[Git][security-tracker-team/security-tracker][master] Add new chromium issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cbb88275 by Salvatore Bonaccorso at 2021-12-07T06:15:41+01:00 Add new chromium issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -267,39 +267,55 @@ CVE-2021-4069 (vim is vulnerable to Use After Free ...) CVE-2021-44548 RESERVED CVE-2021-4068 - RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-4067 - RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-4066 - RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-4065 - RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-4064 - RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-4063 - RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-4062 - RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-4061 - RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-4060 RESERVED CVE-2021-4059 - RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-4058 - RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-4057 - RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-4056 - RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-4055 - RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-4054 - RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-4053 - RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-4052 - RESERVED + - chromium + [stretch] - chromium (see DSA 4562) CVE-2021-4051 RESERVED CVE-2021-44543 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cbb882751ba7db59f56a23df73715ad70be39d8e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cbb882751ba7db59f56a23df73715ad70be39d8e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
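Review bot: none of the 16 new '- chromium' entries (CVE-2021-4061 through CVE-2021-4068 and CVE-2021-4052 through CVE-2021-4059) carries a NOTE: line naming the upstream Chrome release or advisory that closes them, so the file gives the next triager nothing to check the stretch '(see DSA 4562)' annotation against; add one NOTE: per entry, or at least on the first of the block. CVE-2021-4060 sits inside the run and stays at RESERVED: if it is deliberately not a chromium issue, a one-line NOTE saying so would keep it from being re-triaged together with its neighbours.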
[Git][security-tracker-team/security-tracker][master] Claim firmware-nonfree in dla-needed.txt again.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 82ff9064 by Markus Koschany at 2021-12-07T01:34:26+01:00 Claim firmware-nonfree in dla-needed.txt again. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -31,9 +31,10 @@ firefox-esr (Emilio) NOTE: 20211122: blocked on toolchain backports (pochu) NOTE: 20211206: progressing on the toolchain front (pochu) -- -firmware-nonfree +firmware-nonfree (Markus Koschany) NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag + NOTE: 20211207: Intend to release this week. -- gpac NOTE: 20211101: coordinating with secteam for s-p-u since stretch/buster versions match (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/82ff90645cd082d1603df811cc007f5205ef4f8a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/82ff90645cd082d1603df811cc007f5205ef4f8a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
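Review bot: the new 'NOTE: 20211207: Intend to release this week.' announces an upload but leaves the earlier 'NOTE: 20210828' question open, namely whether the CVEs that are difficult to backport will get an "ignore" tag; stating which CVEs the planned DLA covers and which are to be ignored would make the entry read as settled rather than still pending, and would give the next claimant a starting point if the release slips again.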
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Jeremiah C. Foster pushed to branch master at Debian Security Tracker / security-tracker Commits: b1d8bc91 by Jeremiah C. Foster at 2021-12-06T18:33:23-05:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Jeremiah C. Foster jerem...@jeremiahfoster.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -31,11 +31,11 @@ firefox-esr (Emilio) NOTE: 20211122: blocked on toolchain backports (pochu) NOTE: 20211206: progressing on the toolchain front (pochu) -- -firmware-nonfree (Markus Koschany) +firmware-nonfree NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag -- -gpac (Roberto C. Sánchez) +gpac NOTE: 20211101: coordinating with secteam for s-p-u since stretch/buster versions match (roberto) NOTE: 20211120: received OK from secteam for buster update, working on stretch/buster in parallel (roberto) -- @@ -49,7 +49,7 @@ libgit2 (Utkarsh) NOTE: 20211129: readied up everything, using pygit and other wrappers NOTE: 20211129: around which the code changed. will upload in the next 2 days. (utkarsh) -- -libssh2 (Ola Lundqvist) +libssh2 NOTE: 20211031: CVE-2019-13115 and CVE-2019-17498 were fixed in jessie DLAs NOTE: 20211031: but still need fixing in stretch and buster. (bunk) NOTE: 2026: Work in progress for stretch. (ola) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b1d8bc917fa078f741af6983f92e53b51348f394 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b1d8bc917fa078f741af6983f92e53b51348f394 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
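Review bot: in the libssh2 hunk (@@ -49,7), the remaining 'NOTE: 2026: Work in progress for stretch. (ola)' has a malformed date stamp; the file's convention is YYYYMMDD, as in the two 20211031 notes directly above it, so a date-based inactivity check cannot tell when that note was written. The unclaim may well be correct, but the stamp should be corrected to the real date so the two-week rule can actually be evaluated on it next time.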
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2841-1 for runc
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: cbb3f3d7 by Chris Lamb at 2021-12-06T14:38:02-08:00 Reserve DLA-2841-1 for runc - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[06 Dec 2021] DLA-2841-1 runc - security update + {CVE-2021-43784} + [stretch] - runc 0.1.1+dfsg1-2+deb9u3 [06 Dec 2021] DLA-2840-1 roundcube - security update {CVE-2021-44025 CVE-2021-44026} [stretch] - roundcube 1.2.3+dfsg.1-4+deb9u9 = data/dla-needed.txt = @@ -67,8 +67,6 @@ nvidia-graphics-drivers (Markus Koschany) pgbouncer (Thorsten Alteholz) NOTE: 20211128: also help with other releases -- -runc (Chris Lamb) --- rustc (Roberto C. Sánchez) NOTE: rust-doc in stretch-lts (and jessie-lts) is not installable NOTE: https://bugs.debian.org/928422 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cbb3f3d737da87bc2f83f032022f0b9400cdb3b7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cbb3f3d737da87bc2f83f032022f0b9400cdb3b7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f49d15a7 by Salvatore Bonaccorso at 2021-12-06T21:34:01+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2118,7 +2118,7 @@ CVE-2021-43938 CVE-2021-43937 RESERVED CVE-2021-43936 (The software allows the attacker to upload or transfer files of danger ...) - TODO: check + NOT-FOR-US: Distributed Data Systems CVE-2021-43935 RESERVED CVE-2021-43934 @@ -2128,7 +2128,7 @@ CVE-2021-43933 CVE-2021-43932 RESERVED CVE-2021-43931 (The authentication algorithm of the WebHMI portal is sound, but the im ...) - TODO: check + NOT-FOR-US: Distributed Data Systems CVE-2021-43930 RESERVED CVE-2021-43929 @@ -2390,7 +2390,7 @@ CVE-2021-43802 CVE-2021-43801 RESERVED CVE-2021-43800 (Wiki.js is a wiki app built on Node.js. Prior to version 2.5.254, dire ...) - TODO: check + NOT-FOR-US: Wiki.js CVE-2021-43799 RESERVED CVE-2021-43798 @@ -2431,7 +2431,7 @@ CVE-2021-43783 (@backstage/plugin-scaffolder-backend is the backend for the defa CVE-2021-43782 RESERVED CVE-2021-43781 (Invenio-Drafts-Resources is a submission/deposit module for Invenio, a ...) - TODO: check + NOT-FOR-US: Invenio-Drafts-Resources CVE-2021-43780 (Redash is a package for data visualization and sharing. In versions 10 ...) NOT-FOR-US: Redash CVE-2021-43779 @@ -4050,11 +4050,11 @@ CVE-2021-43473 CVE-2021-43472 RESERVED CVE-2021-43471 (In Canon LBP223 printers, the System Manager Mode login does not requi ...) - TODO: check + NOT-FOR-US: Canon CVE-2021-43470 RESERVED CVE-2021-43469 (VINGA WR-N300U 77.102.1.4853 is affected by a command execution vulner ...) - TODO: check + NOT-FOR-US: VINGA CVE-2021-43468 RESERVED CVE-2021-43467 @@ -23675,7 +23675,7 @@ CVE-2021-36200 CVE-2021-36199 RESERVED CVE-2021-36198 (Successful exploitation of this vulnerability could allow an unauthori ...) - TODO: check + NOT-FOR-US: Sensormatic Electronics, LLC CVE-2021-36197 RESERVED CVE-2021-36196 
@@ -26015,13 +26015,13 @@ CVE-2021-35247 CVE-2021-35246 RESERVED CVE-2021-35245 (When a user has admin rights in Serv-U Console, the user can move, cre ...) - TODO: check + NOT-FOR-US: SolarWinds CVE-2021-35244 RESERVED CVE-2021-35243 RESERVED CVE-2021-35242 (Serv-U server responds with valid CSRFToken when the request contains ...) - TODO: check + NOT-FOR-US: SolarWinds CVE-2021-35241 RESERVED CVE-2021-35240 (A security researcher stored XSS via a Help Server setting. This affec ...) @@ -51763,7 +51763,7 @@ CVE-2021-25043 CVE-2021-25042 RESERVED CVE-2021-25041 (The Photo Gallery by 10Web WordPress plugin before 1.5.68 is vulnerabl ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-25040 RESERVED CVE-2021-25039 @@ -51959,7 +51959,7 @@ CVE-2021-24945 CVE-2021-24944 RESERVED CVE-2021-24943 (The Registrations for the Events Calendar WordPress plugin before 2.7. ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-24942 RESERVED CVE-2021-24941 @@ -51967,15 +51967,15 @@ CVE-2021-24941 CVE-2021-24940 RESERVED CVE-2021-24939 (The LoginWP (Formerly Peter's Login Redirect) WordPress plugin before ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-24938 (The WOOCS WordPress plugin before 1.3.7.1 does not sanitise and escape ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-24937 RESERVED CVE-2021-24936 RESERVED CVE-2021-24935 (The WP Google Fonts WordPress plugin before 3.1.5 does not escape the ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-24934 RESERVED CVE-2021-24933 @@ -51983,9 +51983,9 @@ CVE-2021-24933 CVE-2021-24932 RESERVED CVE-2021-24931 (The Secure Copy Content Protection and Content Locking WordPress plugi ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-24930 (The WordPress Online Booking and Scheduling Plugin WordPress plugin be ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-24929 RESERVED CVE-2021-24928 
@@ -51997,7 +51997,7 @@ CVE-2021-24926 CVE-2021-24925 RESERVED CVE-2021-24924 (The Email Log WordPress plugin before 2.4.8 does not escape the d para ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-24923 RESERVED CVE-2021-24922 @@ -52011,13 +52011,13 @@ CVE-2021-24919 CVE-2021-24918 (The Smash Balloon Social Post Feed WordPress plugin before 4.0.1 did n ...) NOT-FOR-US: WordPress plugin CVE-2021-24917 (The WPS Hide Login WordPress plugin before 1.9.1 has a bug which allow
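Review bot: the NOT-FOR-US rationale strings in this series mix vendor names ('Distributed Data Systems', 'Sensormatic Electronics, LLC', 'SolarWinds', 'Canon', 'VINGA') with product names ('Wiki.js', 'Invenio-Drafts-Resources') and a category ('WordPress plugin'); harmless for the tracker, but for the Serv-U pair in the @@ -26015 hunk (CVE-2021-35245, CVE-2021-35242) naming the product next to the vendor, as the description line does, would let a later grep for Serv-U issues find them. Style only, no logic problem in the hunks.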
[Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Triage runc for stretch LTS (CVE-2021-43784)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 70580f9f by Chris Lamb at 2021-12-06T12:30:06-08:00 data/dla-needed.txt: Triage runc for stretch LTS (CVE-2021-43784) - - - - - 89bfba8a by Chris Lamb at 2021-12-06T12:30:06-08:00 data/dla-needed.txt: Claim runc. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -67,6 +67,8 @@ nvidia-graphics-drivers (Markus Koschany) pgbouncer (Thorsten Alteholz) NOTE: 20211128: also help with other releases -- +runc (Chris Lamb) +-- rustc (Roberto C. Sánchez) NOTE: rust-doc in stretch-lts (and jessie-lts) is not installable NOTE: https://bugs.debian.org/928422 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0a95ed9a77fb5bf9057767d13b1a06349fcce3d4...89bfba8a005f987d39b4f57f5c6e51f44301ec2d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0a95ed9a77fb5bf9057767d13b1a06349fcce3d4...89bfba8a005f987d39b4f57f5c6e51f44301ec2d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
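Review bot: the new 'runc (Chris Lamb)' entry in dla-needed.txt has no NOTE: line, so the CVE id that appears only in the commit message (CVE-2021-43784) is not recorded in the file itself; the neighbouring entries carry dated NOTE: lines, and adding 'NOTE: 20211206: CVE-2021-43784' (or the advisory URL) would keep the file self-contained if the claim is later unclaimed or reassigned.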
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-4069/vim
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0a95ed9a by Salvatore Bonaccorso at 2021-12-06T21:18:53+01:00 Add CVE-2021-4069/vim - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -261,7 +261,9 @@ CVE-2021-4070 CVE-2021-44549 RESERVED CVE-2021-4069 (vim is vulnerable to Use After Free ...) - TODO: check + - vim + NOTE: https://huntr.dev/bounties/0efd6d23-2259-4081-9ff1-3ade26907d74/ + NOTE: https://github.com/vim/vim/commit/e031fe90cf2e375ce861ff5e5e281e4ad229ebb9 (v8.2.3741) CVE-2021-44548 RESERVED CVE-2021-4068 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a95ed9a77fb5bf9057767d13b1a06349fcce3d4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a95ed9a77fb5bf9057767d13b1a06349fcce3d4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 741b2cf8 by security tracker role at 2021-12-06T20:10:22+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,11 @@ +CVE-2021-4074 + RESERVED +CVE-2021-4073 + RESERVED +CVE-2021-4072 + RESERVED +CVE-2021-4071 + RESERVED CVE-2021-44674 RESERVED CVE-2021-44673 @@ -252,8 +260,8 @@ CVE-2021-4070 RESERVED CVE-2021-44549 RESERVED -CVE-2021-4069 - RESERVED +CVE-2021-4069 (vim is vulnerable to Use After Free ...) + TODO: check CVE-2021-44548 RESERVED CVE-2021-4068 @@ -1744,13 +1752,13 @@ CVE-2021-3975 [segmentation fault during VM shutdown can lead to vdsm hung] NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2024326 NOTE: Fixed by: https://github.com/libvirt/libvirt/commit/1ac703a7d0789e46833f4013a3876c2e3af18ec7 (v7.1.0-rc2) CVE-2021-44025 (Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in han ...) - {DSA-5013-1} + {DSA-5013-1 DLA-2840-1} - roundcube 1.5.0+dfsg.1-1 (bug #1000156) NOTE: https://github.com/roundcube/roundcubemail/issues/8193 NOTE: https://github.com/roundcube/roundcubemail/commit/faf99bf8a2b7b7562206fa047e8de652861e624a (1.4.12) NOTE: https://github.com/roundcube/roundcubemail/commit/7d7b1dfeff795390b69905ceb63d6391b5b0dfe7 (1.3.17) CVE-2021-44026 (Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potentia ...) - {DSA-5013-1} + {DSA-5013-1 DLA-2840-1} - roundcube 1.5.0+dfsg.1-1 (bug #1000156) NOTE: https://github.com/roundcube/roundcubemail/commit/c8947ecb762d9e89c2091bda28d49002817263f1 (1.4.12) NOTE: https://github.com/roundcube/roundcubemail/commit/ee809bde2dcaa04857a919397808a7296681dcfa (1.3.17) @@ -2107,8 +2115,8 @@ CVE-2021-43938 RESERVED CVE-2021-43937 RESERVED -CVE-2021-43936 - RESERVED +CVE-2021-43936 (The software allows the attacker to upload or transfer files of danger ...) + TODO: check CVE-2021-43935 RESERVED CVE-2021-43934 
@@ -2117,8 +2125,8 @@ CVE-2021-43933 RESERVED CVE-2021-43932 RESERVED -CVE-2021-43931 - RESERVED +CVE-2021-43931 (The authentication algorithm of the WebHMI portal is sound, but the im ...) + TODO: check CVE-2021-43930 RESERVED CVE-2021-43929 @@ -2379,8 +2387,8 @@ CVE-2021-43802 RESERVED CVE-2021-43801 RESERVED -CVE-2021-43800 - RESERVED +CVE-2021-43800 (Wiki.js is a wiki app built on Node.js. Prior to version 2.5.254, dire ...) + TODO: check CVE-2021-43799 RESERVED CVE-2021-43798 @@ -2411,8 +2419,7 @@ CVE-2021-43786 (Nodebb is an open source Node.js based forum software. In affect NOT-FOR-US: Nodebb CVE-2021-43785 (@joeattardi/emoji-button is a Vanilla JavaScript emoji picker componen ...) NOT-FOR-US: @joeattardi/emoji-button -CVE-2021-43784 - RESERVED +CVE-2021-43784 (runc is a CLI tool for spawning and running containers on Linux accord ...) - runc 1.0.3+ds1-1 NOTE: https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f NOTE: https://www.openwall.com/lists/oss-security/2021/12/06/1 @@ -2421,8 +2428,8 @@ CVE-2021-43783 (@backstage/plugin-scaffolder-backend is the backend for the defa NOT-FOR-US: @backstage/plugin-scaffolder-backend CVE-2021-43782 RESERVED -CVE-2021-43781 - RESERVED +CVE-2021-43781 (Invenio-Drafts-Resources is a submission/deposit module for Invenio, a ...) + TODO: check CVE-2021-43780 (Redash is a package for data visualization and sharing. In versions 10 ...) NOT-FOR-US: Redash CVE-2021-43779 @@ -4040,12 +4047,12 @@ CVE-2021-43473 RESERVED CVE-2021-43472 RESERVED -CVE-2021-43471 - RESERVED +CVE-2021-43471 (In Canon LBP223 printers, the System Manager Mode login does not requi ...) + TODO: check CVE-2021-43470 RESERVED -CVE-2021-43469 - RESERVED +CVE-2021-43469 (VINGA WR-N300U 77.102.1.4853 is affected by a command execution vulner ...) + TODO: check CVE-2021-43468 RESERVED CVE-2021-43467 
@@ -14789,8 +14796,8 @@ CVE-2021-39892 RESERVED CVE-2021-39891 (In all versions of GitLab CE/EE since version 8.0, access tokens creat ...) - gitlab -CVE-2021-39890 - RESERVED +CVE-2021-39890 (It was possible to bypass 2FA for LDAP users and access some specific ...) + TODO: check CVE-2021-39889 (In all versions of GitLab EE since version 14.1, due to an insecure di ...) - gitlab (Specific to Enterprise Edition) CVE-2021-39888 (In all versions of GitLab EE since version 13.10, a specific API endpo ...) @@ -23665,8 +23672,8 @@ CVE-2021-36200 RESERVED CVE-2021-36199
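Review bot: in the hunk at @@ -14789, CVE-2021-39890 ("It was possible to bypass 2FA for LDAP users ...") is left at 'TODO: check' although its neighbours CVE-2021-39891, CVE-2021-39889 and CVE-2021-39888 are all already assigned to gitlab; it very likely needs the same assignment and is worth triaging in the same pass rather than letting it age in the TODO queue.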
[Git][security-tracker-team/security-tracker][master] NFU
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: 53e80a2d by Henri Salo at 2021-12-06T21:21:27+02:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4166,6 +4166,7 @@ CVE-2021-43411 (An issue was discovered in GNU Hurd before 0.9 20210404-9. When - hurd 1:0.9.git20210404-9 CVE-2021-43410 RESERVED + NOT-FOR-US: Apache Airavata CVE-2021-3932 (twill is vulnerable to Cross-Site Request Forgery (CSRF) ...) NOT-FOR-US: twill CVE-2021-43409 (The WPO365 | LOGIN WordPress plugin (up to and including ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/53e80a2dbb483d93dfbe6b4b548a371c98047139 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/53e80a2dbb483d93dfbe6b4b548a371c98047139 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
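Review bot: CVE-2021-43410 keeps its 'RESERVED' header (no description yet) while gaining 'NOT-FOR-US: Apache Airavata', so the attribution rests on information that is not in the file; a NOTE: with the source (the upstream advisory or list post the attribution came from) would let a later triager confirm the NFU once the description is published, instead of having to rediscover where the Airavata link came from.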
[Git][security-tracker-team/security-tracker][master] dla: drop puppet
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 3239b059 by Sylvain Beucler at 2021-12-06T18:47:00+01:00 dla: drop puppet - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -46566,6 +46566,7 @@ CVE-2021-27025 (A flaw was discovered in Puppet Agent where the agent may silent - puppet [bullseye] - puppet (Minor issue, too intrusive to backport) [buster] - puppet (Minor issue, too intrusive to backport) + [stretch] - puppet (Minor issue, too intrusive to backport) NOTE: https://puppet.com/security/cve/cve-2021-27025 NOTE: https://github.com/puppetlabs/puppet/commit/da8b73edca174309a9bef5f62cd276933fe733e8 (6.25.1) NOTE: Limited impact, needs a malformed custom type provider @@ -46575,12 +46576,14 @@ CVE-2021-27023 (A flaw was discovered in Puppet Agent and Puppet Server that may - puppet [bullseye] - puppet (Minor issue) [buster] - puppet (Minor issue) + [stretch] - puppet (Minor issue) NOTE: https://puppet.com/security/cve/cve-2021-27023 NOTE: https://github.com/puppetlabs/puppet/commit/e90023a8b54a58073d71dae655d7636e2c9bcc61 (6.25.1) NOTE: Marginal/unclear security implications, the redirects are fully under control of NOTE: the puppet masters and the advisory states this CVE would be similar to CVE-2018-107, NOTE: but CVE is for curl, which obviously has different scope being a library. Plus, all NOTE: reasonably secure installations use client auth on the agents + NOTE: Previous client code in lib/puppet/network/http/connection.rb also vulnerable CVE-2021-27022 (A flaw was discovered in bolt-server and ace where running a task with ...) - puppet (Only affects Puppet Enterprise) NOTE: https://puppet.com/security/cve/CVE-2021-27022/ = data/dla-needed.txt = 
@@ -67,9 +67,6 @@ nvidia-graphics-drivers (Markus Koschany) pgbouncer (Thorsten Alteholz) NOTE: 20211128: also help with other releases -- -puppet (Sylvain Beucler) - NOTE: please recheck whether really affected --- rustc (Roberto C. Sánchez) NOTE: rust-doc in stretch-lts (and jessie-lts) is not installable NOTE: https://bugs.debian.org/928422 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3239b05986b64e508c02ffc7793f3f38cb8fe919 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3239b05986b64e508c02ffc7793f3f38cb8fe919 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
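Review bot: the new 'NOTE: Previous client code in lib/puppet/network/http/connection.rb also vulnerable' on CVE-2021-27023 is the answer to the 'NOTE: please recheck whether really affected' that the dla-needed hunk removes, but it does not say which stretch source version was inspected; recording that, and that the '(Minor issue)' reasoning already given for bullseye and buster was judged to carry over to stretch, would let the new '[stretch] - puppet (Minor issue)' line be re-verified without repeating the audit.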
[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-18670,CVE-2020-18671 in roundcube as ignore instead of postponed
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: b8e325e5 by Markus Koschany at 2021-12-06T17:34:28+01:00 Mark CVE-2020-18670,CVE-2020-18671 in roundcube as ignore instead of postponed Those issues are borderline unimportant and can be safely ignored. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -96737,13 +96737,13 @@ CVE-2020-18672 CVE-2020-18671 (Cross Site Scripting (XSS) vulnerability in Roundcube Mail =1.4.4 ...) - roundcube 1.4.5+dfsg.1-1 [buster] - roundcube 1.3.13+dfsg.1-1~deb10u1 - [stretch] - roundcube (Minor issue, XSS in installer which is not exposed in Debian) + [stretch] - roundcube (Minor issue, XSS in installer which is not exposed in Debian) NOTE: https://github.com/roundcube/roundcubemail/issues/7406 NOTE: https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12 CVE-2020-18670 (Cross Site Scripting (XSS) vulneraibility in Roundcube mail .4.4 via d ...) - roundcube 1.4.5+dfsg.1-1 [buster] - roundcube 1.3.13+dfsg.1-1~deb10u1 - [stretch] - roundcube (Minor issue, XSS in installer which is not exposed in Debian) + [stretch] - roundcube (Minor issue, XSS in installer which is not exposed in Debian) NOTE: https://github.com/roundcube/roundcubemail/issues/7406 NOTE: https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12 CVE-2020-18669 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b8e325e5edb09a52d5e195df3f1b6af7082245c7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b8e325e5edb09a52d5e195df3f1b6af7082245c7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
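Review bot: both '-'/'+' pairs in this hunk render identically here ('[stretch] - roundcube (Minor issue, XSS in installer which is not exposed in Debian)' on both sides), so the postponed-to-ignore change the commit message describes is not visible in the text; confirm that the status keyword is the only thing that changed and that the rationale text was kept verbatim, otherwise the diff is a no-op.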
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2840-1 for roundcube
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 2bef4ee8 by Markus Koschany at 2021-12-06T17:33:43+01:00 Reserve DLA-2840-1 for roundcube - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[06 Dec 2021] DLA-2840-1 roundcube - security update + {CVE-2021-44025 CVE-2021-44026} + [stretch] - roundcube 1.2.3+dfsg.1-4+deb9u9 [03 Dec 2021] DLA-2839-1 gerbv - security update {CVE-2021-40391} [stretch] - gerbv 2.6.1-2+deb9u1 = data/dla-needed.txt = @@ -70,8 +70,6 @@ pgbouncer (Thorsten Alteholz) puppet (Sylvain Beucler) NOTE: please recheck whether really affected -- -roundcube (Markus Koschany) --- rustc (Roberto C. Sánchez) NOTE: rust-doc in stretch-lts (and jessie-lts) is not installable NOTE: https://bugs.debian.org/928422 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2bef4ee8b515937c42dabb430fcd35bf9297f3de -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2bef4ee8b515937c42dabb430fcd35bf9297f3de You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2021-3892
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7d30202f by Salvatore Bonaccorso at 2021-12-06T17:29:55+01:00 Update status for CVE-2021-3892 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7166,8 +7166,10 @@ CVE-2021-42554 RESERVED CVE-2021-3892 [memory leak in fib6_rule_suppress could result in DoS] RESERVED - - linux + - linux (Vulnerable code introduced later) + NOTE: https://git.kernel.org/linus/ca7a03c4175366a92cee0ccc4fec0038c3266e26 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2014623 + NOTE: Duplicate of CVE-2019-18198 CVE-2021-26247 RESERVED CVE-2021-23225 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7d30202f3035909b0223dd8d9afed89b771bdcd9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7d30202f3035909b0223dd8d9afed89b771bdcd9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
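Review bot: the entry now carries two separate reasons, '(Vulnerable code introduced later)' on the package line and 'NOTE: Duplicate of CVE-2019-18198', without saying how they relate; if CVE-2021-3892 is a duplicate, a reader expects its per-suite status to mirror CVE-2019-18198's. Also say whether the linked kernel commit ca7a03c4 is the fix or the commit that introduced the vulnerable code; the 'Fixed by:' prefix used for fix commits elsewhere in this file would remove the ambiguity if it is the former.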
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for tmate-ssh-server issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fe997a67 by Salvatore Bonaccorso at 2021-12-06T17:13:20+01:00 Add Debian bug reference for tmate-ssh-server issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -389,13 +389,13 @@ CVE-2021-44514 RESERVED CVE-2021-44513 RESERVED - - tmate-ssh-server + - tmate-ssh-server (bug #1001225) NOTE: Fixed by: https://github.com/tmate-io/tmate-ssh-server/commit/1c020d1f5ca462f5b150b46a027aaa1bbe3c9596 NOTE: https://www.openwall.com/lists/oss-security/2021/12/06/2 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1189388 CVE-2021-44512 RESERVED - - tmate-ssh-server + - tmate-ssh-server (bug #1001225) NOTE: Fixed by: https://github.com/tmate-io/tmate-ssh-server/commit/1c020d1f5ca462f5b150b46a027aaa1bbe3c9596 NOTE: https://www.openwall.com/lists/oss-security/2021/12/06/2 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1189388 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe997a67a13c73f13fd0f843f60cf0326a821491 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe997a67a13c73f13fd0f843f60cf0326a821491 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reference SUSE audit for tmate-ssh-server
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eb07872c by Salvatore Bonaccorso at 2021-12-06T17:11:21+01:00 Reference SUSE audit for tmate-ssh-server - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -392,11 +392,13 @@ CVE-2021-44513 - tmate-ssh-server NOTE: Fixed by: https://github.com/tmate-io/tmate-ssh-server/commit/1c020d1f5ca462f5b150b46a027aaa1bbe3c9596 NOTE: https://www.openwall.com/lists/oss-security/2021/12/06/2 + NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1189388 CVE-2021-44512 RESERVED - tmate-ssh-server NOTE: Fixed by: https://github.com/tmate-io/tmate-ssh-server/commit/1c020d1f5ca462f5b150b46a027aaa1bbe3c9596 NOTE: https://www.openwall.com/lists/oss-security/2021/12/06/2 + NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1189388 CVE-2015-20106 (The ClickBank Affiliate Ads WordPress plugin through 1.20 does not esc ...) NOT-FOR-US: WordPress plugin CVE-2015-20105 (The ClickBank Affiliate Ads WordPress plugin through 1.20 does not hav ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb07872cd7ead1a472892ec79fed840d7bc32c9c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb07872cd7ead1a472892ec79fed840d7bc32c9c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-4451{2,3}/tmate-ssh-server
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: be77e04a by Salvatore Bonaccorso at 2021-12-06T17:01:55+01:00 Add CVE-2021-4451{2,3}/tmate-ssh-server - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -389,8 +389,14 @@ CVE-2021-44514 RESERVED CVE-2021-44513 RESERVED + - tmate-ssh-server + NOTE: Fixed by: https://github.com/tmate-io/tmate-ssh-server/commit/1c020d1f5ca462f5b150b46a027aaa1bbe3c9596 + NOTE: https://www.openwall.com/lists/oss-security/2021/12/06/2 CVE-2021-44512 RESERVED + - tmate-ssh-server + NOTE: Fixed by: https://github.com/tmate-io/tmate-ssh-server/commit/1c020d1f5ca462f5b150b46a027aaa1bbe3c9596 + NOTE: https://www.openwall.com/lists/oss-security/2021/12/06/2 CVE-2015-20106 (The ClickBank Affiliate Ads WordPress plugin through 1.20 does not esc ...) NOT-FOR-US: WordPress plugin CVE-2015-20105 (The ClickBank Affiliate Ads WordPress plugin through 1.20 does not hav ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be77e04ae07a19132ff58004d1efed0e92442681 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be77e04ae07a19132ff58004d1efed0e92442681 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
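Review bot: the 'NOTE: Fixed by:' link on both CVE-2021-44512 and CVE-2021-44513 points at upstream commit 1c020d1f without the release or tag annotation this file uses elsewhere (the '(v8.2.3741)' style on the vim entry), so it is not stated which tmate-ssh-server version first contains the fix; add the tag once known so the Debian fixed version can be derived. Sharing one commit between two CVEs is fine if the upstream change covers both, which the oss-security post in the second NOTE: should confirm.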
[Git][security-tracker-team/security-tracker][master] dla: claim puppet
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: ba6f844e by Sylvain Beucler at 2021-12-06T16:46:34+01:00 dla: claim puppet - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -67,7 +67,7 @@ nvidia-graphics-drivers (Markus Koschany) pgbouncer (Thorsten Alteholz) NOTE: 20211128: also help with other releases -- -puppet +puppet (Sylvain Beucler) NOTE: please recheck whether really affected -- roundcube (Markus Koschany) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba6f844ebc8e0ad2f771b422d212567858f719c8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba6f844ebc8e0ad2f771b422d212567858f719c8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
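Review bot: the existing "NOTE: please recheck whether really affected" under puppet has no date prefix, unlike the neighbouring "NOTE: 20211128:" entry for pgbouncer; when claiming the package it would help to add a dated note in the same YYYYMMDD style (for example "NOTE: 20211206: claimed, rechecking affectedness") so the entry's history stays readable and the undated note can be resolved or removed.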
[Git][security-tracker-team/security-tracker][master] List CVE-2021-28702 for DSA 5017-1/xen
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a0975efe by Salvatore Bonaccorso at 2021-12-06T16:15:12+01:00 List CVE-2021-28702 for DSA 5017-1/xen - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,5 +1,5 @@ [05 Dec 2021] DSA-5017-1 xen - security update - {CVE-2021-28704 CVE-2021-28705 CVE-2021-28706 CVE-2021-28707 CVE-2021-28708 CVE-2021-28709} + {CVE-2021-28702 CVE-2021-28704 CVE-2021-28705 CVE-2021-28706 CVE-2021-28707 CVE-2021-28708 CVE-2021-28709} [bullseye] - xen 4.14.3+32-g9de3671772-1~deb11u1 [01 Dec 2021] DSA-5016-1 nss - security update {CVE-2021-43527} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0975efe0fba376c015835198cd4736e8e2cc952 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0975efe0fba376c015835198cd4736e8e2cc952 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
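Review bot: adding CVE-2021-28702 to the DSA-5017-1 CVE set is what lets the tracker mark bullseye as fixed for that ID, but it only does so because the "[bullseye] - xen (Minor issue, fix along with next DSA)" line was removed from data/CVE/list in the earlier buster/bullseye triage commit; the two changes belong together, and the bullseye version 4.14.3+32-g9de3671772-1~deb11u1 here lines up with the unstable fix 4.14.3+32-g9de3671772-1 recorded there, so no further change is needed beyond reading both commits as one.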
[Git][security-tracker-team/security-tracker][master] dla: Add note for wireshark
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 329ce92a by Adrian Bunk at 2021-12-06T16:43:36+02:00 dla: Add note for wireshark - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -94,4 +94,5 @@ vim (Anton) -- wireshark (Adrian Bunk) NOTE: 2029: Check https://salsa.debian.org/security-tracker-team/security-tracker/commit/d55b7eff90db8487e20106c2c09e61293a477e89 (lamby) + NOTE: 20211206: DLA coming soon (bunk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/329ce92a1808816f4f0fa9c77524e406da3d0b0c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/329ce92a1808816f4f0fa9c77524e406da3d0b0c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
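Review bot: the preceding line "NOTE: 2029: Check https://salsa.debian.org/..." has a malformed date stamp; the file convention visible in this hunk is a full YYYYMMDD date ("NOTE: 20211206:"), so the older note should be rewritten with its real date in a follow-up so that the notes sort chronologically.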
[Git][security-tracker-team/security-tracker][master] lts: add notes
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 29137efe by Emilio Pozuelo Monfort at 2021-12-06T13:55:01+01:00 lts: add notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -29,6 +29,7 @@ debian-archive-keyring -- firefox-esr (Emilio) NOTE: 20211122: blocked on toolchain backports (pochu) + NOTE: 20211206: progressing on the toolchain front (pochu) -- firmware-nonfree (Markus Koschany) NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree @@ -84,6 +85,7 @@ samba (Anton) -- thunderbird (Emilio) NOTE: 20211122: blocked on toolchain backports (pochu) + NOTE: 20211206: progressing on the toolchain front (pochu) -- vim (Anton) NOTE: 20211203: adding here as it's in the ela-needed as well View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29137efef03b415fca0fe9e0a1cd99790f361938 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29137efef03b415fca0fe9e0a1cd99790f361938 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
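Review bot: the thunderbird note added in the second hunk duplicates the firefox-esr note word for word, as do the existing "blocked on toolchain backports" notes above them; if both packages are waiting on the same toolchain work, a single cross-reference in the thunderbird entry (for example "NOTE: 20211206: see firefox-esr") would avoid the two entries drifting apart on later updates.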
[Git][security-tracker-team/security-tracker][master] buster/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7e85cbf2 by Moritz Muehlenhoff at 2021-12-06T12:52:16+01:00 buster/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -1125,6 +1125,7 @@ CVE-2021-4024 [podman: podman machine spawns gvproxy with port binded to all IPs NOTE: Fixed by: https://github.com/containers/podman/commit/295d87bb0b028e57dc2739791dee4820fe5fcc48 CVE-2021-44227 (In GNU Mailman before 2.1.38, a list member or moderator can get a CSR ...) - mailman + [buster] - mailman (Minor issue) [stretch] - mailman (Minor issue; can be fixed with the next DLA) NOTE: https://bugs.launchpad.net/mailman/+bug/1952384 NOTE: Patch: https://launchpadlibrarian.net/570827498/patch.txt @@ -9086,6 +9087,8 @@ CVE-2021-42261 (Revisor Video Management System (VMS) before 2.0.0 has a directo NOT-FOR-US: Revisor Video Management System (VMS) CVE-2021-42260 (TinyXML through 2.6.2 has an infinite loop in TiXmlParsingData::Stamp ...) - tinyxml + [bullseye] - tinyxml (Minor issue) + [buster] - tinyxml (Minor issue) [stretch] - tinyxml (Minor issue; can be fixed with the next DLA) NOTE: https://sourceforge.net/p/tinyxml/bugs/141/ NOTE: https://sourceforge.net/p/tinyxml/git/merge-requests/1/ @@ -10306,6 +10309,7 @@ CVE-2021-41771 (ImportedSymbols in debug/macho (for Open or OpenFat) in Go befor - golang-1.15 [bullseye] - golang-1.15 (Minor issue; will be fixed via point release) - golang-1.11 + [buster] - golang-1.11 (Minor issue) - golang-1.8 - golang-1.7 [stretch] - golang-1.7 (Minor issue; can be fixed with the next DLA) 
@@ -13730,6 +13734,8 @@ CVE-2021-40331 RESERVED CVE-2021-3756 (libmysofa is vulnerable to Heap-based Buffer Overflow ...) - libmysofa 1.2.1~dfsg0-1 + [bullseye] - libmysofa (Minor issue) + [buster] - libmysofa (Minor issue) NOTE: https://huntr.dev/bounties/7ca8d9ea-e2a6-4294-af28-70260bb53bc1/ NOTE: https://github.com/hoene/libmysofa/commit/890400ebd092c574707d0c132124f8ff047e20e1 (v1.2.1) CVE-2021-3755 @@ -42499,7 +42505,6 @@ CVE-2021-28703 NOTE: https://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=c65ea16dbcafbe4fe21693b18f8c2a3c5d14600e (4.14.0-rc1) CVE-2021-28702 (PCI devices with RMRRs not deassigned correctly Certain PCI devices in ...) - xen 4.14.3+32-g9de3671772-1 - [bullseye] - xen (Minor issue, fix along with next DSA) [buster] - xen (Vulnerable code introduced later) [stretch] - xen (Vulnerable code introduced later) NOTE: https://xenbits.xen.org/xsa/advisory-386.html @@ -56328,6 +56333,7 @@ CVE-2021-22943 (A vulnerability found in UniFi Protect application V1.18.1 and e CVE-2021-22942 (A possible open redirect vulnerability in the Host Authorization middl ...) [experimental] - rails 2:6.1.4.1+dfsg-1 - rails (bug #992586) + [bullseye] - rails (Minor issue) [buster] - rails (Vulnerable code not present) [stretch] - rails (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2021/08/20/1 @@ -61686,6 +61692,7 @@ CVE-2021-21306 (Marked is an open-source markdown parser and compiler (npm packa NOTE: https://github.com/markedjs/marked/commit/7293251c438e3ee968970f7609f1a27f9007bccd CVE-2021-21305 (CarrierWave is an open-source RubyGem which provides a simple and flex ...) - ruby-carrierwave (bug #982551) + [buster] - ruby-carrierwave (Minor issue) [stretch] - ruby-carrierwave (No reverse dependencies) NOTE: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4 NOTE: https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7 
@@ -61741,6 +61748,7 @@ CVE-2021-21289 (Mechanize is an open-source ruby library that makes automated we NOTE: Test warnings fixup: https://github.com/sparklemotion/mechanize/commit/5b30aed33cbac9825e8978f8e36dd221cbd4c093 (v2.7.7) CVE-2021-21288 (CarrierWave is an open-source RubyGem which provides a simple and flex ...) - ruby-carrierwave 1.3.2-1 (bug #982552) + [buster] - ruby-carrierwave (Minor issue) [stretch] - ruby-carrierwave (No reverse dependencies) NOTE: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-fwcm-636p-68r5 NOTE: https://github.com/carrierwaveuploader/carrierwave/commit/012702eb3ba1663452aa025831caa304d1a665c0 = data/dsa-needed.txt = @@ -17,16 +17,15 @@ asterisk/oldstable condor -- chromium + inactive, removal from stable likely
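Review bot: the xen hunk for CVE-2021-28702 removes the "[bullseye] - xen (Minor issue, fix along with next DSA)" line while the buster and stretch "Vulnerable code introduced later" lines stay; without that tag, bullseye is only shown as fixed if DSA-5017-1 in data/DSA/list carries CVE-2021-28702, which this commit does not touch (it is added in a separate commit in this batch), so between the two commits the tracker would show bullseye as vulnerable with no explanation. Updating data/CVE/list and data/DSA/list in one commit would avoid that window.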
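Review bot: the data/dsa-needed.txt hunk is cut off in this mail after "+ inactive, removal from stable likely": the header "@@ -17,16 +17,15 @@" says the region shrinks by one line, so at least one removed line is not shown and the chromium change cannot be reviewed from here; check the full commit on GitLab before relying on this notification.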
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8efc3863 by Salvatore Bonaccorso at 2021-12-06T09:35:36+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1601,15 +1601,15 @@ CVE-2021-44050 (CA Network Flow Analysis (NFA) 21.2.1 and earlier contain a SQL CVE-2021-44049 RESERVED CVE-2021-44048 (An out-of-bounds write vulnerability exists when reading a TIF file us ...) - TODO: check + NOT-FOR-US: Open Design Alliance (ODA) Drawings Explorer CVE-2021-44047 (A use-after-free vulnerability exists when reading a DWF/DWFX file usi ...) - TODO: check + NOT-FOR-US: Open Design Alliance Drawings SDK CVE-2021-44046 (An out-of-bounds write vulnerability exists when reading U3D files in ...) - TODO: check + NOT-FOR-US: Open Design Alliance Drawings SDK CVE-2021-44045 (An out-of-bounds write vulnerability exists when reading a DGN file us ...) - TODO: check + NOT-FOR-US: Open Design Alliance Drawings SDK CVE-2021-44044 (An out-of-bounds write vulnerability exists when reading a JPG file us ...) - TODO: check + NOT-FOR-US: Open Design Alliance Drawings SDK CVE-2021-44043 RESERVED CVE-2021-44042 
@@ -6031,29 +6031,29 @@ CVE-2021-43045 CVE-2021-3913 RESERVED CVE-2021-43044 (An issue was discovered in Kaseya Unitrends Backup Appliance before 10 ...) - TODO: check + NOT-FOR-US: Kaseya CVE-2021-43043 (An issue was discovered in Kaseya Unitrends Backup Appliance before 10 ...) - TODO: check + NOT-FOR-US: Kaseya CVE-2021-43042 (An issue was discovered in Kaseya Unitrends Backup Appliance before 10 ...) - TODO: check + NOT-FOR-US: Kaseya CVE-2021-43041 (An issue was discovered in Kaseya Unitrends Backup Appliance before 10 ...) - TODO: check + NOT-FOR-US: Kaseya CVE-2021-43040 (An issue was discovered in Kaseya Unitrends Backup Appliance before 10 ...) - TODO: check + NOT-FOR-US: Kaseya CVE-2021-43039 (An issue was discovered in Kaseya Unitrends Backup Appliance before 10 ...) - TODO: check + NOT-FOR-US: Kaseya CVE-2021-43038 (An issue was discovered in Kaseya Unitrends Backup Appliance before 10 ...) - TODO: check + NOT-FOR-US: Kaseya CVE-2021-43037 (An issue was discovered in Kaseya Unitrends Backup Appliance before 10 ...) - TODO: check + NOT-FOR-US: Kaseya CVE-2021-43036 (An issue was discovered in Kaseya Unitrends Backup Appliance before 10 ...) - TODO: check + NOT-FOR-US: Kaseya CVE-2021-43035 (An issue was discovered in Kaseya Unitrends Backup Appliance before 10 ...) - TODO: check + NOT-FOR-US: Kaseya CVE-2021-43034 (An issue was discovered in Kaseya Unitrends Backup Appliance before 10 ...) - TODO: check + NOT-FOR-US: Kaseya CVE-2021-43033 (An issue was discovered in Kaseya Unitrends Backup Appliance before 10 ...) - TODO: check + NOT-FOR-US: Kaseya CVE-2021-3912 (OctoRPKI tries to load the entire contents of a repository in memory, ...) - cfrpki 1.4.0-1 NOTE: https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg 
@@ -21185,7 +21185,7 @@ CVE-2021-37255 CVE-2021-37254 (In M-Files Web product with versions before 20.10.9524.1 and 20.10.944 ...) NOT-FOR-US: M-Files CVE-2021-37253 (M-Files Web before 20.10.9524.1 allows a denial of service via overlap ...) - TODO: check + NOT-FOR-US: M-Files Web CVE-2021-37252 RESERVED CVE-2021-37251 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8efc3863bc0947c7d6012bb52ce29b34818a2674 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8efc3863bc0947c7d6012bb52ce29b34818a2674 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
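Review bot: the NOT-FOR-US labels in the first hunk are inconsistent: CVE-2021-44048 gets "Open Design Alliance (ODA) Drawings Explorer" while CVE-2021-44047 through CVE-2021-44044 get "Open Design Alliance Drawings SDK"; if the truncated descriptions refer to the same product family, one spelling should be used so that searches over data/CVE/list find all five entries.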
[Git][security-tracker-team/security-tracker][master] Add references for CVE-2021-43784
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 26605a67 by Salvatore Bonaccorso at 2021-12-06T09:33:48+01:00 Add references for CVE-2021-43784 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2406,6 +2406,8 @@ CVE-2021-43784 RESERVED - runc 1.0.3+ds1-1 NOTE: https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f + NOTE: https://www.openwall.com/lists/oss-security/2021/12/06/1 + NOTE: Fixed by: https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae CVE-2021-43783 (@backstage/plugin-scaffolder-backend is the backend for the default Ba ...) NOT-FOR-US: @backstage/plugin-scaffolder-backend CVE-2021-43782 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/26605a673b29c6ff72c3742464043b3bbb0c2991 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/26605a673b29c6ff72c3742464043b3bbb0c2991 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
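Review bot: the added "NOTE: Fixed by:" line for runc cites commit d72d057ba794164c3cce9451a00b72a78b25e1ae without the upstream release in parentheses; other entries in this file append the tag after the commit URL (for example "(v1.2.1)" for libmysofa and "(v2.7.7)" for mechanize), and since the entry already records 1.0.3+ds1-1 as the fixed version, appending the release that first contains the commit would tie the reference to the version being claimed.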
[Git][security-tracker-team/security-tracker][master] Track fixed version for runc CVE-2021-43784 via unstable
Shengjing Zhu pushed to branch master at Debian Security Tracker / security-tracker Commits: b866412f by Shengjing Zhu at 2021-12-06T16:17:37+08:00 Track fixed version for runc CVE-2021-43784 via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2404,6 +2404,8 @@ CVE-2021-43785 (@joeattardi/emoji-button is a Vanilla JavaScript emoji picker co NOT-FOR-US: @joeattardi/emoji-button CVE-2021-43784 RESERVED + - runc 1.0.3+ds1-1 + NOTE: https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f CVE-2021-43783 (@backstage/plugin-scaffolder-backend is the backend for the default Ba ...) NOT-FOR-US: @backstage/plugin-scaffolder-backend CVE-2021-43782 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b866412f68122ea439fc7da24e29a309cf7055e5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b866412f68122ea439fc7da24e29a309cf7055e5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
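Review bot: no [bullseye] or [buster] triage line accompanies the fixed unstable version 1.0.3+ds1-1, so both stable suites appear as affected for CVE-2021-43784 without a severity note; suggest adding the usual "[bullseye] - runc (...)" and "[buster] - runc (...)" lines once the impact on the stable versions has been assessed.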
[Git][security-tracker-team/security-tracker][master] Track remaining CVEs for jqueryui as well for bullseye-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dcfbd4b7 by Salvatore Bonaccorso at 2021-12-06T09:11:09+01:00 Track remaining CVEs for jqueryui as well for bulleye-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -22,6 +22,10 @@ CVE-2021-38714 [bullseye] - plib 1.8.5-8+deb11u1 CVE-2021-3802 [bullseye] - udisks2 2.9.2-2+deb11u1 +CVE-2021-41182 + [bullseye] - jqueryui 1.12.1+dfsg-8+deb11u1 +CVE-2021-41183 + [bullseye] - jqueryui 1.12.1+dfsg-8+deb11u1 CVE-2021-41184 [bullseye] - jqueryui 1.12.1+dfsg-8+deb11u1 CVE-2021-42917 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dcfbd4b72f7056e2fcc2d52da21b91022c8c184f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dcfbd4b72f7056e2fcc2d52da21b91022c8c184f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 210ff793 by security tracker role at 2021-12-06T08:10:14+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,255 @@ +CVE-2021-44674 + RESERVED +CVE-2021-44673 + RESERVED +CVE-2021-44672 + RESERVED +CVE-2021-44671 + RESERVED +CVE-2021-44670 + RESERVED +CVE-2021-44669 + RESERVED +CVE-2021-44668 + RESERVED +CVE-2021-44667 + RESERVED +CVE-2021-44666 + RESERVED +CVE-2021-44665 + RESERVED +CVE-2021-44664 + RESERVED +CVE-2021-44663 + RESERVED +CVE-2021-44662 + RESERVED +CVE-2021-44661 + RESERVED +CVE-2021-44660 + RESERVED +CVE-2021-44659 + RESERVED +CVE-2021-44658 + RESERVED +CVE-2021-44657 + RESERVED +CVE-2021-44656 + RESERVED +CVE-2021-44655 + RESERVED +CVE-2021-44654 + RESERVED +CVE-2021-44653 + RESERVED +CVE-2021-44652 + RESERVED +CVE-2021-44651 + RESERVED +CVE-2021-44650 + RESERVED +CVE-2021-44649 + RESERVED +CVE-2021-44648 + RESERVED +CVE-2021-44647 + RESERVED +CVE-2021-44646 + RESERVED +CVE-2021-44645 + RESERVED +CVE-2021-44644 + RESERVED +CVE-2021-44643 + RESERVED +CVE-2021-44642 + RESERVED +CVE-2021-44641 + RESERVED +CVE-2021-44640 + RESERVED +CVE-2021-44639 + RESERVED +CVE-2021-44638 + RESERVED +CVE-2021-44637 + RESERVED +CVE-2021-44636 + RESERVED +CVE-2021-44635 + RESERVED +CVE-2021-44634 + RESERVED +CVE-2021-44633 + RESERVED +CVE-2021-44632 + RESERVED +CVE-2021-44631 + RESERVED +CVE-2021-44630 + RESERVED +CVE-2021-44629 + RESERVED +CVE-2021-44628 + RESERVED +CVE-2021-44627 + RESERVED +CVE-2021-44626 + RESERVED +CVE-2021-44625 + RESERVED +CVE-2021-44624 + RESERVED +CVE-2021-44623 + RESERVED +CVE-2021-44622 + RESERVED +CVE-2021-44621 + RESERVED +CVE-2021-44620 + RESERVED +CVE-2021-44619 + RESERVED +CVE-2021-44618 + RESERVED +CVE-2021-44617 + RESERVED +CVE-2021-44616 + RESERVED +CVE-2021-44615 + RESERVED +CVE-2021-44614 + RESERVED +CVE-2021-44613 + RESERVED +CVE-2021-44612 + RESERVED +CVE-2021-44611 + RESERVED +CVE-2021-44610 + RESERVED +CVE-2021-44609 + RESERVED +CVE-2021-44608 + RESERVED +CVE-2021-44607 + RESERVED +CVE-2021-44606 + RESERVED +CVE-2021-44605 + RESERVED +CVE-2021-44604 + RESERVED +CVE-2021-44603 + RESERVED +CVE-2021-44602 + RESERVED 
+CVE-2021-44601 + RESERVED +CVE-2021-44600 + RESERVED +CVE-2021-44599 + RESERVED +CVE-2021-44598 + RESERVED +CVE-2021-44597 + RESERVED +CVE-2021-44596 + RESERVED +CVE-2021-44595 + RESERVED +CVE-2021-44594 + RESERVED +CVE-2021-44593 + RESERVED +CVE-2021-44592 + RESERVED +CVE-2021-44591 + RESERVED +CVE-2021-44590 + RESERVED +CVE-2021-44589 + RESERVED +CVE-2021-44588 + RESERVED +CVE-2021-44587 + RESERVED +CVE-2021-44586 + RESERVED +CVE-2021-44585 + RESERVED +CVE-2021-44584 + RESERVED +CVE-2021-44583 + RESERVED +CVE-2021-44582 + RESERVED +CVE-2021-44581 + RESERVED +CVE-2021-44580 + RESERVED +CVE-2021-44579 + RESERVED +CVE-2021-44578 + RESERVED +CVE-2021-44577 + RESERVED +CVE-2021-44576 + RESERVED +CVE-2021-44575 + RESERVED +CVE-2021-44574 + RESERVED +CVE-2021-44573 + RESERVED +CVE-2021-44572 + RESERVED +CVE-2021-44571 + RESERVED +CVE-2021-44570 + RESERVED +CVE-2021-44569 + RESERVED +CVE-2021-44568 + RESERVED +CVE-2021-44567 + RESERVED +CVE-2021-44566 + RESERVED +CVE-2021-44565 + RESERVED +CVE-2021-44564 + RESERVED +CVE-2021-44563 + RESERVED +CVE-2021-44562 + RESERVED +CVE-2021-44561 + RESERVED +CVE-2021-44560 + RESERVED +CVE-2021-44559 + RESERVED +CVE-2021-44558 + RESERVED +CVE-2021-44557 + RESERVED +CVE-2021-44556 + RESERVED +CVE-2021-44555 + RESERVED +CVE-2021-44554 + RESERVED +CVE-2021-44553 + RESERVED +CVE-2021-44552 + RESERVED +CVE-2021-44551 + RESERVED +CVE-2021-44550 + RESERVED +CVE-2021-4070 + RESERVED CVE-2021-44549 RESERVED CVE-2021-4069 @@ -1348,16 +1600,16 @@ CVE-2021-44050 (CA Network Flow Analysis (NFA) 21.2.1 and earlier contain a SQL NOT-FOR-US: CA Network Flow Analysis (NFA) CVE-2021-44049 RESERVED -CVE-2021-44048 - RESERVED -CVE-2021-44047 - RESERVED -CVE-2021-44046 - RESERVED -CVE-2021-44045 - RESERVED -CVE-2021-44044 - RESERVED +CVE-2021-44048 (An out-of-bounds write vulnerability exists when reading a TIF file us