[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2020-13956,httpcomponents-client: Link to fixing commit
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 89c3a4a2 by Markus Koschany at 2020-10-09T22:37:41+02:00 CVE-2020-13956,httpcomponents-client: Link to fixing commit - - - - - d37e6137 by Markus Koschany at 2020-10-09T23:05:36+02:00 CVE-2020-13956,httpcomponents-client: Fixed in unstable. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28097,8 +28097,9 @@ CVE-2020-13957 RESERVED CVE-2020-13956 [incorrect handling of malformed authority component in request URIs] RESERVED - - httpcomponents-client + - httpcomponents-client 4.5.13-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1886587 + NOTE: Fixed by https://github.com/apache/httpcomponents-client/commit/e628b4c5c464c2fa346385596cc78e035a91a62e CVE-2020-13955 (HttpUtils#getURLConnection method disables explicitly hostname verific ...) TODO: check CVE-2020-13954 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4376346ec33e6e0738dd709e6c1936e02cae95fb...d37e6137343d8b892b526c3fe04780cb0869aaef -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4376346ec33e6e0738dd709e6c1936e02cae95fb...d37e6137343d8b892b526c3fe04780cb0869aaef You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2404-1 for eclipse-wtp
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 4376346e by Markus Koschany at 2020-10-09T22:18:46+02:00 Reserve DLA-2404-1 for eclipse-wtp - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[09 Oct 2020] DLA-2404-1 eclipse-wtp - security update + {CVE-2019-17637} + [stretch] - eclipse-wtp 3.6.3-3+deb9u1 [09 Oct 2020] DLA-2403-1 rails - security update {CVE-2020-15169} [stretch] - rails 2:4.2.7.1-1+deb9u4 = data/dla-needed.txt = @@ -59,8 +59,6 @@ condor NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o (roberto) NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto) -- -eclipse-wtp (Markus Koschany) --- f2fs-tools NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 and 1.13.0, but it is not trivial to NOTE: 20200815: to detect which of the patches correlates to the CVE. Contacting upstream might be necessary. (sunweaver) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4376346ec33e6e0738dd709e6c1936e02cae95fb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4376346ec33e6e0738dd709e6c1936e02cae95fb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim httpcomponents-client in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 270abb9d by Markus Koschany at 2020-10-09T20:14:16+02:00 Claim httpcomponents-client in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -80,6 +80,8 @@ golang-golang-x-net-dev -- guacamole-client -- +httpcomponents-client (Markus Koschany) +-- jupyter-notebook NOTE: 20200711: Vulnerable to (at least) CVE-2018-19351. (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/270abb9d7c92e2e323592911260649133e531ce2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/270abb9d7c92e2e323592911260649133e531ce2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2403-1 for rails
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3b412091 by Markus Koschany at 2020-10-09T19:06:45+02:00 Reserve DLA-2403-1 for rails - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[09 Oct 2020] DLA-2403-1 rails - security update + {CVE-2020-15169} + [stretch] - rails 2:4.2.7.1-1+deb9u4 [08 Oct 2020] DLA-2402-1 golang-go.crypto - security update {CVE-2019-11840 CVE-2019-11841 CVE-2020-9283} [stretch] - golang-go.crypto 1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1 = data/dla-needed.txt = @@ -119,8 +119,6 @@ python3.5 (Thorsten Alteholz) -- qtsvg-opensource-src (Adrian Bunk) -- -rails (Markus Koschany) --- reel NOTE: 20200909: it is now unmaintained. last commit was in Aug 2018. (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b412091437d87547f5a21b907c3330b9369a11f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b412091437d87547f5a21b907c3330b9369a11f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
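Review bot: the unchanged context line for DLA-2402-1 records the stretch golang-go.crypto fix as 1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1, a +deb8u1 suffix on a [stretch] line, while the entry added here and the other stretch entries use +deb9uN (rails 2:4.2.7.1-1+deb9u4 directly above it). Not touched by this commit, but worth checking against the version that was actually uploaded, since DLA/list is what the tracker reports as the fixed version.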
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2400-1 for activemq
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: e6bb39bc by Markus Koschany at 2020-10-07T22:02:30+02:00 Reserve DLA-2400-1 for activemq - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[07 Oct 2020] DLA-2400-1 activemq - security update + {CVE-2020-13920} + [stretch] - activemq 5.14.3-3+deb9u1 [07 Oct 2020] DLA-2399-1 packagekit - security update {CVE-2020-16121 CVE-2020-16122} [stretch] - packagekit 1.1.5-2+deb9u2 = data/dla-needed.txt = @@ -9,8 +9,6 @@ To pick an issue, simply add your name behind it. To learn more about how this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues --- -activemq (Markus Koschany) -- ansible NOTE: 20200506: CVE-2020-1736: The version in jessie does not use the View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6bb39bc419bef3999289b7b8cb564de3c30f329 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6bb39bc419bef3999289b7b8cb564de3c30f329 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2020-13920,activemq: fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 1cea118a by Markus Koschany at 2020-10-07T21:42:35+02:00 CVE-2020-13920,activemq: fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27927,7 +27927,7 @@ CVE-2020-13922 CVE-2020-13921 (**Resolved** Only when using H2/MySQL/TiDB as Apache SkyWalking storag ...) NOT-FOR-US: Apache SkyWalking CVE-2020-13920 (Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX ...) - - activemq + - activemq 5.16.0-1 NOTE: http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt NOTE: When fixing this issue make sure to use a complete fix and not open up NOTE: CVE-2020-11998 (a regression introduced in 5.15.12 in the commit preventing View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1cea118a4a7b110ba2a55df92fce4d6dc550d9e1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1cea118a4a7b110ba2a55df92fce4d6dc550d9e1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim activemq and eclipse-wtp in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 6fbd7676 by Markus Koschany at 2020-10-02T16:00:50+02:00 Claim activemq and eclipse-wtp in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -10,7 +10,7 @@ this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- -activemq +activemq (Markus Koschany) -- ansible NOTE: 20200506: CVE-2020-1736: The version in jessie does not use the @@ -60,7 +60,7 @@ condor NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o (roberto) NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto) -- -eclipse-wtp +eclipse-wtp (Markus Koschany) -- f2fs-tools NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 and 1.13.0, but it is not trivial to View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6fbd7676bdaeeec5956f4de9e684601a6d7970b3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6fbd7676bdaeeec5956f4de9e684601a6d7970b3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2394-1 for squid3
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: c9c6d8b4 by Markus Koschany at 2020-10-02T15:55:56+02:00 Reserve DLA-2394-1 for squid3 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[02 Oct 2020] DLA-2394-1 squid3 - security update + {CVE-2020-15049 CVE-2020-15810 CVE-2020-15811 CVE-2020-24606} + [stretch] - squid3 3.5.23-5+deb9u5 [01 Oct 2020] DLA-2393-1 snmptt - security update {CVE-2020-24361} [stretch] - snmptt 1.4-1+deb8u1 = data/dla-needed.txt = @@ -175,11 +175,6 @@ slirp NOTE: CVE-2020-7039 to be applied patched first, as they both patch NOTE: the same lines of code in tcp_subr.c (bam). -- -squid3 - NOTE: 20200831: I have backported the HttpHeader parsing code now and - NOTE: incorporated the fixes for the latest CVE. I will send a RFT to - NOTE: debian-lts again before uploading. (apo) --- sympa NOTE: 20200525: Incomplete patch. Not the complete patch is made public. (utkarsh) NOTE: 20200525: But that is weird, given their announcement. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c9c6d8b488036f66b42b7e74193cbc391bc5d785 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c9c6d8b488036f66b42b7e74193cbc391bc5d785 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
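Review bot: the context line for DLA-2393-1, right under the new squid3 3.5.23-5+deb9u5 entry, lists the stretch snmptt fix as 1.4-1+deb8u1; a +deb8u1 suffix on a [stretch] line does not follow the +deb9uN convention of the surrounding stretch entries and should be confirmed against the upload. It is not changed by this commit.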
[Git][security-tracker-team/security-tracker][master] Claim rails in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 4613cf4f by Markus Koschany at 2020-09-30T18:52:52+02:00 Claim rails in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -119,7 +119,7 @@ puma -- python3.5 (Thorsten Alteholz) -- -rails +rails (Markus Koschany) -- reel NOTE: 20200909: it is now unmaintained. last commit was in Aug 2018. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4613cf4f398570c7ba630b5648faf2fdadedfff3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4613cf4f398570c7ba630b5648faf2fdadedfff3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2020-14340,jboss-xnio: Fixed in unstable.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: d9a6d3cd by Markus Koschany at 2020-09-17T01:17:07+02:00 CVE-2020-14340,jboss-xnio: Fixed in unstable. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23988,7 +23988,7 @@ CVE-2020-14341 RESERVED CVE-2020-14340 RESERVED - - jboss-xnio + - jboss-xnio 3.8.2-1 [stretch] - jboss-xnio (vulnerable code is not present) NOTE: Fix for 3.8: https://github.com/xnio/xnio/pull/233 NOTE: Fix for 3.7 (Buster): https://github.com/xnio/xnio/pull/234 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9a6d3cd0cdd43201fe9b2aacdb29be64c2a79fe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9a6d3cd0cdd43201fe9b2aacdb29be64c2a79fe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
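Review bot: the hunk adds the unstable fix 3.8.2-1 and keeps "[stretch] - jboss-xnio (vulnerable code is not present)", but no [buster] line is visible even though the NOTE right below points at a separate fix for the 3.7 branch shipped in buster (https://github.com/xnio/xnio/pull/234). If buster is affected, record its status on its own line (a fixed version, or a no-dsa/postponed decision with the reason); otherwise the tracker derives buster's status from the unstable version alone and the entry stays RESERVED with nothing telling a reader whether 3.7 was ever handled.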
[Git][security-tracker-team/security-tracker][master] 3 commits: Triage CVE-2020-10719,undertow
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: b4f06892 by Markus Koschany at 2020-09-14T23:32:24+02:00 Triage CVE-2020-10719,undertow Upstream bug report is not public. The issue was fixed in 2.1.1-1. Most likely fixing commit is https://github.com/undertow-io/undertow/commit/bfc8fbd67f6b3dd96702b363f61cf805baf3c6cf found with diff between version 2.1.0 and 2.1.1. - - - - - d95129a9 by Markus Koschany at 2020-09-14T23:32:25+02:00 Triage CVE-2020-1757,undertow. Fixed in version 2.1.1-1 - - - - - ce7282ce by Markus Koschany at 2020-09-14T23:32:26+02:00 Triage CVE-2020-10705,undertow Fixed in version 2.1.1-1 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -34816,8 +34816,10 @@ CVE-2020-10720 (A flaw was found in the Linux kernel's implementation of GRO in NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1781204 NOTE: Fixed by: https://git.kernel.org/linus/a4270d6795b0580287453ea55974d948393e66ef CVE-2020-10719 (A flaw was found in Undertow in versions before 2.1.1.Final, regarding ...) - - undertow (bug #969913) + - undertow 2.1.1-1 (bug #969913) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1828459 + NOTE: https://issues.redhat.com/browse/UNDERTOW-1708 (not public) + NOTE: most likely fixed by https://github.com/undertow-io/undertow/commit/bfc8fbd67f6b3dd96702b363f61cf805baf3c6cf CVE-2020-10718 RESERVED - wildfly (bug #752018) 
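Review bot: the fixing commit for CVE-2020-10719 is inferred from a diff between 2.1.0 and 2.1.1 because UNDERTOW-1708 is not public; the added line says "most likely fixed by" but not how that was determined. Put the reasoning from the commit message ("found with diff between version 2.1.0 and 2.1.1") into the NOTE line itself, so whoever backports this can see the reference is an inference and knows what to re-check if the Red Hat bug is opened up.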
@@ -34865,8 +34867,9 @@ CVE-2020-10707 CVE-2020-10706 (A flaw was found in OpenShift Container Platform where OAuth tokens ar ...) NOT-FOR-US: OpenShift CVE-2020-10705 (A flaw was discovered in Undertow in versions before Undertow 2.1.1.Fi ...) - - undertow + - undertow 2.1.1-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1803241 + NOTE: https://github.com/undertow-io/undertow/commit/b53d4589c586e8bbdcc89ed60f32cd7977e9a4f4 CVE-2020-10704 (A flaw was found when using samba as an Active Directory Domain Contro ...) - samba 2:4.12.3+dfsg-2 (bug #960188) [buster] - samba (Can be fixed along in future DSA) @@ -58480,8 +58483,11 @@ CVE-2020-1759 (A vulnerability was found in Red Hat Ceph Storage 4 and Red Hat O CVE-2020-1758 (A flaw was found in Keycloak in versions before 10.0.0, where it does ...) NOT-FOR-US: Keycloak CVE-2020-1757 (A flaw was found in all undertow-2.x.x SP1 versions prior to undertow- ...) - - undertow + - undertow 2.1.1-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1752770 + NOTE: https://issues.redhat.com/browse/UNDERTOW-1464 + NOTE: https://issues.redhat.com/browse/UNDERTOW-1671 + NOTE: https://github.com/undertow-io/undertow/pull/871 CVE-2020-1756 RESERVED CVE-2020-1755 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2e2963c0f4d5b95d9d907546584b6ac812b1c1f7...ce7282ced9156c1cd58c85dccf9c631ea742d4fc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2e2963c0f4d5b95d9d907546584b6ac812b1c1f7...ce7282ced9156c1cd58c85dccf9c631ea742d4fc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
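Review bot: style point on the references added for CVE-2020-10705 and CVE-2020-1757: the GitHub commit and pull request are recorded as bare "NOTE: https://..." lines, whereas fixing commits elsewhere in the file carry a prefix (the CVE-2020-10720 context line in the first hunk uses "NOTE: Fixed by:"). Prefixing the commit for CVE-2020-10705 (b53d4589...) and pull/871 for CVE-2020-1757 the same way separates the actual fixes from the two UNDERTOW issue links, which are background only.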
[Git][security-tracker-team/security-tracker][master] 2 commits: Remove jetty9 from dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 537b05f9 by Markus Koschany at 2020-09-10T16:20:09+02:00 Remove jetty9 from dla-needed.txt - - - - - 28210393 by Markus Koschany at 2020-09-10T16:21:46+02:00 CVE-2019-17638,jetty9: Stretch and Buster are not affected The vulnerable code was introduced in version 9.4.27. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -65648,6 +65648,8 @@ CVE-2019-17639 (In Eclipse OpenJ9 prior to version 0.21 on Power platforms, call NOT-FOR-US: IBM JDK specific issue on on AIX and Linux on the Power platform CVE-2019-17638 (In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in ca ...) - jetty9 9.4.31-1 + [buster] - jetty9 (vulnerable code was introduced in 9.4.27) + [stretch] - jetty9 (vulnerable code was introduced in 9.4.27) NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=564984 NOTE: https://github.com/eclipse/jetty.project/issues/4936 CVE-2019-17637 (In all versions of Eclipse Web Tools Platform through release 3.18 (20 ...) = data/dla-needed.txt = @@ -87,8 +87,6 @@ golang-golang-x-net-dev -- guacamole-client (Mike Gabriel) -- -jetty9 (Markus Koschany) --- jupyter-notebook NOTE: 20200711: Vulnerable to (at least) CVE-2018-19351. (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d7b846cfde62e99b72d5ea28b827e5472357b2bf...28210393136edd9e360286a86ce74764fb3520be -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d7b846cfde62e99b72d5ea28b827e5472357b2bf...28210393136edd9e360286a86ce74764fb3520be You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
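Review bot: the new [buster] and [stretch] lines for CVE-2019-17638 rest entirely on "vulnerable code was introduced in 9.4.27", which agrees with the CVE's own range (9.4.27.v20200227 to 9.4.29.v20200521) but is not backed by a reference in the entry: the two NOTE lines point at the Eclipse bug and the GitHub issue, not at the change that introduced the bug. Add the introducing commit (or the 9.4.27 changelog item) as a NOTE so the not-affected claim can be checked later without redoing the analysis.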
[Git][security-tracker-team/security-tracker][master] Remove no-dsa tags for upcoming libxml2 update.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 0976f993 by Markus Koschany at 2020-09-09T23:13:48+02:00 Remove no-dsa tags for upcoming libxml2 update. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -41696,7 +41696,6 @@ CVE-2020-7596 (Codecov npm module before 3.6.2 allows remote attackers to execut CVE-2020-7595 (xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infini ...) - libxml2 2.9.10+dfsg-2.1 (bug #949582) [buster] - libxml2 (Minor issue) - [stretch] - libxml2 (Minor issue) [jessie] - libxml2 (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c8907645d2e155f0d89d4d9895ac5112b5 CVE-2020-7594 (MultiTech Conduit MTCDT-LVW2-24XX 1.4.17-ocea-13592 devices allow remo ...) @@ -41952,7 +41951,6 @@ CVE-2019-20389 (An XSS issue was identified on the Subrion CMS 4.2.1 /panel/conf CVE-2019-20388 (xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaV ...) - libxml2 2.9.10+dfsg-2.1 (bug #949583) [buster] - libxml2 (Minor issue) - [stretch] - libxml2 (Minor issue) [jessie] - libxml2 (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/libxml2/commit/7ffcd44d7e6c46704f8af0321d9314cd26e0e18a CVE-2019-20387 (repodata_schema2id in repodata.c in libsolv before 0.7.6 has a heap-ba ...) @@ -51203,7 +51201,6 @@ CVE-2019-19956 (xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before [experimental] - libxml2 2.9.10+dfsg-1 - libxml2 2.9.10+dfsg-2 [buster] - libxml2 (Minor issue) - [stretch] - libxml2 (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/libxml2/issues/82 NOTE: https://gitlab.gnome.org/GNOME/libxml2/commit/5a02583c7e683896d84878bd90641d8d9b0d0549 (v2.9.10-rc1) CVE-2019-19955 
@@ -131204,7 +131201,6 @@ CVE-2018-14567 (libxml2 2.9.8, if --with-lzma is used, allows remote attackers t [experimental] - libxml2 2.9.9+dfsg1-1~exp1 - libxml2 2.9.10+dfsg-2 [buster] - libxml2 (Minor issue) - [stretch] - libxml2 (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/libxml2/issues/13 (not public yet) NOTE: https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74 CVE-2018-14566 @@ -131699,7 +131695,6 @@ CVE-2018-14404 (A NULL pointer dereference vulnerability exists in the xpath.c:x [experimental] - libxml2 2.9.9+dfsg1-1~exp1 - libxml2 2.9.10+dfsg-2 (low; bug #901817) [buster] - libxml2 (Minor issue) - [stretch] - libxml2 (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/libxml2/issues/5 NOTE: https://gitlab.gnome.org/GNOME/libxml2/issues/10 NOTE: https://gitlab.gnome.org/GNOME/libxml2/commit/a436374994c47b12d5de1b8b1d191a098fa23594 @@ -145514,7 +145509,6 @@ CVE-2017-18258 (The xz_head function in xzlib.c in libxml2 before 2.9.6 allows r [experimental] - libxml2 2.9.7+dfsg-1 - libxml2 2.9.10+dfsg-2 (low; bug #895245) [buster] - libxml2 (Minor issue) - [stretch] - libxml2 (Minor issue; wait for upstream fix for upstream bug 794914) [wheezy] - libxml2 (Minor issue; wait for upstream fix for upstream bug 794914) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=786696 NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb 
@@ -197732,7 +197726,6 @@ CVE-2017-8873 RESERVED CVE-2017-8872 (The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 all ...) - libxml2 2.9.4+dfsg1-6.1 (bug #862450) - [stretch] - libxml2 (Minor issue) [jessie] - libxml2 (Minor issue) [wheezy] - libxml2 (Minor issue) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=775200 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0976f9932ac0e4422aedb56147ff6c9937458f19 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0976f9932ac0e4422aedb56147ff6c9937458f19 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
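Review bot: the removed [stretch] lines appear here as "[stretch] - libxml2 (Minor issue)" with no status keyword, although the commit message says it removes no-dsa tags; the angle-bracketed marker has evidently been dropped from this mail rendering, so read the hunks from the repository rather than from here. On the substance, the seven stretch tags removed (CVE-2020-7595, CVE-2019-20388, CVE-2019-19956, CVE-2018-14567, CVE-2018-14404, CVE-2017-18258, CVE-2017-8872) all need to end up in the DLA that follows; for CVE-2017-18258 the wheezy line still says "wait for upstream fix for upstream bug 794914", so if the stretch update fixes it without that upstream resolution, a NOTE should say which patch was taken.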
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2369-1 for libxml2
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 7ee73606 by Markus Koschany at 2020-09-09T23:02:56+02:00 Reserve DLA-2369-1 for libxml2 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[09 Sep 2020] DLA-2369-1 libxml2 - security update + {CVE-2017-8872 CVE-2017-18258 CVE-2018-14404 CVE-2018-14567 CVE-2019-19956 CVE-2019-20388 CVE-2020-7595 CVE-2020-24977} + [stretch] - libxml2 2.9.4+dfsg1-2.2+deb9u3 [09 Sep 2020] DLA-2368-1 grunt - security update {CVE-2020-7729} [stretch] - grunt 1.0.1-5+deb9u1 = data/dla-needed.txt = @@ -94,8 +94,6 @@ jupyter-notebook -- kleopatra -- -libxml2 (Markus Koschany) --- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ee73606a2059dc9874b483ccaef754bb3d0a698 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ee73606a2059dc9874b483ccaef754bb3d0a698 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2017-12670,imagemagick: postponed
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: f2537493 by Markus Koschany at 2020-09-07T19:08:01+02:00 CVE-2017-12670,imagemagick: postponed Upstream patch appears to be incomplete. Needs further investigation. - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -188857,9 +188857,11 @@ CVE-2017-11724 (The ReadMATImage function in coders/mat.c in ImageMagick through CVE-2017-12670 (In ImageMagick 7.0.6-3, missing validation was found in coders/mat.c, ...) {DLA-2366-1 DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-14 (low; bug #870020) + [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/610 NOTE: https://github.com/ImageMagick/ImageMagick/commit/ab440f9ea11e0dbefb7a808cbb9441198758b0cb NOTE: https://github.com/ImageMagick/ImageMagick/commit/75db34b6a4d642cb6f88c792942de27490c900e0 + NOTE: Upstream patch is apparently incomplete. POC still triggers segfault. CVE-2017-13658 (In ImageMagick before 6.9.9-3 and 7.x before 7.0.6-3, there is a missi ...) {DLA-2366-1 DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-14 (low; bug #870019) = data/DLA/list = 
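Review bot: the new stretch line for CVE-2017-12670 gives "(Minor issue)" as its reason, but the commit message and the added NOTE say the issue is postponed because the upstream patch is apparently incomplete and the PoC still segfaults; that is a different verdict from "minor". Consider putting the real reason in the parenthesis (for example "(Upstream patch incomplete, PoC still crashes)") so the status explains itself in the tracker without reading the NOTE, and make sure the line carries the postponed marker rather than no-dsa, since the keyword is not visible in this rendering.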
@@ -2,7 +2,7 @@ {CVE-2020-24660} [stretch] - lemonldap-ng 1.9.7-3+deb9u4 [07 Sep 2020] DLA-2366-1 imagemagick - security update - {CVE-2017-12140 CVE-2017-12429 CVE-2017-12430 CVE-2017-12435 CVE-2017-12563 CVE-2017-12643 CVE-2017-12670 CVE-2017-12674 CVE-2017-12691 CVE-2017-12692 CVE-2017-12693 CVE-2017-12806 CVE-2017-12875 CVE-2017-13061 CVE-2017-13133 CVE-2017-13658 CVE-2017-13768 CVE-2017-14060 CVE-2017-14172 CVE-2017-14173 CVE-2017-14174 CVE-2017-14175 CVE-2017-14249 CVE-2017-14341 CVE-2017-14400 CVE-2017-14505 CVE-2017-14532 CVE-2017-14624 CVE-2017-14625 CVE-2017-14626 CVE-2017-14739 CVE-2017-14741 CVE-2017-15015 CVE-2017-15017 CVE-2017-15281 CVE-2017-17682 CVE-2017-17914 CVE-2017-18209 CVE-2017-18211 CVE-2017-18271 CVE-2017-18273 CVE-2017-1000445 CVE-2017-1000476 CVE-2018-16643 CVE-2018-16749 CVE-2018-18025 CVE-2019-11598 CVE-2019-13135 CVE-2019-13308 CVE-2019-13391 CVE-2019-15139} + {CVE-2017-12140 CVE-2017-12429 CVE-2017-12430 CVE-2017-12435 CVE-2017-12563 CVE-2017-12643 CVE-2017-12674 CVE-2017-12691 CVE-2017-12692 CVE-2017-12693 CVE-2017-12806 CVE-2017-12875 CVE-2017-13061 CVE-2017-13133 CVE-2017-13658 CVE-2017-13768 CVE-2017-14060 CVE-2017-14172 CVE-2017-14173 CVE-2017-14174 CVE-2017-14175 CVE-2017-14249 CVE-2017-14341 CVE-2017-14400 CVE-2017-14505 CVE-2017-14532 CVE-2017-14624 CVE-2017-14625 CVE-2017-14626 CVE-2017-14739 CVE-2017-14741 CVE-2017-15015 CVE-2017-15017 CVE-2017-15281 CVE-2017-17682 CVE-2017-17914 CVE-2017-18209 CVE-2017-18211 CVE-2017-18271 CVE-2017-18273 CVE-2017-1000445 CVE-2017-1000476 CVE-2018-16643 CVE-2018-16749 CVE-2018-18025 CVE-2019-11598 CVE-2019-13135 CVE-2019-13308 CVE-2019-13391 CVE-2019-15139} [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u10 [04 Sep 2020] DLA-2278-3 squid3 - regression update [stretch] - squid3 3.5.23-5+deb9u4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2537493b4a90ecdb284e9688411f922d4cceaf5 -- View it on GitLab: 
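Review bot: DLA-2366-1's CVE list drops CVE-2017-12670 here, but the CVE-2017-12670 entry in data/CVE/list (context of the first hunk of this commit) still carries {DLA-2366-1 DLA-1785-1 DLA-1081-1}. The two files are now inconsistent: the braces should lose DLA-2366-1 as well, otherwise the CVE entry still credits the DLA with fixing it in stretch while the DLA text no longer lists it.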
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2537493b4a90ecdb284e9688411f922d4cceaf5
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2366-1 for imagemagick
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 4a86ab3d by Markus Koschany at 2020-09-07T08:39:24+02:00 Reserve DLA-2366-1 for imagemagick - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[07 Sep 2020] DLA-2366-1 imagemagick - security update + {CVE-2017-12140 CVE-2017-12429 CVE-2017-12430 CVE-2017-12435 CVE-2017-12563 CVE-2017-12643 CVE-2017-12670 CVE-2017-12674 CVE-2017-12691 CVE-2017-12692 CVE-2017-12693 CVE-2017-12806 CVE-2017-12875 CVE-2017-13061 CVE-2017-13133 CVE-2017-13658 CVE-2017-13768 CVE-2017-14060 CVE-2017-14172 CVE-2017-14173 CVE-2017-14174 CVE-2017-14175 CVE-2017-14249 CVE-2017-14341 CVE-2017-14400 CVE-2017-14505 CVE-2017-14532 CVE-2017-14624 CVE-2017-14625 CVE-2017-14626 CVE-2017-14739 CVE-2017-14741 CVE-2017-15015 CVE-2017-15017 CVE-2017-15281 CVE-2017-17682 CVE-2017-17914 CVE-2017-18209 CVE-2017-18211 CVE-2017-18271 CVE-2017-18273 CVE-2017-1000445 CVE-2017-1000476 CVE-2018-16643 CVE-2018-16749 CVE-2018-18025 CVE-2019-11598 CVE-2019-13135 CVE-2019-13308 CVE-2019-13391 CVE-2019-15139} + [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u10 [04 Sep 2020] DLA-2278-3 squid3 - regression update [stretch] - squid3 3.5.23-5+deb9u4 [04 Sep 2020] DLA-2365-1 netty-3.9 - security update = data/dla-needed.txt = 
@@ -80,8 +80,6 @@ golang-golang-x-net-dev -- guacamole-client (Mike Gabriel) -- -imagemagick (Markus Koschany) --- jetty9 (Markus Koschany) -- jupyter-notebook View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a86ab3d0598e5e7c7cc26f1494654a5d8d0d0d6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a86ab3d0598e5e7c7cc26f1494654a5d8d0d0d6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove four remaining no-dsa tags from imagemagick CVE.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3579fede by Markus Koschany at 2020-09-07T08:23:17+02:00 Remove four remaining no-dsa tags from imagemagick CVE. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -125428,7 +125428,6 @@ CVE-2018-16750 (In ImageMagick 7.0.7-29 and earlier, a memory leak in the format CVE-2018-16749 (In ImageMagick 7.0.7-29 and earlier, a missing NULL check in ReadOneJN ...) {DLA-1530-1} - imagemagick 8:6.9.10.2+dfsg-2 (low) - [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1119 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/1007b98f8795ad4bea6bc5f68a32d83e982fdae4 CVE-2018-16748 @@ -181115,7 +181114,6 @@ CVE-2017-14342 (ImageMagick 7.0.6-6 has a memory exhaustion vulnerability in Rea CVE-2017-14341 (ImageMagick 7.0.6-6 has a large loop vulnerability in ReadWPGImage in ...) {DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #876105) - [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/654 NOTE: https://github.com/ImageMagick/ImageMagick/commit/7d63315a64267c565d1f34b9cb523a14616fed24 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/4eae304e773bad8a876c3c26fdffac24d4253ae4 
@@ -188848,14 +188846,12 @@ CVE-2017-11724 (The ReadMATImage function in coders/mat.c in ImageMagick through CVE-2017-12670 (In ImageMagick 7.0.6-3, missing validation was found in coders/mat.c, ...) {DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-14 (low; bug #870020) - [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/610 NOTE: https://github.com/ImageMagick/ImageMagick/commit/ab440f9ea11e0dbefb7a808cbb9441198758b0cb NOTE: https://github.com/ImageMagick/ImageMagick/commit/75db34b6a4d642cb6f88c792942de27490c900e0 CVE-2017-13658 (In ImageMagick before 6.9.9-3 and 7.x before 7.0.6-3, there is a missi ...) {DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-14 (low; bug #870019) - [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/598 NOTE: https://github.com/ImageMagick/ImageMagick/commit/e5c063a1007506ba69e97a35effcdef944421c89 CVE-2017-12434 (In ImageMagick 7.0.6-1, a missing NULL check vulnerability was found i ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3579fede0cd8615344db2d2eb3383098418d08f2
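Review bot: Removing `[stretch] - imagemagick (Minor issue)` for CVE-2018-16749, CVE-2017-14341, CVE-2017-12670 and CVE-2017-13658 leaves stretch open for all four ids until a DLA/list entry with a stretch fixed version names them; the DLA-2333-1 set recorded elsewhere on this page contains none of the four, so the second advisory entry must list them or they will stay visible as unfixed. One style nit in the CVE-2017-14341 hunk: the 6.x commit is tagged `NOTE: ImageMagick-6:` while the other entries use `NOTE: ImageMagick6:`.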
[Git][security-tracker-team/security-tracker][master] Remove no-dsa tags from imagemagick for upcoming update.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 242ebfe7 by Markus Koschany at 2020-09-07T00:17:38+02:00 Remove no-dsa tags from imagemagick for upcoming update. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -73023,7 +73023,6 @@ CVE-2019-15140 (coders/mat.c in ImageMagick 7.0.8-43 Q16 allows remote attackers CVE-2019-15139 (The XWD image (X Window System window dumping file) parsing component ...) {DSA-4712-1 DLA-1968-1} - imagemagick 8:6.9.11.24+dfsg-1 (bug #941670) - [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/commit/c78993d138bf480ab4652b5a48379d4ff75ba5f7 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/6d46f0a046a58e7c4567a86ba1b9cb847d5b1968 NOTE: ImageMagick6: followup, partly reverts previous patch: @@ -79906,7 +79905,6 @@ CVE-2019-13392 (A reflected Cross-Site Scripting (XSS) vulnerability in MindPale CVE-2019-13391 (In ImageMagick 7.0.8-50 Q16, ComplexImages in MagickCore/fourier.c has ...) {DSA-4712-1} - imagemagick 8:6.9.11.24+dfsg-1 (low; bug #931633) - [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (minor, wait for upstream to clear patch-related questions) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1588 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/f6ffc702c6eecd963587273a429dcd608c648984 @@ -80126,7 +80124,6 @@ CVE-2019-13309 (ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory CVE-2019-13308 (ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow in MagickCor ...) {DSA-4712-1} - imagemagick 8:6.9.11.24+dfsg-1 (low; bug #931447) - [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (minor, wait for upstream to clear patch-related questions) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1595 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/19651f3db63fa1511ed83a348c4c82fa553f8d01 
@@ -80639,7 +80636,6 @@ CVE-2019-13136 (ImageMagick before 7.0.8-50 has an integer overflow vulnerabilit CVE-2019-13135 (ImageMagick before 7.0.8-50 has a "use of uninitialized value" vulnera ...) {DSA-4712-1 DLA-1888-1} - imagemagick 8:6.9.11.24+dfsg-1 (bug #932079) - [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1599 NOTE: https://github.com/ImageMagick/ImageMagick/commit/cdb383749ef7b68a38891440af8cc23e0115306d (7.x) NOTE: https://github.com/ImageMagick/ImageMagick6/commit/1e59b29e520d2beab73e8c78aacd5f1c0d76196d (6.x) @@ -85039,7 +85035,6 @@ CVE-2019-11599 (The coredump implementation in the Linux kernel before 5.0.10 do CVE-2019-11598 (In ImageMagick 7.0.8-40 Q16, there is a heap-based buffer over-read in ...) {DSA-4712-1 DLA-1785-1} - imagemagick 8:6.9.11.24+dfsg-1 (bug #928206) - [stretch] - imagemagick (Fix along in next DSA) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1540 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/e2a21735e3a3f3930bd431585ec36334c4c2eb77 NOTE: patch introduces new (potentially security relevant) bugs, see: @@ -122085,7 +122080,6 @@ CVE-2018-18026 (IMFCameraProtect.sys in IObit Malware Fighter 6.2 (and possibly CVE-2018-18025 (In ImageMagick 7.0.8-13 Q16, there is a heap-based buffer over-read in ...) {DLA-1574-1} - imagemagick 8:6.9.10.14+dfsg-1 (low; bug #911435) - [stretch] - imagemagick (Fix along in next DSA) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1335 NOTE: https://github.com/ImageMagick/ImageMagick/commit/1a22fc0c8837838e60daecc0bf01648f359dd6fd NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/394b3e6edf74d1337ce338927da053bb40c00ae9 
@@ -125705,7 +125699,6 @@ CVE-2018-16644 (There is a missing check for length in the functions ReadDCMImag CVE-2018-16643 (The functions ReadDCMImage in coders/dcm.c, ReadPWPImage in coders/pwp ...) {DLA-1530-1} - imagemagick 8:6.9.10.8+dfsg-1 (low) - [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/commit/6b6bff054d569a77973f2140c0e86366e6168a6c NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/11d9dac3d991c62289d1ef7a097670166480e76c NOTE: https://github.com/ImageMagick/ImageMagick/issues/1199 @@ -140153,7 +140146,6 @@ CVE-2018-1000400 (Kubernetes CRI-O version prior to 1.9 contains a Privilege Con CVE-2017-18273 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulner ...) {DLA-1785-1 DLA-1381-1} - imagemagick 8:6.9.9.34+dfsg-3 (low) - [stretch] - imagemagick (M
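Review bot: Two of the entries whose stretch marker is removed here carry NOTE lines that matter for the backport: CVE-2019-15139 records an ImageMagick6 follow-up that "partly reverts previous patch", and CVE-2019-11598 records that the upstream patch "introduces new (potentially security relevant) bugs". Before the stretch upload closes these ids, confirm that the follow-up commits ship together with the primary fixes, and say so in a NOTE. Also, CVE-2019-11598 and CVE-2018-18025 were marked `(Fix along in next DSA)` rather than `(Minor issue)`; dropping those markers is consistent with the planned update, but both ids now show as open for stretch until the DLA/list entry lands.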
[Git][security-tracker-team/security-tracker][master] Claim libxml2 in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 6e248911 by Markus Koschany at 2020-09-05T19:51:36+02:00 Claim libxml2 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -86,6 +86,8 @@ jetty9 (Markus Koschany) jupyter-notebook NOTE: 20200711: Vulnerable to (at least) CVE-2018-19351. (lamby) -- +libxml2 (Markus Koschany) +-- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e2489111ba9adb7775aef83580a88d35a0c6cba
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2278-3 squid3.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 5f254665 by Markus Koschany at 2020-09-04T23:44:52+02:00 Reserve DLA-2278-3 squid3. - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[04 Sep 2020] DLA-2278-3 squid3 - regression update + [stretch] - squid3 3.5.23-5+deb9u4 [04 Sep 2020] DLA-2365-1 netty-3.9 - security update {CVE-2019-16869 CVE-2019-20444 CVE-2019-20445} [stretch] - netty-3.9 3.9.9.Final-1+deb9u1 = data/dla-needed.txt = @@ -171,9 +171,6 @@ slirp snmptt -- squid3 (Markus Koschany) - NOTE: 20200831: I have backported the HttpHeader parsing code now and - NOTE: incorporated the fixes for the latest CVE. I will send a RFT to - NOTE: debian-lts again before uploading. -- sympa NOTE: 20200525: Incomplete patch. Not the complete patch is made public. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f25466596b1bac2e07e2eae465ecf42b0d28d67
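Review bot: The DLA-2278-3 entry has no {CVE ...} line, which is right for a regression update, but the same commit deletes the whole squid3 block from dla-needed.txt, including the 20200831 note that the HttpHeader parsing backport and the fix for the latest CVE were still waiting for an RFT on debian-lts. If that CVE work is not what the -3 regression upload contains, squid3 should stay listed (or the note be carried over) so the pending CVE backport is not lost from the work queue.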
[Git][security-tracker-team/security-tracker][master] CVE-2020-13941,lucene-solr: Mark as ignored for Stretch and Buster.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: f0e367a3 by Markus Koschany at 2020-08-31T10:56:03+02:00 CVE-2020-13941,lucene-solr: Mark as ignored for Stretch and Buster. Remove lucene-solr from dla-needed.txt. CVE-2020-13941 is about adding a new parameter to the CoreAdminAPI that validates whether a user is allowed to write or read data to or from a different directory than the default dataDir directory. In Debian the default dataDir directory is /var/lib/solr/data. This is specified in /etc/solr/conf/solrconfig.xml. See also set-data-dir.patch and solr-common.README.Debian. The only way to change that is to edit /etc/solr/conf/solrconfig.xml. The value in solrconfig.xml overrides any dataDir value that is passed to the dynamic core admin interface. That means that only system administrators should be able to change that value. This makes CVE-2020-13941 a rather minor issue for Debian and backporting the new configuration option does not seem strictly necessary. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -23679,6 +23679,8 @@ CVE-2020-13942 RESERVED CVE-2020-13941 (Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), rel ...) - lucene-solr + [buster] - lucene-solr (Minor issue) + [stretch] - lucene-solr (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2020/08/15/1 NOTE: https://issues.apache.org/jira/browse/SOLR-14561 NOTE: https://github.com/apache/lucene-solr/commit/936b9d770e769c9018a9f408d576f52e7c4e8be2 = data/dla-needed.txt = 
@@ -102,8 +102,6 @@ linux-4.9 (Ben Hutchings) -- lua5.3 -- -lucene-solr (Markus Koschany) --- mumble NOTE: 20200325: Regression in last upload, forgot to follow up. NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0e367a3d1e318d240b4e758b7d142f91a045b98
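Review bot: The justification for the new `[buster]` and `[stretch]` `(Minor issue)` markers on CVE-2020-13941 (dataDir is pinned in /etc/solr/conf/solrconfig.xml via set-data-dir.patch and overrides whatever is passed to the core admin interface, per solr-common.README.Debian) lives only in the commit message. Add it as a NOTE: line beneath the two markers so the next triager can see why the id is ignored for both suites without digging through git history.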
[Git][security-tracker-team/security-tracker][master] Readd imagemagick to dla-needed.txt for the upcoming update.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: c106b930 by Markus Koschany at 2020-08-31T00:35:28+02:00 Readd imagemagick to dla-needed.txt for the upcoming update. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -86,6 +86,8 @@ golang-golang-x-net-dev -- guacamole-client (Mike Gabriel) -- +imagemagick (Markus Koschany) +-- jetty9 (Markus Koschany) -- jupyter-notebook (Mike Gabriel) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c106b9306bc6f258efcaf5c0f7af2c7d77155d1c
[Git][security-tracker-team/security-tracker][master] Update status of squid3 in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: bc10e210 by Markus Koschany at 2020-08-31T00:34:08+02:00 Update status of squid3 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -176,8 +176,9 @@ slirp snmptt -- squid3 (Markus Koschany) - NOTE: 20200813: CVE-2020-15049 requires more testing but backport works in - NOTE: principle. + NOTE: 20200831: I have backported the HttpHeader parsing code now and + NOTE: incorporated the fixes for the latest CVE. I will send a RFT to + NOTE: debian-lts again before uploading. -- sympa NOTE: 20200525: Incomplete patch. Not the complete patch is made public. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc10e210c86b60198052476c3ee578dec96dfc46
[Git][security-tracker-team/security-tracker][master] CVE-2020-14340,jboss-xnio: Correct link description
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 0209e6b5 by Markus Koschany at 2020-08-30T23:05:32+02:00 CVE-2020-14340,jboss-xnio: Correct link description - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22600,8 +22600,8 @@ CVE-2020-14340 RESERVED - jboss-xnio [stretch] - jboss-xnio (vulnerable code is not present) - NOTE: Fix for Buster: https://github.com/xnio/xnio/pull/233 - NOTE: Fix for 3.8: https://github.com/xnio/xnio/pull/234 + NOTE: Fix for 3.8: https://github.com/xnio/xnio/pull/233 + NOTE: Fix for 3.7 (Buster): https://github.com/xnio/xnio/pull/234 CVE-2020-14339 [leak of /dev/mapper/control into QEMU guests] RESERVED - libvirt 6.6.0-1 (bug #966563) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0209e6b54534f03089fa2bff9670a954576852c2
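Review bot: With the labels swapped the two NOTE lines now read consistently (3.8 upstream, 3.7 for buster), but the `- jboss-xnio` line still carries no fixed version and there is no `[buster]` marker, so both sid and buster remain open in the tracker. When the uploads land, record the fixed versions here, and consider pointing the NOTE at the merged commit in addition to the pull request so the entry identifies the exact change that was backported.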
[Git][security-tracker-team/security-tracker][master] Claim lucene-solr in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 92a1b46d by Markus Koschany at 2020-08-30T23:04:23+02:00 Claim lucene-solr in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -97,7 +97,7 @@ linux-4.9 (Ben Hutchings) -- lua5.3 -- -lucene-solr +lucene-solr (Markus Koschany) -- mumble NOTE: 20200325: Regression in last upload, forgot to follow up. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92a1b46db3d21382413c9c9246c2b74c02afb510
[Git][security-tracker-team/security-tracker][master] Claim jetty9 in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 69852b19 by Markus Koschany at 2020-08-30T23:03:01+02:00 Claim jetty9 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -83,7 +83,7 @@ golang-golang-x-net-dev -- guacamole-client (Mike Gabriel) -- -jetty9 +jetty9 (Markus Koschany) -- jupyter-notebook (Mike Gabriel) NOTE: 20200711: Vulnerable to (at least) CVE-2018-19351. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/69852b19d94d3da31bfec187a9a16c20c44355f4
[Git][security-tracker-team/security-tracker][master] CVE-2020-14340,jboss-xnio: Link to fixing commits
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 799dca3a by Markus Koschany at 2020-08-30T23:01:48+02:00 CVE-2020-14340,jboss-xnio: Link to fixing commits - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22600,6 +22600,8 @@ CVE-2020-14340 RESERVED - jboss-xnio [stretch] - jboss-xnio (vulnerable code is not present) + NOTE: Fix for Buster: https://github.com/xnio/xnio/pull/233 + NOTE: Fix for 3.8: https://github.com/xnio/xnio/pull/234 CVE-2020-14339 [leak of /dev/mapper/control into QEMU guests] RESERVED - libvirt 6.6.0-1 (bug #966563) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/799dca3af33d9413dbbc151a6bb5c73f40d785ca
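Review bot: Check the branch labels before relying on them: this hunk records PR #233 as the Buster fix and #234 as the 3.8 fix, whereas the later commit 0209e6b5 on this page relabels #233 as the 3.8 fix and #234 as the 3.7 (Buster) fix. A NOTE line that names the xnio branch each PR targets, rather than only a Debian suite, would have avoided the mix-up, since buster's jboss-xnio version determines which upstream branch applies.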
[Git][security-tracker-team/security-tracker][master] CVE-2020-14340,jboss-xnio: Stretch is not affected
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: d1155d4a by Markus Koschany at 2020-08-30T22:35:19+02:00 CVE-2020-14340,jboss-xnio: Stretch is not affected According to Red Hat (upstream) versions 3.6.0.Beta1 are not affected. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -22599,6 +22599,7 @@ CVE-2020-14341 CVE-2020-14340 RESERVED - jboss-xnio + [stretch] - jboss-xnio (vulnerable code is not present) CVE-2020-14339 [leak of /dev/mapper/control into QEMU guests] RESERVED - libvirt 6.6.0-1 (bug #966563) = data/dla-needed.txt = @@ -83,9 +83,6 @@ golang-golang-x-net-dev -- guacamole-client (Mike Gabriel) -- -jboss-xnio - NOTE: probably Markus as a maintainer want to handle this --- jetty9 -- jupyter-notebook (Mike Gabriel) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d1155d4a515f135f07fe96a7e94f42153258e254
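Review bot: `[stretch] - jboss-xnio (vulnerable code is not present)` is added without a NOTE recording the basis for it. The commit message cites a Red Hat statement about 3.6.0.Beta1, so put that reference, and the stretch jboss-xnio version that was compared against it, into a NOTE: line under the marker; otherwise the not-affected claim cannot be audited from the entry itself. Dropping jboss-xnio from dla-needed.txt is consistent once that is recorded.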
[Git][security-tracker-team/security-tracker][master] CVE-2020-12066,teeworlds: Fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: db4fb94a by Markus Koschany at 2020-08-30T17:42:05+02:00 CVE-2020-12066,teeworlds: Fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28435,7 +28435,8 @@ CVE-2020-12068 (An issue was discovered in CODESYS Development System before 3.5 CVE-2020-12067 RESERVED CVE-2020-12066 (CServer::SendMsg in engine/server/server.cpp in Teeworlds 0.7.x before ...) - - teeworlds + - teeworlds 0.7.5-1 + [stretch] - teeworlds (Not supported in Stretch LTS) [jessie] - teeworlds (Not supported in jessie LTS) NOTE: https://github.com/teeworlds/teeworlds/commit/c68402fa7e279d42886d5951d1ea8ac2facc1ea5 NOTE: https://www.teeworlds.com/forum/viewtopic.php?id=14785 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db4fb94a94d3a52d4b6000a8bf5a580e6cadc97f
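Review bot: Small consistency point only: the new stretch marker reads `(Not supported in Stretch LTS)` while the existing jessie marker spells it `jessie LTS` in lowercase; pick one form so the markers grep the same way. Otherwise the entry is complete, with the unstable fixed version 0.7.5-1 and the upstream commit already linked.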
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2338-2 for proftpd-dfsg
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 09b5b666 by Markus Koschany at 2020-08-25T20:49:41+02:00 Reserve DLA-2338-2 for proftpd-dfsg - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[25 Aug 2020] DLA-2338-2 proftpd-dfsg - regression update + [stretch] - proftpd-dfsg 1.3.5e+r1.3.5b-4+deb9u2 [24 Aug 2020] DLA-2344-1 mongodb - security update {CVE-2020-7923} [stretch] - mongodb 1:3.2.11-2+deb9u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/09b5b6669993931f7167d5dda93050c09fe849ad
[Git][security-tracker-team/security-tracker][master] proftpd-dfsg, memory leaks fixed in 1.3.5e+r1.3.5b-4+deb9u1
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: a5829ecb by Markus Koschany at 2020-08-22T18:34:45+02:00 proftpd-dfsg, memory leaks fixed in 1.3.5e+r1.3.5b-4+deb9u1 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -89935,6 +89935,7 @@ CVE-2019-9625 (JBMC DirectAdmin 1.55 allows CSRF via the /CMD_ACCOUNT_ADMIN URI NOT-FOR-US: JBMC DirectAdmin CVE-2019- [high memory usage with some long running sessions] - proftpd-dfsg 1.3.5d-1 (bug #923926) + [stretch] - proftpd-dfsg 1.3.5e+r1.3.5b-4+deb9u1 [jessie] - proftpd-dfsg 1.3.5e-0+deb8u1 NOTE: https://github.com/proftpd/proftpd/issues/330#issuecomment-276891713 NOTE: https://forum.armbian.com/topic/9692-nanopi-neo-2-memory-leak-in-proftpd-even-worse-if-ssl-encrypted/?do=findComment=73069 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5829ecb98eaef8b1f6f933da58af5696e9455ae
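Review bot: Because this entry uses the unassigned placeholder id `CVE-2019-` with a bracketed description, the tracker cannot link it to DLA-2338-1 through a {CVE ...} set, so the `[stretch] - proftpd-dfsg 1.3.5e+r1.3.5b-4+deb9u1` line added here is the only thing that marks stretch as fixed. Keep the bracketed description and the bug #923926 reference intact so the entry can be renamed when an id is assigned, and consider a NOTE: naming DLA-2338-1 explicitly so the advisory and the fixed version can be matched by hand later.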
[Git][security-tracker-team/security-tracker][master] 2 commits: Remove no-dsa, proftpd-dfsg memory leak issue from 2019. Upload is pending.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: b276b174 by Markus Koschany at 2020-08-22T18:09:01+02:00 Remove no-dsa, proftpd-dfsg memory leak issue from 2019. Upload is pending. - - - - - e5a2965a by Markus Koschany at 2020-08-22T18:10:26+02:00 Reserve DLA-2338-1 for proftpd-dfsg - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -89935,7 +89935,6 @@ CVE-2019-9625 (JBMC DirectAdmin 1.55 allows CSRF via the /CMD_ACCOUNT_ADMIN URI NOT-FOR-US: JBMC DirectAdmin CVE-2019- [high memory usage with some long running sessions] - proftpd-dfsg 1.3.5d-1 (bug #923926) - [stretch] - proftpd-dfsg (Minor issue) [jessie] - proftpd-dfsg 1.3.5e-0+deb8u1 NOTE: https://github.com/proftpd/proftpd/issues/330#issuecomment-276891713 NOTE: https://forum.armbian.com/topic/9692-nanopi-neo-2-memory-leak-in-proftpd-even-worse-if-ssl-encrypted/?do=findComment=73069 = data/DLA/list = @@ -1,3 +1,5 @@ +[22 Aug 2020] DLA-2338-1 proftpd-dfsg - security update + [stretch] - proftpd-dfsg 1.3.5e+r1.3.5b-4+deb9u1 [22 Aug 2020] DLA-2337-1 python2.7 - security update {CVE-2018-20852 CVE-2019-5010 CVE-2019-9636 CVE-2019-9740 CVE-2019-9947 CVE-2019-9948 CVE-2019-16056 CVE-2019-20907} [stretch] - python2.7 2.7.13-2+deb9u4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f16f1f789acda233b8a9b6b679d82f01115079d0...e5a2965a738b0c0990ccbc8891462e2f8efbd9a8
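Review bot: The new DLA-2338-1 entry carries no {CVE ...} line, which is unavoidable while the issue is tracked under a placeholder id, but it also means this pair of commits does not update the stretch status by itself: the `[stretch] - proftpd-dfsg (Minor issue)` marker is removed in the first hunk and nothing in the DLA/list hunk can replace it, so the placeholder entry shows stretch as open until a fixed-version line is added directly (the follow-up commit a5829ecb on this page does that). Doing both in one commit would avoid the intermediate state.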
[Git][security-tracker-team/security-tracker][master] Remove no-dsa entries for upcoming imagemagick release.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: b6aaba24 by Markus Koschany at 2020-08-18T00:35:56+02:00 Remove no-dsa entries for upcoming imagemagick release. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -48972,7 +48972,6 @@ CVE-2019-19950 (In GraphicsMagick 1.4 snapshot-20190403 Q8, there is a use-after CVE-2019-19949 (In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in ...) {DSA-4712-1 DLA-2049-1} - imagemagick 8:6.9.11.24+dfsg-1 (low; bug #947309) - [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1561 NOTE: https://github.com/ImageMagick/ImageMagick/commit/d17c047f7bff7c0edbf304470cd2ab9d02fbf617 (7.x) NOTE: https://github.com/ImageMagick/ImageMagick6/commit/34adc98afd5c7e7fb774d2ebdaea39e831c24dce (6.x) @@ -71402,7 +71401,6 @@ CVE-2019-14982 (In Exiv2 before v0.27.2, there is an integer overflow vulnerabil CVE-2019-14981 (In ImageMagick 7.x before 7.0.8-41 and 6.x before 6.9.10-41, there is ...) {DSA-4712-1 DLA-1968-1} - imagemagick 8:6.9.11.24+dfsg-1 (bug #955025) - [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1552 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/b522d2d857d2f75b659936b59b0da9df1682c256 CVE-2019-14980 (In ImageMagick 7.x before 7.0.8-42 and 6.x before 6.9.10-42, there is ...) @@ -77547,7 +77545,6 @@ CVE-2019-13455 (In Xymon through 4.3.28, a stack-based buffer overflow vulnerabi CVE-2019-13454 (ImageMagick 7.0.8-54 Q16 allows Division by Zero in RemoveDuplicateLay ...) {DSA-4712-1} - imagemagick 8:6.9.11.24+dfsg-1 (low; bug #931740) - [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (low impact issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1629 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/4f31d78716ac94c85c244efcea368fea202e2ed4 
@@ -77981,7 +77978,6 @@ CVE-2019-13298 (ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow at Mag CVE-2019-13297 (ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read at MagickCo ...) {DSA-4712-1 DLA-1888-1} - imagemagick 8:6.9.11.24+dfsg-1 (low; bug #931455) - [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1609 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/35c7032723d85eee7318ff6c82f031fa2666b773 NOTE: Some older version before the fixing commit did as well not check for @@ -77993,7 +77989,6 @@ CVE-2019-13296 (ImageMagick 7.0.8-50 Q16 has direct memory leaks in AcquireMagic CVE-2019-13295 (ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read at MagickCo ...) {DSA-4712-1 DLA-1888-1} - imagemagick 8:6.9.11.24+dfsg-1 (low; bug #931457) - [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1608 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/55e6dc49f1a381d9d511ee2f888fdc3e3c3e3953 CVE-2019-13294 (AROX School-ERP Pro has a command execution vulnerability. import_stud ...) 
@@ -78892,21 +78887,18 @@ CVE-2019-12980 (In Ming (aka libming) 0.4.8, there is an integer overflow (cause CVE-2019-12979 (ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability ...) {DSA-4712-1} - imagemagick 8:6.9.11.24+dfsg-1 (bug #931189) - [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (minor security impact) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1522 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/27b1c74979ac473a430e266ff6c4b645664bc805 CVE-2019-12978 (ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability ...) {DSA-4712-1} - imagemagick 8:6.9.11.24+dfsg-1 (low; bug #931190) - [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (minor security impact) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1519 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/ae1ded6140bfa8ae9f6dcba5413b72d98ed94614 CVE-2019-12977 (ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability ...) {DSA-4712-1} - imagemagick 8:6.9.11.24+dfsg-1 (low; bug #931191) - [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (minor security impact) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1518 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/e6103897fae2ed47e24b9cf7de719eea877b0504 @@ -78924,7 +78916,6 @@ CVE-2019-12975 (ImageMagick 7.0.8-34 has a memory leak vulnerability in the Writ CVE-2019-12974 (A NULL point
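Review bot: All ids touched in the visible hunks (CVE-2019-19949, CVE-2019-14981, CVE-2019-13454, CVE-2019-13297, CVE-2019-13295, CVE-2019-12979, CVE-2019-12978, CVE-2019-12977) appear in the DLA-2333-1 set reserved elsewhere on this page, so dropping their stretch `(Minor issue)` markers is consistent. One backport caveat: the CVE-2019-13297 entry has a NOTE (cut off on this page) warning that older versions before the fixing commit also lacked the check, which is precisely the situation for stretch's 6.9.7.4; verify the backported check against the stretch sources rather than applying the upstream commit blind, and record the result in a NOTE.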
[Git][security-tracker-team/security-tracker][master] Fix DLA/list entry for imagemagick. Whitespace was missing.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: fc929a70 by Markus Koschany at 2020-08-18T00:23:30+02:00 Fix DLA/list entry for imagemagick. Whitespace was missing. - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,5 +1,5 @@ [18 Aug 2020] DLA-2333-1 imagemagick - security update - {CVE-2017-12805 CVE-2017-17681 CVE-2017-18252 CVE-2018-7443 CVE-2018-8804 CVE-2018-8960 CVE-2018-9133 CVE-2018-10177 CVE-2018-14551 CVE-2018-18024 CVE-2018-20467 CVE-2019-10131 CVE-2019-11472 CVE-2019-11597 CVE-2019-12974 CVE-2019-12977 CVE-2019-12978 CVE-2019-12979 CVE-2019-13295 CVE-2019-13297CVE-2019-11470 CVE-2019-13454 CVE-2019-14981 CVE-2019-19949} + {CVE-2017-12805 CVE-2017-17681 CVE-2017-18252 CVE-2018-7443 CVE-2018-8804 CVE-2018-8960 CVE-2018-9133 CVE-2018-10177 CVE-2018-14551 CVE-2018-18024 CVE-2018-20467 CVE-2019-10131 CVE-2019-11472 CVE-2019-11597 CVE-2019-12974 CVE-2019-12977 CVE-2019-12978 CVE-2019-12979 CVE-2019-13295 CVE-2019-13297 CVE-2019-11470 CVE-2019-13454 CVE-2019-14981 CVE-2019-19949} [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u9 [17 Aug 2020] DLA-2332-1 sane-backends - security update {CVE-2020-12862 CVE-2020-12863 CVE-2020-12865 CVE-2020-12867} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc929a701f3250f4498a0bf50f4554fc8e7635b7
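Review bot: With the space restored the set parses again; one more small thing in the same line: the ids are otherwise in ascending order, but CVE-2019-11470 sits after CVE-2019-13297 (exactly where the space was missing). Moving it between CVE-2019-10131 and CVE-2019-11472 keeps the list sorted, which makes diffing advisory sets against the CVE/list entries easier.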
[Git][security-tracker-team/security-tracker][master] CVE-2019-13305,imagemagick: Fixed in 8:6.9.7.4+dfsg-11+deb9u8
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 66a90d93 by Markus Koschany at 2020-08-18T00:19:45+02:00 CVE-2019-13305,imagemagick: Fixed in 8:6.9.7.4+dfsg-11+deb9u8 This issue was fixed by DSA-4715-1 but apparently it was missing from the announcement. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -77943,6 +77943,7 @@ CVE-2019-13306 (ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at co CVE-2019-13305 (ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/p ...) {DSA-4712-1 DLA-1888-1} - imagemagick 8:6.9.11.24+dfsg-1 (bug #931452) + [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u8 NOTE: https://github.com/ImageMagick/ImageMagick/issues/1613 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/5c7fbf9a14fb83c9685ad69d48899f490a37609d CVE-2019-13304 (ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/p ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/66a90d93e3c781b25d725f9f4c3f56e80a05f5c1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/66a90d93e3c781b25d725f9f4c3f56e80a05f5c1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
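Review bot: the commit message says the issue was fixed by DSA-4715-1, while the entry's advisory braces in the context line read `{DSA-4712-1 DLA-1888-1}`; one of the two numbers is off. Please confirm which DSA shipped `8:6.9.7.4+dfsg-11+deb9u8` and either correct the message or add the missing advisory to the braces alongside the new `[stretch]` line.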
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2333-1 for imagemagick
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 150174db by Markus Koschany at 2020-08-18T00:15:49+02:00 Reserve DLA-2333-1 for imagemagick - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[18 Aug 2020] DLA-2333-1 imagemagick - security update + {CVE-2017-12805 CVE-2017-17681 CVE-2017-18252 CVE-2018-7443 CVE-2018-8804 CVE-2018-8960 CVE-2018-9133 CVE-2018-10177 CVE-2018-14551 CVE-2018-18024 CVE-2018-20467 CVE-2019-10131 CVE-2019-11472 CVE-2019-11597 CVE-2019-12974 CVE-2019-12977 CVE-2019-12978 CVE-2019-12979 CVE-2019-13295 CVE-2019-13297CVE-2019-11470 CVE-2019-13454 CVE-2019-14981 CVE-2019-19949} + [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u9 [17 Aug 2020] DLA-2332-1 sane-backends - security update {CVE-2020-12862 CVE-2020-12863 CVE-2020-12865 CVE-2020-12867} [stretch] - sane-backends 1.0.25-4.1+deb9u1 = data/dla-needed.txt = @@ -84,10 +84,6 @@ guacamole-client (Mike Gabriel) NOTE: 20200815: The bad maintenance is not because of the maintainer, but because of upstream's delay to port the software NOTE: 20200815: over to the freerdp2 API. (sunweaver) -- -imagemagick (Markus Koschany) - NOTE: 20200813: Intend to split the work into two updates because of the numerous - NOTE: patches. Will upload part 1 tomorrow und part 2 next week. --- inetutils (Adrian Bunk) -- jetty9 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/150174dbc2efc09a92a505d5b51880d9e66bf310 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/150174dbc2efc09a92a505d5b51880d9e66bf310 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
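Review bot: the added brace line in data/DLA/list runs two identifiers together as `CVE-2019-13297CVE-2019-11470`; the missing space will make anything that tokenises the list on whitespace read one bogus identifier. Add the space (and, while there, sort CVE-2019-11470 into numeric position between CVE-2019-10131 and CVE-2019-11472).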
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2327-1 for lucene-solr
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 1287e156 by Markus Koschany at 2020-08-15T23:07:21+02:00 Reserve DLA-2327-1 for lucene-solr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[15 Aug 2020] DLA-2327-1 lucene-solr - security update + {CVE-2019-0193} + [stretch] - lucene-solr 3.6.2+dfsg-10+deb9u3 [15 Aug 2020] DLA-2326-1 htmlunit - security update {CVE-2020-5529} [stretch] - htmlunit 2.8-2+deb9u1 = data/dla-needed.txt = @@ -109,8 +109,6 @@ linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) -- -lucene-solr (Markus Koschany) --- mumble NOTE: 20200325: Regression in last upload, forgot to follow up. NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1287e156dc61c3aa81f2ec933976fa46291faf9f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1287e156dc61c3aa81f2ec933976fa46291faf9f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: dla-needed.txt: Update status of imagemagick
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: daf9ec7f by Markus Koschany at 2020-08-13T19:22:57+02:00 dla-needed.txt: Update status of imagemagick - - - - - b5855098 by Markus Koschany at 2020-08-13T19:27:19+02:00 dla-needed.txt: Add squid3 again for CVE-2020-15049. Claim lucene-solr. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -63,8 +63,9 @@ freerdp NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby) NOTE: 20200531: Discussing if EOL'ing of freerdp (1.1) makes sense (sunweaver) -- -imagemagick - NOTE: 20200713: Ongoing work (apo) +imagemagick (Markus Koschany) + NOTE: 20200813: Intend to split the work into two updates because of the numerous + NOTE: patches. Will upload part 1 tomorrow und part 2 next week. -- inetutils (Adrian Bunk) -- @@ -78,7 +79,7 @@ linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) -- -lucene-solr +lucene-solr (Markus Koschany) -- mumble NOTE: 20200325: Regression in last upload, forgot to follow up. 
@@ -113,6 +114,10 @@ sane-backends (Sylvain Beucler) slirp NOTE: 20200724: Version in stretch also requires backport of patch from CVE-2020-7039 (lamby) -- +squid3 (Markus Koschany) + NOTE: 20200813: CVE-2020-15049 requires more testing but backport works in + NOTE: principle. +-- sqlite3 (Roberto C. Sánchez) NOTE: 20200712: Vulnerable to at least CVE-2020-13630. (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e3b433d3e73f6796ac1521b9ac421928d6879d96...b58550988fbb2b4dbd10fb10b27b4a5586c73a0f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e3b433d3e73f6796ac1521b9ac421928d6879d96...b58550988fbb2b4dbd10fb10b27b4a5586c73a0f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
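Review bot: the added NOTE under the imagemagick entry reads `Will upload part 1 tomorrow und part 2 next week`; `und` should be `and`. The squid3 hunk is fine, though both new notes could carry the author tag in parentheses that the surrounding entries use (`(lamby)`, `(sunweaver)`).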
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2278-2 for squid3
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: e3b433d3 by Markus Koschany at 2020-08-13T19:19:54+02:00 Reserve DLA-2278-2 for squid3 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[13 Aug 2020] DLA-2278-2 squid3 - regression update + [stretch] - squid3 3.5.23-5+deb9u3 [13 Aug 2020] DLA-2325-1 openjdk-8 - security update {CVE-2020-14556 CVE-2020-14577 CVE-2020-14578 CVE-2020-14579 CVE-2020-14581 CVE-2020-14583 CVE-2020-14593 CVE-2020-14621} [stretch] - openjdk-8 8u265-b01-0+deb9u1 = data/dla-needed.txt = @@ -116,9 +116,6 @@ slirp sqlite3 (Roberto C. Sánchez) NOTE: 20200712: Vulnerable to at least CVE-2020-13630. (lamby) -- -squid3 (Markus Koschany) - NOTE: 20200730: I am investigating a possible regression (#965012) --- sympa NOTE: 20200525: Incomplete patch. Not the complete patch is made public. (utkarsh) NOTE: 20200525: But that is weird, given their announcement. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e3b433d3e73f6796ac1521b9ac421928d6879d96 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e3b433d3e73f6796ac1521b9ac421928d6879d96 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2303-1 for libssh
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 23207fbd by Markus Koschany at 2020-07-31T23:54:23+02:00 Reserve DLA-2303-1 for libssh - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Jul 2020] DLA-2303-1 libssh - security update + {CVE-2020-16135} + [stretch] - libssh 0.7.3-2+deb9u3 [31 Jul 2020] DLA-2302-1 libjpeg-turbo - security update {CVE-2018-1152 CVE-2018-14498 CVE-2020-13790 CVE-2020-14152} [stretch] - libjpeg-turbo 1:1.5.1-2+deb9u1 = data/dla-needed.txt = @@ -79,8 +79,6 @@ libopenmpt (Utkarsh Gupta) libpam-radius-auth (Utkarsh Gupta) NOTE: 20200727: WIP. (utkarsh) -- -libssh (Markus Koschany) --- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/23207fbd62ef079e393d8f45e125457a2b5f8017 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/23207fbd62ef079e393d8f45e125457a2b5f8017 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim libssh in dla-needed.txt Update status of squid3.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 8b7a8856 by Markus Koschany at 2020-07-30T17:02:18+02:00 Claim libssh in dla-needed.txt Update status of squid3. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -79,6 +79,8 @@ libopenmpt (Utkarsh Gupta) libpam-radius-auth (Utkarsh Gupta) NOTE: 20200727: WIP. (utkarsh) -- +libssh (Markus Koschany) +-- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) @@ -120,7 +122,8 @@ slirp sqlite3 NOTE: 20200712: Vulnerable to at least CVE-2020-13630. (lamby) -- -squid3 +squid3 (Markus Koschany) + NOTE: 20200730: I am investigating a possible regression (#965012) -- sympa NOTE: 20200525: Incomplete patch. Not the complete patch is made public. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8b7a8856c4f2d0b1c713ee94ed96b512886c14ad -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8b7a8856c4f2d0b1c713ee94ed96b512886c14ad You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2286-1 for tomcat8
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: f0e4442a by Markus Koschany at 2020-07-22T17:20:29+02:00 Reserve DLA-2286-1 for tomcat8 - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[22 Jul 2020] DLA-2286-1 tomcat8 - security update + {CVE-2020-13934 CVE-2020-13935} + [stretch] - tomcat8 8.5.54-0+deb9u3 [22 Jul 2020] DLA-2285-1 librsvg - security update {CVE-2017-11464 CVE-2019-20446} [stretch] - librsvg 2.40.21-0+deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0e4442a1a5db956d46109e66848d69ed1997309 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0e4442a1a5db956d46109e66848d69ed1997309 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla-needed.txt: ongoing work for imagemagick
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 91785824 by Markus Koschany at 2020-07-13T17:17:12+02:00 dla-needed.txt: ongoing work for imagemagick - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -65,8 +65,8 @@ golang-github-seccomp-libseccomp-golang (Adrian Bunk) -- gupnp -- -imagemagick - NOTE: 20200622: Ongoing work +imagemagick (Markus Koschany) + NOTE: 20200713: Ongoing work -- jruby NOTE: 20200706: all open CVEs were fixed in jessie (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/91785824e2a4a262a4377588afbc5c7d3f56f9fe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/91785824e2a4a262a4377588afbc5c7d3f56f9fe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
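Review bot: the updated NOTE `20200713: Ongoing work` carries no author tag, unlike the neighbouring jruby note that ends in `(Beuc)`; append the author's initials so the history shows who recorded the status, as the other dla-needed.txt notes do.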
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2279-1 for tomcat8
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 662a322a by Markus Koschany at 2020-07-12T20:58:02+02:00 Reserve DLA-2279-1 for tomcat8 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[12 Jul 2020] DLA-2279-1 tomcat8 - security update + {CVE-2020-9484 CVE-2020-11996} + [stretch] - tomcat8 8.5.54-0+deb9u2 [10 Jul 2020] DLA-2278-1 squid3 - security update {CVE-2018-19132 CVE-2019-12519 CVE-2019-12520 CVE-2019-12521 CVE-2019-12523 CVE-2019-12524 CVE-2019-12525 CVE-2019-12526 CVE-2019-12528 CVE-2019-12529 CVE-2019-13345 CVE-2019-18676 CVE-2019-18677 CVE-2019-18678 CVE-2019-18679 CVE-2019-18860 CVE-2020-8449 CVE-2020-8450 CVE-2020-11945} [stretch] - squid3 3.5.23-5+deb9u2 = data/dla-needed.txt = @@ -170,9 +170,6 @@ sympa NOTE: 20200604: the non-public patch is being discussed internally. (utkarsh) NOTE: 20200604: shall process the upload once the confirmation is given. (utkarsh) -- -tomcat8 (Markus Koschany) - NOTE: 20200701: CVE-2020-9484's patch should also be included for Stretch LTS. (utkarsh) --- transmission (Utkarsh Gupta) -- unbound View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/662a322afa0527688ee6d7175252ccda8d802589 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/662a322afa0527688ee6d7175252ccda8d802589 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
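Review bot: the removed dla-needed.txt note asked for CVE-2020-9484's patch to be included in the stretch update, and the new DLA-2279-1 entry does list CVE-2020-9484 together with CVE-2020-11996, so the two hunks are consistent. One thing to double-check: the surrounding context shows `[10 Jul 2020] DLA-2278-1` directly below the new `[12 Jul 2020]` entry, so date order holds here.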
[Git][security-tracker-team/security-tracker][master] Readd squid3 to dla-needed.txt for CVE-2020-15049
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 9650416e by Markus Koschany at 2020-07-10T22:05:57+02:00 Readd squid3 to dla-needed.txt for CVE-2020-15049 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -141,6 +141,8 @@ salt samba (Roberto C. Sánchez) NOTE: 20200703: Check with security team so that there's no clash for Stretch update. (utkarsh) -- +squid3 (Markus Koschany) +-- sympa NOTE: 20200525: Incomplete patch. Not the complete patch is made public. (utkarsh) NOTE: 20200525: But that is weird, given their announcement. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9650416e88f4894b5a4c2026d27bdda69e651da6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9650416e88f4894b5a4c2026d27bdda69e651da6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2278-1 for squid3
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 0686eb40 by Markus Koschany at 2020-07-10T22:05:05+02:00 Reserve DLA-2278-1 for squid3 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[10 Jul 2020] DLA-2278-1 squid3 - security update + {CVE-2018-19132 CVE-2019-12519 CVE-2019-12520 CVE-2019-12521 CVE-2019-12523 CVE-2019-12524 CVE-2019-12525 CVE-2019-12526 CVE-2019-12528 CVE-2019-12529 CVE-2019-13345 CVE-2019-18676 CVE-2019-18677 CVE-2019-18678 CVE-2019-18679 CVE-2019-18860 CVE-2020-8449 CVE-2020-8450 CVE-2020-11945} + [stretch] - squid3 3.5.23-5+deb9u2 [11 Jul 2020] DLA-2277-1 openjpeg2 - security update {CVE-2019-12973 CVE-2020-6851 CVE-2020-8112 CVE-2020-15389} [stretch] - openjpeg2 2.1.2-1.1+deb9u5 = data/dla-needed.txt = @@ -141,10 +141,6 @@ salt samba (Roberto C. Sánchez) NOTE: 20200703: Check with security team so that there's no clash for Stretch update. (utkarsh) -- -squid3 (Markus Koschany) - NOTE: 20200622: https://people.debian.org/~apo/lts/squid3/ - NOTE: 20200622: Patch for CVE-2019-12523 almost complete. --- sympa NOTE: 20200525: Incomplete patch. Not the complete patch is made public. (utkarsh) NOTE: 20200525: But that is weird, given their announcement. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0686eb40a0a878878d278e7124c98ce96e979ba5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0686eb40a0a878878d278e7124c98ce96e979ba5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
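Review bot: the new entry is dated `[10 Jul 2020]` but is inserted above `[11 Jul 2020] DLA-2277-1 openjpeg2`, so data/DLA/list is no longer in date order at the top. Either the openjpeg2 date is a typo or this entry should carry the later date; please check before the next reservation lands on top of it.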
[Git][security-tracker-team/security-tracker][master] CVE-2020-10672,jackson-databind is also fixed in unstable.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 4c6ed981 by Markus Koschany at 2020-07-09T19:16:06+02:00 CVE-2020-10672,jackson-databind is also fixed in unstable. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13904,7 +13904,7 @@ CVE-2020-10673 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in NOTE: but still an issue when Default Typing is enabled. CVE-2020-10672 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2153-1} - - jackson-databind + - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2659 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c6ed98140a84926024edfd861c42e42e67bbea1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c6ed98140a84926024edfd861c42e42e67bbea1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] jackson-databind: Several CVE are fixed in unstable now.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 858cff0b by Markus Koschany at 2020-07-09T14:44:04+02:00 jackson-databind: Several CVE are fixed in unstable now. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3464,7 +3464,7 @@ CVE-2020-14196 (In PowerDNS Recursor versions up to and including 4.3.1, 4.2.2 a NOTE: https://www.openwall.com/lists/oss-security/2020/07/01/1 CVE-2020-14195 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interact ...) {DLA-2270-1} - - jackson-databind + - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2765 @@ -3798,7 +3798,7 @@ CVE-2020-14063 RESERVED CVE-2020-14062 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interact ...) {DLA-2270-1} - - jackson-databind + - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2704 @@ -3806,7 +3806,7 @@ CVE-2020-14062 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the in NOTE: but still an issue when Default Typing is enabled. CVE-2020-14061 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interact ...) {DLA-2270-1} - - jackson-databind + - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2698 
@@ -3814,7 +3814,7 @@ CVE-2020-14061 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the in NOTE: but still an issue when Default Typing is enabled. CVE-2020-14060 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interact ...) {DLA-2270-1} - - jackson-databind + - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2688 @@ -10811,7 +10811,7 @@ CVE-2020-11621 RESERVED CVE-2020-11620 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2179-1} - - jackson-databind + - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2682 @@ -10819,7 +10819,7 @@ CVE-2020-11620 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in NOTE: but still an issue when Default Typing is enabled. CVE-2020-11619 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2179-1} - - jackson-databind + - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2680 
@@ -12196,7 +12196,7 @@ CVE-2020-5291 (Bubblewrap (bwrap) before version 0.4.1, if installed in setuid m NOTE: https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240 CVE-2020-3 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2179-1} - - jackson-databind + - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2670 @@ -12204,7 +12204,7 @@ CVE-2020-3 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in NOTE: but still an issue when Default Typing is enabled. CVE-2020-2 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2179-1} - - jackson-databind + - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2666 @@ -12212,7 +12212,7 @@ CVE-2020-2 (FasterXML jackson-databind 2
[Git][security-tracker-team/security-tracker][master] 2 commits: Claim tomcat8 in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 20e5d55a by Markus Koschany at 2020-07-01T09:01:07+02:00 Claim tomcat8 in dla-needed.txt - - - - - 731417d2 by Markus Koschany at 2020-07-01T09:03:16+02:00 Remove no-dsa tags for squid3. Will be fixed with the upcoming security release 3.5.23-5+deb9u2 - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -98314,7 +98314,6 @@ CVE-2018-19132 (Squid before 4.4, when SNMP is enabled, allows a denial of servi {DLA-1596-1} - squid 4.4-1 (low; bug #912294) - squid3 (low) - [stretch] - squid3 (Can be fixed along in a future DSA) NOTE: http://www.squid-cache.org/Advisories/SQUID-2018_5.txt NOTE: 3.5: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-bc9786119f058a76ddf0625424bc33d36460b9a2.patch NOTE: 4.x: http://www.squid-cache.org/Versions/v4/changesets/squid-4-983c5c36e5f109512ed1af38a329d0b5d0967498.patch @@ -220337,7 +220336,6 @@ CVE-2016-3948 (Squid 3.x before 3.5.16 and 4.x before 4.0.8 improperly perform b NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_4.txt CVE-2016-3947 (Heap-based buffer overflow in the Icmp6::Recv function in icmp/Icmp6.c ...) - squid3 3.5.16-1 (bug #819783) - [jessie] - squid3 (Minor issue) [wheezy] - squid3 (Minor issue) - squid 4.1-1 [wheezy] - squid (Minor issue) @@ -224109,7 +224107,6 @@ CVE-2016-2571 (http.cc in Squid 3.x before 3.5.15 and 4.x before 4.0.7 proceeds NOTE: Upstream confirmed it does not affect squid 2.7.x CVE-2016-2570 (The Edge Side Includes (ESI) parser in Squid 3.x before 3.5.15 and 4.x ...) - squid3 3.5.15-1 (bug #816011) - [jessie] - squid3 (Minor issue, needs substantial backporting; too intrusive to backport) [wheezy] - squid3 (Minor issue, needs substantial backporting; too intrusive to backport) - squid (Vulnerable code not present) NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_2.txt 
@@ -224120,7 +224117,6 @@ CVE-2016-2570 (The Edge Side Includes (ESI) parser in Squid 3.x before 3.5.15 an NOTE: It's maybe too instrusive to fix in 3.1 (squeeze and wheezy). CVE-2016-2569 (Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not properly append ...) - squid3 3.5.15-1 (bug #816011) - [jessie] - squid3 (Minor issue; needs substantial backporting; too intrusive to backport) [wheezy] - squid3 (Minor issue; needs substantial backporting; too intrusive to backport) - squid (Vulnerable code not present) NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_2.txt = data/dla-needed.txt = @@ -122,7 +122,7 @@ sympa NOTE: 20200604: the non-public patch is being discussed internally. (utkarsh) NOTE: 20200604: shall process the upload once the confirmation is given. (utkarsh) -- -tomcat8 +tomcat8 (Markus Koschany) -- tzdata NOTE: 20200514: LTS update must wait on oldstable update first (via point release) to prevent newer version in LTS (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9af3f9e9f5a7b360f9aba6cc5e153ce2de7ac878...731417d2034d30b664e1b4ff743d64717b0c3756 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9af3f9e9f5a7b360f9aba6cc5e153ce2de7ac878...731417d2034d30b664e1b4ff743d64717b0c3756 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
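Review bot: the commit message justifies removing the no-dsa tags with the upcoming stretch upload 3.5.23-5+deb9u2, but the CVE-2016-3947, CVE-2016-2570 and CVE-2016-2569 hunks drop the `[jessie] - squid3 (Minor issue ...)` lines, not stretch ones, while leaving the `[wheezy]` tags in place. Dropping a jessie tag marks jessie as open again, so either a jessie upload is also planned (say so in the message) or those three hunks should be reverted; only the CVE-2018-19132 hunk, which removes `[stretch] - squid3 (Can be fixed along in a future DSA)`, matches the stated reason.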
[Git][security-tracker-team/security-tracker][master] 2 commits: Update status of squid3 and imagemagick in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: a1ce3d59 by Markus Koschany at 2020-06-22T09:59:01+02:00 Update status of squid3 and imagemagick in dla-needed.txt - - - - - 155aade8 by Markus Koschany at 2020-06-22T10:00:17+02:00 CVE-2019-18679,squid3: Correct link to upstream patch - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -39335,7 +39335,7 @@ CVE-2019-18679 (An issue was discovered in Squid 2.x, 3.x, and 4.x through 4.8. {DSA-4682-1 DLA-2028-1} - squid 4.9-1 - squid3 - NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch + NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-6f2841090dffbec1a2b2417e18bb3dc71d62dd2e.patch NOTE: http://www.squid-cache.org/Advisories/SQUID-2019_11.txt CVE-2019-18678 (An issue was discovered in Squid 3.x and 4.x through 4.8. It allows at ...) {DSA-4682-1 DLA-2028-1} = data/dla-needed.txt = @@ -53,6 +53,7 @@ freerdp glib-networking -- imagemagick (Markus Koschany) + NOTE: 20200622: Ongoing work -- libdatetime-timezone-perl NOTE: 20200514: LTS update must wait on oldstable update first (via point release) to prevent newer version in LTS (roberto) 
@@ -114,9 +115,9 @@ qemu (Adrian Bunk) sqlite3 (Abhijith PA) NOTE: 20200620: WIP (abhijith) -- -squid3 - NOTE: 20200531: Ongoing work on squid3 in Stretch which will be used for Jessie - NOTE: 20200531: and Stretch. (apo) +squid3 (Markus Koschany) + NOTE: 20200622: https://people.debian.org/~apo/lts/squid3/ + NOTE: 20200622: Patch for CVE-2019-12523 almost complete. -- sympa NOTE: 20200525: Incomplete patch. Not the complete patch is made public. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/37eb2a38468547b9f4cd3f45543076f28f5cc9d9...155aade8fddf7f5db0a87c52d66d8e2b3837bfbe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/37eb2a38468547b9f4cd3f45543076f28f5cc9d9...155aade8fddf7f5db0a87c52d66d8e2b3837bfbe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reclaim imagemagick in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 2ba1c4b3 by Markus Koschany at 2020-06-01T16:13:21+02:00 Reclaim imagemagick in dla-needed.txt That will take a few more days to complete. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -51,7 +51,7 @@ graphicsmagick (Roberto C. Sánchez) NOTE: 20200514: no upstream patch available, yet, for CVE-2020-12672 (sunweaver) NOTE: 20200529: still no upstream patch available, yet, for CVE-2020-12672 (roberto) -- -imagemagick +imagemagick (Markus Koschany) -- libdatetime-timezone-perl NOTE: 20200514: LTS update must wait on oldstable update first to prevent newer version in LTS (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ba1c4b3b41a2fb82db51af251535740a1c45972 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ba1c4b3b41a2fb82db51af251535740a1c45972 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla-needed.txt: Final version for Stretch and Jessie this week but will ask for
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: dca9ff14 by Markus Koschany at 2020-05-31T22:29:58+02:00 dla-needed.txt: Final version for Stretch and Jessie this week but will ask for testing on debian-lts first due to the many changes and issues fixed. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -103,8 +103,8 @@ sane-backends (Adrian Bunk) sqlite3 (Abhijith PA) -- squid3 (Markus Koschany) - NOTE: 20200518: Ongoing work on squid3 in Stretch which will be used for Jessie - NOTE: 20200518: and Stretch. + NOTE: 20200531: Ongoing work on squid3 in Stretch which will be used for Jessie + NOTE: 20200531: and Stretch. -- sympa (Utkarsh Gupta) NOTE: 20200525: Incomplete patch. Not the complete patch is made public. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dca9ff1430dea31e162bbb8f1ebad4c1ef3ecb45 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dca9ff1430dea31e162bbb8f1ebad4c1ef3ecb45 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
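Review bot: both squid3 NOTE lines change only the date from 20200518 to 20200531 while the text stays identical, so the bump records no progress. The commit message says the Stretch-based package is final for this week and goes to debian-lts for testing first; that is the status worth writing into the note.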
[Git][security-tracker-team/security-tracker][master] Remove tomcat8 from dla-needed.txt, add CVE-2020-9484 to DLA/list. CVE is fixed
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 602bc042 by Markus Koschany at 2020-05-28T17:44:02+02:00 Remove tomcat8 from dla-needed.txt, add CVE-2020-9484 to DLA/list. CVE is fixed with version 8.0.14-1+deb8u17 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -38,7 +38,7 @@ {CVE-2020-3810} [jessie] - apt 1.0.9.8.6 [11 May 2020] DLA-2209-1 tomcat8 - security update - {CVE-2019-17563 CVE-2020-1935 CVE-2020-1938} + {CVE-2019-17563 CVE-2020-1935 CVE-2020-1938 CVE-2020-9484} [jessie] - tomcat8 8.0.14-1+deb8u17 [10 May 2020] DLA-2208-1 wordpress - security update {CVE-2020-11026 CVE-2020-11027 CVE-2020-11028 CVE-2020-11029} = data/dla-needed.txt = @@ -117,9 +117,6 @@ sympa (Utkarsh Gupta) NOTE: 20200525: Anyway, the patch that is made public so far has been uploaded to NOTE: 20200525: https://people.debian.org/~utkarsh/jessie-lts/sympa/ (utkarsh) -- -tomcat8 (Markus Koschany) - NOTE: 20200521: One patch resulted to have a bug that had to be fixed; new CVE also released. (roberto) --- tzdata NOTE: 20200514: LTS update must wait on oldstable update first to prevent newer version in LTS (roberto) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/602bc04285a5d3b4f0b326c13d416da7b1b7fb46 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/602bc04285a5d3b4f0b326c13d416da7b1b7fb46 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
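Review bot: DLA-2209-1 is dated 11 May 2020 and was announced for three CVEs; appending CVE-2020-9484 to that entry on 28 May makes the tracker credit the advisory with an issue its published text never named. If 8.0.14-1+deb8u17 really contains the fix the data line is correct, but a follow-up announcement (the usual -2 convention) would keep advisory text and tracker consistent. The removed dla-needed note also said one patch "resulted to have a bug that had to be fixed"; nothing here records how that was resolved.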
[Git][security-tracker-team/security-tracker][master] dla-needed.txt: Ongoing work on squid3 to incorporate latest CVE.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 83eee3c6 by Markus Koschany at 2020-05-18T00:50:34+02:00 dla-needed.txt: Ongoing work on squid3 to incorporate latest CVE. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -101,8 +101,8 @@ salt (Abhijith PA) NOTE: 20200501: Upstream fix for CVE-CVE-2020-11651 causes a regression. Should be fixed too. (Ola) -- squid3 (Markus Koschany) - NOTE: 20200427: Working on squid3 in Stretch which will be used for Jessie - NOTE: 20200427: and Stretch. It seems more useful for the future. + NOTE: 20200518: Ongoing work on squid3 in Stretch which will be used for Jessie + NOTE: 20200518: and Stretch. -- tomcat8 (Roberto C. Sánchez) In d8fb8968ba9d89b4fd62e6570ad78b2efa8b7635 the DLA was reserved but not uploaded. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/83eee3c6151479dc99a18e84968b2c0b91a3b4e9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/83eee3c6151479dc99a18e84968b2c0b91a3b4e9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
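Review bot: while touching this region, the salt context line reads "CVE-CVE-2020-11651" (doubled prefix), and the tomcat8 entry below carries the free text "In d8fb8968... the DLA was reserved but not uploaded." without the "NOTE: <date>:" prefix every other status line uses, at least in this rendering; both are worth fixing in the same commit. The squid3 rewording itself is fine, though dropping "It seems more useful for the future" loses the only stated reason for basing the Jessie package on the Stretch one.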
[Git][security-tracker-team/security-tracker][master] CVE-2020-12761,imlib2: Fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 33ef355b by Markus Koschany at 2020-05-12T01:19:53+02:00 CVE-2020-12761,imlib2: Fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -84,7 +84,7 @@ CVE-2020-12762 (json-c through 0.14 has an integer overflow and out-of-bounds wr NOTE: https://github.com/json-c/json-c/commit/099016b7e8d70a6d5dd814e788bba08d33d48426 NOTE: https://github.com/json-c/json-c/commit/d07b91014986900a3a75f306d302e13e005e9d67 CVE-2020-12761 (modules/loaders/loader_ico.c in imlib2 1.6.0 has an integer overflow ( ...) - - imlib2 (bug #960192) + - imlib2 1.6.1-2 (bug #960192) [buster] - imlib2 (Vulnerable code introduced later) [stretch] - imlib2 (Vulnerable code introduced later) [jessie] - imlib2 (Vulnerable code introduced later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/33ef355b5bd5c2483c317e963755c2e730edf799 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/33ef355b5bd5c2483c317e963755c2e730edf799 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
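Review bot: the entry records the fixed version but no upstream reference, while the json-c entry directly above carries NOTE: lines with its fixing commits. Add the imlib2 commit that fixes loader_ico.c, since the "Vulnerable code introduced later" claim for buster, stretch and jessie can only be re-verified against the commit that introduced the code and the one that fixed it.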
[Git][security-tracker-team/security-tracker][master] Claim imagemagick in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 135c2275 by Markus Koschany at 2020-05-11T17:23:36+02:00 Claim imagemagick in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -41,6 +41,8 @@ condor freerdp (Utkarsh Gupta) NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby) -- +imagemagick (Markus Koschany) +-- libdatetime-timezone-perl -- libmatio (Adrian Bunk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/135c2275e8f82b6e022c52dcbe88c93f9cfbc1a7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/135c2275e8f82b6e022c52dcbe88c93f9cfbc1a7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove no-dsa flag from Tomcat 8 / Jessie in CVE list.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: cc058251 by Markus Koschany at 2020-05-11T17:15:25+02:00 Remove no-dsa flag from Tomcat 8 / Jessie in CVE list. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28341,7 +28341,6 @@ CVE-2020-1938 (When using the Apache JServ Protocol (AJP), care must be taken wh {DSA-4680-1 DSA-4673-1 DLA-2133-1} - tomcat9 9.0.31-1 (bug #952437) - tomcat8 (bug #952438) - [jessie] - tomcat8 (backport is intrusive because of API changes) - tomcat7 (bug #952436) NOTE: AJP disabled in Debian in default configuration since 2008 NOTE: fixed in upstream versions 9.0.31, 8.5.51, 7.0.100 @@ -28368,7 +28367,6 @@ CVE-2020-1935 (In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to {DSA-4680-1 DSA-4673-1 DLA-2133-1} - tomcat9 9.0.31-1 - tomcat8 - [jessie] - tomcat8 (backport is too intrusive) - tomcat7 NOTE: https://github.com/apache/tomcat/commit/8bfb0ff7f25fe7555a5eb2f7984f73546c11aa26 (9.0.31) NOTE: https://github.com/apache/tomcat/commit/8fbe2e962f0ea138d92361921643fe5abe0c4f56 (8.5.51) 
@@ -37325,7 +37323,6 @@ CVE-2019-17563 (When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9. {DSA-4680-1 DSA-4596-1 DLA-2077-1} - tomcat9 9.0.31-1 - tomcat8 - [jessie] - tomcat8 (low risk, backport is intrusive) - tomcat7 NOTE: https://github.com/apache/tomcat/commit/1ecba14e690cf5f3f143eef6ae7037a6d3c16652 (9.0.30) NOTE: https://github.com/apache/tomcat/commit/e19a202ee43b6e2a538be5515ae0ab32d8ef112c (8.5.50) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc05825194b70c8a7e9a81aec45617813775d81e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc05825194b70c8a7e9a81aec45617813775d81e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
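Review bot: removing the three [jessie] lines leaves jessie tracked by the bare "- tomcat8" lines, i.e. open and unfixed, which matches the DLA-2209-1 reservation in d8fb8968 from the same push, so this is consistent. Two follow-ups: the {DSA-4680-1 DSA-4673-1 DLA-2133-1} reference lists on all three CVEs still lack DLA-2209-1 and need it once the advisory is out, as DLA-2133-1 was added for tomcat7; and the dropped rationale ("backport is intrusive because of API changes") was the reason the backport was refused before, so a NOTE on how the 8.0.14 patches deal with that would help whoever reviews the upload.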
[Git][security-tracker-team/security-tracker][master] 2 commits: Remove imlib2 from dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 2da4be8d by Markus Koschany at 2020-05-11T17:13:53+02:00 Remove imlib2 from dla-needed.txt - - - - - d8fb8968 by Markus Koschany at 2020-05-11T17:14:43+02:00 Reserve DLA-2209-1 for tomcat8 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[11 May 2020] DLA-2209-1 tomcat8 - security update + {CVE-2019-17563 CVE-2020-1935 CVE-2020-1938} + [jessie] - tomcat8 8.0.14-1+deb8u17 [10 May 2020] DLA-2208-1 wordpress - security update {CVE-2020-11026 CVE-2020-11027 CVE-2020-11028 CVE-2020-11029} [jessie] - wordpress 4.1.30+dfsg-0+deb8u1 = data/dla-needed.txt = @@ -41,8 +41,6 @@ condor freerdp (Utkarsh Gupta) NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby) -- -imlib2 (Markus Koschany) --- libdatetime-timezone-perl -- libmatio (Adrian Bunk) @@ -92,9 +90,6 @@ squid3 (Markus Koschany) NOTE: 20200427: Working on squid3 in Stretch which will be used for Jessie NOTE: 20200427: and Stretch. It seems more useful for the future. -- -tomcat8 - NOTE: 20200413: Forwarded patches for review to Abhijith --- tzdata -- varnish (Sylvain Beucler) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cada380ee1580a57a1d95a6d265639d0d4825f8a...d8fb8968ba9d89b4fd62e6570ad78b2efa8b7635 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cada380ee1580a57a1d95a6d265639d0d4825f8a...d8fb8968ba9d89b4fd62e6570ad78b2efa8b7635 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
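Review bot: imlib2 is dropped from dla-needed.txt without a DLA in this push (the only reservation here is DLA-2209-1 for tomcat8) and the commit message gives no reason, so the triage trail is lost; state why (not affected, postponed, or handled elsewhere) either in the message or as an annotation in CVE/list. The tomcat8 removal is fine, since the reserved DLA-2209-1 names the three CVEs and the version 8.0.14-1+deb8u17.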
[Git][security-tracker-team/security-tracker][master] Claim imlib2 in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: b224d12c by Markus Koschany at 2020-05-10T16:00:49+02:00 Claim imlib2 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -40,6 +40,8 @@ condor freerdp (Utkarsh Gupta) NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby) -- +imlib2 (Markus Koschany) +-- libdatetime-timezone-perl (Emilio) -- libmatio (Adrian Bunk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b224d12c18d02942d37bf8abfeb9805b51fb4981 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b224d12c18d02942d37bf8abfeb9805b51fb4981 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update status of squid3 in dla-needed.txt.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 994ffc63 by Markus Koschany at 2020-04-27T11:50:42+02:00 Update status of squid3 in dla-needed.txt. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -87,9 +87,9 @@ ruby-rack -- sqlite3 (Mike Gabriel) -- -squid3 - NOTE: 20200330: There is still an issue with CVE-2019-12523 but the rest - NOTE: 20200330: looks good now. (apo) +squid3 (Markus Koschany) + NOTE: 20200427: Working on squid3 in Stretch which will be used for Jessie + NOTE: and Stretch. It seems more useful for the future. -- tika (Utkarsh Gupta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/994ffc631303abe50b6f31b5df35cceebb780b6d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/994ffc631303abe50b6f31b5df35cceebb780b6d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
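Review bot: the second squid3 line is "NOTE: and Stretch." without the 20200427 date prefix; continuation lines elsewhere in this file repeat the date (the same block reads "NOTE: 20200518: and Stretch." after 83eee3c6). Put the date on both lines.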
[Git][security-tracker-team/security-tracker][master] Update status of tomcat8 in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 7880d6a5 by Markus Koschany at 2020-04-13T21:23:34+02:00 Update status of tomcat8 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -88,7 +88,7 @@ squid3 (Markus Koschany) thunderbird (Emilio) -- tomcat8 (Markus Koschany) - NOTE: 20200330: I am reviewing a patch for Abhijith currently. + NOTE: 20200413: Forwarded patches for review to Abhijith -- varnish NOTE: 20200410: There was a reworking of the functions in cache_req_fsm.c View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7880d6a5931ffb244dbdc9aea16ee7ceafb6de61 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7880d6a5931ffb244dbdc9aea16ee7ceafb6de61 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reclaim squid3 and claim tomcat8 in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 4fd7d9ef by Markus Koschany at 2020-03-30T12:46:08+02:00 Reclaim squid3 and claim tomcat8 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -79,8 +79,12 @@ shiro NOTE: 20200329: https://github.com/apache/shiro/pull/203 (lamby) NOTE: 20200329: See 53dc30bf6823c98 in this repo. (lamby) -- -squid3 - NOTE: 20200309: Requires more tests. (apo) +squid3 (Markus Koschany) + NOTE: 20200330: There is still an issue with CVE-2019-12523 but the rest + NOTE: looks good now. (apo) +-- +tomcat8 (Markus Koschany) + NOTE: I am reviewing a patch for Abhijith currently. -- wireshark (Thorsten Alteholz) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4fd7d9ef06933418e4e288624dbc6e21e1e6e35e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4fd7d9ef06933418e4e288624dbc6e21e1e6e35e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
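Review bot: both continuation lines added here lack the date prefix: "NOTE: looks good now. (apo)" should carry 20200330 like the line before it, and the tomcat8 note "NOTE: I am reviewing a patch for Abhijith currently." has no date at all (7880d6a5 later rewrites it with one). Claiming tomcat8 for Markus while the note says the patch is Abhijith's is a handover worth one explicit sentence, for instance who does the upload.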
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2138-1 for wpa
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: a851bf47 by Markus Koschany at 2020-03-10T23:18:42+01:00 Reserve DLA-2138-1 for wpa - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[10 Mar 2020] DLA-2138-1 wpa - security update + {CVE-2019-10064} + [jessie] - wpa 2.3-1+deb8u10 [10 Mar 2020] DLA-2137-1 sleuthkit - security update {CVE-2020-10232} [jessie] - sleuthkit 4.1.3-4+deb8u2 = data/dla-needed.txt = @@ -86,10 +86,6 @@ tomcat8 (Abhijith PA) weechat (Thorsten Alteholz) NOTE: 20200309: work is ongoing -- -wpa (Markus Koschany) - NOTE: 20200218: fix for CVE-2019-5061 removes IAPP functionality from hostapd, which is - NOTE: normally fine, but should be carefully considered for Jessie (alteholz) --- xcftools NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for review. NOTE: but I might just not receive any review any time soon, so I will now attempt to View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a851bf474978e70a1baafa7ba708107ae0bf9588 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a851bf474978e70a1baafa7ba708107ae0bf9588 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
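Review bot: DLA-2138-1 lists only CVE-2019-10064, but the dla-needed note being removed was about CVE-2019-5061 (the fix removes IAPP from hostapd, flagged by alteholz as needing care on Jessie). Nothing here says what happened to CVE-2019-5061 for jessie: fixed in 2.3-1+deb8u10 as well, postponed, or ignored. Record that in CVE/list so it does not silently drop off the work list.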
[Git][security-tracker-team/security-tracker][master] 2 commits: Update status of squid3 in dla-needed.txt.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c048c8c by Markus Koschany at 2020-03-09T11:26:37+01:00 Update status of squid3 in dla-needed.txt. - - - - - 03239c99 by Markus Koschany at 2020-03-09T11:27:27+01:00 Claim wpa in dla-needed.txt. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -70,19 +70,7 @@ slirp (Utkarsh Gupta) NOTE: 20200223: WIP. -- squid3 (Markus Koschany) - NOTE: 20191210: CVE-2019-12523 and CVE-2019-18676 Requires new API SBuf. - NOTE: 20200116: Researched other distros to see if any had backported the fixes. No luck. - NOTE: 20200116: Tried for some time to reproduce the vulnerabilities, but did not succeed. - NOTE: 20200116: The change is rather involved when considering the new SBuf API, so not - NOTE: 20200116: being able to reproduce makes it impossible isolate the minimal change that - NOTE: 20200116: addresses the vulnerabilities. (roberto) - NOTE: 20200120: CVE-2019-12523 It looks like the only new checks is the introduction of NID - NOTE: 20200120: checks in parseUrn. This function replaces parseFinish. It should be easy - NOTE: 20200120: to add those checks without introducing SBuf. (Ola) - NOTE: 20200120: CVE-2019-18676 however is more complicated to locate. Potentially the // skipping - NOTE: 20200120: or the absolute function is the issue but it is hard to tell without more - NOTE: 20200120: details on the intention. (Ola) - NOTE: 20200224: Ongoing work. (apo) + NOTE: 20200309: Requires more tests. (apo) -- tomcat8 (Abhijith PA) NOTE: 20200106: Almost done. Working on failing testcase. 
@@ -92,7 +80,7 @@ tomcat8 (Abhijith PA) weechat (Thorsten Alteholz) NOTE: 20200309: work is ongoing -- -wpa +wpa (Markus Koschany) NOTE: 20200218: fix for CVE-2019-5061 removes IAPP functionality from hostapd, which is NOTE: normally fine, but should be carefully considered for Jessie (alteholz) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/76bfb7f0c135c4b1d053aab799713767298ae7df...03239c99e4781067975f5bbdd4b3535316180682 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/76bfb7f0c135c4b1d053aab799713767298ae7df...03239c99e4781067975f5bbdd4b3535316180682 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
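Review bot: collapsing the squid3 block to "Requires more tests" throws away the only written analysis of the two hard issues: roberto's finding that the vulnerabilities could not be reproduced and that the fix depends on the SBuf API, and Ola's pointers that CVE-2019-12523 reduces to the NID checks in parseUrn and that CVE-2019-18676 is probably in the // skipping or the absolute function. Keep at least the 20200120 lines or add a one-line reference to this commit, so the next backporter is not sent back to git log. The wpa claim is fine.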
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2133-1 for tomcat7
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: b6ab5a51 by Markus Koschany at 2020-03-04T11:56:16+01:00 Reserve DLA-2133-1 for tomcat7 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[04 Mar 2020] DLA-2133-1 tomcat7 - security update + {CVE-2019-17569 CVE-2020-1935 CVE-2020-1938} + [jessie] - tomcat7 7.0.56-3+really7.0.100-1 [03 Mar 2020] DLA-2132-1 libzypp - security update {CVE-2019-18900} [jessie] - libzypp 14.29.1-2+deb8u1 = data/dla-needed.txt = @@ -89,8 +89,6 @@ squid3 (Markus Koschany) NOTE: 20200120: details on the intention. (Ola) NOTE: 20200224: Ongoing work. (apo) -- -tomcat7 (Markus Koschany) --- tomcat8 (Abhijith PA) NOTE: 20200106: Almost done. Working on failing testcase. NOTE: 20200210: TestFormAuthenticator failing with CVE-2019-17563. backporting upstream tests (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6ab5a519e5307df8816c5677975d1bede084a65 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6ab5a519e5307df8816c5677975d1bede084a65 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
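Review bot: the version 7.0.56-3+really7.0.100-1 says this is upstream 7.0.100 shipped under a lower-sorting version, not a set of backported patches on 7.0.56. The advisory text should say so explicitly and describe the behaviour changes and the testing done (reverse dependencies, and the AJP default that the CVE-2020-1938 notes say has been disabled in Debian since 2008), since readers of a "security update" expect targeted fixes. The dla-needed removal and the three CVEs match.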
[Git][security-tracker-team/security-tracker][master] Claim tomcat7 in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 834bb8ac by Markus Koschany at 2020-02-24T22:10:05+01:00 Claim tomcat7 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -97,6 +97,8 @@ squid3 (Markus Koschany) NOTE: 20200120: details on the intention. (Ola) NOTE: 20200224: Ongoing work. (apo) -- +tomcat7 (Markus Koschany) +-- tomcat8 (Abhijith PA) NOTE: 20200106: Almost done. Working on failing testcase. NOTE: 20200210: TestFormAuthenticator failing with CVE-2019-17563. backporting upstream tests (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/834bb8ac9a56b3a4e9dd58fd5aaa6999f953aa58 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/834bb8ac9a56b3a4e9dd58fd5aaa6999f953aa58 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2018-1000825,freecol: Fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 233f5112 by Markus Koschany at 2020-02-24T13:24:14+01:00 CVE-2018-1000825,freecol: Fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -69178,7 +69178,7 @@ CVE-2018-1000827 (Ubilling version = 0.9.2 contains a Other/Unknown vulnerab CVE-2018-1000826 (Microweber version = 1.0.7 contains a Cross Site Scripting (XSS) v ...) NOT-FOR-US: Microweber CVE-2018-1000825 (FreeCol version = nightly-2018-08-22 contains a XML External Entit ...) - - freecol (bug #917023; low) + - freecol 0.11.6+dfsg2-3 (bug #917023; low) [buster] - freecol (Minor issue) [stretch] - freecol (Minor issue) [jessie] - freecol (Games are not supported) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/233f51128a4a4b30525351758bd5fd24a1ed4c51 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/233f51128a4a4b30525351758bd5fd24a1ed4c51 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla-needed.txt: Update squid3 notes
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: d6f86ada by Markus Koschany at 2020-02-24T03:57:25+01:00 dla-needed.txt: Update squid3 notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -91,6 +91,7 @@ squid3 (Markus Koschany) NOTE: 20200120: CVE-2019-18676 however is more complicated to locate. Potentially the // skipping NOTE: 20200120: or the absolute function is the issue but it is hard to tell without more NOTE: 20200120: details on the intention. (Ola) + NOTE: 20200224: Ongoing work. (apo) -- tomcat8 (Abhijith PA) NOTE: 20200106: Almost done. Working on failing testcase. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d6f86ada67ff7550b750dcdc8a52763b8ab9dced -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d6f86ada67ff7550b750dcdc8a52763b8ab9dced You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2019-10782,checkstyle: Fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: cab62f7f by Markus Koschany at 2020-02-10T16:59:50+01:00 CVE-2019-10782,checkstyle: Fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -50828,7 +50828,7 @@ CVE-2019-9660 (Stored XSS exists in YzmCMS 5.2 via the admin/category/edit.html CVE-2019-9659 (The Chuango 433 MHz burglar-alarm product line uses static codes in th ...) NOT-FOR-US: Chuango CVE-2019-10782 (All versions of com.puppycrawl.tools:checkstyle before 8.29 are vulner ...) - - checkstyle + - checkstyle 8.29-1 [buster] - checkstyle (Incomplete fix for CVE-2019-9658 not applied) [stretch] - checkstyle (Incomplete fix for CVE-2019-9658 not applied) NOTE: https://snyk.io/vuln/SNYK-JAVA-COMPUPPYCRAWLTOOLS-543266 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cab62f7f6a8f755275e67eff671922d4a625334b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cab62f7f6a8f755275e67eff671922d4a625334b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
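Review bot: the buster and stretch rationale "Incomplete fix for CVE-2019-9658 not applied" reads as a not-affected argument (the issue is the incomplete fix itself, so suites that never shipped it are not exposed), yet jessie got DLA-2099-1 for checkstyle 5.9-1+deb8u2 the same day (d8f7179d). Either 5.9 in jessie did contain the partial fix, in which case a word on that belongs here, or the jessie line should carry the same rationale; as written the three suites are not explained consistently. In this rendering the state tag between package and reason (not-affected or no-dsa) is not visible, so confirm it is present in the file.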
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2099-1 for checkstyle
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: d8f7179d by Markus Koschany at 2020-02-10T12:51:02+01:00 Reserve DLA-2099-1 for checkstyle - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[10 Feb 2020] DLA-2099-1 checkstyle - security update + {CVE-2019-10782} + [jessie] - checkstyle 5.9-1+deb8u2 [09 Feb 2020] DLA-2098-1 ipmitool - security update {CVE-2020-5208} [jessie] - ipmitool 1.8.14-4+deb8u1 = data/dla-needed.txt = @@ -9,8 +9,6 @@ To pick an issue, simply add your name behind it. To learn more about how this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues --- -checkstyle (Markus Koschany) -- clamav (Hugo Lefeuvre) NOTE: 20200127: waiting for 0.102.1 to enter stretch/buster. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d8f7179da1611f298bbfa22c43c2338209f029d4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d8f7179da1611f298bbfa22c43c2338209f029d4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
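Review bot: only the "checkstyle (Markus Koschany)" line is removed, so the file ends up with two consecutive "--" separators between the header text and clamav (bba01702 had added both the entry and its own "--"); drop the extra separator as well. The DLA entry itself is consistent with the CVE/list change in cab62f7f.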
[Git][security-tracker-team/security-tracker][master] Claim checkstyle and squid3 in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: bba01702 by Markus Koschany at 2020-02-10T01:25:32+01:00 Claim checkstyle and squid3 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -9,6 +9,8 @@ To pick an issue, simply add your name behind it. To learn more about how this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues +-- +checkstyle (Markus Koschany) -- clamav (Hugo Lefeuvre) NOTE: 20200127: waiting for 0.102.1 to enter stretch/buster. @@ -104,7 +106,7 @@ spamassassin (Mike Gabriel) NOTE: 20200131: Code not checked whether it is actually vulnerable since it likely is. (ola) NOTE: 20200131: Contacted SA maintainer: https://lists.debian.org/debian-lts/2020/01/msg00076.html (sunweaver) -- -squid3 +squid3 (Markus Koschany) NOTE: 20191210: CVE-2019-12523 and CVE-2019-18676 Requires new API SBuf. NOTE: 20200116: Researched other distros to see if any had backported the fixes. No luck. NOTE: 20200116: Tried for some time to reproduce the vulnerabilities, but did not succeed. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bba0170255465bcea52c390fe10cf4502b68c08e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bba0170255465bcea52c390fe10cf4502b68c08e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2098-1 for ipmitool
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3f8e368e by Markus Koschany at 2020-02-09T16:11:45+01:00 Reserve DLA-2098-1 for ipmitool - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[09 Feb 2020] DLA-2098-1 ipmitool - security update + {CVE-2020-5208} + [jessie] - ipmitool 1.8.14-4+deb8u1 [09 Feb 2020] DLA-2097-1 ppp - security update {CVE-2020-8597} [jessie] - ppp 2.4.6-3.1+deb8u1 = data/dla-needed.txt = @@ -24,8 +24,6 @@ ibus -- intel-microcode -- -ipmitool (Markus Koschany) --- jackson-databind NOTE: 20200105: Can be postponed again. (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3f8e368ea43c983bbd3902eef0b53d5714b10213 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3f8e368ea43c983bbd3902eef0b53d5714b10213 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2097-1 for ppp
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: efb9a0b3 by Markus Koschany at 2020-02-09T16:11:14+01:00 Reserve DLA-2097-1 for ppp - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[09 Feb 2020] DLA-2097-1 ppp - security update + {CVE-2020-8597} + [jessie] - ppp 2.4.6-3.1+deb8u1 [06 Feb 2020] DLA-2096-1 ruby-rack-cors - security update {CVE-2019-18978} [jessie] - ruby-rack-cors 0.2.9-1+deb8u1 = data/dla-needed.txt = @@ -69,8 +69,6 @@ openjdk-7 (Emilio) -- php5 (Thorsten Alteholz) -- -ppp (Markus Koschany) --- python-pysaml2 (Abhijith PA) NOTE: 2020203: test fails already for the one in archive (abhijith) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/efb9a0b39d47b0d9ecca4cbe2212bd1231d877e1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/efb9a0b39d47b0d9ecca4cbe2212bd1231d877e1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim ppp in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 0f79da60 by Markus Koschany at 2020-02-08T23:46:02+01:00 Claim ppp in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -69,6 +69,8 @@ openjdk-7 (Emilio) -- php5 (Thorsten Alteholz) -- +ppp (Markus Koschany) +-- python-pysaml2 (Abhijith PA) NOTE: 2020203: test fails already for the one in archive (abhijith) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0f79da606dd1e6b36b95cc848fbc7be69cd71eb1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0f79da606dd1e6b36b95cc848fbc7be69cd71eb1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim ipmitool in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 6f4d7938 by Markus Koschany at 2020-02-08T23:07:22+01:00 Claim ipmitool in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -24,6 +24,8 @@ ibus -- intel-microcode -- +ipmitool (Markus Koschany) +-- jackson-databind NOTE: 20200105: Can be postponed again. (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6f4d7938935c9075cacd7b5883958ce4bdf2b379 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6f4d7938935c9075cacd7b5883958ce4bdf2b379 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Remove nss from dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 0f44c8cf by Markus Koschany at 2020-02-07T18:54:42+01:00 Remove nss from dla-needed.txt - - - - - f392457f by Markus Koschany at 2020-02-07T18:55:29+01:00 CVE-2019-17023,nss: Mark as not-affected for Jessie The vulnerable code was introduced later. Version 3.26 of nss only contains an experimental TLS 1.3 implementation. Not every feature has been implemented and the HelloRetryRequest is missing. Thus the vulnerability does not apply. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -26742,6 +26742,7 @@ CVE-2019-17024 (Mozilla developers reported memory safety bugs present in Firefo CVE-2019-17023 (After a HelloRetryRequest has been sent, the client may negotiate a lo ...) - firefox 72.0-1 - nss 2:3.49-1 + [jessie] - nss (Vulnerable code was introduced later) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17023 NOTE: https://hg.mozilla.org/projects/nss/rev/d64102b76a437f24d98a20480dcc9f1655143e7c NOTE: https://hg.mozilla.org/projects/nss/rev/8a2bd40e7f89a796cf24a0ff7cfb67c6e69c5c78 = data/dla-needed.txt = 
@@ -59,10 +59,6 @@ netty (Sylvain Beucler) -- netty-3.9 (Sylvain Beucler) -- -nss (Markus Koschany) - NOTE: 20200127: Fix for CVE-2019-17023 requires more work and testing but - NOTE: release is planned for this week. --- opendmarc (Thorsten Alteholz) NOTE: 20200119: still testing package, original patch does not seem to be enough, still ongoing -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/fab4f4066da54a910f425fcdea8fe0d732d439cc...f392457f877bc69e8c3bcf3995b43f98163de888 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/fab4f4066da54a910f425fcdea8fe0d732d439cc...f392457f877bc69e8c3bcf3995b43f98163de888 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
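Review bot: the evidence that actually justifies `+ [jessie] - nss (Vulnerable code was introduced later)` is only in the commit message (nss 3.26 carries an experimental TLS 1.3 implementation in which HelloRetryRequest is not implemented, so the post-HelloRetryRequest downgrade described in CVE-2019-17023 cannot occur); the data line itself gives only the generic reason. Suggest a `NOTE:` line under the entry recording the HelloRetryRequest detail next to the existing mozilla.org and hg.mozilla.org links, so the not-affected marking can be re-checked later without reading commit history.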
[Git][security-tracker-team/security-tracker][master] 2 commits: Update status of nss in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 6a1ce305 by Markus Koschany at 2020-01-27T00:13:42+01:00 Update status of nss in dla-needed.txt - - - - - f670723e by Markus Koschany at 2020-01-27T00:14:48+01:00 Reserve DLA-2078-1 for libxmlrpc3-java - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[27 Jan 2020] DLA-2078-1 libxmlrpc3-java - security update + {CVE-2019-17570} + [jessie] - libxmlrpc3-java 3.1.3-7+deb8u1 [27 Jan 2020] DLA-2077-1 tomcat7 - security update {CVE-2019-12418 CVE-2019-17563} [jessie] - tomcat7 7.0.56-3+really7.0.99-1 = data/dla-needed.txt = @@ -67,13 +67,13 @@ libmatio (Adrian Bunk) libsolv NOTE: 20200123: Mike is maintainer -- -libxmlrpc3-java (Markus Koschany) --- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) -- nss (Markus Koschany) + NOTE: 20200127: Fix for CVE-2019-17023 requires more work and testing but + NOTE: release is planned for this week. -- opendmarc (Thorsten Alteholz) NOTE: 20200119: still testing package, original patch does not seem to be enough, still ongoing View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/35a00b7ab908ed8510dc604301faee7655480c07...f670723e4a92b7b99501a6bd86e05a4077f5f0a8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/35a00b7ab908ed8510dc604301faee7655480c07...f670723e4a92b7b99501a6bd86e05a4077f5f0a8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2077-1 for tomcat7
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 35a00b7a by Markus Koschany at 2020-01-27T00:11:59+01:00 Reserve DLA-2077-1 for tomcat7 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[27 Jan 2020] DLA-2077-1 tomcat7 - security update + {CVE-2019-12418 CVE-2019-17563} + [jessie] - tomcat7 7.0.56-3+really7.0.99-1 [26 Jan 2020] DLA-2076-1 slirp - security update {CVE-2020-7039} [jessie] - slirp 1:1.0.17-7+deb8u1 = data/dla-needed.txt = @@ -138,10 +138,6 @@ storebackup (Utkarsh Gupta) -- suricata (Mike Gabriel) -- -tomcat7 (Markus Koschany) - NOTE: 20200115: https://people.debian.org/~apo/tomcat7/ - NOTE: 20200115: waiting for sunweaver's review --- tomcat8 (Abhijith PA) NOTE: 20200106: Almost done. Working on failing testcase. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/35a00b7ab908ed8510dc604301faee7655480c07 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/35a00b7ab908ed8510dc604301faee7655480c07 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Claim libxmlrpc3-java in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 0670a2cb by Markus Koschany at 2020-01-16T23:49:08+01:00 Claim libxmlrpc3-java in dla-needed.txt - - - - - 65401fd2 by Markus Koschany at 2020-01-16T23:49:09+01:00 CVE-2019-17570,libxmlrpc3-java: Link to Red Hat bug report and proposed patch - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -21452,6 +21452,7 @@ CVE-2019-17570 [untrusted deserialization] RESERVED - libxmlrpc3-java (bug #949089) NOTE: https://www.openwall.com/lists/oss-security/2020/01/16/1 + NOTE: Proposed patch: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-17570 CVE-2019-17569 RESERVED CVE-2019-17568 = data/dla-needed.txt = @@ -61,6 +61,8 @@ libmatio (Adrian Bunk) NOTE: 20190428: older changes seem to also be required for them NOTE: 20200112: work is ongoing -- +libxmlrpc3-java (Markus Koschany) +-- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/75c3a624d3167c590d2c9b50aa0ad2124b7623ab...65401fd28de38cfd893787709d60d2297d279446 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/75c3a624d3167c590d2c9b50aa0ad2124b7623ab...65401fd28de38cfd893787709d60d2297d279446 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2065-1 for apache-log4j1.2
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 0520f458 by Markus Koschany at 2020-01-12T20:13:27+01:00 Reserve DLA-2065-1 for apache-log4j1.2 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[12 Jan 2020] DLA-2065-1 apache-log4j1.2 - security update + {CVE-2019-17571} + [jessie] - apache-log4j1.2 1.2.17-5+deb8u1 [10 Jan 2020] DLA-2064-1 ldm - security update {CVE-2019-20373} [jessie] - ldm 2:2.2.15-2+deb8u1 = data/dla-needed.txt = @@ -15,8 +15,6 @@ ansible NOTE: CVE-2019-14846 should be an easy fix. NOTE: CVE-2019-14858's upstream patch is too big; fails to work properly. (utkarsh2102) -- -apache-log4j1.2 (Markus Koschany) --- clamav (Hugo Lefeuvre) NOTE: 20200111: waiting for 0.102.1 to enter stretch/buster. NOTE: 0.102.* introduces a fair amount of ABI changes, and the migration View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0520f45880eb382b739db3ffa7c2879f367b4f12 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0520f45880eb382b739db3ffa7c2879f367b4f12 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2019-17571,apache-log4j1.2: Remove EOL tag, link to patch
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 73c7ced2 by Markus Koschany at 2020-01-11T18:21:40+01:00 CVE-2019-17571,apache-log4j1.2: Remove EOL tag, link to patch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20585,11 +20585,11 @@ CVE-2019-17572 RESERVED CVE-2019-17571 (Included in Log4j 1.2 is a SocketServer class that is vulnerable to de ...) - apache-log4j1.2 (bug #947124) - [jessie] - apache-log4j1.2 (https://salsa.debian.org/debian/debian-security-support/commit/4acf9529dc88fddf60bfa56bb464f9aac703797d) NOTE: https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E NOTE: CVE-2019-17571 correspond to CVE-2017-5645 for apache-log4j2. 1.2.x branch NOTE: is end-of-life upstream and does not recieve a fix for this issue. Users NOTE: should upgrade to Log4j 2.x. + NOTE: Fixed by https://src.fedoraproject.org/rpms/log4j12/c/d4c817c458d69dcc629a7271999d178b0dcb7c74?branch=master CVE-2019-17570 RESERVED CVE-2019-17569 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/73c7ced223c4798fcab246e3bc94c993a985 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/73c7ced223c4798fcab246e3bc94c993a985 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
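Review bot: the added `NOTE: Fixed by https://src.fedoraproject.org/rpms/log4j12/c/d4c817c458d69dcc629a7271999d178b0dcb7c74?branch=master` now sits directly under the unchanged notes saying the 1.2.x branch "is end-of-life upstream and does not recieve a fix for this issue" and that users "should upgrade to Log4j 2.x", so the entry contradicts itself when read top to bottom. Suggest rewording those earlier NOTE lines to say there is no upstream fix but a backported patch exists (the Fedora commit linked below), and while touching them fix the spelling "recieve" and "correspond" -> "corresponds". The removed jessie line is consistent with the commit title ("Remove EOL tag"), but the commit message could state that the EOL marking is dropped because a usable patch is now available.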
[Git][security-tracker-team/security-tracker][master] Claim nss in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: d1d8c0ef by Markus Koschany at 2020-01-10T21:45:48+01:00 Claim nss in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -72,6 +72,8 @@ lout NOTE: 20191221: (-> at least someone is still active on lout, providing some NOTE: 20191221: patches, not related to the open CVEs, though) -- +nss (Markus Koschany +-- opendmarc (Thorsten Alteholz) NOTE: 20200105: still testing package, original patch does not seem to be enough, still ongoing -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d1d8c0ef6ca012457a1d1ea3e7e09835d662e45b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d1d8c0ef6ca012457a1d1ea3e7e09835d662e45b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
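Review bot: the added claim line `+nss (Markus Koschany` is missing its closing parenthesis. Every other claimed entry in this file closes the name, e.g. the neighbouring `opendmarc (Thorsten Alteholz)`, and anything that reads the claimant out of the parentheses will not see a well-formed entry here. Suggest `nss (Markus Koschany)`.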
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2062-1 for sa-exim
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 01b850f4 by Markus Koschany at 2020-01-09T17:16:14+01:00 Reserve DLA-2062-1 for sa-exim - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[09 Jan 2020] DLA-2062-1 sa-exim - security update + {CVE-2019-19920} + [jessie] - sa-exim 4.2.1-14+deb8u1 [09 Jan 2020] DLA-2061-1 firefox-esr - security update {CVE-2019-17016 CVE-2019-17017 CVE-2019-17022 CVE-2019-17024 CVE-2019-17026} [jessie] - firefox-esr 68.4.0esr-1~deb8u1 = data/dla-needed.txt = @@ -97,8 +97,6 @@ ruby-rack ruby-rack-cors NOTE: 20191218: Debugging test failures. (utkarsh2102) -- -sa-exim (Markus Koschany) --- slurm-llnl NOTE: 20191125: up for testing https://people.debian.org/~abhijith/upload/slurm-llnl_14.03.9-5+deb8u5.dsc NOTE: Regression found. (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/01b850f44cf91bd52404f53b69bb6b24614dbc83 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/01b850f44cf91bd52404f53b69bb6b24614dbc83 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2058-1 for nss
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 6ef9cbc0 by Markus Koschany at 2020-01-06T22:54:47+01:00 Reserve DLA-2058-1 for nss - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[06 Jan 2020] DLA-2058-1 nss - security update + {CVE-2019-17006} + [jessie] - nss 2:3.26-1+debu8u10 [06 Jan 2020] DLA-2057-1 pillow - security update {CVE-2019-19911 CVE-2020-5312 CVE-2020-5313} [jessie] - pillow 2.6.1-2+deb8u4 = data/dla-needed.txt = @@ -78,8 +78,6 @@ lout NOTE: 20191221: (-> at least someone is still active on lout, providing some NOTE: 20191221: patches, not related to the open CVEs, though) -- -nss (Markus Koschany) --- opendmarc (Thorsten Alteholz) NOTE: 20200105: still testing package, original patch does not seem to be enough, still ongoing -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6ef9cbc093c4b70774f10bfdc8a993da316e2918 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6ef9cbc093c4b70774f10bfdc8a993da316e2918 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
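Review bot: the version in the new DLA entry, `+ [jessie] - nss 2:3.26-1+debu8u10`, looks like a typo for `2:3.26-1+deb8u10`; the other jessie entry in this hunk uses the usual `+deb8uN` revision (`pillow 2.6.1-2+deb8u4`). A version string that does not match the uploaded package cannot be matched against the archive, so this should be corrected before the DLA text is generated from the line.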
[Git][security-tracker-team/security-tracker][master] Add gpac to dla-needed.txt for future triaging.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: a8c502b4 by Markus Koschany at 2020-01-05T20:42:01+01:00 Add gpac to dla-needed.txt for future triaging. Should be revisited when more information is available. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -26,6 +26,10 @@ git (Roberto C. Sánchez) NOTE: 20191226: Patches integrated for 4 of 5 CVEs. The last, CVE-2019-1387, NOTE: 20191226: is proving rather difficult. (roberto) -- +gpac + NOTE: 20200105: All open issues are unfixed. Adding it here for future + NOTE: triaging when more information are available. (apo) +-- graphicsmagick -- gthumb (Abhijith PA) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a8c502b4b2940b7a4f2dbeb5f84647fb049c289a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a8c502b4b2940b7a4f2dbeb5f84647fb049c289a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2019-12409: Remove TODO item.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: cba520c6 by Markus Koschany at 2020-01-05T20:38:00+01:00 CVE-2019-12409: Remove TODO item. - - - - - fea2d6cc by Markus Koschany at 2020-01-05T20:38:01+01:00 CVE-2019-17558,lucene-solr: Mark as unimportant for all distributions The velocity module is not built in Debian due to missing dependencies. It is not clear if lucene-solr is affected at all because the parameter settings are missing in this version and upstream claims only 5.0.0+ is affected. I believe unimportant is correct here. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17718,7 +17718,7 @@ CVE-2019-17560 CVE-2019-17559 RESERVED CVE-2019-17558 (Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code ...) - - lucene-solr + - lucene-solr (unimportant) NOTE: https://www.openwall.com/lists/oss-security/2019/12/30/1 NOTE: https://issues.apache.org/jira/browse/SOLR-13971 NOTE: https://issues.apache.org/jira/browse/SOLR-14025 
@@ -33972,7 +33972,6 @@ CVE-2019-12410 (While investigating UBSAN errors in https://github.com/apache/ar CVE-2019-12409 (The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure settin ...) - lucene-solr (Vulnerable code was introduced later) NOTE: https://lists.apache.org/thread.html/6640c7e370fce2b74e466a605a46244ccc40666ad9e3064a4e04a85d@%3Csolr-user.lucene.apache.org%3E - TODO: check CVE-2019-12408 (It was discovered that the C++ implementation (which underlies the R, ...) NOT-FOR-US: Apache Arrow CVE-2019-12407 (On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/5546cbaabb10d97591b9d8e714b085bceacac302...fea2d6cc1d45fc18106aa150724af8d6a4c44572 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/5546cbaabb10d97591b9d8e714b085bceacac302...fea2d6cc1d45fc18106aa150724af8d6a4c44572 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
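Review bot: the justification for `+ - lucene-solr (unimportant)` (the velocity module is not built in Debian because of missing dependencies, and the parameter settings the advisory relies on are absent from this version) exists only in the commit message; nothing in the hunk records it. Suggest adding a `NOTE:` line under the entry, next to the existing SOLR-13971 and SOLR-14025 links, so the next triager can see why CVE-2019-17558 is rated unimportant without digging through history. The second hunk, dropping `TODO: check` from CVE-2019-12409, is consistent with the not-affected marking made in the previous commit.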
[Git][security-tracker-team/security-tracker][master] CVE-2019-12409,lucene-solr: Debian is not affected
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 19211678 by Markus Koschany at 2020-01-05T19:32:08+01:00 CVE-2019-12409,lucene-solr: Debian is not affected Vulnerable code was introduced later. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -33970,7 +33970,7 @@ CVE-2019-12411 CVE-2019-12410 (While investigating UBSAN errors in https://github.com/apache/arrow/pu ...) NOT-FOR-US: Apache Arrow CVE-2019-12409 (The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure settin ...) - - lucene-solr + - lucene-solr (Vulnerable code was introduced later) NOTE: https://lists.apache.org/thread.html/6640c7e370fce2b74e466a605a46244ccc40666ad9e3064a4e04a85d@%3Csolr-user.lucene.apache.org%3E TODO: check CVE-2019-12408 (It was discovered that the C++ implementation (which underlies the R, ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/192116789d1c2db7ac6514a898a9d0952e86177f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/192116789d1c2db7ac6514a898a9d0952e86177f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add bug number for CVE-2019-10219.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 89e43e26 by Markus Koschany at 2020-01-05T19:20:05+01:00 Add bug number for CVE-2019-10219. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -39976,7 +39976,7 @@ CVE-2019-10221 CVE-2019-10220 (Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a rel ...) - linux 5.3.9-1 CVE-2019-10219 (A vulnerability was found in Hibernate-Validator. The SafeHtml validat ...) - - libhibernate-validator-java + - libhibernate-validator-java (bug #948235) [buster] - libhibernate-validator-java (Vulnerable code was introduced later.) [stretch] - libhibernate-validator-java (Vulnerable code was introduced later.) [jessie] - libhibernate-validator-java (Vulnerable code was introduced later.) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/89e43e2685fec1ab7521e419656658e3f06ae88e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/89e43e2685fec1ab7521e419656658e3f06ae88e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2019-10219,hibernate-validator: Reference fixing commit
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 70ace504 by Markus Koschany at 2020-01-05T18:43:40+01:00 CVE-2019-10219,hibernate-validator: Reference fixing commit - - - - - 30b3d65a by Markus Koschany at 2020-01-05T19:12:38+01:00 CVE-2019-10219,libhibernate-validator-java: Jessie, Stretch and Buster are not affected. Vulnerable code was introduced later. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -39976,9 +39976,12 @@ CVE-2019-10221 CVE-2019-10220 (Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a rel ...) - linux 5.3.9-1 CVE-2019-10219 (A vulnerability was found in Hibernate-Validator. The SafeHtml validat ...) - - libhibernate-validator-java + - libhibernate-validator-java + [buster] - libhibernate-validator-java (Vulnerable code was introduced later.) + [stretch] - libhibernate-validator-java (Vulnerable code was introduced later.) + [jessie] - libhibernate-validator-java (Vulnerable code was introduced later.) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1738673 - TODO: 20190910: Asked for more information in #1738673. (apo) + NOTE: Fixed by https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56ceee CVE-2019-10218 (A flaw was found in the samba client, all samba versions before samba ...) - samba 2:4.11.1+dfsg-2 [buster] - samba (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/c7cffec1db839e2965c7610faa09567b6e9b99ca...30b3d65ab45db793565b9a37ec6756fe6515dd51 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/c7cffec1db839e2965c7610faa09567b6e9b99ca...30b3d65ab45db793565b9a37ec6756fe6515dd51 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2013-5027,collabtive: Jessie is not affected.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: c7cffec1 by Markus Koschany at 2020-01-05T18:26:43+01:00 CVE-2013-5027,collabtive: Jessie is not affected. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -261654,6 +261654,7 @@ CVE-2013-5028 (SQL injection vulnerability in IT/hardware-list.dll in Kwoksys Kw NOT-FOR-US: Kwok Information Server CVE-2013-5027 (Collabtive 1.0 has incorrect access control ...) - collabtive + [jessie] - collabtive (fixed in version 1.1) CVE-2013-5026 (An ActiveX control in lookout650.ocx, lookout660.ocx, and lookout670.o ...) NOT-FOR-US: National Instruments Lookout CVE-2013-5025 (An ActiveX control in exlauncher.dll in the Help subsystem in National ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c7cffec1db839e2965c7610faa09567b6e9b99ca -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c7cffec1db839e2965c7610faa09567b6e9b99ca You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
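Review bot: `+ [jessie] - collabtive (fixed in version 1.1)` names the upstream version that fixed CVE-2013-5027 but not the collabtive version jessie actually ships, so the "not affected" claim in the commit title cannot be verified from the entry alone. Suggest stating the jessie package version (or linking the upstream fixing commit) in the comment or a `NOTE:` line so the reason is checkable later.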
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2020-5496,CVE-2020-5395,fontforge: Mark as no-dsa for Jessie
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: c969a57d by Markus Koschany at 2020-01-05T18:02:52+01:00 CVE-2020-5496,CVE-2020-5395,fontforge: Mark as no-dsa for Jessie Minor issue - - - - - a0e6ba51 by Markus Koschany at 2020-01-05T18:17:39+01:00 Add bug number for fontforge - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13,9 +13,10 @@ CVE-2020-5498 CVE-2020-5497 (The OpenID Connect reference implementation for MITREid Connect throug ...) NOT-FOR-US: MITREid Connect CVE-2020-5496 (FontForge 20190801 has a heap-based buffer overflow in the Type2NotDef ...) - - fontforge + - fontforge (bug #948231) [buster] - fontforge (Minor issue) [stretch] - fontforge (Minor issue) + [jessie] - fontforge (Minor issue) NOTE: https://github.com/fontforge/fontforge/issues/4085 CVE-2020-5495 RESERVED @@ -218,9 +219,10 @@ CVE-2020-5397 CVE-2020-5396 RESERVED CVE-2020-5395 (FontForge 20190801 has a use-after-free in SFD_GetFontMetaData in sfd. ...) - - fontforge + - fontforge (bug #948231) [buster] - fontforge (Minor issue) [stretch] - fontforge (Minor issue) + [jessie] - fontforge (Minor issue) NOTE: https://github.com/fontforge/fontforge/issues/4084 CVE-2019-20334 (In Netwide Assembler (NASM) 2.14.02, stack consumption occurs in expr# ...) - nasm (unimportant) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/145e165bd1194fde3f3b463ab4c6dc38e297bfe1...a0e6ba5183c69ddbc39a62a1cb9303ef6605f86a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/145e165bd1194fde3f3b463ab4c6dc38e297bfe1...a0e6ba5183c69ddbc39a62a1cb9303ef6605f86a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add bug number for pillow issues.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: df8eb3ee by Markus Koschany at 2020-01-05T16:34:14+01:00 Add bug number for pillow issues. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -396,17 +396,17 @@ CVE-2019-20331 CVE-2020-5314 RESERVED CVE-2020-5313 (libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overfl ...) - - pillow + - pillow (bug #948224) NOTE: https://github.com/python-pillow/Pillow/commit/a09acd0decd8a87ccce939d5ff65dab59e7d365b (6.2.2) CVE-2020-5312 (libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer ...) - - pillow + - pillow (bug #948224) NOTE: https://github.com/python-pillow/Pillow/commit/93b22b846e0269ee9594ff71a72bec02d2bea8fd (6.2.2) CVE-2020-5311 (libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer ove ...) - - pillow + - pillow (bug #948224) [jessie] - pillow (The vulnerable code was introduced later) NOTE: https://github.com/python-pillow/Pillow/commit/a79b65c47c7dc6fe623aadf09aa6192fc54548f3 (6.2.2) CVE-2020-5310 (libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding int ...) - - pillow + - pillow (bug #948224) [jessie] - pillow (The vulnerable code was introduced later) NOTE: https://github.com/python-pillow/Pillow/commit/4e2def2539ec13e53a82e06c4b3daf00454100c4 (6.2.2) CVE-2020-5309 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/df8eb3eecb0a7edca1b6bb5b3906331838a36139 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/df8eb3eecb0a7edca1b6bb5b3906331838a36139 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2020-5310,pillow: Jessie is not affected
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 09640081 by Markus Koschany at 2020-01-05T16:25:17+01:00 CVE-2020-5310,pillow: Jessie is not affected The vulnerable code was introduced later. - - - - - 78632f1b by Markus Koschany at 2020-01-05T16:25:17+01:00 CVE-2020-5311,pillow: Jessie is not affected. The vulnerable code was introduced later. - - - - - 7f9a0d04 by Markus Koschany at 2020-01-05T16:25:30+01:00 Add pillow to dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -403,9 +403,11 @@ CVE-2020-5312 (libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode bu NOTE: https://github.com/python-pillow/Pillow/commit/93b22b846e0269ee9594ff71a72bec02d2bea8fd (6.2.2) CVE-2020-5311 (libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer ove ...) - pillow + [jessie] - pillow (The vulnerable code was introduced later) NOTE: https://github.com/python-pillow/Pillow/commit/a79b65c47c7dc6fe623aadf09aa6192fc54548f3 (6.2.2) CVE-2020-5310 (libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding int ...) - pillow + [jessie] - pillow (The vulnerable code was introduced later) NOTE: https://github.com/python-pillow/Pillow/commit/4e2def2539ec13e53a82e06c4b3daf00454100c4 (6.2.2) CVE-2020-5309 RESERVED = data/dla-needed.txt = 
@@ -79,6 +79,8 @@ nss (Markus Koschany) opendmarc (Thorsten Alteholz) NOTE: 20191222: still testing package, original patch does not seem to be enough, still ongoing -- +pillow +-- python-reportlab (Hugo Lefeuvre) NOTE: 20191227: still no upstream fix -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/0786240d6e4b7641f634bc48053e4f9952581ebf...7f9a0d0405f9422a70fe21e81385f60c73cdb497
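Review bot: the new `pillow` entry in dla-needed.txt carries no NOTE line, unlike the neighbouring entries that record a dated status (`NOTE: 20191222: still testing package ...` under opendmarc, `NOTE: 20191227: still no upstream fix` under python-reportlab). Since the same push marks CVE-2020-5310 and CVE-2020-5311 as not affecting jessie, a dated note saying which pillow issues still need a jessie update (CVE-2020-5312 is visible as context in the data/CVE/list hunk above) would let the next person pick this up without re-triaging data/CVE/list.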
[Git][security-tracker-team/security-tracker][master] Adjust opencv bug number for unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: d90a7b88 by Markus Koschany at 2020-01-05T00:39:19+01:00 Adjust opencv bug number for unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -54536,14 +54536,14 @@ CVE-2019-5066 (An exploitable use-after-free vulnerability exists in the way LZW CVE-2019-5065 (An exploitable information disclosure vulnerability exists in the pack ...) NOT-FOR-US: Blynk CVE-2019-5064 (An exploitable heap buffer overflow vulnerability exists in the data s ...) - [experimental] - opencv 4.2.0+dfsg-1 (bug #948180) - - opencv + [experimental] - opencv 4.2.0+dfsg-1 + - opencv (bug #948180) [jessie] - opencv (The vulnerable code was introduced later) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0853 NOTE: Fixed by: https://github.com/opencv/opencv/commit/f42d5399aac80d371b17d689851406669c9b9111 (4.2.0) CVE-2019-5063 (An exploitable heap buffer overflow vulnerability exists in the data s ...) - [experimental] - opencv 4.2.0+dfsg-1 (bug #948180) - - opencv + [experimental] - opencv 4.2.0+dfsg-1 + - opencv (bug #948180) [jessie] - opencv (The vulnerable code was introduced later) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0852 NOTE: Fixed by: https://github.com/opencv/opencv/commit/f42d5399aac80d371b17d689851406669c9b9111 (4.2.0) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d90a7b887135609e946dfe0bcf1468a33ec197a9
[Git][security-tracker-team/security-tracker][master] Add bug number for opencv issues.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: fc710166 by Markus Koschany at 2020-01-05T00:34:49+01:00 Add bug number for opencv issues. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -54536,13 +54536,13 @@ CVE-2019-5066 (An exploitable use-after-free vulnerability exists in the way LZW CVE-2019-5065 (An exploitable information disclosure vulnerability exists in the pack ...) NOT-FOR-US: Blynk CVE-2019-5064 (An exploitable heap buffer overflow vulnerability exists in the data s ...) - [experimental] - opencv 4.2.0+dfsg-1 + [experimental] - opencv 4.2.0+dfsg-1 (bug #948180) - opencv [jessie] - opencv (The vulnerable code was introduced later) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0853 NOTE: Fixed by: https://github.com/opencv/opencv/commit/f42d5399aac80d371b17d689851406669c9b9111 (4.2.0) CVE-2019-5063 (An exploitable heap buffer overflow vulnerability exists in the data s ...) - [experimental] - opencv 4.2.0+dfsg-1 + [experimental] - opencv 4.2.0+dfsg-1 (bug #948180) - opencv [jessie] - opencv (The vulnerable code was introduced later) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0852 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fc71016696ddb37f3bbdd973eea34978a5c5838b
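Review bot: the `(bug #948180)` annotation is attached to the `[experimental] - opencv 4.2.0+dfsg-1` lines for CVE-2019-5064 and CVE-2019-5063, but that upload already contains the fix according to the `NOTE: Fixed by: ... (4.2.0)` line, so the Debian bug tracks the still-unfixed package in unstable and belongs on the bare `- opencv` line instead, i.e. `- opencv (bug #948180)`, with the experimental line left as `[experimental] - opencv 4.2.0+dfsg-1`.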
[Git][security-tracker-team/security-tracker][master] 2 commits: Add jackson-databind to dla-needed.txt with notes.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: f7cc1aa0 by Markus Koschany at 2020-01-05T00:27:45+01:00 Add jackson-databind to dla-needed.txt with notes. - - - - - 7a5a1a56 by Markus Koschany at 2020-01-05T00:29:20+01:00 CVE-2019-5063,CVE-2019-5064,opencv: Jessie is not affected The vulnerable code was introduced later. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -54538,11 +54538,13 @@ CVE-2019-5065 (An exploitable information disclosure vulnerability exists in the CVE-2019-5064 (An exploitable heap buffer overflow vulnerability exists in the data s ...) [experimental] - opencv 4.2.0+dfsg-1 - opencv + [jessie] - opencv (The vulnerable code was introduced later) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0853 NOTE: Fixed by: https://github.com/opencv/opencv/commit/f42d5399aac80d371b17d689851406669c9b9111 (4.2.0) CVE-2019-5063 (An exploitable heap buffer overflow vulnerability exists in the data s ...) [experimental] - opencv 4.2.0+dfsg-1 - opencv + [jessie] - opencv (The vulnerable code was introduced later) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0852 NOTE: Fixed by: https://github.com/opencv/opencv/commit/f42d5399aac80d371b17d689851406669c9b9111 (4.2.0) CVE-2019-5062 (An exploitable denial-of-service vulnerability exists in the 802.11w s ...) = data/dla-needed.txt = 
@@ -35,6 +35,9 @@ ibus (Emilio) NOTE: 20191210: See https://bugs.debian.org/941018 NOTE: 20191210: See https://gitlab.gnome.org/GNOME/glib/merge_requests/1176 -- +jackson-databind + NOTE: 20200105: Can be postponed again. (apo) +-- libexif (Hugo Lefeuvre) NOTE: 2019: Contacted upstream for relevant commits of CVE-2019-9278. (utkarsh2102) NOTE: 20191114: Pinged upstream; just have the Android patch yet. (utkarsh2102) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/32e9820562eeb76858a6f8f203697e1e40716087...7a5a1a56c523185e399638e6f38611dea4ee828d
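Review bot: `NOTE: 20200105: Can be postponed again. (apo)` names neither the jackson-databind CVE(s) it refers to nor the reason postponing is acceptable, while the surrounding entries record their reasoning (the libexif notes name CVE-2019-9278 and the state of the upstream patch, the ibus notes point to a bug and a merge request). Suggest listing the CVE ids and the justification (minor issue, no upstream fix, etc.) so the entry can be acted on later without re-triaging.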
[Git][security-tracker-team/security-tracker][master] 2 commits: Add gthumb to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 731a3bef by Markus Koschany at 2020-01-04T23:42:28+01:00 Add gthumb to dla-needed.txt - - - - - 32e98205 by Markus Koschany at 2020-01-04T23:43:41+01:00 CVE-2019-20205,libsixel: Mark as no-dsa for Jessie. Minor issue - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -929,6 +929,7 @@ CVE-2019-20205 (libsixel 1.8.4 has an integer overflow in sixel_frame_resize in - libsixel (low; bug #948103) [buster] - libsixel (Minor issue) [stretch] - libsixel (Minor issue) + [jessie] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/127 CVE-2019-20204 (The Postie plugin 1.9.40 for WordPress allows XSS, as demonstrated by ...) NOT-FOR-US: Postie plugin for WordPress = data/dla-needed.txt = @@ -28,6 +28,8 @@ git (Roberto C. Sánchez) -- graphicsmagick -- +gthumb +-- ibus (Emilio) NOTE: 20191210: Requires glib2.0 to be patched also. NOTE: 20191210: See https://bugs.debian.org/941018 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/e9aec6644d2c641ad4505c92dfe5b15685f66a82...32e9820562eeb76858a6f8f203697e1e40716087
[Git][security-tracker-team/security-tracker][master] CVE-2019-20176,pure-ftpd: Mark as no-dsa for Jessie
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: f097cfc3 by Markus Koschany at 2020-01-04T19:23:19+01:00 CVE-2019-20176,pure-ftpd: Mark as no-dsa for Jessie Minor issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1092,6 +1092,7 @@ CVE-2019-20176 (In Pure-FTPd 1.0.49, a stack exhaustion issue was discovered in - pure-ftpd 1.0.49-2 (low; bug #947869) [buster] - pure-ftpd (Minor issue) [stretch] - pure-ftpd (Minor issue) + [jessie] - pure-ftpd (Minor issue) NOTE: https://github.com/jedisct1/pure-ftpd/commit/aea56f4bcb9948d456f3fae4d044fd3fa2e19706 CVE-2019-20175 (** DISPUTED ** An issue was discovered in ide_dma_cb() in hw/ide/core. ...) - qemu (unimportant) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f097cfc3e4efbae4f1e36dbc083c17eea299795f
[Git][security-tracker-team/security-tracker][master] CVE-2019-20079,vim: Jessie is not affected
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: b89cbb9e by Markus Koschany at 2020-01-02T00:51:44+01:00 CVE-2019-20079,vim: Jessie is not affected The vulnerable code was introduced later - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2763,6 +2763,7 @@ CVE-2019-20080 RESERVED CVE-2019-20079 (The autocmd feature in window.c in Vim before 8.1.2136 accesses freed ...) - vim 2:8.1.2136-1 + [jessie] - vim (vulnerable code was introduced later) NOTE: https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421 CVE-2019-20078 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b89cbb9ec4f1f15692b0a4171fa19433dddaf786
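Review bot: the added `[jessie] - vim (vulnerable code was introduced later)` uses a lower-case comment without the article, while the same annotation elsewhere in this batch reads `(The vulnerable code was introduced later)` (the pillow and opencv entries). Using one spelling for this standard reason keeps the entries consistent and easy to grep in data/CVE/list.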
[Git][security-tracker-team/security-tracker][master] Add xerces-c to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 868ff32c by Markus Koschany at 2019-12-31T17:54:54Z Add xerces-c to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -141,6 +141,9 @@ xcftools (Hugo Lefeuvre) -- xen -- +xerces-c + NOTE: 20191231: There is no upstream patch yet. (apo) +-- yara NOTE: 20191212: no upstream fix yet -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/868ff32cf8796da89b64bf4dd924e2375466d5f0