[Git][security-tracker-team/security-tracker][master] Claim exim4 in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: d0f51fc2 by Markus Koschany at 2024-09-08T17:27:28+02:00 Claim exim4 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -57,7 +57,7 @@ espeak-ng (abhijith) NOTE: 20240816: Added by Front-Desk (Beuc) NOTE: 20240816: Follow fixes from bookworm 12.5 (5 CVEs) (Beuc/front-desk) -- -exim4 +exim4 (apo) NOTE: 20240815: Added by Front-Desk (Beuc) NOTE: 20240815: Follow fixes from bookworm 12.3 (2 CVEs) NOTE: 20240815: Consider fixing older postponed CVEs as well (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d0f51fc201787e90aa9d8feeda239aa608c928fe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d0f51fc201787e90aa9d8feeda239aa608c928fe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
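Review bot: the claim line uses the short handle "(apo)" whereas the same author's ffmpeg claim of 2024-08-18 in the same file uses "(Markus Koschany)"; the surrounding entries ("espeak-ng (abhijith)") show one identifier per person, so pick one form so that grepping dla-needed.txt for a claimant finds all of their packages. A dated NOTE such as "NOTE: 20240908: Claimed; will also look at the older postponed CVEs mentioned above (apo)" would also answer the open 20240815 suggestion in the context lines instead of leaving it dangling.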
[Git][security-tracker-team/security-tracker][master] Add tomcat9 to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: cc541b6b by Markus Koschany at 2024-09-08T17:23:17+02:00 Add tomcat9 to dla-needed.txt Sync bullseye with the upcoming buster update - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -203,6 +203,9 @@ thunderbird (Emilio) tinyproxy (Thorsten Alteholz) NOTE: 20240609: Added by oldstable Security Team (jmm) -- +tomcat9 (apo) + NOTE: 20240908: Added by (apo) +-- trafficserver (tobi) NOTE: 20240802: Added by oldstable Security Team (jmm) NOTE: 20240815: A bookworm DSA is planned (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc541b6ba6d3f3cfa3f026e622fab9e46dc01870 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc541b6ba6d3f3cfa3f026e622fab9e46dc01870 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
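Review bot: the new "NOTE: 20240908: Added by (apo)" records neither the role nor the reason; the context entries use "Added by Front-Desk (...)" or "Added by oldstable Security Team (jmm)", and the commit message's rationale ("Sync bullseye with the upcoming buster update") is exactly what the next person reading dla-needed.txt needs, yet it lives only in git history. Suggest naming the role as the neighbouring entries do and adding "NOTE: 20240908: Sync bullseye with the upcoming buster update (apo)" so the file is self-explanatory.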
[Git][security-tracker-team/security-tracker][master] Claim ffmpeg in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ca102fd by Markus Koschany at 2024-08-18T18:23:28+02:00 Claim ffmpeg in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -99,7 +99,7 @@ exim4 NOTE: 20240815: Follow fixes from bookworm 12.3 (2 CVEs) NOTE: 20240815: Consider fixing older postponed CVEs as well (Beuc/front-desk) -- -ffmpeg +ffmpeg (Markus Koschany) NOTE: 20240815: Added by Front-Desk (Beuc) NOTE: 20240815: Upgrade to 4.3.8 (same approach as DSA-5748-1) (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ca102fd0a191a65f47bc5a2395f7512c2882f39 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ca102fd0a191a65f47bc5a2395f7512c2882f39 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim ffmpeg in dsa-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 557eedc3 by Markus Koschany at 2024-08-10T22:58:19+02:00 Claim ffmpeg in dsa-needed.txt and prepare new upstream release 5.1.6 for bookworm. - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -26,7 +26,7 @@ cinder dnsmasq Lee Garrett showed interest to prepare an update for review -- -ffmpeg/stable +ffmpeg/stable (apo) update to 5.1.6 -- frr View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/557eedc3a1279c588f7e41b6137828c21e83c736 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/557eedc3a1279c588f7e41b6137828c21e83c736 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-50387,pdns-recursor: link to fixing commit
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 46111c4a by Markus Koschany at 2024-08-02T10:53:38+02:00 CVE-2023-50387,pdns-recursor: link to fixing commit for the record - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -51969,6 +51969,7 @@ CVE-2023-50387 (Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4 NOTE: https://github.com/CZ-NIC/knot-resolver/commit/feb65eb97b93f0f024d70c7f5f6cbc6802ba02ec (v5.7.1) NOTE: https://github.com/CZ-NIC/knot-resolver/commit/cc5051b4441307d9b262fa382bc715391112ddbb (v5.7.1) NOTE: https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released + NOTE: Fixed by https://github.com/PowerDNS/pdns/pull/13781 NOTE: https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ NOTE: https://nlnetlabs.nl/downloads/unbound/CVE-2023-50387_CVE-2023-50868.txt NOTE: Fixed by: https://github.com/NLnetLabs/unbound/commit/882903f2fa800c4cb6f5e225b728e2887bb7b9ae (release-1.19.1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46111c4a34862658b7732e28b5b8127d1c160f45 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46111c4a34862658b7732e28b5b8127d1c160f45 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
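Review bot: the added "NOTE: Fixed by https://github.com/PowerDNS/pdns/pull/13781" deviates from the adjacent "NOTE: Fixed by: <commit> (release-1.19.1)" form in two ways: the colon after "Fixed by" is missing, and a pull request is recorded instead of the merged commit(s) and the release that first shipped them. A PR can contain several commits and this NOTE is what a backporter will use to locate the fix, so the commit ids plus the rec version (the preceding NOTE already links the 4.8.6/4.9.3/5.0.2 release post) would make the entry self-contained.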
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3854-1 for tryton-client
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 9d517c80 by Markus Koschany at 2024-06-30T23:58:54+02:00 Reserve DLA-3854-1 for tryton-client - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,4 @@ +[30 Jun 2024] DLA-3854-1 tryton-client - security update [30 Jun 2024] DLA-3853-1 tryton-server - security update [30 Jun 2024] DLA-3852-1 edk2 - security update {CVE-2023-48733} = data/dla-needed.txt = @@ -257,11 +257,6 @@ tinymce NOTE: 20231216: upstream's patch is backportable, as the code has changed a NOTE: 20231216: lot. (spwhitton) -- -tryton-client (Markus Koschany) - NOTE: 20240618: Added by coordinator (santiago) - NOTE: 20240618: bookworm pu by maintainer was accepted. LTS Team should take care of bullseye pu along with buster, as suggested by maintainer (santiago) - NOTE: 20240618: https://salsa.debian.org/tryton-team/tryton-client/-/commit/dfa889381d572f5ee229c3eec32cbdff8084d36c --- varnish NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d517c808545444c5922ed7271550a13c7268c17 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d517c808545444c5922ed7271550a13c7268c17 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
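Review bot: the reserved entry "[30 Jun 2024] DLA-3854-1 tryton-client - security update" carries no "{CVE-...}" line and no "[buster] - tryton-client <version>" line, while DLA-3852-1 edk2 two lines below already lists {CVE-2023-48733}. With the dla-needed.txt block (and its only pointer, the tryton-team commit dfa88938) removed in the same commit, nothing in the tracker now ties this DLA to a CVE; add the CVE set and the buster version at reservation time, or keep the NOTE lines until the entry is complete.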
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3853-1 for tryton-server
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 183742e9 by Markus Koschany at 2024-06-30T23:58:46+02:00 Reserve DLA-3853-1 for tryton-server - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,4 @@ +[30 Jun 2024] DLA-3853-1 tryton-server - security update [30 Jun 2024] DLA-3852-1 edk2 - security update {CVE-2023-48733} [30 Jun 2024] DLA-3851-1 gunicorn - security update = data/dla-needed.txt = 
@@ -262,13 +262,6 @@ tryton-client (Markus Koschany) NOTE: 20240618: bookworm pu by maintainer was accepted. LTS Team should take care of bullseye pu along with buster, as suggested by maintainer (santiago) NOTE: 20240618: https://salsa.debian.org/tryton-team/tryton-client/-/commit/dfa889381d572f5ee229c3eec32cbdff8084d36c -- -tryton-server (Markus Koschany) - NOTE: 20240421: Added by Front-Desk (apo) - NOTE: 20240421: Fix causes regressions in tryton client. Waiting for that - NOTE: 20240421: being resolved upstream. - NOTE: 20240618: Regressions fixed. bookworm pu by maintainer was accepted. LTS Team should take care of bullseye pu along with buster, as suggested by maintainer (santiago) - NOTE: 20240618: https://salsa.debian.org/tryton-team/tryton-server/-/commit/952e147d7732be208d0911d48886380308883498 --- varnish NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/183742e93fedacdf30ed3e74aa317a00db68db55 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/183742e93fedacdf30ed3e74aa317a00db68db55 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
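Review bot: same gap as the tryton-client reservation: "DLA-3853-1 tryton-server - security update" has neither a {CVE} line nor a "[buster] - tryton-server <version>" line. The removed NOTEs also document that the server fix caused regressions in tryton-client until 20240618; that coupling between DLA-3853-1 and DLA-3854-1 is worth one sentence in the announcement text so that a user who installs only one of the two updates knows to take both.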
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3852-1 for edk2
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 0ca8c9bd by Markus Koschany at 2024-06-30T23:58:32+02:00 Reserve DLA-3852-1 for edk2 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[30 Jun 2024] DLA-3852-1 edk2 - security update + {CVE-2023-48733} [30 Jun 2024] DLA-3851-1 gunicorn - security update {CVE-2024-1135} [30 Jun 2024] DLA-3850-1 glibc - security update = data/dla-needed.txt = @@ -71,11 +71,6 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- -edk2 (Markus Koschany) - NOTE: 20231230: Added by Front-Desk (lamby) - NOTE: 20231230: CVE-2019-11098 fixed via bullseye 11.2 (lamby) - NOTE: 20240312: CVE-2023-48733 fixed via DSA-5624-1 (Beuc/front-desk) --- firmware-nonfree NOTE: 20240502: Added by Front-Desk (Beuc) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0ca8c9bd6058ecee87ec65abef79e27979194daf -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0ca8c9bd6058ecee87ec65abef79e27979194daf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
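Review bot: DLA-3852-1 lists only {CVE-2023-48733}, but the removed NOTE "CVE-2019-11098 fixed via bullseye 11.2 (lamby)" points at a second CVE that was fixed in bullseye and may therefore still be open in buster. If the upload covers it, it belongs in the braces; if not, the CVE/list entry for CVE-2019-11098 should carry an explicit buster state so the issue does not silently vanish together with the dla-needed block. The "[buster] - edk2 <version>" line that DLA-3850-1 glibc has in the same hunk is also missing here.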
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3851-1 for gunicorn
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 5c9cf6b6 by Markus Koschany at 2024-06-30T23:58:02+02:00 Reserve DLA-3851-1 for gunicorn - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[30 Jun 2024] DLA-3851-1 gunicorn - security update + {CVE-2024-1135} [30 Jun 2024] DLA-3850-1 glibc - security update {CVE-2024-33599 CVE-2024-33600 CVE-2024-33601 CVE-2024-33602} [buster] - glibc 2.28-10+deb10u4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5c9cf6b6ed0ef48bf8a60f73de1b15c9dc04e1e6 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5c9cf6b6ed0ef48bf8a60f73de1b15c9dc04e1e6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
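Review bot: the gunicorn entry has the CVE line but no "[buster] - gunicorn <version>" line, unlike DLA-3850-1 glibc directly below ("[buster] - glibc 2.28-10+deb10u4"); the version line is what lets tooling and users confirm that an installed package is the fixed one, so add it as soon as the upload is accepted.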
[Git][security-tracker-team/security-tracker][master] 2 commits: Claim edk2 and docker.io in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 753f5e94 by Markus Koschany at 2024-06-27T18:35:52+02:00 Claim edk2 and docker.io in dla-needed.txt - - - - - 48c569e6 by Markus Koschany at 2024-06-27T18:37:56+02:00 Reserve DLA-3845-1 for dlt-daemon - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[27 Jun 2024] DLA-3845-1 dlt-daemon - security update + {CVE-2022-39836 CVE-2022-39837 CVE-2023-26257 CVE-2023-36321} + [buster] - dlt-daemon 2.18.0-1+deb10u2 [26 Jun 2024] DLA-3844-1 git - security update {CVE-2019-1387 CVE-2023-25652 CVE-2023-25815 CVE-2023-29007 CVE-2024-32002 CVE-2024-32004 CVE-2024-32021 CVE-2024-32465} [buster] - git 1:2.20.1-2+deb10u9 = data/dla-needed.txt = @@ -49,13 +49,6 @@ cyrus-imapd dcmtk (Adrian Bunk) NOTE: 20240428: Added by Front-Desk (ta) -- -dlt-daemon (Markus Koschany) - NOTE: 20240519: Added by Front-Desk (utkarsh) - NOTE: 20240519: 1 buffer-overflow, 1 memory leak, and 2 crashes. I think we - NOTE: 20240519: can postpone these but I am in split mind. Will take it myself - NOTE: 20240519: and decide further. (utkarsh) - NOTE: 20240610: somebody should take it from here. (utkarsh) --- dns-root-data (santiago) NOTE: 20240607: Added by coordinator (santiago) NOTE: 20240607: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054393 @@ -67,7 +60,7 @@ dnsmasq NOTE: 20240327: Claimed by lamby, started thread on deblts-team. (lamby) NOTE: 20240403: Re-assigned back to dleidert; see thread on deblts-team list. (lamby) -- -docker.io +docker.io (Markus Koschany) NOTE: 20230303: Added by Front-Desk (Beuc) NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) NOTE: 20230424: Is in preparation. (gladk) 
@@ -85,7 +78,7 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- -edk2 +edk2 (Markus Koschany) NOTE: 20231230: Added by Front-Desk (lamby) NOTE: 20231230: CVE-2019-11098 fixed via bullseye 11.2 (lamby) NOTE: 20240312: CVE-2023-48733 fixed via DSA-5624-1 (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0ebcf4e1fac473a2b3644d2510dd9f813c925583...48c569e6a2c215afff86dac6527b1b68ef2fd5ee -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0ebcf4e1fac473a2b3644d2510dd9f813c925583...48c569e6a2c215afff86dac6527b1b68ef2fd5ee You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
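Review bot: docker.io is claimed by "(Markus Koschany)" while the last NOTE in the context still reads "NOTE: 20230424: Is in preparation. (gladk)"; without a dated hand-over NOTE ("NOTE: 20240627: Taking over from gladk (apo)" or similar) two people may end up preparing the same update. The edk2 claim in the last hunk has the same gap. The DLA-3845-1 dlt-daemon entry in the first hunk is the model to follow: CVE set and "[buster] - dlt-daemon 2.18.0-1+deb10u2" recorded together at reservation time.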
[Git][security-tracker-team/security-tracker][master] Fix CVE-2024-29025,netty entry in security tracker
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 2d9b1ee6 by Markus Koschany at 2024-06-21T23:44:19+02:00 Fix CVE-2024-29025,netty entry in security tracker - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -17,7 +17,7 @@ [buster] - roundcube 1.3.17+dfsg.1-1~deb10u6 [17 Jun 2024] DLA-3834-1 netty - security update {CVE-2024-29025} - [buster] - unbound 1.9.0-2+deb10u5 + [buster] - netty 1:4.1.33-1+deb10u5 [17 Jun 2024] DLA-3833-1 php7.3 - security update {CVE-2024-5458} [buster] - php7.3 7.3.31-1~deb10u7 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d9b1ee63365ddbeea6e8ac3223a69a593553c6d -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d9b1ee63365ddbeea6e8ac3223a69a593553c6d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
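Review bot: this corrects a "[buster] - unbound 1.9.0-2+deb10u5" line that survived the DLA-3834-1 reassignment pushed 42 minutes earlier (23:02 vs 23:44), so for that interval DLA/list announced a netty DLA with an unbound version string. When a DLA number moves between packages, the header, the {CVE} line and the [buster] version line form one unit and should change in one commit; a grep for the old package name under the renumbered header would have caught this before the push.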
[Git][security-tracker-team/security-tracker][master] 6 commits: Reassign DLA-3834-1 to netty from unbound
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b9097a0 by Markus Koschany at 2024-06-21T23:02:02+02:00 Reassign DLA-3834-1 to netty from unbound Assigning DLA-3834-1 to unbound was premature. Fix that by using the number for netty. - - - - - aad481bc by Markus Koschany at 2024-06-21T23:02:02+02:00 Remove netty from dla-needed.txt - - - - - 5593e2fa by Markus Koschany at 2024-06-21T23:02:03+02:00 CVE-2024-33655,unbound: mark buster as ignored. Reasoning: Unbound itself is not affected by the DoS attack but it could be part of a distributed denial of service attack against other services/servers provided all conditions are met which is non-trivial to do. Ideally we could fix this scenario too. However the patch introduced new configuration options which in turn rely on features which are not present in 1.9. For instance there is no cookie support and there is also no distinction when unbound is used in a proxy scenario. My patch removed the cookie part of the patch and ignored the remote_addr / client_addr part and just used the UDP IP addr. I don't feel confident enough that this is a proper solution to the problem though. Since there is no imminent risk for unbound users I am going to mark this problem as ignored. - - - - - fc60451a by Markus Koschany at 2024-06-21T23:02:05+02:00 CVE-2024-33869,CVE-2024-33870,ghostscript: buster is not affected The gp_validate_path_len function was introduced later. - - - - - 0a202c98 by Markus Koschany at 2024-06-21T23:02:05+02:00 Return ghostscript and let someone else double-check the package. - - - - - 01d5f4db by Markus Koschany at 2024-06-21T23:13:20+02:00 Claim tryton and dlt-daemon in dla-needed.txt - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = 
@@ -15350,8 +15350,8 @@ CVE-2024-0445 (The The Plus Addons for Elementor plugin for WordPress is vulnera CVE-2023-6327 (The ShopLentor (formerly WooLentor) plugin for WordPress is vulnerable ...) NOT-FOR-US: WordPress plugin CVE-2024-33655 (The DNS protocol in RFC 1035 and updates allows remote attackers to ca ...) - {DLA-3834-1} - unbound 1.20.0-1 + [buster] - unbound (Not affected by DoS, intrusive changes) NOTE: https://nlnetlabs.nl/downloads/unbound/CVE-2024-33655.txt NOTE: Fixed by: https://github.com/NLnetLabs/unbound/commit/c3206f4568f60c486be6d165b1f2b5b254fea3de (release-1.20.0rc1) CVE-2024-4693 (A flaw was found in the QEMU Virtio PCI Bindings (hw/virtio/virtio-pci ...) @@ -15424,12 +15424,14 @@ CVE-2024-33871 CVE-2024-33870 {DSA-5692-1} - ghostscript 10.03.1~dfsg~git20240518-1 + [buster] - ghostscript (The vulnerable code was introduced later) NOTE: https://ghostscript.readthedocs.io/en/gs10.03.1/News.html NOTE: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=79aef19c685984dc3da2dc090450407d9fbcff80 (ghostpdl-10.03.1) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=707686 CVE-2024-33869 {DSA-5692-1} - ghostscript 10.03.1~dfsg~git20240518-1 + [buster] - ghostscript (The vulnerable code was introduced later) NOTE: https://ghostscript.readthedocs.io/en/gs10.03.1/News.html NOTE: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=5ae2e320d69a7d0973011796bd388cd5befa1a43 (ghostpdl-10.03.1) NOTE: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f5336e5b4154f515ac83bc5b9eba94302e6618d4 (ghostpdl-10.03.1) 
@@ -31093,10 +31095,10 @@ CVE-2024-29650 (An issue in @thi.ng/paths v.5.1.62 and before allows a remote at CVE-2024-29515 (File Upload vulnerability in lepton v.7.1.0 allows a remote authentica ...) NOT-FOR-US: Lepton CMS CVE-2024-29025 (Netty is an asynchronous event-driven network application framework fo ...) + {DLA-3834-1} - netty 1:4.1.48-10 (bug #1068110) [bookworm] - netty (Minor issue, fix along with future update) [bullseye] - netty (Minor issue, fix along with future update) - [buster] - netty (Minor issue, HTTP multipart DoS, fix along with future update) NOTE: https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v NOTE: https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c (netty-4.1.108.Final) NOTE: https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3 = data/DLA/list = @@ -15,8 +15,8 @@ [17 Jun 2024] DLA-3835-1 roundcube - security update {CVE-2024-37383 CVE-2024-37384} [buster] - roundcube 1.3.17+dfsg.1-1~deb10u6 -[17 Jun 2024] DLA-3834-1 unbound - security update - {CVE-2024-33655} +[17 Jun 2024] DLA-3834-1 netty - security update + {CVE-2024-
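Review bot: the buster line for CVE-2024-33655, "[buster] - unbound (Not affected by DoS, intrusive changes)", compresses the commit message's reasoning into two half-reasons that a later triager can misread as a not-affected verdict. The commit message is precise: unbound 1.9 lacks DNS cookie support and the proxy remote_addr/client_addr distinction that the upstream patch relies on, and the reduced backport was judged not trustworthy. Put that in the reason text ("upstream fix needs cookie support absent in 1.9; reduced backport not trusted"), and since the package can still take part in amplification against third parties, keep the attempted patch referenced so the decision can be revisited if a 1.9-compatible fix appears.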
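Review bot: the two ghostscript lines "[buster] - ghostscript (The vulnerable code was introduced later)" for CVE-2024-33869 and CVE-2024-33870 state a conclusion without the evidence; the commit message names gp_validate_path_len as the function that was added later. Naming that function, or the upstream commit that introduced it, in the reason text makes the not-affected claim verifiable without redoing the analysis.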
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3834-1 for unbound
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: f4337c4d by Markus Koschany at 2024-06-17T13:56:38+02:00 Reserve DLA-3834-1 for unbound - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[17 Jun 2024] DLA-3834-1 unbound - security update + {CVE-2024-33655} + [buster] - unbound 1.9.0-2+deb10u5 [17 Jun 2024] DLA-3833-1 php7.3 - security update {CVE-2024-5458} [buster] - php7.3 7.3.31-1~deb10u7 = data/dla-needed.txt = @@ -329,9 +329,6 @@ tryton-server NOTE: 20240421: Fix causes regressions in tryton client. Waiting for that NOTE: 20240421: being resolved upstream. -- -unbound (Markus Koschany) - NOTE: 20240609: Added by Front-Desk (apo) --- varnish NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f4337c4dcac90af693bb664f7cd2593622ddcffd -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f4337c4dcac90af693bb664f7cd2593622ddcffd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
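Review bot: the number is reserved one day after the package was claimed, and the entry's only NOTE is "Added by Front-Desk (apo)" with no status; four days later (commit 2b9097a0, "Assigning DLA-3834-1 to unbound was premature") the number had to be reassigned to netty and the CVE was marked ignored for buster. Reserving a DLA id only once the upload is built and tested, and recording the status in dla-needed.txt before the reservation, avoids an already-visible id changing package.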
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3833-1 for php7.3
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: ae28f679 by Markus Koschany at 2024-06-17T13:55:39+02:00 Reserve DLA-3833-1 for php7.3 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[17 Jun 2024] DLA-3833-1 php7.3 - security update + {CVE-2024-5458} + [buster] - php7.3 7.3.31-1~deb10u7 [17 Jun 2024] DLA-3832-1 pymongo - security update {CVE-2024-5629} [buster] - pymongo 3.7.1-1.1+deb10u1 = data/dla-needed.txt = @@ -239,9 +239,6 @@ pdns-recursor NOTE: 20240306: Added by Front-Desk (opal) NOTE: 20240319: Upload postponed due to #1067124 (dleidert) -- -php7.3 (Markus Koschany) - NOTE: 20240609: Added by Front-Desk (apo) --- putty (rouca) NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20240104: massive code change against bullseye. May be better to backport bullseye (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ae28f6797ab92d59a0fd2b12ddffb3b165f710e7 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ae28f6797ab92d59a0fd2b12ddffb3b165f710e7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim unbound in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 70301ea3 by Markus Koschany at 2024-06-10T09:59:02+02:00 Claim unbound in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -360,7 +360,7 @@ tryton-server NOTE: 20240421: Fix causes regressions in tryton client. Waiting for that NOTE: 20240421: being resolved upstream. -- -unbound +unbound (Markus Koschany) NOTE: 20240609: Added by Front-Desk (apo) -- varnish View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/70301ea3e1b6f2907f06377d38f51fec2d007950 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/70301ea3e1b6f2907f06377d38f51fec2d007950 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 15 commits: CVE-2024-36843,CVE-2024-36844,CVE-2024-36845,libmodbus: buster is postponed
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 909bbef3 by Markus Koschany at 2024-06-10T07:36:28+02:00 CVE-2024-36843,CVE-2024-36844,CVE-2024-36845,libmodbus: buster is postponed Minor issues which can be fixed later. - - - - - 19139250 by Markus Koschany at 2024-06-10T07:39:06+02:00 Triage open bluez issues as postponed for buster Re-visit when those problems are fixed by upstream - - - - - 46bf884c by Markus Koschany at 2024-06-10T07:44:20+02:00 CVE-2024-22871,clojure: buster is postponed Minor issue - - - - - 577206c1 by Markus Koschany at 2024-06-10T07:46:05+02:00 CVE-2024-37408,fprintd: buster is postponed Minor usability issue - - - - - 46a48c63 by Markus Koschany at 2024-06-10T07:50:41+02:00 Triage open freerdp2 issues for buster as postponed Re-visit when they have been fixed in later Debian distributions and unstable. - - - - - 83702ad5 by Markus Koschany at 2024-06-10T07:53:15+02:00 CVE-2022-4968,netplan.io: buster is postponed Minor issue - - - - - 68718b88 by Markus Koschany at 2024-06-10T07:54:37+02:00 CVE-2024-34083,python-aiosmtpd: buster is postponed Minor issue - - - - - 36fdba70 by Markus Koschany at 2024-06-10T07:59:39+02:00 CVE-2024-36048,qtnetworkauth-everywhere-src: buster is postponed Minor issue - - - - - a337e8ec by Markus Koschany at 2024-06-10T08:02:50+02:00 CVE-2024-5206,scikit-learn: buster is postponed Minor issue - - - - - 85e34bf2 by Markus Koschany at 2024-06-10T08:04:44+02:00 CVE-2024-5138,snapd: buster is not-affected The vulnerable code was introduced later in 2021. https://github.com/snapcore/snapd/commit/dc45262288a14679201c916ac1f7aab54e722e9a - - - - - 95d96ccd by Markus Koschany at 2024-06-10T08:08:12+02:00 Add sredird to dla-needed.txt Let's fix this long-standing problem. 
- - - - - d64278d1 by Markus Koschany at 2024-06-10T08:10:43+02:00 CVE-2024-37535,vte,vte2.91: buster is postponed Minor issue - - - - - 1b44130b by Markus Koschany at 2024-06-10T08:16:44+02:00 Add mariadb-10.3 to dla-needed.txt - - - - - 2075b99f by Markus Koschany at 2024-06-10T08:18:04+02:00 CVE-2024-24789,CVE-2024-24790,golang-1.11: buster is postponed Minor issues - - - - - 482cdde5 by Markus Koschany at 2024-06-10T08:20:20+02:00 Claim php7.3 in dla-needed.txt Update status of netty and ghostscript - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -192,9 +192,11 @@ CVE-2024-37535 (GNOME VTE before 0.76.3 allows an attacker to cause a denial of - vte [bookworm] - vte (Minor issue) [bullseye] - vte (Minor issue) + [buster] - vte (Minor issue) - vte2.91 [bookworm] - vte2.91 (Minor issue) [bullseye] - vte2.91 (Minor issue) + [buster] - vte2.91 (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/vte/-/issues/2786 NOTE: https://www.openwall.com/lists/oss-security/2024/06/09/1 NOTE: https://gitlab.gnome.org/GNOME/vte/-/commit/fd5511f24b7269195a7083f409244e9787c705dc (master) @@ -223,6 +225,7 @@ CVE-2024-37408 (fprintd through 1.94.3 lacks a security attention mechanism, and - fprintd (bug #1072854) [bookworm] - fprintd (Minor issue) [bullseye] - fprintd (Minor issue) + [buster] - fprintd (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2024/05/30/3 NOTE: https://lists.freedesktop.org/archives/fprint/2024-May/001231.html CVE-2024-37407 (Libarchive before 3.7.4 allows name out-of-bounds access when a ZIP ar ...) 
@@ -647,6 +650,7 @@ CVE-2022-4968 (netplan leaks the private key of wireguard to local users. A secu - netplan.io (bug #1072789) [bookworm] - netplan.io (Minor issue) [bullseye] - netplan.io (Minor issue) + [buster] - netplan.io (Minor issue) NOTE: https://bugs.launchpad.net/netplan/+bug/1987842 NOTE: https://bugs.launchpad.net/ubuntu/+source/netplan.io/+bug/2065738 CVE-2024-5684 (An attacker with access to the private network (the charger is connect ...) @@ -728,6 +732,7 @@ CVE-2024-5206 (A sensitive data leakage vulnerability was identified in scikit-l - scikit-learn [bookworm] - scikit-learn (Minor issue) [bullseye] - scikit-learn (Minor issue) + [buster] - scikit-learn (Minor issue) NOTE: https://huntr.com/bounties/14bc0917-a85b-4106-a170-d09d5191517c NOTE: https://github.com/scikit-learn/scikit-learn/commit/70ca21f106b603b611da73012c9ade7cd8e438b8 (1.5.0rc1) CVE-2024-5188 (The Essential Addons for Elementor \u2013 Best Elementor Templates, Wi ...) @@ -1793,6 +1798,7 @@ CVE-2024-5138 (The snapctl component within snapd allows a confined snap to inte - snapd 2.62-3 (bug #1072365) [bookworm] - snapd (Minor issue) [bullseye] - snapd (Minor issue) + [buster] - snapd (The vulnerable cod
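Review bot: every buster line added here reuses the bookworm/bullseye reason "(Minor issue)" verbatim, including CVE-2022-4968, whose description in the hunk is "netplan leaks the private key of wireguard to local users". Following the other suites' verdict is reasonable, but a key disclosure to local users deserves a short reason of its own (what limits the impact on buster, or that it follows the bullseye assessment) so the postponement can be defended when the next front-desk pass revisits it. For the snapd line, which ends at "The vulnerable cod" here, the upstream commit dc452622 named in the commit message is the ideal content for the reason text.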
[Git][security-tracker-team/security-tracker][master] 12 commits: Add cyrus-imapd to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: e1e5c213 by Markus Koschany at 2024-06-10T00:00:08+02:00 Add cyrus-imapd to dla-needed.txt - - - - - 0dd0b456 by Markus Koschany at 2024-06-10T00:00:08+02:00 Add plasma-workspace to dla-needed.txt - - - - - ae5e77e1 by Markus Koschany at 2024-06-10T00:00:08+02:00 CVE-2024-36472,gnome-shell: buster is postponed This is partly disputed by upstream as mostly works as expected. No solution so far. We already track that in ELTS. If the upstream fix can be backported we can address this problem at a later point in time. - - - - - 3f8781a6 by Markus Koschany at 2024-06-10T00:00:09+02:00 CVE-2024-5629,pymongo: link to pull request - - - - - e253f694 by Markus Koschany at 2024-06-10T00:00:09+02:00 Add pymongo to dla-needed.txt Trivial fix. - - - - - 27ddd9b5 by Markus Koschany at 2024-06-10T00:00:09+02:00 Add nano to dla-needed.txt - - - - - 7b777f2b by Markus Koschany at 2024-06-10T00:00:09+02:00 CVE-2024-37407,libarchive: buster is not affected The vulnerable code was introduced later. The tmp_length variable does not exist. There is a filename_length variable though which could be zero when the code enters the else statement but the last parameter of the archive_strncat function is of size_t which means it will always be non-negative. - - - - - 2907afc8 by Markus Koschany at 2024-06-10T00:00:09+02:00 Add libvpx to dla-needed.txt - - - - - 2ffe by Markus Koschany at 2024-06-10T00:00:09+02:00 Add r-base to dla-needed.txt - - - - - 9ef1812b by Markus Koschany at 2024-06-10T00:00:09+02:00 CVE-2024-27322,r-base: link to potential fixing commit and patch - - - - - c94c2dbc by Markus Koschany at 2024-06-10T00:00:09+02:00 Add php7.3 to dla-needed.txt - - - - - 7179a78b by Markus Koschany at 2024-06-10T00:00:10+02:00 Add unbound to dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = 
@@ -229,6 +229,7 @@ CVE-2024-37407 (Libarchive before 3.7.4 allows name out-of-bounds access when a - libarchive (bug #1072855) [bookworm] - libarchive (Minor issue) [bullseye] - libarchive (Minor issue) + [buster] - libarchive (The vulnerable code was introduced later) NOTE: https://github.com/libarchive/libarchive/pull/2145 NOTE: https://github.com/libarchive/libarchive/commit/b6a979481b7d77c12fa17bbed94576b63bbcb0c0 (v3.7.4) CVE-2024-35756 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...) @@ -1002,6 +1003,7 @@ CVE-2023-6956 (The EasyAzon \u2013 Amazon Associates Affiliate Plugin plugin for CVE-2024-5629 (An out-of-bounds read in the 'bson' module of PyMongo 4.6.2 or earlier ...) - pymongo NOTE: https://jira.mongodb.org/browse/PYTHON-4305 + NOTE: https://github.com/mongodb/mongo-python-driver/pull/1564 CVE-2024-5571 (The EmbedPress \u2013 Embed PDF, Google Docs, Vimeo, Wistia, Embed You ...) NOT-FOR-US: WordPress plugin CVE-2024-5536 (The GamiPress \u2013 Link plugin for WordPress is vulnerable to Stored ...) @@ -2794,6 +2796,7 @@ CVE-2024-36472 (In GNOME Shell through 45.7, a portal helper can be launched aut - gnome-shell (bug #1072124) [bookworm] - gnome-shell (Minor issue) [bullseye] - gnome-shell (Minor issue) + [buster] - gnome-shell (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/7688 CVE-2024-36110 (ansibleguy-webui is an open source WebUI for using Ansible. Multiple f ...) NOT-FOR-US: ansibleguy-webui 
@@ -15756,6 +15759,8 @@ CVE-2024-27322 (Deserialization of untrusted data can occur in the R statistical - r-base 4.4.0-2 NOTE: https://hiddenlayer.com/research/r-bitrary-code-execution/ NOTE: https://kb.cert.org/vuls/id/238194 + NOTE: https://src.fedoraproject.org/rpms/R/blob/f39/f/R-CVE-2024-27322.patch + NOTE: https://github.com/r-devel/r-svn/commit/f7c46500f455eb4edfc3656c3fa20af61b16abb7 CVE-2024-23995 (Cross Site Scripting (XSS) in Beekeeper Studio 4.1.13 and earlier allo ...) NOT-FOR-US: Beekeeper Studio CVE-2024-1969 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') ...) = data/dla-needed.txt = @@ -49,6 +49,9 @@ cacti NOTE: 20240519: I'd have postponed them but let's fix it before buster NOTE: 20240519: goes EOL. (utkarsh) -- +cyrus-imapd + NOTE: 20240609: Added by Front-Desk (apo) +-- dcmtk (Adrian Bunk) NOTE: 20240428: Added by Front-Desk (ta) -- @@ -173,12 +176,18 @@ libstb NOTE: 20240314: several CVEs fixed in DLA-3305-1 remain unfixed (no-dsa) in bullseye NOTE: 20240314: and bookwork. Uploads to spu and ospu should be coordinated. (roberto) -- +libvpx + NOTE: 20240609: Added
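Review bot: the libarchive hunk (@@ -229) records the conclusion of commit 7b777f2b ("buster is not affected") as `[buster] - libarchive (The vulnerable code was introduced later)`, which is the tag-less form the tracker treats as no-dsa, so buster will still show as vulnerable-but-minor rather than as not affected; write it as `[buster] - libarchive <not-affected> (The vulnerable code was introduced later)` so the entry matches the analysis in the commit message.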
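Review bot: the gnome-shell hunk (@@ -2794) adds `[buster] - gnome-shell (Minor issue)` although commit ae5e77e1 says buster is postponed and gives a reason (partly disputed by upstream, no fix available yet, already tracked in ELTS); the tag-less form reads as plain no-dsa and drops that reasoning, so `[buster] - gnome-shell <postponed> (Minor issue; partly disputed by upstream, no upstream fix yet)` would record the triage the message describes.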
[Git][security-tracker-team/security-tracker][master] Reclaim netty and ghostscript.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 65d93243 by Markus Koschany at 2024-05-27T19:22:27+02:00 Reclaim netty and ghostscript. This is almost done, I am currently testing the update. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -99,7 +99,7 @@ freeimage NOTE: 20240412: ELTS also have a need to update this package. NOTE: 20240412: We should open upstream bug reports and push fixes. See above email discussion. (ola) -- -ghostscript +ghostscript (Markus Koschany) NOTE: 20240510: Added by Front-Desk (ta) -- git (Sean Whitton) @@ -178,7 +178,7 @@ linux (Ben Hutchings) linux-5.10 NOTE: 20231005: perma-added for LTS package-specific delegation (bwh) -- -netty +netty (Markus Koschany) NOTE: 20240511: Added by (apo) -- nodejs View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/65d932438e75896daea6ea31815cd434a741f163 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/65d932438e75896daea6ea31815cd434a741f163 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3814-1 for glib2.0
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 641c79be by Markus Koschany at 2024-05-13T23:24:01+02:00 Reserve DLA-3814-1 for glib2.0 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[13 May 2024] DLA-3814-1 glib2.0 - security update + {CVE-2024-34397} + [buster] - glib2.0 2.58.3-2+deb10u6 [13 May 2024] DLA-3813-1 shim - security update {CVE-2023-40546 CVE-2023-40547 CVE-2023-40548 CVE-2023-40549 CVE-2023-40550 CVE-2023-40551} [buster] - shim 15.8-1~deb10u1 = data/dla-needed.txt = @@ -102,10 +102,6 @@ freeimage ghostscript (Markus Koschany) NOTE: 20240510: Added by Front-Desk (ta) -- -glib2.0 (Markus Koschany) - NOTE: 20240509: Added by Front-Desk (ta) - NOTE: 20240511: Coordinate with maintainer https://lists.debian.org/debian-lts/2024/05/msg8.html (Beuc) --- glibc (Adrian Bunk) NOTE: 20240504: Re-add for remaining CVEs. (bunk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/641c79bec3b6128ee650bc42fda17bb874a1afdc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/641c79bec3b6128ee650bc42fda17bb874a1afdc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2024-29025,netty: fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 79525999 by Markus Koschany at 2024-05-12T22:19:04+02:00 CVE-2024-29025,netty: fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16335,7 +16335,7 @@ CVE-2024-29650 (An issue in @thi.ng/paths v.5.1.62 and before allows a remote at CVE-2024-29515 (File Upload vulnerability in lepton v.7.1.0 allows a remote authentica ...) NOT-FOR-US: Lepton CMS CVE-2024-29025 (Netty is an asynchronous event-driven network application framework fo ...) - - netty (bug #1068110) + - netty 1:4.1.48-10 (bug #1068110) [bookworm] - netty (Minor issue, fix along with future update) [bullseye] - netty (Minor issue, fix along with future update) [buster] - netty (Minor issue, HTTP multipart DoS, fix along with future update) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/79525999a858fc478bd9db7da3bcf20397e594cb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/79525999a858fc478bd9db7da3bcf20397e594cb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Readd netty to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 6dc09ead by Markus Koschany at 2024-05-11T22:00:25+02:00 Readd netty to dla-needed.txt Sorry, but I was already preparing an update but I forgot to claim it. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -171,6 +171,9 @@ linux (Ben Hutchings) linux-5.10 NOTE: 20231005: perma-added for LTS package-specific delegation (bwh) -- +netty (Markus Koschany) + NOTE: 20240511: Added by (apo) +-- nodejs (guilhem) NOTE: 20240406: Added by Front-Desk (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6dc09ead8872275628cca5064bb68bb3784413ff -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6dc09ead8872275628cca5064bb68bb3784413ff You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim ghostscript and glib2.0 in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 4f06bcdc by Markus Koschany at 2024-05-10T23:50:25+02:00 Claim ghostscript and glib2.0 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -98,10 +98,10 @@ freeimage NOTE: 20240412: ELTS also have a need to update this package. NOTE: 20240412: We should open upstream bug reports and push fixes. See above email discussion. (ola) -- -ghostscript +ghostscript (Markus Koschany) NOTE: 20240510: Added by Front-Desk (ta) -- -glib2.0 +glib2.0 (Markus Koschany) NOTE: 20240509: Added by Front-Desk (ta) -- glibc (Adrian Bunk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4f06bcdc948b69d3e9eb1f9ca8aa7e9471ac46c9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4f06bcdc948b69d3e9eb1f9ca8aa7e9471ac46c9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3812-1 for libpgjava
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 113359e0 by Markus Koschany at 2024-05-09T23:34:03+02:00 Reserve DLA-3812-1 for libpgjava - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[09 May 2024] DLA-3812-1 libpgjava - security update + {CVE-2024-1597} + [buster] - libpgjava 42.2.5-2+deb10u4 [08 May 2024] DLA-3811-1 python-idna - security update {CVE-2024-3651} [buster] - python-idna 2.6-1+deb10u1 = data/dla-needed.txt = @@ -123,9 +123,6 @@ less (Abhijith PA) libmojolicious-perl NOTE: 20240421: Added by Front-Desk (apo) -- -libpgjava (Markus Koschany) - NOTE: 20240308: Added by Front-Desk (opal) --- libreswan NOTE: 20230817: Added by Front-Desk (ta) NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/113359e0e2f9378a3af1eb4b0c06089d7186c90f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/113359e0e2f9378a3af1eb4b0c06089d7186c90f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-38000,wordpress: restore bullseye entry
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 6c54a2aa by Markus Koschany at 2024-05-08T23:37:20+02:00 CVE-2023-38000,wordpress: restore bullseye entry - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -48814,6 +48814,7 @@ CVE-2023-39960 (Nextcloud Server provides data storage for Nextcloud, an open so - nextcloud-server (bug #941708) CVE-2023-38000 (Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability i ...) - wordpress 6.3.2+dfsg1-1 + [bullseye] - wordpress (Vulnerable code was introduced in 5.9) [buster] - wordpress (Vulnerable code was introduced in 5.9) NOTE: https://wordpress.org/documentation/wordpress-version/version-6-3-2/ NOTE: https://plugins.trac.wordpress.org/changeset/2978318/gutenberg/trunk/build/block-library/blocks/post-navigation-link.php View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6c54a2aaf4d67c6bdbe3de5aba94e0f3768aaeaa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6c54a2aaf4d67c6bdbe3de5aba94e0f3768aaeaa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
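Review bot: the restored line `[bullseye] - wordpress (Vulnerable code was introduced in 5.9)` gives a not-affected rationale but uses the tag-less form the tracker reads as no-dsa; if bullseye's wordpress predates 5.9 it should be `<not-affected>`. It also conflicts with DSA-5685-1 as reserved in commit d2c09af4 on this page, which lists CVE-2023-38000 among the CVEs fixed by `[bullseye] - wordpress 5.7.11+dfsg1-0+deb11u1`; either the DSA's CVE set or this entry needs reconciling.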
[Git][security-tracker-team/security-tracker][master] 2 commits: Remove wordpress from dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: a2c03299 by Markus Koschany at 2024-05-08T23:35:36+02:00 Remove wordpress from dla-needed.txt - - - - - d2c09af4 by Markus Koschany at 2024-05-08T23:35:38+02:00 Reserve DSA-5685-1 for wordpress - - - - - 3 changed files: - data/CVE/list - data/DSA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -48363,8 +48363,6 @@ CVE-2023-5575 (Improper access control in the permission inheritance in Devoluti CVE-2023-5561 (WordPress does not properly restrict which user fields are searchable ...) {DLA-3658-1} - wordpress 6.3.2+dfsg1-1 - [bookworm] - wordpress (Minor issue) - [bullseye] - wordpress (Minor issue) NOTE: https://wordpress.org/documentation/wordpress-version/version-6-3-2/ NOTE: https://core.trac.wordpress.org/changeset/56840/ CVE-2023-5422 (The functions to fetch e-mail via POP3 or IMAP as well as sending e-ma ...) @@ -48810,16 +48808,12 @@ CVE-2023-40682 (IBM App Connect Enterprise 12.0.1.0 through 12.0.8.0 contains an CVE-2023-3 (Exposure of Sensitive Information to an Unauthorized Actor in WordPres ...) {DLA-3658-1} - wordpress 6.3.2+dfsg1-1 - [bookworm] - wordpress (Minor issue) - [bullseye] - wordpress (Minor issue) NOTE: https://wordpress.org/documentation/wordpress-version/version-6-3-2/ NOTE: https://core.trac.wordpress.org/changeset/56843/ CVE-2023-39960 (Nextcloud Server provides data storage for Nextcloud, an open source c ...) - nextcloud-server (bug #941708) CVE-2023-38000 (Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability i ...) - wordpress 6.3.2+dfsg1-1 - [bookworm] - wordpress (Minor issue) - [bullseye] - wordpress (Vulnerable code was introduced in 5.9) [buster] - wordpress (Vulnerable code was introduced in 5.9) NOTE: https://wordpress.org/documentation/wordpress-version/version-6-3-2/ NOTE: https://plugins.trac.wordpress.org/changeset/2978318/gutenberg/trunk/build/block-library/blocks/post-navigation-link.php 
@@ -68814,8 +68808,6 @@ CVE-2023-2756 (SQL Injection in GitHub repository pimcore/customer-data-framewor CVE-2023-2745 (WordPress Core is vulnerable to Directory Traversal in versions up to, ...) {DLA-3462-1} - wordpress 6.2.1+dfsg1-1 (bug #1036296) - [bookworm] - wordpress (Minor issue, fix along in future update) - [bullseye] - wordpress (Minor issue, fix along in future update) NOTE: https://core.trac.wordpress.org/changeset?old=55765&new=55765 NOTE: https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/ CVE-2023-2679 (Data leakage in Adobe connector in Snow Software SPE 9.27.0 on Windows ...) = data/DSA/list = @@ -1,3 +1,7 @@ +[08 May 2024] DSA-5685-1 wordpress - security update + {CVE-2023-2745 CVE-2023-5561 CVE-2023-38000 CVE-2023-3 CVE-2024-31210} + [bullseye] - wordpress 5.7.11+dfsg1-0+deb11u1 + [bookworm] - wordpress 6.1.6+dfsg1-0+deb12u1 [08 May 2024] DSA-5684-1 webkit2gtk - security update {CVE-2023-42843 CVE-2023-42950 CVE-2023-42956 CVE-2024-23252 CVE-2024-23254 CVE-2024-23263 CVE-2024-23280 CVE-2024-23284} [bullseye] - webkit2gtk 2.44.1-1~deb11u1 = data/dla-needed.txt = 
@@ -313,11 +313,6 @@ varnish NOTE: 20240122: Still fixing tests (abhijith) NOTE: 20240213: Fixing tests.(abhijith) -- -wordpress (Markus Koschany) - NOTE: 20240314: Added by coordinator (roberto) - NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and - NOTE: 20240314: bookwork. Uploads to spu and ospu should be coordinated. (roberto) --- zookeeper NOTE: 20240324: Added by Front-Desk (ta) NOTE: 20240502: Persistent (and p-recursive) watches were introduced by ZOOKEEPER-1416, which only exists in 3.6+. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c236e40b86d7c13b941c0eeebae7eb76503f3f72...d2c09af46ddeeff6a30f27ac2519881183e4b847 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c236e40b86d7c13b941c0eeebae7eb76503f3f72...d2c09af46ddeeff6a30f27ac2519881183e4b847 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
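Review bot: the DSA/list hunk reserves DSA-5685-1 for five CVEs, but the CVE/list hunks only remove the `[bookworm]`/`[bullseye]` `(Minor issue)` markers for the four CVE-2023 entries; there is no hunk for CVE-2024-31210, so check that its entry carries no stale bookworm/bullseye no-dsa marker now that the DSA fixes both suites. Also, the CVE-2023-38000 hunk drops `[bullseye] - wordpress (Vulnerable code was introduced in 5.9)` while the DSA entry claims the fix for bullseye 5.7.11; one of the two statements is wrong and the commit message should say which.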
[Git][security-tracker-team/security-tracker][master] Reclaim wordpress and libpgjava in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: a2853bcd by Markus Koschany at 2024-05-07T22:51:23+02:00 Reclaim wordpress and libpgjava in dla-needed.txt Already done. Will be released tomorrow. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -120,7 +120,7 @@ less (Abhijith PA) libmojolicious-perl NOTE: 20240421: Added by Front-Desk (apo) -- -libpgjava +libpgjava (Markus Koschany) NOTE: 20240308: Added by Front-Desk (opal) -- libreswan @@ -319,7 +319,7 @@ varnish NOTE: 20240122: Still fixing tests (abhijith) NOTE: 20240213: Fixing tests.(abhijith) -- -wordpress +wordpress (Markus Koschany) NOTE: 20240314: Added by coordinator (roberto) NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and NOTE: 20240314: bookwork. Uploads to spu and ospu should be coordinated. (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2853bcdc262b4044907c29ca39aab53f6542f40 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2853bcdc262b4044907c29ca39aab53f6542f40 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3795-1 for knot-resolver
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: d58a1355 by Markus Koschany at 2024-04-26T07:35:06+02:00 Reserve DLA-3795-1 for knot-resolver - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -294164,7 +294164,6 @@ CVE-2020-12668 (Jinjava before 2.5.4 allow access to arbitrary classes by callin NOT-FOR-US: Jinjava CVE-2020-12667 (Knot Resolver before 5.1.1 allows traffic amplification via a crafted ...) - knot-resolver 5.1.1-0.1 (bug #961076) - [buster] - knot-resolver (Minor issue; can be fixed via point release) NOTE: https://en.blog.nic.cz/2020/05/19/nxnsattack-upgrade-resolvers-to-stop-new-kind-of-random-subdomain-attack/ NOTE: commit: https://gitlab.labs.nic.cz/knot/knot-resolver/-/commit/54f05e4d7b2e47c0bdd30b84272fc503cc65304b NOTE: commit: https://gitlab.labs.nic.cz/knot/knot-resolver/-/commit/ba7b89db780fe3884b4e90090318e25ee5afb118 @@ -325401,7 +325400,6 @@ CVE-2019-19332 (An out-of-bounds memory write issue was found in the Linux Kerne NOTE: https://git.kernel.org/linus/433f4ba1904100da65a311033f17a9bf586b287e CVE-2019-19331 (knot-resolver before version 4.3.0 is vulnerable to denial of service ...) - knot-resolver 5.0.1-1 (bug #946181) - [buster] - knot-resolver (Minor issue; can be fixed via point release) NOTE: https://www.openwall.com/lists/oss-security/2019/12/04/4 CVE-2019-19329 (In Wikibase Wikidata Query Service GUI before 0.3.6-SNAPSHOT 2019-11-0 ...) NOT-FOR-US: Wikibase Wikidata Query Service GUI 
@@ -356412,13 +356410,11 @@ CVE-2019-10192 (A heap-buffer overflow vulnerability was found in the Redis hype NOTE: https://github.com/antirez/redis/commit/7f79849caa006f0d760b6c7e17f7796e3be92b4f (5.0.4) CVE-2019-10191 (A vulnerability was discovered in DNS resolver of knot resolver before ...) - knot-resolver 5.0.1-1 (bug #932048) - [buster] - knot-resolver (Minor issue; can be fixed via point release) NOTE: https://www.knot-resolver.cz/2019-07-10-knot-resolver-4.1.0.html NOTE: https://gitlab.labs.nic.cz/knot/knot-resolver/merge_requests/839 NOTE: https://www.openwall.com/lists/oss-security/2019/07/14/1 CVE-2019-10190 (A vulnerability was discovered in DNS resolver component of knot resol ...) - knot-resolver 5.0.1-1 (bug #932048) - [buster] - knot-resolver (Minor issue; can be fixed via point release) NOTE: https://www.knot-resolver.cz/2019-07-10-knot-resolver-4.1.0.html NOTE: https://gitlab.labs.nic.cz/knot/knot-resolver/merge_requests/827 NOTE: https://www.openwall.com/lists/oss-security/2019/07/14/1 = data/DLA/list = @@ -1,3 +1,6 @@ +[26 Apr 2024] DLA-3795-1 knot-resolver - security update + {CVE-2019-10190 CVE-2019-10191 CVE-2019-19331 CVE-2020-12667} + [buster] - knot-resolver 3.2.1-3+deb10u2 [25 Apr 2024] DLA-3794-1 putty - security update {CVE-2020-14002 CVE-2021-36367 CVE-2023-48795 CVE-2019-17069} [buster] - putty 0.74-1+deb11u1~deb10u1 = data/dla-needed.txt = 
@@ -124,11 +124,6 @@ jenkins-htmlunit-core-js NOTE: 20231231: … TransformerFactory without setting the ~secure flag, so it may NOTE: 20231231: … indeed be vulnerable. (lamby) -- -knot-resolver - NOTE: 20231029: Added by Front-Desk (gladk) - NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) - NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs has been fixed in bullseye. (ola) --- less (Abhijith PA) NOTE: 20240418: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d58a13559c87c505e23427b90a9de979336e05e2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d58a13559c87c505e23427b90a9de979336e05e2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 9 commits: CVE-2024-31497,filezilla: buster is no-dsa
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 74696943 by Markus Koschany at 2024-04-21T23:11:59+02:00 CVE-2024-31497,filezilla: buster is no-dsa Minor issue. - - - - - 8bc9a7e7 by Markus Koschany at 2024-04-21T23:11:59+02:00 Add nghttp2 to dla-needed.txt - - - - - efec8650 by Markus Koschany at 2024-04-21T23:11:59+02:00 Add python-idna to dla-needed.txt - - - - - 51771358 by Markus Koschany at 2024-04-21T23:12:01+02:00 CVE-2024-3446,CVE-2024-3447,CVE-2024-3567,qemu: buster is no-dsa Minor issues. It is good practice not to run qemu directly as a privileged user. - - - - - 0e9b47d2 by Markus Koschany at 2024-04-21T23:12:01+02:00 Add tryton-server to dla-needed.txt and claim it - - - - - 7a3f0d28 by Markus Koschany at 2024-04-21T23:12:02+02:00 CVE-2024-31047,openexr: buster is no-dsa Minor issue - - - - - 76475ee7 by Markus Koschany at 2024-04-21T23:12:03+02:00 CVE-2024-32462,flatpak: buster is ignored We have previously marked sandbox escape issues as ignored because they were either intrusive to backport or could be easily mitigated. Although the fix for CVE-2024-32462 seems straightforward, the whole application should be upgraded to the version in Bullseye in my opinion. Since we approach the end of the Buster LTS cycle I am going to mark CVE-2024-32462 as ignored too. - - - - - 76d860ac by Markus Koschany at 2024-04-21T23:12:03+02:00 Add astropy to dla-needed.txt - - - - - d913e443 by Markus Koschany at 2024-04-21T23:12:03+02:00 Add php7.3 to dla-needed.txt and claim it - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = 
@@ -428,6 +428,7 @@ CVE-2024-32466 (Tolgee is an open-source localization platform. For the `/v2/pro CVE-2024-32462 (Flatpak is a system for building, distributing, and running sandboxed ...) {DSA-5666-1} - flatpak 1.14.6-1 + [buster] - flatpak (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2024/04/18/5 NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj NOTE: Fixed by: https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931 (1.15.8) @@ -2113,6 +2114,7 @@ CVE-2024-31497 (In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce gener - filezilla 3.67.0-1 [bookworm] - filezilla (Minor issue) [bullseye] - filezilla (Minor issue) + [buster] - filezilla (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2024/04/15/6 NOTE: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html CVE-2024-3804 (A vulnerability, which was classified as critical, has been found in V ...) @@ -3149,6 +3151,7 @@ CVE-2024-3567 (A flaw was found in QEMU. An assertion failure was present in the - qemu (bug #1068822) [bookworm] - qemu (Minor issue) [bullseye] - qemu (Minor issue) + [buster] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274339 NOTE: https://gitlab.com/qemu-project/qemu/-/issues/2273 CVE-2024-3566 (A command inject vulnerability allows an attacker to perform command i ...) @@ -3572,6 +3575,7 @@ CVE-2024-3447 - qemu (bug #1068821) [bookworm] - qemu (Minor issue) [bullseye] - qemu (Minor issue) + [buster] - qemu (Minor issue) NOTE: https://patchew.org/QEMU/20240404085549.16987-1-phi...@linaro.org/ NOTE: https://patchew.org/QEMU/20240409145524.27913-1-phi...@linaro.org/ NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58813 
@@ -3735,6 +3739,7 @@ CVE-2024-3446 (A double free vulnerability was found in QEMU virtio devices (vir - qemu (bug #1068820) [bookworm] - qemu (Minor issue) [bullseye] - qemu (Minor issue) + [buster] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274211 NOTE: https://patchew.org/QEMU/20240409105537.18308-1-phi...@linaro.org/ CVE-2024-3281 (A vulnerability was discovered in the firmware builds after 8.0.2.3267 ...) @@ -4499,6 +4504,7 @@ CVE-2024-31047 (An issue in Academy Software Foundation openexr v.3.2.3 and befo - openexr (bug #1068939) [bookworm] - openexr (Minor issue) [bullseye] - openexr (Minor issue) + [buster] - openexr (Minor issue) NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/1680 NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1681 NOTE: Fixed by: https://github.com/AcademySoftwareFoundation/openexr/commit/7aa89e1d09b09d9f5dbb96976ee083a331ab9d71 = data/dla-needed.txt = @@ -33,6 +33,9 @@ ansible (debian) apache2 NOTE: 20240418: Added by Front-Desk (apo) -- +astropy + NOTE: 20240421
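Review bot: the flatpak hunk (@@ -428) for CVE-2024-32462 adds `[buster] - flatpak (Minor issue)`, but commit 76475ee7 says buster is ignored and explains why (sandbox escape fixes have been treated as too intrusive to backport, the application should be upgraded to the bullseye version, buster LTS is ending); the tag-less form reads as no-dsa and loses that rationale, so record it as `[buster] - flatpak <ignored> (Sandbox escape; fix too intrusive to backport this close to buster EOL, upgrade to the bullseye version)`.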
[Git][security-tracker-team/security-tracker][master] CVE-2024-3296,rust-openssl: buster is no-dsa
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 27ca1e5a by Markus Koschany at 2024-04-21T00:22:59+02:00 CVE-2024-3296,rust-openssl: buster is no-dsa Minor issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5565,6 +5565,7 @@ CVE-2024-3296 (A timing-based side-channel flaw exists in the rust-openssl packa - rust-openssl (bug #1068418) [bookworm] - rust-openssl (Minor issue) [bullseye] - rust-openssl (Minor issue) + [buster] - rust-openssl (Minor issue) NOTE: https://github.com/sfackler/rust-openssl/issues/2171 CVE-2024-31309 (HTTP/2 CONTINUATIONDoS attack can cause Apache Traffic Server to consu ...) {DSA-5659-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27ca1e5a875a146332b4153fdc898f654dc79d6e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27ca1e5a875a146332b4153fdc898f654dc79d6e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add trafficserver to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: ea6baf28 by Markus Koschany at 2024-04-21T00:16:18+02:00 Add trafficserver to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -312,6 +312,9 @@ tinymce NOTE: 20231216: upstream's patch is backportable, as the code has changed a NOTE: 20231216: lot. (spwhitton) -- +trafficserver + NOTE: 20240421: Added by Front-Desk (apo) +-- varnish NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ea6baf2801f7fab3421efc0efeeac405e8f44d90 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ea6baf2801f7fab3421efc0efeeac405e8f44d90 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 5 commits: Triage ffmpeg CVE as postponed for Buster.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 910f13ec by Markus Koschany at 2024-04-21T00:04:52+02:00 Triage ffmpeg CVE as postponed for Buster. We can wait until upstream fixes these issues in earlier releases. - - - - - dbf30577 by Markus Koschany at 2024-04-21T00:06:41+02:00 Add gunicorn to dla-needed.txt - - - - - 6906ca1b by Markus Koschany at 2024-04-21T00:10:16+02:00 Add libmojolicious-perl to dla-needed.txt - - - - - c5c88137 by Markus Koschany at 2024-04-21T00:11:28+02:00 CVE-2024-28863,node-tar: buster is no-dsa Minor issue - - - - - 305978e5 by Markus Koschany at 2024-04-21T00:13:02+02:00 CVE-2024-3262,node-tar: buster is no-dsa Minor issue - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -719,12 +719,14 @@ CVE-2024-31582 (FFmpeg version n6.1 was discovered to contain a heap buffer over - ffmpeg [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) + [buster] - ffmpeg (Pick up when fixed in 4.3.x) NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/99debe5f823f45a482e1dc08de35879aa9c74bd2 (n7.0) CVE-2024-31581 (FFmpeg version n6.1 was discovered to contain an improper validation o ...) [experimental] - ffmpeg 7:7.0-1 - ffmpeg [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) + [buster] - ffmpeg (Pick up when fixed in 4.3.x) NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/ce0c178a408d43e71085c28a47d50dc939b60196 (n7.0) CVE-2024-31580 (PyTorch before v2.2.0 was discovered to contain a heap buffer overflow ...) - pytorch 
@@ -734,6 +736,7 @@ CVE-2024-31578 (FFmpeg version n6.1.1 was discovered to contain a heap use-after - ffmpeg [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) + [buster] - ffmpeg (Pick up when fixed in 4.3.x) NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/3bb00c0a420c3ce83c6fafee30270d69622ccad7 (n7.0) CVE-2024-31463 (Ironic-image is an OpenStack Ironic deployment packaged and configured ...) TODO: check @@ -5238,6 +5241,7 @@ CVE-2024-3262 (Information exposure vulnerability in RT software affecting versi - request-tracker4 (bug #1068452) [bookworm] - request-tracker4 (Minor issue) [bullseye] - request-tracker4 (Minor issue) + [buster] - request-tracker4 (Minor issue) - request-tracker5 (bug #1068453) [bookworm] - request-tracker5 (Minor issue) NOTE: https://github.com/bestpractical/rt/commit/ea07e767eaef5b202e8883051616d09806b8b48a @@ -9638,6 +9642,7 @@ CVE-2024-28863 (node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 h - node-tar 6.1.13+~cs7.0.5-2 [bookworm] - node-tar (Minor issue) [bullseye] - node-tar (Minor issue) + [buster] - node-tar (Minor issue) NOTE: https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36 NOTE: https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 (v6.2.1) CVE-2024-28756 (The SolarEdge mySolarEdge application before 2.20.1 for Android has a ...) = data/dla-needed.txt = @@ -101,6 +101,9 @@ frr (tobi) glibc (Adrian Bunk) NOTE: 20240419: Added by coordinator (santiago) -- +gunicorn + NOTE: 20240421: Added by Front-Desk (apo) +-- h2o NOTE: 20231228: Added by Front-Desk (lamby) -- 
@@ -124,6 +127,9 @@ knot-resolver (Markus Koschany) less (Abhijith PA) NOTE: 20240418: Added by Front-Desk (apo) -- +libmojolicious-perl + NOTE: 20240421: Added by Front-Desk (apo) +-- libpgjava (Markus Koschany) NOTE: 20240308: Added by Front-Desk (opal) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7d5031c83601fd63aa508b0a09294f2cdfdeb1bb...305978e5b03877349498cdb27f60179f994a9eed -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7d5031c83601fd63aa508b0a09294f2cdfdeb1bb...305978e5b03877349498cdb27f60179f994a9eed You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
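Review bot: commit 305978e5 is titled "CVE-2024-3262,node-tar: buster is no-dsa", but the hunk it produces (@@ -5238,6 +5241,7 @@) adds "[buster] - request-tracker4 (Minor issue)" under CVE-2024-3262, an RT issue; the commit message names the wrong package, and only CVE-2024-28863 (@@ -9638,6 +9642,7 @@) actually concerns node-tar. In the three ffmpeg hunks the added buster line copies the bullseye text verbatim, "[buster] - ffmpeg (Pick up when fixed in 4.3.x)"; confirm that buster really tracks the 4.3.x branch, otherwise the trigger named in the annotation will never apply to buster. Note also that the first commit message calls the ffmpeg triage "postponed" while the node-tar commits use the same untagged "(reason)" form for "no-dsa"; if the two states are meant to differ, the explicit "<postponed>" tag is what distinguishes them.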
[Git][security-tracker-team/security-tracker][master] Add pymongo to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 7d5031c8 by Markus Koschany at 2024-04-20T23:17:09+02:00 Add pymongo to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -227,6 +227,9 @@ putty (rouca) NOTE: 20240324: https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/104 NOTE: 20240412: Wait for comments by maintainer -- +pymongo + NOTE: 20240420: Added by Front-Desk (apo) +-- python-asyncssh NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and in Git, but one test is failing. Waiting for feedback before release. (dleidert) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7d5031c83601fd63aa508b0a09294f2cdfdeb1bb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7d5031c83601fd63aa508b0a09294f2cdfdeb1bb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add netty to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 03a1e375 by Markus Koschany at 2024-04-19T22:59:13+02:00 Add netty to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -169,6 +169,9 @@ mediawiki (guilhem) NOTE: 20240406: Added by Front-Desk (lamby) NOTE: 20240406: Added to address "TEMP-000-519C2D" at the time of writing. (lamby) -- +netty + NOTE: 20240419: Added by Front-Desk (apo) +-- nodejs (guilhem) NOTE: 20240406: Added by Front-Desk (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03a1e375358da18934c518631dc0d8a198bf86d1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03a1e375358da18934c518631dc0d8a198bf86d1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DSA-5667-1 for tomcat9
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 434bed8e by Markus Koschany at 2024-04-19T21:28:22+02:00 Reserve DSA-5667-1 for tomcat9 - - - - - 2 changed files: - data/CVE/list - data/DSA/list Changes: = data/CVE/list = @@ -34531,7 +34531,6 @@ CVE-2023-46589 (Improper Input Validation vulnerability in Apache Tomcat.Tomcat {DSA-5665-1 DLA-3707-1} - tomcat10 10.1.16-1 (bug #1057082) - tomcat9 9.0.70-2 - [bullseye] - tomcat9 (Minor issue, fix along in next DSA) - tomcat8 NOTE: https://www.openwall.com/lists/oss-security/2023/11/28/2 NOTE: https://github.com/apache/tomcat/commit/b5776d769bffeade865061bc8ecbeb2b56167b08 (10.1.16) = data/DSA/list = @@ -1,3 +1,6 @@ +[19 Apr 2024] DSA-5667-1 tomcat9 - security update + {CVE-2023-46589 CVE-2024-23672 CVE-2024-24549} + [bullseye] - tomcat9 9.0.43-2~deb11u10 [19 Apr 2024] DSA-5666-1 flatpak - security update {CVE-2024-32462} [bullseye] - flatpak 1.10.8-0+deb11u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/434bed8e52cc60d128191cf3a369bcbeb0efcb9c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/434bed8e52cc60d128191cf3a369bcbeb0efcb9c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
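Review bot: the CVE/list hunk only removes "[bullseye] - tomcat9 (Minor issue, fix along in next DSA)"; the unchanged header context still reads "{DSA-5665-1 DLA-3707-1}" with no DSA-5667-1 reference, even though the DSA/list hunk assigns CVE-2023-46589 to this advisory. Check that the DSA-5667-1 cross-reference is added to the CVE-2023-46589, CVE-2024-23672 and CVE-2024-24549 entries in the follow-up processing, so that the bullseye fix in 9.0.43-2~deb11u10 is credited to the right advisory rather than appearing as a bare version bump.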
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2024-2511,openssl: buster is postponed
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: c90b39d0 by Markus Koschany at 2024-04-18T22:55:40+02:00 CVE-2024-2511,openssl: buster is postponed because this is a minor issue and prevented in default configurations. - - - - - af013b74 by Markus Koschany at 2024-04-18T23:07:52+02:00 Add less to dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -4392,6 +4392,7 @@ CVE-2024-2511 (Issue summary: Some non-default TLS server configurations can cau - openssl (bug #1068658) [bookworm] - openssl (Minor issue, fix along with next update round) [bullseye] - openssl (Minor issue, fix along with next update round) + [buster] - openssl (Minor issue, fix along with next update round) NOTE: https://www.openssl.org/news/secadv/20240408.txt NOTE: https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08 (openssl-3.2.y) NOTE: https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce (openssl-3.1.y) = data/dla-needed.txt = 
@@ -121,6 +121,9 @@ knot-resolver (Markus Koschany) NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs has been fixed in bullseye. (ola) -- +less + NOTE: 20240418: Added by Front-Desk (apo) +-- libpgjava (Markus Koschany) NOTE: 20240308: Added by Front-Desk (opal) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fe9060aaad459b6b25898d26453ccaab552caec5...af013b7456d90da40faa7d46e23271cd66c7254c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fe9060aaad459b6b25898d26453ccaab552caec5...af013b7456d90da40faa7d46e23271cd66c7254c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
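Review bot: the commit message says buster is "postponed", but the added line "[buster] - openssl (Minor issue, fix along with next update round)" carries no "<postponed>" tag; it is the same untagged form that the node-tar commits on this page describe as "no-dsa", so the intended state is ambiguous from the data alone. Use "<postponed>" explicitly if the issue is to be revisited with the next update round. The rationale in the commit message ("prevented in default configurations") is also not recorded in the entry; copying it into the parenthesised reason, or into a NOTE line, keeps the justification next to the decision.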
[Git][security-tracker-team/security-tracker][master] Add apache2 to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 360c6b52 by Markus Koschany at 2024-04-18T00:12:16+02:00 Add apache2 to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -30,6 +30,9 @@ ansible (debian) NOTE: 20231217: Triaging done a few mail send upstream for claryfication purposes (rouca) NOTE: 20231228: Made a partial release DLA-3695-1 (rouca), waiting for lee -- +apache2 + NOTE: 20240418: Added by Front-Desk (apo) +-- atril NOTE: 20240121: Added by Front-Desk (apo) NOTE: 20240121: Decide whether it makes sense to disable comic feature or use libarchive instead. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/360c6b52193f2ef980b4775ddde1a636031abf96 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/360c6b52193f2ef980b4775ddde1a636031abf96 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Reserve DSA-5664-1 for jetty9
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 4ffea03a by Markus Koschany at 2024-04-17T23:19:47+02:00 Reserve DSA-5664-1 for jetty9 - - - - - 92f7273d by Markus Koschany at 2024-04-17T23:21:17+02:00 Reserve DSA-5665-1 for tomcat10 - - - - - 3 changed files: - data/CVE/list - data/DSA/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -34221,7 +34221,6 @@ CVE-2023-34055 (In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3 CVE-2023-46589 (Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 1 ...) {DLA-3707-1} - tomcat10 10.1.16-1 (bug #1057082) - [bookworm] - tomcat10 (Minor issue, fix along in next DSA) - tomcat9 9.0.70-2 [bullseye] - tomcat9 (Minor issue, fix along in next DSA) - tomcat8 = data/DSA/list = @@ -1,3 +1,10 @@ +[17 Apr 2024] DSA-5665-1 tomcat10 - security update + {CVE-2023-46589 CVE-2024-23672 CVE-2024-24549} + [bookworm] - tomcat10 10.1.6-1+deb12u2 +[17 Apr 2024] DSA-5664-1 jetty9 - security update + {CVE-2024-22201} + [bullseye] - jetty9 9.4.50-4+deb11u2 + [bookworm] - jetty9 9.4.50-4+deb12u3 [17 Apr 2024] DSA-5663-1 firefox-esr - security update {CVE-2024-2609 CVE-2024-3302 CVE-2024-3852 CVE-2024-3854 CVE-2024-3857 CVE-2024-3859 CVE-2024-3861 CVE-2024-3864} [bullseye] - firefox-esr 115.10.0esr-1~deb11u1 = data/dsa-needed.txt = 
@@ -35,8 +35,6 @@ guix (jmm) -- h2o (jmm) -- -jetty9 (apo) --- libreswan (jmm) Maintainer prepared bookworm-security update, but needs work on bullseye-security backports -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/99a6a8dd2eaf98b75e8a31741847c7e020543144...92f7273d5ac0dcb437618ca6d9f06fe04566 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/99a6a8dd2eaf98b75e8a31741847c7e020543144...92f7273d5ac0dcb437618ca6d9f06fe04566 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark open CVE for lucene-solr as EOL for buster
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 0c329976 by Markus Koschany at 2024-04-07T21:55:09+02:00 Mark open CVE for lucene-solr as EOL for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -15316,21 +15316,25 @@ CVE-2023-6677 (Improper Neutralization of Special Elements used in an SQL Comman NOT-FOR-US: Oduyo Financial Technology Online Collection CVE-2023-50386 (Improper Control of Dynamically-Managed Code Resources, Unrestricted U ...) - lucene-solr 3.6.2+dfsg-23 + [buster] - lucene-solr (No longer supported in LTS) NOTE: https://solr.apache.org/security.html#cve-2023-50386-apache-solr-backuprestore-apis-allow-for-deployment-of-executables-in-malicious-configsets NOTE: https://www.openwall.com/lists/oss-security/2024/02/09/1 NOTE: Server components disabled in 3.6.2+dfsg-23, using that as the fixed version CVE-2023-50298 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) - lucene-solr 3.6.2+dfsg-23 + [buster] - lucene-solr (No longer supported in LTS) NOTE: https://solr.apache.org/security.html#cve-2023-50298-apache-solr-can-expose-zookeeper-credentials-via-streaming-expressions NOTE: https://www.openwall.com/lists/oss-security/2024/02/09/2 NOTE: Server components disabled in 3.6.2+dfsg-23, using that as the fixed version CVE-2023-50292 (Incorrect Permission Assignment for Critical Resource, Improper Contro ...) - lucene-solr 3.6.2+dfsg-23 + [buster] - lucene-solr (No longer supported in LTS) NOTE: https://solr.apache.org/security.html#cve-2023-50292-apache-solr-schema-designer-blindly-trusts-all-configsets-possibly-leading-to-rce-by-unauthenticated-users NOTE: https://www.openwall.com/lists/oss-security/2024/02/09/3 NOTE: Server components disabled in 3.6.2+dfsg-23, using that as the fixed version CVE-2023-50291 (Insufficiently Protected Credentials vulnerability in Apache Solr. Th ...) 
- lucene-solr 3.6.2+dfsg-23 + [buster] - lucene-solr (No longer supported in LTS) NOTE: https://solr.apache.org/security.html#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies NOTE: https://www.openwall.com/lists/oss-security/2024/02/09/4 NOTE: Server components disabled in 3.6.2+dfsg-23, using that as the fixed version View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c3299769d1664646df2e4c9a1e9a26604997a0c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c3299769d1664646df2e4c9a1e9a26604997a0c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
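Review bot: the commit title says "Mark ... as EOL for buster", but each of the four added lines uses the untagged form "[buster] - lucene-solr (No longer supported in LTS)"; the tracker expresses end of support with the explicit "<end-of-life>" tag, and without it these entries read like an ordinary minor-issue/no-dsa decision. The surrounding NOTE lines also say the unstable fix (3.6.2+dfsg-23) consisted of disabling the server components, so a one-line NOTE stating that buster keeps the server components and is therefore unsupported would make the four identical annotations self-explanatory.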
[Git][security-tracker-team/security-tracker][master] Remove lucene-solr from dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: ca0d31eb by Markus Koschany at 2024-04-07T21:39:19+02:00 Remove lucene-solr from dla-needed.txt As discussed with Daniel Leidert via private email, I believe that we should EOL lucene-solr in Buster. This is a truly ancient version which most likely nobody uses in production. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -156,11 +156,6 @@ linux (Ben Hutchings) linux-5.10 NOTE: 20231005: perma-added for LTS package-specific delegation (bwh) -- -lucene-solr - NOTE: 20240213: Added by Front-Desk (lamby) - NOTE: 20240407: Should the server components be disabled as in 3.6.2+dfsg-23 instead of trying to patch the CVEs? (dleidert) - NOTE: 20240407: I'm going to contact Markus, the maintainer. (dleidert) --- mediawiki (guilhem) NOTE: 20240406: Added by Front-Desk (lamby) NOTE: 20240406: Added to address "TEMP-000-519C2D" at the time of writing. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca0d31ebea43fea42f7979c2256664ce043c0b21 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca0d31ebea43fea42f7979c2256664ce043c0b21 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim libpgjava in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: a83b404c by Markus Koschany at 2024-04-07T11:46:24+02:00 Claim libpgjava in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -115,7 +115,7 @@ knot-resolver (Markus Koschany) libdatetime-timezone-perl (Emilio) NOTE: 20240327: Added by pochu -- -libpgjava +libpgjava (Markus Koschany) NOTE: 20240308: Added by Front-Desk (opal) -- libreswan View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a83b404c6afee64b27c51c4936e53e4fc5bd322b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a83b404c6afee64b27c51c4936e53e4fc5bd322b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3780-1 for jetty9
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 138dfde5 by Markus Koschany at 2024-04-06T23:02:56+02:00 Reserve DLA-3780-1 for jetty9 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[06 Apr 2024] DLA-3780-1 jetty9 - security update + {CVE-2024-22201} + [buster] - jetty9 9.4.50-4+deb10u2 [06 Apr 2024] DLA-3779-1 tomcat9 - security update {CVE-2024-23672 CVE-2024-24549} [buster] - tomcat9 9.0.31-1~deb10u12 = data/dla-needed.txt = @@ -111,9 +111,6 @@ jenkins-htmlunit-core-js NOTE: 20231231: … TransformerFactory without setting the ~secure flag, so it may NOTE: 20231231: … indeed be vulnerable. (lamby) -- -jetty9 (Markus Koschany) - NOTE: 20240303: Added by Front-Desk (apo) --- knot-resolver (Markus Koschany) NOTE: 20231029: Added by Front-Desk (gladk) NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/138dfde5b9ea93686debedcd7d3d23dfa3d3eeea -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/138dfde5b9ea93686debedcd7d3d23dfa3d3eeea You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2024-23833,openrefine: fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 892d791c by Markus Koschany at 2024-04-06T21:57:41+02:00 CVE-2024-23833,openrefine: fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14786,7 +14786,7 @@ CVE-2024-24739 (SAP Bank Account Management (BAM) allows an authenticated user w CVE-2024-24337 (CSV Injection vulnerability in '/members/moremember.pl' and '/admin/aq ...) NOT-FOR-US: Koha Library Management System CVE-2024-23833 (OpenRefine is a free, open source power tool for working with messy da ...) - - openrefine (bug #1064192) + - openrefine 3.7.8-1 (bug #1064192) [bookworm] - openrefine (Minor issue) NOTE: https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-6p92-qfqf-qwx4 NOTE: https://github.com/OpenRefine/OpenRefine/commit/41ccf574847d856e22488a7c0987ad8efa12a84a (3.7.8) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/892d791c23ee215a6f721987c2752c445d9595af -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/892d791c23ee215a6f721987c2752c445d9595af You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2024-24549,CVE-2024-23672,tomcat10: fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 0971733c by Markus Koschany at 2024-04-06T14:03:33+02:00 CVE-2024-24549,CVE-2024-23672,tomcat10: fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6890,7 +6890,7 @@ CVE-2024-24692 (Race condition in the installer for Zoom Rooms Client for Window NOT-FOR-US: Zoom CVE-2024-24549 (Denial of Service due to improper input validation vulnerability for H ...) {DLA-3779-1} - - tomcat10 (bug #1066878) + - tomcat10 10.1.20-1 (bug #1066878) - tomcat9 9.0.70-2 NOTE: https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg NOTE: https://github.com/apache/tomcat/commit/d07c82194edb69d99b438828fe2cbfadbb207843 (10.1.19) @@ -6898,7 +6898,7 @@ CVE-2024-24549 (Denial of Service due to improper input validation vulnerability NOTE: Starting with 9.0.70-2 Tomcat9 no longer ships the server stack, using that as the fixed version CVE-2024-23672 (Denial of Service via incomplete cleanup vulnerability in Apache Tomca ...) {DLA-3779-1} - - tomcat10 (bug #1066877) + - tomcat10 10.1.20-1 (bug #1066877) - tomcat9 9.0.70-2 NOTE: https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f NOTE: https://github.com/apache/tomcat/commit/0052b374684b613b0c849899b325ebe334ac6501 (10.1.19) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0971733c88eb4f025c2862556942f17ba54d772b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0971733c88eb4f025c2862556942f17ba54d772b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
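Review bot: both hunks record the unstable fix as "tomcat10 10.1.20-1" while the NOTE lines below each cite the upstream fix commits as landing in 10.1.19. That is consistent only if 10.1.19 never entered unstable; confirm that the 10.1.20-1 changelog references CVE-2024-24549 and CVE-2024-23672, otherwise bugs #1066878 and #1066877 are being attributed to a version that does not name the fix.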
[Git][security-tracker-team/security-tracker][master] CVE-2024-22201,jetty9: fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 4b2283ac by Markus Koschany at 2024-04-06T13:17:28+02:00 CVE-2024-22201,jetty9: fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11745,7 +11745,7 @@ CVE-2024-23496 (A heap-based buffer overflow vulnerability exists in the GGUF li CVE-2024-22873 (Tencent Blueking CMDB v3.2.x to v3.9.x was discovered to contain a Ser ...) NOT-FOR-US: Tencent Blueking CMDB CVE-2024-22201 (Jetty is a Java based web server and servlet engine. An HTTP/2 SSL con ...) - - jetty9 (bug #1064923) + - jetty9 9.4.54-1 (bug #1064923) NOTE: https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98 NOTE: https://github.com/jetty/jetty.project/issues/11256 NOTE: Fixed by: https://github.com/jetty/jetty.project/commit/86586df0a8a4d9c6b5af9a621ad1adf1b494d39b (jetty-9.4.54.v20240208) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b2283ac1d373ef29d9cbaaf9bdfd9c20c38bb81 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b2283ac1d373ef29d9cbaaf9bdfd9c20c38bb81 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: Claim knot-resolver and wordpress in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 1c336754 by Markus Koschany at 2024-04-06T07:39:03+02:00 Claim knot-resolver and wordpress in dla-needed.txt - - - - - c9dfd707 by Markus Koschany at 2024-04-06T07:39:56+02:00 Claim jetty9 in dsa-needed.txt - - - - - aa44a82e by Markus Koschany at 2024-04-06T07:49:26+02:00 CVE-2024-21733,tomcat9: buster is postponed Minor issue. Tests fail. Needs more investigation but is not critical. - - - - - 3 changed files: - data/CVE/list - data/dla-needed.txt - data/dsa-needed.txt Changes: = data/CVE/list = @@ -19167,6 +19167,7 @@ CVE-2023-28743 (Improper input validation for some Intel NUC BIOS firmware befor CVE-2024-21733 (Generation of Error Message Containing Sensitive Information vulnerabi ...) - tomcat9 9.0.53-1 [bullseye] - tomcat9 (Minor issue, fix along in next update) + [buster] - tomcat9 (Minor issue, fix along in next update) NOTE: https://www.openwall.com/lists/oss-security/2024/01/19/2 NOTE: https://github.com/apache/tomcat/commit/86ccc43940861703c2be96a5f35384407522125a (9.0.44) CVE-2024-23387 (FusionPBX prior to 5.1.0 contains a cross-site scripting vulnerability ...) = data/dla-needed.txt = @@ -114,7 +114,7 @@ jenkins-htmlunit-core-js jetty9 (Markus Koschany) NOTE: 20240303: Added by Front-Desk (apo) -- -knot-resolver +knot-resolver (Markus Koschany) NOTE: 20231029: Added by Front-Desk (gladk) NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs has been fixed in bullseye. (ola) @@ -301,7 +301,7 @@ varnish NOTE: 20240122: Still fixing tests (abhijith) NOTE: 20240213: Fixing tests.(abhijith) -- -wordpress +wordpress (Markus Koschany) NOTE: 20240314: Added by coordinator (roberto) NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and NOTE: 20240314: bookwork. Uploads to spu and ospu should be coordinated. (roberto) = data/dsa-needed.txt = 
@@ -31,7 +31,7 @@ gpac/oldstable -- h2o (jmm) -- -jetty9 +jetty9 (apo) -- libreswan (jmm) Maintainer prepared bookworm-security update, but needs work on bullseye-security backports View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/80daa719eb36088138336e3dde00f0092652b90e...aa44a82e33686e44233c73cf7cdb6f0da3e0bf53 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/80daa719eb36088138336e3dde00f0092652b90e...aa44a82e33686e44233c73cf7cdb6f0da3e0bf53 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
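Review bot: commit aa44a82e says buster is "postponed" because "Tests fail. Needs more investigation", but the added line "[buster] - tomcat9 (Minor issue, fix along in next update)" is a verbatim copy of the bullseye annotation, carries no "<postponed>" tag, and drops the test-failure information entirely. Put the reason in the annotation or a NOTE line, since the tomcat9 entry was removed from dla-needed.txt in the preceding DLA-3779-1 commit and nothing else now records that CVE-2024-21733 still needs work for buster; "next update" here can only mean a future DLA, not DLA-3779-1.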
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3779-1 for tomcat9
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 80daa719 by Markus Koschany at 2024-04-06T07:15:20+02:00 Reserve DLA-3779-1 for tomcat9 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[06 Apr 2024] DLA-3779-1 tomcat9 - security update + {CVE-2024-23672 CVE-2024-24549} + [buster] - tomcat9 9.0.31-1~deb10u12 [01 Apr 2024] DLA-3778-1 libvirt - security update {CVE-2020-10703 CVE-2020-12430 CVE-2020-25637 CVE-2021-3631 CVE-2021-3667 CVE-2021-3975 CVE-2021-4147 CVE-2022-0897 CVE-2024-1441 CVE-2024-2494 CVE-2024-2496} [buster] - libvirt 5.0.0-4+deb10u2 = data/dla-needed.txt = @@ -287,9 +287,6 @@ tinymce NOTE: 20240404: May be v. difficult to backport and/or not even vulnerable. (lamby) NOTE: 20240404: Check Ola's commit message in 21503da906. (lamby) -- -tomcat9 (Markus Koschany) - NOTE: 20240121: Added by Front-Desk (apo) --- tzdata (Emilio) NOTE: 20240327: Added by pochu -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/80daa719eb36088138336e3dde00f0092652b90e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/80daa719eb36088138336e3dde00f0092652b90e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reclaim jetty9 and tomcat9 in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: ca80d547 by Markus Koschany at 2024-03-19T21:23:46+01:00 Reclaim jetty9 and tomcat9 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -110,7 +110,7 @@ jenkins-htmlunit-core-js NOTE: 20231231: … TransformerFactory without setting the ~secure flag, so it may NOTE: 20231231: … indeed be vulnerable. (lamby) -- -jetty9 +jetty9 (Markus Koschany) NOTE: 20240303: Added by Front-Desk (apo) -- knot-resolver @@ -280,7 +280,7 @@ tiff (Abhijith PA) NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and NOTE: 20240314: bookworm. Uploads to spu and ospu should be coordinated. (roberto) -- -tomcat9 +tomcat9 (Markus Koschany) NOTE: 20240121: Added by Front-Desk (apo) -- varnish View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca80d547f638bab621afb3ebdcccb6aea0a08662 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca80d547f638bab621afb3ebdcccb6aea0a08662 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2024-25710,libcommons-compress-java: buster is no-dsa
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: cb11667d by Markus Koschany at 2024-03-19T21:22:18+01:00 CVE-2024-25710,libcommons-compress-java: buster is no-dsa Minor issue - - - - - 961b664a by Markus Koschany at 2024-03-19T21:22:58+01:00 Remove libcommons-compress-java from dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -8042,6 +8042,7 @@ CVE-2024-25710 (Loop with Unreachable Exit Condition ('Infinite Loop') vulnerabi - libcommons-compress-java (bug #1064413) [bookworm] - libcommons-compress-java (Minor issue) [bullseye] - libcommons-compress-java (Minor issue) + [buster] - libcommons-compress-java (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2024/02/19/1 NOTE: Related to and fixed by https://issues.apache.org/jira/browse/COMPRESS-632 CVE-2024-23114 (Deserialization of Untrusted Data vulnerability in Apache Camel Cassan ...) = data/dla-needed.txt = @@ -118,9 +118,6 @@ knot-resolver NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs has been fixed in bullseye. (ola) -- -libcommons-compress-java - NOTE: 20240303: Added by Front-Desk (apo) --- libpgjava NOTE: 20240308: Added by Front-Desk (opal) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/bd90f1b2a8b6cf8b3a08366cb04f7a4b1430f3d0...961b664ae9d8f873cdba0cca9aceb7f760a69ac6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/bd90f1b2a8b6cf8b3a08366cb04f7a4b1430f3d0...961b664ae9d8f873cdba0cca9aceb7f760a69ac6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2024-25710,libcommons-compress-java: Link to upstream ticket
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3e90c111 by Markus Koschany at 2024-03-19T20:54:01+01:00 CVE-2024-25710,libcommons-compress-java: Link to upstream ticket Apparently this problem was discovered during some fuzzing and was just one of many improvements fixed by pull requests related to COMPRESS-632. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7875,6 +7875,7 @@ CVE-2024-25710 (Loop with Unreachable Exit Condition ('Infinite Loop') vulnerabi [bookworm] - libcommons-compress-java (Minor issue) [bullseye] - libcommons-compress-java (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2024/02/19/1 + NOTE: Related to and fixed by https://issues.apache.org/jira/browse/COMPRESS-632 CVE-2024-23114 (Deserialization of Untrusted Data vulnerability in Apache Camel Cassan ...) NOT-FOR-US: Apache Camel CVE-2024-22369 (Deserialization of Untrusted Data vulnerability in Apache Camel SQL Co ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e90c11189013a24887c772dcb27557e1d464877 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e90c11189013a24887c772dcb27557e1d464877 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
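Review bot: the added NOTE "Related to and fixed by https://issues.apache.org/jira/browse/COMPRESS-632" points at a JIRA ticket rather than at the fixing change. The other entries on this page (node-tar, jetty9, openrefine, tomcat) link the upstream commit with the fixed version in parentheses; since the commit message itself says the fix was "one of many improvements fixed by pull requests related to COMPRESS-632", naming the specific commit(s) or pull request would tell a backporter what to cherry-pick.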
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3756-1 for wordpress
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c79e5d0 by Markus Koschany at 2024-03-10T18:21:29+01:00 Reserve DLA-3756-1 for wordpress - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[10 Mar 2024] DLA-3756-1 wordpress - security update + [buster] - wordpress 5.0.21+dfsg1-0+deb10u1 [09 Mar 2024] DLA-3755-1 tar - security update {CVE-2023-39804} [buster] - tar 1.30+dfsg-6+deb10u1 = data/dla-needed.txt = @@ -275,9 +275,6 @@ varnish NOTE: 20240122: Still fixing tests (abhijith) NOTE: 20240213: Fixing tests.(abhijith) -- -wordpress - NOTE: 20240306: Added by Front-Desk (opal) --- zabbix NOTE: 20240212: Added by Front-Desk (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c79e5d0ef7bbd6375a027256d758712b443960b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c79e5d0ef7bbd6375a027256d758712b443960b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
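Review bot: the new DLA-3756-1 wordpress entry in data/DLA/list has no {CVE-...} line, whereas the DLA-3755-1 tar entry directly below it carries {CVE-2023-39804}. Without a CVE set the advisory is not linked to any CVE entries, so 5.0.21+dfsg1-0+deb10u1 will not appear as the fixing version for anything on the tracker; if the CVE IDs covered by the 5.0.21 update are known, add them in braces, and if the line is deliberately reserved ahead of triage, fill them in before the DLA goes out.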
[Git][security-tracker-team/security-tracker][master] 4 commits: Reserve DSA-5637-1 for squid
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: e1e12e3f by Markus Koschany at 2024-03-08T15:01:03+01:00 Reserve DSA-5637-1 for squid - - - - - 824c2821 by Markus Koschany at 2024-03-08T15:02:06+01:00 CVE-2023-46848,bookworm: mark as fixed in 5.7-2+deb12u1 - - - - - 47b3dbc2 by Markus Koschany at 2024-03-08T15:03:07+01:00 CVE-2024-25111,squid: bookworm is fixed in 5.7-2+deb12u1 - - - - - 97f39f57 by Markus Koschany at 2024-03-08T15:04:47+01:00 Readd squid to dsa-needed.txt There are still unfixed problems in both supported versions. Especially the fix for CVE-2023-5824 is kind of intrusive. - - - - - 3 changed files: - data/CVE/list - data/DSA/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -881,6 +881,7 @@ CVE-2024- [RUSTSEC-2024-0020] NOTE: https://rustsec.org/advisories/RUSTSEC-2024-0020.html CVE-2024-25111 (Squid is a web proxy cache. Starting in version 3.5.27 and prior to ve ...) - squid 6.8-1 + [bookworm] - squid 5.7-2+deb12u1 - squid3 NOTE: https://lists.squid-cache.org/pipermail/squid-announce/2024-March/000165.html NOTE: https://github.com/squid-cache/squid/security/advisories/GHSA-72c2-c3wm-8qxc @@ -27326,6 +27327,7 @@ CVE-2023-46724 (Squid is a caching proxy for the Web. Due to an Improper Validat NOTE: https://github.com/squid-cache/squid/security/advisories/GHSA-73m6-jm96-c6r3 CVE-2023-46848 (Squid is vulnerable to Denial of Service, where a remote attacker can ...) - squid 6.5-1 (bug #1055251) + [bookworm] - squid 5.7-2+deb12u1 [bullseye] - squid (Vulnerable code not present) [buster] - squid (Vulnerable code not present) - squid3 (Vulnerable code not present) = data/DSA/list = 
@@ -1,3 +1,7 @@ +[08 Mar 2024] DSA-5637-1 squid - security update + {CVE-2023-46724 CVE-2023-46846 CVE-2023-46847 CVE-2023-49285 CVE-2023-49286 CVE-2023-50269 CVE-2024-23638 CVE-2024-25617} + [bullseye] - squid 4.13-10+deb11u3 + [bookworm] - squid 5.7-2+deb12u1 [06 Mar 2024] DSA-5636-1 chromium - security update {CVE-2024-2173 CVE-2024-2174 CVE-2024-2176} [bookworm] - chromium 122.0.6261.111-1~deb12u1 = data/dsa-needed.txt = @@ -92,7 +92,7 @@ salt/oldstable samba/oldstable santiago started to backport patches to bullseye -- -squid (apo) +squid -- varnish -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2e10e39a30bfea25bd6803677d1498fc764aadaf...97f39f57692671e900d1819a4d5281d5b75c09f7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2e10e39a30bfea25bd6803677d1498fc764aadaf...97f39f57692671e900d1819a4d5281d5b75c09f7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
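Review bot: the DSA-5637-1 CVE set {CVE-2023-46724 ... CVE-2024-25617} omits CVE-2024-25111 and CVE-2023-46848, yet the two data/CVE/list hunks in this same push mark both as fixed in bookworm by the very same 5.7-2+deb12u1. Either the advisory text covers them and they belong in the braces, or the two [bookworm] lines claim a fix that no advisory references; reconcile the two so the tracker does not show a fixed version with no advisory behind it.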
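Review bot: the dsa-needed.txt hunk only turns "-squid (apo)" into "+squid", i.e. it drops the claim on an entry that was already present, while the commit message says "Readd squid to dsa-needed.txt". If the intent is to hand the remaining work (notably the intrusive CVE-2023-5824 fix the message mentions) to someone else, a dated NOTE line saying so, as the santiago entry in the hunk context does, would make that visible to the next front-desk, and "unclaim" would describe the change more accurately than "readd".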
[Git][security-tracker-team/security-tracker][master] CVE-2019-18860,squid: bookworm is not affected
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: c1677e09 by Markus Koschany at 2024-03-05T23:23:09+01:00 CVE-2019-18860,squid: bookworm is not affected This issue was addressed in version 4.9, introduced to Debian unstable on 10 Nov 2019. https://github.com/squid-cache/squid/commit/5a90b4ce64c346ba7f317a278ba601091d9de076 @Salvatore, I hope just changing the fixed version does the trick here? - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -311441,7 +311441,7 @@ CVE-2023-49285 (Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP NOTE: http://www.squid-cache.org/Versions/v6/SQUID-2023_7.patch CVE-2019-18860 (Squid before 4.9, when certain web browsers are used, mishandles HTML ...) {DSA-4732-1 DLA-2278-1} - - squid 6.5-1 (low) + - squid 4.9-1 (low) - squid3 NOTE: https://github.com/squid-cache/squid/pull/504 NOTE: https://github.com/squid-cache/squid/commit/5cc4b155cee1a4968109737f6eba2ef29d51034d (SQUID_5_0_1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1677e098d73aacd68bef3abdcb68d1f30e4c44b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1677e098d73aacd68bef3abdcb68d1f30e4c44b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
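Review bot: lowering the unstable fixed version to 4.9-1 does answer the question in the message: per-release state is derived from that version, so bullseye (4.13, per DSA-5637-1) and bookworm (5.7) become fixed without explicit release lines, and buster's 4.6 remains covered by the DSA-4732-1 already in the braces. What now disagrees with the entry is the second NOTE, which points at 5cc4b155 tagged (SQUID_5_0_1): a reader sees a 5.0.1 fix commit next to a 4.9-1 fixed version. Add the 5a90b4ce commit cited in the message as the 4.9 fix, with its tag, so the NOTEs match the version.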
[Git][security-tracker-team/security-tracker][master] 24 commits: CVE-2024-22201,jetty9: link to fixing commits for 9.x branch
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 7cadf7f5 by Markus Koschany at 2024-03-04T13:06:38+01:00 CVE-2024-22201,jetty9: link to fixing commits for 9.x branch - - - - - 488675e6 by Markus Koschany at 2024-03-04T13:06:38+01:00 Add jetty9 to dla-needed.txt - - - - - dda9149f by Markus Koschany at 2024-03-04T13:06:38+01:00 Add libuv1 to dla-needed.txt - - - - - 10cd94f3 by Markus Koschany at 2024-03-04T13:06:38+01:00 Add yard to dla-needed.txt - - - - - f7c91a4b by Markus Koschany at 2024-03-04T13:06:39+01:00 CVE-2024-21742,apache-mime4j: buster is no-dsa Minor issue - - - - - eb5598a8 by Markus Koschany at 2024-03-04T13:06:41+01:00 CVE-2023-49100,arm-trusted-firmware: buster is no-dsa Minor issue - - - - - bf920f98 by Markus Koschany at 2024-03-04T13:06:42+01:00 CVE-2024-25629,c-ares: buster is no-dsa Minor issue - - - - - 25af6d89 by Markus Koschany at 2024-03-04T13:06:43+01:00 CVE-2024-24258,CVE-2024-24259,freeglut: buster is no-dsa Minor issue - - - - - 372269cb by Markus Koschany at 2024-03-04T13:06:44+01:00 Triage krb5 memory leaks as no-dsa for buster Minor issues. - - - - - 7b0caec9 by Markus Koschany at 2024-03-04T13:06:46+01:00 CVE-2022-48624,less: buster is no-dsa Minor issue. Can be fixed when more important issues arise. - - - - - 32b6a875 by Markus Koschany at 2024-03-04T13:06:46+01:00 Add libcommons-compress-java to dla-needed.txt - - - - - afd34344 by Markus Koschany at 2024-03-04T13:06:47+01:00 CVE-2023-45918,ncurses: buster is no-dsa Minor NULL pointer dereference bug. 
- - - - - 23a5576e by Markus Koschany at 2024-03-04T13:06:48+01:00 CVE-2024-27088,node-es5-ext: buster is no-dsa Minor issue - - - - - 1c70cc2b by Markus Koschany at 2024-03-04T13:06:48+01:00 Add nvidia-graphics-drivers to dla-needed.txt - - - - - 59de8769 by Markus Koschany at 2024-03-04T13:06:49+01:00 Add php-phpseclib to dla-needed.txt - - - - - e4f2317e by Markus Koschany at 2024-03-04T13:06:49+01:00 Add phpseclib to dla-needed.txt - - - - - 86daa2d7 by Markus Koschany at 2024-03-04T13:06:50+01:00 CVE-2024-1433,plasma-workspace: buster is no-dsa Minor issue - - - - - 4b93f9ea by Markus Koschany at 2024-03-04T13:06:51+01:00 CVE-2024-26130,python-cryptography: buster is no-dsa Minor issue - - - - - 294142c4 by Markus Koschany at 2024-03-04T13:06:52+01:00 CVE-2024-1892,python-scrapy: buster is no-dsa Minor issue - - - - - 8e6542f2 by Markus Koschany at 2024-03-04T13:06:54+01:00 CVE-2023-50868,CVE-2023-50387,systemd: buster is no-dsa DNSSEC is disabled by default and an experimental feature. - - - - - ab2db50c by Markus Koschany at 2024-03-04T13:06:55+01:00 CVE-2024-25262,texlive-bin: buster is no-dsa Minor issue - - - - - f7b7db95 by Markus Koschany at 2024-03-04T13:06:55+01:00 Add cpio to dla-needed.txt - - - - - e38cce11 by Markus Koschany at 2024-03-04T13:06:55+01:00 Add dnsmasq to dla-needed.txt - - - - - 336ad067 by Markus Koschany at 2024-03-04T13:06:56+01:00 CVE-2024-24246,qpdf: buster is not-affected The vulnerable code was introduced later, creating a PDF from an input source that contains JSON. https://github.com/qpdf/qpdf/commit/4fe2e06b4787ffb639f965ac840b51018308ec07#diff-8e435b97a9914d4318cc5829a9400e1e49c5b9bc16799de9aef9ef04c4b3f5c0 - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = 
@@ -872,6 +872,7 @@ CVE-2024-24818 (EspoCRM is an Open Source Customer Relationship Management softw NOT-FOR-US: EspoCRM CVE-2024-24246 (Heap Buffer Overflow vulnerability in qpdf 11.9.0 allows attackers to ...) - qpdf 11.9.0-1 + [buster] - qpdf (Vulnerable code was introduced later) NOTE: https://github.com/qpdf/qpdf/issues/1123 NOTE: https://github.com/qpdf/qpdf/commit/cb0f390cc1f98a8e82b27259f8f3cd5f162992eb (v11.9.0) CVE-2024-24110 (SQL Injection vulnerability in crmeb_java before v1.3.4 allows attacke ...) @@ -1843,6 +1844,7 @@ CVE-2024-1892 (Parts of the Scrapy API were found to be vulnerable to a ReDoS at - python-scrapy 2.11.1-1 (bug #1065111) [bookworm] - python-scrapy (Minor issue) [bullseye] - python-scrapy (Minor issue) + [buster] - python-scrapy (Minor issue) NOTE: https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b/ NOTE: https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5 (2.11.1) CVE-2024-1866 @@ -2068,6 +2070,7 @@ CVE-2024-21742 (Improper input validation allows for header injection in MIME4J - apache-mime4j 0.8.10-1 (bug #1064966) [bookworm] - apache-mime4j (Minor issue) [bullseye] - apache-mime4j (Minor issue) + [buster] - apache-mime4j (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2024/02/27/5 NOTE: https://github.com/apache/james-mime4j/commit/9dec5df2a588fed8027839815daefa79ee66efd1
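Review bot: as rendered, the new buster line reads "[buster] - qpdf (Vulnerable code was introduced later)", which is the shape the file uses for no-dsa decisions (compare the python-scrapy and apache-mime4j hunks right after it, both "Minor issue"), while the commit message says buster is not-affected; the two states are distinct in the tracker, and only not-affected takes the package out of buster's open-issue view, so make sure the committed line carries the not-affected marker. It would also help to record the commit the message names as the one that introduced the JSON-input path (4fe2e06b) as a NOTE, since the entry currently cites only the fixing commit cb0f390c (v11.9.0) and gives no evidence for the "introduced later" claim.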
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3736-1 for unbound
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 2a57f0d7 by Markus Koschany at 2024-02-21T13:11:48+01:00 Reserve DLA-3736-1 for unbound - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[21 Feb 2024] DLA-3736-1 unbound - security update + {CVE-2023-50387 CVE-2023-50868} + [buster] - unbound 1.9.0-2+deb10u4 [19 Feb 2024] DLA-3735-1 runc - security update {CVE-2021-43784 CVE-2024-21626} [buster] - runc 1.0.0~rc6+dfsg1-3+deb10u3 = data/dla-needed.txt = @@ -294,9 +294,6 @@ tinymce tomcat9 (Markus Koschany) NOTE: 20240121: Added by Front-Desk (apo) -- -unbound (Markus Koschany) - NOTE: 20240214: Added by Front-Desk (lamby) --- varnish (Abhijith PA) NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a57f0d7fb0ec3ab98999811e2bc7d5531c895c5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a57f0d7fb0ec3ab98999811e2bc7d5531c895c5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim unbound in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: d8f690d8 by Markus Koschany at 2024-02-14T22:13:09+01:00 Claim unbound in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -283,7 +283,7 @@ tinymce tomcat9 (Markus Koschany) NOTE: 20240121: Added by Front-Desk (apo) -- -unbound +unbound (Markus Koschany) NOTE: 20240214: Added by Front-Desk (lamby) -- varnish (Abhijith PA) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8f690d8769a1a30f877a56f753e3473ec716c28 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8f690d8769a1a30f877a56f753e3473ec716c28 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reclaim tomcat9 and knot-resolver.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: a5b32c1b by Markus Koschany at 2024-02-11T00:58:18+01:00 Reclaim tomcat9 and knot-resolver. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -122,7 +122,7 @@ jenkins-htmlunit-core-js NOTE: 20231231: … TransformerFactory without setting the ~secure flag, so it may NOTE: 20231231: … indeed be vulnerable. (lamby) -- -knot-resolver +knot-resolver (Markus Koschany) NOTE: 20231029: Added by Front-Desk (gladk) -- libreswan @@ -263,7 +263,7 @@ tinymce NOTE: 20231216: upstream's patch is backportable, as the code has changed a NOTE: 20231216: lot. (spwhitton) -- -tomcat9 +tomcat9 (Markus Koschany) NOTE: 20240121: Added by Front-Desk (apo) -- varnish (Abhijith PA) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5b32c1bf0884c0f9ae295a56f0bddfea6efc776 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5b32c1bf0884c0f9ae295a56f0bddfea6efc776 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3721-1 for xorg-server
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: fd1078ed by Markus Koschany at 2024-01-25T22:53:07+01:00 Reserve DLA-3721-1 for xorg-server - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[25 Jan 2024] DLA-3721-1 xorg-server - security update + {CVE-2023-6816 CVE-2024-0229 CVE-2024-0408 CVE-2024-0409 CVE-2024-21885 CVE-2024-21886} + [buster] - xorg-server 2:1.20.4-1+deb10u13 [25 Jan 2024] DLA-3720-1 thunderbird - security update {CVE-2024-0741 CVE-2024-0742 CVE-2024-0746 CVE-2024-0747 CVE-2024-0749 CVE-2024-0750 CVE-2024-0751 CVE-2024-0753 CVE-2024-0755} [buster] - thunderbird 1:115.7.0-1~deb10u1 = data/dla-needed.txt = @@ -304,9 +304,6 @@ wireshark NOTE: 20231204: DLA pending (bunk) NOTE: 20231218: Debugging a problem with the update. (bunk) -- -xorg-server (Markus Koschany) - NOTE: 20240117: Added by Front-Desk (lamby) --- zfs-linux (Utkarsh) NOTE: 20231127: Added by Front-Desk (Beuc) NOTE: 20240801: the fix for other CVE wasn't obvious but about to be ready; D/ELA to be out soon. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd1078ed4f3c7d09292a71b0fe09ffa002e421d4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd1078ed4f3c7d09292a71b0fe09ffa002e421d4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
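Review bot: the unchanged context at the end of the dla-needed.txt hunk shows a zfs-linux note stamped "NOTE: 20240801:" in a file being edited on 2024-01-25; the surrounding notes use YYYYMMDD, so this looks like a transposed date (20240108 would fit after the 20231127 note above it). Not part of this change, but worth a one-line follow-up commit so the entry's history reads in order.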
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3709-2 squid
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 35f2ce6a by Markus Koschany at 2024-01-22T19:52:02+01:00 Reserve DLA-3709-2 squid - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[22 Jan 2024] DLA-3709-2 squid - regression update + [buster] - squid 4.6-1+deb10u10 [21 Jan 2024] DLA-3714-1 keystone - security update {CVE-2021-3563 CVE-2021-38155} [buster] - keystone 2:14.2.0-0+deb10u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/35f2ce6a23e98d93496ca7bf0334f2a9cfe4a157 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/35f2ce6a23e98d93496ca7bf0334f2a9cfe4a157 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 18 commits: CVE-2022-41678,activemq: mark as unimportant
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 03d4849f by Markus Koschany at 2024-01-21T20:39:28+01:00 CVE-2022-41678,activemq: mark as unimportant We don't ship or use Jolokia. The assembly module in ActiveMQ is also ignored/disabled by default. - - - - - 3ea987f1 by Markus Koschany at 2024-01-21T20:39:29+01:00 CVE-2023-6879,aom: Buster is postponed Minor issue. Hard to see the security impact here. Can be fixed later. - - - - - ea933894 by Markus Koschany at 2024-01-21T20:39:29+01:00 Add atril to dla-needed.txt - - - - - 38a1 by Markus Koschany at 2024-01-21T20:39:29+01:00 Add exiftags to dla-needed.txt - - - - - 71338533 by Markus Koschany at 2024-01-21T20:39:29+01:00 Add freeimage to dla-needed.txt - - - - - 6af4d6bb by Markus Koschany at 2024-01-21T20:39:30+01:00 CVE-2024-22211,freerdp2: Buster is postponed Minor issue, can be fixed later. - - - - - 802c59fb by Markus Koschany at 2024-01-21T20:39:30+01:00 Add jinja2 to dla-needed.txt - - - - - 10676421 by Markus Koschany at 2024-01-21T20:39:30+01:00 Add libspreadsheet-parsexlsx-perl to dla-needed.txt - - - - - 310fe293 by Markus Koschany at 2024-01-21T20:39:32+01:00 CVE-2023-0437,mongo-c-driver: Buster is ignored Minor issue - - - - - e8938541 by Markus Koschany at 2024-01-21T20:39:32+01:00 Add nss to dla-needed.txt - - - - - 73d72703 by Markus Koschany at 2024-01-21T20:39:32+01:00 Add openjdk-11 to dla-needed.txt - - - - - 9c6b5418 by Markus Koschany at 2024-01-21T20:39:33+01:00 CVE-2023-50262,php-dompdf: Buster is not-affected SVG images are rejected by default. 
See also test case for CVE-2021-3902 - - - - - 0ca9fefc by Markus Koschany at 2024-01-21T20:39:33+01:00 Add pillow to dla-needed.txt - - - - - 21b4556b by Markus Koschany at 2024-01-21T20:39:33+01:00 Add rear to dla-needed.txt - - - - - eaf23c37 by Markus Koschany at 2024-01-21T20:39:33+01:00 Add ruby-httparty to dla-needed.txt - - - - - 9a1853c9 by Markus Koschany at 2024-01-21T20:39:34+01:00 CVE-2023-46749,shiro: Debian is not affected The blockSemicolon feature has been introduced with the fix for CVE-2020-13933. It is enabled by default. Mark CVE-2023-46749 fixed by the same versions as CVE-2020-13933. - - - - - ca0ea21c by Markus Koschany at 2024-01-21T20:39:36+01:00 CVE-2023-48104,sogo: Buster is ignored Minor issue similar to the previously ignored ones. - - - - - 4ddb296c by Markus Koschany at 2024-01-21T20:39:36+01:00 Claim tomcat9 in dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -129,6 +129,7 @@ CVE-2024-22562 (swftools 0.9.2 was discovered to contain a Stack Buffer Underflo NOTE: https://github.com/matthiaskramm/swftools/issues/210 CVE-2024-22211 (FreeRDP is a set of free and open source remote desktop protocol libra ...) - freerdp2 (bug #1061173) + [buster] - freerdp2 (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rjhp-44rv-7v59 NOTE: https://github.com/FreeRDP/FreeRDP/commit/939e922936e9c3ae8fc204968645e5e7563a2fff (3.2.0) NOTE: https://github.com/FreeRDP/FreeRDP/commit/aeac3040cc99eeaff1e1171a822114c857b9dca9 (2.11.5) 
@@ -1112,6 +1113,7 @@ CVE-2023-49106 (Missing Password Field Masking vulnerability in Hitachi Device M NOT-FOR-US: Hitachi CVE-2023-48104 (Alinto SOGo before 5.9.1 is vulnerable to HTML Injection.) - sogo (bug #1060925) + [buster] - sogo (Minor issue) NOTE: Fixed by: https://github.com/Alinto/sogo/commit/7481ccf37087c3f456d7e5a844da01d0f8883098 (SOGo-5.9.1) CVE-2023-47460 (SQL injection vulnerability in Knovos Discovery v.22.67.0 allows a rem ...) NOT-FOR-US: Knovos Discovery @@ -1443,7 +1445,9 @@ CVE-2022-4962 (A vulnerability was found in Apollo 2.0.0/2.0.1 and classified as CVE-2023-50290 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) - lucene-solr (Vulnerable code not yet present) CVE-2023-46749 (Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a p ...) - - shiro (bug #1060754) + - shiro 1.3.2-5 (bug #1060754) + [bullseye] - shiro 1.3.2-4+deb11u1 + [buster] - shiro 1.3.2-4+deb10u1 NOTE: https://www.openwall.com/lists/oss-security/2024/01/12/2 CVE-2024-0232 (A heap use-after-free issue has been identified in SQLite in the jsonP ...) - sqlite3 3.43.2-1 @@ -4401,6 +4405,7 @@ CVE-2023-7123 (A vulnerability, which was classified as critical, has been found NOT-FOR-US: SourceCodester Medicine Tracking System CVE-2023-6879 (Increasing the resolution of video frames, while performing a multi-th ...) - aom 3.7.1-1 + [buster] - aom (Minor issue) NOTE: https://crbug.com/aomedia/3491 NOTE: Fixed by: https://aomedia.googlesource.co
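Review bot: the shiro hunk turns the unstable line into "- shiro 1.3.2-5 (bug #1060754)" and adds bullseye 1.3.2-4+deb11u1 and buster 1.3.2-4+deb10u1, but the reasoning that makes those the fixing versions (blockSemicolon introduced with the CVE-2020-13933 fix and enabled by default) exists only in the commit message. Add it as a NOTE on the CVE-2023-46749 entry, e.g. "NOTE: Fixed by the CVE-2020-13933 change (blockSemicolon, enabled by default)", so the next reader does not re-triage from the openwall link alone; and since no [bookworm] line is given, double-check that bookworm ships a version at or above 1.3.2-5, otherwise it needs its own line.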
[Git][security-tracker-team/security-tracker][master] 6 commits: Triage libcrypto++ CVE as no-dsa for Buster.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 307fc42f by Markus Koschany at 2024-01-15T15:02:54+01:00 Triage libcrypto++ CVE as no-dsa for Buster. Minor issues - - - - - e6e036e0 by Markus Koschany at 2024-01-15T15:02:56+01:00 CVE-2023-37117,liblivemedia: Mark Buster as ignored Minor issue - - - - - 5861332b by Markus Koschany at 2024-01-15T15:02:57+01:00 CVE-2024-0217,packagekit: Mark Buster as ignored Minor issue - - - - - 5c88fac8 by Markus Koschany at 2024-01-15T15:02:57+01:00 Add php-phpseclib to dla-needed.txt - - - - - 87aeee20 by Markus Koschany at 2024-01-15T15:02:57+01:00 Add phpseclib to dla-needed.txt - - - - - b1c9809e by Markus Koschany at 2024-01-15T15:02:58+01:00 CVE-2023-51713,proftpd-dfsg: Buster is no-dsa Minor issue - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -448,6 +448,7 @@ CVE-2023-40250 (Buffer Copy without Checking Size of Input ('Classic Buffer Over NOT-FOR-US: Hancom CVE-2023-37117 (A heap-use-after-free vulnerability was found in live555 version 2023. ...) - liblivemedia + [buster] - liblivemedia (Minor issue) NOTE: http://lists.live555.com/pipermail/live-devel/2023-June/022331.html CVE-2023-36842 (An Improper Check for Unusual or Exceptional Conditions vulnerability ...) NOT-FOR-US: Juniper @@ -2218,6 +2219,7 @@ CVE-2024-0217 (A use-after-free flaw was found in PackageKitd. In some condition - packagekit (bug #1060016) [bookworm] - packagekit (Minor issue) [bullseye] - packagekit (Minor issue) + [buster] - packagekit (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2256624 NOTE: Reducing impact via: https://github.com/PackageKit/PackageKit/commit/64278c9127e342b56ead99556161f7e86f79 (v1.2.7) CVE-2024-0201 (The Product Expiry for WooCommerce plugin for WordPress is vulnerable ...) 
@@ -3849,6 +3851,7 @@ CVE-2023-51713 (make_ftp_cmd in main.c in ProFTPD before 1.3.8a has a one-byte o - proftpd-dfsg 1.3.8.a+dfsg-1 [bookworm] - proftpd-dfsg (Minor issue) [bullseye] - proftpd-dfsg (Minor issue) + [buster] - proftpd-dfsg (Minor issue) NOTE: https://github.com/proftpd/proftpd/issues/1683 NOTE: https://github.com/proftpd/proftpd/commit/1376d8ccc0966d1ce9a1c76b32c6a9ca61bbe67f (v1.3.9rc1) NOTE: https://github.com/proftpd/proftpd/commit/97bbe68363ccf2de0c07f67170ec64a8b4d62592 (v1.3.8a) @@ -4989,16 +4992,19 @@ CVE-2023-50981 (ModularSquareRoot in Crypto++ (aka cryptopp) through 8.9.0 allow - libcrypto++ (bug #1059312) [bookworm] - libcrypto++ (Minor issue) [bullseye] - libcrypto++ (Minor issue) + [buster] - libcrypto++ (Minor issue) NOTE: https://github.com/weidai11/cryptopp/issues/1249 CVE-2023-50980 (gf2n.cpp in Crypto++ (aka cryptopp) through 8.9.0 allows attackers to ...) - libcrypto++ (bug #1059311) [bookworm] - libcrypto++ (Minor issue) [bullseye] - libcrypto++ (Minor issue) + [buster] - libcrypto++ (Minor issue) NOTE: https://github.com/weidai11/cryptopp/issues/1248 CVE-2023-50979 (Crypto++ (aka cryptopp) through 8.9.0 has a Marvin side channel during ...) - libcrypto++ (bug #1059310) [bookworm] - libcrypto++ (Minor issue) [bullseye] - libcrypto++ (Minor issue) + [buster] - libcrypto++ (Minor issue) NOTE: https://github.com/weidai11/cryptopp/issues/1247 CVE-2023-50976 (Redpanda before 23.1.21 and 23.2.x before 23.2.18 has missing authoriz ...) NOT-FOR-US: Redpanda = data/dla-needed.txt = 
@@ -168,6 +168,12 @@ nvidia-cuda-toolkit paramiko (tobi) NOTE: 20231225: Added by Front-Desk (ta) -- +php-phpseclib + NOTE: 20240114: Added by Front-Desk (apo) +-- +phpseclib + NOTE: 20240114: Added by Front-Desk (apo) +-- putty NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/770f6309c626cce57af1d61a098bc4177462b6b4...b1c9809e51889076bbc11b788cf51fa2ab9ca472 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/770f6309c626cce57af1d61a098bc4177462b6b4...b1c9809e51889076bbc11b788cf51fa2ab9ca472 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
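Review bot: the liblivemedia hunk marks buster "Minor issue" while the unstable line stays a bare "- liblivemedia" with neither a fixed version nor a (bug #...) reference, unlike packagekit, proftpd-dfsg and libcrypto++ in the same push, which all carry one. For a heap use-after-free in live555 that is still open in unstable, file or link the Debian bug so the unfixed state is tracked somewhere other than this list; otherwise the buster triage line is the only record of the issue.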
[Git][security-tracker-team/security-tracker][master] 3 commits: Remove postfix from dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 0070eef2 by Markus Koschany at 2024-01-09T08:41:19+01:00 Remove postfix from dla-needed.txt - - - - - 622e37f6 by Markus Koschany at 2024-01-09T08:41:20+01:00 CVE-2023-51764,postfix: Mark Buster as no-dsa There exists a configuration setting described in https://www.postfix.org/smtp-smuggling.html to mitigate the problem. - - - - - 998aa899 by Markus Koschany at 2024-01-09T08:41:20+01:00 Claim knot-resolver in dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -2144,6 +2144,7 @@ CVE-2023-51764 (Postfix through 3.8.4 allows SMTP smuggling unless configured wi - postfix 3.8.4-1 (bug #1059230) [bookworm] - postfix (Minor issue; mitigations exist) [bullseye] - postfix (Minor issue; mitigations exist) + [buster] - postfix (Minor issue; mitigations exist) NOTE: https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/ NOTE: https://www.openwall.com/lists/oss-security/2023/12/21/6 NOTE: https://www.postfix.org/smtp-smuggling.html = data/dla-needed.txt = @@ -107,7 +107,7 @@ keystone (rouca) NOTE: 20231102: Sync (eg. CVE-2021-38155) with stable etc. (lamby) NOTE: 20240105: FTBFS due to https://github.com/testing-cabal/subunit/pull/40 (rouca) -- -knot-resolver +knot-resolver (Markus Koschany) NOTE: 20231029: Added by Front-Desk (gladk) -- kodi (Abhijith PA) 
@@ -164,9 +164,6 @@ nvidia-cuda-toolkit paramiko (tobi) NOTE: 20231225: Added by Front-Desk (ta) -- -postfix (Markus Koschany) - NOTE: 20231224: Added by Front-Desk (ta) --- putty NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7f373d763b04b785f33c37fcd3ff3fbd1c7151c3...998aa899a4882bc9b0d48e98ba615eb71f20576f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7f373d763b04b785f33c37fcd3ff3fbd1c7151c3...998aa899a4882bc9b0d48e98ba615eb71f20576f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
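Review bot: "[buster] - postfix (Minor issue; mitigations exist)" relies on https://www.postfix.org/smtp-smuggling.html, but that page gives different remedies depending on the Postfix release line, and the description line itself says the issue is present "through 3.8.4 ... unless configured" a particular way. State in a NOTE which setting applies to buster's postfix, so an administrator reading the tracker knows whether the mitigation is a main.cf change or needs a newer version; as written the annotation is identical for bookworm, bullseye and buster although their versions differ.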
[Git][security-tracker-team/security-tracker][master] Re-add squid to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: c5c209dd by Markus Koschany at 2024-01-09T01:15:53+01:00 Re-add squid to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -227,6 +227,11 @@ samba sendmail NOTE: 20231224: Added by Front-Desk (ta) -- +squid + NOTE: 20240109: Added by Front-Desk (apo) + NOTE: 20240109: I ask for another pair of eyes for CVE-2023-5824. The fix + NOTE: 20240109: appears to be intrusive. I could not locate the fix for CVE-2023-49288 yet. (apo) +-- sudo (Adrian Bunk) NOTE: 20231224: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5c209dda1e2c84085886d5ed351c61c605e5248 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5c209dda1e2c84085886d5ed351c61c605e5248 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3709-1 for squid
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: b5444bf5 by Markus Koschany at 2024-01-09T01:01:18+01:00 Reserve DLA-3709-1 for squid - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[09 Jan 2024] DLA-3709-1 squid - security update + {CVE-2023-46846 CVE-2023-46847 CVE-2023-49285 CVE-2023-49286 CVE-2023-50269} + [buster] - squid 4.6-1+deb10u9 [05 Jan 2024] DLA-3708-1 exim4 - security update {CVE-2023-51766} [buster] - exim4 4.92-8+deb10u9 = data/dla-needed.txt = @@ -227,11 +227,6 @@ samba sendmail NOTE: 20231224: Added by Front-Desk (ta) -- -squid - NOTE: 20231102: Added by Front-Desk (lamby) - NOTE: 20231218: Investigating new CVE. (apo) - NOTE: 20231223: The update requires a few more tests. Intend to release after the holidays. --- sudo (Adrian Bunk) NOTE: 20231224: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5444bf525df42a73e046417729621220c206b80 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5444bf525df42a73e046417729621220c206b80 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2023-46728,squid: Mark Buster as ignored
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 8a58e795 by Markus Koschany at 2024-01-08T21:51:11+01:00 CVE-2023-46728,squid: Mark Buster as ignored Gopher support has been removed upstream. Since Gopher is ancient and rarely used, we recommend rejecting all gopher URL requests. - - - - - 9c498ef6 by Markus Koschany at 2024-01-08T23:24:45+01:00 Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker - - - - - 0dada7df by Markus Koschany at 2024-01-08T23:25:58+01:00 CVE-2023-46728,squid: Mark Bullseye and Bookworm also as ignored The same reasoning applies to newer releases. Gopher support has just been removed, no fix is available and the simple workaround is to reject Gopher URLs, which in 2024 shouldn't be a problem. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -13502,6 +13502,9 @@ CVE-2021-46897 (views.py in Wagtail CRX CodeRed Extensions (formerly CodeRed CMS NOT-FOR-US: Wagtail CRX CodeRed Extensions CVE-2023-46728 (Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and ...) - squid 6.1-1 + [bookworm] - squid (unsupported, Gopher support has been removed upstream) + [bullseye] - squid (unsupported, Gopher support has been removed upstream) + [buster] - squid (unsupported, Gopher support has been removed upstream) NOTE: No code fix, gopher support was removed: NOTE: https://github.com/squid-cache/squid/commit/6ea12e8fb590ac6959e9356a81aa3370576568c3 (SQUID_6_0_1) NOTE: https://github.com/squid-cache/squid/security/advisories/GHSA-cg5h-v6vc-w33f View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2f31272fab38603e91f0ec86d08b77d8ac71b410...0dada7df366d9b70323fc63d2605600605281d11
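Review bot: the three added release lines in the CVE-2023-46728 hunk record the reason as "unsupported, Gopher support has been removed upstream" but not the mitigation both commit messages rely on, namely rejecting Gopher URL requests in the proxy configuration; add that as a NOTE line next to the two upstream references so an administrator reading the ignored status knows which configuration change closes the issue on the affected releases. The wording "unsupported" also reads as if the squid packages themselves were unsupported; "no code fix available, Gopher support removed upstream", matching the existing NOTE, would be clearer.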
[Git][security-tracker-team/security-tracker][master] Claim postfix in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: bdf2ecb3 by Markus Koschany at 2024-01-05T23:22:16+01:00 Claim postfix in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -166,7 +166,7 @@ nvidia-cuda-toolkit paramiko NOTE: 20231225: Added by Front-Desk (ta) -- -postfix +postfix (Markus Koschany) NOTE: 20231224: Added by Front-Desk (ta) -- putty View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bdf2ecb3ce4155955c9c1af4c6e3fc3f6b1c2a3f
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3708-1 for exim4
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3f36ff2f by Markus Koschany at 2024-01-05T23:04:57+01:00 Reserve DLA-3708-1 for exim4 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[05 Jan 2024] DLA-3708-1 exim4 - security update + {CVE-2023-51766} + [buster] - exim4 4.92-8+deb10u9 [05 Jan 2024] DLA-3707-1 tomcat9 - security update {CVE-2023-46589} [buster] - tomcat9 9.0.31-1~deb10u11 = data/dla-needed.txt = @@ -78,9 +78,6 @@ edk2 NOTE: 20231230: Added by Front-Desk (lamby) NOTE: 20231230: CVE-2019-11098 fixed in bullseye via DSA or point release (lamby) -- -exim4 (Markus Koschany) - NOTE: 20231224: Added by Front-Desk (ta) --- frr NOTE: 20231119: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f36ff2fae0813faa15c850fcf3fe84d141cae98
[Git][security-tracker-team/security-tracker][master] Claim squid in dsa-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 7d093b40 by Markus Koschany at 2024-01-04T22:25:51+01:00 Claim squid in dsa-needed.txt - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -79,7 +79,7 @@ samba/oldstable slurm-wlm Asking Gennaro Oliva for preparing updates -- -squid +squid (apo) -- varnish -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7d093b40f9b18bfc0af0ac4a676953bc2d9ec196
[Git][security-tracker-team/security-tracker][master] Reserve DSA-5596-1 for asterisk
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: b91e60e8 by Markus Koschany at 2024-01-04T22:13:06+01:00 Reserve DSA-5596-1 for asterisk - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[04 Jan 2024] DSA-5596-1 asterisk - security update + {CVE-2023-37457 CVE-2023-38703 CVE-2023-49294 CVE-2023-49786} + [bullseye] - asterisk 1:16.28.0~dfsg-0+deb11u4 [04 Jan 2024] DSA-5595-1 chromium - security update {CVE-2024-0222 CVE-2024-0223 CVE-2024-0224 CVE-2024-0225} [bullseye] - chromium 120.0.6099.199-1~deb11u1 = data/dsa-needed.txt = @@ -11,8 +11,6 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. --- -asterisk (apo) -- cacti -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b91e60e8b9a5ad770ff41965f1c3c3f8cc30348b
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3706-1 for netatalk
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: bc48f615 by Markus Koschany at 2024-01-04T22:06:55+01:00 Reserve DLA-3706-1 for netatalk - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[04 Jan 2024] DLA-3706-1 netatalk - security update + {CVE-2022-22995} + [buster] - netatalk 3.1.12~ds-3+deb10u5 [31 Dec 2023] DLA-3705-1 php-guzzlehttp-psr7 - security update {CVE-2023-29197} [buster] - php-guzzlehttp-psr7 1.4.2-0.1+deb10u2 = data/dla-needed.txt = @@ -146,9 +146,6 @@ linux-5.10 mariadb-10.3 NOTE: 20231129: Added by Front-Desk (Beuc) -- -netatalk (Markus Koschany) - NOTE: 20231119: Added by Front-Desk (apo) --- node-webpack NOTE: 20231005: Added by Front-Desk (Beuc) NOTE: 20231005: Follow fixes from bullseye 11.7 (1 CVE) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc48f61554df39ba1fedbf1d484199cd0e915448
[Git][security-tracker-team/security-tracker][master] 2 commits: Claim asterisk in dsa-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 346e501d by Markus Koschany at 2023-12-29T00:06:20+01:00 Claim asterisk in dsa-needed.txt - - - - - 48def921 by Markus Koschany at 2023-12-29T00:07:48+01:00 Claim exim4 and netatalk in dla-needed.txt - - - - - 2 changed files: - data/dla-needed.txt - data/dsa-needed.txt Changes: = data/dla-needed.txt = @@ -72,7 +72,7 @@ dogecoin dropbear (guilhem) NOTE: 20231219: Added by Front-Desk (ta) -- -exim4 +exim4 (Markus Koschany) NOTE: 20231224: Added by Front-Desk (ta) -- firefox-esr (Emilio) @@ -144,7 +144,7 @@ linux-5.10 mariadb-10.3 NOTE: 20231129: Added by Front-Desk (Beuc) -- -netatalk +netatalk (Markus Koschany) NOTE: 20231119: Added by Front-Desk (apo) -- node-webpack = data/dsa-needed.txt = @@ -12,7 +12,7 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. -- -asterisk +asterisk (apo) -- cryptojs -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d420ec5228fd0d5fe5a0015d72ab585b1a3238a3...48def921c58bd6308eb95dab35d751484b216dfc
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3696-1 for asterisk
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: d420ec52 by Markus Koschany at 2023-12-28T23:55:14+01:00 Reserve DLA-3696-1 for asterisk - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[28 Dec 2023] DLA-3696-1 asterisk - security update + {CVE-2023-37457 CVE-2023-38703 CVE-2023-49294 CVE-2023-49786} + [buster] - asterisk 1:16.28.0~dfsg-0+deb10u4 [28 Dec 2023] DLA-3695-1 ansible - security update {CVE-2019-10206 CVE-2021-3447 CVE-2021-3583 CVE-2021-3620 CVE-2021-20178 CVE-2021-20191 CVE-2022-3697 CVE-2023-5115} [buster] - ansible 2.7.7+dfsg-1+deb10u2 = data/dla-needed.txt = @@ -30,9 +30,6 @@ ansible NOTE: 20231217: Triaging done a few mail send upstream for claryfication purposes (rouca) NOTE: 20231228: Made a partial release DLA-3695-1 (rouca), waiting for lee -- -asterisk (Markus Koschany) - NOTE: 20231210: Added by Front-Desk (ta) --- bind9 (Thorsten Alteholz) NOTE: 20230921: Added by Front-Desk (apo) NOTE: 20231008: backporting patches View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d420ec5228fd0d5fe5a0015d72ab585b1a3238a3
[Git][security-tracker-team/security-tracker][master] 3 commits: Remove bouncycastle from dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 4a07c938 by Markus Koschany at 2023-12-23T22:00:07+01:00 Remove bouncycastle from dla-needed.txt - - - - - 5775dc48 by Markus Koschany at 2023-12-23T22:09:43+01:00 CVE-2023-33202,bouncycastle: Buster is ignored Buster is vulnerable. Just apply the test patch from https://salsa.debian.org/java-team/bouncycastle/-/blob/buster/debian/patches/test-CVE-2023-33202.patch?ref_type=heads to verify it. The ASN1 module has been completely reworked in newer releases and the upstream patch cannot be applied as is. I know that the changes break reverse-dependencies, hence I am going to mark this issue as ignored in Buster. - - - - - 15d84ba1 by Markus Koschany at 2023-12-23T22:10:43+01:00 Update squid notes. Claim asterisk in dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -5765,6 +5765,7 @@ CVE-2023-33202 (Bouncy Castle for Java before 1.73 contains a potential Denial o - bouncycastle 1.77-1 (bug #1056754) [bookworm] - bouncycastle (Minor issue) [bullseye] - bouncycastle (Minor issue) + [buster] - bouncycastle (Minor issue) NOTE: https://github.com/bcgit/bc-java/wiki/CVE-2023-33202 NOTE: Fixed by https://github.com/bcgit/bc-java/commit/0c576892862ed41894f49a8f639112e8d66d229c (r1rv73) CVE-2023-43123 (On unix-like systems, the temporary directory is shared between all us ...) = data/dla-needed.txt = @@ -29,7 +29,7 @@ ansible (rouca) NOTE: 20231217: Begin to triage CVEs (rouca) NOTE: 20231217: Triaging done a few mail send upstream for claryfication purposes (rouca) -- -asterisk +asterisk (Markus Koschany) NOTE: 20231210: Added by Front-Desk (ta) -- bind9 (Thorsten Alteholz) 
@@ -37,12 +37,6 @@ bind9 (Thorsten Alteholz) NOTE: 20231008: backporting patches NOTE: 20231217: almost done with testing -- -bouncycastle (Markus Koschany) - NOTE: 20231127: Added by Front-Desk (Beuc) - NOTE: 20231127: Also fix pending no-dsa CVEs, in particular CVE-2020-26939 was fixed in stretch-lts (Beuc/front-desk) - NOTE: 20231128: I can't find changes in PEMParser.java related to CVE-2023-33202, maybe contact upstream (Beuc/front-desk) - NOTE: 20231218: Decision impending. (apo) --- cacti (Sylvain Beucler) NOTE: 20230906: Added by Front-Desk (lamby) NOTE: 20231205: Triaging CVEs backlog (Beuc) @@ -217,6 +211,7 @@ samba squid (Markus Koschany) NOTE: 20231102: Added by Front-Desk (lamby) NOTE: 20231218: Investigating new CVE. (apo) + NOTE: 20231223: The update requires a few more tests. Intend to release after the holidays. -- suricata (Adrian Bunk) NOTE: 20230620: Added by Front-Desk (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/87fd535340305ac0bdabf6eb1c931776f0599262...15d84ba15106c190afd0ad7cdc8fe1d234b1a1b2
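Review bot: in the CVE-2023-33202 hunk (@@ -5765,6 +5765,7 @@) the added "[buster] - bouncycastle (Minor issue)" line copies the no-dsa wording of the bookworm and bullseye lines above it, while the commit message for 5775dc48 says buster is vulnerable and is being marked ignored because the upstream patch does not apply to the older ASN1 code and a backport would break reverse dependencies. Put that reasoning into the parenthesised text, and check that the line carries the ignored tag rather than the no-dsa one (the tag is not visible in this mail), otherwise the tracker loses the distinction between "minor" and "cannot be fixed in this release". The dla-needed.txt hunk (@@ -37,12 +37,6 @@) also drops the front-desk reminder to fix the pending no-dsa CVEs, in particular CVE-2020-26939; if that is intentionally out of scope, a NOTE on that CVE saying so would keep the decision findable.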
[Git][security-tracker-team/security-tracker][master] Update notes of squid and bouncycastle in dla-needed.txt and reclaim the
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: bfb04929 by Markus Koschany at 2023-12-18T15:47:48+01:00 Update notes of squid and bouncycastle in dla-needed.txt and reclaim the packages. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -37,10 +37,11 @@ bind9 (Thorsten Alteholz) NOTE: 20231008: backporting patches NOTE: 20231217: almost done with testing -- -bouncycastle +bouncycastle (Markus Koschany) NOTE: 20231127: Added by Front-Desk (Beuc) NOTE: 20231127: Also fix pending no-dsa CVEs, in particular CVE-2020-26939 was fixed in stretch-lts (Beuc/front-desk) NOTE: 20231128: I can't find changes in PEMParser.java related to CVE-2023-33202, maybe contact upstream (Beuc/front-desk) + NOTE: 20231218: Decision impending. (apo) -- cacti (Sylvain Beucler) NOTE: 20230906: Added by Front-Desk (lamby) @@ -205,8 +206,9 @@ salt samba NOTE: 20230918: Added by Front-Desk (apo) -- -squid +squid (Markus Koschany) NOTE: 20231102: Added by Front-Desk (lamby) + NOTE: 20231218: Investigating new CVE. (apo) -- suricata (Adrian Bunk) NOTE: 20230620: Added by Front-Desk (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bfb04929cfee7d2f42db0a4d284c88fffe92132e
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3687-1 for rabbitmq-server
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 0cba743a by Markus Koschany at 2023-12-13T23:11:31+01:00 Reserve DLA-3687-1 for rabbitmq-server - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[13 Dec 2023] DLA-3687-1 rabbitmq-server - security update + {CVE-2023-46118} + [buster] - rabbitmq-server 3.8.2-1+deb10u2 [13 Dec 2023] DLA-3686-1 xorg-server - security update {CVE-2023-6377 CVE-2023-6478} [buster] - xorg-server 2:1.20.4-1+deb10u11 = data/dla-needed.txt = @@ -170,9 +170,6 @@ python-os-brick NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -rabbitmq-server (Markus Koschany) - NOTE: 20231119: Added by Front-Desk (apo) --- rails NOTE: 20220909: Re-added due to regression (abhijith) NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0cba743a4d9db4adee1ee207214af2b75acaafa7
[Git][security-tracker-team/security-tracker][master] Reclaim rabbitmq-server in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: f2ec2f3d by Markus Koschany at 2023-12-11T18:41:52+01:00 Reclaim rabbitmq-server in dla-needed.txt Ready. Coming soon. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -170,7 +170,7 @@ python-os-brick NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -rabbitmq-server +rabbitmq-server (Markus Koschany) NOTE: 20231119: Added by Front-Desk (apo) -- rails View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2ec2f3d8588cc9eed9cbe391d2a044ab041a787
[Git][security-tracker-team/security-tracker][master] CVE-2023-33202,bouncycastle: link to fixing commit
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: b02c3a18 by Markus Koschany at 2023-12-04T18:04:21+01:00 CVE-2023-33202,bouncycastle: link to fixing commit The actual fix is not in PEMParser.java but in ASN1Set.java. Upstream provided more details and a reproducer to me but asked me not to share it for now. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1412,6 +1412,7 @@ CVE-2023-33202 (Bouncy Castle for Java before 1.73 contains a potential Denial o [bookworm] - bouncycastle (Minor issue) [bullseye] - bouncycastle (Minor issue) NOTE: https://github.com/bcgit/bc-java/wiki/CVE-2023-33202 + NOTE: Fixed by https://github.com/bcgit/bc-java/commit/0c576892862ed41894f49a8f639112e8d66d229c CVE-2023-43123 (On unix-like systems, the temporary directory is shared between all us ...) NOT-FOR-US: Apache Storm CVE-2023-49146 (DOMSanitizer (aka dom-sanitizer) before 1.0.7 allows XSS via an SVG do ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b02c3a18d2e8220176f1682824731a973b3c3281
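Review bot: the added NOTE in the CVE-2023-33202 hunk links the fixing commit but leaves out the finding stated in the commit message, that the relevant change is in ASN1Set.java and not in PEMParser.java; record that in the NOTE text, because the open dla-needed.txt note for bouncycastle (visible in commit bfb04929 on this page) says the PEMParser.java change could not be found, and this observation is what resolves it. A short parenthesis after the URL, the way other entries add the upstream version tag, would be enough.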
[Git][security-tracker-team/security-tracker][master] CVE-2023-46589,tomcat10: fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 29938fd3 by Markus Koschany at 2023-12-03T13:39:17+01:00 CVE-2023-46589,tomcat10: fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -714,7 +714,7 @@ CVE-2023-40056 (SQL Injection Remote Code Vulnerability was found in the SolarWi CVE-2023-34055 (In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, ...) NOT-FOR-US: Spring Boot CVE-2023-46589 (Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 1 ...) - - tomcat10 (bug #1057082) + - tomcat10 10.1.16-1 (bug #1057082) - tomcat9 9.0.70-2 - tomcat8 NOTE: https://www.openwall.com/lists/oss-security/2023/11/28/2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29938fd3598d60cb5719050d922ae571261e8586
[Git][security-tracker-team/security-tracker][master] 2 commits: Remove flatpak from dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 7e9a816a by Markus Koschany at 2023-11-30T23:11:40+01:00 Remove flatpak from dla-needed.txt As discussed with Sylvain via private email. Here is my reasoning from 13.07.2023 again. CVE-2023-28100 and CVE-2023-28101 are minor issues and most users will install their applications via GUIs and from trusted repositories anyway. An upgrade to the 1.10.x series would require backports of at least bubblewrap and ostree. This may or may not cause regressions in other applications. The risk-to-reward ratio is rather unfavorable in this case and since targeted fixes are also intrusive and sensible workarounds do exist, it is better to keep flatpak as is. - - - - - 1fd38ff1 by Markus Koschany at 2023-11-30T23:13:56+01:00 CVE-2023-28100,CVE-2023-28101,flatpak: mark both CVEs as ignored in Buster - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -39151,7 +39151,7 @@ CVE-2023-28102 (discordrb is an implementation of the Discord API using Ruby. In CVE-2023-28101 (Flatpak is a system for building, distributing, and running sandboxed ...) - flatpak 1.14.4-1 (bug #1033098) [bullseye] - flatpak 1.10.8-0+deb11u1 - [buster] - flatpak (Minor issue) + [buster] - flatpak (Minor issue) NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-h43h-fwqx-mpp8 NOTE: https://github.com/flatpak/flatpak/commit/6cac99dafe6003c8a4bd5666341c217876536869 (1.15.4) NOTE: https://github.com/flatpak/flatpak/commit/7fe63f2e8f1fd2dafc31d45154cf0b191ebec66c (1.15.4) 
@@ -39161,7 +39161,7 @@ CVE-2023-28101 (Flatpak is a system for building, distributing, and running sand CVE-2023-28100 (Flatpak is a system for building, distributing, and running sandboxed ...) - flatpak 1.14.4-1 (bug #1033099) [bullseye] - flatpak 1.10.8-0+deb11u1 - [buster] - flatpak (Minor issue) + [buster] - flatpak (Minor issue) NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-7qpw-3vjv-xrqp NOTE: https://github.com/flatpak/flatpak/commit/8e63de9a7d3124f91140fc74f8ca9ed73ed53be9 (1.15.4) NOTE: https://github.com/flatpak/flatpak/commit/a9bf18040cc075a70657c6090a59d7f6fe78f893 (1.10.8) = data/dla-needed.txt = @@ -59,10 +59,6 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- -flatpak - NOTE: 20231006: Added by Front-Desk (Beuc) - NOTE: 20231006: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk) --- frr NOTE: 20231119: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8bf283d8bfddc75770dd9178b0d15c025c8e3ebf...1fd38ff1b65935881a8402e4d42d556f695a3023
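Review bot: in both CVE/list hunks (@@ -39151,7 +39151,7 @@ for CVE-2023-28101 and @@ -39161,7 +39161,7 @@ for CVE-2023-28100) the removed and added "[buster] - flatpak (Minor issue)" lines are identical as rendered here, so the change announced by 1fd38ff1 (marking both CVEs as ignored in buster) cannot be seen; most likely the no-dsa/ignored tag that sits between the package name and the reason was stripped by the mail rendering. Worth confirming in the repository that the tag did change, and the reason text should say why the issues are ignored (an upgrade to 1.10.x needs bubblewrap and ostree backports, targeted fixes are intrusive, workarounds exist) rather than "Minor issue", which is the wording for no-dsa elsewhere in this file.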
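Review bot: the dla-needed.txt hunk (@@ -59,10 +59,6 @@) removes the flatpak entry together with the front-desk instruction "Follow fixes from bullseye 11.7 (2 CVEs)", while the reasoning for not following those fixes lives only in the commit message of 7e9a816a, which itself says it is repeating a decision from 13.07.2023. Without a NOTE on the CVE-2023-28100 and CVE-2023-28101 entries in data/CVE/list stating the decision and its date, the next front-desk sweep will find two fixed-in-bullseye CVEs open in buster and re-add the package a third time.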
[Git][security-tracker-team/security-tracker][master] CVE-2023-33201,CVE-2023-33202,bouncycastle: fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 0fde016a by Markus Koschany at 2023-11-30T22:29:20+01:00 CVE-2023-33201,CVE-2023-33202,bouncycastle: fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -938,7 +938,7 @@ CVE-2023-3631 (Improper Neutralization of Special Elements used in an SQL Comman CVE-2023-3377 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) NOT-FOR-US: Veribilim Software Computer Veribase CVE-2023-33202 (Bouncy Castle for Java before 1.73 contains a potential Denial of Serv ...) - - bouncycastle (bug #1056754) + - bouncycastle 1.77-1 (bug #1056754) [bookworm] - bouncycastle (Minor issue) [bullseye] - bouncycastle (Minor issue) NOTE: https://github.com/bcgit/bc-java/wiki/CVE-2023-33202 @@ -27501,7 +27501,7 @@ CVE-2023-33203 (The Linux kernel before 6.2.9 has a race condition and resultant NOTE: https://git.kernel.org/linus/6b6bc5b8bd2d4ca9e1efa9ae0f98a0b0687ace75 (6.3-rc4) CVE-2023-33201 (Bouncy Castle For Java before 1.74 is affected by an LDAP injection vu ...) {DLA-3514-1} - - bouncycastle (bug #1040050) + - bouncycastle 1.77-1 (bug #1040050) [bookworm] - bouncycastle (Minor issue) [bullseye] - bouncycastle (Minor issue) NOTE: https://github.com/bcgit/bc-java/wiki/CVE-2023-33201 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fde016ab6c3471d88617f700dbcabd3587edafd
[Git][security-tracker-team/security-tracker][master] CVE-2023-23583,intel-microcode: clarify postponed reason
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 2403d2a9 by Markus Koschany at 2023-11-29T12:21:35+01:00 CVE-2023-23583,intel-microcode: clarify postponed reason CVE-2023-23583 affects only newer CPU features. Can be fixed with the next round of CVE. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2254,7 +2254,7 @@ CVE-2023-5528 (A security issue was discovered in Kubernetes where a user that c CVE-2023-23583 (Sequence of processor instructions leads to unexpected behavior for so ...) {DSA-5563-1} - intel-microcode 3.20231114.1 (bug #1055962) - [buster] - intel-microcode (Wait for exposure in unstable) + [buster] - intel-microcode (Minor issue for older releases. Affects only newer CPU features.) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00950.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20231114 NOTE: https://lock.cmpxchg8b.com/reptar.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2403d2a9914645e7fe9a32e5af08273d54b95e5d
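Review bot: the replaced [buster] line in the CVE-2023-23583 hunk changes only the parenthesised reason, from "Wait for exposure in unstable" to "Minor issue for older releases. Affects only newer CPU features."; the tag on that line is not visible in this mail, and "Minor issue" is the wording used for no-dsa entries elsewhere in this file, while the subject says the entry stays postponed. If it is still postponed, carry the plan from the commit message ("can be fixed with the next round") into the reason, so the entry reads as deferred to the next microcode update rather than declined, and so the next microcode upload for buster is expected to close it.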
[Git][security-tracker-team/security-tracker][master] Claim bouncycastle and squid in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 79f6e7d8 by Markus Koschany at 2023-11-27T19:43:26+01:00 Claim bouncycastle and squid in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -29,7 +29,7 @@ bind9 (Thorsten Alteholz) NOTE: 20231008: backporting patches NOTE: 20231119: almost done with testing -- -bouncycastle +bouncycastle (Markus Koschany) NOTE: 20231127: Added by Front-Desk (Beuc) NOTE: 20231127: Also fix pending no-dsa CVEs, in particular CVE-2020-26939 was fixed in stretch-lts (Beuc/front-desk) -- @@ -221,7 +221,7 @@ salt samba NOTE: 20230918: Added by Front-Desk (apo) -- -squid +squid (Markus Koschany) NOTE: 20231102: Added by Front-Desk (lamby) -- suricata (Adrian Bunk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/79f6e7d8bef1f46d3da8fcb2043bcc3cbea6b48e
[Git][security-tracker-team/security-tracker][master] 2 commits: Remove curl from dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 8ad8336e by Markus Koschany at 2023-11-24T19:40:42+01:00 Remove curl from dla-needed.txt This was a bit confusing. Apparently curl was added to dla-needed.txt and afterwards someone triaged the two open CVEs as no-dsa. I reviewed the decision to mark CVE-2023-27534 and CVE-2023-28322 and I believe no-dsa is the correct decision. CVE-2023-28322 does not affect the command line tool and even a use after free is not present in libcurl. This is a rather theoretical behavior violation. CVE-2023-27534 requires the new internal dynbuf functions which are not present in Buster's curl version. The described scenario is unlikely because sftp users are usually restricted by the ssh server and a buggy client can't just simply access a file in another user's home directory. - - - - - 658354ca by Markus Koschany at 2023-11-24T19:40:42+01:00 Claim rabbitmq-server in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -43,10 +43,6 @@ cinder cryptojs (guilhem) NOTE: 20231119: Added by Front-Desk (apo) -- -curl (Markus Koschany) - NOTE: 20231103: Added by Front-Desk (lamby) - NOTE: 20231103: Sync with stable. (lamby) --- docker.io NOTE: 20230303: Added by Front-Desk (Beuc) NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) 
@@ -188,7 +184,7 @@ python-requestbuilder NOTE: 20231108: Added by Front-Desk (santiago) NOTE: 20231108: Need to handle incompatibilities with versions in debian packages, brought up by PEP 440. See https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/70 -- -rabbitmq-server +rabbitmq-server (Markus Koschany) NOTE: 20231119: Added by Front-Desk (apo) -- rails View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7e00cf6fe4933a4259a4e230e870dcbaa59337e3...658354ca67fe6ddab6709e10ebf22a55c4c7c53e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7e00cf6fe4933a4259a4e230e870dcbaa59337e3...658354ca67fe6ddab6709e10ebf22a55c4c7c53e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
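Review bot: the no-dsa rationale for the two curl CVEs exists only in the commit message; the dla-needed.txt hunk deletes the curl entry together with its two NOTE lines and records nothing in data/CVE/list. Since the reasoning is specific and useful (buster's curl predates the internal dynbuf functions, written "dnybuf" in the message, so CVE-2023-27534 is moot; CVE-2023-28322 does not reach the command line tool and is a behaviour violation rather than a use-after-free in libcurl), please add a NOTE line under each CVE so the next triager does not re-open the question, e.g. `NOTE: buster's curl has no dynbuf functions, vulnerable code absent (apo)`.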
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3664-1 for symfony
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 317bbfde by Markus Koschany at 2023-11-24T19:19:15+01:00 Reserve DLA-3664-1 for symfony - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[24 Nov 2023] DLA-3664-1 symfony - security update + {CVE-2023-46734} + [buster] - symfony 3.4.22+dfsg-2+deb10u3 [24 Nov 2023] DLA-3663-1 strongswan - security update {CVE-2023-41913} [buster] - strongswan 5.7.2-1+deb10u4 = data/dla-needed.txt = @@ -245,9 +245,6 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -symfony (Markus Koschany) - NOTE: 20231118: Added by Front-Desk (apo) --- thunderbird (Emilio) NOTE: 20231122: Added by Front-Desk (ola) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/317bbfde51264bb0ced64c23b7db51a99a7172b8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/317bbfde51264bb0ced64c23b7db51a99a7172b8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Claim curl and symfony in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: f36c0119 by Markus Koschany at 2023-11-22T20:07:05+01:00 Claim curl and symfony in dla-needed.txt - - - - - fc9c0a74 by Markus Koschany at 2023-11-22T20:08:15+01:00 Reserve DLA-3660-1 for gnutls28 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[22 Nov 2023] DLA-3660-1 gnutls28 - security update + {CVE-2023-5981} + [buster] - gnutls28 3.6.7-4+deb10u11 [21 Nov 2023] DLA-3659-1 gimp - security update {CVE-2022-30067 CVE-2023-2 CVE-2023-4} [buster] - gimp 2.10.8-2+deb10u1 = data/dla-needed.txt = @@ -43,7 +43,7 @@ cinder cryptojs (guilhem) NOTE: 20231119: Added by Front-Desk (apo) -- -curl +curl (Markus Koschany) NOTE: 20231103: Added by Front-Desk (lamby) NOTE: 20231103: Sync with stable. (lamby) -- @@ -75,9 +75,6 @@ freeimage (gladk) frr NOTE: 20231119: Added by Front-Desk (apo) -- -gnutls28 (Markus Koschany) - NOTE: 20231117: Added by Front-Desk (apo) --- gst-plugins-bad1.0 (Thorsten Alteholz) NOTE: 20231118: Added by Front-Desk (apo) -- @@ -258,7 +255,7 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -symfony +symfony (Markus Koschany) NOTE: 20231118: Added by Front-Desk (apo) -- tor View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/815355e66df3a41c63115d214d90577269c430ae...fc9c0a74db24c7f32f782c3e3fdc674b0ec6daf9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/815355e66df3a41c63115d214d90577269c430ae...fc9c0a74db24c7f32f782c3e3fdc674b0ec6daf9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
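Review bot: the unchanged context line for DLA-3659-1 gimp reads `{CVE-2022-30067 CVE-2023-2 CVE-2023-4}`, and `CVE-2023-2` / `CVE-2023-4` are not complete identifiers as they appear here; the same truncated form shows up in the DLA-3658-1 wordpress entry and in the "CVE-2023-3,wordpress" commit subject later in this series. Please confirm the committed data/DLA/list and data/CVE/list carry the full IDs and that only this rendering clipped them.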
[Git][security-tracker-team/security-tracker][master] Claim gnutls28 in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 6bedd532 by Markus Koschany at 2023-11-20T23:24:17+01:00 Claim gnutls28 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -78,7 +78,7 @@ frr gimp (Adrian Bunk) NOTE: 20231117: Added by Front-Desk (apo) -- -gnutls28 +gnutls28 (Markus Koschany) NOTE: 20231117: Added by Front-Desk (apo) -- gst-plugins-bad1.0 (Thorsten Alteholz) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6bedd532f7cf29192ea1a8e272cfa819b1e8bdd9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6bedd532f7cf29192ea1a8e272cfa819b1e8bdd9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3658-1 for wordpress
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: fb6522fe by Markus Koschany at 2023-11-20T21:52:00+01:00 Reserve DLA-3658-1 for wordpress - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[20 Nov 2023] DLA-3658-1 wordpress - security update + {CVE-2023-5561 CVE-2023-3} + [buster] - wordpress 5.0.20+dfsg1-0+deb10u1 [20 Nov 2023] DLA-3657-1 activemq - security update {CVE-2020-13920 CVE-2021-26117 CVE-2023-46604} [buster] - activemq 5.15.16-0+deb10u1 = data/dla-needed.txt = @@ -274,9 +274,6 @@ vlc wireshark (Adrian Bunk) NOTE: 20231118: Added by Front-Desk (apo) -- -wordpress (Markus Koschany) - NOTE: 20231119: Added by Front-Desk (apo) --- zabbix NOTE: 20231015: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb6522fee7ae6e2c6036673fe37295b789d19a42 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb6522fee7ae6e2c6036673fe37295b789d19a42 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
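Review bot: DLA-3658-1 lists CVE-2023-5561 plus one further wordpress ID, while the same batch of wordpress triage (the three "link to upstream changeset" commits) also handles CVE-2023-38000; its absence here is consistent with the `[buster]` annotation that marks buster as unaffected because the code arrived in 5.9 and buster ships 5.0.20+dfsg1, but a NOTE on the dla-needed entry saying so before the entry was removed would have made that visible without cross-reading commits.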
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3657-1 for activemq
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: e07f843a by Markus Koschany at 2023-11-20T21:50:55+01:00 Reserve DLA-3657-1 for activemq - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -193223,7 +193223,6 @@ CVE-2021-26118 (While investigating ARTEMIS-2964 it was found that the creation CVE-2021-26117 (The optional ActiveMQ LDAP login module can be configured to use anony ...) {DLA-2583-1} - activemq 5.16.1-1 (bug #982590) - [buster] - activemq (Minor issue) NOTE: https://issues.apache.org/jira/browse/AMQ-8035 NOTE: https://www.openwall.com/lists/oss-security/2021/01/27/6 NOTE: https://gitbox.apache.org/repos/asf?p=activemq.git;h=c9f68f4c64b2687eee283b95538753665d2b229b @@ -253458,7 +253457,6 @@ CVE-2020-13921 (**Resolved** Only when using H2/MySQL/TiDB as Apache SkyWalking CVE-2020-13920 (Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX ...) {DLA-2400-1} - activemq 5.16.0-1 - [buster] - activemq (Minor issue; can be fixed via point release) NOTE: http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt NOTE: When fixing this issue make sure to use a complete fix and not open up NOTE: CVE-2020-11998 (a regression introduced in 5.15.12 in the commit preventing = data/DLA/list = @@ -1,3 +1,6 @@ +[20 Nov 2023] DLA-3657-1 activemq - security update + {CVE-2020-13920 CVE-2021-26117 CVE-2023-46604} + [buster] - activemq 5.15.16-0+deb10u1 [19 Nov 2023] DLA-3656-1 netty - security update {CVE-2023-44487} [buster] - netty 1:4.1.33-1+deb10u4 = data/dla-needed.txt = 
@@ -20,9 +20,6 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. --- -activemq (Markus Koschany) - NOTE: 20231119: Added by Front-Desk (apo) -- amanda (tobi) NOTE: 20230730: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e07f843a9e7b32633480ecd9c86c043b422f5cfe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e07f843a9e7b32633480ecd9c86c043b422f5cfe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
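Review bot: dropping `[buster] - activemq (Minor issue; can be fixed via point release)` for CVE-2020-13920 is right once DLA-3657-1 covers it, but the NOTE immediately below that line warns that the fix must be complete and must not reintroduce CVE-2020-11998, a regression introduced in 5.15.12. The DLA moves buster to 5.15.16-0+deb10u1, so please confirm the follow-up regression fix is part of that upload and consider recording the check in a NOTE, e.g. `NOTE: 5.15.16 includes the CVE-2020-11998 regression fix, verified for DLA-3657-1`.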
[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2023-39999,wordpress: link to upstream changeset
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c92d43c by Markus Koschany at 2023-11-20T20:19:11+01:00 CVE-2023-3,wordpress: link to upstream changeset - - - - - aef5fe37 by Markus Koschany at 2023-11-20T20:22:40+01:00 CVE-2023-38000,wordpress: link to upstream changeset Triage Buster as not affected because the vulnerable code was introduced in version 5.9. - - - - - 098d5334 by Markus Koschany at 2023-11-20T20:24:22+01:00 CVE-2023-5561,wordpress: link to upstream changeset - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5749,6 +5749,7 @@ CVE-2023-5575 (Improper access control in the permission inheritance in Devoluti CVE-2023-5561 (WordPress does not properly restrict which user fields are searchable ...) - wordpress 6.3.2+dfsg1-1 NOTE: https://wordpress.org/documentation/wordpress-version/version-6-3-2/ + NOTE: https://core.trac.wordpress.org/changeset/56840/ CVE-2023-5422 (The functions to fetch e-mail via POP3 or IMAP as well as sending e-ma ...) NOT-FOR-US: OTRS NOTE: Could possibly affect Znuny, we'll let their security team figure it out 
@@ -6187,11 +6188,14 @@ CVE-2023-40682 (IBM App Connect Enterprise 12.0.1.0 through 12.0.8.0 contains an CVE-2023-3 (Exposure of Sensitive Information to an Unauthorized Actor in WordPres ...) - wordpress 6.3.2+dfsg1-1 NOTE: https://wordpress.org/documentation/wordpress-version/version-6-3-2/ + NOTE: https://core.trac.wordpress.org/changeset/56843/ CVE-2023-39960 (Nextcloud Server provides data storage for Nextcloud, an open source c ...) - nextcloud-server (bug #941708) CVE-2023-38000 (Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability i ...) - wordpress 6.3.2+dfsg1-1 + [buster] - wordpress (Vulnerable code was introduced in 5.9) NOTE: https://wordpress.org/documentation/wordpress-version/version-6-3-2/ + NOTE: https://plugins.trac.wordpress.org/changeset/2978318/gutenberg/trunk/build/block-library/blocks/post-navigation-link.php CVE-2023-34977 (A cross-site scripting (XSS) vulnerability has been reported to affect ...) NOT-FOR-US: QNAP CVE-2023-34976 (A SQL injection vulnerability has been reported to affect Video Statio ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c5e85dbfd2249a20e31e5f264e25aec4a608b5cf...098d53342e7ef4e730ad1f1dd5701c138ddfb13d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c5e85dbfd2249a20e31e5f264e25aec4a608b5cf...098d53342e7ef4e730ad1f1dd5701c138ddfb13d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
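Review bot: the new line `[buster] - wordpress (Vulnerable code was introduced in 5.9)` shows no status keyword between the package name and the reason; a release annotation in data/CVE/list carries one (`<not-affected>` for this case), so check the committed line has it and only this rendering dropped it. The reason itself is consistent with the 5.0.20+dfsg1 buster version recorded in DLA-3658-1, and the gutenberg plugin changeset is the right reference since post-navigation-link.php lives in the block library.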
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2023-48011: link to correct fixing commit again
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: c9a56471 by Markus Koschany at 2023-11-19T21:34:16+01:00 CVE-2023-48011: link to correct fixing commit again - - - - - 25bc891b by Markus Koschany at 2023-11-19T21:34:49+01:00 Claim wordpress in dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -560,7 +560,7 @@ CVE-2023-48011 (GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain - gpac (bug #1056282) [buster] - gpac (EOL in Buster LTS) NOTE: https://github.com/gpac/gpac/issues/2613 - NOTE: https://github.com/gpac/gpac/commit/66abf0887c89c29a484d9e65e70882794e9e3a1b + NOTE: https://github.com/gpac/gpac/commit/c70f49dda4946d6db6aa55588f6a756b76bd84ea CVE-2023-47637 (Pimcore is an Open Source Data & Experience Management Platform. In af ...) NOT-FOR-US: Pimcore CVE-2023-47636 (The Pimcore Admin Classic Bundle provides a Backend UI for Pimcore. Fu ...) = data/dla-needed.txt = @@ -277,7 +277,7 @@ vlc wireshark (Adrian Bunk) NOTE: 20231118: Added by Front-Desk (apo) -- -wordpress +wordpress (Markus Koschany) NOTE: 20231119: Added by Front-Desk (apo) -- zabbix View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/30e3b3d4b805656e4211eb455adf07d37c678e86...25bc891bc23ba7e487e014aba675972e4dff2bbe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/30e3b3d4b805656e4211eb455adf07d37c678e86...25bc891bc23ba7e487e014aba675972e4dff2bbe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
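Review bot: the CVE-2023-48011 hunk replaces the fixing-commit reference instead of appending, and the subject says this is the second correction; a short NOTE stating why 66abf0887c89 was wrong (or whether it is a related but separate fix) would stop the link being flipped back by the next person who finds the other commit, e.g. `NOTE: 66abf0887c89 is a different fix; c70f49dda494 addresses #2613`.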
[Git][security-tracker-team/security-tracker][master] Reserve DSA-5558-1 for netty
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: fb8c6f97 by Markus Koschany at 2023-11-18T16:58:07+01:00 Reserve DSA-5558-1 for netty - - - - - 3 changed files: - data/CVE/list - data/DSA/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -22182,8 +22182,6 @@ CVE-2023-34553 (An issue was discovered in WAFU Keyless Smart Lock v1.0 allows a NOT-FOR-US: WAFU Keyless Smart Lock CVE-2023-34462 (Netty is an asynchronous event-driven network application framework fo ...) - netty 1:4.1.48-8 (bug #1038947) - [bookworm] - netty (Minor issue, fix along in future update) - [bullseye] - netty (Minor issue, fix along in future update) [buster] - netty (SslClientHelloHandler introduced in v4.1.46) NOTE: https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845 NOTE: https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32 (netty-4.1.94.Final) = data/DSA/list = @@ -1,3 +1,7 @@ +[18 Nov 2023] DSA-5558-1 netty - security update + {CVE-2023-34462 CVE-2023-44487} + [bullseye] - netty 1:4.1.48-4+deb11u2 + [bookworm] - netty 1:4.1.48-7+deb12u1 [17 Nov 2023] DSA-5557-1 webkit2gtk - security update {CVE-2023-41983 CVE-2023-42852} [bullseye] - webkit2gtk 2.42.2-1~deb11u1 = data/dsa-needed.txt = @@ -42,8 +42,6 @@ linux (carnil) nbconvert/oldstable Guilhem Moulin proposed an update ready for review -- -netty (apo) --- nghttp2 -- nodejs View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb8c6f97071556ac2984b4ebea230efb8c2225e7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb8c6f97071556ac2984b4ebea230efb8c2225e7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 4 commits: Add gst-plugins-bad1.0 to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 533a66d6 by Markus Koschany at 2023-11-18T01:19:37+01:00 Add gst-plugins-bad1.0 to dla-needed.txt - - - - - 79818a3b by Markus Koschany at 2023-11-18T01:51:00+01:00 CVE-2023-46118,rabbitmq-server: link to upstream pull request - - - - - 02adfda7 by Markus Koschany at 2023-11-18T02:02:30+01:00 Add symfony to dla-needed.txt - - - - - 2caaabc3 by Markus Koschany at 2023-11-18T02:09:04+01:00 Add wireshark to dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -4126,6 +4126,7 @@ CVE-2023-46119 (Parse Server is an open source backend that can be deployed to a CVE-2023-46118 (RabbitMQ is a multi-protocol messaging and streaming broker. HTTP API ...) - rabbitmq-server NOTE: https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-w6cq-9cf4-gqpg + NOTE: https://github.com/rabbitmq/rabbitmq-server/pull/9708 CVE-2023-4 (File Upload vulnerability in zzzCMS v.2.1.9 allows a remote attacker t ...) NOT-FOR-US: zzzCMS CVE-2023-45554 (File Upload vulnerability in zzzCMS v.2.1.9 allows a remote attacker t ...) = data/dla-needed.txt = @@ -79,6 +79,9 @@ gimp gnutls28 NOTE: 20231117: Added by Front-Desk (apo) -- +gst-plugins-bad1.0 + NOTE: 20231118: Added by Front-Desk (apo) +-- horizon NOTE: 20231101: Added by Front-Desk (lamby) NOTE: 20231101: Sync with bullseye (CVE-2022-45582). (lamby) @@ -248,6 +251,9 @@ suricata (Adrian Bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) -- +symfony + NOTE: 20231118: Added by Front-Desk (apo) +-- varnish NOTE: 20231117: Added by Front-Desk (apo) -- 
@@ -255,6 +261,9 @@ vlc NOTE: 20231106: Added by Front-Desk (pochu) NOTE: 20231106: Follow bullseye and update to 3.0.20 (pochu) -- +wireshark + NOTE: 20231118: Added by Front-Desk (apo) +-- zabbix NOTE: 20231015: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8b3307455343db44a32860038ada53dd0ad6537c...2caaabc3619c77ce9500558c7960572dd138f48e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8b3307455343db44a32860038ada53dd0ad6537c...2caaabc3619c77ce9500558c7960572dd138f48e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
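Review bot: the three new dla-needed.txt entries (gst-plugins-bad1.0, symfony, wireshark) carry only an "Added by Front-Desk" NOTE with no hint which CVEs prompted them; for gst-plugins-bad1.0 in particular, CVE-2023-44429 is marked as not affecting buster in the neighbouring push, so the driving issue is a different one. A second NOTE naming the CVE(s) or the target upstream version, as the clamav entry in this series does, would save the claimant a triage round.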
[Git][security-tracker-team/security-tracker][master] 8 commits: Add gnutls28 to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: b1140c02 by Markus Koschany at 2023-11-17T11:27:33+01:00 Add gnutls28 to dla-needed.txt - - - - - 11e42605 by Markus Koschany at 2023-11-17T11:53:16+01:00 CVE-2023-44429,gst-plugins-bad1.0: Buster is not affected The vulnerable code was introduced later. https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/13d55627f0be18c52dd1019c1f464acfe2da8b98 - - - - - a501a7d4 by Markus Koschany at 2023-11-17T12:57:13+01:00 Add varnish to dla-needed.txt - - - - - 56e1eb6f by Markus Koschany at 2023-11-17T12:58:37+01:00 CVE-2023-44487,varnish: link to upstream issue - - - - - c4d23181 by Markus Koschany at 2023-11-17T13:02:35+01:00 Add zlib to dla-needed.txt - - - - - 75f5bceb by Markus Koschany at 2023-11-17T13:06:42+01:00 CVE-2023-45853: minizip is also affected - - - - - dd2ed1c6 by Markus Koschany at 2023-11-17T13:08:22+01:00 Add minizip to dla-needed.txt - - - - - 3f64dc16 by Markus Koschany at 2023-11-17T13:29:08+01:00 Add gimp to dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -5927,6 +5927,7 @@ CVE-2023-45855 (qdPM 9.2 allows Directory Traversal to list files and directorie NOT-FOR-US: qdPM CVE-2023-45853 (MiniZip in zlib through 1.3 has an integer overflow and resultant heap ...) - zlib (bug #1054290) + - minizip NOTE: https://github.com/madler/zlib/pull/843 NOTE: https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c CVE-2023-45852 (In Vitogate 300 2.1.3.0, /cgi-bin/vitogate.cgi allows an unauthenticat ...) 
@@ -7020,6 +7021,7 @@ CVE-2023-44487 (The HTTP/2 protocol allows a denial of service (server resource NOTE: netty: https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p NOTE: netty: https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61 (netty-4.1.100.Final) NOTE: varnish: https://varnish-cache.org/security/VSV00013.html + NOTE: varnish: https://github.com/varnishcache/varnish-cache/issues/3996 NOTE: Unaffected implementations not requiring code changes: NOTE: - rust-hyper: https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected NOTE: - apache2: https://chaos.social/@icing/111210915918780532 @@ -8814,6 +8816,7 @@ CVE-2023-6 [MXF demuxer use-after-free] NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/7dfaa57b6f9b55f17ffe824bd8988bb71ae11353 (1.22.7) CVE-2023-44429 [AV1 codec parser buffer overflow] - gst-plugins-bad1.0 (bug #1056102) + [buster] - gst-plugins-bad1.0 (Vulnerable code was introduced later) - gst-plugins-bad0.10 NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0009.html NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5634 = data/dla-needed.txt = @@ -80,6 +80,12 @@ galera-3 (Adrian Bunk) NOTE: 20231028: Acc. to CVE notes the open issue is fixed in 26.4.12. Please, try to find a corresponding commit and try to backport it. Otherwise - no-dsa. (gladk) NOTE: 20231113: Investigating whether vulnerability already existed before commit introducing current code. (bunk) -- +gimp + NOTE: 20231117: Added by Front-Desk (apo) +-- +gnutls28 + NOTE: 20231117: Added by Front-Desk (apo) +-- horizon NOTE: 20231101: Added by Front-Desk (lamby) NOTE: 20231101: Sync with bullseye (CVE-2022-45582). (lamby) 
@@ -130,6 +136,9 @@ lwip mediawiki (guilhem) NOTE: 20231011: Added by Front-Desk (ta) -- +minizip + NOTE: 20231117: Added by Front-Desk (apo) +-- netty (Markus Koschany) NOTE: 20231104: Added by Front-Desk (lamby) NOTE: 20231104: For, at least, CVE-2023-44487. (lamby) @@ -246,6 +255,9 @@ suricata (Adrian Bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) -- +varnish + NOTE: 20231117: Added by Front-Desk (apo) +-- vlc NOTE: 20231106: Added by Front-Desk (pochu) NOTE: 20231106: Follow bullseye and update to 3.0.20 (pochu) @@ -253,3 +265,6 @@ vlc zabbix NOTE: 20231015: Added by Front-Desk (ta) -- +zlib + NOTE: 20231117: Added by Front-Desk (apo) +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f94cf8c879dce13ad5e9adf9fdf12b42f398d5b3...3f64dc160be59799aefb332345bb3a33996253bd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f94cf8c879dce13ad5e9adf9fdf12b42f398d5b3...3f64dc160be59799aefb332345bb3a33996253bd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits ma
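Review bot: the added `- minizip` line under CVE-2023-45853 carries neither a fixed version nor a bug reference, while the zlib line beside it has `(bug #1054290)`; an unversioned entry marks the package as vulnerable in unstable with nothing tracking the fix, so please file or link a bug for minizip (or note the fixing upstream commit 73331a6a0481 applies to it) so the entry does not sit open without an owner.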
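Review bot: the CVE-2023-44429 hunk adds `[buster] - gst-plugins-bad1.0 (Vulnerable code was introduced later)` but the commit that introduced the code (gstreamer commit 13d55627f0be, cited in the commit message) is not recorded in the tracker; add it as a NOTE beside the existing sa-2023-0009 and merge request links so the not-affected decision can be verified without consulting git history.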
[Git][security-tracker-team/security-tracker][master] Add clamav to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 8fda347f by Markus Koschany at 2023-11-13T21:35:37+01:00 Add clamav to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -40,6 +40,10 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- +clamav + NOTE: 20231113: Added by Front-Desk (apo) + NOTE: 20231113: Please upgrade to 0.103.10 to include the fix for CVE-2023-40477 (libclamunrar). +-- curl NOTE: 20231103: Added by Front-Desk (lamby) NOTE: 20231103: Sync with stable. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8fda347fcc8485c94ccb6c9fe4e9fe258949cae9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8fda347fcc8485c94ccb6c9fe4e9fe258949cae9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim netty in dsa-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: f70238ad by Markus Koschany at 2023-11-12T20:52:57+01:00 Claim netty in dsa-needed.txt - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -29,7 +29,7 @@ linux (carnil) nbconvert/oldstable Guilhem Moulin proposed an update ready for review -- -netty +netty (apo) -- nghttp2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f70238ad164b805f14da30b776f2c5586b4426a5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f70238ad164b805f14da30b776f2c5586b4426a5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-34462,CVE-2023-44487,netty: fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 62f81dd4 by Markus Koschany at 2023-11-11T23:32:16+01:00 CVE-2023-34462,CVE-2023-44487,netty: fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5722,7 +5722,7 @@ CVE-2023-44487 (The HTTP/2 protocol allows a denial of service (server resource - nginx 1.24.0-2 (unimportant; bug #1053770) - nghttp2 1.57.0-1 (bug #1053769) - jetty9 9.4.53-1 - - netty (bug #1054234) + - netty 1:4.1.48-8 (bug #1054234) NOTE: Tomcat: https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49 (10.1.14) NOTE: Tomcat: https://github.com/apache/tomcat/commit/6d1a9fd6642387969e4410b9989c85856b74917a (9.0.81) NOTE: Starting with 9.0.70-2 Tomcat9 no longer ships the server stack, using that as the fixed version @@ -20779,7 +20779,7 @@ CVE-2023-35131 (Content on the groups page required additional sanitizing to pre CVE-2023-34553 (An issue was discovered in WAFU Keyless Smart Lock v1.0 allows attacke ...) NOT-FOR-US: WAFU Keyless Smart Lock CVE-2023-34462 (Netty is an asynchronous event-driven network application framework fo ...) - - netty (bug #1038947) + - netty 1:4.1.48-8 (bug #1038947) [bookworm] - netty (Minor issue, fix along in future update) [bullseye] - netty (Minor issue, fix along in future update) [buster] - netty (SslClientHelloHandler introduced in v4.1.46) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62f81dd4abba17cd0b018c7ab988755facc14ddc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62f81dd4abba17cd0b018c7ab988755facc14ddc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: Remove mosquitto from dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 09a3a1a9 by Markus Koschany at 2023-11-10T02:02:52+01:00 Remove mosquitto from dla-needed.txt - - - - - 853f87ec by Markus Koschany at 2023-11-10T02:03:45+01:00 CVE-2023-5632,mosquitto: buster is not affected The vulnerable code was introduced two years later with https://github.com/eclipse/mosquitto/commit/fabdfcc060432f07595b4a10d4f4fb3d075c64dc#diff-0c14597a927dfee68f01aabb70f76e8d1191380e890978a1cc263855478d6138 - - - - - 673a8bc8 by Markus Koschany at 2023-11-10T02:07:22+01:00 CVE-2023-28366,mosquitto: mark buster as ignored This potential memory leak requires a rewrite of packet handling core functions. Upstream was unsure whether the buster version is affected but did not intend to fix such an old version anyway. It seems mosquitto is ABI stable between 1.5 to 2.x but that does not imply configuration options behave identical. The risk of regressions is thus rather high. An upgrade to the version in Bullseye would be a more sensible approach because this version has an excellent test coverage though. At the moment I tend to ignore this problem because of the regression risks involved. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -3807,6 +3807,7 @@ CVE-2023-5642 (Advantech R-SeeNet v2.4.23 allows an unauthenticated remote attac NOT-FOR-US: Advantech R-SeeNet CVE-2023-5632 (In Eclipse Mosquito before and including 2.0.5, establishing a connect ...) - mosquitto 2.0.7-1 + [buster] - mosquitto (The vulnerable code was introduced later) NOTE: https://github.com/eclipse/mosquitto/pull/2053 NOTE: https://github.com/eclipse/mosquitto/commit/18bad1ff32435e523d7507e9b2ce0010124a8f2d (v2.0.6) CVE-2023-5631 (Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 al ...) 
@@ -34856,6 +34857,7 @@ CVE-2023-28368 (TP-Link L2 switch T2600G-28SQ firmware versions prior to 'T2600G CVE-2023-28366 (The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a ...) {DSA-5511-1} - mosquitto 2.0.17-1 + [buster] - mosquitto (Minor memory leak which requires rewrite of core functions) NOTE: https://mosquitto.org/blog/2023/08/version-2-0-16-released/ NOTE: https://github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9 (v2.0.16) NOTE: Regression fix: https://github.com/eclipse/mosquitto/commit/bfb373d774d8530e8d6620776304a3e0b0201793 = data/dla-needed.txt = @@ -133,10 +133,6 @@ lwip mediawiki (guilhem) NOTE: 20231011: Added by Front-Desk (ta) -- -mosquitto (Markus Koschany) - NOTE: 20230924: Added by Front-Desk (apo) - NOTE: 20231009: Waiting for upstream clarification how to proceed with open CVE. (apo) --- netty (Markus Koschany) NOTE: 20231104: Added by Front-Desk (lamby) NOTE: 20231104: For, at least, CVE-2023-44487. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8a4db919093d6ee4a452964cfa1a3214fc8bd8e3...673a8bc8b99a4dbb09b70c603bde8334982e35bd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8a4db919093d6ee4a452964cfa1a3214fc8bd8e3...673a8bc8b99a4dbb09b70c603bde8334982e35bd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
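Review bot: the new `[buster] - mosquitto (Minor memory leak which requires rewrite of core functions)` line for CVE-2023-28366 compresses a decision that the commit message explains at length (upstream unsure whether 1.5.x is affected and not intending to fix it, ABI stability between 1.5 and 2.x not implying identical configuration behaviour, high regression risk, rebasing to the bullseye version as the alternative), and the only other trace, the dla-needed.txt NOTE "Waiting for upstream clarification", is deleted in the same push. Please add a NOTE in data/CVE/list linking the upstream discussion; likewise for CVE-2023-5632, the introducing commit fabdfcc06043 named in the commit message belongs in a NOTE next to the new buster annotation.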
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3647-1 for trapperkeeper-webserver-jetty9-clojure
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 670f51ad by Markus Koschany at 2023-11-07T00:03:06+01:00 Reserve DLA-3647-1 for trapperkeeper-webserver-jetty9-clojure - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[07 Nov 2023] DLA-3647-1 trapperkeeper-webserver-jetty9-clojure - security update + [buster] - trapperkeeper-webserver-jetty9-clojure 1.7.0-2+deb10u2 [05 Nov 2023] DLA-3646-1 open-vm-tools - security update {CVE-2023-34058 CVE-2023-34059} [buster] - open-vm-tools 2:10.3.10-1+deb10u6 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/670f51ade33e395efbee1490eb13893c41830441 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/670f51ade33e395efbee1490eb13893c41830441 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
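Review bot: the new DLA-3647-1 entry has no `{CVE-...}` line, unlike the DLA-3646-1 entry below it; an entry without CVE IDs is legitimate for an issue that has none or for a regression update, but the commit message gives no hint which applies, so a brief reason in the message (or a NOTE) would help anyone auditing the DLA list later.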
[Git][security-tracker-team/security-tracker][master] 3 commits: Remove memcached from dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 334571c9 by Markus Koschany at 2023-11-05T00:13:24+01:00 Remove memcached from dla-needed.txt - - - - - d66194c5 by Markus Koschany at 2023-11-05T00:14:38+01:00 Triage CVE-2023-46852,CVE-2023-46853,memcached as not affected for Buster The vulnerable code was introduced in later releases. See https://github.com/memcached/memcached/commit/d22b66483bce8843110795609386edc6ebf65b69 - - - - - a6dea465 by Markus Koschany at 2023-11-05T00:17:30+01:00 Claim netty in dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -1092,11 +1092,13 @@ CVE-2023-46853 (In Memcached before 1.6.22, an off-by-one error exists when proc - memcached 1.6.22-1 [bookworm] - memcached (Minor issue) [bullseye] - memcached (Minor issue) + [buster] - memcached (The vulnerable code was introduced later) NOTE: https://github.com/memcached/memcached/commit/6987918e9a3094ec4fc8976f01f769f624d790fa (1.6.22) CVE-2023-46852 (In Memcached before 1.6.22, a buffer overflow exists when processing m ...) - memcached 1.6.22-1 [bookworm] - memcached (Minor issue) [bullseye] - memcached (Minor issue) + [buster] - memcached (The vulnerable code was introduced later) NOTE: https://github.com/memcached/memcached/commit/76a6c363c18cfe7b6a1524ae64202ac9db330767 (1.6.22) CVE-2023-46604 (Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerabili ...) - activemq (bug #1054909) = data/dla-needed.txt = 
@@ -132,14 +132,11 @@ lwip mediawiki (guilhem) NOTE: 20231011: Added by Front-Desk (ta) -- -memcached (Markus Koschany) - NOTE: 20231029: Added by Front-Desk (gladk) --- mosquitto (Markus Koschany) NOTE: 20230924: Added by Front-Desk (apo) NOTE: 20231009: Waiting for upstream clarification how to proceed with open CVE. (apo) -- -netty +netty (Markus Koschany) NOTE: 20231104: Added by Front-Desk (lamby) NOTE: 20231104: For, at least, CVE-2023-44487. (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/10d0f985fa27b64648fbb9e89d112ba6386220cd...a6dea465fc1ab0e1751bff0880c481020624cd99 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/10d0f985fa27b64648fbb9e89d112ba6386220cd...a6dea465fc1ab0e1751bff0880c481020624cd99 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
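Review bot: the two added `[buster] - memcached (The vulnerable code was introduced later)` lines in the CVE-2023-46852 and CVE-2023-46853 entries state a not-affected rationale but carry no status keyword, and the evidence cited in the commit message (memcached commit d22b66483bce8843110795609386edc6ebf65b69, the change that introduced the vulnerable code) does not appear in the entries themselves; add a `NOTE:` line with that commit URL under both CVEs, next to the existing NOTEs for the 1.6.22 fix commits, so the buster triage can be re-checked without digging through git history.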
[Git][security-tracker-team/security-tracker][master] Claim memcached and mosquitto
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: e9655085 by Markus Koschany at 2023-10-31T18:18:32+01:00 Claim memcached and mosquitto - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -116,10 +116,10 @@ linux-5.10 mediawiki (guilhem) NOTE: 20231011: Added by Front-Desk (ta) -- -memcached +memcached (Markus Koschany) NOTE: 20231029: Added by Front-Desk (gladk) -- -mosquitto +mosquitto (Markus Koschany) NOTE: 20230924: Added by Front-Desk (apo) NOTE: 20231009: Waiting for upstream clarification how to proceed with open CVE. (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9655085a671e5ff7a1fa1445ead0094c48f50e8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9655085a671e5ff7a1fa1445ead0094c48f50e8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3641-1 for jetty9
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: c93dfd66 by Markus Koschany at 2023-10-30T21:05:48+01:00 Reserve DLA-3641-1 for jetty9 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -218554,7 +218554,6 @@ CVE-2020-27219 (In all version of Eclipse Hawkbit prior to 0.3.0M7, the HTTP 404 NOT-FOR-US: Eclipse Hawkbit CVE-2020-27218 (In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 ...) - jetty9 9.4.35-1 (bug #976211) - [buster] - jetty9 (Minor issue, too intrusive to backport, patch introduces regressions, workarounds exist) [stretch] - jetty9 (Minor issue, request smuggling in specific conditions, invasive, patch introduces regressions, workarounds exist) NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=568892 NOTE: https://github.com/eclipse/jetty.project/security/advisories/GHSA-86wm-rrjm-8wh8 = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Oct 2023] DLA-3641-1 jetty9 - security update + {CVE-2020-27218 CVE-2023-36478 CVE-2023-44487} + [buster] - jetty9 9.4.50-4+deb10u1 [30 Oct 2023] DLA-3640-1 distro-info - database update [buster] - distro-info 0.21+deb10u1 [30 Oct 2023] DLA-3639-1 distro-info-data - database update = data/dla-needed.txt = 
@@ -87,9 +87,6 @@ imagemagick NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) NOTE: 20231014: Some work under git branch debian/buster but unease -- -jetty9 (Markus Koschany) - NOTE: 20231011: Added by Front-Desk (ta) --- knot-resolver NOTE: 20231029: Added by Front-Desk (gladk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c93dfd66cac3e599ad34df17a76ce1764e427450 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c93dfd66cac3e599ad34df17a76ce1764e427450 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
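Review bot: the line removed from CVE-2020-27218, `[buster] - jetty9 (Minor issue, too intrusive to backport, patch introduces regressions, workarounds exist)`, recorded an explicit regression concern, and the new DLA-3641-1 entry now claims buster fixed at 9.4.50-4+deb10u1 with nothing saying what changed; since the `[stretch]` line with the same "patch introduces regressions" reasoning is left in place, add a `NOTE:` line under the CVE naming the backported fix (or the follow-up commit that addressed the regression) so the buster and stretch assessments do not silently diverge.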