[Git][security-tracker-team/security-tracker][master] Fix typo in todo item
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f8e45188 by Salvatore Bonaccorso at 2021-08-15T00:07:18+02:00 Fix typo in todo item - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -37651,7 +37651,7 @@ CVE-2021-22931 [cares upgrade - Improper handling of untypical characters in dom RESERVED - nodejs NOTE: https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/#cares-upgrade-improper-handling-of-untypical-characters-in-domain-names-high-cve-2021-22931 - TODO: check, nodejfs uses system c-ares which fixed CVE-2021-3672 and so this entry might be not-affected + TODO: check, nodejs uses system c-ares which fixed CVE-2021-3672 and so this entry might be not-affected CVE-2021-22930 [Use after free on close http2 on stream canceling] RESERVED - nodejs 12.22.4~dfsg-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f8e45188ddcaa117d3819cf682682c6743866487 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f8e45188ddcaa117d3819cf682682c6743866487 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-38597/wolfssl
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: b9e47d04 by Salvatore Bonaccorso at 2021-08-14T23:07:50+02:00
Add Debian bug reference for CVE-2021-38597/wolfssl
- - - - -
1 changed file: - data/CVE/list
Changes: = data/CVE/list = @@ -202,7 +202,7 @@ CVE-2021-38599 (WAL-G before 1.1, when a non-libsodium build (e.g., one of the o CVE-2021-38598 RESERVED CVE-2021-38597 (wolfSSL before 4.8.1 incorrectly skips OCSP verification in certain si ...) - - wolfssl + - wolfssl (bug #992174) NOTE: https://github.com/wolfSSL/wolfssl/commit/f93083be72a3b3d956b52a7ec13f307a27b6e093 CVE-2021-38596 RESERVED
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b9e47d048a48d1431b538f140e3f8c0b2a12bd6c
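Review bot: the `- wolfssl` line stays unversioned after the bug reference is added, so the tracker keeps showing every suite as affected; the description already gives the upstream fix boundary ("before 4.8.1") and the NOTE links the fixing commit f93083be, so once 4.8.1 or a backport of that commit is uploaded the fixed source version should replace the bare entry, and bullseye/buster should get explicit `[suite]` lines if the team settles on no-dsa for them.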
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-38511/rust-tar
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: 21d600b3 by Salvatore Bonaccorso at 2021-08-14T22:55:30+02:00
Add Debian bug reference for CVE-2021-38511/rust-tar
- - - - -
1 changed file: - data/CVE/list
Changes: = data/CVE/list = @@ -343,7 +343,7 @@ CVE-2021- [RUSTSEC-2021-0079] NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0079.html NOTE: https://github.com/hyperium/hyper/security/advisories/GHSA-5h46-h7hh-c6x9 CVE-2021-38511 (An issue was discovered in the tar crate before 0.4.36 for Rust. When ...) - - rust-tar + - rust-tar (bug #992173) NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0080.html NOTE: https://github.com/alexcrichton/tar-rs/issues/238 CVE-2021-38540
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21d600b3f6f468c114da72bbeaf078708ad78414
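Review bot: `- rust-tar (bug #992173)` still records no fixed version although the description names 0.4.36 as the first fixed crate release, so the entry should pick up the Debian source version that ships 0.4.36 when it is uploaded. Separately, the preceding entry in the context, `CVE-2021- [RUSTSEC-2021-0079]`, has no CVE number at all; a TODO asking for the assignment would stop it sitting indefinitely under a blank identifier.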
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-38371/exim4
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: ffe425d7 by Salvatore Bonaccorso at 2021-08-14T22:53:39+02:00
Add Debian bug reference for CVE-2021-38371/exim4
- - - - -
1 changed file: - data/CVE/list
Changes: = data/CVE/list = @@ -691,7 +691,7 @@ CVE-2021-38373 (In KDE KMail 19.12.3 (aka 5.13.3), the SMTP STARTTLS option is n CVE-2021-38372 (In KDE Trojita 0.7, man-in-the-middle attackers can create new folders ...) - trojita (bug #795701) CVE-2021-38371 (The STARTTLS feature in Exim through 4.94.2 allows response injection ...) - - exim4 + - exim4 (bug #992172) NOTE: https://nostarttls.secvuln.info NOTE: https://www.exim.org/static/doc/security/CVE-2021-38371.txt CVE-2021-38370 (In Alpine through 2.24, untagged responses from an IMAP server are acc ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ffe425d739bdd2efd89a5e08792790421d5d02ec
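Review bot: the exim4 line gains a bug reference but no fixed version, and with the description marking "Exim through 4.94.2" as affected that covers everything in the archive at the time; the linked exim.org advisory text for CVE-2021-38371 is the place to take the fixed release from, so the entry should record it together with `[bullseye]`/`[buster]` lines once the security team decides whether a DSA is warranted for a STARTTLS response-injection issue.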
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-38370/alpine
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: 43fb59dc by Salvatore Bonaccorso at 2021-08-14T22:41:24+02:00
Add Debian bug reference for CVE-2021-38370/alpine
- - - - -
1 changed file: - data/CVE/list
Changes: = data/CVE/list = @@ -695,7 +695,7 @@ CVE-2021-38371 (The STARTTLS feature in Exim through 4.94.2 allows response inje NOTE: https://nostarttls.secvuln.info NOTE: https://www.exim.org/static/doc/security/CVE-2021-38371.txt CVE-2021-38370 (In Alpine through 2.24, untagged responses from an IMAP server are acc ...) - - alpine + - alpine (bug #992171) NOTE: https://nostarttls.secvuln.info CVE-2021-38369 RESERVED
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43fb59dcd65a8e803a93ed1ad04133d6fa4b4f73
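Review bot: unlike the exim4 entry just above it, the alpine entry has only the generic nostarttls.secvuln.info NOTE and no upstream fix reference; with the description saying "Alpine through 2.24" there is no fixed release to record yet, so a TODO to watch for an upstream commit or a 2.25 release would keep the new bug reference from being mistaken for a resolution.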
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2ee8df1d by security tracker role at 2021-08-14T20:10:19+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1357,6 +1357,7 @@ CVE-2021-38115 (read_header_tga in gd_tga.c in the GD Graphics Library (aka LibG NOTE: https://github.com/libgd/libgd/issues/697 NOTE: https://github.com/libgd/libgd/commit/8b111b2b4a4842179be66db68d84dda91a246032 CVE-2021-38114 (libavcodec/dnxhddec.c in FFmpeg 4.4 does not check the return value of ...) + {DLA-2742-1} - ffmpeg [bullseye] - ffmpeg (Wait for 4.3.3) [buster] - ffmpeg (Wait for 4.1.7) @@ -11637,6 +11638,7 @@ CVE-2021-33586 (InspIRCd 3.8.0 through 3.9.x before 3.10.0 allows any user (able NOTE: https://docs.inspircd.org/security/2021-01/ NOTE: https://github.com/inspircd/inspircd/commit/4350a11c663b0d75f8119743bffb7736d87abd4d CVE-2021-3566 (Prior to ffmpeg version 4.3, the tty demuxer did not have a 'read_prob ...) + {DLA-2742-1} - ffmpeg 7:4.3-2 [buster] - ffmpeg (Wait for 4.1.7) NOTE: https://github.com/FFmpeg/FFmpeg/commit/3bce9e9b3ea35c54ba793d7da99ea5157532 @@ -70315,6 +70317,7 @@ CVE-2020-22037 (A Denial of Service vulnerability exists in FFmpeg 4.2 due to a - ffmpeg (unimportant) NOTE: https://trac.ffmpeg.org/ticket/8281 CVE-2020-22036 (A heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 in fil ...) + {DLA-2742-1} - ffmpeg 7:4.3-2 [buster] - ffmpeg (Wait for 4.1.7) NOTE: https://trac.ffmpeg.org/ticket/8261 
@@ -70339,11 +70342,13 @@ CVE-2020-22033 (A heap-based Buffer Overflow Vulnerability exists FFmpeg 4.2 at NOTE: https://trac.ffmpeg.org/ticket/8241 NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=82ad1b76751bcfad5005440db48c46a4de5d6f02 CVE-2020-22032 (A heap-based Buffer Overflow vulnerability exists FFmpeg 4.2 at libavf ...) + {DLA-2742-1} - ffmpeg 7:4.3-2 [buster] - ffmpeg (Wait for 4.1.7) NOTE: https://trac.ffmpeg.org/ticket/8275 NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=de598f82f8c3f8000e1948548e8088148e2b1f44 CVE-2020-22031 (A Heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 at lib ...) + {DLA-2742-1} - ffmpeg 7:4.3-2 [buster] - ffmpeg (Wait for 4.1.7) NOTE: https://trac.ffmpeg.org/ticket/8243 @@ -70361,6 +70366,7 @@ CVE-2020-22029 (A heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=a7fd1279703683ebb548ef7baa2f1519994496ae NOTE: https://trac.ffmpeg.org/ticket/8250 CVE-2020-22028 (Buffer Overflow vulnerability exists in FFmpeg 4.2 in filter_verticall ...) + {DLA-2742-1} - ffmpeg 7:4.3-2 [buster] - ffmpeg (Wait for 4.1.7) NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f069a9c2a65bc20c3462127623127df6dfd06c5b 
@@ -70372,11 +70378,13 @@ CVE-2020-22027 (A heap-based Buffer Overflow vulnerability exits in FFmpeg 4.2 i NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=e787f8fd7ee99ba0c3e0f086ce2ce59eea7ed86c NOTE: https://trac.ffmpeg.org/ticket/8242 CVE-2020-22026 (Buffer Overflow vulnerability exists in FFmpeg 4.2 in the config_input ...) + {DLA-2742-1} - ffmpeg 7:4.3-2 [buster] - ffmpeg (Wait for 4.1.7) NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=58bb9d3a3a6ede1c6cfb82bf671a5f138e6b2144 NOTE: https://trac.ffmpeg.org/ticket/8317 CVE-2020-22025 (A heap-based Buffer Overflow vulnerability exists in gaussian_blur at ...) + {DLA-2742-1} - ffmpeg 7:4.3-2 [buster] - ffmpeg (Wait for 4.1.7) NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=ccf4ab8c9aca0aee66bcc2914031a9c97ac0eeb8 @@ -70388,21 +70396,25 @@ CVE-2020-22024 (Buffer Overflow vulnerability in FFmpeg 4.2 at the lagfun_frame1 NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=723d69f99cd26db9687ed2d24d06afaff624daf3 NOTE: https://trac.ffmpeg.org/ticket/8310 CVE-2020-22023 (A heap-based Buffer Overflow vulnerabililty exists in FFmpeg 4.2 in fi ...) + {DLA-2742-1} - ffmpeg 7:4.3-2 [buster] - ffmpeg (Wait for 4.1.7) NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=0b567238741854b41f84f7457686b044eadfe29c NOTE: https://trac.ffmpeg.org/ticket/8244 CVE-2020-22022 (A heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 in fil ...) + {DLA-2742-1} - ffmpeg 7:4.3-2 [buster] - ffmpeg (Wait for 4.1.7) NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=07050d7bdc32d82e53ee5bb727f5882323d00dba
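Review bot: the generated `{DLA-2742-1}` lines mark each listed CVE fixed in stretch, but for CVE-2021-38114 that leaves stretch as the only suite with a fix: sid is a bare `- ffmpeg` and bullseye/buster read "Wait for 4.3.3" / "Wait for 4.1.7". An LTS suite being patched ahead of unstable for a libavcodec/dnxhddec.c issue is worth a glance, so it would help to confirm that the stretch patch is the upstream fix the newer release branches will ship, and to add a NOTE on the entry saying so, rather than leaving the cross-reference to imply the issue is handled only in LTS.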
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2742-1 for ffmpeg
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker
Commits: 9d91d5b6 by Anton Gladky at 2021-08-14T18:33:35+02:00
Reserve DLA-2742-1 for ffmpeg
- - - - -
2 changed files: - data/DLA/list - data/dla-needed.txt
Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[14 Aug 2021] DLA-2742-1 ffmpeg - security update + {CVE-2020-21041 CVE-2020-22015 CVE-2020-22016 CVE-2020-22020 CVE-2020-22021 CVE-2020-22022 CVE-2020-22023 CVE-2020-22025 CVE-2020-22026 CVE-2020-22028 CVE-2020-22031 CVE-2020-22032 CVE-2020-22036 CVE-2021-3566 CVE-2021-38114} + [stretch] - ffmpeg 7:3.2.15-0+deb9u3 [12 Aug 2021] DLA-2741-1 commons-io - security update {CVE-2021-29425} [stretch] - commons-io 2.5-1+deb9u1
= data/dla-needed.txt =
@@ -24,19 +24,6 @@ ansible exiv2 (Utkarsh Gupta) NOTE: 20210801: check further; some no-dsa issues have piled up, too. (utkarsh) -- -ffmpeg (Anton Gladky) - NOTE: 20210607: stretch was following the 3.2.x release line, but 3.2.15 - NOTE: 20210607: (released 2020-07-02) was the last on this branch. There are - NOTE: 20210607: now 10+ ~new CVEs that nominally apply to the version in LTS, - NOTE: 20210607: so some investigation and insight is required to see which - NOTE: 20210607: apply and/or what we do with the version of ffmpeg in LTS - NOTE: 20210607: going forward. There is a 3.4.x release branch, for example, - NOTE: 20210607: but unclear on the compatibility as well as whether this one - NOTE: 20210607: won't just be dropped too, etc. etc. (lamby) - NOTE: 20210719: https://salsa.debian.org/lts-team/packages/ffmpeg/-/blob/master/debian/changelog - NOTE: 20210719: CVE-2020-22036 and CVE-2020-22032 are done. Many false-positive. Investigating. - NOTE: 20210730: CVE-2020-22031 and CVE-2020-22028 are done. Checking rest of patches. Try to reproduce --- firmware-nonfree (Anton Gladky) NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d91d5b67ccdcd69d688c4c9579afe1bcc67970f
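Review bot: on the data/DLA/list hunk: the new entry lists 15 CVEs, and the tracker will mark every one of them fixed in stretch at 7:3.2.15-0+deb9u3, yet the dla-needed.txt notes removed in the same commit only name CVE-2020-22036, CVE-2020-22032, CVE-2020-22031 and CVE-2020-22028 as done and say "Many false-positive"; please double-check that the other eleven IDs each correspond to an actual patch in that upload rather than to a "does not affect 3.2.x" finding, because a CVE that belongs under `<not-affected>` in data/CVE/list must not be recorded as fixed via the DLA.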
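Review bot: on the data/dla-needed.txt hunk: dropping the ffmpeg block is the normal closure once the DLA is reserved, but the removed NOTE lines are the only record of the triage (which candidate CVEs were false positives for the 3.2.x line, and that the question of moving to the 3.4.x branch was left open); the false-positive findings should be carried into the individual data/CVE/list entries as `[stretch] - ffmpeg <not-affected>` with a short NOTE, otherwise they survive only in git history.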
[Git][security-tracker-team/security-tracker][master] LTS: unmark CVE-2020-22015 as ignored for stretch
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker
Commits: e0658b8e by Anton Gladky at 2021-08-14T17:02:35+02:00
LTS: unmark CVE-2020-22015 as ignored for stretch
- - - - -
1 changed file: - data/CVE/list
Changes: = data/CVE/list = @@ -70430,7 +70430,6 @@ CVE-2020-22016 (A heap-based Buffer Overflow vulnerability in FFmpeg 4.2 at liba CVE-2020-22015 (Buffer Overflow vulnerability in FFmpeg 4.2 in mov_write_video_tag due ...) - ffmpeg 7:4.3.2-0+deb11u2 (bug #989439) [buster] - ffmpeg (Minor issue) - [stretch] - ffmpeg (Minor issue) NOTE: https://trac.ffmpeg.org/ticket/8190 NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=4c1afa292520329eecd1cc7631bc59a8cca95c46 CVE-2020-22014
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e0658b8ebe2219bbca221891b76a36d2c5a12e8d
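Review bot: removing `[stretch] - ffmpeg (Minor issue)` returns stretch to unfixed so the pending DLA can claim it, which matches the DLA-2742-1 reservation, but buster keeps `(Minor issue)` for the same mov_write_video_tag overflow while sid records 7:4.3.2-0+deb11u2 as fixed; a one-line NOTE saying stretch picks this up because it is bundled into the batched LTS ffmpeg update would make the buster/stretch asymmetry read as deliberate rather than as an oversight.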
[Git][security-tracker-team/security-tracker][master] Process some new NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d4406311 by Salvatore Bonaccorso at 2021-08-14T14:51:51+02:00 Process some new NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -141,7 +141,7 @@ CVE-2021-38625 CVE-2021-38624 RESERVED CVE-2021-38623 (The deferred_image_processing (aka Deferred image processing) extensio ...) - TODO: check + NOT-FOR-US: deferred_image_processing (aka Deferred image processing) extension for TYPO3 CVE-2021-38622 RESERVED CVE-2021-38621 (The remove API in v1/controller/cloudStorage/alibabaCloud/remove/index ...) @@ -2252,7 +2252,7 @@ CVE-2021-37707 CVE-2021-37706 RESERVED CVE-2021-37705 (OneFuzz is an open source self-hosted Fuzzing-As-A-Service platform. S ...) - TODO: check + NOT-FOR-US: OneFuzz CVE-2021-37704 (PhpFastCache is a high-performance backend cache system (packagist pac ...) TODO: check CVE-2021-37703 (Discourse is an open-source platform for community discussion. In Disc ...) @@ -40206,9 +40206,9 @@ CVE-2021-21832 CVE-2021-21831 (A use-after-free vulnerability exists in the JavaScript engine of Foxi ...) NOT-FOR-US: Foxit CVE-2021-21830 (A heap-based buffer overflow vulnerability exists in the XML Decompres ...) - TODO: check + NOT-FOR-US: Xmill (AT Labs) CVE-2021-21829 (A heap-based buffer overflow vulnerability exists in the XML Decompres ...) - TODO: check + NOT-FOR-US: Xmill (AT Labs) CVE-2021-21828 RESERVED CVE-2021-21827 
@@ -40236,13 +40236,13 @@ CVE-2021-21817 (An information disclosure vulnerability exists in the Zebra IP R CVE-2021-21816 (An information disclosure vulnerability exists in the Syslog functiona ...) NOT-FOR-US: D-LINK CVE-2021-21815 (A stack-based buffer overflow vulnerability exists in the command-line ...) - TODO: check + NOT-FOR-US: Xmill (AT Labs) CVE-2021-21814 (Within the function HandleFileArg the argument filepattern is under co ...) TODO: check CVE-2021-21813 (Within the function HandleFileArg the argument filepattern is under co ...) - TODO: check + NOT-FOR-US: Xmill (AT Labs) CVE-2021-21812 (A stack-based buffer overflow vulnerability exists in the command-line ...) - TODO: check + NOT-FOR-US: Xmill (AT Labs) CVE-2021-21811 RESERVED CVE-2021-21810 @@ -72370,11 +72370,11 @@ CVE-2020-21068 CVE-2020-21067 RESERVED CVE-2020-21066 (An issue was discovered in Bento4 v1.5.1.0. There is a heap-buffer-ove ...) - TODO: check + NOT-FOR-US: Bento4 CVE-2020-21065 RESERVED CVE-2020-21064 (A buffer-overflow vulnerability in the AP4_RtpAtom::AP4_RtpAtom functi ...) - TODO: check + NOT-FOR-US: Bento4 CVE-2020-21063 RESERVED CVE-2020-21062
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d44063119e78c666b664521a4aeda66c8722e56f
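Review bot: CVE-2021-21814 is left at `TODO: check` while CVE-2021-21813, whose truncated description is word for word the same ("Within the function HandleFileArg the argument filepattern is under co ..."), and the surrounding CVE-2021-21815/21812 are all marked `NOT-FOR-US: Xmill (AT Labs)`; unless 21814 concerns a different product it should get the same resolution, or a note saying why it differs. Also, the vendor shows up as "AT Labs" in this rendering; if the file really reads that way rather than "AT&T Labs", the name is missing its ampersand.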
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 67bd2972 by security tracker role at 2021-08-14T12:45:17+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,45 @@ +CVE-2021-38693 + RESERVED +CVE-2021-38692 + RESERVED +CVE-2021-38691 + RESERVED +CVE-2021-38690 + RESERVED +CVE-2021-38689 + RESERVED +CVE-2021-38688 + RESERVED +CVE-2021-38687 + RESERVED +CVE-2021-38686 + RESERVED +CVE-2021-38685 + RESERVED +CVE-2021-38684 + RESERVED +CVE-2021-38683 + RESERVED +CVE-2021-38682 + RESERVED +CVE-2021-38681 + RESERVED +CVE-2021-38680 + RESERVED +CVE-2021-38679 + RESERVED +CVE-2021-38678 + RESERVED +CVE-2021-38677 + RESERVED +CVE-2021-38676 + RESERVED +CVE-2021-38675 + RESERVED +CVE-2021-38674 + RESERVED +CVE-2021-3706 + RESERVED CVE-2021-38673 RESERVED CVE-2021-38672 @@ -2209,8 +2251,8 @@ CVE-2021-37707 RESERVED CVE-2021-37706 RESERVED -CVE-2021-37705 - RESERVED +CVE-2021-37705 (OneFuzz is an open source self-hosted Fuzzing-As-A-Service platform. S ...) + TODO: check CVE-2021-37704 (PhpFastCache is a high-performance backend cache system (packagist pac ...) TODO: check CVE-2021-37703 (Discourse is an open-source platform for community discussion. In Disc ...) @@ -7291,6 +7333,7 @@ CVE-2021-3615 CVE-2021-3614 (A vulnerability was reported on some Lenovo Notebook systems that coul ...) NOT-FOR-US: Lenovo CVE-2021-35474 (Stack-based Buffer Overflow vulnerability in cachekey plugin of Apache ...) + {DSA-4957-1} - trafficserver 8.1.1+ds-1.1 (bug #990303) NOTE: https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cannounce.trafficserver.apache.org%3E NOTE: https://github.com/apache/trafficserver/pull/7945 (8.1.x) 
@@ -14070,18 +14113,21 @@ CVE-2021-32569 CVE-2021-32568 RESERVED CVE-2021-32567 (Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Se ...) + {DSA-4957-1} - trafficserver 8.1.1+ds-1.1 (bug #990303) NOTE: https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cannounce.trafficserver.apache.org%3E NOTE: https://github.com/apache/trafficserver/pull/7945 (8.1.x) NOTE: https://github.com/apache/trafficserver/commit/034965e0fd0def114658f0048d953d1c16a95bed (master) NOTE: https://github.com/apache/trafficserver/commit/b82a3d192f995fb9d78e1c44d51d9acca4783277 (8.1.x) CVE-2021-32566 (Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Se ...) + {DSA-4957-1} - trafficserver 8.1.1+ds-1.1 (bug #990303) NOTE: https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cannounce.trafficserver.apache.org%3E NOTE: https://github.com/apache/trafficserver/pull/7945 (8.1.x) NOTE: https://github.com/apache/trafficserver/commit/034965e0fd0def114658f0048d953d1c16a95bed (master) NOTE: https://github.com/apache/trafficserver/commit/b82a3d192f995fb9d78e1c44d51d9acca4783277 (8.1.x) CVE-2021-32565 (Invalid values in the Content-Length header sent to Apache Traffic Ser ...) + {DSA-4957-1} - trafficserver 8.1.1+ds-1.1 (bug #990303) NOTE: https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cannounce.trafficserver.apache.org%3E NOTE: https://github.com/apache/trafficserver/pull/7945 (8.1.x) @@ -17335,6 +17381,7 @@ CVE-2021-31294 CVE-2021-31293 RESERVED CVE-2021-31292 (An integer overflow in CrwMap::encode0x1810 of Exiv2 0.27.3 allows att ...) + {DSA-4958-1} - exiv2 (bug #991706) [bullseye] - exiv2 0.27.3-3+deb11u1 NOTE: https://github.com/Exiv2/exiv2/issues/1530 
@@ -20896,6 +20943,7 @@ CVE-2021-30002 (An issue was discovered in the Linux kernel before 5.11.3 when a [buster] - linux 4.19.181-1 NOTE: https://git.kernel.org/linus/fb18802a338b36f675a388fc03d2aa504a0d0899 CVE-2021-3482 (A flaw was found in Exiv2 in versions before and including 0.27.4-RC1. ...) + {DSA-4958-1} - exiv2 (bug #986888) [bullseye] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue; can be fixed in next update) @@ -22026,6 +22074,7 @@ CVE-2021-29475 (HedgeDoc (formerly known as CodiMD) is an open-source collaborat CVE-2021-29474 (HedgeDoc (formerly known as CodiMD) is an open-source collaborative ma ...) NOT-FOR-US: HedgeDoc CVE-2021-29473 (Exiv2 is a C++ library and a command-line utility to read, write, dele ...) + {DSA-4958-1} - exiv2 (bug #987736) [bullseye] - exiv2 (Minor issue)
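Review bot: the generated `{DSA-4958-1}` lines expose the odd state of the exiv2 entries: for CVE-2021-3482 (bug #986888) and CVE-2021-29473 (bug #987736) buster now has a DSA while sid is a bare `- exiv2` and bullseye reads `(Minor issue)`, so an issue judged DSA-worthy for oldstable is recorded as unfixed in unstable and as minor in the newly released stable. That may be deliberate (the buster update bundling several lesser issues alongside CVE-2021-31292), but a NOTE stating the plan for bullseye and sid would stop the cross-reference reading as a contradiction. The trafficserver hunks are consistent with the corrected DSA-4957-1 list, CVE-2021-32565 included.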
[Git][security-tracker-team/security-tracker][master] Add missing CVE for DSA 4957-1
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: 9270f4e6 by Salvatore Bonaccorso at 2021-08-14T14:21:57+02:00
Add missing CVE for DSA 4957-1
Closes: #992159
- - - - -
1 changed file: - data/DSA/list
Changes: = data/DSA/list = @@ -2,7 +2,7 @@ {CVE-2019-20421 CVE-2021-3482 CVE-2021-29457 CVE-2021-29473 CVE-2021-31292} [buster] - exiv2 0.25-4+deb10u2 [13 Aug 2021] DSA-4957-1 trafficserver - security update - {CVE-2021-27577 CVE-2021-32566 CVE-2021-32567 CVE-2021-35474} + {CVE-2021-27577 CVE-2021-32565 CVE-2021-32566 CVE-2021-32567 CVE-2021-35474} [buster] - trafficserver 8.0.2+ds-1+deb10u5 [11 Aug 2021] DSA-4956-1 firefox-esr - security update {CVE-2021-29980 CVE-2021-29984 CVE-2021-29985 CVE-2021-29986 CVE-2021-29988 CVE-2021-29989}
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9270f4e67d190c53e8477b274794b25f5ac950ac
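Review bot: CVE-2021-32565 was missing from the DSA-4957-1 line even though its tracker entry cites the same Apache announcement thread and PR 7945 as CVE-2021-32566/32567/35474; adding it here is what lets the automatic update stamp `{DSA-4957-1}` on that entry. The remaining check is that the published advisory text was amended to the same five-CVE list before #992159 is considered closed, since data/DSA/list and the mailed advisory can drift apart.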
[Git][security-tracker-team/security-tracker][master] Unify product name
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker
Commits: 5a78f2b2 by Henri Salo at 2021-08-14T11:47:42+03:00
Unify product name
- - - - -
1 changed file: - data/CVE/list
Changes: = data/CVE/list = @@ -77620,7 +77620,7 @@ CVE-2020-18465 CVE-2020-18464 (Cross Site Request Forgery (CSRF) vulnerability in AikCms 2.0.0 in vid ...) NOT-FOR-US: AikCms CVE-2020-18463 (Cross Site Request Forgery (CSRF) vulnerability exists in v2.0.0 in vi ...) - NOT-FOR-US: aikcms + NOT-FOR-US: AikCms CVE-2020-18462 (File Upload vulnerabilty in AikCms v2.0.0 in poster_edit.php because t ...) NOT-FOR-US: AikCms CVE-2020-18461
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a78f2b293247d8b8d0f513a31a901d1464317c0
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-22931/nodejs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: a5f341c6 by Salvatore Bonaccorso at 2021-08-14T09:32:52+02:00
Add CVE-2021-22931/nodejs
- - - - -
1 changed file: - data/CVE/list
Changes: = data/CVE/list = @@ -37594,8 +37594,11 @@ CVE-2021-22933 RESERVED CVE-2021-22932 RESERVED -CVE-2021-22931 +CVE-2021-22931 [cares upgrade - Improper handling of untypical characters in domain names] RESERVED + - nodejs + NOTE: https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/#cares-upgrade-improper-handling-of-untypical-characters-in-domain-names-high-cve-2021-22931 + TODO: check, nodejfs uses system c-ares which fixed CVE-2021-3672 and so this entry might be not-affected CVE-2021-22930 [Use after free on close http2 on stream canceling] RESERVED - nodejs 12.22.4~dfsg-1
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5f341c630e89339606d8587ecee89e5913d00a1
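Review bot: the entry records nodejs as affected with no fixed version while the TODO on the same entry argues it may be not-affected; the deciding facts are whether the nodejs binaries in each suite really link the system c-ares, as the TODO states, and whether that c-ares carries the CVE-2021-3672 fix, so the eventual resolution should cite the c-ares source version per suite rather than only the CVE number. The upstream blog URL in the NOTE carries the severity in its slug ("-high-"), which argues against leaving the entry parked on a TODO for long. Minor: the TODO says "nodejfs" for "nodejs".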