[Git][security-tracker-team/security-tracker][master] CVE-2024-38473/apache2
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: e2ed15b8 by Bastien Roucariès at 2024-07-11T21:40:39+00:00 CVE-2024-38473/apache2 One of the identified fixes is in fact CVE-2024-39573 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -2631,11 +2631,10 @@ CVE-2024-38473 (Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and e NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-38473 NOTE: https://github.com/apache/httpd/pull/457 NOTE: https://github.com/apache/httpd/pull/458 - NOTE: Fixed by [1/5] https://github.com/apache/httpd/commit/b10cb2d69184843832d501a615abe3e8e5e256dc - NOTE: Fixed by [2/5] https://github.com/apache/httpd/commit/6b8e043ce4f27114e6ae1b8176b629b7cb3fbbce - NOTE: Fixed by [3/5] https://github.com/apache/httpd/commit/93aec0e3ca451bcc97f6d91c14d5399d13a73365 - NOTE: Fixed by [4/5] https://github.com/apache/httpd/commit/cc00cf6b4e37370897daddc307bf1deecf8fedfa - NOTE: Fixed by [5/5] https://github.com/apache/httpd/commit/4326d6b9041a3bcb9b529f9163d0761c2d760700 + NOTE: Fixed by [1/4] https://github.com/apache/httpd/commit/b10cb2d69184843832d501a615abe3e8e5e256dc + NOTE: Fixed by [2/4] https://github.com/apache/httpd/commit/6b8e043ce4f27114e6ae1b8176b629b7cb3fbbce + NOTE: Fixed by [3/4] https://github.com/apache/httpd/commit/cc00cf6b4e37370897daddc307bf1deecf8fedfa + NOTE: Fixed by [4/4] https://github.com/apache/httpd/commit/4326d6b9041a3bcb9b529f9163d0761c2d760700 CVE-2024-38472 (SSRF in Apache HTTP Server on Windows allows to potentially leak NTML ...) - apache2 2.4.60-1 (unimportant) NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-38472 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e2ed15b8e8e35c7c54921a4b76bd1a912a9fed9a -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e2ed15b8e8e35c7c54921a4b76bd1a912a9fed9a You're receiving this email because of your account on salsa.debian.org. 
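Review bot: the commit 93aec0e3ca451bcc97f6d91c14d5399d13a73365 dropped from the CVE-2024-38473 list is, per the commit message, the fix for CVE-2024-39573, yet the hunk only removes it and adds no matching NOTE under the CVE-2024-39573 entry, so the reattribution survives only in git history. Suggest adding `NOTE: Fixed by https://github.com/apache/httpd/commit/93aec0e3ca451bcc97f6d91c14d5399d13a73365` to CVE-2024-39573 in the same change and reconciling it with the `likely fix` note that entry already carries for 9494aa8d52e3c263bc0413b77ac8a73b0d524388.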
___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2024-36387/apache2
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: df91a1cf by Bastien Roucariès at 2024-07-11T21:18:52+00:00 CVE-2024-36387/apache2 Change fixed commit by cross checking SVN - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2645,7 +2645,8 @@ CVE-2024-36387 (Serving WebSocket protocol upgrades over a HTTP/2 connection cou {DSA-5729-1} - apache2 2.4.60-1 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-36387 - NOTE: https://github.com/apache/httpd/commit/c69a51bff8157e403121f8436d85dde21ad28bd2 + NOTE: https://github.com/apache/httpd/commit/62aa64e5aea21dd969db97aded4443c98c0735ac + NOTE: (see also https://svn.apache.org/viewvc?view=revision=1918557) CVE-2024-6409 (A signal handler race condition vulnerability was found in OpenSSH's s ...) - openssh (Exploitable issue in RHEL9 packaged versions) NOTE: https://www.openwall.com/lists/oss-security/2024/07/08/2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df91a1cfb894b84698891194906cd98135391499 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df91a1cfb894b84698891194906cd98135391499 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
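Review bot: the replaced fix reference swaps the commit id outright but does not follow the `NOTE: Fixed by ...` / `NOTE: (or https://svn.apache.org/viewvc?...)` form used for the other apache2 entries in this file, and nothing records why c69a51bff8157e403121f8436d85dde21ad28bd2 was wrong. Suggest `NOTE: Fixed by https://github.com/apache/httpd/commit/62aa64e5aea21dd969db97aded4443c98c0735ac` with the SVN revision on the usual `(or ...)` line, plus a one-line reason for the correction so it is not reverted later.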
[Git][security-tracker-team/security-tracker][master] Update CVE-2022-3213/imagemagick for bullseye
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ed49a12 by Bastien Roucariès at 2024-07-11T16:50:26+00:00 Update CVE-2022-3213/imagemagick for bullseye The issue got fixed along with fixes of CVE-2023-1906 and CVE-2023-3428 long the way in the imagemagick/8:6.9.11.60+dfsg-1.3+deb11u3 update. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -144531,7 +144531,7 @@ CVE-2022-3214 (Delta Industrial Automation's DIAEnergy, an industrial energy man CVE-2022-3213 (A heap buffer overflow issue was found in ImageMagick. When an applica ...) - imagemagick 8:6.9.12.98+dfsg1-2 (bug #1021141) [bookworm] - imagemagick 8:6.9.11.60+dfsg-1.6+deb12u1 - [bullseye] - imagemagick (Minor issue) + [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u3 [buster] - imagemagick (Vulnerable code was introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2126824 NOTE: https://github.com/ImageMagick/ImageMagick/commit/30ccf9a0da1f47161b5935a95be854fe84e6c2a2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ed49a1237621ce56155f1391f780c4b7f0ed8f8 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ed49a1237621ce56155f1391f780c4b7f0ed8f8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
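Review bot: the bullseye line now records 8:6.9.11.60+dfsg-1.3+deb11u3 as the fixed version, but the hunk adds no NOTE capturing the commit message's rationale that the fix arrived with the CVE-2023-1906 / CVE-2023-3428 update. Suggest a `NOTE: fixed in bullseye along with CVE-2023-1906 and CVE-2023-3428` line (or the advisory id of that upload) so the entry is verifiable without reading git history.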
[Git][security-tracker-team/security-tracker][master] CVE-2024-38477/apache2
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 9292d514 by Bastien Roucariès at 2024-07-11T14:55:51+00:00 CVE-2024-38477/apache2 Add a note about a regression identified by ubuntu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2487,6 +2487,8 @@ CVE-2024-38477 (null pointer dereference in mod_proxy in Apache HTTP Server 2.4. - apache2 2.4.60-1 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-38477 NOTE: Fixed by https://github.com/apache/httpd/commit/1d98d4db186e708f059336fb9342d0adb6925e85 + NOTE: Regression identified by Ubuntu https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/2072648 + NOTE: Rgression fixed by https://github.com/apache/httpd/commit/4d3a308014be26e5407113b4c827a1ea2882bf38 NOTE: (or https://svn.apache.org/viewvc?view=revision=1918607) CVE-2024-38476 (Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vul ...) - apache2 2.4.60-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9292d51416f5e7621ca183fe9a92c5a2cafd092a -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9292d51416f5e7621ca183fe9a92c5a2cafd092a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
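Review bot: typo in the second added line, `NOTE: Rgression fixed by` should read `NOTE: Regression fixed by`. The entry otherwise reads as fixed at apache2 2.4.60-1 while pointing at a post-release regression fix (4d3a308014be26e5407113b4c827a1ea2882bf38); a short NOTE saying whether the Debian 2.4.60-1 upload already carries that fix would stop readers from treating 2.4.60-1 as fully settled.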
[Git][security-tracker-team/security-tracker][master] CVE-2024-3847[4-5]/apache2
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 923198a2 by Bastien Roucariès at 2024-07-09T21:34:28+00:00 CVE-2024-3847[4-5]/apache2 Add logging fix for this CVE - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2030,12 +2030,14 @@ CVE-2024-38475 (Improper escaping of output in mod_rewrite in Apache HTTP Server NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-38475 NOTE: same fix as CVE-2024-28474 NOTE: Fixed by https://github.com/apache/httpd/commit/1feb5e04a4f7b5f3f13cd40f9635144319dcf24a + NOTE: Need also log fix https://github.com/apache/httpd/commit/4797330ad813d9f8a2bb1b3b8d03ceb523dc4884 NOTE: (or https://svn.apache.org/viewvc?view=revision=1918561) CVE-2024-38474 (Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.5 ...) - apache2 2.4.60-1 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-38474 NOTE: same fix as CVE-2024-28475 NOTE: Fixed by https://github.com/apache/httpd/commit/1feb5e04a4f7b5f3f13cd40f9635144319dcf24a + NOTE: need also log fix https://github.com/apache/httpd/commit/4797330ad813d9f8a2bb1b3b8d03ceb523dc4884 NOTE: (or https://svn.apache.org/viewvc?view=revision=1918561) CVE-2024-38473 (Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier ...) - apache2 2.4.60-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/923198a2788f126033a653ede190c7f6417ecc14 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/923198a2788f126033a653ede190c7f6417ecc14 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
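Review bot: the two added lines are inconsistent in capitalization (`NOTE: Need also log fix` under CVE-2024-38475, `NOTE: need also log fix` under CVE-2024-38474); pick one form. Since the log fix 4797330ad813d9f8a2bb1b3b8d03ceb523dc4884 is presented as required for the CVE fix, consider the `NOTE: Fixed by [n/m]` numbering used elsewhere in this file instead of free text, so tooling and readers see it as part of the fix set rather than a remark.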
[Git][security-tracker-team/security-tracker][master] CVE-2024-39573/apache2
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 1d6cd056 by Bastien Roucariès at 2024-07-09T21:29:47+00:00 CVE-2024-39573/apache2 Comment on patch https://github.com/apache/httpd/commit/9494aa8d52e3c263bc0413b77ac8a73b0d524388 said
    else if (!(p->flags & (RULEFLAG_PROXY | RULEFLAG_FORCEREDIRECT))) {
        /* Not an absolute URI-path and the scheme (if any) is unknown,
         * and it wont be passed to fully_qualify_uri() below either,
         * so add an implicit / prefix. This avoids potentially a common
         * rule like RewriteRule ^/some/path(.*) $1 that is given a path
         * like /some/pathscheme:... to produce the fully qualified URL
         * scheme:... which could be misinterpreted later.
         */
It is the description of CVE-2024-39573 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -2013,6 +2013,7 @@ CVE-2024-39884 (A regression in the core of Apache HTTP Server 2.4.60 ignores so CVE-2024-39573 (Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier ...) - apache2 2.4.60-1 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-39573 + NOTE: likely fix according to comment in code https://github.com/apache/httpd/commit/9494aa8d52e3c263bc0413b77ac8a73b0d524388 CVE-2024-38477 (null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and ...) - apache2 2.4.60-1 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-38477 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d6cd0564ff41a7a5de5bef47b0babe63271c4e6 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d6cd0564ff41a7a5de5bef47b0babe63271c4e6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
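Review bot: the added NOTE records 9494aa8d52e3c263bc0413b77ac8a73b0d524388 only as a "likely fix" based on a code comment and, unlike the neighbouring apache2 entries, carries no `NOTE: (or https://svn.apache.org/viewvc?...)` cross-reference. Suggest adding the SVN revision or the upstream PR that backs the attribution, or wording the NOTE as `TODO: confirm fix commit`, so a later reader knows the link to the advisory is still unverified.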
[Git][security-tracker-team/security-tracker][master] CVE-2024-39884/apache2
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: da5fc7bc by Bastien Roucariès at 2024-07-09T21:21:14+00:00 CVE-2024-39884/apache2 Add some note about regression - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2004,6 +2004,12 @@ CVE-2024-39884 (A regression in the core of Apache HTTP Server 2.4.60 ignores so [bookworm] - apache2 (Vulnerable code not present) [bullseye] - apache2 (Vulnerable code not present) NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-39884 + NOTE: Fixed by [1/4] https://github.com/apache/httpd/commit/cf3402e182f7a32eb9085a82347769cb2efe491e + NOTE: Fixed by [2/4] https://github.com/apache/httpd/commit/aa4b05ee0536fdbd62b02eaab91f31ae3a305129 + NOTE: Fixed by [3/4] https://github.com/apache/httpd/commit/8ad3ec08d4852e1fc967377dbab4e8c76b96b791 + NOTE: Fixed by [4/4] https://github.com/apache/httpd/commit/fbe782e6c4a7c255790b80c74d5b8ee320ec93d2 + NOTE: Introduced by https://github.com/apache/httpd/commit/925b6f0ceb8983a11662b5f3a6f2fa75860c2cde + NOTE: Likely a regression during fix of CVE-2024-38476 CVE-2024-39573 (Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier ...) - apache2 2.4.60-1 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-39573 
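Review bot: the `NOTE: Introduced by https://github.com/apache/httpd/commit/925b6f0ceb8983a11662b5f3a6f2fa75860c2cde` line together with `Likely a regression during fix of CVE-2024-38476` means the `[bookworm] - apache2 (Vulnerable code not present)` and `[bullseye] - apache2 (Vulnerable code not present)` lines above hold only as long as the CVE-2024-38476 fix is not backported to those suites. Suggest a NOTE stating that dependency explicitly so the stable status is revisited when CVE-2024-38476 is fixed there.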
@@ -2015,8 +2021,9 @@ CVE-2024-38477 (null pointer dereference in mod_proxy in Apache HTTP Server 2.4. CVE-2024-38476 (Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vul ...) - apache2 2.4.60-1 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-38476 - NOTE: Fixed by https://github.com/apache/httpd/commit/554554b0ebb14d6578adb70a389c57a0d5f18a3b + NOTE: Fixed by https://github.com/apache/httpd/commit/925b6f0ceb8983a11662b5f3a6f2fa75860c2cde NOTE: (or https://svn.apache.org/viewvc?view=revision=1918560) + NOTE: see also regression CVE-2024-39884 CVE-2024-38475 (Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.5 ...) - apache2 2.4.60-1 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-38475 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da5fc7bc798a86bf0f9337c833aae3761ffc4a2b -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da5fc7bc798a86bf0f9337c833aae3761ffc4a2b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
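Review bot: the Fixed-by commit for CVE-2024-38476 changes from 554554b0ebb14d6578adb70a389c57a0d5f18a3b to 925b6f0ceb8983a11662b5f3a6f2fa75860c2cde, but the unchanged context line with the SVN cross-reference (r1918560) was recorded for the old commit. Confirm that r1918560 is the SVN counterpart of 925b6f0c and update or drop the line if it is not, and add a short NOTE on why 554554b0 was wrong so the correction is not reverted.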
[Git][security-tracker-team/security-tracker][master] CVE-2024-38476/apache2
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 1b07e538 by Bastien Roucariès at 2024-07-09T18:29:54+00:00 CVE-2024-38476/apache2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1312,6 +1312,8 @@ CVE-2024-39573 (Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and e CVE-2024-38477 (null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and ...) - apache2 2.4.60-1 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-38477 + NOTE: Fixed by https://github.com/apache/httpd/commit/1d98d4db186e708f059336fb9342d0adb6925e85 + NOTE: (or https://svn.apache.org/viewvc?view=revision=1918607) CVE-2024-38476 (Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vul ...) - apache2 2.4.60-1 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-38476 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1b07e53864d50425ef789501487376f8a4d5c707 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1b07e53864d50425ef789501487376f8a4d5c707 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
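Review bot: the commit subject says `CVE-2024-38476/apache2`, but the hunk only adds the fix commit and SVN revision under the CVE-2024-38477 entry; the CVE-2024-38476 lines appear solely as unchanged context. The subject should name CVE-2024-38477 so the history is searchable by the right identifier.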
[Git][security-tracker-team/security-tracker][master] CVE-2024-38476/apache2
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 2a1eb48f by Bastien Roucariès at 2024-07-09T18:26:13+00:00 CVE-2024-38476/apache2 Add commits fixing the CVE - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1315,6 +1315,8 @@ CVE-2024-38477 (null pointer dereference in mod_proxy in Apache HTTP Server 2.4. CVE-2024-38476 (Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vul ...) - apache2 2.4.60-1 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-38476 + NOTE: Fixed by https://github.com/apache/httpd/commit/554554b0ebb14d6578adb70a389c57a0d5f18a3b + NOTE: (or https://svn.apache.org/viewvc?view=revision=1918560) CVE-2024-38475 (Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.5 ...) - apache2 2.4.60-1 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-38475 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a1eb48f04334f8d6d1e5e5dd3557acfdc8f4a2e -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a1eb48f04334f8d6d1e5e5dd3557acfdc8f4a2e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2024-2847{4,5}/apach2
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: d624b0af by Bastien Roucariès at 2024-07-09T18:23:12+00:00 CVE-2024-2847{4,5}/apach2 Add commit fixing upstream and note - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1318,9 +1318,15 @@ CVE-2024-38476 (Vulnerability in core of Apache HTTP Server 2.4.59 and earlier a CVE-2024-38475 (Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.5 ...) - apache2 2.4.60-1 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-38475 + NOTE: same fix as CVE-2024-28474 + NOTE: Fixed by https://github.com/apache/httpd/commit/1feb5e04a4f7b5f3f13cd40f9635144319dcf24a + NOTE: (or https://svn.apache.org/viewvc?view=revision=1918561) CVE-2024-38474 (Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.5 ...) - apache2 2.4.60-1 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-38474 + NOTE: same fix as CVE-2024-28475 + NOTE: Fixed by https://github.com/apache/httpd/commit/1feb5e04a4f7b5f3f13cd40f9635144319dcf24a + NOTE: (or https://svn.apache.org/viewvc?view=revision=1918561) CVE-2024-38473 (Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier ...) - apache2 2.4.60-1 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-38473 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d624b0afdb51dcafeea66af1d499a4c1ef1acfab -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d624b0afdb51dcafeea66af1d499a4c1ef1acfab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
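Review bot: the added cross-references read `NOTE: same fix as CVE-2024-28474` (under CVE-2024-38475) and `NOTE: same fix as CVE-2024-28475` (under CVE-2024-38474), but the two entries sharing commit 1feb5e04a4f7b5f3f13cd40f9635144319dcf24a are CVE-2024-38474 and CVE-2024-38475. The ids look mistyped (the commit subject `CVE-2024-2847{4,5}/apach2` has the same slip, plus `apach2` for apache2) and should be corrected so the notes do not point at unrelated CVEs.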
[Git][security-tracker-team/security-tracker][master] CVE-2024-38473/apache2
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: a3019397 by Bastien Roucariès at 2024-07-09T18:20:16+00:00 CVE-2024-38473/apache2 Add pull request (including some bug report) and commit fixing the CVE - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1324,6 +1324,13 @@ CVE-2024-38474 (Substitution encoding issue in mod_rewrite in Apache HTTP Server CVE-2024-38473 (Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier ...) - apache2 2.4.60-1 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-38473 + NOTE: https://github.com/apache/httpd/pull/457 + NOTE: https://github.com/apache/httpd/pull/458 + NOTE: Fixed by [1/5] https://github.com/apache/httpd/commit/b10cb2d69184843832d501a615abe3e8e5e256dc + NOTE: Fixed by [2/5] https://github.com/apache/httpd/commit/6b8e043ce4f27114e6ae1b8176b629b7cb3fbbce + NOTE: Fixed by [3/5] https://github.com/apache/httpd/commit/93aec0e3ca451bcc97f6d91c14d5399d13a73365 + NOTE: Fixed by [4/5] https://github.com/apache/httpd/commit/cc00cf6b4e37370897daddc307bf1deecf8fedfa + NOTE: Fixed by [5/5] https://github.com/apache/httpd/commit/4326d6b9041a3bcb9b529f9163d0761c2d760700 CVE-2024-38472 (SSRF in Apache HTTP Server on Windows allows to potentially leak NTML ...) - apache2 2.4.60-1 (unimportant) NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-38472 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a3019397586a48f853c6285e7a1ffd50dfc8058c -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a3019397586a48f853c6285e7a1ffd50dfc8058c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
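Review bot: the five `NOTE: Fixed by [n/5]` commits are listed under CVE-2024-38473 together with two pull requests (457 and 458) without saying which commit belongs to which PR or to which part of the advisory text. Tagging each commit with its PR, or grouping them as `[1/3]` and `[1/2]` per PR, would make it easier to prune a commit later if one turns out to belong to a different CVE.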
[Git][security-tracker-team/security-tracker][master] CVE-2024-38472/apache2
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 949e0518 by Bastien Roucariès at 2024-07-09T18:09:55+00:00 CVE-2024-38472/apache2 Unimportant affects only windows - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1325,8 +1325,10 @@ CVE-2024-38473 (Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and e - apache2 2.4.60-1 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-38473 CVE-2024-38472 (SSRF in Apache HTTP Server on Windows allows to potentially leak NTML ...) - - apache2 2.4.60-1 + - apache2 2.4.60-1 (unimportant) NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-38472 + NOTE: https://github.com/apache/httpd/commit/12542a80324b69ad6a1a489e1b697398551a5fe0 + NOTE: Only affects Apache HTTP Server on Windows CVE-2024-36387 (Serving WebSocket protocol upgrades over a HTTP/2 connection could res ...) - apache2 2.4.60-1 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-36387 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/949e05187d490c379719dcd326ba964951e7894d -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/949e05187d490c379719dcd326ba964951e7894d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2021-40211/imagemagick
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: a5b2734c by Bastien Roucariès at 2024-06-25T18:31:44+00:00 CVE-2021-40211/imagemagick This CVE was closed and in changelog but not in tracker - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -216522,7 +216522,7 @@ CVE-2021-40212 (An exploitable out-of-bounds write vulnerability in PotPlayer 1. NOT-FOR-US: PotPlayer CVE-2021-40211 (An issue was discovered with ImageMagick 7.1.0-4 via Division by zero ...) - imagemagick 8:6.9.11.60+dfsg-1.5 - [bullseye] - imagemagick (Minor issue) + [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 [buster] - imagemagick 8:6.9.10.23+dfsg-2.1+deb10u5 NOTE: https://github.com/ImageMagick/ImageMagick/issues/4097 NOTE: https://github.com/ImageMagick/ImageMagick/commit/0fb77f2a231038efdc38dcceddae6952ebdfb000 (7.1.0-5) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5b2734cbdecda28068b978ae781400079ebb8fa -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5b2734cbdecda28068b978ae781400079ebb8fa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
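Review bot: the bullseye line now records 8:6.9.11.60+dfsg-1.3+deb11u2 as fixed, but the hunk adds no reference to the advisory or changelog entry that closed it. Since the commit message says the fix was found in the changelog rather than in the tracker, adding the advisory id in braces (as other entries in this file do, e.g. `{DSA-5729-1}`) or a NOTE line would let the claim be verified.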
[Git][security-tracker-team/security-tracker][master] Take nodejs
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 43c47476 by Bastien Roucariès at 2024-06-20T21:00:07+00:00 Take nodejs - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -191,7 +191,7 @@ netty (Markus Koschany) NOTE: 20240511: Added by (apo) NOTE: 20240610: Doing some final tests. (apo) -- -nodejs +nodejs (rouca) NOTE: 20240406: Added by Front-Desk (lamby) -- nova View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43c47476c1d98993661c539cf8ac009d425df7e7 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43c47476c1d98993661c539cf8ac009d425df7e7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3839-1 for putty
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 067c0b8a by Bastien Roucariès at 2024-06-20T16:39:38+00:00 Reserve DLA-3839-1 for putty - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[20 Jun 2024] DLA-3839-1 putty - security update + {CVE-2024-31497} + [buster] - putty 0.74-1+deb11u1~deb10u2 [20 Jun 2024] DLA-3829-2 sendmail - regression update [buster] - sendmail 8.15.2-14~deb10u3 [19 Jun 2024] DLA-3838-1 composer - security update = data/dla-needed.txt = @@ -234,14 +234,6 @@ pdns-recursor NOTE: 20240306: Added by Front-Desk (opal) NOTE: 20240319: Upload postponed due to #1067124 (dleidert) -- -putty (rouca) - NOTE: 20231224: Added by Front-Desk (ta) - NOTE: 20240104: massive code change against bullseye. May be better to backport bullseye (rouca) - NOTE: 20240324: Backport is straighforward (rouca) - NOTE: 20240324: https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/104 - NOTE: 20240412: Wait for comments by maintainer - NOTE: 20240430: Backport fixes for CVE-2024-31497 wait review --- pypy3 NOTE: 20240503: Added by Front-Desk (Beuc) NOTE: 20240503: Fix newly triaged (but old) issues; View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/067c0b8af8e8c2bdad69622d1bc4d1ad092c55ea -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/067c0b8af8e8c2bdad69622d1bc4d1ad092c55ea You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3829-2 for sendmail
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 565badcf by Bastien Roucariès at 2024-06-20T07:34:53+00:00 Reserve DLA-3829-2 for sendmail - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[20 Jun 2024] DLA-3829-2 sendmail - regression update + [buster] - sendmail 8.15.2-14~deb10u3 [19 Jun 2024] DLA-3838-1 composer - security update {CVE-2024-35241 CVE-2024-35242} [buster] - composer 1.8.4-1+deb10u4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/565badcfb4a33c1a8d137a37b71fe9fa3c3e76bb -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/565badcfb4a33c1a8d137a37b71fe9fa3c3e76bb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3832-1 for pymongo
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 766e496b by Bastien Roucariès at 2024-06-17T10:40:13+00:00 Reserve DLA-3832-1 for pymongo - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[17 Jun 2024] DLA-3832-1 pymongo - security update + {CVE-2024-5629} + [buster] - pymongo 3.7.1-1.1+deb10u1 [17 Jun 2024] DLA-3831-1 nano - security update {CVE-2024-5742} [buster] - nano 3.2-3+deb10u1 = data/dla-needed.txt = @@ -250,9 +250,6 @@ putty (rouca) NOTE: 20240412: Wait for comments by maintainer NOTE: 20240430: Backport fixes for CVE-2024-31497 wait review -- -pymongo (rouca) - NOTE: 20240609: Added by Front-Desk (apo) --- pypy3 NOTE: 20240503: Added by Front-Desk (Beuc) NOTE: 20240503: Fix newly triaged (but old) issues; View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/766e496bf1f8ed3a00c2cebbf6f16c6630a12522 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/766e496bf1f8ed3a00c2cebbf6f16c6630a12522 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Take pymongo
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 3282db30 by Bastien Roucariès at 2024-06-16T21:02:36+00:00 Take pymongo - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -253,7 +253,7 @@ putty (rouca) NOTE: 20240412: Wait for comments by maintainer NOTE: 20240430: Backport fixes for CVE-2024-31497 wait review -- -pymongo +pymongo (rouca) NOTE: 20240609: Added by Front-Desk (apo) -- pypy3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3282db30637a94c995792b8c3f10884a36930f54 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3282db30637a94c995792b8c3f10884a36930f54 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Retake putty
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 8a257463 by Bastien Roucariès at 2024-06-15T16:04:41+00:00 Retake putty - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -245,7 +245,7 @@ pdns-recursor php7.3 (Markus Koschany) NOTE: 20240609: Added by Front-Desk (apo) -- -putty +putty (rouca) NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20240104: massive code change against bullseye. May be better to backport bullseye (rouca) NOTE: 20240324: Backport is straighforward (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a25746365a9dd0196d80dbfd60ab813b09cf344 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a25746365a9dd0196d80dbfd60ab813b09cf344 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3829-1 for sendmail
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 6a931aa5 by Bastien Roucariès at 2024-06-15T07:33:19+00:00 Reserve DLA-3829-1 for sendmail - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[15 Jun 2024] DLA-3829-1 sendmail - security update + {CVE-2023-51765} + [buster] - sendmail 8.15.2-14~deb10u2 [14 Jun 2024] DLA-3828-1 atril - security update {CVE-2023-52076} [buster] - atril 1.20.3-1+deb10u2 = data/dla-needed.txt = 
@@ -298,22 +298,6 @@ runc (dleidert) NOTE: 20240521: Already started to work on it. Upload will haben until end of month. (dleidert) NOTE: 20240531: Waiting for ok to upload to bullseye-pu <https://bugs.debian.org/1072248> (dleidert) -- -sendmail (rouca) - NOTE: 20231224: Added by Front-Desk (ta) - NOTE: 20240213: Patch need to be extracted (rouca). Upstream does not publish patches (CVE-2023-51765) - NOTE: 20240217: Patch extracted and being reviewed (rouca) - NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) - NOTE: 20240311: Re-added to dla-needed.txt; while secteam tagged it no-dsa in later dists, - NOTE: 20240311: I believe we should fix this sponsored package, like postfix and exim, in all dists, - NOTE: 20240311: please coordinate with the package maintainer to help make this happen. (Beuc/front-desk) - NOTE: 20240324: some issue coordinate with myself and security team (rouca) - NOTE: 20240425: need more time to investigate issue - NOTE: 20240430: https://marc.info/?l=oss-security=171447187004229=2 - NOTE: 20240506: add possible workarround see #1070190 - NOTE: 20240514: sid is on the way - NOTE: 20240525: sid/testing ok. Bookworm PU - NOTE: 20240614: bullseye PU --- squid NOTE: 20240109: Added by Front-Desk (apo) NOTE: 20240109: I ask for another pair of eyes for CVE-2023-5824. The fix View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6a931aa54e27136ce65714e718838551d67b11dc -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6a931aa54e27136ce65714e718838551d67b11dc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
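Review bot: the data/dla-needed.txt hunk removes the only record that the stable and oldstable fixes are still pending (`NOTE: 20240525: sid/testing ok. Bookworm PU` and `NOTE: 20240614: bullseye PU`), while the DLA-3829-1 entry in the data/DLA/list hunk covers buster only; make sure that state is tracked elsewhere (the CVE-2023-51765 entry in data/CVE/list, or the proposed-update bugs) before the block is dropped, otherwise the bookworm and bullseye uploads lose their paper trail.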
[Git][security-tracker-team/security-tracker][master] Retake sendmail
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: bb16a895 by Bastien Roucariès at 2024-06-14T21:03:51+00:00 Retake sendmail - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -305,7 +305,7 @@ runc (dleidert) NOTE: 20240521: Already started to work on it. Upload will haben until end of month. (dleidert) NOTE: 20240531: Waiting for ok to upload to bullseye-pu <https://bugs.debian.org/1072248> (dleidert) -- -sendmail +sendmail (rouca) NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20240213: Patch need to be extracted (rouca). Upstream does not publish patches (CVE-2023-51765) NOTE: 20240217: Patch extracted and being reviewed (rouca) @@ -318,7 +318,8 @@ sendmail NOTE: 20240430: https://marc.info/?l=oss-security=171447187004229=2 NOTE: 20240506: add possible workarround see #1070190 NOTE: 20240514: sid is on the way - NOTE: 20240525: sid/bookworm ok. Bullseye PU + NOTE: 20240525: sid/testing ok. Bookworm PU + NOTE: 20240614: bullseye PU -- squid NOTE: 20240109: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb16a8951ce2b97f602adc18a735098629d52dcd -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb16a8951ce2b97f602adc18a735098629d52dcd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
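Review bot: in the second data/dla-needed.txt hunk an existing dated line is rewritten in place, `-    NOTE: 20240525: sid/bookworm ok. Bullseye PU` becoming `+    NOTE: 20240525: sid/testing ok. Bookworm PU`, which changes what was recorded on that date without any trace; prefer keeping the original line and adding a dated correction (the new `NOTE: 20240614: bullseye PU` line already follows that pattern), or at least say in the commit message that the 20240525 status was wrong. The re-claim `+sendmail (rouca)` in the first hunk also lacks a note on why the package had been unclaimed in the meantime.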
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3821-1 for libreoffice
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 972084d0 by Bastien Roucariès at 2024-05-26T06:38:58+00:00 Reserve DLA-3821-1 for libreoffice - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[26 May 2024] DLA-3821-1 libreoffice - security update + {CVE-2024-3044} + [buster] - libreoffice 1:6.1.5-3+deb10u12 [25 May 2024] DLA-3820-1 bluez - security update {CVE-2023-27349} [buster] - bluez 5.50-1.2~deb10u5 = data/dla-needed.txt = @@ -140,9 +140,6 @@ less (guilhem) libmojolicious-perl NOTE: 20240421: Added by Front-Desk (apo) -- -libreoffice (rouca) - NOTE: 20240518: Added by Front-Desk (utkarsh) --- libreswan NOTE: 20230817: Added by Front-Desk (ta) NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/972084d0abbd0ff1923604dfd28a332519bddb5a -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/972084d0abbd0ff1923604dfd28a332519bddb5a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update sendmail/dla status
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 88b9f3b6 by Bastien Roucariès at 2024-05-25T12:04:31+00:00 Update sendmail/dla status - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -295,6 +295,7 @@ sendmail (rouca) NOTE: 20240430: https://marc.info/?l=oss-security=171447187004229=2 NOTE: 20240506: add possible workarround see #1070190 NOTE: 20240514: sid is on the way + NOTE: 20240525: sid/bookworm ok. Bullseye PU -- squid NOTE: 20240109: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/88b9f3b6fd1f71f87345381490347eaefc56bcd4 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/88b9f3b6fd1f71f87345381490347eaefc56bcd4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
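Review bot: `+    NOTE: 20240525: sid/bookworm ok. Bullseye PU` is ambiguous about which suites actually carry the fix: the preceding note only says `sid is on the way`, and bookworm is a stable release that cannot be "ok" without its own proposed-update; spell the status out per suite (sid uploaded, bookworm PU filed or pending, bullseye PU planned) so the next reader does not take bookworm as done.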
[Git][security-tracker-team/security-tracker][master] Take libreoffice/dla
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 7734f1f6 by Bastien Roucariès at 2024-05-25T11:37:45+00:00 Take libreoffice/dla - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -144,7 +144,7 @@ less (guilhem) libmojolicious-perl NOTE: 20240421: Added by Front-Desk (apo) -- -libreoffice +libreoffice (rouca) NOTE: 20240518: Added by Front-Desk (utkarsh) -- libreswan View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7734f1f6af98d5281e8d7e41882b98ad1dccf625 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7734f1f6af98d5281e8d7e41882b98ad1dccf625 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3819-1 for fossil
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 8efcae78 by Bastien Roucariès at 2024-05-25T11:27:12+00:00 Reserve DLA-3819-1 for fossil - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[25 May 2024] DLA-3819-1 fossil - security update + {CVE-2024-24795} + [buster] - fossil 1:2.8-1+deb10u1 [24 May 2024] DLA-3818-1 apache2 - security update {CVE-2019-17567 CVE-2023-31122 CVE-2023-38709 CVE-2023-45802 CVE-2024-24795 CVE-2024-27316} [buster] - apache2 2.4.59-1~deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8efcae782eea33a77e01967b70559a3453f7be08 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8efcae782eea33a77e01967b70559a3453f7be08 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
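Review bot: the new `[25 May 2024] DLA-3819-1 fossil - security update` entry lists `{CVE-2024-24795}`, an Apache HTTP Server CVE that the context line shows was just fixed by DLA-3818-1 apache2; per the data/CVE/list notes elsewhere in this thread (commit 103025ef, "Fix will trigger a regression at least in fossil"), the fossil upload is the companion fix for that regression rather than a fix for a fossil vulnerability. Make the relationship explicit with a NOTE on the CVE-2024-24795 entry pointing at DLA-3819-1 as the regression fix, so fossil is not later read as having been independently affected.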
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3818-1 for apache2
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 10b3814a by Bastien Roucariès at 2024-05-24T22:54:17+00:00 Reserve DLA-3818-1 for apache2 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -55878,7 +55878,6 @@ CVE-2020-36698 (The Security & Malware scan by CleanTalk plugin for WordPress is CVE-2023-45802 (When a HTTP/2 stream was reset (RST frame) by a client, there was a ti ...) {DSA-5662-1} - apache2 2.4.58-1 - [buster] - apache2 (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/10/19/6 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2023-45802 NOTE: https://github.com/icing/blog/blob/main/h2-rapid-reset.md#cve-2023-45802 @@ -78709,7 +78708,6 @@ CVE-2023-2258 (Improper Neutralization of Formula Elements in a CSV File in GitH CVE-2023-31122 (Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.Th ...) {DSA-5662-1} - apache2 2.4.58-1 - [buster] - apache2 (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/10/19/4 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2023-31122 NOTE: Fixed by: https://github.com/apache/httpd/commit/c41eb3b14a3d1eb2e3c42c4728cc52a22748851a @@ -347024,7 +347022,6 @@ CVE-2019-17568 CVE-2019-17567 (Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configu ...) [experimental] - apache2 2.4.48-1 - apache2 2.4.48-2 - [buster] - apache2 (Intrusive and risky backport) [stretch] - apache2 (Intrusive and risky backport) NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-17567 NOTE: https://svn.apache.org/r1885605 = data/DLA/list = 
@@ -1,3 +1,6 @@ +[24 May 2024] DLA-3818-1 apache2 - security update + {CVE-2019-17567 CVE-2023-31122 CVE-2023-38709 CVE-2023-45802 CVE-2024-24795 CVE-2024-27316} + [buster] - apache2 2.4.59-1~deb10u1 [20 May 2024] DLA-3817-1 thunderbird - security update {CVE-2024-4367 CVE-2024-4767 CVE-2024-4768 CVE-2024-4769 CVE-2024-4770 CVE-2024-4777} [buster] - thunderbird 1:115.11.0-1~deb10u1 = data/dla-needed.txt = @@ -31,9 +31,6 @@ ansible NOTE: 20231228: Made a partial release DLA-3695-1 (rouca), waiting for lee NOTE: 20240501: Update for bookworm-proposed-update: #1070193 (lee) -- -apache2 (Lee Garrett) - NOTE: 20240418: Added by Front-Desk (apo) --- atril NOTE: 20240121: Added by Front-Desk (apo) NOTE: 20240121: Decide whether it makes sense to disable comic feature or use libarchive instead. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/10b3814a5b2eca9e3f242c88bb028e3cafc4258e -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/10b3814a5b2eca9e3f242c88bb028e3cafc4258e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
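Review bot: in the data/CVE/list hunk, dropping `- [buster] - apache2 (Intrusive and risky backport)` under CVE-2019-17567 and the `- [buster] - apache2 (Minor issue)` lines under CVE-2023-45802 and CVE-2023-31122 silently flips issues that were previously declined for buster to fixed; the data/DLA/list hunk shows how, by moving buster to `apache2 2.4.59-1~deb10u1`, i.e. a rebase to a new upstream version rather than a backport. That is the right way to express it in the tracker, but the commit message should say that the rebase is what resolves the formerly declined issues.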
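Review bot: the data/dla-needed.txt hunk removes `-apache2 (Lee Garrett)` together with its `NOTE: 20240418: Added by Front-Desk (apo)` line, while the DLA is reserved by a different person; nothing in the patch records the hand-over, so a word in the commit message (or a dated NOTE before removal) confirming the previous claimant agreed would avoid two people preparing the same upload.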
[Git][security-tracker-team/security-tracker][master] Fix a typo in sendmail/dla-needed
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 784d930c by Bastien Roucariès at 2024-05-14T13:31:29+00:00 Fix a typo in sendmail/dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -273,7 +273,7 @@ sendmail (rouca) NOTE: 20240425: need more time to investigate issue NOTE: 20240430: https://marc.info/?l=oss-security=171447187004229=2 NOTE: 20240506: add possible workarround see #1070190 - NOTE: 20240214: sid is on the way + NOTE: 20240514: sid is on the way -- squid NOTE: 20240109: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/784d930cd1d78dc3a1ed09de852973e315ff1c80 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/784d930cd1d78dc3a1ed09de852973e315ff1c80 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add note about sendmail/dla-needed
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 2cb4a6e6 by Bastien Roucariès at 2024-05-14T12:00:28+00:00 Add note about sendmail/dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -273,6 +273,7 @@ sendmail (rouca) NOTE: 20240425: need more time to investigate issue NOTE: 20240430: https://marc.info/?l=oss-security=171447187004229=2 NOTE: 20240506: add possible workarround see #1070190 + NOTE: 20240214: sid is on the way -- squid NOTE: 20240109: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2cb4a6e6547bcf1c5f3ff438393b59c6b4f9c222 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2cb4a6e6547bcf1c5f3ff438393b59c6b4f9c222 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
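Review bot: the added `+    NOTE: 20240214: sid is on the way` carries a date earlier than the preceding `NOTE: 20240506:` line and than this commit (2024-05-14); the notes are kept in chronological order, so the date is almost certainly meant to be `20240514`.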
[Git][security-tracker-team/security-tracker][master] Add CVEs fixed by shim DLA
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 359f1dc4 by Bastien Roucariès at 2024-05-13T20:13:17+00:00 Add CVEs fixed by shim DLA - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,4 +1,5 @@ [13 May 2024] DLA-3813-1 shim - security update + {CVE-2023-40546 CVE-2023-40547 CVE-2023-40548 CVE-2023-40549 CVE-2023-40550 CVE-2023-40551} [buster] - shim 15.8-1~deb10u1 [09 May 2024] DLA-3812-1 libpgjava - security update {CVE-2024-1597} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/359f1dc46593ad1f9cd7d20e1e5e6778d537867f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/359f1dc46593ad1f9cd7d20e1e5e6778d537867f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3813-1 for shim
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: d8ec5ee1 by Bastien Roucariès at 2024-05-13T20:07:04+00:00 Reserve DLA-3813-1 for shim - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[13 May 2024] DLA-3813-1 shim - security update + [buster] - shim 15.8-1~deb10u1 [09 May 2024] DLA-3812-1 libpgjava - security update {CVE-2024-1597} [buster] - libpgjava 42.2.5-2+deb10u4 = data/dla-needed.txt = @@ -278,11 +278,6 @@ sendmail (rouca) NOTE: 20240430: https://marc.info/?l=oss-security=171447187004229=2 NOTE: 20240506: add possible workarround see #1070190 -- -shim (rouca) - NOTE: 20240306: Added by Front-Desk (opal) - NOTE: 20240415: https://salsa.debian.org/efi-team/shim/-/merge_requests/13 - NOTE: 20240502: add autopkgtest suite + wait for sid --- squid NOTE: 20240109: Added by Front-Desk (apo) NOTE: 20240109: I ask for another pair of eyes for CVE-2023-5824. The fix View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8ec5ee1ceeeff6fcd54a53deca69b49a71cb718 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8ec5ee1ceeeff6fcd54a53deca69b49a71cb718 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
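Review bot: the data/DLA/list hunk adds `[13 May 2024] DLA-3813-1 shim - security update` directly followed by `[buster] - shim 15.8-1~deb10u1` with no `{CVE-...}` line, unlike the `{CVE-2024-1597}` line on the neighbouring DLA-3812-1 entry; without it the tracker cannot mark the shim CVEs as fixed in buster, so the CVE list should be part of the reservation (the follow-up commit 359f1dc4 adds it). The removed dla-needed block ended with `NOTE: 20240502: add autopkgtest suite + wait for sid`; confirm that the sid upload landed before the DLA goes out.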
[Git][security-tracker-team/security-tracker][master] Add comment about sendmail state in dla
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 6f4ffdce by Bastien Roucariès at 2024-05-06T21:15:38+00:00 Add comment about sendmail state in dla - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -271,6 +271,7 @@ sendmail (rouca) NOTE: 20240324: some issue coordinate with myself and security team (rouca) NOTE: 20240425: need more time to investigate issue NOTE: 20240430: https://marc.info/?l=oss-security=171447187004229=2 + NOTE: 20240506: add possible workarround see #1070190 -- shim (rouca) NOTE: 20240306: Added by Front-Desk (opal) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6f4ffdce8c90f68630416692a5a29e1e3a3570ee -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6f4ffdce8c90f68630416692a5a29e1e3a3570ee You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
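Review bot: `+    NOTE: 20240506: add possible workarround see #1070190` misspells "workaround" and does not say what the workaround mitigates or where it is meant to go (the DLA text, the package, the CVE entry); a line such as `NOTE: 20240506: possible workaround for CVE-2023-51765 documented in #1070190` would stand on its own.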
[Git][security-tracker-team/security-tracker][master] Add note about zookeeper
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 69d99277 by Bastien Roucariès at 2024-05-02T13:59:41+00:00 Add note about zookeeper - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -320,4 +320,9 @@ wordpress -- zookeeper NOTE: 20240324: Added by Front-Desk (ta) + NOTE: 20240502: Persistent (and p-recursive) watches were introduced by ZOOKEEPER-1416, which only exists in 3.6+. + NOTE: 20240502: See https://issues.apache.org/jira/browse/ZOOKEEPER-1416 + NOTE: 20240502: However, classical watches are used (<< 3.6), it seems that to trigger for nodes whose names are not + NOTE: 20240502: known in advance is not possible. Nevertheless classical watch leaks some information. + NOTE: 20240502: CVE-2024-23944 may be therefore downgraded for << 3.6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/69d99277fa3a5fd862f2669fa23500c39dd07fd2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/69d99277fa3a5fd862f2669fa23500c39dd07fd2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
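Review bot: the third added line, `NOTE: 20240502: However, classical watches are used (<< 3.6), it seems that to trigger for nodes whose names are not known in advance is not possible.`, is hard to parse; suggested wording: `However, with classical watches (<< 3.6) it does not seem possible to trigger on nodes whose names are not known in advance.` The analysis ends with `CVE-2024-23944 may be therefore downgraded for << 3.6` but records no decision; once agreed, the buster line in data/CVE/list should get the corresponding tag (Minor issue or similar), and the zookeeper entry still has no claimant.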
[Git][security-tracker-team/security-tracker][master] Add note about shim
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 4a158e3d by Bastien Roucariès at 2024-05-02T13:57:21+00:00 Add note about shim - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -267,9 +267,10 @@ sendmail (rouca) NOTE: 20240425: need more time to investigate issue NOTE: 20240430: https://marc.info/?l=oss-security=171447187004229=2 -- -shim +shim (rouca) NOTE: 20240306: Added by Front-Desk (opal) NOTE: 20240415: https://salsa.debian.org/efi-team/shim/-/merge_requests/13 + NOTE: 20240502: add autopkgtest suite + wait for sid -- squid NOTE: 20240109: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a158e3dc87b085cbd41327bb2d275a578890f3a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a158e3dc87b085cbd41327bb2d275a578890f3a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
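Review bot: `+    NOTE: 20240502: add autopkgtest suite + wait for sid` does not say what is awaited in sid (a target version or a bug number), so the next front-desk pass cannot tell whether the wait is over; the previous note already links the merge request, so naming the expected sid version would be enough.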
[Git][security-tracker-team/security-tracker][master] Add more info about sendmail issue
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: b963bea6 by Bastien Roucariès at 2024-04-30T21:30:48+00:00 Add more info about sendmail issue - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -254,6 +254,7 @@ sendmail (rouca) NOTE: 20240311: please coordinate with the package maintainer to help make this happen. (Beuc/front-desk) NOTE: 20240324: some issue coordinate with myself and security team (rouca) NOTE: 20240425: need more time to investigate issue + NOTE: 20240430: https://marc.info/?l=oss-security=171447187004229=2 -- shim NOTE: 20240306: Added by Front-Desk (opal) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b963bea6bef732c12d71deb5ccdc409f44c52399 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b963bea6bef732c12d71deb5ccdc409f44c52399 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
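Review bot: the added `NOTE: 20240430: https://marc.info/?l=oss-security=171447187004229=2` looks mangled: marc.info links take the form `?l=<list>&m=<id>&w=2`, and here the `&m` and `&w` parts are missing (ampersands lost when pasting from HTML is the usual cause), so the link as committed will not resolve to the message. Re-check the URL and add a few words on what the thread says, since a bare link gives the next reader nothing to go on.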
[Git][security-tracker-team/security-tracker][master] Add fossil for including embedded-code-copies of sqlite3
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: e99cb980 by Bastien Roucariès at 2024-04-30T15:54:02+00:00 Add fossil for including embedded-code-copies of sqlite3 - - - - - 1 changed file: - data/embedded-code-copies Changes: = data/embedded-code-copies = @@ -2690,6 +2690,7 @@ sqlite3 - chromium-browser (embed) - mame (embed) - db5.3 (modified-embed) + - fossil (need SQLITE_ENABLE_JSON1; see bug #1070126) sysfsutils - ia32-libs (embed) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e99cb980d9df1dc7adb74c27c373b5fcd6a17128 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e99cb980d9df1dc7adb74c27c373b5fcd6a17128 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
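Review bot: `+ - fossil (need SQLITE_ENABLE_JSON1; see bug #1070126)` does not use one of the status keywords the surrounding lines use (`embed`, `modified-embed`), so anyone or anything scanning that field for the embedding status gets a free-form remark instead; needing SQLITE_ENABLE_JSON1 is a build requirement on the library, not by itself evidence of an embedded copy. Keep the keyword first and put the remark after it, e.g. `- fossil (embed; needs SQLITE_ENABLE_JSON1, see #1070126)`, or state plainly that fossil builds against the system sqlite3 if that is the case.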
[Git][security-tracker-team/security-tracker][master] Add comment about putty
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: d44af883 by Bastien Roucariès at 2024-04-30T15:22:47+00:00 Add comment about putty - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -215,6 +215,7 @@ putty (rouca) NOTE: 20240324: Backport is straighforward (rouca) NOTE: 20240324: https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/104 NOTE: 20240412: Wait for comments by maintainer + NOTE: 20240430: Backport fixes for CVE-2024-31497 wait review -- pymongo NOTE: 20240420: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d44af883f5881370ebc612194aa682f3a63e9cc1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d44af883f5881370ebc612194aa682f3a63e9cc1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
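Review bot: `+    NOTE: 20240430: Backport fixes for CVE-2024-31497 wait review` names the CVE but not where the backport lives; the 20240324 note links the lts-updates-tasks issue, so either point there again or at the merge request or bug holding the patches, and say who is expected to review (the maintainer, per the 20240412 note, or the LTS team). Wording: `Backported fixes for CVE-2024-31497 await review`.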
[Git][security-tracker-team/security-tracker][master] CVE-2024-31497
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 4f9357ca by Bastien Roucariès at 2024-04-29T15:25:30+00:00 CVE-2024-31497 Add patch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3673,6 +3673,7 @@ CVE-2024-31497 (In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce gener [buster] - filezilla (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2024/04/15/6 NOTE: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html + NOTE: https://git.tartarus.org/?p=simon/putty.git;a=commitdiff_plain;h=c193fe9848f50a88a4089aac647fecc31ae96d27 CVE-2024-3804 (A vulnerability, which was classified as critical, has been found in V ...) NOT-FOR-US: Vesystem Cloud Desktop CVE-2024-3803 (A vulnerability classified as critical was found in Vesystem Cloud Des ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4f9357ca2048a1cfc9f4bfb3e2a3f92dbd56e642 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4f9357ca2048a1cfc9f4bfb3e2a3f92dbd56e642 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
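Review bot: the new `NOTE: https://git.tartarus.org/?p=simon/putty.git;a=commitdiff_plain;h=c193fe9848f50a88a4089aac647fecc31ae96d27` would read better with the `Fixed by:` prefix used for upstream commits elsewhere in data/CVE/list (see the CVE-2023-31122 entry in this thread), so that the fix commit is distinguishable from the advisory links above it.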
[Git][security-tracker-team/security-tracker][master] Take wpa/dsa-needed
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 0aa44d8a by Bastien Roucariès at 2024-04-29T15:19:26+00:00 Take wpa/dsa-needed - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -88,7 +88,7 @@ squid -- webkit2gtk (berto) -- -wpa +wpa (rouca) -- zabbix -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0aa44d8ad309f1dabb497928681692a70c0b43d5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0aa44d8ad309f1dabb497928681692a70c0b43d5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2024-24795/uwsgi
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 55ad4073 by Bastien Roucariès at 2024-04-26T19:00:52+00:00 CVE-2024-24795/uwsgi Add uwsgi due to embeded source of apache2 module - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6609,11 +6609,14 @@ CVE-2024-26745 (In the Linux kernel, the following vulnerability has been resolv CVE-2024-24795 (HTTP Response splitting in multiple modules in Apache HTTP Server allo ...) {DSA-5662-1} - apache2 2.4.59-1 (bug #1068412) + - uwsgi (unimportant) NOTE: https://www.openwall.com/lists/oss-security/2024/04/04/5 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-24795 NOTE: https://github.com/apache/httpd/commit/a29723ce1af75eed0813c3717d3f6dee9b405ca8 NOTE: Fix will trigger a regression at least in fossil see https://bz.apache.org/bugzilla/show_bug.cgi?id=68905 NOTE: Fossil fix here: https://fossil-scm.org/home/info/f4ffefe708793b03 + NOTE: uwsgi include sources of uwgi apache2 module. Since buster we compile the uwsgi module of apache2 source package. + NOTE: https://github.com/unbit/uwsgi/issues/2635 CVE-2023-38709 (Faulty input validation in the core of Apache allows malicious or expl ...) {DSA-5662-1} - apache2 2.4.59-1 (bug #1068412) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/55ad4073e1d300aca8d2f10fee697b78a693e02a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/55ad4073e1d300aca8d2f10fee697b78a693e02a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
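Review bot: the added justification `NOTE: uwsgi include sources of uwgi apache2 module. Since buster we compile the uwsgi module of apache2 source package.` is what supports the `+ - uwsgi (unimportant)` tag, so it should be precise and typo-free: `uwsgi includes a copy of the sources of its apache2 module; since buster the module is built from the apache2 source package, so the embedded copy is not compiled.` Recording the relationship in data/embedded-code-copies as well (as done for fossil/sqlite3 in commit e99cb980) would make future apache2 CVEs surface uwsgi automatically instead of relying on memory.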
[Git][security-tracker-team/security-tracker][master] DLA-3794-1/putty
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: cfaffae9 by Bastien Roucariès at 2024-04-25T20:34:07+00:00 DLA-3794-1/putty - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[25 Apr 2024] DLA-3794-1 putty - security update + {CVE-2020-14002 CVE-2021-36367 CVE-2023-48795 CVE-2019-17069} + [buster] - putty 0.74-1+deb11u1~deb10u1 [22 Apr 2024] DLA-3793-1 openjdk-11 - security update {CVE-2024-21011 CVE-2024-21012 CVE-2024-21068 CVE-2024-21085 CVE-2024-21094} [buster] - openjdk-11 11.0.23+9-1~deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cfaffae9b185a961bd736e4ee474dd4fb9f8375c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cfaffae9b185a961bd736e4ee474dd4fb9f8375c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
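Review bot: in `{CVE-2020-14002 CVE-2021-36367 CVE-2023-48795 CVE-2019-17069}` the identifiers are not in ascending order (CVE-2019-17069 comes last), whereas the neighbouring DLA-3793-1 entry lists them sorted; sort the list for consistency. The version `0.74-1+deb11u1~deb10u1` shows this is a rebuild of the bullseye update, which matches the earlier dla-needed note that backporting bullseye was preferable; a short mention of that in the commit message would help whoever reads the DLA later.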
[Git][security-tracker-team/security-tracker][master] Add comment about sendmail
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 9f5b6f03 by Bastien Roucariès at 2024-04-25T19:52:57+00:00 Add comment about sendmail - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -287,6 +287,7 @@ sendmail (rouca) NOTE: 20240311: I believe we should fix this sponsored package, like postfix and exim, in all dists, NOTE: 20240311: please coordinate with the package maintainer to help make this happen. (Beuc/front-desk) NOTE: 20240324: some issue coordinate with myself and security team (rouca) + NOTE: 20240425: need more time to investigate issue -- shim (rouca) NOTE: 20240306: Added by Front-Desk (opal) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f5b6f03eff95629fd37f4dd73be4880f2ca1c51 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f5b6f03eff95629fd37f4dd73be4880f2ca1c51 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
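Review bot: `+    NOTE: 20240425: need more time to investigate issue` does not say which issue, and the preceding line already reads `some issue coordinate with myself and security team`; name it (a bug number or the CVE) so the entry stays useful to someone picking it up.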
[Git][security-tracker-team/security-tracker][master] CVE-2024-24795/apache2
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 103025ef by Bastien Roucariès at 2024-04-24T15:39:14+00:00 CVE-2024-24795/apache2 Document fix and possible regression - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6011,6 +6011,9 @@ CVE-2024-24795 (HTTP Response splitting in multiple modules in Apache HTTP Serve - apache2 2.4.59-1 (bug #1068412) NOTE: https://www.openwall.com/lists/oss-security/2024/04/04/5 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-24795 + NOTE: https://github.com/apache/httpd/commit/a29723ce1af75eed0813c3717d3f6dee9b405ca8 + NOTE: Fix will trigger a regression at least in fossil see https://bz.apache.org/bugzilla/show_bug.cgi?id=68905 + NOTE: Fossil fix here: https://fossil-scm.org/home/info/f4ffefe708793b03 CVE-2023-38709 (Faulty input validation in the core of Apache allows malicious or expl ...) {DSA-5662-1} - apache2 2.4.59-1 (bug #1068412) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/103025ef4cc4cccb705da7580a6c513b84533326 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/103025ef4cc4cccb705da7580a6c513b84533326 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
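Review bot: the new NOTE lines record that the fix causes a regression in fossil and link the upstream fossil fix, but nothing in the hunk says whether Debian's fossil package carries that fix or still needs it; a regression in a reverse dependency is easy to lose once the CVE entry is closed, so add the fossil status next to the bz.apache.org link, e.g. "NOTE: fossil in Debian: fixed in <version> / bug #<n>" (placeholders), or file the bug and cite it here.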
[Git][security-tracker-team/security-tracker][master] CVE-2023-38709/apache2
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: ad578b47 by Bastien Roucariès at 2024-04-24T15:30:17+00:00 CVE-2023-38709/apache2 Fixed by: https://github.com/apache/httpd/commit/ac20389f3c816d990aba21720f1492b69ac5cb44 Backport of: https://svn.apache.org/viewvc?view=revisionrevision=1916770 header validation after content-* are evaled Submitted By: ylavic - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6016,6 +6016,7 @@ CVE-2023-38709 (Faulty input validation in the core of Apache allows malicious o - apache2 2.4.59-1 (bug #1068412) NOTE: https://www.openwall.com/lists/oss-security/2024/04/04/3 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2023-38709 + NOTE: https://github.com/apache/httpd/commit/ac20389f3c816d990aba21720f1492b69ac5cb44 CVE-2024-27316 (HTTP/2 incoming headers exceeding the limit are temporarily buffered i ...) {DSA-5662-1} - apache2 2.4.59-1 (bug #1068412) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad578b475241e3e5448fd89413749f13a7453a93 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad578b475241e3e5448fd89413749f13a7453a93 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
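Review bot: the added NOTE is a bare commit URL, while other entries on this page distinguish fix commits from references with a "Fixed by:" prefix (the zookeeper and imagemagick entries). The commit message identifies ac20389f as the fix and as a backport of SVN r1916770, so write it as "NOTE: Fixed by: https://github.com/apache/httpd/commit/ac20389f3c816d990aba21720f1492b69ac5cb44 (r1916770)" so a reader backporting to older suites knows which link is the patch rather than an advisory reference.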
[Git][security-tracker-team/security-tracker][master] CVE-2024-27316/apache2
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 59151ea3 by Bastien Roucariès at 2024-04-24T15:15:42+00:00 CVE-2024-27316/apache2 Fixed by: https://github.com/apache/httpd/commit/0d73970ec161300a55b630f71bbf72b5c41f28b9 from SVN (https://svn.apache.org/viewvc?view=revisionrevision=1916779) SECURITY: CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames (cve.mitre.org) HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion. Credits: Bartek Nowotarski (https://nowotarski.info/) Submitted By: icing - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6022,6 +6022,7 @@ CVE-2024-27316 (HTTP/2 incoming headers exceeding the limit are temporarily buff NOTE: https://www.kb.cert.org/vuls/id/421644 NOTE: https://www.openwall.com/lists/oss-security/2024/04/04/4 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-27316 + NOTE: https://github.com/apache/httpd/commit/0d73970ec161300a55b630f71bbf72b5c41f28b9 CVE-2024-3296 (A timing-based side-channel flaw exists in the rust-openssl package, w ...) - rust-openssl (bug #1068418) [bookworm] - rust-openssl (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/59151ea3a3ae40d2105d7d0f485b32df16052ae7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/59151ea3a3ae40d2105d7d0f485b32df16052ae7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
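Review bot: same bare-URL form as the CVE-2023-38709 note above; beyond a "Fixed by:" prefix, the zookeeper entry on this page records the release that ships each fix commit ("(release-3.8.4-0)"), and here the commit message gives SVN r1916779 while the entry's "apache2 2.4.59-1" line shows the fix shipped in 2.4.59, so "(r1916779, 2.4.59)" after the URL would let a reader check whether a given httpd tree already contains the fix without opening GitHub.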
[Git][security-tracker-team/security-tracker][master] Add MR for shim fixing shim/dla-needed
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 45229451 by Bastien Roucariès at 2024-04-15T11:44:41+00:00 Add MR for shim fixing shim/dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -258,6 +258,7 @@ sendmail (rouca) -- shim (rouca) NOTE: 20240306: Added by Front-Desk (opal) + NOTE: 20240415: https://salsa.debian.org/efi-team/shim/-/merge_requests/13 -- squid NOTE: 20240109: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45229451637266a499a7580422a5f8448f140331 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45229451637266a499a7580422a5f8448f140331 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add myself for wpa/dsa-needed
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 4b8992b5 by Bastien Roucariès at 2024-04-15T11:43:41+00:00 Add myself for wpa/dsa-needed - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -94,7 +94,7 @@ squid -- webkit2gtk (berto) -- -wpa +wpa (rouca) -- zabbix -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b8992b5d659ed8af306d6034efa02dc3c2dc066 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b8992b5d659ed8af306d6034efa02dc3c2dc066 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2024-23944/zookeeper
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 2307b820 by Bastien Roucariès at 2024-04-15T08:15:12+00:00 CVE-2024-23944/zookeeper There is indeed a triggerWatch in 3.4, and it arguably leaks *some* information. E.g., super create /foo X world:anyone: noauth ls /foo Insufficient permission : /foo noauth stat -w /foo/bar Node does not exist: /foo/bar super create /foo/bar 42 world:anyone: noauth WATCHER:: WatchedEvent state:SyncConnected type:NodeCreated path:/foo/bar zxid: -1 However it seems that it is not possible for watches to trigger for nodes whose names are not known in advance. That is CVE-2024-23944 Thanks to Damien Diederen - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -9378,6 +9378,9 @@ CVE-2024-23944 (Information disclosure in persistent watchers handling in Apache NOTE: https://issues.apache.org/jira/browse/ZOOKEEPER-4799 NOTE: Fixed by: https://github.com/apache/zookeeper/commit/65b91d2d9a56157285c2a86b106e67c26520b01d (release-3.8.4-0) NOTE: Fixed by: https://github.com/apache/zookeeper/commit/daf7cfd04005cff1a4f7cab5ab13d41db88d0cd8 (release-3.9.2-0) + NOTE: Persistent (and p-recursive) watches were introduced by ZOOKEEPER-1416, which only exists in 3.6+. + NOTE: See https://issues.apache.org/jira/browse/ZOOKEEPER-1416 + NOTE: However, classical watches are used (<< 3.6), it seems that to trigger for nodes whose names are not known in advance is not possible. Nevertheless classical watch leaks some information CVE-2024-2746 NOT-FOR-US: dnf5daemon-server CVE-2024-1930 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2307b820ca2c6aaae182e74aa344239c1e7a3499 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2307b820ca2c6aaae182e74aa344239c1e7a3499 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
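Review bot: the third added NOTE is hard to read ("However, classical watches are used (<< 3.6), it seems that to trigger for nodes whose names are not known in advance is not possible. Nevertheless classical watch leaks some information") and it does not state the resulting triage for the 3.4-based buster package. The commit message is clearer: in 3.4 a classical watch set by an unauthenticated client on a not-yet-existing path still fires NodeCreated when the node is created under a parent that client cannot list, so the leak is limited to node names the client already knows. Suggest "NOTE: Classical watches (< 3.6) only reveal creation of nodes whose names the client already knows; not triggerable for unknown names" and recording the buster decision on its own [buster] line instead of leaving it implicit in the NOTE.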
[Git][security-tracker-team/security-tracker][master] Take shim
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 32613d6b by Bastien Roucariès at 2024-04-12T21:08:32+00:00 Take shim - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -256,7 +256,7 @@ sendmail (rouca) NOTE: 20240311: please coordinate with the package maintainer to help make this happen. (Beuc/front-desk) NOTE: 20240324: some issue coordinate with myself and security team (rouca) -- -shim +shim (rouca) NOTE: 20240306: Added by Front-Desk (opal) -- squid View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32613d6bad4ecc56dc9a6b4b74c198359afdd174 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32613d6bad4ecc56dc9a6b4b74c198359afdd174 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Retake putty
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 6200f8de by Bastien Roucariès at 2024-04-12T20:57:04+00:00 Retake putty - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -204,11 +204,12 @@ pdns-recursor NOTE: 20240306: Added by Front-Desk (opal) NOTE: 20240319: Upload postponed due to #1067124 (dleidert) -- -putty +putty (rouca) NOTE: 20231224: Added by Front-Desk (ta) - NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca) - NOTE: 20230324: Backport is straighforward (rouca) - NOTE: 20230324: https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/104 + NOTE: 20240104: massive code change against bullseye. May be better to backport bullseye (rouca) + NOTE: 20240324: Backport is straighforward (rouca) + NOTE: 20240324: https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/104 + NOTE: 20240412: Wait for comments by maintainer -- python-asyncssh NOTE: 20240116: Added by Front-Desk (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6200f8de9fa42cac646c81ad4b2c79a60bbea4d7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6200f8de9fa42cac646c81ad4b2c79a60bbea4d7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
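Review bot: the three rewritten NOTE lines fix the year (20230104/20230324 to 20240104/20240324) but carry over the typo in "+ NOTE: 20240324: Backport is straighforward (rouca)"; since the line is being replaced anyway, correct it to "straightforward". The new "20240412: Wait for comments by maintainer" note would also be more useful with a pointer to what was sent to the maintainer (the lts-updates-tasks issue #104 link on the line above, or a bug number) so the next person can see what is being waited on.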
[Git][security-tracker-team/security-tracker][master] Retake sendmail
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 6df2fb5d by Bastien Roucariès at 2024-04-09T10:07:46+00:00 Retake sendmail - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -246,7 +246,7 @@ samba (Santiago) NOTE: 20230918: Added by Front-Desk (apo) NOTE: 20240406: Update should be ready. Will upload this Monday. (Santiago) -- -sendmail +sendmail (rouca) NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20240213: Patch need to be extracted (rouca). Upstream does not publish patches (CVE-2023-51765) NOTE: 20240217: Patch extracted and being reviewed (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6df2fb5da1a9606358df9e1decb3e4e106fc4330 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6df2fb5da1a9606358df9e1decb3e4e106fc4330 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3777-1 for composer
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 58493d0a by Bastien Roucariès at 2024-03-27T08:34:47+00:00 Reserve DLA-3777-1 for composer - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -36112,7 +36112,6 @@ CVE-2023-43655 (Composer is a dependency manager for PHP. Users publishing a com - composer 2.6.4-1 [bookworm] - composer (Minor issue) [bullseye] - composer (Minor issue) - [buster] - composer (Minor issue, only a problem when configured improperly) NOTE: https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf NOTE: https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d (1.10.27) NOTE: https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c (2.2.22) = data/DLA/list = @@ -1,3 +1,6 @@ +[27 Mar 2024] DLA-3777-1 composer - security update + {CVE-2023-43655} + [buster] - composer 1.8.4-1+deb10u3 [26 Mar 2024] DLA-3776-1 nodejs - security update {CVE-2023-30590 CVE-2023-46809 CVE-2024-22025} [buster] - nodejs 10.24.0~dfsg-1~deb10u4 = data/dla-needed.txt = 
@@ -40,13 +40,6 @@ bind9 (Sean Whitton) NOTE: 20240218: Added by Front-Desk (lamby) NOTE: 20240218: CVE-2023-4408 CVE-2023-50387 CVE-2023-50868 CVE-2023-5517 CVE-2023-5679 already fixed in bullseye. (lamby) -- -composer (rouca) - NOTE: 20240209: Added by Front-Desk (utkarsh) - NOTE: 20240304: Need to backport bullseye (rouca) - NOTE: 20240312: likely not affected by CVE-2024-24821 (rouca) - NOTE: 20240315: DSA 5632-1 is out (Beuc/front-desk) - NOTE: 20240316: Ask clarification about some fixes on DSA 5632-1 without CVE --- dnsmasq NOTE: 20240303: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58493d0ae7ad5b00c5f5403c8a3a9aef445775cd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58493d0ae7ad5b00c5f5403c8a3a9aef445775cd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
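Review bot: the dla-needed.txt hunk drops the whole composer entry, including the open item "20240316: Ask clarification about some fixes on DSA 5632-1 without CVE", while the DLA/list hunk shows DLA-3777-1 covering only CVE-2023-43655. If the question about DSA 5632-1 fixes without a CVE is still open for buster, it disappears with this commit; record the answer (or an issue link) in a note before removing the entry, or leave the entry with only that item.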
[Git][security-tracker-team/security-tracker][master] Claim zookeeper
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: d3c9a03f by Bastien Roucariès at 2024-03-26T21:29:37+00:00 Claim zookeeper - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -300,6 +300,6 @@ wordpress zabbix (utkarsh) NOTE: 20240212: Added by Front-Desk (utkarsh) -- -zookeeper +zookeeper (rouca) NOTE: 20240324: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d3c9a03f45207e65d1f87ad166f352cfdfa0bc82 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d3c9a03f45207e65d1f87ad166f352cfdfa0bc82 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add issue tracker for putty/dla
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 1e969a86 by Bastien Roucariès at 2024-03-24T21:12:52+00:00 Add issue tracker for putty/dla - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -218,6 +218,7 @@ putty (rouca) NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca) NOTE: 20230324: Backport is straighforward (rouca) + NOTE: 20230324: https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/104 -- python-asyncssh NOTE: 20240116: Added by Front-Desk (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e969a86eeb66161e1a0f18092480d264c7414ee -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e969a86eeb66161e1a0f18092480d264c7414ee You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
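Review bot: the added NOTE is stamped 20230324, but the commit is dated 2024-03-24 and the entry it extends was opened 20231224, so the year is off by one and the line sorts before the "Added by Front-Desk" line; it should read 20240324. The "Retake putty" commit higher up on this page later corrects exactly this, so it is worth checking the stamp before committing.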
[Git][security-tracker-team/security-tracker][master] Add myself for putty/dla
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 80797d36 by Bastien Roucariès at 2024-03-24T19:42:43+00:00 Add myself for putty/dla - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -214,9 +214,10 @@ pdns-recursor (dleidert) NOTE: 20240306: Added by Front-Desk (opal) NOTE: 20240319: Upload postponed due to #1067124 (dleidert) -- -putty +putty (rouca) NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca) + NOTE: 20230324: Backport is straighforward (rouca) -- python-asyncssh NOTE: 20240116: Added by Front-Desk (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/80797d36149432196926fb2ca81e7ca77fd6523f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/80797d36149432196926fb2ca81e7ca77fd6523f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
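Review bot: the new "+ NOTE: 20230324: Backport is straighforward (rouca)" line is stamped 2023 although the commit is dated 2024-03-24, and the context line "20230104: massive code change against bullseye" from the earlier claim has the same slip; both are fixed in the later "Retake putty" commit, but the front desk reads these stamps as a chronology, so the year should be right when the note is first added.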
[Git][security-tracker-team/security-tracker][master] Add note about sendmail status
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 47348167 by Bastien Roucariès at 2024-03-24T17:23:18+00:00 Add note about sendmail status - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -269,6 +269,7 @@ sendmail (rouca) NOTE: 20240311: Re-added to dla-needed.txt; while secteam tagged it no-dsa in later dists, NOTE: 20240311: I believe we should fix this sponsored package, like postfix and exim, in all dists, NOTE: 20240311: please coordinate with the package maintainer to help make this happen. (Beuc/front-desk) + NOTE: 20240324: some issue coordinate with myself and security team (rouca) -- shim NOTE: 20240306: Added by Front-Desk (opal) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4734816754d286e8198e442b3e182bdfd2047a14 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4734816754d286e8198e442b3e182bdfd2047a14 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
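Review bot: "+ NOTE: 20240324: some issue coordinate with myself and security team (rouca)" is not a sentence and names no issue; from the earlier notes on this entry (the CVE-2023-51765 patch extracted and under review, the front-desk request to coordinate with the maintainer) a reader cannot tell what is blocked or by whom. Suggest "NOTE: 20240324: coordinating <topic, e.g. the CVE-2023-51765 patch> with the security team (rouca)".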
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3767-1 for imagemagick
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 6311a65e by Bastien Roucariès at 2024-03-20T00:32:47+00:00 Reserve DLA-3767-1 for imagemagick - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[20 Mar 2024] DLA-3767-1 imagemagick - security update + {CVE-2022-48541} + [buster] - imagemagick 8:6.9.10.23+dfsg-2.1+deb10u7 [19 Mar 2024] DLA-3766-1 zfs-linux - security update {CVE-2013-20001 CVE-2023-49298} [buster] - zfs-linux 0.7.12-2+deb10u3 = data/dla-needed.txt = @@ -95,13 +95,6 @@ i2p NOTE: 20230809: Added by Front-Desk (Beuc) NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28 -- -imagemagick (rouca) - NOTE: 20230622: Added by Front-Desk (Beuc) - NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) - NOTE: 20231014: Some work under git branch debian/buster but unease (rouca) - NOTE: 20240227: Made a partial release (rouca) - NOTE: 20240317: bookworm/bullseye CVE free in git --- jenkins-htmlunit-core-js NOTE: 20231231: Added by Front-Desk (lamby) NOTE: 20231231: Needs checking that this is definitely vulnerable: a quick glance View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6311a65e7b85d8329942c92090943b3b7404c6f6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6311a65e7b85d8329942c92090943b3b7404c6f6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
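Review bot: the DLA/list hunk lists a single CVE (CVE-2022-48541), while the dla-needed.txt entry removed in the same commit was opened to "tidy remaining open CVEs" and records only a "partial release" on 20240227. If other CVEs remain open for buster after DLA-3767-1, the entry should stay with a note; if everything else was covered by the earlier partial release, a closing note naming that DLA would make the removal self-explanatory.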
[Git][security-tracker-team/security-tracker][master] Clarify CVE-2023-3195/imagemagick
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 937cf279 by Bastien Roucariès at 2024-03-19T09:41:11+00:00 Clarify CVE-2023-3195/imagemagick This CVE was first introduced in 6.9.12-20 but was reintroduced later - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -48849,7 +48849,8 @@ CVE-2023-3195 (A stack-based buffer overflow issue was found in ImageMagick's co NOTE: https://www.openwall.com/lists/oss-security/2023/05/29/1 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/85a370c79afeb45a97842b0959366af5236e9023 (6.9.12-26) NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/f620340935777b28fa3f7b0ed7ed6bd86946934c (7.1.0-11) - NOTE: Introduced by 6.9.12.55 https://github.com/ImageMagick/ImageMagick6/commit/2b4eabb9d09b278f16727c635e928bd951c58773 + NOTE: Introduced by: https://github.com/ImageMagick/ImageMagick6/commit/f90a091c7dd12cc53b0999bf49d1c80651534eea (6.9.12-20) + NOTE: ReIntroduced (regression) by 6.9.12.55 https://github.com/ImageMagick/ImageMagick6/commit/2b4eabb9d09b278f16727c635e928bd951c58773 CVE-2023-3192 (Session Fixation in GitHub repository froxlor/froxlor prior to 2.1.0.) - froxlor (bug #581792) CVE-2023-3191 (Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassn ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/937cf279d40b48d80b1028cc22525596759aa96f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/937cf279d40b48d80b1028cc22525596759aa96f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
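Review bot: the two new NOTE lines use different version notations for the same upstream series ("(6.9.12-20)" in the first, "6.9.12.55" in the second, against "(6.9.12-26)" in the fix line above them); use the hyphen form of the fix NOTEs, i.e. "6.9.12-55", and keep the "Introduced by:" form with the commit URL first and the version in parentheses so the lines can be scanned consistently. "ReIntroduced" also reads better as "Reintroduced".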
[Git][security-tracker-team/security-tracker][master] CVE-2023-2157/imagemagick
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 66f314e8 by Bastien Roucariès at 2024-03-17T22:46:00+00:00 CVE-2023-2157/imagemagick This CVE was in the code supporting the exif feature following https://github.com/ImageMagick/ImageMagick/issues/5768 First commit introducing this feature was https://github.com/ImageMagick/ImageMagick6/commit/a45686d30fb5785d7f0cb8a0e8efdeb75eabfe08 This commit does not pinpoint the exact point where the CVE was introduced, but versions before 6.9.12.72 do not read the exif and thus did not trigger the CVE - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -53546,11 +53546,13 @@ CVE-2023-2158 (Code Dx versions prior to 2023.4.2 are vulnerable to user imperso NOT-FOR-US: Code Dx CVE-2023-2157 (A heap-based buffer overflow vulnerability was found in the ImageMagic ...) - imagemagick 8:6.9.12.98+dfsg1-2 (bug #1036476) - [bookworm] - imagemagick (Minor issue) - [bullseye] - imagemagick (Minor issue) + [bookworm] - imagemagick (Vulnerable code introduced later) + [bullseye] - imagemagick (Vulnerable code introduced later) [buster] - imagemagick (Vulnerable code was introduced later) NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/9a9896fce95d09e5e47b86baccbe1ce1a2fca76b (7.1.1-7) NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick6/commit/7e4c992f148afc5b28111e540921d5b6e4e38673 (6.9.12-85) + NOTE: Introduced by: https://github.com/ImageMagick/ImageMagick/issues/5768 + NOTE: Introduced by: https://github.com/ImageMagick/ImageMagick6/commit/a45686d30fb5785d7f0cb8a0e8efdeb75eabfe08 (exif feature not present before this commit 6.9.12.72) CVE-2023-2156 (A flaw was found in the networking subsystem of the Linux kernel withi ...) {DSA-5453-1 DSA-5448-1 DLA-3512-1} - linux 6.3.11-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/66f314e8bc9ac6c9adcee8728ca0b0b892ffadb9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/66f314e8bc9ac6c9adcee8728ca0b0b892ffadb9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
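Review bot: the first added "Introduced by:" points at a GitHub issue (#5768) rather than a commit, and the commit message itself says commit a45686d3 does not pinpoint where the CVE was introduced but only adds the exif feature the vulnerable code depends on; "Introduced by:" in this file is read as the exact offending commit, so label these lines along the lines of "Exif support added by: <commit> (6.9.12.72); vulnerable code not reachable before that". The new bookworm/bullseye annotations also drop the "was" kept on the buster line ("Vulnerable code introduced later" vs "Vulnerable code was introduced later"); keep the three lines identical.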
[Git][security-tracker-team/security-tracker][master] CVE-2023-3195/imagemagick
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 73584b34 by Bastien Roucariès at 2024-03-17T22:42:15+00:00 CVE-2023-3195/imagemagick Add more detail why this CVE is not present in debian. Introduced by https://github.com/ImageMagick/ImageMagick6/commit/2b4eabb9d09b278f16727c635e928bd951c58773 Maybe introduced by backporting not carefully CVE-2023-1906 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -48319,12 +48319,13 @@ CVE-2015-10118 (A vulnerability classified as problematic was found in cchetanon NOT-FOR-US: WordPress plugin CVE-2023-3195 (A stack-based buffer overflow issue was found in ImageMagick's coders/ ...) - imagemagick 8:6.9.12.98+dfsg1-2 - [bookworm] - imagemagick (Minor issue) - [bullseye] - imagemagick (Minor issue) + [bookworm] - imagemagick (regression introduced by some backport of CVE-2023-1906, debian patch does not include the regression) + [bullseye] - imagemagick (regression introduced by some backport of CVE-2023-1906, debian patch does not include the regression) [buster] - imagemagick (Vulnerable code was introduced later) NOTE: https://www.openwall.com/lists/oss-security/2023/05/29/1 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/85a370c79afeb45a97842b0959366af5236e9023 (6.9.12-26) NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/f620340935777b28fa3f7b0ed7ed6bd86946934c (7.1.0-11) + NOTE: Introduced by 6.9.12.55 https://github.com/ImageMagick/ImageMagick6/commit/2b4eabb9d09b278f16727c635e928bd951c58773 CVE-2023-3192 (Session Fixation in GitHub repository froxlor/froxlor prior to 2.1.0.) - froxlor (bug #581792) CVE-2023-3191 (Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassn ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/73584b34bd40a080d225c265b25332e7f0456a99 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/73584b34bd40a080d225c265b25332e7f0456a99 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
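Review bot: the new [bookworm]/[bullseye] annotations state as fact that the regression was "introduced by some backport of CVE-2023-1906", while the commit message hedges ("Maybe introduced by backporting not carefully CVE-2023-1906"); the tracker line is what other maintainers will read, so carry the uncertainty into it ("possibly introduced by an upstream backport of CVE-2023-1906") or cite the evidence. The added "Introduced by 6.9.12.55" line is later refined by the "Clarify CVE-2023-3195" commit above, which found an earlier introduction in 6.9.12-20 and a reintroduction in 6.9.12-55.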
[Git][security-tracker-team/security-tracker][master] CVE-2023-3195/imagemagick buster
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: cbdef8c4 by Bastien Roucariès at 2024-03-17T15:37:52+00:00 CVE-2023-3195/imagemagick buster Buster is not vulnerable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -48281,7 +48281,7 @@ CVE-2023-3195 (A stack-based buffer overflow issue was found in ImageMagick's co - imagemagick 8:6.9.12.98+dfsg1-2 [bookworm] - imagemagick (Vulnerable code was introduced later and security patches does not introduce this bug) [bullseye] - imagemagick (Vulnerable code was introduced later and security patches does not introduce this bug) - [buster] - imagemagick (Minor issue) + [buster] - imagemagick (Vulnerable code was introduced later) NOTE: https://www.openwall.com/lists/oss-security/2023/05/29/1 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/85a370c79afeb45a97842b0959366af5236e9023 (6.9.12-26) NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/f620340935777b28fa3f7b0ed7ed6bd86946934c (7.1.0-11) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cbdef8c4720f32c6e2191a37984828f779d22d39 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cbdef8c4720f32c6e2191a37984828f779d22d39 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Retake imagemagick
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 1e376add by Bastien Roucariès at 2024-03-17T15:20:32+00:00 Retake imagemagick - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -107,11 +107,12 @@ i2p NOTE: 20230809: Added by Front-Desk (Beuc) NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28 -- -imagemagick +imagemagick (rouca) NOTE: 20230622: Added by Front-Desk (Beuc) NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) NOTE: 20231014: Some work under git branch debian/buster but unease (rouca) NOTE: 20240227: Made a partial release (rouca) + NOTE: 20240317: bookworm/bullseye CVE free in git -- jenkins-htmlunit-core-js NOTE: 20231231: Added by Front-Desk (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e376addf6d8e871f6bef22455e345b39b422ad0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e376addf6d8e871f6bef22455e345b39b422ad0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-3195/imagemagick bullseye not affected
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits: c46857a1 by Bastien Roucariès at 2024-03-17T15:18:27+00:00
CVE-2023-3195/imagemagick bullseye not affected
- - - - -
1 changed file: - data/CVE/list
Changes:
= data/CVE/list =
@@ -48280,7 +48280,7 @@ CVE-2015-10118 (A vulnerability classified as problematic was found in cchetanon CVE-2023-3195 (A stack-based buffer overflow issue was found in ImageMagick's coders/ ...) - imagemagick 8:6.9.12.98+dfsg1-2 [bookworm] - imagemagick (Vulnerable code was introduced later and security patches does not introduce this bug) - [bullseye] - imagemagick (Minor issue) + [bullseye] - imagemagick (Vulnerable code was introduced later and security patches does not introduce this bug) [buster] - imagemagick (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/05/29/1 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/85a370c79afeb45a97842b0959366af5236e9023 (6.9.12-26)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c46857a10333e7a74c273946ae74ea0f7586efb9
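Review bot: the reason text in the added bullseye line, "security patches does not introduce this bug", has a number-agreement error (the subject is "patches", so "do not"); it is copied verbatim from the bookworm line directly above, so fix both in one go rather than propagating the typo to a third release. The only fix reference visible in the NOTE lines is the ImageMagick6 commit tagged 6.9.12-26; add the commit that introduced the vulnerable code path so "introduced later" can be checked against the bullseye version, which the entry does not show.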
[Git][security-tracker-team/security-tracker][master] CVE-2022-32547/imagemagick
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits: 8b5ebfaf by Bastien Roucariès at 2024-03-17T15:13:51+00:00
CVE-2022-32547/imagemagick
Fixed in bullseye by 8:6.9.11.60+dfsg-1.3+deb11u2
- - - - -
1 changed file: - data/CVE/list
Changes:
= data/CVE/list =
@@ -128310,7 +128310,7 @@ CVE-2022-32548 (An issue was discovered on certain DrayTek Vigor routers before CVE-2022-32547 (In ImageMagick, there is load of misaligned address for type 'double', ...) {DLA-3429-1} - imagemagick 8:6.9.11.60+dfsg-1.5 (bug #1016442) - [bullseye] - imagemagick (Minor issue) + [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 [stretch] - imagemagick (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2091813 NOTE: https://github.com/ImageMagick/ImageMagick/issues/5033
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8b5ebfaf3819d98f944a374028f16bd0f9cfe619
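Review bot: the new bullseye line records a fixed version, 8:6.9.11.60+dfsg-1.3+deb11u2, but the entry's advisory braces still list only {DLA-3429-1}, which is a buster advisory; if that deb11u2 upload went out as a DSA, add its id to the braces, and if it went through a bullseye point release, add a NOTE saying so, because the tracker otherwise shows a fixed version in bullseye with no advisory explaining where it came from. Also worth a NOTE: which upstream commit the deb11u2 upload carried for this CVE, since the visible references are only the Red Hat bug and the upstream issue, not a fix.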
[Git][security-tracker-team/security-tracker][master] CVE-2023-3195/imagemagick
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits: b3cc8d3e by Bastien Roucariès at 2024-03-17T14:35:41+00:00
CVE-2023-3195/imagemagick
This CVE does not affect bookworm. This is a regression due to another fix.
- - - - -
1 changed file: - data/CVE/list
Changes:
= data/CVE/list =
@@ -48279,7 +48279,7 @@ CVE-2015-10118 (A vulnerability classified as problematic was found in cchetanon NOT-FOR-US: WordPress plugin CVE-2023-3195 (A stack-based buffer overflow issue was found in ImageMagick's coders/ ...) - imagemagick 8:6.9.12.98+dfsg1-2 - [bookworm] - imagemagick (Minor issue) + [bookworm] - imagemagick (Vulnerable code was introduced later and security patches does not introduce this bug) [bullseye] - imagemagick (Minor issue) [buster] - imagemagick (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/05/29/1
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b3cc8d3e2f028f909ace0f8e9927b85de7dfdcf1
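Review bot: in the added line `[bookworm] - imagemagick (Vulnerable code was introduced later and security patches does not introduce this bug)` no status keyword is visible between the package name and the parenthesised reason; a release line in data/CVE/list carries a status such as `<not-affected>` in that position, and a bare reason is what this rendering shows for the replaced `(Minor issue)` line as well, so confirm that the committed line actually carries `<not-affected>` and not the status of the line it replaced, since the reason text alone does not change how the tracker classifies bookworm. While here, "does not" should read "do not".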
[Git][security-tracker-team/security-tracker][master] CVE-2023-2157/imagemagick
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits: fcd73685 by Bastien Roucariès at 2024-03-17T13:34:38+00:00
CVE-2023-2157/imagemagick
Code was introduced post trixie
- - - - -
1 changed file: - data/CVE/list
Changes:
= data/CVE/list =
@@ -53504,9 +53504,9 @@ CVE-2023-2158 (Code Dx versions prior to 2023.4.2 are vulnerable to user imperso NOT-FOR-US: Code Dx CVE-2023-2157 (A heap-based buffer overflow vulnerability was found in the ImageMagic ...) - imagemagick 8:6.9.12.98+dfsg1-2 (bug #1036476) - [bookworm] - imagemagick (Minor issue) - [bullseye] - imagemagick (Minor issue) - [buster] - imagemagick (Minor issue) + [bookworm] - imagemagick (Vulnerable code was introduced later) + [bullseye] - imagemagick (Vulnerable code was introduced later) + [buster] - imagemagick (Vulnerable code was introduced later) NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/9a9896fce95d09e5e47b86baccbe1ce1a2fca76b (7.1.1-7) NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick6/commit/7e4c992f148afc5b28111e540921d5b6e4e38673 (6.9.12-85) CVE-2023-2156 (A flaw was found in the networking subsystem of the Linux kernel withi ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fcd73685be2e57f6802681cec476ae6c68807bb8
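Review bot: the commit message says the code was introduced "post trixie", but the hunk marks bookworm, bullseye and buster and trixie does not appear in the entry at all, so the message and the data disagree about which release boundary is meant. The three new reasons say only "Vulnerable code was introduced later" with nothing to compare against, while the NOTE lines give only the fixing commits (7.1.1-7 and 6.9.12-85). Add an `Introduced by:` NOTE with the upstream commit and version that brought in the vulnerable code, so "later" is anchored to a version that can be compared with what each release ships (the entry shows only the unstable fixed version 8:6.9.12.98+dfsg1-2).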
[Git][security-tracker-team/security-tracker][master] imagemagick/CVE-2022-3213
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits: 5977a1c8 by Bastien Roucariès at 2024-03-17T11:31:39+00:00
imagemagick/CVE-2022-3213
Vulnerable code (stripped TIFF) was introduced later. Same diagnostic by Ubuntu.
- - - - -
1 changed file: - data/CVE/list
Changes:
= data/CVE/list =
@@ -106273,9 +106273,9 @@ CVE-2022-3214 (Delta Industrial Automation's DIAEnergy, an industrial energy man NOT-FOR-US: Delta CVE-2022-3213 (A heap buffer overflow issue was found in ImageMagick. When an applica ...) - imagemagick 8:6.9.12.98+dfsg1-2 (bug #1021141) - [bookworm] - imagemagick (Minor issue) - [bullseye] - imagemagick (Minor issue) - [buster] - imagemagick (Minor issue) + [bookworm] - imagemagick (Vulnerable code was introduced later) + [bullseye] - imagemagick (Vulnerable code was introduced later) + [buster] - imagemagick (Vulnerable code was introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2126824 NOTE: https://github.com/ImageMagick/ImageMagick/commit/30ccf9a0da1f47161b5935a95be854fe84e6c2a2 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/1aea203eb36409ce6903b9e41fe7cb70030e8750 (6.9.12-62)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5977a1c8144cd0dc847b38fcd2fa610b9607e67f
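Review bot: the reasoning in the commit message (the stripped-TIFF code was introduced later; Ubuntu reached the same conclusion) is not carried into the data file, where the three new lines say only "Vulnerable code was introduced later". Put the introducing upstream commit in an `Introduced by:` NOTE and link the Ubuntu assessment, because the tracker web pages and the rest of the team read data/CVE/list, not git history. Minor: the ImageMagick6 fix is tagged (6.9.12-62) but the ImageMagick 7 fix commit in the NOTE above it carries no version tag; add one for consistency with the other entries edited in this series.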
[Git][security-tracker-team/security-tracker][master] Add myself to sendmail
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits: 5e695b37 by Bastien Roucariès at 2024-03-17T11:15:28+00:00
Add myself to sendmail
Sendmail status of SMTP smuggling is complicated. Add myself as in charge of this
- - - - -
1 changed file: - data/dsa-needed.txt
Changes:
= data/dsa-needed.txt =
@@ -97,6 +97,8 @@ ruby-tzinfo/oldstable -- salt/oldstable -- +sendmail (rouca) +-- samba/oldstable santiago started to backport patches to bullseye --
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e695b3704813c84c439ff829cbacb0f5f4c81ff
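Review bot: the entry is inserted between `salt/oldstable` and `samba/oldstable`, which breaks the alphabetical order the surrounding entries follow (ruby-tzinfo, salt, samba); it belongs after the samba block. It also carries no note, although the commit message says the SMTP smuggling status is complicated; the neighbouring samba entry records its state inline ("santiago started to backport patches to bullseye"), so add a line naming the CVE and what is still unclear. Finally, `sendmail (rouca)` has no suite suffix while both neighbours are `/oldstable`; say which suite the DSA is meant for so the entry is not read as stable-only.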
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3763-1 for curl
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits: 5f003d9d by Bastien Roucariès at 2024-03-17T09:22:54+00:00
Reserve DLA-3763-1 for curl
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
= data/CVE/list =
@@ -64149,7 +64149,6 @@ CVE-2023-27535 (An authentication bypass vulnerability exists in libcurl <8.0.0 CVE-2023-27534 (A path traversal vulnerability exists in curl <8.0.0 SFTP implementati ...) - curl 7.88.1-7 [bullseye] - curl 7.74.0-1.3+deb11u8 - [buster] - curl (Minor issue) NOTE: https://curl.se/docs/CVE-2023-27534.html NOTE: Introduced by: https://github.com/curl/curl/commit/ba6f20a2442ab1ebfe947cff19a552f92114a29a (curl-7_18_0) NOTE: Fixed by: https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 (curl-8_0_0)
= data/DLA/list =
@@ -1,3 +1,6 @@ +[17 Mar 2024] DLA-3763-1 curl - security update + {CVE-2023-27534} + [buster] - curl 7.64.0-4+deb10u9 [15 Mar 2024] DLA-3762-1 unadf - security update {CVE-2016-1243 CVE-2016-1244} [buster] - unadf 0.7.11a-4+deb11u1~deb10u1
= data/dla-needed.txt =
@@ -59,12 +59,6 @@ composer (rouca) NOTE: 20240315: DSA 5632-1 is out (Beuc/front-desk) NOTE: 20240316: Ask clarification about some fixes on DSA 5632-1 without CVE -- -curl (rouca) - NOTE: 20231229: Added by Front-Desk (lamby) - NOTE: 20231229: CVE-2023-27534 fixed in bullseye via DSA or point release. (lamby) - NOTE: 20240129: https://salsa.debian.org/debian/curl/-/merge_requests/21 (rouca) - NOTE: 20240312: test fix (rouca) --- dnsmasq (dleidert) NOTE: 20240303: Added by Front-Desk (apo) --
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f003d9d3fbf160ffc6753ddaa616a492a6e8445
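Review bot: the dla-needed.txt block being removed is the only place that records where the buster patch was reviewed, https://salsa.debian.org/debian/curl/-/merge_requests/21; a data/DLA/list entry cannot carry notes, and the CVE-2023-27534 entry in data/CVE/list keeps only the upstream Introduced-by and Fixed-by links. Keep the MR as a NOTE on the CVE entry so the buster backport stays traceable after the queue entry is gone. Dropping `[buster] - curl (Minor issue)` from data/CVE/list with nothing in its place is correct here, because the DLA line now records 7.64.0-4+deb10u9 as the buster fixed version and the tracker derives the buster status from that.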
[Git][security-tracker-team/security-tracker][master] Take sendmail
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits: c7a6472c by Bastien Roucariès at 2024-03-16T21:23:20+00:00
Take sendmail
- - - - -
1 changed file: - data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -267,7 +267,7 @@ runc samba NOTE: 20230918: Added by Front-Desk (apo) -- -sendmail +sendmail (rouca) NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20240213: Patch need to be extracted (rouca). Upstream does not publish patches (CVE-2023-51765) NOTE: 20240217: Patch extracted and being reviewed (rouca)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c7a6472c0478a3b9d1d0db752bd3a4a7d6de0e4f
[Git][security-tracker-team/security-tracker][master] Add more comment on php-composer
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits: fd5dce31 by Bastien Roucariès at 2024-03-16T21:15:41+00:00
Add more comment on php-composer
d/changelog includes some changes that may need backport to buster, even if all CVEs are closed
- - - - -
1 changed file: - data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -57,6 +57,7 @@ composer (rouca) NOTE: 20240304: Need to backport bullseye (rouca) NOTE: 20240312: likely not affected by CVE-2024-24821 (rouca) NOTE: 20240315: DSA 5632-1 is out (Beuc/front-desk) + NOTE: 20240316: Ask clarification about some fixes on DSA 5632-1 without CVE -- curl (rouca) NOTE: 20231229: Added by Front-Desk (lamby)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd5dce31ceaefb56cb174033245806e786490d13
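Review bot: the new note "Ask clarification about some fixes on DSA 5632-1 without CVE" lacks the author tag the adjacent notes carry and does not record what the commit message explains: that d/changelog lists changes which may need backporting to buster even though every CVE is closed. Put that in the note itself, e.g. `NOTE: 20240316: DSA 5632-1 changelog mentions fixes without a CVE; asked whether buster needs them (rouca)`, so the reason this entry stays in the queue survives without the git log.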
[Git][security-tracker-team/security-tracker][master] CVE-2024-24821
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits: 8d90a5cd by Bastien Roucariès at 2024-03-16T20:51:51+00:00
CVE-2024-24821
InstalledVersion feature was created in 2.0 so buster is not affected
- - - - -
1 changed file: - data/CVE/list
Changes:
= data/CVE/list =
@@ -9105,6 +9105,7 @@ CVE-2024-24825 (DIRAC is a distributed resource framework. In affected versions CVE-2024-24821 (Composer is a dependency Manager for the PHP language. In affected ver ...) {DSA-5632-1} - composer 2.7.1-1 (bug #1063603) + [buster] - composer (InstalledVersions feature is post version 2.0) NOTE: https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h NOTE: https://github.com/composer/composer/commit/64e4eb356b159a30c766cd1ea83450a38dc23bf5 (2.7.0) CVE-2024-24820 (Icinga Director is a tool designed to make Icinga 2 configuration hand ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8d90a5cd98407e46d22b9ec57e18345ab90aafea
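Review bot: the reason "(InstalledVersions feature is post version 2.0)" asserts that the feature is absent in buster without naming buster's composer version, and the entry shows only the unstable fixed version 2.7.1-1 and the upstream fix in 2.7.0; add the version buster ships, and ideally the upstream commit that introduced InstalledVersions, so the not-affected claim can be checked from the entry alone. The commit message calls the class "InstalledVersion" while the data line says "InstalledVersions"; the data line is the one that must match the upstream name, so verify it against the advisory linked in the NOTE.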
[Git][security-tracker-team/security-tracker][master] Retake curl
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits: 51bdeece by Bastien Roucariès at 2024-03-12T20:03:59+00:00
Retake curl
- - - - -
1 changed file: - data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -61,10 +61,11 @@ composer (rouca) NOTE: 20240304: Need to backport bullseye NOTE: 20240312: likely not affected by CVE-2024-24821 -- -curl +curl (rouca) NOTE: 20231229: Added by Front-Desk (lamby) NOTE: 20231229: CVE-2023-27534 fixed in bullseye via DSA or point release. (lamby) NOTE: https://salsa.debian.org/debian/curl/-/merge_requests/21 + NOTE: test fix -- dnsmasq (dleidert) NOTE: 20240303: Added by Front-Desk (apo)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/51bdeecea0c92cf2a6ed4c79fa17d2d5f837062d
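Review bot: `+ NOTE: test fix` has neither the `YYYYMMDD:` date prefix nor the author tag that the other notes in this block use, and "test fix" does not say what was tested or with what result; the undated `NOTE: https://salsa.debian.org/debian/curl/-/merge_requests/21` just above it has the same problem. Date and sign both, and state what the test covered (for example that the MR built and passed the test suite on buster), otherwise the next reader cannot tell whether the buster fix is ready for a DLA.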
[Git][security-tracker-team/security-tracker][master] php-composer/buster likely not affected by CVE-2024-24821
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits: 2b77f3a0 by Bastien Roucariès at 2024-03-12T19:58:01+00:00
php-composer/buster likely not affected by CVE-2024-24821
- - - - -
1 changed file: - data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -59,6 +59,7 @@ cinder composer (rouca) NOTE: 20240209: Added by Front-Desk (utkarsh) NOTE: 20240304: Need to backport bullseye + NOTE: 20240312: likely not affected by CVE-2024-24821 -- curl NOTE: 20231229: Added by Front-Desk (lamby)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b77f3a043064876c84d2d92eb9ae9df04979971
[Git][security-tracker-team/security-tracker][master] Retake composer
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits: 777c00a0 by Bastien Roucariès at 2024-03-04T15:34:16+00:00
Retake composer
- - - - -
1 changed file: - data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -60,8 +60,9 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -composer +composer (rouca) NOTE: 20240209: Added by Front-Desk (utkarsh) + NOTE: 20240304: Need to backport bullseye -- cpio NOTE: 20240303: Added by Front-Desk (apo)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/777c00a04218cd5f0d7999b9acfaac038a1605b4
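Review bot: `NOTE: 20240304: Need to backport bullseye` is ambiguous in the buster LTS queue: it can mean the bullseye fix must be backported to buster, or that bullseye itself still needs an update before buster can follow; say which, and name the upload or CVE being backported, because the entry otherwise carries only "Added by Front-Desk". The note also lacks the author tag used by the other notes in the file.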
[Git][security-tracker-team/security-tracker][master] Add a note about dla imagemagick
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits: 51d788e0 by Bastien Roucariès at 2024-02-27T21:52:58+00:00
Add a note about dla imagemagick
- - - - -
1 changed file: - data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -122,6 +122,7 @@ imagemagick NOTE: 20230622: Added by Front-Desk (Beuc) NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) NOTE: 20231014: Some work under git branch debian/buster but unease + NOTE: 20240227: Made a partial release -- jenkins-htmlunit-core-js NOTE: 20231231: Added by Front-Desk (lamby)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/51d788e0d76b0ae789e47de9492e95201f7d8ee5
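Review bot: `NOTE: 20240227: Made a partial release` names neither the advisory nor the CVEs the partial release covered, so a reader cannot tell which of the "remaining open CVEs" from the 20230622 note are still open; reference the DLA id, list the CVEs that were left out, and add the author tag, since without that the entry reads as if nothing happened since 20231014.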
[Git][security-tracker-team/security-tracker][master] CVE-2023-43907/OptiPNG fixed in 0.7.8+ds-1
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits: dae7f314 by Bastien Roucariès at 2024-02-22T13:38:13+00:00
CVE-2023-43907/OptiPNG fixed in 0.7.8+ds-1
Mark this CVE as fixed
- - - - -
1 changed file: - data/CVE/list
Changes:
= data/CVE/list =
@@ -26599,7 +26599,7 @@ CVE-2023-5112 (Os Commerce is currently susceptible to a Cross-Site Scripting (X CVE-2023-5111 (Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) v ...) NOT-FOR-US: Os Commerce CVE-2023-43907 (OptiPNG v0.7.7 was discovered to contain a global buffer overflow via ...) - - optipng (unimportant; bug #1055668) + - optipng 0.7.8+ds-1 NOTE: https://sourceforge.net/p/optipng/bugs/87/ NOTE: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/optipng-global-buffer-overflow1/optipng-global-buffer-overflow1.md NOTE: Crash in CLI tool, no security impact
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dae7f314618bf7e6ff7b69b6f9c3d4f8f0efb936
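Review bot: replacing `- optipng (unimportant; bug #1055668)` with `- optipng 0.7.8+ds-1` drops the Debian bug reference and the severity in the same edit; the tracker format keeps both next to a fixed version, so the line should read `- optipng 0.7.8+ds-1 (unimportant; bug #1055668)`. The severity is still justified by the NOTE that remains ("Crash in CLI tool, no security impact"), and keeping `unimportant` is what tells the tracker that the stable releases do not need an update for an issue the entry itself says has no security impact; without it the older releases will show up as affected and unfixed.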
[Git][security-tracker-team/security-tracker][master] CVE-2023-39978/imagemagick only mentioned on changelog not fixed
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits: 6ffd3d73 by Bastien Roucariès at 2024-02-22T09:38:40+00:00
CVE-2023-39978/imagemagick only mentioned on changelog not fixed
CVE-2023-39978 was fixed due to being introduced by fixes of other problems
- - - - -
1 changed file: - data/DLA/list
Changes:
= data/DLA/list =
@@ -1,5 +1,5 @@ [22 Feb 2024] DLA-3737-1 imagemagick - security update - {CVE-2023-1289 CVE-2023-5341 CVE-2023-34151 CVE-2023-39978} + {CVE-2023-1289 CVE-2023-5341 CVE-2023-34151} [buster] - imagemagick 8:6.9.10.23+dfsg-2.1+deb10u6 [21 Feb 2024] DLA-3736-1 unbound - security update {CVE-2023-50387 CVE-2023-50868}
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ffd3d733ffe48b438bd7d7a491647cfcad30735
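Review bot: removing CVE-2023-39978 from the DLA-3737-1 line leaves the buster status of that CVE undefined by this commit: if, as the commit message says, the vulnerable code only exists because of the fixes for other problems, then the CVE-2023-39978 entry in data/CVE/list needs a buster line stating that (not-affected, with the reason), otherwise the tracker shows the CVE as open for buster now that no DLA claims it. Also, if DLA-3737-1 was already mailed with the four CVEs, silently editing the list here leaves the published advisory text and the tracker disagreeing; a note in the CVE entry, or a corrected advisory, is the usual way to reconcile them.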
[Git][security-tracker-team/security-tracker][master] Keep imagemagick dla entry
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits: 857719c3 by Bastien Roucariès at 2024-02-22T09:25:51+00:00
Keep imagemagick dla entry
Imagemagick has a few CVEs that need more investigation
- - - - -
1 changed file: - data/dla-needed.txt
Changes:
= data/dla-needed.txt =
@@ -122,6 +122,11 @@ i2p NOTE: 20230809: Added by Front-Desk (Beuc) NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28 -- +imagemagick + NOTE: 20230622: Added by Front-Desk (Beuc) + NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) + NOTE: 20231014: Some work under git branch debian/buster but unease +-- iwd (Chris Lamb) NOTE: 20240218: Added by Front-Desk (lamby) --
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/857719c3751083b81fcfa97928f68895b1be9a8c
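Review bot: the re-added block has no claimant (`imagemagick` with no name after it) and its newest note is dated 20231014, while the commit message says a few CVEs still need investigation; add a dated note naming those CVEs and who is looking at them, otherwise front-desk will read the entry as stale and the reason it was kept after DLA-3737-1 is lost with the commit message.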
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3737-1 for imagemagick
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits: 2f250824 by Bastien Roucariès at 2024-02-22T09:25:02+00:00
Reserve DLA-3737-1 for imagemagick
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
= data/CVE/list =
@@ -56179,7 +56179,6 @@ CVE-2023-1289 (A vulnerability was discovered in ImageMagick where a specially c - imagemagick 8:6.9.12.98+dfsg1-2 [bookworm] - imagemagick (Minor issue) [bullseye] - imagemagick (Minor issue) - [buster] - imagemagick (Should be fixed together with some other CVEs) NOTE: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-j96m-mjp6-99xr NOTE: https://github.com/ImageMagick/ImageMagick/commit/c5b23cbf2119540725e6dc81f4deb25798ead6a4 (7.1.1-0) NOTE: https://github.com/ImageMagick/ImageMagick6/commit/706d381b7eb79927d328c96f7b7faab5dc109368 (6.9.12-78)
@@ -121834,7 +121833,6 @@ CVE-2023-34151 (A vulnerability was found in ImageMagick. This security flaw ouc - imagemagick 8:6.9.12.98+dfsg1-2 (bug #1036999) [bookworm] - imagemagick (Minor issue) [bullseye] - imagemagick (Minor issue) - [buster] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/6341 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/3d6d98d8a2be30d74172ab43b5b8e874d2deb158 (7.1.1-10) NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/133089f716f23ce0b80d89ccc1fd680960235512 (6.9.12-88)
= data/DLA/list =
@@ -1,3 +1,6 @@ +[22 Feb 2024] DLA-3737-1 imagemagick - security update + {CVE-2023-1289 CVE-2023-5341 CVE-2023-34151 CVE-2023-39978} + [buster] - imagemagick 8:6.9.10.23+dfsg-2.1+deb10u6 [21 Feb 2024] DLA-3736-1 unbound - security update {CVE-2023-50387 CVE-2023-50868} [buster] - unbound 1.9.0-2+deb10u4
= data/dla-needed.txt =
@@ -122,11 +122,6 @@ i2p NOTE: 20230809: Added by Front-Desk (Beuc) NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28 -- -imagemagick - NOTE: 20230622: Added by Front-Desk (Beuc) - NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) - NOTE: 20231014: Some work under git branch debian/buster but unease --- iwd (Chris Lamb) NOTE: 20240218: Added by Front-Desk (lamby) --
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f250824eeb595aa560a5d58364d4e7a120b09ac
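Review bot: the DLA line claims four CVEs (CVE-2023-1289 CVE-2023-5341 CVE-2023-34151 CVE-2023-39978) but the data/CVE/list hunks only remove the buster lines of CVE-2023-1289 and CVE-2023-34151; check that CVE-2023-5341 and CVE-2023-39978 have no leftover `[buster] - imagemagick (...)` line, because a remaining minor-issue or postponed line would contradict the advisory that now records 8:6.9.10.23+dfsg-2.1+deb10u6 as their fix. Removing the CVE-2023-1289 buster reason "Should be fixed together with some other CVEs" is right, since this DLA is exactly that combined fix. The dla-needed.txt block is deleted outright; if any CVE remains open for buster after this DLA, the entry should stay with a note rather than be removed.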
[Git][security-tracker-team/security-tracker][master] buster CVE-2023-3745/imagemagick
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits: fdc095e7 by Bastien Roucariès at 2024-02-22T09:16:52+00:00
buster CVE-2023-3745/imagemagick
Buster is not affected
- - - - -
1 changed file: - data/CVE/list
Changes:
= data/CVE/list =
@@ -36910,6 +36910,7 @@ CVE-2023-3748 (A flaw was found in FRRouting when parsing certain babeld unicast NOTE: https://github.com/FRRouting/frr/commit/0a95d121ca8e1f43d41d952d6c82d111ca850085 (frr-8.5) CVE-2023-3745 (A heap-based buffer overflow issue was found in ImageMagick's PushChar ...) - imagemagick 8:6.9.11.24+dfsg-1 + [buster] - imagemagick (vulnerable code was introduced later) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1857 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/7486477aa00c5c7856b111506da075b6cdfa8b73 (6.9.11-0) NOTE: https://github.com/ImageMagick/ImageMagick6/commit/b466a96965afc1308a4ace93f5535c2b770f294b (6.9.11-0)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fdc095e7f57bd523d624908fe5e554585060703b
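Review bot: the new reason "(vulnerable code was introduced later)" cannot be checked against the visible NOTE lines, which only date the fixing ImageMagick6 commits (6.9.11-0) and the unstable fix (8:6.9.11.24+dfsg-1); the buster version is not in the entry, so a reader cannot see that buster predates the code in question. Add the buster version or the introducing commit (the linked issue #1857 may identify it) to the reason, and capitalise "Vulnerable" to match the wording used in the other buster not-affected lines in this series.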
[Git][security-tracker-team/security-tracker][master] CVE-2022-1114
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits: e4e1232a by Bastien Roucariès at 2024-02-21T12:54:28+00:00
CVE-2022-1114
Tested against poc:
convert-im6.q16: insufficient image data in file `poc @ error/dcm.c/ReadDCMImage/3313.
convert-im6.q16: no images defined `/dev/null @ error/convert.c/ConvertImageCommand/3258.
- - - - -
1 changed file: - data/CVE/list
Changes:
= data/CVE/list =
@@ -135127,7 +135127,7 @@ CVE-2022-1115 (A heap-buffer-overflow flaw was found in ImageMagick\u2019s PushS CVE-2022-1114 (A heap-use-after-free flaw was found in ImageMagick's RelinquishDCMInf ...) - imagemagick 8:6.9.11.60+dfsg-1.5 (bug #1013282) [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 - [buster] - imagemagick (Minor issue) + [buster] - imagemagick (Vulnerable code not present, bail out early) [stretch] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/4947 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/78f03b619d08d7c2e0fcaccab407e3ac93c2ee8f
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e4e1232aa1a21f8511b8463070273070ce72fc07
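Review bot: the PoC run in the commit message (convert stopping with "insufficient image data" in ReadDCMImage before the freed structure is touched) is the evidence behind the new buster reason "(Vulnerable code not present, bail out early)", but none of it reaches the data file; add a NOTE with the buster version that was tested and the bail-out location (error/dcm.c/ReadDCMImage/3313) so the not-affected status can be re-verified when the package is next touched. The stretch line already uses the shorter "(Vulnerable code not present)"; keep the buster wording aligned with it and move the bail-out detail into the NOTE. Also, a PoC that errors out shows this sample does not reach the use-after-free, not that no input can; the reason should rest on the absence of the code path, which the NOTE can state explicitly.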
[Git][security-tracker-team/security-tracker][master] CVE-2023-3428: mark buster not affected
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits: fc5d8e94 by Bastien Roucariès at 2024-02-21T10:28:48+00:00
CVE-2023-3428: mark buster not affected
- - - - -
1 changed file: - data/CVE/list
Changes:
= data/CVE/list =
@@ -39655,6 +39655,7 @@ CVE-2023-3436 (Xpdf 4.04 will deadlock on a PDF object stream whose "Length" fie CVE-2023-3428 (A heap-based buffer overflow vulnerability was found in coders/tiff.c ...) [experimental] - imagemagick 8:6.9.12.98+dfsg1-1 - imagemagick 8:6.9.12.98+dfsg1-2 + [buster] - imagemagick (code is introduced later) NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/a531d28e31309676ce8168c3b6dbbb5374b78790 (7.1.1-13) NOTE: Prerequisite: https://github.com/ImageMagick/ImageMagick6/commit/2b4eabb9d09b278f16727c635e928bd951c58773 (6.9.12-55) NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick6/commit/0d00400727170b0540a355a1bc52787bc7bcdea5 (6.9.12-91)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc5d8e9465c5e6b2a263f823bf986851b6de14c9
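Review bot: `[buster] - imagemagick (code is introduced later)` uses a different wording from the other buster not-affected lines in this series ("Vulnerable code was introduced later") and gives no anchor; the visible `Prerequisite:` NOTE points at an ImageMagick6 commit tagged 6.9.12-55, which is a plausible candidate for the change that brought in the affected code path, so if that is the basis for the assessment say so in the reason, e.g. "(Vulnerable code introduced in 6.9.12-55)", and otherwise add the commit that was actually used.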
[Git][security-tracker-team/security-tracker][master] CVE-2023-1906 does not affect buster
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 7bc11732 by Bastien Roucariès at 2024-02-20T21:50:48+00:00 CVE-2023-1906 does not affect buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -50461,7 +50461,7 @@ CVE-2023-1906 (A heap-based buffer overflow issue was discovered in ImageMagick' - imagemagick 8:6.9.12.98+dfsg1-2 (bug #1034373) [bookworm] - imagemagick (Minor issue) [bullseye] - imagemagick (Minor issue) - [buster] - imagemagick (Minor issue) + [buster] - imagemagick (Vulnerable code introduced later) NOTE: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-35q2-86c7-9247 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/e30c693b37c3b41723f1469d1226a2c814ca443d (ImageMagick 6.9.12-84) CVE-2023-1905 (The WP Popups WordPress plugin before 2.1.5.1 does not properly escape ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7bc117326d801bcc63e66a2e288067e9d2175bb3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7bc117326d801bcc63e66a2e288067e9d2175bb3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
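Review bot: The buster reason becomes "Vulnerable code introduced later", yet the entry records only the fix commit (e30c693b..., ImageMagick 6.9.12-84) and not the commit that introduced the vulnerable code; add that as a NOTE so the claim is auditable. Note also that bullseye and bookworm keep "(Minor issue)": if the code appeared after buster but before bullseye, a NOTE naming the introducing release would also justify treating the three suites differently.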
[Git][security-tracker-team/security-tracker][master] Take composer
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: f7d650d8 by Bastien Roucariès at 2024-02-18T14:02:41+00:00 Take composer - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -52,7 +52,7 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -composer +composer (rouca) NOTE: 20240209: Added by Front-Desk (utkarsh) -- curl (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7d650d831e5df8c36495098aea0776de99f2258 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7d650d831e5df8c36495098aea0776de99f2258 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add a note on sendmail/dla
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: a81b52a4 by Bastien Roucariès at 2024-02-17T20:24:58+00:00 Add a note on sendmail/dla I have a patch that is private and being reviewed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -250,6 +250,7 @@ samba sendmail (rouca) NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20240213: Patch need to be extracted (rouca). Upstream does not publish patches + NOTE: 20240217: Patch extracted and being reviewed (rouca) -- squid NOTE: 20240109: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a81b52a46a1882d0c99f30c37eb459b710c4ef98 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a81b52a46a1882d0c99f30c37eb459b710c4ef98 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
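Review bot: The new NOTE says the patch is "being reviewed" but not by whom or where, and the commit message says the patch is private, so a follow-up worker has no way to find it. Record the review venue in the NOTE (upstream contact, list thread or MR), e.g. "NOTE: 20240217: Patch extracted, under private review with upstream (rouca)", and add the link once it becomes public. The preceding context line should also read "Patch needs to be extracted".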
[Git][security-tracker-team/security-tracker][master] Take sendmail
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 08b41d6f by Bastien Roucariès at 2024-02-13T22:42:57+00:00 Take sendmail - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -250,8 +250,9 @@ runc (dleidert) samba NOTE: 20230918: Added by Front-Desk (apo) -- -sendmail +sendmail (rouca) NOTE: 20231224: Added by Front-Desk (ta) + NOTE: 20240213: Patch need to be extracted (rouca). Upstream does not publish patches -- squid NOTE: 20240109: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/08b41d6fb4a8ec046ba51ee3207008fff483d2e1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/08b41d6fb4a8ec046ba51ee3207008fff483d2e1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
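Review bot: The added NOTE ("Patch need to be extracted (rouca). Upstream does not publish patches") does not say what the fix has to be extracted from (for example the diff between two upstream releases) nor which CVE(s) the DLA is meant to cover, so nobody else can pick the work up from this entry; add both. Grammar: "Patch needs to be extracted".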
[Git][security-tracker-team/security-tracker][master] Add note about CVE-2024-24557 for docker
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: f057785d by Bastien Roucariès at 2024-02-13T22:23:30+00:00 Add note about CVE-2024-24557 for docker - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -70,6 +70,7 @@ docker.io NOTE: 20230424: Is in preparation. (gladk) NOTE: 20230706: ask for review testing https://lists.debian.org/debian-lts/2023/07/msg00013.html NOTE: 20230801: rouca and santiago testing the swarm overlay network (including current buster version) + NOTE: 20240213: CVE-2024-24557 patch does not directly apply and lack of reproducer test case -- dogecoin NOTE: 20230619: Added by Front-Desk (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f057785dc371332a6dd18f119c5d7a1901079f3d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f057785dc371332a6dd18f119c5d7a1901079f3d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
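Review bot: The NOTE records that the CVE-2024-24557 patch does not apply and that no reproducer exists, but not the resulting decision for docker.io in buster (manual backport in progress, postponed, or ignored), so the entry reads as stalled; add the disposition. Grammar: "patch does not apply directly and there is no reproducer test case".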
[Git][security-tracker-team/security-tracker][master] CVE-2024-24557
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 603248c5 by Bastien Roucariès at 2024-02-13T22:25:52+00:00 CVE-2024-24557 Add note about existing workarround - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2349,8 +2349,10 @@ CVE-2024-24557 (Moby is an open-source project created by Docker to enable softw - docker.io [bookworm] - docker.io (Minor issue) [bullseye] - docker.io (Minor issue) + [buster] - docker.io (Minor issue with workarround) NOTE: https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae NOTE: https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc + NOTE: workarround exists CVE-2024-24062 (springboot-manager v1.6 is vulnerable to Cross Site Scripting (XSS) vi ...) NOT-FOR-US: springboot-manager CVE-2024-24061 (springboot-manager v1.6 is vulnerable to Cross Site Scripting (XSS) vi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/603248c555b8378b07c435a99dd6c3d47ee439d2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/603248c555b8378b07c435a99dd6c3d47ee439d2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
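Review bot: "workarround" is misspelled in both added lines, and "NOTE: workarround exists" neither says what the workaround is nor links to where it is described, so the "Minor issue" rating for buster cannot be checked; replace it with the concrete mitigation or a link to the advisory section that describes it. The buster reason text should also stay consistent with the bullseye and bookworm lines, which say "Minor issue" without qualification.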
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3732-1 for sudo
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b6222ed by Bastien Roucariès at 2024-02-03T09:05:40+00:00 Reserve DLA-3732-1 for sudo - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -50357,12 +50357,10 @@ CVE-2023-28488 (client.c in gdhcp in ConnMan through 1.41 could be used by netwo CVE-2023-28487 (Sudo before 1.9.13 does not escape control characters in sudoreplay ou ...) - sudo 1.9.13p1-1 [bullseye] - sudo (Minor issue) - [buster] - sudo (Minor issue) NOTE: https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca CVE-2023-28486 (Sudo before 1.9.13 does not escape control characters in log messages.) - sudo 1.9.13p1-1 [bullseye] - sudo (Minor issue) - [buster] - sudo (Minor issue) NOTE: https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca NOTE: https://github.com/sudo-project/sudo/commit/12648b4e0a8cf486480442efd52f0e0b6cab6e8b (fix a regression) CVE-2023-28485 (A stored cross-site scripting (Stored XSS) vulnerability in file previ ...) = data/DLA/list = @@ -1,3 +1,6 @@ +[03 Feb 2024] DLA-3732-1 sudo - security update + {CVE-2023-7090 CVE-2023-28486 CVE-2023-28487} + [buster] - sudo 1.8.27-1+deb10u6 [01 Feb 2024] DLA-3731-1 man-db - sandboxing fixes [buster] - man-db 2.8.5-2+deb10u1 [01 Feb 2024] DLA-3730-1 python-asyncssh - security update = data/dla-needed.txt = 
@@ -229,11 +229,6 @@ squid NOTE: 20240109: I ask for another pair of eyes for CVE-2023-5824. The fix NOTE: 20240109: appears to be intrusive. I could not locate the fix for CVE-2023-49288 yet. (apo) -- -sudo (rouca) - NOTE: 20231224: Added by Front-Desk (ta) - NOTE: 20240128: Wait for review by sudo team (rouca) - NOTE: 20240128: Ported test suite (rouca) --- suricata (Adrian Bunk) NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b6222ed8da2765e55a2ff7a292add3e35438dd2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b6222ed8da2765e55a2ff7a292add3e35438dd2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
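Review bot: The data/CVE/list hunk drops the buster "(Minor issue)" lines for CVE-2023-28487 and CVE-2023-28486, but the DLA-3732-1 entry also lists CVE-2023-7090 and this patch touches nothing for that CVE; check that its entry has no leftover buster line that would now contradict the fixed version 1.8.27-1+deb10u6 recorded in data/DLA/list.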
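Review bot: The removed dla-needed.txt notes say the sudo update was waiting for review by the sudo team and that a test suite had been ported, and neither outcome is recorded anywhere before the entry is deleted. A one-line NOTE on the CVE entries, or a sentence in the DLA text, stating whether upstream reviewed the backport and whether the ported tests pass keeps that information from being lost with this hunk.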
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3725-1 for postfix
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 08abd39d by Bastien Roucariès at 2024-01-30T12:42:03+00:00 Reserve DLA-3725-1 for postfix - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -6418,7 +6418,6 @@ CVE-2023-51764 (Postfix through 3.8.5 allows SMTP smuggling unless configured wi - postfix 3.8.4-1 (bug #1059230) [bookworm] - postfix (Minor issue; mitigations exist) [bullseye] - postfix (Minor issue; mitigations exist) - [buster] - postfix (Minor issue; mitigations exist) NOTE: https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/ NOTE: https://www.openwall.com/lists/oss-security/2023/12/21/6 NOTE: https://www.postfix.org/smtp-smuggling.html = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Jan 2024] DLA-3725-1 postfix - security update + {CVE-2023-51764} + [buster] - postfix 3.4.23-0+deb10u2 [29 Jan 2024] DLA-3724-1 pillow - security update {CVE-2023-50447} [buster] - pillow 5.4.1-2+deb10u4 = data/dla-needed.txt = @@ -178,9 +178,6 @@ nvidia-cuda-toolkit openjdk-11 (Emilio) NOTE: 20240121: Added by Front-Desk (apo) -- -postfix (rouca) - NOTE: 20240129: Added by Front-Desk (ta) --- putty (santiago) NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/08abd39d647ebcc5564e4f701b7f60fb28753a99 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/08abd39d647ebcc5564e4f701b7f60fb28753a99 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
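Review bot: After the data/CVE/list hunk, buster is the only suite with a fix for CVE-2023-51764 while bullseye and bookworm keep "(Minor issue; mitigations exist)". That is acceptable for an LTS update, but a NOTE giving the reason buster was updated despite the same mitigations being available would stop the asymmetry from reading as an oversight when the entry is revisited.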
[Git][security-tracker-team/security-tracker][master] Take postfix
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 8f690682 by Bastien Roucariès at 2024-01-29T18:29:07+00:00 Take postfix - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -181,7 +181,7 @@ openjdk-11 (Emilio) pillow (Chris Lamb) NOTE: 20240121: Added by Front-Desk (apo) -- -postfix +postfix (rouca) NOTE: 20240129: Added by Front-Desk (ta) -- putty (santiago) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f6906825796de45354b8bc51e80e00d215b7ede -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f6906825796de45354b8bc51e80e00d215b7ede You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add merge request on curl
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: f19faea2 by Bastien Roucariès at 2024-01-29T16:31:13+00:00 Add merge request on curl - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -57,6 +57,7 @@ cinder curl (rouca) NOTE: 20231229: Added by Front-Desk (lamby) NOTE: 20231229: CVE-2023-27534 fixed in bullseye via DSA or point release. (lamby) + NOTE: https://salsa.debian.org/debian/curl/-/merge_requests/21 -- dask.distributed NOTE: 20231228: Added by Front-Desk (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f19faea298b2764ccb50bfd737ba5cede76f2e2c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f19faea298b2764ccb50bfd737ba5cede76f2e2c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
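Review bot: The added line lacks the date and initials prefix that every other NOTE in this entry carries ("NOTE: 20231229: ... (lamby)"); write it as "NOTE: 20240129: MR for review: https://salsa.debian.org/debian/curl/-/merge_requests/21 (rouca)" so the timeline stays readable and it is clear whose merge request it is and what state it is in.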
[Git][security-tracker-team/security-tracker][master] Take curl
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: eb154028 by Bastien Roucariès at 2024-01-28T21:02:41+00:00 Take curl - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -53,7 +53,7 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -curl +curl (rouca) NOTE: 20231229: Added by Front-Desk (lamby) NOTE: 20231229: CVE-2023-27534 fixed in bullseye via DSA or point release. (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb154028231acac3b5c4b137b0bb6514ef89408f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb154028231acac3b5c4b137b0bb6514ef89408f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add note about sudo
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 2054e7b1 by Bastien Roucariès at 2024-01-28T14:32:22+00:00 Add note about sudo - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -258,6 +258,8 @@ squid -- sudo (rouca) NOTE: 20231224: Added by Front-Desk (ta) + NOTE: 20240128: Wait for review by sudo team (rouca) + NOTE: 20240128: Ported test suite (rouca) -- suricata (Adrian Bunk) NOTE: 20230620: Added by Front-Desk (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2054e7b1f1a530f72f9e8375b50d2ee02166ae42 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2054e7b1f1a530f72f9e8375b50d2ee02166ae42 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
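Review bot: "Wait for review by sudo team" gives no pointer to the review request, and "Ported test suite" does not say which tests were ported (upstream's regression tests for the fixed CVEs or the whole suite) or whether they pass on the buster build; add the link to the request and the test result so the next person can tell whether the update is blocked on upstream or ready to upload.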
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2023-22084/buster
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: d3ec6f26 by Bastien Roucariès at 2024-01-27T07:35:18+00:00 Add fixed version for CVE-2023-22084/buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -70840,6 +70840,7 @@ CVE-2023-22084 (Vulnerability in the MySQL Server product of Oracle MySQL (compo - mariadb-10.5 [bullseye] - mariadb-10.5 (Minor issue, will be fixed via point update) - mariadb-10.3 + [buster] - mariadb-10.3 1:10.3.39-0+deb10u2 - mysql-8.0 8.0.35-1 (bug #1055034) NOTE: Fixed in MariaDB: 11.2.2, 11.1.3, 11.0.4, 10.11.6, 10.10.7, 10.6.16, 10.5.23, 10.4.32 NOTE: https://github.com/MariaDB/server/commit/15ae97b1c2c14f1263cdc853673c4129625323de View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d3ec6f2686f402a7e1d20a395f21462308557b17 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d3ec6f2686f402a7e1d20a395f21462308557b17 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
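Review bot: A "[buster] - mariadb-10.3 1:10.3.39-0+deb10u2" line in data/CVE/list duplicates information the tracker normally takes from the DLA entry in data/DLA/list (DLA-3722-1 records the same version); release-specific version lines in CVE/list are the convention for fixes that ship without an advisory, such as point releases. Unless this fix is deliberately being recorded outside the DLA, the line is redundant and should be dropped; if it stays, the commit message should say why.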
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3722-1 for mariadb-10.3
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: a3ee8b68 by Bastien Roucariès at 2024-01-27T07:29:14+00:00 Reserve DLA-3722-1 for mariadb-10.3 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -217932,8 +217932,8 @@ CVE-2020-35878 (An issue was discovered in the ozone crate through 2020-07-04 fo CVE-2020-35877 (An issue was discovered in the ozone crate through 2020-07-04 for Rust ...) NOT-FOR-US: ozone rust crate CVE-2020-35876 (An issue was discovered in the rio crate through 2020-05-11 for Rust. ...) -- rust-rio (bug #1061577) -NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0021.html + - rust-rio (bug #1061577) + NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0021.html CVE-2020-35875 (An issue was discovered in the tokio-rustls crate before 0.13.1 for Ru ...) NOT-FOR-US: Rust crate tokio-rustls NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0019.html = data/DLA/list = @@ -1,3 +1,6 @@ +[27 Jan 2024] DLA-3722-1 mariadb-10.3 - security update + {CVE-2023-22084} + [buster] - mariadb-10.3 1:10.3.39-0+deb10u2 [25 Jan 2024] DLA-3721-1 xorg-server - security update {CVE-2023-6816 CVE-2024-0229 CVE-2024-0408 CVE-2024-0409 CVE-2024-21885 CVE-2024-21886} [buster] - xorg-server 2:1.20.4-1+deb10u13 = data/dla-needed.txt = 
@@ -154,10 +154,6 @@ linux (Ben Hutchings) linux-5.10 NOTE: 20231005: perma-added for LTS package-specific delegation (bwh) -- -mariadb-10.3 (rouca) - NOTE: 20231129: Added by Front-Desk (Beuc) - NOTE: 20240114: Contacted upstream about this particular CVE and that commit fix it (rouca) --- nova NOTE: 20230302: Re-add, request by maintainer (Beuc) NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a3ee8b68684a0594bb47ea4a03d5c650b358e50b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a3ee8b68684a0594bb47ea4a03d5c650b358e50b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
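Review bot: The first data/CVE/list hunk only re-indents the CVE-2020-35876 rust-rio lines (adding the leading space the tracker syntax expects) and has nothing to do with mariadb-10.3 or DLA-3722-1; the commit message does not mention it. Keep such syntax fixes in their own commit, or at least name them in the message, so a later bisect of the DLA reservation does not pick up an unrelated change.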
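Review bot: The removed mariadb-10.3 note says upstream was contacted on 20240114 about whether the fix commit really addresses this CVE, but upstream's answer is not recorded anywhere in this patch before the note is deleted; put the confirmation (or its absence) in a NOTE on the CVE-2023-22084 entry so the basis for shipping that commit as the fix survives the removal.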
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3714-1 for keystone
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: cb665e10 by Bastien Roucariès at 2024-01-21T21:10:41+00:00 Reserve DLA-3714-1 for keystone - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -173970,7 +173970,6 @@ CVE-2021-38156 (In Nagios XI before 5.8.6, XSS exists in the dashboard page (/da CVE-2021-38155 (OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1 ...) - keystone 2:19.0.0-3 (bug #992070) [bullseye] - keystone 2:18.0.0-3+deb11u1 - [buster] - keystone (Minor issue) [stretch] - keystone (Keystone not supported in stretch) NOTE: https://launchpad.net/bugs/1688137 CVE-2021-38165 (Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, whic ...) @@ -185515,7 +185514,6 @@ CVE-2021-3563 (A flaw was found in openstack-keystone. Only the first 72 charact - keystone 2:23.0.0-3 (bug #989998) [bookworm] - keystone (Minor issue) [bullseye] - keystone (Minor issue) - [buster] - keystone (Minor issue) [stretch] - keystone (Keystone is not supported in stretch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1962908 NOTE: https://bugs.launchpad.net/keystone/+bug/1901891 = data/DLA/list = @@ -1,3 +1,6 @@ +[21 Jan 2024] DLA-3714-1 keystone - security update + {CVE-2021-3563 CVE-2021-38155} + [buster] - keystone 2:14.2.0-0+deb10u2 [21 Jan 2024] DLA-3713-1 subunit - bugfix update [buster] - subunit 1.3.0-1+deb10u1 [17 Jan 2024] DLA-3712-1 kodi - security update = data/dla-needed.txt = 
@@ -120,11 +120,6 @@ jenkins-htmlunit-core-js jinja2 NOTE: 20240121: Added by Front-Desk (apo) -- -keystone (rouca) - NOTE: 20231102: Added by Front-Desk (lamby) - NOTE: 20231102: Sync (eg. CVE-2021-38155) with stable etc. (lamby) - NOTE: 20240105: FTBFS due to https://github.com/testing-cabal/subunit/pull/40 (rouca) --- knot-resolver (Markus Koschany) NOTE: 20231029: Added by Front-Desk (gladk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb665e10ab603d30151622402c6eef040868bcb4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb665e10ab603d30151622402c6eef040868bcb4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
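Review bot: Both data/CVE/list hunks just drop the buster "(Minor issue)" lines, which is correct once the DLA records the fix. While these entries are being touched, the two stretch lines use different wording ("Keystone not supported in stretch" and "Keystone is not supported in stretch") and could be made consistent.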
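Review bot: The removed dla-needed.txt note records that keystone failed to build because of a subunit problem (https://github.com/testing-cabal/subunit/pull/40), and the data/DLA/list hunk shows "DLA-3713-1 subunit - bugfix update" released the same day; that build-time dependency should be stated in the DLA-3714-1 text or in this commit message so anyone rebuilding the keystone update knows to take the subunit update first.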
[Git][security-tracker-team/security-tracker][master] CVE-2023-42465
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: b5542d69 by Bastien Roucariès at 2024-01-21T16:41:40+00:00 CVE-2023-42465 Add information about this hardening patch Moreover only a few part are relevant for debian due to using PAM - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5185,8 +5185,13 @@ CVE-2023-42465 (Sudo before 1.9.15 might allow row hammer attacks (for authentic - sudo 1.9.15p2-2 [bookworm] - sudo (Minor issue) [bullseye] - sudo (Minor issue) + [buster] - sudo (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/12/21/9 NOTE: https://github.com/sudo-project/sudo/commit/7873f8334c8d31031f8cfa83bd97ac6029309e4f (SUDO_1_9_15p1) + NOTE: it is more an hardening against hardware bug (rowhammer) than a security fix per se + NOTE: part of the code in the fix commit are not built because debian use PAM: plugins/sudoers/auth/sudo_auth.[ch] + NOTE: plugins/sudoers/lookup.c part was added in version 1.9.15 + NOTE: plugins/sudoers/match.c, part was added in 1.8.21 CVE-2023-7047 (Inadequate validation of permissions when employing remote tools and ...) NOT-FOR-US: Devolutions CVE-2023-7042 (A null pointer dereference vulnerability was found in ath10k_wmi_tlv_o ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5542d6949246c804483ef72d1d148be52715f83 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5542d6949246c804483ef72d1d148be52715f83 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
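Review bot: The four added NOTEs explain why most of the fix commit does not apply to buster (sudo_auth.[ch] not built under PAM, the lookup.c part only present from 1.9.15, the match.c part present since 1.8.21) but leave the conclusion implicit: the buster "(Minor issue)" line should say which part, apparently match.c alone, would be backported, or that no backport is planned. The notes also need grammar fixes, e.g. "it is more a hardening against a hardware bug (rowhammer) than a security fix per se", "parts of the fix commit are not built because Debian uses PAM", "the plugins/sudoers/lookup.c part was added in 1.9.15", "the plugins/sudoers/match.c part was added in 1.8.21".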
[Git][security-tracker-team/security-tracker][master] CVE-2015-8239
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: d1873a9c by Bastien Roucariès at 2024-01-21T12:44:36+00:00 CVE-2015-8239 Add commit for fix - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -497535,6 +497535,7 @@ CVE-2015-8239 (The SHA-2 digest support in the sudoers plugin in sudo after 1.8. [wheezy] - sudo (Command digests are only supported by version 1.8.7 or higher) [squeeze] - sudo (Command digests are only supported by version 1.8.7 or higher) NOTE: https://www.openwall.com/lists/oss-security/2015/11/10/2 + NOTE: https://www.sudo.ws/repos/sudo/rev/397722cdd7ec CVE-2015-8234 (The image signature algorithm in OpenStack Glance 11.0.0 allows remote ...) - glance (unimportant) CVE-2015-8219 (The init_tile function in libavcodec/jpeg2000dec.c in FFmpeg before 2. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d1873a9c45dd5306ad345b35aa1d3f6641f8a0bf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d1873a9c45dd5306ad345b35aa1d3f6641f8a0bf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
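Review bot: The added link is bare; the commit message says it is the fix commit, so the NOTE should say so, e.g. "NOTE: Fixed by: https://www.sudo.ws/repos/sudo/rev/397722cdd7ec", ideally with the sudo release that first carried it, in the "Fixed by:" form used for other entries. Placed next to the oss-security reference without a label, a reader cannot tell which of the two URLs is the fix.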
[Git][security-tracker-team/security-tracker][master] CVE-2023-28486
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: ee5aa032 by Bastien Roucariès at 2024-01-21T11:52:59+00:00 CVE-2023-28486 Add a new commit fixing a regression - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -47812,6 +47812,7 @@ CVE-2023-28486 (Sudo before 1.9.13 does not escape control characters in log mes [bullseye] - sudo (Minor issue) [buster] - sudo (Minor issue) NOTE: https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca + NOTE: https://github.com/sudo-project/sudo/commit/12648b4e0a8cf486480442efd52f0e0b6cab6e8b (fix a regression) CVE-2023-28485 (A stored cross-site scripting (Stored XSS) vulnerability in file previ ...) NOT-FOR-US: WeKan CVE-2023-28484 (In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can l ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ee5aa0327f76a65eba8a0388a8b63b6393d92835 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ee5aa0327f76a65eba8a0388a8b63b6393d92835 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
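Review bot: The new NOTE says the second commit (12648b4e...) fixes a regression but not what regressed, so a backporter cannot tell whether it affects only the log-message path of this CVE or also the sudoreplay output path of CVE-2023-28487; state what the regression was. Since CVE-2023-28487 cites the same fix commit (334daf92...), add the same regression note to that entry so both commits are backported together.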