[Git][security-tracker-team/security-tracker][master] Update Python3.4 DLA status
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: e8ccb3ce by Brian May at 2019-01-19T23:08:03Z Update Python3.4 DLA status Progress slower than expected due to unexpected cold. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -102,6 +102,7 @@ policykit-1 (Emilio) python3.4 (Brian May) NOTE: 20181225: The update should include also the postponed and no-dsa NOTE: issues which were already fixed by us in Wheezy. (apo) + NOTE: 20190120: Have patched all known vulnerabilies, now testing. -- qemu (Hugo Lefeuvre) NOTE: CVE-2018-19665: no practical exploit at the moment + patch quite big (but easy to review, though) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e8ccb3cec041d0d3a1ad1ef1060e082fdee8e50f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e8ccb3cec041d0d3a1ad1ef1060e082fdee8e50f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
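Review bot: the added NOTE line in the python3.4 hunk misspells "vulnerabilities" as "vulnerabilies"; suggest `NOTE: 20190120: Have patched all known vulnerabilities, now testing.` so the dla-needed.txt entry reads cleanly for the next person picking it up.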
[Git][security-tracker-team/security-tracker][master] Changed decision about nettle update.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: eaf26e42 by Ola Lundqvist at 2019-01-19T22:42:58Z Changed decision about nettle update. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -23347,12 +23347,11 @@ CVE-2018-16870 (It was found that wolfssl before 3.15.7 is vulnerable to a new v NOTE: https://github.com/wolfSSL/wolfssl/pull/1950 CVE-2018-16869 (A Bleichenbacher type side-channel based padding oracle attack was ...) - nettle 3.4.1~rc1-1 - [jessie] - nettle (Not important enough, see note below) NOTE: http://cat.eyalro.net/ NOTE: https://lists.lysator.liu.se/pipermail/nettle-bugs/2018/007363.html NOTE: The upstream correction is to make a new public function that packages using - NOTE: nettle can use. The new function has a 60% performance penalty. Since all packages - NOTE: using nettle needs to be updated it is not suitable for an oldstable update. + NOTE: nettle can use. This means that fixing this CVE does not solve anything on its + NOTE: own, but it is a pre-requisite for fixing other CVEs like CVE-2018-16868. CVE-2018-16868 (A Bleichenbacher type side-channel based padding oracle attack was ...) [experimental] - gnutls28 3.6.5-1 - gnutls28 3.6.5-2 @@ -23360,6 +23359,8 @@ CVE-2018-16868 (A Bleichenbacher type side-channel based padding oracle attack w NOTE: http://cat.eyalro.net/ NOTE: https://gitlab.com/gnutls/gnutls/issues/630 NOTE: https://gitlab.com/gnutls/gnutls/merge_requests/832 + NOTE: CVE-2018-16869 must be fixed first and a new build dependency on this new + NOTE: nettle version. CVE-2018-16867 (A flaw was found in qemu Media Transfer Protocol (MTP) before version ...) - qemu 1:3.1+dfsg-1 (bug #915884) - qemu-kvm = data/dla-needed.txt = 
@@ -76,6 +76,9 @@ linux-4.9 (Ben Hutchings) -- mxml (Abhijith PA) -- +nettle (Ola Lundqvist) + NOTE: 20190119: Prerequisite for gnutls28 being fixed. +-- nss NOTE: 20181212: Bug report not public but it is likely that the package is vulnerable. Maintainer not contacted NOTE: 20181212: yet. Further investigation needed. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/eaf26e427177be8ac2660c56a80de14a32a9377d
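Review bot: the NOTE added to the CVE-2018-16868 entry in the data/CVE/list hunk is missing a verb: "CVE-2018-16869 must be fixed first and a new build dependency on this new nettle version" does not say what is to happen with the build dependency. Suggest `NOTE: CVE-2018-16869 must be fixed first and a new build dependency on that` / `NOTE: nettle version must be added to gnutls28.` The accompanying removal of the `[jessie] - nettle (Not important enough, see note below)` tag is consistent with the new dla-needed.txt entry for nettle, so no further change is needed there.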
[Git][security-tracker-team/security-tracker][master] CVE-2018-1002208/mono addressed with 5.18.0.240+dfsg-1 upload to unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5d4b0161 by Salvatore Bonaccorso at 2019-01-19T22:41:51Z CVE-2018-1002208/mono addressed with 5.18.0.240+dfsg-1 upload to unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29232,7 +29232,7 @@ CVE-2017-18344 (The timer_create syscall implementation in kernel/time/posix-tim CVE-2018-14597 (CA Technologies Identity Governance 12.6, 14.0, 14.1, and 14.2 and CA ...) NOT-FOR-US: CA Technologies Identity Governance CVE-2018-1002208 (sharplibzip before 1.0 RC1 is vulnerable to directory traversal, ...) - - mono + - mono 5.18.0.240+dfsg-1 [stretch] - mono (Minor issue) [jessie] - mono (Minor issue) - mono-reference-assemblies (unimportant) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5d4b0161fa87963bcef3ccb02b534f29c49c80ca
[Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d07559e0 by Salvatore Bonaccorso at 2019-01-19T22:31:11Z Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,7 @@ CVE-2019-6497 (Hotels_Server through 2018-11-05 has SQL Injection via the ...) TODO: check CVE-2019-6496 (The ThreadX-based firmware on Marvell Avastar Wi-Fi devices allows ...) - TODO: check + NOT-FOR-US: ThreadX-based firmware on Marvell Avastar Wi-Fi devices CVE-2019-6495 RESERVED CVE-2019-6494 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d07559e0f73c5a1b18a794f362fa9e0403b816b4
[Git][security-tracker-team/security-tracker][master] Nettle conclusion.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 3e2f429c by Ola Lundqvist at 2019-01-19T22:14:49Z Nettle conclusion. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -23347,8 +23347,12 @@ CVE-2018-16870 (It was found that wolfssl before 3.15.7 is vulnerable to a new v NOTE: https://github.com/wolfSSL/wolfssl/pull/1950 CVE-2018-16869 (A Bleichenbacher type side-channel based padding oracle attack was ...) - nettle 3.4.1~rc1-1 + [jessie] - nettle (Not important enough, see note below) NOTE: http://cat.eyalro.net/ NOTE: https://lists.lysator.liu.se/pipermail/nettle-bugs/2018/007363.html + NOTE: The upstream correction is to make a new public function that packages using + NOTE: nettle can use. The new function has a 60% performance penalty. Since all packages + NOTE: using nettle needs to be updated it is not suitable for an oldstable update. CVE-2018-16868 (A Bleichenbacher type side-channel based padding oracle attack was ...) [experimental] - gnutls28 3.6.5-1 - gnutls28 3.6.5-2 = data/dla-needed.txt = @@ -76,8 +76,6 @@ linux-4.9 (Ben Hutchings) -- mxml (Abhijith PA) -- -nettle (Ola Lundqvist) --- nss NOTE: 20181212: Bug report not public but it is likely that the package is vulnerable. Maintainer not contacted NOTE: 20181212: yet. Further investigation needed. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3e2f429cc34e5243eabb25efb5fda7310ddb3618
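Review bot: in the CVE-2018-16869 hunk the third added NOTE line has a subject-verb disagreement, "Since all packages using nettle needs to be updated"; suggest `NOTE: using nettle need to be updated it is not suitable for an oldstable update.` It would also help a later reader if the rationale mentioned that the gnutls28 fix for CVE-2018-16868, listed directly below, depends on this new nettle function, since that dependency is what makes the "not important enough" call worth revisiting.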
[Git][security-tracker-team/security-tracker][master] 2 commits: Add todo/note for CVE-2019-6256/liblivemedia
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 113e87fb by Salvatore Bonaccorso at 2019-01-19T22:11:18Z Add todo/note for CVE-2019-6256/liblivemedia The addition of 2018.11.26-1 was based on reproducibility of the issue. We have no proof yet on where the fix actually lies so add at least here a todo for further checking given the maintainers are confident the issue is fixed in the newest version. We would need to isolate the fix, and secondly pinpoint to the exact version addressing the issue in sid. - - - - - 9b37c29f by Salvatore Bonaccorso at 2019-01-19T22:12:16Z Revert Triage results. This reverts commit 2558c51f7986177185e47a8e2f5fee3a1430f1ed. The issue was addressed in DLA-1632-1 for jessie, thus adding the ignored causes more confusion. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -639,6 +639,7 @@ CVE-2019-6257 (A Server Side Request Forgery (SSRF) vulnerability in elFinder be CVE-2019-6256 (A Denial of Service issue was discovered in the LIVE555 Streaming Media ...) - liblivemedia 2018.11.26-1 (bug #919529) NOTE: https://github.com/rgaufman/live555/issues/19 + TODO: not entirely clear if 2018.11.26-1 is really the fixing version, cf. #919529 CVE-2019-6255 RESERVED CVE-2019-6254 
@@ -13056,7 +13057,6 @@ CVE-2018-19758 (There is a heap-based buffer over-read at wav.c in wav_write_hea {DLA-1632-1} - libsndfile (bug #917416) [stretch] - libsndfile (Minor issue) - [jessie] - libsndfile (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1643812 NOTE: https://github.com/erikd/libsndfile/issues/435 NOTE: https://github.com/erikd/libsndfile/commit/42132c543358cee9f7c3e9e9b15bb6c1063a608e View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/2558c51f7986177185e47a8e2f5fee3a1430f1ed...9b37c29fe1143f18ba20b7eb6e27b7be46c5fd3d
[Git][security-tracker-team/security-tracker][master] Triage results.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 2558c51f by Ola Lundqvist at 2019-01-19T22:02:31Z Triage results. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13056,6 +13056,7 @@ CVE-2018-19758 (There is a heap-based buffer over-read at wav.c in wav_write_hea {DLA-1632-1} - libsndfile (bug #917416) [stretch] - libsndfile (Minor issue) + [jessie] - libsndfile (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1643812 NOTE: https://github.com/erikd/libsndfile/issues/435 NOTE: https://github.com/erikd/libsndfile/commit/42132c543358cee9f7c3e9e9b15bb6c1063a608e View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2558c51f7986177185e47a8e2f5fee3a1430f1ed
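Review bot: the added `[jessie] - libsndfile (Minor issue)` contradicts the `{DLA-1632-1}` reference already on the CVE-2018-19758 entry, which records that jessie was fixed through that DLA; a no-dsa style tag on a suite that already received a fix makes the tracker report the wrong status for jessie. Suggest dropping the added line and, if the intent was to record a triage decision for a different suite, tagging that suite instead.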
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-6240/gitlab
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 71b50ec6 by Salvatore Bonaccorso at 2019-01-19T21:58:20Z Add Debian bug reference for CVE-2019-6240/gitlab - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -689,7 +689,7 @@ CVE-2019-6241 RESERVED CVE-2019-6240 [Arbitrary repo read in Gitlab project import] RESERVED - - gitlab + - gitlab (bug #919822) NOTE: https://about.gitlab.com/2019/01/16/critical-security-release-gitlab-11-dot-6-dot-4-released/ CVE-2018-20699 (Docker Engine before 18.09 allows attackers to cause a denial of ...) - docker.io View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/71b50ec6ba43e116b32b983fd54df36f91a967ba
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-2435/mysql-connector-python
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 226323e0 by Salvatore Bonaccorso at 2019-01-19T21:53:06Z Add Debian bug reference for CVE-2019-2435/mysql-connector-python - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10208,7 +10208,7 @@ CVE-2019-2437 (Vulnerability in the Oracle Solaris component of Oracle Sun Syste CVE-2019-2436 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - mysql-5.7 (Specific to 8) CVE-2019-2435 (Vulnerability in the MySQL Connectors component of Oracle MySQL ...) - - mysql-connector-python + - mysql-connector-python (bug #919820) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html#CVE-2019-2435 CVE-2019-2434 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - mysql-5.7 (bug #919817) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/226323e03cac0044780146e32fa6fa8ea2e57bf4
[Git][security-tracker-team/security-tracker][master] Update notes on CVE-2019-3815/systemd
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e13356e by Salvatore Bonaccorso at 2019-01-19T21:50:22Z Update notes on CVE-2019-3815/systemd The CVE is affecting specifically our backport of the CVE-2018-16864 fix for stretch which was based on both upstream's and Red Hat's backport work for v219. Details in the regression fix at https://lists.debian.org/debian-security-announce/2019/msg8.html . - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5783,12 +5783,14 @@ CVE-2019-3817 RESERVED CVE-2019-3816 RESERVED -CVE-2019-3815 +CVE-2019-3815 [systemd: memory leak in journald-server.c introduced by fix for CVE-2018-16864] RESERVED - systemd (This only affected backports to older suites, not the version in sid) [stretch] - systemd 232-25+deb9u8 - NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3815 + [jessie] - systemd (Broken fix for CVE-2018-16864 not applied) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=190 NOTE: For stable it affected DSA-4367-1 and was corrected in DSA-4367-2 + NOTE: specifically the backport of the fix for CVE-2018-16864. CVE-2019-3814 RESERVED CVE-2019-3813 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9e13356ebe28dd61cf418f814688fc5960e10118
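Review bot: the replacement Red Hat bugzilla reference in the CVE-2019-3815 hunk, `+ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=190`, carries a three-digit bug id, which is far shorter than the seven-digit ids used elsewhere in this file (for example `show_bug.cgi?id=1659862`); please verify the id before merging, as the line it replaces (`show_bug.cgi?id=CVE-2019-3815`) at least pointed at the CVE by alias. The new `[jessie] - systemd (Broken fix for CVE-2018-16864 not applied)` tag and the continuation NOTE line are fine.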
[Git][security-tracker-team/security-tracker][master] Simplify note for CVE-2018-16883 for affected version information
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 85a08a3b by Salvatore Bonaccorso at 2019-01-19T21:45:54Z Simplify note for CVE-2018-16883 for affected version information - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23285,7 +23285,7 @@ CVE-2018-16884 (A flaw was found in the Linux kernel's NFS41+ subsystem. NFS41+ CVE-2018-16883 (sssd versions from 1.13.0 to before 2.0.0 did not properly restrict ...) - sssd (bug #916824) [stretch] - sssd (Minor issue) - [jessie] - sssd (Issue got introduced with 1.13.0, jessie has 1.11.7) + [jessie] - sssd (Issue got introduced with 1.13.0) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1659862 NOTE: Fixed in upstream 2.0.0 while refactoring code NOTE: Fixed by https://pagure.io/SSSD/sssd/c/fbe2476a3dd9be83ffa85c29dca26f734618d72d?branch=master View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/85a08a3b5e8c35e2b741c6a2ddbbd93641d8db8a
[Git][security-tracker-team/security-tracker][master] Reverse order of listing: kbuild embeds make-dfsg
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7d1aaa46 by Salvatore Bonaccorso at 2019-01-19T21:44:15Z Reverse order of listing: kbuild embeds make-dfsg - - - - - 1 changed file: - data/embedded-code-copies Changes: = data/embedded-code-copies = @@ -3436,5 +3436,5 @@ nbis (not packaged, https://www.nist.gov/services-resources/software/nist-biomet igraph - r-cran-igraph (embed) -kbuild - - make-dfsg (embed; bug #919295) +make-dfsg + - kbuild (embed; bug #919295) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7d1aaa46ed56a47641405929075892b0032533bc
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for mysql-5.7 issues from Oracle CPU Jan 2019
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 467b80aa by Salvatore Bonaccorso at 2019-01-19T21:20:41Z Add Debian bug reference for mysql-5.7 issues from Oracle CPU Jan 2019 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9982,25 +9982,25 @@ CVE-2019-2539 (Vulnerability in the MySQL Server component of Oracle MySQL ...) CVE-2019-2538 (Vulnerability in the Oracle Managed File Transfer component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2537 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - - mysql-5.7 + - mysql-5.7 (bug #919817) CVE-2019-2536 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - mysql-5.7 (Specific to 8) CVE-2019-2535 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - mysql-5.7 (Specific to 8) CVE-2019-2534 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - - mysql-5.7 + - mysql-5.7 (bug #919817) CVE-2019-2533 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - mysql-5.7 (Specific to 8.x) CVE-2019-2532 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - - mysql-5.7 + - mysql-5.7 (bug #919817) CVE-2019-2531 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - - mysql-5.7 + - mysql-5.7 (bug #919817) CVE-2019-2530 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - mysql-5.7 (Specific to 8) CVE-2019-2529 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - - mysql-5.7 + - mysql-5.7 (bug #919817) CVE-2019-2528 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - - mysql-5.7 + - mysql-5.7 (bug #919817) CVE-2019-2527 (Vulnerability in the Oracle VM VirtualBox component of Oracle ...) - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) 
@@ -10045,7 +10045,7 @@ CVE-2019-2511 (Vulnerability in the Oracle VM VirtualBox component of Oracle ... - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2510 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - - mysql-5.7 + - mysql-5.7 (bug #919817) CVE-2019-2509 (Vulnerability in the Oracle VM VirtualBox component of Oracle ...) - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) @@ -10053,7 +10053,7 @@ CVE-2019-2508 (Vulnerability in the Oracle VM VirtualBox component of Oracle ... - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2507 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - - mysql-5.7 + - mysql-5.7 (bug #919817) CVE-2019-2506 (Vulnerability in the Oracle VM VirtualBox component of Oracle ...) - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) @@ -10064,7 +10064,7 @@ CVE-2019-2504 (Vulnerability in the Oracle VM VirtualBox component of Oracle ... - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2503 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - - mysql-5.7 + - mysql-5.7 (bug #919817) CVE-2019-2502 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - mysql-5.7 (Specific to 8) CVE-2019-2501 (Vulnerability in the Oracle VM VirtualBox component of Oracle ...) @@ -10100,7 +10100,7 @@ CVE-2019-2488 (Vulnerability in the Oracle CRM Technical Foundation component of CVE-2019-2487 (Vulnerability in the Oracle Transportation Management component of ...) NOT-FOR-US: Oracle CVE-2019-2486 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - - mysql-5.7 + - mysql-5.7 (bug #919817) CVE-2019-2485 (Vulnerability in the Oracle Mobile Field Service component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2484 
@@ -10108,9 +10108,9 @@ CVE-2019-2484 CVE-2019-2483 RESERVED CVE-2019-2482 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - - mysql-5.7 + - mysql-5.7 (bug #919817) CVE-2019-2481 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - - mysql-5.7 + - mysql-5.7 (bug #919817) CVE-2019-2480 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2479 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) @@ -10162,7 +10162,7 @@ CVE-2019-2457 (Vulnerability in the Oracle Outside In Technology component of Or CVE-2019-2456 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2455 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - - mysql-5.7 + - mysql-5.7 (bug #919817) CVE-2019-2454 RESERVED
[Git][security-tracker-team/security-tracker][master] Add fixed version for three CVEs for mupdf fixed via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b9a50504 by Salvatore Bonaccorso at 2019-01-19T21:16:31Z Add fixed version for three CVEs for mupdf fixed via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -917,11 +917,11 @@ CVE-2019-6133 (In PolicyKit (aka polkit) 0.115, the start time prote CVE-2019-6132 (An issue was discovered in Bento4 v1.5.1-627. There is a memory leak in ...) NOT-FOR-US: Bento4 CVE-2019-6131 (svg-run.c in Artifex MuPDF 1.14.0 has infinite recursion with stack ...) - - mupdf (bug #918970) + - mupdf 1.14.0+ds1-3 (bug #918970) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700442 NOTE: http://www.ghostscript.com/cgi-bin/findgit.cgi?c8f7e48ff74720a5e984ae19d978a5ab4d5dde5b CVE-2019-6130 (Artifex MuPDF 1.14.0 has a SEGV in the function fz_load_page of the ...) - - mupdf (bug #918971) + - mupdf 1.14.0+ds1-3 (bug #918971) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700446 NOTE: http://www.ghostscript.com/cgi-bin/findgit.cgi?faf47b94e24314d74907f3f6bc874105f2c962ed CVE-2019-6129 (png_create_info_struct in png.c in libpng 1.6.36 has a memory leak, as ...) 
@@ -18737,7 +18737,7 @@ CVE-2018-18664 CVE-2018-18663 RESERVED CVE-2018-18662 (There is an out-of-bounds read in fz_run_t3_glyph in fitz/font.c in ...) - - mupdf (bug #912013) + - mupdf 1.14.0+ds1-3 (bug #912013) [jessie] - mupdf (vulnerable code introduced later) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700043 NOTE: http://git.ghostscript.com/?p=mupdf.git;h=164ddc22ee0d5b63a81d5148f44c37dd132a9356 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b9a505041a96a3f9fad4a2f61bdb090f3e74154c
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2018-16884/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f71ec333 by Salvatore Bonaccorso at 2019-01-19T21:07:24Z Add fixed version for CVE-2018-16884/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23278,7 +23278,7 @@ CVE-2018-16885 (A flaw was found in the Linux kernel that allows the userspace t - linux NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1661503 CVE-2018-16884 (A flaw was found in the Linux kernel's NFS41+ subsystem. NFS41+ shares ...) - - linux + - linux 4.19.16-1 NOTE: https://patchwork.kernel.org/cover/10733767/ NOTE: https://patchwork.kernel.org/patch/10733769/ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1660375 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f71ec3331805c1ab2d5e15c7fbed254299fd4863
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6f37172d by security tracker role at 2019-01-19T20:10:14Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2019-6497 (Hotels_Server through 2018-11-05 has SQL Injection via the ...) + TODO: check +CVE-2019-6496 (The ThreadX-based firmware on Marvell Avastar Wi-Fi devices allows ...) + TODO: check +CVE-2019-6495 + RESERVED CVE-2019-6494 RESERVED CVE-2019-6493 @@ -18168,8 +18174,8 @@ CVE-2018-18910 RESERVED CVE-2018-18909 (xhEditor 1.2.2 allows XSS via JavaScript code in the SRC attribute of ...) NOT-FOR-US: xhEditor -CVE-2018-18908 - RESERVED +CVE-2018-18908 (The Sky Go Desktop application 1.0.19-1 through 1.0.23-1 for Windows ...) + TODO: check CVE-2018-18907 RESERVED CVE-2018-18906 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6f37172db958509005d9eebe6217096c49c13a44
[Git][security-tracker-team/security-tracker][master] 2 commits: dla: poppler already triaged no-dsa for jessie
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 2d4a0193 by Emilio Pozuelo Monfort at 2019-01-19T12:46:27Z dla: poppler already triaged no-dsa for jessie - - - - - 68e99472 by Emilio Pozuelo Monfort at 2019-01-19T12:48:06Z dla: add note for policykit-1 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -96,11 +96,7 @@ polarssl NOTE: 20121207: Not 100% sure if vulnerable. Upstream would prefer us to move to latest version, etc. (!). (lamby) -- policykit-1 (Emilio) - NOTE: 20181207: jessie vulnerable to CVE-2018-19788? unable to reproduce systemctl poc (Santiago) - NOTE: 20181230: needs source code analysis --- -poppler - NOTE: 20190116: CVE-2018-20650 is easy to fix, not yet triage for stretch, probably no-dsa + NOTE: 20190119: fix for CVE-2018-19788 not fully functional, investigating complete fix -- python3.4 (Brian May) NOTE: 20181225: The update should include also the postponed and no-dsa View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/642cad9a3a7f18dc404ff254d394d807236cbff7...68e9947213bbc6082864c0601da3149d7526663f
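Review bot: the policykit-1 hunk drops the two earlier dated NOTE lines (20181207 on the unreproduced systemctl PoC and 20181230 on the need for source analysis) while adding the 20190119 status; since dla-needed.txt notes are normally appended so the triage history stays readable, consider keeping the earlier two lines above the new one unless they are known to be obsolete. Removing the poppler entry is fine given the commit message states jessie was already triaged no-dsa.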
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 642cad9a by security tracker role at 2019-01-19T08:10:10Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,27 @@ +CVE-2019-6494 + RESERVED +CVE-2019-6493 + RESERVED +CVE-2019-6492 + RESERVED +CVE-2019-6491 + RESERVED +CVE-2019-6490 + RESERVED +CVE-2019-6489 + RESERVED +CVE-2018-20741 + RESERVED +CVE-2018-20740 + RESERVED +CVE-2018-20739 + RESERVED +CVE-2018-20738 + RESERVED +CVE-2018-20737 + RESERVED +CVE-2018-20736 + RESERVED CVE-2019-6488 (The string component in the GNU C Library (aka glibc or libc6) through ...) - glibc (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24097 @@ -5847,12 +5871,12 @@ CVE-2019-3776 RESERVED CVE-2019-3775 RESERVED -CVE-2019-3774 - RESERVED -CVE-2019-3773 - RESERVED -CVE-2019-3772 - RESERVED +CVE-2019-3774 (Spring Batch versions 3.0.9, 4.0.1, 4.1.0, and older unsupported ...) + TODO: check +CVE-2019-3773 (Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported ...) + TODO: check +CVE-2019-3772 (Spring Integration (spring-integration-xml and spring-integration-ws ...) + TODO: check CVE-2019-3771 RESERVED CVE-2019-3770 @@ -7979,8 +8003,8 @@ CVE-2018-20235 RESERVED CVE-2018-20234 RESERVED -CVE-2018-20233 - RESERVED +CVE-2018-20233 (The Upload add-on resource in Atlassian Universal Plugin Manager ...) + TODO: check CVE-2018-20232 RESERVED CVE-2018-20231 (Cross Site Request Forgery (CSRF) in the two-factor-authentication ...) @@ -26204,8 +26228,8 @@ CVE-2018-15786 REJECTED CVE-2018-15785 REJECTED -CVE-2018-15784 - RESERVED +CVE-2018-15784 (Dell Networking OS10 versions prior to 10.4.3.0 contain a ...) + TODO: check CVE-2018-15783 REJECTED CVE-2018-15782 (The Quick Setup component of RSA Authentication Manager versions prior ...) 
@@ -34649,10 +34673,10 @@ CVE-2017-18334 RESERVED CVE-2017-18333 RESERVED -CVE-2017-18332 - RESERVED -CVE-2017-18331 - RESERVED +CVE-2017-18332 (Security keys are logged when any WCDMA call is configured or ...) + TODO: check +CVE-2017-18331 (Improper access control on secure display buffers in snapdragon ...) + TODO: check CVE-2017-18330 (Buffer overflow in AES-CCM and AES-GCM encryption via initialization ...) NOT-FOR-US: snapdragon CVE-2017-18329 (Possible Buffer overflow when transmitting an RTP packet in snapdragon ...) @@ -35999,10 +36023,10 @@ CVE-2018-12001 RESERVED CVE-2018-12000 RESERVED -CVE-2018-11999 - RESERVED -CVE-2018-11998 - RESERVED +CVE-2018-11999 (Improper input validation in trustzone can lead to denial of service ...) + TODO: check +CVE-2018-11998 (While processing a packet decode request in MQTT, Race condition can ...) + TODO: check CVE-2018-11997 RESERVED CVE-2018-11996 (When a malformed command is sent to the device programmer, an ...) @@ -36011,8 +36035,8 @@ CVE-2018-11995 (In all android releases(Android for MSM, Firefox OS for MSM, QRD NOT-FOR-US: Qualcomm components for Android CVE-2018-11994 (SMMU secure camera logic allows secure camera controllers to access ...) NOT-FOR-US: Qualcomm components for Android -CVE-2018-11993 - RESERVED +CVE-2018-11993 (Improper check while accessing the local memory stack on MQTT ...) + TODO: check CVE-2018-11992 RESERVED CVE-2018-11991 @@ -37944,8 +37968,7 @@ CVE-2018-11290 (In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM NOT-FOR-US: Qualcomm components for Android CVE-2018-11289 RESERVED -CVE-2018-11288 - RESERVED +CVE-2018-11288 (Possible undefined behavior due to lack of size check in function for ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11287 (In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, ...) NOT-FOR-US: Qualcomm components for Android 
@@ -37953,8 +37976,8 @@ CVE-2018-11286 (In all android releases (Android for MSM, Firefox OS for MSM, QR NOT-FOR-US: Qualcomm components for Android CVE-2018-11285 (In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, ...) NOT-FOR-US: Qualcomm components for Android -CVE-2018-11284 - RESERVED +CVE-2018-11284 (Spoofed SMS can be used to send a large number of messages to the ...) + TODO: check CVE-2018-11283 RESERVED CVE-2018-11282 @@ -37963,8 +37986,8 @@ CVE-2018-11281 (In all android releases (Android for MSM, Firefox OS for MSM, QR NOT-FOR-US: Qualcomm components for Android CVE-2018-11280 (In all android releases (Android for MSM, Firefox OS for MSM,