[Git][security-tracker-team/security-tracker][master] Remove excessive notes for slirp dla-needed entry
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: bd78d7ae by Brian May at 2020-09-08T08:35:01+10:00 Remove excessive notes for slirp dla-needed entry - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -176,8 +176,8 @@ samba (Mike Gabriel) shiro (Roberto C. Sánchez) -- slirp - NOTE: Upstream patch for CVE-2020-8608 requires patches for NOTE: - NOTE: CVE-2020-7039 to be applied patched first, as they both patch NOTE: + NOTE: Upstream patch for CVE-2020-8608 requires patches for + NOTE: CVE-2020-7039 to be applied patched first, as they both patch NOTE: the same lines of code in tcp_subr.c (bam). -- snmptt View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bd78d7ae755f39758438d2841c32ff01074128cc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
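Review bot: the second added NOTE line still reads "to be applied patched first"; "applied patched" is redundant, and "to be applied first" says the same thing. The note also carries no date prefix, unlike the dated notes elsewhere in data/dla-needed.txt (for example "NOTE: 20200829: ..." under gnome-shell), so a reader cannot tell how current the CVE-2020-7039 ordering constraint is.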
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 09dbe532 by security tracker role at 2020-09-07T20:10:23+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1130,6 +1130,7 @@ CVE-2020-24661 (GNOME Geary before 3.36.3 mishandles pinned TLS certificate veri NOTE: https://gitlab.gnome.org/GNOME/geary/-/issues/866 CVE-2020-24660 RESERVED + {DSA-4762-1 DLA-2367-1} - lemonldap-ng 2.0.9+ds-1 NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2290 CVE-2020-24659 (An issue was discovered in GnuTLS before 3.6.15. A server can trigger ...) @@ -20803,6 +20804,7 @@ CVE-2020-15167 (In Miller (command line utility) using the configuration file su NOTE: https://github.com/johnkerl/miller/security/advisories/GHSA-mw2v-4q78-j2cw CVE-2020-15166 RESERVED + {DSA-4761-1} - zeromq3 4.3.3-1 NOTE: https://www.openwall.com/lists/oss-security/2020/09/07/3 NOTE: https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m 
@@ -188866,7 +188868,7 @@ CVE-2017-11724 (The ReadMATImage function in coders/mat.c in ImageMagick through NOTE: https://github.com/ImageMagick/ImageMagick/issues/624 NOTE: https://github.com/ImageMagick/ImageMagick/commit/5163756a1f829a561912dfdb74a0dae41d8ed8cf CVE-2017-12670 (In ImageMagick 7.0.6-3, missing validation was found in coders/mat.c, ...) - {DLA-2366-1 DLA-1785-1 DLA-1081-1} + {DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-14 (low; bug #870020) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/610 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/09dbe5325216b1f63eb9a38581a0820a3e98
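Review bot: in the first hunk CVE-2020-24660 now carries {DSA-4762-1 DLA-2367-1} but is still a bare RESERVED entry with no description, and the same holds for CVE-2020-15166 with {DSA-4761-1} in the second hunk. A bracketed summary on the CVE line in a manual follow-up, in the style of "CVE-2020-24916 [OS command injection in Yaws web server]", would let readers of data/CVE/list see what the advisories fix without following the NOTE links.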
[Git][security-tracker-team/security-tracker][master] Track proposed update for CVE-2020-7729 via buster-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8996054e by Salvatore Bonaccorso at 2020-09-07T21:37:31+02:00 Track proposed update for CVE-2020-7729 via buster-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -62,3 +62,5 @@ CVE-2020-8124 [buster] - node-url-parse 1.2.0-2+deb10u1 CVE-2020-13822 [buster] - node-elliptic 6.4.1~dfsg-1+deb10u1 +CVE-2020-7729 + [buster] - grunt 1.0.1-8+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8996054e63da0e29b7cedfd7e6342e6f488d2739
[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-7729/grunt as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 30203754 by Salvatore Bonaccorso at 2020-09-07T21:36:20+02:00 Mark CVE-2020-7729/grunt as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -41346,6 +41346,7 @@ CVE-2020-7730 (The package bestzip before 2.1.7 are vulnerable to Command Inject NOT-FOR-US: bestzip nodejs module CVE-2020-7729 (The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execut ...) - grunt 1.3.0-1 (bug #969668) + [buster] - grunt (Minor issue) NOTE: https://github.com/gruntjs/grunt/commit/e350cea1724eb3476464561a380fb6a64e61e4e7 NOTE: https://snyk.io/vuln/SNYK-JS-GRUNT-597546 CVE-2020-7728 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/30203754e481d53ceb829b620dc4423dccded31c
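Review bot: the reason "(Minor issue)" on the added [buster] line gives no rationale, although the CVE line two lines above describes the flaw as "Arbitrary Code Execut ...". A short reason stating why it is minor for buster, in the way the qemu entries use "(Vulnerable code not present)", would make the no-dsa decision reviewable from the entry itself; a NOTE pointing at the planned buster point-release fix would also help.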
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-24916/yaws
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cde260c7 by Salvatore Bonaccorso at 2020-09-07T21:21:17+02:00 Add CVE-2020-24916/yaws - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -605,8 +605,11 @@ CVE-2020-24918 RESERVED CVE-2020-24917 (osTicket before 1.14.3 allows XSS via a crafted filename to DraftAjaxA ...) NOT-FOR-US: osTicket -CVE-2020-24916 +CVE-2020-24916 [OS command injection in Yaws web server] RESERVED + - yaws 2.0.8+dfsg-1 + NOTE: https://github.com/erlyaws/yaws/commit/799b3b526d15b7a9bc43ae97165aeb085f18fac1 + NOTE: https://github.com/vulnbe/poc-yaws-cgi-shell-injection CVE-2020-24915 RESERVED CVE-2020-24914 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cde260c738fe8d61cd84ed5a3588e4d837cb2d1d
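Review bot: the two added NOTE lines under CVE-2020-24916 do not say which URL is the fix and which is the reproducer; a reader has to infer it from the paths. A short suffix on each line would remove the guesswork. The added "- yaws 2.0.8+dfsg-1" line also has no bug reference, unlike "- grunt 1.3.0-1 (bug #969668)" elsewhere in data/CVE/list, so add one if a Debian bug exists.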
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-24379/yaws
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1fe381ce by Salvatore Bonaccorso at 2020-09-07T21:19:15+02:00 Add CVE-2020-24379/yaws - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1729,8 +1729,11 @@ CVE-2020-24381 (** DISPUTED ** GUnet Open eClass Platform (aka openeclass) throu NOT-FOR-US: GUnet Open eClass Platform CVE-2020-24380 RESERVED -CVE-2020-24379 +CVE-2020-24379 [XXE in Yaws web server] RESERVED + - yaws 2.0.8+dfsg-1 + NOTE: https://github.com/erlyaws/yaws/commit/05a06345012598f5da55dbb4d041c8dc26e88e6c + NOTE: https://github.com/vulnbe/poc-yaws-dav-xxe CVE-2020-24378 RESERVED CVE-2020-24377 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1fe381ceac89577ead8b79b65752946250a35a6a
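Review bot: the bracketed summary "[XXE in Yaws web server]" on the changed CVE-2020-24379 line is broader than what the second NOTE suggests, whose repository name (poc-yaws-dav-xxe) points at DAV. If the issue is confined to DAV request handling, naming that in the summary would help anyone triaging installations where DAV is not enabled.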
[Git][security-tracker-team/security-tracker][master] lemonldap-ng DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e0e0411e by Moritz Muehlenhoff at 2020-09-07T21:04:19+02:00 lemonldap-ng DSA - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[07 Sep 2020] DSA-4762-1 lemonldap-ng - security update + {CVE-2020-24660} + [buster] - lemonldap-ng 2.0.2+ds-7+deb10u5 [07 Sep 2020] DSA-4761-1 zeromq3 - security update {CVE-2020-15166} [buster] - zeromq3 4.3.1-4+deb10u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e0e0411ed943f6764cc0406f67a32a876a8e6705
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for zeromq3 update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b58d06e5 by Salvatore Bonaccorso at 2020-09-07T20:58:12+02:00 Reserve DSA number for zeromq3 update - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[07 Sep 2020] DSA-4761-1 zeromq3 - security update + {CVE-2020-15166} + [buster] - zeromq3 4.3.1-4+deb10u2 [06 Sep 2020] DSA-4760-1 qemu - security update {CVE-2020-12829 CVE-2020-14364 CVE-2020-15863 CVE-2020-16092} [buster] - qemu 1:3.1+dfsg-8+deb10u8 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b58d06e5bd49d857588aa8e9101766fc6c067f3d
[Git][security-tracker-team/security-tracker][master] Reference upstream commit for CVE-2020-15166/zeromq3
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 62ce6176 by Salvatore Bonaccorso at 2020-09-07T20:35:51+02:00 Reference upstream commit for CVE-2020-15166/zeromq3 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20800,6 +20800,7 @@ CVE-2020-15166 - zeromq3 4.3.3-1 NOTE: https://www.openwall.com/lists/oss-security/2020/09/07/3 NOTE: https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m + NOTE: https://github.com/zeromq/libzmq/commit/e7f0090b161ce6344f6bd35009816a925c070b09 CVE-2020-15165 (Version 1.1.6-free of Chameleon Mini Live Debugger on Google Play Stor ...) NOT-FOR-US: Chameleon Mini Live Debugger CVE-2020-15164 (in Scratch Login (MediaWiki extension) before version 1.1, any account ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62ce617620e23134014f10504a143e643d06e587
[Git][security-tracker-team/security-tracker][master] CVE-2020-12829/qemu: stretch not-affected
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 9918f39f by Sylvain Beucler at 2020-09-07T19:55:34+02:00 CVE-2020-12829/qemu: stretch not-affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -26939,7 +26939,7 @@ CVE-2020-12830 CVE-2020-12829 (In QEMU through 5.0.0, an integer overflow was found in the SM501 disp ...) {DSA-4760-1} - qemu 1:5.0-12 (low; bug #961451) - [stretch] - qemu (Minor issue) + [stretch] - qemu (SM501 only compiled for misc/sh4 where it's not enabled as a graphics device yet; intrusive) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1808510 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1786026 NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9918f39f4bb9d31112c1472a4dafbd774b91cd67
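Review bot: the new reason on the [stretch] line mixes two different arguments. "SM501 only compiled for misc/sh4 where it's not enabled as a graphics device yet" supports the not-affected status named in the commit title, while "; intrusive" is a backport-cost argument that only matters if the code were affected. Dropping "; intrusive" or moving it to a separate NOTE would keep the status line to the reason the package is not affected.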
[Git][security-tracker-team/security-tracker][master] CVE-2020-15166/zeromq3 fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1b7b1529 by Salvatore Bonaccorso at 2020-09-07T19:25:17+02:00 CVE-2020-15166/zeromq3 fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20797,7 +20797,7 @@ CVE-2020-15167 (In Miller (command line utility) using the configuration file su NOTE: https://github.com/johnkerl/miller/security/advisories/GHSA-mw2v-4q78-j2cw CVE-2020-15166 RESERVED - - zeromq3 + - zeromq3 4.3.3-1 NOTE: https://www.openwall.com/lists/oss-security/2020/09/07/3 NOTE: https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m CVE-2020-15165 (Version 1.1.6-free of Chameleon Mini Live Debugger on Google Play Stor ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1b7b1529041781ccb97093e8dd39c9e779628086
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-15166/zeromq3
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 70fc4327 by Salvatore Bonaccorso at 2020-09-07T19:24:24+02:00 Add CVE-2020-15166/zeromq3 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20797,6 +20797,9 @@ CVE-2020-15167 (In Miller (command line utility) using the configuration file su NOTE: https://github.com/johnkerl/miller/security/advisories/GHSA-mw2v-4q78-j2cw CVE-2020-15166 RESERVED + - zeromq3 + NOTE: https://www.openwall.com/lists/oss-security/2020/09/07/3 + NOTE: https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m CVE-2020-15165 (Version 1.1.6-free of Chameleon Mini Live Debugger on Google Play Stor ...) NOT-FOR-US: Chameleon Mini Live Debugger CVE-2020-15164 (in Scratch Login (MediaWiki extension) before version 1.1, any account ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/70fc43271073835cb8d13708ff74763b6930fe54
[Git][security-tracker-team/security-tracker][master] CVE-2017-12670,imagemagick: postponed
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: f2537493 by Markus Koschany at 2020-09-07T19:08:01+02:00 CVE-2017-12670,imagemagick: postponed Upstream patch appears to be incomplete. Needs further investigation. - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -188857,9 +188857,11 @@ CVE-2017-11724 (The ReadMATImage function in coders/mat.c in ImageMagick through CVE-2017-12670 (In ImageMagick 7.0.6-3, missing validation was found in coders/mat.c, ...) {DLA-2366-1 DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-14 (low; bug #870020) + [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/610 NOTE: https://github.com/ImageMagick/ImageMagick/commit/ab440f9ea11e0dbefb7a808cbb9441198758b0cb NOTE: https://github.com/ImageMagick/ImageMagick/commit/75db34b6a4d642cb6f88c792942de27490c900e0 + NOTE: Upstream patch is apparently incomplete. POC still triggers segfault. CVE-2017-13658 (In ImageMagick before 6.9.9-3 and 7.x before 7.0.6-3, there is a missi ...) {DLA-2366-1 DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-14 (low; bug #870019) = data/DLA/list = 
@@ -2,7 +2,7 @@ {CVE-2020-24660} [stretch] - lemonldap-ng 1.9.7-3+deb9u4 [07 Sep 2020] DLA-2366-1 imagemagick - security update - {CVE-2017-12140 CVE-2017-12429 CVE-2017-12430 CVE-2017-12435 CVE-2017-12563 CVE-2017-12643 CVE-2017-12670 CVE-2017-12674 CVE-2017-12691 CVE-2017-12692 CVE-2017-12693 CVE-2017-12806 CVE-2017-12875 CVE-2017-13061 CVE-2017-13133 CVE-2017-13658 CVE-2017-13768 CVE-2017-14060 CVE-2017-14172 CVE-2017-14173 CVE-2017-14174 CVE-2017-14175 CVE-2017-14249 CVE-2017-14341 CVE-2017-14400 CVE-2017-14505 CVE-2017-14532 CVE-2017-14624 CVE-2017-14625 CVE-2017-14626 CVE-2017-14739 CVE-2017-14741 CVE-2017-15015 CVE-2017-15017 CVE-2017-15281 CVE-2017-17682 CVE-2017-17914 CVE-2017-18209 CVE-2017-18211 CVE-2017-18271 CVE-2017-18273 CVE-2017-1000445 CVE-2017-1000476 CVE-2018-16643 CVE-2018-16749 CVE-2018-18025 CVE-2019-11598 CVE-2019-13135 CVE-2019-13308 CVE-2019-13391 CVE-2019-15139} + {CVE-2017-12140 CVE-2017-12429 CVE-2017-12430 CVE-2017-12435 CVE-2017-12563 CVE-2017-12643 CVE-2017-12674 CVE-2017-12691 CVE-2017-12692 CVE-2017-12693 CVE-2017-12806 CVE-2017-12875 CVE-2017-13061 CVE-2017-13133 CVE-2017-13658 CVE-2017-13768 CVE-2017-14060 CVE-2017-14172 CVE-2017-14173 CVE-2017-14174 CVE-2017-14175 CVE-2017-14249 CVE-2017-14341 CVE-2017-14400 CVE-2017-14505 CVE-2017-14532 CVE-2017-14624 CVE-2017-14625 CVE-2017-14626 CVE-2017-14739 CVE-2017-14741 CVE-2017-15015 CVE-2017-15017 CVE-2017-15281 CVE-2017-17682 CVE-2017-17914 CVE-2017-18209 CVE-2017-18211 CVE-2017-18271 CVE-2017-18273 CVE-2017-1000445 CVE-2017-1000476 CVE-2018-16643 CVE-2018-16749 CVE-2018-18025 CVE-2019-11598 CVE-2019-13135 CVE-2019-13308 CVE-2019-13391 CVE-2019-15139} [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u10 [04 Sep 2020] DLA-2278-3 squid3 - regression update [stretch] - squid3 3.5.23-5+deb9u4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2537493b4a90ecdb284e9688411f922d4cceaf5 -- View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2537493b4a90ecdb284e9688411f922d4cceaf5
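Review bot: in the data/CVE/list hunk the added "[stretch] - imagemagick (Minor issue)" line gives a reason that does not match the commit message or the added NOTE, which both say the upstream patch is incomplete and that the POC still segfaults. Putting that in the reason, for example "(Upstream fix incomplete)", and prefixing the NOTE with a date would let a later reader see why the CVE was pulled from the update and when it was last checked.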
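Review bot: in the data/DLA/list hunk CVE-2017-12670 is dropped from the DLA-2366-1 set, but the context line "{DLA-2366-1 DLA-1785-1 DLA-1081-1}" under CVE-2017-12670 in the first hunk still lists DLA-2366-1, so the two files disagree until the cross-reference line is regenerated. Worth confirming that the next automatic update picks this up, and that the published DLA-2366-1 text does not list the CVE.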
[Git][security-tracker-team/security-tracker][master] CVE-2019-5008/qemu: stretch ignored->not-affected
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 0623e8f1 by Sylvain Beucler at 2020-09-07T17:54:21+02:00 CVE-2019-5008/qemu: stretch ignored->not-affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -103718,11 +103718,12 @@ CVE-2018-20670 CVE-2019-5008 (hw/sparc64/sun4u.c in QEMU 3.1.50 is vulnerable to a NULL pointer dere ...) - qemu 1:3.1+dfsg-8 (low; bug #927439) [buster] - qemu 1:3.1+dfsg-8~deb10u1 - [stretch] - qemu (Minor issue) + [stretch] - qemu (Vulnerable code not present) [jessie] - qemu (Vulnerable code not present) - qemu-kvm NOTE: https://fakhrizulkifli.github.io/posts/2019/01/03/CVE-2019-5008/ NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=ad280559c68360c9f1cd7be063857853759e6a73 (4.0.0-rc0) + NOTE: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=25c5d5acfbaa148b2da64b1f2c1401f87ebb0bb4 (MemoryRegionOps introduced in 2.12) CVE-2019-5007 (An issue was discovered in Foxit Reader and PhantomPDF before 9.4 on W ...) NOT-FOR-US: Foxit Reader and PhantomPDF CVE-2019-5006 (An issue was discovered in Foxit Reader and PhantomPDF before 9.4 on W ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0623e8f19735fa1a2ade859388bc526644db4357
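Review bot: the added NOTE "(MemoryRegionOps introduced in 2.12)" names the upstream version that introduced the code but not the qemu version shipped in stretch, so the new "(Vulnerable code not present)" reason on the [stretch] line cannot be checked from the entry alone. Appending the stretch version to that NOTE would make the not-affected claim self-contained.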
[Git][security-tracker-team/security-tracker][master] Revert "Reserve DLA-2368-1 for lemonldap-ng" (duplication)
Xavier Guimard pushed to branch master at Debian Security Tracker / security-tracker Commits: c3bcb2b1 by Xavier Guimard at 2020-09-07T17:20:59+02:00 Revert "Reserve DLA-2368-1 for lemonldap-ng" (duplication) This reverts commit f19eebce6170dd86df1d5540a554fcf6db3011b4. - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,6 +1,3 @@ -[07 Sep 2020] DLA-2368-1 lemonldap-ng - security update - {CVE-2020-24660} - [stretch] - lemonldap-ng 1.9.7-3+deb9u4 [07 Sep 2020] DLA-2367-1 lemonldap-ng - security update {CVE-2020-24660} [stretch] - lemonldap-ng 1.9.7-3+deb9u4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c3bcb2b10c1cd4e381ff9142a35d8930f497ad42
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2368-1 for lemonldap-ng
Xavier Guimard pushed to branch master at Debian Security Tracker / security-tracker Commits: f19eebce by Xavier Guimard at 2020-09-07T17:20:16+02:00 Reserve DLA-2368-1 for lemonldap-ng - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[07 Sep 2020] DLA-2368-1 lemonldap-ng - security update + {CVE-2020-24660} + [stretch] - lemonldap-ng 1.9.7-3+deb9u4 [07 Sep 2020] DLA-2367-1 lemonldap-ng - security update {CVE-2020-24660} [stretch] - lemonldap-ng 1.9.7-3+deb9u4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f19eebce6170dd86df1d5540a554fcf6db3011b4
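Review bot: the added DLA-2368-1 block is identical to the DLA-2367-1 block on the context lines directly below it: same date, same package, same {CVE-2020-24660} and same version 1.9.7-3+deb9u4. That reads as one update reserved twice; unless a second upload is planned, the DLA-2368-1 entry should be dropped so the number stays free.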
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2367-1 for lemonldap-ng
Xavier Guimard pushed to branch master at Debian Security Tracker / security-tracker Commits: 3129a27b by Xavier Guimard at 2020-09-07T17:19:22+02:00 Reserve DLA-2367-1 for lemonldap-ng - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[07 Sep 2020] DLA-2367-1 lemonldap-ng - security update + {CVE-2020-24660} + [stretch] - lemonldap-ng 1.9.7-3+deb9u4 [07 Sep 2020] DLA-2366-1 imagemagick - security update {CVE-2017-12140 CVE-2017-12429 CVE-2017-12430 CVE-2017-12435 CVE-2017-12563 CVE-2017-12643 CVE-2017-12670 CVE-2017-12674 CVE-2017-12691 CVE-2017-12692 CVE-2017-12693 CVE-2017-12806 CVE-2017-12875 CVE-2017-13061 CVE-2017-13133 CVE-2017-13658 CVE-2017-13768 CVE-2017-14060 CVE-2017-14172 CVE-2017-14173 CVE-2017-14174 CVE-2017-14175 CVE-2017-14249 CVE-2017-14341 CVE-2017-14400 CVE-2017-14505 CVE-2017-14532 CVE-2017-14624 CVE-2017-14625 CVE-2017-14626 CVE-2017-14739 CVE-2017-14741 CVE-2017-15015 CVE-2017-15017 CVE-2017-15281 CVE-2017-17682 CVE-2017-17914 CVE-2017-18209 CVE-2017-18211 CVE-2017-18271 CVE-2017-18273 CVE-2017-1000445 CVE-2017-1000476 CVE-2018-16643 CVE-2018-16749 CVE-2018-18025 CVE-2019-11598 CVE-2019-13135 CVE-2019-13308 CVE-2019-13391 CVE-2019-15139} [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u10 = data/dla-needed.txt = 
@@ -92,9 +92,6 @@ jupyter-notebook -- kleopatra -- -lemonldap-ng - NOTE: 20200907: Vulnerable to CVE-2020-24660 --- libxml2 (Markus Koschany) -- linux (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3129a27b45a1167760bf44a03f4f1dc5f2d2d999
[Git][security-tracker-team/security-tracker][master] Update dla-needed.txt: add lemonldap-ng
Xavier Guimard pushed to branch master at Debian Security Tracker / security-tracker Commits: dedf0852 by Xavier Guimard at 2020-09-07T15:03:59+00:00 Update dla-needed.txt: add lemonldap-ng - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -92,6 +92,9 @@ jupyter-notebook -- kleopatra -- +lemonldap-ng + NOTE: 20200907: Vulnerable to CVE-2020-24660 +-- libxml2 (Markus Koschany) -- linux (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dedf08529e71d6202565b848b410ac13f06352e6
[Git][security-tracker-team/security-tracker][master] CVE-2017-11334/qemu: postponed->ignored
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 4af34862 by Sylvain Beucler at 2020-09-07T15:56:51+02:00 CVE-2017-11334/qemu: postponed->ignored - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -190224,7 +190224,7 @@ CVE-2017-11524 (The WriteBlob function in MagickCore/blob.c in ImageMagick befor CVE-2017-11334 (The address_space_write_continue function in exec.c in QEMU (aka Quick ...) {DSA-3925-1} - qemu 1:2.8+dfsg-7 (bug #869173) - [jessie] - qemu (Minor issue, root DoS, backport caused Xen regression in Ubuntu and was reverted) + [jessie] - qemu (Minor issue, root DoS, Xen regression, multiple refactorings after 2.5, no reproducer) [wheezy] - qemu (Minor issue) - qemu-kvm [wheezy] - qemu-kvm (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4af348626f64869cfa431d01b8b07eeb9bf91a27
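Review bot: the rewritten [jessie] reason shortens "backport caused Xen regression in Ubuntu and was reverted" to "Xen regression", which loses both where the regression was seen and that the backport was reverted. Those two facts are the strongest part of the argument for ignoring the issue; keeping them in a NOTE line below would preserve them while the reason stays short.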
[Git][security-tracker-team/security-tracker][master] qemu/CVE-2019-12067: 1 year later, no news
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: f610867a by Sylvain Beucler at 2020-09-07T15:41:00+02:00 qemu/CVE-2019-12067: 1 year later, no news - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -83644,7 +83644,7 @@ CVE-2019-12067 [ide: ahci: add check to avoid null dereference] [jessie] - qemu (Minor issue, can be fixed along in future update) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-08/msg01358.html - NOTE: patch not sanctioned as of 20190909 + NOTE: patch not sanctioned as of 20200907 NOTE: patched function introduced in 2014/2.1.50 but affected code pre-existed NOTE: https://github.com/qemu/qemu/commit/659142ecf71a0da240ab0ff7cf929ee25c32b9bc CVE-2019-12066 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f610867a41d7dc904ec206968af8688524dc3413
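Review bot: the changed NOTE overwrites the date in "patch not sanctioned as of 20190909" with 20200907, so the entry no longer shows that the patch was already unmerged a year earlier, which is the point of the commit title. Adding a second dated NOTE line under the old one would keep both checks on record.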
[Git][security-tracker-team/security-tracker][master] LTS: claim gnutls28, shiro
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 5295d431 by Roberto C. Sánchez at 2020-09-07T07:54:01-04:00 LTS: claim gnutls28, shiro - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -75,7 +75,7 @@ freerdp (Mike Gabriel) gnome-shell (Mike Gabriel) NOTE: 20200829: https://salsa.debian.org/gnome-team/gnome-shell/-/merge_requests/41 (sunweaver) -- -gnutls28 +gnutls28 (Roberto C. Sánchez) -- golang-go.crypto -- @@ -173,7 +173,7 @@ samba (Mike Gabriel) NOTE: 20200830: Will remove this entry and mark all current CVEs as postponed. But first I need to know were the patches are (ola). NOTE: 20200903: As discussed internally, I will look into Samba AD CVEs and revisit the risk assessment, plus fix the more severe issues (sunweaver) -- -shiro +shiro (Roberto C. Sánchez) -- slirp NOTE: Upstream patch for CVE-2020-8608 requires patches for NOTE: View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5295d431548f46cb06d300635a2e1d9e9ee2f621
[Git][security-tracker-team/security-tracker][master] 6 commits: data/dla-needed.txt: Triage gnutls28 for stretch LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 7e4ca473 by Chris Lamb at 2020-09-07T12:38:33+01:00 data/dla-needed.txt: Triage gnutls28 for stretch LTS. - - - - - 0e8743f7 by Chris Lamb at 2020-09-07T12:39:04+01:00 data/dla-needed.txt: Triage grunt for stretch LTS. - - - - - 4c684814 by Chris Lamb at 2020-09-07T12:39:11+01:00 data/dla-needed.txt: Claim grunt. - - - - - 21f1c5d8 by Chris Lamb at 2020-09-07T12:41:16+01:00 data/dla-needed.txt: Triage kleopatra for stretch LTS (CVE-2020-24972). - - - - - 842f9aed by Chris Lamb at 2020-09-07T12:43:30+01:00 data/dla-needed.txt: Triage python-pip for stretch LTS (CVE-2019-20916). - - - - - 4154f5b9 by Chris Lamb at 2020-09-07T12:43:40+01:00 data/dla-needed.txt: Claim python-pip. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -75,10 +75,14 @@ freerdp (Mike Gabriel) gnome-shell (Mike Gabriel) NOTE: 20200829: https://salsa.debian.org/gnome-team/gnome-shell/-/merge_requests/41 (sunweaver) -- +gnutls28 +-- golang-go.crypto -- golang-golang-x-net-dev -- +grunt (Chris Lamb) +-- guacamole-client (Mike Gabriel) -- jetty9 (Markus Koschany) @@ -86,6 +90,8 @@ jetty9 (Markus Koschany) jupyter-notebook NOTE: 20200711: Vulnerable to (at least) CVE-2018-19351. (lamby) -- +kleopatra +-- libxml2 (Markus Koschany) -- linux (Ben Hutchings) 
@@ -115,6 +121,8 @@ php-horde-trean (Mike Gabriel) puma NOTE: 20200708: Vulnerable to (at least) CVE-2020-11076. (lamby) -- +python-pip (Chris Lamb) +-- qemu (Abhijith PA) NOTE: 20200824: currently all are minor issues. Reduce frequent upload (abhijith) NOTE: 20200901: CVE-2020-14364 is rather not a minor issue. check for stretch. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9b17f95df039d947e3d05b158710ccb73dff9cb3...4154f5b90c53f401272cfe662be8ef0df1afea1b
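Review bot: the kleopatra and python-pip entries are added without a NOTE, although the commit messages name CVE-2020-24972 and CVE-2019-20916 as the reason for triage. The neighbouring jupyter-notebook and puma entries keep that information in the file ("NOTE: 20200711: Vulnerable to (at least) CVE-2018-19351. (lamby)"); a dated NOTE of the same form here would keep the triage reason with the entry instead of only in the commit log. The gnutls28 and grunt entries give no CVE or reason at all, neither in the file nor in their commit messages, so the same applies there.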
[Git][security-tracker-team/security-tracker][master] CVE-2020-16093 and CVE-2020-24660 addressed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9b17f95d by Salvatore Bonaccorso at 2020-09-07T12:37:04+02:00 CVE-2020-16093 and CVE-2020-24660 addressed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1127,7 +1127,7 @@ CVE-2020-24661 (GNOME Geary before 3.36.3 mishandles pinned TLS certificate veri NOTE: https://gitlab.gnome.org/GNOME/geary/-/issues/866 CVE-2020-24660 RESERVED - - lemonldap-ng + - lemonldap-ng 2.0.9+ds-1 NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2290 CVE-2020-24659 (An issue was discovered in GnuTLS before 3.6.15. A server can trigger ...) - gnutls28 3.6.15-1 (bug #969547) @@ -18518,6 +18518,7 @@ CVE-2020-16094 (In imap_scan_tree_recursive in Claws Mail through 3.17.6, a mali NOTE: https://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=4313 CVE-2020-16093 RESERVED + - lemonldap-ng 2.0.9+ds-1 CVE-2020-16092 (In QEMU through 5.0.0, an assertion failure can occur in the network p ...) {DSA-4760-1} - qemu 1:5.1+dfsg-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9b17f95df039d947e3d05b158710ccb73dff9cb3
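Review bot: the new "- lemonldap-ng 2.0.9+ds-1" line under CVE-2020-16093 carries no NOTE, while the CVE-2020-24660 entry touched in the same commit links its upstream issue. CVE-2020-16093 is still RESERVED with no description, so nothing in the entry shows why 2.0.9+ds-1 is the fixed version; add a NOTE with the upstream issue or commit so the fixed-version claim can be checked later.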
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-24660/lemonldap-ng
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e10fcce9 by Salvatore Bonaccorso at 2020-09-07T10:53:55+02:00 Add CVE-2020-24660/lemonldap-ng - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1127,6 +1127,8 @@ CVE-2020-24661 (GNOME Geary before 3.36.3 mishandles pinned TLS certificate veri NOTE: https://gitlab.gnome.org/GNOME/geary/-/issues/866 CVE-2020-24660 RESERVED + - lemonldap-ng + NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2290 CVE-2020-24659 (An issue was discovered in GnuTLS before 3.6.15. A server can trigger ...) - gnutls28 3.6.15-1 (bug #969547) NOTE: https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-09-04 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e10fcce95ac6ac7ca033d3b9eb70ef408bf9717d
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0047763e by security tracker role at 2020-09-07T08:10:16+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18517,6 +18517,7 @@ CVE-2020-16094 (In imap_scan_tree_recursive in Claws Mail through 3.17.6, a mali CVE-2020-16093 RESERVED CVE-2020-16092 (In QEMU through 5.0.0, an assertion failure can occur in the network p ...) + {DSA-4760-1} - qemu 1:5.1+dfsg-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1860283 NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=035e69b063835a5fd23cacabd63690a3d84532a8 @@ -19035,7 +19036,7 @@ CVE-2020-15865 (A Remote Code Execution vulnerability in Stimulsoft (aka Stimuls CVE-2020-15864 RESERVED CVE-2020-15863 (hw/net/xgmac.c in the XGMAC Ethernet controller in QEMU before 07-20-2 ...) - {DLA-2288-1} + {DSA-4760-1 DLA-2288-1} - qemu 1:5.0-12 NOTE: https://www.openwall.com/lists/oss-security/2020/07/22/1 NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=5519724a13664b43e225ca05351c60b4468e4555 @@ -22940,6 +22941,7 @@ CVE-2020-14365 [dnf module install packages with no GPG signature] - ansible NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1869154 CVE-2020-14364 (An out-of-bounds read/write access flaw was found in the USB emulator ...) + {DSA-4760-1} - qemu 1:5.1+dfsg-4 (bug #968947) NOTE: https://xenbits.xen.org/xsa/advisory-335.html NOTE: https://www.openwall.com/lists/oss-security/2020/08/24/3 @@ -26929,6 +26931,7 @@ CVE-2020-12831 (** DISPUTED ** An issue was discovered in FRRouting FRR (aka Fre CVE-2020-12830 RESERVED CVE-2020-12829 (In QEMU through 5.0.0, an integer overflow was found in the SM501 disp ...) + {DSA-4760-1} - qemu 1:5.0-12 (low; bug #961451) [stretch] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1808510 
@@ -73021,7 +73024,7 @@ CVE-2019-15140 (coders/mat.c in ImageMagick 7.0.8-43 Q16 allows remote attackers NOTE: https://github.com/ImageMagick/ImageMagick6/commit/5caef6e97f3f575cf7bea497865a4c1e624b8010 NOTE: https://github.com/ImageMagick/ImageMagick/issues/1554 CVE-2019-15139 (The XWD image (X Window System window dumping file) parsing component ...) - {DSA-4712-1 DLA-1968-1} + {DSA-4712-1 DLA-2366-1 DLA-1968-1} - imagemagick 8:6.9.11.24+dfsg-1 (bug #941670) NOTE: https://github.com/ImageMagick/ImageMagick/commit/c78993d138bf480ab4652b5a48379d4ff75ba5f7 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/6d46f0a046a58e7c4567a86ba1b9cb847d5b1968 @@ -79903,7 +79906,7 @@ CVE-2019-13393 (The Voo branded NETGEAR CG3700b custom firmware V2.02.03 uses th CVE-2019-13392 (A reflected Cross-Site Scripting (XSS) vulnerability in MindPalette Na ...) NOT-FOR-US: MindPalette NateMail CVE-2019-13391 (In ImageMagick 7.0.8-50 Q16, ComplexImages in MagickCore/fourier.c has ...) - {DSA-4712-1} + {DSA-4712-1 DLA-2366-1} - imagemagick 8:6.9.11.24+dfsg-1 (low; bug #931633) [jessie] - imagemagick (minor, wait for upstream to clear patch-related questions) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1588 @@ -80122,7 +80125,7 @@ CVE-2019-13309 (ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory NOTE: https://github.com/ImageMagick/ImageMagick/issues/1616 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/5982632109cad48bc6dab867298fdea4dea57c51 CVE-2019-13308 (ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow in MagickCor ...) - {DSA-4712-1} + {DSA-4712-1 DLA-2366-1} - imagemagick 8:6.9.11.24+dfsg-1 (low; bug #931447) [jessie] - imagemagick (minor, wait for upstream to clear patch-related questions) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1595 
@@ -80634,7 +80637,7 @@ CVE-2019-13136 (ImageMagick before 7.0.8-50 has an integer overflow vulnerabilit NOTE: https://github.com/ImageMagick/ImageMagick/commit/fe5f4b85e6b1b54d3b4588a77133c06ade46d891 NOTE: https://github.com/ImageMagick/ImageMagick/issues/1602 CVE-2019-13135 (ImageMagick before 7.0.8-50 has a "use of uninitialized value" vulnera ...) - {DSA-4712-1 DLA-1888-1} + {DSA-4712-1 DLA-2366-1 DLA-1888-1} - imagemagick 8:6.9.11.24+dfsg-1 (bug #932079) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1599 NOTE: https://github.com/ImageMagick/ImageMagick/commit/cdb383749ef7b68a38891440af8cc23e0115306d (7.x) @@ -85033,7 +85036,7 @@ CVE-2019-11599 (The coredump implementation in the Linux kernel before 5.0.10 do NOTE: https://marc.info/?l=linux-mm=155355419911404=2 NOTE:
[Git][security-tracker-team/security-tracker][master] reclaim curl
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 875c5859 by Thorsten Alteholz at 2020-09-07T09:06:51+02:00 reclaim curl - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -52,7 +52,8 @@ condor NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o (roberto) NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto) -- -curl +curl (Thorsten Alteholz) + NOTE: 20200907: testing package (thorsten) -- eclipse-wtp -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/875c585979f510bfa3595b47ef2ff8fe84d7a6ba
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Holger Levsen pushed to branch master at Debian Security Tracker / security-tracker Commits: 40e150ba by Holger Levsen at 2020-09-07T09:00:17+02:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Holger Levsen hol...@layer-acht.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -52,7 +52,7 @@ condor NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o (roberto) NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto) -- -curl (Thorsten Alteholz) +curl -- eclipse-wtp -- @@ -173,7 +173,7 @@ slirp -- snmptt -- -squid3 (Markus Koschany) +squid3 -- sympa NOTE: 20200525: Incomplete patch. Not the complete patch is made public. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/40e150ba440e08644534b827c7d3f8b69a2d24bc
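Review bot: both unclaims (curl and squid3) drop the claimant's name and leave nothing in the entry to show the package was ever claimed. Other entries in this file record state changes as dated NOTE lines; a line such as "NOTE: 20200907: unclaimed after 2 weeks of inactivity" under each entry would tell the next claimant that there may be partial work to pick up, without having to search the commit history.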
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2366-1 for imagemagick
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 4a86ab3d by Markus Koschany at 2020-09-07T08:39:24+02:00 Reserve DLA-2366-1 for imagemagick - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[07 Sep 2020] DLA-2366-1 imagemagick - security update + {CVE-2017-12140 CVE-2017-12429 CVE-2017-12430 CVE-2017-12435 CVE-2017-12563 CVE-2017-12643 CVE-2017-12670 CVE-2017-12674 CVE-2017-12691 CVE-2017-12692 CVE-2017-12693 CVE-2017-12806 CVE-2017-12875 CVE-2017-13061 CVE-2017-13133 CVE-2017-13658 CVE-2017-13768 CVE-2017-14060 CVE-2017-14172 CVE-2017-14173 CVE-2017-14174 CVE-2017-14175 CVE-2017-14249 CVE-2017-14341 CVE-2017-14400 CVE-2017-14505 CVE-2017-14532 CVE-2017-14624 CVE-2017-14625 CVE-2017-14626 CVE-2017-14739 CVE-2017-14741 CVE-2017-15015 CVE-2017-15017 CVE-2017-15281 CVE-2017-17682 CVE-2017-17914 CVE-2017-18209 CVE-2017-18211 CVE-2017-18271 CVE-2017-18273 CVE-2017-1000445 CVE-2017-1000476 CVE-2018-16643 CVE-2018-16749 CVE-2018-18025 CVE-2019-11598 CVE-2019-13135 CVE-2019-13308 CVE-2019-13391 CVE-2019-15139} + [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u10 [04 Sep 2020] DLA-2278-3 squid3 - regression update [stretch] - squid3 3.5.23-5+deb9u4 [04 Sep 2020] DLA-2365-1 netty-3.9 - security update = data/dla-needed.txt = 
@@ -80,8 +80,6 @@ golang-golang-x-net-dev -- guacamole-client (Mike Gabriel) -- -imagemagick (Markus Koschany) --- jetty9 (Markus Koschany) -- jupyter-notebook View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a86ab3d0598e5e7c7cc26f1494654a5d8d0d0d6
[Git][security-tracker-team/security-tracker][master] Remove four remaining no-dsa tags from imagemagick CVE.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3579fede by Markus Koschany at 2020-09-07T08:23:17+02:00 Remove four remaining no-dsa tags from imagemagick CVE. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -125428,7 +125428,6 @@ CVE-2018-16750 (In ImageMagick 7.0.7-29 and earlier, a memory leak in the format CVE-2018-16749 (In ImageMagick 7.0.7-29 and earlier, a missing NULL check in ReadOneJN ...) {DLA-1530-1} - imagemagick 8:6.9.10.2+dfsg-2 (low) - [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1119 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/1007b98f8795ad4bea6bc5f68a32d83e982fdae4 CVE-2018-16748 @@ -181115,7 +181114,6 @@ CVE-2017-14342 (ImageMagick 7.0.6-6 has a memory exhaustion vulnerability in Rea CVE-2017-14341 (ImageMagick 7.0.6-6 has a large loop vulnerability in ReadWPGImage in ...) {DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #876105) - [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/654 NOTE: https://github.com/ImageMagick/ImageMagick/commit/7d63315a64267c565d1f34b9cb523a14616fed24 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/4eae304e773bad8a876c3c26fdffac24d4253ae4 
@@ -188848,14 +188846,12 @@ CVE-2017-11724 (The ReadMATImage function in coders/mat.c in ImageMagick through CVE-2017-12670 (In ImageMagick 7.0.6-3, missing validation was found in coders/mat.c, ...) {DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-14 (low; bug #870020) - [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/610 NOTE: https://github.com/ImageMagick/ImageMagick/commit/ab440f9ea11e0dbefb7a808cbb9441198758b0cb NOTE: https://github.com/ImageMagick/ImageMagick/commit/75db34b6a4d642cb6f88c792942de27490c900e0 CVE-2017-13658 (In ImageMagick before 6.9.9-3 and 7.x before 7.0.6-3, there is a missi ...) {DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-14 (low; bug #870019) - [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/598 NOTE: https://github.com/ImageMagick/ImageMagick/commit/e5c063a1007506ba69e97a35effcdef944421c89 CVE-2017-12434 (In ImageMagick 7.0.6-1, a missing NULL check vulnerability was found i ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3579fede0cd8615344db2d2eb3383098418d08f2
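Review bot: removing "[stretch] - imagemagick (Minor issue)" from CVE-2018-16749, CVE-2017-14341, CVE-2017-12670 and CVE-2017-13658 leaves those entries with no [stretch] line while the DLA tags shown on them are still only the older ones, and the commit message does not say which update replaces the no-dsa decision. The DLA-2366-1 reservation that lists all four CVEs is a separate commit made about 16 minutes later (08:39:24 against 08:23:17). Name the DLA in this commit message, or make the tag removal and the reservation one commit, so the entries are never left without a recorded stretch decision.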