[Git][security-tracker-team/security-tracker][master] Reserve DLA-2618-1 for smarty3
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: fe4acfc7 by Abhijith PA at 2021-04-05T10:48:58+05:30 Reserve DLA-2618-1 for smarty3 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[05 Apr 2021] DLA-2618-1 smarty3 - security update + {CVE-2018-13982 CVE-2021-26119 CVE-2021-26120} + [stretch] - smarty3 3.1.31+20161214.1.c7d42e4+selfpack1-2+deb9u2 [04 Apr 2021] DLA-2617-1 php-nette - security update {CVE-2020-15227} [stretch] - php-nette 2.4-20160731-1+deb9u1 = data/dla-needed.txt = @@ -144,9 +144,6 @@ shiro (Roberto C. Sánchez) NOTE: 20201004: Sent additional request to upstream dev list; stil no response. (roberto) NOTE: 20201220: Upstream has responded. Working with them to backport fixes. (roberto) -- -smarty3 (Abhijith PA) - NOTE: 20200322: CVE-2018-13982 need more time to backport (abhijith) --- spotweb NOTE: 20201220: The affected code uses string concatenation to construct a SQL query. NOTE: 20201220: Upstream's "fix" is to blacklist all the "bad" SQL commands. (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe4acfc7320aa9758372ef72ba84aa4609bf2670 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe4acfc7320aa9758372ef72ba84aa4609bf2670 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
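Review bot: the DLA/list hunk reserves DLA-2618-1 against three CVEs (CVE-2018-13982, CVE-2021-26119, CVE-2021-26120) but nothing in this commit adds the matching {DLA-2618-1} reference to data/CVE/list; in this repository that reference normally arrives with the next "automatic update" commit (the one later in this digest adds {DLA-2617-1} for php-nette the same way), so after the upload check that all three entries show the DLA for stretch and that the listed version 3.1.31+20161214.1.c7d42e4+selfpack1-2+deb9u2 matches what was actually uploaded.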
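Review bot: the dla-needed.txt hunk drops the smarty3 entry together with its 20200322 note that CVE-2018-13982 needed more time to backport, while the DLA/list hunk lists that CVE as fixed without saying how the backport was resolved; a closing NOTE before the removal, or a sentence in the commit message, would preserve that history for the next LTS member who touches smarty3.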
[Git][security-tracker-team/security-tracker][master] Mark CVE-2021-25290 as no-dsa for stretch
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 51f81b65 by Abhijith PA at 2021-04-05T08:18:57+05:30 Mark CVE-2021-25290 as no-dsa for stretch - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -11330,6 +11330,7 @@ CVE-2021-25291 (An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, CVE-2021-25290 (An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there ...) - pillow 8.1.1-1 [buster] - pillow (Minor issue) + [stretch] - pillow (Minor issue) NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html NOTE: https://github.com/python-pillow/Pillow/commit/e25be1e33dc526bfd1094bc778a54d8e29bf66c9 CVE-2021-25289 (An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap- ...) = data/dla-needed.txt = @@ -85,9 +85,6 @@ opendmarc -- php-pear (Sylvain Beucler) -- -pillow (Abhijith PA) - NOTE: 20200322: Working on no-DSA tagged CVEs (abhijith) --- python2.7 (Anton Gladky) NOTE: 20210316: Same issue as python3.5 immediately below; suggest handled by same maintainer. (lamby) NOTE: 20210320: https://salsa.debian.org/lts-team/packages/python2.7 (gladk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/51f81b65b9c28f3ae190689e43453c63855478d0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/51f81b65b9c28f3ae190689e43453c63855478d0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
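Review bot: the CVE/list hunk adds "[stretch] - pillow (Minor issue)" only under CVE-2021-25290, while the hunk header and trailing context show CVE-2021-25291 and CVE-2021-25289 for the same Pillow 8.1.1 TiffDecode.c fixes with no stretch line in this change; if those were triaged separately, say so in the commit message, otherwise the three siblings should get consistent stretch tags in one commit so the tracker does not show 25290 as no-dsa next to two open entries.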
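Review bot: the dla-needed.txt hunk removes the whole pillow entry ("Working on no-DSA tagged CVEs") on the strength of a single stretch no-dsa tag; before a package leaves dla-needed.txt, confirm no other open pillow CVEs remain for stretch, otherwise it silently drops off the LTS work list.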
[Git][security-tracker-team/security-tracker][master] 4 commits: Triage python-bleach for stretch
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 9492244e by Utkarsh Gupta at 2021-04-05T05:59:43+05:30 Triage python-bleach for stretch - - - - - 5dfe3191 by Utkarsh Gupta at 2021-04-05T06:00:23+05:30 Mark CVE-2021-/plinth as no-dsa for stretch - - - - - 621a79ca by Utkarsh Gupta at 2021-04-05T06:01:30+05:30 Mark CVE-2021-29424/libnet-netmask-perl as no-dsa for stretch - - - - - 4773d226 by Utkarsh Gupta at 2021-04-05T06:04:58+05:30 Mark several openexr issues as no-dsa; follow buster triage - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -1037,18 +1037,21 @@ CVE-2021-3480 CVE-2021-3479 (There's a flaw in OpenEXR's Scanline API functionality in versions bef ...) - openexr [buster] - openexr (Minor issue) + [stretch] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25370 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/d80f11f4f55100d007ae80a162bf257ec291612c NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/830 CVE-2021-3478 (There's a flaw in OpenEXR's scanline input file functionality in versi ...) - openexr [buster] - openexr (Minor issue) + [stretch] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27409 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939160 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/bc88cdb6c97fbf5bc5d11ad8ca55306da931283a CVE-2021-3477 (There's a flaw in OpenEXR's deep tile sample size calculations in vers ...) - openexr [buster] - openexr (Minor issue) + [stretch] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26956 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939159 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/467be80b75642efbbe6bdace558079f68c16acb1 
@@ -1497,11 +1500,13 @@ CVE-2021-29425 CVE-2021-3476 (A flaw was found in OpenEXR's B44 uncompression functionality in versi ...) - openexr [buster] - openexr (Minor issue) + [stretch] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24787 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/eec0dba242bedd2778c973ae4af112107b33d9c9 CVE-2021-3475 (There is a flaw in OpenEXR in versions before 3.0.0-beta. An attacker ...) - openexr [buster] - openexr (Minor issue) + [stretch] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25297 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/2a18ed424a854598c2a20b5dd7e782b436a1e753 CVE-2021-3474 (There's a flaw in OpenEXR in versions before 3.0.0-beta. A crafted inp ...) @@ -1515,6 +1520,7 @@ CVE-2021-29662 (The Data::Validate::IP module through 0.29 for Perl does not pro CVE-2021-29424 (The Net::Netmask module before 2. for Perl does not properly consi ...) - libnet-netmask-perl (bug #986135) [buster] - libnet-netmask-perl (Minor issue) + [stretch] - libnet-netmask-perl (Minor issue) NOTE: https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/ NOTE: https://metacpan.org/changes/distribution/Net-Netmask#L11-22 NOTE: https://github.com/jmaslak/Net-Netmask/commit/9023b403682f1eaadadf6cb71ba0117a1fa4f163 @@ -1836,6 +1842,7 @@ CVE-2021- [first_boot: Use session to verify first boot welcome step] - freedombox 21.4.2 - plinth [buster] - plinth (Minor issue) + [stretch] - plinth (Minor issue) NOTE: https://salsa.debian.org/freedombox-team/freedombox/-/issues/2074 (not yet public) NOTE: https://salsa.debian.org/freedombox-team/freedombox/-/commit/f2005f56aa44d15c0fb82c5211c548a575961b03 CVE-2021-29273 
@@ -23596,6 +23603,7 @@ CVE-2021-20297 [Setting match.path and activating a profiles crashes NetworkMana CVE-2021-20296 (A flaw was found in OpenEXR in versions before 3.0.0-beta. A crafted i ...) - openexr [buster] - openexr (Minor issue) + [stretch] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24854 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/b0c63c0b96eb9b0d3998f603e12f9f414fb0d44a CVE-2021-20295 [Regression of CVE-2020-10756 fix in virt:rhel/qemu-kvm in Red Hat Enterprise Linux 8.3] = data/dla-needed.txt = @@ -98,6 +98,8 @@ python3.5 (Anton Gladky) NOTE: 20210320: https://salsa.debian.org/lts-team/packages/python3.5 (gladk) NOTE: 20210404: Almost ready for upload (gladk
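Review bot: the openexr hunks add a "[stretch] - openexr (Minor issue)" line mirroring the buster line under each of CVE-2021-3479, 3478, 3477, 3476, 3475 and 20296, which matches the "follow buster triage" commit message; each entry's NOTE lines point to a different upstream commit, so an eventual stretch update has to collect fixes per CVE rather than take one upstream release, and that is worth recording in dla-needed.txt when openexr is picked up.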
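Review bot: the plinth hunk attaches the stretch no-dsa tag to an entry whose identifier reads "CVE-2021-" with no number, and the commit message "Mark CVE-2021-/plinth" carries the same gap; the tag needs to be re-checked once the assigned id is in place, especially since the entry notes the upstream issue is "not yet public".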
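Review bot: the dla-needed.txt hunk (@@ -98,6 +98,8 @@) is cut off after the python3.5 context line "Almost ready for upload (gladk", so the two added lines are not visible and the "Triage python-bleach for stretch" commit cannot be reviewed from this message; check the change in the GitLab compare view.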
[Git][security-tracker-team/security-tracker][master] 2 commits: Mark CVE-2021-22890/curl as not-affected for stretch
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: cc93b4c8 by Utkarsh Gupta at 2021-04-05T05:51:07+05:30 Mark CVE-2021-22890/curl as not-affected for stretch - - - - - 0d426f85 by Utkarsh Gupta at 2021-04-05T05:52:32+05:30 Triage curl for stretch - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -16445,6 +16445,7 @@ CVE-2021-22891 CVE-2021-22890 (curl 7.63.0 to and including 7.75.0 includes vulnerability that allows ...) {DSA-4881-1} - curl (bug #986270) + [stretch] - curl (Vunerable code introduced later) NOTE: https://curl.se/docs/CVE-2021-22890.html NOTE: Fixed by: https://github.com/curl/curl/commit/b09c8ee15771c614c4bf3ddac893cdb12187c844 CVE-2021-22889 (Revive Adserver before v5.2.0 is vulnerable to a reflected XSS vulnera ...) = data/dla-needed.txt = @@ -44,6 +44,11 @@ courier-authlib NOTE: 20210329: and getting prepared. The nature of conversation is NOTE: 20210329: internal and Utkarsh is working on it already. (utkarsh) -- +curl + NOTE: 20210405: the patch applies but is missing a lot of elements; + NOTE: 20210405: namely CURLU, CURLUPART_{URL,FRAGMENT,USER,PASSWORD}. (utkarsh) + NOTE: 20210405: see https://lists.debian.org/debian-lts/2021/04/msg2.html. (utkarsh) +-- edk2 -- firmware-nonfree View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/050815f038924983c0ff501fc15fae104bcd408f...0d426f85caaad5728761ad3fc1d65f965cccba26 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/050815f038924983c0ff501fc15fae104bcd408f...0d426f85caaad5728761ad3fc1d65f965cccba26 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
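Review bot: the added stretch line misspells the annotation as "(Vunerable code introduced later)"; the tracker's wording is "Vulnerable code introduced later" (compare "(Vulnerable code not present)" in the python2.7 line for CVE-2021-3426 in this digest), and because these annotations are rendered on the tracker pages the typo should be corrected in a follow-up commit.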
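Review bot: the new curl entry in dla-needed.txt records that "the patch applies but is missing a lot of elements; namely CURLU, CURLUPART_{URL,FRAGMENT,USER,PASSWORD}" without naming which CVE the patch is for; since the same push marks CVE-2021-22890 as not-affected for stretch, the note should state the CVE it concerns so a reader does not assume it is 22890, and say whether the missing pieces mean the fix is to be reworked for the stretch version or that the stretch code is simply not affected.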
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 050815f0 by security tracker role at 2021-04-04T20:10:19+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -62601,6 +62601,7 @@ CVE-2020-15229 (Singularity (an open source container platform) from version 3.1 CVE-2020-15228 (In the `@actions/core` npm module before version 1.2.6,`addPath` and ` ...) NOT-FOR-US: Node @actions/core CVE-2020-15227 (Nette versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16, 3.0.6 ar ...) + {DLA-2617-1} - php-nette NOTE: https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94 CVE-2020-15226 (In GLPI before version 9.5.2, there is a SQL Injection in the API's se ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/050815f038924983c0ff501fc15fae104bcd408f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/050815f038924983c0ff501fc15fae104bcd408f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: c790f7ed by Thorsten Alteholz at 2021-04-04T19:35:19+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -52,7 +52,7 @@ firmware-nonfree golang-github-appc-cni (Thorsten Alteholz) NOTE: 20210221: also taking care of reverse dependencies NOTE: 20210221: also taking care of other suites - NOTE: 20210321: still WIP + NOTE: 20210304: still WIP, trying to automize golang updates -- golang-gogoprotobuf NOTE: 20210218: If you have any idea why this is called the "skippy peanut butter" issue, I would be mildly interested. (lamby) @@ -66,8 +66,8 @@ golang-gogoprotobuf gsoap -- libebml (Thorsten Alteholz) - NOTE: 20210307: testing package NOTE: 20210321: preparing buster debdiff as well + NOTE: 20210404: still WIP -- linux (Ben Hutchings) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c790f7ed7c84ad9d9efbafc9803b088df9ad0bcb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c790f7ed7c84ad9d9efbafc9803b088df9ad0bcb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
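Review bot: the replaced golang-github-appc-cni note changes the date from 20210321 to 20210304, which is earlier than the note it replaces and than the commit date (2021-04-04); the libebml hunk in the same commit uses 20210404, so this looks like a transposed date and should read 20210404. The usual practice in this file is to append a new dated NOTE rather than overwrite the previous one, and "automize" should be "automate".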
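Review bot: the libebml hunk removes the 20210307 "testing package" note instead of keeping it and adding the new 20210404 line below; dropping earlier notes loses the timeline that other LTS members rely on when picking up a package, so prefer appending.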
[Git][security-tracker-team/security-tracker][master] 3 commits: Update information about CVE-2021-3426
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 535dc827 by Anton Gladky at 2021-04-03T22:29:44+02:00 Update information about CVE-2021-3426 - - - - - 812bd66b by Anton Gladky at 2021-04-04T10:13:33+02:00 Use square brackets - - - - - ffdfd9b0 by Salvatore Bonaccorso at 2021-04-04T17:09:44+00:00 Merge branch update_CVE-2021-3426 into master Update information about CVE-2021-3426 See merge request security-tracker-team/security-tracker!82 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4447,7 +4447,7 @@ CVE-2021-28374 (The Debian courier-authlib package before 0.71.1-2 for Courier A - courier-authlib 0.71.1-2 (bug #984810) NOTE: Re-introduction of #378571 while migrating from debian/permissions to NOTE: debian/courier-authdaemon.tmpfiles in 0.66.4-2. -CVE-2021-3426 +CVE-2021-3426 [Running `pydoc -p` allows other local users to extract arbitrary files. The `/getfile?key=path` URL allows to read arbitrary file on the filesystem.] RESERVED [experimental] - python3.9 3.9.3-1 - python3.9 
@@ -4457,6 +4457,7 @@ CVE-2021-3426 - python3.5 - python2.7 (Vulnerable code not present) NOTE: https://bugs.python.org/issue42988 + NOTE: https://github.com/python/cpython/commit/9b999479c0022edfc9835a8a1f06e046f3881048 NOTE: https://python-security.readthedocs.io/vuln/pydoc-getfile.html NOTE: https://github.com/python/cpython/pull/24337 NOTE: https://github.com/python/cpython/pull/24285 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/478394fb481195484fda76549810233faa99f9a0...ffdfd9b04f2730fee67d19a5bb61f94229e30bb7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/478394fb481195484fda76549810233faa99f9a0...ffdfd9b04f2730fee67d19a5bb61f94229e30bb7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
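Review bot: the second hunk adds the upstream commit 9b999479c0022edfc9835a8a1f06e046f3881048 as a NOTE, but the entry already lists pull requests 24337 and 24285; say which branch the commit belongs to or which PR it merges so a stretch backporter knows which to pick, and place it next to the PR links rather than between the bug tracker URL and the readthedocs page. In the context lines python3.5 carries no status annotation while python2.7 is marked "(Vulnerable code not present)"; python3.5 does appear in dla-needed.txt in the "LTS: Update status of packages" commit of this digest, so if it is affected the CVE entry should reflect that too.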
[Git][security-tracker-team/security-tracker] Deleted branch update_CVE-2021-3426
Anton Gladky deleted branch update_CVE-2021-3426 at Debian Security Tracker / security-tracker
[Git][security-tracker-team/security-tracker][master] LTS: Update status of packages
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 478394fb by Anton Gladky at 2021-04-04T19:07:23+02:00 LTS: Update status of packages - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -26,6 +26,7 @@ ceph NOTE: 20210118: wip (Emilio) -- cgal (Anton Gladky) + NOTE: 20210404: https://salsa.debian.org/lts-team/packages/cgal WIP (gladk) -- condor NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto) @@ -85,10 +86,12 @@ pillow (Abhijith PA) python2.7 (Anton Gladky) NOTE: 20210316: Same issue as python3.5 immediately below; suggest handled by same maintainer. (lamby) NOTE: 20210320: https://salsa.debian.org/lts-team/packages/python2.7 (gladk) + NOTE: 20210404: WIP (gladk) -- python3.5 (Anton Gladky) NOTE: 20210217: Fairly invasive change, changing/augmenting API of standard library. (lamby) NOTE: 20210320: https://salsa.debian.org/lts-team/packages/python3.5 (gladk) + NOTE: 20210404: Almost ready for upload (gladk) -- qemu (Markus Koschany) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/478394fb481195484fda76549810233faa99f9a0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/478394fb481195484fda76549810233faa99f9a0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2020-15227,nette: Remove no-dsa tag
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 8d6d44c7 by Markus Koschany at 2021-04-04T11:42:10+02:00 CVE-2020-15227,nette: Remove no-dsa tag - - - - - 1de6dc27 by Markus Koschany at 2021-04-04T11:55:27+02:00 Reserve DLA-2617-1 for php-nette - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -62601,7 +62601,6 @@ CVE-2020-15228 (In the `@actions/core` npm module before version 1.2.6,`addPath` NOT-FOR-US: Node @actions/core CVE-2020-15227 (Nette versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16, 3.0.6 ar ...) - php-nette - [stretch] - php-nette (low priority) NOTE: https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94 CVE-2020-15226 (In GLPI before version 9.5.2, there is a SQL Injection in the API's se ...) - glpi = data/DLA/list = @@ -1,3 +1,6 @@ +[04 Apr 2021] DLA-2617-1 php-nette - security update + {CVE-2020-15227} + [stretch] - php-nette 2.4-20160731-1+deb9u1 [03 Apr 2021] DLA-2616-1 libxstream-java - security update {CVE-2021-21341 CVE-2021-21342 CVE-2021-21343 CVE-2021-21344 CVE-2021-21345 CVE-2021-21346 CVE-2021-21347 CVE-2021-21348 CVE-2021-21349 CVE-2021-21350 CVE-2021-21351} [stretch] - libxstream-java 1.4.11.1-1+deb9u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3c8ca4545eba46449b9710840d363e6399412af7...1de6dc275242579611cacb0ab8b2cdcc8d0ec737 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3c8ca4545eba46449b9710840d363e6399412af7...1de6dc275242579611cacb0ab8b2cdcc8d0ec737 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
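Review bot: the CVE/list hunk removes "[stretch] - php-nette (low priority)" in a commit separate from the DLA-2617-1 reservation, and the {DLA-2617-1} reference only reaches data/CVE/list with the later "automatic update" commit in this digest; keep the tag removal and the reservation in one commit so the history shows that the DLA supersedes the low-priority tag, and confirm the DLA/list version 2.4-20160731-1+deb9u1 matches the upload exactly.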
[Git][security-tracker-team/security-tracker][update_CVE-2021-3426] Use square brackets
Anton Gladky pushed to branch update_CVE-2021-3426 at Debian Security Tracker / security-tracker Commits: 812bd66b by Anton Gladky at 2021-04-04T10:13:33+02:00 Use square brackets - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4445,7 +4445,7 @@ CVE-2021-28374 (The Debian courier-authlib package before 0.71.1-2 for Courier A - courier-authlib 0.71.1-2 (bug #984810) NOTE: Re-introduction of #378571 while migrating from debian/permissions to NOTE: debian/courier-authdaemon.tmpfiles in 0.66.4-2. -CVE-2021-3426 (Running `pydoc -p` allows other local users to extract arbitrary files. The `/getfile?key=path` URL allows to read arbitrary file on the filesystem.) +CVE-2021-3426 [Running `pydoc -p` allows other local users to extract arbitrary files. The `/getfile?key=path` URL allows to read arbitrary file on the filesystem.] RESERVED [experimental] - python3.9 3.9.3-1 - python3.9 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/812bd66b30d3b4db6b70c9ab72a6110c14883008 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/812bd66b30d3b4db6b70c9ab72a6110c14883008 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits