd syslog-ng NOTE: 20230226: Programming language: C. NOTE: 20230226: No patch available and therefore we cannot fully determine whether the problem is applicable to the version in buster. (opal). + NOTE: 20230226: VCS: https://salsa.debian.org/lts-team/packages/syslog-ng.git -- tinymce NOTE: 20221227: Programming language: PHP. @@ -323,8 +325,9 @@ trafficserver xfig (gladk) NOTE: 20230105: Programming language: C. NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk) - NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/xfig.git - NOTE: 20230213: Communication with the maintainer. + NOTE: 20230206: VCS: https://salsa.debian.org/debian/xfig + NOTE: 20230213: ddCommunication with the maintainer. + NOTE: 20230226: CVE-2021-4024 is prepared by maintainer. -- xrdp NOTE: 20221225: Programming language: C. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/075e163f61072319ff4c1cb8491b7666f80f89da -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/075e163f61072319ff4c1cb8491b7666f80f89da You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
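Review bot: the xfig hunk replaces a correct "Communication with the maintainer." with "ddCommunication with the maintainer." (stray "dd") and adds "CVE-2021-4024", a seven-digit id that does not look complete (the xfig DLA reserved later on this page lists CVE-2021-40241); fix the typo and spell out the full CVE before commit. The VCS line is also rewritten in place (lts-team -> debian/xfig) instead of being appended as a new dated NOTE, which is what the file header asks for so the history stays readable.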
[Git][security-tracker-team/security-tracker][fix_987283] Check whether the ignored-debian-bug-packages is changed
Anton Gladky pushed to branch fix_987283 at Debian Security Tracker / security-tracker Commits: 32e39839 by Anton Gladky at 2023-02-25T23:26:12+01:00 Check whether the ignored-debian-bug-packages is changed - - - - - 1 changed file: - lib/python/security_db.py Changes: = lib/python/security_db.py = @@ -967,6 +967,12 @@ class DB: if has_changed(path + filename): unchanged = False break + +# Check if the ignored packages file has changed +source_ignore_unreported = "data/packages/ignored-debian-bug-packages" +if has_changed(path + filename): +unchanged = False + if unchanged: if self.verbose: print(" finished (no changes)") @@ -993,6 +999,20 @@ class DB: print(" update removed packages") self.readRemovedAndIgnoredPackages(cursor, path + source_removed_packages, table = "removed_packages") + +# Add file print to database for ignored packages +current_print = self.filePrint(source_ignore_unreported) +cursor.execute( +"""INSERT OR REPLACE INTO inodeprints (inodeprint, file) +VALUES (?, ?)""", (current_print, source_ignore_unreported)) + +if self.verbose: +print(" update ignored packages") + +# Read list of packages, which should be ignored for the status/unreported +self.readRemovedAndIgnoredPackages(cursor, source_ignore_unreported, table = "ignored_packages") + + errors = [] if self.verbose: 
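Review bot: the new check in the first hunk fingerprints the wrong file: "if has_changed(path + filename):" reuses "filename", the loop variable left over from the preceding for loop, instead of the "source_ignore_unreported" defined on the line above. An edit that touches only data/packages/ignored-debian-bug-packages will therefore not mark the database as changed and the ignored list will not be reloaded, which is the situation this branch is meant to fix. It should read "if has_changed(path + source_ignore_unreported):".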
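Review bot: the second hunk is inconsistent about the path prefix. The removed-packages code just above it uses "path + source_removed_packages", but the new code calls "self.filePrint(source_ignore_unreported)" and "self.readRemovedAndIgnoredPackages(cursor, source_ignore_unreported, ...)" with the bare relative string, and stores the fingerprint under that bare key. Unless "path" is always empty, the fingerprint stored here will never match what "has_changed(path + ...)" looks up, and the read may fail to find the file. Use "path + source_ignore_unreported" in all three places (fingerprint, INSERT key, read), matching the removed-packages handling.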
@@ -1330,10 +1350,6 @@ class DB: alias = config.get_release_alias(release) self._calcTesting(c, bug_name, alias, release) -# Read list of packages, which should be ignored for the status/unreported -source_ignore_unreported = "data/packages/ignored-debian-bug-packages" -self.readRemovedAndIgnoredPackages(cursor, source_ignore_unreported, table = "ignored_packages") - return result def _calcUnstable(self, cursor, bug_name): View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32e398392b522bbe5184dfe1a44ca0dbfa82f6cf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32e398392b522bbe5184dfe1a44ca0dbfa82f6cf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][fix_987283] Simplify DELETE FROM functions
Anton Gladky pushed to branch fix_987283 at Debian Security Tracker / security-tracker Commits: 0b6fc947 by Anton Gladky at 2023-02-25T22:45:48+01:00 Simplify DELETE FROM functions - - - - - 1 changed file: - lib/python/security_db.py Changes: = lib/python/security_db.py = @@ -916,15 +916,10 @@ class DB: else: cleared[0] = True -cursor.execute("DELETE FROM debian_bugs") -cursor.execute("DELETE FROM bugs") -cursor.execute("DELETE FROM package_notes") -cursor.execute("DELETE FROM bugs_notes") -cursor.execute("DELETE FROM bugs_xref") -cursor.execute("DELETE FROM package_notes_nodsa") -cursor.execute("DELETE FROM ignored_packages") -cursor.execute("DELETE FROM removed_packages") -cursor.execute("DELETE FROM next_point_update") +tables = ['debian_bugs', 'bugs', 'package_notes', 'bugs_notes', 'bugs_xref', 'package_notes_nodsa', 'ignored_packages', 'removed_packages', 'next_point_update'] + +for table in tables: +cursor.execute(f"DELETE FROM {table}") # The *_status tables are regenerated anyway, no need to # delete them here. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0b6fc947c144ed57f38949cfe9c7cb3bccc48460 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0b6fc947c144ed57f38949cfe9c7cb3bccc48460 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
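Review bot: building "DELETE FROM {table}" with an f-string is acceptable here only because "tables" is a hardcoded literal (the same nine names as the removed statements, in the same order); add a comment saying the list must stay a literal and never be derived from input, so a later refactor does not turn this loop into an SQL injection point.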
[Git][security-tracker-team/security-tracker][master] 2 commits: semi-automatic unclaim after 2 weeks of inactivity
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 53f57d61 by Anton Gladky at 2023-02-20T08:26:17+01:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Anton Gladky gl...@debian.org - - - - - d2693455 by Anton Gladky at 2023-02-20T08:33:49+01:00 LTS: assign libgit2 to Tobias - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -23,7 +23,7 @@ amanda NOTE: 20230219: VCS: https://salsa.debian.org/lts-team/packages/amanda.git NOTE: 20230219: Special attention: Privilege escalation. -- -apache2 (Lee Garrett) +apache2 NOTE: 20221227: Programming language: C. NOTE: 20221227: VCS: https://salsa.debian.org/lts-team/packages/apache2.git NOTE: 20221227: Special attention: Double check an update! Package is used by many customers and users!. @@ -32,7 +32,7 @@ apr-util (Adrian Bunk) NOTE: 20230207: Programming language: C. NOTE: 20230208: VCS: https://salsa.debian.org/lts-team/packages/apr-util.git -- -asterisk (Lee Garrett) +asterisk NOTE: 20221211: Programming language: C. NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/asterisk.git -- @@ -117,7 +117,7 @@ golang-yaml.v2 NOTE: 20230125: VCS: https://salsa.debian.org/lts-team/packages/golang-yaml.v2.git NOTE: 20230125: Special attention: limited support; requires rebuilding reverse build dependencies (though recent bullseye updates didn't). -- -imagemagick (Roberto C. Sánchez) +imagemagick NOTE: 20220904: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/imagemagick.git NOTE: 20220904: Should be synced with Stretch. (apo) 
@@ -138,7 +138,7 @@ libapache2-mod-auth-mellon (Utkarsh) NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/libapache2-mod-auth-mellon.git NOTE: 20230220: upload prepped, testing remains. (utkarsh) -- -libgit2 (gladk) +libgit2 (tobi) NOTE: 20230126: Programming language: C. NOTE: 20230126: VCS: https://salsa.debian.org/debian/libgit2.git NOTE: 20230126: Please fix also CVE-2020* (gladk). @@ -167,7 +167,7 @@ nextcloud-desktop NOTE: 20221128: VCS: https://salsa.debian.org/owncloud-team/nextcloud-desktop NOTE: 20221128: Please coordinate with maintainer the usage of their git-repo (gladk). -- -nheko (Abhijith PA) +nheko NOTE: 20230101: Programming language: C++. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/nheko.git -- @@ -188,7 +188,7 @@ node-nth-check NOTE: 20221223: Module has been rewritten in Typescript since Buster released (lamby). NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/node-nth-check.git -- -node-url-parse (guilhem) +node-url-parse NOTE: 2022: Programming language: JavaScript. NOTE: 2022: Follow fixes from bullseye 11.4 + check postponed issues (Beuc/front-desk) NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/node-url-parse.git @@ -355,7 +355,7 @@ sssd NOTE: 20230131: Programming language: C. NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git -- -thunderbird (Emilio) +thunderbird NOTE: 20230123: Programming language: C++ NOTE: 20230205: VCS: https://salsa.debian.org/mozilla-team/thunderbird.git NOTE: 20230205: Maintainer notes: Coordinate with maintainer 
@@ -390,7 +390,7 @@ xrdp NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/xrdp.git NOTE: 20230117: Fixed 6 out 10 CVEs. Testing (abhijith) -- -zabbix (Adrian Bunk) +zabbix NOTE: 20220911: At least CVE-2022-23134 was fixed in stretch so it should be fixed in buster too. NOTE: 20221209: Programming language: C. NOTE: 20221209: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/zabbix.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/39aeedb1ddfe0c6bfd5efe0e459dbf900ccb0393...d2693455f1a83e058d61de02116ba0d5ce94964a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/39aeedb1ddfe0c6bfd5efe0e459dbf900ccb0393...d2693455f1a83e058d61de02116ba0d5ce94964a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: Update VCS and note
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f7c73c1 by Anton Gladky at 2023-02-13T20:08:18+01:00 LTS: Update VCS and note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -134,7 +134,7 @@ man2html (gladk) NOTE: 20221004: Programming language: C. NOTE: 20221004: It looks like not patch is available. NOTE: 20221004: Please evalulate, whether the issue can be marked as . - NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/man2html.git + NOTE: 20230213: VCS: https://salsa.debian.org/debian/man2html.git -- netatalk NOTE: 20220816: Programming language: C. @@ -341,6 +341,7 @@ xfig (gladk) NOTE: 20230105: Programming language: C. NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk) NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/xfig.git + NOTE: 20230213: Communication with the maintainer. -- xrdp NOTE: 20221225: Programming language: C. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f7c73c1a78a23a2a296a8186852e8a3fe2fae02 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f7c73c1a78a23a2a296a8186852e8a3fe2fae02 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: Add meta-information
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 0e30ea9a by Anton Gladky at 2023-02-08T21:39:39+01:00 LTS: Add meta-information - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -201,6 +201,8 @@ openimageio -- openssl NOTE: 20230208: Programming language: C. + NOTE: 20230208: Special attention: Very high popcon! + NOTE: 20230208: VCS: https://salsa.debian.org/lts-team/packages/openssl.git -- php-cas NOTE: 20221105: Programming language: PHP. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e30ea9a0994990bf3668b5c3293d5ef735683a7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e30ea9a0994990bf3668b5c3293d5ef735683a7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: Add VCS to apr-util
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 2ead1eea by Anton Gladky at 2023-02-08T06:16:57+01:00 LTS: Add VCS to apr-util - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -25,6 +25,7 @@ apache2 (Lee Garrett) -- apr-util (Adrian Bunk) NOTE: 20230207: Programming language: C. + NOTE: 20230208: VCS: https://salsa.debian.org/lts-team/packages/apr-util.git -- asterisk (Lee Garrett) NOTE: 20221211: Programming language: C. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ead1eeae9495089dca0f33eec71f45cccba9d64 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ead1eeae9495089dca0f33eec71f45cccba9d64 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: Add meta-information
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 3dcbc257 by Anton Gladky at 2023-02-06T22:15:14+01:00 LTS: Add meta-information - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -94,6 +94,9 @@ golang-yaml.v2 NOTE: 20230125: Special attention: limited support; requires rebuilding reverse build dependencies (though recent bullseye updates didn't). -- heimdal (Helmut Grohne) + NOTE: 20230206: Programming language: C + NOTE: 20230206: Special attention: Do review patches, even those, coming from upstream. + NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/heimdal/ -- imagemagick (Roberto C. Sánchez) NOTE: 20220904: Programming language: C. @@ -312,6 +315,8 @@ sox (Helmut Grohne) -- spip NOTE: 20230206: Programming language: PHP. + NOTE: 20230206: Special attention: Please contact maintainer regarding VCS usage + NOTE: 20230206: VCS: https://salsa.debian.org/debian/spip.git -- sssd NOTE: 20230131: Programming language: C. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3dcbc2571082ea43963d86a583445ef8abf6a1c6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3dcbc2571082ea43963d86a583445ef8abf6a1c6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
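Review bot: in the heimdal hunk the VCS URL ends in a trailing slash and lacks the ".git" suffix that every other lts-team VCS note uses (e.g. .../packages/sssd.git in the same diff); normalise it so anything that greps these notes gets a uniform form. The line "Do review patches, even those, coming from upstream." also has a stray comma before "coming".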
[Git][security-tracker-team/security-tracker][master] LTS: add missing meta-information
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: f17072bd by Anton Gladky at 2023-02-05T20:46:49+01:00 LTS: add missing meta-information - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -286,9 +286,12 @@ sox (Helmut Grohne) -- sssd NOTE: 20230131: Programming language: C. + NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git -- thunderbird (Emilio) NOTE: 20230123: Programming language: C++ + NOTE: 20230205: VCS: https://salsa.debian.org/mozilla-team/thunderbird.git + NOTE: 20230205: Maintainer notes: Coordinate with maintainer -- tinymce NOTE: 20221227: Programming language: PHP. @@ -307,6 +310,7 @@ webkit2gtk wireshark (tobi) NOTE: 20230123: Programming language: C. NOTE: 20230123: 7 new CVEs + 3 postponed ones. Would be good to not let them pile up like last time. (utkarsh). + NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/wireshark.git -- xfig (gladk) NOTE: 20230105: Programming language: C. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f17072bdaf3d5796c7e2e4d8585d2c552661b133 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f17072bdaf3d5796c7e2e4d8585d2c552661b133 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Meta-Information to some newly added packages
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: ff9a66bf by Anton Gladky at 2023-01-30T21:30:39+01:00 Add Meta-Information to some newly added packages - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -42,6 +42,8 @@ ceph -- cinder NOTE: 20230130: Same issue in cinder, glance and nova packages: claim all three? (lamby) + NOTE: 20230130: Programming language: Python + NOTE: 20230130: VCS: https://salsa.debian.org/lts-team/packages/cinder.git -- consul NOTE: 20221031: Programming language: Go. @@ -72,6 +74,8 @@ fusiondirectory -- glance NOTE: 20230130: Same issue in cinder, glance and nova packages: claim all three? (lamby) + NOTE: 20230130: Programming language: Python + NOTE: 20230130: VCS: https://salsa.debian.org/lts-team/packages/glance.git -- golang-1.11 NOTE: 20220916: Programming language: Go. @@ -194,6 +198,10 @@ nodejs -- nova NOTE: 20230130: Same issue in cinder, glance and nova packages: claim all three? (lamby) + NOTE: 20230130: Programming language: Python + NOTE: 20230130: VCS: https://salsa.debian.org/openstack-team/services/nova + NOTE: 20230130: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/OpenStack.html + NOTE: 20230130: Maintainer notes: Contact original maintainer: zigo -- nvidia-graphics-drivers NOTE: 20221225: Programming language: binary blob. 
@@ -266,6 +274,8 @@ rainloop NOTE: 20220913: Evaluate the situation and decide whether we should support or EOL this package (Beuc/front-desk) -- redis (Chris Lamb) + NOTE: 20230130: Programming language: C + NOTE: 20230130: VCS: https://salsa.debian.org/lts-team/packages/redis.git -- ring NOTE: 20221120: Programming language: C. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff9a66bfa3272007f9804a46a3cc689c4e24feed -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff9a66bfa3272007f9804a46a3cc689c4e24feed You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
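Review bot: the new `Programming language: Python` lines for cinder and glance and the `Programming language: C` line for redis omit the trailing period that the surrounding entries use (`consul ... Go.`, `ring ... C.`); suggest adding it so the language field is written the same way in every block.

Review bot: the Testsuite link added to nova points at `TestSuites/OpenStack.html`, which by its name covers the OpenStack services rather than nova alone, yet cinder and glance, added in the same commit and flagged by the same "claim all three?" note, receive no Testsuite line; if that page applies to them, suggest copying `NOTE: 20230130: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/OpenStack.html` into both. The nova VCS URL is also the only one in the hunk without a `.git` suffix; that is consistent with it pointing at the openstack-team repository rather than lts-team, but worth writing the same way as the others.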
[Git][security-tracker-team/security-tracker][master] Change VCS for libgit2
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: de321af1 by Anton Gladky at 2023-01-30T19:54:25+01:00 Change VCS for libgit2 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -120,7 +120,7 @@ libapache2-mod-auth-mellon -- libgit2 (gladk) NOTE: 20230126: Programming language: C. - NOTE: 20230126: VCS: https://salsa.debian.org/lts-team/packages/libgit2.git + NOTE: 20230126: VCS: https://salsa.debian.org/debian/libgit2.git NOTE: 20230126: Please fix also CVE-2020* (gladk). -- libhtml-stripscripts-perl (Utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/de321af1d50353da1b7bb3b747c8da4b441ead12 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/de321af1d50353da1b7bb3b747c8da4b441ead12 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
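Review bot: the VCS line for libgit2 is changed from the lts-team repository to `https://salsa.debian.org/debian/libgit2.git` but keeps the original `20230126` date prefix, although the commit is from 2023-01-30; since the date in a NOTE records when that information was entered, suggest bumping it to `NOTE: 20230130: VCS: ...` or adding a one-line note explaining why the LTS repository is no longer the right target, so a later worker does not push to the wrong repository.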
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 95472c99 by Anton Gladky at 2023-01-30T06:50:17+01:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Anton Gladky gl...@debian.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -31,7 +31,7 @@ bind9 (Emilio) NOTE: 20230126: VCS: https://salsa.debian.org/lts-team/packages/bind9.git NOTE: 20230126: Special attention: Package is used in many cases. Please be very carefull with fix and upload!. -- -ceph (Stefano Rivera) +ceph NOTE: 20221031: Programming language: C++. NOTE: 20221031: To be checked further. Not clear whether the vulnerability can be exploited in a Debian system. NOTE: 20221031: What should be checked is whether any user with ceph permission can do the actions described in the exploit. (ola/front-desk) @@ -140,7 +140,7 @@ man2html (gladk) NOTE: 20221004: It looks like not patch is available. NOTE: 20221004: Please evalulate, whether the issue can be marked as . -- -modsecurity-crs (Tobias Frost) +modsecurity-crs NOTE: 20221006: Programming language: Other. NOTE: 20221006: Maintainer notes: Please contact maintainer. Consider uploading of newer version. NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/modsecurity-crs.git 
@@ -168,7 +168,7 @@ node-got NOTE: 2022: Follow fixes from bullseye 11.4 (Beuc/front-desk) NOTE: 20221223: Module has been rewritten in Typescript since Buster released (lamby). -- -node-moment (Utkarsh) +node-moment NOTE: 2022: Programming language: JavaScript. NOTE: 2022: Follow fixes from bullseye 11.4 and 11.5 (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/95472c998f3a42ea346fd2e2c92b3c92e86d6c8f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/95472c998f3a42ea346fd2e2c92b3c92e86d6c8f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
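Review bot: the three unclaims (ceph from Stefano Rivera, modsecurity-crs from Tobias Frost, node-moment from Utkarsh) only drop the name in parentheses and leave no dated NOTE recording that the claim was released for inactivity; the reason survives only in the commit message. Suggest adding a line such as `NOTE: 20230130: Unclaimed after 2 weeks of inactivity (gladk/front-desk)` under each of the three headers so the next person looking at dla-needed.txt can see the history without consulting git log, and so the previous claimant's partial work, if any, can be asked about.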
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add ruby-rack to dla-needed.txt
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 4a75521a by Anton Gladky at 2023-01-29T20:51:06+01:00 LTS: add ruby-rack to dla-needed.txt - - - - - b7512050 by Anton Gladky at 2023-01-29T20:55:40+01:00 LTS: add tmux to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -268,6 +268,10 @@ ring ruby-loofah NOTE: 20221231: Programming language: Ruby. -- +ruby-rack + NOTE: 20230129: Programming language: Ruby. + NOTE: 20230129: VCS: https://salsa.debian.org/lts-team/packages/ruby-rack.git +-- ruby-rails-html-sanitizer NOTE: 20221231: Programming language: Ruby. NOTE: 20221231: VCS: https://salsa.debian.org/lts-team/packages/ruby-rails-html-sanitizer.git @@ -327,6 +331,10 @@ tiff (Utkarsh) tinymce NOTE: 20221227: Programming language: PHP. -- +tmux + NOTE: 20230129: Programming language: C. + NOTE: 20230129: VCS: https://salsa.debian.org/lts-team/packages/tmux.git +-- wireshark NOTE: 20230123: Programming language: C. NOTE: 20230123: 7 new CVEs + 3 postponed ones. Would be good to not let them pile up like last time. (utkarsh). View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2d135f1805bbdc3ce352b4b113f59df9920a5eff...b7512050abddcfa78497aca3d00f5f6b13c0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2d135f1805bbdc3ce352b4b113f59df9920a5eff...b7512050abddcfa78497aca3d00f5f6b13c0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: take libgit2
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: c570f946 by Anton Gladky at 2023-01-29T18:23:14+01:00 LTS: take libgit2 - - - - - 2d135f18 by Anton Gladky at 2023-01-29T18:23:41+01:00 LTS: take man2html - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -112,7 +112,7 @@ libapache2-mod-auth-mellon NOTE: 20230105: Programming language: C. NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk) -- -libgit2 +libgit2 (gladk) NOTE: 20230126: Programming language: C. NOTE: 20230126: VCS: https://salsa.debian.org/lts-team/packages/libgit2.git NOTE: 20230126: Please fix also CVE-2020* (gladk). @@ -135,7 +135,7 @@ libstb (Adrian Bunk) linux (Ben Hutchings) NOTE: 20230111: Programming language: C -- -man2html +man2html (gladk) NOTE: 20221004: Programming language: C. NOTE: 20221004: It looks like not patch is available. NOTE: 20221004: Please evalulate, whether the issue can be marked as . View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/86672ee355229f340c3fa92a00d7ba7903893d1d...2d135f1805bbdc3ce352b4b113f59df9920a5eff -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/86672ee355229f340c3fa92a00d7ba7903893d1d...2d135f1805bbdc3ce352b4b113f59df9920a5eff You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: LTS: add tiff to dla-needed.txt
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: ce7e10d8 by Anton Gladky at 2023-01-26T06:25:25+01:00 LTS: add tiff to dla-needed.txt - - - - - 9247fe01 by Anton Gladky at 2023-01-26T06:28:22+01:00 LTS: add bind9 to dla-needed.txt - - - - - a3f38955 by Anton Gladky at 2023-01-26T06:30:36+01:00 LTS: add libgit2 to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -26,6 +26,11 @@ asterisk NOTE: 20221211: Programming language: C. NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/asterisk.git -- +bind9 + NOTE: 20230126: Programming language: C. + NOTE: 20230126: VCS: https://salsa.debian.org/lts-team/packages/bind9.git + NOTE: 20230126: Special attention: Package is used in many cases. Please be very carefull with fix and upload!. +-- ceph (Stefano Rivera) NOTE: 20221031: Programming language: C++. NOTE: 20221031: To be checked further. Not clear whether the vulnerability can be exploited in a Debian system. @@ -127,6 +132,11 @@ libapache2-mod-auth-mellon (Adrian Bunk) NOTE: 20230105: Programming language: C. NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk) -- +libgit2 + NOTE: 20230126: Programming language: C. + NOTE: 20230126: VCS: https://salsa.debian.org/lts-team/packages/libgit2.git + NOTE: 20230126: Please fix also CVE-2020* (gladk). +-- libhtml-stripscripts-perl (Utkarsh) NOTE: 20230125: Programming language: Perl. NOTE: 20230125: VCS: https://salsa.debian.org/lts-team/packages/libhtml-stripscripts-perl.git 
@@ -347,6 +357,11 @@ sox thunderbird (Emilio) NOTE: 20230123: Programming language: C++ -- +tiff + NOTE: 20230126: Programming language: C. + NOTE: 20230126: VCS: https://salsa.debian.org/lts-team/packages/tiff.git + NOTE: 20230126: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/tiff.html +-- tinymce NOTE: 20221227: Programming language: PHP. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0e06eda544305a780ac64c0ef55cdc4ba01311ae...a3f389554e3c95532d90e382713cccfe15177029 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0e06eda544305a780ac64c0ef55cdc4ba01311ae...a3f389554e3c95532d90e382713cccfe15177029 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
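Review bot: the bind9 `Special attention` line added here misspells "careful" as "carefull" and ends with "!." (two terminators); suggest `NOTE: 20230126: Special attention: Package is used in many cases. Please be very careful with fix and upload!` It would also help to say what "used in many cases" means concretely (for example, that bind9 is a widely deployed resolver and authoritative server in buster), since that is what justifies the extra testing.

Review bot: the libgit2 entry's `NOTE: 20230126: Please fix also CVE-2020* (gladk).` uses a wildcard in place of the CVE identifiers; suggest listing the specific CVE-2020 ids that are still open for libgit2 in buster, so the claimant can verify the set against data/CVE/list instead of guessing which issues the glob was meant to cover.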
[Git][security-tracker-team/security-tracker][master] 4 commits: Add fix link to the libhtml-stripscripts-perl
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 4a16069d by Anton Gladky at 2023-01-25T06:24:14+01:00 Add fix link to the libhtml-stripscripts-perl - - - - - ffc35fcd by Anton Gladky at 2023-01-25T06:28:55+01:00 LTS: add libhtml-stripscripts-perl to dla-needed.txt - - - - - 6c96ab38 by Anton Gladky at 2023-01-25T06:39:18+01:00 LTS: add golang-yaml.v2 to dla-needed.txt - - - - - f5bd72e6 by Anton Gladky at 2023-01-25T06:45:04+01:00 LTS: add sofia-sip to dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -1071,6 +1071,7 @@ CVE-2023-24039 (** UNSUPPORTED WHEN ASSIGNED ** A stack-based buffer overflow in CVE-2023-24038 (The HTML-StripScripts module through 1.06 for Perl allows _hss_attval_ ...) - libhtml-stripscripts-perl 1.06-4 (bug #1029400) NOTE: https://github.com/clintongormley/perl-html-stripscripts/issues/3 + NOTE: https://github.com/clintongormley/perl-html-stripscripts/pull/4 CVE-2023-24037 RESERVED CVE-2023-24036 = data/dla-needed.txt = @@ -101,6 +101,11 @@ golang-websocket NOTE: 20220915: 1 CVE fixed in stretch and bullseye (golang-github-gorilla-websocket) (Beuc/front-desk) NOTE: 20220915: Special attention: limited support; requires rebuilding reverse dependencies -- +golang-yaml.v2 + NOTE: 20230125: Programming language: Go. + NOTE: 20230125: VCS: https://salsa.debian.org/lts-team/packages/golang-yaml.v2.git + NOTE: 20230125: Special attention: limited support; requires rebuilding reverse build dependencies (though recent bullseye updates didn't). +-- graphite-web NOTE: 20221229: Programming language: Python. -- 
@@ -122,6 +127,10 @@ libapache2-mod-auth-mellon NOTE: 20230105: Programming language: C. NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk) -- +libhtml-stripscripts-perl + NOTE: 20230125: Programming language: Perl. + NOTE: 20230125: VCS: https://salsa.debian.org/lts-team/packages/libhtml-stripscripts-perl.git +-- libreoffice NOTE: 20221012: Programming language: C++. NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/libreoffice.git @@ -325,6 +334,10 @@ snort (Markus Koschany) NOTE: 20230121: Prepared new upstream version for unstable which we could NOTE: 20230121: backport to buster later. See https://bugs.debian.org/1021276 -- +sofia-sip + NOTE: 20230125: Programming language: C. + NOTE: 20230125: VCS: https://salsa.debian.org/lts-team/packages/sofia-sip.git +-- sox NOTE: 20220818: Programming language: C. NOTE: 20220818: Requires some investigation; see #1012138 etc. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/24a110dd2b485ff3413d8325916c5c7161215086...f5bd72e6efcb5a14077c4f09dd44e29ec62f4602 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/24a110dd2b485ff3413d8325916c5c7161215086...f5bd72e6efcb5a14077c4f09dd44e29ec62f4602 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
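Review bot: the CVE-2023-24038 entry gains a link to upstream pull request 4 but records nothing about its status, so a reader cannot tell whether this is a merged fix, a proposed fix, or just a discussion thread; suggest annotating the NOTE, for example `NOTE: https://github.com/clintongormley/perl-html-stripscripts/pull/4 (proposed fix, not yet merged)` or the equivalent, and adding the fixed upstream version once one exists, as the tracker does for other entries.

Review bot: the golang-yaml.v2 `Special attention` line says an update "requires rebuilding reverse build dependencies (though recent bullseye updates didn't)", which leaves the buster worker unsure whether the rebuild is expected of them or not; suggest stating the decision for buster directly (rebuild required or not, and who decided), rather than describing what happened in bullseye.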