[Git][security-tracker-team/security-tracker][master] dla: add note
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker
Commits: a8392601 by Adrian Bunk at 2020-12-07T02:21:40+02:00 dla: add note
1 changed file: data/dla-needed.txt
Changes: = data/dla-needed.txt =
@@ -75,6 +75,7 @@ linux (Ben Hutchings) linux-4.19 (Ben Hutchings) -- mariadb-10.1 (Adrian Bunk) + NOTE: 20201207: still ongoing (bunk) -- minidlna (Thorsten Alteholz) --
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a839260140544e7227aeeb6a66f4a3c9a0b4829e
You're receiving this email because of your account on salsa.debian.org.
debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim golang-golang-x-net-dev
Brian May pushed to branch master at Debian Security Tracker / security-tracker
Commits: 77291e9f by Brian May at 2020-12-07T08:21:28+11:00 Claim golang-golang-x-net-dev
1 changed file: data/dla-needed.txt
Changes: = data/dla-needed.txt =
@@ -49,7 +49,7 @@ f2fs-tools -- firmware-nonfree (Emilio) -- -golang-golang-x-net-dev +golang-golang-x-net-dev (Brian May) -- golang-websocket --
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/77291e9ff8a5019eb4ea4cc26442814fb763d320
[Git][security-tracker-team/security-tracker][master] Add trafficserver to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: f374a23f by Salvatore Bonaccorso at 2020-12-06T21:10:35+01:00 Add trafficserver to dsa-needed list
1 changed file: data/dsa-needed.txt
Changes: = data/dsa-needed.txt =
@@ -36,6 +36,8 @@ salt -- slurm-llnl (jmm) -- +trafficserver +-- xcftools Hugo proposed to work on this update --
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f374a23f80726d4e74e2038275ecfe19141f2bb9
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-1750{8,9}/trafficserver
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: caecd657 by Salvatore Bonaccorso at 2020-12-06T20:51:02+01:00 Add CVE-2020-1750{8,9}/trafficserver
1 changed file: data/CVE/list
Changes: = data/CVE/list =
@@ -29128,10 +29128,16 @@ CVE-2020-17511 CVE-2020-17510 (Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a spec ...) - shiro NOTE: https://www.openwall.com/lists/oss-security/2020/11/04/7 -CVE-2020-17509 +CVE-2020-17509 [ATS negative cache option is vulnerable to a cache poisoning attack] RESERVED -CVE-2020-17508 + - trafficserver 8.1.1+ds-1 + NOTE: https://github.com/apache/trafficserver/pull/7359 + NOTE: https://lists.apache.org/thread.html/raa9f0589c26c4d146646425e51e2a33e1457492df9f7ea2019daa6d3%40%3Cdev.trafficserver.apache.org%3E +CVE-2020-17508 [The ATS ESI plugin has a memory disclosure vulnerability] RESERVED + - trafficserver 8.1.1+ds-1 + NOTE: https://github.com/apache/trafficserver/pull/7358 + NOTE: https://lists.apache.org/thread.html/r65434f7acca3aebf81b0588587149c893fe9f8f9f159eaa7364a70ff%40%3Cdev.trafficserver.apache.org%3E CVE-2020-17507 (An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15. ...) {DLA-2377-1 DLA-2376-1} - qtbase-opensource-src 5.14.2+dfsg-6 (bug #968444)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/caecd657d8e60be605b5c5c3b2d52184b089
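Review bot: the two new trafficserver entries record only the unstable fix (8.1.1+ds-1) and carry no [buster] or [stretch] line, so the stable suites are left untriaged in this hunk; the later commit in this digest that adds trafficserver to dsa-needed.txt shows buster is meant to get a DSA, and a matching suite line here (plus a no-dsa or not-affected decision for stretch, depending on whether it ships the affected code) would let the tracker entry say so itself.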
[Git][security-tracker-team/security-tracker][master] Add php-pear to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: e4aab6e2 by Salvatore Bonaccorso at 2020-12-06T20:39:36+01:00 Add php-pear to dsa-needed list
1 changed file: data/dsa-needed.txt
Changes: = data/dsa-needed.txt =
@@ -30,6 +30,8 @@ minidlna (jmm) -- netty -- +php-pear (carnil) +-- salt -- slurm-llnl (jmm)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e4aab6e2f85b011a6ccf86e8517bcec11a18d0c5
[Git][security-tracker-team/security-tracker][master] take slurm, minidlna
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: 1e0ebaf0 by Moritz Muehlenhoff at 2020-12-06T19:36:20+01:00 take slurm, minidlna
1 changed file: data/dsa-needed.txt
Changes: = data/dsa-needed.txt =
@@ -26,13 +26,13 @@ linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v4.19.y versions. -- -minidlna +minidlna (jmm) -- netty -- salt -- -slurm-llnl +slurm-llnl (jmm) -- xcftools Hugo proposed to work on this update
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e0ebaf0c4896869ab6e35ed1c156e78d7bebe54
[Git][security-tracker-team/security-tracker][master] Take tomcat8
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker
Commits: de562af7 by Utkarsh Gupta at 2020-12-06T23:21:32+05:30 Take tomcat8 Signed-off-by: Utkarsh Gupta utka...@debian.org
1 changed file: data/dla-needed.txt
Changes: = data/dla-needed.txt =
@@ -157,7 +157,7 @@ spice-vdagent (Abhijith PA) spip NOTE: Low priority for us. sec team did DSA-4798-1 (abhijith) -- -tomcat8 +tomcat8 (Utkarsh) -- webcit (Markus Koschany) NOTE: 20201130: Requested more information from upstream. Currently patches
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/de562af7b32e62d50aa84361279081fc2cae5632
[Git][security-tracker-team/security-tracker][master] 2 commits: add tomcat8
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker
Commits:
53908f36 by Thorsten Alteholz at 2020-12-06T17:21:19+01:00 add tomcat8
20695177 by Thorsten Alteholz at 2020-12-06T17:23:20+01:00 mark CVE-2020-29565 as no-dsa
2 changed files: data/CVE/list, data/dla-needed.txt
Changes: = data/CVE/list =
@@ -56,6 +56,7 @@ CVE-2020-29566 RESERVED CVE-2020-29565 (An issue was discovered in OpenStack Horizon before 15.3.2, 16.x befor ...) - horizon 3:18.6.1-1 + [stretch] - horizon (Minor issue) NOTE: https://bugs.launchpad.net/horizon/+bug/1865026 NOTE: https://review.opendev.org/c/openstack/horizon/+/758841/ NOTE: https://review.opendev.org/c/openstack/horizon/+/758843/
= data/dla-needed.txt =
@@ -157,6 +157,8 @@ spice-vdagent (Abhijith PA) spip NOTE: Low priority for us. sec team did DSA-4798-1 (abhijith) -- +tomcat8 +-- webcit (Markus Koschany) NOTE: 20201130: Requested more information from upstream. Currently patches NOTE: or workarounds are not available.
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/10f47fcfa30572abf1b592aea6b69ac285529086...2069517724592770df8cc7aa9a3f359808bab2cc
[Git][security-tracker-team/security-tracker][master] 6 commits: mark CVE-2020-27818 as no-dsa for Stretch
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker
Commits:
08cbb2ff by Thorsten Alteholz at 2020-12-06T17:04:06+01:00 mark CVE-2020-27818 as no-dsa for Stretch
6f10c86e by Thorsten Alteholz at 2020-12-06T17:05:17+01:00 mark CVE-2020-27821 as postponed for Stretch
9a70de2d by Thorsten Alteholz at 2020-12-06T17:09:56+01:00 mark CVE-2020-29562 as no-dsa for Stretch
7e763b66 by Thorsten Alteholz at 2020-12-06T17:10:35+01:00 mark CVE-2020-29573 as no-dsa for Stretch
8725f0a1 by Thorsten Alteholz at 2020-12-06T17:14:02+01:00 add golang-websocket
10f47fcf by Thorsten Alteholz at 2020-12-06T17:17:00+01:00 mark CVE-2020-17521 as no-dsa for Stretch
2 changed files: data/CVE/list, data/dla-needed.txt
Changes: = data/CVE/list =
@@ -36,6 +36,7 @@ CVE-2020-29574 RESERVED CVE-2020-29573 (sysdeps/i386/ldbl2mpn.c in the GNU C Library (aka glibc or libc6) befo ...) - glibc + [stretch] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=26649 NOTE: https://sourceware.org/pipermail/libc-alpha/2020-September/117779.html NOTE: https://sourceware.org/git/?p=glibc.git;a=commit;h=681900d29683722b1cb0a8e565a0585846ec5a61 @@ -64,6 +65,7 @@ CVE-2020-29563 RESERVED CVE-2020-29562 (The iconv function in the GNU C Library (aka glibc or libc6) 2.30 to 2 ...) - glibc (bug #976391) + [stretch] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=26923 NOTE: https://sourceware.org/pipermail/libc-alpha/2020-November/119822.html CVE-2020-29561 (An issue was discovered in SonicBOOM riscv-boom 3.0.0. For LR, it does ...) @@ -6885,6 +6887,7 @@ CVE-2020-27822 CVE-2020-27821 [heap buffer overflow in msix_table_mmio_write() in hw/pci/msix.c] RESERVED - qemu + [stretch] - qemu (Fix along in future DLA) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1902651 CVE-2020-27820 [use-after-free in nouveau kernel module] RESERVED
@@ -6897,6 +6900,7 @@ CVE-2020-27818 RESERVED - pngcheck 2.3.0-13 (bug #976350) [buster] - pngcheck (Minor issue) + [stretch] - pngcheck (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1902011 NOTE: Patch applied in Fedora: https://src.fedoraproject.org/rpms/pngcheck/blob/cc48791e34201caf7b686084b735d06cef66c974/f/pngcheck-2.4.0-overflow-bz1897485.patch CVE-2020-27817 @@ -29095,6 +29099,7 @@ CVE-2020-17522 CVE-2020-17521 [Information Disclosure] RESERVED - groovy + [stretch] - groovy (Minor issue) - groovy2 NOTE: https://issues.apache.org/jira/browse/GROOVY-9824 NOTE: https://www.openwall.com/lists/oss-security/2020/12/06/1
= data/dla-needed.txt =
@@ -51,6 +51,8 @@ firmware-nonfree (Emilio) -- golang-golang-x-net-dev -- +golang-websocket +-- influxdb -- intel-microcode
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d4fb490c27e8bfa2c7a60c775a19d2598a708c18...10f47fcfa30572abf1b592aea6b69ac285529086
[Git][security-tracker-team/security-tracker][master] Track fixed version for opensc issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: d4fb490c by Salvatore Bonaccorso at 2020-12-06T11:38:12+01:00 Track fixed version for opensc issues
1 changed file: data/CVE/list
Changes: = data/CVE/list =
@@ -10238,19 +10238,19 @@ CVE-2019-20923 (A user authorized to perform database queries may trigger denial CVE-1999-0199 (manual/search.texi in the GNU C Library (aka glibc) before 2.2 lacks a ...) - glibc 2.2-1 CVE-2020-26572 (The TCOS smart card software driver in OpenSC before 0.21.0-rc1 has a ...) - - opensc (bug #972035) + - opensc 0.21.0-1 (bug #972035) [buster] - opensc (Minor issue) [stretch] - opensc (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22967 NOTE: https://github.com/OpenSC/OpenSC/commit/9d294de90d1cc66956389856e60b6944b27b4817 (0.21.0-rc1) CVE-2020-26571 (The gemsafe GPK smart card software driver in OpenSC before 0.21.0-rc1 ...) - - opensc (bug #972036) + - opensc 0.21.0-1 (bug #972036) [buster] - opensc (Minor issue) [stretch] - opensc (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20612 NOTE: https://github.com/OpenSC/OpenSC/commit/ed55fcd2996930bf58b9bb57e9ba7b1f3a753c43 (0.21.0-rc1) CVE-2020-26570 (The Oberthur smart card software driver in OpenSC before 0.21.0-rc1 ha ...) - - opensc (bug #972037) + - opensc 0.21.0-1 (bug #972037) [buster] - opensc (Minor issue) [stretch] - opensc (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24316
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4fb490c27e8bfa2c7a60c775a19d2598a708c18
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2020-17521
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: 77e51144 by Salvatore Bonaccorso at 2020-12-06T11:05:50+01:00 Update information for CVE-2020-17521
1 changed file: data/CVE/list
Changes: = data/CVE/list =
@@ -29092,10 +29092,13 @@ CVE-2020-17523 RESERVED CVE-2020-17522 RESERVED -CVE-2020-17521 +CVE-2020-17521 [Information Disclosure] RESERVED - TODO: check + - groovy + - groovy2 + NOTE: https://issues.apache.org/jira/browse/GROOVY-9824 NOTE: https://www.openwall.com/lists/oss-security/2020/12/06/1 + NOTE: https://github.com/apache/groovy/commit/4e418d4a34c973a7ec1e822552103043ac13780e (GROOVY_2_4_21) CVE-2020-17520 RESERVED CVE-2020-17519
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/77e51144c6b3b5aaa1962bad3a82f3e03fcc7754
[Git][security-tracker-team/security-tracker][master] CVE-2020-17521
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker
Commits: 63e150ff by Henri Salo at 2020-12-06T11:46:22+02:00 CVE-2020-17521
1 changed file: data/CVE/list
Changes: = data/CVE/list =
@@ -29094,6 +29094,8 @@ CVE-2020-17522 RESERVED CVE-2020-17521 RESERVED + TODO: check + NOTE: https://www.openwall.com/lists/oss-security/2020/12/06/1 CVE-2020-17520 RESERVED CVE-2020-17519
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63e150ff30b26d9f5e411798e1055382f85a3a3f
[Git][security-tracker-team/security-tracker][master] Add slurm-llnl to dsa-needed
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: c1b09566 by Salvatore Bonaccorso at 2020-12-06T10:10:49+01:00 Add slurm-llnl to dsa-needed
1 changed file: data/dsa-needed.txt
Changes: = data/dsa-needed.txt =
@@ -32,6 +32,8 @@ netty -- salt -- +slurm-llnl +-- xcftools Hugo proposed to work on this update --
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1b0956691a2d6e49a7bd373a56b79216731698f
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2019-10221/dogtag-pki via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: 21ebdd15 by Salvatore Bonaccorso at 2020-12-06T09:41:35+01:00 Track fixed version for CVE-2019-10221/dogtag-pki via unstable
1 changed file: data/CVE/list
Changes: = data/CVE/list =
@@ -103000,7 +103000,7 @@ CVE-2019-10222 (A flaw was found in the Ceph RGW configuration with Beast as the NOTE: 12.2.x installations only affected by the vulnerability if experimental NOTE: features are enabled. CVE-2019-10221 (A Reflected Cross Site Scripting vulnerability was found in all pki-co ...) - - dogtag-pki + - dogtag-pki 10.9.1-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1732565 NOTE: https://github.com/dogtagpki/pki/pull/452 CVE-2019-10220 (Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a rel ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21ebdd1529ca65e8b1099f8fb2aaad75b708c86e
[Git][security-tracker-team/security-tracker][master] Add upstream pull request to address CVE-2019-10221/dogtag-pki
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: b8195e61 by Salvatore Bonaccorso at 2020-12-06T09:40:51+01:00 Add upstream pull request to address CVE-2019-10221/dogtag-pki
1 changed file: data/CVE/list
Changes: = data/CVE/list =
@@ -103002,6 +103002,7 @@ CVE-2019-10222 (A flaw was found in the Ceph RGW configuration with Beast as the CVE-2019-10221 (A Reflected Cross Site Scripting vulnerability was found in all pki-co ...) - dogtag-pki NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1732565 + NOTE: https://github.com/dogtagpki/pki/pull/452 CVE-2019-10220 (Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a rel ...) {DLA-2114-1 DLA-2068-1} - linux 5.3.9-1
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b8195e61d481566e3d2a12b5bac7f6ce8b05d69a
[Git][security-tracker-team/security-tracker][master] Track fixed version for two consul issues via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: 394f32d8 by Salvatore Bonaccorso at 2020-12-06T09:33:22+01:00 Track fixed version for two consul issues via unstable
1 changed file: data/CVE/list
Changes: = data/CVE/list =
@@ -6165,7 +6165,7 @@ CVE-2020-28055 (A vulnerability in the TCL Android Smart TV series V8-R851T02-LF CVE-2020-28054 (JamoDat TSMManager Collector version up to 6.5.0.21 is vulnerable to a ...) NOT-FOR-US: JamoDat TSMManager Collector CVE-2020-28053 (HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed opera ...) - - consul (bug #975584) + - consul 1.8.6+dfsg1-1 (bug #975584) [buster] - consul (Vulnerable code introduced later) NOTE: https://github.com/hashicorp/consul/issues/9240 NOTE: https://github.com/hashicorp/consul/blob/master/CHANGELOG.md#186-november-19-2020 @@ -13502,7 +13502,7 @@ CVE-2020-25575 (** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered in the f CVE-2020-25202 RESERVED CVE-2020-25201 (HashiCorp Consul Enterprise version 1.7.0 up to 1.8.4 includes a names ...) - - consul (bug #973892) + - consul 1.8.6+dfsg1-1 (bug #973892) [buster] - consul (Vulnerable code introduced later) NOTE: https://github.com/hashicorp/consul/pull/9024 NOTE: https://github.com/hashicorp/consul/blob/master/CHANGELOG.md#185-october-23-2020
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/394f32d8e8fd75074eef1f43e2d8ddc6590e2f79
[Git][security-tracker-team/security-tracker][master] Mark one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: a37c5f76 by Salvatore Bonaccorso at 2020-12-06T09:30:17+01:00 Mark one NFU
1 changed file: data/CVE/list
Changes: = data/CVE/list =
@@ -40,7 +40,7 @@ CVE-2020-29573 (sysdeps/i386/ldbl2mpn.c in the GNU C Library (aka glibc or libc6 NOTE: https://sourceware.org/pipermail/libc-alpha/2020-September/117779.html NOTE: https://sourceware.org/git/?p=glibc.git;a=commit;h=681900d29683722b1cb0a8e565a0585846ec5a61 CVE-2020-29572 (app/View/Elements/genericElements/SingleViews/Fields/genericField.ctp ...) - TODO: check + NOT-FOR-US: MISP CVE-2020-29571 RESERVED CVE-2020-29570
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a37c5f7687c4b3d19faf3954491ef0e8b8f2a4b9
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-29573/glibc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: d017a377 by Salvatore Bonaccorso at 2020-12-06T09:24:30+01:00 Add CVE-2020-29573/glibc
1 changed file: data/CVE/list
Changes: = data/CVE/list =
@@ -35,7 +35,10 @@ CVE-2020-29575 CVE-2020-29574 RESERVED CVE-2020-29573 (sysdeps/i386/ldbl2mpn.c in the GNU C Library (aka glibc or libc6) befo ...) - TODO: check + - glibc + NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=26649 + NOTE: https://sourceware.org/pipermail/libc-alpha/2020-September/117779.html + NOTE: https://sourceware.org/git/?p=glibc.git;a=commit;h=681900d29683722b1cb0a8e565a0585846ec5a61 CVE-2020-29572 (app/View/Elements/genericElements/SingleViews/Fields/genericField.ctp ...) TODO: check CVE-2020-29571
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d017a377dd838fd1e07a46ff7d4b03c13ba8d38a
[Git][security-tracker-team/security-tracker][master] Add minidlna to dsa-needed
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: 725d052e by Salvatore Bonaccorso at 2020-12-06T09:16:54+01:00 Add minidlna to dsa-needed
1 changed file: data/dsa-needed.txt
Changes: = data/dsa-needed.txt =
@@ -26,6 +26,8 @@ linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v4.19.y versions. -- +minidlna +-- netty -- salt
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/725d052e8db633b58c471fd14085c872935f157d
[Git][security-tracker-team/security-tracker][master] Revert "Mark minidlna issues as no-dsa"
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: 13a9c41a by Salvatore Bonaccorso at 2020-12-06T09:14:35+01:00 Revert "Mark minidlna issues as no-dsa" This reverts commit 1140fa69eb1c8fa380eb45a5949d7494a9914a25.
1 changed file: data/CVE/list
Changes: = data/CVE/list =
@@ -1654,7 +1654,6 @@ CVE-2020-28927 (There is a Stored XSS in Magicpin v2.1 in the User Registration NOT-FOR-US: Magicpin CVE-2020-28926 (ReadyMedia (aka MiniDLNA) before versions 1.3.0 allows remote code exe ...) - minidlna (bug #976595) - [buster] - minidlna (Minor issue, DLNA only used in a trusted context) NOTE: https://www.rootshellsecurity.net/remote-heap-corruption-bug-discovery-minidlna/ NOTE: https://sourceforge.net/p/minidlna/git/ci/9fba41008adebc1da0f4f6c6e27ae422ace3fe4a (v1_3_0) CVE-2020-28925 @@ -41328,7 +41327,6 @@ CVE-2020-12695 (The Open Connectivity Foundation UPnP specification before 2020- - gupnp 1.2.3-1 [buster] - gupnp 1.0.5-0+deb10u1 - minidlna (bug #976594) - [buster] - minidlna (Minor issue, DLNA only used in a trusted context) NOTE: https://w1.fi/security/2020-1/upnp-subscribe-misbehavior-wps-ap.txt NOTE: https://w1.fi/security/2020-1/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch NOTE: https://w1.fi/security/2020-1/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13a9c41a09d82039fd9c6d437698c16f7a162cda
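Review bot: both hunks drop the '[buster] - minidlna (Minor issue, DLNA only used in a trusted context)' line without putting any replacement status in its place, so CVE-2020-28926 (whose description speaks of remote code execution) and CVE-2020-12695 go back to open for buster; the follow-up commit in this digest that adds minidlna to dsa-needed.txt makes the intent clear, but a one-line reason in the revert message, or a NOTE on the entries, would spare the next reader of the history the same reconstruction.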
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: 696c52e8 by security tracker role at 2020-12-06T08:10:15+00:00 automatic update
1 changed file: data/CVE/list
Changes: = data/CVE/list =
@@ -1,3 +1,43 @@ +CVE-2020-29591 + RESERVED +CVE-2020-29590 + RESERVED +CVE-2020-29589 + RESERVED +CVE-2020-29588 + RESERVED +CVE-2020-29587 + RESERVED +CVE-2020-29586 + RESERVED +CVE-2020-29585 + RESERVED +CVE-2020-29584 + RESERVED +CVE-2020-29583 + RESERVED +CVE-2020-29582 + RESERVED +CVE-2020-29581 + RESERVED +CVE-2020-29580 + RESERVED +CVE-2020-29579 + RESERVED +CVE-2020-29578 + RESERVED +CVE-2020-29577 + RESERVED +CVE-2020-29576 + RESERVED +CVE-2020-29575 + RESERVED +CVE-2020-29574 + RESERVED +CVE-2020-29573 (sysdeps/i386/ldbl2mpn.c in the GNU C Library (aka glibc or libc6) befo ...) + TODO: check +CVE-2020-29572 (app/View/Elements/genericElements/SingleViews/Fields/genericField.ctp ...) + TODO: check CVE-2020-29571 RESERVED CVE-2020-29570 @@ -1567,6 +1607,7 @@ CVE-2020-28943 CVE-2020-28942 (An issue exists in PrimeKey EJBCA before 7.4.3 when enrolling with EST ...) NOT-FOR-US: PrimeKey EJBCA CVE-2020-28941 (An issue was discovered in drivers/accessibility/speakup/spk_ttyio.c i ...) + {DLA-2483-1} - linux 5.9.11-1 [buster] - linux 4.19.160-1 [stretch] - linux (Vulnerable code not present) @@ -3972,6 +4013,7 @@ CVE-2020-28362 (Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Serv NOTE: https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM/m/fLguyiM2CAAJ NOTE: https://github.com/golang/go/issues/42552 CVE-2020-28974 (A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 co ...) + {DLA-2483-1} - linux 5.9.9-1 [buster] - linux 4.19.160-1 NOTE: https://git.kernel.org/linus/3c4e0dff2095c579b142d5a0693257f1c58b4804
@@ -6958,6 +7000,7 @@ CVE-2020-27778 (A flaw was found in Poppler in the way certain PDF files were co NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/commit/30c731b487190c02afff3f036736a392eb60cd9a (poppler-0.76.0) CVE-2020-2 RESERVED + {DLA-2483-1} - linux 5.9.6-1 [buster] - linux 4.19.160-1 [stretch] - linux (Only an issue when Secure Boot is implemented) @@ -7914,10 +7957,12 @@ CVE-2020-27602 (BigBlueButton before 2.2.7 does not have a protection mechanism CVE-2020-27601 (In BigBlueButton before 2.2.7, lockSettingsProps.disablePrivateChat do ...) NOT-FOR-US: BigBlueButton CVE-2020-27673 (An issue was discovered in the Linux kernel through 5.9.1, as used wit ...) + {DLA-2483-1} - linux 5.9.6-1 [buster] - linux 4.19.160-1 NOTE: https://xenbits.xen.org/xsa/advisory-332.html CVE-2020-27675 (An issue was discovered in the Linux kernel through 5.9.1, as used wit ...) + {DLA-2483-1} - linux 5.9.6-1 [buster] - linux 4.19.160-1 NOTE: https://xenbits.xen.org/xsa/advisory-331.html @@ -12141,11 +12186,13 @@ CVE-2020-25706 (A cross-site scripting (XSS) vulnerability exists in templates_i NOTE: https://github.com/Cacti/cacti/issues/3723 NOTE: https://github.com/Cacti/cacti/commit/39458efcd5286d50e6b7f905fedcdc1059354e6e CVE-2020-25705 (A flaw in the way reply ICMP packets are limited in the Linux kernel f ...) + {DLA-2483-1} - linux 5.9.6-1 [buster] - linux 4.19.160-1 NOTE: https://git.kernel.org/linus/b38e7819cae946e2edf869e604af1e65a5d241c5 NOTE: https://www.saddns.net/ CVE-2020-25704 (A flaw memory leak in the Linux kernel performance monitoring subsyste ...) + {DLA-2483-1} - linux 5.9.6-1 [buster] - linux 4.19.160-1 NOTE: https://git.kernel.org/linus/7bdb157cdebbf95a1cd94ed2e01b338714075d00
@@ -12270,11 +12317,13 @@ CVE-2020-25670 NOTE: https://www.openwall.com/lists/oss-security/2020/11/01/1 CVE-2020-25669 RESERVED + {DLA-2483-1} - linux 5.9.11-1 [buster] - linux 4.19.160-1 NOTE: https://www.openwall.com/lists/oss-security/2020/11/05/2 CVE-2020-25668 [concurrency use-after-free in vt] RESERVED + {DLA-2483-1} - linux 5.9.6-1 [buster] - linux 4.19.160-1 NOTE: https://www.openwall.com/lists/oss-security/2020/10/30/1 @@ -12353,6 +12402,7 @@ CVE-2020-25657 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1889823 NOTE: https://gitlab.com/m2crypto/m2crypto/-/issues/285 CVE-2020-25656 (A flaw was found in the Linux kernel. A use-after-free was found in th ...) + {DLA-2483-1} - linux 5.9.6-1 [buster] - linux 4.19.160-1 NOTE:
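Review bot: in the hunk at @@ -1567 CVE-2020-28941 gains {DLA-2483-1} while its suite line still reads '[stretch] - linux (Vulnerable code not present)', and the hunk at @@ -6958 does the same for the entry whose id is cut off in this rendering (CVE-2020-2...), pairing {DLA-2483-1} with '[stretch] - linux (Only an issue when Secure Boot is implemented)'; an advisory tag and a not-affected or ignored marker for the same suite pull in opposite directions, so those two entries should be checked against what DLA-2483-1 actually fixed and either the tag or the marker corrected; since this commit is the automatic import, the correction belongs in a manual follow-up.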