[Git][security-tracker-team/security-tracker][master] Add CVE-2018-12022/jackson-databind
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ba93952 by Salvatore Bonaccorso at 2019-01-31T07:48:17Z Add CVE-2018-12022/jackson-databind - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -37776,8 +37776,11 @@ CVE-2018-12023 [improper polymorphic deserialization of types from Oracle JDBC d - jackson-databind 2.9.8-1 NOTE: https://github.com/FasterXML/jackson-databind/issues/2058 NOTE: https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a1 -CVE-2018-12022 +CVE-2018-12022 [improper polymorphic deserialization of types from Jodd-db library] RESERVED + - jackson-databind 2.9.8-1 + NOTE: https://github.com/FasterXML/jackson-databind/issues/2052 + NOTE: https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a1 CVE-2018-12021 (Singularity 2.3.0 through 2.5.1 is affected by an incorrect access ...) - singularity-container 2.5.2-1 NOTE: https://github.com/singularityware/singularity/releases/tag/2.5.2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1ba939525dd019d9b09a615c3aa0e50d4df99b50 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1ba939525dd019d9b09a615c3aa0e50d4df99b50 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
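Review bot: the new CVE-2018-12022 entry and the CVE-2018-12023 entry shown in its context lines cite the same upstream fix commit 7487cf7eb14be2f65a1eb108e8629c07ef45e0a1 and the same fixed version 2.9.8-1; a one-line NOTE that this single commit blocks both the Jodd-db and the Oracle JDBC gadget types would stop a backporter from reading a partial cherry-pick of it as closing only one of the two CVEs. Neither entry carries a [stretch] line yet, so stretch is implicitly tracked as affected until a no-dsa/postponed or not-affected decision is recorded.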
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-12023/jackson-databind
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9577b5b1 by Salvatore Bonaccorso at 2019-01-31T07:46:15Z Add CVE-2018-12023/jackson-databind - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -37771,8 +37771,11 @@ CVE-2018-12025 (The transferFrom function of a smart contract implementation for NOT-FOR-US: FuturXE CVE-2018-12024 RESERVED -CVE-2018-12023 +CVE-2018-12023 [improper polymorphic deserialization of types from Oracle JDBC driver] RESERVED + - jackson-databind 2.9.8-1 + NOTE: https://github.com/FasterXML/jackson-databind/issues/2058 + NOTE: https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a1 CVE-2018-12022 RESERVED CVE-2018-12021 (Singularity 2.3.0 through 2.5.1 is affected by an incorrect access ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9577b5b1fa6ed05dedcbd0bc7053ca9dde0b93e9
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-5782/chromium
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bc5a48da by Salvatore Bonaccorso at 2019-01-31T07:44:07Z Add CVE-2019-5782/chromium - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3276,6 +3276,7 @@ CVE-2019-5783 RESERVED CVE-2019-5782 RESERVED + - chromium CVE-2019-5781 RESERVED - chromium View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bc5a48da82579e31266832db3f0670b1739b45d7
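Review bot: a bare `- chromium` line with no fixed version, bug reference or NOTE, mirroring the CVE-2019-5781 entry in the context lines, is acceptable as a placeholder while the CVE is still RESERVED, but it leaves nothing to re-check against later; a NOTE pointing at the upstream Chrome release advisory, as other tracker entries carry, would let the fixed version be filled in as soon as the description is published.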
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-6690/python-gnupg
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8c05f5a5 by Salvatore Bonaccorso at 2019-01-31T07:42:18Z Add CVE-2019-6690/python-gnupg - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1156,8 +1156,12 @@ CVE-2019-6692 RESERVED CVE-2019-6691 (phpwind 9.0.2.170426 UTF8 allows SQL Injection via the ...) NOT-FOR-US: phpwind -CVE-2019-6690 +CVE-2019-6690 [improper input validation in gnupg.GPG.encrypt() and gnupg.GPG.decrypt()] RESERVED + - python-gnupg 0.4.4-1 + NOTE: https://github.com/stigtsp/CVE-2019-6690-python-gnupg-vulnerability + NOTE: https://github.com/vsajip/python-gnupg/commit/39eca266dd837e2ad89c94eb17b7a6f50b25e7cf#diff-88b99bb28683bd5b7e3a204826ead112 + NOTE: https://github.com/vsajip/python-gnupg/commit/3003b654ca1c29b0510a54b9848571b3ad57df19#diff-88b99bb28683bd5b7e3a204826ead112 CVE-2018-1000997 (A path traversal vulnerability exists in the Stapler web framework ...) NOT-FOR-US: Jenkins CVE-2019-6689 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8c05f5a530cdd6b1252c4f82cc6749e275c43c5b
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-7147/nasm
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 34561db0 by Salvatore Bonaccorso at 2019-01-31T07:38:59Z Add CVE-2019-7147/nasm - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -183,7 +183,8 @@ CVE-2019-7148 (An attempted excessive memory allocation was discovered in the fu NOTE: malloc can fail on invalid file, but "nothing" bad with security implication will NOTE: happen, negligible security impact. CVE-2019-7147 (A buffer over-read exists in the function crc64ib in crc64.c in nasmlib ...) - TODO: check + - nasm (Vulnerable code introduced later) + NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392544 CVE-2019-7146 (In elfutils 0.175, there is a buffer over-read in the ebl_object_note ...) - elfutils (bug #920911) [stretch] - elfutils (Vulnerable code introduced in 0.175) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/34561db06c119366bff15508a3a7537b196613f8
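Review bot: the new `- nasm (Vulnerable code introduced later)` line shows no status marker between the package name and the parenthesised reason. The tracker expresses this state with `<not-affected>`; the neighbouring elfutils `[stretch]` context line has the same shape, so both may simply have lost the angle-bracket tag in this mail rendering, but if the marker really is absent in data/CVE/list the line is read as an unfixed entry and nasm is reported as vulnerable. It would also help to name the upstream version in which the over-read was introduced, as the elfutils line does ("introduced in 0.175"), so the not-affected claim can be re-checked against the bugzilla reference.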
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2018-207{48,49,50}/libvncserver
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9ed0f24c by Salvatore Bonaccorso at 2019-01-30T22:20:07Z Track fixed version for CVE-2018-207{48,49,50}/libvncserver - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13178,7 +13178,7 @@ CVE-2018-20020 (LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d co NOTE: https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d NOTE: https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-030-libvnc-heap-out-of-bound-write/ CVE-2018-20748 (LibVNC before 0.9.12 contains multiple heap out-of-bounds write ...) - - libvncserver (bug #920941) + - libvncserver 0.9.11+dfsg-1.3 (bug #920941) [stretch] - libvncserver (Incomplete fix for CVE-2018-20019 not applied) NOTE: https://github.com/LibVNC/libvncserver/commit/c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a NOTE: https://github.com/LibVNC/libvncserver/commit/e34bcbb759ca5bef85809967a268fdf214c1ad2c 
@@ -29573,11 +29573,11 @@ CVE-2018-15129 (ThinkSAAS through 2018-07-25 has XSS via the ...) CVE-2018-15128 RESERVED CVE-2018-20750 (LibVNC through 0.9.12 contains a heap out-of-bounds write vulnerability ...) - - libvncserver (bug #920941) + - libvncserver 0.9.11+dfsg-1.3 (bug #920941) [stretch] - libvncserver (Incomplete fix for CVE-2018-15127 not applied) NOTE: https://github.com/LibVNC/libvncserver/commit/09e8fc02f59f16e2583b34fe1a270c238bd9ffec CVE-2018-20749 (LibVNC before 0.9.12 contains a heap out-of-bounds write vulnerability ...) - - libvncserver (bug #920941) + - libvncserver 0.9.11+dfsg-1.3 (bug #920941) [stretch] - libvncserver (Incomplete fix for CVE-2018-15127 not applied) NOTE: https://github.com/LibVNC/libvncserver/commit/15bb719c03cc70f14c36a843dcb16ed69b405707 CVE-2018-15127 (LibVNC before commit 502821828ed00b4a2c4bef90683d0fd88ce495de contains ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9ed0f24cedaa832ae0385ef6359866aaca1b080c
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2019-3813/spice in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a26c40fd by Salvatore Bonaccorso at 2019-01-30T21:06:36Z Add fixed version for CVE-2019-3813/spice in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7442,7 +7442,7 @@ CVE-2019-3814 CVE-2019-3813 [Off-by-one error in array access in spice/server/memslot.c] RESERVED {DSA-4375-1 DLA-1649-1} - - spice (bug #920762) + - spice 0.14.0-1.3 (bug #920762) NOTE: https://www.openwall.com/lists/oss-security/2019/01/28/2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1665371 CVE-2019-3812 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a26c40fd926eaf76c69e33a199fa5a775c676bbd
[Git][security-tracker-team/security-tracker][master] 2 commits: CVEs have been fixed
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: a67d65cb by Thorsten Alteholz at 2019-01-30T20:44:49Z CVEs have been fixed - - - - - 8ccf597a by Thorsten Alteholz at 2019-01-30T20:45:22Z Reserve DLA-1651-1 for libgd2 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -28467,7 +28467,6 @@ CVE-2018-1000224 (Godot Engine version All versions prior to 2.1.5, all 3.0 vers CVE-2018-1000222 (Libgd version 2.2.5 contains a Double Free Vulnerability vulnerability ...) - libgd2 2.2.5-4.1 (low; bug #906886) [stretch] - libgd2 2.2.4-2+deb9u3 - [jessie] - libgd2 (Minor issue) NOTE: https://github.com/libgd/libgd/issues/447 NOTE: https://github.com/libgd/libgd/commit/ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5 CVE-2018-1000221 (pkgconf version 1.5.0 to 1.5.2 contains a Buffer Overflow ...) @@ -55861,7 +55860,6 @@ CVE-2018-5711 (gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PH NOTE: https://hhvm.com/blog/2018/05/04/hhvm-3.25.3.html - libgd2 2.2.5-4.1 (bug #887485) [stretch] - libgd2 2.2.4-2+deb9u3 - [jessie] - libgd2 (Minor issue, can be fixed along in a future update) NOTE: https://github.com/libgd/libgd/issues/420 NOTE: https://github.com/libgd/libgd/commit/a11f47475e6443b7f32d21f2271f28f417e2ac04 CVE-2018-5710 (An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. The ...) = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Jan 2019] DLA-1651-1 libgd2 - security update + {CVE-2018-5711 CVE-2018-1000222 CVE-2019-6977 CVE-2019-6978} + [jessie] - libgd2 2.1.0-5+deb8u12 [30 Jan 2019] DLA-1650-1 rssh - security update {CVE-2019-118} [jessie] - rssh 2.3.4-4+deb8u1 = data/dla-needed.txt = 
@@ -70,8 +70,6 @@ jackson-databind (Thorsten Alteholz) libav (Mike Gabriel) NOTE: 20190128: More patches / fixes in my local pipeline. Uploads coming soon. -- -libgd2 (Thorsten Alteholz) --- libraw (Abhijith PA) NOTE: 20181222: As usual please consider to fix ignored/no-dsa issues too, NOTE: especially those that are still marked vulnerable in Stretch but also View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/45c8e8ddfcba339333f1b95ec9f1a7daf7ecf53c...8ccf597af61f75314195bfcc569def556d808132
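Review bot: the DLA-1651-1 entry lists four CVEs (CVE-2018-5711, CVE-2018-1000222, CVE-2019-6977, CVE-2019-6978), but the data/CVE/list part of this change only drops the `[jessie] - libgd2` no-dsa lines of the first two; check that the CVE-2019-6977 and CVE-2019-6978 entries do not still carry a `[jessie]` no-dsa or postponed line, otherwise those two entries contradict the DLA once the automatic update attaches the {DLA-1651-1} reference to them.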
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 45c8e8dd by security tracker role at 2019-01-30T20:10:20Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,21 @@ +CVE-2019-7224 + RESERVED +CVE-2019-7223 + RESERVED +CVE-2019-7222 + RESERVED +CVE-2019-7221 + RESERVED +CVE-2019-7220 + RESERVED +CVE-2019-7219 + RESERVED +CVE-2019-7218 + RESERVED +CVE-2019-7217 + RESERVED +CVE-2019-7216 + RESERVED CVE-2019-7215 RESERVED CVE-2019-7214 @@ -495,6 +513,7 @@ CVE-2019-6990 (A stored-self XSS exists in web/skins/classic/views/zones.php of CVE-2016-10740 (Various resources in Atlassian Crowd before version 2.10.1 allow remote ...) NOT-FOR-US: Atlassian Crowd CVE-2019-118 [Remote code execution in scp support] + {DSA-4377-1 DLA-1650-1} - rssh 2.3.4-9 (bug #919623) NOTE: https://sourceforge.net/p/rssh/mailman/message/36519118/ CVE-2019-6989 @@ -7422,7 +7441,7 @@ CVE-2019-3814 RESERVED CVE-2019-3813 [Off-by-one error in array access in spice/server/memslot.c] RESERVED - {DSA-4375-1} + {DSA-4375-1 DLA-1649-1} - spice (bug #920762) NOTE: https://www.openwall.com/lists/oss-security/2019/01/28/2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1665371 @@ -8738,6 +8757,7 @@ CVE-2018-1000890 (FrontAccounting 2.4.5 contains a Time Based Blind SQL Injectio CVE-2018-1000889 (Logisim Evolution version 2.14.3 and earlier contains an XML External ...) NOT-FOR-US: Logisim Evolution CVE-2018-1000888 (PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 ...) + {DSA-4378-1} - php-pear 1:1.10.6+submodules+notgz-1.1 (bug #919147) NOTE: https://pear.php.net/bugs/bug.php?id=23782 NOTE: https://github.com/pear/Archive_Tar/commit/59ace120ac5ceb5f0d36e40e48e1884de1badf76 
@@ -13157,7 +13177,7 @@ CVE-2018-20020 (LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d co NOTE: https://github.com/LibVNC/libvncserver/commit/09f2f3fb6a5a163e453e5c2979054670c39694bc NOTE: https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d NOTE: https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-030-libvnc-heap-out-of-bound-write/ -CVE-2018-20748 [Incomplete fix for CVE-2018-20019] +CVE-2018-20748 (LibVNC before 0.9.12 contains multiple heap out-of-bounds write ...) - libvncserver (bug #920941) [stretch] - libvncserver (Incomplete fix for CVE-2018-20019 not applied) NOTE: https://github.com/LibVNC/libvncserver/commit/c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a @@ -19607,8 +19627,8 @@ CVE-2018-19029 RESERVED CVE-2018-19028 RESERVED -CVE-2018-19027 - RESERVED +CVE-2018-19027 (Three type confusion vulnerabilities exist in CX-One Versions 4.50 and ...) + TODO: check CVE-2018-19026 RESERVED CVE-2018-19025 @@ -20856,6 +20876,7 @@ CVE-2018-18506 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18506 CVE-2018-18505 RESERVED + {DSA-4376-1 DLA-1648-1} - firefox 65.0-1 - firefox-esr 60.5.0esr-1 - thunderbird 1:60.5.0-1 @@ -20876,6 +20897,7 @@ CVE-2018-18502 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18502 CVE-2018-18501 RESERVED + {DSA-4376-1 DLA-1648-1} - firefox 65.0-1 - firefox-esr 60.5.0esr-1 - thunderbird 1:60.5.0-1 @@ -20884,6 +20906,7 @@ CVE-2018-18501 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-03/#CVE-2018-18501 CVE-2018-18500 RESERVED + {DSA-4376-1 DLA-1648-1} - firefox 65.0-1 - firefox-esr 60.5.0esr-1 - thunderbird 1:60.5.0-1 
@@ -29550,11 +29573,11 @@ CVE-2018-15129 (ThinkSAAS through 2018-07-25 has XSS via the ...) NOT-FOR-US: ThinkSAAS CVE-2018-15128 RESERVED -CVE-2018-20750 [Incomplete fix for CVE-2018-15127] +CVE-2018-20750 (LibVNC through 0.9.12 contains a heap out-of-bounds write vulnerability ...) - libvncserver (bug #920941) [stretch] - libvncserver (Incomplete fix for CVE-2018-15127 not applied) NOTE: https://github.com/LibVNC/libvncserver/commit/09e8fc02f59f16e2583b34fe1a270c238bd9ffec -CVE-2018-20749 [Incomplete fix for CVE-2018-15127] +CVE-2018-20749 (LibVNC before 0.9.12 contains a heap out-of-bounds write vulnerability ...) - libvncserver (bug #920941) [stretch] - libvncserver (Incomplete fix for CVE-2018-15127 not applied) NOTE: https://github.com/LibVNC/libvncserver/commit/15bb719c03cc70f14c36a843dcb16ed69b405707 @@ -104785,7 +104808,7 @@ CVE-2017-6521 RESERVED CVE-2017-6520 (The
[Git][security-tracker-team/security-tracker][master] CVE/list: update for latest cacti release
Paul Gevers pushed to branch master at Debian Security Tracker / security-tracker Commits: f21f0376 by Paul Gevers at 2019-01-30T18:24:31Z CVE/list: update for latest cacti release - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1716,19 +1716,19 @@ CVE-2019-6448 CVE-2019-6447 (The ES File Explorer File Manager application through 4.1.9.7.4 for ...) NOT-FOR-US: ES File Explorer File Manager application CVE-2018-20726 (A cross-site scripting (XSS) vulnerability exists in host.php (via ...) - - cacti + - cacti 1.2.1+ds1-1 NOTE: https://github.com/Cacti/cacti/commit/80c2a88fb2afb93f87703ba4641f9970478c102d NOTE: https://github.com/Cacti/cacti/issues/2213 CVE-2018-20725 (A cross-site scripting (XSS) vulnerability exists in ...) - - cacti + - cacti 1.2.1+ds1-1 NOTE: https://github.com/Cacti/cacti/commit/80c2a88fb2afb93f87703ba4641f9970478c102d NOTE: https://github.com/Cacti/cacti/issues/2214 CVE-2018-20724 (A cross-site scripting (XSS) vulnerability exists in pollers.php in ...) - - cacti + - cacti 1.2.1+ds1-1 NOTE: https://github.com/Cacti/cacti/commit/1f42478506d83d188f68ce5ff41728a7bd159f53 NOTE: https://github.com/Cacti/cacti/issues/2212 CVE-2018-20723 (A cross-site scripting (XSS) vulnerability exists in ...) - - cacti + - cacti 1.2.1+ds1-1 NOTE: https://github.com/Cacti/cacti/commit/80c2a88fb2afb93f87703ba4641f9970478c102d NOTE: https://github.com/Cacti/cacti/issues/2215 CVE-2018-20722 
@@ -271417,7 +271417,7 @@ CVE-2009-4047 (Multiple cross-site scripting (XSS) vulnerabilities in PHD Help D NOT-FOR-US: PHD Help Desk CVE-2009-4112 (Cacti 0.8.7e and earlier allows remote authenticated administrators to ...) [experimental] - cacti 1.2.0~beta2+ds1-1 - - cacti (unimportant; bug #561339) + - cacti 1.2.1+ds1-1 (unimportant; bug #561339) NOTE: 4b0e1566.1070...@moritz-naumann.com in bugtraq NOTE: as one requires admin access to cacti, upstream will implement a whitelist NOTE: https://github.com/Cacti/cacti/issues/1072 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f21f03767e4adbb3a299bdf3892c5efe001e8cd3
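Review bot: in the CVE-2009-4112 hunk the unstable line now records `- cacti 1.2.1+ds1-1 (unimportant; bug #561339)`, yet the `[experimental] - cacti 1.2.0~beta2+ds1-1` line above it is kept; with a higher fixed version in unstable the experimental line is superseded and can go. The NOTE "upstream will implement a whitelist" now reads as a still-pending plan next to a recorded fix; if the 1.2.1 release is that whitelist, say so in the NOTE and keep the issue #1072 link as the pointer.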
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2018-207{48,49,50}/libvncserver
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 73ff7dfa by Salvatore Bonaccorso at 2019-01-30T18:23:10Z Add Debian bug reference for CVE-2018-207{48,49,50}/libvncserver - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13158,7 +13158,7 @@ CVE-2018-20020 (LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d co NOTE: https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d NOTE: https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-030-libvnc-heap-out-of-bound-write/ CVE-2018-20748 [Incomplete fix for CVE-2018-20019] - - libvncserver + - libvncserver (bug #920941) [stretch] - libvncserver (Incomplete fix for CVE-2018-20019 not applied) NOTE: https://github.com/LibVNC/libvncserver/commit/c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a NOTE: https://github.com/LibVNC/libvncserver/commit/e34bcbb759ca5bef85809967a268fdf214c1ad2c 
@@ -29551,11 +29551,11 @@ CVE-2018-15129 (ThinkSAAS through 2018-07-25 has XSS via the ...) CVE-2018-15128 RESERVED CVE-2018-20750 [Incomplete fix for CVE-2018-15127] - - libvncserver + - libvncserver (bug #920941) [stretch] - libvncserver (Incomplete fix for CVE-2018-15127 not applied) NOTE: https://github.com/LibVNC/libvncserver/commit/09e8fc02f59f16e2583b34fe1a270c238bd9ffec CVE-2018-20749 [Incomplete fix for CVE-2018-15127] - - libvncserver + - libvncserver (bug #920941) [stretch] - libvncserver (Incomplete fix for CVE-2018-15127 not applied) NOTE: https://github.com/LibVNC/libvncserver/commit/15bb719c03cc70f14c36a843dcb16ed69b405707 CVE-2018-15127 (LibVNC before commit 502821828ed00b4a2c4bef90683d0fd88ce495de contains ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/73ff7dfa36f079fa2a738b5b06576c24fc9a1ca6
[Git][security-tracker-team/security-tracker][master] Add spelling fix in explanation of not-affected status
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b5254993 by Salvatore Bonaccorso at 2019-01-30T18:16:42Z Add spelling fix in explanation of not-affected status - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29552,11 +29552,11 @@ CVE-2018-15128 RESERVED CVE-2018-20750 [Incomplete fix for CVE-2018-15127] - libvncserver - [stretch] - libvncserver (Incomplete fix CVE-2018-15127 not applied) + [stretch] - libvncserver (Incomplete fix for CVE-2018-15127 not applied) NOTE: https://github.com/LibVNC/libvncserver/commit/09e8fc02f59f16e2583b34fe1a270c238bd9ffec CVE-2018-20749 [Incomplete fix for CVE-2018-15127] - libvncserver - [stretch] - libvncserver (Incomplete fix CVE-2018-15127 not applied) + [stretch] - libvncserver (Incomplete fix for CVE-2018-15127 not applied) NOTE: https://github.com/LibVNC/libvncserver/commit/15bb719c03cc70f14c36a843dcb16ed69b405707 CVE-2018-15127 (LibVNC before commit 502821828ed00b4a2c4bef90683d0fd88ce495de contains ...) {DLA-1617-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b52549939741538998c6c1cf1bd9cb61185b4e24
[Git][security-tracker-team/security-tracker][master] Stretch not affected by CVE-2018-20748, CVE-2018-20749 and CVE-2018-20750
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f52786d6 by Salvatore Bonaccorso at 2019-01-30T18:15:02Z Stretch not affected by CVE-2018-20748, CVE-2018-20749 and CVE-2018-20750 As no update with incomplete fixes was released for the CVE-2018-20019 and CVE-2018-15127 issues stretch version of src:libvncserver is not affected by the CVEs assigned due to the security issues caused by the incomplete fixes. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13159,6 +13159,7 @@ CVE-2018-20020 (LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d co NOTE: https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-030-libvnc-heap-out-of-bound-write/ CVE-2018-20748 [Incomplete fix for CVE-2018-20019] - libvncserver + [stretch] - libvncserver (Incomplete fix for CVE-2018-20019 not applied) NOTE: https://github.com/LibVNC/libvncserver/commit/c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a NOTE: https://github.com/LibVNC/libvncserver/commit/e34bcbb759ca5bef85809967a268fdf214c1ad2c NOTE: https://github.com/LibVNC/libvncserver/commit/c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7 
@@ -29551,9 +29552,11 @@ CVE-2018-15128 RESERVED CVE-2018-20750 [Incomplete fix for CVE-2018-15127] - libvncserver + [stretch] - libvncserver (Incomplete fix CVE-2018-15127 not applied) NOTE: https://github.com/LibVNC/libvncserver/commit/09e8fc02f59f16e2583b34fe1a270c238bd9ffec CVE-2018-20749 [Incomplete fix for CVE-2018-15127] - libvncserver + [stretch] - libvncserver (Incomplete fix CVE-2018-15127 not applied) NOTE: https://github.com/LibVNC/libvncserver/commit/15bb719c03cc70f14c36a843dcb16ed69b405707 CVE-2018-15127 (LibVNC before commit 502821828ed00b4a2c4bef90683d0fd88ce495de contains ...) {DLA-1617-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f52786d6cd2be87abd5c39acde3ad98f83893599
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-20748/libvncserver
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d33dc413 by Salvatore Bonaccorso at 2019-01-30T18:12:29Z Add CVE-2018-20748/libvncserver - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -13157,12 +13157,24 @@ CVE-2018-20020 (LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d co NOTE: https://github.com/LibVNC/libvncserver/commit/09f2f3fb6a5a163e453e5c2979054670c39694bc NOTE: https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d NOTE: https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-030-libvnc-heap-out-of-bound-write/ +CVE-2018-20748 [Incomplete fix for CVE-2018-20019] + - libvncserver + NOTE: https://github.com/LibVNC/libvncserver/commit/c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a + NOTE: https://github.com/LibVNC/libvncserver/commit/e34bcbb759ca5bef85809967a268fdf214c1ad2c + NOTE: https://github.com/LibVNC/libvncserver/commit/c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7 + NOTE: https://github.com/LibVNC/libvncserver/commit/a64c3b37af9a6c8f8009d7516874b8d266b42bae CVE-2018-20019 (LibVNC before commit a83439b9fbe0f03c48eb94ed05729cb016f8b72f contains ...) {DLA-1617-1} - libvncserver 0.9.11+dfsg-1.2 (bug #916941) NOTE: https://github.com/LibVNC/libvncserver/issues/247 NOTE: https://github.com/LibVNC/libvncserver/commit/a83439b9fbe0f03c48eb94ed05729cb016f8b72f NOTE: https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-029-libvnc-multiple-heap-out-of-bound-vulnerabilities/ + NOTE: When fixing this issue apply the complete set of fixes to not open CVE-2018-20748. + NOTE: Additional commits: + NOTE: https://github.com/LibVNC/libvncserver/commit/c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a + NOTE: https://github.com/LibVNC/libvncserver/commit/e34bcbb759ca5bef85809967a268fdf214c1ad2c + NOTE: https://github.com/LibVNC/libvncserver/commit/c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7 + NOTE: https://github.com/LibVNC/libvncserver/commit/a64c3b37af9a6c8f8009d7516874b8d266b42bae CVE-2018-20018 (S-CMS V3.0 has SQL injection via the S_id parameter, as demonstrated by ...) 
NOT-FOR-US: S-CMS CVE-2018-20017 (SEMCMS 3.5 has XSS via the first text box to the SEMCMS_Main.php URI. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d33dc41307fb53be8317a3fd17daca57a82421a4
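Review bot: the new CVE-2018-20748 entry has only `- libvncserver` with no Debian bug reference and no `[stretch]` line, so nothing tracks the unstable fix and stretch is implicitly listed as affected even though the context shows its CVE-2018-20019 fix came through 0.9.11+dfsg-1.2 with bug #916941; a bug number plus a `[stretch]` decision stating whether the stretch package carries the incomplete CVE-2018-20019 fix would close that gap. Listing the four follow-up commits both under CVE-2018-20748 and again as "Additional commits" under CVE-2018-20019 is deliberate duplication that helps backporters, but keep the two lists in sync if either is ever amended.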
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-207{49,50}/libvncserver incomplete fixes for CVE-2018-15127
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 574c881f by Salvatore Bonaccorso at 2019-01-30T18:13:17Z Add CVE-2018-207{49,50}/libvncserver incomplete fixes for CVE-2018-15127 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -29549,12 +29549,22 @@ CVE-2018-15129 (ThinkSAAS through 2018-07-25 has XSS via the ...) NOT-FOR-US: ThinkSAAS CVE-2018-15128 RESERVED +CVE-2018-20750 [Incomplete fix for CVE-2018-15127] + - libvncserver + NOTE: https://github.com/LibVNC/libvncserver/commit/09e8fc02f59f16e2583b34fe1a270c238bd9ffec +CVE-2018-20749 [Incomplete fix for CVE-2018-15127] + - libvncserver + NOTE: https://github.com/LibVNC/libvncserver/commit/15bb719c03cc70f14c36a843dcb16ed69b405707 CVE-2018-15127 (LibVNC before commit 502821828ed00b4a2c4bef90683d0fd88ce495de contains ...) {DLA-1617-1} - libvncserver 0.9.11+dfsg-1.2 (bug #916941) NOTE: https://github.com/LibVNC/libvncserver/issues/243 NOTE: https://github.com/LibVNC/libvncserver/commit/502821828ed00b4a2c4bef90683d0fd88ce495de NOTE: https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-028-libvnc-heap-out-of-bound-write/ + NOTE: When fixing this issue make sure to not open CVE-2018-20749 and CVE-2018-20750 + NOTE: Additional commits: + NOTE: https://github.com/LibVNC/libvncserver/commit/15bb719c03cc70f14c36a843dcb16ed69b405707 + NOTE: https://github.com/LibVNC/libvncserver/commit/09e8fc02f59f16e2583b34fe1a270c238bd9ffec CVE-2018-15126 (LibVNC before commit 73cb96fec028a576a5a24417b57723b55854ad7b contains ...) - libvncserver 0.9.11+dfsg-1.2 (bug #916941) [jessie] - libvncserver (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/574c881fc3bf170ebc9034d4216dc12e9db0e79f
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for mariadb-10.3 issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d4a82492 by Salvatore Bonaccorso at 2019-01-30T18:08:09Z Add Debian bug reference for mariadb-10.3 issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11640,7 +11640,7 @@ CVE-2019-2538 (Vulnerability in the Oracle Managed File Transfer component of Or NOT-FOR-US: Oracle CVE-2019-2537 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - mysql-5.7 5.7.25-1 (bug #919817) - - mariadb-10.3 + - mariadb-10.3 (bug #920933) - mariadb-10.1 - mariadb-10.0 NOTE: Fixed in MariaDB: 10.3.13, 10.1.38, 10.0.38 @@ -11710,7 +11710,7 @@ CVE-2019-2511 (Vulnerability in the Oracle VM VirtualBox component of Oracle ... [jessie] - virtualbox (DSA-3699-1) CVE-2019-2510 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - mysql-5.7 5.7.25-1 (bug #919817) - - mariadb-10.3 + - mariadb-10.3 (bug #920933) NOTE: Fixed in MariaDB: 10.3.13 CVE-2019-2509 (Vulnerability in the Oracle VM VirtualBox component of Oracle ...) - virtualbox 5.2.24-dfsg-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d4a8249266be4a599a531ba84d0d5b47f27778cb
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1650-1 for rssh
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 2733bdb6 by Markus Koschany at 2019-01-30T17:47:50Z Reserve DLA-1650-1 for rssh - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Jan 2019] DLA-1650-1 rssh - security update + {CVE-2019-118} + [jessie] - rssh 2.3.4-4+deb8u1 [30 Jan 2019] DLA-1649-1 spice - security update {CVE-2019-3813} [jessie] - spice 0.12.5-1+deb8u7 = data/dla-needed.txt = @@ -120,8 +120,6 @@ qemu (Hugo Lefeuvre) NOTE: CVE-2018-19665: see https://lists.debian.org/debian-lts/2019/01/msg00073.html NOTE: 20190129: working on a second upload addressing latest cves -- -rssh (Markus Koschany) --- symfony (Roberto C. Sánchez) NOTE: 20190128: Working on resolving FTFBS with feedback received from mailing list (roberto) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2733bdb6f1ef78dfe3e1786d872b9d2f4564ef18
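Review bot: the CVE reference {CVE-2019-118} in the new DLA-1650-1 entry is not a well-formed CVE identifier as shown (the sequence part of a CVE id has at least four digits), so the cross-reference between data/DLA/list and the rssh entry in data/CVE/list may not resolve; verify the id against that entry before the advisory text goes out.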
[Git][security-tracker-team/security-tracker][master] One duplicate CVE for avahi REJECTED
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7de61b85 by Salvatore Bonaccorso at 2019-01-30T16:52:30Z One duplicate CVE for avahi REJECTED Move relevant information to the remaining entry CVE-2017-6519 as it was decided that the CVE-2018-1000845 is to be rejected. The rejection will be included in future CVE feed update. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9408,10 +9408,8 @@ CVE-2018-1000847 (FreshDNS version 1.0.3 and prior contains a Cross Site Scripti NOT-FOR-US: FreshDNS CVE-2018-1000846 (FreshDNS version 1.0.3 and earlier contains a Cross ite Request ...) NOT-FOR-US: FreshDNS -CVE-2018-1000845 (Avahi version 0.7 contains a Incorrect Access Control vulnerability in ...) - - avahi (unimportant; bug #917047) - NOTE: https://github.com/lathiat/avahi/issues/203 - NOTE: https://github.com/lathiat/avahi/commit/e111def44a7df4624a4aa3f85fe98054bffb6b4f +CVE-2018-1000845 + REJECTED CVE-2018-1000844 (Square Open Source Retrofit version Prior to commit ...) NOT-FOR-US: Square Retrofit CVE-2018-1000843 (Luigi version prior to version 2.8.0; after commit ...) 
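Review bot: the rejected CVE-2018-1000845 entry is reduced to a bare REJECTED with no pointer to the entry that now holds the bug and upstream references; the duplication is explained only in the commit message. If the list format allows a NOTE under a REJECTED line, suggest keeping one such as "Duplicate of CVE-2017-6519, references moved there", so that anyone arriving via the old id or bug #917047 finds the live entry.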
@@ -104763,8 +104761,9 @@ CVE-2017-6521 CVE-2017-6520 (The Multicast DNS (mDNS) responder used in BOSE Soundtouch 30 ...) NOT-FOR-US: Multicast DNS (mDNS) responder used in BOSE Soundtouch 30 CVE-2017-6519 (avahi-daemon in Avahi through 0.6.32 inadvertently responds to IPv6 ...) - - avahi (unimportant) + - avahi (unimportant; bug #917047) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1426712 + NOTE: https://github.com/lathiat/avahi/issues/203 NOTE: https://github.com/lathiat/avahi/commit/e111def44a7df4624a4aa3f85fe98054bffb6b4f CVE-2017-6518 (Cross-site scripting (XSS) vulnerability in /sanadata/seo/index.asp in ...) NOT-FOR-US: SanaCMS View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7de61b8577f12d6423ab083d89e53b1eb43986cf
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1649-1 for spice
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 019a4b1e by Emilio Pozuelo Monfort at 2019-01-30T16:26:21Z Reserve DLA-1649-1 for spice - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Jan 2019] DLA-1649-1 spice - security update + {CVE-2019-3813} + [jessie] - spice 0.12.5-1+deb8u7 [30 Jan 2019] DLA-1648-1 firefox-esr - security update {CVE-2018-18500 CVE-2018-18501 CVE-2018-18505} [jessie] - firefox-esr 60.5.0esr-1~deb8u1 = data/dla-needed.txt = @@ -122,8 +122,6 @@ qemu (Hugo Lefeuvre) -- rssh (Markus Koschany) -- -spice (Emilio) --- symfony (Roberto C. Sánchez) NOTE: 20190128: Working on resolving FTFBS with feedback received from mailing list (roberto) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/019a4b1ec9024e3ef1071152787d0e15dae2001e
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1648-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 51065f99 by Emilio Pozuelo Monfort at 2019-01-30T16:21:49Z Reserve DLA-1648-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Jan 2019] DLA-1648-1 firefox-esr - security update + {CVE-2018-18500 CVE-2018-18501 CVE-2018-18505} + [jessie] - firefox-esr 60.5.0esr-1~deb8u1 [29 Jan 2019] DLA-1647-1 apache2 - security update {CVE-2018-17199} [jessie] - apache2 2.4.10-10+deb8u13 = data/dla-needed.txt = @@ -28,8 +28,6 @@ exiv2 (Thorsten Alteholz) faad2 (Hugo Lefeuvre) NOTE: 20190125: No known patch yet. Going to fix the most exploitable issues at first. -- -firefox-esr (Emilio) --- firmware-nonfree NOTE: needed by sponsors -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/51065f99da151f49d8b578cf67677fe1ca8e369c
[Git][security-tracker-team/security-tracker][master] LTS: claim php5 in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 79ea5296 by Roberto C. Sánchez at 2019-01-30T15:42:41Z LTS: claim php5 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -101,7 +101,7 @@ nss -- openssh (Mike Gabriel) -- -php5 +php5 (Roberto C. Sánchez) -- phpmyadmin (Lucas Kanashiro) NOTE: 20190116: Please also fix no-dsa issue CVE-2018-19970 (requested by sunweaver, with frontdesk hat on) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/79ea5296bbe3649cc9f99679dba2a1e0c432ff7a
[Git][security-tracker-team/security-tracker][master] Add php5 to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: dd339f5b by Markus Koschany at 2019-01-30T15:31:02Z Add php5 to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -101,6 +101,8 @@ nss -- openssh (Mike Gabriel) -- +php5 +-- phpmyadmin (Lucas Kanashiro) NOTE: 20190116: Please also fix no-dsa issue CVE-2018-19970 (requested by sunweaver, with frontdesk hat on) NOTE: 20190116: Please also triage CVE-2018-19969. Thanks. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dd339f5b0041792627b82c8b01044383003f97f3
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for php-pear update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ef1dbc49 by Salvatore Bonaccorso at 2019-01-30T15:28:41Z Reserve DSA number for php-pear update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[30 Jan 2019] DSA-4378-1 php-pear - security update + {CVE-2018-1000888} + [stretch] - php-pear 1:1.10.1+submodules+notgz-9+deb9u1 [30 Jan 2019] DSA-4377-1 rssh - security update {CVE-2019-118} [stretch] - rssh 2.3.4-5+deb9u1 = data/dsa-needed.txt = @@ -52,8 +52,6 @@ openssh (corsac) -- passenger -- -php-pear (carnil) --- simplesamlphp -- smarty3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ef1dbc491f00702dd407fe35eb8566a7e64968fb
[Git][security-tracker-team/security-tracker][master] rssh DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 40b75608 by Moritz Muehlenhoff at 2019-01-30T15:20:37Z rssh DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[30 Jan 2019] DSA-4377-1 rssh - security update + {CVE-2019-118} + [stretch] - rssh 2.3.4-5+deb9u1 [30 Jan 2019] DSA-4376-1 firefox-esr - security update {CVE-2018-18500 CVE-2018-18501 CVE-2018-18505} [stretch] - firefox-esr 60.5.0esr-1~deb9u1 = data/dsa-needed.txt = @@ -54,9 +54,6 @@ passenger -- php-pear (carnil) -- -rssh (jmm) - Maintainer prepared a debdiff for a proposed update, needs review + ack --- simplesamlphp -- smarty3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/40b75608605250f01fab49cae7715f8bdbeba939
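Review bot: the new DSA-4377-1 entry references {CVE-2019-118}, which as written is not a valid CVE identifier (the sequence part has at least four digits); the rssh entry in data/CVE/list must carry exactly the same id for the tracker to link the advisory to it. Confirm the id before the DSA is released.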
[Git][security-tracker-team/security-tracker][master] firefox DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 55cfb215 by Moritz Muehlenhoff at 2019-01-30T14:56:18Z firefox DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[30 Jan 2019] DSA-4376-1 firefox-esr - security update + {CVE-2018-18500 CVE-2018-18501 CVE-2018-18505} + [stretch] - firefox-esr 60.5.0esr-1~deb9u1 [29 Jan 2019] DSA-4375-1 spice - security update {CVE-2019-3813} [stretch] - spice 0.12.8-2.1+deb9u3 = data/dsa-needed.txt = @@ -23,8 +23,6 @@ chromium faad2 not yet fixed upstream -- -firefox-esr (jmm) --- glusterfs -- graphicsmagick View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/55cfb21541bbe4b6c568ee378d7fc2f14f84cdda
[Git][security-tracker-team/security-tracker][master] 3 commits: Add Debian bug reference for CVE-2019-7150/elfutils
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9c845012 by Salvatore Bonaccorso at 2019-01-30T14:44:30Z Add Debian bug reference for CVE-2019-7150/elfutils - - - - - 2329150b by Salvatore Bonaccorso at 2019-01-30T14:44:54Z Add Debian bug reference for CVE-2019-7149/elfutils - - - - - 40252230 by Salvatore Bonaccorso at 2019-01-30T14:45:10Z Add Debian bug for CVE-2019-7146/elfutils - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -150,12 +150,12 @@ CVE-2019-7151 (A NULL pointer dereference was discovered in ...) NOTE: https://github.com/WebAssembly/binaryen/commit/2127e64f42da55bb5b9b0ab1995b3ca7fc4e0d0b NOTE: https://github.com/WebAssembly/binaryen/commit/85e95e315a8023c46eb804fe80ebc244bcfdae3e CVE-2019-7150 (An issue was discovered in elfutils 0.175. A segmentation fault can ...) - - elfutils + - elfutils (bug #920909) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24103 NOTE: https://sourceware.org/ml/elfutils-devel/2019-q1/msg00070.html NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=da5c5336a1eaf519de246f7d9f0f5585e1d4ac59 CVE-2019-7149 (A heap-based buffer over-read was discovered in the function ...) - - elfutils + - elfutils (bug #920910) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24102 NOTE: https://sourceware.org/ml/elfutils-devel/2019-q1/msg00068.html NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=2562759d6fe5b364fe224852e64e8bda39eb2e35 
@@ -167,7 +167,7 @@ CVE-2019-7148 (An attempted excessive memory allocation was discovered in the fu CVE-2019-7147 (A buffer over-read exists in the function crc64ib in crc64.c in nasmlib ...) TODO: check CVE-2019-7146 (In elfutils 0.175, there is a buffer over-read in the ebl_object_note ...) - - elfutils + - elfutils (bug #920911) [stretch] - elfutils (Vulnerable code introduced in 0.175) [jessie] - elfutils (Vulnerable code introduced in 0.175) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24075 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/e1f5eb8bff5a11cd3e6761fb8eb83ddf1bcf727f...402522301a7c609637191618f92e0989d684840f
[Git][security-tracker-team/security-tracker][master] Track unstable fix for CVE-2018-17204/openvswitch
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e1f5eb8b by Salvatore Bonaccorso at 2019-01-30T14:42:31Z Track unstable fix for CVE-2018-17204/openvswitch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24230,7 +24230,7 @@ CVE-2018-17205 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7. NOTE: https://github.com/openvswitch/ovs/commit/638d406e3b647359f3d82189d7a6ee56b4a54928 (branch-2.8) NOTE: https://github.com/openvswitch/ovs/commit/0befd1f3745055c32940f5faf9559be6a14395e6 (branch-2.7) CVE-2018-17204 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, ...) - - openvswitch + - openvswitch 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-1 [jessie] - openvswitch (Vulnerable code does not exist; no such function) NOTE: https://github.com/openvswitch/ovs/commit/9740d81d94888cb158fa99a9366fe2b32b3e4aaa (master) NOTE: https://github.com/openvswitch/ovs/commit/8976ea1d680ab7a2d726a50e5666aa8fefd24168 (branch-2.8) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e1f5eb8bff5a11cd3e6761fb8eb83ddf1bcf727f
[Git][security-tracker-team/security-tracker][master] CVE-2018-17205/openvswitch fixed in 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-1 for unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6a75503d by Salvatore Bonaccorso at 2019-01-30T14:40:22Z CVE-2018-17205/openvswitch fixed in 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-1 for unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24224,7 +24224,7 @@ CVE-2018-17206 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7. NOTE: https://github.com/openvswitch/ovs/commit/20626d38c1a1d4cebb5a6911ea3cb6a7f4f993f8 (branch-2.8) NOTE: https://github.com/openvswitch/ovs/commit/9237a63c47bd314b807cda0bd2216264e82edbe8 (branch-2.7) CVE-2018-17205 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, ...) - - openvswitch + - openvswitch 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-1 [jessie] - openvswitch (Vulnerable code does not exist; no such function) NOTE: https://github.com/openvswitch/ovs/commit/9a0ac025de9303334688ff08f01fc08604d2f624 (master) NOTE: https://github.com/openvswitch/ovs/commit/638d406e3b647359f3d82189d7a6ee56b4a54928 (branch-2.8) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6a75503d08a7274411dba0cc70218f11da35ea70
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2018-17206/openvswitch
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ab2779b8 by Salvatore Bonaccorso at 2019-01-30T14:37:47Z Add fixed version for CVE-2018-17206/openvswitch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24218,7 +24218,7 @@ CVE-2018-17208 (Linksys Velop 1.1.2.187020 devices allow unauthenticated command CVE-2018-17207 (An issue was discovered in Snap Creek Duplicator before 1.2.42. By ...) NOT-FOR-US: Snap Creek Duplicator CVE-2018-17206 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6. The ...) - - openvswitch + - openvswitch 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-1 [jessie] - openvswitch (Vulnerable code does not exist; no such function) NOTE: https://github.com/openvswitch/ovs/commit/5026a263d7846077eee540de42192d27da513226 (master) NOTE: https://github.com/openvswitch/ovs/commit/20626d38c1a1d4cebb5a6911ea3cb6a7f4f993f8 (branch-2.8) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ab2779b8fb8df96610a896e2f497bee3b11a4e0e
[Git][security-tracker-team/security-tracker][master] Track fix for CVE-2017-8872/libxml2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c2a2d93c by Salvatore Bonaccorso at 2019-01-30T13:44:38Z Track fix for CVE-2017-8872/libxml2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -97435,6 +97435,7 @@ CVE-2017-8872 (The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9. [jessie] - libxml2 (Minor issue) [wheezy] - libxml2 (Minor issue) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=775200 + NOTE: https://gitlab.gnome.org/GNOME/libxml2/commit/123234f2cfcd9e9b9f83047eee1dc17b4c3f4407 CVE-2017-8871 (The cr_parser_parse_selector_core function in cr-parser.c in libcroco ...) - libcroco (bug #864666; low) [stretch] - libcroco (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c2a2d93ce230daa435fb30df402e11b2e5f9c609
[Git][security-tracker-team/security-tracker][master] take thunderbird
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 10236f85 by Moritz Muehlenhoff at 2019-01-30T13:39:30Z take thunderbird - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -66,5 +66,5 @@ smarty3 sssd Maintainer prepared an update and proposed debdiff, acked for upload, but update needs further testing before release. -- -thunderbird +thunderbird (jmm) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/10236f85345594db02f964b0217e662f81281cab
[Git][security-tracker-team/security-tracker][master] NFU
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 276e8284 by Moritz Muehlenhoff at 2019-01-30T13:36:00Z NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32610,6 +32610,7 @@ CVE-2018-14014 (In waimai Super Cms 20150505, there is a CSRF vulnerability that NOT-FOR-US: waimai Super Cms CVE-2018-14013 RESERVED + NOT-FOR-US: Zimbra CVE-2018-14012 (WolfSight CMS 3.2 allows SQL injection via the PATH_INFO to the default ...) NOT-FOR-US: WolfSight CMS CVE-2018-14011 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/276e8284fc3219d4e6fb7d25cbe71bd89dba518d
[Git][security-tracker-team/security-tracker][master] Add coturn to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 6de2a8cb by Markus Koschany at 2019-01-30T13:18:48Z Add coturn to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -13,6 +13,8 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues cairo NOTE: 20190109: No fix available yet. (ola) -- +coturn +-- drupal7 (Abhijith PA) -- enigmail View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6de2a8cbe34d362f173f474c787b286ded9873eb
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2019-6131,mupdf: Jessie is not affected.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 1336a18c by Markus Koschany at 2019-01-30T12:59:39Z CVE-2019-6131,mupdf: Jessie is not affected. Vulnerable code is not present (svg support). - - - - - c4aeb744 by Markus Koschany at 2019-01-30T13:00:19Z CVE-2019-6130,mupdf: Jessie is no-dsa Minor issue. Jessie is also only partly affected. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2488,11 +2488,13 @@ CVE-2019-6132 (An issue was discovered in Bento4 v1.5.1-627. There is a memory l CVE-2019-6131 (svg-run.c in Artifex MuPDF 1.14.0 has infinite recursion with stack ...) - mupdf 1.14.0+ds1-3 (bug #918970) [stretch] - mupdf (Minor issue) + [jessie] - mupdf (vulnerable code not present) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700442 NOTE: http://www.ghostscript.com/cgi-bin/findgit.cgi?c8f7e48ff74720a5e984ae19d978a5ab4d5dde5b CVE-2019-6130 (Artifex MuPDF 1.14.0 has a SEGV in the function fz_load_page of the ...) - mupdf 1.14.0+ds1-3 (bug #918971) [stretch] - mupdf (Minor issue) + [jessie] - mupdf (Minor issue) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700446 NOTE: http://www.ghostscript.com/cgi-bin/findgit.cgi?faf47b94e24314d74907f3f6bc874105f2c962ed CVE-2019-6129 (png_create_info_struct in png.c in libpng 1.6.36 has a memory leak, as ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/ac408c2ff33b583df6c68d0c9fd5fe93599435ab...c4aeb744c8e00087e9ba556e2de2f059f4c3d7cf
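Review bot: the commit message for c4aeb744 records that jessie is only partly affected by CVE-2019-6130, but the added annotation "[jessie] - mupdf (Minor issue)" carries none of that reasoning; suggest putting it into the annotation, for example "(Minor issue; jessie only partly affected)", so the justification lives in data/CVE/list where the next LTS triager will look rather than only in git history.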
[Git][security-tracker-team/security-tracker][master] Claim rssh in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: ac408c2f by Markus Koschany at 2019-01-30T12:51:14Z Claim rssh in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -118,6 +118,8 @@ qemu (Hugo Lefeuvre) NOTE: CVE-2018-19665: see https://lists.debian.org/debian-lts/2019/01/msg00073.html NOTE: 20190129: working on a second upload addressing latest cves -- +rssh (Markus Koschany) +-- spice (Emilio) -- symfony (Roberto C. Sánchez) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ac408c2ff33b583df6c68d0c9fd5fe93599435ab
[Git][security-tracker-team/security-tracker][master] dla: remove libreoffice, no open issues
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 00fb28ea by Emilio Pozuelo Monfort at 2019-01-30T12:19:27Z dla: remove libreoffice, no open issues - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -72,8 +72,6 @@ libav (Mike Gabriel) -- libgd2 (Thorsten Alteholz) -- -libreoffice --- libraw (Abhijith PA) NOTE: 20181222: As usual please consider to fix ignored/no-dsa issues too, NOTE: especially those that are still marked vulnerable in Stretch but also View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/00fb28eae4317c066636738a3e0acdfd88dd7b5d
[Git][security-tracker-team/security-tracker][master] dla: take mariadb-10.0
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 6099c192 by Emilio Pozuelo Monfort at 2019-01-30T12:16:11Z dla: take mariadb-10.0 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -88,6 +88,8 @@ linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) -- +mariadb-10.0 (Emilio) +-- nettle (Ola Lundqvist) NOTE: 20190119: Prerequisite for gnutls28 being fixed. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6099c192f6794e82366fb8b04b2bdd90af72a99c
[Git][security-tracker-team/security-tracker][master] dla: take spice
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 3a2275b9 by Emilio Pozuelo Monfort at 2019-01-30T11:41:25Z dla: take spice - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -118,6 +118,8 @@ qemu (Hugo Lefeuvre) NOTE: CVE-2018-19665: see https://lists.debian.org/debian-lts/2019/01/msg00073.html NOTE: 20190129: working on a second upload addressing latest cves -- +spice (Emilio) +-- symfony (Roberto C. Sánchez) NOTE: 20190128: Working on resolving FTFBS with feedback received from mailing list (roberto) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3a2275b9e1a58c610c6a4c2b84c563ca6d026ba1
[Git][security-tracker-team/security-tracker][master] 5 commits: Add upstream commit reference for CVE-2019-7150
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0ca9d5f1 by Salvatore Bonaccorso at 2019-01-30T09:55:40Z Add upstream commit reference for CVE-2019-7150 - - - - - 58fd3cc3 by Salvatore Bonaccorso at 2019-01-30T09:56:05Z Add upstream commit reference for CVE-2019-7149 - - - - - 441592a5 by Salvatore Bonaccorso at 2019-01-30T09:56:37Z Update severity for CVE-2019-7148/elfutils Although there is an issue, and malloc() can fail on an invalid file, nothing further bad security-wise can happen here, as described in https://sourceware.org/bugzilla/show_bug.cgi?id=24085 . As such, demote severity to unimportant and add a respective explaining note on the negligible security impact. - - - - - 18d6b277 by Salvatore Bonaccorso at 2019-01-30T09:57:39Z Add upstream commits for CVE-2019-7146/elfutils - - - - - 75714855 by Salvatore Bonaccorso at 2019-01-30T09:57:56Z Update suite status for CVE-2019-7146/elfutils for stretch and earlier - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -153,19 +153,27 @@ CVE-2019-7150 (An issue was discovered in elfutils 0.175. A segmentation fault c - elfutils NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24103 NOTE: https://sourceware.org/ml/elfutils-devel/2019-q1/msg00070.html + NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=da5c5336a1eaf519de246f7d9f0f5585e1d4ac59 CVE-2019-7149 (A heap-based buffer over-read was discovered in the function ...) - elfutils NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24102 NOTE: https://sourceware.org/ml/elfutils-devel/2019-q1/msg00068.html + NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=2562759d6fe5b364fe224852e64e8bda39eb2e35 CVE-2019-7148 (An attempted excessive memory allocation was discovered in the function ...) - - elfutils + - elfutils (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24085 + NOTE: malloc can fail on invalid file, but "nothing" bad with security implication will + NOTE: happen, negligible security impact. CVE-2019-7147 (A buffer over-read exists in the function crc64ib in crc64.c in nasmlib ...) TODO: check CVE-2019-7146 (In elfutils 0.175, there is a buffer over-read in the ebl_object_note ...) 
- elfutils + [stretch] - elfutils (Vulnerable code introduced in 0.175) + [jessie] - elfutils (Vulnerable code introduced in 0.175) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24075 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24081 + NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=012018907ca05eb0ab51d424a596ef38fc87cae1 + NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=cd7ded3df43f655af945c869976401a602e46fcd CVE-2019-7145 RESERVED CVE-2019-7144 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/f51646130f07e3c91f9943ee6436d479edece4c9...75714855580b6f1b194d2da03b1ed5d70048b267
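Review bot: in the CVE-2019-7146 part of this hunk the two added suite lines, `+ [stretch] - elfutils (Vulnerable code introduced in 0.175)` and the matching `[jessie]` line, carry, as displayed here, no version or state marker between the package name and the parenthesised reason, so the tracker would read them as unfixed in stretch and jessie, the opposite of what the reason says; please confirm the committed lines carry the tracker's not-affected marker (angle-bracketed markers are easily dropped when the mail is rendered), since the commit message's intent is to record that the vulnerable code only arrived in 0.175, which is newer than what stretch and jessie ship. On CVE-2019-7148, the new NOTE justifies the demotion to unimportant by quoting that "nothing" bad happens after the failed malloc; it would be more useful to state the concrete outcome the upstream bug describes (whether the failed allocation is reported as an error or merely aborts the tool), because a crash on attacker-supplied input would still be a minor DoS and the severity decision rests on that distinction.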
[Git][security-tracker-team/security-tracker][master] firefox issues from mfsa2019-01 fixed via 65.0-1 upload
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f5164613 by Salvatore Bonaccorso at 2019-01-30T09:16:31Z firefox issues from mfsa2019-01 fixed via 65.0-1 upload - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20831,11 +20831,11 @@ CVE-2018-18507 RESERVED CVE-2018-18506 RESERVED - - firefox + - firefox 65.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18506 CVE-2018-18505 RESERVED - - firefox + - firefox 65.0-1 - firefox-esr 60.5.0esr-1 - thunderbird 1:60.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18505 @@ -20843,19 +20843,19 @@ CVE-2018-18505 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-03/#CVE-2018-18505 CVE-2018-18504 RESERVED - - firefox + - firefox 65.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18504 CVE-2018-18503 RESERVED - - firefox + - firefox 65.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18503 CVE-2018-18502 RESERVED - - firefox + - firefox 65.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18502 CVE-2018-18501 RESERVED - - firefox + - firefox 65.0-1 - firefox-esr 60.5.0esr-1 - thunderbird 1:60.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18501 
@@ -20863,7 +20863,7 @@ CVE-2018-18501 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-03/#CVE-2018-18501 CVE-2018-18500 RESERVED - - firefox + - firefox 65.0-1 - firefox-esr 60.5.0esr-1 - thunderbird 1:60.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18500 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f51646130f07e3c91f9943ee6436d479edece4c9
[Git][security-tracker-team/security-tracker][master] Mark CVE-2016-5824 as affecting thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 23d5928c by Emilio Pozuelo Monfort at 2019-01-30T09:06:50Z Mark CVE-2016-5824 as affecting thunderbird - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -135199,6 +135199,7 @@ CVE-2016-5824 (libical 1.0 allows remote attackers to cause a denial of service - libical (bug #860451) [stretch] - libical (Minor issue) [jessie] - libical (Minor issue) + - thunderbird 1:60.5.0-1 NOTE: Original report: https://github.com/libical/libical/issues/235 NOTE: Reopened at: https://bugzilla.mozilla.org/show_bug.cgi?id=1275400 NOTE: Reproducer: https://bugzilla.mozilla.org/attachment.cgi?id=8757553 @@ -135207,6 +135208,8 @@ CVE-2016-5824 (libical 1.0 allows remote attackers to cause a denial of service NOTE: Whilst the upstream commits in issues/251 fix the issue of #251 itself NOTE: they do not fix the bugzilla.mozilla.org case 1275400 which was assigned NOTE: in http://www.openwall.com/lists/oss-security/2016/06/25/4 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-03/#CVE-2016-5824 + NOTE: thunderbird uses embedded libical copy CVE-2016-5823 (The icalproperty_new_clone function in libical 0.47 and 1.0 allows ...) - libical 1.0-1 [wheezy] - libical (Only possible denial of service, not severe enough to solve) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/23d5928c487f3c7dba551a964e1d78528502d854
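Review bot: the second hunk's new NOTE records that thunderbird ships an embedded libical copy and points at mfsa2019-03, while the NOTEs just above it say the upstream libical commits from issues/251 do not fix the bugzilla.mozilla.org 1275400 case to which this CVE was assigned; if Mozilla's fix in thunderbird 1:60.5.0-1 does address that case, the NOTE should say so and name the Mozilla patch, because it is then the candidate fix for the still-open `- libical (bug #860451)` entry, and the "Minor issue" no-dsa decisions for stretch and jessie were taken at a time when no fix for that case was in hand.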
[Git][security-tracker-team/security-tracker][master] NFU
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: dcfa4201 by Henri Salo at 2019-01-30T08:47:53Z NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32636,16 +32636,22 @@ CVE-2018-13996 (Genann through 2018-07-08 has a stack-based buffer over-read in NOT-FOR-US: Genann CVE-2018-13995 RESERVED + NOT-FOR-US: Phoenix Contact FL switch CVE-2018-13994 RESERVED + NOT-FOR-US: Phoenix Contact FL switch CVE-2018-13993 RESERVED + NOT-FOR-US: Phoenix Contact FL switch CVE-2018-13992 RESERVED + NOT-FOR-US: Phoenix Contact FL switch CVE-2018-13991 RESERVED + NOT-FOR-US: Phoenix Contact FL switch CVE-2018-13990 RESERVED + NOT-FOR-US: Phoenix Contact FL switch CVE-2018-13989 (Grundig Smart Inter@ctive TV 3.0 devices allow CSRF attacks via a POST ...) NOT-FOR-US: Grundig Smart Inter@ctive TV 3.0 devices CVE-2018-13988 (Poppler through 0.62 contains an out of bounds read vulnerability due ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dcfa4201a84bdebd40e749bf7184e727e2238c71
[Git][security-tracker-team/security-tracker][master] NFU
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: f81557c9 by Henri Salo at 2019-01-30T08:42:15Z NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1468,14 +1468,17 @@ CVE-2019-6524 RESERVED CVE-2019-6523 RESERVED + NOT-FOR-US: Advantech WebAccess/SCADA CVE-2019-6522 RESERVED CVE-2019-6521 RESERVED + NOT-FOR-US: Advantech WebAccess/SCADA CVE-2019-6520 RESERVED CVE-2019-6519 RESERVED + NOT-FOR-US: Advantech WebAccess/SCADA CVE-2019-6518 RESERVED CVE-2019-6517 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f81557c91a85b77c1ea780d8be9bd7f0d913404b
[Git][security-tracker-team/security-tracker][master] NFU
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: 8a235ee6 by Henri Salo at 2019-01-30T08:27:01Z NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1442,6 +1442,7 @@ CVE-2019-6536 RESERVED CVE-2019-6535 RESERVED + NOT-FOR-US: Mitsubishi Electric MELSEC-Q Series PLCs CVE-2019-6534 RESERVED CVE-2019-6533 @@ -1462,6 +1463,7 @@ CVE-2019-6526 RESERVED CVE-2019-6525 RESERVED + NOT-FOR-US: AVEVA Wonderware System Platform CVE-2019-6524 RESERVED CVE-2019-6523 @@ -1478,6 +1480,7 @@ CVE-2019-6518 RESERVED CVE-2019-6517 RESERVED + NOT-FOR-US: BD FACSLyric CVE-2019-6516 RESERVED CVE-2019-6515 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8a235ee64b6905570715af88676fa425b78b3d12
[Git][security-tracker-team/security-tracker][master] NFU
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: 92d838bc by Henri Salo at 2019-01-30T08:18:59Z NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2980,6 +2980,7 @@ CVE-2019-5910 RESERVED CVE-2019-5909 RESERVED + NOT-FOR-US: Yokogawa License Manager Service CVE-2019-5908 RESERVED CVE-2019-5907 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/92d838bc7acfa6d00a87f9f607270aa9e2017ea5
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8d6b76ec by security tracker role at 2019-01-30T08:10:19Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,81 @@ +CVE-2019-7215 + RESERVED +CVE-2019-7214 + RESERVED +CVE-2019-7213 + RESERVED +CVE-2019-7212 + RESERVED +CVE-2019-7211 + RESERVED +CVE-2019-7210 + RESERVED +CVE-2019-7209 + RESERVED +CVE-2019-7208 + RESERVED +CVE-2019-7207 + RESERVED +CVE-2019-7206 + RESERVED +CVE-2019-7205 + RESERVED +CVE-2019-7204 + RESERVED +CVE-2019-7203 + RESERVED +CVE-2019-7202 + RESERVED +CVE-2019-7201 + RESERVED +CVE-2019-7200 + RESERVED +CVE-2019-7199 + RESERVED +CVE-2019-7198 + RESERVED +CVE-2019-7197 + RESERVED +CVE-2019-7196 + RESERVED +CVE-2019-7195 + RESERVED +CVE-2019-7194 + RESERVED +CVE-2019-7193 + RESERVED +CVE-2019-7192 + RESERVED +CVE-2019-7191 + RESERVED +CVE-2019-7190 + RESERVED +CVE-2019-7189 + RESERVED +CVE-2019-7188 + RESERVED +CVE-2019-7187 + RESERVED +CVE-2019-7186 + RESERVED +CVE-2019-7185 + RESERVED +CVE-2019-7184 + RESERVED +CVE-2019-7183 + RESERVED +CVE-2019-7182 + RESERVED +CVE-2019-7181 + RESERVED +CVE-2019-7180 + RESERVED +CVE-2019-7179 + RESERVED +CVE-2018-20747 + RESERVED +CVE-2018-20746 + RESERVED CVE-2019-7178 RESERVED CVE-2019-7177 @@ -11637,6 +11715,7 @@ CVE-2019-2504 (Vulnerability in the Oracle VM VirtualBox component of Oracle ... - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2503 (Vulnerability in the MySQL Server component of Oracle MySQL ...) + {DLA-1570-1} - mysql-5.7 5.7.25-1 (bug #919817) - mariadb-10.0 NOTE: Fixed in MariaDB: 10.0.37 
@@ -14374,8 +14453,8 @@ CVE-2018-19860 RESERVED CVE-2018-19859 (OpenRefine before 3.5 allows directory traversal via a relative ...) NOT-FOR-US: OpenRefine -CVE-2018-19858 - RESERVED +CVE-2018-19858 (PrinceXML, versions 10 and below, is vulnerable to XXE due to the lack ...) + TODO: check CVE-2018-19857 (The CAF demuxer in modules/demux/caf.c in VideoLAN VLC media player ...) {DSA-4366-1} - vlc 3.0.4-4 (bug #915760) @@ -14578,8 +14657,8 @@ CVE-2018-19784 (The str_rot_pass function in ...) NOT-FOR-US: PHP-Proxy CVE-2018-19783 RESERVED -CVE-2018-19782 - RESERVED +CVE-2018-19782 (Multiple cross-site scripting (XSS) vulnerabilities in GET requests in ...) + TODO: check CVE-2018-19781 RESERVED CVE-2018-19780 @@ -18137,8 +18216,8 @@ CVE-2018-19442 RESERVED CVE-2018-19441 RESERVED -CVE-2018-19440 - RESERVED +CVE-2018-19440 (ARM Trusted Firmware-A allows information disclosure. ...) + TODO: check CVE-2018-19439 (XSS exists in the Administration Console in Oracle Secure Global ...) NOT-FOR-US: Oracle CVE-2018-19438 @@ -19794,8 +19873,8 @@ CVE-2018-18897 (An issue was discovered in Poppler 0.71.0. There is a memory lea NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/654 CVE-2018-18896 RESERVED -CVE-2018-18895 - RESERVED +CVE-2018-18895 (A version of Castor XML, as used in Cisco WebEx Meetings Server before ...) + TODO: check CVE-2018-18894 RESERVED CVE-2018-18893 (Jinjava before 2.4.6 does not block the getClass method, related to ...) @@ -23614,8 +23693,8 @@ CVE-2018-17433 (A heap-based buffer overflow in ReadGifImageDesc() in gifread.c CVE-2018-17432 (A NULL pointer dereference in H5O_sdspace_encode() in H5Osdspace.c in ...) - hdf5 NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln6#null-pointer-dereference-in-h5o_sdspace_encode -CVE-2018-17431 - RESERVED +CVE-2018-17431 (Web Console in Comodo UTM Firewall before 2.7.0 allows remote ...) + TODO: check CVE-2018-17430 RESERVED CVE-2018-17429 
@@ -24150,6 +24229,7 @@ CVE-2018-17200 RESERVED CVE-2018-17199 [mod_session_cookie does not respect expiry time] RESERVED + {DLA-1647-1} - apache2 2.4.38-1 (bug #920303) NOTE: https://www.openwall.com/lists/oss-security/2019/01/22/3 NOTE: 2.4.x http://svn.apache.org/r1851409 @@ -29413,8 +29493,8 @@ CVE-2018-15138 (Ericsson-LG iPECS NMS 30M allows directory traversal via ...) NOT-FOR-US: Ericsson-LG iPECS NMS 30M CVE-2018-15137 (CeLa Link CLR-M20 devices allow unauthorized users to upload any file ...) NOT-FOR-US: CeLa Link CLR-M20 devices -CVE-2018-15136 - RESERVED +CVE-2018-15136 (TitanHQ SpamTitan before 7.01 has Improper input validation. This ...) + TODO: check CVE-2018-15135 RESERVED
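Review bot: of the auto-generated `TODO: check` entries in this update, CVE-2018-19440 ("ARM Trusted Firmware-A allows information disclosure") is the one that names a component Debian may ship itself (the arm-trusted-firmware source package) rather than a proprietary product, so it should be triaged first and either given a package line or closed as NOT-FOR-US with a reason; CVE-2018-19858 (PrinceXML), CVE-2018-17431 (Comodo UTM Firewall) and CVE-2018-15136 (TitanHQ SpamTitan) describe closed products and look like straightforward NOT-FOR-US entries, while CVE-2018-18895 (Castor XML "as used in Cisco WebEx Meetings Server") concerns a library that might be packaged independently of Cisco's product and deserves a check against the archive before being filed under NFU.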
[Git][security-tracker-team/security-tracker][master] Add fixed version via unstable for three thunderbird CVEs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: aa61719a by Salvatore Bonaccorso at 2019-01-30T08:03:15Z Add fixed version via unstable for three thunderbird CVEs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20751,7 +20751,7 @@ CVE-2018-18505 RESERVED - firefox - firefox-esr 60.5.0esr-1 - - thunderbird + - thunderbird 1:60.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18505 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-02/#CVE-2018-18505 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-03/#CVE-2018-18505 @@ -20771,7 +20771,7 @@ CVE-2018-18501 RESERVED - firefox - firefox-esr 60.5.0esr-1 - - thunderbird + - thunderbird 1:60.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18501 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-02/#CVE-2018-18501 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-03/#CVE-2018-18501 @@ -20779,7 +20779,7 @@ CVE-2018-18500 RESERVED - firefox - firefox-esr 60.5.0esr-1 - - thunderbird + - thunderbird 1:60.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18500 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-02/#CVE-2018-18500 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-03/#CVE-2018-18500 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/aa61719a827aad80a628b06a1070efe2347ddf94
[Git][security-tracker-team/security-tracker][master] Add thunderbird to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 767da4b1 by Salvatore Bonaccorso at 2019-01-30T08:00:54Z Add thunderbird to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -66,3 +66,5 @@ smarty3 sssd Maintainer prepared an update and proposed debdiff, acked for upload, but update needs further testing before release. -- +thunderbird +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/767da4b1f00531371a6be498833f3f1c8c383695
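Review bot: the new `+thunderbird` entry in dsa-needed.txt carries no note, unlike the neighbouring sssd entry that records its status; since the same day's commits mark thunderbird 1:60.5.0-1 as fixing CVE-2018-18500, CVE-2018-18501, CVE-2018-18505 and CVE-2016-5824 with mfsa2019-03 as the reference, a one-line note naming that advisory (and, for CVE-2016-5824, the embedded libical copy) would tell whoever prepares the DSA what it has to cover.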